Fail-Open Unit For McAfee Secure Gateway Appliances Product Guide


Product Guide
Fail-Open Unit for McAfee Secure Gateway Appliances
McAfee Network Protection: Industry-leading intrusion prevention solutions


COPYRIGHT
Copyright 2006 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Attributions
This product includes or may include:
- Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
- Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
- Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
- Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
- Software originally written by Robert Nordier, Copyright 1996-7 Robert Nordier.
- Software written by Douglas W. Sauder.
- Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
- International Components for Unicode ("ICU") Copyright 1995-2002 International Business Machines Corporation and others.
- Software developed by CrystalClear Software, Inc., Copyright 2000 CrystalClear Software, Inc.
- FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany.
- Outside In Viewer Technology 1992-2001 Stellent Chicago, Inc. and/or Outside In HTML Export, 2001 Stellent Chicago, Inc.
- Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, 1998, 1999, 2000.
- Software copyrighted by Expat maintainers.
- Software copyrighted by The Regents of the University of California, 1996, 1989, 1998-2000.
- Software copyrighted by Gunnar Ritter.
- Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., 2003.
- Software copyrighted by Gisle Aas, 1995-2003.
- Software copyrighted by Michael A. Chase, 1999-2000.
- Software copyrighted by Neil Winton, 1995-1996.
- Software copyrighted by RSA Data Security, Inc., 1990-1992.
- Software copyrighted by Sean M. Burke, 1999, 2000.
- Software copyrighted by Martijn Koster, 1995.
- Software copyrighted by Brad Appleton, 1996-1999.
- Software copyrighted by Michael G. Schwern, 2001.
- Software copyrighted by Graham Barr, 1998.
- Software copyrighted by Larry Wall and Clark Cooper, 1998-2000.
- Software copyrighted by Frodo Looijaard, 1997.
- Software copyrighted by the Python Software Foundation, Copyright 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
- Software copyrighted by Beman Dawes, 1994-1999, 2002.
- Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek 1997-2000 University of Notre Dame.
- Software copyrighted by Simone Bordet & Marco Cravero, 2002.
- Software copyrighted by Stephen Purcell, 2001.
- Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
- Software copyrighted by International Business Machines Corporation and others, 1995-2003.
- Software developed by the University of California, Berkeley and its contributors.
- Software developed by Ralf S. Engelschall rse@engelschall.com for use in the mod_ssl project (http://www.modssl.org/).
- Software copyrighted by Kevlin Henney, 2000-2002.
- Software copyrighted by Peter Dimov and Multi Media Ltd. 2001, 2002.
- Software copyrighted by David Abrahams, 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
- Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, 2000.
- Software copyrighted by Boost.org, 1999-2002.
- Software copyrighted by Nicolai M. Josuttis, 1999.
- Software copyrighted by Jeremy Siek, 1999-2001.
- Software copyrighted by Daryle Walker, 2001.
- Software copyrighted by Chuck Allison and Jeremy Siek, 2001, 2002.
- Software copyrighted by Samuel Krempp, 2001. See http://www.boost.org for updates, documentation, and revision history.
- Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), 2001, 2002.
- Software copyrighted by Cadenza New Zealand Ltd., 2000.
- Software copyrighted by Jens Maurer, 2000, 2001.
- Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), 1999, 2000.
- Software copyrighted by Ronald Garcia, 2002.
- Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, 1999-2001.
- Software copyrighted by Stephen Cleary (shammah@voyager.net), 2000.
- Software copyrighted by Housemarque Oy (http://www.housemarque.com), 2001.
- Software copyrighted by Paul Moore, 1999.
- Software copyrighted by Dr. John Maddock, 1998-2002.
- Software copyrighted by Greg Colvin and Beman Dawes, 1998, 1999.
- Software copyrighted by Peter Dimov, 2001, 2002.
- Software copyrighted by Jeremy Siek and John R. Bandela, 2001.
- Software copyrighted by Joerg Walter and Mathias Koch, 2000-2002.
- Software copyrighted by Carnegie Mellon University 1989, 1991, 1992.
- Software copyrighted by Cambridge Broadband Ltd., 2001-2003.
- Software copyrighted by Sparta, Inc., 2003-2004.
- Software copyrighted by Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, 2004.
- Software copyrighted by Simon Josefsson, 2003.
- Software copyrighted by Thomas Jacob, 2003-2004.
- Software copyrighted by Advanced Software Engineering Limited, 2004.
- Software copyrighted by Todd C. Miller, 1998.
- Software copyrighted by The Regents of the University of California, 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

PATENT INFORMATION
Protected by US Patents 6,496,875; 6,499,109; 6,513,122; 6,668,289; 6,728,885; 6,732,157; 6,772,345.

Issued June 2006 / Fail-Open Unit
DBN-013-EN

Contents

1 Introducing the Fail-Open Unit  7
  Product features  7
    Detecting appliance failure  9
  Using this guide  10
    Audience  10
    Conventions  11
  Getting product information  12
    Additional documentation for the appliance  12
  Contact information  13

2 Installing the Fail-Open Unit  15
  Checking the contents of the box  15
  Mounting the unit in a rack  16
  Preparing for cable connections  16
    Rear view of the Fail-Open Unit  16
    Front view of the Fail-Open Unit  17
    Rear view of the appliance  18
  Connecting the Fail-Open Unit  19

3 Testing the Fail-Open Unit  21
  Understanding the indicators on the unit  22
  Testing the Fail-Open Unit  23
  Further testing  24
  Configuring the unit  24
    Changing settings  25

4 Frequently Asked Questions  27


1 Introducing the Fail-Open Unit

The Fail-Open Unit enables your network to continue operating if your appliance fails. The unit is intended for use with a Secure Gateway appliance that is operating in Transparent Bridge mode.

This section describes:
- Product features.
- Using this guide on page 10.
- Getting product information on page 12.
- Contact information on page 13.

Product features

In the typical network configuration shown in Figure 1-1, a single appliance operating in Transparent Bridge mode protects users (shown to the right of a network switch) who access the Internet or mail servers on the other side of the firewall or a router.

Figure 1-1 Transparent bridge mode configuration

If the appliance fails, the users have no service.

The Fail-Open Unit has four ports and can be connected between the devices in this configuration as shown in the following figure.

Figure 1-2 Configuration with Fail-Open Unit

When the appliance is working normally, the Fail-Open Unit is in its online state, and it directs network traffic along two paths: the first port and third port are linked, and the second port and fourth port are linked.

Figure 1-3 Paths through the unit in online state

If the appliance fails, the Fail-Open Unit detects the failure, then changes to its bypass state. The unit redirects network traffic along a different path: the first and second ports are linked, isolating the other two ports.

Figure 1-4 Path through the unit in bypass state

The following figures show how the unit directs traffic with this configuration. When the appliance is working normally, the Fail-Open Unit directs traffic through the appliance.

Figure 1-5 Connection paths during online state

When the appliance fails, the Fail-Open Unit directs traffic through itself, isolating the appliance.

Figure 1-6 Connection path during bypass state

Detecting appliance failure

The Fail-Open Unit detects a failure of the appliance by monitoring its response to a regular signal and, optionally, by detecting link faults on the inside and outside network links.

The unit sends a regular heartbeat packet to the appliance from its third port (port C).

Figure 1-7 Monitoring the heartbeat

If the Fail-Open Unit does not receive the heartbeat packet back on its fourth port (port D) within a specified interval (equivalent to several heartbeats), the Fail-Open Unit goes into the bypass state. While the unit is in the bypass state, traffic passes between the inside and outside networks without being scanned by the appliance (see Further testing on page 24).

Using this guide

This guide provides information on installing, configuring and using your product. These topics are included:
- Introducing the Fail-Open Unit. An overview of the product, with a description of new or changed features; an overview of this guide; McAfee contact information.
- Installing the Fail-Open Unit on page 15. How to mount the unit in the rack and connect the cables.
- Testing the Fail-Open Unit on page 21. How to test the installed unit.
- Frequently Asked Questions on page 27.

Audience

This information is intended for network administrators who are responsible for installing and managing the appliance.

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names. Example: Type the User name and Password of the appropriate account.

Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt). Examples: The default location for the program is: C:\Program Files\McAfee\EPO\3.5.0. Run this command on the client computer: scan --help

Italic: For emphasis or when introducing a new term; for names of product documentation and topics (headings) within the material. Example: Refer to the VirusScan Enterprise Product Guide for more information.

Blue: A web address (URL) and/or a live link. Example: Visit the McAfee web site at: http://www.mcafee.com

<TERM>: Angle brackets enclose a generic term. Example: In the console tree, right-click <SERVER>.

Note: Supplemental information; for example, another method of executing the same command.

Tip: Suggestions for best practices and recommendations from McAfee for threat prevention, performance and efficiency.

Caution: Important advice to protect your computer system, enterprise, software installation, or data.

Warning: Important advice to protect a user from bodily harm when using a hardware product.

Getting product information

Unless otherwise noted, product documentation comes as Adobe Acrobat .PDF files, available on the product CD or from the McAfee download site.

Additional documentation for the appliance

- Installation Guide: System requirements and instructions for installing the appliance.
- Product Guide: Introduction to the appliance and its features; detailed instructions for configuring the software; information on deployment, recurring tasks, and operating procedures.
- Concepts Guide: Conceptual information about how you can use the appliance.
- Help: High-level and detailed information accessed from the software application using the Quick Help button for page-level help.
- Configuration Guide: For use with ePolicy Orchestrator. Procedures for deploying and managing appliances through the ePolicy Orchestrator management software.
- Release Notes: ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.
- License Agreement: The McAfee License Agreement booklet that includes all of the license types you can purchase for your product. The License Agreement presents general terms and conditions for use of the licensed product.
- Contacts: Contact information for McAfee services and resources: technical support, customer service, Security Headquarters (AVERT), beta program, and training.

Contact information

Threat Center: McAfee Avert Labs
  http://www.mcafee.com/us/threat_center/default.asp
  Avert Labs Threat Library: http://vil.nai.com
  Avert Labs WebImmune & Submit a Sample (Logon credentials required)
  Avert Labs DAT Notification Service: http://vil.nai.com/vil/signup_DAT_notification.aspx

Download Site
  http://www.mcafee.com/us/downloads/
  Product Upgrades (Valid grant number required)
  Security Updates (DATs, engine)
  HotFix and Patch Releases: For Security Vulnerabilities (Available to the public); For Products (ServicePortal account and valid grant number required)
  Product Evaluation
  McAfee Beta Program

Technical Support
  KnowledgeBase Search: http://knowledge.mcafee.com/
  McAfee Technical Support ServicePortal (Logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe

Customer Service
  Web: ...ml
  Phone: US, Canada, and Latin America toll-free: 1-888-VIRUS NO or 1-888-847-8766, Monday to Friday, 8 a.m. to 8 p.m., Central Time

Professional Services
  Enterprise: ...rise/services/index.html
  Small and Medium Business: ...ex.html


2 Installing the Fail-Open Unit

The Fail-Open kit includes network cables and power cables, enabling it to be connected and mounted in a standard 19-inch rack. This section describes:
- Checking the contents of the box.
- Mounting the unit in a rack on page 16.
- Preparing for cable connections on page 16.
- Connecting the Fail-Open Unit on page 19.

Checking the contents of the box

Besides the unit and this guide, the box also contains:
- Four CAT-5e cables with RJ45 connectors, or four fiber cables with LC connectors. One cable is a cross-over.
- RS-232 cable.
- Power cable(s) to suit your location.

Mounting the unit in a rack

Before mounting the unit, observe the following points:
- When deciding where to put the unit in the rack, remember to load the rack from the bottom up. If you are installing several units, start with the lowest available position first.
- Do not open the unit's case. No user-serviceable parts are inside, and opening the case might invalidate your warranty.
- To avoid possible electric shock, or damage to other equipment, do not connect cables until the unit is mounted in the rack.
- Ensure that the power cord is suitable for the country of use. Do not modify the power cord.
- Ensure that the power outlet connected to the unit meets all electrical standards for the country of use.
- When connecting the appliance to the power outlet and other equipment, ensure that the cables are stowed or grouped safely, so that no one can trip over them.

Mount the unit using the integral thumbscrews. Two units can be mounted side by side.

Preparing for cable connections

Before connecting cables to the appliance and the Fail-Open Unit, familiarize yourself with the main components on their front and rear sides.

Rear view of the Fail-Open Unit

The following figure of the rear of the Fail-Open Unit shows the relevant parts for installing the Fail-Open Unit.

Figure 2-1 Rear view of the Fail-Open Unit
  R  RS-232 socket
  P  DC power jacks, with retaining clip

Front view of the Fail-Open Unit

The unit is available with copper ports or fiber ports. The following figures of the front of the Fail-Open Unit show the relevant parts for installing the Fail-Open Unit.

Figure 2-2 Front view of the copper-port Fail-Open Unit
Figure 2-3 Front view of the fiber-port Fail-Open Unit
  B  Bypass indicators
  P  Ports, labelled A, B, C, D
  L  Link and activity indicators
  S  Link speed indicators (the key on the right of the unit explains the colors that represent the speeds)
  M  Power indicators

For fiber ports: the left port of the pair transmits light from the unit; the right port of the pair receives light into the unit.

Rear view of the appliance

This section describes the relevant parts on the appliance for installing the Fail-Open Unit. The rear panel of an appliance varies according to the type, but can have the following parts:

- Power socket. If the appliance has two power modules, one acts as a redundant backup power system. The second module is in standby mode, and operates if the first module fails. The indicators on such power modules show their status:
  - Operational (top indicator): Glows green when the module is in use.
  - Standby mode (bottom indicator): Flashes green when the module is receiving standby power but is not in use.
  - No power: The indicators are off when the module is not receiving power from the power outlet.
- Copper or fiber ports. For copper cables, the appliance has two RJ45 10/100/1000 Mbps autonegotiating Ethernet network ports. The ports must be used only with equipment where the connections are intended for 10 Mbps, 100 Mbps or 1000 Mbps (1 Gbps) Ethernet networks. For fiber cables, the appliance has two fiber LC connectors for 1000BASE-SX Ethernet network connections. Remove the dust covers before use. To protect the fibers from dust, replace the dust covers when not in use. LAN1 and LAN2 ports connect the appliance to your network. They receive and transmit the inbound and outbound traffic, and they handle communication with the web browser that remotely manages the appliance. The labels on the back of the appliance identify the ports, LAN1 and LAN2. For details, see the Product Guide for your type of appliance.
- RS-232 serial port.
- System identification button. To locate the appliance within a rack, push the system identification button to flash indicators on the front and back panels. Push the button again to stop the indicators flashing.

Connecting the Fail-Open Unit

Before connecting the Fail-Open Unit:
- Configure the ports of attached network terminations (such as the devices connected to the A and B ports of the Fail-Open Unit) for autonegotiation of speed and duplex. Mismatches caused by fixed settings can disrupt network traffic.
- If your appliance is in regular use, choose the least busy time to install the unit, or warn users of the temporary break in service.

To connect the Fail-Open Unit:
1 Install your appliance and configure it in Transparent Bridge Mode.
2 Connect the Fail-Open Unit to the same power source as the appliance.
3 Power up the Fail-Open Unit.
4 From a browser interface, open the Network Settings page. Under Bypass Device Settings, select Copper/Fiber Fail Open 2000.
5 Click Apply All Changes, and type a comment when prompted.
6 Connect the RS-232 serial cable between the Fail-Open Unit and the appliance.
7 Connect the LAN 1 port of the appliance to port D of the Fail-Open Unit.
8 Connect the LAN 2 port of the appliance to port C of the Fail-Open Unit.
9 Connect a device (typically a router) on the outside network to port B of the Fail-Open Unit using a cross-over cable. This will act as your DTE interface.
10 Connect a device (typically a network switch) on the inside network to port A of the Fail-Open Unit using a straight-through cable. This will act as your DCE interface.

The unit should now be operating. See Testing the Fail-Open Unit on page 21 for tests to ensure that the unit is working correctly.


3 Testing the Fail-Open Unit

After you have installed the unit and connected the copper or fiber cables, you can test that the unit is operating correctly. This section describes:
- Understanding the indicators on the unit on page 22. Read this first to become familiar with the unit.
- Testing the Fail-Open Unit on page 23.
- Further testing on page 24.
- Configuring the unit on page 24.

For troubleshooting, see Frequently Asked Questions on page 27.

Understanding the indicators on the unit

The indicators on the front panel show the state of the unit.

Figure 3-1 Indicators on the front panel of the Fail-Open Unit (copper and fiber units)

Key:
  M  Power: The unit has two power supplies. The green indicators (labeled 1 and 2) show which power supply is providing power.
  B  BYPASS: Two green indicators show whether the unit is bypassing traffic. The OFF indicator glows while the appliance is working correctly. The ON indicator glows if the appliance fails and the unit is bypassing the traffic.
  S  LINK: The copper unit has a link speed indicator in the top left of each port. Each indicator glows with a color corresponding to the link speed; see the key on the right of the unit. The fiber unit has a group of four indicators, one per port. Each indicator glows steadily when a good link is established.
  L  ACT: The copper unit has an activity indicator in the top left of each port. The fiber unit has a group of four indicators, one per port. The indicator flashes when there is activity on a good link.

Testing the Fail-Open Unit

This test ensures that a Fail-Open Unit is correctly connected and working. If the test fails, check the connections, and see Frequently Asked Questions on page 27.

To test the unit:
1 At the front panel, check that the unit is on: the power and the BYPASS OFF indicators glow.
2 At the appliance interface, open the Network Settings page, and under Copper/Fiber Fail-Open 2000:
  - Set Watchdog Polling Rate to 1 second, and Watchdog Time to 10 seconds.
  - Set the line speed. If applicable, select Enable Gigabit, Autonegotiate, and Full Duplex.
3 Click Apply All Changes, and type a comment when prompted.
4 Remove the cable from the C port.
  a After approximately 10 seconds (the Watchdog Time), notice that the BYPASS ON indicator glows.
  b Re-insert the cable.
  c After approximately one second (the Watchdog Polling Rate), notice that the BYPASS OFF indicator glows.
5 Repeat Step 4 for the D port.
6 When the test is finished, set the values at the Network Settings page to suit your network. See Configuring the unit on page 24.

For further testing, see page 24.
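The port paths described under Product features, the heartbeat watchdog described under Detecting appliance failure, and the cable-pull test above can all be checked against a small model. The following Python is an added example written for this guide; it is not McAfee code and not the unit's firmware. It implements only what the guide states: a heartbeat leaves port C every Watchdog Polling Rate seconds and must return on port D; after Watchdog Time seconds with no returned heartbeat the unit links A to B and isolates C and D; on the next returned heartbeat it links A to C and B to D again. The one-second tick, the class and function names, and the cable-pull timings are assumptions of this example, and the scenario input is constructed. The defaults are the test procedure's settings (Watchdog Polling Rate 1 second, Watchdog Time 10 seconds).

```python
"""Discrete-time model of the Fail-Open Unit's heartbeat watchdog.

Added example for this guide, not McAfee code or the unit's firmware. The
one-second tick, the names below and the cable-pull scenario are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Port linkage in each state, as the guide describes it.
ONLINE_PATHS: Dict[str, str] = {"A": "C", "C": "A", "B": "D", "D": "B"}
BYPASS_PATHS: Dict[str, str] = {"A": "B", "B": "A"}      # C and D isolated


@dataclass
class FailOpenUnit:
    polling_rate: int = 1      # Watchdog Polling Rate: seconds between heartbeats
    watchdog_time: int = 10    # Watchdog Time: seconds without a return before bypass
    bypass: bool = False       # False = BYPASS OFF indicator, True = BYPASS ON
    last_returned: int = 0     # tick at which a heartbeat last came back on port D
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Both settings are documented as 1-254 seconds; reject anything else.
        for name in ("polling_rate", "watchdog_time"):
            if not 1 <= getattr(self, name) <= 254:
                raise ValueError(f"{name} must be 1-254 seconds")

    def forward(self, in_port: str) -> Optional[str]:
        """Port that traffic entering in_port leaves from; None if the port is isolated."""
        paths = BYPASS_PATHS if self.bypass else ONLINE_PATHS
        return paths.get(in_port)

    def tick(self, t: int, heartbeat_returned: bool) -> None:
        """Advance one second. heartbeat_returned only matters on ticks where a
        heartbeat is sent, i.e. when t is a multiple of polling_rate."""
        if t % self.polling_rate == 0 and heartbeat_returned:
            self.last_returned = t
            if self.bypass:                       # appliance answered again: BYPASS OFF
                self.bypass = False
                self.transitions.append((t, "online"))
        if not self.bypass and t - self.last_returned >= self.watchdog_time:
            self.bypass = True                    # BYPASS ON: A<->B, appliance isolated
            self.transitions.append((t, "bypass"))


def simulate(unit: FailOpenUnit, duration: int,
             appliance_alive: Callable[[int], bool]) -> List[Tuple[int, str]]:
    """Run duration ticks; appliance_alive(t) says whether the appliance returns
    the heartbeat sent at tick t. Returns the (tick, new_state) transitions."""
    for t in range(duration):
        unit.tick(t, appliance_alive(t))
    return unit.transitions


def cable_pull_test(pull_at: int = 5, reinsert_at: int = 30,
                    polling_rate: int = 1, watchdog_time: int = 10
                    ) -> Tuple[List[Tuple[int, str]], int]:
    """The guide's cable-pull test as a constructed scenario: the port C cable is
    out from pull_at until reinsert_at, so no heartbeat returns in that window.
    Returns the transitions and the number of seconds traffic crossed A<->B
    without passing through the appliance."""
    unit = FailOpenUnit(polling_rate=polling_rate, watchdog_time=watchdog_time)
    # Run long enough to include the first heartbeat sent after reinsertion.
    transitions = simulate(unit, reinsert_at + polling_rate + 1,
                           lambda t: not (pull_at <= t < reinsert_at))
    bypass_on = next(t for t, s in transitions if s == "bypass")
    bypass_off = next(t for t, s in transitions if s == "online")
    return transitions, bypass_off - bypass_on


if __name__ == "__main__":
    transitions, unscanned = cable_pull_test()
    print(transitions, f"{unscanned} s of traffic bypassed the appliance")
```

With the defaults the model goes to bypass 10 seconds after the last returned heartbeat and comes back online on the first heartbeat sent after the cable is reinserted, which is the timing the test expects at steps 4a and 4c. The second return value is the window during which nothing inspected the traffic, which is why Further testing recommends trying the test files while the unit is bypassing: a longer Watchdog Time reduces spurious switching but lengthens that window, and a longer Watchdog Polling Rate delays the return to online by up to one polling interval.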

Further testing

You can run further tests on the unit. During normal operation, the appliance blocks emails or websites that contain viruses. However, while the unit is bypassing the appliance, a virus can enter the network. We recommend that you use test files that can cause a response from the appliance and other anti-virus software in your network. These files are not viruses and therefore are not harmful.

Try these tests on the unit when it is bypassing the appliance and when it is not. When an appliance is bypassed, it cannot detect the test files.
- To test email, use an email message containing a single line, ZQZXJVBVT. The email can be detected by any McAfee scanner.
- To test access to the Internet, visit www.eicar.com, and try to view the anti-virus test file. The file can be detected by any anti-virus scanner. To avoid any misleading results with your web browser, clear the web cache while viewing.

Configuring the unit

Besides the returned heartbeats, the unit also receives configuration information from the appliance. To configure the Fail-Open Unit, use the Network Settings page or Network Setup Wizard page of the appliance.

Adjusting the switching times

The unit switches between directing traffic through the appliance or bypassing the appliance, according to the state of the links or the heartbeat. To prevent spurious switching, you can configure the Fail-Open Unit from the appliance in the following ways:
- Change the Watchdog Polling Rate (the heartbeat rate).
- Change the Watchdog Time.
- Change the line speed and autonegotiation.

Changing settings

The default settings are usually suitable but you can change them at any time from the appliance interface on the Network Settings page under Bypass Device Settings.

Table 3-1 Settings at the appliance

Select bypass switch
  Values: Off / 1000 / 2000
  Default: Off
  Select 2000 for this Fail-Open Unit. This enables the appliance to operate with the Fail-Open Unit. (If you have an earlier design, select 1000.) If you select Off, any values that you have set in the other fields are retained so that you can use them again later.

Watchdog Polling Rate
  Values: 1-254 seconds
  Default: 1 second
  This determines how often the Fail-Open Unit sends a heartbeat packet to the appliance.

Watchdog Time
  Values: 1-254 seconds
  Default: 10 seconds
  If this time
