test

SunScreen 3.1 Configuration Examples

Detailed Mixed-Mode Configuration

  1. Configure the interfaces qfe2 and qfe3 with the correct IP addresses.

  2. Confirm that the Screen can contact the addresses of both the internal router and the internal hosts.

    Tip -

    Ensure that the correct routing and netmasks are used.

  3. Follow the procedure for remotely installing a Screen using Administration Station lon-host4, as described previously in the Hong-Kong example.

    Note -

    Check the "routing mode" box when installing the firewall software even though this Screen has both stealth- and routing-mode interfaces.

  4. After rebooting the Screen, start a browser on the Administration Station and log into the Screen.

    See the SunScreen Installation Guide for information regarding which browsers are supported for SunScreen.

  5. Define the following Address objects, as shown in the following table:

    Table 9-1 Address Objects

    Name 

    Type 

    Details 

    external-router

    HOST

    192.168.3.1

    168.3-private

    RANGE

    192.168.3.2 to 192.168.3.254

    mail-server

    HOST

    192.168.3.10

    168.4-net

    RANGE

    192.168.4.1 to 192.168.4.254

    10.0.3-net

    RANGE

    10.0.3.1 to 10.0.3.254

    ftp-server

    HOST

    10.0.3.3

    qfe3_grp

    GROUP

    Include {10.0.3-net} exclude {}

    qfe2_grp

    GROUP

    Include {*} exclude {10.0.3-net}

    qfe1_grp

    GROUP

    Include {168.3-private 168.4-net 10.0.3-net} exclude {}

    Internet

    GROUP

    Include {*} exclude {qfe1_grp}

    qfe0_grp

    GROUP

    Include {Internet} exclude {}

    Note -

    The address groups (for example, qfe1_grp) must contain all the IP addresses that can be reached from that interface.

  6. Verify that the interfaces qfe2 and qfe3 were defined by the installation procedure.

    They must have the interface groups qfe2_grp and qfe3_grp assigned to them, respectively.

  7. Add INTERFACE objects for qfe0 and qfe1 using the address groups qfe0_grp and qfe1_grp.

    These interfaces must be defined as TYPE: STEALTH.

  8. Edit the Screen object ensuring that the STEALTH SUBNET/NETMASK are defined (129.168.3.0 and 255.255.255.0 in this example).

  9. Install an open, or test, policy.

  10. Save and activate the policy.

  11. Verify that the configuration works by using ping to the mail-server from an external host.

  12. Verify that this host can ping the Screen's external routing interface qfe2.