Appendix A Using the Command Line

All the functionality of SunScreen that is available through the administration GUI is also available through a command. Administering your Screens through the command line can be useful when you want to manage one or more remote Screen or if you use more than one network address.

You can access a Screen using the command line from its own keyboard, when the Screen is being administered locally and requires that you have superuser (root) access; or you can access a Screen using the command line from an Administration Station, when the Screen is being administered remotely and requires that you use SKIP encryption and an Administration User name and password.

For more information on the command line, see the SunScreen Reference Manual.

UNIX (shell) Command Summary

The following Unix (shell) commands are available at your shell prompt when /opt/SUNWicg/SunScreen/bin is included in your $PATH. The following table lists the SunScreen Unix (shell) commands and their descriptions. Many of these commands duplicate administration GUI functions, while others provide a context for other commands.

The commands used by skiptool can be found in the SunScreen SKIP 1.5.1 User's Guide.

UNIX (shell) Commands

ss_install Command

ss_install is a text-based command-line utility for creating an initial SunScreen configuration. ss_install, combined with pkgadd, is the command-line equivalent to the installation wizard graphical user interface.

ss_install interactively queries you with various options for configuring the SunScreen, creates a configuration, stores it under the policy name "Initial", and activates it. After ss_install is complete, you can administer the firewall.

ssadm Command

ssadm is the primary command-line tool for SunScreen administration. ssadm has a number of sub-commands that perform various operations such as editing and activating a configuration, and examining the status of a Screen.

ssadm runs directly on a locally administered Screen, or indirectly from a remote Administration Station that is using SunScreen SKIP to encrypt IP network communications passing between them. See the SunScreen SKIP User's Guide for more information regarding SKIP encryption.

Usage:

ssadm [-b] [-n] sub-command [parameters...]

ssadm [-b] [-n] -r remotehost [-F ticketfile] sub-command [parameters...]

Options:

-b -- Allow binary data (instead of text) in standard input and output.

-n -- Do not read any input from standard input.

-r remotehost -- Access remote Screen using address or hostname remotehost.

-F ticketfile -- Use authorization ticket stored in ticketfile.

The available ssadm sub-commands are each described in the ssadm Sub-Command section of this document.

The -b option normally is not needed since those commands that process binary data enable the binary mode automatically. For example, ssadm backup, ssadm restore, ssadm log, ssadm logdump, and ssadm patch handle binary data even if -b is not specified.

When ssadm is executed locally on the Screen (that is, without the -r option) no login or authentication is required, but you must be superuser to have any effect.

When ssadm is used with the -r option to access a remote Screen, login authentication is required. You must use the ssadm login command to get a ticket that is used by subsequent invocations of ssadm to allow access to the remote Screen. Normally, the ticket is stored in a ticketfile, the name of which can be specified using the -F option, or through the SSADM_TICKET_FILE environment variable. See the ssadm login command for information about ticket files and remote administration using ssadm.

Executing an ssadm Command on a Local Screen

You can configure a local Screen by typing the commands listed in this appendix using the Screen's keyboard. For example, to activate a policy called "Initial," you would type:

# ssadm activate Initial

where ssadm is the command you want to execute, activate is the name of the ssadm subcommand, and Initial is the name of the policy you want to activate.

The ssadm command resides in the /opt/SUNWicg/SunScreen/bin directory. Include this directory in your directory search path to have access to the commands on the local Screen.

Executing an ssadm -r Command on a Remote Administration Station

You can configure a Screen from a remote Administration Station by preceding the commands listed in this appendix with the ssadm -r command and the name of the Screen you want to administer. For example, to activate the policy "Initial" on a remote Screen called SunScreen1, you would type:

# ssadm -r SunScreen1 activate Initial

where ssadm -r indicates that you want to execute a command on a remote Screen called SunScreen1, activate is the name of the ssadm sub-command, and Initial is the name of the policy you want to activate

---

Note -

A local ssadm command can be turned into a remote ssadm command by adding -r remote_Screen_name immediately after ssadm.

---

When ssadm is used with the -r option to access a remote Screen, the name of the ticketfile can be specified using the -F option, or through the SSADM_TICKET_FILE environment.

Remotely Logging Into and Out of SunScreen

If you are using remote administration, you must log in before you can perform most ssadm commands.

To Remotely Log Into SunScreen

Type the following:

# export SSADM_TICKET_FILE # touch $SSADM_TICKET_FILE # chmod go= $SSADM_TICKET_FILE # ssadm -r SunScreen1 login username password WRITE access <E23B344150C702EC>

To Remotely Log Out of SunScreen

Type the following:

# ssadm -r SunScreen1 logout

ssadm Sub-Command Summary

The following table lists the SunScreen ssadm sub-commands and their descriptions. Many ssadm sub-commands duplicate administration GUI functions, while others provide a context for other sub-commands.

You maintain user-controlled data by using the edit command that is a sub-command of ssadm.

When you need to look at or change a policy in some way like Move or Delete, you invoke the configuration editor and enter a series of commands that end with save and quit requests.

Be sure to save change commands, such as add, del, rename, renamereference, insert, replace, and move, before you quit. Run save just before the quit command to avoid accumulating too many policy versions.

Configuration Editor Commands

The ssadm edit commands are used when running the configuration editor, which is responsible for maintaining the SunScreen configuration database.

The following table lists the SunScreen configuration editor ssadm edit sub-commands and their descriptions. Many sub-commands duplicate administration GUI functions, while others provide a context for other sub-commands.

Command-Line Session

Unlike many of the other ssadm sub-commands, the configuration editor allows editing only one policy at a time. When you are in an editing session, others are unable to edit, and can only read the policy.

You invoke the configuration editor with the edit command, which is a sub-command of ssadm, and the name of your policy, such as Initial. Once it is running, the prompt becomes: edit>.

