proventia_administratorguide

8/9/2019 proventia_administratorguide

1/48

Administrator GuideFirmware version 3.11


2/48

Internet Security Systems, Inc.6303 Barfield RoadAtlanta, Georgia 30328-4233United States(404) 236-2600http://www.iss.net

Internet Security Systems, Inc. 2003-2007. All rights reserved worldwide. Customers may make reasonable numbers of copiesof this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by anyother person or entity without the express prior written consent of Internet Security Systems, Inc.

Patent pending.

Internet Security Systems, ADDME, ActiveAlert, AlertCon, the AlertCon logos, FireCell, FlexCheck, SecurityFusion,SecurePartner, SiteProtector, SecureU, System Scanner, Virtual Patch, Wireless Scanner, and X-Press Update are trademarks andservice marks; Database Scanner, Internet Scanner, the Internet Security Systems logo, Online Scanner, Proventia, RealSecure,SAFEsuite, Secure Steps, and X-Force are registered trademarks and service marks of Internet Security Systems, Inc. NetworkICE, the Network ICE logo, and ICEpac are trademarks, BlackICE a licensed trademark, and ICEcap a registered trademark ofNetwork ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. Powering Content Security is atrademark and Cobion is a registered trademark of Cobion AG, a wholly owned subsidiary of Internet Security Systems, Inc.SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe SystemsIncorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco

and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. InstallShield is a registered trademark andservice mark of InstallShield Software Corporation in the United States and/or other countries. Intel and Pentium are registeredtrademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT areeither registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus aretrademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software,and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology,Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iplanet, Sun, SunMicrosystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of SunMicrosystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarksor registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQLServer, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli SystemsInc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company,Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent ofinfringement. Specifications are subject to change without notice.

Disclaimer:The information contained in this document may change without notice, and may have been altered or changed ifyou have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in anAS IS condition, without warranties of any kind, and any use of this information is at the user s own risk. ISS and the X-Forcedisclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particularpurpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental,consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised ofthe possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidentaldamages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, orotherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems,Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems,Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internetprevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference

contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken orinappropriate link, please send an email with the topic name, link, and its behavior to [email protected].

March 20, 2007
http://www.iss.net/mailto:[email protected]:[email protected]://www.iss.net/


3/48

3Proventia Network Multi-Function Security Administrator Guide

Contents

PrefaceOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

About Proventia Appliance Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Conventions Used in this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Getting Technical Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 1: LicensesOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Installing Licenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Chapter 2: Firmware and Security Content UpdatesOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Installing Updates from Proventia Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Getting Updates from an Alternate Update Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Installing Updates with the Manual Upgrader Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Getting Updates through a Proxy Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 3: Reinstalling the FirmwareOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Reinstalling the Firmware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Chapter 4: Web Filter and Antispam Database MaintenanceOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Installing and Updating the Web Filter and Antispam Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Chapter 5: Maintenance ToolsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Working with Maintenance Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Chapter 6: Back Up and RecoveryOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Policy Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Full System Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 7: System DiagnosticsOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

About System Diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Running Diagnostics and Downloading Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 8: SupportOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Generating Support Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47


4/48

4

Contents


5/48


Preface

Overview

Introduction This guide provides information about performing Proventia Multi-Function Security(MFS) appliance maintenance tasks such as creating backups, reinstalling the firmware,and using the system diagnostics utility.

Scope This guide includes basic information, guidelines, and required procedures formaintaining your MFS appliance. It does not cover policy configuration.

Audience This guide is intended for network security system administrators responsible formaintaining updates, performing backups, and troubleshooting Proventia Network MFSappliances. A fundamental knowledge of network security practices and IP networkconfiguration is helpful.


6/48

6

About Proventia Appliance Documentation

Introduction This guide explains how to create backups, update firmware and security content,maintain Web filter and antispam databases, and otherwise maintain your appliance.

Where to find thelatest productinformation

For the latest appliance information, refer to the Help and the Readme file for yourproduct.

Related publications For information not included in this guide, see the following ISS Web sites:

Feedback Your feedback is important to Internet Security Systems. Please send comments andsuggestions to [email protected].

Web site Documents

www.iss.net/support/documentation Frequently asked questions

Datasheets

Information about virtual private networks

and firewalls

www.iss.net/download/ Readme files

Product downloads and updates

Table 1: Web sites for additional information
mailto:%[email protected]://www.iss.net/support/documentationhttp://www.iss.net/download/mailto:%[email protected]://www.iss.net/download/http://www.iss.net/support/documentation


7/48

Conventions Used in this Guide


Conventions Used in this Guide

Introduction This topic explains the typographic conventions used in this guide to make information inprocedures and commands easier to recognize.

In procedures The typographic conventions used in procedures are shown in the following table:

Commandconventions

The typographic conventions used for command lines are shown in the following table:

Convention What it Indicates Examples

Bold An element on the graphicaluser interface.

Type the computersaddress in the IP Address

box.Select the Printcheck box.Click OK.

SMALLCAPS A key on the keyboard. Press ENTER.Press the PLUSSIGN(+).

Constant

width

A file name, folder name,

path name, or other

information that you must

type exactly as shown.

Save the User.txtfile inthe Addressesfolder.Type IUSR__SMA in theUsernamebox.

Constant

width

italic

A file name, folder name,

path name, or other

information that you must

supply.

Type Versionnumberinthe Identificationinformationbox.

