Firewalls

This section includes the following topics:

 

Each Firewall node in the Security Editor represents an installed Amaranten Firewall unit, which can be either a product from the Amaranten Firewall Appliance series, or from the Amaranten Firewall Software series. Representing the actual firewall installations, firewall nodes are naturally the most important nodes available in the Security Editor.

The screen shot to the right illustrates a sample firewall, named Paris. The firewall node is illustrated with a server-like icon. Depending on the status of the firewall, the icon can have an overlay image representing an information, warning or error status. For more information about firewall status, please see the section Monitoring firewall status below.

Each firewall node contains a number of child nodes, mainly folders, each containing the various configuration sections of the firewall:

All the configuration sections together build up the entire firewall configuration, which is used run-time by the actual Amaranten Firewall.

Firewall types

The Security Editor defines three types of firewalls, namely:

There is also one additional pseudo-type of firewall: the High Availability cluster, which is actually several firewalls working as one. For more information about High Availability clusters and firewalls, please see the section High Availability.

The type of the firewall is only important during creation. In operation, all firewall nodes look and behave the same in the Security Editor. The only restriction is for appliance firewall nodes, on which boot media operations are not permitted.

Creating a firewall

To create a new firewall, locate and select the Firewalls node in the namespace where the new firewall is to be created. Right-click the selected Firewalls node and choose Firewall... in the New submenu. The New Firewall Wizard dialog box will be displayed. The process of creating a new firewall is described in detail in the Getting Started guide, especially in the Running the New Firewall wizard section.

Modifying firewall properties

In addition to the firewall run-time configuration, a firewall node contains a number of properties that describe the node itself, for instance the name of the firewall and how Amaranten Firewall Manager should communicate with it.

To modify the properties of a firewall, first check out the actual firewall, then right-click the firewall and choose Properties... from the context menu. A dialog box similar to the one to the right is shown.

Please note that changing settings in the properties dialog box does not change anything on the firewall itself. Changing the IP Address in this dialog box, for example, only changes the address stored in the management database and used for management communication with the firewall; it does not reconfigure the firewall's interfaces.

General

General parameters

Name - the name of the firewall. Most tools in Amaranten Firewall Manager use the firewall name to identify the specific firewall. As the name is also used in log analysis, it is not recommended to change the name of a running firewall unless absolutely necessary.

IP Address - the IP address of the firewall. Normally, this is the IP address of the interface that was chosen as management interface during the installation. Amaranten Firewall Manager uses this IP address for remote control purposes. This setting does not affect how the firewall itself is configured.

Firewall version - the version of the firewall software in use. This value determines which configuration sections are available in the firewall node.

De-selecting the IP button changes the IP Address field into a hostname field. Amaranten Firewall Manager then uses standard DNS resolution to find the IP address of the firewall. This option is only recommended if the IP address of the firewall is dynamic, for instance if DHCP client support is activated in the firewall. Please see the section DHCP for more information.

Status - the status of the firewall. Amaranten Firewall Manager does not perform status monitoring of firewalls marked as Inactive.

Comments - optional comments on the firewall, for instance location, product model etc.

Options

Web Authentication

Path to the HTML banner files - this is where the customized HTML pages are stored. Read more in Creating customized HTML pages in the User Authentication section.

 

Click OK to save the properties and to close the dialog box. Finish by checking in the firewall.

Removing a firewall

To remove a firewall, right-click the actual firewall, choose Delete from the context menu and answer Yes to the confirmation question.

Note: Removing a firewall is an irreversible operation.

Monitoring firewall status

Each firewall has a status, representing the health of the firewall. The status is used to indicate, for instance, configuration related errors or problems on a running firewall. The icons of the firewalls in the tree view of the Security Editor change according to their status, and the Status column in the firewall list, shown below, presents the status in clear text.

An example of a status is Configuration error, which indicates that the corresponding firewall has a severe problem with its configuration. Not all statuses are severe. For instance, the status Needs deployment is not a critical status at all. For this reason, each status is assigned a status level. There are four status levels, in decreasing order of importance: Error, Warning, Information, and Ok.

A firewall can have several simultaneous statuses, but only the status with the most important status level will be shown. A status indicating that the firewall is unreachable, for instance, will have precedence over the Needs deployment status.

Amaranten Firewall Manager uses the NetCon remote management protocol to periodically query active firewalls for information. In this way, Amaranten Firewall Manager is able to detect if a firewall is reachable or not. Furthermore, the information returned from the firewall contains important information, for instance the version of the running configuration, the firewall core version and capabilities, firewall uptime etc.

The table below lists all possible statuses, their meaning and the actions proposed to solve the potential problem.

Each entry gives the status level, the status as shown in the Status column, its meaning and the proposed actions.

Status level: Ok
Status: Ok
Meaning: The firewall is up and running.
Proposed actions: None.

Status level: Information
Status: Demo mode
Meaning: The firewall is running in demo mode.
Proposed actions: If a license has been purchased, register the firewall by selecting it and choosing Register... from the Action->License menu.

Status level: Information
Status: Needs deployment
Meaning: The management data source has a more recent version of the firewall configuration than the one running on the firewall.
Proposed actions: Click the Deploy Configuration toolbar button. See Deploying a configuration for more information.

Status level: Information
Status: Empty configuration
Meaning: The configuration is empty.
Proposed actions: For custom type firewalls, check out the firewall and add configuration items manually. For HA clusters, add cluster members by right-clicking the Cluster Members folder and choosing High Availability Master... from the New submenu.

Status level: Information
Status: A more recent configuration exists in data source
Meaning: The configuration has been modified from another Amaranten Firewall Manager, or with the text-mode editor.
Proposed actions: Right-click the firewall and choose Get Latest Version from the Version Control submenu.

Status level: Information
Status: Needs configuration download
Meaning: The firewall is running a more recent version of the configuration than the one in the data source.
Proposed actions: Select the firewall and download the latest configuration. See Downloading a configuration for more information.

Status level: Information
Status: The Software Subscription will expire in less than two weeks
Meaning: The firewall license stored in the manager expires in less than two weeks. After it expires, the firewall can no longer be upgraded.
Proposed actions: If you plan to upgrade the firewall after this two-week period, download an updated license from the ClientWeb and, if necessary, buy a subscription.

Status level: Warning
Status: License file on firewall, missing in data source
Meaning: The firewall has a valid license, but the license file is missing from the data source.
Proposed actions: Download the license from Amaranten Client web.

Status level: Warning
Status: Configuration warning(s)
Meaning: The firewall configuration contains one or more warnings.
Proposed actions: Right-click the firewall and choose View Warnings and Errors... in the context menu to see the configuration warnings.

Status level: Warning
Status: One or more child nodes are down
Meaning: One or more firewalls in this namespace have been reported as down.
Proposed actions: Expand the Firewalls folder in the namespace to locate the faulty firewalls.

Status level: Warning
Status: One or both cluster members are down
Meaning: One or both members of this HA cluster have been reported as down.
Proposed actions: Expand the Cluster Members folder of the cluster to locate the faulty firewalls.

Status level: Warning
Status: License bound, but missing on firewall
Meaning: The firewall has been registered and a license has been retrieved from Amaranten Client web, but the license has not been uploaded to the firewall.
Proposed actions: Select the firewall and choose Upload License... from the Action->License menu.

Status level: Warning
Status: Uses default management keys
Meaning: The firewall is still using the default management keys, which is a security problem: the management channel is not protected by keys specific to this installation.
Proposed actions: Select the firewall and choose Change Remote Management Keys... from the Action->Communication menu.

Status level: Error
Status: Text-mode only
Meaning: The Security Editor was unable to parse the configuration. Only the text-mode editor can be used to modify the configuration.
Proposed actions: Open the text-mode editor by selecting the firewall and choosing Edit Configuration in Text-mode... from the Edit menu.

Status level: Error
Status: Incomplete configuration
Meaning: The New Firewall wizard was aborted before the firewall configuration was downloaded.
Proposed actions: Right-click the firewall and select Resume New Firewall wizard... from the context menu.

Status level: Error
Status: Error parsing the configuration file
Meaning: The Security Editor was unable to parse the configuration due to severe errors in the configuration.
Proposed actions: Right-click the firewall and choose View Warnings and Errors... in the context menu to see the configuration errors.

Status level: Error
Status: Down
Meaning: Amaranten Firewall Manager is unable to contact the firewall.
Proposed actions: Read the Troubleshooting section. If necessary, revert to the default remote management keys; once contact is restored, change the keys again, since a firewall left on default keys is reported with the Uses default management keys warning above.

Status level: Error
Status: Lockdown: By the 'lockdown' console command
Meaning: The command 'lockdown on' has been issued on the firewall console. Only traffic from management networks to the firewall itself is allowed.
Proposed actions: Issue the command 'lockdown off' on the firewall console.

Status level: Error
Status: Lockdown: License problem
Meaning: The license file on the firewall is invalid. This occurs if the license file has been manually modified, or if the firewall hardware has been replaced (MAC address mismatch). Only traffic from management networks to the firewall itself is allowed.
Proposed actions: If the license file on the firewall has been modified, upload a valid license by selecting the firewall and choosing Upload License... from the Action->License menu.

Status level: Error
Status: Lockdown: Configuration problem
Meaning: The firewall configuration is invalid. Only traffic from management networks to the firewall itself is allowed.
Proposed actions: Contact your reseller or system integrator for technical support.

Status level: Error
Status: Lockdown: Reason unknown
Meaning: The firewall has been locked down for an unknown reason. Only traffic from management networks to the firewall itself is allowed.
Proposed actions: Contact your reseller or system integrator for technical support.

Status level: Error
Status: Not a valid entry
Meaning: The entry for this firewall in the data source is invalid. The database is most likely corrupt.
Proposed actions: Contact your reseller or system integrator for technical support.

Status level: Error
Status: Not a valid configuration
Meaning: The configuration data for this firewall in the data source is invalid. The database is most likely corrupt.
Proposed actions: Contact your reseller or system integrator for technical support.
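The following is an added illustration of the precedence rule described under Monitoring firewall status and of the roll-up statuses in the table (One or more child nodes are down, One or both cluster members are down). It is not Amaranten code and does not talk to any firewall: the status names, levels and actions are taken from the table above (a subset, with the actions shortened), while the tie-break between statuses of equal level, the handling of status names not in the table, and the function names are assumptions made for the example.

```python
"""Status aggregation for Security Editor firewall nodes (added example).

Models the status table as data and implements the rule that a node can carry
several statuses at once but only the one with the most important level
(Error > Warning > Information > Ok) is displayed.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Status levels in decreasing order of importance, as defined on this page.
LEVEL_RANK: Dict[str, int] = {"Error": 3, "Warning": 2, "Information": 1, "Ok": 0}

# Subset of the status table: status name -> (level, shortened proposed action).
STATUS_TABLE: Dict[str, Tuple[str, str]] = {
    "Ok": ("Ok", "None"),
    "Demo mode": ("Information", "Register the firewall (Action->License->Register...)"),
    "Needs deployment": ("Information", "Click the Deploy Configuration toolbar button"),
    "Needs configuration download": ("Information", "Download the latest configuration"),
    "Uses default management keys": ("Warning", "Change Remote Management Keys (Action->Communication)"),
    "Configuration warning(s)": ("Warning", "View Warnings and Errors..."),
    "One or more child nodes are down": ("Warning", "Expand the Firewalls folder to locate the faulty firewalls"),
    "One or both cluster members are down": ("Warning", "Expand the Cluster Members folder to locate the faulty firewalls"),
    "Down": ("Error", "Read the Troubleshooting section"),
    "Lockdown: By the 'lockdown' console command": ("Error", "Issue 'lockdown off' on the firewall console"),
    "Error parsing the configuration file": ("Error", "View Warnings and Errors..."),
}
UNKNOWN_ACTION = "Contact your reseller or system integrator for technical support"


def level_of(status: str) -> str:
    """Level of a status name. Assumption: a name not in the table is shown as Error,
    since the page does not say how an unrecognised status is displayed."""
    return STATUS_TABLE.get(status, ("Error", UNKNOWN_ACTION))[0]


def displayed_status(statuses: Iterable[str]) -> Tuple[str, str]:
    """The single (status, level) shown for a node: the most important level wins.
    Assumption: among equal levels the first reported status is kept (the page
    gives no tie-break). A node with no statuses at all is shown as Ok."""
    best: Optional[Tuple[str, str]] = None
    for status in statuses:
        level = level_of(status)
        if best is None or LEVEL_RANK[level] > LEVEL_RANK[best[1]]:
            best = (status, level)
    return best if best is not None else ("Ok", "Ok")


def proposed_actions(statuses: Iterable[str]) -> List[str]:
    """All proposed actions for a node, most important level first, without duplicates."""
    ordered = sorted(dict.fromkeys(statuses), key=lambda s: -LEVEL_RANK[level_of(s)])
    actions: List[str] = []
    for status in ordered:
        action = STATUS_TABLE.get(status, ("Error", UNKNOWN_ACTION))[1]
        if action != "None" and action not in actions:
            actions.append(action)
    return actions


def namespace_statuses(children: Dict[str, List[str]]) -> List[str]:
    """Roll-up for a namespace: if any child firewall is displayed as Down, the
    namespace itself carries the 'One or more child nodes are down' warning."""
    if any(displayed_status(s)[0] == "Down" for s in children.values()):
        return ["One or more child nodes are down"]
    return []


def cluster_statuses(members: Dict[str, List[str]]) -> List[str]:
    """Same roll-up for an HA cluster (two members working as one firewall)."""
    if any(displayed_status(s)[0] == "Down" for s in members.values()):
        return ["One or both cluster members are down"]
    return []


def firewalls_with_default_keys(inventory: Dict[str, List[str]]) -> List[str]:
    """Audit helper: names of firewalls still reported on default management keys."""
    return sorted(name for name, st in inventory.items()
                  if "Uses default management keys" in st)


if __name__ == "__main__":
    # Constructed sample inventory (firewall name -> statuses currently reported).
    inventory = {
        "Paris": ["Needs deployment", "Uses default management keys"],
        "Berlin": ["Needs deployment", "Down"],
        "Rome": [],
    }
    for name, statuses in inventory.items():
        print(name, displayed_status(statuses), proposed_actions(statuses))
    print("namespace:", displayed_status(namespace_statuses(inventory)))
    print("default keys:", firewalls_with_default_keys(inventory))
```

Run it directly to see how a Down status outranks Needs deployment on Berlin, how Paris is shown as Warning until its management keys are changed, and how the namespace above both is flagged because Berlin is down.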