IBM ISS

Feb 17, 2018

Manikuntal Das
  • 7/23/2019 IBM ISS

    1/42

    IBM Security Network Protection

    IBM Security Network Protection Installation and Configuration Guide

    Version 5.1

    Copyright statement Copyright IBM Corporation 2012, 2013.

    U.S. Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    Publication Date: July 2013

    Contents

    About this publication
      Access to publications and terminology
      Accessibility
      Support information
      Statement of Good Security Practices

    Chapter 1. Getting Started
      Installing or replacing a network interface module
      Connecting cables and starting the appliance
      Accessing the local management interface
      Using the LCD
      Using zero configuration networking
        How zero configuration networking works with the IBM Security Network Protection appliance
        Using a DNS-SD browser to discover services
        Using Bonjour from a Windows command line to discover services
        Using Avahi command-line programs to discover services

    Chapter 2. Configuring initial appliance settings
      Local management interface
      Compatibility
      Configuring initial appliance settings in the LMI
        Enabling FIPS mode
        Installing a license
        Installing a settings snapshot
        Changing passwords
        Configuring management interfaces
        Configuring host name and DNS information
        Configuring protection interfaces
        Configuring date and time settings
        Completing configuration settings
        Installing updates
      CLI initial appliance settings wizard
      Configuring initial appliance settings by using a serial console connection

    Chapter 3. Installing firmware
      Installing firmware from a USB boot drive: Windows or Linux OS
      Installing firmware from a USB boot drive: Mac OS
      Manually backing up firmware

    Appendix. References
      Command-line interface
      Wiping the appliance: Linux
      Wiping the appliance: Mac OS
      Wiping the appliance: Windows OS

    Notices
      Trademarks

    Index

    About this publication

    The IBM Security Network Protection Installation and Configuration Guide describes how to install and configure the IBM Security Network Protection licensed program appliance. This document provides instructions for connecting the appliance to your network, first-time configuration of the appliance, and installing firmware updates. It also includes a list of command-line interface commands and instructions on wiping an appliance that will not boot due to software or configuration errors.

    Access to publications and terminology

    This section provides:

    - Links to Online publications.

    - A link to the IBM Terminology website.

    Online publications

    IBM posts product publications when the product is released and when the publications are updated at the following locations:

    IBM Security Network Protection Information Center
        The http://pic.dhe.ibm.com/infocenter/sprotect/v2r8m0/topic/com.ibm.alps.doc/alps_collateral/alps_dochome_stg.htm site contains complete information about installing, configuring, and managing your appliance.

    IBM Security Information Center
        The http://pic.dhe.ibm.com/infocenter/sprotect/v2r8m0/index.jsp site displays an alphabetical list of and general information about all IBM Security product documentation.

    IBM Publications Center
        The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications you need.

    IBM Terminology website

    The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

    Accessibility

    Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

    Support information

    IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

    The IBM Support Portal

    The IBM Support Portal has the latest information to help answer your questions and resolve your issues. Before you contact IBM Security Systems about a problem, see the IBM Support Portal:

    http://www.ibm.com/software/support

    The IBM Software Support Guide

    If you need to contact software support, use the methods described in the IBM Software Support Guide:

    http://www14.software.ibm.com/webapp/set2/sas/f/handbook/home.html

    The guide provides the following information:

    - Registration and eligibility requirements for receiving support

    - Customer support telephone numbers for the country in which you are located

    - Information you must gather before you call

    Note: This product is not intended to be connected directly or indirectly by any means whatsoever to interfaces of public telecommunications Networks.

    This Software Offering does not use cookies or other technologies to collect personally identifiable information.

    Statement of Good Security Practices

    IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

    Chapter 1. Getting Started

    After you determine where to place the IBM Security Network Protection appliance on your network, you can install network cabling and connect to the local management interface to configure initial appliance settings.

    Installing or replacing a network interface module

    You can install a variety of different network interface modules on your IBM Security Network Protection appliance.

    Before you begin

    Turn off the appliance by either shutting the appliance down from the Local Management Interface (LMI) or by pressing the power button on the front of the appliance.

    Procedure

    Perform the following steps to install or replace a network interface module.

    1. Unplug all power cords to the appliance.

    2. Grasp the blue latch on the back of the appliance and pull outward.

    3. Pull the lever toward you to pull out the module, as shown in Figure 1.

    4. Unpack the new network interface module.

    Attention: Make sure that the gold connectors at the rear of the module do not come into contact with your hands or with the packing material as you unpack the network interface module. Avoid damaging the gold connectors against the chassis as you insert the replacement module.

    5. Carefully align the network interface module, and fully insert and push the module forward into the chassis until the module is in place.

    6. Push the blue latch on the back of the appliance back in place.

    7. Plug in all power cords to the appliance.

    8. Turn on the appliance by pressing the power button on the front of the appliance.

    9. Verify that the LCD Panel on the front of the appliance is illuminated.

    Figure 1. Removing a network interface module from the back of the appliance

    What to do next

    Check whether the module is working correctly by logging in to the LMI and verifying that the new module was recognized by the appliance.

    Connecting cables and starting the appliance

    Connect the IBM Security Network Protection appliance to your network after you determine where you want to place it on the network. Install network cabling and verify that traffic flows before you turn on the appliance.

    Procedure

    1. Connect the power cable to the IBM Security Network Protection appliance.

    2. Connect Management Interface 1 to the network you want to use to manage the Network Protection appliance.

    3. Connect the network cables to the protection interfaces. You must connect both protection interfaces in a pair to enable traffic to flow through the IBM Security Network Protection appliance.

    4. Ping a computer on the network on the other side of the Network Protection appliance to verify that traffic passes.

    5. Turn on the IBM Security Network Protection appliance.

    What to do next

    Navigate to the local management interface to configure network settings for the IBM Security Network Protection appliance.

    Accessing the local management interface

    Access the Web-based local management interface to perform first-time configuration on the IBM Security Network Protection appliance.

    Use one of the following methods to access the local management interface:

    - Use the LCD panel to determine the IP address of the appliance and connect to the LMI.

    - Use zero-configuration networking to discover the appliance on your network.

    Using the LCD

    Use the LCD panel to determine the IP address of the IBM Security Network Protection appliance.

    Procedure

    1. Press the OK button on the LCD panel to view the main menu.

    2. Use the arrow buttons to select IP Address, and then press OK.

    Note: The LCD panel displays the IP address of the IBM Security Network Protection appliance. Make a note of the address.

    3. Type the IP address into your browser to access the local management interface.

    Using zero configuration networking

    Zero configuration networking allows you to automatically create a network of devices without having to manually configure a DHCP server, DNS services, or network settings for each device that you want to connect to that network.

    How zero configuration networking works with the IBM Security Network Protection appliance

    You can use zero configuration networking applications to discover the IBM Security Network Protection appliance on your network to configure network settings.

    Zero configuration networking is based on the following three elements:

    - Automatic IP address selection for networked devices (which eliminates the need to configure a DHCP server)

      If the IBM Security Network Protection appliance does not have an IP address assigned to it, then zero configuration networking uses link-local addressing to create an IP address in a range from 169.254.1.0 to 169.254.254.255. When an IP address is chosen, the link-local process sends out a query with that IP address onto the network to see if the IP address is already in use. If there is no response, the IP address is then assigned to the IBM Security Network Protection appliance.

    - Automatic domain name resolution and distribution of computer host names (which eliminates the need to configure a DNS server)

      Zero configuration networking implements multicast DNS (mDNS). mDNS allows the IBM Security Network Protection appliance to select a domain name in the local namespace and then broadcast that name using a special multicast IP address, allowing other devices on the network to connect to it by name instead of by numbered IP address.

    - Automatic location of network services through DNS service discovery (which eliminates the need for you to set up a directory server)

      Zero configuration networking enables the IBM Security Network Protection appliance to use standard DNS queries to discover devices registered on the network that are broadcasting the services that they provide.

    Zero configuration networking applications

    You can use the following zero configuration networking applications with this release of the IBM Security Network Protection appliance:

    - Bonjour

      Bonjour is a zero configuration networking application from Apple that allows you to automatically create a network of devices in which hosts and services can connect to one another without requiring any user configuration. The services for each device are automatically registered on the network, and can be discovered by other devices on the network.

      If you are using a Windows computer, you must install the Bonjour plug-in for Windows.

      If you are using a Mac OS computer, there is no additional configuration needed because the Bonjour service discovery is already built into the Mac operating system.

    - Avahi

      Avahi is an implementation of zero configuration networking that you use with Linux operating systems. Avahi is installed by default on most Linux systems and can run multicast DNS and DNS service discovery.

    Using a DNS-SD browser to discover services

    Use a DNS-SD enabled browser to discover the IBM Security Network Protection appliance on your network and access the local management interface.

    About this task

    DNS-SD plugins are available for most web browsers. You must install the appropriate DNS-SD plugin to use zero-configuration networking on your browser. If you are using a Windows computer, you must also install the Bonjour plug-in for Windows.

    Procedure

    1. Open your web browser and open a DNS-SD browser window.

    2. In the services list, select the IBM Security Network Protection appliance you want to configure. The mDNS service advertisement is Product name Product version model [serial number].

    Example: ISNP 5.1 XGS 5100 [serial number]

    Tip: The serial number is located on the IBM Security Network Protection appliance hardware.

    3. On the Certificate window, click Accept Certificate.

    4. Navigate to the listed IP address to access the local management interface.

    Using Bonjour from a Windows command line to discover services

    If you are using a Windows computer, you can use Bonjour through a command line interface (CLI) to browse for services that are being broadcast on the local network.

    DNS Service Discovery (DNS-SD) protocol

    The DNS Service Discovery (DNS-SD) protocol can identify and discover devices on the network that are enabled with the zero configuration standard. DNS-SD uses multicast DNS (mDNS). mDNS sends packets to every node on the network to resolve duplicate host names and to query the network for services.

    From a Windows command-line, you can use the dns-sd command to browse for services that are being broadcast on the local network by mDNSResponder (a Bonjour system service that uses Multicast DNS Service Discovery for discovery of services on the local network).

    Link-local address space

    The range for the link-local address space is 169.254.0.0 - 169.254.255.255. However, 169.254.0.1 - 169.254.0.255 and 169.254.255.0 - 169.254.255.255 are reserved for future use.

    DNS queries that end in .local are sent to the address 224.0.0.251 (for IPv6: FF02::FB / FF02:0:0:0:0:0:0:FB), which is reserved for mDNS. Any packets that are sent to these addresses are not forwarded beyond the local link or forwarded to the local link from outside the network. Any link-local multicast packet that is sent remains on the local link. Any link-local multicast packets that are received must originate from the local link.

    Using the DNS-SD protocol to browse for services

    Type dns-sd -B _ssh._tcp at the command line to see all SSH service broadcasts on the network.

    Looking up the host name of a service

    Type dns-sd -L "ISNP 5.1 XGS 5100 [serial number]" _ssh._tcp at the command line. The serial number is located on the IBM Security Network Protection appliance hardware.

    Important: Make sure you use quotation marks around the instance name.

    After you discover the IBM Security Network Protection appliance on your network, navigate to the appliance host name or IP address in your browser to access the local management interface.

    Using Avahi command-line programs to discover services

    If you are using a Linux computer, you can use Avahi to browse for services that are being broadcast on the local network.

    Before you begin: You must install the Avahi RPM package for the Linux operating system you are using before you can use these command-line programs.

    Using the avahi-browse command-line program /usr/bin/avahi-browse

    Use the avahi-browse command-line program to do these things:

    - browse for all mDNS broadcasts on the network

    - resolve the host name and IP address of the device performing the broadcasts

    Avahi-browse command-line options: avahi-browse

    Use the following command-line options with the avahi-browse program:

    Option    Description

    -d
        Specifies the domain in which you want to browse for services. If you do not specify a domain, then all domains are browsed. The IBM Security Network Protection appliance broadcasts on the .local domain.

    --resolve
        Displays the host name and the IP address of the IBM Security Network Protection appliance, including the service advertisement string.
        Example: "ISNP 5.1 XGS 5100 [serial number]"

    -t
        Terminates the avahi-browse program after dumping the current list of named services. The avahi-browse program no longer runs or listens for new broadcasts.

    -a
        Displays all service broadcasts on the network. You do not need to specify a with this command-line option.

    --no-db-lookup
        Instructs the avahi-browse program not to translate service types.
        Example: Translating _ssh._tcp to a friendlier name such as "SSH Remote Terminal" or translating _http._tcp to "website"

    After you discover the IBM Security Network Protection appliance on your network, navigate to the appliance host name or IP address in your browser to access the local management interface.
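
    An added example (not part of the IBM guide) that turns the avahi-browse steps above into a repeatable check. It keeps only the resolved ISNP advertisement whose serial number matches the one on the hardware label, since any host on the local link can advertise a similar name, and it reports whether the address lies in the link-local ranges described earlier. It assumes avahi-browse's parsable output (-p, a real option that is not in the table above) together with --no-db-lookup; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide. Intended use on a Linux host:
#   avahi-browse -a -t --resolve --no-db-lookup -p | report "<serial on hardware label>"
# (-p selects avahi-browse's parsable, semicolon-separated output.)

# classify_addr ADDR -> link-local | link-local-reserved | configured
# IPv4 ranges as stated in the guide: 169.254.0.x and 169.254.255.x are
# reserved; the rest of 169.254.0.0/16 is self-assigned link-local space.
classify_addr() {
    case "$1" in
        169.254.0.*|169.254.255.*) echo "link-local-reserved" ;;
        169.254.*|fe80:*|FE80:*)   echo "link-local" ;;
        *)                         echo "configured" ;;
    esac
}

# find_isnp SERIAL: read parsable avahi-browse output on stdin and print
# "type host address port" for each resolved record ("=" lines) whose
# instance name decodes to "ISNP ... [SERIAL]".
find_isnp() {
    awk -F';' -v serial="$1" '
    # Undo the escaping used in parsable output: \DDD is a decimal byte
    # value (\032 is a space); \. and \\ are a literal dot and backslash.
    function unescape(s,    out, c) {
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "\\" && substr(s, 2, 3) ~ /^[0-9][0-9][0-9]$/) {
                out = out sprintf("%c", substr(s, 2, 3) + 0)
                s = substr(s, 5)
            } else if (c == "\\" && length(s) > 1) {
                out = out substr(s, 2, 1)
                s = substr(s, 3)
            } else {
                out = out c
                s = substr(s, 2)
            }
        }
        return out
    }
    $1 == "=" && NF >= 9 {
        name = unescape($4)
        suffix = "[" serial "]"
        start = length(name) - length(suffix) + 1
        if (index(name, "ISNP ") == 1 && start > 0 && substr(name, start) == suffix)
            print $5, $7, $8, $9
    }'
}

# report SERIAL: one line per match, with the address class appended.
report() {
    find_isnp "$1" | while read -r svc host addr port; do
        echo "$svc $host $addr $port $(classify_addr "$addr")"
    done
}

# Constructed sample records (serial numbers, host names and addresses are
# made up) in the layout: =;iface;proto;name;type;domain;host;address;port;txt
sample_browse_output() {
    cat <<'EOF'
+;eth0;IPv4;ISNP\0325\.1\032XGS\0325100\032\091SN-EXAMPLE-01\093;_ssh._tcp;local
=;eth0;IPv4;ISNP\0325\.1\032XGS\0325100\032\091SN-EXAMPLE-01\093;_ssh._tcp;local;isnp-a.local;169.254.17.42;22;
=;eth0;IPv4;ISNP\0325\.1\032XGS\0325100\032\091SN-EXAMPLE-02\093;_ssh._tcp;local;isnp-b.local;192.0.2.10;22;
=;eth0;IPv4;office-printer;_http._tcp;local;printer.local;169.254.0.9;80;
EOF
}

sample_browse_output | report "SN-EXAMPLE-01"
```

    More than one output line for the same serial number, or an address class you did not expect, is a reason to confirm the address on the appliance LCD before you log in.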

    Using the avahi-discover-standalone command-line program /usr/bin/avahi-discover-standalone

    The avahi-discover-standalone command-line program is an X Window program that displays all the discoverable services across all domains. You can run this program only from an X Window session.

    This command-line program does the same thing that the avahi-browse -a --resolve command does. After you discover the IBM Security Network Protection appliance on your network, type the appliance host name or IP address in your browser to access the local management interface.

    Chapter 2. Configuring initial appliance settings

    You can use the local management interface or the command line interface wizard to configure initial appliance settings.

    Local management interface

    The IBM Security Network Protection appliance offers a browser-based graphical user interface for local, single appliance management.

    To log in to the local management interface, type the IP address or host name of your Network Protection appliance into your web browser.

    Tip: You can also manage your appliance using the command-line interface.

    Use the default credentials to log in to the LMI the first time:

    - User Name: admin

    - Password: admin

    After you log in for the first time, use the first-time configuration pages to change your password.

    To log out of the local management interface, click Logout.

    IBM Security Network Protection was developed by using research from the IBM X-Force research and development team. Click the link on the login page to learn more about X-Force.

    This Software Offering does not use cookies or other technologies to collect personally identifiable information.

    Compatibility

    The following web browsers are currently supported by the IBM Security Network Protection local management interface:

    - Internet Explorer 9 or later

    - Firefox 20.0 or later

    - Google Chrome 26.0 or later

    For more information on supported browsers, see technote #1595890 on the IBM Support Portal.

    Configuring initial appliance settings in the LMI

    When you log in to the IBM Security Network Protection appliance for the first time, a Welcome page appears, prompting you to configure initial settings.

    About this task

    To begin, you must accept the IBM Software License Agreement.

    Procedure

    1. Select your language and then read the Software License Agreement.

    2. Select I agree to accept the Software License Agreement and then click Next Page.

    What to do next

    Use the first-time configuration wizard to configure the remaining settings.

    Enabling FIPS mode

    If you need your installation to comply with Federal Information Processing Standards (FIPS), you must enable FIPS mode during the initial configuration.

    About this task

    Enable FIPS mode only if you must comply with FIPS requirements. There is no advantage to enabling FIPS mode if your installation does not require it. To disable FIPS mode, you must re-image the appliance. When you re-image the appliance, all the policy configuration and appliance settings are lost.

    Procedure

    1. On the Welcome page, click FIPS Mode.

    2. To enable FIPS mode, select Enable FIPS 140-2 mode.

    Note: NIST SP800-131a prohibits the use of TLS protocols, version 1.1 or earlier. When you enable FIPS mode on the IBM Security Network Protection appliance, TLS V1.0, TLS V1.1, and all versions of SSL are automatically disabled for LMI connections. Because TLS V1.2 support is not available in most browsers, you can configure your appliance to accept TLS V1.0 and V1.1 during the initial setup.

    3. To allow users to connect to the LMI using TLS version 1.0 or 1.1, select one or both of the following options:

    - Allow TLS V1.0 for LMI sessions

    - Allow TLS V1.1 for LMI sessions

    Tip: After you complete initial setup, you can configure LMI TLS settings using the following advanced tuning parameters:

    - lmi.security.tlsv10 = true/false

    - lmi.security.tlsv11 = true/false

    Important: Change advanced tuning parameter values only under the supervision of IBM Support.

    4. Click Save Configuration.

    5. Click Yes to confirm.

    Note: When you enable FIPS mode, the appliance restarts to run the required integrity checks. After the appliance restarts, log in again to continue the setup process.

    Installing a license

    You must install a current license file to receive updates to the Network Protection appliance.

    About this task

    Contact your IBM representative to get a license registration number. You can download and register your license from the IBM License Registration Center at https://www1.iss.net/cgi-bin/lrc.

    Procedure

    1. Optional: If you are not configuring your appliance for the first time, click Manage > Licensing and Performance.

    2. On the Licensing page, click Select License and locate the license file that you want to install.

    3. Select the license file and click Open.

    Tip: If you use one of the following browsers, you can select multiple license files at one time: Firefox, Chrome, or Internet Explorer 10. (Internet Explorer 9 does not support multiple file selection.)

    4. Click Save Configuration.

    5. Optional: To change the appliance performance level, take one of the following actions:

    Option    Description

    In the Local Management Interface...
        Move the Current Performance Level slider, and then click Save Configuration.
        Restriction: Flexible performance options are not available during first time setup.

    In the SiteProtector System...
        A license can include multiple performance increase units. Each performance increase uses one performance increase unit per appliance.

        To change the number of performance level increases you are using, take the following actions:

        1. Select the Policy view. In the My Sites pane, expand the Locally Configured Agents menu item, and then select your Network Protection agent.

        2. In the Local Policies pane, select Flexible Performance, and then click Action > Open.

        3. Move the Current Performance Level slider, and then click Save Configuration.

        To view the number of allocated performance increase units, perform the following actions:

        1. Click Tools > Licenses > Agent/Module. The system displays the Agent/Module License Information window.

        2. Select the Summary tab. The number of allocated performance increase units is listed in the In Use column.

    Note: OCNID stands for Order Confirmation Number and ID.

    A warning is displayed to inform you that the change is undeployed. To deploy the change, click the link Click here to review the changes or apply them to the system.

    Installing a settings snapshot

    You can install a settings snapshot during first time configuration to restore prior configuration and policy settings.

    About this task

    You can download a settings snapshot to restore the IBM Security Network Protection appliance in case of system failure. You can also apply a settings snapshot that you downloaded from another appliance.

    Procedure

    1. On the Settings Snapshots page, click Browse.

    2. In the Snapshots pane, use one or more of the following commands:

    Option    Description

    New
        To create a snapshot, click New, type a comment describing the snapshot, and then click Submit.

    Edit
        To edit the comment for a snapshot, select the snapshot, click Edit, type a new comment, and then click Submit.

    Delete
        To delete snapshots, select one or more snapshots, and then click Delete.

    Apply
        To apply a snapshot, select the snapshot, and then click Apply.
        Note: If configuration or policy versions are newer than the firmware version, the settings are rejected. If the configuration and policy versions are older than the firmware version, the settings are migrated to the current firmware version.

    Download
        To download a snapshot, select the snapshot, click Download, browse to the drive where you want to save the snapshot, and then click Save.
        Note: If you download multiple snapshots, the snapshots are compressed into a .zip file.

    Upload
        To upload snapshots, click Upload, browse to the snapshots you want to upload, select the snapshots, and then click OK.
        Note: You can only upload one snapshot at a time.

    Refresh
        To refresh the list of snapshots, click Refresh.

    Changing passwords

    Use the Password page to change the password you use to access your IBM Security Network Protection appliance.

    Procedure

    1. On the Password page, type the password you want to change in the Current Password box.

    2. To change the timeout interval for administrator sessions, type or select a value (in minutes) in the Session Timeout box.

    3. Type your new password twice to confirm it, and then click Save Configuration.

    4. When you see the confirmation message, click Next Page to configure the next setting.

    Configuring management interfaces

    Use the Management Interfaces page to view and configure the network management interfaces for the appliance.

    About this task

    Navigating in the Local Management Interface: Click Manage > Management Interfaces.

    Navigating in the SiteProtector System:

    1. Select the Policy view.

    2. In the My Sites pane, expand the Locally Configured Agents menu item, and then select your Network Protection agent.

    3. In the Local Policies pane, select Management Interfaces, and then click Action > Open.

    Remember: When you change the IP address of the management interfaces, connect your web browser to the new IP address for future sessions.

    Note: Changing the appliance host name causes the system to reset the network connection. You must reconnect after the network connection is reset. This process does not interrupt traffic through the appliance protection interfaces.

    Procedure

    1. On the Management Interfaces page, type a Host name.

    2. To enable network users to locate the appliance by using zero configuration networking, select Advertise management interface using multicast DNS.

    3. Select the Default Interface.

    4. Optional: To configure a secondary management interface to inject TCP reset frames in monitoring mode, make the following selections:

    a. On the tab for the interface you want to use as a secondary management, select Enable interface name.

    b. On the General tab, select the secondary management interface in the Use as monitoring mode TCP reset interface list.

    c. Optional: To ensure that injected TCP resets are correctly routed to their destination, you can specify the MAC address of the gateway that is connected to the same network segment as the TCP reset interface. Type the Gateway MAC address to use as the destination of the TCP reset frame in the Gateway MAC Address field.

    Restriction: You cannot select the default management interface as the TCP reset interface.

    5. Click the tab for the primary interface, and then configure the following IPv4 and IPv6 options:

    6. Configure the following options:

    Option Description

    Auto/Manual Choose the appropriate mode:

    v Select Autoto acquire an IP address from a DHCPserver.

    v Select Manualto specify a static IP address, Netmask,and Gateway (IPv4) or Prefix (IPv6).

    Address If you selectedStatic mode, type the IP address that youwant to use for the interface.

    Gateway If you selectedStatic mode, type the Gateway for theinterface.


    Netmask (IPv4) Note: If you selected Static mode for IPv4, type the Subnet Mask for the interface.

    Prefix (IPv6) If you selected Static mode for IPv6, type the prefix length for the interface.

    7. Click the DNS tab, and then configure the following options:

    Option Description

    Auto/Manual Choose the appropriate mode:

    - Select Auto to acquire DNS server addresses from a DHCP server.

    - Select Manual to specify DNS servers.

    Primary DNS Specifies the IP address of the primary DNS server.

    Secondary DNS Specifies the IP address of the secondary DNS server.

    Tertiary DNS Specifies the IP address of an optional third DNS server.

    DNS Search Path Specifies one or more DNS search paths. Use a comma to separate each path.

    8. Click the tab for the secondary interface, and then configure the following IPv4 and IPv6 options:

    Note: IP addresses are not assigned to an interface that is designated as the TCP reset interface for monitoring mode.

    9. To enable more management interfaces, select Enable interface name on the related interface management tabs.

    10. Click Save Configuration.

    Configuring host name and DNS information

    Use the Hosts page to set any network options, such as a host name, a DNS server, or a search path.

    Procedure

    1. On the Hosts page, click Edit, and then configure the following options:

    Option Description

    Host Name Specifies a name for the host.

    Multicast DNS Specifies whether to enable Multicast DNS (mDNS). Enabling mDNS will broadcast its availability so that you can configure the appliance using an mDNS browser utility, such as Bonjour.
    Note: When you disable the mDNS Responder, the appliance does not broadcast a local management web interface or SSH. The appliance firewall will reject multicast packets to destination address 224.0.0.251.

    Primary DNS Specifies the primary DNS server IP address.

    Secondary DNS Specifies the secondary DNS server IP address.

    Tertiary DNS Specifies an optional third DNS server IP address.

    Search Paths Specifies one or more DNS search paths. Type each path separated by a comma.

    2. Click Save Configuration.

    3. Click Next Page to configure the next setting.
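One way to check the effect of the Multicast DNS option from a Linux host on the management segment, as an added example that is not IBM code: it filters parsable avahi-browse output for advertised web and SSH services and flags hosts that are supposed to have mDNS disabled. The service types _https._tcp and _ssh._tcp, the host names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Input is the output of:
#   avahi-browse --all --resolve --parsable --terminate
# Assumption: the management web interface and SSH appear as the
# service types _https._tcp and _ssh._tcp.

# Read parsable avahi-browse output on stdin and print one line per
# resolved management service: "host address port type", deduplicated.
# Resolved records start with "=" and carry the fields
#   =;iface;proto;name;type;domain;host;address;port;txt
mdns_mgmt_adverts() {
    awk -F';' '
        $1 == "=" && ($5 == "_https._tcp" || $5 == "_ssh._tcp") {
            key = $7 " " $8 " " $9 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# mdns_violations FILE
# FILE lists, one per line, the mDNS host names of appliances whose
# Multicast DNS option is supposed to be off. Any advert from such a
# host is printed, because it means the setting was not applied.
mdns_violations() {
    expected_off=$1
    mdns_mgmt_adverts | while read -r host addr port type; do
        if grep -qxF "$host" "$expected_off"; then
            echo "$host $addr $port $type"
        fi
    done
}

# Constructed sample of avahi-browse output (documentation addresses).
sample_browse_output() {
cat <<'EOF'
+;eth0;IPv4;nps-lab-01;_https._tcp;local
=;eth0;IPv4;nps-lab-01;_https._tcp;local;nps-lab-01.local;192.0.2.10;443;
=;eth0;IPv4;nps-lab-01;_ssh._tcp;local;nps-lab-01.local;192.0.2.10;22;
=;eth0;IPv6;nps-lab-01;_ssh._tcp;local;nps-lab-01.local;192.0.2.10;22;
=;eth0;IPv4;printer;_ipp._tcp;local;printer.local;192.0.2.50;631;"txt=1"
=;eth0;IPv4;nps-lab-02;_https._tcp;local;nps-lab-02.local;192.0.2.11;443;
EOF
}

# Typical use on a live segment:
#   avahi-browse --all --resolve --parsable --terminate | mdns_violations expected-off.txt
```

An empty result for a host listed in the file is the expected state after the Multicast DNS option is disabled and the configuration is saved.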


    Configuring protection interfaces

    Use the Protection Interfaces page to configure the Protection Mode and the Speed and Duplex mode for each interface.

    About this task

    Navigating in the Local Management Interface: If you are not configuring your appliance for the first time, click Manage > Protection Interfaces.

    Navigating in SiteProtector Management: select the Protection Interfaces policy.

    Procedure

    1. On the Protection Interfaces page, select a protection interface pair, and then click Edit.

    2. Configure the following options:

    Option Description

    Enable Enables or disables the protected interface pair.

    Inspection Mode Use this setting to determine how the appliance monitors and inspects traffic.
    Note: The default inspection mode is Protection.

    - Protection. The appliance monitors all traffic inline and blocks packets as configured by the Network Access Policy rules.

    - Simulation. The appliance monitors traffic inline, but does not block any traffic. Instead, the appliance monitors traffic and provides passive responses.

    - Monitoring. The appliance monitors traffic from a tap, hub, or span (mirror) interface of switches. Interfaces that are configured in Monitoring mode are not paired and each can be used to monitor a different network segment.

    Tip: To select or disable high availability (HA) modes, use the High Availability tab on the Protection Interfaces page.

    Unanalyzed Policy Use this setting to determine what happens to any data the network driver is not able to place into the analysis queue.

    - Forward. The driver transmits, without any inspection, packets that cannot be queued.

    - Drop. The driver discards any packets that cannot be queued.

    Propagate Link Use this setting with inline protection interface pairs.

    - Yes. The link on the corresponding inline interface breaks when one of the links is down (such as when a cable is broken or disconnected).

    - No. The link on the corresponding inline interface is left intact when one of the links is down.

    - Auto. The appliance selects the appropriate setting that is based on the interface mode. In inline modes, link propagation is enabled. In Monitoring mode, link propagation is disabled.


    Hardware Bypass Mode Select the mode to allow or prevent traffic if the appliance fails or is powered off:

    - Auto. In non-HA modes, all traffic is allowed to pass through the appliance (fail open). In HA mode, interface links are taken down and traffic is prevented from passing through the appliance (fail closed).

    - Fail Open. Allows all network traffic to pass through the appliance.

    - Fail Closed. Takes down the links for the interface pair and prevents any network traffic from passing through the appliance.

    Interface Settings Select the link speed and mode for each interface in a protected interface pair.

    - Auto. Allows two interfaces on a link to select the best common mode automatically, the moment a cable is connected. This setting is the best option for most environments. Exceptions include environments with a switch or other network device that does not support auto-negotiation, or in situations where the auto-negotiation process is taking too long to establish a link.

    - 10 Mb Full Duplex. Allows information to be transmitted at 10 megabits per second in both directions at the same time.

    - 10 Mb Half Duplex. Allows a device to either transmit or receive at 10 megabits per second, but not at the same time.

    - 100 Mb Full Duplex. Allows information to be transmitted at 100 megabits per second in both directions at the same time.

    - 100 Mb Half Duplex. Allows a device to either transmit or receive at 100 megabits per second, but not both at the same time.

    - 1000 Mb Full Duplex. Allows information to be transmitted at 1000 megabits per second in both directions at the same time.

    - 10,000 Mb Full Duplex. Allows information to be transmitted at 10,000 megabits per second in both directions at the same time.


    TCP Resets (Monitoring mode only) This setting indicates the interface that is used to inject TCP reset frames to terminate TCP connections in monitoring mode. The appliance cannot block or reject traffic in monitoring mode, but it can terminate TCP traffic connections. Select one of the following settings:

    - This interface. The appliance injects the TCP reset frame into the same monitoring interface that received the TCP traffic that triggered an IPS event or matched a Network Access Policy rule. This option cannot be used if the monitoring interface is connected to a read-only link, such as a read-only tap.

    - TCP reset interface. The appliance injects the TCP reset frame into the management interface that is designated as the TCP Reset interface. You must configure a management interface as the TCP Reset interface on the Management Interfaces page.

    - Disabled. The appliance does not inject any TCP resets for the traffic received on this monitoring interface.

    Important: Terminating TCP connections by injecting resets is not guaranteed to be effective in Monitoring mode. To ensure effective blocking, use Protection mode.

    IPv4/IPv6 Settings This setting provides the IP address that users are redirected to by a Network Access Policy rule that requires user authentication or blocks HTTP traffic. Select either IPv4 Settings or IPv6 Settings, and then type the appropriate information in each box.

    IPv4 Settings:

    - Address

    - Netmask

    - Gateway

    IPv6 Settings:

    - Address

    - Prefix

    - Gateway

    3. Click Submit.

    4. Optional: If you are configuring your appliance for the first time, click Next Page to configure the next setting.

    What to do next

    If you are not configuring your appliance for the first time, you must deploy the updated policy for the changes to take effect.

    Configuring date and time settings

    Use the Date/Time Configuration page to configure the date, time, time zone, and NTP server information.

    Procedure

    1. On the Date/Time page, click Edit.

    2. Configure the following options:


    Option Description

    Time Zone Specifies the time zone for the appliance.

    Date/Time Specifies the day, month, year, and time for the appliance.

    NTP Server address Lists the NTP (NIST Internet Time Service) servers the appliance uses. You can enter multiple NTP servers, separated by commas.

    Note: You cannot set the Time Zone or Date/Time using the SiteProtector System console. You can only specify NTP server addresses.

    3. Click Save Configuration.

    4. Click Next Page to configure the next setting.

    Completing configuration settings

    Review the summary of the IBM Security Network Protection management settings and all configuration settings before completing the setup process.

    Procedure

    Verify that all settings are correct, and then click Complete Setup. The appliance might take several minutes to complete the setup process.

    What to do next

    After the setup process is complete, you must log in to the Local Management Interface to access the appliance.

    Installing updates

    Install firmware and intrusion prevention updates to improve the Network Protection appliance and the network protection provided by the appliance.

    About this task

    Important: After you install firmware updates, you must restart the appliance.

    Firmware updates contain new program files, fixes or patches, enhancements, and online help. Firmware updates are available in the IBM Security Systems Download Center.

    Intrusion prevention updates contain the most recent security content provided by IBM X-Force research and development team.

    For more information about product issues and updates, see the IBM Security Network Protection readme file on the IBM Security Systems Download Center at http://www.iss.net/download/.

    Tip: You can also install available updates from the Overview page.

    Procedure

    1. Click Manage > Available Updates.

    2. In the Available Updates pane, use one or more of the following commands:


    Option Description

    Upload To manually add an update, click Upload. In the New Update window, click Select Update, browse to the update file, click Open, and then click Submit.
    Note: You can install the update after you manually add it.

    Refresh To check for updates, click Refresh.

    Install To install an update, select the update, and then click Install.

    Schedule To create or edit an update schedule, select an update, and then click Schedule. In the Edit Schedule window, perform one or more of the following actions:

    - To remove an update schedule, select Remove Schedule.

    - To create an update schedule, select a date and time to install the update.

    Click Submit to save your changes.

    CLI initial appliance settings wizard

    The initial appliance settings wizard runs the first time an administrator logs in to the command-line interface (CLI) of an unconfigured appliance.

    Navigation

    You can move between screens in the wizard using the following options:

    - p: Previous Screen

    - n: Next Screen

    To cancel the setup process at any time, use the exit command.

    Modules

    You must configure the following modules to set up your appliance:

    Module Description

    Welcome Describes the appliance settings that you can configure using the wizard.

    Software License Agreement Describes the appliance license agreement, IBM terms, and non-IBM terms.

    FIPS mode Allows you to enable FIPS mode, if necessary. If you finish the initial setup without enabling FIPS mode, you cannot enable it later without reinstalling the appliance. When you enable FIPS mode, the appliance restarts to run the required integrity checks. After the appliance restarts, log in again to continue the setup process.
    Note: Do not enable FIPS mode if you do not need to be compliant with FIPS or if your firmware is not FIPS certified.

    Password Configuration Allows you to change your password.

    Host Configuration Allows you to change the host name.


    Management Interface Settings Allows you to configure the management network interfaces. Displays device settings and the current working-set policy for the primary and secondary interfaces.

    DNS Configuration Allows you to configure the DNS servers used by the appliance.

    Time Configuration Allows you to configure the time, date, and time zone on the appliance.

    FIPS TLS Configuration Allows you to configure Transport Layer Security (TLS) communication for browsers connecting to the LMI.
    Note: This module appears only if you have enabled FIPS mode.

    Configuring initial appliance settings by using a serial console connection

    Use a terminal emulation program to configure initial settings for the Network Protection appliance.

    Procedure

    1. Connect the serial console cable to the appliance and to a computer.

    2. Connect to the appliance with Hyperterminal or another terminal emulation program by using the following settings:

    Option Description

    Communication Port Typically COM1

    Emulation VT100

    Bits per second 9600

    Data bits 8

    Parity None

    Stop bits 1

    Flow control None

    3. Follow the instructions listed in the documentation for the terminal emulation program to configure initial appliance settings.


    Chapter 3. Installing firmware

    This chapter provides important information about installing firmware on the IBM Security Network Protection appliance to resolve software and configuration errors that cause your appliance not to work properly.

    Installing firmware from a USB boot drive: Windows or Linux OS

    Create a USB boot drive in a Windows OS and use it to install firmware on the Network Protection appliance.

    About this task

    You might choose to install new firmware to resolve software and configuration errors that cause your appliance not to work properly. For example, you can use this procedure to install new firmware on an appliance that does not boot due to a software error.

    Refer to the IBM Support Portal for help troubleshooting appliance problems.

    Procedure

    1. Download the appliance firmware from the IBM ISS Download Center and save it to a secure host in your network.

    2. Insert the USB flash drive into a USB port on the same host and note where the operating system assigns the USB flash drive.

    3. Use an image writer program to overwrite the contents of the USB flash drive with the firmware image.

    Tip: Common writer programs for Windows include Win32DiskImager.exe and USB Image Tool. USB ImageWriter is included in most Linux distributions.

    4. Turn off the appliance.

    5. Connect the USB flash drive to the appliance and turn the appliance on. The appliance boots from the USB boot drive.

    6. Log on to the installer command-line interface as an administrator.

    - install login: admin

    - password: admin

    Tip: You can type help for a list of commands available in the current mode.

    7. Type restore.

    8. Type YES and press Enter.

    Note: The installation takes approximately 30 minutes to complete.

    The firmware is installed and the appliance restarts.


    Installing firmware from a USB boot drive: Mac OS

    Create a USB boot drive in a Mac OS and use it to install firmware on the Network Protection appliance.

    About this task

    You might choose to install new firmware to resolve software and configuration errors that cause your appliance not to work properly. For example, you can use this procedure to install new firmware on an appliance that does not boot due to a software error.

    Refer to the IBM Support Portal for help troubleshooting appliance problems.

    Procedure

    1. Download the appliance firmware from the IBM ISS Download Center and save it to a secure host in your network.

    2. On the secure host, open the Terminal application.

    3. In the Terminal application window, run diskutil list to get a current list of devices.

    4. Connect the USB flash drive to the secure host.

    5. Run diskutil list again and determine which device node the system assigned the USB device to.

    6. Run sudo dd if=/path/to/downloaded.img of=/dev/rdiskN bs=1m. Replace /path/to/downloaded.img with the path to the firmware file.

    Note: If you get the following error, replace bs=1m with bs=1M:

    dd: Invalid number `1m, you are using GNU dd

    7. Run diskutil eject /dev/diskN and remove your device after the command is complete.

    8. Turn off the appliance.

    9. Connect the USB flash drive to the appliance and turn the appliance on. The appliance boots from the USB boot drive.

    10. Log on to the installer command-line interface as an administrator.

    - install login: admin

    - password: admin

    Tip: You can type help for a list of commands available in the current mode.

    11. Type restore.

    12. Type YES and press Enter.

    Note: The installation takes approximately 30 minutes to complete.

    The firmware is installed and the appliance restarts.


    Manually backing up firmware

    Use the Firmware Settings page to manually create a backup of your active firmware version before applying a fix pack.

    About this task

    It is only necessary to perform a manual backup if you need to install a fix pack provided by IBM Software Support.

    Note: The backup process can take several minutes to complete.

    Procedure

    1. Click Manage > Firmware Settings.

    2. On the Firmware Settings page, select the active partition.

    3. Click Create Backup.

    What to do next

    Next, apply the fix pack provided by IBM Software Support.


    Appendix. References

    Command-line interface

    The command-line interface (CLI) provides a limited set of commands to control and receive responses from the Network Protection appliance.

    Global commands

    Table 1. Global commands

    Global command Description

    back Return to the previous command mode.

    exit Log off from the appliance.

    help Display the information for using the specified command.

    reboot Reboot the appliance.

    shutdown End system operation and turn off the power.

    top Return to the top level.

    Mode commands

    Table 2. Installer mode commands.

    Note: The installer mode is only available when the appliance is booted from a USB flash drive.

    Installer mode command Description

    restore Restore a firmware image.

    wipe Wipe the appliance hard disk drive.

    Table 3. Top mode commands

    Top mode command Description

    fips Work with FIPS mode status.

    firmware Work with firmware images.

    fixpacks Work with fix packs.

    license Work with licenses.

    management Work with management settings.

    protection Work with protection interfaces.

    snapshots Work with policy snapshot files.

    support Work with support information files.

    tools Work with network diagnostic tools.

    updates Work with security updates.


    Table 4. FIPS mode commands

    Note: FIPS mode commands are available only on an appliance running in FIPS mode. If the appliance is in FIPS error state, only the FIPS, Firmware and Support mode commands are available.

    FIPS mode command Description

    status View the status of FIPS mode. If the appliance is running in FIPS mode with no errors, it displays:

    FIPS 140-2 Status: OK
    Appliance has enabled FIPS mode successfully.

    If the appliance is in FIPS error state, it displays:

    FIPS 140-2 Status: Error
    Appliance has entered FIPS error state.

    Note: If the appliance is in FIPS error state, you can use the Support mode commands to generate a support information file to send to IBM Support. You can also use the Firmware mode commands to revert to a previously installed firmware version.

    view_events View all FIPS related events from the system event database.

    view_log View all FIPS related messages from the system log.

    Table 5. Firmware mode commands

    Firmware mode command Description

    backup Back up firmware on the primary partition to the secondary partition.

    get_comment [] View the comment that is associated with a firmware image.

    get_info [] View the version information that is associated with a firmware image.

    list List information about installed firmware images. Firmware information includes the active firmware image, a description of the firmware, the date the firmware was installed, and optional backup information.

    set_comment [ [ ...] ] Replace the comment that is associated with a firmware image.

    swap_active Swap the active firmware image. The appliance restarts the system using the backup firmware image.

    backup Back up firmware on the active partition to the inactive partition.

    Table 6. Fixpacks mode commands

    Fixpacks mode command Description

    view_history Display installation history for all fix packs.

    install Install available fix packs from the inserted USB flash drive.

    list List available fix packs on the inserted USB flash drive.

    rollback Uninstall most recently installed fix pack.


    Table 7. License mode commands

    License mode command Description

    install Install a license file from inserted USB flash drive.

    list List the available license files on the inserted USB flash drive.

    show Display current active license information.

    Table 8. Management mode commands

    Management mode command Description

    dns Work with the DNS appliance settings.

    The following commands are available for dns:

    - set [dns]: Set the appliance DNS.

    - show: Show the appliance DNS.

    hostname Work with the appliance hostname.

    The following commands are available for hostname:

    - set [hostname]: Set the appliance host name.

    - show: Show the appliance host name.

    interfaces Work with management interface settings.

    The following commands are available for interfaces:

    - list: List the management interfaces on the appliance.

    - set [interface-name]: Set the network configuration for a management interface.

    - show [interface-name]: Display the configuration of a management network interface.

    set_password Set the appliance password.

    Table 9. Protection mode commands

    Protection mode command Description

    list List the names of the protection interfaces available on this appliance.

    show [] Display the link status (up or down) and the negotiated speed and duplex for the specified interface. If this command runs with no arguments, the system displays the current link status and the speed and duplex for all protection interfaces.

    Table 10. Session mode commands

    Session mode command Description

    delete [] Deletes the active session associated with the specified address.

    delete_all [] Deletes all active sessions.

    list Lists the active sessions. Shows all users that have been authenticated against the appliance.


    Table 11. Snapshots mode commands

    Snapshots mode command Description

    apply [] Apply a policy snapshot file to the system.

    create [ ...] Create a snapshot of current policy files.

    delete [] Delete a policy snapshot file.

    download Download a policy snapshot file to a USB flash drive.

    get_comment [] View the comment associated with a policy snapshot file.

    list List the policy snapshot files.

    set_comment [ [ ...] ] Replace the comment associated with a policy snapshot file.

    upload Upload a policy snapshot file from a USB flash drive.

    Table 12. Support mode commands

    Support mode command Description

    create [ ...] Create a support information file.

    delete [] Delete a support information file.

    download [] Download a support information file to a USB flash drive.

    get_comment [] View the comment associated with a support information file.

    list List the support information files.

    set_comment [ [ ...] ] Replace the comment associated with support information file.

    Table 13. Tools mode commands

    Tools mode command Description

    nslookup [] [] Query internet domain name servers.

    ping [-6] [-c ] [-s ] Send an ICMP ECHO_REQUEST to network hosts.
    Note: The count must be 0 - 5535. If the count is 0 then the system sends ICMP ECHO_REQUEST pings until interrupted by the user with CTRL+C. The default count is 0. The size must be 0 - 65535. The default size is 56 bytes.

    traceroute [-6] [] Trace a packet from a computer to a remote destination, showing how many hops the packet required to reach the destination and how long each hop took.
    Note: Size must be 38 - 32768. Default size is 38 bytes.

    Table 14. Updates mode commands

    Updates mode command Description

    view_history Display installation and rollback history for all updates.

    install [type] [usb|server] Install an update from the inserted USB flash drive or update server.
    Note: The types of updates that are available depend on the model of your appliance.


    list [type] [usb|server] List available updates on the inserted USB flash drive or on the update server.

    Any of the following updates might be available:

    - firmware

    - IPS

    Note: The types of updates that are available depend on the model of your appliance.

    rollback Undo a security update.

    show Display version information for the security update that is installed and current.


    Wiping the appliance: Linux

    Perform a secure wipe on the appliance when you want to make it impossible to recover any data that was previously on the drive.

    About this task

    You might wipe an appliance as part of the RMA process or before you discard the appliance. You can wipe an appliance that will not boot due to software or configuration errors. You can also wipe an appliance with some hardware failures. However, a wipe is unlikely to work on some hardware failures, such as a failed hard disk.

    Wiping an appliance does not restore functionality to the appliance.

    Procedure

    1. Download the appliance firmware from the IBM ISS Download Center and save it to a secure host in your network.

    2. Insert the USB flash drive into a USB port on the same host and note where the operating system assigns the USB flash drive.

    3. On the secure host, from the command line, type dd if=file.usb of=/dev/yourflashdevice.

    Note: /dev/yourflashdevice is the full drive path, not a partition. For example, type /dev/sdb (not /dev/sdb1).

    4. Turn off the appliance.

    5. Connect the USB flash drive to the appliance and turn the appliance on. The appliance boots from the USB boot drive.

    6. Log on to the installer command-line interface as an administrator.

    - install login: admin

    - password: admin

    Tip: You can type help for a list of commands available in the current mode.

    7. Type wipe and press Enter.

    Note: The wipe procedure takes approximately 30 minutes to complete.
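The dd step of this procedure wrapped with the check its note calls for, as an added example that is not part of the IBM guide: it refuses a partition node such as /dev/sdb1, refuses a mounted drive, and reads the drive back to confirm the image was written. The function names and the optional sysfs-root argument are assumptions made for this sketch; a Linux host with GNU dd is assumed.

```shell
#!/bin/sh
# Added example (not IBM code): guard rails around
#   dd if=file.usb of=/dev/yourflashdevice
# Function names and the sysfs-root override are hypothetical.

# Return 0 if the device node names a partition rather than a whole drive.
# Linux creates a "partition" attribute in sysfs only for partitions.
is_partition() {
    dev=$1
    sysfs=${2:-/sys/class/block}
    [ -e "$sysfs/$(basename "$dev")/partition" ]
}

# Return 0 if the first <image size> bytes of the target equal the image.
# The drive is normally larger than the image, so only that prefix is compared.
verify_written() {
    image=$1
    target=$2
    size=$(( $(wc -c < "$image") ))
    head -c "$size" "$target" | cmp -s - "$image"
}

# write_image IMAGE DEVICE [SYSFS_ROOT]
# Writes IMAGE to a whole-disk DEVICE and verifies it by reading it back.
write_image() {
    image=$1
    dev=$2
    sysfs=${3:-/sys/class/block}

    [ -f "$image" ] || { echo "image not found: $image" >&2; return 2; }
    [ -b "$dev" ]   || { echo "not a block device: $dev" >&2; return 3; }

    if is_partition "$dev" "$sysfs"; then
        echo "refusing $dev: it is a partition, use the whole drive" >&2
        return 4
    fi

    # A mounted file system on the drive (or on one of its partitions)
    # usually means the wrong device was chosen.
    if grep -q "^$dev" /proc/mounts 2>/dev/null; then
        echo "refusing $dev: it is mounted" >&2
        return 5
    fi

    # conv=fsync makes dd flush the data to the drive before it exits.
    dd if="$image" of="$dev" bs=1M conv=fsync || return 6

    # Drop cached blocks so the comparison reads from the drive itself.
    blockdev --flushbufs "$dev" 2>/dev/null || true

    verify_written "$image" "$dev" || {
        echo "read-back of $dev does not match $image" >&2
        return 7
    }
    echo "wrote and verified $image on $dev"
}

# Typical use, as root:
#   write_image file.usb /dev/sdb
```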


    Wiping the appliance: Mac OS

    Perform a secure wipe on the appliance when you want to make it impossible to recover any data thatwas previously on the drive.

    About this task

    You might wipe an appliance as part of the RMA process or before you discard the appliance. You canwipe an appliance that will not boot due to software or configuration errors. You can also wipe anappliance with some hardware failures. However, a wipe is unlikely to work on some hardware failures,such as a failed hard disk.

    Wiping an appliance does not restore functionality to the appliance.

    Procedure

    1. Download the appliance firmware from the IBM ISS Download Center and save it to a secure host inyour network.

    2. On the secure host, open the Terminal application.

    3. In the Terminal application window, run diskutil list to get a current list of devices.

    4. Connect the USB flash drive to the secure host.

    5. Rundiskutil list again and determine which device node the system assigned the USB device to.

    6. Run sudo dd if=/path/to/downloaded.img of=/dev/rdiskN bs=1m. Replace /path/to/downloaded.imgwith the path to the firmware file.

    Note: If you get the following error, replace bs=1m withbs=1M:

    dd: Invalid number `1m, you are using GNU dd

    7. Run diskutil eject /dev/diskN and remove your device after the command is complete.

    8. Turn off the appliance.

    9. Connect the USB flash drive to the appliance and turn the appliance on. The appliance boots from the USB boot drive.

    10. Log on to the installer command-line interface as an administrator.

    - install login: admin

    - password: admin

    Tip: You can type help for a list of commands available in the current mode.

    11. Type wipe and press Enter.

    Note: The wipe procedure takes approximately 30 minutes to complete.
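
The dd steps in the Linux and Mac OS procedures above write to a whole-device node, so a mistyped target either overwrites the wrong disk or leaves a drive that will not boot. The shell helper below is an added example, not part of the IBM guide: it refuses partition nodes, uses a numeric block size, and reads the drive back to confirm it matches the image. The function names are hypothetical, and it assumes a root shell and a USB drive that appears as /dev/sdX on Linux or /dev/diskN (/dev/rdiskN) on Mac OS.

```shell
#!/bin/sh
# Added example: guard and verify the dd step. Function names are hypothetical.

# Succeed only for whole-device nodes (/dev/sdb, /dev/disk2, /dev/rdisk2);
# fail for partitions (/dev/sdb1, /dev/disk2s1) and anything unrecognised.
is_whole_device() {
  case "$1" in
    /dev/sd*[0-9]) return 1 ;;
    /dev/sd[a-z]*) return 0 ;;
    /dev/disk*s[0-9]*|/dev/rdisk*s[0-9]*) return 1 ;;
    /dev/disk[0-9]*|/dev/rdisk[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# SHA-256 of stdin, using whichever tool the host provides.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# Compare the image with the first <image size> bytes read back from the target.
verify_written() {
  vw_size=$(wc -c < "$1" | tr -d ' ')
  vw_want=$(sha256_stdin < "$1")
  vw_got=$(head -c "$vw_size" "$2" | sha256_stdin)
  [ "$vw_want" = "$vw_got" ]
}

# Write image $1 to device $2, refusing bad targets before dd runs.
write_image() {
  [ -f "$1" ] || { echo "no such image: $1" >&2; return 2; }
  is_whole_device "$2" || { echo "refusing $2: not a whole-device node" >&2; return 3; }
  # A byte count avoids the bs=1m (BSD dd) versus bs=1M (GNU dd) difference.
  dd if="$1" of="$2" bs=1048576 && sync && verify_written "$1" "$2"
}

# Run as root: sh write_image.sh /path/to/downloaded.img /dev/sdb
if [ "$#" -eq 2 ]; then
  write_image "$1" "$2"
fi
```

On Linux the read-back can be served from the page cache, so remove and reconnect the drive before calling verify_written if the check must read from the medium itself.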


    Wiping the appliance: Windows OS

    Perform a secure wipe on the appliance when you want to make it impossible to recover any data that was previously on the drive.

    About this task

    You might wipe an appliance as part of the RMA process or before you discard the appliance. You can wipe an appliance that will not boot due to software or configuration errors. You can also wipe an appliance with some hardware failures. However, a wipe is unlikely to work on some hardware failures, such as a failed hard disk.

    Wiping an appliance does not restore functionality to the appliance.

    Procedure

    1. Download the appliance firmware from the IBM ISS Download Center and save it to a secure host in your network.

    2. Insert the USB flash drive into a USB port on the same host and note where the operating system assigns the USB flash drive.

    3. Use an image writer program to overwrite the contents of the USB flash drive with the firmware image.

    Tip: Common writer programs for Windows include Win32DiskImager.exe and USB Image Tool. USB ImageWriter is included in most Linux distributions.

    4. Turn off the appliance.

    5. Connect the USB flash drive to the appliance and turn the appliance on. The appliance boots from the USB boot drive.

    6. Log on to the installer command-line interface as an administrator.

    - install login: admin

    - password: admin

    Tip: You can type help for a list of commands available in the current mode.

    7. Type wipe and press Enter.

    Note: The wipe procedure takes approximately 30 minutes to complete.


    Notices

    This information was developed for products and services offered in the U.S.A.

    IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    Intellectual Property Licensing
    Legal and Intellectual Property Law
    IBM Japan Ltd.
    19-21, Nihonbashi-Hakozakicho, Chuo-ku
    Tokyo 103-8510, Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


    Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    Project Management
    C55A/74KB
    6303 Barfield Rd.,
    Atlanta, GA 30328
    U.S.A

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

    Trademarks

    IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at www.ibm.com/legal/copytrade.shtml.

    Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

    UNIX is a registered trademark of The Open Group in the United States and other countries.

    Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