A sequence of commands

from the taskbar or menu bar.From the taskbar, selectStartRun.

On the Filemenu, selectUtilitiesCompareDocuments.

Table 2: Typographic conventions for procedures

Convention What it Indicates Examples

Constant

width bold

Information to type in exactly

as shown.

md ISS

Italic Information that variesaccording to your

circumstances.

mdyour_folder_name

[ ] Optional information. dir [drive:][path][filename] [/P][/W]

[/D]

| Two mutually exclusivechoices.

verify[ON|OFF]

{ } A set of choices from whichyou must choose one.

% chmod {ugo

a}=[r][w][x] file

Table 3: Typographic conventions for commands


8/48

8

Getting Technical Support

Introduction ISS provides technical support through its Web site and by email or telephone.

The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to online user documentation, current versions listings,detailed product literature, white papers, and the Technical Support Knowledgebase.

Support levels ISS offers three levels of support:

Standard

Select

Premium

Each level provides you with 24x7 telephone and electronic support. Select and Premium

services provide more features and benefits than the Standard service. Contact ClientServices at [email protected] you do not know the level of support yourorganization has selected.

Hours of support The following table provides hours for Technical Support at the Americas and otherlocations:

Contact information The following table provides electronic support information and telephone numbers fortechnical support requests:

Location Hours

Americas 24 hours a day

All other

locations

Monday through Friday, 9:00 A.M. to 6:00 P.M. during their

local time, excluding ISS published holidaysNote: If your local support office is located outside theAmericas, you may call or send an email to the Americas

office for help during off-hours.

Table 4: Hours for technical support

RegionalOffice

Electronic Support Telephone Number

North America Connect to the MYISS

section of our Web site:

www.iss.net

Standard:

(1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Select and Premium:

Refer to your Welcome Kit or

call your Primary Designated

Contact for this information.

Latin America [email protected] (1) (888) 447-4861 (toll free)

(1) (404) 236-2700

Table 5: Contact information for technical support
http://www.iss.net/support/http://www.iss.net/support/mailto:[email protected]://www.iss.net/mailto:[email protected]:[email protected]://www.iss.net/mailto:[email protected]://www.iss.net/support/http://www.iss.net/support/


9/48

Getting Technical Support


Europe, Middle

East, and [email protected] (44) (1753) 845105

Asia-Pacific,Australia, and

the Philippines

[email protected] (1) (888) 447-4861 (toll free)(1) (404) 236-2700

Japan [email protected] Domestic: (81) (3) 5740-4065

RegionalOffice

Electronic Support Telephone Number

Table 5: Contact information for technical support (Continued)
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]


10/48

10


11/48


12/48

Chapter 1: Licenses

12

Installing Licenses

Introduction This topic explains how to install licenses in Proventia Manager. You cannot update thesystem without first installing your product licenses. You need a license for each featureyou plan to update.

Obtaining licenses For instructions about how to obtain your product licenses, see the Welcome Kitand OrderConfirmation email you received from Internet Security Systems or go directly to theLicense Registration Web site at the following location:

https://www1.iss.net/cgi-bin/lrc

Important: After you generate your licenses, save the licenses to an easily accessiblelocation such as a network share, a local computer, or a removable USB drive. You must beable to access this location when you upload the licenses to the system.

Contacting licensesupport

You can contact ISS license support in the following ways:

email: [email protected] or [email protected]

online: www.iss.net/support

Installing licenses inProventia Manager

To install licenses in Proventia Manager:

1. Select MaintenanceLicensing.

2. Click Browse, select the license, click Open, and then click Upload.

Tip: Licenses are issued as xml files such as iss_31362101_key.isslicense.xml.

You may want to rename this file with your appliance model and the relatedfunctionality as follows:

M10_AV_iss_31362101_key.isslicense.xml
https://www1.iss.net/cgi-bin/lrchttp://www.iss.net/support/index.htmlhttp://www.iss.net/support/index.htmlhttps://www1.iss.net/cgi-bin/lrc


13/48


Chapter 2

Firmware and Security ContentUpdates

Overview

Introduction This chapter explains how to install updates from Proventia Manager and SiteProtector.ISS provides numerous ways for you to download and install your updates. This ensuresthat you can always update your antivirus, intrusion prevention, and firmware regardlessof how you are deploying your appliance.

Note: This chapter does not explain how to define your update policy. Refer to the Helpor the Policy Configuration Guidefor details on update policy settings.

In this chapter This chapter contains the following topics:

Topic Page

Installing Updates from Proventia Manager 14

Getting Updates from an Alternate Update Server 16

Installing Updates with the Manual Upgrader Utility 18

Getting Updates through a Proxy Server 21


14/48

Chapter 2: Firmware and Security Content Updates

14

Installing Updates from Proventia Manager

Introduction This topic explains how to find, download, and install updates from Proventia Managerfor the following:

antivirus

intrusion prevention

firmware

Task overview The following table describes the tasks for manually updating the appliance:

Finding updates To find available updates:

1. In Proventia Manager, select MaintenanceUpdatesStatus.

2. Click Find Updates.

3. Do one of the following:

Downloadingupdates

To download available updates, do one of the following:

Installing updatesmanually

To install updates manually:

1. In Proventia Manager, select MaintenanceUpdatesAvailable Installs.

Note: If the Export Administration Regulationwindow appears, then review theagreement, select Yes, and then click Submit.

