Understanding Configuration Options


This section gives an overview of every configuration menu option found in Voyager. Use it as a quick reference to each link available on the main Configuration screen; we describe the highlights of each option so that you know what you can do remotely through the Voyager Web interface.

Interface Configuration

Voyager provides a simple Web-based interface that you can access remotely to configure interface parameters and ARP settings:

  • Interfaces Configuring physical and logical interfaces, including IP addresses, speed and duplex settings, and the like.

  • ARP Address Resolution Protocol settings, adding static ARP entries, clearing the ARP table.

System Configuration

A wide variety of tools are available under the System Configuration heading. Each item in this section allows you to perform common system administration tasks, such as upgrading the IPSO images and scheduling jobs through crontab. Here is a description of each item:

  • DNS Domain Name System—configure as a client only.

  • Disk Mirroring Add or delete disk mirrors. This option is available for the IP500 and IP700 series only; it is different from the RAID-1 available in the IP400 series, which was mentioned previously.

  • Mail Relay Enter an IP address of a mail server that will accept mail from the Nokia for final delivery.

  • System Failure Notification Enable or disable notification of system failures. Mail Relay must be configured for this option to function.

  • Local Time Setup Manually set the date, time, and time zone of the system.

  • Host Address Assignment Configure the Hosts table on the Nokia (/etc/hosts).

  • System Logging Configure a remote syslog server or accept syslog from other devices.

  • Change Hostname Change the hostname of the Nokia. If you have installed Check Point NG, do not change the hostname: the Secure Internal Communication (SIC) certificate is tied to it, and renaming the host breaks SIC trust with the management server.

  • Manage Configuration Sets Save the current Voyager settings (/config/active) and toggle back and forth between various Voyager configurations.

  • Backup and Restore Make a one-time backup or schedule a recurring backup of the system, and restore from a previous backup. You can also have the backup file sent by FTP to another host when it completes. Keep in mind that FTP carries both the login credentials and the archive (which holds the full system configuration) in cleartext, so send it only across a network you trust.

  • Job Scheduler Add scheduled cron jobs to the system.

  • Manage IPSO Images Toggle between installed IPSO images and delete images.

  • Install New IPSO Image (Upgrade) Download the IPSO image from a remote HTTP or FTP server and upgrade from an existing image.

  • Manage Installed Packages Toggle packages (such as Check Point FireWall-1) off and on, FTP new packages, install new packages, and delete packages.

SNMP

Enable or disable Simple Network Management Protocol (SNMP), set community strings, and configure a server to receive traps. The default settings are usable as a starting point, but change the default community strings before exposing the agent: an SNMPv1/v2c community string is the only credential, and it crosses the network in cleartext. Many individual trap options can also be enabled or disabled here.

IPv6

Configure the Nokia system to use IPv6 addressing instead of the more common IPv4. There are many options in this section, such as logical interfaces, IPv6 over IPv4, static routes, host address assignment, and network access and services, to name a few. Recent press releases state that Check Point NG FP3 will support IPv6. Note that in IPSO releases before 3.6 the Apache server on IPSO does not accept IPv6 connections, so you cannot use Voyager over IPv6 on those versions.

Reboot, Shut Down System

This screen allows you to perform a system halt or reboot through Voyager and displays the currently selected image that will be used on the next boot.

Security and Access Configuration

The items under the Security and Access Configuration heading control who and what can reach your Nokia system: they provide an interface for managing users and the services available on the platform. Many of these are discussed in more detail throughout the book:

  • Users Change passwords, add new users, and configure S/Key authentication.

  • Groups Set up groups for file permissions and assign users to these groups.

  • AAA Configure authentication, authorization, and accounting.

  • Network Access and Services Enable or disable network services such as Telnet, of the kind usually started from inetd.conf. Leave cleartext services such as Telnet disabled and use SSH for remote administration.

  • Voyager Web Access Enable or disable Voyager Web access, configure the ports used to access Voyager, and determine whether SSL encryption is required. Require it: without SSL, the Voyager login and every configuration change travel over plain HTTP.

  • SSL Certificate Tool Generate a request for a certificate or create your own self-signed X.509 certificate for SSL access.

  • SSH (Secure Shell) Enable or disable SSH, make various configuration changes, and choose which protocol version the server will run (1 or 2). Run version 2 only; SSH protocol 1 has known cryptographic weaknesses.

  • IPSec IP Security; configure security associations (SAs) with other IPSec-compliant devices in order to build a VPN. This option supports native IPSec on IPSO, without FW-1.

  • Check Point FireWall-1 Enable or disable Check Point FW-1 4.1 to start at boot time. Also configure FloodGate-1 v4.1 and ifwd. If you are running NG, this page only allows you to configure ifwd, since these options have moved to the cpconfig utility instead.
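The S/Key option under Users (above) relies on a one-time-password hash chain. The following is an added example, not code from the book or from IPSO, showing how such a chain works: the server keeps only the hash for the next expected sequence number, the client answers a challenge with the previous link of the chain, and a sniffed answer cannot be replayed because the chain only moves backwards. It is modelled on the RFC 2289 construction (an MD5 digest folded to 64 bits, seed treated case-insensitively); the passphrase, seed, challenge string format and the SKeyAccount class are assumptions for illustration, and IPSO's own S/Key implementation (its hash choice and six-word encoding) is not described on this page.

```python
import hashlib
import secrets


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves
    (the construction RFC 2289 uses for MD5-based one-time passwords)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_step(value: bytes) -> bytes:
    """One link of the hash chain: fold(MD5(value))."""
    return _fold(hashlib.md5(value).digest())


def otp_value(passphrase: str, seed: str, count: int) -> bytes:
    """The client's answer to the challenge '<count> <seed>': hash the seed
    (lower-cased) plus passphrase, then apply otp_step count more times."""
    value = otp_step((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = otp_step(value)
    return value


class SKeyAccount:
    """Server-side state for one user (assumed class, not IPSO's own code).
    Only the hash for the *next* expected sequence number is stored; the
    passphrase itself never leaves the client."""

    def __init__(self, passphrase: str, seed: str, count: int = 100):
        self.seed = seed
        self.seq = count - 1                 # sequence the next login must answer
        self.stored = otp_value(passphrase, seed, count)  # the count-th link

    def challenge(self) -> str:
        # Challenge format is an assumption for illustration.
        return f"otp-md5 {self.seq} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.seq < 0:
            return False  # chain exhausted; the account must be re-initialised
        # Hashing the client's answer once more must reproduce what we stored.
        if not secrets.compare_digest(otp_step(response), self.stored):
            return False
        self.stored = response  # advance: the answer becomes the new anchor
        self.seq -= 1           # so the same answer can never be accepted again
        return True


def demo():
    """Constructed walk-through: a login, a replay of the sniffed answer, and
    the next legitimate login. Returns the values a test can check."""
    passphrase = "correct horse battery staple"  # client-side secret (constructed)
    acct = SKeyAccount(passphrase, seed="no12345", count=100)
    first = acct.challenge()                      # "otp-md5 99 no12345"
    resp = otp_value(passphrase, "no12345", 99)   # client computes link 99
    ok1 = acct.verify(resp)                       # accepted, server now holds link 99
    replay = acct.verify(resp)                    # sniffed answer reused: rejected
    ok2 = acct.verify(otp_value(passphrase, "no12345", 98))  # next login: link 98
    return first, ok1, replay, ok2, acct.seq


if __name__ == "__main__":
    first, ok1, replay, ok2, seq = demo()
    print(first, ok1, replay, ok2, seq)
```

The server-side secret is a hash that is useless to an attacker who steals it: to answer the next challenge one needs the link *before* the stored one, which requires either the passphrase or inverting the hash.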

Fault Management Configuration

This section lets you set alarm parameters for your NSP. You can view and filter alarms such as disk space, interface link, and temperature alarms.

  • General Configurations Enable or disable Fault Management and configure general parameters such as log file size and the like.

  • Current Alarm List View active alarms and cancel them.

  • Alarm Log Display all past alarms, even if you cancelled them in the Current Alarm List.

  • Alarm Filtering List all alarm types; allows you to suppress alarms.

Routing Configuration

You have a robust set of tools for routing configuration in the NSP. There are several routing protocols to choose from, such as BGP, OSPF, and RIP:

  • BGP Border Gateway Protocol. Configure your Nokia to participate in BGP exterior routing.

  • OSPF Open Shortest Path First routing protocol. Enable or disable OSPF on each interface.

  • RIP Routing Information Protocol. Enable or disable RIP on each interface.

  • IGRP Interior Gateway Routing Protocol. Enable or disable IGRP on each interface.

  • IGMP Internet Group Management Protocol. Used in IP multicast routing, this protocol maintains the multicast group database.

  • PIM Protocol-Independent Multicast. Enable or disable PIM on each interface.

  • DVMRP Distance Vector Multicast Routing Protocol. Enable or disable DVMRP on each interface.

  • Static Routes Add, edit, or delete routes and configure your default gateway.

  • Route Aggregation Create aggregates by summarizing a set of more-specific routes into a single, more general prefix for route redistribution and advertisement.

  • Inbound Route Filters Configure inbound route filters, set protocol rank, and determine which learned routes should be accepted.

  • Route Redistribution Allows you to redistribute routes between static routes, aggregate routes, interface routes, BGP, OSPF, RIP, and IGRP.

  • Routing Options Configure various routing options such as the next-hop selection algorithm and protocol rank and restart the routing subsystem.
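Route aggregation, inbound route filtering and protocol rank (above) interact when the routing table is built. The following Python is an added example, not IPSO code, that models those three steps on a small constructed table: learned routes are filtered against an accepted prefix range (and a default route learned via RIP is dropped), one route per prefix is installed according to protocol rank, and an aggregate is reported as active only while a more-specific contributor exists. The rank values, prefixes and next hops are assumptions for illustration; IPSO's actual default ranks are set on the Routing Options page and are not given here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    protocol: str


# Assumed protocol ranks for illustration (lower is preferred). IPSO's real
# defaults are configured on the Routing Options page and are not shown here.
RANK = {"interface": 0, "static": 5, "ospf": 10, "rip": 100, "bgp": 170}


def route(prefix: str, next_hop: str, protocol: str) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, protocol)


def inbound_filter(learned, accept_within, reject_default=True):
    """Inbound route filter: keep a learned route only if its prefix lies inside
    one of the accept_within prefixes. A default route announced by a dynamic
    protocol is dropped unless reject_default is False, so a misconfigured or
    rogue neighbour cannot redirect all of our traffic."""
    allowed = [ipaddress.ip_network(p) for p in accept_within]
    kept = []
    for r in learned:
        if reject_default and r.prefix.prefixlen == 0:
            continue
        if any(r.prefix.subnet_of(a) for a in allowed):
            kept.append(r)
    return kept


def best_routes(routes, rank=RANK):
    """Protocol rank: when several protocols offer the same prefix, install
    the route whose protocol has the lowest rank."""
    best = {}
    for r in routes:
        current = best.get(r.prefix)
        if current is None or rank[r.protocol] < rank[current.protocol]:
            best[r.prefix] = r
    return best


def lookup(table, destination: str):
    """Longest-prefix match against the installed table."""
    addr = ipaddress.ip_address(destination)
    matches = [p for p in table if addr in p]
    if not matches:
        return None
    return table[max(matches, key=lambda p: p.prefixlen)]


def aggregate_contributors(table, summary: str):
    """Route aggregation: the summary prefix is generated (and advertised) only
    while at least one more-specific route inside it is installed; return those."""
    summary_net = ipaddress.ip_network(summary)
    return sorted(p for p in table if p != summary_net and p.subnet_of(summary_net))


def build_table():
    # Constructed sample: one connected network, one static default, and a set
    # of routes "learned" from neighbours, two of which must not be installed.
    connected = [route("192.0.2.0/24", "direct", "interface")]
    static = [route("0.0.0.0/0", "192.0.2.1", "static")]
    learned = [
        route("10.1.0.0/24", "192.0.2.2", "rip"),
        route("10.1.1.0/24", "192.0.2.2", "rip"),
        route("10.1.1.0/24", "192.0.2.3", "ospf"),     # same prefix, better rank
        route("0.0.0.0/0", "192.0.2.2", "rip"),        # default via RIP: rejected
        route("198.51.100.0/24", "192.0.2.2", "rip"),  # outside accepted range
    ]
    accepted = inbound_filter(learned, accept_within=["10.0.0.0/8"])
    return best_routes(connected + static + accepted)


if __name__ == "__main__":
    table = build_table()
    for prefix, r in sorted(table.items(), key=lambda item: item[0]):
        print(f"{str(prefix):18} via {r.next_hop:10} [{r.protocol}]")
    print("10.1.1.7 ->", lookup(table, "10.1.1.7").next_hop)
    contributors = aggregate_contributors(table, "10.1.0.0/23")
    print("10.1.0.0/23 active:", bool(contributors), [str(p) for p in contributors])
```

The filter runs before rank selection on purpose: a rejected route must never reach the selection step, otherwise a low-ranked protocol could still win a prefix it was not allowed to announce.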

Traffic Management

Use the tools provided in Voyager under the Traffic Management heading to customize your Nokia for your network environment. You can make the Nokia firewall a member of a cluster, configure your Nokia to behave like a firewall with access lists, or set up quality of service (QoS) for bandwidth management:

  • Cluster Enable and configure firewall gateway clustering. This is a new feature in IPSO 3.6 and should prove to be a very popular high-availability option.

  • Access List Configure access control lists (ACLs) on your Nokia.

  • Aggregation Class Set up a maximum bandwidth rate, which you can use in the ACL config.

  • Queue Class Create new queue classes, which are service definitions for setting precedence for certain types of traffic.

  • ATM QoS Descriptor Create or delete an ATM QoS descriptor, which defines the bandwidth parameters of ATM traffic.

  • Dial-On-Demand Routing Allows you to use ACLs to determine if a packet should bring up an ISDN line.

  • DSCP-VLAN Priority Enable or disable DSCP-to-VLAN or VLAN-to-DSCP priority mappings.

  • COPS Configure the Nokia to utilize Common Open Policy Service (COPS). COPS is used in a client/server model where the server is a policy server or policy decision point (PDP) and the client is a policy enforcement point (PEP). The PEP will get control decisions from the PDP for things such as QoS policies, IPSec, or admission control. This protocol is described in RFC 2748.

Router Services

A router does not forward broadcast traffic unless some sort of relay is running on it. The options here let you configure a BOOTP relay per interface and a relay for any UDP broadcast traffic you choose. You can also advertise your NSP as a default gateway, configure fail-over routing, and set up NTP to synchronize system time:

  • BOOTP Relay Enable or disable a bootp/DHCP relay on each interface.

  • IP Broadcast Helper Enable or disable forwarding of the UDP broadcast traffic you specify on each interface.

  • Router Discovery Enable the Nokia as an ICMP router discovery server so that it advertises itself as a default gateway.

  • VRRP Virtual Router Redundancy Protocol allows you to share virtual IP and MAC addresses for fail-over routing. This is a popular fail-over mechanism with Check Point FW-1.

  • NTP Network Time Protocol. You can run NTP as a client or a server.

Note

The remaining items do not provide enough information to warrant sections of their own; however, they do offer you the following features:

  • Asset Management Summary Displays a summary of hardware information.

  • Licenses You must apply licenses if you want to use certain routing protocols, such as DVMRP or IGRP. This is where those licenses are applied.

  • Show Configuration Summary Shows a summary of network configuration, such as interface status, IP addresses, routing protocols, ARP, and routes.

  • Copyright Information Displays all copyright information.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240