Nokia Horizon Manager Version 1.3 Quick Start Guide

Part No. N451055001 Rev A Published August 2003 Nokia Horizon Manager Version 1.3 Quick Start Guide


COPYRIGHT ©2003 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

Nokia Contact Information

Corporate Headquarters

Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information

Americas: Nokia Internet Communications, 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
Tel: 1-877-997-9199; Outside USA and Canada: +1 512-437-7089; email: [email protected]

Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908; Tel: France: +33 170 708 166; email: [email protected]

Asia-Pacific: 438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364; email: [email protected]


Nokia Customer Support

Web Site: https://support.nokia.com/

Email: [email protected]

Americas
Voice: 1-888-361-5030 or 1-613-271-6721
Fax: 1-613-271-8782

Europe
Voice: +44 (0) 125-286-8900
Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897


Contents

In This Guide
Conventions This Guide Uses
    Notices
    Text Conventions
    Menu Items
Related Documentation
Introduction
Installing the License and Starting Nokia Horizon Manager
NHM Main Window
Creating Devices in Nokia Horizon Manager
    Importing Devices
Grouping Devices
    Filtered Grouping
    Unfiltered Grouping
    Using Quick Groups
Communicating with Devices
    Scheduling Actions
    Uploading the SSH Public Keys to Devices
    Changing Device Passwords
    Backing Up Device Configurations
    Restoring Device Configurations
    Extracting and Deploying Configurations
    Removing Unused Images
    Rebooting Selected Devices
    Installing Operating System Images and Application Packages
    Executing a Command on Devices
    Uploading Files to Devices
Using NHM with Check Point VPN-1/FireWall-1
Example: Updating to Check Point FP3 from FP2
For More Information....


Preface

This manual is written for technical network administrators. It provides information for the administration of Nokia Horizon Manager. Maintenance of NHM should be performed by experienced network professionals only. This preface provides the following information:

In This Guide
Conventions This Guide Uses
Related Documentation

In This Guide

This guide is organized into the following sections that highlight the major features of NHM:

Introduction provides a brief introduction to NHM.
Installing the License and Starting NHM describes how to have NHM find the license file and the path to the NHM startup script.
NHM Main Window describes the function of the various panes located in the NHM Main Window.
Creating Devices describes how to identify and work with devices in NHM.
Grouping Devices describes how to create logical groups of devices on which you perform actions.
Communicating with the Selected Devices describes how to run actions and other functions on devices, such as
    Scheduling Actions
    Uploading the SSH Public Keys to the Selected Devices
    Changing Device Passwords
    Backing Up Device Configurations
    Extracting, Configuring, and Deploying Configurations
    Restoring Device Configurations
    Deleting Unused Images and Packages
    Rebooting Selected Devices
Installing Operating System Images and Application Packages describes how to import installable files and select operating systems and applications.
Executing a Command on Each Selected Device describes how to use custom commands and scripts on devices.
Uploading Files to Selected Devices describes how to upload files.
Using NHM with Check Point FireWall-1 describes how to use the various Check Point functions in NHM.
Example: Updating to Check Point NG FP3 from FP2 runs through an actual update of devices to Check Point NG FP 3.

Conventions This Guide Uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Warning
Warnings advise the user that bodily injury might occur because of a physical hazard.

Caution
Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.

Note
Notes provide information of special interest or recommendations.

Text Conventions

Table 1 describes the text conventions this guide uses.

Table 1 Text Conventions

Convention: Description
monospace font: Indicates command syntax, or represents computer or screen output, for example: Log error 12453
bold monospace font: Indicates text you enter or type, for example: # configure nat
Key names: Keys that you press simultaneously are linked by a plus sign (+): Press Ctrl + Alt + Del.
Menu commands: Menu commands are separated by a greater than sign (>): Choose File > Open.
The words enter and type: Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.
Italics:
• Emphasizes a point or denotes new terms at the place where they are defined in the text.
• Indicates an external book title reference.
• Indicates a variable in a command: delete interface if_name

Menu Items

Menu items in procedures are separated by the greater than sign. For example, choose Actions > Device Management > Backup indicates that you first choose Actions, then choose Device Management, then choose Backup from the menu.

Related Documentation

In addition to this guide, documentation for this product includes the following:

Nokia Horizon Manager Getting Started Guide—Provides a description of the system features and an overview of how to get your appliance up and running.
Nokia Horizon Manager Basic Operations Reference—Provides a thorough description of all NHM functions organized by main menu item.
Nokia Horizon Manager User’s Guide—Provides detailed information on how to use NHM.
Nokia Horizon Manager and Check Point—Provides information on how NHM and Check Point work together.


Introduction

This document provides a brief, high-level description of how to use Nokia Horizon Manager v1.3 (NHM) to upgrade software on network security appliances and illustrates its major features.

The Nokia IP security devices are referred to as selected devices when NHM applies an action to them. After NHM is installed and stocked with application packages and operating system images, all interaction with the selected devices is done with the Action menu. Use this information after you install and configure NHM successfully. For more information about installation, see the NHM v1.3 Getting Started Guide.

Installing the License and Starting Nokia Horizon Manager

To start NHM on Windows, choose Start > Programs > Nokia > Nokia Horizon Manager v1.3 Client or, on Solaris, run /usr/local/bin/nhm13/nhmclnt. When you log in to NHM for the first time, NHM prompts you for the path to the license file.


NHM Main Window

The Nokia Horizon Manager main window is divided into the following panes:

[Figure: NHM main window, showing the Groups-Check Point pane, Devices pane, Action Results pane, and Scheduled Actions pane]

For information about one of the panes, see the appropriate topic:

Table 2

Pane: Type of Information
Groups: Displays the groups you created. Click on a group and the devices associated with the group display in the Devices pane on the right. This pane can display all devices or all ungrouped devices.
Check Point: Toggles with the Groups pane. Displays all the management servers accessible to NHM.
Action Results: Displays information about actions that you have run, such as whether the action succeeded or not.
Devices: Displays information about the individual devices in the group that you selected in the Groups pane.
Scheduled Actions: Displays information about the actions that you have scheduled to run in the future.


You use the pane areas of the main window to create, edit, delete, group, perform actions on, schedule, and view progress and results of actions for all of the devices on your network. The panes are empty until you set up your system options and import or create your devices and groups. Each pane has a set of commands to act on the data it displays, and you can access these commands by right-clicking the pane toolbar buttons or by clicking in the pane and choosing a menu command.

Creating Devices in Nokia Horizon Manager

In order to use Nokia Horizon Manager, you need to define or create devices in the system. In NHM terminology, the devices are created. Once you create devices, you can view them in the Devices pane and you can select one or more groups of devices. You can populate the devices list by using the following methods:

Manually enter each device into NHM.
Import a list of devices from a text file.

To enter each device manually

1. Designate each device by choosing Devices > Create Devices from the menu. The Create Devices dialog appears.
2. Select the correct Device Type from the list. NHM v1.3 supports the following device types:
   Internet Traffic Management-ITM
   Nokia Security Platform (all Nokia IPSO-based devices)
   Nokia Small Office Security Platform (NSOSP)-IP30
3. Enter the hostname or IP address of the device in the Device text box.
4. Select the appropriate method of communication with the device.
   Communicating with the selected device over a secure connection is the preferable method for management of security platforms. For more information, refer to the Nokia Horizon Manager v1.3 Getting Started Guide.
5. Define the administrator username and password for the device.
6. If you defined additional device attributes, such as location or time zone, you can specify this information in the additional fields that might appear in this dialog box.
7. Click Apply to add the device to NHM. The device is added under Ungrouped Devices in the Groups pane.
8. Repeat this process until all the devices are added. Click OK when finished.

This method of defining devices can be time consuming, especially if you are adding hundreds or even thousands of Nokia devices on your network to NHM.

Importing Devices

To define multiple devices more quickly, you can import the information from a text file into NHM. NHM can import from a tab-, space-, or comma-separated value text file. The preferable method is to use a tab-separated file. The tab character is unlikely to appear in any of the tabular data and this provides the easiest import format to support. This type of data file is easily generated by many applications. The information about hundreds of selected devices for your network can exist in a simple text file. Required fields in the text file are: Device type, Device Hostname, Login, Password, and Connection type.

To import a list of devices from a text file

1. Choose Import Devices from the Devices menu. A dialog box opens and requests the name of the file to import. Enter the filename.
2. A dialog box opens and guides you through the process of importing device information from a text file. The following figure shows the Import Device Information dialog box with information about the devices selected for importing.
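A pre-import check for the device list described above, as an added example that is not part of the Nokia guide or of NHM. It shows why the tab is the safer delimiter for the five required fields and flags incomplete or duplicate records, and because the file holds administrator passwords in clear text it also checks who can read it. The field order, the absence of a header row, the sample records and the connection-type values are assumptions.

```python
import csv
import io
import os
import stat

# The five required fields the guide names. Their order in the file and the
# absence of a header row are assumptions made for this example.
REQUIRED = ("device_type", "hostname", "login", "password", "connection_type")

# Constructed sample records; the connection-type values are placeholders.
RECORDS = [
    ("Nokia Security Platform", "fw-nyc-01.example.net", "admin", "Winter,2003", "ssh"),
    ("IP30", "192.0.2.9", "admin", "plainpw", "telnet"),
    ("ITM", "itm-lab.example.net", "admin", "two words", "ssh"),
]

# Constructed tab-separated file: the three records above plus a duplicate
# host, a record with an empty password, and a truncated record.
SAMPLE_FILE = "\n".join(
    ["\t".join(rec) for rec in RECORDS]
    + [
        "IP30\t192.0.2.9\tadmin\tother-pw\ttelnet",
        "ITM\titm-02.example.net\tadmin\t\tssh",
        "Nokia Security Platform\tfw-lon-01.example.net\tadmin",
    ]
) + "\n"


def split_line(line, delimiter):
    """Split one record on the given delimiter, with no quoting rules applied."""
    if delimiter == " ":
        return line.split()
    # QUOTE_NONE keeps a password that starts with a quote character literal.
    reader = csv.reader(io.StringIO(line), delimiter=delimiter, quoting=csv.QUOTE_NONE)
    return next(reader)


def broken_rows(records, delimiter):
    """Count records that no longer split into five fields with this delimiter."""
    return sum(
        len(split_line(delimiter.join(rec), delimiter)) != len(REQUIRED)
        for rec in records
    )


def lint_import(text):
    """Return (line_number, problem) findings for a tab-separated device list."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = split_line(line, "\t")
        if len(fields) != len(REQUIRED):
            findings.append((n, f"expected {len(REQUIRED)} fields, found {len(fields)}"))
            continue
        rec = dict(zip(REQUIRED, (f.strip() for f in fields)))
        for name, value in rec.items():
            if not value:
                # Report the field name only, never the value (it may be a password).
                findings.append((n, f"empty required field: {name}"))
        host = rec["hostname"].lower()
        if host in seen:
            findings.append((n, f"duplicate of line {seen[host]}: {host}"))
        elif host:
            seen[host] = n
    return findings


def readable_by_others(path):
    """True if group or other may read the file (POSIX mode bits only)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for name, delim in (("tab", "\t"), ("comma", ","), ("space", " ")):
        print(f"{name:5} delimiter: {broken_rows(RECORDS, delim)} of {len(RECORDS)} records break")
    for line_no, problem in lint_import(SAMPLE_FILE):
        print(f"line {line_no}: {problem}")
```

The space-separated form breaks on the device type "Nokia Security Platform" itself, before any password is considered.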


Grouping Devices

You can create groups of devices; you can select devices based on predefined criteria. Grouping provides you with a more efficient method of managing your Nokia devices. You can select large numbers of devices by referring to a single group. Moreover, you can arrange groups in a hierarchy, with one group containing subgroups and each subgroup containing further subgroups. Since any groups you create are virtual entities (because they do not exist outside of NHM), a device can belong to as many groups (500 total and 5 levels) as required to effectively manage the devices.

Note
You can create a device in a subgroup that does not belong to one of the parent groups. In this case the device does not appear in the Groups pane.

For the best performance, groups should be created so that all of the lowest-level groups contain fewer than 200 devices. Nokia Horizon Manager provides you with two methods for grouping devices:

Filtered Grouping
Unfiltered Grouping

Filtered Grouping

Devices are grouped by using a common criterion that you specify, which is then listed in the device information. This technique is known as filtered grouping and it takes advantage of the information associated with the devices. When you create new data columns in the device table, you can apply filtered group definitions and create useful groupings. An example of filtered grouping is when you select all devices that are part of a high-availability pairing and place them into a single group. The membership, or population, of a filtered group is dynamic, based on the changing properties of your Nokia devices.

Note
Filtered grouping allows you to describe details of the devices. All Boolean operators (for example, AND, OR, and NOT) are available for the filter definitions. Additionally, filters can be exact matches, indicated by the equals (=) sign, or approximate matches, indicated by the tilde (~) character. You can build filters from several criteria and the criteria can be nested as needed. In addition to these standard methods of defining a filter for device characteristics, all of the criteria selections display an options dialog box that is specific to the selected criteria definition.

To create a filtered group

1. Choose Groups > Create Filtered Group.
2. Enter a name for the group.
3. Choose the location in the group tree for the group.
4. Create the filter by using criteria and operators.
5. Click OK and the group appears in the Groups pane.

Devices that are not grouped appear in the Groups pane under the Ungrouped Devices label.

The following figure shows the specification for a group filtered for available IP30 devices.

The table below lists some device grouping strategies.

Table 3 Example Device Filters

Grouping Descriptions: Filter to use

Group the devices by security classification. This could indicate the use of Secure Shell for communications.
    Devices using secure communication: Use_Secure_Connection = "true"
    Devices not using secure communication: Use_Secure_Connection = "false"

Group by device types. Grouping the small office systems separately from the large security devices creates selected groupings that are more likely to require a similar action to be applied.
    The Nokia Small Office Systems: Device_Type = "*IP30" OR "*ITM"
    All IPSO-based Nokia security platforms: Device_Type = "Nokia Security Platform"
    All small IPSO-based Nokia security platforms: Device_Type = "Nokia Security Platform" AND (Model ~ "\\100" OR Model ~ "\\300")
    All medium IPSO-based Nokia security platforms: Device_Type = "Nokia Security Platform" AND (Model ~ "\\400" OR Model ~ "\\500")
    All large IPSO-based Nokia security platforms: Device_Type = "Nokia Security Platform" AND (Model ~ "\\600" OR Model ~ "\\700")

Group by functional type. Place all the firewall platforms in a single group and all intrusion detection systems in another.
    All devices running Check Point VPN-1/FireWall-1 NG FP2: Packages = on"Check Point*NG*Pack 2"
    All devices running RealSecure Sensor v6.5: Packages = on"RealSecure*6.5"

Group by the disk space utilization of the device.
    Any device lacking disk space: Disk_Space_Usage = "Insufficient space"

Unfiltered Grouping

You can also group devices arbitrarily by using unfiltered groups. Device grouping also allows you to create device groups that are based on information not contained in the device properties. The following figure shows a group that is being created based on devices on which you want to perform maintenance. In this case, you add the devices to the group manually from the Devices pane without using a filtering process.

Using Quick Groups

The Quick Groups feature allows you to quickly add new subgroups based on column definitions: Device Type, Disk Space Usage, Reachability, and Use Secure Connection. You can also create a quick group based on Boolean or selection list custom columns that you create using the Configure Table Views feature. You can choose to create a hierarchy of groups with this tool by selecting other column items in subsequent descending order. For example, you can select the column item Device Type as a subgroup of All Devices from the Level 1 drop-down menu. You can then add descending subgroups as indicated by a Level 2 column selection. The resulting effect is new subgroups added to the Groups menu, such as the addition of Device Type groups under the All Devices group.

The following figure shows groups that are created with the devices sorted by device type, then reachability. Also, because the Edit upon selection box is checked, a popup dialog box lets you edit the selection after you click another level.


Communicating with Devices

After you define and group your devices, you can begin to perform actions. The initial action is to verify the configured management communication with the devices. When you define a device initially, NHM checks the availability and reachability of the device by performing the following tests:

Connectivity check (http or https) to the management interface
Simple ping (icmp-request) of the device

NHM displays the results of these automatic tests graphically in the Devices pane, beside the device name.

To communicate with devices

1. Select the group that contains all of the security devices and choose Actions > Inventory and Diagnostics > Verify. The tabs on the dialog box that appears (see the following figure) specify Nokia IP security platforms (NSP), ITM, or NSOSP-IP30 device types. Each tab contains a list of optional information to retrieve during the verify operation. You can configure the type of information that you retrieve for each device type. A tab displays for each device that is in the group you selected.

   For NSP devices, NHM tests both HTTP and HTTPS (port 80 and 443) connectivity. NHM confirms command-line access by using SSH (port 22) or Telnet (port 23). The test performed depends on whether or not the device was designated to use secure communications.

   NHM generates a disk space report. Verify Package configuration validates the images on the device against the Constraints rule set. You can download a new SSH server authentication key, if necessary. The operations available for the IP30 device during a Verify action are testing HTTP connectivity and downloading a new SSH server authentication key.

   Caution
   Downloading a new SSH server authentication key can possibly expose NHM to a man-in-the-middle attack and should only be done if absolutely necessary.

   Note
   A man-in-the-middle or bucket-brigade attack is one in which the attacker intercepts messages in a public-key exchange and then retransmits them, substituting their own public key for the requested one, so that the two original parties still appear to be communicating with each other directly. The attacker uses a program that appears to be the server to the client and appears to be the client to the server. The attack might be used simply to gain access to the messages, or enable the attacker to modify them before retransmitting them.

2. Click Start. When NHM completes the Verify action successfully, the disk space icon appears in the left frame. While the disk space icon approximates the current disk status, double-clicking the icon produces a dialog box that contains the detailed disk space report. Many of the data columns in the right frame are filled. The model number, installed operating system versions, and installed application packages are listed. The network configuration summary is retrieved by the Verify action, as well as any high-availability information, such as VRRP.

3. Select all of the devices and choose Actions > Inventory and Diagnostics > Get Software Inventory. This action retrieves information about the installed operating system versions and application package versions from the selected devices. It only performs the package confirmation option available under the Verify action.

   After the management communication is verified and the software inventory generated, you can generate a hardware inventory.

4. Select all of the devices and choose Actions > Inventory and Diagnostics > Get Hardware Inventory. This intensive action depends on the computational resources available on the selected device. After the Get Hardware Inventory action is complete, the Hardware Inventory data column is filled.

5. Double-click any of the cells in this data column to view the information for the selected device.

The combination of the Verify, Get Software Inventory, and Get Hardware Inventory actions provides NHM with a complete description of the selected devices it is managing.
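The caution in the Verify step about downloading a new SSH server authentication key is the case a pinned-key check exists for. The following added example (not NHM code and not part of the Nokia guide) models that check: a device's key is pinned once, a different key is rejected by default, and a pin is only set or replaced when the operator supplies a fingerprint obtained out of band, for example from the device console. The HostKeyPins class, the decision names, the OpenSSH-style SHA-256 fingerprint format and the key blobs are assumptions.

```python
import base64
import hashlib


def fingerprint(key_line):
    """OpenSSH-style SHA-256 fingerprint of an '<algorithm> <base64 blob>' line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<algorithm> <base64 key blob>'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def constructed_key(label):
    """Build a stand-in public key line. Constructed data, not a usable key."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + label
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


class HostKeyPins:
    """Pinned server keys per device, changed only with an out-of-band fingerprint."""

    def __init__(self):
        self._pins = {}   # host -> pinned fingerprint
        self.audit = []   # (host, decision, presented fingerprint)

    def check(self, host, presented_key, confirmed_fp=None):
        """Decide what to do with the key a device presents.

        confirmed_fp is a fingerprint the operator read from a trusted path.
        It is never taken from the same network connection as presented_key.
        """
        presented = fingerprint(presented_key)
        pinned = self._pins.get(host)
        confirmed = confirmed_fp is not None and confirmed_fp == presented
        if pinned is not None and pinned == presented:
            decision = "match"              # same key as before: proceed
        elif confirmed:
            # First contact or a deliberate key change, verified out of band.
            decision = "pinned" if pinned is None else "rekeyed"
            self._pins[host] = presented
        elif pinned is None:
            decision = "unverified"         # unknown key, nothing to compare with
        else:
            decision = "changed-rejected"   # key differs from the pin: stop
        self.audit.append((host, decision, presented))
        return decision


# Constructed stand-ins for the key a device had at installation and for a
# different key presented later on the same address.
KEY_ORIGINAL = constructed_key(b"constructed key, device as installed")
KEY_UNEXPECTED = constructed_key(b"constructed key, presented later")


def demo():
    """Walk one device through first contact, a key change and an approved rekey."""
    pins = HostKeyPins()
    host = "fw-nyc-01.example.net"
    return [
        pins.check(host, KEY_ORIGINAL),                             # no fingerprint yet
        pins.check(host, KEY_ORIGINAL, fingerprint(KEY_ORIGINAL)),  # console-verified
        pins.check(host, KEY_ORIGINAL),
        pins.check(host, KEY_UNEXPECTED),                           # possible interception
        pins.check(host, KEY_UNEXPECTED, fingerprint(KEY_ORIGINAL)),  # wrong confirmation
        pins.check(host, KEY_UNEXPECTED, fingerprint(KEY_UNEXPECTED)),  # approved rekey
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

A "changed-rejected" entry in the audit list is the event to investigate before anyone accepts the new key.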

Scheduling Actions

Nokia Horizon Manager v1.3 includes a scheduler that allows you to schedule actions to be performed on devices in the future. By using the scheduler, you can select a set of devices and assign an action to start and recur at a specified time. You can schedule the action any time in the future by specifying a particular time (for instance, 05/02/2003, 01:30) based on the time at the server. Times are not adjusted for changes the user makes to the system time or for daylight saving time changes. The action can be repeated as a periodic scheduled action. The scheduler allows you to select a time interval (hours, days, weeks, etc), a time, and the number of times to repeat the action. The repeat options can be:

A fixed number of repeats
Until a stop date
Until cancelled

If you define a scheduled action to operate on a filtered group, the devices used at the time of execution are those that meet the filter criteria at the time of execution. This can be different than those that met the criteria at the time you created the scheduled action because the group is dynamic.

Scheduled actions execute independent of a client connection to the server; however, the server must be running for the action to execute. If the server is not running at the time a scheduled action is due, the NHM administrator or owner is queried to restart the past-due scheduled action once the NHM server is restarted. NHM supports an unlimited number of scheduled actions. By scheduling the actions in NHM, you can produce a list of actions that will be performed on the selected devices.

Note: If you schedule too many actions across too many selected devices, you can consume all of the available resources on the NHM system if the console has insufficient CPU or memory resources for the managed network. This results in very long response times from the selected devices. To monitor available resources, use the Windows Task Manager (Windows 2000 installation) or top (not distributed with Solaris 8, but available from http://www.sunfreeware.com/) alongside NHM. These applications provide an indication of the CPU load and memory use (real and swap).


Scheduled actions are associated with the server on which they were scheduled. This association is necessary because the same scheduled actions run only on the server where they were initially configured.

Scheduled actions execute at the time of the local server or UTC and not the time of the selected devices. If you schedule an action to be performed on devices in several different locations and time zones, the scheduled action takes place at the time of the server. To have the action occur at a specific time for a device, create a filtered group for each location or time zone, then set up a scheduled action for each location group with the correct time for the selected devices.

The Scheduled Action pane displays between the Groups pane and the Action Results pane. Once an action is scheduled, the action appears in the Scheduled Action pane. The pane provides you with a view of all actions scheduled for the server. The scheduled action window also allows you to delete, review, and update an action and the scheduler.

Uploading the SSH Public Keys to Devices

Using public-key authentication provides an environment in which NHM can track and audit user actions against selected devices. By associating each NHM administrative user role with an individual SSH public key, you can avoid using the single admin password login for Nokia security platforms. Should an administrator’s status change, this association allows individual user access to be allowed or denied without affecting all users. This use of SSH keys allows you to manage individual user access to your Nokia devices without changing passwords or keys for all NHM users.

NHM maintains both RSA and DSA key pairs for every NHM user. The IPSO-based devices use RSA key pairs for SSH v1 communications and DSA key pairs for SSH v2 communications. NHM provides a one-step action for establishing, and updating, public-key authenticated communications to the selected devices.

To avoid a man-in-the-middle type of security vulnerability, you should only perform the upload public keys procedure over a secure communications channel, such as SSH.

To upload SSH public keys to devices

1. Select the appropriate devices and choose Actions > Device Security > Upload Public Keys.

Since the Nokia appliances running IPSO differ from the Nokia small office devices (IP30) in how they handle SSH public keys, the Upload Public Keys dialog box presents tabs appropriate for the action and devices. All tabs in the Upload Public Keys dialog box display the valid NHM user public keys, as shown in this graphic.

For the IPSO-based devices, both SSH v1 and v2 are supported protocols.

2. After you select the user keys to upload, choose the appropriate SSH version for the local security policy. NHM removes any public keys from the device that are of the incorrect SSH version, if you select that option in this dialog box. The IP30 uses SSH v1 only for secure communications. The small office devices allow the NHM user to update up to ten public keys per device, delete the selected public key from the device, or delete all public keys from the device. Once the user keys are selected, along with the correct options for each selected type, NHM begins to upload the keys to the selected devices in the queue.

3. After the upload is complete, change the authentication method NHM uses by selecting Use public key to authenticate under the SSH Authentication tab in the Administration > User Security Administration dialog box.

The private key from this pair is stored, encrypted, in the local user account directory, under the SSH directory (C:\Documents and Settings\username\ssh for Windows and /export/home/<username>/.ssh for Solaris) on the NHM console. Only the key pair owner (the appropriate NHM administrator account) can decrypt this private key. Therefore, only the key-pair owner can use the private key to establish secure communications with the selected device. NHM generates a user key when the user first logs on to the NHM account. NHM imports any SSH keys that already exist in the user account rather than generating new keys, and indicates this by denoting the Key Creation Date as imported. You can view all NHM SSH key information under the SSH Authentication tab in the Administration > User Security Administration dialog box.

4. After NHM is configured to use public keys for communication authentication, remove the admin passwords from the device records. Do not use unsecured methods (Telnet or FTP) to communicate with any device. Disable the local FTP server on the device. Remove the FTP server information (Local FTP Server, Account login, and Account password) from the Action tab in the Options > NHM Options dialog box. Removing this information ensures the security of communications with the selected devices.
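An audit of the state this procedure is meant to leave on a device, as an added example (not Nokia's code and not part of NHM): it flags keys whose owner is no longer an NHM user, keys of the wrong SSH version or algorithm, and more than ten keys on an IP30. It assumes OpenSSH-style public key lines with the NHM user name as the key comment; the function names, device type labels, user names, and sample keys are constructed for the illustration.

```python
"""Audit a device's SSH public-key list against the rules this guide states."""
import base64
import struct

MAX_IP30_KEYS = 10                         # guide: up to ten public keys per IP30
EXPECTED_ALGO = {1: "rsa1", 2: "ssh-dss"}  # guide: RSA for SSH v1, DSA for SSH v2


def wire_type(blob_b64):
    """Return the key type named inside an SSH v2 public-key blob."""
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("key blob truncated")
    return blob[4:4 + length].decode("ascii")


def parse_key_line(line):
    """Return (protocol, algorithm, comment) or raise ValueError."""
    fields = line.split()
    # SSH v1 RSA line: "<bits> <exponent> <modulus> [comment]", all decimal.
    if len(fields) >= 3 and all(f.isdigit() for f in fields[:3]):
        if int(fields[2]).bit_length() != int(fields[0]):
            raise ValueError("modulus size differs from declared bits")
        return 1, "rsa1", " ".join(fields[3:])
    # SSH v2 line: "<type> <base64 blob> [comment]".
    if len(fields) >= 2 and fields[0].startswith("ssh-"):
        if wire_type(fields[1]) != fields[0]:
            raise ValueError("declared type differs from type inside blob")
        return 2, fields[0], " ".join(fields[2:])
    raise ValueError("not a public key line")


def audit_keys(lines, device_type, policy_protocol, active_users):
    """Return sorted (line_number, code) findings; line 0 means the whole device."""
    if device_type == "IP30":
        policy_protocol = 1                # guide: the IP30 uses SSH v1 only
    findings, valid = [], 0
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            protocol, algorithm, owner = parse_key_line(line)
        except ValueError:
            findings.append((number, "MALFORMED"))
            continue
        valid += 1
        if protocol != policy_protocol:
            findings.append((number, "WRONG_PROTOCOL"))
        elif algorithm != EXPECTED_ALGO[protocol]:
            findings.append((number, "UNEXPECTED_ALGORITHM"))
        if owner not in active_users:
            # Assumption: the key comment carries the NHM user name.
            findings.append((number, "NO_ACTIVE_USER"))
    if device_type == "IP30" and valid > MAX_IP30_KEYS:
        findings.append((0, "TOO_MANY_KEYS"))
    return sorted(findings)


def sample_v1(owner, bits=1024):
    """Constructed SSH v1 line; the modulus is a placeholder, not a real key."""
    return f"{bits} 65537 {(1 << (bits - 1)) + 1} {owner}"


def sample_v2(declared, owner, inside=None):
    """Constructed SSH v2 line whose blob holds only a type string and padding."""
    name = (inside or declared).encode("ascii")
    blob = struct.pack(">I", len(name)) + name + b"\x00" * 20
    return f"{declared} {base64.b64encode(blob).decode('ascii')} {owner}"


ACTIVE_USERS = {"alice", "bob"}            # constructed NHM user names
IPSO_KEYS = [                              # constructed key list, SSH v2 policy
    sample_v2("ssh-dss", "alice"),             # matches the policy
    sample_v1("bob"),                          # SSH v1 key on an SSH v2 device
    sample_v2("ssh-dss", "carol"),             # owner is no longer an NHM user
    sample_v2("ssh-dss", "alice", "ssh-rsa"),  # label and blob disagree
]
IP30_KEYS = [sample_v1("alice") for _ in range(11)]  # one over the IP30 limit

if __name__ == "__main__":
    for finding in audit_keys(IPSO_KEYS, "IPSO", 2, ACTIVE_USERS):
        print("IPSO", finding)
    for finding in audit_keys(IP30_KEYS, "IP30", 2, ACTIVE_USERS):
        print("IP30", finding)
```

Feed it the key list retrieved from each device and the current NHM user roster; an empty result means every key maps to an active user and matches the selected SSH version.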

Changing Device Passwords

While all network management connectivity to the Nokia IP security platforms should use SSH key pairs, console and Voyager access requires a standard device password. When you need to change the console password of a device that NHM administrates, use NHM to update the password.

To change device passwords

1. Select the appropriate devices and then choose Actions > Device Password Update.

Since the IPSO-based Nokia IP security platforms support multiple user accounts, the Device Password Update dialog requests that the username be specified. The IP30 device type supports a single user account; therefore, the username is not requested during the application of this action.

2. Once you enter the new password (with a confirmation), initiate the action.


Backing Up Device Configurations

The majority of the administrative maintenance effort for any network element is often the configuration and log backup. NHM allows the network security administrator to batch backup all of the configuration information of the selected devices to the NHM console.

To back up device configurations

1. Select the appropriate devices and choose Action > Backup.

The Backup dialog box appears. Tabs for each of the device types selected display in the Backup dialog box. The right pane contains a list of the devices selected.

2. For a first-time backup operation, select the Backup Log Files and Backup Home Directory options. The Backup Home Directory option includes the files in the admin directory for NSP selected devices. You must provide the name of the backup set for the operation to proceed. Each device type requires its own backup set name; the device backup sets are not intermingled. Select the Append Date to Name option. This will provide you with more information about the backup file when you are reviewing it in the future. Each device type present has a field to place a comment.

3. Select the package configuration files you want to back up for each device. A few backup customization options allow the administrator to modify the default backup operation. For the majority of installations, the default backup options are sufficient. Once you complete configuring the backup options, you can initiate or schedule the backup action. NHM copies files, according to the backup configuration and selected device type, from each selected device until the device queue is processed.

Restoring Device Configurations

NHM can restore device configuration information from any of the previous backup records of the selected device.

To restore a device configuration

1. Select the device to restore and choose Actions > Restore.

The dialog box that appears displays a hierarchical view of the available backup sets. Within each backup set is an individual device selection. This information allows the administrator to select a group and deselect one or more devices.

2. Select the devices and backup sets.

The final Restore dialog box appears.

Note: The Restore action cannot clone device configurations. Use the Extract and Deploy Configuration feature to deploy configuration information to devices. The Restore action returns the configuration (and additional files) only to the device from which it was originally retrieved. Additionally, the Restore action could corrupt the selected device to an extent that NHM would be unable to communicate with it, if an application such as Check Point VPN-1/FireWall-1 is restored without the correct policy being available.

Extracting and Deploying Configurations

The Extract and Deploy Configuration features reduce the initial configuration effort. Together with the scheduler, role-based access control, filtered groups, and constraints, Extract/Deploy Configuration forms a useful combination that reduces the initial deployment time required for Nokia appliances.

The Extract/Deploy Configuration feature is currently only supported by NSP devices running the Nokia IPSO operating system (versions 3.5, 3.5.1, 3.6, and 3.7).


Using Extract Configuration Feature

The network administrator configures one device according to guidelines and policies. This procedure involves installing the correct operating system and software packages and configuring parameters of the underlying platform. To do so, use the Web-based element manager, Nokia Network Voyager, available on all Nokia security platforms.

Use the Extract Configuration action. This action:

Identifies the operating system version.
Reads common configuration parameters.
Identifies the software packages installed on the appliance and their state.
Extracts Check Point configuration settings.
Stores the information in the NHM server as an XML file.

The common configuration parameters include all parameters that are not specific to the particular device and parameters that typically have the same value in a large deployment. Typical parameters are:

the primary and secondary DNS server addresses, NTP, and policies about whether Telnet, FTP, or SSH is enabled or disabled on the device.

This extraction action also allows you to specify a name and description for the extracted configuration.

Role-based management allows only users with appropriate privileges to create and extract a configuration.

NHM GUI clients can download the configuration file to the local computer where the client is running. The following figure shows the Extract Configuration dialog box. To create the file, insert a filename in the Destination XML Template File field.


Using Configure and Deploy Feature

With the NHM v1.3 configuration management feature, you can deploy configuration data to selected devices automatically. Using a previously obtained configuration file as a starting point or IPSO operating system version 3.5, 3.5.1, 3.6, or 3.7 as a template, you can modify settings and deploy new software to the devices.

NHM displays the OS types/versions, software packages required as part of the configuration, and a table with all configuration items (name/value pairs). Each entry in the table has an enable/disable checkbox that identifies whether that particular item is to be set on the device or left as it is.

When you start the action, it performs the following for each selected device:

Checks the Constraint rules.
Installs a new OS, if required, as specified in the stored configuration.
Installs new packages, if required, as specified in the stored configuration.
Enables/Disables packages as specified in the configuration.
Sets all the configuration parameters.

The Configure and Deploy action also can download multiple files and run scripts and commands in a sequence that you specify. These optional steps help the device administrator to perform customization of the devices after the operating system and packages are installed.

The example shows the IPSO tab with the OS Configuration Element Tree and value pairs table displayed. Use this tab to edit, enable, and disable IPSO records in the configuration template.


To manage and deploy configurations

1. Select devices for the action.

2. Choose Actions > Device Configuration > Configure and Deploy. Information about the current configuration, if any, displays in the Info tab.

3. Click either New to use a standard IPSO template or Open to use a previously saved template.

4. Click the IPSO tab to view and make changes to the IPSO configuration information.

5. Click Packages to set the template to delete or enable packages on the selected devices. Click Add or Delete to add or delete packages to the configuration for deployment.

6. Click Check Point to initially configure Check Point packages. Note that the edited configurations are deployed by adding them as packages to the Packages tab, then deploying them.

7. Click Post Actions to add actions that will be executed after the configuration has been deployed.

8. Click Show Devices to verify the list of devices for the action.

9. Click Start to start the action or Schedule to run it at another time.


Removing Unused Images

The Nokia IP security platforms tend to accumulate operating system images and application packages as part of the upgrade process. The Nokia small office systems overwrite the current operating system image or application in the upgrade process. This action provides a convenient method with which to quickly return to the previous state of the device if necessary. When you use NHM, you do not need to leave old versions of IPSO or applications on devices. The combination of Backup and Restore actions with local storage of operating system images and application packages is more efficient than leaving unused images on your Nokia appliance.

To remove unused images

1. To select the IPSO-based IP security platforms that you want to remove unused images from, choose Devices or Results > Table > Open Cell Details.

Select the table cells in the Packages column and look at the content of each cell to review the list of installed packages.

2. Choose Actions > OS and Package Management > Delete Package or OS.

The Delete dialog box appears and lists unused IPSO images and application packages that exist on the selected devices. After the Delete action starts, NHM processes the list of selected devices and removes the indicated components from each one.

Rebooting Selected Devices

After you select the devices that you want to reboot, choose Actions > Reboot Devices. Any device reboot action effectively removes the Nokia IP security platform from the network while the reboot is in process.

Installing Operating System Images and Application Packages

Installing new versions of the operating systems or applications is among the most tedious and time consuming of all network or system management activities. NHM greatly accelerates these operations for multiple Nokia IP security platforms. Moreover, NHM constrains installation, and upgrade, actions (operating system images and applications) to minimize any deleterious effects that might cause the selected devices to become unusable or unreachable.

These constraints are rules that NHM uses to determine the compatibility of different software packages, operating system versions, and device types. These rules are used when an installation, upgrade, or version change on any device is initiated. Incompatible versions of operating systems, software packages, and hardware devices can cause software to function incorrectly and place the devices in an unstable, or unusable, state. You can view the constraint rules under Options > Constraints. Additionally, you should check the constraint files for updates with each new operating system image or application package that you add to the NHM data storage area. To obtain a new operating system image or application package, go to the Nokia Web Support site at https://support.nokia.com.


Importing Installable Files

Nokia Horizon Manager needs to detect the operating system images and application packages that you transferred into the data storage area.

To import installable files

1. Select Installable Files from the Options menu.

The first time this dialog box appears, it is empty.

2. Click Import and select the location of the operating system images and application packages. NHM recursively scans the directory for operating system images and application packages. Content information from each package is extracted and displayed in the Installable Files dialog box. As new operating system images and application packages are released, they need to be imported into the NHM Installable Files list. NHM can now install the images and packages on the selected devices.

To install files on the Nokia security platform

1. Select the appropriate devices on which to install the operating system image or application package. The selection can be accomplished by a number of methods:

Individual device selection
Predefined group
New grouping for the current action

2. Operating system and application package installations are two separate actions; therefore, their execution is isolated from each other.

a. For an operating system installation, choose Actions > Install OS.

The Install OS action is available for all Nokia security platform types; a dialog box appears that contains tabs for each selected device type (for example, NSP and IP30).

b. For an application package installation, choose Actions > Install Package and perform the procedure described in To install application packages.

The operating system installation performs the following possible operations on IPSO-based devices:

Configuration backup
Image installation
Device reboot

The configuration backup operation is identical to the individual backup action. Precede any operating system installation by a complete configuration backup. This allows the device to be returned to a previously known good state, if necessary. The installation requires that you select an IPSO image and activate it after a device reboot. This procedure allows NHM to place an additional version of IPSO on the selected device for later, rather than immediate, activation. Only one IPSO image can be installed in the course of an action. NHM applies the Nokia constraints during the installation operation. If selected, NHM reboots the selected device after the image installation is complete. This reboot is only required if an immediate upgrade to the new version of IPSO is desired, although separating the reboot action from the Install OS action is also possible.

The backup and install operations are available for Small Office Systems devices (IP30). The Small Office Systems devices reboot at the completion of the new operating system image installation into the new operating system. When you are working with the IP30 devices, plan for automatic reboot as the result of an operating system installation.

The Install Package action is only available for NSP devices (such as IPSO-based devices). The small office devices incorporate their application in the operating system image, thus making the use of the Install Package action on the IP30 devices unnecessary.

To install application packages

1. After the appropriate devices are selected, choose Actions > Install Package.

The Install Package dialog box contains the same options as the Install OS dialog box: configuration backup, package installation, and device reboot. You select the application packages you want installed from the packages listed in the dialog. You can install more than one application in the Install Package action.

Note: Precede any application package installation by a complete configuration backup.

2. Once the action is initiated, NHM processes the list of selected devices. NHM applies the package installation constraints during the installation operation.

Selecting Operating System and Application Versions

The selection of operating system and application versions is only available on IPSO-based NSPs. These devices can contain multiple operating system images and applications. While only one version of the operating system or application can be active at one time, older installations can remain loaded on the device. This feature of the IPSO-based NSPs allows the operating system and applications to be readily rolled forward or backward.

NHM allows the device administrator to select the versions of the operating system and applications easily for all selected devices. Once the devices are selected, choose either Change Active OS or Change Package Selection from the Action > OS and Package Management menu. For the Change Active OS action, all potential IPSO image versions are listed in the Change Active OS dialog box. You can choose only one IPSO image from the dialog box. For the Change Package Selection action, the dialog box lists all available application versions. The NHM administrator must first select which application packages will change activation state. Only after an application package is selected in the Change Package Selection dialog box can its activation state be set. By default, the activation state of any package is OFF in the Change Package Selection dialog box and it is not necessarily the current package state on each device. Each package activation state must be properly set before you initiate the Change Package Selection action; otherwise, an application package might be inadvertently disabled.

Both selection actions have an option to reboot the selected device after the selection action is complete. This option is necessary to make a change in the operating system image that is being used by the selected device. This option is not always necessary for the application packages.

As the selected action progresses through the list of devices, NHM applies the constraint rules to the selection action. While the constraint rules minimize the risk of incompatible hardware or software revisions, they do not eliminate all risk that results from misconfiguration. The OS Version Selection and Package Selection actions could disable communication with the selected devices.

Executing a Command on Devices

NHM can execute a shell command on designated devices. You can execute single line commands on each device by choosing Actions > General > Execute Command. The Execute Command dialog box allows you to enter a single line command. On the IPSO-based Nokia IP security platforms you can compound individual commands by separating them with a semicolon. A 32 KB (approximately 32,000 characters) output size is the largest acceptable size for any device. After the command execution action is complete, the status that the command returns, and any results, appear in the action results pane.


Using Custom Commands and Scripts on a Device

NHM can transfer any file to an IPSO-based Nokia IP security platform. This functionality is in addition to the operating system and application package action. The device administrator can create command scripts to perform specific functions that are not directly available from IPSO or place a file on the device for later use. Some example files are available in the NHM scripts directory (C:\Nokia\nhm13\server\plugins\scripts in Windows or /opt/nhm13/server/plugins/scripts in Solaris).

To run a script, choose Actions > General > Run Scripts. The Run Scripts dialog box appears. Once you select the script and specify any command-line arguments, you can initiate the action. The script is downloaded to the selected devices, executed, and then deleted. The result of the script is indicated in the Action Results pane. An administrator who uses this action needs to be certain that a custom script does not place the selected device in an unstable condition before they attempt to use the script on a group of devices.

Uploading Files to Devices

NHM can distribute any file to its devices. This feature allows the device administrator to deposit any file on the device. Once the file is ready and available on the NHM console, choose Actions > General > Upload File. This opens the Upload File dialog box. The dialog box contains a source and a destination field. You can select the file to be transferred to the device from a drop-down list or from the file system; the desired location on the selected device (only the /var mount in an IPSO filesystem is writable) must be indicated. Two options are available for this action:

Overwrite an existing file of the same name.
Calculate the checksum for the file.

NHM processes the list of selected devices and transfers the designated file to each device.

Using NHM with Check Point VPN-1/FireWall-1

NHM provides several actions to interact with the Check Point VPN-1/FireWall-1 application. These actions provide a basic configuration interaction with the VPN-1/FireWall-1 application that fills the gap between the Check Point VPN-1/FireWall-1 graphical user interface and the necessary command-line configuration for each firewall module.

Licensing VPN-1/FireWall-1

Each instance of VPN-1/FireWall-1 must have its own license before Check Point firewall software can become functional. NHM applies Check Point VPN-1/FireWall-1 licenses to any selected device specified. With a valid license string (obtained from the Check Point license center: http://license.checkpoint.com/) in a text file, NHM can apply the license to the selected devices. Once the Check Point VPN-1/FireWall-1 licenses are ready to be delivered, choose Actions > Application Management > License Check Point Firewall. The resulting dialog box contains two panes: Backup and License. The application of a new license to the Check Point VPN-1/FireWall-1 application might disrupt the selected device, should the license string contain any errors. Therefore, you must use the backup options in this dialog box. You must apply the license option to the appropriate license file. NHM applies the Check Point VPN-1/FireWall-1 license to the designated firewall devices.

Starting or Stopping VPN-1/FireWall-1

Nokia Horizon Manager can manipulate the operational state of the VPN-1/FireWall-1 application by issuing a cpstart or cpstop command to any designated device. These actions are essential to complete the installation of a new license. Since the VPN-1/FireWall-1 license is incorporated into the VPN-1/FireWall-1 application kernel during the application start, you must restart the application to apply a new license.

Either operation has the potential to deny access to the firewall device itself or any network attached to the device. If IP forwarding is only available while the VPN-1/FireWall-1 is running (a common configuration and a good security practice), stopping VPN-1/FireWall-1 denies network access through the selected device. Conversely, if the security policy for VPN-1/FireWall-1 blocks the NHM console from communicating with the selected device, access to that device is lost after VPN-1/FireWall-1 starts.

Configuring VPN-1/FireWall-1

In addition to the initial installation of the application package and application license, you must configure VPN-1/FireWall-1 operating parameters by using the cpconfig command. This means that the firewall administrator needs to access each firewall gateway device to configure the running parameters for VPN-1/FireWall-1.

NHM supports the bulk configuration of Check Point VPN-1/FireWall-1 running parameters for VPN-1/FireWall-1 v4.1 and NG. NHM can update the VPN-1/FireWall-1 NG default filter to allow ICMP and SSH packets. Each configuration action for VPN-1/FireWall-1 supports a standalone or distributed type of configuration.

For all three configuration actions, NHM collects the necessary configuration parameters and processes each selected device in the queue. Thus, NHM can initially configure the Check Point VPN-1/FireWall-1 application from a centralized, secure location. You must use the backup option present in the Configuration dialog boxes as part of the configuration process. The ability to roll back a configuration change to a known good configuration minimizes potential downtime from configuration errors.

Example: Updating to Check Point FP3 from FP2

This procedure describes how to upgrade from Check Point NG Feature Pack 2 to Feature Pack 3 in an IPSO management server and enforcement module configuration.

Do not disable the Check Point NG FP2 package or any other Check Point packages.


To update to Check Point FP3 from FP2

1. Choose Actions > OS and Package Management > Upgrade Package from Check Point NG FP2 to Check Point VPN-1/FireWall-1 NG Feature Pack 3 wrapper package.

2. Check the check box for the package and click On.

Make sure you select Reboot Device.

Warning: If you do not select Reboot Device, your Check Point package cannot be properly activated and the management server cannot communicate with any other Check Point NG FP3 component.

3. Click Start. NHM enables the SVN Foundation and the VPN-1/FireWall-1 packages. You should be able to communicate with the management server by using Check Point SmartDashboard NG FP3. At this point, you can still manage your Check Point NG FP2 enforcement modules that use the NG FP3 management server.

For More Information...

In addition to this guide, you can find detailed information about NHM in Online Help and the following documents:

Nokia Horizon Manager Getting Started Guide—Provides a description of the system features and an overview of how to get your appliance up and running.
Nokia Horizon Manager User’s Guide—Provides detailed information on how to use NHM.
Nokia Horizon Manager and Check Point—Provides information on how NHM and Check Point work together.
NHM v1.3 Basic Operations Reference Guide—Contains detailed descriptions of using menu commands, dialog boxes, and other aspects of the user interface.