Task Description

1 Find available updates.

2 Download updates.

3 Install updates.

Table 6: Tasks for manually updating the appliance

If... Then...

updates are available for

download

click View Available Downloads.

updates are available for

installation

click View Available Installs.

If you want to... Then...

download updates from the

Updates Status page1. In Proventia Manager, select MaintenanceUpdates

Status.

2. Click Download Updates.

download updates from the

Updates to Downloads page1. In Proventia Manager, select MaintenanceUpdates

Available Downloads.

2. Click Download All Available Updates.


15/48

Installing Updates from Proventia Manager


2. Select the updates to install, and then click Install Updates.

Note: You must reboot the appliance after installing some updates.

Removing updates Removing an update is referred to as a rollback. You can remove or roll back thefollowing:

the last intrusion prevention update and the update package

the two most recent antivirus updates and the update packages

Note: You cannot remove or roll back firmware updates.

Example

You can only roll back to an update that you specifically installed. The following exampleillustrates the roll back process for cumulative updates:

Rolling backupdates

To roll back an update:

1. In Proventia Manager, select MaintenanceUpdatesStatus.

2. If you want to roll back either an antivirus update or an intrusion prevention update,then click Rollback Last Update, and then click OK.

Troubleshooting If you experience unusual behavior after you apply a firmware update, try the following:

1. Close the Web browser.

2. Clear the Java cache.

Note: For more information about how to clear the Java cache, see www.java.com/en/download/help/5000020300.xml.

3. Restart the Web browser, and then log on to Proventia Manager.

Task Description

1 You install version 1.1.

2 You skip version 1.2 and update to version 1.3.

3 You remove or roll back the 1.3 update.

4 The appliance returns to version 1.1.

Table 7: Example of the roll back process
http://www.java.com/en/download/help/5000020300.xmlhttp://www.java.com/en/download/help/5000020300.xmlhttp://www.java.com/en/download/help/5000020300.xmlhttp://www.java.com/en/download/help/5000020300.xml


16/48


16

Getting Updates from an Alternate Update Server

Introduction The topic explains how to configure the appliance to get updates from an alternate updateserver. Use an alternate update server when you do not want the appliance to contact ISSand download updates over the Internet. Instead of contacting ISS for the updates, the

appliance contacts the update server. The update servers function is to retrieve and storeappliance updates and provide them to the appliance when requested.

Note: The appliance does not have to be registered in SiteProtector to get updates from analternate update server.

Note: This topic assumes that you have installed and configured the update server.

Gathering requiredinformation

You need the following information about the update server:

host name or IP address

portthe port to which the update server is listening for download requests:

For the ISS Download Center (www.iss.net), the default port is 443.

For the SiteProtector X-Press Update Server, the default port if 3994.

authentication level between the appliance and the update server:

trust-all (the appliance always trusts connections with the SiteProtector updateserver without the servers digital certificate)

explicit-trust (the appliance verifies the servers identify with the servers digitalcertificate)

If you use theexplicit-trust levelIf you want to use the explicit-trust authentication level, then you must manually copy therequired certificate to the appliance.

Copying requiredcertificatesmanually

To copy a required certificate to the appliance manually:

1. Locate the following certificate file on the update server:

server-rsa.crt

Note: The file is stored in the following default location on the SiteProtector 2.0 SP5update server:

Program Files\ISS\RealSecure SiteProtector\X-Press Update

Server\webserver\Apache2\conf\ssl.crt\

Note: The file is stored in the following default location on the SiteProtector 2.0 SP6update server:

Program Files\ISS\SiteProtector\Application

Server\webserver\Apache2\conf\ssl.crt\

2. Use an SCP (Secure Copy) client such as WinSCP to copy the server-rsa.crt certificatefile to the following directory on the appliance:

/etc

Note: WinSCP is a third-party tool not supported by ISS. For information about howto run the utility, see the product documentation for the utility.


17/48

Getting Updates from an Alternate Update Server


Getting updatesfrom SiteProtector

To configure the appliance to obtain updates from SiteProtector:

1. In the navigation pane, select MaintenanceUpdatesAutomatic Settings.

Note: If the Export Administration Regulationwindow appears, then review theagreement, select Yes, and then click Submit.

2. Select the Alternate Update Servertab.

3. Select the Use Alternate Update Serveroption, and then complete the followingoptions:

4. Click Save Changes.

Option Description

Host or IP Type the fully-qualified domain name or IP address of the SiteProtector

update server.

Port Specify the port on which the appliance and the SiteProtector update

server communicate.

Default = 3994

Trust Level Select one of the following:

Trust-allthe appliance always trusts connections with the

SiteProtector update server without the servers digital certificate.

Tip: This is the easiest way to set up the connection.

Explicit-trustthe appliance verifies the servers identify with the

servers digital certificate. You must manually copy the certificate to the

appliance and specify the CA Certificatebox as described below.

Tip: This is a more secure connection than trust-all.

CA Certificate provide the fully qualified path to where the certificate resides on the

appliance as in the following example:

/etc/server-rsa.crt


18/48


18

Installing Updates with the Manual Upgrader Utility

Introduction The Manual Upgrader utility retrieves update files from the Download Center. This topicexplains how to use the Manual Upgrader to download update files to the XPU server.

When to use thisprocedure

Use the procedures in this topic to update your appliance manually in the followingsituations:

Your appliance is configured to get updates from SiteProtector, but the SiteProtectorX-Press Update Server does not have Internet access.

