zlSM.book Page ii Monday, March 1, 2010 11:42 PM

© Copyright 2008-2012, Hewlett-Packard Development Company, L.P.

Disclaimer

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents

1 Hardware Installation
    TMS zl Module Overview
    Installing the Module
        Installation Precautions
        Installation Procedure
A EMC Regulatory Statements
    U.S.A. - FCC Class A
    Canada
    Australia/New Zealand
    Japan - VCCI Class A
    Korea
    Boot the TMS zl Module to the Product OS
    IDS/IPS Signature Subscription Registration
1 Hardware Installation

TMS zl Module Overview

The TMS zl module is an HP ProCurve zl Services Module that runs the Threat Management Services application software. It is a multi-function security system with integrated deep packet inspection Firewall, Intrusion Prevention/Detection System (IPS/IDS), and VPN Gateway.
For a description of the front panel buttons and LEDs, see Table C-1 on page C-1 in the Web version of this document at www.hp.com/go/procurve/manuals.

Note: The printed version of this document contains the basic information needed to get you started using the TMS zl module. It also contains EMC Regulatory Statements (Appendix A) and Waste Electrical and Electronic Equipment (WEEE) Statements (Appendix B).
Installation Procedure

1. Use a Torx T-10 or flat-bladed screwdriver to unscrew the screws in the cover plate over the slot where the module is to be installed. Remove the cover, and store the cover plate for possible future use.
2. Hold the module by its bulkhead—taking care not to touch the metal connectors or components on the board.
3. Open the extractor handles.
4.
Verifying the Module is Installed Correctly

When the module is installed properly, it undergoes a self test that takes a few seconds. This happens both when the switch is powered on after installing the module, and when the module is installed while the switch already has power. The LEDs help determine if the module has passed the self test, as described in the table below.
Environmental Specifications

                                     Operating                          Non-Operating
Temperature                          0°C to 40°C (32°F to 104°F) (a)    -10°C to 65°C (-10°F to 149°F)
Relative humidity (non-condensing)   15% to 90% at 40°C (104°F)         15% to 90% at 65°C (149°F)
Maximum altitude                     3.0 km (10,000 ft)                 4.6 km (15,000 ft)

a. For the 8206zl chassis, a maximum of 2 of these modules may be installed.
2 Getting Started

Threat Management Overview

The TMS zl module detects and mitigates threats to a network from both internal and external sources. The module provides multiple capabilities for managing threats.
    • Application-Level Gateway (ALG)
    • Network Address Translation (NAT)
■ Intrusion Prevention (IPS)
■ Virtual Private Network (VPN)
■ High Availability (HA)
■ Network authentication

The monitoring mode provides the following features:

■ Intrusion Detection (IDS)
■ High Availability (HA)

Note: A TMS zl module operates in only one mode.
■ Access control zones
  Traffic that passes between locations on the network or from an outside network to the internal network.
Threat Detection Only (Internal or Perimeter)

When the TMS zl module operates in monitor mode, it can detect known DoS attacks, exploits, worms, viruses, and other threats that are launched by internal users (users who have been allowed access to the network). It logs the attack and can inform an administrator, syslog server, or SNMP server. However, the module does not take action to mitigate the threat.
Initial Configuration

■ Install the product license key on the TMS zl module. For step-by-step instructions, see “Install the Product License Key” on page 2-7.

Obtain the Product Registration ID and the Activation Hardware ID

To register the TMS zl module, obtain the following two IDs that are needed to complete the process successfully:

■ Product registration ID
■ Activation hardware ID

Product Registration ID.
Register the TMS zl Module

Once the product registration ID and the activation hardware ID have been obtained, the TMS zl module registration process can be completed on the My ProCurve portal.

1. Point your Web browser to the My ProCurve portal (https://my.procurve.com).
2. If you are a new user, click Create an account and follow the prompts to set up an account.
3.
    hostswitch# licenses install activation SG000GG000-A-0123456-ABCDEFG-0123456-ABCDEFG

3. Continue by completing one of the following steps:

    • Register an IDS/IPS signature subscription (if you have purchased one). You can register the IDS/IPS signature subscription now as part of the initial setup or later after you have activated the TMS zl module and booted it to the Product OS.
To register the IDS/IPS signature subscription, complete the following tasks. (Step-by-step instructions for each task are provided in the sections that follow.)

■ Obtain the subscription registration ID and the TMS-subscription hardware ID. For step-by-step instructions, see “Obtain the Subscription Registration ID and TMS-Subscription Hardware ID” on page 2-24.
Subscription Hardware ID From Product OS Context” on page 2-16 or “Obtain the TMS-Subscription Hardware ID From Web Browser Interface” on page 2-16.

Enter the Subscription Registration ID and the TMS-Subscription Hardware ID on the My ProCurve Portal

To register an IDS/IPS signature subscription, complete the following steps:

1. Point your Web browser to the My ProCurve portal (https://my.procurve.com).
2.
Boot the TMS zl Module to the Product OS

To boot the TMS zl module to the Product OS, complete the following steps.

