test

SunScreen 3.1 Configuration Examples

Detailed Centralized Management Group Configuration

The following detailed steps show how to set up this simple centralized management group configuration:

  1. Install and configure Screen sf-screen1 in routing mode with remote Administration Station sf-host4.

    Be sure to write down the Screen's certificate ID for use in the next step. Refer to "Installing a Screen In Routing Mode" in the first example in this document for instructions on this step.

  2. Install the Screen bos-screen1 in stealth mode with remote administration.

    Refer to "Installing a Screen In Stealth Mode" described earlier in this document for instructions on this step.

    Use the certificate generated in Step 1 when asked to type the Administration Station's certificate ID. This certificate is given the name "remote" by default.

    Be sure to write down the Screen's certificate ID for use in a later step.

  3. Configure the Screen bos-screen1 as a secondary Screen in the centralized management group.

    Create the following objects to enable Screen sf-screen1 to push the security policy to bos-screen1.

    • Address objects (to enable definition of the stealth interfaces), screen objects, and policy rules, as shown in the following table:

      Table 8-1 Address Object Definitions

      Name 

      Type 

      Address 

      sf-screen1

      Host 

      192.168.1.2

      bos-screen1

      Host 

      10.0.2.200

      bos-ext-router

      Host 

      192.168.2.1

      bos-net-10

      Range 

      10.0.2.0 - 10.0.2.255

      bos-net-192

      Range 

      192.168.2.0 - 192.168.2.255

      bos-internal

      Group 

      Include: bos-net-10, bos-net-192Exclude: bos-ext-router, *

      bos-external

      Group 

      Include: *, bos-ext-routerExclude: bos-net-10, bos-net-192

    • Screen object for primary Screen sf-screen1 containing the administrative IP Address (sf-screen1) and certificate (remote) under the HA/Master Config Tab, as shown in the following figure.

      Figure 8-2 Screen Object for sf-screen1

      Graphic

    • Interface objects, as shown in the following table:

      Table 8-2 Interface Object Definitions

      Name 

      Screen 

      Type 

      Address Group 

      qfe0

      bos-screen1

      STEALTH  

      bos-external

      qfe1

      bos-screen1

      STEALTH  

      bos-internal

      hme0

      bos-screen1

      ADMIN 

      bos-screen1_hme0 (created by default)

  4. Modify the Screen object for bos-screen1 to show sf-screen1 as the primary Name, and be sure it contains bos-admin1 as the Administrative IP Address and bos-screen1.admin as the Administrative Certificate, as shown in the following figure.

    Figure 8-3 Screen Object for bos-screen1

    Graphic

  5. Create policy rules to enable SunScreen SKIP and CDP packets from sf-screen1 to pass through the Screen, as shown in the following figure:

    Figure 8-4 Policy Rules to Allow SunScreen SKIP and CDP Packet Flow

    Graphic

  6. Save and activate the policy on bos-screen1.

  7. Configure primary Screen sf-screen1 to push the policy to secondary Screen bos-screen1 by creating the following objects:

    • Address objects enable configuration of the stealth interfaces, screen objects, and policy rules for secondary Screen bos-screen1, as shown in the following table (same as in Step 3 above):

      Table 8-3 Address Objects To Enable Configuration

      Name 

      Type 

      Address 

      sf-screen1

      Host 

      192.168.1.2

      bos-screen1

      Host 

      10.0.2.200

      bos-ext-router

      Host 

      192.168.2.1

      bos-net-10

      Range 

      10.0.2.0 - 10.0.2.255

      bos-net-192

      Range 

      192.168.2.0 - 192.168.2.255

      bos-internal

      Group 

      Include: bos-net-10, bos-net-192Exclude: bos-ext-router, *

      bos-external

      Group 

      Include: *, bos-ext-routerExclude: bos-net-10, bos-net-192

    • Certificate object called bos-screen1.admin using the Associate MKID selection under the Certificate -> Add New in the Policy Objects area. Use the certificate ID that was generated in Step 2 above.

    • Screen object for bos-screen1 containing sf-screen1 as the primary Name, bos-admin1 as the Administrative IP Address, and bos-screen1.admin as the Administrative Certificate.

    This looks the same as it did on the secondary Screen, as shown in Figure 8-3.

    • Interface objects are created for bos-screen1, as shown in the following table:

      Table 8-4 Interface Objects For bos-screen1

      Name 

      Screen 

      Type 

      Address Group 

      qfe0 

      bos-screen1 

      STEALTH  

      bos-external 

      qfe1 

      bos-screen1 

      STEALTH  

      bos-internal 

      hme0 

      bos-screen1 

      ADMIN 

      bos-screen1_hme0 (created by default)  

    Be sure that all interface definitions for the primary Screen sf-screen1 contain sf-screen1 in the Screen field.

  8. Add policy rules to enable SunScreen SKIP and CDP packets from sf-screen1 to pass through Screen bos-screen1, as shown in Figure 8-4 in Step 5.

    Be sure that each rule has an entry in the screen object field to tell it which Screen(s) is to implement the particular rule.

  9. Save and activate the policy on sf-screen1.

Your centralized management group is now configured, and is ready for you to implement your full security policy.

In the network diagram, as shown in , the primary routing-mode Screen sf-screen1 is shown in an HA cluster configuration. You can configure your primary centrally managed Screen with HA if you desire. However, you should first follow the steps to get your centralized management group working, then follow the procedure for adding the secondary HA Screen into the configuration.