Your appliance is configured to get updates from a stand-alone update server, but theserver does not have Internet access.

Installing updateswith the Manual

Upgrader utility

To install updates with the Manual Upgrader utility, you must do the following:

Configuring thealternate updateserver

To configure the alternate update server:

1. In Proventia Manager, select MaintenanceUpdatesAutomatic Settings.

2. Select the Alternate Update Servertab.

3. Select the Use Alternate Update Servercheck box.

4. Specify the Host or IPaddress of the XPU server.

5. Specify the Porton which the server is monitoring download requests.

For the SiteProtector X-Press Update Server, the default port is 3994.

Note: Confirm with the SiteProtector administrator that the port number has not

been changed.6. Save your changes.

Installing theManual Upgrader

To install the Manual Upgrader utility:

1. Obtain the Manual Upgrader installation file from the ISS Download Center.

The file is located in the SiteProtector area under the Other tab.

2. Copy the file to a computer that has Internet access.

3. Extract the downloaded zip file to a convenient directory.

Note: If you enable the Use Folder Names option when you extract the zip file, then

the program extracts the files to a directory called ManualUpgrader.

Task Description

1 Configure the alternate update server.

2 Install the Manual Upgrader utility.

3 Run the Manual Upgrader util ity.

4 Copy updates to the XPU server.

5 Install the updates.

Table 8: Tasks for installing updates with the Manual Upgrader utility


19/48

Installing Updates with the Manual Upgrader Utility


Running the ManualUpgrader

To run the Manual Upgrader:

1. On the computer where you installed the Manual Upgrader, navigate to the foldercontaining the program.

2. Double-click ManualUpgrader.exe.

3. Browse to a valid license file, and then select the file.

4. Read the End User License Agreement, and then click I Accept.

Note: If the Export Agreement appears, read the agreement, and then click I Accept.

5. Click Yeson the Manual Upgrader dialog to download a new catalog of availableupdates from the Web.

6. If you are prompted to download a Manual Upgrader update, click Yes.

The update is downloaded, and then you are prompted to download the most recentcatalog files.

7. Click Yes.

8. If an export agreement appears, accept it.

The newest catalog files are downloaded and all ISS product lines appear in the toppane and all available operating systems appear in the bottom pane.

9. Select CatalogLatest Network Multi-Function Catalogto select only MFS content.

10. Select the ISS product lines and the operating systems for which you want todownload updates.

Note: You can select multiple product lines and operating systems if needed.

11. You can control how recent the updates are by selecting the Only Get Files PostedWithin This Many Dayscheck box and specifying the number of days for which youwant to get updates.

12. Click Get Selected Updates.

Copying updates tothe XPU server

After you download the updates, you must copy the files to the appropriate directory onthe update server. You can use either the integrated XPU Server that is installed on thesame computer as the Application Server or an XPU Server that is installed on a separatecomputer.

If you did not download the required files to the computer where the XPU Server isinstalled, then you must transfer the files to that computer before you can apply theupdates.

Requireddirectories

You must copy the required files to specific directories on the computer where the XPUServer is installed. If these directories do not exist, then you must create them before youcan apply the updates.

Important: When you create the directories, you must spell and capitalize the directorynames exactly as described in this topic.

Required directoryon integrated XPUserver

The directory path below assumes that you are creating the directories on the integratedXPU Server and that this server is installed on the same computer as the ApplicationServer:


20/48


20

\Program Files\ISS\SiteProtector\Application

Server\webserver\Apache2\htdocs\XPU\Proventia\M-Series

Required directoryon remote XPU

server

If you are creating the directories on a remote XPU Server that is not installed on the samecomputer as the Application Server, then you must create the directories in the following

directory path on the computer where the remote XPU Server is installed:

\Program Files\ISS\SiteProtector\X-Press Update

Server\webserver\Apache2\htdocs\XPU\

Installing theupdates

Depending on how you have configured Proventia Manager, the updates are eitherinstalled automatically once they are available or you can install them manually.


21/48

Getting Updates through a Proxy Server


Getting Updates through a Proxy Server

Introduction This topic provides information about how to enable the appliance to retrieve updatesthrough a proxy server.

Updating through aproxy server

If the appliance must go through a Web proxy server to retrieve updates from ISS, thenyou must enable the Web (HTTP) proxy service.

Enable the Webproxy service

To enable the Web (HTTP) proxy service:

1. In Proventia Manager, select ConfigurationSystemServices.

2. Select the HTTP Proxy tab.

3. Select the Enable HTTP Proxycheck box.

4. Specify the Addressand Portof the HTTP proxy.

5. Click Save Changes.


22/48


22


23/48


Chapter 3

Reinstalling the Firmware

Overview

Introduction This chapter explains how to install the firmware.

In this chapter This chapter contains the following topic:

Topic Page

Reinstalling the Firmware 24


24/48

Chapter 3: Reinstalling the Firmware

24


Introduction This topic explains how to reinstall the firmware.

Considerations Reinstalling the firmware takes the appliance off line and overwrites your custom policieswith the original factory defaults.

The recovery CD includes the Filter Database that came with your appliance. Thisdatabase is quickly out of date because database updates are released often. ISSrecommends that you reinstall only the firmware and thenafter the appliance isdeployeduse the Get Filter Database option in Proventia Manager to download thelatest database directly from the ISS Web site.