1. From the Service OS context, enter the following. When asked if you would like to reboot the module, type y:

    hostswitch(services-module-C:HD)# boot product
    Changing boot from Service OS to Product OS.
    System will be rebooted. Do you want to continue [y/n]? y
    Rebooting

2.
Caution: A product index number (the number '2' in the command services c 2) is subject to change on reboot. Note that the alternative command to access an application CLI: services name works in all cases. Use the show services command to see the listed under the Name heading.
Note: If you have configured a dedicated management VLAN on the module's host switch, you may want to associate that management VLAN with the management access zone.
    hostswitch(tms-module-C:config)# vlan zone

Remember if you want the host switch to have an IP address on that VLAN, include the allow-switch-ip option.

    hostswitch(tms-module-C:config)# vlan zone allow-switch-ip

b. Assign the module an IP address on the subnet that is associated with that VLAN.
12. On the default gateway (the router or routing switch), create a route or routes to the TMS VLANs. The routes’ next hop should be the TMS zl module’s IP address on the VLAN just added.
Obtain the TMS-Subscription Hardware ID From Product OS Context

To obtain the TMS-subscription hardware ID from the Product OS context of the CLI, first access the host switch’s CLI. Then, from the manager-level context of the host switch’s CLI, complete the following steps:

1. Enter the Product OS context by typing the following command:

    services c 2

2.
3 Troubleshooting

Detailed troubleshooting information for the TMS zl module is available in the Threat Management Services zl Module Management and Configuration Guide at www.hp.com/go/procurve/manuals.

HP Customer Support Services

HP offers support 24 hours a day, seven days a week through the use of a number of automated electronic services.
A EMC Regulatory Statements

U.S.A. - FCC Class A

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against interference when the equipment is used in a commercial environment.
B Waste Electrical and Electronic Equipment (WEEE) Statements

Disposal of Waste Equipment by Users in Private Household in the European Union

This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste.
Disposal of Equipment by Private Households in the European Union (translated from Finnish)

If this symbol appears on the product or on its packaging, the product must not be disposed of with household waste. In that case, the equipment to be disposed of must be taken to a recycling point for electrical and electronic equipment.
Disposal of Equipment by Private Users in the European Union (translated from Italian)

This symbol on the product or on its packaging indicates that the product must not be disposed of together with household waste.
Disposal of Electrical Waste in the European Community (translated from Portuguese)

This symbol found on the product or on its packaging indicates that the product must not be discarded with ordinary household waste. It is the customer's responsibility to dispose of the used material (electrical waste) by taking it to a collection point for recycling.
C Hardware Components

Front Panel Buttons and LEDs

This section describes the different buttons and LEDs on the front panel of a TMS zl module:

■ Module Shutdown button: This button is used to shut down the module. It is controlled by hardware; there is no way for the software to read state. A message is written to the switch log to indicate the module has shut down.
Module LED: Module Locator (blue)
State: Flashing/solid
Meaning: Solid during boot only when the module is inserted into a chassis; soft reboots do not enable this LED. Used to locate a specific module in an area full of chassis. Enabled by using the following switch CLI command: services locate
Serial Numbers

Serial numbers are required when contacting HP or a reseller for warranty assistance or for coverage under a service agreement. For future reference, record the serial and product numbers in the warranty booklet. The TMS product ships as a bundle.
The serial number of the module also can be obtained through the CLI or through the Web browser interface.

Switch LEDs

The following figures show the Test, Fault, and Module Status LEDs on the switches the TMS zl module can be installed in.

Figure C-3. Test, Fault, and Module Status LEDs on a Series 5400zl switch

Figure C-4.
It is possible to “hot-swap” one module for another; that is, replace one module with another while the switch is still powered on, without interrupting the operation of the rest of the switch ports. If the modules are not the same type, the switch may have to be reconfigured.

Caution: A 5-second delay is mandatory between removing a module, and either reinstalling it, or replacing it with another.
Replacing the Disk Drive

6. Using either side of the disk drive bracket, lift the disk drive out.
7. Install the new disk drive and slide it forward to engage the connector.
8. Re-install the four retaining screws.
9. Re-install the module into the switch.
10. Use an equal amount of pressure and push both extractor handles closed to completely seat the module.
11. Tighten the retaining screws.
Replacing the Flash Card

The following is the procedure for replacing the Flash Card in the TMS zl module. The module may be removed while the switch is powered on. The numbers in Figure C-6 correspond to the step numbers below.

1. Using either a flat-bladed or Torx T-10 screwdriver, loosen the retaining screws securing the module.
2.
Figure C-6.
D Software Components

For the latest information on software capabilities, refer to the release notes at www.hp.com/go/procurve/manuals.