1. For a locally administered Screen, type:

   # ssadm edit policy_name

2. For a remotely administered Screen, type:

   # ssadm -r Screen_name edit policy_name

Creating and Editing Policies

To Create a New Policy

Add a new policy, for example, myconfig, by typing:

• For local administration:

  # ssadm policy -a myconfig

• For remote administration:

  # ssadm -r Screen_name policy -a myconfig

To Copy a Policy

Copy a policy by typing:

• For local administration:

  # ssadm policy -c myconfig myconfigcopy

• For remote administration:

  # ssadm -r policy -c myconfig myconfigcopy

To Rename a Policy

Rename a policy by typing:

• For local administration:

  # ssadm policy -r old_name new_name

• For remote administration:

  # ssadm -r Screen_name policy -r old_name new_name

To Delete a Policy

Delete a policy by typing:

• For local administration:

  # ssadm policy -d name

• For remote administration:

  # ssadm -r Screen_name policy -d name

To Verify a Policy

Verify the validity of a policy, for example, myconfig, by typing:

• For local administration:

  # ssadm activate -n myconfig

• For remote administration:

  # ssadm -r Screen_name activate -n myconfig

To Activate a Policy

Activate a policy by typing:

• For local administration:

  # ssadm activate myconfig

• For remote administration:

  # ssadm -r Screen_name activate myconfig

To Back Up Your SunScreen Configuration

Type the following to back up a policy:

• For local administration:

  # ssadm backup > filename

• For remote administration:

  # ssadm backup Screen_name > filename

To Restore Your SunScreen Configuration

Restore a policy, for example, myconfig, by typing:

• For local administration:

  # ssadm restore < myconfig

• For remote administration:

  # ssadm -r Screen_name restore < myconfig

Services and Service Groups

To Add a New Single Service

1. Type the following to add the service ftp-34, service engine, discriminator, parameters, and an optional description within quotation marks.

   You only need to type in the "PARAMETERS 1200 1200 1" in the example below if you do not want to use the default values. See the SunScreen Reference Manual for the default parameters for the state engines

   edit> add service ftp-34 SINGLE FORWARD ftp PORT 34 PARAMETERS 1200 1200 1 COMMENT "ftp-34 uses port 34 instead of port 21. Use ftp-34 instead of the supplied ftp service."

2. Type the following to see the new service ftp-34:

   edit> list service ftp-34 "ftp-34" SINGLE FORWARD "ftp" PORT 34 PARAMETERS 1200 1200 1 COMMENT "ftp-34 uses port 34 instead of port 21. Use ftp-34 instead of the supplied ftp service."

To Add a New Service Group

Although SunScreen lets you change the default services in service groups, to make any troubleshooting easier, it is better to add a new service group that contains the services that you want.

1. Type the following to add the service group "useful services" and an optional description within quotation marks:

   • For local administration:

     edit> add service "useful services" GROUP www archie gopher COMMENT "A new service group that is used instead of common services."

   The description will appear in the Service Details field that appears when you choose a service or service group for a policy rule using the Policy Rule Definition dialog window.

2. Type the following to list the new service group "useful services."

   edit> list service "useful services"

To Modify Service Groups

Add the GROUP again with the modified member list. The new version will overwrite the old version.

To Rename a Service and Service Group and Its References

SunScreen lets you rename a single service or a service group. To make troubleshooting easier, do not rename the single services and service groups that are supplied with SunScreen.

Type the following to rename the old service or service group to the new name and all references to it, for example:

edit> renamereference service "useful services" "dmz services"

To Rename a Service or Service Group

Type the following to rename the old service or service group to the new name only, for example:

edit> rename service "useful services" "dmz services"

To have the changes take effect, you must activate the policy whose rules you edited.

To Delete a Service or Service Group

SunScreen lets you delete a single service or a service group. To make any troubleshooting easier, do not delete the single services and service groups that are supplied with SunScreen.

This command does not check for references to the single service or service group that you are deleting.

Type the following to delete a service or service group, for example to delete the service group "dmz service":

edit> del service "dmz services"

To have the changes take effect, you must activate the policy whose rules you edited.

To Check References to Deleted Service or Service Group

To check references to the single service or service group that you want to delete or have deleted:

Type the following to find references to the service or service group that you want to delete or have deleted, for example:

edit> referlist service "dmz services"

You see a list of all the instances where the service or service group is used. You, then, can remove the service or service group from the service group in which it is used, and edit the rule to remove it from the rule or rules in which it is used.

Addresses, Address Ranges, and Address Groups

To Add a New Host Address

SunScreen lets you define a new host address.

Type the following to add the new host address and an optional description within quotation marks:

edit> add address ftp-www HOST 172.16.1.2 COMMENT "Address of the DMZ host"

To have the changes take effect, you must activate the policy whose rules you edited.

To Add a Range of Addresses

Type the following to add an address range and an optional description within quotation marks, for example:

edit> add address corp RANGE 172.16.3.2 172.16.3.255 COMMENT "All hosts in corporate"

To have the changes take effect, you must activate the policy whose rules you edited.

To Add an Address Group

Type the following to add an address group and an optional description within quotation marks, for example:

edit> add address Internet GROUP { corp sales ftp-www } {} COMMENT "The ranges corporate and sales and the host ftp-www have access to the Internet"

To have the changes take effect, you must activate the policy whose rules you edited.

To Delete an Address, Address Range, or Address List

To make troubleshooting easier, do not delete the names of addresses, ranges of addresses, and lists of addresses that were defined when SunScreen was installed.

This command does not check for references to the address, range of addresses, or list of addresses that you are deleting.

Type the following to delete an address, a range of addresses, or a list of addresses, for example:

edit> del address host0

To have the changes take effect, you must activate the policy.