Prerequisites computer (see Computer Requirements) or keyboard and monitor (for M50 models)

red crossover cable

serial cable

recovery CD

Computerrequirements

If you are connecting a computer to the appliance for this procedure, verify the computerrequirements below:

Note: No software is installed on the computer during this process; the computer is usedonly to reinstall the firmware.

Requirement Description

BIOS setting Computer must be configured to allow it to boot from the CD drive.Reference:For information on how to check or change your BIOS

settings, see your computer documentation or go online and

search for instructions. Commonly, pressing F12 during bootup

allows you to specify booting from a CD.

CPU Pentium II or compatible

RAM 64MB

Drive IDE CD-ROM Drive

Port COM1

Network interface 3Com 3c905C Intel PRO/100 or PRO/1000

3Com 3c574 or 3Com 3c575

Netgear FA511 or Netgear FA411

Intel PRO/100 S Mobile Adapter

ISS supports only the listed network cards. The Proventia M50

appliance automatically detects network interface cards.

Table 9: Computer requirements


25/48



Before you reinstall If your appliance is still operational, do the following before you reinstall the firmware:

Back up your policies using a Settings Backup, and then download the backup files toa remote location. You can restore your policies from the backup files after youreinstall the appliance firmware.

Record the networking settings shown in the following table:

Reinstalling thefirmware on anM50 appliance

To reinstall the firmware on an M50 appliance:

1. Connect to the appliance:

2. Remove the front bezel.

3. Insert the Recovery CD in appliance CD drive.

4. Restart the appliance.

Mode Network settings

Routing IP addresses

subnet masks

default gateways for all interfaces

hostname

domain name

DNS name servers

Transparent IP address

subnet maskdefault gateway

hostname

domain name

DNS name server

If you areusing a... Then...

computer 1. Connect the serial cable from your computer to the serial port on the

appliance.

2. Connect the red Ethernet crossover cable from the Ethernet port on

your computer to the Internal ETH0port on the appliance.

3. On the computer, use an application such as HyperTerminal to

configure a terminal connection between the computer and the

appliance. Use the following settings:

Port = COM1 or other appropriate port

Bits Per Second = 9600

Data bits = 8

Parity = None

Stop bits = 1

Flow control = None

4. Start the connection.

keyboard and

monitorconnect the keyboard and monitor to the appliance.


26/48

Chapter 3: Reinstalling the Firmware

26

5. When you see the boot:prompt, type reinstall, and then press ENTER.

6. Wait until the appliance reinstalls the software and automatically ejects Recovery CD.

Next Steps You must run the Proventia Setup Assistant again to initialize the system. You must alsoeither reconfigure your policies or restore your policies from the backup files you made.

Reinstalling thefirmware on allother models

To reinstall the firmware on any non-M50 appliance (that does not have a built-in CDdrive):

1. Turn off the appliance, and then disconnect it from the network.

2. Connect the serial cable from the console port on the appliance to the serial port onyour computer.

3. Connect the red Ethernet crossover cable from the internal port on the appliance tothe Ethernet port on your computer.

4. Insert the recovery CD into the CD drive on your computer, and then restart the

computer.

5. Wait until you see the following message:

***You may now boot your Proventia Appliance via the network******Starting Terminal Emulator******Press Control-G to Exit and Reboot***

Important: In the next step, you have only five seconds to press Lafter the Press Lprompt appears.

6. Turn on the appliance and watch the screen closely for the Press L prompt.

7. When you see the Press L to boot from LANprompt, press the Lkey.

8. When you see the boot:prompt, type reinstall, and then press ENTER.

9. Wait until the appliance reinstalls the software.

10. When the installation is complete, press CONTROL+Gto eject the CD and restart thecomputer in normal mode.

Next Steps You must run the Proventia Setup Assistant again to initialize the system. You must alsoeither reconfigure your policies or restore your policies from the backup files you made.


27/48


Chapter 4

Web Filter and Antispam DatabaseMaintenance

Overview

Introduction This chapter explains how to install and update the Web Filter and Antispam database.


Topic Page

Installing and Updating the Web Filter and Antispam Database 28


28/48

Chapter 4: Web Filter and Antispam Database Maintenance

28

Installing and Updating the Web Filter and Antispam Database

Introduction This topic explains how to install and update the Web Filter and Antispam Database.

Important: You must perform these tasks locally in Proventia Manager. You cannot

perform these tasks in SiteProtector.

Viewing databaseproperties

To view the Web Filter and Antispam Database version and other properties:

In Proventia Manager, select MaintenanceFilter DB.

The appliance displays the following database properties:

Installing thedatabase

To install the latest version of the Web Filter and Antispam Database:

Note: Installing the database does not take the appliance off line.

1. In Proventia Manager, select MaintenanceFilter DB.

2. Click Get Local DB.

Updating the

database

To update the Web Filter and Antispam Database:

Note: Updating the database does not take the appliance off line.

1. In Proventia Manager, select MaintenanceFilter DB.

2. Click the message Click here to update an existing database.

Property Description

Mode The current database status:

Not installed

Installed

Version The local database version in the following format:

x.xxxx

Status The status of the local database:

Installed

Downloading

Updating

Download Progress The progress of the local database download:

x% (percentage of completed download)

Indexing Database


29/48


Chapter 5

Maintenance Tools

Overview

Introduction This chapter explains how to use the maintenance tools.


