- Enterasys Security Router User's Guide
Pre-configuring the Firewall
XSR User’s Guide 16-23
cache will not automatically switch over. If the firewall is enabled on a slave router, then all
sessions would have to be re-established. You would have to re-authenticate users for access
to authentication-protected servers.
• Load Sharing - If two or more firewall-enabled XSRs are linked, load sharing is not supported.
Each XSR would act as a discrete firewall and monitor sessions that pass through it.
• Secondary IP Address/Firewall - The firewall does not interoperate with interface IP addresses,
so, a secondary interface address has no affect on firewall operations. Configure network
objects for the secondary address just as you would any primary IP address.
• Firewall Authentication over VPN - Firewall authentication is not supported over VPN tunnels.
Pre-configuring the Firewall
We recommend you consider the following suggestions to set up the firewall:
• Establish a security plan by:
– Examining your network topology
– Determining exactly what resources you want to protect
– Deciding where on the network to enable the firewall and plan on writing a Telnet or SSH
policy for remote administration if you are configuring an XSR located in the field
– Making a list of internal addresses
– Forming an inventory of desirable applications the firewall will allow between protected
and external networks
• Look up official port numbers of well-known applications at: http://www.iana.org/
assignments/protocol-numbers
The
show ip firewall session command also lists these numbers.
• Refer to “Firewall Limitations” on page 16-22 before configuration
Steps to Configure the Firewall
Follow the procedure below to configure the firewall:
• Specify the network objects
• Specify network-group, service and service group objects
• Write TCP/UDP policies. The order is important and objects and names are case-sensitive
• Specify filters for other protocols (ICMP, OSPF, ESP, etc.)
• Set miscellaneous parameters such as:
– TCP, UDP or ICMP session timeouts
– Logging event-levels 0-7
– Authentication service for users
– Java and ActiveX filtering
– IP options filtering on the interface such as time-stamps, route recording, and loose or
strict routing through the Internet