To Check References to a Deleted Address, Address Range, or Address List

To check references to the address, range of addresses, or list of addresses that you want to delete or have deleted, use these commands:

Type the following to find the reference to an address, a range of addresses, or a list of address that you want to delete or have deleted, for example:

edit> referlist address host0

You see a list of all the instances where the address, range of addresses, or list of addresses is used. You, then, can remove the address, range of addresses, or list of addresses from the address list in which it is used, and edit the policy rule to remove it from the rule or rules in which it is used.

To Rename an Address, Address Range, or Address Group

To make troubleshooting easier, do not delete the names of addresses, ranges of addresses, and lists of address that were defined when SunScreen was installed.

1. Type the following to rename an address, a range of addresses, or a list of addresses and all reference to it, for example:

   edit> renamereference address ftp-www DMZ

2. Type the following to rename an address, a range of addresses, or a list of addresses only, for example:

   edit> rename address ftp-www DMZ

   To have the changes take effect, you must activate the policy whose rules you edited.

Certificates

Each type of certificate requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate:

• Certificate IDs that use the IP address use the NSID 0 convention with the IP address as the MKID.

• Certificate IDs use the NSID 1 convention with an MKID of 8 hexadecimal digits (32 bits}.

• Diffie-Hellman certificates use the NSID 8 convention with an MKID of 32 hexadecimal digits (128 bits).

NSIDs and certificate IDs are described in the SunScreen Reference Manual.

To Add Screen Certificates From a Diskette or a File

Presently, you can only do this with local administration. Therefore, for a remotely administrated Screen, you must go to the Screen to add Screen certificates from a diskette or a file.

This example shows adding a private certificate key and certificate.

1. Insert the diskette that contains the private certificate, if you are using Sun CA X.509 keys and certificates, into the diskette drive of the Administration Station.

   You also can add a new private keys and certificates from a directory that contains only one set of private key and certificate files.

   If you are adding a private key and certificate from a directory, you do not need this step and step 2.

2. Mount the diskette by typing:

   # volcheck

3. Type the path to the directory where the private key and certificate are stored and the following command and the name of the directory to add the private key and certificate, for example:

   # install_skip_keys -icg /floppy/unnamed_floppy

4. Type the following to eject the diskette, if you are using Sun CA X.509 keys and certificates:

   # eject unnamed_floppy

   If you are adding a private certificate from a directory, you do not need this step.

   ---

   Note -

   Store the diskette that contains the private key and public certificate safely and securely. It contains sensitive information that is not encrypted.

   ---

5. Type the following to restart the SKIP key manager to update the certificate database:

   # skipd_restart

6. Type the following to name the private key and certificate you have just added, for example:

   edit> add certificate sales-home SINGLE NSID 1 MKID "0xA0050E" COMMENT "Use this cert for tunnelling to home from NY"

   Where sales-home is the name that you are giving the certificate; 1 is the NSID; A00050E is the certificate ID.

To Add Screen Local Identities

Presently, you can only do this with local administration; therefore, for a remotely administrated Screen, you must somehow gain access to the Screen's crt.file, then the commands will work. One means of gaining access to this file might be through the rlogin command, if you have a policy rule that allows this.

To use this command you must first have saved the local identity and the secret key to separate files. For example, you may have extracted the self-generated certificate ID keys that you generated on a Screen to a diskette. You do this because it is impossible to generate the same key later, should you have to reinstall the SunScreen software. Once you have swapped certificate IDs with a number of peer systems, it becomes difficult to fix things in a timely manner.

The SunScreen installation programs all intrinsically rekey the SunScreen being installed. While this is not a serious problem, it means that you have to add your old keys back into the database before configuring the Screen for any virtual private networks (VPN) that existed. See the SunScreen Reference Manual for information about VPNs.

1. Type the following to add the Screen's local identity.

   # skiplocal -a -T soft -t x509 -n 1 -c certificate_filename -s secret_filename

   This example shows adding a CA key and certificate. If you are adding a self-generated key and certificate, the value for -t is dhpublic and the value for -n is 8.

2. Type the following to restart the SKIP key manager to update the certificate database:

   # skipd_restart

3. Type the following to name the private key and certificate you have just added, for example:

   edit> add certificate sales-home SINGLE NSID 1 MKID "0xA000050E" COMMENT "certificate for home sales"

   where sales-home is the name that you are giving the certificate; 1 is the NSID; A00050E is the MKID.

To Add Self-Generated Screen Certificates

• For local administration:

1. Type the following to create a self-generated Screen certificate, for example:

   # skiplocal -k -m 512

   The example shows generating a global (512-bit) key.

   Use the -m followed by the modulus size in bits of the encryption for which you want to create a new certificate, if you have installed more than one encryption strength. The modulus sizes are:

   • Global (1024 bits)

   • U.S. and Canada Only (4096 bits)

   You see the following message on the Screen:

   generating local secret with 512 modulus size It would help the quality of the random numbers if you would type 50-100 random keys on the keyboard. Hit return when you are done.

2. Type 50 to 100 random keys.

   As you type the random keys, the number of keys appears on the screen.

   After you press the Return key, you see the continuation of the message on the screen:

   100 Format: Hashed Public Key (MD5) Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 Not valid Before: Fri Apr 17 17:00:00 1998 Not valid After: Thu Apr 17 17:00:00 2003 g: 2 p: f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fab d00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f public key: 9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac6227100 0b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565 Added local identity slot 12

3. Type the following to restart the SKIP key manager to update the certificate database:

   # skipd_restart

4. Type the following to add the new certificate and its name to the certificate database, for example:

   edit> add certificate sales-home SINGLE NSID 8 MKID "0x3f3cf9d05285a3be1e6d4ecbe49e49e7" COMMENT "This is the Screen's key for the home sales network."

