Manual Chapter: FirePass 5.2 Handbook: Installing the FirePass Controller

Installing the FirePass Controller



Overview of installing the FirePass controller

Installing the FirePass® controller is straightforward if you follow these instructions and make the necessary changes in your existing environment. The configuration tasks fall into two groups: the initial installation and configuration tasks, and the additional or secondary configuration tasks. Some of the secondary tasks are required, some are recommended, and some are optional.

A Quick Start card is included with the controller. Use the Quick Setup worksheet to gather necessary network configuration information before beginning to install the FirePass controller.


Summary of tasks for installing and configuring the FirePass controller

Installing and configuring the FirePass controller is a multi-step process. However, the process is simple, as long as you complete the tasks in the correct order.

Table 2.1 lists a summary of the initial tasks for installing and configuring the FirePass controller and suggests where to look for more details. The tasks are listed in the order you should do them. Once you have completed the initial tasks listed here, you can move on to the secondary configuration tasks shown in Table 2.2.

Table 2.1 Overview of initial FirePass installation and configuration tasks

Task | For more information, see
---- | -------------------------
Configure the firewalls at your site to allow traffic to and from the FirePass controller. | Configuring a firewall
If the FirePass controller has a private IP address, set up name resolution for internal users and client software. | Understanding name resolution issues with private IP addresses
Install the FirePass controller, and start it. Using the WAN port (1000 and 4000 controllers) or Management port (4100 controller), create an isolated network to reach the FirePass controller using its factory default IP address. | Installing the FirePass controller
If you are installing a new FirePass controller, configure the controller using the Quick Setup wizard. | Using the Quick Setup wizard
Install a FirePass controller license. | Installing a FirePass controller license
Connect the FirePass controller to the network. Test that the FirePass controller is accessible on the network, and test DNS resolution of the FirePass controller's host name inside and outside the firewall. | Testing network connectivity


Table 2.2 provides a summary of the additional tasks for installing and configuring the FirePass controller. Once you have completed the initial installation tasks listed in Table 2.1, you can review these additional tasks, and complete the ones necessary for your configuration.

Table 2.2 Overview of additional FirePass configuration tasks

Task | For more information, see
---- | -------------------------
After the FirePass controller is up and running and the network connections are working, use the Administrative Console to finish configuring the controller from a Web browser. | Using the Administrative Console
Add groups and user accounts. Then configure one or more authentication methods for FirePass controller users. | Online help
Configure the FirePass controller Access functions you want to make available to users. For example, configure Network Access, if necessary. | Configuring Network Access settings
Install a new SSL certificate. | Online help
If necessary, customize the appearance of the user's home screen, such as the logo, and terms used for logging in. | Online help



Configuring a firewall

The FirePass controller provides remote access by communicating through secure tunnels between remote users at untrusted or unprivileged hosts on the Internet and your corporate LAN. A tunnel is a secure (private) connection between computers or networks over a public network. This section describes the firewall ports you must open at your site to allow traffic to and from the FirePass controller so that it can operate correctly.

The particular firewall ports that you must open at your site depend on where you install the FirePass controller relative to the firewalls, and which network and application services the controller must access. Certain ports, such as ports 80 and 443 for HTTP and HTTPS, must be open in all situations on the external firewall between the FirePass controller and remote Web browsers. If the FirePass controller is installed in a DMZ with an internal firewall separating it from the corporate network, you also have to open other ports as necessary to allow access to network services such as DNS, and to use particular application services such as email. A DMZ, or demilitarized zone, is a small subnetwork or single computer that is installed between your internal corporate LAN and the external Internet.

Note


You can block port 80 on your firewall, but if you do, the FirePass controller will not be able to redirect http:// addresses to https://, and remote users will have to manually type https:// for every URL.

 

The illustration in Figure 2.1 shows the services and ports used by the FirePass controller.


Figure 2.1 Allowing traffic on firewall ports for a FirePass controller

For more information on configuring the firewall ports, see the following section and tables.


Overview of the firewall configuration process

During the process of firewall configuration, consider opening the firewall ports in phases. In the initial phase, focus on the ports that allow access to the FirePass controller from both inside and outside the firewall when you specify the controller's host name in a Web browser, plus the ports the controller needs to reach basic network services. During this phase, opening the SMTP port also lets the FirePass controller send email messages to the FirePass controller administrator. For this initial phase, open the following ports:

  • 80 (HTTP) and 443 (HTTPS)
    Assuming there is a firewall between the Internet and the FirePass controller, the firewall must allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS) with a destination address of the publicly accessible FirePass controller address. This is the base configuration.

  • 123 (NTP), 53 (DNS), and 25 (SMTP)
    The firewall must also allow the FirePass controller to reach network services such as NTP, DNS, and SMTP (on ports 123, 53, and 25). These services might be located on an external network (the Internet) or on the internal corporate network. The location of the services and your particular deployment scenario determine which firewall's ports must be open, assuming there is a firewall between the FirePass controller and the services.

  • 80 (HTTP), 443 (HTTPS), and 661 (HAP)
    If there is a firewall between the FirePass controller and the corporate LAN, the firewall must allow traffic on ports 80, 443, and 661.

After you have opened these ports and installed the FirePass controller, verify that the controller has access to DNS and SMTP services using the instructions in Testing network connectivity. Once you have verified that, and confirmed that you can reach the controller from a Web browser on either side of the firewall, open only the additional ports that your particular deployment requires. The tables later in this section describe the ports and services. For example, if you are using LDAP for authentication, you must open ports 389 and 636. Other application services you might need to support:

  • Windows® file shares: the FirePass controller needs access to Windows file servers using Microsoft® Networking (ports 135, 137, 138, 139). File servers that also offer SMB directly over TCP use port 445, which the tables in this chapter do not list; open it as well if your servers rely on it.

  • Mobile Email: the FirePass controller needs access to SMTP (port 25), POP/IMAP (ports 110, 143), LDAP (port 389), and Secure LDAP (port 636).

  • Legacy host access: the FirePass controller needs access to Telnet (port 23). To use SSH, port 22 is also needed.

  • Internal Web applications: the FirePass controller needs access to HTTP (port 80) and HTTPS (port 443) on the application servers.

Services hosted behind firewalls

Network services are sometimes hosted locally behind a firewall, and sometimes hosted remotely. If the services are hosted remotely, the external firewall must allow the FirePass controller to make connections to those services on specific TCP/IP ports.

To allow access to the FirePass controller from the Internet, create either static Network Address Translation (NAT) rules or port forwarding rules on the firewall to forward inbound packets to the controller. The advantage of static NAT is that it does not require you to forward each individual port to the FirePass controller. The corresponding caveat is that static NAT by itself exposes every port the controller listens on, so combine it with filter rules that admit only the ports listed in the tables that follow. Also, some firewalls only allow static NAT using a public IP address other than the address of their own public interface.

  • To use static NAT, configure a rule that forwards all allowable traffic from the public IP address to the private IP assigned to the FirePass controller.


  • If your firewall does not allow static NAT, you must use port forwarding by setting up rules to forward the appropriate ports to the private IP address assigned to the FirePass controller.

Stateful and non-stateful firewalls

Firewalls can be classified as stateful or non-stateful (stateless).

  • Stateful firewalls track the state of each connection and automatically allow the reply packets of any connection they have permitted (in effect, they create a return rule for each allowed service). If you have a stateful firewall (most newer commercial firewalls are stateful), you only need to define rules for the request direction shown in the tables; the replies pass automatically.


  • Older firewalls, especially ones based on Linux ipchains, are often non-stateful; they evaluate each packet on its own and do not allow bi-directional communication by default. If you have a non-stateful firewall, you must also define a rule for each reply direction shown in the tables. For TCP, the reply rule permits packets from the service port back to the ephemeral port range only when the ACK (acknowledgement) bit is set, so that it admits replies but not new connections opened from the service side. UDP has no ACK bit, so a UDP reply needs a plain rule matched by port.
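The difference between the two cases is easiest to see in the rules they produce. The script below is an added example, not part of the FirePass handbook or of any F5 software: it takes request rows copied from Tables 2.3 and 2.4 (a constructed subset) and emits the iptables rules for a stateful firewall and for a non-stateful one, deriving the reply rule with the ACK bit for TCP and without it for UDP. The addresses, the use of the FORWARD chain and the final DROP are assumptions about the firewall in front of the controller.

```python
"""Emit firewall rules for a FirePass deployment from the request/response tables.

Added example, not part of the FirePass handbook or F5 software. FLOWS is a
constructed subset of the rows in Tables 2.3 and 2.4; the addresses, the use
of the FORWARD chain and the trailing DROP are assumptions about the firewall.
"""
from dataclasses import dataclass

EPHEMERAL = "1025:65535"  # iptables port-range syntax for 1025 to 65535


@dataclass(frozen=True)
class Flow:
    """One request row from the traffic tables; the reply row is derived."""
    name: str
    proto: str       # "tcp" or "udp"
    src: str         # role: "remote", "firepass" or "lan"
    sport: str
    dst: str
    dport: str
    required: bool   # True when the Comment column says "Required"


# Constructed from Tables 2.3 and 2.4 (request direction only).
FLOWS = (
    Flow("HTTP redirect", "tcp", "remote", EPHEMERAL, "firepass", "80", False),
    Flow("HTTPS", "tcp", "remote", EPHEMERAL, "firepass", "443", True),
    Flow("FirePass bridge", "tcp", "remote", EPHEMERAL, "firepass", "10000:10100", False),
    Flow("DNS", "udp", "firepass", EPHEMERAL, "lan", "53", True),
    Flow("LDAP", "tcp", "firepass", EPHEMERAL, "lan", "389", False),
    Flow("LDAPS", "tcp", "firepass", EPHEMERAL, "lan", "636", False),
    Flow("RADIUS", "udp", "firepass", EPHEMERAL, "lan", "1812", False),
)


def select_flows(flows, enabled):
    """Required flows plus the optional ones named in `enabled`."""
    unknown = set(enabled) - {f.name for f in flows}
    if unknown:
        raise ValueError(f"unknown flows: {sorted(unknown)}")
    return [f for f in flows if f.required or f.name in enabled]


def iptables_rules(flows, enabled, stateful, addrs):
    """Return iptables commands (strings) for the selected flows.

    stateful=True:  one conntrack rule admits every reply, as on a firewall
                    that tracks connections.
    stateful=False: each reply gets an explicit rule with the endpoints
                    swapped; for TCP the rule also requires the ACK bit, so
                    it matches replies but not a fresh SYN from the service side.
    """
    rules = []
    for f in select_flows(flows, enabled):
        rules.append(
            f"iptables -A FORWARD -p {f.proto} -s {addrs[f.src]} --sport {f.sport} "
            f"-d {addrs[f.dst]} --dport {f.dport} -j ACCEPT  # {f.name}"
        )
        if not stateful:
            ack = " --tcp-flags ACK ACK" if f.proto == "tcp" else ""
            rules.append(
                f"iptables -A FORWARD -p {f.proto} -s {addrs[f.dst]} --sport {f.dport} "
                f"-d {addrs[f.src]} --dport {f.sport}{ack} -j ACCEPT  # {f.name} reply"
            )
    if stateful:
        rules.append(
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        )
    rules.append("iptables -A FORWARD -j DROP  # everything else")
    return rules


# Assumed addresses: the controller sits in a DMZ behind a NAT firewall.
ADDRS = {"remote": "0.0.0.0/0", "firepass": "10.0.0.8", "lan": "10.0.0.0/24"}

if __name__ == "__main__":
    for rule in iptables_rules(FLOWS, {"HTTP redirect", "LDAPS"}, stateful=False, addrs=ADDRS):
        print(rule)
```

Run it with `stateful=True` and the reply rules collapse into the single conntrack rule; with `stateful=False` every TCP reply carries `--tcp-flags ACK ACK` and the UDP replies (DNS, RADIUS) are matched by port alone, which is exactly the distinction the two bullets above describe.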

Note


The FirePass controller includes a troubleshooting tool called the Network packet dump. This tool is useful for troubleshooting firewall-related issues. For more information, see the online help for the Device Management : Maintenance : Troubleshooting Tools screen.

 


Reviewing network traffic and the FirePass controller

To ensure full functionality of the FirePass controller, you should confirm that certain types of traffic are allowed through the firewalls. The following tables show these types of traffic, listed in request/response pairs.

All traffic associated with the FirePass controller falls into one of four categories, each with its own table in the sections that follow: traffic between a remote user's browser and the controller (Table 2.3), between the controller and network services (Table 2.4), between the controller and application services (Table 2.5), and between the controller and the Desktop Access client (Table 2.6).

Note


A particular type of traffic shown in the tables is required only if Required appears in the Comment column for the traffic, or if you are enabling an application service that requires the port to be opened.

 


Understanding traffic between a remote user's browser and the controller

To allow traffic between a remote user's browser and the FirePass controller, you must open the firewall ports as shown in Table 2.3.

The FirePass bridge ports (10000 to 10100) are optional ports in the external firewall that are used to distribute Desktop Access sessions so that port 443 stays available for new requests. These ports are configurable, and can be set to any of the high TCP/IP ports (1025 to 65535). If the number of concurrent Desktop Access users is low (fewer than 5 on the FirePass 1000, or fewer than 20 on the FirePass 4000 or 4100), there is no need to open the bridge ports. The controller uses the bridge ports if they are available; otherwise it uses port 443.

Table 2.3 Traffic between a remote user's browser and the FirePass controller

Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | ACK bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
HTTP | TCP | Remote browser | 1025 to 65535 | FirePass controller | 80 | | Required if redirection to HTTPS is needed
HTTP (response) | TCP | FirePass controller | 80 | Remote browser | 1025 to 65535 | Yes | Required if redirection to HTTPS is needed
HTTPS | TCP | Remote browser | 1025 to 65535 | FirePass controller | 443 | | Required
HTTPS (response) | TCP | FirePass controller | 443 | Remote browser | 1025 to 65535 | Yes | Required
FirePass bridge | TCP | Remote browser | 1025 to 65535 | FirePass controller | 10000 to 10100 | | Optional for Desktop Access
FirePass bridge (response) | TCP | FirePass controller | 10000 to 10100 | Remote browser | 1025 to 65535 | Yes | Optional for Desktop Access
SSH | TCP | Local LAN | 1025 to 65535 | FirePass controller | 22 | | Optional (used by F5 Technical Support)
SSH (response) | TCP | FirePass controller | 22 | Local LAN | 1025 to 65535 | Yes | Optional (used by F5 Technical Support)



Understanding traffic between the controller and network services

The FirePass controller needs access to the network services listed in Table 2.4, some of which are optional and depend on your particular configuration. If the services are hosted across a firewall from the FirePass controller, you must open the firewall ports to allow the FirePass controller to access these services.

Note


Configure your internal DNS server so that the FirePass controller host name resolves to the controller's local IP address. This is to ensure that traffic from the same side of the firewall can reach the FirePass controller. You can do this on a WINS server, or on a DNS server if the DNS server is hosted locally. (See Understanding name resolution issues with private IP addresses.)

 

Table 2.4 Traffic between the FirePass controller and network services

In every row of this table the FirePass controller is the client: it originates the request to the service, and the service replies. Where the service is hosted on the corporate LAN, the destination is shown as Local LAN.

Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | ACK bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
DNS | UDP (TCP for large responses) | FirePass controller | 1025 to 65535 | Local LAN (DNS server) | 53 | | Required
DNS (response) | UDP (TCP for large responses) | Local LAN (DNS server) | 53 | FirePass controller | 1025 to 65535 | Yes (TCP only) | Required
NTP | UDP | FirePass controller | 1025 to 65535 (some NTP clients send from 123) | Local LAN (NTP server) | 123 | | Used for time synchronization
NTP (response) | UDP | Local LAN (NTP server) | 123 | FirePass controller | 1025 to 65535 | | Used for time synchronization
SSH | TCP | Local LAN | 1025 to 65535 | FirePass controller | 22 | | Optional
SSH (response) | TCP | FirePass controller | 22 | Local LAN | 1025 to 65535 | Yes | Optional
LDAP | TCP | FirePass controller | 1025 to 65535 | Local LAN | 389, 636 | | Required for LDAP authentication
LDAP (response) | TCP | Local LAN | 389, 636 | FirePass controller | 1025 to 65535 | Yes | Required for LDAP authentication
RADIUS | UDP | FirePass controller | 1025 to 65535 | Local LAN | 1645, 1646 or 1812, 1813 | | Required for RADIUS authentication
RADIUS (response) | UDP | Local LAN | 1645, 1646 or 1812, 1813 | FirePass controller | 1025 to 65535 | | Required for RADIUS authentication
SMTP | TCP | FirePass controller | 1025 to 65535 | Local LAN | 25 | | Used to send email to the administrator and for Mobile Email
SMTP (response) | TCP | Local LAN | 25 | FirePass controller | 1025 to 65535 | Yes | Used to send email to the administrator and for Mobile Email


Understanding traffic between the controller and application services

To allow traffic between the FirePass controller and application services on the corporate LAN, you must open the firewall ports as shown in Table 2.5. The application services include the following services, some of which are optional and depend on your particular configuration:

  • File servers


  • Email servers


  • Intranet


  • Terminal servers


  • Legacy mainframe and AS/400 applications


  • Client/server applications


  • Network access

A FirePass controller that uses any of these application services must be able to reach the local LAN on several ports. Most of these ports are listed in Table 2.5 with their default port assignments (your network may differ). Microsoft Networking requires four ports: two TCP ports and two UDP ports. Port 135 (TCP) is the RPC endpoint mapper, port 139 (TCP) is the NetBIOS session service, port 137 (UDP) is the NetBIOS name service, and port 138 (UDP) is the NetBIOS datagram service. You must open these ports so that users can view network file shares. File servers that also offer SMB directly over TCP use port 445, which the table does not list. For NTLM-style networking, a WINS server is needed so that NetBIOS names resolve to IP addresses. Active Directory® uses DNS and does not require WINS.

Table 2.5 Traffic between the FirePass controller and application services

Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | ACK bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
HTTP | TCP | FirePass controller | 1025 to 65535 | Local LAN | 80 | | Required for internal Web applications
HTTP (response) | TCP | Local LAN | 80 | FirePass controller | 1025 to 65535 | Yes | Required for internal Web applications
HTTPS | TCP | FirePass controller | 1025 to 65535 | Local LAN | 443 | | Required for internal Web applications
HTTPS (response) | TCP | Local LAN | 443 | FirePass controller | 1025 to 65535 | Yes | Required for internal Web applications
IMAP | TCP | FirePass controller | 1025 to 65535 | Local LAN | 143 | | Required for email
IMAP (response) | TCP | Local LAN | 143 | FirePass controller | 1025 to 65535 | Yes | Required for email
POP | TCP | FirePass controller | 1025 to 65535 | Local LAN | 110 | | Required for email
POP (response) | TCP | Local LAN | 110 | FirePass controller | 1025 to 65535 | Yes | Required for email
Microsoft Networking | TCP | FirePass controller | 1025 to 65535 | Local LAN | 135, 139 | | Required for file services
Microsoft Networking (response) | TCP | Local LAN | 135, 139 | FirePass controller | 1025 to 65535 | Yes | Required for file services
Microsoft Networking | UDP | FirePass controller | 1025 to 65535 | Local LAN | 137, 138 | | Required for file services
Microsoft Networking (response) | UDP | Local LAN | 137, 138 | FirePass controller | 1025 to 65535 | | Required for file services
Telnet/3270 | TCP | FirePass controller | 1025 to 65535 | Local LAN | 23 | | Required for legacy hosts
Telnet/3270 (response) | TCP | Local LAN | 23 | FirePass controller | 1025 to 65535 | Yes | Required for legacy hosts
Client/server applications | TCP | FirePass controller | 1025 to 65535 | Local LAN | User-defined TCP | | Required for each Application Access client
Client/server applications (response) | TCP | Local LAN | User-defined TCP | FirePass controller | 1025 to 65535 | Yes | Required for each Application Access client
Network Access | TCP, UDP, ICMP | FirePass controller | 1025 to 65535 | Local LAN | Any ports as needed | | Required for Network Access as needed
Network Access (response) | TCP, UDP, ICMP | Local LAN | Any ports as needed | FirePass controller | 1025 to 65535 | Yes (TCP only) | Required for Network Access as needed



Understanding traffic between the controller and the Desktop Access client

To allow traffic from the FirePass controller to the corporate LAN using the Desktop Access feature, you must open firewall ports as shown in Table 2.6.

The FirePass client on a desktop computer on the local LAN uses ports 80 and 81 to initiate communications with the FirePass controller during Desktop Access sessions. The FirePass controller contacts the client on port 661, then communicates with it on port 443. The client responds by initiating a new connection on port 81 back to the FirePass controller.

Host Activation Protocol (HAP) uses a registered port (661) and allows the FirePass controller to initiate a session with the FirePass Desktop Agent. The FirePass controller then communicates with the agent on port 443. Because the controller opens the HAP connection toward the LAN, an internal firewall between the controller and the desktops must permit this controller-initiated traffic; rules that only allow connections initiated from the LAN to the controller are not enough.

Note


The port numbers in the following table are default values that you can change. For more information, see the Online Help.

 

Table 2.6 Traffic between the FirePass controller and the corporate LAN using Desktop Access

Traffic type | Protocol | Source address | Source ports | Destination address | Destination ports | ACK bit | Comment
------------ | -------- | -------------- | ------------ | ------------------- | ----------------- | ------- | -------
HTTP | TCP | Local LAN (Desktop Access client) | 1025 to 65535 | FirePass controller | 80, 81 | | Required for Desktop Access
HTTP (response) | TCP | FirePass controller | 80, 81 | Local LAN (Desktop Access client) | 1025 to 65535 | Yes | Required for Desktop Access
Host Activation Protocol (HAP) | TCP | FirePass controller | 1025 to 65535 | Local LAN (Desktop Access client) | 661 | | Required for Desktop Access
Host Activation Protocol (HAP) (response) | TCP | Local LAN (Desktop Access client) | 661 | FirePass controller | 1025 to 65535 | Yes | Required for Desktop Access
HTTPS | TCP | FirePass controller | 1025 to 65535 | Local LAN (Desktop Access client) | 443 | | Required for Desktop Access
HTTPS (response) | TCP | Local LAN (Desktop Access client) | 443 | FirePass controller | 1025 to 65535 | Yes | Required for Desktop Access



Understanding name resolution issues with private IP addresses

If the FirePass controller is installed on a corporate LAN or in a DMZ that uses private IP addresses, the firewall or gateway performs NAT (Network Address Translation). This means that the FirePass controller has two different DNS identities: one mapped to the public IP address, and another mapped to a private IP address.

Users outside the firewall should not have name resolution problems because the FirePass controller's name resolves to the public address of the firewall or gateway. The firewall or gateway then uses NAT to forward the user's traffic to the FirePass controller.

However, internal users on the corporate LAN and the Desktop Access client software may be affected by internal name resolution problems unless you take specific steps to prevent them.

  • If you have an internal DNS server, add an A record to that zone that resolves to the FirePass controller's private address (such as 10.0.0.8). An A record is an address record, the basic DNS record type, and is used to associate a domain name with an IP address.


  • If you have a WINS server, add a static entry for the FirePass controller name.


  • If you have a firewall that supports a DNS aliasing feature, set up the firewall to redirect internal FirePass controller traffic originating from the corporate LAN to the FirePass controller's private IP address.


  • If there is no internal DNS server, WINS server, or suitable firewall feature, you must use a local hosts file on each corporate LAN computer that must connect to the FirePass controller.
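Whichever of the options above you choose, verify the result from both sides of the firewall. The script below is an added example, not part of the FirePass handbook or of any F5 software: it resolves the controller's host name and reports when the internal view does not return the private address, when the external view returns a private address, or when the name does not resolve at all. The host name firepass.example.com, the addresses 10.0.0.8 and 203.0.113.10, and the resolver tables are constructed so the check runs offline; against a real deployment, pass socket.gethostbyname as `resolve` and run the script once on an internal PC and once outside the firewall.

```python
"""Check that the FirePass host name resolves correctly on each side of a NAT firewall.

Added example, not part of the FirePass handbook or F5 software. The host
name, addresses and resolver tables below are constructed for an offline run;
pass socket.gethostbyname as `resolve` to test a real controller.
"""
import ipaddress
import socket

# What the handbook means by "private IP address": the RFC 1918 ranges that NAT hides.
RFC1918 = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_resolution(name, resolve, side, expected):
    """Resolve `name` as seen from `side` ("internal" or "external").

    `expected` is the address that side must get: the controller's private
    address internally, the firewall's public address externally.
    Returns a list of findings; an empty list means the view is correct.
    """
    if side not in ("internal", "external"):
        raise ValueError(f"side must be 'internal' or 'external', not {side!r}")
    try:
        got = resolve(name)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{side}: {name} does not resolve ({exc})"]
    findings = []
    if got != expected:
        findings.append(f"{side}: {name} resolves to {got}, expected {expected}")
    if side == "internal" and not is_rfc1918(got):
        findings.append(
            f"{side}: {name} resolves to public address {got}; internal users and the "
            "Desktop Access client will try to reach the controller through the firewall"
        )
    if side == "external" and is_rfc1918(got):
        findings.append(f"{side}: {name} exposes private address {got} in public DNS")
    return findings


# Constructed DNS views. 203.0.113.10 stands in for the firewall's public address.
INTERNAL_VIEW = {"firepass.example.com": "10.0.0.8"}
PUBLIC_VIEW = {"firepass.example.com": "203.0.113.10"}
INTERNAL_VIEW_MISSING_A_RECORD = {"firepass.example.com": "203.0.113.10"}


def table_resolver(view):
    """Build a gethostbyname-like function from a name -> address table."""
    def resolve(name):
        if name not in view:
            raise socket.gaierror(f"no A record for {name}")
        return view[name]
    return resolve


if __name__ == "__main__":
    cases = (
        ("internal view", INTERNAL_VIEW, "internal", "10.0.0.8"),
        ("external view", PUBLIC_VIEW, "external", "203.0.113.10"),
        ("internal view, A record never added", INTERNAL_VIEW_MISSING_A_RECORD, "internal", "10.0.0.8"),
    )
    for label, view, side, want in cases:
        result = check_resolution("firepass.example.com", table_resolver(view), side, want)
        print(f"{label}: {result or 'OK'}")
```

The third case is the failure the section warns about: without the internal A record, the internal view returns the public address, and the check reports both the mismatch and the hairpin through the firewall that follows from it.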

Note


This name resolution problem does not apply to a FirePass controller that has a public IP address, because internal and external users can both use a name that resolves to the same IP address for the controller.

 

Note


To support the FirePass controller's application tunnels for clustered or load balanced applications such as Oracle®, Citrix®, or SAP®, you must specify the fully qualified domain names of the servers running the applications. Those applications must also support the use of fully qualified domain names when passing server address information to the client side application. Single server applications may use the server IP address if the remote client is also configured to do so.

 


Installing the FirePass controller

This section describes how to install a FirePass controller, connect it to a network, and start the controller.

When installing and connecting the wiring to the FirePass controller, be sure to follow these basic safety precautions to avoid injury to yourself or damage to the controller:

  • Read and follow all instructions.


  • Do not disassemble the FirePass controller.


  • Ensure that airflow is unrestricted through the fans and vents of the FirePass controller.


  • Connect the unit to a properly grounded and rated power supply circuit that meets the provisions of the current edition of the National Electrical Code, or other wiring rules that may apply to your location.

Contents of the FirePass controller package

After unpacking the FirePass controller, you should have the following items:

  • FirePass controller


  • 120 VAC power cord or 220 VAC power cord


  • CAT 5 network cable


  • Null modem serial cable


  • Resource Kit containing a CD, Quick Start card, and Quick Setup worksheet

Mounting the FirePass controller in an equipment rack

You can mount a FirePass 1000 controller in a standard 1U equipment rack. You can mount a FirePass 4000 controller or a FirePass 4100 controller in a standard 2U equipment rack. Make sure that the rack has adequate ventilation and power. We strongly recommend using an Uninterruptible Power Supply (UPS).


Connecting the FirePass controller to an isolated network

After you unpack and mount the FirePass controller, the next step is to connect the controller to an isolated network. When you have done this, you can turn the controller on.

Note


Use the Quick Setup worksheet included with the FirePass controller to collect and record your basic installation information before continuing.

 


To connect a FirePass controller to a network and start it
  1. Connect a PC to the controller using either:


    • A cross-over Ethernet cable


    • A standard Ethernet cable with an isolated hub or switch


  2. Connect the Ethernet cable to the controller. Where you connect the cable depends on the FirePass controller model:


    • FirePass 1000: connect the Ethernet cable to the 10/100 Base-T (RJ-45) WAN connector on the front panel of the controller. The WAN port is clearly labeled on the controller.


    • FirePass 4000: connect the Ethernet cable to the 10/100 Base-T (RJ-45) WAN connector on the back of the controller. The WAN connector is the network port in the expansion slot on the right side.


    • FirePass 4100: connect the Ethernet cable to the Management port, on the far left of the front of the controller.


  3. Temporarily change the IP address of the PC:


    • FirePass 1000 or 4000: use any IP address in the 192.168.1.0/24 subnet except 192.168.1.99, which is the controller's factory default address.


    • FirePass 4100: use any IP address in the 192.168.0.0/24 subnet except 192.168.0.99, which is the factory default address of the Management port.


  4. If you are connecting two dual-NIC FirePass controllers in a redundant system, connect the corresponding NIC on each controller to the same subnet. For example, connect the internal NIC on each controller to the same subnet. A redundant system is a pair of FirePass controllers configured so that one controller acts as a primary controller while a second controller backs up the primary controller in case of failure. For information on configuring FirePass controllers in redundant systems, see Chapter 7, Using FirePass Controllers for Failover.


  5. If you are connecting several FirePass controllers as a cluster, connect the primary NICs to the same subnet unless they are installed in different geographic locations. For information on configuring FirePass controller clusters, see Chapter 8, Using FirePass Controllers in Clusters.


  6. Plug the power cable into a wall outlet and into the Power connector on the rear panel of the FirePass controller.


  7. Start the controller using the Power switch on the front panel. The order in which you start controllers depends on how they are configured:


    • If you have a single FirePass controller, start it.


    • If you have a FirePass redundant system (a failover pair of controllers), you can start either controller first. The second controller you start becomes the standby controller automatically.


    • If you have a controller cluster, always start the primary controller first. If the primary controller is not available when the secondary controllers start, the cluster does not work properly.


  8. Wait for the system to load. On a FirePass 4100 this can take three to five minutes; after the system has fully loaded, the LCD information screen displays three information panels:

    • The currently configured IP address of the Management interface, and the fully qualified domain name


    • The date and time


    • The software version build numbers

Warning


Do not turn off the FirePass controller using the Power switch on the front panel. If you use the Power switch, you can corrupt data and may not be able to connect to the FirePass controller again. To turn off the FirePass controller, always use the Shutdown commands in the Administrative Console or the Maintenance Console.

 


Configuring the FirePass controller

Configuring the FirePass controller is a sequence of tasks that you complete in order. You need to understand the initial configuration process, including the default FirePass controller settings, using the Quick Setup wizard, and installing a license on the controller. You also need to test the controller after you have configured it.


Overview of the initial configuration process

After you have unpacked the controller and connected it to your network, you can begin your configuration. To complete the initial FirePass controller configuration:

  • Create an isolated network
    For more information, see Connecting the FirePass controller to an isolated network.


    1. Create an isolated network that includes the FirePass controller and a PC with a web browser.


    2. Connect them directly using a cross-over Ethernet cable, or indirectly with a standard Ethernet cable and an isolated hub or switch.


  • Connect to the controller
    In the PC's Web browser, type the controller's default URL (be sure to include the final slash):


    • On a FirePass 1000 or FirePass 4000 controller: https://192.168.1.99/admin/


    • On a FirePass 4100 controller: https://192.168.0.99/admin/

      Note: You can still use the pre-5.0 format: https://192.168.<n>.99/stats/

      One or more certificate warning messages may display, because the controller ships with a factory certificate issued to firepass.company.xyz that does not match the address you typed and is not trusted by your browser. Accept the warnings for this connection over the isolated network only; installing your own SSL certificate is one of the additional tasks in Table 2.2 and should be done before users connect. You should see the FirePass login screen.

  • Log in
    Log in using the default administrator name admin, and password of admin. The startup screen for unlicensed FirePass controllers displays. These credentials are printed in this manual and are therefore known to anyone, which is why the Quick Setup wizard, which changes them, runs on the isolated network before the controller is connected to your network.


  • Note: If you are upgrading to version 5.0, you see the unlicensed FirePass controller startup screen. You need to relicense the controller.

  • Run the FirePass Quick Setup


    1. Click FirePass Quick Setup to run the Quick Setup.


    2. Using the Quick Setup wizard, you perform the initial configuration including updating the controller IP address, changing the administrator user name and password, and specifying proxy servers.


    3. For more information, see Using the Quick Setup wizard.

  • Shut down/Restart
    The Quick Setup wizard prompts you to restart the FirePass controller. Do not use the Power switch on the front panel to turn the controller off.


  • Install a license
    You need to install a FirePass controller license before you can finish configuring the controller. For more information, see Installing a FirePass controller license.


  • Connect to your network


    1. Connect the FirePass controller to your network:


      • On a FirePass 1000 or FirePass 4000 controller, disconnect the controller from the isolated network and reconnect it to your network.


      • On a FirePass 4100 controller, connect the Eth1.1 port to your network. The Management port is intended for a direct connection to the Administrative Console.


    2. Test the network connections by following the instructions in Testing network connectivity.


  • Finish configuring the FirePass controller
    Finish configuring the FirePass controller using a browser on a PC on the network and either the fully-qualified domain name of the controller, or the IP address you assigned during the Quick Setup.



About the FirePass controller preconfigured settings

The FirePass controller comes preconfigured with a default set of networking and controller settings. These settings provide a predefined configuration that allows you initial access to the controller. They are not intended for actual use in your environment. Connect to the controller using the default settings and then configure it with your own settings. The following table provides important default FirePass controller settings.

FirePass default network settings

Setting                         Factory default value             Factory default value
                                (FirePass 1000/FirePass 4000)     (FirePass 4100)
------------------------------  --------------------------------  ------------------------------------------------
Admin Console User Name         admin                             admin
Admin Console password          admin                             admin
Maintenance Console User Name   maintenance                       maintenance
Maintenance Console password    <no password>                     <no password>
Controller name                 firepass.company.xyz              firepass.company.xyz
Controller IP Address/Mask      192.168.1.99 / 255.255.255.0      192.168.0.99 / 255.255.255.0 (Management port)
                                                                  192.168.1.99 / 255.255.255.0 (Eth1.1 user port)
DNS Server IP Address           192.168.1.1                       192.168.1.1
Gateway IP Address              192.168.1.1                       192.168.1.1
Domain suffix                   company.xyz                       company.xyz
SSL VPN Network Subnet          192.168.192.0 / 255.255.255.0     192.168.192.0 / 255.255.255.0
SSL Certificate                 firepass.company.xyz              firepass.company.xyz
Administrator's email address   support@company.xyz               support@company.xyz
SMTP Server                     mail.company.xyz                  mail.company.xyz
NTP Server                      ntp.nasa.gov                      ntp.nasa.gov
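A practical check after the initial configuration is to confirm that none of the factory values in the table above survived. The following script is an added example, not part of the FirePass handbook or of the F5 software: it reads a "Setting: value" text block as an operator would record it from the Quick Setup worksheet or the Current Settings screen (the sample below is constructed), compares each value with the factory table, and rates leftovers. The severity ratings are this example's own: the credentials are critical because they give full control of the controller; the certificate, NTP, SMTP and naming defaults are warnings; addresses and the VPN subnet are informational because they may legitimately match your network.

```python
"""Audit a configured FirePass controller for leftover factory defaults.

Added example; not from the FirePass handbook or F5 software. The settings
text is in the form an operator records it; the sample below is constructed.
"""
import re

# Factory defaults from the handbook's table. A tuple lists every value that
# still counts as "default" (the 4100 ships with two default addresses).
FACTORY_DEFAULTS = {
    "Admin Console User Name": ("admin",),
    "Admin Console password": ("admin",),
    "Maintenance Console User Name": ("maintenance",),
    "Maintenance Console password": ("<no password>",),
    "Controller name": ("firepass.company.xyz",),
    "Controller IP Address/Mask": ("192.168.1.99 / 255.255.255.0",
                                   "192.168.0.99 / 255.255.255.0"),
    "DNS Server IP Address": ("192.168.1.1",),
    "Gateway IP Address": ("192.168.1.1",),
    "Domain suffix": ("company.xyz",),
    "SSL VPN Network Subnet": ("192.168.192.0 / 255.255.255.0",),
    "SSL Certificate": ("firepass.company.xyz",),
    "Administrator's email address": ("support@company.xyz",),
    "SMTP Server": ("mail.company.xyz",),
    "NTP Server": ("ntp.nasa.gov",),
}

# Severity is this example's own rating, not the handbook's.
CRITICAL = {"Admin Console User Name", "Admin Console password",
            "Maintenance Console password"}
WARNING = {"SSL Certificate", "NTP Server", "SMTP Server",
           "Administrator's email address", "Controller name", "Domain suffix"}
RANK = {"critical": 3, "warning": 2, "missing": 2, "info": 1}


def normalize(value):
    """Collapse whitespace, tolerate '1.2.3.4/255.0.0.0' vs '1.2.3.4 / 255.0.0.0',
    treat an empty password as the factory '<no password>' marker."""
    v = " ".join(value.strip().split())
    v = re.sub(r"\s*/\s*", "/", v)
    return "<no password>" if v == "" else v.lower()


def parse_settings(text):
    """Parse 'Setting: value' lines; '#' lines and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        settings[key.strip()] = value
    return settings


def audit(settings):
    """Return (setting, normalized value, severity) for every value still at a
    factory default, plus (setting, None, 'missing') for anything not recorded."""
    findings = []
    for setting, defaults in FACTORY_DEFAULTS.items():
        if setting not in settings:
            findings.append((setting, None, "missing"))
            continue
        value = normalize(settings[setting])
        if value in {normalize(d) for d in defaults}:
            sev = "critical" if setting in CRITICAL else "warning" if setting in WARNING else "info"
            findings.append((setting, value, sev))
    return findings


def overall(findings):
    """Worst severity across the findings; 'missing' counts as a warning."""
    if not findings:
        return "clean"
    top = max(findings, key=lambda f: RANK[f[2]])[2]
    return "warning" if top == "missing" else top


# Constructed sample: a half-finished install. The admin password and the
# network values were changed, but the admin user name, the empty maintenance
# password, the factory certificate and the NTP server were not.
SAMPLE_AFTER_QUICK_SETUP = """
# constructed example data
Admin Console User Name: admin
Admin Console password: Tr0ub4dor-Only-For-Testing
Maintenance Console User Name: maintenance
Maintenance Console password:
Controller name: vpn.example.net
Controller IP Address/Mask: 10.0.5.99 / 255.255.255.0
DNS Server IP Address: 10.0.5.53
Gateway IP Address: 10.0.5.1
Domain suffix: example.net
SSL VPN Network Subnet: 192.168.192.0 / 255.255.255.0
SSL Certificate: firepass.company.xyz
Administrator's email address: vpn-admins@example.net
SMTP Server: smtp.example.net
NTP Server: ntp.nasa.gov
"""

if __name__ == "__main__":
    results = audit(parse_settings(SAMPLE_AFTER_QUICK_SETUP))
    for setting, value, sev in results:
        print(f"{sev:>8}  {setting}: {value}")
    print("overall:", overall(results))
```

Run it against your own worksheet and treat anything rated critical as a blocker for connecting the controller to the production network; the maintenance account in particular has no password by default and is reachable from the Administrative Console's Telnet link as well as from the serial console.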



Using the Quick Setup wizard

After you install the FirePass controller and connect to it for the first time, you can run the FirePass Quick Setup to do the initial configuration of the controller. The Quick Setup prompts you for basic configuration information and helps you configure the controller quickly. The Quick Setup screen displays only if you do not have a license installed on the new FirePass controller.

If you already have a license installed on your controller but still need to make configuration changes, use the Administrative Console or the Maintenance Console. For more information, see Using the Administrative Console to configure the controller.

Note


Quick Setup applies most changes immediately, including the administrator login name and password. However, it does not change the network configuration until you finish the wizard and restart the FirePass controller.

 


To make initial configuration changes using the FirePass Quick Setup

When you log onto the FirePass controller for the first time, the Quick Setup screen displays. Run the Quick Setup wizard from this screen to configure the controller.

  1. Click FirePass Quick Setup.


  2. Follow the wizard prompts and enter the requested information. Click Next to move from one screen to the next.


  3. When the Quick Setup is complete, click Finish.
    The wizard prompts you to restart the FirePass controller.


  4. Click Go to restart the controller and implement the configuration changes you just made.

Installing a FirePass controller license

After you have made the initial configuration changes and have restarted the FirePass controller, the next step is to install (activate) a license.

You need to activate a license in order to use the FirePass controller. The license affects what configuration options you have access to, and what features of the controller are activated. When you activate a license, the FirePass controller accesses an F5 Networks licensing server and downloads the correct license based on your purchase.

When you receive a new FirePass controller, you should receive an email from Technical Support or the entitlement server with directions on how to license your controller. If you did not receive an email, contact Technical Support to make sure your license is ready.

Note


If you are upgrading from an earlier version of FirePass controller, you must get a new registration key before activating your license. See the release notes for more information.

 


Getting your license

Before you can use the FirePass controller, you have to license it. Your controller should be preconfigured with a serial number and registration key. These are displayed on the Activate License screen. If the Serial number appears as unknown, contact Technical Support.


To see the Activate License screen
  1. In the Administrative Console, click Device Management on the navigation pane.


  2. Click Maintenance to display the Activate License screen.


  3. Check your serial number and registration key. Verify that the serial number is not unknown.

To install the controller's first license

Before activating the license, make the initial configuration changes and confirm that the FirePass controller is configured to work on your local network. (For more information, see Overview of the initial configuration process.) Also make sure that your firewall allows outbound connections from the controller to the Internet on TCP port 443 (HTTPS), which the controller uses to reach the F5 Networks licensing server.

  1. In the Administrative Console, click Welcome on the navigation pane.
    A screen displays indicating that there is no FirePass license installed.


  2. Click Activate License.
    The Device Management : Maintenance : Activate License screen displays.


  3. In Registration Method, select Automatic, then click Request License at the bottom of the screen.
    A Terms of Use agreement displays.


  4. Read the terms, click the I have read and agree to the terms of this license box, and click Continue.
    A license file displays.


  5. To install and activate the license, click Continue.


  6. When a message displays saying that the license was activated, click Continue.

Note: You may be prompted to restart the controller.

If the Automatic registration method does not work, install the license using the manual method.


To install the controller's license manually
  1. In the Administrative Console, click Welcome on the navigation pane.
    A screen displays indicating that there is no FirePass license installed.


  2. Click Activate License.
    The Device Management : Maintenance : Activate License screen displays.


  3. In Registration Method, select Manual, then click Request License at the bottom of the screen.
    A Terms of Use agreement displays.


  4. Copy the entire contents of the Product Dossier box, and click the indicated text, Click Here to access F5 Licensing Server. You will need to paste the dossier box contents into the licensing server.


  5. On the licensing server, paste the dossier into the Enter your dossier box, and click Activate.


  6. Follow the prompts and enter the requested information on the licensing server.


  7. When the server validates your information, a license file is displayed. You can either copy the entire file, or click Download license to copy the file to your local drive.


  8. Paste the license file in the License File box on the Device Management : Maintenance : Activate License screen, and click Install License.


  9. After the license is installed, click Continue.

Note


If you cannot access the F5 Networks licensing server using either the automatic or the manual activation process, contact F5 Technical Support.

 


Testing network connectivity

After connecting the FirePass controller to your network, starting it up, and performing the initial IP address configuration, test that you can access the controller from your network, and that the FirePass controller's fully qualified domain name resolves correctly both inside and outside the firewall.

Note


The following steps assume that your firewall is not configured to block ICMP packets.

 


To test network connectivity
  1. Test that the FirePass controller is accessible from the LAN by entering the following command on a host computer on the LAN:

     ping x.x.x.x

     where x.x.x.x is the FirePass controller's private IP address.

  2. Test DNS resolution of the FirePass controller's name and address inside the firewall. On a host computer inside the firewall, enter the following command:

     ping <fully qualified controller name>

     Inside the firewall, this name should resolve to the FirePass controller's private IP address.

  3. Test DNS resolution of the FirePass controller's name and address outside the firewall. On a host computer outside the firewall, enter the following command:

     ping <fully qualified controller name>

     Outside the firewall, this name should resolve to the FirePass controller's public IP address.

  4. Test accessing the controller from a Web browser by entering the URL for the FirePass controller on computers both inside and outside the firewall. For example, use the following syntax where <fqdn> is the fully qualified domain name assigned to the FirePass controller:

     https://<fqdn>/admin/

     For example, you might enter:

     https://controller-name.company.com/admin/

     The FirePass controller's login screen should appear when you enter this URL.


Troubleshooting connections to the controller

If you have problems accessing the controller, the cause is usually one of two things: a misconfigured firewall, or DNS reflection. Use the following information to troubleshoot problems accessing the controller.

  • Accessing the FirePass controller on a computer outside the firewall
    If you have trouble accessing the FirePass controller with a Web browser on a computer outside the firewall, the problem is likely caused by a misconfigured firewall, or a firewall that does not allow packets to travel in both directions.


  • Accessing the FirePass controller on a computer inside the firewall
    If you have trouble accessing the FirePass controller by entering the fully qualified domain name on a computer inside the firewall, try entering the internal IP address. This problem can be caused by DNS reflection, which occurs when an internal host sends a packet to the external interface of the firewall. When the firewall forwards the packet to the FirePass controller, the FirePass controller replies to the external interface of the firewall which cannot properly route the packet back to the internal host.


  • Providing Secure Shell access to Technical Support
    In case of severe malfunction, you may need to give Technical Support access to your Maintenance Console using Secure Shell (SSH). To allow this access while blocking routine SSH access, the FirePass controller uses temporary, encrypted keys, further protected by a passphrase.

Using the Administrative Console

After verifying that the FirePass controller is accessible on your network, you can use the Administrative Console in a Web browser to administer the controller, and change configuration settings as necessary. You can run the Administrative Console on any computer that can access the FirePass controller over the network.


Logging in to the Administrative Console

The Administrative Console is composed of several screens where you select options, enter configuration information, and choose commands to configure and administer the FirePass controller. Some panels contain status information and reports that you can use to monitor the controller. Click the links on the navigation pane to expand navigation options and to load configuration screens.


To log in to the Administrative Console

To log in to the Administrative Console, you must have a computer that can access the FirePass controller over a network or the Internet.

  1. Type a URL using the following syntax, where <fqdn> is the fully qualified domain name assigned to the FirePass controller:

     https://<fqdn>/admin/

     For example, you might enter:

     https://controller-name.company.com/admin/

  2. If a Security alert appears, click Yes to accept the SSL certificate.
     The FirePass login screen appears.
     The factory certificate is issued for firepass.company.xyz, so a browser warning is expected until you install a certificate that matches your controller's name. Before accepting it, confirm that the browser is connected to the address you expect for the controller.

  3. Enter the superuser user name: admin.
     The superuser account is a preconfigured administrative account on the FirePass controller.

  4. Enter the default superuser password: admin.
     Change this password before connecting the controller to your production network; see Changing the superuser password.

  5. Click Go to log in.
     After you log in, the FirePass Administrative Console Welcome screen appears.

Note: The user name and password are case sensitive.


Displaying a list of current settings

You can see a list of current settings on the Current Settings screen. These are useful for confirming settings and for troubleshooting problems.

Note


The licensed features appear on the Activate License screen after you install a license on the controller. For instructions on displaying the FirePass controller's licensed features, see To see the Activate License screen.

 


To display a list of current settings
  1. In the Administrative Console, click Device Management on the navigation pane.


  2. Click Current Settings to display the Current Settings screen.

Note: The settings are read-only on the Current Settings screen.


Changing the superuser password

One of the first things you should do after installing and configuring the FirePass controller is change the default password for the superuser account. The superuser account is a preconfigured Administrator account. The Quick Setup wizard prompts you to change the superuser password, but you can also change the password at any time using the Administrative Console.

Note


When you open the Superuser screen you also see an option to disable the Superuser account. Do not check this box until you have given comprehensive Administrator privileges, including access to all links on the Server tab, to other named accounts; otherwise you can lock yourself out of administration. For more information, see the online help for the Device Management : Security : Administrators screen.

 


To change the superuser password
  1. On the navigation pane, click Device Management.


  2. Expand Security, and click Superuser to open the Superuser screen.


  3. In the Old Password box, type the current password.


  4. In the Password and Confirm Password boxes, type the new password.


  5. Click Go to change the superuser password.

Note


If your superuser password is lost, contact Technical Support.

 


Accessing the Maintenance Console from the Administrative Console

You can use the Administrative Console to access the Maintenance Console by starting a Telnet session from within the Administrative Console. Accessing the Maintenance Console in this way is much more convenient because you do not need to connect a computer directly to the FirePass controller.


To use the Administrative Console to run the Maintenance Console
  1. In the Administrative Console, click Device Management on the navigation pane.


  2. Expand Maintenance and click Troubleshooting Tools.
    The Troubleshooting Tools screen opens.


  3. Under Telnet access, click Please click here to start a Telnet Session to the Maintenance Account.


  4. You may see one or more security warnings. Click Yes to continue.


  5. At the login: prompt, type maintenance.
     No password is required.

     Note: If there is no response from the Maintenance Console, use your mouse to click in the Console window, then press Enter to get a login prompt.

  6. Type Y to agree to the conditions on the screen.
     The Maintenance Console menu appears.

Using the Administrative Console to configure the controller

In most instances, you should use the Quick Setup wizard for the initial configuration of the FirePass controller. The Quick Setup wizard is designed to guide you through the necessary changes, prompting you for required information. For more information on the Quick Setup wizard, see Using the Quick Setup wizard.

If you already have a license installed on the FirePass controller, or if you are upgrading from a previous FirePass version, you will need to configure the controller using the Administrative Console. Quick Setup is not available if a license has already been installed.


To use the Administrative Console for initial configuration
  1. Log in using the default administrator name admin, and password of admin.


  2. Configure the controller's IP address:


    1. On the navigation pane, click Device Management.


    2. Expand Configuration and click Network Configuration.
      The IP Configuration tab is selected by default.


    3. In the appropriate boxes, type the IP address, subnet, and port settings for your network, and select an interface from the Interface list.


  3. Configure DNS name resolution:


    1. On the navigation pane, click Device Management.


    2. Expand Configuration and click Network Configuration.


    3. Click the Hosts tab.


    4. In the FQDN of the controller box, type the fully-qualified domain name (FQDN) of the FirePass controller, and click Update.


    5. Click the DNS tab.


    6. Type the IP Address of your domain name server in the Name server 0 box, and click Update.


  4. Shut down and restart the FirePass controller.
    Do not use the Power switch on the front panel to turn the controller off. Use the Shutdown command in the Administrative Console to turn off the FirePass controller.


  5. Disconnect the FirePass controller from the isolated network and reconnect it to your network. Test the network connections by following the instructions in Testing network connectivity.


  6. Finish configuring the FirePass controller using a browser on a PC on the network and either the fully-qualified domain name of the controller, or the IP address you assigned on the Network Configuration screen.



Logging out of the Administrative Console

For security reasons, it is a good practice to log out before leaving your computer. If you do not log out of the Administrative Console, the FirePass controller automatically logs you out after a period of inactivity. This time interval is specified in the inactivity timeout option on the Device Management : Security : Timeouts screen of the Administrative Console.


To log out of the Administrative Console

Use either option:

  • Click the Logout link on the upper right of the Administrative Console.


  • Close your Web browser.

Using the Maintenance Console

Network configuration changes should be made using the Administrative Console, but if your controller's IP address and network mask are not configured correctly, or if you are unable to connect to the controller using a Web browser, you can connect directly to the controller and run the Maintenance Console to reset the controller and make limited configuration changes. You can also perform basic connectivity diagnostics using the Maintenance Console, or restore the default configuration settings.

Note


After resetting the FirePass controller you must request a new FirePass license.

 


To use the Maintenance Console to reset the FirePass controller
  1. Use a 9-pin, D-style, null modem cable to connect the serial port on a serial terminal or on a computer to the FirePass controller's serial console port:


    • On FirePass 1000 and 4000 controllers, the serial console port is located on the controller's rear panel.


    • On FirePass 4100 controllers, the serial console port is located on the front panel.


  2. If necessary, turn on the FirePass controller's Power switch.


  3. Proceed based on your connection method:


    • If you connected a serial terminal, press Enter on the terminal's keyboard to start the Maintenance Console.


    • If you connected a computer to the serial port, start a serial terminal emulation application (such as HyperTerminal on Windows or Minicom on Linux®) on the computer. Use the terminal emulation application to connect to the FirePass controller with the following communications settings:

      Setting           Value
      ----------------  --------
      Bits per second   19200
      Data bits         8
      Parity            None
      Stop bits         1
      Flow control      Xon/Xoff


  4. At the login: prompt, type maintenance
    By default, no password is required.


  5. Type Y to agree to the conditions on the screen.
    The Maintenance Console menu appears.


  6. To make basic configuration changes, type 1 for Reset FirePass settings and/or admin password, then press the Enter key.


  7. Type 1 for Reset FirePass settings and admin password, then press the Enter key.
    A warning screen displays.


  8. At the Reset FirePass to default values (full reset) prompt, type yes and press Enter.


  9. Follow the prompts to reset the controller to default values.
    You are given the opportunity to change basic IP address values during the reset process.


  10. After you finish entering the settings, type Y at the confirmation prompt.


  11. For some configuration changes, you may need to restart the controller.


    • If the controller prompts you to restart, type 9 for Restart Server on the command menu, and then press the Enter key.


    • If you do not receive a restart prompt, type 0 for Exit, and then press the Enter key to exit the Maintenance Console.


  12. Disconnect the serial cable.

Note


You can also access the Maintenance Console using a Telnet session from the Administrative Console. For more information, see Accessing the Maintenance Console from the Administrative Console.

 

Tip


The IP Address and Network Mask are the only settings that you must configure on the controller in order to access the controller using the Administrative Console, but you can use Maintenance Console commands at any time to configure other settings.

 