Topic Page

Working with Maintenance Tools 30


30/48

Chapter 5: Maintenance Tools

30

Working with Maintenance Tools

Introduction This topic describes how to use the maintenance tools to do the following:

start or stop the appliance

use the traceroute utility to provide a list of all the routers along the path to acomputer or destination

ping a computer on your network to determine whether it can be contacted

reconnect the PPPoE on the external interface

release and renew a DHCP lease for the external interface

Tracerouteprotocols

You can use two types of protocols for the traceroute utility:

Openingmaintenance tools

To open the maintenance tools in Proventia Manager:

Note: You cannot access the maintenance tools in the SiteProtector Console. You mustaccess them locally in Proventia Manager.

Select MaintenanceTools.

Working with thetools

To use the maintenance tools:

1. Open the maintenance tools in Proventia Manager.


Protocol Description

UDP The UNIX traceroute command. When you select a UDP traceroute protocol, theappliance sends a UDP packet to a random port on the target host. The Time to Live

(TTL) and the destination port are incremental for each ICMP Port Unreachable

message that is returned, or until 30 hops are reached.

ICMP The Windows tracert command. When you select an ICMP traceroute protocol, the

TTL and the destination port are incremental for each ICMP Echo Request

message that is returned, or until 30 hops are reached.

Table 10: Traceroute protocol descriptions


reboot the appliance click Reboot.

stop the appliance click Shutdown.

ping a computer type the IP address of the computer you want to ping in the

Pingfield, and then click Submit.

trace the route to a

device

1. Type the IP address you want to trace in the Traceroutefield.

2. Select a protocol in the Protocol section:

UDP(User Datagram Protocol)

ICMP(Internet Control Message Protocol)

3. Click Submit.


31/48

Working with Maintenance Tools


reconnect the PPPoE

connection on the

external interface

click the Reconnectbutton next to Reconnect PPPoE

Connection in the Network Connection section.

release and renew theDHCP lease for the

external interface

click the Renewbutton next to Renew DHCP lease in theNetwork Connection section.



32/48

Chapter 5: Maintenance Tools

32


33/48


Chapter 6

Back Up and Recovery

Overview

Introduction This chapter provides information about how to back up and restore your policies andhow to create and restore full system backups.


Topic Page

Policy Backups 34

Full System Backups 35


34/48

Chapter 6: Back Up and Recovery

34

Policy Backups

Introduction A policy backup (or settings backup) file contains all your appliance policies, includingpolicies for networking, appliance access, network objects, firewall, and antivirus. Theappliance comes with a policy backup file labeled FactoryDefault.settingsthat includes the

default appliance policies. Since you can store multiple policy backup files on theappliance, we recommend that you keep the default policies for troubleshootingpurposes. Do not use policy backup files to distribute policies to multiple appliances. ISSrecommends that you use SiteProtector to distribute policies to multiple appliances.

Note: Policy backup files are referred to as settings snapshotsand settings backups. Thesefiles are all the same.

When to back uppolicies

You should back up your policies as soon as possible after you configure the appliance fordeployment. You should also back up your policies on a regular basis.

Important: Use a unique name for the backup policy file.

Restrictions The following restrictions apply:

A policy backup file is model specific. The policy backup file is only compatibleamong appliances with the exact same model. (You cannot back up policies on onemodel, and then restore that policy on a different model.)

Policy (settings) backups made on older firmware releases may not restore properlyon newer firmware releases.

If your appliance is registered with SiteProtector, you must unregister the appliancefrom SiteProtector before you back up your policies.

Backing up andrestoring policies

To back up or restore policies:

1. In Proventia Manager, select MaintenanceBackup and Recovery.

2. Select the Settings Backuptab.



back up settings 1. Click the Add icon, and then type a name for the backup file.

2. Click Create.

restore settings select the file, and then click Apply.

delete a backup file select the file, and then click Delete.

download a backup file select the file, and then click Download.

upload a backup file 1. Click Add.

2. Type the filename, or click Browseto locate the file.

3. Click Upload.


35/48

Full System Backups


Full System Backups

Introduction A full-system backup file contains a complete image of the appliance and its operatingsystem. You can restore the entire system from a full system backup. You should alwayscreate a full system backup before you apply a firmware update.

Restrictions The following restrictions apply:

You can store one full-system backup file on the appliance at any given time. Whenyou create a new full-system backup file, you overwrite the existing full-system

backup file.

Creating a full system backup takes the appliance off line for several minutes.

Full-system backups for version 1.7 or earlier are not compatible with version 1.8 orlater. Upgrade from version 1.7 to version 1.8 or later, and then create the full-system

backup.

Creating andrestoring fullsystem backups

To create or restore a full system backup:

1. In Proventia Manager, select MaintenanceBackup and Recovery.

2. Select the Full Backuptab.


To... Do this...

create a full system

backup

click Create System Backup.

Note:You cannot access the appliance during the backup or

restore process.

restore a full system

backup

1. Click Restore from Backup, and then click OK.

Note:You cannot access the appliance during the backup or

restore process.

2. Close all Web browser windows, and then clear your Java

cache.

Important: If you dont close all browser windows and clear

the Java cache, Proventia Manager might not function properly

after you have restored the system. For instructions about how

to clear the cache, see the documentation for your operating

system.

3. Wait at least five minutes before you access the appliance.


36/48

Chapter 6: Back Up and Recovery

36


37/48


Chapter 7

System Diagnostics

Overview

Introduction This chapter describes the system diagnostics utility and provides instructions on how torun it.