   Because this is a self-generated UDH certificate, the NSID is 8.

   To enter the certificate ID:

   1. Run the command skiplocal list command.

   2. Cut the Name (certificate ID) for local ID Slot Name that has the same number that you noted above.

   3. Paste in the command certificate above.

• For remote administration:

1. Type the following to create a self-generated Screen certificate, for example:

   # ssadm -r Screen_name lib/skiplocal keygen -k -m 1024-f

   ---

   Note -

   You must use the -f flag with remote administration. This flag suppresses the prompt to type random keys on the keyboard.

   ---

   The example shows generating a global (1024 bit) key.

   Use the -m flag followed by the modulus size in bits of the encryption for which you want to create a new certificate, if you have installed more than one encryption strength. The modulus sizes are:

   • Global (1024 bits)

   • U.S. and Canada Only (4096 bits)

   You see the following message on the screen:

   generating local secret with 1024 modulus size Format: Hashed Public Key (MD5) Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 Not valid Before: Fri Apr 17 17:00:00 1998 Not valid After: Thu Apr 17 17:00:00 2003 g: 2 p: f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fab d00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f public key: 9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac6227100 0b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565 Added local identity slot 12

2. Type the following to restart the SKIP key manager to update the certificate database:

   # ssadm -r Screen_name lib/skipd_restart

3. After entering the editor (remote login), type the following to add the new certificate and its name to the certificate database, for example:

   edit> add certificate sales-home NSID 8 MKID "0x3f3cf9d05285a3be1e6d4ecbe49e49e7" COMMENT "This is the Screen's key for the home sales network."

   Because this is a self-generated UDH certificate, the NSID is 8.

   To enter the certificate ID:

   1. Run the skiplocal list command.

   2. Cut the Name (certificate ID) for local ID Slot Name that has the same number that you noted above and paste in the command certificate above.

For tunnelling with a remote administration station, see the editor command accessremote. For tunnelling with encrypted packet filtering, see "Policy Rules." Tunnelling is also described in the SunScreen Reference Manual.

To Add Certificates from a Diskette or a File

Presently, you can only do this with local administration; therefore, for a remotely administrated Screen, you must go to the Screen to add Screen certificates from a diskette or a file.

1. Insert the diskette that contains the public certificate, if you are using issued certificates, into the diskette drive of the Administration Station.

   You also can add new private keys from a directory that contains only one set of certificate files. If you are adding private certificate from a directory, you do not need this step and step 2.

2. Mount the diskette by typing:

   # volcheck

3. Type the path to the directory where the public certificate are stored and the following command and the name of the directory to add the public certificate, for example:

   # /floppy/floppy0/install_skip_keys A00050B

   This example shows adding a public certificate ID:

4. Type the following in the terminal window to eject the diskette, if you are using issued certificates:

   # eject floppy0

   If you are adding a public certificate from a directory, you do not need this step.

5. Type the following to name the public certificate you have just added, for example:

   edit> add certificate NYcert NSID 1 "0xA00050B" COMMENT "NY office public cert"

   Where NYcert is the name that you are giving the certificate; 1 is the NSID; A00050B is the certificate ID.

   Each type of certificate requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate.

   • Issued certificates use the NSID 1 convention with a certificate ID of 8 hexadecimal digits (32 bit).

   • Diffie-Hellman certificates use the NSID 8 convention with an certificate ID of 32 hexadecimal digits (128 bit).

   NSIDs and certificate IDs are described in the SunScreen Reference Manual.

   ---

   Note -

   The tunnelling address is specified as an option in the rule that uses the key, or in the remote administration rule.

   ---

To Add Certificate Groups

After you have named certificate IDs in the rule, you can group them into logical groups, so that you can use a group instead of single names in a rule:

edit> add certificate sales-list GROUP sales-co sales-il sales-tx sales-sca sales-nca COMMENT "list of U.S. sales offices"

To Add a New Member to a Certificate Group

Type the following to add a new member to a certificate group, for example:

edit> add_member certificate sales-list sales-wy

To Remove a Member From a Certificate Group

Type the following to remove a new member to a certificate group, for example:

edit> del_member certificate sales-list sales-wy

To Rename a Certificate or Certificate Group

To make troubleshooting easier, do not rename the certificates that were created when you installed a remotely administered SunScreen.

When you rename a certificate group using this command, SunScreen checks for all instances in the certificate policy object for the old name and changes them to the new name. It does not rename references in other places, like administrative rules and policy rules.

Type the following to rename a certificate or certificate group, for example:

edit> renamereference certificate sales-ny sales-northeast

To Delete a Certificate or Certificate Group

To make troubleshooting easier, do not delete the certificates that were created when you installed a remotely administered SunScreen.

This command does not check for any references to the certificate or certificate group that you are deleting.

Type the following to delete a certificate or certificate group, for example:

edit> del certificate sales-la

To Check References to a Deleted Certificate

If you want to check references to the certificate that you want to delete or have deleted,

Type the following to find the reference to a certificate and certificate group that you want to delete or have deleted, for example:

edit> refer certificate sales-la

You see a list of all the instances in the certificate database where the certificate is used. You, then, can remove it from the access entries in which it is used, and edit any policy rule in which it is used to remove it.

To Check References to a Deleted Certificate Group

If you want to check references to the certificate group that you want to delete or have deleted,

Type the following to find the reference to a certificate and certificate group that you want to delete or have deleted, for example:

edit> referlist certificate sales-west

You see a list of all the instances in the certificate database where the certificate group is used. You, then, can remove it from the access entries in which it is used, and edit any policy rule in which it is used to remove it.

