NG Firewall Installation

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search

Hello and thanks for your interest in NG Firewall!

This guide will be a quick primer on getting your NG Firewall installed, up and running. Hopefully it will also answer some common configuration questions without causing too much confusion. If you already have NG Firewall in your network you can skip to any relevant section and read from there. If you're new to NG Firewall, we recommend reading this section in its entirety to help familiarize yourself with the software and how it works - it will probably save you a headache or two later on.


What is NG Firewall?

NG Firewall is NGFW/UTM software, bringing together everything your network needs to stay healthy on one box: web content and spam filtering, virus scanning, VPN connectivity, multi-WAN failover capability and much more. We strive to make deployment and administration easy, with a friendly web-based GUI to help you monitor and filter traffic on your network. NG Firewall provides a suite of applications free of charge with the option of subscribing to additional applications as best suits your organization - our website has a full list of features. If you have additional questions the wiki and forums are always open, plus support is just a ticket away. Current pricing for paid applications, packages and appliances can be found in the store.

Deploying NG Firewall

NG Firewall is available in the following deployment options:

  • Cloud Appliance: A virtual appliance available for Amazon Web Services or Microsoft Azure. Learn more about the AWS and Azure public cloud appliances here.
  • Virtual Appliance: A virtual appliance optimized for VMware deployments in private cloud infrastructure. You can download the virtual and software appliances from ETM Dashboard. The virtual appliance is available as an OVA formatted file. See NG Firewall Virtual Appliance on VMware for installation details.
  • Hardware Appliance: An Arista Edge Threat Management network appliance with NG Firewall preinstalled. Learn more about the zSeries appliances here.
  • Software Appliance: An installable version of NG Firewall for most x86 based devices. The software appliance is available as an ISO formatted file that you can image to a USB drive. See Creating a bootable USB installer for imaging instructions.

Installing the NG Firewall Software Appliance

The software appliance method installs to the primary storage of a device, erasing all data on that drive in the process. Please be aware of this before starting the installation. Also note that NG Firewall requires at least two NICs to be installed before you start the installation.

Most users install NG Firewall on the server before the server is placed in-line on their network. To do this plug one interface of your NG Firewall into your network as you would any other computer, then start the installer. This ensures that NG Firewall will have access to the internet during installation.

Power down the server, insert the ISO or USB installer, and power on the server. Make sure the boot options are set to boot from the inserted CD or USB media. Once the installation has started, follow the directions on the screen to complete the installation process.

During the installation, you may need to answer a few questions, for example to confirm writing to the storage device. If you encounter issues while installing NG Firewall onto your server, read the Troubleshooting Server Installation.

UEFI Installation

As of release 16.0, NG Firewall can be installed via BIOS or UEFI. When booting via CD or USB, the installer automatically detects whether it was booted via BIOS or UEFI and tweaks the install process accordingly. To tell whether the installer was booted via BIOS or UEFI, check the installer's menu title. When booted via BIOS, the installer menu title will be "NG Firewall installer boot menu". When booted via UEFI, the installer menu title will be "NG Firewall UEFI Installer".

Serial Console Installation

As of version 16.5 you can install and manage NG Firewall via a serial console port. This is useful if your device does not have video output and supports serial management. This method uses a dedicated ISO installer that you must download. Your system must be configured to use S0 as the serial interface and a baud rate of 1115200.


Setup Wizard

The Setup Wizard will open automatically when NG Firewall first boots. If you do not have a keyboard/mouse/video connected to the NG Firewall server, the Setup Wizard can be reached by plugging into a DHCP-configured laptop into the internal interface opening a browser to http://192.168.2.1/.

Once installed, the setup wizard can be repeated at any time and can be found in the NG Firewall GUI at Config > System > Support > Setup Wizard.

Welcome Page

For versions 16.3 and newer the Setup Wizard begins with a welcome page. Choose to either create an ETM Dashboard account or login with an existing account to get started. Your ETM Dashboard account is free and is necessary to activate a trial or complete license on the device. Your account is also linked to ETM Dashboard, enabling you to remotely manage your Arista Edge Threat Management appliances.

By logging in or creating your ETM Dashboard account, the Add Appliance wizard opens automatically and includes the UID of your appliance. The Add Appliance wizard guides you through the remainder of the setup steps for your new NG Firewall appliance. See Adding Appliances to ETM Dashboard for more details.

If your NG Firewall device is not connected to the Internet or requires specific configuration to connect, the wizard allows you to Configure the Internet Connection. If you are unable to connect to the Internet, you can continue with the local setup wizard by following these instructions: Offline Setup Wizard

The next steps include installing the desired apps and possibly tuning the configuration of your NG Firewall.


Common Post-Setup-Wizard Configuration

At this point NG Firewall has the basic configuration that will work for most networks. However, some networks require more configuration.

Account Registration

NG Firewall will prompt you to sign in or register a new account in ETM Dashboard. Registration is required to install any applications and takes only a second.

Registration has the following benefits:

  • Install free or paid applications on your NG Firewall.
  • Manage your licenses, renewals, servers and contact info all from one dashboard.
  • Easily transfer licenses between servers.

If you signed in with an existing account, the system will check for any unused subscriptions in your account and ask if you would like to apply them to this system.

Once you have completed the process, continue with the steps below. Your account can always be accessed by visiting https://edge.arista.com or clicking My Account in the lower left hand corner of the UI.

Install Applications

Installing applications is covered in the User Guide. It is recommended to finish reading this section and get everything working before configuring/tuning the application settings.

