proventia network mfs administratorguide 4.3

Upload: jorge

Post on 13-Oct-2015


  • IBM Proventia Network Multi-Function Security (MFS)

    Administrator Guide
    Firmware Version 4.3

  • Copyright statement

    Copyright IBM Corporation 2003, 2009.

    All Rights Reserved.

    U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    Publication Date: February 2009

  • Trademarks and disclaimer

    IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.

    Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.

    Other company, product and service names may be trademarks or service marks of others.

    References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

    Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes acceptance for use in an AS IS condition, without warranties of any kind, and any use of this information is at the user's own risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

    Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security Systems, and shall not be used for advertising or product endorsement purposes.

    Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an e-mail with the topic name, link, and its behavior to mailto://[email protected].

    Copyright IBM Corp. 2003, 2009 iii

  • iv Proventia Network MFS: Administrator Guide

  • Contents

    Trademarks and disclaimer

    Preface
        Related publications
        Technical support contacts

    Chapter 1. Updates and Licenses
        Updates and licensing
            Using update tools
        Automatic update settings
            Opening the Automatic Update Settings page
            Configuring update settings
            Configuring license and update servers
            Scheduling installations
            Configuring event notification for automatic updates
        Alternate update server
            Copying required certificates manually
        Manual Upgrader utility
            Installing the manual upgrader
            Running the manual upgrader
            Copying updates to the XPU server
        Proxy server
            Opening the Service Configuration page
            Configuring HTTP proxy

    Chapter 2. Maintenance
        Using system tools
        Backup and recovery
            Managing backup settings
            Creating a system backup
            Restoring from backup
            Editing settings files offline
        Generating system support files

    Chapter 3. Firmware Installation
        Requirements for installing firmware
        Installing firmware (appliance with CD drive)
        Installing firmware (appliance with no CD drive)

    Chapter 4. System Diagnostics
        About System Diagnostics
        Requirements for running diagnostics
        Diagnostic procedures
            Running diagnostics on an M50
            Running diagnostics (not M50)
            Copying results files

    Appendix. Safety, environmental, and electronic emissions notices

    Index


  • Preface

    This preface describes the audience for this guide, identifies related publications, and provides contact information.

    Audience

    Users of this guide should have a fundamental knowledge of network security policies and IP networks.

    Topics

    Related publications

    Technical support contacts on page viii

    Related publications

    Use this topic to help you access information about your Proventia Network MFS appliance.

    Publications

    The following documents are available for downloading from the IBM Internet Security Systems Web site at http://www.iss.net/support/documentation:

    - IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide
    - IBM Proventia Network Multi-Function Security (MFS) Administrator Guide
    - IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: Routing Mode with DMZ
    - IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: Routing Mode with No DMZ
    - IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: Transparent Mode
    - IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: SSL VPN
    - Configuring L2TP/IPsec VPN Connections from Proventia Network MFS to Windows XP and Vista Systems
    - Configuring VPN from Proventia Network MFS to Check Point Systems
    - Configuring VPN from Proventia Network MFS to Cisco PIX 515E
    - Configuring VPN from Proventia Network MFS to NetScreen Systems
    - Configuring VPN from Proventia Network MFS to Proventia Network MFS
    - Configuring VPN from Proventia Network MFS to SoftRemote Systems
    - Configuring VPN from Proventia Network MFS to Symantec Systems
    - Configuring VPN from Proventia Network MFS to Windows XP Systems
    - VPNC Interoperability Testing

    Getting Started cards are also available on the IBM Internet Security Systems Web site.


  • The online Help contains all major tasks needed to configure, monitor, and maintain the Proventia Network MFS appliance.

    The Readme file can be downloaded at http://www.iss.net/download/.

    License agreement

    For licensing information on IBM Internet Security Systems products, download the IBM Licensing Agreement from: http://www-935.ibm.com/services/us/iss/html/contracts_landing.html.

    Feedback

    Your feedback is important to IBM Internet Security Systems (IBM ISS). Please send comments and suggestions to [email protected].

    Technical support contacts

    IBM Internet Security Systems (ISS) provides technical support through its Web site and by e-mail or telephone.

    The IBM ISS Web site

    The IBM Internet Security Customer Support Web page (http://www.ibm.com/services/us/iss/support/) provides direct access to online user documentation, current versions listings, detailed product literature, white papers, and the Technical Support Knowledgebase.

    Hours of support

    The following table provides hours for Technical Support at the Americas and other locations:

    Location | Hours
    Americas | 24 hours a day
    All other locations | Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding IBM ISS published holidays

    Note: If your local support office is located outside the Americas, you may call or send an e-mail to the Americas office for help during off-hours.

    Contact information

    For contact information, go to the IBM Internet Security Systems Contact Technical Support Web page at http://www.ibm.com/services/us/iss/support/contacts.html.


  • Chapter 1. Updates and Licenses

    This chapter discusses different ways you can keep your security modules and licenses up to date.

    Topics

    Updates and licensing

    Automatic update settings on page 2

    Alternate update server on page 7

    Manual Upgrader utility on page 9

    Proxy server on page 12

    Updates and licensing

    Use the Updates and Licensing page on your Proventia Network MFS appliance to keep your protection level up to date, view the status of your licenses, and enable security modules.

    Tips:

    - Although this page allows you to manually apply security content updates, it is better to schedule them to happen automatically at Configuration > System > Update Settings. This ensures that your system has the most recent and comprehensive protection levels.
    - You would typically use this page to manually apply firmware upgrades, since those upgrades reboot your appliance and could cause unexpected network outages if done automatically.
    - If a module is shown as unlicensed and you think it should be licensed, find your model number and serial number, and contact IBM ISS Technical Support.

    Note: When you first open this page, the status information could be out of date. To get the latest status information, click Check for updates in the Update Tools box.

    To expand a collapsed module, click its Expand icon. To expand all of the modules at once, click Expand all modules in the Update Tools box.

    If you expand a module, you can do the following:

    - Enable and disable security modules and protections
    - See if updates are available
    - Update to more recent versions
    - Read usage license restrictions and expiration dates
    - Read maintenance license expiration dates


  • Using update tools

    Use the Update Tools on the Updates and Licensing page on your Proventia Network MFS appliance to look for updates, download updates from your local server, and view update history.

    Procedure

    1. To navigate to the Updates and Licensing page, click Maintenance > Updates and Licensing in the navigation pane.
    2. Use any of the following tools in the Update Tools box:

    Option | Description
    Check for updates | Causes the system to look for updates on the update server. This step could take a few minutes. The system responds with a message when its search is done.
    Upload update file | Opens a browse dialog box that lets you open an update file that was saved to a local server
    Show update history | Opens a history page
    Expand all modules | Shows the full detail for each license module

    Automatic update settings

    Use the Automatic Update Settings page to define how your Proventia Network MFS appliance locates, downloads, and installs updates.

    There are three kinds of updates, and your Proventia Network MFS appliance lets you manage each separately:

    Security updates
        Contain virus definitions and intrusion prevention updates, as well as other updates from the IBM ISS X-Force.

    Web filter and antispam database updates
        Contain newly acquired classification information that ISS gathers about Web sites. The appliance uses the information in the database to enforce Web filters and identify spam e-mail.

    Firmware updates
        Contain changes to the appliance's operating software:
        - Feature updates are minor releases at the decimal release version. For example, upgrading from 3.7 to 3.8 is a feature update.
        - Product updates are major releases at the integer release version. For example, upgrading from 3.8 to 4.1 is a product update.


  • Opening the Automatic Update Settings page

    You can access the Automatic Update Settings page from your Proventia Network MFS appliance Proventia Manager (the local management interface) or from your SiteProtector Console.

    Opening from Proventia Manager

    Procedure

    Click Configuration > System > Update Settings in the navigation pane.

    Opening from SiteProtector

    Procedure

    1. Select Policy from the View list.
    2. In the left pane, select Network Multi-Function Security from the Agent Type list.
    3. Select the appropriate repository.
    4. In the right pane, select Automatic Settings.
    5. From the menu bar, select Action > Open.

    Configuring update settings

    Use the Update Settings tab on the Automatic Update Settings page to enable and schedule automatic updates on your Proventia Network MFS appliance.

    Procedure

    1. On the Automatic Update Settings page, click the Update Settings tab.
    2. Select when the appliance should automatically check for updates:

    Option | Description
    Check for updates daily or weekly | Specifies the day of week and time of day
    Check for updates at given intervals | Specifies an interval (in minutes)

    3. Select any of the following security updates options:

    Option | Description
    Automatically Download | Enables the appliance to download any applicable updates it finds
    Automatically Install | Enables the appliance to automatically install any downloaded updates

    4. Select the Automatically update Web filter and antispam databases check box if you want to enable that feature.
    5. Select any of the following firmware updates options:

    Option | Description
    Ignore Feature Upgrades | Prevents the appliance from automatically downloading feature upgrades
    Ignore Any Product Upgrades or Feature Upgrades Later Than a Specified Version | Allows you to freeze the upgrades at a specified version level (by ignoring any upgrades that come after that version)
    Automatically Download | Enables the appliance to automatically download firmware upgrades (but restricted by the two previous check boxes)

    6. Select the Perform Full System Backup Before Installation check box if you want to enable that feature.
    7. Click one of the following options:

    Option | Description
    Do Not Install | Requires you to do all installations manually. This option gives you the most control over how an installation impacts your operation.
    Automatically Install Updates | Updates are installed automatically based on the When To Install choice you click:
        - Delayed: Designates the day of week and time of day the installations occur
        - Immediate: Starts the installation as soon as the update is downloaded. This option gives you the least control and predictability of when an installation occurs.
        Attention: Installing an update can take the system offline while the installation is in progress.
    Schedule One-Time Install | Specifies a specific date and time for the installation
        Attention: Installing an update can take the system offline while the installation is in progress.


  • Configuring license and update servers

    Use the License and Update Servers tab to define what servers you use for securing updates and licenses on your Proventia Network MFS appliance.

    Procedure

    1. On the Automatic Update Settings page, click the License and Update Servers tab.
    2. Click the Add icon.
    3. Specify the following:

    Option | Description
    Enabled | Activates that server
    Name | Plain language description of the server
    Host or IP | The server DNS name or IP address
    Port | The port the server listens to for download requests
        - For SiteProtector X-Press Update Servers, the default port is 3994.
        - For the ISS Download Center (www.iss.net) the port is 443.
    Trust Level |
        - trust all: This product trusts the server. No certificates are used for authentication.
        - first-time-trust: This product trusts the server once and uses the server's certificate for all future authentication.
        - explicit-trust: This product will use the local certificate to authenticate the server.

    4. Select whether to use the default proxy settings (from the Services Configuration page) or to specify new proxy settings for this server.

    Note: If you choose to specify new proxy settings, you must identify the proxy host and port. If you enable authentication for that server, you must also provide a user name and password.


  • Scheduling installations

    Use the Scheduled Installations tab on the Automatic Update Settings page in your Proventia Network MFS appliance to schedule upgrade and license installations.

    Procedure

    1. On the Automatic Update Settings page, click the Scheduled Installations tab.
    2. Click the Add icon.
    3. Specify the following:

    Option | Description
    Type | Identifies what type of update is being scheduled
    Time | Specifies the time and date the update should be installed
    Perform Full System Backup Before Installation | Specifies if you want to do a full system backup first
    Version | System version that the update applies to
    Update | Identifies the specific update
    Comment | Lets you annotate the scheduled update for your purposes

    4. Click OK.

    Configuring event notification for automatic updates

    Use the Event Notification tab on the Automatic Update Settings page on your Proventia Network MFS appliance to configure the appliance to notify you about updates.

    Before you begin

    Tips

    - It is easier to set up e-mail notifications for updates if you have configured e-mail already in Configuration > System > Notification. However, the user interface allows you to configure e-mail as you configure the update notifications.
    - It is easier to set up SNMP traps for update events if you have configured SNMP already in Configuration > System > Services. However, the user interface allows you to configure SNMP traps as you configure the update notifications.

    Procedure

    1. On the Automatic Update Settings page, click the Event Notification tab.
    2. Select any of the following check boxes:
        - Alert Logging for Available Updates
        - Alert Logging for Update Installation
        - Alert Logging for Update Errors
    3. For each of the event types selected above, select any of the following:

    Option | Description
    e-mail Enabled | Sends notification by e-mail
        Note: This selection requires you to select a recipient from the e-mail Name list.
    SNMP Trap Enabled | Sends SNMP (Simple Network Management Protocol) traps to a consolidated SNMP server
    SiteProtector Enabled | Sends alerts to the SiteProtector Appliance Manager
        Important: You must register your SiteProtector Console with an Agent Manager in Configuration > System > SiteProtector if you want the appliance to deliver alerts by SiteProtector.

    Alternate update server

    Use an alternate update server when you do not want the appliance to contact IBM ISS and download updates over the Internet. Instead of contacting IBM ISS for the updates, the appliance contacts the update server. The update server's function is to retrieve and store appliance updates and provide them to the appliance when requested.

    Note: The appliance does not have to be registered in SiteProtector to get updates from an alternate update server.

    Note: This topic assumes that you have installed and configured the update server.

    You need the following information about the update server:

    - host name or IP address
    - port: the port to which the update server is listening for download requests:
        - For the IBM ISS Download Center (http://www.iss.net), the default port is 443.
        - For the SiteProtector X-Press Update Server, the default port is 3994.
    - authentication level between the appliance and the update server:
        - trust-all (the appliance always trusts connections with the SiteProtector update server without the server's digital certificate)
        - explicit-trust (the appliance verifies the server's identity with the server's digital certificate)
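The trust levels described in the Trust Level option and in the authentication levels above differ in what an update client accepts on each connection. The following is an added example, not code from the appliance or from IBM ISS: a small model of the three levels, assuming certificates are compared by SHA-256 fingerprint and using constructed byte strings in place of real certificates.

```python
import hashlib
import hmac

TRUST_ALL = "trust-all"
FIRST_TIME_TRUST = "first-time-trust"
EXPLICIT_TRUST = "explicit-trust"


def fingerprint(cert_bytes):
    """SHA-256 fingerprint of the certificate bytes (assumed comparison method)."""
    return hashlib.sha256(cert_bytes).hexdigest()


class UpdateClient:
    """Hypothetical model of a client deciding whether to accept an update server."""

    def __init__(self, trust_level, local_cert=None):
        if trust_level not in (TRUST_ALL, FIRST_TIME_TRUST, EXPLICIT_TRUST):
            raise ValueError("unknown trust level: %r" % trust_level)
        if trust_level == EXPLICIT_TRUST and local_cert is None:
            raise ValueError("explicit-trust needs a locally installed certificate")
        self.trust_level = trust_level
        # explicit-trust: the pin comes from a certificate copied to the
        # client out of band, before the first connection is ever made.
        self.pinned = fingerprint(local_cert) if trust_level == EXPLICIT_TRUST else None

    def accepts(self, presented_cert):
        """Return True if a server presenting this certificate is accepted."""
        if self.trust_level == TRUST_ALL:
            return True  # no certificate is checked at all
        seen = fingerprint(presented_cert)
        if self.pinned is None:
            # first-time-trust: whoever answers first becomes the pinned identity.
            self.pinned = seen
            return True
        return hmac.compare_digest(self.pinned, seen)


def run_scenario(trust_level, connections, local_cert=None):
    """Feed a sequence of presented certificates to one client; return its decisions."""
    client = UpdateClient(trust_level, local_cert)
    return [client.accepts(cert) for cert in connections]


# Constructed stand-ins for certificate files; not real certificates.
GENUINE = b"constructed-cert: update server"
IMPOSTOR = b"constructed-cert: some other host"

if __name__ == "__main__":
    print(TRUST_ALL, run_scenario(TRUST_ALL, [GENUINE, IMPOSTOR]))
    print(FIRST_TIME_TRUST, run_scenario(FIRST_TIME_TRUST, [GENUINE, IMPOSTOR, GENUINE]))
    print(FIRST_TIME_TRUST, "(wrong host answers first)",
          run_scenario(FIRST_TIME_TRUST, [IMPOSTOR, GENUINE]))
    print(EXPLICIT_TRUST, run_scenario(EXPLICIT_TRUST, [IMPOSTOR, GENUINE], local_cert=GENUINE))
```

In this model only explicit-trust rejects a wrong server on the very first connection, which is why it requires the certificate to be copied to the client beforehand.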


  • Copying required certificates manually

    If you want to use the explicit-trust authentication level, then you must manually copy the required certificate to the appliance.

    Procedure

    1. Locate the following certificate file on the update server:

       server-rsa.crt

       Note: The file is stored in the following default location on the SiteProtector 2.0 SP5 update server:

       Program Files\ISS\RealSecure SiteProtector\X-Press Update Server\webserver\Apache2\conf\ssl.crt\

       Note: The file is stored in the following default location on the SiteProtector 2.0 SP6 update server:

       Program Files\ISS\SiteProtector\Application Server\webserver\Apache2\conf\ssl.crt\

    2. Use an SCP (Secure Copy) client such as WinSCP to copy the server-rsa.crt certificate file to the following directory on the appliance: /etc

       Note: WinSCP is a third-party tool not supported by IBM ISS. For information about how to run the utility, see the product documentation for the utility.


  • Manual Upgrader utility

    The Manual Upgrader utility retrieves update files from the Download Center. This topic explains how to use the Manual Upgrader to download update files to the XPU server.

    When to use the manual upgrader utility

    Upgrade your appliance manually in the following situations:

    - Your appliance is configured to get updates from SiteProtector, but the SiteProtector X-Press Update Server does not have Internet access.
    - Your appliance is configured to get updates from a stand-alone update server, but the server does not have Internet access.

    Installing updates with the Manual Upgrader utility

    To install updates with the Manual Upgrader utility, you must do the following:

    Task | Description
    1 | Configure the alternate update server. (See Configuring license and update servers on page 5.)
    2 | Install the Manual Upgrader utility. (See Installing the manual upgrader on page 10.)
    3 | Run the Manual Upgrader utility. (See Running the manual upgrader on page 10.)
    4 | Copy updates to the XPU server. (See Copying updates to the XPU server on page 11.)
    5 | Install the updates.
        Note: Depending on how you have configured Proventia Manager, the updates are either installed automatically once they are available or you can install them manually.


  • Installing the manual upgrader

    Follow these steps to install the Manual Upgrader utility.

    Procedure

    1. Obtain the Manual Upgrader installation file from the IBM ISS Download Center. The file is located in the SiteProtector area under the Other tab.
    2. Copy the file to a computer that has Internet access.
    3. Extract the downloaded zip file to a convenient directory.

       Note: If you enable the Use Folder Names option when you extract the zip file, then the program extracts the files to a directory called ManualUpgrader.

    Running the manual upgrader

    Follow these steps to download updates using the Manual Upgrader utility.

    Procedure

    1. On the computer where you installed the Manual Upgrader, navigate to the folder containing the program.
    2. Double-click ManualUpgrader.exe.
    3. Browse to a valid license file, and then select the file.
    4. Read the End User License Agreement, and then click I Accept.

       Note: If the Export Agreement appears, read the agreement, and then click I Accept.

    5. Click Yes on the Manual Upgrader dialog to download a new catalog of available updates from the Web.
    6. If you are prompted to download a Manual Upgrader update, click Yes. The update is downloaded, and then you are prompted to download the most recent catalog files.
    7. Click Yes.
    8. If an export agreement appears, accept it. The newest catalog files are downloaded and all IBM ISS product lines appear in the top pane and all available operating systems appear in the bottom pane.
    9. Select Catalog > Latest Network Multi-Function Catalog to select only MFS content.
    10. Select the IBM ISS product lines and the operating systems for which you want to download updates.

        Note: You can select multiple product lines and operating systems if needed.

    11. You can control how recent the updates are by selecting the Only Get Files Posted Within This Many Days check box and specifying the number of days for which you want to get updates.
    12. Click Get Selected Updates.


  • Copying updates to the XPU server

    You can use either the integrated XPU Server that is installed on the same computer as the Application Server or an XPU Server that is installed on a separate computer.

    Before you begin

    If you did not download the required files to the computer where the XPU Server is installed, then you must transfer the files to that computer before you can apply the updates. You must copy the required files to specific directories on the computer where the XPU Server is installed. If these directories do not exist, then you must create them before you can apply the updates.

    Important: When you create the directories, you must spell and capitalize the directory names exactly as described in this topic.

    Procedure

    - If you are creating the directories on the integrated XPU Server and this server is installed on the same computer as the Application Server, create the directory: \Program Files\ISS\SiteProtector\Application Server\webserver\Apache2\htdocs\XPU\Proventia\M-Series
    - If you are creating the directories on a remote XPU Server that is not installed on the same computer as the Application Server, then you must create the directories in the following directory path on the computer where the remote XPU Server is installed: \Program Files\ISS\SiteProtector\X-Press Update Server\webserver\Apache2\htdocs\XPU\


  • Proxy server

    If the appliance must go through a Web proxy server to retrieve updates from IBM ISS, then you must enable the Web (HTTP) proxy service.

    You access the HTTP Proxy tab from the Service Configuration page.

    Opening the Service Configuration page

    You can access the Service Configuration page from your Proventia Network MFS appliance Proventia Manager (the local management interface) or from your SiteProtector Console.

    Opening from Proventia Manager

    Procedure

    Click Configuration > System > Services in the navigation pane.

    Opening from SiteProtector

    Procedure

    1. Select Policy from the View list.
    2. In the left pane, select Network Multi-Function Security from the Agent Type list.
    3. Select the appropriate repository.
    4. In the right pane, select Services.
    5. From the menu bar, select Action > Open.


  • Configuring HTTP proxy

    Use the HTTP Proxy tab on the Service Configuration page of your Proventia Network MFS appliance to enable and configure a proxy server you will use for downloading updates.

    Procedure

    1. On the Service Configuration page, click the HTTP Proxy tab.
    2. Configure the following settings:

    Option | Description
    Enable HTTP Proxy | Enables the HTTP proxy server
        Important: The HTTP proxy server is a different process than the HTTP advanced firewall ALG. However, for the appliance to correctly route HTTP proxy traffic, make sure that you enable the relevant Advanced Firewall ALG policies in Configuration Firewall/VPN Advanced Firewall ALG Policy if you enable the HTTP Proxy option here.
    Address | Specifies the IP address of the proxy server
    Port | Specifies the port number for the proxy server
    Enable Authentication | Requires authentication
        Note: If you enable authentication you must also specify a user ID and password.


  • Chapter 2. Maintenance

    This chapter describes the maintenance activities you can perform on your Proventia Network MFS appliance.

    Topics

    Using system tools

    Backup and recovery on page 16

    Generating system support files on page 20

    Using system tools

    Use the System Tools page on your Proventia Network MFS appliance to perform basic system maintenance and diagnostic functions.

    Procedure

    1. To open the System Tools page, click Maintenance > Tools in the navigation pane.
    2. Use any of the following tools:

    Option | Description
    System | Click Reboot or Shutdown.
    Ping | Type the IP address of the computer you want to test and click Submit.
    Traceroute |
        1. Type the IP address you want to trace.
        2. Select a protocol in the Protocol area.
        3. Click Submit.
    Network Connection | Reconnect to a PPPoE connection or renew a DHCP lease for selected network connections.
    High Availability | Force a failover to the secondary appliance or initialize a replacement node (restore the secondary).
    Send Gratuitous ARPs | The Address Resolution Protocol (ARP) is the standard method for finding a host's hardware address when only its network layer address is known. A Gratuitous ARP is a packet (usually an ARP Request) containing a valid SHA (Sender Hardware Address) and SPA (Sender Protocol Address) for the host which sent it, with TPA (Target Protocol Address) equal to SPA. Such a request is not intended to solicit a reply, but merely updates the ARP caches of other hosts which receive the packet.
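The Gratuitous ARP definition above (TPA equal to SPA) can be checked directly on captured ARP bodies. The following is an added example, not code from the appliance: it parses Ethernet/IPv4 ARP bodies, flags gratuitous ones, and reports when one rebinds an IP address to a different hardware address. The addresses, the sample packets and the failover scenario are constructed for illustration.

```python
import socket
import struct

# Ethernet/IPv4 ARP body: HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_arp(payload):
    """Decode an ARP body (the bytes after the Ethernet header) into a dict."""
    if len(payload) < ARP_LEN:
        raise ValueError("ARP body too short: %d bytes" % len(payload))
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": _mac(sha), "spa": socket.inet_ntoa(spa),
            "tha": _mac(tha), "tpa": socket.inet_ntoa(tpa)}


def is_gratuitous(arp):
    """Gratuitous ARP as defined in the text: target protocol address == sender's."""
    return arp["spa"] == arp["tpa"]


def observe(cache, payload):
    """Apply one ARP body to an IP->MAC cache, tracking gratuitous packets only.

    Returns None for ordinary ARP traffic, otherwise 'learned', 'unchanged'
    or 'moved' (the IP address is now claimed by a different MAC).
    """
    arp = parse_arp(payload)
    if not is_gratuitous(arp):
        return None
    previous = cache.get(arp["spa"])
    cache[arp["spa"]] = arp["sha"]
    if previous is None:
        return "learned"
    return "unchanged" if previous == arp["sha"] else "moved"


def build_arp(oper, sha, spa, tha, tpa):
    """Helper that builds constructed sample packets for this example."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, to_bytes(sha),
                       socket.inet_aton(spa), to_bytes(tha), socket.inet_aton(tpa))


ZERO = "00:00:00:00:00:00"
# Constructed samples: a primary node announces 192.0.2.1, a host sends an
# ordinary request, then (assumed scenario) a secondary takes over the address.
SAMPLES = [
    build_arp(1, "02:00:00:00:00:0a", "192.0.2.1", ZERO, "192.0.2.1"),
    build_arp(1, "02:00:00:00:00:33", "192.0.2.50", ZERO, "192.0.2.1"),
    build_arp(1, "02:00:00:00:00:0b", "192.0.2.1", ZERO, "192.0.2.1"),
]


def demo():
    cache = {}
    events = [observe(cache, packet) for packet in SAMPLES]
    return events, cache


if __name__ == "__main__":
    print(demo())
```

A 'moved' result is expected after a forced failover; the same event outside a maintenance window is worth reviewing, since any host that receives the packet updates its ARP cache.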


  • Backup and recovery

    Use the Backup and Recovery page in your Proventia Network MFS appliance to manage snapshots of system settings and to make and restore complete system backups.

    Definitions

    Settings snapshot
        A settings snapshot is a file that stores all of your appliance configuration settings. You can have many settings snapshots of different configurations. Settings snapshots can be edited offline using the Offline Settings Editor.

    System backup
        A system backup stores a complete image of the operating system and current configuration settings of the appliance. You can have only one system backup file. When you restore from a system backup, you restore the appliance to a previous state.

    Tips

    - Use a settings snapshot file to restore the appliance settings to a known good configuration.
    - Use a settings snapshot file to quickly change to an alternate configuration.
    - It is not a good practice to apply the snapshot file to other appliances because a settings snapshot includes appliance-specific network configuration information. (If you want to save or propagate group-level policy configuration, use the central management capabilities of your SiteProtector Console.)
    - Create a system backup of a known good configuration and download snapshot files to a local computer before you apply a firmware update.
    - Save a settings snapshot to store a known good configuration before you reconfigure the appliance.
    - Save a settings snapshot to store a known good configuration before you restore the appliance after a hardware failure using Recovery CDs and firmware packages.
    - You can use a USB drive (also called a thumb drive) to install a settings snapshot.


  • Managing backup settings

    Use the Settings Backup tab on the Backup and Recovery page to add, delete, and download backup settings files (settings snapshots) on your Proventia Network MFS appliance.

    Procedure

    1. In the navigation pane click Maintenance > Backup and Recovery, and then click the Settings Backup tab.
    2. To create a new settings snapshot file of the current settings, click the Add icon, specify a name for the file, and then click Create. The system creates a backup file using the current settings and displays the file name in the Settings Backup list.
    3. To upload an existing settings snapshot file that is not displayed in the Settings Backup list, click the Add icon, browse for the file you want to upload, and then click Upload. The system adds that settings snapshot file to the Settings Backup list.
    4. To apply an existing settings snapshot to the appliance, select a settings snapshot and click the Apply icon. The system applies the contents of that settings snapshot to your appliance. You can restore the factory default settings by selecting the factoryDefault.settings file.

       Note: Use this feature only with careful forethought. It overwrites all your existing configuration settings.

    5. To manage existing settings snapshot files displayed in the Settings Backup list, use the following controls:

    Option Description

    Removes all settings snapshot files from the Settings Backup list.
    Note: The system asks you to verify the deletion before actually removing the files.

    Removes the selected settings snapshot file from the Settings Backup list.
    Note: The system asks you to verify the deletion before actually removing the file.

    Saves the selected settings snapshot file to a location of your choosing.
    Note: The system prompts you for where to save the downloaded file.


  • Creating a system backup

    Use the Full Backup tab on the Backup and Recovery page on your Proventia Network MFS appliance to create a complete image of the operating system and current configuration settings.

    Procedure

    1. In the navigation pane click Maintenance > Backup and Recovery, and then click the Full Backup tab.
    2. Click CREATE SYSTEM BACKUP. The system creates a full system backup.

    Important: The IP address for the appliance is unavailable during the backup process, and you cannot access the Proventia Manager in the browser window.

    Restoring from backup

    Use the Full Backup tab on the Backup and Recovery page on your Proventia Network MFS appliance to restore the operating system and configuration settings to the last saved backup.

    Before you begin

    Important: If you restore from backup before you create a system backup, the appliance reverts to default settings and you must reconfigure the appliance using the Proventia Setup utility before you can access the Proventia Manager.

    Procedure

    1. In the navigation pane click Maintenance > Backup and Recovery, and then click the Full Backup tab.
    2. Click RESTORE FROM BACKUP. A message prompts you to continue the backup.
    3. Click OK. The system restores the backup.

       Important: The IP address for the appliance is unavailable during the restore process, and you cannot access the Proventia Manager in the browser window.

    4. Close all Web browser windows.
    5. Clear your Java cache.

    Results

    Note: If you enabled Alert Logging for System Informative Events and specified an e-mail address, you will receive an e-mail notification once the appliance is back on line. If you have not enabled this notification setting, wait at least 5 minutes before you attempt to log back into the Proventia Manager.


  • Editing settings files offline

    Use the Offline Settings Editor for your Proventia Network MFS appliance to edit a settings file without being on a specific appliance. You can then upload the revised settings file to an appliance of the same model.

    Editing the settings

    Follow this procedure to edit your settings file offline.

    Before you begin

    Note: You must download a settings backup file before you can edit it offline.

    Procedure

    1. On the Settings Backup tab of the Backup and Recovery page, click Offline Settings Editor on the bottom of the page.
    2. Open the OfflineSettingsEditor.zip file.
    3. Extract all the contents of the zip file to any convenient directory.
    4. Navigate to the directory in which you extracted the files.
    5. Double click OfflineSettingsEditor.bat. There could be a delay while the Proventia Offline Settings Editor opens.
    6. Click File > Open on the menu.
    7. In the navigation pane, click the policy you want to edit. As you edit a policy, an asterisk appears next to its name in the navigation pane.
    8. Click File > Save on the menu when you are done.


  • Adding the settings file to an appliance

    Follow this procedure to upload the edited settings file to your Proventia Network MFS appliance.

    Procedure

    1. On the Settings Backup tab of the Backup and Recovery page, click the Add icon.
    2. Click Browse in the Upload settings snapshot file field and select the file.
    3. Click Upload.

    Generating system support files

    Use the System Support File page in your Proventia Network MFS appliance to generate a support file and download it from the Proventia Network MFS appliance.

    About this task

    Sometimes IBM ISS customer support must see a recent system support file to help troubleshoot problems. The following steps explain how to generate the requested file.

    Procedure

    1. Click Support > System Support File in the navigation pane.
    2. Click Generate Support Data File. The system generates the file and the file information appears in the table.

       Note: It could take a few minutes for the system to generate the file.

    3. Click the file's selection button, and then click the Download button. The system prompts you for a location in which to save the zipped file.

    What to do next

    You can then attach the downloaded zipped file to an e-mail and send it to customer support.


  • Chapter 3. Firmware Installation

    This chapter explains how to install the firmware.

    Topics

    Requirements for installing firmware

    Installing firmware (appliance with CD drive)

    Installing firmware (appliance with no CD drive)

    Requirements for installing firmware

    This topic discusses the prerequisites and requirements for installing firmware on your Proventia Network MFS appliance.

    Considerations

    Reinstalling the firmware takes the Proventia Network MFS off line and overwrites your custom policies with the original factory defaults.

    The recovery CD includes the Filter Database that came with your Proventia Network MFS. This database is quickly out of date because database updates are released often. IBM Internet Security Systems (ISS) recommends that you reinstall only the firmware and then, after the Proventia Network MFS is deployed, use the Get Filter Database option in Proventia Manager to download the latest database directly from the IBM ISS Web site.

    Prerequisites

    - Computer (see Computer Requirements) or keyboard and monitor
    - Red crossover cable
    - Serial cable
    - Recovery CD

    Computer requirements

    If you are connecting a computer to the Proventia Network MFS for this procedure, verify the computer requirements below:

    Note: No software is installed on the computer during this process; the computer is used only to reinstall the firmware.

    Requirement | Description
    BIOS setting | Computer must be configured to allow it to boot from the CD drive. Reference: For information on how to check or change your BIOS settings, see your computer documentation or go online and search for instructions. Commonly, pressing F12 during bootup allows you to specify booting from a CD.
    CPU | Pentium II or compatible
    RAM | 64MB
    Drive | IDE CD-ROM Drive
    Port | COM1
    Network interface | 3Com 3c905C; Intel PRO/100 or PRO/1000; 3Com 3c574 or 3Com 3c575; Netgear FA511 or Netgear FA411; Intel PRO/100 S Mobile Adapter. IBM ISS supports only the listed network cards. The Proventia Network MFS automatically detects network interface cards.

    Before you reinstall

    If your Proventia Network MFS is still operational, do the following before you reinstall the firmware:

    - Back up your policies using a Settings Backup, and then download the backup files to a remote location. You can restore your policies from the backup files after you reinstall the Proventia Network MFS firmware.
    - Record the networking settings shown in the following table:

    Mode | Network settings
    Routing | IP addresses; subnet masks; default gateways for all interfaces; hostname; domain name; DNS name servers
    Transparent | IP address; subnet mask; default gateway; hostname; domain name; DNS name server


  • Installing firmware (appliance with CD drive)

    Follow these steps if your Proventia Network MFS appliance has its own CD drive.

    Procedure

    1. Connect to the Proventia Network MFS:

       If you are using a computer:

       1. Connect the serial cable from your computer to the serial port on the Proventia Network MFS.
       2. Connect the red Ethernet crossover cable from the Ethernet port on your computer to the Internal ETH0 port on the Proventia Network MFS.
       3. On the computer, use an application such as HyperTerminal to configure a terminal connection between the computer and the appliance. Use the following settings:

          Port = COM1 or other appropriate port
          Bits Per Second = 9600
          Data bits = 8
          Parity = None
          Stop bits = 1
          Flow control = None

       4. Start the connection.

       If you are using a keyboard and monitor: Connect the keyboard and monitor to the Proventia Network MFS.

    2. Remove the front bezel.
    3. Insert the Recovery CD in the CD drive of the Proventia Network MFS.
    4. Restart the Proventia Network MFS.
    5. When you see the boot: prompt, type reinstall, and then press ENTER.
    6. Wait until the appliance reinstalls the software and automatically ejects the Recovery CD.

    What to do next

    You must run the Proventia Setup Assistant again to initialize the system. You must also either reconfigure your policies or restore your policies from the backup files you made.


  • Installing firmware (appliance with no CD drive)

    Follow these steps if your Proventia Network MFS appliance does not have its own CD drive.

    Procedure

    1. Turn off the Proventia Network MFS, and then disconnect it from the network.
    2. Connect the serial cable from the console port on the Proventia Network MFS to the serial port on your computer.
    3. Connect the red Ethernet crossover cable from the internal port on the appliance to the Ethernet port on your computer.
    4. Insert the recovery CD into the CD drive on your computer, and then restart the computer.
    5. Wait until you see the following message:

       ***You may now boot your Proventia Appliance via the network***

       ***Starting Terminal Emulator***

       ***Press Control-G to Exit and Reboot***

       Important: In the next step, you have only five seconds to press L after the Press L prompt appears.

    6. Turn on the Proventia Network MFS and watch the screen closely for the Press L prompt.
    7. When you see the Press L to boot from LAN prompt, press the L key.
    8. When you see the boot: prompt, type reinstall, and then press ENTER.
    9. Wait until the Proventia Network MFS reinstalls the software.
    10. When the installation is complete, press CONTROL+G to eject the CD and restart the computer in normal mode.

    What to do next

    You must run the Proventia Setup Assistant again to initialize the system. You must also either reconfigure your policies or restore your policies from the backup files you made.


  • Chapter 4. System Diagnostics

    This chapter describes the system diagnostics utility and provides instructions on how to run it.

    Topics

    About System Diagnostics

    Requirements for running diagnostics

    Running diagnostics on an M50

    Running diagnostics (not M50)

    Copying results files

    About System Diagnostics

    The system diagnostics utility is included on the recovery CD for your appliance and provides a way to check for the following types of hardware failures:

    - Network interface failures
    - Hard disk failures
    - File system errors
    - Certain general hardware errors

    Limitations

    The utility does not detect the following:

    - A single failed power supply on with dual supplies
    - A single failed drive in a RAID mirror
    - Bad memory

    When to run the tool

    You can run the utility at the following times:

    - Before you deploy a new appliance
    - Before you deploy a replacement appliance
    - When you suspect there is a hardware issue with the appliance
    - When Technical Support requests it

    What tests are available

    The utility provides four classes of diagnostic tests:

    - Serial number and model
    - Disk
    - Network
    - Event log analysis


  • Serial number and model tests

    The following table describes serial number and model tests:

    Test | Description
    Model test | Verifies that the appliance model matches the recovery CD used.
    Serial number test | Verifies that the appliance serial number is either 9 or 13 digits.

    Disk tests

    You can skip all disk tests by specifying nodisk. The following table describes disk tests:

    Test | Description
    Badblock test | Finds invalid disk sectors. Each test takes approximately one hour except when run on the M10, M10e, and M30 models. On these models, each test takes approximately two hours. Parameters: To run this test multiple times, use the dtbb=(number) parameter. To skip this test, use the dtbb=0 parameter.
    File system test | Checks the integrity of the Linux file system on the appliance but does not necessarily indicate failure. Parameters: To skip this test, use the nofsck parameter. To resolve most file system errors: 1. Reboot the device normally. 2. Log in as the root user. 3. Type reboot. 4. Reload the system diagnostics. If this does not resolve a file system error message, you may need to reimage the appliance.
    SMART drive test | Checks the hard drive error log for signs of failure. This test is available on the following models that don't have multiple disks: M10, M10e, M30, M30e, MX1004, and MX3006. Parameters: To skip this test, use the nosmart parameter.

    Network tests

    You can skip all network tests by specifying nonet. The following table describes network tests:


  • Check | Description
    Network port count check | If this test fails, the appliance may require RMA replacement.
    Network interface self test | Determines whether all interfaces are plugged in. Any interface that is not plugged in shows up as failed. Parameters: To skip this test, use the nonetself parameter.
    Network traffic test | Checks the interface traffic flow. Cables must be connected to the interfaces to run this test. Example cable connections on MX5010 (cable connections will be similar on other models): connect eth0 to eth1, eth2 to eth3, eth4 to eth5, eth6 to eth7, and eth8 to eth9. Parameters: To skip this test, use the notraffic parameter. Important: Immediately before this test begins, you have approximately 30 seconds to verify that the cables are correctly connected. The delay may be longer depending on your appliance version. Important: Do not run earlier versions of system diagnostics on M10, M10e, and M30e models because the test always fails, even when the interfaces are not defective.

    Event log analysis tests for the M50 appliance

    On the M50 appliance, event log analysis tests check for fault indicators or messages such as the following:

    - Critical interrupts
    - System POST errors
    - System temperature issues


  • Requirements for running diagnostics

    This topic outlines considerations and requirements for running the system diagnostic utility.

    Considerations

    Consider the following before you run the utility:

    - Running system diagnostics takes the appliance off line completely.
    - Running all tests takes the appliance offline for one to two hours.

      Note: The test takes two hours for the M10, M10e, and M30 models.

    - You must recable the appliance network interfaces before you run the network tests.

    Requirements

    Before you run the utility, verify that you have the following:

    - Computer

      Note: A computer is required if you want to download the results.

    - Red Ethernet crossover cable
    - Serial cable
    - Recovery CD

    Computer requirements

    If you are connecting a computer to the appliance for this procedure, verify the computer requirements:

    Note: No software is installed on the computer during this process.

    Requirement | Description
    BIOS Settings | Computer must be configured to allow it to boot from the CD drive. Reference: For information on how to check or change your BIOS settings, see your computer documentation or go online and search for instructions. Commonly, pressing F12 during bootup allows you to specify booting from a CD.
    CPU | Pentium II or compatible
    RAM | 64MB
    Drive | IDE CD-ROM Drive
    Serial port | COM1
    Network interface card | 3Com 3c905C; Intel PRO/100 or PRO/1000; 3Com 3c574 or 3Com 3c575; Netgear FA511 or Netgear FA411; Intel PRO/100 S Mobile Adapter. IBM ISS supports only the listed network cards. The Proventia Network MFS automatically detects network interface cards.

    Diagnostic procedures

    Running diagnostics on an M50

    Follow these steps to diagnose M50 appliances.

    Procedure

    1. Connect to the appliance:

       Tip: To view output and download diagnostic files after you run the tests, you must connect a computer to the appliance using the serial cable.

       If you are using a computer:

       1. Connect the serial cable from your computer to the serial port on the appliance.
       2. On the computer, use an application such as HyperTerminal to configure a terminal connection between the computer and the appliance. Use the following settings:

          Port = COM1 or other appropriate port
          Bits Per Second = 9600
          Data bits = 8
          Parity = None
          Stop bits = 1
          Flow control = None

       3. Start the connection.

       If you are using a keyboard and monitor: Connect the keyboard and monitor to the appliance.

    2. Remove the front bezel.
    3. Insert the Recovery CD in the appliance CD drive.
    4. Restart the appliance.
    5. When you see the boot: prompt, press TAB for the diagnostics menu.

       Important: If you plan to run network diagnostic tests, you must recable the device by connecting crossover cables between all interfaces. Connect ETH0 to ETH1, port 2 to 3, and so on.


  • 6. Do one of the following:

    If you want to... | Then...
    Run all four classes of system diagnostic tests | Type sysdiag, and press ENTER.
    Skip diagnostic test | Type sysdiag parametername (example: sysdiag nodisk). Tip: Optional parameters and descriptions are listed on the screen. You can specify multiple parameters by placing a space between parameters.

    Running diagnostics (not M50)

    Use this procedure to run system diagnostics on the M10, M30, MX1004, MX3006, MX5010, or any other M-series models that do not include a built-in CD drive.

    Procedure

    1. In Proventia Manager, select Maintenance > Tools.
    2. Click Shut Down.
    3. Turn off the appliance, and then disconnect it from the network.
    4. Connect the serial cable from the console port on the appliance to the serial port on your computer.
    5. Connect the red Ethernet crossover cable from the internal (ETH0) port on the appliance to the Ethernet port on your computer.
    6. Insert the recovery CD into the CD drive on your computer, and then restart the computer.
    7. Wait until you see the following message:

       ***You may now boot your Proventia Appliance via the network***

       ***Starting Terminal Emulator***

       ***Press Control-G to Exit and Reboot***

    8. If you plan to run network diagnostic tests, you must now recable the device by connecting crossover cables between all available interfaces except for ETH0 and ETH1. Connect port 2 to 3, port 4 to 5, and so on.

       Important: In the next step, you have only five seconds to press L after the Press L prompt appears.

    9. Turn on the appliance and watch the screen closely for the Press L prompt.
    10. When you see the Press L to boot from LAN prompt, press the L key.
    11. When you see the boot: prompt, press TAB for the diagnostics menu.
    12. Do one of the following:

    If you want to... | Then...
    Run all four classes of system diagnostic tests | Type sysdiag, and then press ENTER.
    Skip diagnostic test | Type sysdiag parametername (example: sysdiag nodisk). Tip: Optional parameters and descriptions are listed on the screen. You can specify multiple parameters by placing a space between parameters.


  • 13. Wait until you see the messages:

        Loading installer

        Loading filesystem

        Booting, please wait

    14. Unplug the network cable from the computer.
    15. Connect the remaining two appliance interfaces (ETH0 and ETH1) to each other.

    Results

    After the tests are finished, the results are displayed on a summary screen and included in the following file:

    /tmp/sysdiag_(serial).tgz

    CAUTION: All output, logs, and diagnostic files are stored in memory only and are lost when you restart the appliance. To preserve the files, you must transfer them to another system over the serial cable. Depending on the version of the system diagnostics utility you are running, the utility may provide an option to copy the file to an external USB drive.

    Copying results files

    Follow this procedure to copy the sysdiag_(serial).tgz test results file to another system.

    Procedure

    1. Start the computer connected to the appliance.

       Important: Do not restart the appliance itself.

    2. Start a HyperTerminal connection using the following values:

       - Port = COM1 or other appropriate port
       - Bits Per Second = 9600
       - Data bits = 8
       - Parity = None
       - Stop bits = 1
       - Flow control = None

    3. Press ENTER to get a bash prompt.
    4. At the prompt, type download.
    5. Type exit to safely turn off the appliance.
    6. Locate the file on your local system.

       Tip: The default location is the following:

       C:\Documents and Settings\(username)\sysdiag_(serial).tgz


  • Appendix. Safety, environmental, and electronic emissions notices

    Safety notices may be printed throughout this guide. DANGER notices warn you of conditions or procedures that can result in death or severe personal injury. CAUTION notices warn you of conditions or procedures that can cause personal injury that is neither lethal nor extremely hazardous. Attention notices warn you of conditions or procedures that can cause damage to machines, equipment, or programs.

    DANGER notices

    DANGER

    To prevent a possible shock from touching two surfaces with different protective ground (earth), use one hand, when possible, to connect or disconnect signal cables. (D001)

    DANGER

    Overloading a branch circuit is potentially a fire hazard and a shock hazard under certain conditions. To avoid these hazards, ensure that your system electrical requirements do not exceed branch circuit protection requirements. Refer to the information that is provided with your device or the power rating label for electrical specifications. (D002)

    DANGER

    If the receptacle has a metal shell, do not touch the shell until you have completed the voltage and grounding checks. Improper wiring or grounding could place dangerous voltage on the metal shell. If any of the conditions are not as described, STOP. Ensure the improper voltage or impedance conditions are corrected before proceeding. (D003)

    DANGER

    An electrical outlet that is not correctly wired could place hazardous voltage on the metal parts of the system or the devices that attach to the system. It is the responsibility of the customer to ensure that the outlet is correctly wired and grounded to prevent an electrical shock. (D004)


  • DANGER

    When working on or around the system, observe the following precautions:

    Electrical voltage and current from power, telephone, and communication cables are hazardous. To avoid a shock hazard:

    - Connect power to this unit only with the IBM ISS provided power cord. Do not use the IBM ISS provided power cord for any other product.
    - Do not open or service any power supply assembly.
    - Do not connect or disconnect any cables or perform installation, maintenance, or reconfiguration of this product during an electrical storm.
    - The product might be equipped with multiple power cords. To remove all hazardous voltages, disconnect all power cords.
    - Connect all power cords to a properly wired and grounded electrical outlet. Ensure that the outlet supplies proper voltage and phase rotation according to the system rating plate.
    - Connect any equipment that will be attached to this product to properly wired outlets.
    - When possible, use one hand only to connect or disconnect signal cables.
    - Never turn on any equipment when there is evidence of fire, water, or structural damage.
    - Disconnect the attached power cords, telecommunications systems, networks, and modems before you open the device covers, unless instructed otherwise in the installation and configuration procedures.
    - Connect and disconnect cables as described in the following procedures when installing, moving, or opening covers on this product or attached devices.

    To disconnect:

    1. Turn off everything (unless instructed otherwise).
    2. Remove the power cords from the outlets.
    3. Remove the signal cables from the connectors.
    4. Remove all cables from the devices.

    To connect:

    1. Turn off everything (unless instructed otherwise).
    2. Attach all cables to the devices.
    3. Attach the signal cables to the connectors.
    4. Attach the power cords to the outlets.
    5. Turn on the devices.

    (D005)

    CAUTION notices

    CAUTION: Data processing environments can contain equipment transmitting on system links with laser modules that operate at greater than Class 1 power levels. For this reason, never look into the end of an optical fiber cable or open receptacle. (C027)


  • CAUTION: The battery contains lithium. To avoid possible explosion, do not burn or charge the battery.

    Do not:

    - Throw or immerse into water
    - Heat to more than 100°C (212°F)
    - Repair or disassemble

    Exchange only with the IBM ISS-approved part. Recycle or discard the battery as instructed by local regulations. In the United States, IBM ISS has a process for the collection of this battery. For information, call 1-800-426-4333. Have the IBM ISS part number for the battery unit available when you call. (C003)

    CAUTION: For 19" rack mount products:

    - Do not install a unit in a rack where the internal rack ambient temperatures will exceed the manufacturer's recommended ambient temperature for all your rack-mounted devices.
    - Do not install a unit in a rack where the air flow is compromised. Ensure that air flow is not blocked or reduced on any side, front, or back of a unit used for air flow through the unit.
    - Consideration should be given to the connection of the equipment to the supply circuit so that overloading the circuits does not compromise the supply wiring or overcurrent protection. To provide the correct power connection to a rack, refer to the rating labels located on the equipment in the rack to determine the total power requirement of the supply circuit.
    - (For sliding drawers) Do not pull or install any drawer or feature if the rack stabilizer brackets are not attached to the rack. Do not pull out more than one drawer at a time. The rack might become unstable if you pull out more than one drawer at a time.
    - (For fixed drawers) This drawer is a fixed drawer and must not be moved for servicing unless specified by the manufacturer. Attempting to move the drawer partially or completely out of the rack might cause the rack to become unstable or cause the drawer to fall out of the rack.

    (R001 Part 2 of 2)

    Product handling information

    One of the following two safety notices may apply to this product. Please refer to the specific product specifications to determine the weight of the product to see which applies.

    CAUTION: This part or unit is heavy but has a weight smaller than 18 kg (39.7 lb). Use care when lifting, removing, or installing this part or unit. (C008)

    CAUTION: The weight of this part or unit is between 18 and 32 kg (39.7 and 70.5 lb). It takes two persons to safely lift this part or unit. (C009)


  • Product safety labels

    One or more of the following safety labels may apply to this product.

    DANGER

    Hazardous voltage, current, or energy levels are present inside any component that has this label attached. Do not open any cover or barrier that contains this label. (L001)

    DANGER

    Multiple power cords. The product might be equipped with multiple power cords. To remove all hazardous voltages, disconnect all power cords. (L003)

    World trade safety information

    Several countries require the safety information contained in product publications to be presented in their national languages. If this requirement applies to your country, a safety information booklet is included in the publications package shipped with the product. The booklet contains the safety information in your national language with references to the US English source. Before using a US English publication to install, operate, or service this IBM ISS product, you must first become familiar with the related safety information in the booklet. You should also refer to the booklet any time you do not clearly understand any safety information in the US English publications.


  • Laser safety information

    The following laser safety notices apply to this product:

    CAUTION:This product may contain one or more of the following devices: CD-ROM drive,DVD-ROM drive, DVD-RAM drive, or laser module, which are Class 1 laserproducts. Note the following information:

    v Do not remove the covers. Removing the covers of the laser product couldresult in exposure to hazardous laser radiation. There are no serviceable partsinside the device.

    v Use of the controls or adjustments or performance of procedures other thanthose specified herein might result in hazardous radiation exposure. (C026)

    CAUTION:Data processing environments can contain equipment transmitting on systemlinks with laser modules that operate at greater than Class 1 power levels. Forthis reason, never look into the end of an optical fiber cable or open receptacle.(C027)

    Laser compliance

    All lasers are certified in the U.S. to conform to the requirements of DHHS 21 CFRSubchapter J for class 1 laser products. Outside the U.S., they are certified to be incompliance with IEC 60825 as a class 1 laser product. Consult the label on eachpart for laser certification numbers and approval information.

    Product recycling and disposal

    This unit must be recycled or discarded according to applicable local and national regulations. IBM encourages owners of information technology (IT) equipment to responsibly recycle their equipment when it is no longer needed. IBM offers a variety of product return programs and services in several countries to assist equipment owners in recycling their IT products. Information on IBM ISS product recycling offerings can be found on IBM's Internet site at http://www.ibm.com/ibm/environment/products/prp.shtml.

    This unit must be recycled or disposed of in accordance with applicable national or local regulations. IBM recommends that owners of information technology (IT) equipment recycle their equipment responsibly when it is no longer useful to them. IBM has a series of product return programs and services in several countries to help equipment owners recycle their IT products. Information on IBM product recycling offerings can be found on the IBM Web site at http://www.ibm.com/ibm/environment/products/prp.shtml.


  • Notice: This mark applies only to countries within the European Union (EU) and Norway.

    Appliances are labeled in accordance with European Directive 2002/96/EC concerning waste electrical and electronic equipment (WEEE). The Directive determines the framework for the return and recycling of used appliances as applicable throughout the European Union. This label is applied to various products to indicate that the product is not to be thrown away, but rather reclaimed upon end of life per this Directive.

    In accordance with the European WEEE Directive, electrical and electronic equipment (EEE) is to be collected separately and to be reused, recycled, or recovered at end of life. Users of EEE with the WEEE marking per Annex IV of the WEEE Directive, as shown above, must not dispose of end of life EEE as unsorted municipal waste, but use the collection framework available to customers for the return, recycling, and recovery of WEEE. Customer participation is important to minimize any potential effects of EEE on the environment and human health due to the potential presence of hazardous substances in EEE. For proper collection and treatment, contact your local IBM representative.

    Note: This mark applies only to countries of the European Union and Norway.

    The system label complies with European Directive 2002/96/EC on Waste Electrical and Electronic Equipment (WEEE), which determines the return and recycling provisions applicable to systems used throughout the European Union. In accordance with the Directive, this label specifies that the product to which it is affixed must not be thrown away but must be recovered at end of life.

    Battery return program

    This product contains a lithium battery. The battery must be recycled or disposed of properly. Recycling facilities may not be available in your area. For information on disposal of batteries outside the United States, go to http://www.ibm.com/ibm/environment/products/batteryrecycle.shtm or contact your local waste disposal facility.

    In the United States, IBM has established a return process for reuse, recycling, or proper disposal of used IBM sealed lead acid, nickel cadmium, nickel metal hydride, and other battery packs from IBM equipment. For information on proper disposal of these batteries, contact IBM at 1-800-426-4333. Please have the IBM part number listed on the battery available prior to your call.

    For Taiwan:

    Please recycle batteries

    For the European Union:

    Notice: This mark applies only to countries within the European Union (EU).

    Batteries or packing for batteries are labeled in accordance with European Directive 2006/66/EC concerning batteries and accumulators and waste batteries and accumulators. The Directive determines the framework for the return and recycling of used batteries and accumulators as applicable throughout the European Union. This label is applied to various batteries to indicate that the battery is not to be thrown away, but rather reclaimed upon end of life per this Directive.

    Batteries or packaging for batteries are labeled in accordance with European Directive 2006/66/EC, the standard concerning batteries and accumulators in use and waste batteries and accumulators. The Directive determines the procedure in force in the European Union for the return and recycling of waste batteries and accumulators. This label is applied to various batteries to indicate that the battery must not be thrown away but rather recovered at end of life in accordance with this standard.


  • In accordance with the European Directive 2006/66/EC, batteries and accumulators are labeled to indicate that they are to be collected separately and recycled at end of life. The label on the battery may also include a symbol for the metal concerned in the battery (Pb for lead, Hg for mercury, and Cd for cadmium). Users of batteries and accumulators must not dispose of batteries and accumulators as unsorted municipal waste, but use the collection framework available to customers for the return, recycling, and treatment of batteries and accumulators. Customer participation is important to minimize any potential effects of batteries and accumulators on the environment and human health due to potential presence of hazardous substances. For proper collection and treatment, contact your local IBM representative.

    For California:

    Perchlorate Material - special handling may apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate.

    The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a lithium manganese dioxide battery which contains a perchlorate substance.

    Electronic emissions notices

    The following statements apply to this IBM product. The statement for other IBM products intended for use with this product will appear in their accompanying manuals.

    Federal Communications Commission (FCC) Statement

    Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions contained in the installation manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.

    Note: Properly shielded and grounded cables and connectors must be used in order to meet FCC emission limits. IBM is not responsible for any radio or television interference caused by using other than recommended cables and connectors, by installation or use of this equipment other than as specified in the installation manual, or by any other unauthorized changes or modifications to this equipment. Unauthorized changes or modifications could void the user's authority to operate the equipment.


  • Note: This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

    Canadian Department of Communications Compliance Statement

    This Class A digital apparatus complies with Canadian ICES-003.

    Notice of compliance with the standards of the Canadian Department of Communications

    This Class A digital apparatus complies with Canadian standard NMB-003.

    European Union (EU) Electromagnetic Compatibility Directive

    This product is in conformity with the protection requirements of EU Council Directive 2004/108/EEC on the approximation of the laws of the Member States relating to electromagnetic compatibility. IBM ISS cannot accept responsibility for any failure to satisfy the protection requirements resulting from a non-recommended modification of the product, including the fitting of non-IBM ISS option cards.

    This product has been tested and found to comply with the limits for Class A Information Technology Equipment according to European Standard EN 55022. The limits for Class A equipment were derived for commercial and industrial environments to provide reasonable protection against interference with licensed communication equipment.

    Warning:

    This is a Class A product. In a domestic environment, this product may cause radio interference in which case the user may be required to take adequate measures.

    European Community contact:

    IBM Technical Regulations
    Pascalstr. 100, Stuttgart, Germany 70569
    Telephone: 0049 (0) 711 785 1176
    Fax: 0049 (0) 711 785 1283
    e-mail: [email protected]

    EC Declaration of Conformity (In German)

    German-language EU notice: Notice for Class A devices, EU Directive on Electromagnetic Compatibility

    This product complies with the protection requirements of EU Directive 89/336/EEC on the approximation of the laws relating to electromagnetic compatibility in the EU Member States and meets the limits of EN 55022 Class A.

    To ensure this, the devices must be installed and operated as described in the manuals. Furthermore, only cables recommended by IBM may be connected. IBM assumes no responsibility for compliance with the protection requirements if the product is modified without IBM's consent or if expansion components from third-party manufacturers are plugged in or installed without IBM's recommendation.

    EN 55022 Class A devices must carry the following warning: Warning: This is a Class A device. This device may cause radio interference in residential areas; in this case the operator may be required to take appropriate measures and to bear the cost of them.

    Germany: Compliance with the Act on the Electromagnetic Compatibility of Devices

    This product complies with the Act on the Electromagnetic Compatibility of Devices (EMVG). This is the implementation of EU Directive 89/336/EEC in the Federal Republic of Germany.

    Certificate of conformity under the German Act on the Electromagnetic Compatibility of Devices (EMVG) of 18 September 1998 (or EMC EC Directive 89/336) for Class A devices.

    This device is entitled, in accordance with the German EMVG, to bear the EC conformity mark - CE.

    Responsible for the declaration of conformity under Section 5 of the EMVG is IBM Deutschland GmbH, 70548 Stuttgart.

    Information regarding EMVG Section 4 (1) 4:

    The device meets the protection requirements of EN 55024 and EN 55022 Class A.

    update: 2004/12/07

    People's Republic of China Class A Compliance Statement:

    This is a Class A product. In a domestic environment, this product may cause radio interference in which case the user may need to perform practical actions.

    Japan Class A Compliance Statement:

    This product is a Class A Information Technology Equipment and conforms to the standards set by the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). In a domestic environment, this product may cause radio interference in which case the user may be required to take adequate measures.


  • Korean Class A Compliance Statement:


  • Index

    A
    Address Resolution Protocol (ARP) 15
    ARP (Address Resolution Protocol) 15
    automatic updates 2
        event notification 6
        update settings 3
    automatic updates settings 3

    B
    backup 16, 17, 18

    D
    database updates 2
    DHCP, releasing and renewing 15

    E
    event notification
        automatic updates 6

    F
    failover, forcing 15
    firmware updates 2

    I
    IBM Internet Security Systems
        technical support viii
        Web site viii

    L
    licenses 1

    O
    offline settings editor 19

    P
    pinging 15
    PPPoE, restoring 15
    PXE boot server 21, 28

    R
    recovery 16, 18
    reinstalling appliance firmware
        procedure for M50 21
        procedure for Mx1004 21, 24
        procedure for Mx3006 21, 24
        requirements 22

    S
    safety notices 33
    security updates 2
    service configuration 12
        HTTP proxy 13
    snapshots 16, 17
    SNMP traps 6
    support 20
    support files 20

    T
    technical support, IBM Internet Security Systems viii
    traceroute 15
    traps, SNMP 6

    U
    updates 1
        alternate update servers 7
        obtaining from SiteProtector 7
    updates, automatic 2
    updates, databases 2
    updates, firmware 2
    updates, security 2

    W
    Web site, IBM Internet Security Systems viii

    X
    X-Press update server 7


  • Printed in USA