Screens

The Screen object controls much of the identity of SunScreen. It contains information for your stealth, HA, cluster, and administrative rules. Upon installation, a Screen object is created, which you can edit. As with other common objects you can edit, you must specify all the options that you want to set; otherwise the options are set to off, the default.

To Add a Screen

To add a screen object with a previously- created certificate, using DNS and NIS for Name Service, pass routing information, and a comment, type the following:

edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin RIP DNS NIS COMMENT "The screen that protects the sales office"

To List the Screens

Type the following to list all the Screens:

edit> list screen "sphere" ADMIN_CERTIFICATE "sphere.admin" CDP RIP DNS COMMENT "This is the data center screen"

To Add an SNMP Receiver to a Screen

To add an SNMP receiver to the previous Screen:

edit> add screen sphere ADMIN_CERTIFICATE sphere.admin RIP DNS NIS SNMP 10.100.253.200

To Add Multiple SNMP Receivers to a Screen

To add multiple SNMP receivers to the previous Screen object:

edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin ROUTING DNS NIS SNMP 10.100.253.200 10.100.253.254

To Add a Time Status Indicator to a Screen

To add a Time Status Indicator of 30 minutes to the previous Screen object:

edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin ROUTING DNS NIS SNMP_TIMER 30 SNMP 10.100.253.200 10.100.253.254

To Remove SNMP Receivers From a Screen

To remove SNMP receivers from the Screen, do not include them in the Screen object when you set it:

edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin RIP DNS NIS

To Set Logsize on a Screen

The Screen object allows you to set the maximum size of your log file. The value is in Mb, where 200 is 200 Mb.

At the command line prompt, type:

edit> add screen sphere ADMIN_CERTIFICATE sphere.admin CDP RIP DNS SNMP 10.100.253.200 LOGSIZE 200

To Set a Screen to Stealth Mode

Type the following:

edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin RIP STEALTH_NET 10.100.253.0 255.255.255.0 COMMENT "The screen in Stealth Mode"

Interfaces

To Add Interfaces (in Routing Mode)

Before you add a new interface, you must define the address group that the interface will use.

Type the following to define the interface qe0 with no logging, no SNMP alerts, and ICMP_PORT_UNREACHABLE:

edit> add interface qe0 ROUTING qe0 ICMP PORT_UNREACHABLE

To Add Interfaces (in Routing Mode) with a Detailed Log

Type the following:

edit> add interface qe0 ROUTING qe0 LOG DETAIL SNMP ICMP PORT_UNREACHABLE

---

Note -

To make any troubleshooting easier, do not rename the certificates that were created when you installed a remotely administered SunScreen.

---

Authorized Users

Adding or Modifying an Authorized User

The authorized user object is used to establish a user identity and provide a mechanism to authenticate it by:

• Password

• SecurID

To Add An Authorized User with Password Authentication

Type the following to add an authorized user:

For local administration:

edit> authuser add admin1 PASSWORD={ "foo" }  CONTACT_INFO=br@nncc REAL_NAME="Ben Ruhmduhm" DESCRIPTION="created for remote administration"

Although the password is in plain text when you add a user, it is automatically encrypted and the password will be displayed as empty quotation marks (" "). Enabled is the default.

---

Note -

The description field cannot contain single (` `) or double (" ") quotation marks as in, for example, the description: This user, test_user is for `testing' only.

---

All changes apply immediately.

For the changes to take effect in policy and administrative access rules, you must activate the policy.

To Add An Authorized User and SecurID Name

Type the following to add an authorized user:

• For local administration:

  edit> authuser add admin1 SECURID={ "C2BR" }  CONTACT_INFO=br@nncc  REAL_NAME="Ben Ruhmduhm"  DESCRIPTION="created for remote administration"

• For remote administration:

  edit> authuser add admin1 SECURID={ "C2BR" }  CONTACT_INFO=br@nncc DESCRIPTION="created for remote administration"

Enabled is the default. All changes apply immediately. For the changes to take effect in policy and administrative access rules, you must activate the policy.

To Modify Authorized Users

Type the following to modify the information for a user, for example to change the SecurID name from C3BR to C4BR:

edit> authuser add admin1 SECURID={ "C4BR" } CONTACT INFO=br@nncc  REAL_NAME="Ben Ruhmduhm" DESCRIPTION="reated for remote administration"

The new parameters for the user will overwrite the old parameters. All changes apply immediately.

Modifications to passwords or SecurID passcodes take place immediately. For other changes to take effect in policy and administrative access rules, you must activate the policy.

To Delete an Authorized User

Type the following to delete an authorized user, for example:

edit> authuser delete admin1

All changes apply immediately.

Policy Rules

Defining New Rules

Policy Rules are ordered; that is, they are executed in the order in which they are listed. You can define them in the order in which you want them to take effect or you can reorder your policy rules after you have defined them.

To Create a Packet Filtering Rule

1. Type the following to add a new rule at the end of a policy with the following attributes:

   • ping as the service

     • * as the Source Address

     • * as the Destination Address

     • SKIP Version 2 as the encryption with Encryption Details:

     • From Encryptor is cert-1

     • To Encryptor is cert-2

     • Key Algorithm is DES-CBC

     • Data Algorithm is RC2-40

     • MAC algorithm is MD5

     • NONE for the compression (This is the only possible value at present.)

   • ALLOW as the Action and Action Details:

   • NONE for the compression (This is the only possible value at present.)

     edit> add Rule ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 DES-CBC RC2-40 MD5 NONE LOG SUMMARY

     ---

     Note -

     All other options assume default values unless specified (for example, SNMP is off).

     ---

2. Type the following to add a new rule at a particular position, for example, at the beginning of the policy:

   edit> insert Rule 1 ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 DES-CBC RC2-40 MD5 NONE LOG SUMMARY

To Reorder the Rules

1. Type the following to produce an ordered list of rules for the policy:

   edit> list rule

   An ordered list of policy rules is displayed, as shown in this example.