Topic Page

About System Diagnostics 38

Running Diagnostics and Downloading Test Results 41


38/48

Chapter 7: System Diagnostics

38

About System Diagnostics

Introduction The system diagnostics utility is included on the recovery CD for your appliance andprovides a way to check for the following types of hardware failures:

network interface failures

hard disk failures

file system errors

certain general hardware errors

Limitations The utility does not detect the following:

a single failed power supply on appliances with dual supplies

a single failed drive in a RAID mirror

bad memory

When to run thetool

You can run the utility at the following times:

before you deploy a new appliance

before you deploy a replacement appliance

when you suspect there is a hardware issue with the appliance

when Technical Support requests it

What tests are

available

The utility provides four classes of diagnostic tests available:

serial number and model

disk

network

event log analysis

Serial number andmodel tests

The following table describes serial number and model tests:

Test Description

Model test Verifies that the appliance model matches the recovery CD used.

Serial number test Verifies that the appliance serial number is either 9 or 13 digits.

Table 11: Serial number and model test descriptions and considerations


39/48

About System Diagnostics


Disk tests You can skip all disk tests by specifying nodisk. The following table describes disk tests:

Network tests You can skip all network tests by specifying nonet. The following table describes networktests:

Test Description

Badblock test Finds invalid disk sectors. Each test takes approximately one hour

except when run on the M10, M10e, and M30 models. On these

models, each test takes approximately two hours.Parameters:

To run this test multiple times, use the dtbb=parameter.

To skip this test, use the dtbb=0parameter.

Files system test Checks the integrity of the linux file system on the appliance but

does not necessarily indicate failure.

Parameters:

To skip this test, use the nofsckparameter.

To resolve most file system errors:

1. Reboot the device normally.2. Log in as the root user.

3. Type reboot.

4. Reload the system diagnostics.

If this does not resolve a file system error message, you may

need to reimage the appliance.

SMART drive test Checks the hard drive error log for signs of failure. This test is

available on the following models that dont have multiple disks:

M10, M10e, M30, M30e, MX1004, and MX3006.

Parameters:

To skip this test, use the nosmartparameter.

Table 12: Disk test descriptions and considerations

Check Description

Network port count check If this test fails, the appliance may require RMA replacement.

Network interface self test Determines whether all interfaces are plugged in. Any interface

that is not plugged in shows up as failed.

Parameters: To skip this test, use the nonetselfparameter.

Table 13: Network test descriptions and considerations


40/48


40

Event log analysistests for the M50appliance

On the M50 appliance, event log analysis tests check for fault indicators or messages suchas the following:

critical interrupts

system POST errors

system temperature issues

Network traffic test Checks the interface traffic flow. Cables must be connected to the

interfaces to run this test.

Example cable connections on MX5010

Cable connections will be similar on other models. Connect eth0 to eth1

Connect eth2 to eth3


Connect eth 6 to eth7


Parameters:

To skip this test, use notrafficparameter.

Important:Immediately before this test begins, you have

approximately 30 seconds to verify that the cables are correctly

connected. The delay may be longer depending on your appliance

version.Important:Do not run earlier versions of system diagnostics on

M10, M10e, and M30e models because the test always fails, even

when the interfaces are not defective.

Check Description

Table 13: Network test descriptions and considerations (Continued)


41/48

Running Diagnostics and Downloading Test Results



Introduction This topic explains how to run the system diagnostic utility and download the test results.

Considerations Consider the following before you run the utility:

running system diagnostics takes the appliance off line completely.

running all tests takes the appliance offline for one to two hours.

Note: The test takes two hours for the M10, M10e, and M30 models.

you must recable the appliance network interfaces before you run the network tests.

Requirements Before you run the utility, verify that you have the following:

computer

Note: A computer is required if you want to download the results. red Ethernet crossover cable

serial cable

recovery CD

Computerrequirements

If you are connecting a computer to the appliance for this procedure, verify the computerrequirements:

Note: No software is installed on the computer during this process.

Requirement Description

BIOS Settings Computer must be configured to allow it to boot from the CD drive.

Reference:For information on how to check or change your BIOS

settings, see your computer documentation or go online and

search for instructions. Commonly, pressing F12 during bootup

allows you to specify booting from a CD.

CPU Pentium II or compatible

RAM 64MB

Drive IDE CD-ROM Drive

Serial port COM1

Network interface card 3Com 3c905C

Intel PRO/100 or PRO/1000

3Com 3c574 or 3Com 3c575

Netgear FA511 or Netgear FA411

Intel PRO/100 S Mobile Adapter

ISS supports only the listed network cards. The Proventia M50

appliance automatically detects network interface cards.

Table 14: Computer requirements


42/48


42

Running diagnosticson M50s

To run system diagnostics on M50 appliances:

1. Connect to the appliance:

Tip: To view output and download diagnostic files after you run the tests, you mustconnect a computer to the appliance using the serial cable.

2. Remove the front bezel.

3. Insert the Recovery CD in the appliance CD drive.

4. Restart the appliance.

5. When you see the boot: prompt, press TABfor the diagnostics menu.

Important: If you plan to run network diagnostic tests, you must recable the deviceby connecting crossover cables between all interfaces. Connect ETH0 to ETH1, port 2to 3, and so on.