Configure Other Subnets

NG Firewall will route all traffic according to its routing table, even in when installed as a Transparent Bridge. This means NG Firewall must have the proper routing table for all subnets on your network.

If you have other subnets on the network aside from those configured in the Setup Wizard you will need to configure NG Firewall to know about these networks. For example, if you are running as a bridge with NG Firewall having an address 192.168.1.2 with a netmask 255.255.255.0 but you also have a 192.168.20.* network and also a 10.0.*.* network you will need to tell NG Firewall where to reach these hosts.

There are several ways to do this:

  • Add a route in Config > Network > Routes telling NG Firewall how to reach those subnets. If 10.0.*.* is local on Internal then you simple need to create a 10.0.0.0/16 route to "Local on Internal." If 10.0.*.* lives behind another router on your network like 192.168.1.100 then you will need to add a route to send all 10.0.0.0/16 traffic to 192.168.1.100.
  • Add an alias on the appropriate interface. In Config > Network > Interface click edit on the appropriate interface and add an alias IP. This effectively tells NG Firewall that this IP range is local and can be reached locally on that interface. It also provides NG Firewall a local address on those subnets should any of those clients need to reach NG Firewall using a local IP.

Each subnet on your network will need to be configured so NG Firewall knows how to reach them. The "Ping Test" in Config > Network > Troubleshooting can be used to verify that NG Firewall can reach the configured subnets.

More in depth information about how the network is configured is found in Network Configuration.

Configure Other Interfaces

In the setup wizard you configured both the Internal and External interfaces. If you have more than 2 interfaces, the 3rd and beyond are Disabled by default.

If you plan to use them, they must be configured and it is suggested to choose a name reflecting its use.

Common uses include:

Additional WAN interfaces (if you have multiple internet connections) for failover/balancing
To do this just configure it as a WAN interface with the ISP's provided values. Read more about WAN Failover and WAN Balancer for more information about failover/balancing.
Other internal networks
To do this just configure it as a non-WAN interface with a static internal IP. For example if you used 192.168.1.1/24 on your internal, you could use 192.168.2.1/24 on your 3rd interface. This is useful on larger networks, for guest networks, for wireless networks etc.
Public segment for public servers (DMZ)
If you have servers with public address you can stick them on the additional interface(s) and bridge those interfaces to your WAN. Then configure them with IPs on the same subnet as the WAN interface.
Additional NICs for existing networks
If you want additional NICs for you Internal (for example) you can bridge the 3rd interface to your Internal and plug in additional internal machines to that NIC. This behaves similar to a switch, but traffic going through the NG Firewall to reach other internal hosts is scanned by the apps.
Configuring a WiFi interface
If your hardware platform includes a supported WiFi adapter, you can configure your WiFi interface. Be sure to select the appropriate Regulatory Country option for your country.

More in depth information about how the network is configured is found in Network Configuration.

Email

Some NG Firewall applications and functions rely on sending email like reports and spam quarantine digests. Email sending is configured in Config > Email. By default email will be sent directly using DNS MX records like a mail server. However, some ISPs and networks block port 25 to prevent spam and in this case you must configure a SMTP relay (and the appropriate authorization credentials if required).

Hostname

You can configure the hostname (and domain) for the NG Firewall server in Config > Network > Hostname.

Port Forward Rules

If NG Firewall is installed as a router and have internal servers with services that need to be publicly accessible you need to configure port forward rules to forward that traffic to the appropriate server. You can configure port forward rules in Config > Network > Port Forward Rules.

Bypass Rules

Unlike many next-generation firewalls, NG Firewall scans All TCP and UDP traffic on all ports at the application layer by default, except for VoIP traffic. This is ideal for most deployments but if you are running a very large (1000s of users) network it probably makes sense to bypass traffic that you are not interested in scanning. Traffic can be bypassed in Config > Network > Bypass Rules. More is described in the Network documentation.

Public Address

If you use OpenVPN or quarantine or other publicly accessible services on NG Firewall, you may wish to configure the "public address" of NG Firewall so that it sends the appropriate URL to remote users. Public Address can be configured in Config > Administration > Public Address.

External Administration

If you'd like to be able to administer NG Firewall via HTTPS remotely you will need to enable HTTPS access on WAN interfaces in the Filter Rules#Input Filter Rules.

Installing NG Firewall on the Network

At this point NG Firewall should be ready to drop into the network if it is not already in place.

If NG Firewall is configured in bridge mode an easy way to test is to install it with only one or a few computers behind it - plug the External interface into your network then plug a switch with a few computers into the Internal interface so they must go through NG Firewall. Only those computers will be filtered, allowing you to test without disturbing there rest of your network.

If you are running as a Transparent Bridge verify that NG Firewall is not plugged in backwards by unplugging the network cables one at a time and looking at the green lights in Config > Network > Interfaces. If NG Firewall is configured as a bridge and plugged in backwards it will pass traffic but some functionality will not work correctly. NG Firewall also provides Administrative Alerts which will bring this to your attention so you can fix it.

  • NG Firewall is designed to drop in to your network with minimum disruption. When testing we recommend putting the system in place, keeping most defaults unless you're having problems. This way you can get a feel for how it works before making possibly major changes that may affect system operation.

Using NG Firewall

The next step is installing the applications and configuring NG Firewall to meet your needs. The User Guide provides in depth documentation of the various functions of NG Firewall and the applications.

Welcome to NG Firewall! ʘ‿ʘ