   1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE  4 "daytime" "localhost "*" ALLOW 5 "telnet" "*" "*" ALLOW 6 "echo" "localhost" "*" ALLOW

2. Type the following to move a policy rule to a new position:

   edit> move rule 4 5

To Delete a Rule

1. Type the following to delete the policy rule 5:

   edit> del rule 5

2. Type the following to list the edited ordered list of policy rules:

   edit> list rule

   The new list of policy rules is displayed.

   1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE  4 "daytime" "localhost "*" ALLOW 5 "telnet" "*" "*" ALLOW 6 "echo" "localhost" "*" ALLOW

To Edit Any Part of a Rule

You can edit a component or the components of a policy rule by using the following procedure. The example shows how to modify the action.

1. Type the following to list all the rules in the policy:

   edit> list rule

   An ordered list of policy rules is displayed.

   1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp-proxy" "*" "localhost" USER "admin" ALLOW LOG_DETAIL PROXY_FTP  FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE  4 "daytime" "localhost "*" ALLOW 5 "telnet" "*" "*" ALLOW 6 "echo" "localhost" "*" ALLOW

2. Type the following to change the action of policy rule 5 from ALLOW to DENY by inserting a new policy rule with the action changed:

   edit> replace rule 5 telnet * * DENY LOG DETAIL

3. Type the following to remove the policy rule with the old action.

   • For local administration:

     edit> del rule 5

4. Type the following to list the rules for the policy, for example:

   edit> list rule

   The list of policy rules is displayed, showing the rule with the new values replaces the old rule.

   1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp-proxy" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE  4 "daytime" "localhost" "*" ALLOW 5 "telnet" "*" "*" DENY 6 "echo" "localhost" "*" ALLOW

   To have the changes take effect, you must activate the policy whose rules you edited.

To Add an Access Rule for GUI Local Administration

Type the following to add an administrative access rule for local administration:

edit> add accesslocal USER admin3 PERMISSION ALL

To Edit an Access Rule for GUI Local Administration

1. Type the following to list the administrative access rules for local administration:

   edit> list AccessLocal

   By default, an Admin User is created during installation.

   The following approximates the output that is displayed:

   1 USER "admin" PERMISSION ALL 2 USER "admin3" PERMISSION ALL

2. Type the following to replace an administrative access rule with a new value for a particular user for local administration:

   edit> replace AccessLocal 2 USER "admin3" PERMISSION STATUS

To Delete an Access Rule for GUI Local Administration

Do not delete all the administrative access rules.

Type the following to delete the administrative access rule for local administration:

edit> del AccessLocal 2

Where 2 is the number, in the ordered rules, that you want to delete.

To Add an Access Rule for Remote Administration

Type the following to add an administrative access rule for remote administration:

edit> add accessremote USER admin3 * SKIP_VERSION_2 admin-group DES-CBC DES-CBC MD5 NONE

This administrative access rule allows the access level ALL for the admin 3 user at a remote Administration Station on the Internet to use the GUI and command line to administer the Screen.

To Edit an Access Rule for Remote Administration

Make a note of the encryption parameters if you change them because they have to match the encryption parameters on the remote Administration Station.

1. Type the following to list the administrative access rules for remote administration, for example:

   edit> list accessremote

   The following approximates the output that is displayed:

   1 USER "admin" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" "DES- CBC" "NONE" "NONE" PERMISSION ALL 2 USER "admin3" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" "DES- CBC" "NONE" "NONE" PERMISSION ALL

2. Type the following to replace an administrative access rule with the value or values for a particular user for remote administration with a new value, for example, STATUS, for the access level:

   edit> replace accessremote USER admin3 * SKIP_VERSION_2 admin- group DES-CBC DES-CBC NONE NONE PERMISSION STATUS

   This administrative access rule changes the access level for admin3 at a remote Administration Station on the Internet to STATUS.

To Delete an Access Rule for Remote Administration

Do not delete all the administrative access rules.

Type the following to delete an administrative access rule for remote administration:

edit> del accessremote 2

Where 2 is the number, in the ordered rules, that you want to delete.

Network Address Translation

When using NAT, be sure that, when you are defining a static mapping, the ranges and groups used in the Source and Translated Source fields are exactly the same size.

Also, be sure that the ranges and groups used in the Destination and Translated Destination fields are exactly the same size.

To Add ARP Manually

Type the following if the networks that attach to the Screen on the inside have internal addresses, including any network on which there are addresses to which you want to allow external access:

# arp -s IP_Address ether_address pub

---

Note -

You must either add this entry each time that you reboot the Screen or you can write your own script to automate this function. If you are remotely administering the Screen, you either must go to the Screen to add this entry or have a rule in your policy that will allow you to rlogin to the Screen.

---

To Define NAT Mappings

1. Type the following command to create a static NAT entry that maps an internal address to an external address.

   • For local administration:

     edit> add nat STATIC src dest translated_src translated_dest

   In most cases when defining a static mapping, the internal address and external address are each a single address, but can be a range or a list.

2. Repeat for every mapping that you want.

   Use the same command to map for dynamic NAT. Use DYNAMIC instead of STATIC as the type of NAT entry desired.

   You may also use a range of addresses or a group of addresses.

   To have the changes take effect, you must activate the policy whose rules you edited

To Delete NAT Mappings

Type the following command to delete a NAT entry that maps internal address to an external address, regardless of whether mapping is static or dynamic:

edit> del nat 1

To have the changes take effect, you must activate the policy whose rules you edited.