Running diagnosticson all other models

To run system diagnostics on the M10, M30, MX1004, MX3006, MX5010, or any other M-series models that do not include a built-in CD drive:

1. In Proventia Manager, select MaintenanceTools.

2. Click Shut Down.

3. Turn off the appliance, and then disconnect it from the network.

If you are using a... Then...

computer 1. Connect the serial cable from your computer to the serial port

on the appliance.

2. On the computer, use an application such as HyperTerminal to

configure a terminal connection between the computer and the

appliance. Use the following settings:



Data bits = 8

Parity = None

Stop bits = 1

Flow control = None

3. Start the connection.

keyboard and monitor connect the keyboard and monitor to the appliance.


run all four classes of

system diagnostic tests type sysdiag, and press ENTER.

skip diagnostic test type sysdiagparametername.

Example: sysdiag nodisk

Tip: Optional parameters and descriptions are listed on thescreen. You can specify multiple parameters by placing a space

between parameters.


43/48



4. Connect the serial cable from the console port on the appliance to the serial port onyour computer.

5. Connect the red Ethernet crossover cable from the internal (ETH0) port on theappliance to the Ethernet port on your computer.

6. Insert the recovery CD into the CD drive on your computer, and then restart the

computer.

7. Wait until you see the following message:

***You may now boot your Proventia Appliance via the network******Starting Terminal Emulator******Press Control-G to Exit and Reboot***

8. If you plan to run network diagnostic tests, you must now recable the device byconnecting crossover cables between all available interfaces except for ETH0 andETH1. Connect port 2 to 3, port 4 to 5, and so on.

Important: In the next step, you have only five seconds to press Lafter the Press Lprompt appears.

9. Turn on the appliance and watch the screen closely for the Press L prompt.

10. When you see the Press L to boot from LANprompt, press the Lkey.

11. When you see the boot:prompt, press TABfor the diagnostics menu.


13. Wait until you see the messages:

Loading installerLoading filesystemBooting, please wait

14. Unplug the network cable from the computer.

15. Connect the remaining two appliance interfaces (ETH0 and ETH1) to each other.

About test results After the tests are finished, the results are displayed on a summary screen and included inthe following file:/tmp/sysdiag_.tgz

Caution: All output, logs, and diagnostic files are stored in memory only and are lostwhen you restart the appliance. To preserve the files, you must transfer them to anothersystem over the serial cable. Depending on the version of the system diagnostics utilityyou are running, the utility may provide an option to copy the file to an external USBdrive.


run all four classes of

system diagnostic tests type sysdiag, and then press ENTER.

skip diagnostic test type sysdiagparametername.

Example: sysdiag nodiskTip: Optional parameters and descriptions are listed on the

screen. You can specify multiple parameters by placing a space

between parameters.


44/48


44

Copying results file To copy the sysdiag_.tgztest results file to another system:

1. Start the computer connected to the appliance.

Important: Do not restart the appliance itself.

2. Start a HyperTerminal connection using the following values:



Data bits = 8

Parity = None

Stop bits = 1

Flow control = None

3. Press ENTERto get a bashprompt.

4. At the prompt, type download.

5. Type exitto safely turn off the appliance.6. Locate the file on your local system.

Tip: The default location is the following:C:\Documents and Settings\\sysdiag_.tgz


45/48


Chapter 8

Support

Overview

Introduction This chapter provides information about how to generate files used to troubleshoot issueswith customer support.


Topic Page

Generating Support Files 46


46/48

Chapter 8: Support

46

Generating Support Files

Introduction This topic explains how to generate a support file that can be used to troubleshoottechnical issues with customer support.

Contactingcustomer support

To contact customer support:

In Proventia Manager, select SupportSupport Contacts.

Creating anddownloadingsupport files

To create or download a system support file:

1. In Proventia Manager, select SupportSystem Support File.


To... Do this...

create a file select Generate Support Data File.

download a file 1. Select the radio button next to the file, and then click the

Downloadicon.

2. At the message prompt, click OK.

3. Follow the prompts to save the file to your hard drive.


47/48


Index

aappliance

rebooting 30

shutting down 30

bbackup and recovery

full system 35

policies 34

cconventions, typographicalin commands 7

in procedures 7

in this manual 7

dDHCP

releasing and renewing leases 31

DHCP leases, releasing and renewing 31

documentation, locating 6

fFilter Database

obtaining full version 28

updating existing 28

firmware updates

installing manually 14

full backup 35

iInternet Security Systems

technical support 8

Web site 8

mmanual appliance updates 14

ooperating system

back up and recovery 35

pping command 30

policies

backing up 34PPPoE

reconnecting the connection 31

PXE boot server 24, 41

rreinstalling appliance firmware

procedure for M50 2425

procedure for Mx1004 24, 26

procedure for Mx3006 24, 26

requirements 25

ssecurity content updates

installing manually 14

removing manually 15

system support file 46

system tools 30


48/48

Index

ttechnical support

contacting 46

system support file 46

technical support, Internet Security Systems 8traceroute command 30

traceroute protocols 30

typographical conventions 7

uupdates

alternate update servers 16

downloading updates 14

finding updates 14

installing updates manually 14obtaining from SiteProtector 16

removing security content updates 15

rolling back updates 15

troubleshooting 15

wWeb site, Internet Security Systems 8

xX-Press update server 16

proventia_administratorguide

Documents

Transcript of proventia_administratorguide