Updating Switch Software

The TMS zl module requires switch software version K.13.55 or greater to be installed in the switch. When an update is needed, use the following steps to update the switch software:

1. Visit the HP ProCurve Web portal at www.hp.
Updating Product OS

3. Get an IP address (the “ip address” and “ip default-gateway” commands also can be used to manually set an IP).

    hostswitch# ip dhcp

   Verify there is an IP address.

    hostswitch# show ip

4. Download the Product OS.

    hostswitch# download ftp

5. Uninstall the previous version of the Product OS.
Updating Product OS via USB

1. Insert a USB flash drive into a Windows PC. Make sure the drive is FAT/FAT32 formatted and can hold all files that will be downloaded.
2. Download the entire folder that contains the Product OS.
3. Copy the folder onto the USB flash drive under a /services/images/ folder.
4. Safely remove the USB flash drive from the Windows PC.
5.
14. Check the version of the updated software and confirm that it is running:

    hostswitch# show services C
    Status and Counters HP Services zl Module Versions : Current status : For more information, services context Services Module C Status J9154A A.01.
TMS zl Module Activation

“Activate the TMS zl Module” on page 2-5 gives a high-level description of how the product license can be activated. This section gives a detailed description of the activation process.

Activate the TMS zl Module

Installing a License

This section describes the steps required to obtain and install the TMS product license key.
The following figure summarizes the process to activate the product.

Figure D-1. Product Activation Summary

The process details are provided below:

1. Using the switch CLI boot the Service OS on the module. Then enter the following:

    hostswitch# services c 1

   This assumes the TMS zl module is in slot C.
    hostswitch(services-module-C)# licenses hardware-id activation

   The CLI returns an activation hardware ID number. This number is entered on the My ProCurve portal in step 3 below.

2. Go to https://my.procurve.com and sign in to access the My ProCurve page. Click My Licenses to continue to the License Activation page. Click Generate License key to continue to the Registration ID page.
   Enter the registration ID number in the Registration ID field. (This number is not case-sensitive.) It is located on the card that is included with the license product. Click Next to enter the activation registration ID number and to continue to the Hardware ID page.

3. Enter the Hardware ID copied from the console session (from Step 1). Optionally, enter notes in the Customer Notes field.
   Click Next to continue to the License Agreement page. Read the license terms, check I accept all of the above terms, and click Next. This generates a license key and displays it on the screen. You may save the license key on your local computer or have it sent to an email address.
This license key will be entered into the CLI in the next step.

Install the Product License Key

This is Step 4 in Figure D-1. Enter this command at the TMS zl module’s CLI prompt:

    hostswitch# licenses install activation

The key is case-sensitive.
Boot the TMS zl Module to the Product OS

Enter the following command:

    hostswitch# boot product
    Changing boot from Service OS to Product OS.
    System will be rebooted. Do you want to continue [y/n]? y
    Rebooting

This returns the user back to the switch context.
Uninstalling a License

To uninstall the TMS license from a module, make sure the module is booted into the Service OS, and enter the following command:

    hostswitch(services-module-C:HD)# licenses uninstall activation 0

An uninstall verification key is generated.
3. Click View licenses.
4. To use a registration ID to install a license in a ProCurve module, select an entry in the table that has a license type appropriate for the module and click Generate License. This leads to the Registration ID page and fills in the registration ID number in the appropriate field. From here continue the standard installation procedure for a license.
IDS/IPS Signature Subscription Registration

“Register the IDS/IPS Signature Subscription” on page 2-8 gives a high-level description of how the IDS/IPS signature subscription can be registered. This section gives a detailed description of the registration process.

1. Go to https://my.procurve.com and sign in to continue to the My ProCurve page.
2. Click My Licenses to continue to the License Activation page.
4. Enter the subscription registration ID in the registration ID field. This number is not case-sensitive. It is located on the HP ProCurve Threat Management Services x-Year IDS/IPS Signature Subscription Registration Card, which ships with the product if you purchased an IDS/IPS signature subscription. Click Next to enter the registration ID number and to continue to the Hardware ID page.
5.
   Optionally, enter notes in the Customer Notes field. These might, for instance, identify which device has been licensed and where it is located. These notes are kept, along with the registration ID number, in the user account on the My ProCurve portal. Click Next to continue to the License Agreement page.
6. Read the license terms, check I agree to the license terms, and click Next to continue to the License expiration notification page:
7. Pick one of the expiration notification options available and click Next to continue to the license accepted page. The subscription service is now activated in the ProCurve system.
8. The module is now marked as licensed in the ProCurve Signature Server. When the module attempts to download signatures, the signature server will recognize that the module is licensed.
9. Download the latest signature files from the ProCurve Signature Server by selecting Intrusion Prevention/Detection > Signatures > Download.
10.
Technology for better business outcomes

To learn more, visit www.hp.com/networking

© Copyright 2008-2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.