To List the NAT Mappings

Type the following command to list a NAT entry that maps internal address to a external address, regardless of whether mapping is static or dynamic:

edit> list nat

You will see a listing that shows type of NAT, the internal address, and the external address:

1 STATIC "105-range" "*" "nat-range" "*"

Virtual Private Network (VPN)

To Add a VPN Gateway

Setting up a VPN requires you to have a certificate per screen, and define the address groups involved. For descriptions and concepts of the Virtual Private network, the SunScreen Reference Manual.

1. At the command line prompt, type:

   edit> add vpngateway vpn-net addrgrp-a SKIP cert-a KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE

   Where vpn-net is the name of the VPN network, addrgrp-a is an address group that uses the following certificate, and SKIP cert-a is the certificate.

   If you are using a tunnel, append TUNNEL address name to the add/replace.

   To setup the VPN completely, you should have all the keys, address groups, and vpngateways on each screen. So in a VPN configuration that has two networks connected, you would see something like the following:

   edit> list vpngateway 1 "vpn-net" "addrgrp-a" SKIP "cert-a" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE" 2 "vpn-net" "addrgrp-b" SKIP "cert-b" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE"

2. Create an address group containing the address groups for both networks, for example:

   edit> add address vpn-grp GROUP { addrgrp-a addrgrp-b } {}

3. Define a rule specifying the VPN Gateway:

   edit> add rule common vpn-grp vpn-grp ALLOW VPN vpn-net

To Replace a VPN Gateway

VPN Gateways are setup in an ordered manner. To change values, at the command line prompt, type (for example):

edit> replace vpngateway 1 vpn-net addrgrp-a SKIP cert-new KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE

To Remove a VPN Gateway

To remove the VPN gateway you must delete the rules and VPN object.

At the command line prompt, type (for example):

edit> del vpngateway 1

Information, Statistics, and Logs

To View the Information

(Optional)

(Optional) Type the following to display information, such as Product, System Boot Time, SunScreen Boot Time, and Version:

• For local administration:

  # ssadm sys_info

• For remote administration:

  # ssadm -r Screen_name sys_info

To View the Statistics

(Optional)

(Optional) Type the following to display the statistics about the traffic flowing through the Screen:

• For local administration:

  # ssadm traffic_stats

• For remote administration:

  # ssadm -r Screen_name traffic_stats

All changes apply immediately.

To Set Up Packet Logging

SunScreen provides flexible logging of packets. A packet can be logged when it matches a policy rule, when does not match a policy rule, or when it matches a policy rule whose action is DENY.

1. Configure SunScreen to log packets that do not match any particular policy rule.

   Most frequently packets are logged because of the DENY action in a rule, or because they do not match any policy rule.

2. Set the type of logging that you want in the details for the ALLOW action in a policy rule and the type of ICMP reject in the details for DENY action.

3. Set logging for packets that are dropped because they do not match any policy rule on the Interfaces panel of the Interface page.

To Examine Packets

Once a log is retrieved, it can be examined using the ssadm logdump command.

Examining logged packets can be a very useful for troubleshooting problems in setting up security policies. For example, when first creating policies, make the default DENY action "log packets." This way, you can review the logs easily. You can also use logging to capture any attempts to break in.

To Use ssadm logdump Command

Type the following to display packets in the log file:

# ssadm logdump -i ssadm_log_file

You can only examine a saved log file from the command line.

ssadm_log_file is the name of a log file that has been downloaded from the Screen.

To View the Log

Type the following to view the current log:

• For local administration:

  # ssadm log get | ssadm logdump -i -

To Save the Log

Type the following to save a log record to a file:

• For local administration:

  # ssadm log get > filename

• For remote administration:

  # ssadm -r Screen_name log get > filename

To Clear the Log

This action clears the log browser's display of any log records without saving them and clears the SunScreen log file.

Type the following to clear the log file:

• For local administration:

  # ssadm log clear

• For remote administration:

  # ssadm -r Screen_name log clear

To Save and Clear the Log

This action saves a log to a file and clears the display of any log records.

Type the following to save the log to a file and clear the log:

• For local administration:

  # ssadm log get_and_clear > filename

• For remote administration:

  # ssadm -r Screen_name log get_and_clear > filename

Setting Up High Availability (HA)

See Chapter 6, "High Availability," and the SunScreen Reference Manual before using the command line to set up HA.

To Set Up HA

1. To install HA on the Screen designated to be the Primary HA Screen (thereby creating a new HA cluster containing one Screen), type the following:

   # ssadm ha init_primary interface

2. To install HA on the Screen designated to be the Secondary HA Screen type the following:

   # ssadm ha init_secondary interface primaryIP

   Where:

   • interface is the interface to be used for the HA heartbeat and synchronization.

   • primaryIP is the IP address (on the HA network) of the Primary Screen in the cluster.

3. To add the HA secondary Screen to the existing HA cluster, execute the following command on the primary machine in the cluster:

   # ssadm ha add_secondary secondaryIP

   Where:

   • secondaryIP is the IP address (on the dedicated HA network) of the Secondary Screen to be added.

   ---

   Note -

   After adding an HA Secondary Screen and activating your policy, the new Secondary Screen may become active. If you need to perform additional administration on the Primary Screen, you must direct the Secondary Screen to become passive in order to communicate with the Primary Screen.

   ---

To Remove an HA Host

An HA setup is installed by using commands outside the configuration editor. Removing the HA setup would consist of removing the HA_* options from the Screen objects on the machines.

For example, a list of the HA setup would be:

edit> list screen
"vorticity" MASTER "barotropic" CDP
RIP NIS HA_SECONDARY HA_IP 129.192.1.2
"barotropic" ADMIN_CERTIFICATE "barotropic.admin" CDP
DNS NIS HA_PRIMARY HA_IP 129.192.1.5 HA_ETHER 8:0:20:9e:e0:66
 
edit> del screen vorticity
edit> add screen barotropic ADMIN_CERTIFICATE barotropic.admin CDP DNS NIS 

Save and activate your configuration.

