
IBM Proventia Network Multi-Function Security (MFS)
Administrator Guide
Firmware Version 4.3

Copyright statement
Copyright IBM Corporation 2003, 2009.
All Rights Reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Publication Date: February 2009
Trademarks and disclaimer
IBM and the IBM logo are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both.
ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure,
SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force
and X-Press Update are trademarks or registered trademarks of Internet Security
Systems, Inc. in the United States, other countries, or both. Internet Security
Systems, Inc. is a wholly-owned subsidiary of International Business Machines
Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in
the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of
others.
References in this publication to IBM products or services do not imply that IBM
intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without
notice, and may have been altered or changed if you have received it from a
source other than IBM Internet Security Systems (IBM ISS). Use of this information
constitutes acceptance for use in an AS IS condition, without warranties of any
kind, and any use of this information is at the user's own risk. IBM Internet
Security Systems disclaims all warranties, either expressed or implied, including
the warranties of merchantability and fitness for a particular purpose. In no event
shall IBM ISS be liable for any damages whatsoever, including direct, indirect,
incidental, consequential or special damages, arising from the use or dissemination
hereof, even if IBM Internet Security Systems has been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by IBM Internet Security
Systems. The views and opinions of authors expressed herein do not necessarily
state or reflect those of IBM Internet Security Systems, and shall not be used for
advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release,
but the ever-changing nature of the Internet prevents IBM Internet Security
Systems, Inc. from guaranteeing the content or existence of the resource. When
possible, the reference contains alternate sites or keywords that could be used to
acquire the information by other methods. If you find a broken or inappropriate
link, please send an e-mail with the topic name, link, and its behavior to
mailto://support@iss.net.
Contents
Trademarks and disclaimer
Preface
Related publications
Technical support contacts
Chapter 1. Updates and Licenses
Updates and licensing
Using update tools
Automatic update settings
Opening the Automatic Update Settings page
Configuring update settings
Configuring license and update servers
Scheduling installations
Configuring event notification for automatic updates
Alternate update server
Copying required certificates manually
Manual Upgrader utility
Installing the manual upgrader
Running the manual upgrader
Copying updates to the XPU server
Proxy server
Opening the Service Configuration page
Configuring HTTP proxy
Chapter 2. Maintenance
Using system tools
Backup and recovery
Managing backup settings
Creating a system backup
Restoring from backup
Editing settings files offline
Generating system support files
Chapter 3. Firmware Installation
Requirements for installing firmware
Installing firmware (appliance with CD drive)
Installing firmware (appliance with no CD drive)
Chapter 4. System Diagnostics
About System Diagnostics
Requirements for running diagnostics
Diagnostic procedures
Running diagnostics on an M50
Running diagnostics (not M50)
Copying results files
Appendix. Safety, environmental, and electronic emissions notices
Index
Preface
This preface describes the audience for this guide; identifies related publications;
and provides contact information.
Audience
Users of this guide should have a fundamental knowledge of network security
policies and IP networks.
Topics
- Related publications
- Technical support contacts
Related publications
Use this topic to help you access information about your Proventia Network MFS appliance.
Publications
The following documents are available for downloading from the IBM Internet
Security Systems Web site at http://www.iss.net/support/documentation:
- IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide
- IBM Proventia Network Multi-Function Security (MFS) Administrator Guide
- IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: Routing Mode with DMZ
- IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: Routing Mode with No DMZ
- IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: Transparent Mode
- IBM Proventia Network Multi-Function Security (MFS) Deployment Guide: SSLVPN
- Configuring L2TP/IPsec VPN Connections from Proventia Network MFS to Windows XP and Vista Systems
- Configuring VPN from Proventia Network MFS to Check Point Systems
- Configuring VPN from Proventia Network MFS to Cisco PIX 515E
- Configuring VPN from Proventia Network MFS to NetScreen Systems
- Configuring VPN from Proventia Network MFS to Proventia Network MFS
- Configuring VPN from Proventia Network MFS to SoftRemote Systems
- Configuring VPN from Proventia Network MFS to Symantec Systems
- Configuring VPN from Proventia Network MFS to Windows XP Systems
- VPNC Interoperability Testing
Getting Started cards are also available on the IBM Internet Security Systems Web
site.
The online Help contains all major tasks needed to configure, monitor, and
maintain the Proventia Network MFS appliance.
The Readme file can be downloaded at http://www.iss.net/download/.
License agreement
For licensing information on IBM Internet Security Systems products, download
the IBM Licensing Agreement from:
http://www-935.ibm.com/services/us/iss/html/contracts_landing.html.
Feedback
Your feedback is important to IBM Internet Security Systems (IBM ISS). Please
send comments and suggestions to document@iss.net.
Technical support contacts
IBM Internet Security Systems (ISS) provides technical support through its Web site
and by e-mail or telephone.
The IBM ISS Web site
The IBM Internet Security Customer Support Web page
(http://www.ibm.com/services/us/iss/support/) provides direct access to online
user documentation, current versions listings, detailed product literature, white
papers, and the Technical Support Knowledgebase.
Hours of support
The following table provides hours for Technical Support at the Americas and
other locations:
- Americas: 24 hours a day
- All other locations: Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding IBM ISS published holidays
  Note: If your local support office is located outside the Americas, you may call or send an e-mail to the Americas office for help during off-hours.
Contact information
For contact information, go to the IBM Internet Security Systems Contact Technical
Support Web page at http://www.ibm.com/services/us/iss/support/contacts.html.
Chapter 1. Updates and Licenses
This chapter discusses different ways you can keep your security modules and
licenses up to date.
Topics
- Updates and licensing
- Automatic update settings
- Alternate update server
- Manual Upgrader utility
- Proxy server
Updates and licensing
Use the Updates and Licensing page on your Proventia Network MFS appliance to
keep your protection level up to date, view the status of your licenses, and enable
security modules.
Tips:
- Although this page allows you to manually apply security content updates, it is better to schedule those to happen automatically at Configuration > System > Update Settings. This assures that your system has the most recent and comprehensive protection levels.
- You typically would use this page to manually apply firmware upgrades, since those upgrades reboot your appliance and could cause unexpected network outages if done automatically.
- If a module is shown as unlicensed and you think it should be licensed, find your model number and serial number, and contact IBM ISS Technical Support.
Note: When you first open this page, the status information could be out of date.
To assure the latest status information, click Check for updates in the Update Tools
box.
To expand a collapsed module, click on its Expand icon. To expand all of the
modules at once, click on Expand all modules in the Update Tools box.
If you expand a module you can do the following:
- Enable and disable security modules and protections
- See if updates are available
- Update to more recent versions
- Read usage license restrictions and expiration dates
- Read maintenance license expiration dates
Using update tools
Use the Update Tools on the Updates and Licensing page on your Proventia
Network MFS appliance to look for updates, download updates from your local
server, and to view update history.
Procedure
1. To navigate to the Updates and Licensing page, click Maintenance > Updates and Licensing in the navigation pane.
2. Use any of the following tools in the Update Tools box:
   - Check for updates: Causes the system to look for updates on the update server. This step could take a few minutes. The system responds with a message when its search is done.
   - Upload update file: Opens a browse dialog box that lets you open an update file that was saved to a local server
   - Show update history: Opens a history page
   - Expand all modules: Shows the full detail for each license module
Automatic update settings
Use the Automatic Update Settings page to define how your Proventia Network
MFS appliance locates, downloads, and installs updates.
There are three kinds of updates, and your Proventia Network MFS appliance lets
you manage each separately:
Security updates
    Contain virus definitions and intrusion prevention updates, as well as other updates from the IBM ISS X-Force.
Web filter and antispam database updates
    Contain newly acquired classification information that ISS gathers about Web sites. The appliance uses the information in the database to enforce Web filters and identify spam e-mail.
Firmware updates
    Contain changes to the appliance's operating software:
    - Feature updates are minor releases at the decimal release version. For example, upgrading from 3.7 to 3.8 is a feature update.
    - Product updates are major releases at the integer release version. For example, upgrading from 3.8 to 4.1 is a product update.
Opening the Automatic Update Settings page
You can access the Automatic Update Settings page from your Proventia Network
MFS appliance Proventia Manager (the local management interface) or from your
SiteProtector Console.
Opening from Proventia Manager
Procedure
Click Configuration > System > Update Settings in the navigation pane.
Opening from SiteProtector
Procedure
1. Select Policy from the View list.
2. In the left pane, select Network Multi-Function Security from the Agent Type
list.
3. Select the appropriate repository.
4. In the right pane, select Automatic Settings.
5. From the menu bar, select Action > Open.
Configuring update settings
Use the Update Settings tab on the Automatic Update Settings page to enable and
schedule automatic updates on your Proventia Network MFS appliance.
Procedure
1. On the Automatic Update Settings page click the Update Settings tab.
2. Select when the appliance should automatically check for updates:
   - Check for updates daily or weekly: Specifies the day of week and time of day
   - Check for updates at given intervals: Specifies an interval (in minutes)
3. Select any of the following security updates options:
   - Automatically Download: Enables the appliance to download any applicable updates it finds
   - Automatically Install: Enables the appliance to automatically install any downloaded updates
4. Select the Automatically update Web filter and antispam databases check box if you want to enable that feature.
5. Select any of the following firmware updates options:
   - Ignore Feature Upgrades: Disables the appliance from automatically downloading feature upgrades
   - Ignore Any Product Upgrades or Feature Upgrades Later Than a Specified Version: Allows you to freeze the upgrades at a specified version level (by ignoring any upgrades that come after that version)
   - Automatically Download: Enables the appliance to automatically download firmware upgrades (but restricted by the two previous check boxes)
6. Select the Perform Full System Backup Before Installation check box if you want to enable that feature.
7. Click one of the following options:
   - Do Not Install: Requires you to do all installations manually. This option gives you the most control over how an installation impacts your operation.
   - Automatically Install Updates: Updates are installed automatically based on the When To Install choice you click:
     - Delayed: Designates the day of week and time of day the installations occur
     - Immediate: Starts the installation as soon as the update is downloaded. This option gives you the least control and predictability of when an installation occurs.
     Attention: Installing an update can take the system offline while the installation is in progress.
   - Schedule One-Time Install: Specifies a specific date and time for the installation
     Attention: Installing an update can take the system offline while the installation is in progress.
Configuring license and update servers
Use the License and Update Servers tab to define what servers you use for
securing updates and licenses on your Proventia Network MFS appliance.
Procedure
1. On the Automatic Update Settings page click the License and Update Servers tab.
2. Click the Add icon.
3. Specify the following:
   - Enabled: Activates that server
   - Name: Plain language description of the server
   - Host or IP: The server DNS name or IP address
   - Port: The port the server listens to for download requests
     - For SiteProtector X-Press Update Servers, the default port is 3994.
     - For the ISS Download Center (www.iss.net) the port is 443.
   - Trust Level:
     - trust all: This product trusts the server. No certificates are used for authentication.
     - first-time-trust: This product trusts the server once and uses the server's certificate for all future authentication.
     - explicit-trust: This product will use the local certificate to authenticate the server.
4. Select whether to use the default proxy settings (from the Services Configuration page) or to specify new proxy settings for this server.
   Note: If you choose to specify new proxy settings, you must identify the proxy host and port. If you enable authentication for that server, you must also provide a user name and password.
Scheduling installations
Use the Scheduled Installations tab on the Automatic Update Settings page in your
Proventia Network MFS appliance to schedule upgrade and license installations.
Procedure
1. On the Automatic Update Settings page click the Scheduled Installations tab.
2. Click the Add icon.
3. Specify the following:
   - Type: Identifies what type of update is being scheduled
   - Time: Specifies the time and date the update should be installed
   - Perform Full System Backup Before Installation: Specifies if you want to do a full system backup first
   - Version: System version that the update applies to
   - Update: Identifies the specific update
   - Comment: Lets you annotate the scheduled update for your purposes
4. Click OK.
Configuring event notification for automatic updates
Use the Event Notification tab on the Automatic Update Settings page on your
Proventia Network MFS appliance to configure the appliance to notify you about
updates.
Before you begin
Tips
- It is easier to set up e-mail notifications for updates if you have configured e-mail already in Configuration > System > Notification. However, the user interface allows you to configure e-mail as you configure the update notifications.
- It is easier to set up SNMP traps for update events if you have configured SNMP already in Configuration > System > Services. However, the user interface allows you to configure SNMP traps as you configure the update notifications.
Procedure
1. On the Automatic Update Settings page click the Event Notification tab.
2. Select any of the following check boxes:
   - Alert Logging for Available Updates
   - Alert Logging for Update Installation
   - Alert Logging for Update Errors
3. For each of the event types selected above, select any of the following:
   - e-mail Enabled: Sends notification by e-mail
     Note: This selection requires you to select a recipient from the e-mail Name list.
   - SNMP Trap Enabled: Sends SNMP (Simple Network Management Protocol) traps to a consolidated SNMP server
   - SiteProtector Enabled: Sends alerts to the SiteProtector Appliance Manager
     Important: You must register your SiteProtector Console with an Agent Manager in Configuration > System > SiteProtector if you want the appliance to deliver alerts by SiteProtector.
Alternate update server
Use an alternate update server when you do not want the appliance to contact IBM
ISS and download updates over the Internet. Instead of contacting IBM ISS for the
updates, the appliance contacts the update server. The update server's function is
to retrieve and store appliance updates and provide them to the appliance when
requested.
Note: The appliance does not have to be registered in SiteProtector to get updates
from an alternate update server.
Note: This topic assumes that you have installed and configured the update server.
You need the following information about the update server:
- host name or IP address
- port: the port to which the update server is listening for download requests:
  - For the IBM ISS Download Center (http://www.iss.net), the default port is 443.
  - For the SiteProtector X-Press Update Server, the default port is 3994.
- authentication level between the appliance and the update server:
  - trust-all (the appliance always trusts connections with the SiteProtector update server without the server's digital certificate)
  - explicit-trust (the appliance verifies the server's identity with the server's digital certificate)
Copying required certificates manually
If you want to use the explicit-trust authentication level, then you must manually
copy the required certificate to the appliance.
Procedure
1. Locate the following certificate file on the update server:
   server-rsa.crt
   Note: The file is stored in the following default location on the SiteProtector 2.0 SP5 update server:
   Program Files\ISS\RealSecure SiteProtector\X-Press Update Server\webserver\Apache2\conf\ssl.crt\
   Note: The file is stored in the following default location on the SiteProtector 2.0 SP6 update server:
   Program Files\ISS\SiteProtector\Application Server\webserver\Apache2\conf\ssl.crt\
2. Use an SCP (Secure Copy) client such as WinSCP to copy the server-rsa.crt certificate file to the following directory on the appliance:
   /etc
   Note: WinSCP is a third-party tool not supported by IBM ISS. For information about how to run the utility, see the product documentation for the utility.
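The trust levels listed under Configuring license and update servers and Alternate update server, and the locally installed certificate that explicit-trust depends on, modelled as an added Python example (not IBM ISS code and not a description of how the appliance is implemented). The class and function names are hypothetical, the byte strings are constructed stand-ins for certificates, and rejecting the connection when no certificate has been installed is an assumption of the model.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_CERT = b"constructed-cert:update-server"
OTHER_CERT = b"constructed-cert:some-other-host"


def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint used to compare certificates."""
    return hashlib.sha256(cert).hexdigest()


@dataclass
class TrustPolicy:
    """Simplified model of one update-server entry (hypothetical class)."""
    level: str                              # "trust-all", "first-time-trust" or "explicit-trust"
    installed_cert: Optional[bytes] = None  # explicit-trust: certificate copied to the appliance beforehand
    pinned: Optional[str] = None            # first-time-trust: fingerprint remembered from first contact

    def accept(self, presented: bytes) -> bool:
        seen = fingerprint(presented)
        if self.level == "trust-all":
            # No certificate check at all: any server is accepted.
            return True
        if self.level == "first-time-trust":
            if self.pinned is None:
                self.pinned = seen          # whoever answers first becomes the reference
                return True
            return hmac.compare_digest(self.pinned, seen)
        if self.level == "explicit-trust":
            if self.installed_cert is None:
                return False                # assumption: nothing installed means reject
            return hmac.compare_digest(fingerprint(self.installed_cert), seen)
        raise ValueError(f"unknown trust level: {self.level}")


def connection_results(policy: TrustPolicy, presented_certs):
    """Accept/reject decision for each connection, in order."""
    return [policy.accept(cert) for cert in presented_certs]


def compare_levels():
    # Three connections: the genuine server, a different certificate, the genuine server again.
    normal = [GENUINE_CERT, OTHER_CERT, GENUINE_CERT]
    # The same two certificates, but the different one is seen first.
    wrong_first = [OTHER_CERT, GENUINE_CERT]
    return {
        "trust-all": connection_results(TrustPolicy("trust-all"), normal),
        "first-time-trust": connection_results(TrustPolicy("first-time-trust"), normal),
        "first-time-trust, wrong cert first": connection_results(
            TrustPolicy("first-time-trust"), wrong_first),
        "explicit-trust": connection_results(
            TrustPolicy("explicit-trust", installed_cert=GENUINE_CERT), normal),
        "explicit-trust, no cert installed": connection_results(
            TrustPolicy("explicit-trust"), normal),
    }


if __name__ == "__main__":
    for name, results in compare_levels().items():
        print(f"{name:38} {results}")
```

In this model only explicit-trust gives the same answer regardless of which server is seen first, which is why it needs the certificate in place before the first connection.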
Manual Upgrader utility
The Manual Upgrader utility retrieves update files from the Download Center. This
topic explains how to use the Manual Upgrader to download update files to the
XPU server.
When to use the manual upgrader utility
Upgrade your appliance manually in the following situations:
v Your appliance is configured to get updates from SiteProtector, but the
SiteProtector X-Press Update Server does not have Internet access.
v Your appliance is configured to get updates from a stand-alone update server,
but the server does not have Internet access.
Installing updates with the Manual Upgrader utility
To install updates with the Manual Upgrader utility, you must do the following:
Task: Description
1. Configure the alternate update server. (See Configuring license and update servers on page 5.)
2. Install the Manual Upgrader utility. (See Installing the manual upgrader on page 10.)
3. Run the Manual Upgrader utility. (See Running the manual upgrader on page 10.)
4. Copy updates to the XPU server. (See Copying updates to the XPU server on page 11.)
5. Install the updates.
   Note: Depending on how you have configured Proventia Manager, the updates are either installed automatically once they are available or you can install them manually.
Installing the manual upgrader
Follow these steps to install the Manual Upgrader utility.
Procedure
1. Obtain the Manual Upgrader installation file from the IBM ISS Download
Center. The file is located in the SiteProtector area under the Other tab.
2. Copy the file to a computer that has Internet access.
3. Extract the downloaded zip file to a convenient directory.
Note: If you enable the Use Folder Names option when you extract the zip file,
then the program extracts the files to a directory called ManualUpgrader.
Running the manual upgrader
Follow these steps to download updates using the manual upgrader utility.
Procedure
1. On the computer where you installed the Manual Upgrader, navigate to the
folder containing the program.
2. Double-click ManualUpgrader.exe.
3. Browse to a valid license file, and then select the file.
4. Read the End User License Agreement, and then click I Accept.
Note: If the Export Agreement appears, read the agreement, and then click I
Accept.
5. Click Yes on the Manual Upgrader dialog to download a new catalog of
available updates from the Web.
6. If you are prompted to download a Manual Upgrader update, click Yes.
The update is downloaded, and then you are prompted to download the most
recent catalog files.
7. Click Yes.
8. If an export agreement appears, accept it.
The newest catalog files are downloaded and all IBM ISS product lines appear
in the top pane and all available operating systems appear in the bottom
pane.
9. Select Catalog > Latest Network Multi-Function Catalog to select only MFS
content.
10. Select the IBM ISS product lines and the operating systems for which you
want to download updates.
Note: You can select multiple product lines and operating systems if needed.
11. You can control how recent the updates are by selecting the Only Get Files
Posted Within This Many Days check box and specifying the number of days
for which you want to get updates.
12. Click Get Selected Updates.
Copying updates to the XPU server
You can use either the integrated XPU Server that is installed on the same
computer as the Application Server or an XPU Server that is installed on a separate
computer.
Before you begin
If you did not download the required files to the computer where the XPU Server
is installed, then you must transfer the files to that computer before you can apply
the updates. You must copy the required files to specific directories on the
computer where the XPU Server is installed. If these directories do not exist, then
you must create them before you can apply the updates.
Important: When you create the directories, you must spell and capitalize the
directory names exactly as described in this topic.
Procedure
- If you are creating the directories on the integrated XPU Server and this server is installed on the same computer as the Application Server, create the directory:
  \Program Files\ISS\SiteProtector\Application Server\webserver\Apache2\htdocs\XPU\Proventia\M-Series
- If you are creating the directories on a remote XPU Server that is not installed on the same computer as the Application Server, then you must create the directories in the following directory path on the computer where the remote XPU Server is installed:
  \Program Files\ISS\SiteProtector\X-Press Update Server\webserver\Apache2\htdocs\XPU\
Proxy server
If the appliance must go through a Web proxy server to retrieve updates from IBM
ISS, then you must enable the Web (HTTP) proxy service.
You access the HTTP Proxy tab from the Service Configuration page.
Opening the Service Configuration page
You can access the Service Configuration page from your Proventia Network MFS
appliance Proventia Manager (the local management interface) or from your
SiteProtector Console.
Opening from Proventia Manager
Procedure
Click Configuration > System > Services in the navigation pane.
Opening from SiteProtector
Procedure
1. Select Policy from the View list.
2. In the left pane, select Network Multi-Function Security from the Agent Type
list.
3. Select the appropriate repository.
4. In the right pane, select Services.
5. From the menu bar, select Action > Open.
Configuring HTTP proxy
Use the HTTP Proxy tab on the Service Configuration page of your Proventia
Network MFS appliance to enable and configure a proxy server you will use for
downloading updates.
Procedure
1. On the Service Configuration page, click the HTTP Proxy tab.
2. Configure the following settings:
   - Enable HTTP Proxy: Enables the HTTP proxy server
     Important: The HTTP proxy server is a different process than the HTTP advanced firewall ALG. However, for the appliance to correctly route HTTP proxy traffic, make sure that you enable the relevant Advanced Firewall ALG policies in Configuration Firewall/VPN Advanced Firewall ALG Policy if you enable the HTTP Proxy option here.
   - Address: Specifies the IP address of the proxy server
   - Port: Specifies the port number for the proxy server
   - Enable Authentication: Requires authentication
     Note: If you enable authentication you must also specify a user ID and password.
Chapter 2. Maintenance
This chapter describes the maintenance activities you can perform on your
Proventia Network MFS appliance.
Topics
- Using system tools
- Backup and recovery
- Generating system support files
Using system tools
Use the System Tools page on your Proventia Network MFS appliance to perform
basic system maintenance and diagnostic functions.
Procedure
1. To open the System Tools page, click Maintenance > Tools in the navigation pane.
2. Use any of the following tools:
   - System: Click Reboot or Shutdown.
   - Ping: Type the IP address of the computer you want to test and click Submit.
   - Traceroute:
     1. Type the IP address you want to trace.
     2. Select a protocol in the Protocol area.
     3. Click Submit.
   - Network Connection: Reconnect to a PPPoE connection or renew a DHCP lease for selected network connections.
   - High Availability: Force a failover to the secondary appliance or initialize a replacement node (restore the secondary).
   - Send Gratuitous ARPs: The Address Resolution Protocol (ARP) is the standard method for finding a host's hardware address when only its network layer address is known. A Gratuitous ARP is a packet (usually an ARP Request) containing a valid SHA (Sender Hardware Address) and SPA (Sender Protocol Address) for the host which sent it, with TPA (Target Protocol Address) equal to SPA. Such a request is not intended to solicit a reply, but merely updates the ARP caches of other hosts which receive the packet.
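An added example (not part of the IBM guide or the appliance's code) that parses Ethernet/IPv4 ARP bodies, recognizes a gratuitous ARP by the SPA = TPA test described above, and reports which IP-to-MAC bindings a receiving host's cache would gain or change. The packets, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

# Ethernet/IPv4 ARP body (RFC 826): htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA.
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LENGTH = struct.calcsize(ARP_FORMAT)  # 28 bytes
ARP_REQUEST = 1


def build_arp(oper, sha, spa, tha, tpa):
    """Pack an ARP body from text addresses (used only to construct the sample input)."""
    return struct.pack(
        ARP_FORMAT, 1, 0x0800, 6, 4, oper,
        bytes.fromhex(sha.replace(":", "")), ipaddress.IPv4Address(spa).packed,
        bytes.fromhex(tha.replace(":", "")), ipaddress.IPv4Address(tpa).packed,
    )


def parse_arp(body):
    """Decode an ARP body into a dict; reject truncated or non-Ethernet/IPv4 input."""
    if len(body) < ARP_LENGTH:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FORMAT, body[:ARP_LENGTH])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {
        "oper": oper,
        "sha": sha.hex(":"),
        "spa": str(ipaddress.IPv4Address(spa)),
        "tha": tha.hex(":"),
        "tpa": str(ipaddress.IPv4Address(tpa)),
    }


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender itself: TPA equals SPA."""
    return arp["spa"] == arp["tpa"]


def review(bodies, known_bindings):
    """Return (kind, ip, old_mac, new_mac) for each gratuitous ARP that adds or changes a binding."""
    table = dict(known_bindings)
    findings = []
    for body in bodies:
        arp = parse_arp(body)
        if not is_gratuitous(arp):
            continue                      # ordinary resolution traffic
        ip, hw = arp["spa"], arp["sha"]
        previous = table.get(ip)
        if previous is None:
            findings.append(("new", ip, None, hw))
        elif previous != hw:
            findings.append(("changed", ip, previous, hw))
        table[ip] = hw                    # what a receiving host's ARP cache would now hold
    return findings


# Constructed sample: documentation addresses (192.0.2.0/24, 00:00:5e:00:53:xx).
ZERO = "00:00:00:00:00:00"
KNOWN_BINDINGS = {"192.0.2.10": "00:00:5e:00:53:01"}
SAMPLE_PACKETS = [
    build_arp(ARP_REQUEST, "00:00:5e:00:53:20", "192.0.2.20", ZERO, "192.0.2.1"),   # normal request
    build_arp(ARP_REQUEST, "00:00:5e:00:53:01", "192.0.2.10", ZERO, "192.0.2.10"),  # refresh, same MAC
    build_arp(ARP_REQUEST, "00:00:5e:00:53:02", "192.0.2.10", ZERO, "192.0.2.10"),  # same IP, new MAC
    build_arp(ARP_REQUEST, "00:00:5e:00:53:30", "192.0.2.30", ZERO, "192.0.2.30"),  # unseen IP
]

if __name__ == "__main__":
    for finding in review(SAMPLE_PACKETS, KNOWN_BINDINGS):
        print(finding)
```

A "changed" finding is what a forced High Availability failover would be expected to produce for the shared address; the same finding at any other time is worth checking against the change log.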
Backup and recovery
Use the Backup and Recovery page in your Proventia Network MFS appliance to
manage snapshots of system settings and to make and restore complete system
backups.
Definitions
Settings snapshot
A settings snapshot is a file that stores all of your appliance configuration
settings. You can have many settings snapshots of different configurations.
Settings snapshots can be edited offline using the Offline Settings Editor.
System backup
A system backup stores a complete image of the operating system and
current configuration settings of the appliance. You can have only one
system backup file. When you restore from a system backup, you restore
the appliance to a previous state.
Tips
- Use a settings snapshot file to restore the appliance settings to a known good configuration.
- Use a settings snapshot file to quickly change to an alternate configuration.
- It is not a good practice to apply the snapshot file to other appliances because a settings snapshot includes appliance-specific network configuration information. (If you want to save or propagate group-level policy configuration, use the central management capabilities of your SiteProtector Console.)
- Create a system backup of a known good configuration and download snapshot files to a local computer before you apply a firmware update.
- Save a settings snapshot to store a known good configuration before you reconfigure the appliance.
- Save a settings snapshot to store a known good configuration before you restore the appliance after a hardware failure using Recovery CDs and firmware packages.
- You can use a USB drive (also called a thumb drive) to install a settings snapshot.
Managing backup settings
Use the Settings Backup tab on the Backup and Recovery page to add, delete, and
download backup settings files (settings snapshots) on your Proventia Network
MFS appliance.
Procedure
1. In the navigation pane, click Maintenance > Backup and Recovery, and then
click the Settings Backup tab.
2. To create a new settings snapshot file of the current settings, click the Add
icon, specify a name for the file, and then click Create. The system creates
a backup file using the current settings and displays the file name in the
Settings Backup list.
3. To upload an existing settings snapshot file that is not displayed in the Settings
Backup list, click the Add icon, browse for the file you want to
upload, and then click Upload. The system adds that settings snapshot file to
the Settings Backup list.
4. To apply an existing settings snapshot to the appliance, select a settings
snapshot and click the Apply icon. The system applies the contents
of that settings snapshot to your appliance. You can restore the factory default
settings by selecting the factoryDefault.settings file.
Note: Use this feature only with careful forethought. It overwrites all your
existing configuration settings.
5. To manage existing settings snapshot files displayed in the Settings Backup list,
use the following controls:
Option | Description
(icon) | Removes all settings snapshot files from the Settings Backup list.
    Note: The system asks you to verify the deletion before actually removing the files.
(icon) | Removes the selected settings snapshot file from the Settings Backup list.
    Note: The system asks you to verify the deletion before actually removing the file.
(icon) | Saves the selected settings snapshot file to a location of your choosing.
    Note: The system prompts you for where to save the downloaded file.
Creating a system backup
Use the Full Backup tab on the Backup and Recovery page on your Proventia
Network MFS appliance to create a complete image of the operating system and
current configuration settings.
Procedure
1. In the navigation pane, click Maintenance > Backup and Recovery, and then
click the Full Backup tab.
2. Click CREATE SYSTEM BACKUP. The system creates a full system backup.
Important: The IP address for the appliance is unavailable during the backup
process, and you cannot access the Proventia Manager in the browser window.
Restoring from backup
Use the Full Backup tab on the Backup and Recovery page on your Proventia
Network MFS appliance to restore the operating system and configuration settings
to the last saved backup.
Before you begin
Important: If you restore from backup before you create a system backup, the
appliance reverts to default settings and you must reconfigure the appliance using
the Proventia Setup utility before you can access the Proventia Manager.
Procedure
1. In the navigation pane, click Maintenance > Backup and Recovery, and then
click the Full Backup tab.
2. Click RESTORE FROM BACKUP. A message prompts you to continue the
backup.
3. Click OK. The system restores the backup.
Important: The IP address for the appliance is unavailable during the restore
process, and you cannot access the Proventia Manager in the browser window.
4. Close all Web browser windows.
5. Clear your Java cache.
Results
Note: If you enabled Alert Logging for System Informative Events and specified
an e-mail address, you will receive an e-mail notification once the appliance is back
on line. If you have not enabled this notification setting, wait at least 5 minutes
before you attempt to log back into the Proventia Manager.
Editing settings files offline
Use the Offline Settings Editor for your Proventia Network MFS appliance to edit a
settings file without being on a specific appliance. You can then upload the revised
settings file to an appliance of the same model.
Editing the settings
Follow this procedure to edit your settings file offline.
Before you begin
Note: You must download a settings backup file before you can edit it offline.
Procedure
1. On the Settings Backup tab of the Backup and Recovery page, click Offline
Settings Editor on the bottom of the page.
2. Open the OfflineSettingsEditor.zip file.
3. Extract all the contents of the zip file to any convenient directory.
4. Navigate to the directory in which you extracted the files.
5. Double click OfflineSettingsEditor.bat. There could be a delay while the
Proventia Offline Settings Editor opens.
6. Click File > Open on the menu.
7. In the navigation pane, click the policy you want to edit. As you edit a policy,
an asterisk appears next to its name in the navigation pane.
8. Click File > Save on the menu when you are done.
Adding the settings file to an appliance
Follow this procedure to upload the edited settings file to your Proventia Network
MFS appliance.
Procedure
1. On the Settings Backup tab of the Backup and Recovery page, click the Add
icon.
2. Click Browse in the Upload settings snapshot file field and select the file.
3. Click Upload.
Generating system support files
Use the System Support File page in your Proventia Network MFS appliance to
generate a support file and download it from the Proventia Network MFS
appliance.
About this task
Sometimes IBM ISS customer support must see a recent system support file to help
troubleshoot problems. The following steps explain how to generate the requested
file.
Procedure
1. Click Support > System Support File in the navigation pane.
2. Click Generate Support Data File. The system generates the file and the file
information appears in the table.
Note: It could take a few minutes for the system to generate the file.
3. Click the file's selection button, and then click the Download
button. The system prompts you for a location in which to save the zipped file.
What to do next
You can then attach the downloaded zipped file to an e-mail and send it to
customer support.
Chapter 3. Firmware Installation
This chapter explains how to install the firmware.
Topics
Requirements for installing firmware
Installing firmware (appliance with CD drive)
Installing firmware (appliance with no CD drive)
Requirements for installing firmware
This topic discusses the prerequisites and requirements for installing firmware on
your Proventia Network MFS appliance.
Considerations
Reinstalling the firmware takes the Proventia Network MFS off line and overwrites
your custom policies with the original factory defaults.
The recovery CD includes the Filter Database that came with your Proventia
Network MFS. This database is quickly out of date because database updates are
released often. IBM Internet Security Systems (ISS) recommends that you reinstall
only the firmware and then, after the Proventia Network MFS is deployed, use
the Get Filter Database option in Proventia Manager to download the latest
database directly from the IBM ISS Web site.
Prerequisites
v Computer (see Computer Requirements) or keyboard and monitor
v Red crossover cable
v Serial cable
v Recovery CD
Computer requirements
If you are connecting a computer to the Proventia Network MFS for this
procedure, verify the computer requirements below:
Note: No software is installed on the computer during this process; the computer
is used only to reinstall the firmware.
Requirement | Description
BIOS setting | Computer must be configured to allow it to boot from the CD drive.
    Reference: For information on how to check or change your BIOS settings, see your
    computer documentation or go online and search for instructions. Commonly, pressing
    F12 during bootup allows you to specify booting from a CD.
CPU | Pentium II or compatible
RAM | 64MB
Drive | IDE CD-ROM Drive
Port | COM1
Network interface |
    v 3Com 3c905C
    v Intel PRO/100 or PRO/1000
    v 3Com 3c574 or 3Com 3c575
    v Netgear FA511 or Netgear FA411
    v Intel PRO/100 S Mobile Adapter
    IBM ISS supports only the listed network cards. The Proventia Network MFS
    automatically detects network interface cards.
Before you reinstall
If your Proventia Network MFS is still operational, do the following before you
reinstall the firmware:
v Back up your policies using a Settings Backup, and then download the backup
files to a remote location. You can restore your policies from the backup files
after you reinstall the Proventia Network MFS firmware.
v Record the networking settings shown in the following table:
Mode | Network settings
Routing | IP addresses; subnet masks; default gateways for all interfaces; hostname; domain name; DNS name servers
Transparent | IP address; subnet mask; default gateway; hostname; domain name; DNS name server
Installing firmware (appliance with CD drive)
Follow these steps if your Proventia Network MFS appliance has its own CD drive.
Procedure
1. Connect to the Proventia Network MFS:
If you are using a... | Then...
computer |
    1. Connect the serial cable from your computer to the
    serial port on the Proventia Network MFS.
    2. Connect the red Ethernet crossover cable from the
    Ethernet port on your computer to the Internal ETH0
    port on the Proventia Network MFS.
    3. On the computer, use an application such as
    HyperTerminal to configure a terminal connection
    between the computer and the appliance. Use the
    following settings:
        Port = COM1 or other appropriate port
        Bits Per Second = 9600
        Data bits = 8
        Parity = None
        Stop bits = 1
        Flow control = None
    4. Start the connection.
keyboard and monitor | Connect the keyboard and monitor to the Proventia Network MFS.
2. Remove the front bezel.
3. Insert the Recovery CD in the CD drive of the Proventia Network MFS.
4. Restart the Proventia Network MFS.
5. When you see the boot: prompt, type reinstall, and then press ENTER.
6. Wait until the appliance reinstalls the software and automatically ejects the
Recovery CD.
What to do next
You must run the Proventia Setup Assistant again to initialize the system. You
must also either reconfigure your policies or restore your policies from the backup
files you made.
Installing firmware (appliance with no CD drive)
Follow these steps if your Proventia Network MFS appliance does not have its own
CD drive.
Procedure
1. Turn off the Proventia Network MFS, and then disconnect it from the
network.
2. Connect the serial cable from the console port on the Proventia Network MFS
to the serial port on your computer.
3. Connect the red Ethernet crossover cable from the internal port on the
appliance to the Ethernet port on your computer.
4. Insert the recovery CD into the CD drive on your computer, and then restart
the computer.
5. Wait until you see the following message:
***You may now boot your Proventia Appliance via the network***
***Starting Terminal Emulator***
***Press Control-G to Exit and Reboot***
Important: In the next step, you have only five seconds to press L after the
Press L prompt appears.
6. Turn on the Proventia Network MFS and watch the screen closely for the
Press L prompt.
7. When you see the Press L to boot from LAN prompt, press the L key.
8. When you see the boot: prompt, type reinstall, and then press ENTER.
9. Wait until the Proventia Network MFS reinstalls the software.
10. When the installation is complete, press CONTROL+G to eject the CD and
restart the computer in normal mode.
What to do next
You must run the Proventia Setup Assistant again to initialize the system. You
must also either reconfigure your policies or restore your policies from the backup
files you made.
Chapter 4. System Diagnostics
This chapter describes the system diagnostics utility and provides instructions on
how to run it.
Topics
About System Diagnostics
Requirements for running diagnostics
Running diagnostics on an M50
Running diagnostics (not M50)
Copying results files
About System Diagnostics
The system diagnostics utility is included on the recovery CD for your appliance
and provides a way to check for the following types of hardware failures:
v Network interface failures
v Hard disk failures
v File system errors
v Certain general hardware errors
Limitations
The utility does not detect the following:
v A single failed power supply on an appliance with dual supplies
v A single failed drive in a RAID mirror
v Bad memory
When to run the tool
You can run the utility at the following times:
v Before you deploy a new appliance
v Before you deploy a replacement appliance
v When you suspect there is a hardware issue with the appliance
v When Technical Support requests it
What tests are available
The utility provides four classes of diagnostic tests:
v Serial number and model
v Disk
v Network
v Event log analysis
Serial number and model tests
The following table describes serial number and model tests:
Test | Description
Model test | Verifies that the appliance model matches the recovery CD used.
Serial number test | Verifies that the appliance serial number is either 9 or 13 digits.
Disk tests
You can skip all disk tests by specifying nodisk. The following table describes disk
tests:
Test | Description
Badblock test | Finds invalid disk sectors. Each test takes approximately one hour
    except when run on the M10, M10e, and M30 models. On these models, each test
    takes approximately two hours.
    Parameters:
    v To run this test multiple times, use the dtbb=(number) parameter.
    v To skip this test, use the dtbb=0 parameter.
File system test | Checks the integrity of the Linux file system on the appliance
    but does not necessarily indicate failure.
    Parameters:
    To skip this test, use the nofsck parameter.
    To resolve most file system errors:
    1. Reboot the device normally.
    2. Log in as the root user.
    3. Type reboot.
    4. Reload the system diagnostics.
    If this does not resolve a file system error message, you may need to reimage
    the appliance.
SMART drive test | Checks the hard drive error log for signs of failure. This test
    is available on the following models that do not have multiple disks: M10,
    M10e, M30, M30e, MX1004, and MX3006.
    Parameters:
    To skip this test, use the nosmart parameter.
Network tests
You can skip all network tests by specifying nonet. The following table describes
network tests:
Check | Description
Network port count check | If this test fails, the appliance may require RMA
    replacement.
Network interface self test | Determines whether all interfaces are plugged in. Any
    interface that is not plugged in shows up as failed.
    Parameters:
    To skip this test, use the nonetself parameter.
Network traffic test | Checks the interface traffic flow. Cables must be connected
    to the interfaces to run this test.
    Example cable connections on MX5010
    Cable connections will be similar on other models.
    v Connect eth0 to eth1
    v Connect eth2 to eth3
    v Connect eth4 to eth5
    v Connect eth6 to eth7
    v Connect eth8 to eth9
    Parameters:
    To skip this test, use the notraffic parameter.
    Important: Immediately before this test begins, you have approximately 30
    seconds to verify that the cables are correctly connected. The delay may be
    longer depending on your appliance version.
    Important: Do not run earlier versions of system diagnostics on M10, M10e, and
    M30e models because the test always fails, even when the interfaces are not
    defective.
Event log analysis tests for the M50 appliance
On the M50 appliance, event log analysis tests check for fault indicators or
messages such as the following:
v Critical interrupts
v System POST errors
v System temperature issues
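A planning aid for the skip parameters and timings described above, added here as an illustration (it is not part of the sysdiag utility and not IBM ISS code). Given a model and a sysdiag parameter string, it returns the tests that would run, the approximate badblock time, and whether cabled interfaces are needed. It assumes one badblock pass when dtbb is omitted and that event log analysis runs on every model as one of the four test classes; the function and field names are hypothetical.

```python
# Rules below restate the test descriptions in this guide; nothing else is modelled.
SLOW_BADBLOCK_MODELS = {"M10", "M10e", "M30"}  # about two hours per badblock pass
SMART_MODELS = {"M10", "M10e", "M30", "M30e", "MX1004", "MX3006"}
SKIP_FLAGS = {"nodisk", "nofsck", "nosmart", "nonet", "nonetself", "notraffic"}


def plan_sysdiag(model, params=""):
    """Return which tests 'sysdiag <params>' would run on the given model."""
    flags, not_in_guide = set(), []
    passes = 1  # assumption: one badblock pass when dtbb is not given
    for token in params.split():
        if token in SKIP_FLAGS:
            flags.add(token)
        elif token.startswith("dtbb="):
            value = token[len("dtbb="):]
            if not (value.isascii() and value.isdigit()):
                raise ValueError(f"dtbb expects a whole number, got {token!r}")
            passes = int(value)
        else:
            # The on-screen parameter list may contain options this guide omits.
            not_in_guide.append(token)

    tests = ["model", "serial number"]
    if "nodisk" not in flags:
        if passes > 0:  # dtbb=0 skips the badblock test
            tests.append("badblock")
        if "nofsck" not in flags:
            tests.append("file system")
        if model in SMART_MODELS and "nosmart" not in flags:
            tests.append("SMART drive")
    if "nonet" not in flags:
        tests.append("network port count")
        if "nonetself" not in flags:
            tests.append("network interface self test")
        if "notraffic" not in flags:
            tests.append("network traffic")
    # Assumption: runs on every model; the guide details its checks only for the M50.
    tests.append("event log analysis")

    per_pass = 2 if model in SLOW_BADBLOCK_MODELS else 1
    cabled = {"network interface self test", "network traffic"}
    return {
        "tests": tests,
        "badblock_hours": per_pass * passes if "badblock" in tests else 0,
        "needs_cabling": any(t in cabled for t in tests),
        "not_in_guide": not_in_guide,
    }


if __name__ == "__main__":
    for model, params in [("M50", ""), ("M10", "dtbb=2 nonet"),
                          ("MX5010", "nodisk notraffic")]:
        print(model, repr(params), plan_sysdiag(model, params))
```

Parameters that appear under not_in_guide are not rejected; check them against the list the diagnostics menu shows on screen.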
Requirements for running diagnostics
This topic outlines considerations and requirements for running the system
diagnostic utility.
Considerations
Consider the following before you run the utility:
v Running system diagnostics takes the appliance off line completely.
v Running all tests takes the appliance offline for one to two hours.
Note: The test takes two hours for the M10, M10e, and M30 models.
v You must recable the appliance network interfaces before you run the network
tests.
Requirements
Before you run the utility, verify that you have the following:
v Computer
Note: A computer is required if you want to download the results.
v Red Ethernet crossover cable
v Serial cable
v Recovery CD
Computer requirements
If you are connecting a computer to the appliance for this procedure, verify the
computer requirements:
Note: No software is installed on the computer during this process.
Requirement | Description
BIOS Settings | Computer must be configured to allow it to boot from the CD drive.
    Reference: For information on how to check or change your BIOS settings, see your
    computer documentation or go online and search for instructions. Commonly, pressing
    F12 during bootup allows you to specify booting from a CD.
CPU | Pentium II or compatible
RAM | 64MB
Drive | IDE CD-ROM Drive
Serial port | COM1
Network interface card |
    v 3Com 3c905C
    v Intel PRO/100 or PRO/1000
    v 3Com 3c574 or 3Com 3c575
    v Netgear FA511 or Netgear FA411
    v Intel PRO/100 S Mobile Adapter
    IBM ISS supports only the listed network cards. The Proventia Network MFS
    automatically detects network interface cards.
Diagnostic procedures
Running diagnostics on an M50
Follow these steps to diagnose M50 appliances.
Procedure
1. Connect to the appliance:
Tip: To view output and download diagnostic files after you run the tests, you
must connect a computer to the appliance using the serial cable.
If you are using a... | Then...
Computer |
    1. Connect the serial cable from your computer to the serial port on the
    appliance.
    2. On the computer, use an application such as HyperTerminal to configure a
    terminal connection between the computer and the appliance. Use the
    following settings:
        Port = COM1 or other appropriate port
        Bits Per Second = 9600
        Data bits = 8
        Parity = None
        Stop bits = 1
        Flow control = None
    3. Start the connection.
Keyboard and monitor | Connect the keyboard and monitor to the appliance.
2. Remove the front bezel.
3. Insert the Recovery CD in the appliance CD drive.
4. Restart the appliance.
5. When you see the boot: prompt, press TAB for the diagnostics menu.
Important: If you plan to run network diagnostic tests, you must recable the
device by connecting crossover cables between all interfaces. Connect ETH0 to
ETH1, port 2 to 3, and so on.
6. Do one of the following:
If you want to... | Then...
Run all four classes of system diagnostic tests | Type sysdiag, and press ENTER.
Skip diagnostic test | Type sysdiag parametername.
    Example: sysdiag nodisk
    Tip: Optional parameters and descriptions are listed on the screen. You can
    specify multiple parameters by placing a space between parameters.
Running diagnostics (not M50)
Use this procedure to run system diagnostics on the M10, M30, MX1004, MX3006,
MX5010, or any other M-series models that do not include a built-in CD drive.
Procedure
1. In Proventia Manager, select Maintenance > Tools.
2. Click Shut Down.
3. Turn off the appliance, and then disconnect it from the network.
4. Connect the serial cable from the console port on the appliance to the serial
port on your computer.
5. Connect the red Ethernet crossover cable from the internal (ETH0) port on the
appliance to the Ethernet port on your computer.
6. Insert the recovery CD into the CD drive on your computer, and then restart
the computer.
7. Wait until you see the following message:
***You may now boot your Proventia Appliance via the network***
***Starting Terminal Emulator***
***Press Control-G to Exit and Reboot***
8. If you plan to run network diagnostic tests, you must now recable the device
by connecting crossover cables between all available interfaces except for
ETH0 and ETH1. Connect port 2 to 3, port 4 to 5, and so on.
Important: In the next step, you have only five seconds to press L after the
Press L prompt appears.
9. Turn on the appliance and watch the screen closely for the Press L prompt.
10. When you see the Press L to boot from LAN prompt, press the L key.
11. When you see the boot: prompt, press TAB for the diagnostics menu.
12. Do one of the following:
If you want to... | Then...
Run all four classes of system diagnostic tests | Type sysdiag, and then press ENTER.
Skip diagnostic test | Type sysdiag parametername.
    Example: sysdiag nodisk
    Tip: Optional parameters and descriptions are listed on the screen. You can
    specify multiple parameters by placing a space between parameters.
13. Wait until you see the messages:
Loading installer
Loading filesystem
Booting, please wait
14. Unplug the network cable from the computer.
15. Connect the remaining two appliance interfaces (ETH0 and ETH1) to each
other.
Results
After the tests are finished, the results are displayed on a summary screen and
included in the following file:
/tmp/sysdiag_(serial).tgz
CAUTION: All output, logs, and diagnostic files are stored in memory only and
are lost when you restart the appliance. To preserve the files, you must transfer
them to another system over the serial cable. Depending on the version of the
system diagnostics utility you are running, the utility may provide an option to
copy the file to an external USB drive.
Copying results files
Follow this procedure to copy the sysdiag_(serial).tgz test results file to another
system.
Procedure
1. Start the computer connected to the appliance.
Important: Do not restart the appliance itself.
2. Start a HyperTerminal connection using the following values:
v Port = COM1 or other appropriate port
v Bits Per Second = 9600
v Data bits = 8
v Parity = None
v Stop bits = 1
v Flow control = None
3. Press ENTER to get a bash prompt.
4. At the prompt, type download.
5. Type exit to safely turn off the appliance.
6. Locate the file on your local system.
Tip: The default location is the following:
C:\Documents and Settings\(username)\sysdiag_(serial).tgz
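Because the results exist only in appliance memory and the copy travels over a serial line, it is worth confirming that the transferred file is intact before the appliance is turned off. The following added example (not IBM ISS code) checks the file name against the sysdiag_(serial).tgz pattern with a 9- or 13-digit serial, verifies the gzip CRC, records a SHA-256 for the support ticket, and lists the archive members without extracting them. The function names and the sample member names are constructed; this guide does not describe the archive's internal layout.

```python
import gzip
import hashlib
import io
import re
import tarfile
import zlib
from pathlib import PurePosixPath

# File name pattern from this guide: sysdiag_(serial).tgz, serial = 9 or 13 digits.
RESULT_NAME = re.compile(r"^sysdiag_(\d{9}|\d{13})\.tgz$")


def inspect_results(filename, data):
    """Check a transferred results archive in memory, without extracting it."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "serial": None,
        "members": [],
        "problems": [],
    }
    match = RESULT_NAME.match(filename)
    if match:
        report["serial"] = match.group(1)
    else:
        report["problems"].append("file name is not sysdiag_<9 or 13 digits>.tgz")

    # Step 1: decompress the whole stream so the gzip CRC and length are checked.
    try:
        raw = gzip.decompress(data)
    except (OSError, EOFError, zlib.error) as exc:
        report["problems"].append(f"gzip check failed, transfer again: {exc}")
        return report

    # Step 2: list members and flag entries that should not be extracted blindly.
    try:
        with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
            for member in tar:
                report["members"].append(member.name)
                path = PurePosixPath(member.name)
                if path.is_absolute() or ".." in path.parts:
                    report["problems"].append(
                        f"path escapes target directory: {member.name}")
                if member.issym() or member.islnk() or member.isdev():
                    report["problems"].append(
                        f"link or device entry: {member.name}")
    except tarfile.TarError as exc:
        report["problems"].append(f"tar structure unreadable: {exc}")
    return report


def build_sample(names):
    """Build a small .tgz in memory. Constructed test data, not real sysdiag output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            body = f"constructed sample for {name}\n".encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample(["sysdiag/summary.txt", "sysdiag/network.log"])
    cases = [
        ("intact", "sysdiag_123456789.tgz", good),
        ("truncated", "sysdiag_123456789.tgz", good[: len(good) // 2]),
        ("traversal", "sysdiag_1234567890123.tgz", build_sample(["../outside.txt"])),
    ]
    for label, name, blob in cases:
        result = inspect_results(name, blob)
        print(label, result["serial"], result["members"], result["problems"])
```

For a real file, read it with open(path, "rb").read() and pass the base name and bytes to inspect_results; an empty problems list means the name, gzip CRC, and member paths all passed.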
Appendix. Safety, environmental, and electronic emissions
notices
Safety notices may be printed throughout this guide. DANGER notices warn you
of conditions or procedures that can result in death or severe personal injury.
CAUTION notices warn you of conditions or procedures that can cause personal
injury that is neither lethal nor extremely hazardous. Attention notices warn you
of conditions or procedures that can cause damage to machines, equipment, or
programs.
DANGER notices
DANGER
To prevent a possible shock from touching two surfaces with different
protective ground (earth), use one hand, when possible, to connect or
disconnect signal cables. (D001)
DANGER
Overloading a branch circuit is potentially a fire hazard and a shock hazard
under certain conditions. To avoid these hazards, ensure that your system
electrical requirements do not exceed branch circuit protection requirements.
Refer to the information that is provided with your device or the power
rating label for electrical specifications. (D002)
DANGER
If the receptacle has a metal shell, do not touch the shell until you have
completed the voltage and grounding checks. Improper wiring or grounding
could place dangerous voltage on the metal shell. If any of the conditions are
not as described, STOP. Ensure the improper voltage or impedance conditions
are corrected before proceeding. (D003)
DANGER
An electrical outlet that is not correctly wired could place hazardous voltage
on the metal parts of the system or the devices that attach to the system. It is
the responsibility of the customer to ensure that the outlet is correctly wired
and grounded to prevent an electrical shock. (D004)
DANGER
When working on or around the system, observe the following precautions:
Electrical voltage and current from power, telephone, and communication
cables are hazardous. To avoid a shock hazard:
v Connect power to this unit only with the IBM ISS provided power cord.
Do not use the IBM ISS provided power cord for any other product.
v Do not open or service any power supply assembly.
v Do not connect or disconnect any cables or perform installation,
maintenance, or reconfiguration of this product during an electrical storm.
v The product might be equipped with multiple power cords. To remove all
hazardous voltages, disconnect all power cords.
v Connect all power cords to a properly wired and grounded electrical outlet.
Ensure that the outlet supplies proper voltage and phase rotation according
to the system rating plate.
v Connect any equipment that will be attached to this product to properly
wired outlets.
v When possible, use one hand only to connect or disconnect signal cables.
v Never turn on any equipment when there is evidence of fire, water, or
structural damage.
v Disconnect the attached power cords, telecommunications systems,
networks, and modems before you open the device covers, unless
instructed otherwise in the installation and configuration procedures.
v Connect and disconnect cables as described in the following procedures
when installing, moving, or opening covers on this product or attached
devices.
To disconnect:
1. Turn off everything (unless instructed otherwise).
2. Remove the power cords from the outlets.
3. Remove the signal cables from the connectors.
4. Remove all cables from the devices.
To connect:
1. Turn off everything (unless instructed otherwise).
2. Attach all cables to the devices.
3. Attach the signal cables to the connectors.
4. Attach the power cords to the outlets.
5. Turn on the devices.
(D005)
CAUTION notices
CAUTION:
Data processing environments can contain equipment transmitting on system
links with laser modules that operate at greater than Class 1 power levels. For this
reason, never look into the end of an optical fiber cable or open receptacle.
(C027)
CAUTION:
The battery contains lithium. To avoid possible explosion, do not burn or charge
the battery.
Do not:
v Throw or immerse into water
v Heat to more than 100°C (212°F)
v Repair or disassemble
Exchange only with the IBM ISS-approved part. Recycle or discard the battery as
instructed by local regulations. In the United States, IBM ISS has a process for
the collection of this battery. For information, call 1-800-426-4333. Have the IBM
ISS part number for the battery unit available when you call. (C003)
CAUTION:
For 19" rack mount products:
v Do not install a unit in a rack where the internal rack ambient temperatures
will exceed the manufacturer's recommended ambient temperature for all your
rack-mounted devices.
v Do not install a unit in a rack where the air flow is compromised. Ensure that
air flow is not blocked or reduced on any side, front, or back of a unit used
for air flow through the unit.
v Consideration should be given to the connection of the equipment to the
supply circuit so that overloading the circuits does not compromise the supply
wiring or overcurrent protection. To provide the correct power connection to a
rack, refer to the rating labels located on the equipment in the rack to
determine the total power requirement of the supply circuit.
v (For sliding drawers) Do not pull or install any drawer or feature if the rack
stabilizer brackets are not attached to the rack. Do not pull out more than one
drawer at a time. The rack might become unstable if you pull out more than
one drawer at a time.
v (For fixed drawers) This drawer is a fixed drawer and must not be moved for
servicing unless specified by the manufacturer. Attempting to move the
drawer partially or completely out of the rack might cause the rack to become
unstable or cause the drawer to fall out of the rack.
(R001 Part 2 of 2)
Product handling information
One of the following two safety notices may apply to this product. Please refer to
the specific product specifications to determine the weight of the product to see
which applies.
CAUTION:
This part or unit is heavy but has a weight smaller than 18 kg (39.7 lb). Use care
when lifting, removing, or installing this part or unit. (C008)
CAUTION:
The weight of this part or unit is between 18 and 32 kg (39.7 and 70.5 lb). It
takes two persons to safely lift this part or unit. (C009)
Product safety labels
One or more of the following safety labels may apply to this product.
DANGER
Hazardous voltage, current, or energy levels are present inside any component
that has this label attached. Do not open any cover or barrier that contains
this label. (L001)
DANGER
Multiple power cords. The product might be equipped with multiple power
cords. To remove all hazardous voltages, disconnect all power cords. (L003)
World trade safety information
Several countries require the safety information contained in product publications
to be presented in their national languages. If this requirement applies to your
country, a safety information booklet is included in the publications package
shipped with the product. The booklet contains the safety information in your
national language with references to the US English source. Before using a US
English publication to install, operate, or service this IBM ISS product, you must
first become familiar with the related safety information in the booklet. You should
also refer to the booklet any time you do not clearly understand any safety
information in the US English publications.
Laser safety information
The following laser safety notices apply to this product:
CAUTION:
This product may contain one or more of the following devices: CD-ROM drive,
DVD-ROM drive, DVD-RAM drive, or laser module, which are Class 1 laser
products. Note the following information:
v Do not remove the covers. Removing the covers of the laser product could
result in exposure to hazardous laser radiation. There are no serviceable parts
inside the device.
v Use of the controls or adjustments or performance of procedures other than
those specified herein might result in hazardous radiation exposure. (C026)
CAUTION:
Data processing environments can contain equipment transmitting on system
links with laser modules that operate at greater than Class 1 power levels. For
this reason, never look into the end of an optical fiber cable or open receptacle.
(C027)
Laser compliance
All lasers are certified in the U.S. to conform to the requirements of DHHS 21 CFR
Subchapter J for class 1 laser products. Outside the U.S., they are certified to be in
compliance with IEC 60825 as a class 1 laser product. Consult the label on each
part for laser certification numbers and approval information.
Product recycling and disposal
This unit must be recycled or discarded according to applicable local and national
regulations. IBM encourages owners of information technology (IT) equipment to
responsibly recycle their equipment when it is no longer needed. IBM offers a
variety of product return programs and services in several countries to assist
equipment owners in recycling their IT products. Information on IBM ISS product
recycling offerings can be found on IBM's Internet site at
http://www.ibm.com/ibm/environment/products/prp.shtml.
Notice: This mark applies only to countries within the European Union (EU) and
Norway.
Appliances are labeled in accordance with European Directive 2002/96/EC
concerning waste electrical and electronic equipment (WEEE). The Directive
determines the framework for the return and recycling of used appliances as
applicable through the European Union. This label is applied to various products
to indicate that the product is not to be thrown away, but rather reclaimed upon
end of life per this Directive.
In accordance with the European WEEE Directive, electrical and electronic
equipment (EEE) is to be collected separately and to be reused, recycled, or
recovered at end of life. Users of EEE with the WEEE marking per Annex IV of the
WEEE Directive, as shown above, must not dispose of end of life EEE as unsorted
municipal waste, but use the collection framework available to customers for the
return, recycling, and recovery of WEEE. Customer participation is important to
minimize any potential effects of EEE on the environment and human health due
to the potential presence of hazardous substances in EEE. For proper collection and
treatment, contact your local IBM representative.
Note: This mark applies only to countries of the European Union and to Norway.
The system label complies with European Directive 2002/96/EC on Waste Electrical
and Electronic Equipment (WEEE), which determines the return and recycling
provisions applicable to systems used throughout the European Union. In
accordance with the directive, this label indicates that the product to which it
is affixed must not be thrown away but must be recovered at end of life.
Battery return program
This product contains a lithium battery. The battery must be recycled or disposed
of properly. Recycling facilities may not be available in your area. For information
on disposal of batteries outside the United States, go to
http://www.ibm.com/ibm/environment/products/batteryrecycle.shtm or contact your local waste
disposal facility.
In the United States, IBM has established a return process for reuse, recycling, or
proper disposal of used IBM sealed lead acid, nickel cadmium, nickel metal
hydride, and other battery packs from IBM equipment. For information on proper
disposal of these batteries, contact IBM at 1-800-426-4333. Please have the IBM
part number listed on the battery available prior to your call.
For Taiwan:
Please recycle batteries
For the European Union:
Notice: This mark applies only to countries within the European Union (EU).
Batteries or packing for batteries are labeled in accordance with European Directive
2006/66/EC concerning batteries and accumulators and waste batteries and
accumulators. The Directive determines the framework for the return and recycling
of used batteries and accumulators as applicable throughout the European Union.
This label is applied to various batteries to indicate that the battery is not to be
thrown away, but rather reclaimed upon end of life per this Directive.
Batteries or packaging for batteries are labeled in accordance with European
Directive 2006/66/EC, the standard concerning batteries and accumulators in use
and waste batteries and accumulators. The directive determines the procedure in
force in the European Union for the return and recycling of waste batteries and
accumulators. This label is applied to various batteries to indicate that the
battery must not be discarded but rather recovered at end of life in accordance
with this standard.
In accordance with the European Directive 2006/66/EC, batteries and accumulators
are labeled to indicate that they are to be collected separately and recycled at end
of life. The label on the battery may also include a symbol for the metal concerned
in the battery (Pb for lead, Hg for the mercury, and Cd for cadmium). Users of
batteries and accumulators must not dispose of batteries and accumulators as
unsorted municipal waste, but use the collection framework available to customers
for the return, recycling, and treatment of batteries and accumulators. Customer
participation is important to minimize any potential effects of batteries and
accumulators on the environment and human health due to potential presence of
hazardous substances. For proper collection and treatment, contact your local IBM
representative.
For California:
Perchlorate Material - special handling may apply. See
http://www.dtsc.ca.gov/hazardouswaste/perchlorate.
The foregoing notice is provided in accordance with California Code of
Regulations Title 22, Division 4.5, Chapter 33. Best Management Practices for
Perchlorate Materials. This product, part, or both may include a lithium manganese
dioxide battery which contains a perchlorate substance.
Electronic emissions notices
The following statements apply to this IBM product. The statement for other IBM
products intended for use with this product will appear in their accompanying
manuals.
Federal Communications Commission (FCC) Statement
Note: This equipment has been tested and found to comply with the limits for a
Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are
designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates,
uses, and can radiate radio frequency energy and, if not installed and used in
accordance with the instructions contained in the installation manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference, in which case the user will
be required to correct the interference at his own expense.
Note: Properly shielded and grounded cables and connectors must be used in
order to meet FCC emission limits. IBM is not responsible for any radio or
television interference caused by using other than recommended cables and
connectors, by installation or use of this equipment other than as specified in
the installation manual, or by any other
unauthorized changes or modifications to this equipment. Unauthorized changes
or modifications could void the user's authority to operate the equipment.
Note: This device complies with Part 15 of the FCC Rules. Operation is subject to
the following two conditions: (1) this device may not cause harmful interference,
and (2) this device must accept any interference received, including interference
that may cause undesired operation.
Canadian Department of Communications Compliance Statement
This Class A digital apparatus complies with Canadian ICES-003.
Notice of conformity with the standards of the Canadian Department of Communications
This Class A digital apparatus complies with Canadian standard NMB-003.
European Union (EU) Electromagnetic Compatibility Directive
This product is in conformity with the protection requirements of EU Council
Directive 2004/108/EEC on the approximation of the laws of the Member States
relating to electromagnetic compatibility. IBM ISS cannot accept responsibility for
any failure to satisfy the protection requirements resulting from a
non-recommended modification of the product, including the fitting of non-IBM
ISS option cards.
This product has been tested and found to comply with the limits for Class A
Information Technology Equipment according to European Standard EN 55022. The
limits for Class A equipment were derived for commercial and industrial
environments to provide reasonable protection against interference with licensed
communication equipment.
Warning:
This is a Class A product. In a domestic environment, this product may cause radio
interference in which case the user may be required to take adequate measures.
European Community contact:
IBM Technical Regulations
Pascalstr. 100, Stuttgart, Germany 70569
Telephone: 0049 (0) 711 785 1176
Fax: 0049 (0) 711 785 1283
e-mail: tjahn@de.ibm.com
EC Declaration of Conformity (In German)
German-language EU notice: Notice for Class A devices, EU Directive on
Electromagnetic Compatibility
This product complies with the protection requirements of EU Directive
89/336/EEC on the approximation of the laws relating to electromagnetic
compatibility in the EU member states and meets the limits of EN 55022
Class A.
To ensure this, the devices must be installed and operated as described in the
manuals. In addition, only cables recommended by IBM may be connected. IBM
accepts no responsibility for compliance with the protection requirements if the
product is modified without IBM's consent or if expansion components from
third-party manufacturers are plugged in or installed without IBM's
recommendation.
EN 55022 Class A devices must carry the following warning:
Warning: This is a Class A device. This device may cause radio interference in
residential areas; in this case the operator may be required to take
appropriate measures and to bear the cost.
Germany: Compliance with the Act on the Electromagnetic Compatibility of
Devices
This product complies with the Act on the Electromagnetic Compatibility of
Devices (EMVG). This is the implementation of EU Directive 89/336/EEC in
the Federal Republic of Germany.
Certificate of approval under the German Act on the Electromagnetic
Compatibility of Devices (EMVG) of 18 September 1998 (or EMC EC Directive
89/336) for Class A devices.
This device is entitled to bear the EC conformity mark - CE - in accordance
with the German EMVG.
Responsible for the declaration of conformity under Section 5 of the EMVG is
IBM Deutschland GmbH, 70548 Stuttgart.
Information regarding EMVG Section 4 Para. (1) 4:
The device meets the protection requirements of EN 55024 and EN 55022 Class A
update: 2004/12/07
People's Republic of China Class A Compliance Statement:
This is a Class A product. In a domestic environment, this product may cause radio
interference in which case the user may need to perform practical actions.
Japan Class A Compliance Statement:
This product is a Class A Information Technology Equipment and conforms to the
standards set by the Voluntary Control Council for Interference by Information
Technology Equipment (VCCI). In a domestic
environment, this product may cause radio interference in which case the user may
be required to take adequate measures.
Korean Class A Compliance Statement:
Index
A
Address Resolution Protocol (ARP) 15
ARP (Address Resolution Protocol) 15
automatic updates 2
    event notification 6
    update settings 3
automatic updates settings 3

B
backup 16, 17, 18

D
database updates 2
DHCP, releasing and renewing 15

E
event notification
    automatic updates 6

F
failover, forcing 15
firmware updates 2

I
IBM Internet Security Systems
    technical support viii
    Web site viii

L
licenses 1

O
offline settings editor 19

P
pinging 15
PPPoE, restoring 15
PXE boot server 21, 28

R
recovery 16, 18
reinstalling appliance firmware
    procedure for M50 21
    procedure for Mx1004 21, 24
    procedure for Mx3006 21, 24
    requirements 22

S
safety notices 33
security updates 2
service configuration 12
    HTTP proxy 13
snapshots 16, 17
SNMP traps 6
support 20
support files 20

T
technical support, IBM Internet Security Systems viii
traceroute 15
traps, SNMP 6

U
updates 1
    alternate update servers 7
    obtaining from SiteProtector 7
updates, automatic 2
updates, databases 2
updates, firmware 2
updates, security 2

W
Web site, IBM Internet Security Systems viii

X
X-Press update server 7

Printed in USA
