A New Dimension of Network Security and Information Management
www.stonesoft.com
Training - Customer Services
StoneBeat FullCluster FC 2.0 Labs (v1.1)
StoneBeat™
FullCluster Labs
Installation Files
Installation Files on Windows NT:
Create installation folders:
  C:\Install\Sbfc
  C:\Install\Sbgui
Use WinZip to unzip files to installation folders:
  CDROM:\sbfc_fw1_20\nt\sbfc_xxx.zip to folder c:\install\sbfc
  CDROM:\sbgui_42\nt\sbgui_xxx.zip to folder c:\install\sbgui
Installation Files on Solaris:
Create installation folder:
  mkdir /install
Copy files from the cdrom to the installation folder:
  cp /cdrom/cdrom0/sbfc_fw1_20/solaris/sbfc_xxx.gz /install
  cp /cdrom/cdrom0/sbgui_42/solaris/sbgui_xxx.gz /install
Unzip files:
  /cdrom/cdrom0/Zip/gunzip.bin /install/sbfc_xxx.gz
  /cdrom/cdrom0/Zip/gunzip.bin /install/sbgui_xxx.gz
Untar files:
  tar xvf /install/sbfc_xxx
  tar xvf /install/sbgui_xxx
StoneBeat™
FullCluster Labs
Network Topology
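StoneBeat FullCluster Lab Network Topology: Site #1
FTP-CLIENT1: 10.0.1.254
SBFC101: control 192.168.1.101; internal 10.0.1.101 (cluster IP 10.0.1.1); external 204.32.38.101 (cluster IP 204.32.38.1)
SBFC102: control 192.168.1.102; internal 10.0.1.102 (cluster IP 10.0.1.1); external 204.32.38.102 (cluster IP 204.32.38.1)
FTP-SERVER: 204.32.38.254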
Site #1: /etc/hosts
127.0.0.1 localhost
#Ftp-server for all the sites
204.32.38.254 ftp-server
#Site 1
192.168.1.101 sbfc101 #Control
192.168.1.102 sbfc102
204.32.38.1 site1-external #External
204.32.38.101 sbfc101-external
204.32.38.102 sbfc102-external
10.0.1.1 site1-internal #Internal
10.0.1.101 sbfc101-internal
10.0.1.102 sbfc102-internal
10.0.1.254 ftp-client1 #Ftp-client
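StoneBeat FullCluster Lab Network Topology: Site #2
FTP-CLIENT2: 10.0.2.254
SBFC103: control 192.168.1.103; internal 10.0.2.103 (cluster IP 10.0.2.1); external 204.32.38.103 (cluster IP 204.32.38.2)
SBFC104: control 192.168.1.104; internal 10.0.2.104 (cluster IP 10.0.2.1); external 204.32.38.104 (cluster IP 204.32.38.2)
FTP-SERVER: 204.32.38.254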
Site #2: /etc/hosts
127.0.0.1 localhost
#Ftp-server for all the sites
204.32.38.254 ftp-server
#Site 2
192.168.1.103 sbfc103 #Control
192.168.1.104 sbfc104
204.32.38.2 site2-external #External
204.32.38.103 sbfc103-external
204.32.38.104 sbfc104-external
10.0.2.1 site2-internal #Internal
10.0.2.103 sbfc103-internal
10.0.2.104 sbfc104-internal
10.0.2.254 ftp-client2 #Ftp-client
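StoneBeat FullCluster Lab Network Topology: Site #3
FTP-CLIENT3: 10.0.3.254
SBFC105: control 192.168.1.105; internal 10.0.3.105 (cluster IP 10.0.3.1); external 204.32.38.105 (cluster IP 204.32.38.3)
SBFC106: control 192.168.1.106; internal 10.0.3.106 (cluster IP 10.0.3.1); external 204.32.38.106 (cluster IP 204.32.38.3)
FTP-SERVER: 204.32.38.254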
Site #3: /etc/hosts
127.0.0.1 localhost
#Ftp-server for all the sites
204.32.38.254 ftp-server
#Site 3
192.168.1.105 sbfc105 #Control
192.168.1.106 sbfc106
204.32.38.3 site3-external #External
204.32.38.105 sbfc105-external
204.32.38.106 sbfc106-external
10.0.3.1 site3-internal #Internal
10.0.3.105 sbfc105-internal
10.0.3.106 sbfc106-internal
10.0.3.254 ftp-client3 #Ftp-client
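StoneBeat FullCluster Lab Network Topology: Site #4
FTP-CLIENT4: 10.0.4.254
SBFC107: control 192.168.1.107; internal 10.0.4.107 (cluster IP 10.0.4.1); external 204.32.38.107 (cluster IP 204.32.38.4)
SBFC108: control 192.168.1.108; internal 10.0.4.108 (cluster IP 10.0.4.1); external 204.32.38.108 (cluster IP 204.32.38.4)
FTP-SERVER: 204.32.38.254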
Site #4: /etc/hosts
127.0.0.1 localhost
#Ftp-server for all the sites
204.32.38.254 ftp-server
#Site 4
192.168.1.107 sbfc107 #Control
192.168.1.108 sbfc108
204.32.38.4 site4-external #External
204.32.38.107 sbfc107-external
204.32.38.108 sbfc108-external
10.0.4.1 site4-internal #Internal
10.0.4.107 sbfc107-internal
10.0.4.108 sbfc108-internal
10.0.4.254 ftp-client4 #Ftp-client
StoneBeat™
FullCluster Lab
Installation on Sun Solaris
(FireWall-1)
Installation: Step 1 - Operating System
Install Solaris 7 - DONE
Install Solaris 7 suggested patches - DONE
Check the hostname - DONE
Check the /etc/hosts and /etc/netmasks files - DONE
Configure the Control Interfaces - DONE
Connect the Control Network Cables - DONE
Installation: Step 2 - FireWall-1
Install FireWall-1 4.1 - DONE
Install FireWall-1 Policy - DONE
Check the /.profile - DONE
Configure Operative Interfaces
  Edit /etc/hostname.qfe files:
    qfe0 External Dedicated IP: 204.32.38.yyy/255.255.255.0
    qfe0:1 External Cluster IP: 204.32.38.x/255.255.255.0
    qfe1 Internal Dedicated IP: 10.0.x.yyy/255.255.255.0
    qfe1:1 Internal Cluster IP: 10.0.x.1/255.255.255.0
  Delete the directly connected route from the alias interface
  /etc/rc3.d/S99staticroutes:
    route delete net 204.32.38.0 204.32.38.x
    route delete net 10.0.x.0 10.0.x.1
x=site number, yyy=node number and zzz=partner node number
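The x/yyy addressing scheme above, together with the per-site /etc/hosts files shown earlier, can be checked mechanically on each node before FireWall-1 objects and cluster addresses are built on top of the names. The following Python check is an added example, not part of the Stonesoft lab material; the function names are assumptions, and the second sample file is constructed to show the findings.

```python
import ipaddress

def expected_hosts(site, nodes):
    """Name -> IP for one lab site (x = site number, yyy = node number)."""
    exp = {
        "ftp-server": "204.32.38.254",
        f"site{site}-external": f"204.32.38.{site}",   # external cluster IP
        f"site{site}-internal": f"10.0.{site}.1",      # internal cluster IP
        f"ftp-client{site}": f"10.0.{site}.254",
    }
    for node in nodes:
        exp[f"sbfc{node}"] = f"192.168.1.{node}"             # control
        exp[f"sbfc{node}-external"] = f"204.32.38.{node}"    # external dedicated
        exp[f"sbfc{node}-internal"] = f"10.0.{site}.{node}"  # internal dedicated
    return exp

def parse_hosts(text):
    """Parse hosts-file text into name -> IP; '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        ip = str(ipaddress.ip_address(fields[0]))  # ValueError if malformed
        for name in fields[1:]:
            entries[name.lower()] = ip
    return entries

def lint_hosts(text, site, nodes):
    """Compare a node's hosts file with the lab addressing scheme."""
    actual = parse_hosts(text)
    expected = expected_hosts(site, nodes)
    by_ip = {ip: name for name, ip in expected.items()}
    findings, explained = [], set()
    for name in sorted(set(actual) - set(expected) - {"localhost"}):
        want = by_ip.get(actual[name])
        if want and want not in actual:
            # Right address, wrong name: the expected name is absent.
            findings.append(
                f"mislabelled: {actual[name]} is named {name}, expected {want}")
            explained.add(want)
        else:
            findings.append(f"unexpected: {name} ({actual[name]})")
    for name, ip in sorted(expected.items()):
        if name in explained:
            continue
        if name not in actual:
            findings.append(f"missing: {name} ({ip})")
        elif actual[name] != ip:
            findings.append(
                f"wrong address: {name} is {actual[name]}, expected {ip}")
    return findings

# Site #3 file as shown in the lab material.
SITE3 = """\
127.0.0.1 localhost
204.32.38.254 ftp-server
192.168.1.105 sbfc105 #Control
192.168.1.106 sbfc106
204.32.38.3 site3-external #External
204.32.38.105 sbfc105-external
204.32.38.106 sbfc106-external
10.0.3.1 site3-internal #Internal
10.0.3.105 sbfc105-internal
10.0.3.106 sbfc106-internal
10.0.3.254 ftp-client3 #Ftp-client
"""

# Constructed faulty file for site 2: cluster names copied from site 1
# and one internal address left in the wrong site network.
BAD_SITE2 = SITE3.replace("105", "103").replace("106", "104") \
    .replace("10.0.3.", "10.0.2.").replace("204.32.38.3 ", "204.32.38.2 ") \
    .replace("site3-", "site1-").replace("ftp-client3", "ftp-client2") \
    .replace("10.0.2.104 ", "10.0.1.104 ")

if __name__ == "__main__":
    for finding in lint_hosts(BAD_SITE2, 2, (103, 104)):
        print(finding)
```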
Installation: Step 2 - FireWall-1
Enable FireWall-1 Synchronization
  Edit $FWDIR/conf/sync.conf
    192.168.1.zzz
  $FWDIR/bin/fwstop
  $FWDIR/bin/fw putkey 192.168.1.zzz
  $FWDIR/bin/fwstart
Edit /etc/fw.boot/ifdev
  Add row: sbif accept
Reboot
Installation: Step 3 - FullCluster
Install FullCluster
  cd /install
  pkgadd -d .
  Choose all packages: SBFCbase, SBFCconf, SBFCdrv, SBFCgui, SBFCmod and SBFCsnmp
Create the SBFCHOME environment variable
  Edit /.profile:
    SBFCHOME=/opt/fullcluster
    PATH=$SBFCHOME/bin:$PATH
    export PATH SBFCHOME
Use Web Configuration GUI Wizard:
  hotjava http://localhost:3003/install/
  $SBFCHOME/bin/sbfcwebconfig install
Installation: Step 3 - FullCluster node #2
#reboot
Installation: Step 3 - FullCluster node #1
How many nodes: 2
How many operative interfaces: 2
Configuration type: multicast
Heartbeat IP addresses: 192.168.1.yyy and 192.168.1.zzz
Cluster mode: balancing
Is this machine FireWall-1 management station: Yes
  Username: fwadmin
  Password: password
  Policy name: Standard
Remember to download and rename the GUI certificate files to /install/guikey.pem and /install/guicerts.pem
Check the node.conf file!
Installation: Step 3 - FullCluster node #1
#reboot
Installation: Step 4 - StoneBeat GUI
Install StoneBeat GUI version 4.2
  pkgadd -d /install/SBFCgui - DONE
Copy Key and Certificate Files:
  From /install/gui*.pem to /stonebeat/etc
Installation: Step 4 - StoneBeat GUI
Create and connect a new FullCluster Site
  Run: /opt/stonebeat/gui/bin/sbgui
  Select: Site->New->FullCluster
  Enter Site Name and Password
  Enter ID, Hostname, IP address and SSL port (3002)
  Retrieve
  Select: Site->Connect
Installation: Step 5 - Testing
Connect the Operative Network Cables
Configure Ftp-Server
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 204.32.38.254/255.255.255.0
  Add routes to internal networks: 10.0.x.0
Configure Ftp-Client
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 10.0.x.254/255.255.0.0 - Default Gateway: 10.0.x.1
Test Programs in Ftp-Client
  Run: \\ftp-server\avi\forest.avi
  Run: telnet ftp-server 19
  Run: ftp ftp-server (configure filter.conf)
Installation: Additional Step 6
Install StoneBeat GUI in FTP-Client
Create installation folder: C:\Install\Sbgui
Use WinZip to unzip files to installation folder:
  CDROM:\sbgui_42\nt\sbgui_xxx.zip to folder c:\install\sbgui
Install StoneBeat GUI
  Run from C:\Install\Sbgui\Setup.exe
Copy Key and Certificate Files
Run: Start->Programs->StoneBeat->StoneBeat GUI
Create and connect a new FullCluster Site
StoneBeat™
FullCluster Lab
Installation on Windows NT
(FireWall-1)
Installation: Step 1 - Operating System
Install Windows NT 4.0 Server - DONE
Install the network - DONE
  Only TCP/IP Protocol
  Only SNMP Service
  Enable IP Forwarding
Install Windows NT 4.0 Service Pack 6a - DONE
Check the Computer name and the Hosts file - DONE
Configure the Control Interfaces - DONE
Connect the Control Network Cables - DONE
Installation: Step 2 - FireWall-1
Install FireWall-1 4.1 - DONE
Install FireWall-1 Policy - DONE
Configure Operative Interfaces
  Do you want to install Windows NT Networking now? NO
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties->Advanced
    External Dedicated IP: 204.32.38.yyy/255.255.255.0
    External Cluster IP: 204.32.38.x/255.255.255.0 (alias)
    Internal Dedicated IP: 10.0.x.yyy/255.255.255.0
    Internal Cluster IP: 10.0.x.1/255.255.255.0 (alias)
x=site number, yyy=node number and zzz=partner node number
Installation: Step 2 - FireWall-1
Enable FireWall-1 Synchronization
  Edit %FWDIR%\conf\sync.conf
    192.168.1.zzz
  %FWDIR%\bin\fwstop
  %FWDIR%\bin\fw putkey 192.168.1.zzz
  %FWDIR%\bin\fwstart
Installation: Step 3 - FullCluster
Install FullCluster Driver
  Control Panel->Network->Protocols
  Add StoneBeat Driver from C:\Install\Sbfc
  Reboot
Install FullCluster Module
  Run from C:\Install\Sbfc\Setup.exe
  Use SNMP Agent
  Destination Folder: C:\Program Files\FullCluster
Use WEB Configuration GUI wizard:
  The browser will be started automatically
Installation: Step 3 - FullCluster node #2
Installation: Step 3 - FullCluster node #1
How many nodes: 2
How many operative interfaces: 2
Configuration type: multicast
Heartbeat IP addresses: 192.168.1.yyy and 192.168.1.zzz
Cluster mode: balancing
Is this machine FireWall-1 management station: Yes
  Username: fwadmin
  Password: password
  Policy name: Standard
Remember to download and rename the GUI certificate files to C:\Install\guikey.pem and C:\install\guicerts.pem
Check the node.conf file!
Installation: Step 3 - FullCluster node #1
Installation: Step 4 - StoneBeat GUI
Install StoneBeat GUI version 4.2
  Run from C:\Install\Sbgui\Setup.exe
  Destination Folder: C:\Program Files\StoneBeat
  Program Folder: Start->Programs->StoneBeat
Copy Key and Certificate Files:
  From C:\Install\gui*.pem to C:\StoneBeat\etc
Installation: Step 4 - StoneBeat GUI
Create and connect a new FullCluster Site
  Run: Start->Programs->StoneBeat->StoneBeat GUI
  Select: Site->New->FullCluster
  Enter Site Name and Password
  Enter ID, Hostname, IP address and SSL port (3002)
  Retrieve
  Select: Site->Connect
Installation: Step 5 - Testing
Connect the Operative Network Cables
Configure Ftp-Server
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 204.32.38.254/255.255.255.0
  Add routes to internal networks: 10.0.x.0
Configure Ftp-Client
  Control Panel->Network->Protocols->TCP/IP Protocol->Properties
  IP Address 10.0.x.254/255.255.0.0 - Default Gateway: 10.0.x.1
Test Programs in Ftp-Client
  Run: \\ftp-server\avi\forest.avi
  Run: telnet ftp-server 19
  Run: ftp ftp-server (configure filter.conf)
Installation: Additional Step 6
Install StoneBeat GUI in FTP-Client
Create installation folder: C:\Install\Sbgui
Use WinZip to unzip files to installation folder:
  CDROM:\sbgui_42\nt\sbgui_xxx.zip to folder c:\install\sbgui
Install StoneBeat GUI
  Run from C:\Install\Sbgui\Setup.exe
Copy Key and Certificate Files
Run: Start->Programs->StoneBeat->StoneBeat GUI
Create and connect a new FullCluster Site
StoneBeat™
FullCluster Lab
Filter.conf settings
Configure in filter.conf
  Tunnel statement
  Hide NAT statement
  Ignore port statement for FTP
Note! Edit filter.conf in all nodes
Reread configuration files
StoneBeat™
FullCluster Lab
Fetching NAT rules
(FireWall-1)
Fetching NAT rules
Create a simple NAT rule in your FireWall-1 rule base
Fetch NAT rules using FullCluster Web Configuration GUI
Check the filter-nat.conf file!
StoneBeat™
FullCluster Lab
Test Subsystem
Configure a multi-ping test that commands the node offline when the external unicast address 204.32.38.254 fails to respond
Test multi-ping (configure filter.conf)
  Edit $SBFCHOME/etc/checklist:
    multiping 30 online offline 2 1000 multi-ping 204.32.38.254
  sbfc reconfigure
  sbfc restart
  Disconnect the cable from the external interface (blue)
Test Subsystem
Test firewall functionality with
  fw-module-running (Check Point's FireWall-1)
  servicerunning (Network Associates' Gauntlet and Axent's Raptor)
Test fw-module-running
  Edit $SBFCHOME/etc/checklist:
    firewall-module-on 60 online offline 1 1 fw-module-running
  sbfc reconfigure
  sbfc restart
  fwstop
StoneBeat™
FullCluster Lab
Management GUI and sbfc
Command Line Interface
GUI and Command Line Interface
Try the following on both the StoneBeat GUI and the command line interface:
  Command one node first to offline state and then to online state
  Restart all nodes
  Check the status of the FullCluster site
StoneBeat™
FullCluster Lab
Ten problems
The instructor has changed ten things in the demo site:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Note! Only software configuration changes!
StoneBeat™
FullCluster Lab
Switch Configuration
Cisco Catalyst 2900 Series XL or equivalent
Configure VLANs
  EXTERNAL: external ports of the FullCluster nodes and ftp-server
  INTERNAL: internal ports of the FullCluster nodes and ftp-client
  CONTROL: control ports of the FullCluster nodes
Configure static multicast support
  0104.3238.0100: EXTERNAL VLAN ports
  0110.0000.0100: INTERNAL VLAN ports
  0192.6801.0100: CONTROL VLAN ports
Catalyst 2900 Series XL: VLAN
Switch>enable
Switch#vlan database
Switch(vlan)#vlan 10 name EXTERNAL media ethernet
Switch(vlan)#exit
Switch#configure terminal
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/3
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/4
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#exit
Switch#write memory
Catalyst 2900 Series XL: VLAN
Switch#
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/20, Fa0/21, Fa0/22, Fa0/23,
Fa0/24
10 EXTERNAL active Fa0/1, Fa0/2, Fa0/3, Fa0/4
20 INTERNAL active Fa0/9, Fa0/10, Fa0/11, Fa0/12
30 CONTROL active Fa0/17, Fa0/18, Fa0/19
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100110 1500 - - - - - 0 0
20 enet 100120 1500 - - - - - 0 0
30 enet 100130 1500 - - - - - 0 0
Switch#
Catalyst 2900 Series XL: Multicast Group
Switch>enable
Switch#configure terminal
Switch(config)#
Switch(config)#mac-address-table static 0104.3238.0100 fastEthernet 0/4 fastEthernet 0/1 fastEthernet 0/2 fastEthernet 0/3
Switch(config)#
Switch(config)#mac-address-table static 0110.0000.0100 fastEthernet 0/12 fastEthernet 0/9 fastEthernet 0/10 fastEthernet 0/11
Switch(config)#
Switch(config)#mac-address-table static 0192.6801.0100 fastEthernet 0/17 fastEthernet 0/18 fastEthernet 0/19
Switch(config)#mac-address-table static 0192.6801.0100 fastEthernet 0/18 fastEthernet 0/17 fastEthernet 0/19
Switch(config)#mac-address-table static 0192.6801.0100 fastEthernet 0/19 fastEthernet 0/17 fastEthernet 0/18
Switch(config)#
Switch(config)#exit
Switch#write memory
Switch#show conf
Switch#
Catalyst 2900 Series XL: Multicast Group
Switch#
Switch#show mac-address-table
Dynamic Address Count: 11
Secure Address Count: 0
Static Address (User-defined) Count: 3
System Self Address Count: 47
Total MAC addresses: 61
Maximum MAC addresses: 8192
Non-static Address Table:
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
0000.d1ec.e3b1 Dynamic 20 FastEthernet0/12
0000.d1ec.fde1 Dynamic 30 FastEthernet0/18
0000.d1ec.fde2 Dynamic 10 FastEthernet0/2
0000.d1ec.fde3 Dynamic 20 FastEthernet0/10
0000.d1ec.fed5 Dynamic 30 FastEthernet0/17
0000.d1ec.fed6 Dynamic 10 FastEthernet0/3
0000.d1ec.fed7 Dynamic 20 FastEthernet0/9
0000.d1ec.fef5 Dynamic 10 FastEthernet0/4
Catalyst 2900 Series XL: Multicast Group
0000.d1ed.aa16 Dynamic 10 FastEthernet0/1
0000.d1ed.aa17 Dynamic 20 FastEthernet0/11
0000.d1ed.aa18 Dynamic 30 FastEthernet0/19
Static Address Table:
Destination Address VLAN Input Port Output Ports
------------------- ---- ---------- -----------------------
0104.3238.0100 10 Fa0/1
10 Fa0/2
10 Fa0/3
10 Fa0/4 Fa0/1 Fa0/2 Fa0/3
0110.0000.0100 20 Fa0/9
20 Fa0/10
20 Fa0/11
20 Fa0/12 Fa0/9 Fa0/10 Fa0/11
0192.6801.0100 30 Fa0/17 Fa0/18 Fa0/19
30 Fa0/18 Fa0/17 Fa0/19
30 Fa0/19 Fa0/17 Fa0/18
Switch#
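Because the EXTERNAL, INTERNAL and CONTROL networks share one switch, VLAN membership is what keeps traffic on the firewall path, so the `show vlan` output and the static multicast commands above are worth checking against each other. The following Python audit is an added example, not part of the Stonesoft lab material; the function names are assumptions, the first two samples are taken from the slides above, and the faulty configuration is constructed.

```python
import re

# Group MAC -> VLAN name, as listed on the "Switch Configuration" slide.
PLAN = {
    "0104.3238.0100": "EXTERNAL",
    "0110.0000.0100": "INTERNAL",
    "0192.6801.0100": "CONTROL",
}

def parse_show_vlan(text):
    """Return {port: vlan_name} from the first table of `show vlan`."""
    port_vlan, current = {}, None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):       # second table: no port data
            break
        m = re.match(r"\s*\d+\s+(\S+)\s+active\b(.*)", line)
        if m:
            current, rest = m.group(1), m.group(2)
        else:
            rest = line                        # continuation of a port list
        if current:
            for port in re.findall(r"Fa\d+/\d+", rest):
                port_vlan[port] = current
    return port_vlan

def parse_static(config):
    """Return [(mac, in_port, out_ports)] from mac-address-table static lines."""
    entries = []
    for line in config.splitlines():
        m = re.search(r"mac-address-table static (\S+)(.*)", line)
        if not m:
            continue
        ports = ["Fa" + p
                 for p in re.findall(r"fastEthernet\s+(\d+/\d+)", m.group(2))]
        if ports:                              # first port is the input port
            entries.append((m.group(1).lower(), ports[0], ports[1:]))
    return entries

def audit(show_vlan, config, plan=PLAN):
    """List ports that break the MAC-group-to-VLAN plan."""
    port_vlan = parse_show_vlan(show_vlan)
    findings, seen = [], {mac: set() for mac in plan}
    for mac, in_port, out_ports in parse_static(config):
        zone = plan.get(mac)
        if zone is None:
            findings.append(f"{mac}: static group not in the plan")
            continue
        for port in [in_port, *out_ports]:
            seen[mac].add(port)
            actual = port_vlan.get(port, "unassigned")
            if actual != zone:
                findings.append(
                    f"{mac}: {port} is in VLAN {actual}, expected {zone}")
    for mac, zone in plan.items():
        members = {p for p, v in port_vlan.items() if v == zone}
        for port in sorted(members - seen[mac],
                           key=lambda p: int(p.rsplit("/", 1)[1])):
            findings.append(f"{mac}: {port} in VLAN {zone} has no static entry")
    return findings

SHOW_VLAN = """\
VLAN Name Status Ports
1 default active Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/20, Fa0/21, Fa0/22, Fa0/23,
Fa0/24
10 EXTERNAL active Fa0/1, Fa0/2, Fa0/3, Fa0/4
20 INTERNAL active Fa0/9, Fa0/10, Fa0/11, Fa0/12
30 CONTROL active Fa0/17, Fa0/18, Fa0/19
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
1 enet 100001 1500 - - - - - 0 0
"""
FE = "fastEthernet"
CONFIG = f"""\
Switch(config)#mac-address-table static 0104.3238.0100 {FE} 0/4 {FE} 0/1 {FE} 0/2 {FE} 0/3
Switch(config)#mac-address-table static 0110.0000.0100 {FE} 0/12 {FE} 0/9 {FE} 0/10 {FE} 0/11
Switch(config)#mac-address-table static 0192.6801.0100 {FE} 0/17 {FE} 0/18 {FE} 0/19
Switch(config)#mac-address-table static 0192.6801.0100 {FE} 0/18 {FE} 0/17 {FE} 0/19
Switch(config)#mac-address-table static 0192.6801.0100 {FE} 0/19 {FE} 0/17 {FE} 0/18
"""
# Constructed fault: the INTERNAL group lists an EXTERNAL port (Fa0/3).
BAD_CONFIG = CONFIG.replace(f"{FE} 0/10 {FE} 0/11", f"{FE} 0/10 {FE} 0/3")
```

An empty result from `audit(SHOW_VLAN, CONFIG)` means every port in each static group sits in the planned VLAN and no VLAN member port was left out.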
StoneBeat™
FullCluster Lab
VPN Tunnel
(FireWall-1)
Note! A separate FireWall-1 management server is needed to load a policy with a Gateway Cluster object!
VPN Tunnel between sites #1 and #2
See the StoneBeat FullCluster Manual Appendix B:
1. Define FireWall-1 and network objects:
  Local FireWall-1 Modules: sbfc101 and sbfc102
  Local FireWall-1 Management: sbfc105
  Local Network: site1-network
  Remote Gateway: site2-external (IPSec, Domain: site2-network)
  Remote Network: site2-network
2. Enable gateway clustering and define a gateway cluster object:
  Local FireWall-1 Gateway Cluster: site1-external (IPSec, Domain: site1-network)
  Cluster members: sbfc101 and sbfc102
3. Create SEP VPN-1 configuration on the management
  Manual IPSec
  SPI 0x1234: ESP encryption key 0x1234567890abcdef, no AH
VPN Tunnel between sites #1 and #2
4. Add encryption rules in the FireWall-1 security policies
  Source                            Destination                       Service  Action   Track
  sbfc101, sbfc102, site2-external  site2-external, sbfc102, sbfc101  IPSEC    accept   long
  site1-network, site2-network      site2-network, site1-network      any      encrypt  long
5. Install the security policy
6. Delete the external routes via dedicated IP addresses and create a route via the cluster IP
7. Configure FullCluster load balancing filter (filter.conf)
  tunnel 204.32.38.1 204.32.38.2 10.0.2.0 netmask 255.255.255.0
8. Reconfigure and restart FullCluster using GUI
  sbfc reconfigure all
  sbfc restart all