Table Of Contents
Initializing the Guard
Physical Specifications of the Guard
The Rack Mount
The Front Panel
The Rear Panel
Connecting the Guard
Connecting the Mini USB Cable
Connecting the Network Interfaces
Connecting the Power Supply
Connecting a Console
Connecting Locally
Using the Command Line Interface
Issuing Commands in the CLI
Using the No Form of a Command
Show Command Syntax
CLI Error Messages
Tips for Using the CLI
Help
Tab Completion
Operation Direction Conventions
Abbreviating a Command
Wildcard Characters
Managing the Guard
Accessing the Guard for the First Time
Configuring the Guard Interfaces
Configuring a Physical Interface
Configuring a VLAN
Configuring a Loopback Interface
Configuring a Tunnel
Checking the Status of a GRE Tunnel
Configuring the Default Gateway
Adding a Static Route to the Routing Table
Configuring the Proxy IP Address
Managing the Guard with Web Based Management
Accessing the Guard with SSH
Reloading the Guard
Rebooting the Guard
Turning the Guard OFF
Initializing the Guard
This chapter includes the following topics:
• Physical Specifications of the Guard
• Connecting the Guard
• Using the Command Line Interface
• Managing the Guard
• Configuring the Guard Interfaces
• Configuring the Default Gateway
• Adding a Static Route to the Routing Table
• Configuring the Proxy IP Address
• Managing the Guard with Web Based Management
• Accessing the Guard with SSH
• Reloading the Guard
• Rebooting the Guard
Physical Specifications of the Guard
The Rack Mount
Table 2-1 displays the Guard main rack mount specifications.
Table 2-1 Rack Mount Specifications
Dimensions
  Weight | 62 lbs (28.12 kg)
  Height | 3.36 inches (2U) (8.53 cm)
  Width | 17.5 inches (19-inch rack mountable)
  Depth | 27.5 inches
Power management
  Power supply | 350 Watts
  Power supply type | 110 or 220 volt universal auto sensing
Interfaces
  Out-of-Band | Two 10/100/1000 Base-T
  In-Band | One dual-port NIC consisting of one of the following options: two auto-sense full/half duplex 10/100/1000 Base-T (copper), or two 1000 Base-SX (fiber)
  Serial port | Two serial DB9 RS-232 ports
Electrical
  100-240 VAC auto sense, auto switch, 50-60 Hz (optional: a dual power supply)
The Front Panel
Figure 2-1 displays the Guard front panel:
Figure 2-1 Guard Front Panel
Table 2-2 displays the specifications of the Guard front panel.
Table 2-2 Front Panel Specifications
No | Item | Description | Function
1 | ON/OFF button | Power control button | Switches the Guard On/Off. A green LED is turned on when the Guard is powered. The LED blinks when the Guard is OFF but connected to live mains.
2 | Reset button | Orange button | Resets the server and runs the power-on self test.
3 | CD-ROM drive | CD-ROM drive | CD-ROM drive for CDs
4 | Diskette drive | Diskette drive | Diskette drive for a floppy diskette
5 | Hard disk drive | Hard disk drive | A drive for a server hard disk
The Rear Panel
Figure 2-2 displays the Guard rear panel:
Figure 2-2 Guard Rear Panel
Table 2-3 displays the specifications of the Guard rear panel.
Table 2-3 Rear Panel Specifications
No | Item | Description | Function
1 | Serial RS-232 | Serial port (COM 1) | A serial port to connect to the user console control or to the console server.
2 | Monitor cable socket | Console monitor socket | A socket for the console monitor
3 | Keyboard cable socket | Console keyboard cable socket | A socket for the console keyboard cable
4 | Mouse cable socket | Console mouse cable socket | A socket for the console mouse cable
5 | Eth0 socket | 10/100/1000 BaseT Ethernet cable socket | Network interface socket for the Out-of-Band management cable
6 | Eth1 socket | 10/100/1000 BaseT Ethernet cable socket | Network interface socket for the Out-of-Band management cable
7 | USB port | USB port | A port for connecting the mini USB cable to the hardware diagnostics card. Caution: this mini USB cable must be connected before power up.
8 | Accelerator card | Accelerator card | A Cisco proprietary accelerator card
9 | Giga1 socket | Network socket | An accelerator card network In-Band interface socket. Caution: when using a single In-Band interface you must use this socket.
10 | Giga0 socket | Network socket | An accelerator card network In-Band interface socket
11 | Accelerator card serial socket | Accelerator card serial socket | A Cisco proprietary accelerator card serial socket
12 | USB socket on hardware diagnostics card | USB socket on hardware diagnostics card | A socket for connecting the mini USB cable
13 | Hardware diagnostics card | Hardware diagnostics card | This card provides hardware diagnostic data
14 | Power Cable 2 Socket | Power supply cable socket | A power supply cable socket for server power supply 2
15 | Power Cable 1 Socket | Power supply cable socket | A power supply cable socket for server power supply 1

Note
The Cisco Guard employs a pre-installed hardware acceleration card (P/N X25E02 with fiber cable or P/N X25E03 with copper cable). There are no connections with exposed plant leads. All lines are indoors only.
The card is used to off-load critical per-packet processing from the main Intel CPUs, thus achieving the required high throughput. The card has three connectors on the bracket: the two GigE In-Band interfaces described above, Giga0 and Giga1 (items 9 and 10), and a serial connector for debugging purposes (item 11). The other connectors on the card that are not on the bracket (a power connector and an EJTAG connector) are not user accessible and must never be used outside Cisco labs.
Warning
Card P/N X25E02 contains a CLASS I LASER product. This module satisfies Class I Laser Safety requirements in accordance with the US FDA/CDRH and international IEC-825 standards.
Connecting the Guard
This section describes how to connect the Guard to the network and power sources.
Note
The Guard console connections depend on whether you operate the Guard locally or from a console. See "Connecting a Console" for further details.
Connecting the Mini USB Cable
Caution 
The mini USB cable must be connected before power up.
To connect the mini USB cable perform the following steps:
Step 1
Connect the small plug on the mini USB cable to the USB socket on the hardware diagnostics card. (See item 12 in Figure 2-2.)
Step 2
Connect the other plug to either of the USB ports on the chassis. (See item 7 in Figure 2-2.)
Connecting the Network Interfaces
To connect the network interfaces perform the following steps:
Step 1
Connect the Ethernet 10/100/1000 Base-T cable to the corresponding Guard network socket and to the appropriate management network socket. (See items 5,6 in Figure 2-2.)
Step 2
Connect the In-Band cable (copper or fiber) to the appropriate In-Band network socket (see items 9 and 10 in Figure 2-2) and to the corresponding network socket. The Guard can work with one or two In-Band network interfaces.
Warning
When using a single In-Band interface you must use Giga1. (See item 9.)
Connecting the Power Supply
Connect the two power supply cables to the power cable sockets on the rear panel (see items 14 and 15 in Figure 2-2) and to the appropriate mains. A blinking green power LED indicates that the cables are connected and the Guard is receiving mains power while still OFF.
Caution 
Both cables must be connected to the mains for the Guard to work properly.
Note
Refer to the label at the power cable sockets for reference.
Connecting a Console
Connect one end of a RS-232 cable to the RS-232 socket in the Guard (see socket 1 in Figure 2-2) and the other end to the serial console control and push the ON/OFF button. (See the ON/OFF button in Figure 2-1.)
You can use any suitable terminal emulator to establish communication with the Guard over the serial connection. The example used in this manual is HyperTerminal, written for Microsoft by Hilgraeve Inc.
To establish communication with the Guard via the serial connection perform the following steps:
Step 1
Launch the Hyper Terminal. Enter a connection name and click OK.
Step 2
Choose the communications port from the Connect using drop-down list and click OK.
Step 3
Enter the following port settings and click OK:
• Bits per second: 9600
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
Step 4
The Hyper Terminal main screen appears. From the File menu, choose Properties.
Step 5
Select the Settings screen tab.
Step 6
Insert the following values and click OK:
• Emulation: VT100
• Telnet terminal ID: VT100
• Backscroll buffer lines: 500
The Hyper Terminal main screen appears with the Guard login prompt.
Connecting Locally
To connect and operate the Guard locally, perform the following steps:
Step 1
Connect the monitor, keyboard, and mouse cables to their corresponding Guard sockets (see sockets 2,3, and 4 in Figure 2-2.)
Step 2
Push the ON/OFF button (see the ON/OFF button Figure 2-1.) The login prompt appears after a few minutes.
Using the Command Line Interface
Using the CLI you can control the Guard functions. The Guard user interface is divided into many different command modes. The commands available to you at any given time depend on which mode you are currently in. Entering ? at the system prompt allows you to obtain a list of commands available for each command mode.
The access to the CLI is mapped according to user privilege levels. Each privilege level has its own group of commands.
Table 2-4 describes the user privilege levels.
Table 2-4 User Privilege Levels
User Privilege Level | Command Group
Administrator (admin) | Full access to all command groups
Configuration (config) | Full access to all command groups except the commands relating to user definition, deletion, and modification
Dynamic (dynamic) | Access to show commands, protect and learning related commands, and Flex and Dynamic filter configuration (see the note below)
Show (show) | All the Global command group show commands
Note
We recommend that Administrator and Configuration level users perform all filter configuration procedures. Lower level users can also add and remove dynamic filters.
Issuing Commands in the CLI
Table 2-5 summarizes the rules for entering CLI commands.
Table 2-5 CLI Rules
Scroll through and modify the command history: use the arrow keys.
Display the commands available in the current command mode: Shift + ?
Complete a command: type the beginning of the command and press TAB.
Display the possible completions of a command's syntax: type the command and press TAB twice.
Set the scrolling page size: more number-of-lines. The argument number-of-lines sets how many additional lines are displayed each time you press the SPACE bar; the default is two lines less than the terminal height.
Scroll forward one screen (within a command output): SPACE bar
Scroll back one screen (within a command output): b
Stop scrolling: q
Search forward for a string: / string
Search backward for a string: ? string
Cancel an action or delete a parameter: use the no form of the command.
Display information about the current operation: show
Exit the current command group level to the next higher level: exit
Exit all command group levels and return to the root level: end
Display command output from and including the first line that contains a string: | begin string
Display only the command output lines that include a string: | include string
Display only the command output lines that do not include a string: | exclude string

Note
If you issue the exit command at the root level, you will exit the CLI environment to the operating system login screen.
Using the No Form of a Command
Almost every configuration command also has a no form. In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the event monitor command turns on the event monitor, the no event monitor command turns it off.
Show Command Syntax
You can execute zone related show commands from the Zone command group level. Alternatively, you can execute these commands from the Global or Configuration command group levels.
The syntax for the show command in the Global or Configuration command group levels is:
show zone zone-name parameters...
The syntax for the show command in the Zone command group level is:
show parameters...
Note
This guide uses the show command syntax from the zone command group level as its writing convention.
CLI Error Messages
The Guard CLI displays error messages in the following cases:
• The syntax of the typed command is incomplete or incorrect.
• The typed command does not match the system configuration.
• The operation could not be performed because of a system failure; in this case, an entry is created in the system log.
Tips for Using the CLI
Help
The CLI provides context-sensitive help at every level of the command hierarchy. The help information tells you which commands are available at the current level in the hierarchy and provides a brief description of each command.
To get help, type ?.
To display help for a command, type ? after the command.
Typing ? at the command prompt displays all commands available in that mode along with a short description.
The help displays only commands available in the current mode.
Tab Completion
You can type a portion of a command and press Tab to complete the command.
After entering a command that has a value with multiple options, press Tab twice to display a list of possible input parameters. This is true for system-defined parameters and user defined parameters.
For example, pressing Tab twice after entering the policy-template command at the zone prompt displays the list of policy template names. Pressing Tab twice after entering the zone command at the configuration prompt displays zones that are already defined.
If multiple commands match for a tab completion, nothing is displayed; the terminal repeats the current line you entered.
Tab completion and help display only commands available for the current mode.
Operation Direction Conventions
In general, when the ftp keyword follows the object being copied, the command copies from the Guard to the FTP server; when ftp precedes the object, the command copies from the FTP server to the Guard. For example, the copy log ftp command copies the log file to the FTP server, and the copy ftp new-version command copies the new version from the FTP server to the Guard.
Abbreviating a Command
You can abbreviate commands and keywords to the number of characters that allow a unique abbreviation.
For example, you can abbreviate the show command to sh.
Wildcard Characters
You can use an asterisk (*) as a wildcard.
For example:
If you issue the learning policy-construction * command, the policy construction phase is activated for all of the Guard's zones.
If you issue the learning policy-construction scan* command, the policy construction phase is activated for all Guard zones with names that begin with scan (such as scannet, scanserver and so on).
If you issue the no zone * command, all zones are removed.
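The following Python script is an added example and not Guard code. It implements the two matching rules described in this section and in "Abbreviating a Command" above: unique-prefix abbreviation, which fails on an ambiguous prefix exactly as TAB completion does, and zone-name expansion in which the asterisk is the only wildcard. The command tables and zone names are constructed for illustration; the real Guard command set is not reproduced.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed command tables for two command modes: illustrative subsets,
# not the Guard's real command set. "sh" is unique in the global mode but
# ambiguous in interface mode, where "shutdown" also exists.
GLOBAL_COMMANDS = ["configure", "end", "exit", "reboot", "reload", "show"]
INTERFACE_COMMANDS = ["exit", "ip", "mtu", "no", "show", "shutdown"]

# Constructed zone names used to illustrate wildcard expansion.
ZONES = ["scannet", "scanserver", "webfarm", "dns"]


def resolve_abbreviation(token: str, commands: Iterable[str]) -> str | None:
    """Return the command that `token` uniquely abbreviates in this mode.

    An exact keyword always wins. Otherwise exactly one command must start
    with the prefix; an ambiguous or unknown prefix returns None, the case
    in which TAB completion shows nothing and the line is simply repeated.
    """
    commands = list(commands)
    if token in commands:
        return token
    matches = [c for c in commands if c.startswith(token)]
    return matches[0] if len(matches) == 1 else None


def zone_pattern(pattern: str) -> re.Pattern[str]:
    """Compile a zone-name pattern in which '*' is the only wildcard.

    Every other character is escaped, so a zone name containing '.' or '?'
    is matched literally; only '*' expands, as this section describes.
    """
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z")


def expand_zone_pattern(pattern: str, zones: Iterable[str]) -> list[str]:
    """Zones that `learning policy-construction <pattern>` or `no zone <pattern>` act on."""
    rx = zone_pattern(pattern)
    return sorted(z for z in zones if rx.match(z))


if __name__ == "__main__":
    for tok in ("sh", "shu", "e"):
        print(f"{tok!r} in interface mode -> {resolve_abbreviation(tok, INTERFACE_COMMANDS)}")
    for pat in ("scan*", "*net", "*"):
        print(f"no zone {pat} would remove: {expand_zone_pattern(pat, ZONES)}")
```

Running expand_zone_pattern before a destructive command such as no zone * is the check a practitioner wants: it lists exactly which zones the pattern covers, which is the difference between removing the zones that begin with scan and removing every zone on the Guard.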
Managing the Guard
Initially you can manage the Guard locally from a console. The console connection provides access to the CLI and allows you to run the initial setup procedures when you first turn on the Guard. See the "Assigning Privilege Levels with Passwords" section for more information.
Once you configure the Guard networking (see the "Configuring the Guard Interfaces" section), you can access and manage the Guard using one of the following methods:
• Access using a Secure Shell (SSH) session. See the "Accessing the Guard with SSH" section for further details.
• Access the Guard using Web-Based Management (WBM). See the "Managing the Guard with Web Based Management" section for further details.
• Access from a DDoS-sensing network element (such as the Detector) to establish a connection and form a counter-DDoS system. Refer to the appropriate documentation for further details.
Accessing the Guard for the First Time
The Guard has a preconfigured user name with administrator privileges.
To access the Guard for the first time perform the following steps:
Step 1
Push the Guard ON/OFF button to power the Guard. A green LED is turned on.
Step 2
Choose a password for the administrative (root) account. The password must be at least 6 characters long and should combine letters and numbers.
Step 3
Type admin for the user name and choose a password for the admin user. The password must be 6 to 24 characters long with no spaces.
Note
You can change this password at any time. See the "Changing a Password" section for further details.
The following prompt appears: admin@GUARD#
You must enter the Configuration command level to configure the Guard. To enter the Configuration command level, enter the following:
configure [terminal]
For example:
admin@GUARD# configure
admin@GUARD-conf#
Note
The riverhead user name grants Dynamic privileges. The Detector uses this user name to remotely activate the Guard.
Configuring the Guard Interfaces
This section describes the Guard interface configuration procedures. The Guard has several Network Interface Cards (NICs). The Eth0 and the Eth1 (Fast/Gigabit Ethernet) make up the Out-of-Band NICs used for management purposes.
The Giga0 and the Giga1 (Gigabit Ethernet) make up the In-Band NICs used for Guard management and zone traffic transmissions.
Note
The Guard is limited to two In-Band interfaces Giga0 and Giga1. You can configure one or both.
The Giga0 and Giga1 provide the physical interface on which virtual interfaces (VLANs and tunnels) are configured. Configuring the Guard interfaces serves as a basis for the diversion procedures (see "Zone Traffic Diversion," for further details).
You must configure Guard interfaces for proper Guard functioning. Interface characteristics include, but are not limited to, IP address and interface MTU.
Caution 
You must not configure two physical interfaces on the same subnet.
Many features are enabled on a per-interface basis. When you enter the interface command, you must specify the interface type and number.
The following general guidelines apply to all physical and virtual interface configuration processes:
• Each interface must be configured with an IP address and an IP subnet mask.
• You must activate each interface using the no shutdown command.
• After every major interface configuration change, you must reload the Guard.
To display the configuration of an interface, use the show or show running-config commands.
Configuring a Physical Interface
The Guard has four physical interfaces. The Out-of-Band interfaces, Fast/Gigabit Ethernet sockets for Out-of-Band management, are Eth0 and Eth1.
The In-Band interfaces, copper or fiber socket, are Giga0 and Giga1.
Caution 
When using a single In-Band interface you must use Giga1.
To configure a physical interface, perform the following steps:
Step 1
Enter the interface configuration mode. Enter the following:
interface if-name
The argument if-name specifies the interface name. Type one of the following:
• eth0 or eth1: the Out-of-Band interfaces
• giga1: the first In-Band interface
• giga0: the second In-Band interface
Step 2
Set the interface IP address. Enter the following:
ip address ip-addr ip-mask
The arguments ip-addr and ip-mask define the interface's IP address.
Step 3
(Optional) Define the interface MTU. Enter the following:
mtu integer
The argument integer is the MTU in bytes: between 576 and 16384 for the eth0 and eth1 interfaces, and between 576 and 1824 for the giga0 and giga1 interfaces.
The default MTU value is 1500 bytes.
Step 4
Activate the interface. Enter the following:
no shutdown
You must reload the Guard configuration if you have made major changes.
Note
If you do not reload the Guard configuration, the configuration is modified, but the change does not take effect until the configuration is reloaded.
For example:
admin@GUARD-conf# interface eth1
admin@GUARD-conf-if-eth1#
admin@GUARD-conf-if-eth1# ip address 10.10.10.33 255.255.255.252
admin@GUARD-conf-if-eth1# no shutdown
Configuring a VLAN
You can define VLANs on the In-Band interfaces.
To define a VLAN, perform the following steps:
Step 1
Enter the VLAN interface configuration mode, if one exists, or define a new VLAN. Enter the following at the Configuration prompt:
interface gigax.vlan-id
The argument x specifies the In-Band interface; enter 0 or 1.
The argument vlan-id is an integer that specifies the VLAN ID, that is, the IEEE 802.1Q tag number.
Step 2
Set the VLAN IP address. Enter the following:
ip address ip-addr ip-mask
The arguments ip-addr and ip-mask define the interface's IP address.
Step 3
(Optional) Define the interface MTU. Enter the following:
mtu integer
The argument integer is the MTU in bytes, between 576 and 1824.
The default MTU value is 1500 bytes.
Step 4
Activate the interface. Enter the following:
no shutdown
You must reload the Guard configuration if you have made major changes.
Note
If you do not reload the Guard configuration, the configuration is modified but the change does not take effect until the configuration is reloaded.
For example:
admin@GUARD-conf# interface giga1.2
admin@GUARD-conf-if-giga1.2#
admin@GUARD-conf-if-giga1.2# ip address 192.168.5.8 255.255.255.0
admin@GUARD-conf-if-giga1.2# no shutdown
Configuring a Loopback Interface
You can configure a Loopback interface. This interface is used for the Long Diversion mechanism.
To configure the loopback interface, perform the following steps:
Step 1
Enter the loopback interface configuration mode, if one exists, or define a new loopback interface. Enter the following:
interface if-name
The argument if-name specifies the loopback interface name, in the form lo:integer, where integer is an integer between 0 and 1023.
Step 2
Set the loopback interface IP address. Enter the following:
ip address ip-addr ip-mask
The arguments ip-addr and ip-mask define the interface's IP address.
Step 3
Exit the loopback interface configuration mode. Enter the following:
exit
You must reload the Guard configuration.
Note
If you do not reload the Guard configuration, the configuration is modified but the change does not take effect until the configuration is reloaded.
For example:
admin@GUARD-conf# interface lo:0
admin@GUARD-conf-if-lo:0# ip address 1.1.1.1 255.255.255.255
admin@GUARD-conf-if-lo:0# exit
Configuring a Tunnel
You can define a GRE or an IPIP tunnel. The tunnels can be used for the zone diversion mechanisms.
To define a tunnel perform the following steps:
Step 1
Enter the tunnel interface configuration mode if one exists, or define a new tunnel. Enter the following:
interface {greX | ipipY}
The argument X is an integer between 0 and 1024 that identifies a GRE tunnel (for example, gre2).
The argument Y is an integer between 0 and 1024 that identifies an IPIP tunnel.
Step 2
Set the tunnel IP address. Enter the following:
ip address ip-addr [ip-mask]
The arguments ip-addr and ip-mask define the interface's IP address. The default subnet mask is 255.255.255.255.
Step 3
Set the tunnel source IP address. Enter the following:
tunnel source source-ip
The argument source-ip specifies the tunnel source IP address. This IP address is used as the source address of the packets in the tunnel.
Step 4
Set the tunnel destination IP address. Enter the following:
tunnel destination destination-ip
The argument destination ip specifies the tunnel destination IP address.
Step 5
(Optional) Define the interface MTU. Enter the following:
mtu integer
The argument integer is the MTU in bytes, between 576 and 1480.
The default value for an IPIP tunnel is 1480 bytes (1500 less the 20-byte outer IP header).
The default value for a GRE tunnel is 1476 bytes (1500 less the 20-byte outer IP header and the 4-byte GRE header).
Step 6
Activate the interface. Enter the following:
no shutdown
You must reload the Guard configuration if you have made major changes.
Note
If you do not reload the Guard configuration, the configuration is modified but the change does not take effect until the configuration is reloaded.
For example:
admin@GUARD-conf# interface gre2
admin@GUARD-conf-if-gre2# ip address 192.168.121.1 255.255.255.0
admin@GUARD-conf-if-gre2# tunnel source 192.168.8.8
admin@GUARD-conf-if-gre2# tunnel destination 192.168.250.2
admin@GUARD-conf-if-gre2# no shutdown
Checking the Status of a GRE Tunnel
You can enable keepalive messages over a GRE tunnel. When the keepalive feature is enabled, a keepalive packet is sent at the specified time interval to keep the interface active. You can specify the number of times that the Guard tries to send keepalive packets without response before bringing the tunnel down.
You can configure the keepalive time interval, which is the frequency at which the Guard sends messages, to ensure that the GRE tunnel is alive and can adjust the interval in one-second increments. If you do not change the default retries value, a GRE tunnel is declared down after 10 intervals have passed without receiving a keepalive packet.
Note
When the GRE tunnel is declared down, the Guard stops using the tunnel for injection. If no other means of traffic injection exist, the Guard stops the zone traffic diversion!
The Guard continues to send keepalive messages even when the GRE tunnel is declared down. If the tunnel end returns the keepalive message, the Guard activates the tunnel and resumes the traffic diversion.
To enable keepalive messages on a GRE tunnel, enter the following:
keepalive [refresh-time [retries]]
Table 2-6 provides the arguments for the keepalive command.
Table 2-6 Arguments for the keepalive Command
Parameter | Description
refresh-time | (Optional) The time interval in seconds at which keepalive messages are sent. Enter an integer from 1 to 32767. The default refresh time is 3 seconds.
retries | (Optional) The number of times that the Guard continues to send keepalive packets without response before bringing the tunnel interface protocol down. Enter an integer from 1 to 255. The default number of retries is 10.
Note
You must reload the Guard for keepalive configuration changes to take effect.
For example:
admin@GUARD-conf-if-gre2# keepalive 60 5
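The Python model below is an added example, not Guard code. It simulates the keepalive behaviour this section describes: one probe per refresh interval, the tunnel declared down after retries consecutive unanswered probes, probes continuing while the tunnel is down, and reactivation on the first answered probe. The probe outcomes are constructed. The number worth noting is refresh-time multiplied by retries, the longest a dead tunnel keeps being used for injection: 30 seconds with the defaults, but 300 seconds with the keepalive 60 5 of the example above.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class GreKeepalive:
    """Tracks GRE tunnel liveness the way this section describes it.

    refresh_time: seconds between keepalive probes (1-32767, default 3).
    retries: consecutive unanswered probes before the tunnel is declared
             down (1-255, default 10). Probes keep going while the tunnel
             is down; the first answered probe brings it back up.
    """
    refresh_time: int = 3
    retries: int = 10
    up: bool = True
    missed: int = 0
    events: list[tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.refresh_time <= 32767:
            raise ValueError("refresh-time must be 1..32767 seconds")
        if not 1 <= self.retries <= 255:
            raise ValueError("retries must be 1..255")

    def seconds_to_declare_down(self) -> int:
        """Worst-case time a dead tunnel keeps receiving injected traffic."""
        return self.refresh_time * self.retries

    def probe(self, now: int, answered: bool) -> None:
        """Record one keepalive probe sent at time `now` and whether it was answered."""
        if answered:
            self.missed = 0
            if not self.up:
                self.up = True
                self.events.append((now, "up: tunnel reactivated, diversion resumes"))
            return
        self.missed += 1
        if self.up and self.missed >= self.retries:
            self.up = False
            self.events.append((now, "down: tunnel no longer used for injection"))


def simulate(responses: list[bool], refresh_time: int = 3, retries: int = 10) -> GreKeepalive:
    """Feed a constructed sequence of probe outcomes, one per refresh interval."""
    ka = GreKeepalive(refresh_time, retries)
    for i, answered in enumerate(responses, start=1):
        ka.probe(now=i * refresh_time, answered=answered)
    return ka


if __name__ == "__main__":
    # Constructed outage: the far end is silent for 12 intervals, then answers.
    ka = simulate([False] * 12 + [True])
    for t, what in ka.events:
        print(f"t={t:>3}s {what}")
    print(f"'keepalive 60 5' tolerates {GreKeepalive(60, 5).seconds_to_declare_down()}s of silence")
```

When sizing refresh-time and retries, weigh the window during which diverted traffic is black-holed into a dead tunnel against the risk of flapping on a lossy path; a single answered probe resets the miss counter, so intermittent loss below the retries threshold never takes the tunnel down.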
Configuring the Default Gateway
You can assign a default Gateway to the Guard. In most cases, the Guard's default gateway IP address is the adjacent router, located between the Guard and the Internet. The default gateway address must be on the same network as one of the IP addresses of the Guard's network interfaces.
Note
Do not assign an IP address to a default Gateway while the Guard is in protection mode.
Caution 
Removing a default gateway address may render the Guard inaccessible.
To assign a default Gateway address, enter the following:
default-gateway ip-addr
The argument ip-addr specifies the default Gateway IP address.
To modify the default Gateway address reissue the command.
For example:
admin@GUARD-conf# default-gateway 192.168.100.1
Adding a Static Route to the Routing Table
You can add a static route to the Guard routing table. Add a static route to reach servers or networks outside the local networks associated with the Guard IP interfaces.
The static route is added permanently, and is not removed after the Guard is rebooted.
To add a static route to the Guard routing table, enter the following:
ip route ip-addr ip-mask nexthop-ip [if-name]
Table 2-7 provides the arguments for the ip route command.
Table 2-7 Arguments for the ip route Command
Parameter | Description
ip-addr | The network destination of the route. The destination can be an IP network address (where the host bits of the network address are set to 0) or an IP address for a host route.
ip-mask | The subnet mask associated with the network destination.
nexthop-ip | The forwarding or next-hop IP address over which the set of addresses defined by the network destination and subnet mask is reachable. The next-hop IP address should be within the interface subnet. For local subnet routes, the next-hop IP address is the IP address assigned to the interface that is attached to the subnet. For remote routes, available across one or more routers, the next-hop IP address is a directly reachable IP address that is assigned to a neighboring router.
if-name | (Optional) The Guard interface, VLAN, or tunnel over which the destination is reachable.

Note
If you do not specify an interface, the Guard determines the interface for the route from the nexthop IP address according to its routing table.
For example:
admin@GUARD-conf# ip route 172.16.31.5 255.255.255.255 192.168.100.34
Use the show ip route command to display the routing table.
Configuring the Proxy IP Address
You must assign the Guard a proxy IP address. The proxy IP address is required by the proxy-mode anti-spoofing protection mechanisms. Do not assign a proxy IP address while the Guard is in protection mode. See the "Protection Mechanisms" section for further details.
Warning
You cannot activate zone Protection mode if no proxy IP address is defined.
To configure the Guard's anti-spoofing proxy IP address, enter the following:
proxy ip-addr
The argument ip-addr specifies the proxy IP address.
You must verify the route between every zone and the Guard proxy IP address. The Guard does not answer ping requests to its proxy IP.
To configure additional proxy IP addresses, re-issue the command.
We recommend that you configure three to four proxy IP addresses. The Guard can have up to ten proxy IP addresses.
You must reload the Guard configuration for the change to take effect.
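Because most of the settings in this chapter only take effect after a reload, and a reload deactivates learning and protection, it pays to check a planned configuration before applying it. The Python validator below is an added example, not Guard code: it encodes the rules stated in "Configuring the Guard Interfaces" (addresses and no shutdown on every interface, the per-interface MTU ranges, loopback and tunnel index ranges, no two physical interfaces on one subnet, a single In-Band interface must be giga1), in "Configuring the Default Gateway" (the gateway must be on an interface subnet), in "Adding a Static Route" (the next hop must be directly reachable) and in "Configuring the Proxy IP Address" (at least one and at most ten proxy addresses). The Interface and GuardConfig classes, sample_config and the 1-4094 VLAN ID range are assumptions of this example; the sample addresses are constructed from the CLI examples above.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Limits taken from this chapter; the VLAN ID range 1-4094 is an assumption
# from IEEE 802.1Q (the page only says the ID is an 802.1Q tag number).
MTU_RANGE = {"eth": (576, 16384), "giga": (576, 1824), "vlan": (576, 1824),
             "gre": (576, 1480), "ipip": (576, 1480)}
INDEX_RANGE = {"vlan": (1, 4094), "lo": (0, 1023), "gre": (0, 1024), "ipip": (0, 1024)}
PHYSICAL = ("eth0", "eth1", "giga0", "giga1")
MAX_PROXIES = 10
NAME_PATTERNS = [(r"(eth|giga)([01])", None), (r"giga[01]\.(\d+)", "vlan"),
                 (r"lo:(\d+)", "lo"), (r"(gre|ipip)(\d+)", None)]


def classify(name: str) -> tuple[str, int | None]:
    """Map an interface name to (kind, index); kind is 'invalid' if unrecognised."""
    for rx, kind in NAME_PATTERNS:
        m = re.fullmatch(rx, name)
        if m:
            return kind or m.group(1), int(m.group(m.lastindex))
    return "invalid", None


@dataclass
class Interface:
    name: str
    address: str | None = None      # "ip-addr ip-mask" exactly as typed after `ip address`
    mtu: int | None = None
    active: bool = False            # True once `no shutdown` has been entered
    tunnel_source: str | None = None
    tunnel_destination: str | None = None

    def network(self) -> ipaddress.IPv4Network:
        ip, mask = self.address.split()   # ValueError if the address line is malformed
        return ipaddress.IPv4Interface(f"{ip}/{mask}").network


@dataclass
class GuardConfig:
    interfaces: dict[str, Interface]
    default_gateway: str | None = None
    static_routes: list[tuple[str, str, str]] = field(default_factory=list)  # (dest, mask, nexthop)
    proxies: list[str] = field(default_factory=list)


def validate(cfg: GuardConfig) -> list[str]:
    """Return every rule violation found; an empty list means the config passes."""
    problems: list[str] = []
    nets: dict[str, ipaddress.IPv4Network] = {}
    for itf in cfg.interfaces.values():
        kind, idx = classify(itf.name)
        if kind == "invalid":
            problems.append(f"{itf.name}: unknown interface name")
            continue
        if kind in INDEX_RANGE and not INDEX_RANGE[kind][0] <= idx <= INDEX_RANGE[kind][1]:
            problems.append(f"{itf.name}: index outside {INDEX_RANGE[kind]}")
        try:
            nets[itf.name] = itf.network()
        except (AttributeError, ValueError):
            problems.append(f"{itf.name}: missing or malformed ip address {itf.address!r}")
        if kind != "lo" and not itf.active:   # the loopback procedure has no no-shutdown step
            problems.append(f"{itf.name}: not activated (no shutdown missing)")
        if itf.mtu is not None and kind in MTU_RANGE and not MTU_RANGE[kind][0] <= itf.mtu <= MTU_RANGE[kind][1]:
            problems.append(f"{itf.name}: mtu {itf.mtu} outside {MTU_RANGE[kind]}")
        if kind in ("gre", "ipip") and not (itf.tunnel_source and itf.tunnel_destination):
            problems.append(f"{itf.name}: tunnel source and destination are both required")
    if [n for n in ("giga0", "giga1") if n in cfg.interfaces] == ["giga0"]:
        problems.append("a single In-Band interface must be giga1, not giga0")
    phys = [n for n in PHYSICAL if n in nets]
    for i, a in enumerate(phys):
        for b in phys[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} share subnet {nets[a]}")
    links = [n for name, n in nets.items() if classify(name)[0] != "lo"]
    on_link = lambda ip: any(ipaddress.IPv4Address(ip) in n for n in links)
    if cfg.default_gateway and not on_link(cfg.default_gateway):
        problems.append(f"default gateway {cfg.default_gateway} is not on any interface subnet")
    for dest, mask, nexthop in cfg.static_routes:
        if not on_link(nexthop):
            problems.append(f"route {dest} {mask}: next hop {nexthop} is not directly reachable")
    if not cfg.proxies:
        problems.append("no proxy IP address: zone Protection mode cannot be activated")
    elif len(cfg.proxies) > MAX_PROXIES:
        problems.append(f"{len(cfg.proxies)} proxy IP addresses exceeds the limit of {MAX_PROXIES}")
    return problems


def sample_config() -> GuardConfig:
    """Constructed configuration assembled from the CLI examples in this chapter."""
    itfs = [
        Interface("eth0", "192.168.100.2 255.255.255.0", active=True),   # Out-of-Band management
        Interface("eth1", "10.10.10.33 255.255.255.252", active=True),
        Interface("giga1", "192.168.7.1 255.255.255.0", active=True),    # single In-Band: giga1
        Interface("giga1.2", "192.168.5.8 255.255.255.0", active=True),
        Interface("lo:0", "1.1.1.1 255.255.255.255"),
        Interface("gre2", "192.168.121.1 255.255.255.0", active=True,
                  tunnel_source="192.168.8.8", tunnel_destination="192.168.250.2"),
    ]
    return GuardConfig({i.name: i for i in itfs}, default_gateway="192.168.100.1",
                       static_routes=[("172.16.31.5", "255.255.255.255", "192.168.100.34")],
                       proxies=["192.168.7.10", "192.168.7.11", "192.168.7.12"])
```

validate(sample_config()) returns an empty list. Swapping giga1 for a lone giga0, reusing eth1's /30 on it, setting an MTU of 9000 and dropping the proxy list produces one finding per broken rule, which is the kind of report to read before issuing reload on a Guard that is currently protecting zones.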
Managing the Guard with Web Based Management
You can manage the Guard from a web browser using Web-Based Management (WBM).
To enable the Guard WBM perform the following steps:
Step 1
Enable the WBM service. Enter the following:
service wbm
Step 2
Permit access to the Guard from the remote manager's IP address. Enter the following:
permit wbm ip-addr [ip-mask]
The arguments ip-addr and ip-mask define the remote manager's IP address.
Step 3
Open the browser and type the following address:
https://Guard-ip-address/
The argument Guard-ip-address is the IP address of the Guard.
The Guard WBM window appears.
Note
WBM is served over HTTPS, not HTTP.
Step 4
Enter your username and password and click OK.
After you enter the user name and password correctly, the Guard's home page is displayed.
Note
If TACACS+ authentication is configured, the TACACS+ user database is used for user authentication rather than the local database.
For example:
admin@GUARD-conf# service wbm
admin@GUARD-conf# permit wbm 192.168.30.32
Accessing the Guard with SSH
You can access the Guard using a secured shell (SSH) connection. This section describes the Guard SSH communication configuration.
Note
The SSH service is enabled by default.
To enable SSH connection to the Guard, perform the following steps:
Step 1
Permit access to the Guard from the remote network address. Enter the following:
permit ssh ip-addr [ip-mask]
The arguments ip-addr and ip-mask define the remote network IP address.
Step 2
Establish a connection from the remote network address and enter the login and password. To enable SSH connection without the need to enter a login and password, add the remote connection SSH public key to the Guard SSH key list. See the "Managing SSH Keys" section for further details.
Reloading the Guard
The reload command enables you to reload the Guard's configuration without the need to reboot the machine.
Caution 
Issuing the reload command affects details in the Guard configuration and deactivates the learning and protection processes.
Use the reload command to reload the Guard.
For the following changes to take effect, you must reload the Guard:
• Interface IP address modification
• Interface activation/deactivation
• VLAN ID number and IP address modification
• Modifications in the following tunnel parameters: name, type, source and destination IP addresses, and mask
• Default Gateway IP address modification
• Guard TCP Proxy IP address modification
• Burning a new flash
• Synchronizing the Guard with an NTP server
Rebooting the Guard
To reboot the Guard, enter the following:
reboot
The default behavior of the Guard is to load all zones in an inactive mode, thus the Guard does not reactivate zones that were in protect or learning modes prior to the reboot.
You can change the default behavior to automatically activate zones that were active prior to the reboot process. Enter the following:
boot reactivate-zones
Caution 
The zone learning phase is restarted after reboot.
Turning the Guard OFF
A clean shutdown enables the Guard to save vital information.
To turn the Guard OFF perform the following steps:
Step 1
Enter the following:
poweroff
Step 2
Type yes at the command prompt to verify the process.
Step 3
Push the Guard ON/OFF button to turn the Guard power OFF. The green power LED will turn off.
Caution 
Pushing the OFF button without first issuing the poweroff command may result in critical data loss!