To View HA Information

Type the following to display information, such as the current Active or Passive status of the local HA machine and the current state of the HA daemon.

• For local administration:

  # ssadm ha status

• For remote administration:

  # ssadm -r Screen_name ha status

Centralized Management Group

Change a Screen Object to be in a Cluster

Use the following commands to set up a Cluster. Centralized Management Groups are explained in Chapter 6 and in the SunScreen Reference Manual.

The example below illustrates a two-machine cluster setup.

Type the following on both machines in the cluster:

edit> add screen sphere ADMIN_CERTIFICATE "sphere.admin" CDP RIP NIS LOGSIZE 100 edit> add screen velocity ADMIN_IP 10.100.105.5 ADMIN_CERTIFICATE vorticity.admin KEY"DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE" MASTER sphere CDP DNS NIS

To Remove a Screen Object from a Cluster

1. Type the following on the Primary Screen ("sphere" in this example):

   edit> del screen vorticity

2. Type the following on the Secondary ("vorticity" in this example):

   edit> del screen sphere edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin CDP RIP DNS

Gathering Information From Your System to Report to SunService

If you have any support issues, call your authorized service provider. For further information about support, use the following URL to contact Enterprise Services: http://www.sun.com/service/contacting.

Getting Support for SunScreen Products

Collect this information by saving the output of the following SunScreen support commands, as shown in the following table.

The commands are used for remote diagnostics and are sent from a remote Administration Station. Type the following to start these support commands:

# ssadm -r Screen_name lib/support Command

Gathering Data From the Screen

You can use several commands to gather system information from the Screen. This information may be requested by Sun Service, should you encounter problems with your Screen.

Using the ssadm lib/statetables Command

To gather data for a Screen, type:

# ssadm lib/statetables

To Use the ssadm lib/screeninfo Command

Use this command to gather a complete set of data for your Sun Service representative, including:

• Statetables

• ARP table information

• Disk usage

• Streams information

• SunScreen configuration information and files

• Uptime

• SKIP information

At the command line prompt, type:

# ssadm lib/screeninfo

To Use the ssadm lib/support Command

This command gives you access to the commands in the support directory. All the commands in the support directory are invoked by the screeninfo command, yet it may be advantageous to run this command alone if you are seeking limited data.

At the command line prompt, type:

# ssadm lib/support subcommand parameters

To Use the Help Option

At the command line prompt, type:

# ssadm lib/support help

Troubleshooting

You can use the ssadm debug_level command to control the printing of debugging information from the SunScreen kernel.

To Use the ssadm debug_level Command

If you type it with no arguments, ssadm debug_level displays the current debug-level mask. By default, this mask is "1," which means it only reports significant errors.

If you specify a hexadecimal number as an argument for ssadm debug_level, it sets the kernel debugging mask to that level.

1. Type the following to list the debugging bit choices:

   # ssadm debug_level ?

2. Select a ssadm debug_level mask by setting all of the debugging bits in which you are interested.

Probably the most useful example of the ssadm debug_level debugging bit is DEFAULT_DROP.

To Install and Configure the Netscape Browser

When using the Java Plug-in for Netscape Navigator, follow the instructions in the Netscape release notes. In particular, you should define the MOZILLA_HOME environment variable and include the Netscape installation directory in your PATH, so you do not have to type the full path name every time you run Netscape.

Perform the following steps to install and configure the Netscape browser for SunScreen administration.

1. Set up environment for installing and running the Java Plug-in.

   1. For sh or ksh users, type:

      # unset CLASSPATH # MOZILLA_HOME=/opt/netscape # PATH=$MOZILLA_HOME:$PATH # export PATH MOZILLA_HOME

   2. For csh users, type:

      % unsetenv CLASSPATH % setenv MOZILLA_HOME /opt/netscape % set path = ( $MOZILLA_HOME $path )

2. Install the Java Plug-in by typing:

   # sh Java_Plugin_File_Name.sh

3. Save the identitydb.obj file. See "Saving the identitydb.obj File".

4. Access the SunScreen administration GUI in one of two ways:

   1. Access the SunScreen administration GUI with no access to local files by typing:

      # netscape http://screenhost:3852/

   2. Access the SunScreen administration GUI using the Java Plug-in with access to local files for backup and restore by typing:

      # netscape http://screenhost:3852/plugin/

Setting the CLASSPATH

Set the CLASSPATH environment variable only if you need to install special Java files in Netscape Communicator.

Communicator uses CLASSPATH to find local .class files. If CLASSPATH is set in your environment, only the .jar files and directories specified in the CLASSPATH are searched. If you set your CLASSPATH, you must make sure that each .jar file in $MOZILLA_HOME/java/classes is listed individually in your CLASSPATH.

Saving the identitydb.obj File

After installing the Java Plug-in, save the identitydb.obj file to distribute to the Administration Stations.

1. Save the file identitydb.obj by going to:

   http://localhost:3852/plugin/plugins/

2. Press your MENU mouse button and save the link as a file.

   If your browser does not support this save, access identitydb.obj in the directory: /opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/.

3. Copy the identitydb.obj file onto a diskette to distribute to all Administration Stations.

   If the identitydb.obj file already exists in its proper location, per the following:

   UNIX: $HOME single-user Win95: C:\WINDOWS multi-user Win95/98: C:\WINDOWS\PROFILES\username WinNT: C:\WINNT\PROFILES\username

4. Add SunScreen as an accepted signer.

   1. If the identitydb.obj file does not exist, copy the file from the diskette to one of the above locations.

   2. You can also copy identitydb.obj from the diskette to its proper location.