Pre-configuring the Firewall

cache will not automatically switch over. If the firewall is enabled on a slave router, then all sessions would have to be re-established. You would have to re-authenticate users for access to authentication-protected servers.

Load Sharing - If two or more firewall-enabled XSRs are linked, load sharing is not supported. Each XSR would act as a discrete firewall and monitor sessions that pass through it.

Secondary IP Address/Firewall - The firewall does not interoperate with interface IP addresses, so a secondary interface address has no effect on firewall operations. Configure network objects for the secondary address just as you would for any primary IP address.

Firewall Authentication over VPN - Firewall authentication is not supported over VPN tunnels.

Pre-configuring the Firewall

We recommend you consider the following suggestions to set up the firewall:

Establish a security plan by:

Examining your network topology

Determining exactly what resources you want to protect

Deciding where on the network to enable the firewall, and planning to write a Telnet or SSH policy for remote administration if you are configuring an XSR located in the field

Making a list of internal addresses

Forming an inventory of desirable applications the firewall will allow between protected and external networks

Look up official port numbers of well-known applications at: http://www.iana.org/assignments/protocol-numbers

The show ip firewall session command also lists these numbers.

Refer to “Firewall Limitations” on page 16-22 before configuration.

Steps to Configure the Firewall

Follow the procedure below to configure the firewall:

Specify the network objects

Specify network-group, service and service group objects

Write TCP/UDP policies. The order of the policies is important, and objects and names are case-sensitive

Specify filters for other protocols (ICMP, OSPF, ESP, etc.)

Set miscellaneous parameters such as:

TCP, UDP or ICMP session timeouts

Logging event-levels 0-7

Authentication service for users

Java and ActiveX filtering

IP options filtering on the interface such as time-stamps, route recording, and loose or strict routing through the Internet
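The procedure above, worked through as an added example that is not part of the XSR User’s Guide and does not use XSR CLI syntax: a small Python model of an object-based, first-match policy table. The object names, the addresses (RFC 5737 test ranges) and the PROTOCOL_FILTERS table are constructed for illustration; the port numbers are the IANA-registered ones. The model shows the two points the steps stress: the order of the policies decides the result, and object names are looked up case-sensitively, so a policy that refers to "inside" instead of "Inside" does not resolve and should be caught before the table is loaded.

```python
import ipaddress

# --- Step 1: network objects; Step 2: a network group (constructed sample values) ---
NETWORKS = {
    "Inside":   ipaddress.ip_network("10.1.0.0/16"),
    "DMZ_Web":  ipaddress.ip_network("192.0.2.10/32"),
    "Internet": ipaddress.ip_network("0.0.0.0/0"),
}
NETWORK_GROUPS = {"Protected": ["Inside", "DMZ_Web"]}

# --- Step 2: service objects as (protocol, destination port), and a service group ---
SERVICES = {
    "http":  ("tcp", 80),
    "https": ("tcp", 443),
    "ssh":   ("tcp", 22),
    "dns":   ("udp", 53),
    "any":   (None, None),   # wildcard: any protocol, any port
}
SERVICE_GROUPS = {"Web": ["http", "https"]}

# --- Step 3: TCP/UDP policies (source, destination, service, action); first match wins ---
POLICIES = [
    ("Internet",  "DMZ_Web",  "Web", "allow"),
    ("Inside",    "Internet", "dns", "allow"),
    ("Inside",    "Internet", "Web", "allow"),
    ("Protected", "Internet", "ssh", "deny"),
]

# --- Step 4: filters for protocols that are not TCP/UDP (constructed sample table) ---
PROTOCOL_FILTERS = {"icmp": "allow", "ospf": "allow", "esp": "deny"}


def resolve_network(name):
    """Expand a network object or network-group name to a list of networks.
    Lookups are exact: 'inside' does not match 'Inside'."""
    if name in NETWORK_GROUPS:
        return [NETWORKS[member] for member in NETWORK_GROUPS[name]]
    if name in NETWORKS:
        return [NETWORKS[name]]
    raise KeyError(f"unknown network object {name!r} (names are case-sensitive)")


def resolve_service(name):
    """Expand a service object or service-group name to (protocol, port) pairs."""
    if name in SERVICE_GROUPS:
        return [SERVICES[member] for member in SERVICE_GROUPS[name]]
    if name in SERVICES:
        return [SERVICES[name]]
    raise KeyError(f"unknown service object {name!r} (names are case-sensitive)")


def validate_policies(policies=POLICIES):
    """Check that every name in the policy table resolves before it is loaded.
    Returns a list of error messages; an empty list means the table is clean."""
    errors = []
    for src, dst, svc, _action in policies:
        for resolver, name in ((resolve_network, src), (resolve_network, dst), (resolve_service, svc)):
            try:
                resolver(name)
            except KeyError as exc:
                errors.append(exc.args[0])
    return errors


def evaluate(src_ip, dst_ip, proto, dport, policies=POLICIES):
    """Return the action for one flow. Non-TCP/UDP traffic is decided by the
    protocol filters; TCP/UDP walks the policy table top to bottom and the first
    policy whose source, destination and service all match decides. A flow that
    matches no policy is denied."""
    if proto not in ("tcp", "udp"):
        return PROTOCOL_FILTERS.get(proto, "deny")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_obj, dst_obj, svc_obj, action in policies:
        if not any(src in net for net in resolve_network(src_obj)):
            continue
        if not any(dst in net for net in resolve_network(dst_obj)):
            continue
        for svc_proto, svc_port in resolve_service(svc_obj):
            if svc_proto in (None, proto) and svc_port in (None, dport):
                return action          # first matching policy decides
    return "deny"                      # implicit deny at the end of the table


# Order matters: a broad allow placed above the ssh deny makes the deny unreachable.
MISORDERED = [
    ("Protected", "Internet", "any", "allow"),
    ("Protected", "Internet", "ssh", "deny"),
]

if __name__ == "__main__":
    print(evaluate("198.51.100.7", "192.0.2.10", "tcp", 443))            # allow
    print(evaluate("10.1.2.3", "198.51.100.7", "tcp", 22))               # deny
    print(evaluate("10.1.2.3", "198.51.100.7", "tcp", 22, MISORDERED))   # allow
    print(validate_policies([("inside", "Internet", "dns", "allow")]))   # one error
```

The validate_policies pass is the piece to run before loading any table: a mis-cased object name does not produce a looser or tighter rule, it produces a policy that refers to nothing, which is easy to miss once the table is long. Comparing the POLICIES and MISORDERED results for the same ssh flow shows why the guide says the order is important.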

XSR User’s Guide 16-23

Enterasys Networks X-Pedition™ manual: Pre-configuring the Firewall, Steps to Configure the Firewall