Getting Started Guide and Release Notes for Nokia IPSO 3.8.1


Part No. N451343002 Rev A

Published January 2005

COPYRIGHT
©2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.


Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215, USA

Regional Contact Information

Americas
Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215, USA
Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
Email: [email protected]

Europe, Middle East and Africa
Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 0NG, UK
Tel (UK): +44 161 601 8908
Tel (France): +33 170 708 166
Email: [email protected]

Asia-Pacific
438B Alexandra Road #07-00, Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364
Email: [email protected]

Nokia Customer Support

Web Site: https://support.nokia.com/
Email: [email protected]

Americas
Voice: 1-888-361-5030 or 1-613-271-6721
Fax: 1-613-271-8782

Europe
Voice: +44 (0) 125-286-8900
Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897

Contents

1  New Features in Nokia IPSO 3.8.1 ... 11
   What's New in Nokia IPSO 3.8.1 ... 11
      Support for Nokia IP265 and IP260 Platforms ... 12
      Link Aggregation ... 12
      SecureXL Enhancements ... 13
         Performance Improvements ... 13
         Security Improvement ... 14
      RIP in a VRRP Environment ... 15
      IP Clustering Support for PIM ... 15
         PIM Dense-Mode ... 16
         PIM Sparse-Mode ... 16
      VRRP for IPv6 Interfaces ... 17
      Support for New Nokia Encrypt Cards ... 18
      APC Simple Signaling Daemon (SSD) ... 19
      Configuration Summary Tool ... 19
   Included Fixes ... 20
      Fix for Denial of Service Vulnerability ... 20
      Fix for http Log Vulnerabilities ... 21
      Fix for BGP Vulnerabilities ... 21
      Fix for Upgrading IPSO on an IP2250 ... 21
      Fix for DHCP Server Vulnerability ... 21
      Fix for Deleting Packages on an IP2250 ... 22
      Fix to savecore Command for IP2250 ... 22
      Fix for IPSO Kernel Crash ... 22
      Fixes for Hard Disk Failures ... 22
      Fix for Incorrect NoDiskSpace Trap ... 23
      Fixes for Gigabit Ethernet ... 23
      Fix to New Image Command on IP2250 Platform ... 23
      Fix for VRRP When Running Nokia Secure Access System ... 24
      Fix for OSPF Area Address Range ... 24
      Fix for OSPF Router ID ... 24
      Fix for Interoperability with Cisco Routers Running OSPF ... 24
      Fix for Network Voyager Connection Problem ... 25
      Fault Management Not Supported ... 25
   New Features and Enhancements in IPSO 3.8 ... 25
      Check Point SecureXL Support ... 26
         Traffic Accelerated by SecureXL ... 26
         Traffic Not Accelerated by SecureXL ... 27
      DHCP Client and Server ... 29
      Point-to-Point over Ethernet Protocol ... 30
      BGP over Check Point VPN ... 30
      IP Clustering Enhancements ... 30
         Switch Failure Recovery ... 30
         Support for BGP and OSPF ... 31
         IGMP Snooping ... 32
      VRRP Enhancements ... 32
      DVMRP Enhancement ... 33
      TCP/IP Stack and TCP Flag Combinations ... 34
      Support for Nokia IP1220 and Nokia IP2250 Security Platforms ... 34
   Supported Appliances ... 35
   Supported Applications ... 36

2  Performing the Initial Configuration ... 37
   Using DHCP to Configure the System ... 37
      Configuring Your DHCP Server ... 38
      Running the DHCP Client on the Nokia System ... 39
   Using the Console to Configure the System ... 40
      Performing the Configuration ... 41
   Performing Additional Configuration ... 44
      Using Nokia Network Voyager ... 44
      Using the IPSO CLI ... 44
         Using an SSH Client ... 45
         Disabling Telnet ... 46
         Disabling SSH ... 47

3  Upgrading to Nokia IPSO 3.8.1 ... 49
   Downloading Nokia IPSO 3.8.1 and Related Files ... 51
   Before You Install Nokia IPSO from Nokia Network Voyager or the Command Shell ... 51
      Putting the ipso.tgz File on the Platform ... 52
         Verifying MD5 Values ... 54
   Installing Nokia IPSO 3.8.1 from Nokia Network Voyager or the Command Shell ... 54
      Adding a Nokia IPSO Image Using Nokia Network Voyager ... 56
      Adding a Nokia IPSO Image from the Command Shell ... 56
      Overwriting Existing Images (Fresh Installation) ... 59
         Fresh Installation on Nokia Appliances ... 60
   Installing and Activating Packages ... 62
      Using Nokia Network Voyager to Install Packages ... 63
      Activating Packages ... 64
      Using the newpkg Command ... 64
   Upgrading to Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8 ... 66
      Upgrading Check Point NG with the Nokia IPSO Command Shell ... 66
   Modem Country Codes ... 67

4  Limitations ... 71
   High-Availability Limitations ... 71
      VRRP and VMAC Mode ... 71
      Deleting Backup Addresses for VRRP Monitored Circuit (Simplified Configuration) ... 72
      Transparent Mode with VRRP and Check Point NG VPNs ... 73
      Transparent Mode and Check Point NG SmartDashboard ... 73
      SecureXL and VRRP ... 73
      VRRP Failover and Failback ... 73
      VRRP in a Multicast Environment and Check Point NG ... 74
      VRRP Performance and Check Point NG ... 74
      Check Point NG and IP Clustering ... 74
      Check Point NG, IP Clustering, and PIM ... 75
      IP Clustering and PIM Dense-Mode ... 75
   Other Limitations ... 76
      Memory Considerations When Using SecureXL ... 76
      SecureXL and NAT ... 78
      SecureXL and Check Point Supported Algorithms ... 78
      SecureXL and SecureClient ... 79
      SecureXL and VPN Accelerator Card Error Message ... 79
      Check Point NG with Firewall Flows and NAT Enabled ... 80
      Check Point NG with Application Intelligence and ICMP ... 80
      Check Point NG and BGP ... 80
      Check Point NG Time-Out Values ... 80
      Check Point NG and IPv6 Traffic ... 81
      Check Point NG and Incorrect Version Display ... 81
      Check Point NG Error Messages When Rebooting Nokia IP Security Platform ... 81
      Disk Mirroring ... 82
      Four-Port 10/100 Ethernet Card in IP350 and IP380 ... 82
      DHCP Client Process and Manually Assigned IP Addresses ... 82
      DHCP and VLAN Interfaces ... 83
      IP700 Appliances with Copper Gigabit NICs ... 83
      IP700 Appliances and Nokia Encrypt Card ... 83
      Fiber Gigabit Ethernet Card on IP1200 Series Platforms and Extreme Summit and Netgear Switches ... 83
      GigE Interface with Certain Switches ... 84
      Limited SSL Access After Upgrade ... 84
      Upgrading Image by Using Nokia Network Voyager with Internet Explorer ... 85
      Kernel Error Message ... 85
      System Failure Notification ... 86
      Modem Error Message ... 86
      IPv6 Show Command ... 86
      Malicious HTML Tags ... 86
      Misleading Message After Power Failure ... 87
   Restrictions Specific to Nokia IP2250 Security Platform ... 87
      Upgrading IPSO on an IP2250 Platform ... 89
      Copper Gigabit Ethernet Interface on an IP2250 Platform and Extreme Networks Switches ... 89
      Detecting Cable Disconnection on an IP2250 ... 89
      Viewing Log Messages on an IP2250 Platform ... 90
      ARP Entries and the IP2250 Platform ... 90

1  New Features in Nokia IPSO 3.8.1

Nokia is pleased to announce Nokia IPSO 3.8.1, an update of the Nokia IPSO 3.8 operating system used on Nokia IP security platforms. Nokia IPSO 3.8.1 adds the following new features, enhancements, and fixes to existing IPSO 3.8. For information about how to download IPSO 3.8.1 and other items from the Nokia customer support Web site, see “Downloading Nokia IPSO 3.8.1 and Related Files” on page 51. You can also go to the Nokia support site, click the Knowledge Base link, and go to resolution number 22032.

What’s New in Nokia IPSO 3.8.1

- Support for Nokia IP265 and IP260 Platforms
- Link Aggregation
- SecureXL Enhancements
- RIP in a VRRP Environment
- IP Clustering Support for PIM
- VRRP for IPv6 Interfaces
- Support for New Nokia Encrypt Cards
- APC Simple Signaling Daemon (SSD)
- Configuration Summary Tool


Support for Nokia IP265 and IP260 Platforms

Nokia IPSO 3.8.1 supports the new Nokia IP265 (diskless) and IP260 (which contains a hard disk) security platforms. These appliances provide low-cost and robust firewall and VPN solutions. These platforms are ideally suited for smaller enterprise locations, such as growing companies and branch or satellite offices of larger companies. In addition to cost-efficiency, these platforms offer a space-efficient design. Each platform occupies only half of a single rack space, so two IP200 appliances can be mounted side-by-side in a single rack space and can be individually inserted or removed. You can easily add PC card options, such as system storage, and you can configure these platforms for high availability using either Nokia IP Clustering or VRRP. The IP265 and IP260 offer robust performance and include built-in hardware-based encryption acceleration. They support a comprehensive suite of IP routing functions and protocols.

Link Aggregation

With IPSO 3.8.1, Nokia appliances allow you to aggregate (combine) Ethernet ports so that they function as one logical port. You get the benefits of greater bandwidth per logical link and load balancing across the ports. For example, you can aggregate two 10/100 Mbps ports so they function like a single port with a theoretical bandwidth of 200 Mbps, or you can aggregate two Gigabit Ethernet ports so they function like a single port with a theoretical bandwidth of 2000 Mbps. If you have only 10/100 interfaces and need a faster link but cannot or do not want to use Gigabit Ethernet, you can use link aggregation to achieve faster throughput with interfaces you already have.

In addition to helping you meet the general demand for greater bandwidth, link aggregation is also useful if you combine IP2250 appliances as a VRRP pair. Because of the performance of this appliance, a single 10/100 Mbps link might not be sufficient to keep up with firewall synchronization. To meet the need, you can aggregate two built-in ports on each appliance and use this link for synchronization.

Another benefit of link aggregation is redundancy: if one of the physical links in an aggregation group fails, the traffic is redistributed to the remaining physical links and the aggregation group continues to function. IPSO distributes the outbound IP traffic across the physical links using the source and destination IP addresses. It uses the source and destination MAC addresses to distribute non-IP traffic. You can aggregate as many as four ports in one aggregation group, and you can have as many as eight aggregation groups on one appliance. As with any IPSO logical interface, you can configure as many as 1015 VLANs for each aggregated link.
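The distribution and failover behaviour described above, modelled as an added example (this is not IPSO code, and the release notes do not document IPSO's actual hash function): flows are hashed onto a link by their source and destination IP addresses, non-IP frames by their MAC addresses, a failed link is simply dropped from the candidate set so its flows move to the survivors, and the four-links-per-group limit from the text is enforced. The SHA-256-based hash, the port names and the traffic sample are constructed for the illustration.

```python
"""Model of how an aggregation group spreads traffic across its physical links.

Added example, not IPSO code. IPSO's real hash function is not documented in
the release notes; this model hashes the (source, destination) pair with
SHA-256 (a constructed choice): IP addresses for IP traffic, MAC addresses
for non-IP traffic, as the release notes describe.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_LINKS_PER_GROUP = 4          # limit stated in the release notes
IP_ETHERTYPES = {0x0800, 0x86DD}  # IPv4, IPv6


@dataclass
class AggregationGroup:
    name: str
    links: List[str]                      # physical port names (constructed)
    failed: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not 1 <= len(self.links) <= MAX_LINKS_PER_GROUP:
            raise ValueError(f"{self.name}: 1..{MAX_LINKS_PER_GROUP} links allowed")

    def active_links(self) -> List[str]:
        return [link for link in self.links if link not in self.failed]

    def select_link(self, src: str, dst: str) -> str:
        """Hash the flow key onto one of the links that are still up."""
        active = self.active_links()
        if not active:
            raise RuntimeError(f"{self.name}: every physical link has failed")
        digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
        return active[int.from_bytes(digest[:4], "big") % len(active)]


def flow_key(frame: Dict[str, object]) -> Tuple[str, str]:
    """IP traffic is distributed on (src IP, dst IP); anything else on (src MAC, dst MAC)."""
    if frame["ethertype"] in IP_ETHERTYPES:
        return str(frame["src_ip"]), str(frame["dst_ip"])
    return str(frame["src_mac"]), str(frame["dst_mac"])


def distribute(group: AggregationGroup, frames: List[Dict[str, object]]) -> Dict[str, int]:
    """Count how many frames land on each physical link of the group."""
    counts = {link: 0 for link in group.links}
    for frame in frames:
        counts[group.select_link(*flow_key(frame))] += 1
    return counts


def sample_frames(n: int = 1000) -> List[Dict[str, object]]:
    """Constructed traffic: n IPv4 flows between 10.1.0.0/16 and 10.2.0.0/16 hosts,
    plus four ARP frames, which are non-IP and therefore hashed on MAC addresses."""
    frames: List[Dict[str, object]] = []
    for i in range(n):
        frames.append({"ethertype": 0x0800,
                       "src_ip": f"10.1.{i // 256}.{i % 256}",
                       "dst_ip": f"10.2.{(i * 7) // 256 % 256}.{(i * 7) % 256}"})
    for i in range(4):
        frames.append({"ethertype": 0x0806,   # ARP
                       "src_mac": f"00:11:22:33:44:{i:02x}", "dst_mac": "ff:ff:ff:ff:ff:ff"})
    return frames


def demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Per-link frame counts with all links up, then after one physical link fails."""
    group = AggregationGroup("ae0", ["eth-s1p1", "eth-s1p2", "eth-s1p3", "eth-s1p4"])
    frames = sample_frames()
    before = distribute(group, frames)
    group.failed.add("eth-s1p3")   # link failure: its flows move to the remaining three
    after = distribute(group, frames)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("all links up:   ", before)
    print("eth-s1p3 failed:", after)
```

Because the link choice is a pure function of the flow key, every frame of one flow stays on one link (no reordering within a flow); the price is that balance is statistical, so a handful of large flows can still land on the same port.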

SecureXL Enhancements

Nokia IPSO 3.8.1 includes enhanced support for Check Point’s SecureXL technology to allow faster and more secure connections.

Performance Improvements

IPSO 3.8.1 improves firewall performance by reducing the overhead required for creating, removing, and synchronizing connections. IPSO achieves these improvements by supporting the following SecureXL 2.1 features:

- auto expiration
- delayed notification of connections
- delayed synchronization in IP clusters and VRRP groups

These enhancements improve performance by reducing the amount of required communication between IPSO and the firewall and reducing the amount of synchronization between the members of IP clusters or VRRP groups, thereby reducing overhead processing. If you use SecureXL, you get the advantage of IPSO’s support for auto expiration automatically. You do not need to configure anything in the Check Point management application or in IPSO.


On stand-alone systems, delayed notification is automatic and requires no configuration. For IP clusters and VRRP groups, you control delayed notification by setting a synchronization delay for a service. If you enable delayed synchronization, delayed notification is enabled automatically. If you do not enable delayed synchronization, delayed notification is left disabled.

If you have an IP cluster or VRRP group, you can configure delayed synchronization so that connections that expire before a time you set are not synchronized. For example, if you configure HTTP traffic to be synchronized after 10 seconds, HTTP connections that expire before this time are not synchronized to the other systems. (Should a failover occur, unsynchronized connections do not survive.) You enable delayed synchronization in the Check Point management application (in the Advanced TCP Service Properties dialog box for the appropriate service, for example, HTTP). You do not need to configure anything in IPSO. Delayed notification and synchronization are particularly beneficial when a system processes many short-lived connections.

Delayed synchronization is automatically disabled if you use any of the following Check Point features:

- Logging
- Accounting
- Worm catcher
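The trade-off in the paragraphs above, as an added example that is not IPSO or Check Point code: a connection is synchronized only once it has lived for its service's delay, so short-lived connections never cost a sync message, but a connection younger than the delay is lost if a failover happens first. The timing model, the feature names used to switch delayed synchronization off, and the sample connection table are constructed for this illustration.

```python
"""Model of SecureXL delayed synchronization in an IP cluster or VRRP group.

Added example, not IPSO or Check Point code. The timing model is an
assumption built from the release notes: a connection is synchronized to the
other members only after it has stayed open for its service's delay, and
delayed synchronization is forced off while Logging, Accounting or Worm
Catcher is in use (feature names here are constructed labels).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Check Point features that disable delayed synchronization (per the release notes)
DISABLING_FEATURES: FrozenSet[str] = frozenset({"logging", "accounting", "worm_catcher"})


@dataclass(frozen=True)
class Connection:
    conn_id: str
    service: str
    opened: float                   # seconds since the start of the simulation
    closed: Optional[float] = None  # None means still open


def effective_delays(delays: Dict[str, float], features: FrozenSet[str]) -> Dict[str, float]:
    """Per-service delays actually in force; all zero if a disabling feature is on."""
    if features & DISABLING_FEATURES:
        return {service: 0.0 for service in delays}
    return dict(delays)


def sync_times(conns: List[Connection], delays: Dict[str, float]) -> Dict[str, float]:
    """Time at which each connection gets synchronized; short-lived ones never do."""
    result: Dict[str, float] = {}
    for conn in conns:
        at = conn.opened + delays.get(conn.service, 0.0)  # no delay configured: sync at creation
        if conn.closed is not None and conn.closed < at:
            continue  # expired before its delay elapsed: no sync message is ever sent
        result[conn.conn_id] = at
    return result


def failover(conns: List[Connection], delays: Dict[str, float], at: float,
             features: FrozenSet[str] = frozenset()) -> Tuple[List[str], List[str]]:
    """Split the connections open at time `at` into survivors (already synchronized
    to the new master) and lost ones (not yet synchronized)."""
    synced = sync_times(conns, effective_delays(delays, features))
    survivors: List[str] = []
    lost: List[str] = []
    for conn in conns:
        if conn.opened > at or (conn.closed is not None and conn.closed <= at):
            continue  # not open at the moment of failover
        if conn.conn_id in synced and synced[conn.conn_id] <= at:
            survivors.append(conn.conn_id)
        else:
            lost.append(conn.conn_id)
    return survivors, lost


# Constructed sample: HTTP synchronized after 10 s (the example in the text), SSH immediately.
DELAYS: Dict[str, float] = {"http": 10.0, "ssh": 0.0}
SAMPLE: List[Connection] = [
    Connection("http-1", "http", opened=0.0, closed=5.0),   # short-lived, never synced
    Connection("http-2", "http", opened=0.0),               # synced at t=10
    Connection("http-3", "http", opened=15.0),              # would be synced at t=25
    Connection("http-4", "http", opened=0.0, closed=30.0),  # synced at t=10
    Connection("ssh-1", "ssh", opened=2.0),                 # synced at t=2
]


def sync_message_count(features: FrozenSet[str] = frozenset()) -> int:
    """Number of sample connections that cause a synchronization message."""
    return len(sync_times(SAMPLE, effective_delays(DELAYS, features)))


if __name__ == "__main__":
    print("failover at t=20, delayed sync on: ", failover(SAMPLE, DELAYS, 20.0))
    print("failover at t=20, logging enabled:", failover(SAMPLE, DELAYS, 20.0, frozenset({"logging"})))
    print("sync messages:", sync_message_count(), "vs", sync_message_count(frozenset({"logging"})))
```

With the 10 s HTTP delay, a failover at t=20 drops the 5-second-old http-3 connection but spares the synchronization of http-1 entirely; switching Logging on (which disables delayed synchronization) restores every connection at the cost of one sync message per connection.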

Security Improvement

For enhanced security, IPSO 3.8.1 supports the SecureXL 2.1 sequence validation (TCP state detection version 2) functionality. This feature allows the firewall to stop exploits that make use of out-of-sequence TCP packets. You enable or disable sequence validation in both the Check Point management application and in IPSO. To get the full benefits of this feature, you should enable it in both products. If you want to enable sequence validation in the Check Point management application and IPSO, follow these steps:


1. On the main Configuration page in Nokia Network Voyager, click Advanced System Tuning (in the System Configuration section).
2. On the Advanced System Tuning page, click the button to enable sequence validation.
3. Enable sequence validation in the Check Point management application.
4. Push the new policy to the IPSO appliance.
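What sequence validation checks, as an added example (not IPSO or SecureXL code, whose state machine the release notes do not describe): per direction of a connection the firewall remembers the sequence number the receiving peer expects next and the window it advertised, and a segment whose sequence range lies entirely outside that window, as an injected out-of-sequence segment would, is dropped before it reaches the host. The acceptability rule is the one from RFC 793 section 3.3 with 32-bit wrap-around; the gap tracking and the sample segments are simplifications constructed for this illustration.

```python
"""Sequence validation for a stateful firewall: drop TCP segments that fall
outside the window the receiving peer would accept.

Added example, not IPSO or SecureXL code. It applies the RFC 793 (section 3.3)
segment acceptability test per direction with 32-bit wrap-around; the tracking
of the expected sequence number (contiguous advance, plus a small gap table)
is a simplification chosen for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MASK = 0xFFFFFFFF


def in_window(base: int, size: int, x: int) -> bool:
    """True if x lies in [base, base + size) modulo 2**32."""
    return ((x - base) & MASK) < size


def segment_acceptable(rcv_nxt: int, rcv_wnd: int, seq: int, length: int) -> bool:
    """RFC 793 acceptability test for a segment occupying `length` sequence-space octets."""
    if length == 0:
        return seq == rcv_nxt if rcv_wnd == 0 else in_window(rcv_nxt, rcv_wnd, seq)
    if rcv_wnd == 0:
        return False  # the receiver advertised a closed window: no data is acceptable
    last = (seq + length - 1) & MASK
    return in_window(rcv_nxt, rcv_wnd, seq) or in_window(rcv_nxt, rcv_wnd, last)


@dataclass
class DirectionState:
    """Tracking state for one direction of a connection (segments towards one peer)."""
    rcv_nxt: int   # next sequence number the receiving peer expects
    rcv_wnd: int   # window that peer last advertised
    ahead: Dict[int, int] = field(default_factory=dict)  # in-window data seen early: start -> end

    def check(self, seq: int, payload_len: int, syn: bool = False, fin: bool = False) -> Tuple[bool, str]:
        """Validate one segment; if it is acceptable, advance the tracked state."""
        length = payload_len + int(syn) + int(fin)  # SYN and FIN each occupy one octet
        if not segment_acceptable(self.rcv_nxt, self.rcv_wnd, seq, length):
            upper = (self.rcv_nxt + self.rcv_wnd) & MASK
            return False, f"drop: seq {seq} len {length} outside window [{self.rcv_nxt}, {upper})"
        end = (seq + length) & MASK
        if seq != self.rcv_nxt and in_window(self.rcv_nxt, self.rcv_wnd, seq):
            self.ahead[seq] = end   # in window but ahead of the expected data: remember the gap
            return True, "accept: ahead of expected data, within window"
        verdict = "accept: in order" if seq == self.rcv_nxt else "accept: overlaps data already seen"
        self.rcv_nxt = end
        while self.rcv_nxt in self.ahead:   # stitch early data that now becomes contiguous
            self.rcv_nxt = self.ahead.pop(self.rcv_nxt)
        return True, verdict


def replay(segments: List[Tuple[int, int]], rcv_nxt: int = 1000, rcv_wnd: int = 8192) -> Tuple[List[bool], int]:
    """Run (seq, payload_len) segments through one direction; return verdicts and the final rcv_nxt."""
    state = DirectionState(rcv_nxt, rcv_wnd)
    verdicts = [state.check(seq, length)[0] for seq, length in segments]
    return verdicts, state.rcv_nxt


# Constructed segments towards a peer expecting sequence 1000 with an 8192-octet window.
SAMPLE_SEGMENTS: List[Tuple[int, int]] = [
    (1000, 100),   # in order
    (1100, 100),   # in order
    (1000, 100),   # duplicate of data the peer already consumed: dropped
    (50000, 100),  # far outside the window, as an injected segment would be: dropped
    (1300, 100),   # ahead of the expected data but inside the window: accepted, held as a gap
    (1200, 100),   # fills the gap: rcv_nxt advances straight to 1400
]


if __name__ == "__main__":
    state = DirectionState(1000, 8192)
    for seq, length in SAMPLE_SEGMENTS:
        print(seq, length, state.check(seq, length)[1])
```

Note what the check does not do: a segment that is in the window but ahead of the expected data is still accepted, so sequence validation narrows the range an injected segment must hit to the receiver's current window rather than closing it; that is why the text recommends enabling it together with the Check Point-side validation.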

RIP in a VRRP Environment

Beginning with Nokia IPSO 3.8.1, Nokia supports advertising the virtual IP address of the VRRP virtual router for RIP. The routing protocol advertises the virtual IP addresses of the VRRP virtual router, which do not change if a failover occurs and one of the backup routers becomes the new master. RIP runs only on the master, so when a failover occurs, the protocol stops running on the previous master and then begins to run on the new master. Nokia recommends, but does not require, that you configure the same router ID on each Nokia IP security platform for a VRRP pair.

Nokia introduced advertising of the virtual IP address of the VRRP virtual router for OSPF, BGP, and PIM, both dense mode and sparse mode, beginning with Nokia IPSO 3.8. For more information, see “VRRP Enhancements” on page 32.

Note: You must use Monitored Circuit mode when configuring virtual IP support for any dynamic routing protocol, including RIP. Do not use VRRPv2 when configuring virtual IP support for any dynamic routing protocol.

IP Clustering Support for PIM

Beginning with IPSO 3.8.1, Nokia supports PIM, Sparse-Mode and Dense-Mode, in an IP cluster. The routing protocol advertises the virtual IP addresses of the cluster, which do not change if members are added to or removed from the cluster. The single-system view of the cluster by the remainder of the network stabilizes the routing topology as changes occur in the cluster, avoiding the need to reconverge on new IP addresses. Nokia introduced support for BGP-4 and OSPF in an IP cluster with IPSO 3.8. For more information, see “Support for BGP and OSPF” on page 31.

PIM Dense-Mode

In the Nokia implementation of PIM Dense-Mode (PIM-DM), all the nodes process PIM control traffic received by the cluster, and only the master processes most of the control traffic sent from the cluster. However, hello messages, for example, are sent by all nodes. Some multicast switches do not forward multicast traffic to interfaces from which they have not received any multicast traffic. To avoid having a multicast switch fail to forward multicast traffic, all cluster nodes send periodic PIM hello messages. All messages from each cluster member have the same source IP address, generation ID, holdtime, and designated router priority. Therefore, all neighboring routers view the cluster as a single neighbor even though they receive hello messages from all members of the cluster.

The multicast data traffic is load-balanced and can be processed by any of the cluster members. All cluster members synchronize the dense-mode forwarding state with each other member; therefore, if any cluster member fails, the new member responsible for the corresponding data traffic has the same state as the member that failed.

PIM Sparse-Mode

In the Nokia implementation of PIM Sparse-Mode (PIM-SM), depending on its location, the cluster can function as the designated router, the bootstrap router, the rendezvous point, or any location in the source or shortest-path tree (SPT). All the nodes process PIM control traffic received by the cluster, and only the master processes most of the control traffic sent from the cluster. However, hello messages, for example, are sent by all nodes. Some multicast switches do not forward multicast traffic to interfaces from which they have not received any multicast traffic. To avoid having a multicast switch fail to forward multicast traffic, all cluster nodes send periodic PIM hello messages. All messages from each cluster member have the same source IP address, generation ID, holdtime, and designated router priority. Therefore, all neighboring routers view the cluster as a single neighbor even though they receive hello messages from all members of the cluster.

The multicast data traffic is load-balanced and can be processed by any member of the cluster. However, if the cluster is the elected rendezvous point, only the master processes the encapsulated register messages until the SPT is created.

Note: Nokia strongly recommends that you not configure PIM or any other routing protocol on the primary or secondary cluster protocol interfaces of an IP cluster.

As part of the new support for PIM-DM and PIM-SM, Nokia also introduces support of IGMP in an IP cluster. The support for IGMP in an IP cluster ensures synchronization of IGMP state from master to members when a new node running PIM joins the cluster.

VRRP for IPv6 Interfaces

Beginning with IPSO 3.8.1, Nokia supports VRRP configuration for IPv6 interfaces. Nokia supports VRRP version 3, which is based on VRRP version 2 as defined for IPv4 in RFC 3768, and Monitored Circuit. Unlike VRRP version 2, VRRP version 3 does not support authentication. Check Point NG with Application Intelligence does not support user, session, or client authentication for IPv6 interfaces. Also, Check Point NG does not support synchronization for IPv6 interfaces. When the master router of a VRRP pair fails and the backup router becomes the new master, all previously established connections are lost because synchronization does not occur.


Support for New Nokia Encrypt Cards

Nokia IPSO 3.8.1 supports two new encryption accelerator cards: the Nokia Encrypt Card for the IP380, IP530, and IP700 series and the Nokia Encrypt Card for the IP1200 series. The Nokia Encrypt Cards come in a PMC format for the IP380, IP530, IP700, and IP1200 series security platforms. If your IP security platform is not currently running Nokia IPSO 3.8.1, you must upgrade to this version to use the new accelerator cards.

The Nokia Encrypt Card for the IP380, IP530, and IP700 series supports the following security algorithms:

- MD5 and SHA-1 authentication
- DES and 3DES encryption
- 128- and 256-bit AES encryption

The Nokia Encrypt Card for the IP1200 series supports the following security algorithms:

- RC4/ARC4
- DES and 3DES encryption
- AES-128, AES-192, AES-256
- HMAC-SHA1 and HMAC-MD5

Note: If you use the new Nokia Encrypt Card in a VRRP group or an IP cluster and use a different encryption accelerator card, such as the Nokia Encryption Accelerator Card, in another appliance in the group or cluster, you must select encryption algorithms for each card that are supported on both cards. (You configure supported algorithms using the Check Point management application.) If you select different encryption algorithms on the backup appliance than on the master, failover might not occur correctly.


APC Simple Signaling Daemon (SSD)

IPSO 3.8.1 includes the APC Simple Signaling Daemon (SSD). SSD provides basic shutdown and notification services for an appliance powered by an APC uninterruptible power supply (UPS) in simple signaling mode and connected to the UPS with a 940-0020B simple signaling cable. When an extended power failure occurs, SSD sends notifications to logged-in users and shuts down the appliance cleanly. The interface to SSD is a command-line utility, apcssd. For more information on how to configure and use SSD, see the apcssd command description in the CLI Reference Guide for Nokia IPSO 3.8.1.

Configuration Summary Tool

The Nokia IPSO Configuration Summary Tool (CST) is a troubleshooting tool that is now part of the IPSO image (it was previously available as a package). Entering cst at the IPSO shell prompt displays a summary of the current configuration of your system. It also creates a compressed file (in /admin) that you can move to a workstation and uncompress to produce various HTML and image files that make it easy to view the current configuration. CST replaces ipsoinfo, and its HTML output is easier to read than a typical ipsoinfo output file.

CST reports the MD5 of key files on the system. This is important if vmcores exist on the system and an analysis is to be performed: the MD5 information reported by CST ensures that the correct kernel and loadable modules are used during the analysis. CST generates historical reports for CPU utilization, memory utilization, and traffic throughput for all interfaces. These reports contain pie charts and graphs as well as the raw data collected. CST also gathers debug information on VRRP, RIP, OSPF, BGP, and DVMRP.


Included Fixes

IPSO 3.8.1 includes the following fixes that were previously implemented in IPSO 3.8 build 039 and earlier:

- Fix for Denial of Service Vulnerability
- Fix for http Log Vulnerabilities
- Fix for BGP Vulnerabilities
- Fix for Upgrading IPSO on an IP2250
- Fix for DHCP Server Vulnerability
- Fix for Deleting Packages on an IP2250
- Fix to savecore Command for IP2250
- Fix for IPSO Kernel Crash
- Fixes for Hard Disk Failures
- Fix for Incorrect NoDiskSpace Trap
- Fixes for Gigabit Ethernet
- Fix to New Image Command on IP2250 Platform
- Fix for VRRP When Running Nokia Secure Access System
- Fix for OSPF Area Address Range
- Fix for OSPF Router ID
- Fix for Interoperability with Cisco Routers Running OSPF
- Fix for Network Voyager Connection Problem
- Fault Management Not Supported

Fix for Denial of Service Vulnerability

Earlier builds of IPSO 3.8 are vulnerable to a denial of service attack that could affect Nokia appliances running Check Point's VPN-1/Firewall-1 or Nokia Secure Access Server. This vulnerability is fixed in Build 039.


Fix for http Log Vulnerabilities

Builds of IPSO 3.8 prior to 039 are capable of passing terminal escape sequences and malicious code inserted by an attacker into the IPSO http access or error logs on to a terminal used to view those logs. If the terminal has related vulnerabilities, exploits using these escape sequences and malicious code could be run on the terminal. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0083 for more information about these vulnerabilities. Build 039 prevents attacks of this type.
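The defensive counterpart of the fix above, as an added example that is not IPSO code: a log viewer should never hand raw control characters to the terminal, so every C0/C1 control byte (including ESC, which introduces every ANSI escape sequence) is rendered as a visible \xNN escape before display, and lines that needed escaping are flagged for review. The access-log lines in the block are constructed; they mimic request paths carrying a screen-clear and a title-setting sequence.

```python
"""Neutralize terminal escape sequences before log lines reach a terminal.

Added example, not IPSO code. Every C0/C1 control character (ESC included,
which starts every ANSI escape sequence) is rendered as a visible \\xNN escape,
so the bytes survive for analysis but cannot drive the terminal. The sample
log lines below are constructed.
"""
import re
from typing import Iterable, List, Tuple

# C0 controls except TAB (0x09) and LF (0x0a), DEL (0x7f), and the C1 range
# (0x80-0x9f), which some terminals honour as 8-bit escape introducers.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def sanitize_line(raw: bytes) -> Tuple[str, bool]:
    """Return (printable line, True if anything had to be escaped).

    Decoding as latin-1 maps every byte to exactly one code point, so no byte
    can be lost or merged into a multi-byte character before the check runs;
    non-ASCII text is shown as Latin-1 rather than UTF-8 as a consequence."""
    text = raw.decode("latin-1")
    clean, hits = CONTROL_CHARS.subn(lambda m: f"\\x{ord(m.group()):02x}", text)
    return clean, hits > 0


def review_log(lines: Iterable[bytes]) -> List[Tuple[int, str, bool]]:
    """Sanitize every line and flag the ones that carried control characters."""
    return [(number, *sanitize_line(line)) for number, line in enumerate(lines, start=1)]


# Constructed access-log lines: the third carries a screen-clear and cursor-home
# sequence in the request path, the fourth an OSC sequence that sets the terminal title.
SAMPLE_LOG: List[bytes] = [
    b'192.0.2.10 - - [12/Jan/2005:10:00:01] "GET /index.html HTTP/1.0" 200 512',
    b'192.0.2.11 - - [12/Jan/2005:10:00:02] "GET /cgi-bin/status HTTP/1.0" 404 0',
    b'192.0.2.12 - - [12/Jan/2005:10:00:03] "GET /\x1b[2J\x1b[1;1Hlogin HTTP/1.0" 404 0',
    b'192.0.2.13 - - [12/Jan/2005:10:00:04] "GET /\x1b]0;title\x07 HTTP/1.0" 404 0',
]


def flagged_lines(lines: Iterable[bytes] = SAMPLE_LOG) -> List[int]:
    """Numbers of the lines that would have driven a vulnerable terminal."""
    return [number for number, _, suspicious in review_log(lines) if suspicious]


if __name__ == "__main__":
    for number, text, suspicious in review_log(SAMPLE_LOG):
        print(f"{number:3d} {'!' if suspicious else ' '} {text}")
```

Escaping rather than deleting keeps the evidence: the analyst still sees exactly which sequence the request carried, and the flag on the line is a usable detection signal for the same class of log injection against any other viewer.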

Fix for BGP Vulnerabilities

IPSO 3.8 Build 039 includes a fix for BGP vulnerabilities in the processing of malformed open and update packets. Exploitation of these vulnerabilities might cause a denial of service. For more information about these vulnerabilities as reported by CERT, see http://www.kb.cert.org/vuls/id/784540.

Fix for Upgrading IPSO on an IP2250

If you are using IPSO 3.8 Build 034 on an IP2250 platform, you cannot use Nokia Network Voyager to upgrade to a later build of IPSO. You must use the newimage command or the CLI to upgrade from Build 034. IPSO 3.8 Build 039 fixes this problem.

Fix for DHCP Server Vulnerability

IPSO 3.8 Build 039 contains a fix for a DHCP server vulnerability reported by CERT in June 2004. The Internet Systems Consortium’s DHCP version 3 application contains several potential buffer overflow vulnerabilities. Exploitation of this vulnerability can cause a denial-of-service (DoS) condition to the DHCP daemon (DHCPD) and might permit a remote attacker to execute arbitrary code on the system with the privileges of the DHCPD process. DoS of the DHCP server is mitigated by the process manager, which would automatically restart the server. IPSO 3.8 Build 036 contains the fix that the ISC has released that resolves this issue. For more information about the vulnerability as reported by CERT, go to http://www.kb.cert.org/vuls/id/317350 or http://www.kb.cert.org/vuls/id/654390.

Fix for Deleting Packages on an IP2250

IPSO Build 039 contains a fix that lets you use the CLI to delete packages on a Nokia IP2250 security platform. On previous versions of IPSO 3.8, the CLI command for deleting packages on an IP2250 platform did not function properly.

Fix to savecore Command for IP2250

IPSO 3.8 Build 039 contains a fix that restores functionality to the savecore command on the Nokia IP2250 security platform. With previous builds of IPSO 3.8, the savecore command did not function properly on the IP2250.

Fix for IPSO Kernel Crash

With builds of IPSO 3.8 prior to 039, the IPSO kernel sometimes crashes and reboots when there is very heavy read and write activity on the system’s hard disk. This issue is fixed in Build 037.

Fixes for Hard Disk Failures

Customers have observed the error messages No Bootable Device Available and wd0 timeout error and/or have experienced system hangs or spontaneous reboots of Nokia firewall appliances containing 2.5-inch hard disk drives. Nokia has made changes to IPSO 3.8 Build 039 to improve the overall operation and reliability of Nokia platforms. The changes ensure compliance with the power management modes of hard disk drives and improve drive longevity by reducing duty cycles.

Fix for Incorrect NoDiskSpace Trap

If you have an earlier build of IPSO 3.8 on a platform with a 40 gigabyte hard disk, IPSO sometimes sends the SNMP trap NoDiskSpace even though enough disk space is available. This problem is fixed in Build 039.

Fixes for Gigabit Ethernet

IPSO 3.8 Build 039 includes a fix that addresses issues with transmission of traffic over Gigabit Ethernet interfaces. With builds of IPSO 3.8 prior to 039, Gigabit Ethernet interfaces can periodically fail to properly transmit traffic. The reported problem is intermittent and is not restricted to any particular Nokia IP security platform. This issue can occur with the fiber or copper Gigabit Ethernet cards. IPSO 3.8 Build 039 also includes a fix for a minor latency issue that can affect Gigabit Ethernet connections under certain conditions.

Fix to New Image Command on IP2250 Platform

IPSO 3.8 Build 039 contains a fix that restores functionality to the newimage command on the IP2250 platform when you use the -r image-name and -t image-name options. With previous builds of IPSO 3.8, when you use these options on the IP2250 platform, the image specified does not get installed on the next reboot.


Fix for VRRP When Running Nokia Secure Access System

With builds of IPSO 3.8 prior to 039, when running VRRP and the Nokia Secure Access System, you have to manually disable the monitor firewall state feature. This feature functions with the firewall and forces a failover to the second router of a VRRP pair if the firewall is not detected. In a VRRP and Nokia Secure Access System implementation, IPSO does not detect a firewall, and each node of a VRRP pair is prevented from becoming the master. This problem is fixed in IPSO 3.8 Build 039. The monitor firewall state feature now determines first whether the firewall is installed.

Fix for OSPF Area Address Range

With builds of IPSO 3.8 prior to 039, when running OSPF, if you configure an address range in the backbone area on a router with multiple areas, the address range of the backbone is neglected. Therefore, routes that originate from the address range of the backbone are not summarized in the non-backbone areas. This issue is fixed in IPSO 3.8 Build 039.

Fix for OSPF Router ID

Builds of IPSO 3.8 prior to 039 do not let you enter a dotted-quad value for the OSPF router ID with a value greater than 239. If the value of the dotted-quad address of the router ID is greater than 239, you receive a message that the router ID you entered is invalid. This issue is fixed in IPSO 3.8 Build 039.

Fix for Interoperability with Cisco Routers Running OSPF

Builds of IPSO 3.8 prior to Build 039 do not support interoperability with Cisco routers that implement link-local signaling (LLS) when running OSPF. This issue is fixed in IPSO 3.8 Build 039, and you no longer have to disable LLS on a Cisco router that is running OSPF.

Fix for Network Voyager Connection Problem

With builds of IPSO 3.8 prior to Build 039, you might be unable to connect to the system using Network Voyager because of a problem related to the fault management functionality. If this problem occurs, you see the following error message at the console:

Unable to connect to database: Couldn't connect to /tmp/xgets: Connection refused

This problem is fixed in Build 039.

Fault Management Not Supported

Fault management is not supported in IPSO 3.8. The fault management configuration pages have been removed from Nokia Network Voyager.

New Features and Enhancements in IPSO 3.8

• Check Point SecureXL Support
• DHCP Client and Server
• Point-to-Point over Ethernet Protocol
• BGP over Check Point VPN
• IP Clustering Enhancements
• VRRP Enhancements
• DVMRP Enhancement
• TCP/IP Stack and TCP Flag Combinations
• Support for Nokia IP1220 and Nokia IP2250 Security Platforms
• Supported Appliances
• Supported Applications


For information about how to download IPSO 3.8.1 and other items from the Nokia customer support Web site, see “Downloading Nokia IPSO 3.8.1 and Related Files” on page 51.

Check Point SecureXL Support

Nokia IPSO 3.8 includes support for SecureXL, the Check Point integrated acceleration flow and encryption API. Specifically, IPSO 3.8 works with SecureXL to accelerate the following:

• Connection establishment
• VPN traffic

Using the SecureXL API, the firewall passes the connection table information to IPSO, where it is stored in the connection table. Previously, when using Firewall Flows, the firewall maintained a connection table and requested IPSO to flow specific connections. Using the SecureXL API, the firewall passes the Security Association table information to IPSO, where it is stored in the connection table.

Check Point’s FloodGate-1 software is not supported by SecureXL, which is automatically disabled when FloodGate-1 is enabled. For Check Point’s SmartView Monitor, traffic charts and counters do not account for packets that SecureXL handles. For Check Point’s SmartDefense, TCP Sequence Verifier is not enforced when SecureXL is enabled. When SmartDefense Fingerprint Scrambling is selected, acceleration is disabled. Also, SecureXL is not supported on IP40 Nokia platforms.

Only certain types of traffic are accelerated by SecureXL. Consult the sections below to find out which types of traffic are or are not accelerated.

Traffic Accelerated by SecureXL

Protocols and Environments

• TCP unicast traffic in environments that either do or do not run network address translation (NAT).
• UDP unicast traffic in environments that either do or do not run NAT.
• IPSec traffic.
• Higher-layer protocol traffic that is transported over TCP or UDP.

Connection Establishment

• TCP unicast traffic that is not running NAT.
• UDP unicast traffic that is not running NAT.
• Higher-layer protocol traffic that is transported over unicast TCP or UDP in an environment that is not running NAT.

Traffic Not Accelerated by SecureXL

Protocols and Environments

• IPv6.
• Multicast traffic.
• Directed broadcast traffic.
• Any traffic across an interface that has an access control list enabled.
• Any traffic whose protocol field in the IP header is not TCP or UDP, such as ICMP and IGRP.

Connection Establishment

• IPv6.
• TCP unicast traffic in an environment that is running NAT.
• Multicast traffic.
• Directed broadcast traffic.
• Any traffic across an interface that has an access control list enabled.
• Any traffic whose protocol field in the IP header is not TCP or UDP, such as ICMP or IGRP.


Note
See your Check Point documentation for more detailed information about SecureXL.

Note
SecureXL is disabled on all platforms by default except the IP2250, which relies on SecureXL as part of its accelerated data path (ADP) technology. For all other platforms, you must run the cpconfig command to enable SecureXL. When you perform a fresh installation of Check Point NG, enter y, for yes, when you see the following message:

Would you like to enable SecureXL acceleration feature? (y/n) [n] ?

When you upgrade the firewall software, enter the numerical value that corresponds to the following: Enable SecureXL. The console then displays the following:

SecureXL currently disabled. Would you like to enable SecureXL (y/n) [y] ?

Press the Enter key or enter y for yes.

Note Nokia IPSO continues to support the Chrysalis Luna VPN and Nokia encryption acceleration cards. However, only the Nokia encryption acceleration cards support SecureXL.

The increased performance that the combination of IPSO 3.8 and SecureXL provides could affect other devices in customers’ networks. SecureXL also reduces the number of connections that a platform can establish compared with a Nokia IP security platform running Firewall Flows. For more information on the maximum number of connections supported for specific amounts of memory, see “Memory Considerations When Using SecureXL” on page 76.


DHCP Client and Server

Nokia IPSO 3.8 provides support for the Dynamic Host Configuration Protocol (DHCP), including complete DHCP client and DHCP server capabilities for your Nokia IP security platform. Your platform can provide network configuration parameters to clients that are configured for dynamic addressing. DHCP eliminates the need for you to configure each client manually and thus reduces configuration errors. DHCP for IPSO support includes the following:

• Enabling the DHCP client.
• Configuring the DHCP client interfaces.
• Dynamic IP address allocation as well as the ability to assign fixed IP addresses to clients.
• The ability to specify various client parameters, including which servers are available for services such as DNS, NTP, TFTP, and SMTP. You can also configure NetBIOS over TCP/IP, which includes identifying WINS and Datagram Distribution servers available to clients.
• Support for VLANs.
• Automatic DNS server updates through the DHCP server implementation that Nokia supports.

Note If you enable the IPSO DHCP server, the appliance receives and accepts DHCP requests even if there is a firewall rule blocking DHCP requests. Although requests are shown as blocked in the firewall logs, the IPSO DHCP server still provides addresses to clients that request them. If you don’t need the DHCP server, leave it disabled (the default option). If you enable the DHCP server but do not want DHCP requests from the outside to be accepted, enable it only on internal interfaces.


Point-to-Point over Ethernet Protocol

Beginning with Nokia IPSO 3.8, Point-to-Point over Ethernet (PPPoE) Protocol lets you create multiple point-to-point connections from your Ethernet network to your ISP. Configuration is simple and your network can be connected over a bridging device such as a DSL modem. Users have the benefit of a familiar point-to-point interface.

BGP over Check Point VPN

Nokia IPSO 3.8 enhances support of BGP-4 in conjunction with Check Point NG with Application Intelligence. You can now establish a BGP-4 session over a Check Point VPN connection. The BGP instance creates a virtual point-to-point link between two networks that are separated by the Internet but connected by a Check Point VPN.

IP Clustering Enhancements

The Nokia IPSO 3.8 IP clustering feature provides load balancing by distributing traffic across the multiple IP security platforms (nodes) in a cluster. The IP clustering feature provides fault tolerance, because a cluster continues to function if a node fails or is taken out of service for maintenance purposes. The nodes in a cluster share IP addresses and appear as a single system to the attached networks.

Switch Failure Recovery

Nokia IPSO 3.8 includes an enhancement that ensures that cluster members do not leave a network if an externally attached switch fails and all cluster members lose connectivity to a particular network through that switch. The members continue to service the remaining networks through their interfaces. Previously, in such a situation, the cluster broke up and all connectivity was lost. If one or more cluster members lose connectivity to a network, but at least one member maintains connectivity to the network, the failed member(s) leave the cluster.

Support for BGP and OSPF

Nokia IPSO 3.8 introduces support for BGP-4 and OSPF routing protocols running on an IP cluster. The routing protocol advertises the virtual IP addresses of the cluster, which do not change if members are added to or removed from the cluster. The single-system view of the cluster by the remainder of the network stabilizes the routing topology as changes occur in the cluster, avoiding the need to reconverge on new IP addresses. This new support for BGP and OSPF also simplifies the management view of the cluster. With previous versions of IPSO, clusters did not support dynamic routing.

For BGP, the protocol runs only on the master. On a failover, BGP stops running on the previous master and establishes its peering relationship on the new master. You must configure a local address when you run BGP in clustered mode. For OSPF, each member runs OSPF tasks, but only the master changes the state and sends OSPF messages to the external routers.

Note
Nokia strongly recommends that you not configure OSPF or any other routing protocol on the primary or secondary cluster protocol interfaces of an IP cluster. Nokia also recommends that you configure BGP in an IP cluster so that peer traffic does not run on the primary and secondary cluster protocol interfaces.

Note Nokia does not support BGP and OSPF over IPSec in a cluster.


IGMP Snooping

In the multicast mode of clustering, data frames are sent to a multicast MAC address. Nokia IPSO 3.8 includes IGMP support for switches that listen for and elicit IGMP messages to learn the IP group membership of the connected systems and use that information to distribute the IP group multicast frames. With previous versions of IPSO, switches broadcast these IP group multicast frames on all ports, delivering them to all cluster members. However, data frames were also copied and delivered to any other systems connected to the same switch as the cluster. This behavior produced unnecessary traffic on unrelated interfaces, reducing bandwidth available for legitimate traffic.

VRRP Enhancements

Beginning with Nokia IPSO 3.8, Nokia supports advertising the virtual IP address of the VRRP virtual router for OSPF, BGP, and PIM, both sparse mode and dense mode. The routing protocols advertise the virtual IP addresses of the VRRP virtual router, which do not change if a failover occurs and one of the backup routers becomes the new master. For BGP and OSPF, the routing protocols run only on the master, so when a failover occurs, the routing protocols stop running on the previous master and then start running on the new master. For PIM, the VRRP master sends hello messages with the virtual IP address as the source address and processes PIM control messages from routers that neighbor the VRRP pair. Nokia recommends, but does not require, that you configure the same router ID on each Nokia IP security platform in a VRRP pair. Beginning with IPSO 3.8, Nokia also supports BGP-4 and OSPF in an IP cluster, where all nodes of the cluster always have full state.

Note
You must use Monitored Circuit mode when configuring virtual IP support for any dynamic routing protocol. Do not use VRRPv2 when configuring virtual IP support for any dynamic routing protocol.


IPSO 3.8 also introduces support for monitoring the health, that is, the state of the firewall. To monitor the state of the firewall, IPSRD, the IPSO routing daemon, listens to firewall state messages that the kernel generates. This way IPSRD learns whether the firewall is not ready to handle traffic or is not functioning properly and thus cannot pass traffic. In this situation, the router does not become the VRRP master, and a failover is initiated to a backup device.

Note
The new option to monitor the state of the firewall supersedes the option to enable cold-start delay. Beginning with IPSO 3.8, the cold-start delay option is no longer needed or supported.

DVMRP Enhancement

With Nokia IPSO 3.8, you can configure values for six timers that previously were fixed:

• neighbor problem interval
• neighbor time-out interval
• route report interval
• route expiration time
• route hold-down period
• cache lifetime

Nokia recommends that if you have a core multicast network, you configure the timer values so that they are uniform throughout a network. Otherwise, you can rely on the default timer values.


TCP/IP Stack and TCP Flag Combinations

Nokia IPSO 3.8 introduces a change to how the IPSO TCP/IP stack handles malformed TCP packets in which both the SYN and FIN bits are set. The new default behavior is for IPSO to drop these packets. To have your Nokia platform accept packets that have both the SYN and FIN bits set, change the default configuration. To change the default setting, go to the Nokia Network Voyager home page, click Config, and click the Misc link under the Security and Access Configuration section. You can also enter the following CLI command:

set miscsec enable_rfc1644 on

This change addresses a CERT advisory. For more information on that advisory, go to http://www.kb.cert.org/vuls/id/464113.
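The SYN+FIN check described above, as an added Python example that is not IPSO code: it decodes the fixed 20-byte TCP header from a raw segment, names the flag bits that are set, and applies the IPSO 3.8 default (drop when SYN and FIN are both set) behind a switch that stands in for the page's enable_rfc1644 setting. The segments are constructed inline. RFC 1644 describes T/TCP, the extension that legitimately carried SYN and FIN in one segment, which is what the setting name refers to.

```python
"""Decode TCP flags from raw segments and apply a SYN+FIN drop rule (added example)."""
import struct

# Flag bits in the 13th byte of the TCP header (RFC 793 order, low bit first).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
_FLAG_NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header; raise ValueError on a truncated or inconsistent segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes, incl. options
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d inconsistent with segment length" % data_offset)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "data_offset": data_offset}


def flag_names(flags: int) -> list:
    """Human-readable list of the flag bits that are set."""
    return [name for name, bit in _FLAG_NAMES if flags & bit]


def should_drop(flags: int, accept_syn_fin: bool = False) -> bool:
    """IPSO 3.8 default: drop a segment with both SYN and FIN set.

    accept_syn_fin=True models the operator having turned enable_rfc1644 on,
    in which case the segment is passed to the stack as before 3.8.
    """
    if flags & SYN and flags & FIN:
        return not accept_syn_fin
    return False


def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample segment: minimal header (offset 5 words), no options, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def filter_segments(segments, accept_syn_fin: bool = False) -> list:
    """Return a ('drop' | 'pass', [flag names]) verdict for each raw segment."""
    verdicts = []
    for seg in segments:
        hdr = parse_tcp_header(seg)
        verdict = "drop" if should_drop(hdr["flags"], accept_syn_fin) else "pass"
        verdicts.append((verdict, flag_names(hdr["flags"])))
    return verdicts


if __name__ == "__main__":
    samples = [build_segment(SYN), build_segment(SYN | FIN), build_segment(FIN | ACK)]
    for verdict, names in filter_segments(samples):
        print(verdict, "+".join(names))
```

Note that the rule keys only on the SYN and FIN bits; a SYN+FIN segment that also carries ACK or PSH is still dropped under the default, because the combination itself is the malformation.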

Support for Nokia IP1220 and Nokia IP2250 Security Platforms

Nokia IPSO 3.8 supports the new IP1220 and IP2250 security platforms. The Nokia IP1220 platform is a mid-range security platform that is ideally suited for a smaller data center. It supports an initial memory configuration of 512 MB, with upgrades available up to 2 GB of RAM. The IP1220 security platform also supports an encryption accelerator card to further enhance VPN performance.

The IP2250 security platform is ideally suited to handle small packet sizes, short-lived sessions, and short-lived connections, and to provide secure Internet connectivity. The IP2250 security platform uses accelerated data path (ADP) technology to deliver gigabit firewall and VPN forwarding performance when running Check Point Next Generation with Application Intelligence. The ADP technology allows the Nokia operating system and Check Point applications to accelerate other data link, network, and transport layer functions. The IP2250 security platform also supports an encryption accelerator card to further enhance VPN performance. For more information about restrictions specific to the IP2250 security platform, see “Restrictions Specific to Nokia IP2250 Security Platform” on page 87.


Note Only Nokia IPSO 3.8 and Check Point Next Generation with Application Intelligence (R55) for IPSO 3.8 are supported on the IP1220 and IP2250 platforms. Do not install any other version of Nokia IPSO or Check Point NG on either of these platforms.

Supported Appliances

You can run IPSO 3.8.1 and an application on the following Nokia appliances:

• IP120
• IP130
• IP260
• IP265
• IP330
• IP350
• IP380
• IP530
• IP650
• IP710
• IP740
• IP1220
• IP1260
• IP2250

IPSO 3.8 and 3.8.1 do not run on the IP110. IPSO 3.8.1 is not supported on the IP440; you can, however, run IPSO 3.8 on the IP440. For better performance, Nokia recommends that you have at least 256 MB of memory in your platform.


Supported Applications

The Nokia IPSO 3.8.1 operating system supports the following applications on Nokia IP appliances. The features and operation of the available applications are described in separate documents.

• Check Point Next Generation with Application Intelligence (R55) for IPSO 3.8. For more information on upgrading Check Point NG, see “Upgrading Check Point NG with the Nokia IPSO Command Shell” on page 66.
• Nokia Secure Access System versions 2.0, 2.1, and 3.0 on the IP130, IP350, IP380, and IP1260 security platforms.


2

Performing the Initial Configuration

When you turn on a Nokia IP security platform for the first time, you must provide it with some initial configuration information. You can use two methods to perform the initial configuration:

• In an automated fashion by using the built-in dynamic host configuration protocol (DHCP) client.
• Manually by using a console (direct serial) connection.

After you decide which method to use, follow the instructions in “Using DHCP to Configure the System” or “Using the Console to Configure the System” on page 40 to perform the initial configuration. Regardless of which method you use, see “Performing Additional Configuration” on page 44 for important information about how to proceed after you complete the initial configuration.

Using DHCP to Configure the System

The Nokia IPSO DHCP feature allows a properly configured DHCP server to provide your system with the following information:

• Host name
• IP address
• Default route


You can then use Nokia Network Voyager to reconfigure any of these settings. When you do so, Voyager keeps the modified settings. (DHCP is not used if configuration information already exists.) Your DHCP server automatically sets the administrative password of the IP system to password.

To use DHCP to configure your system, perform the following steps (which are explained in the following sections):

1. Configure your DHCP server.
2. Run the DHCP client on the Nokia system.

Configuring Your DHCP Server

Configure a DHCP server with (at a minimum) mappings for:

• A host name for the Nokia system.
• The serial number of the Nokia IP security platform.
• A static IP address for the platform.

IPSO also supports MAC-address based configuration. Beginning with Nokia IPSO 3.8, the DHCP client accepts the lease time for the IP address that the server provides. When the lease expires, the DHCP client contacts the server. Previously, the client accepted only IP address leases that were at least a year long.

Note
Your DHCP server must be on the same network as the Nokia platform or the DHCP/BOOTP relay must be configured on the intermediate routers.


The following example shows relevant DHCP configuration information:

    ddns-update-style ad-hoc;
    subnet 10.1.1.0 netmask 255.255.255.0 {
        # default gateway
        option routers              10.1.1.1;
        option subnet-mask          255.255.255.0;
        option domain-name-servers  24.5.207.179;
        range dynamic-bootp 10.1.1.20 10.1.1.100;
        host IP710fixed {
            # serial number of the box
            option dhcp-client-identifier "123456";
            fixed-address 10.1.1.11;
            option host-name "IP710";
        }
    }

Running the DHCP Client on the Nokia System

Note
Do not perform the following procedures unless you configured an appropriate DHCP server with configuration information for your platform.

1. Connect a NIC installed in your platform to your network.
2. Turn the platform on. The DHCP client program in the system starts automatically, and your DHCP server provides the appropriate configuration information. (This can require 5 to 10 minutes.)
3. From a computer on the same network, ping the IP address that you configured your DHCP server to provide to the Nokia system. When you receive replies from ping, you can use Nokia Network Voyager to connect to the system.
4. Connect to the system by using Voyager. To connect, start a Web browser and enter the IP address or host name of the system in the address or URL field of the browser.
5. Enter the user name admin and the password password.
6. Modify the configuration of the system as appropriate.

Note
Nokia strongly recommends that you change the password.

For information about how to proceed, see “Performing Additional Configuration” on page 44. If you intend to use the IPSO CLI or shell, be sure to see “Using the IPSO CLI” on page 44.

Using the Console to Configure the System

If you are installing a new Nokia IP security platform and are not using DHCP to perform the initial configuration, follow the instructions in this section to perform the initial configuration. Before you begin, make sure that you know:

• A host name to assign to the platform.
• An IP address that you will assign to the platform.
• The appropriate network mask length.
• The IP address of the default gateway for the platform.
• An appropriate password to assign to the administrator account.


Performing the Configuration

1. Establish a physical console connection to the Nokia IP security platform. The console can be any standard VT100-compatible terminal or terminal emulator with the following properties:

   • RS-232 data terminal equipment (DTE)
   • 9600 bps
   • 8 data bits
   • No parity
   • 1 stop bit

   You can also use a data communications equipment (DCE) device. To establish the physical console connection, follow these steps:

   a. Connect the appropriate cable to the local console port on the front panel of the platform. If the console is DTE, use the supplied null-modem cable (console cable). If the console is DCE, use a straight-through cable.
   b. Connect the other end of the cable to the console system.

2. Turn the platform on. After some miscellaneous output appears on the console connection, the following prompt appears:

   Hostname?

   If the Hostname? prompt does not appear on the console, see the Installation Guide for troubleshooting suggestions.

3. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from starting. If you wait more than approximately 30 seconds before you type a response to the host name prompt, the DHCP client program starts automatically, and the system might be provided with a host name and IP address that is unknown to you. (This could happen if a DHCP server on your network is configured to supply configuration information to any system that requests it.) If this happens, follow these steps:

   c. Enter:

      rm /config/active

      or

      mv /config/active /config/active.old

   d. Reboot the platform.
   e. Respond to the configuration prompts in a timely manner.

4. Respond to the following prompts. When you see the following message, type 1:

   You can configure your system in two ways:
   1) configure an interface and use our Web-based Voyager via a remote browser
   2) VT100-based Lynx browser
   Please enter a choice [ 1-2, q ]:

5. You are prompted to select a network interface to configure:

   Select an interface from the following for configuration:
   1) ser-s2p1
   2) eth-s3p1
   3) eth-s4p1
   4) eth-s5p1
   5) quit this menu
   Enter choice [1-5]:


The list of interfaces that you see depends on the NICs that are installed. In the preceding example, ser-s2p1 is a serial interface in chassis slot 2, port 1, and eth-s3p1 is an Ethernet interface in chassis slot 3, port 1. Type the number for the interface to configure. Remember that this is the interface you will connect to with Network Voyager or the CLI to continue with the configuration.

6. At the prompt, enter the IP address and subnetwork mask length.
7. When you see the following message, choose y (the default option):

   Do you wish to set the default route [ y ] ?

If you choose n, you cannot use Network Voyager unless you do one of the following:

• Perform the installation procedure again and set a default route.
• Use the command-line interface over a console connection to create a default route or static route.
• Connect to the platform by using a system that is on the same network as a configured interface on the platform.

8. If you have a modem installed, you see a message similar to the following:

   Modem detected on /dev/cuaa1.
   Enable logins on this modem [y,n]:

To enable logging in to the platform through the modem, you can configure the modem now or you can configure it in Network Voyager or the IPSO CLI after you complete the installation. To configure the modem for logins now, type y. You are then prompted to configure a country code for the modem. For a list of the valid country codes, see “Modem Country Codes” on page 67.

9. When you are prompted to reboot the system, type:

   reboot

   and press Enter.


Performing Additional Configuration

After you reboot the system, you are ready to continue configuring it. You can connect to the network interface you configured and perform the additional configuration using either:

• Nokia Network Voyager
• The IPSO CLI

Using Nokia Network Voyager

To log in to the system by using Network Voyager, follow these steps:

1. Start a Web browser on a workstation that has network connectivity to the Nokia IP security platform.
2. In the Location or Address field of the browser, enter the IP address of the interface you configured on the platform.
3. Enter the user name admin and the password you entered when you performed the initial configuration in the appropriate fields.

Using the IPSO CLI

After the system reboots, SSH is on by default as a security measure. This means that you have two options to connect to a network interface and use the IPSO CLI (or the IPSO shell):

• Use an SSH client. This is the recommended approach. For more information, see “Using an SSH Client.” If you do not want users to be able to access the system with an SSH client, see “Disabling SSH” on page 47 for information about how to disable SSH.
• Connect to the configured network interface by using Telnet or rlogin.

To maintain optimum security, Nokia recommends that you disable Telnet and use an SSH client. For more information about how to disable Telnet, see “Disabling Telnet” on page 46.

Note: SSH does not apply to console connections. Regardless of whether SSH is enabled, you can always access the Nokia IP security platform over a console connection.

Using an SSH Client

To communicate with your Nokia system by using SSH, you must have an SSH client program installed on a workstation that has network connectivity to the Nokia IP security platform. You can get information about SSH client programs at http://www.freessh.org. At a minimum, you should use a host key as explained in “Using a Host Key.” For even better security, use authorized keys as well. For more information about how to use SSH with your Nokia system, see the Nokia Network Voyager Reference Guide (available on the Nokia Security Platform Software CD that came with your platform) or press Doc in Network Voyager.

Using a Host Key

IPSO automatically generates a host public and private key pair after you perform the initial configuration. For maximum security, you can install the public part of this key on the workstations that you will use to connect to the Nokia system. Having the host public key installed allows the SSH client program to verify that it really is communicating with the Nokia system and not a system that is falsely purporting to be the Nokia system. If you do install the host public key on workstations, the most secure way to transport the key is to use an out-of-band method, such as transporting the key on a floppy disk. This reduces the possibility that the key could be stolen in transit.


If you do not install the public host key on a workstation that you use to connect to the platform, the Nokia system asks the SSH client to accept the key the first time you attempt to connect:

• If you choose to accept the key, the connection is established. This procedure is potentially less secure because the SSH client cannot be sure that the host key is really being supplied by the Nokia system.
• If you choose to not accept the key, you are not able to connect to the Nokia system.

When a workstation has the host public key (regardless of how it received it), the SSH client program can connect to the Nokia system as long as the host public and private key pair is valid.
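To show what installing the host public key on a workstation amounts to, here is an added Python example (not code from the guide or from IPSO): it parses a host public key line obtained out-of-band, prints the fingerprint that can be compared by eye, builds the known_hosts entry that pins the key to the platform's address, and rejects a key that differs from the pinned copy. The platform address 192.0.2.10 and the toy ssh-rsa key the block builds for itself are constructed; a real IPSO host key is far larger.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH wire-format mpint (two's complement,
    so a leading 0x00 is added when the top bit of the first byte is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_demo_key_line(n: int = 0xC0FFEE00DDBA11, comment: str = "ipso-demo") -> str:
    """Constructed sample: a structurally valid ssh-rsa public key line with toy
    numbers. It is NOT a usable key; it only exercises the parsing below."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_key(line: str):
    """Parse an OpenSSH public key line ('type base64 [comment]').

    Returns (key_type, raw_blob). Raises ValueError when the key type written
    in the text does not match the type embedded in the blob, which indicates
    a corrupted or edited key file rather than a key worth pinning."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode("ascii", errors="replace")
    if inner_type != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {inner_type!r}")
    return key_type, blob


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated hex fingerprint, the format SSH clients of this era print."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:' plus unpadded base64 of the digest, as newer OpenSSH prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, pubkey_line: str) -> str:
    """Build the known_hosts entry that pins the platform's key to its address."""
    key_type, blob = parse_public_key(pubkey_line)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def presented_key_matches(pinned_line: str, presented_line: str) -> bool:
    """Compare the key a server presents at connection time with the pinned copy.
    Only the raw blobs are compared (comments are ignored), in constant time."""
    _, pinned = parse_public_key(pinned_line)
    _, presented = parse_public_key(presented_line)
    return hmac.compare_digest(pinned, presented)


if __name__ == "__main__":
    key = make_demo_key_line()
    _, raw = parse_public_key(key)
    print("fingerprint:", fingerprint_md5(raw))
    print(known_hosts_line("192.0.2.10", key))
```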

Disabling Telnet

You can use Nokia Network Voyager or the IPSO CLI to disable Telnet.

To use Nokia Network Voyager to disable Telnet

1. Log into the platform by using Nokia Network Voyager. Enter the user name admin and the password you configured for this user when you performed the initial configuration.
2. On the Network Voyager home page, click the Security and Access Configuration link.
3. Click the Network Access and Services link.
4. Next to ALLOW TELNET ACCESS, click NO.
5. Click Apply.

To use the CLI to disable Telnet

1. Establish a console connection to the platform.
2. Log in using the user name admin and the password you configured for this user when you performed the initial configuration.
3. Start the CLI by entering:

   clish

4. Enter:

   set net-access telnet no

Disabling SSH

You can use Nokia Network Voyager or the IPSO CLI to disable SSH.

To use Nokia Network Voyager to disable SSH

1. Log in to the platform by using Network Voyager. Enter the user name admin and the password you configured for this user when you performed the initial configuration.
2. On the Voyager home page, click the Security and Access Configuration link.
3. Click the SSH (Secure Shell) link.
4. Next to ENABLE SSH SERVICE (DAEMON SSHD), click NO.
5. Click Apply.

To use the IPSO CLI to disable SSH

1. Establish a console connection to the platform.
2. Log in by using the user name admin and the password you configured for this user when you performed the initial configuration.
3. Start the CLI by entering:

   clish

4. Enter:

   set ssh server enable off


3 Upgrading to Nokia IPSO 3.8.1

You can upgrade directly to Nokia IPSO 3.8.1 from the following IPSO versions:

• 3.5
• 3.5.1
• 3.6
• 3.7
• 3.7.1
• 3.8

You can also revert to those earlier versions of Nokia IPSO from IPSO 3.8.1 if they were previously installed on your Nokia IP security platform. Reverting to earlier versions of IPSO that were not installed on your platform can be problematic (in rare cases) and is not guaranteed.

Caution: Nokia IP350 and IP380 platforms can be upgraded to IPSO 3.8.1, but they cannot be upgraded or downgraded to IPSO 3.6. These systems do not work with versions of IPSO other than 3.5.1, 3.7, 3.7.1, 3.8 and 3.8.1.


Caution: To use the Disk Mirroring feature with IPSO 3.8.1, you must first install the 3.8.1 bootmanager and then install IPSO 3.8.1 from the new bootmanager. If you do not, you might receive messages that show that the mirror set is 100 percent complete or that the “sync process” is complete when in fact the disks are still syncing.

If you attempt to install a version of IPSO on a platform that does not support that version, the installation process does not proceed and you see a message explaining the issue. You can obtain IPSO 3.8.1 from the CD-ROM that is provided with the Nokia IPSO 3.8 Release Pack. You can also obtain IPSO 3.8.1 by downloading the software from the Nokia support site at https://support.nokia.com. You can install IPSO and packages by using the following:

• Nokia Network Voyager (on one Nokia platform at a time)
• IPSO CLI
• IPSO command shell (console session)

You can also install IPSO and packages on multiple cluster nodes simultaneously by using Cluster Voyager or the Cluster CLI. For more information, see the Clustering Configuration Guide for Nokia IPSO 3.8.1.


Downloading Nokia IPSO 3.8.1 and Related Files

To download IPSO 3.8.1 and related files and documentation:

1. Access the Nokia customer support Web site at https://support.nokia.com.
2. Log in using your user name and password.
3. In the drop-down list under Product Homepages, select IP Security Platforms.
4. On the IP Security Platforms page, click the link for IPSO 3.8.1 under Software Downloads.
5. Click the links for the items to download. To download IPSO 3.8.1, continue with this procedure.
6. Locate the link for downloading IPSO 3.8.1. Before you click the link to download IPSO 3.8.1, copy or take note of the MD5 value displayed near the link.
7. Click the link for downloading IPSO 3.8.1.
8. Download the ipso.tgz file to an FTP server or workstation.

You can now install IPSO 3.8.1 remotely from the FTP server or workstation. (See “Installing Nokia IPSO 3.8.1 from Nokia Network Voyager or the Command Shell” on page 54.)

Before You Install Nokia IPSO from Nokia Network Voyager or the Command Shell

You need at least 140 MB of free disk space in your root partition to install an IPSO 3.8.1 image. To determine the available disk space, log in to the IPSO shell through a terminal or console connection and enter df -k. If the first number in the Avail column (which shows the available space in the root partition) is less than 140000 Kbytes, you should make more space available in the root partition by deleting the temporary files specified in the following command if they are present. (These files might not be present, depending on how the upgrades were done on your system.) Execute the following commands to delete the list of unwanted files:

mount -uw /
rm -f /image/*/bootmgr/*.sav
rm -f /image/*/bootmgr/*.tmp
mount -ur /

If you use the df command after you install IPSO 3.8.1 as a third image, you might see that the root partition is more than 100 percent full. If no errors were displayed while you installed IPSO 3.8.1, you can safely ignore this output from df. When you have enough space in the root partition, follow the instructions in “Putting the ipso.tgz file on the Platform” on page 52.
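An added Python helper for the check above (not part of the guide; it runs on a workstation, not on IPSO): it reads the Avail figure for / out of pasted df -k output, counting fields from the right so a long device name cannot shift the column, applies the guide's 140000 Kbyte threshold, and finds and removes the files the rm commands above target. The df output and the image tree it builds under a temporary directory are constructed samples.

```python
import glob
import os
import tempfile

# Threshold from the guide: at least 140000 Kbytes must be free in the root partition.
MIN_ROOT_AVAIL_KB = 140000

# The leftover boot manager files the guide says may be removed, relative to /.
STALE_PATTERNS = ("image/*/bootmgr/*.sav", "image/*/bootmgr/*.tmp")

# Constructed sample of `df -k` output in the BSD layout IPSO uses; not captured
# from a real platform. Root has 48544 KB free, i.e. not enough for the image.
DF_SAMPLE = """Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0f      247823   179454    48544    79%    /
/dev/wd0a      198399    74391   108136    41%    /config
/dev/wd0d     1839607   912011   780428    54%    /var
procfs              4        4        0   100%    /proc
"""


def root_avail_kb(df_output: str) -> int:
    """Return the Avail column (in KB) for the partition mounted on /.

    Fields are counted from the right, so a long device name that widens the
    Filesystem column does not shift the Avail column."""
    for line in df_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "/":
            return int(fields[-3])
    raise ValueError("no root partition in df output")


def root_has_space(df_output: str, needed_kb: int = MIN_ROOT_AVAIL_KB) -> bool:
    """True when the root partition meets the guide's free-space requirement."""
    return root_avail_kb(df_output) >= needed_kb


def stale_bootmgr_files(root: str = "/") -> list:
    """List files matching the guide's cleanup globs under root (sorted)."""
    found = []
    for pattern in STALE_PATTERNS:
        found.extend(glob.glob(os.path.join(root, pattern)))
    return sorted(found)


def remove_stale_bootmgr_files(root: str = "/") -> list:
    """Delete the stale files and return the paths removed.

    On the platform itself the root file system is mounted read-only, so the
    deletion must be bracketed by `mount -uw /` and `mount -ur /` as shown above."""
    removed = []
    for path in stale_bootmgr_files(root):
        os.remove(path)
        removed.append(path)
    return removed


def demo_tree() -> str:
    """Constructed image tree in a temporary directory for trying the cleanup.
    The image directory name is made up; it is not a real IPSO version tag."""
    root = tempfile.mkdtemp(prefix="ipso-demo-")
    bootmgr = os.path.join(root, "image", "IPSO-demo", "bootmgr")
    os.makedirs(bootmgr)
    for name in ("bootmgr.sav", "bootmgr.tmp", "bootmgr"):
        with open(os.path.join(bootmgr, name), "wb") as f:
            f.write(b"\0" * 16)
    return root


if __name__ == "__main__":
    print("root avail KB:", root_avail_kb(DF_SAMPLE), "enough:", root_has_space(DF_SAMPLE))
    print("removed:", remove_stale_bootmgr_files(demo_tree()))
```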

Putting the ipso.tgz file on the Platform

After you make sure that at least 140000 Kbytes are available on the root partition, put the ipso.tgz file on an FTP server and transfer this file to the platform. You can transfer the ipso.tgz in either one of the following two ways:

• FTP the ipso.tgz file to the platform and install IPSO in one procedure. Follow the appropriate instructions in “Installing Nokia IPSO 3.8.1 from Nokia Network Voyager or the Command Shell” on page 54.
• FTP the ipso.tgz file to the platform first and then install IPSO in a separate procedure. Follow the instructions in “Transferring the ipso.tgz file” and “Verifying MD5 Values” on page 54 and then follow the appropriate instructions under “Installing Nokia IPSO 3.8.1 from Nokia Network Voyager or the Command Shell” on page 54.


Caution: If you perform a fresh installation of IPSO, you must download the ipso.tgz file and perform the installation at one time. Do not copy the ipso.tgz file to the platform first—it will be overwritten during the installation procedure. For more information, see “Overwriting Existing Images (Fresh Installation)” on page 59.

Transferring the ipso.tgz file

Transferring IPSO 3.8.1 to your platform as a separate step allows you to perform a local installation (as opposed to a remote installation from an FTP server).

1. Use Nokia Network Voyager to enable FTP access to the platform. To do so:
   a. On the Network Voyager home page, click Config.
   b. In the Security and Access Configuration section, click the Network Access and Services link.
   c. In the Allow FTP access field, click Yes.
   d. Click Apply.
   e. Click Save to make your change permanent.
2. To copy IPSO 3.8.1 from a workstation:
   a. Insert the CD-ROM into the CD drive of the workstation.
   b. Make sure that you can connect to the Nokia platform over the network.
3. Open the directory on the FTP server or workstation that contains the ipso.tgz file (this can be the image directory on the CD-ROM).
4. Begin an FTP session to your platform. By default, the current directory should be var/admin. Do not change the current directory.
5. At the prompt, enter:

   bin

6. Transfer the ipso.tgz file to the platform. At the prompt, enter:

   put ipso.tgz

7. Close the FTP session.

Verifying MD5 Values

Use the MD5 application to verify that the ipso.tgz file did not change during the download process:

1. Log on to the platform through a console connection.
2. At the prompt, enter:

   md5 ipso.tgz

   You should see a response that displays the MD5 value of the file; it should match the MD5 value shown at the Nokia support site. For example, you should see something like the following (this is an example only; you will see a different value):

   MD5 (ipso.tgz) = 1b248152586d0599e27130b1251c38c6

3. Compare the MD5 value you see to the value posted on the Nokia support site. If the values are identical, the download was successful and the file is good. If not, download the file (in binary) again and repeat this procedure.

To complete your installation of IPSO, proceed to the following section.
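The comparison in steps 2 and 3, as an added Python example (not from the guide): it parses the BSD-style line that md5 prints on IPSO as well as the md5sum layout common on workstations, hashes the downloaded file in chunks, and compares the result to the value noted from the support site, rejecting a truncated or mistyped reference value instead of silently matching on a prefix. The only digest taken from the guide is its sample line; the other file names and digests are constructed (the known MD5 of the bytes "abc"). A matching value shows the transfer did not corrupt the file; what it attests to beyond that depends on the reference value having been read from the support site itself.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Output line of the IPSO `md5 ipso.tgz` command (BSD layout), for example
#   MD5 (ipso.tgz) = 1b248152586d0599e27130b1251c38c6
_BSD_RE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{32})$")
# Layout of GNU md5sum on a workstation: "<hex>  name" (text) or "<hex> *name" (binary)
_GNU_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]{32}) [ *](?P<name>.+)$")


def parse_md5_output(line: str):
    """Return (file name, lowercase hex digest) from either md5 output layout."""
    line = line.strip()
    m = _BSD_RE.match(line) or _GNU_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised md5 output: {line!r}")
    return m.group("name"), m.group("hex").lower()


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large image does not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digests_match(reported: str, expected: str) -> bool:
    """Compare a digest printed by md5 with the value noted from the support site.

    Case and surrounding whitespace are ignored, but both values must be full
    32-digit digests, so a truncated copy of the expected value is an error
    rather than a prefix match."""
    a, b = reported.strip().lower(), expected.strip().lower()
    if not (re.fullmatch(r"[0-9a-f]{32}", a) and re.fullmatch(r"[0-9a-f]{32}", b)):
        raise ValueError("an MD5 digest is exactly 32 hex digits")
    return hmac.compare_digest(a, b)


def verify_download(path: str, expected_hex: str) -> bool:
    """True when the file on disk hashes to the published value."""
    return digests_match(md5_of_file(path), expected_hex)


def demo() -> bool:
    """Constructed check: write a small file containing b"abc" and verify it
    against the well-known MD5 of those bytes (given here in upper case to
    show that case does not matter)."""
    fd, path = tempfile.mkstemp(prefix="ipso-demo-", suffix=".tgz")
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    try:
        return verify_download(path, "900150983CD24FB0D6963F7D28E17F72")
    finally:
        os.remove(path)


if __name__ == "__main__":
    name, digest = parse_md5_output("MD5 (ipso.tgz) = 1b248152586d0599e27130b1251c38c6")
    print(name, digest)
    print("demo file verified:", demo())
```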

Installing Nokia IPSO 3.8.1 from Nokia Network Voyager or the Command Shell

You can change the version of IPSO running on your platform in either of the following ways:

• Add the new version of IPSO (also known as an IPSO image) without removing the existing images or your configuration information. If you add a new version, you can revert to the earlier versions stored on the platform. When you do so, your configuration information is not affected. If you copied the ipso.tgz file to the platform you are upgrading as described in “Transferring the ipso.tgz file” on page 53, you must use this method. You can use Nokia Network Voyager, the IPSO shell, or the IPSO CLI to add an image. The procedures for using Network Voyager and the IPSO shell are explained below. For information about how to add an image using the IPSO CLI, see the CLI Reference Guide for Nokia IPSO 3.8.1. When you add an IPSO image, the IPSO boot manager is upgraded automatically if your system does not have the boot manager for the image you are adding.

  Note: To upgrade Check Point NG, do so after you upgrade IPSO. After you upgrade to Nokia IPSO 3.8.1, you must reactivate the current version of Check Point NG (the version you are upgrading from). You must make sure that the current version of Check Point NG is active to complete the upgrade to Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8.1 successfully. See “Upgrading Check Point NG with the Nokia IPSO Command Shell” on page 66. Nokia IPSO 3.8.1 supports Next Generation with Application Intelligence (R55) for Nokia IPSO 3.8.

• Perform a fresh installation, which removes the existing images and your configuration information. If you perform a fresh installation, you can restore versions of IPSO that were previously installed, but the process is more involved and all of your configuration information is removed again. For information about how to perform a fresh installation, see “Overwriting Existing Images (Fresh Installation)” on page 59.


When you perform a fresh installation, you are asked whether you want to upgrade the boot manager program, if this is appropriate. You should choose to upgrade the boot manager.

Adding a Nokia IPSO Image Using Nokia Network Voyager

Note: To upgrade Check Point NG, do so after you upgrade IPSO. After you upgrade to Nokia IPSO 3.8.1, you must reactivate the current version of Check Point NG (the version you are upgrading from). You must make sure that the current version of Check Point NG is active to complete the upgrade to Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8.1 successfully. See “Upgrading Check Point NG with the Nokia IPSO Command Shell” on page 66. Nokia IPSO 3.8.1 supports Next Generation with Application Intelligence (R55) for Nokia IPSO 3.8.1.

Using Network Voyager is a convenient way to add an IPSO image to a platform. To view the instructions about how to do this, follow these steps:

1. On the Network Voyager home page, click Doc.
2. Click System Configuration.
3. Scroll down to Installing New IPSO Images and click Upgrading the IPSO Image.

Adding a Nokia IPSO Image from the Command Shell

This section describes how to install IPSO by using the IPSO command shell over a console connection. (For instructions about how to install IPSO by using the CLI, see the “System Configuration Commands” section of the CLI Reference Guide for Nokia IPSO 3.8.1 Beta. To access this document, click Doc on the Voyager home page, then click the link for the CLI Reference Guide. The CLI Reference Guide is also included on the Nokia Security Platform Software CD that came with your platform.)

Note: When you add an image or perform a fresh installation by using the IPSO command shell, use a console connection (rather than by Telneting to an interface that is already configured).

To add a new image from the IPSO command shell, use the newimage command. The syntax is:

newimage [[-i | -l local_file] [-b] [-R | -T]] [-r | -t image_name] [-k] [-v]

Table 1 describes the options you can use with the newimage command.

Table 1 newimage Options

Option           Description
-i               Load a new image interactively. Interactive mode supports anonymous FTP, FTP with a user name and password, access to a CD-ROM, and access to the local file system.
-l local_file    Extract the new image from a local file.
-b               Force upgrade of boot manager.
-R               Use newly installed image at next reboot.
-T               Test boot using newly installed image.
-r image_name    Specify image to run at next boot.
-t image_name    Specify image to run at next test boot.


Note: You must reboot your platform after you use the newimage command to upgrade the IPSO image. Save your current configuration before you install the new image.

To add an IPSO image:

1. Log on to your platform by using a console connection.

   Note: If you originally downloaded IPSO 3.8.1, use the MD5 application to check that the file originated at Nokia and did not change during the download process. (See “Verifying MD5 Values” on page 54.)

2. Perform one of the following, depending on whether you copied the ipso.tgz file to your platform or will install it from an FTP server:

   • If the IPSO image is copied to your platform, enter:

     newimage -k -l ipso.tgz

     You should see a response similar to the following:

     ipso.tgz
     Validating image...done.
     Version tag stored in image: IPSO-3.8.1-FCS1-releng 849 06.12.2003-102644
     Installing new image...done [example]

   • If the IPSO image is on an FTP server, enter:

     newimage -i -k

     The installation procedure prompts you for the IP address of the FTP server and the path to the ipso.tgz file.

3. At the prompt, choose the image to load after the next reboot.
4. At the prompt, reboot your platform.


Overwriting Existing Images (Fresh Installation)

Caution: The following procedure deletes any existing images and configuration information on your platform. Back up any files that you want to keep and copy them back to the platform after you install the new system.

Before you begin, make sure that you know:

• The serial number of your platform. The number is on a sticker attached to the platform and is preceded by “S/N.”
• Whether the platform will run IGRP.
• Whether the platform will run BGP.
• Whether to run the platform in diskless mode. Only an IP2250 platform should be run in diskless mode. All other Nokia platforms contain hard drives and should not be run in diskless mode. For every platform except an IP2250 platform, enter n, for no, when you are prompted after the following question:

  Do you want to install a diskless image (y/n)?

  On an IP2250 platform only, the install script also asks you whether you want to install the image on a PC flash card if it detects such a device and whether you want to store logs on a PC flash card if you have such a device installed. You should not install an image on a PC flash card, but you should choose to store logs on a PC flash card.

• An IP address that you will assign to the platform.
• The appropriate network mask length.
• The IP address of the FTP server.
• The path to the ipso.tgz file on the FTP server.
• The IP address of the default gateway for the platform.
• A host name to assign to the platform.
• An appropriate password to assign to the administrator account.


Note: If you perform a fresh installation and later downgrade to an earlier version of Nokia IPSO, all current configuration information is deleted. For example, if you perform a fresh installation of IPSO 3.8.1 and later downgrade to IPSO 3.8, all your current configuration is deleted after you reboot your platform.

The following sections describe a fresh installation of the IPSO image using the install command. The procedure differs depending on your platform. To perform a fresh installation on a platform, see “Fresh Installation on Nokia Appliances” on page 60.

Fresh Installation on Nokia Appliances

1. Log on to your platform through a console connection.
2. At the prompt, enter: reboot
3. When you see the following message, press 1:

   Verifying DMI Pool Data ........
   1 . . . Bootmgr
   2 . . . IPSO
   Press 1 to start the boot manager.

4. When the system enters autoboot mode and displays the following message, press any key to display the boot manager prompt:

   Type any character to enter command mode

5. At the boot manager prompt, enter: install
   If a password is configured, the system prompts you to enter the boot manager password. The installation script runs. Follow the prompts to install the new IPSO image from an FTP server.


6. If you are asked whether you want to upgrade the boot manager, choose to do so.
7. At the end of the installation procedure, enter: reboot
8. After your platform reboots, follow the prompts to configure basic settings.
9. When you see the following message, type 1:

   You can configure your system in two ways:
   1) configure an interface and use our Web-based Voyager via a remote browser
   2) VT100-based Lynx browser
   Please enter a choice [ 1-2, q ]:

10. When you see the following message, choose y (the default option):

    Do you wish to set the default route [ y ] ?

    If you choose n, you cannot use Network Voyager unless you do one of the following:

    • Perform the installation procedure again and set a default route.
    • Use the command-line interface over a console connection to create a default route or static route.
    • Connect to the platform by using a system that is on the same network as a configured interface on the platform.

11. If you have a modem installed, you see a message similar to the following:

    Modem detected on /dev/cuaa1. Enable logins on this modem [y,n]:

    To enable logging in to the platform through the modem, you can configure the modem now or configure it in Network Voyager or the IPSO CLI after you complete the installation. To configure the modem for logins now, type y. You are then prompted to configure a country code for the modem. For a list of the valid country codes, see “Modem Country Codes” on page 67.


12. When you are prompted to log in to the platform, you are ready to continue configuring your platform. Do one of the following:

    • Log into the platform and use the newpkg command to install packages. For more information, see “Using the newpkg Command” on page 64.
    • Use Network Voyager to complete the configuration (including installing packages). To log in by using Network Voyager, enter the IP address you configured for the platform in the URL field of your browser.

Installing and Activating Packages

After you install Nokia IPSO, you might want to install Nokia documentation and third-party packages (Check Point NG, for example). If you added a new version of IPSO by using the newimage command and the -k (keep) option, your previous packages are active with the new IPSO version. If you used newimage without the -k option, all the optional packages currently installed on the platform are turned off, but they are not deleted. To turn these packages on again, see “Activating Packages” on page 64. If you performed a fresh installation of IPSO, you must install and activate the packages you want to use. You can do this by using Network Voyager, the command-line interface (CLI), or the newpkg command at the IPSO command shell. For information about how to use the CLI to install and activate packages, see the CLI Reference Guide for Nokia IPSO 3.8.1 Beta, which is on the Nokia Security Platform Software CD that came with your platform. You can also get the CLI Reference Guide by clicking Doc on the Network Voyager home page or by visiting the Nokia customer support web site. For information about the newpkg command, see “Using the newpkg Command” on page 64. For information about how to install packages, see “Using Nokia Network Voyager to Install Packages” on page 63.


Using Nokia Network Voyager to Install Packages

To install Nokia documentation and third-party packages by using Network Voyager:

1. Log on to your platform by using Nokia Network Voyager.
2. On the Network Voyager home page, click the System Configuration link.
3. Click Manage Installed Packages.
4. Click FTP and Install Packages.
5. Enter the name or IP address of the FTP server.
6. Enter the path to the directory on the FTP server where the packages are stored.
7. If necessary, enter the appropriate user name and password.
8. Click Apply. The names of the available packages appear in the Site Listing window.
9. Select the packages you want to install.
10. Click Apply. The selected package is downloaded to the platform. When the download is complete, the package appears in the Unpack New Packages field.
11. Select the package in the Unpack New Packages field.
12. Click Apply.
13. Click the link to install or upgrade the package.
14. (Optional) To display all installed packages, click Yes next to Display all packages; then click Apply.
15. (Optional) To perform a first-time installation, click Yes next to Install; then click Apply.
16. (Optional) To upgrade a package, click Yes next to Upgrade.
17. (Optional) To upgrade a package, click the button of the package that you want to upgrade under Choose one of the following packages to upgrade from.


18. Click Apply.
19. Click Save to make your changes permanent.
20. To activate packages, see “Activating Packages” on page 64.

Activating Packages

To turn on optional packages that were deactivated when you added a new version of Nokia IPSO by using the newimage command:

1. Log on to the platform using Nokia Network Voyager.
2. On the Network Voyager home page, click the System Configuration link.
3. Click Manage Installed Packages.
4. Click On next to the packages you want to turn on.
5. Click Apply.
6. Click Save.
7. Reboot your platform.

Your installation of IPSO 3.8.1 is complete, and the packages that you selected are activated.

Using the newpkg Command

Use the newpkg command to add documentation and third-party packages. To use the configuration files from a previously installed version of a package, use Network Voyager to upgrade the package. The syntax of newpkg is:

newpkg [-d] [-h] [-i] [-l user_name] [-m media_type] [-n path] [-o path] [-p password] [-s server_ipaddrs] [-S] [-v]

Table 2 describes the options you can use with the newpkg command.


Table 2 newpkg Options

Option              Description
-d                  Print debug messages.
-h                  Display help lines for command-line parameters.
-i                  Install only (do not activate).
-l user_name        User name for FTP.
-m media_type       Media type; for example, FTP, CD, and so on.
-n path             Full path to new package.
-o path             Full path to old package for upgrade.
-p password         Password for FTP.
-s server_ipaddrs   The server IP address if media type is FTP/AFTP.
-S                  Silent mode. Silent mode requires the following options: -o, -m, -n. If the media type is FTP/AFTP, silent mode also requires -s. If the media type is FTP, silent mode also requires -l, -p.
-v                  Verbose FTP.

Note: The newpkg command is automatically invoked if you perform a fresh installation. You are prompted to install or skip each package.

To turn on the installed packages, continue with the procedure in “Activating Packages” on page 64.


Upgrading to Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8

You can upgrade to Check Point NG with Application Intelligence (R55) for IPSO 3.8 from the following versions of Check Point software:

• NG with Application Intelligence (R55)
• NG with Application Intelligence (R54)
• NG FP3
• NG FP2
• NG FP1
• 4.1 SP6
• 4.1 SP5

Note: Nokia IPSO 3.8.1 supports Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8. Do not run any other version of Check Point NG with IPSO 3.8.

Upgrading Check Point NG with the Nokia IPSO Command Shell

When you upgrade to NG with Application Intelligence (R55) for Nokia IPSO 3.8 and Nokia IPSO 3.8, follow this procedure.

1. Upgrade to Nokia IPSO 3.8.1.
2. Reboot the Nokia IP security platform.
3. Upgrade to Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8 by using the following procedure.

Note: After you upgrade to Nokia IPSO 3.8.1 and reboot your platform, you must reactivate the current version of Check Point NG (the version you are upgrading from). You must make sure that the current version of Check Point NG is active to complete the upgrade process successfully.

See “Installing Nokia IPSO 3.8.1 from Nokia Network Voyager or the Command Shell” on page 54 for more information on how to upgrade to IPSO 3.8.1.

To Upgrade NG

1. Log on to your platform console.

   Note: The current version of Check Point NG (the version you are upgrading from) must be active to complete the upgrade successfully.

2. At the prompt, enter: newpkg
3. Choose the installation method that allows you to upgrade from an FTP server.
4. At the prompt, enter the pathname to the directory on your server that contains package files.
5. Follow the system prompts to install NG.
6. Reboot the system.

Modem Country Codes

If you configure a Nokia-supported PC card modem while you are installing Nokia IPSO, use the tables in this section to choose the appropriate country code.

Table 3 Country Codes for Ositech Five of Clubs Modem

Country Code   Country
22             USA
20             Canada
1              Australia
2              Belgium
3              Denmark
4              Finland
5              France
6              Germany
17             Greece
99             Iceland
7              Ireland
8              Italy
9              Luxembourg
10             The Netherlands
11             Norway
12             Portugal
13             Spain
14             Sweden
25             Switzerland
16             United Kingdom

Table 4 Country Codes for Ositech Five of Clubs II Modem

Country Code   Country
B5             USA
20             Canada
09             Australia
0F             Belgium
31             Denmark
3C             Finland
3D             France
42             Germany
46             Greece
57             Iceland
59             Italy
69             Luxembourg
7B             The Netherlands
82             Norway
B8             Portugal
A0             Spain
A5             Sweden
A6             Switzerland
B4             United Kingdom


4

Limitations

Nokia wants to hear about information you might have regarding the limitations in this chapter. For information about how to contact Customer Service, see the contact information at the beginning of this document. For a more comprehensive listing of resolutions to problems, see the online knowledge base after you log in at https://support.nokia.com. Consult the knowledge base occasionally because records are continually added after completed cases are reported to the Customer Service Center. The following sections describe known limitations associated with IPSO 3.8.1.

High-Availability Limitations The following section includes information about limitations regarding the Nokia implementations of IP Clustering and VRRP.

VRRP and VMAC Mode

Your VRRP implementation might stop functioning if you configured a virtual MAC address mode that does not guarantee that both routers in a VRRP pair have the same MAC address for a specific virtual router. The four VMAC modes are VRRP (the default), interface, extended, and static. Use one of the following workarounds to ensure this situation does not occur.

- Use a VMAC mode that maintains the same virtual MAC address for a specific virtual router regardless of which VRRP router becomes the master. The three options are VRRP mode, which selects the VMAC according to the VRRP specification; static mode, which lets you configure a specific address; and extended mode. In extended mode, the system dynamically calculates three bytes of the interface hardware MAC address to extend its range of uniqueness.
- Make sure you fully configure all VRRP routers before you connect any other nodes to the network.
- As you configure VRRP on your Nokia platforms, bring down each of the interfaces on the local area network (LAN) on which VRRP is being configured. Then configure VRRP on each interface. Bring up the interfaces logically only after you configure all the interfaces in the LAN on which you want to run VRRP.
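To see why the mode matters, the following Python script, an added example that is not Nokia's code, computes the virtual MAC each router of a pair would present for a given VRID under the VRRP, static and interface modes and reports whether a failover would change it. It assumes, as the description above implies, that interface mode uses each router's own hardware MAC; extended mode is not modeled because this document does not give its exact derivation. The router inventory in the script is constructed for the example.

```python
"""Check whether a VRRP pair presents a stable virtual MAC across failover.

Added example, not Nokia's code. Models three of the four IPSO VMAC modes
described above. Extended mode is not modeled (its derivation is not given
in the release notes). The router inventory below is constructed.
"""

VRRP_MAC_PREFIX = "00:00:5e:00:01"  # RFC 3768: 00-00-5E-00-01-{VRID}


def vrrp_spec_vmac(vrid: int) -> str:
    """Virtual MAC chosen by the VRRP specification for a VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"{VRRP_MAC_PREFIX}:{vrid:02x}"


def effective_vmac(router: dict, vrid: int) -> str:
    """Virtual MAC this router would use when it is master for the VRID."""
    mode = router["vmac_mode"]
    if mode == "vrrp":
        return vrrp_spec_vmac(vrid)           # identical on every router
    if mode == "static":
        return router["static_vmac"].lower()  # operator-supplied, must match
    if mode == "interface":
        # Assumption: interface mode advertises the router's own hardware MAC.
        return router["hw_mac"].lower()       # differs per router
    raise ValueError(f"VMAC mode {mode!r} is not modeled in this example")


def failover_preserves_vmac(routers: list, vrid: int) -> tuple:
    """Return (stable, {router_name: vmac}) for one virtual router."""
    macs = {r["name"]: effective_vmac(r, vrid) for r in routers}
    return len(set(macs.values())) == 1, macs


# Constructed inventory: the same pair in the default mode and in interface mode.
GOOD_PAIR = [
    {"name": "fw-a", "vmac_mode": "vrrp", "hw_mac": "00:A0:8E:11:22:33"},
    {"name": "fw-b", "vmac_mode": "vrrp", "hw_mac": "00:A0:8E:44:55:66"},
]
BAD_PAIR = [
    {"name": "fw-a", "vmac_mode": "interface", "hw_mac": "00:A0:8E:11:22:33"},
    {"name": "fw-b", "vmac_mode": "interface", "hw_mac": "00:A0:8E:44:55:66"},
]

if __name__ == "__main__":
    for label, pair in (("vrrp mode", GOOD_PAIR), ("interface mode", BAD_PAIR)):
        stable, macs = failover_preserves_vmac(pair, vrid=10)
        verdict = "stable across failover" if stable else "VMAC CHANGES ON FAILOVER"
        print(f"{label}: {verdict} {macs}")
```

Run against a real inventory, the check flags any VRID for which the two routers would advertise different virtual MACs, which is exactly the situation the first workaround above tells you to avoid: hosts and switches that cached the old MAC keep sending to the former master until ARP entries age out.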

Deleting Backup Addresses for VRRP Monitored Circuit (Simplified Configuration) When deleting an IP address from a logical interface, you must first delete the corresponding backup addresses configured in the Monitored Circuit, Simplified Configuration, for the specified virtual router. The configuration for the virtual router might become corrupted if you delete the IP address before you delete the backup addresses. This issue does not apply either to the legacy configuration of Monitored Circuit or to VRRPv2. In the simplified method of configuring Monitored Circuit, the system determines the associated interfaces for the addresses configured for the virtual router, whereas in the legacy configuration, you must select which interfaces to associate with the virtual addresses of the virtual router.


Transparent Mode with VRRP and Check Point NG VPNs Do not use transparent mode with VRRP and Check Point NG VPN traffic with IPSO 3.8. You can, however, configure transparent mode with VRRP and Check Point NG firewall traffic for reliable operation. That implementation functions properly.

Transparent Mode and Check Point NG SmartDashboard When you use SmartDashboard to configure the Gateway Cluster properties of a VRRP pair that uses IPSO transparent mode, do not enter any interface information in the Topology window of the cluster object.

SecureXL and VRRP When you use VRRP with SecureXL enabled, Nokia strongly recommends that you configure the maximum connection capacity on your firewall to 470,000 connections or fewer based on the amount of memory installed on your Nokia IP security platform. If your firewall is configured for a higher connection capacity, your platform might crash, drop packets, or operate with reduced throughput, and SecureXL might automatically become disabled. For more information on SecureXL and memory considerations, see “Memory Considerations When Using SecureXL” on page 76

VRRP Failover and Failback This section describes a problem that can occur with failover and failback in VRRP groups running VPN-1 NG.

If the VRRP master contains a NIC with internal and external interfaces, a temporary problem can occur if you do the following:

1. You configure a VPN tunnel on an external interface on the NIC.
2. You remove the NIC while the system is running, or disable the external and internal interfaces being used by the tunnel. Failover to the backup system occurs properly.
3. You reinsert the NIC that you removed, or reenable the interfaces. The original master becomes the master again. When the original master reasserts itself, the tunnel does not fail back to it.

VRRP in a Multicast Environment and Check Point NG When you use VRRP in a multicast environment, set the Check Point cluster control protocol (CP CCP) to send sync updates using broadcast mode rather than multicast mode. To do this, use the command cphaconf set_ccp broadcast.

VRRP Performance and Check Point NG You experience a drop in connections per second when you enable VRRP on your Nokia IP security platform. This is normal behavior because Check Point NG has to perform the necessary synchronization of IP addresses between the default router and the backup router to facilitate dynamic failover.

Check Point NG and IP Clustering

If you are running large-packet VPN traffic encrypted by VPN gateways in an IP cluster, the console of the decrypting device (the gateway running the firewall that decrypts the traffic) might display the following message:

Authentication Failure.

You can ignore this message. It does not affect the operation of your system.

Check Point NG, IP Clustering, and PIM

To configure Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8 with IP clustering and either PIM-SM or PIM-DM, configure Check Point NG as follows.

1. Use Check Point SmartDashboard to create and configure the cluster gateway object. For more information on how to configure the cluster gateway object, see the IP Clustering Configuration Guide for Nokia IPSO 3.8.1.
2. Click the 3rd Party Configuration tab and configure as follows only when PIM-SM or PIM-DM is enabled with IP Clustering:
   a. For the availability mode of the gateway cluster object, select load sharing.
   b. In the third-party drop-down list, select Nokia IP clustering.
   c. Make sure that the check box next to Forward Cluster Members’ IP addresses is not checked. If it is checked, click the check box to remove the check. Make sure that all the other available check boxes are checked.

Note
All available check boxes should be checked if you are not enabling PIM-SM or PIM-DM in an IP cluster.

3. Click Ok to save your changes.

IP Clustering and PIM Dense-Mode

When you enable PIM Dense-Mode (PIM-DM) in an IP cluster, and a prune is received by the cluster for a multicast stream for which there are no downstream receivers, the cluster stops forwarding traffic but might not properly propagate the prune upstream. This situation occurs when the stream is assigned to a member of the cluster that is not the master.

Other Limitations The following sections describe limitations to all other aspects of Nokia IPSO.

Memory Considerations When Using SecureXL

SecureXL enhances performance by accelerating connection establishment but requires more system memory for each connection than Firewall Flows. Generally, each SecureXL connection requires about twice as much memory as a Firewall Flows connection. Therefore, Nokia strongly recommends that when you enable SecureXL on a system that is already running Check Point firewall software, you halve the values you have set for the maximum number of connections if those values were optimized for the available system memory. For information on the number of connections supported for specific amounts of memory, consult the tables below. Table 5 “All Nokia IP Security Platforms Except IP2250” on page 77 gives Check Point values for SecureXL installed on a disk-based platform. Table 6 “Nokia IP 2250 Security Platforms” on page 77 gives Check Point values for SecureXL running on a diskless platform. Use the values in the second column to determine which value to enter in the Check Point GUI for the maximum number of connections.

Note
The values for Check Point maximum connections apply to stand-alone platforms only. When running VRRP, you should set your maximum connections to 470,000 or fewer. This restriction applies specifically to platforms that have 2 GB of memory installed. For more information on VRRP and SecureXL, see “SecureXL and VRRP” on page 73.

Table 5 All Nokia IP Security Platforms Except IP2250

DRAM     Check Point maximum connections (disk-based)   Hash table size (disk-based)   Memory pool size (disk-based)   Maximum memory pool size (disk-based)
128 MB   25,000                                         Default                        24 MB                           32 MB
256 MB   48,000                                         2 MB                           48 MB                           64 MB
512 MB   200,000                                        4 MB                           196 MB                          256 MB
1 GB     400,000                                        8 MB                           400 MB                          512 MB
2 GB     800,000                                        16 MB                          800 MB                          900 MB

Table 6 Nokia IP 2250 Security Platforms

DRAM     Check Point maximum connections (diskless)   Hash table size (diskless)   Memory pool size (diskless)   Maximum memory pool size (diskless)
512 MB   150,000                                      4 MB                         128 MB                        196 MB
1 GB     250,000                                      8 MB                         256 MB                        400 MB
2 GB     800,000                                      16 MB                        800 MB                        900 MB

Consult Table 7 “Nokia IPSO Maximum Connections” on page 78 to determine the maximum number of IPSO connections for specific amounts of memory. These values apply to IPSO 3.8.1 and are hard coded in IPSO. The value you set for Check Point maximum connections cannot exceed the IPSO maximum connections for a given amount of memory.

Table 7 Nokia IPSO Maximum Connections

DRAM     IPSO Maximum Connections
128 MB   20,000
256 MB   40,000
512 MB   150,000
1 GB     400,000
2 GB     800,000
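The constraints in this section (the Table 5 and Table 6 figures, the Table 7 ceiling that a Check Point value must not exceed, the halving rule when SecureXL replaces Firewall Flows, and the 470,000 cap under VRRP) interact, and a practitioner usually wants to apply all of them to a proposed setting at once. The following Python script is an added example written for this page, not Nokia or Check Point code; the function names and the sample values are the author's. It encodes the published figures and reports the effective limit for a given DRAM size, platform type and feature set.

```python
"""Sanity-check a proposed Check Point maximum-connections value against the
limits stated in "Memory Considerations When Using SecureXL" (Tables 5 to 7,
the SecureXL halving rule and the VRRP cap).

Added example, not Nokia's or Check Point's code. The table contents are the
figures printed in this section; function names and sample inputs are the
author's.
"""

MB = 1
GB = 1024  # DRAM sizes are expressed in megabytes

# Table 5: Check Point maximum connections, SecureXL on a disk-based platform.
CP_MAX_DISK = {128 * MB: 25_000, 256 * MB: 48_000, 512 * MB: 200_000,
               1 * GB: 400_000, 2 * GB: 800_000}
# Table 6: the same figures for the diskless IP2250.
CP_MAX_DISKLESS = {512 * MB: 150_000, 1 * GB: 250_000, 2 * GB: 800_000}
# Table 7: IPSO's hard-coded ceiling per DRAM size.
IPSO_MAX = {128 * MB: 20_000, 256 * MB: 40_000, 512 * MB: 150_000,
            1 * GB: 400_000, 2 * GB: 800_000}
# "SecureXL and VRRP": 470,000 connections or fewer when VRRP is enabled.
VRRP_CAP = 470_000


def recommended_max_connections(dram_mb, diskless=False, vrrp=False):
    """Largest value this section permits for the DRAM size and feature set."""
    table = CP_MAX_DISKLESS if diskless else CP_MAX_DISK
    if dram_mb not in table:
        raise ValueError(f"no published figure for {dram_mb} MB on this platform type")
    limit = min(table[dram_mb], IPSO_MAX[dram_mb])  # Check Point value may not exceed IPSO ceiling
    if vrrp:
        limit = min(limit, VRRP_CAP)
    return limit


def securexl_value_from_flows_value(flows_max_connections):
    """Halve a value that was tuned for Firewall Flows before enabling SecureXL."""
    return flows_max_connections // 2


def check_setting(proposed, dram_mb, diskless=False, vrrp=False):
    """Return a list of problems with a proposed Check Point max-connections value."""
    problems = []
    if proposed > IPSO_MAX[dram_mb]:
        problems.append(f"exceeds IPSO hard ceiling {IPSO_MAX[dram_mb]:,}")
    allowed = recommended_max_connections(dram_mb, diskless, vrrp)
    if proposed > allowed:
        problems.append(f"exceeds recommended {allowed:,} for this configuration")
    return problems


if __name__ == "__main__":
    # Sample inputs (constructed): a 2 GB disk-based platform moving to VRRP,
    # and a 1 GB platform whose value was tuned for Firewall Flows.
    print(check_setting(800_000, 2 * GB, vrrp=True))
    print(securexl_value_from_flows_value(400_000))
    for dram in (128 * MB, 256 * MB, 512 * MB, 1 * GB, 2 * GB):
        print(dram, "MB ->", recommended_max_connections(dram))
```

Because the script takes the minimum of the Table 5 figure and the Table 7 ceiling, it shows that on 128 MB, 256 MB and 512 MB platforms the IPSO ceiling (20,000, 40,000 and 150,000) is lower than the Table 5 Check Point figure and therefore governs, and that on a 2 GB platform the cap falls from 800,000 to 470,000 as soon as VRRP is enabled.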

SecureXL and NAT

Connection establishment that does not use network address translation (NAT) is significantly accelerated when you enable SecureXL. However, connection establishment that uses NAT does not benefit from SecureXL acceleration.

SecureXL and Check Point Supported Algorithms

Only supported security associations are passed to IPSO. The following table shows the supported Check Point cryptographic algorithms and Nokia cryptographic hardware for Nokia IP security platforms.

Table 8 Check Point Supported Cryptographic Algorithms

Nokia cryptographic hardware                 Check Point cryptographic algorithms
Nokia Encryption Accelerator II              3DES, DES, Null
Nokia Encryption Accelerator IV              3DES, DES, Null, MD5, SHA1, AES128
ADP Nokia Encrypt (IP2250 platform only)     3DES, DES, Null, MD5, SHA1, AES128

SecureXL and SecureClient

If you are running a SecureClient session in connect mode and your connection stops functioning, use the disconnect option in the SecureClient GUI to disconnect from and reconnect to the gateway without stopping and restarting your SecureClient session; the session is transparently reinitiated after you reconnect. Network administrators who are running SecureXL on a Nokia platform should give SecureClient users this same advice.

SecureXL and VPN Accelerator Card Error Message When SecureXL is enabled, you receive a message that suggests that you installed a VPN accelerator card even if you did not. Ignore this message. The operation of your Nokia platform or Check Point NG is not affected.


Check Point NG with Firewall Flows and NAT Enabled

When you enable NAT with Firewall Flows, you experience a 10 to 11 percent reduction in the maximum number of connections on the firewall on the IP530, IP380, and IP350 platforms compared with connections that do not use NAT. When you enable NAT with Firewall Flows, you need to change the maximum connections on the firewall to 376404.

Check Point NG with Application Intelligence and ICMP When a VPN community is configured and SecureXL is disabled, the firewall drops large ICMP packets when you ping the external interface of the firewall. When SecureXL is enabled, pinging with ICMP packets of 60,000 bytes or more functions properly.

Check Point NG and BGP You cannot establish a connection between two BGP peers by using loopback addresses when either the Check Point NG VPN policy or the FW policy is enabled on the routers that are running BGP. You can use loopback addresses with BGP to establish a peer connection between two routers when the firewall is running on other devices to which the routers are connected.

Check Point NG Time-Out Values If you are maintaining an open connection for traffic whose time-out values for UDP connections, TCP connections, or TCP sessions exceeds the default values for Check Point NG, Nokia recommends that you increase the Check Point time-out values to match the time-out values of that traffic. The default Check Point NG time-out values are 40 seconds for UDP connections, 20 seconds for TCP connections, and 3600 seconds for TCP sessions. If you do not increase the Check Point time-out values for traffic that exceeds the default values, you might experience packet losses and reduced performance when closed connections have to be re-established.


Check Point NG and IPv6 Traffic

You can configure a maximum of eight IPv6 addresses for each interface when running Check Point NG. When a policy is pushed to a Nokia appliance that has more than eight IPv6 addresses configured on any interface, the console logs the following critical kernel error messages:

Sept 2 10:07:32 anu-r8 [LOG-CRIT] kernel: FW-1: Not all ip addresses installed
Sept 2 10:07:32 anu-r8 [LOG-CRIT] kernel: FW-1: Can only handle 8 ip addresses per interface

Unlike the messages elsewhere in this chapter that can be ignored, these indicate that the policy was not installed for every address on the affected interface. Reduce the number of IPv6 addresses on that interface to eight or fewer and push the policy again.

Check Point NG and Incorrect Version Display

Both Nokia Network Voyager and the CLI display the incorrect version of Check Point NG when you run the fw command. The command returns NG with Application Intelligence (R55) for IPSO 3.8 rather than IPSO 3.8.1. This error occurs even when you install Check Point NG with Application Intelligence (R55) for Nokia IPSO 3.8.1, which is the correct version of Check Point NG for IPSO 3.8.1.

Check Point NG Error Messages When Rebooting Nokia IP Security Platform

When you reboot your Nokia platform and you are running Check Point NG, you might see the following error messages:

sb6 [admin] # halt
Dec 23 19:20:29 sb6 [LOG_CRIT] halt: halted by admin
Dec 23 19:20:29 sb6 [LOG_CRIT] halt: halted by admin
Dec 23 19:20:29 sb6 [LOG_ERR] syslogd: exiting on signal 15
Dec 23 19:20:20 sb6 [LOG_ERR] syslogd: exiting on signal 15
cleaning up . . .
syncing disks . . . 7 7 done
fw_unlock: static_s is -l
fw_unlock: static_s is -l
fw_unlock: static_s is -l
fw_unlock: static_s is -l
The operating system has halted.
Please press any key to reboot.

You can ignore these messages. They do not affect the operation of your platform.

Disk Mirroring To use disk mirroring for IPSO 3.8, Nokia strongly recommends that you first download and install the IPSO 3.8 boot manager and then install the IPSO 3.8 image. If you do not follow this procedure, the system might hang or crash. You might also receive messages that show that the mirror set is 100 percent complete or that the “sync process” is complete when in fact the disks are still syncing.

Four-Port 10/100 Ethernet Card in IP350 and IP380 You can only install one four-port 10/100 Ethernet network interface card in either an IP350 or IP380 Nokia platform. If you install two cards, the console displays error messages when the system starts up and then Nokia IPSO halts. You can either install a different type of card or leave the slot empty.

DHCP Client Process and Manually Assigned IP Addresses

If you configure and enable the DHCP client process on an interface and it receives an IP address that is on the same subnet as an interface to which you have manually assigned an IP address, the client process accepts the server-assigned IP address and removes the manually assigned IP address without notification. For example, if you manually assigned an IP address to eth-s3p1c0 from subnet x.y.z.0/24 and you enable the DHCP client process on eth-s5p1c0, and the DHCP server then assigns an address that is on the x.y.z.0/24 subnet to eth-s5p1c0, the manually assigned IP address on eth-s3p1c0 is removed.

DHCP and VLAN Interfaces If the DHCP client is enabled and you are using DHCP to configure a large number of VLANs, you might experience a delay in having IP addresses assigned to VLAN interfaces.

IP700 Appliances with Copper Gigabit NICs Do not install four dual-port copper Gigabit Ethernet NICs in an IP700 series appliance running IPSO 3.8 or 3.8.1. If you install four of these NICs in an IP710 or IP740, traffic through the interfaces in the NICs may stop flowing unexpectedly.

IP700 Appliances and Nokia Encrypt Card In IP700 Series appliances, the optional Nokia Encrypt Card shares a data bus with slots 3 and 4. If you use this card and VPN connections terminate on your appliance, you should route VPN tunnel traffic through slots 1 and 2 to prevent significantly degraded performance.

Fiber Gigabit Ethernet Card on IP1200 Series Platforms and Extreme Summit and Netgear Switches

If you are running an interface on a fiber Gigabit Ethernet card installed on an IP1200 Series platform that is connected either to an Extreme Summit 7i switch or a Netgear GSM712F switch, and you reboot the switch, the fiber Gigabit Ethernet link is no longer recognized. That is, the Nokia Network Voyager interface displays a red indicator next to the physical interface name, and the output of the ifconfig command shows that the physical interface is not available. This behavior does not occur if you reboot the Nokia platform after the switch is rebooted.

To ensure that the physical interface is recognized, you must manually disable and enable the physical interface either through Network Voyager or through the command line. To make the interface available through Network Voyager, go to the Interfaces page, click Off in the Active field next to the name of the physical interface, click Apply, and then click On. Click Apply, and then click Save to make your change permanent. To bring the interface back up through the command line, enter the following command:

ifconfig eth-INTF physdown

where eth-INTF is the name of the interface you configured and need to make available. You do not need to run the physup command because the interface manager running in the background automatically brings the interface back up.

GigE Interface with Certain Switches

A copper Gigabit Ethernet interface connected to certain switches might not come up after the Nokia system is rebooted. This problem was observed on the IP740 and IP1220, and it does not occur with the IP530.

- The problem does not occur with fiber Gigabit Ethernet interfaces.
- It happens only on the first port of the interface card.
- It occurs only with certain switches.

The problem occurs because some switches do not shut down their interfaces correctly.

Limited SSL Access After Upgrade

If you use Internet Explorer v5.0 or later, you cannot use Network Voyager to connect to the platform if you configured SSL to use 3DES as the required encryption. To connect to the platform, use a different Web browser or change the required encryption level. To change the encryption level to a 128-bit key, enter the following CLI command:

set voyager ssl-level 128

Note
The basis for the IPSO implementation is OpenSSL, which recently introduced a fix. Microsoft has not introduced this security fix into the SSL implementation that runs in Internet Explorer.

Upgrading Image by Using Nokia Network Voyager with Internet Explorer

If you run Network Voyager on any 5.x version of Internet Explorer (IE) and perform an upgrade of the IPSO image through the New Image Installation (Upgrade) page, IE displays a pop-up box with a message to refresh the page because the browser needs to repost the data. You can ignore this message or click Cancel. The upgrade process completes successfully. The pop-up box and the message are a function of Internet Explorer 5.x. You do not see this behavior when you use Netscape or any 6.x version of IE to upgrade your software by using Voyager.

Kernel Error Message

The kernel might generate the following error message when the system detects that a metadata page was modified. You can ignore this message. It does not affect the operation of your platform.

vnode_pager_output: attempt to write meta-data!!! -- 0xfffe8000 (ff)
Jul 21 14:09:58 gwnok [LOG_CRIT] kernel: vnode_pager_output: attempt to write meta-data!!! -- 0xfffe8000 (ff)
FW-1: Initializing buffer to size 2048K
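Several sections in this chapter quote console or syslog messages and state whether they can be ignored (the fw_unlock, syslogd and halt messages on reboot, the vnode_pager_output kernel message above, and the Authentication Failure message on an IP cluster) or indicate a real problem (the FW-1 eight-address IPv6 messages). The following Python script is an added example, not part of the release notes or of any Nokia or Check Point tool; it turns that guidance into a small triage filter that suppresses the documented noise and surfaces the actionable lines. The regular expressions and the sample log lines are the author's, constructed from the messages quoted in this chapter.

```python
"""Triage IPSO / Check Point console and syslog lines using this chapter's
guidance: suppress messages the release notes call harmless and flag the ones
that need action.

Added example, not part of the release notes. Patterns and sample lines are
constructed from the messages quoted in this chapter.
"""
import re

# Messages the notes say you can ignore (no operational impact).
BENIGN = [
    re.compile(r"fw_unlock: static_s is -l"),
    re.compile(r"vnode_pager_output: attempt to write meta-data"),
    re.compile(r"syslogd: exiting on signal 15"),
    re.compile(r"halt: halted by \w+"),
    re.compile(r"^Authentication Failure\.?$"),
]

# Messages that need action, with the remedy from "Check Point NG and IPv6 Traffic".
ACTIONABLE = [
    (re.compile(r"FW-1: Can only handle 8 ip addresses per interface"),
     "reduce IPv6 addresses on the interface to eight or fewer and reinstall the policy"),
    (re.compile(r"FW-1: Not all ip addresses installed"),
     "policy enforcement is incomplete on at least one interface"),
]

# "Mon DD HH:MM:SS host [LOG_xxx] message"; lines that do not match are treated whole.
SYSLOG = re.compile(r"^(?P<ts>\w{3,4}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"\[(?P<sev>LOG[_-]\w+)\] (?P<msg>.*)$")


def triage(line: str) -> tuple:
    """Classify one line as ('benign' | 'action' | 'unknown', detail)."""
    m = SYSLOG.match(line)
    msg = m.group("msg") if m else line.strip()
    for pattern, advice in ACTIONABLE:   # actionable checks win over benign ones
        if pattern.search(msg):
            return "action", advice
    for pattern in BENIGN:
        if pattern.search(msg):
            return "benign", "documented as harmless in the IPSO 3.8.1 release notes"
    return "unknown", msg


def summarize(lines):
    """Return (counts per category, list of (line, advice) needing action)."""
    counts = {"benign": 0, "action": 0, "unknown": 0}
    actions = []
    for line in lines:
        if not line.strip():
            continue
        category, detail = triage(line)
        counts[category] += 1
        if category == "action":
            actions.append((line.strip(), detail))
    return counts, actions


# Constructed sample, assembled from the messages quoted in this chapter plus
# one unrelated line to show that unknown messages are passed through.
SAMPLE_LOG = """\
Dec 23 19:20:29 sb6 [LOG_CRIT] halt: halted by admin
Dec 23 19:20:29 sb6 [LOG_ERR] syslogd: exiting on signal 15
fw_unlock: static_s is -l
Jul 21 14:09:58 gwnok [LOG_CRIT] kernel: vnode_pager_output: attempt to write meta-data!!! -- 0xfffe8000 (ff)
Sept 2 10:07:32 anu-r8 [LOG-CRIT] kernel: FW-1: Not all ip addresses installed
Sept 2 10:07:32 anu-r8 [LOG-CRIT] kernel: FW-1: Can only handle 8 ip addresses per interface
Authentication Failure.
Dec 23 19:21:02 sb6 [LOG_ERR] kernel: eth-s1p1c0: link down
""".splitlines()

if __name__ == "__main__":
    counts, actions = summarize(SAMPLE_LOG)
    print(counts)
    for line, advice in actions:
        print("ACTION:", line, "->", advice)
```

Keeping the actionable patterns ahead of the benign ones matters: a suppression list that is checked first would happily swallow a critical FW-1 message that happened to share a substring with a harmless one. Feed the script /var/log/messages (on an IP2250, retrieve the file through Voyager or the CLI as described later in this chapter rather than opening it with an editor).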


System Failure Notification If you configure your system to use an email message to notify you of a system failure, the message you receive might contain the following in the crash trace section: no debugging symbols found. You can ignore that specific portion of the message. The system failure notification itself remains valid and contains valid information regarding the location of crash files.

Modem Error Message When you configure either a serial or a PCMCIA modem, the Nokia Voyager network access and services page displays an erroneous, “no modem detected,” message. You can ignore this message. It does not affect the operation of your modem. If you log off and then check the status of the modem on the Voyager network access and services page, the page correctly displays a “modem detected” message.

IPv6 Show Command If you configure an interface to use IPv6 and you configure the physical interface as full duplex, the output of the CLI command show ipv6 config incorrectly shows that the interface is configured as half duplex.

Malicious HTML Tags

To protect your platform from malicious HTML tags embedded in client Web requests, do not connect to untrusted Web sites with your browser while you have an active Network Voyager session. A page on an untrusted site can cause your browser to issue requests to Network Voyager while that session is still authenticated, so log out of Voyager, or use a separate browser, before browsing elsewhere.


Misleading Message After Power Failure

If your appliance is powered by an APC uninterruptible power supply (UPS) and a power failure occurs, the system displays several messages, including:

The operating system has halted. Please press any key to reboot.

If you press any key, the system does not reboot. The system shuts down because of the loss of power.

Restrictions Specific to Nokia IP2250 Security Platform

The following section outlines some restrictions and behavior that are specific to the new IP2250 platform.

- The only Nokia IPSO software releases that are initially supported on the IP2250 platform are 3.8 and 3.8.1. Do not attempt to install any other version of IPSO on an IP2250 platform.
- IP Clustering is not supported on the IP2250 platform.
- Transparent bridging is not supported on the IP2250 platform.
- The Chrysalis API is not supported on the IP2250 platform.
- Because the IP2250 platform does not contain any hard disk drives, you can have only two versions of IPSO on the platform at any one time. Before you install a new version of IPSO, delete one IPSO image if you already have two images installed.
- On an IP2250 platform, Check Point NG with Application Intelligence always runs in “enforcement module only” mode. Therefore, you must configure your management station on a separate device to manage the IP2250 platform.
- You cannot store Check Point logs locally on an IP2250 platform. You must configure a remote logging server using SmartDashboard when your IP2250 platform is the enforcement module. You must also configure the logging server using Nokia Network Voyager or the IPSO CLI. When configuring your logging server through SmartDashboard, enter the following values. Click Logs and Masters to go to the Local Log Files page. In the Disk Management section, in the Measure free disk space drop-down list, select Mbytes. Check the Required Free Disk Space check box and enter 256 in the Mbytes box. Check the Alert when free disk space is below check box and enter 250 in the MBytes text box. In the Alert Type drop-down list, select Popup Alert. Check the Stop logging when free disk space is below check box and enter 200 in the MBytes text box. Click Ok to save your values. Do not enter any other values or check any other check boxes on this page.
- Because the IP2250 platform uses a flash memory system, you must use Nokia Network Voyager to configure a remote syslog server and a remote core dump server. It is not necessary to configure remote syslog and core dump servers for an IP2250 platform, but Nokia recommends that you do so. For syslog, use any device connected to a syslog server. For core dump, use a server connected to an FTP/TFTP server. The IP2250 platform overwrites all IPSO log messages when the total reaches 512. This limit does not include kernel and application core dumps; all core dumps and logs are deleted when you reboot the platform. You can, however, save two kernel crash dumps on a compact flash disk. If you retrieve a kernel crash dump using the savecore program, you should clear the dump by using the savecore -c command. You can choose to encrypt traffic between the enforcement module and the devices connected to remote syslog and core dump servers.
- When you install packages using Voyager or the newpkg command using FTP/AFTP media, packages are not automatically stored in the /opt/packages directory. This behavior differs from that of other Nokia platforms. Packages are not automatically saved; you must manually save packages.
- On an IP2250 platform, all installed packages reside in the /opt/packages/installed directory, which you must not change in any way. The IPSO package management system manages this directory.


Note In contrast to the behavior of other Nokia IP platforms, the IP2250 platform does not store Check Point NG because the reliance of the IP2250 platform on a flash memory system limits the memory available for packages.

Upgrading IPSO on an IP2250 Platform

If you are using IPSO 3.8 Build 034 on an IP2250 platform, you cannot use Nokia Network Voyager to upgrade to a later build of IPSO. You must use the newimage command or the CLI to upgrade from Build 034.

Copper Gigabit Ethernet Interface on an IP2250 Platform and Extreme Networks Switches If a copper gigabit ethernet interface on an IP2250 Nokia security platform is connected to an Extreme Networks switch, make sure that autonegotiation is enabled. Extreme Networks does not support disabling autonegotiation and if you disable autonegotiation on the copper gigabit ethernet interface of your IP2250 platform, it will not function with an Extreme Networks switch.

Detecting Cable Disconnection on an IP2250

Under specific circumstances, the IP2250 does not properly detect when a fiber Ethernet cable is disconnected from a NIC. If you remove the transmit portion of the cable, the link status LED on the IP2250 remains green (incorrectly). However, as long as autonegotiation is enabled on the appliance and on the switch it is connected to, IPSO detects the disconnection and correctly shows the link as down in Network Voyager, even though the LED remains green.

This problem applies to the transmit portion of the cable only. If you remove the receive portion of the cable, both the link status LED and the software correctly detect the disconnection. This problem can affect VRRP and IP cluster failover because a master system might not detect the disconnection and will try to fail over to the affected system if there is a failure on the master. To avoid this problem, make sure that autonegotiation is enabled on the IP2250 and the connected switch.

Viewing Log Messages on an IP2250 Platform

To view log messages in the /var/log/messages file on the IP2250 Nokia security platform, use only Voyager or the CLI. Do not use a text editor, such as vi, to open this file. If you do, the console displays junk characters at the end of the file, which you might need to stop with Ctrl-C, resulting in a core dump.

Note
This limitation applies only to the IP2250 platform and does not occur on any other Nokia security platform.

ARP Entries and the IP2250 Platform With a firewall running, dynamic ARP entries cannot be flushed through Voyager or the CLI. Those ARP entries are set to unresolved by the IPSO kernel. This problem can cause VRRP failover or failback to not occur as expected. Additionally, if you enabled the SNMP link down trap, this problem causes the system to fail to generate a link down trap message. To avoid this problem, make sure that autonegotiation is enabled on both the IP2250 and the connected switch.
