Basic Device Configuration
CLI
unset interface bgroup0 port ethernet0/3
unset interface bgroup0 port ethernet0/4
set interface bgroup1 port ethernet0/3
set interface bgroup1 port ethernet0/4
set interface bgroup1 port wireless0/2
set interface bgroup1 zone DMZ
set interface bgroup1 ip 10.0.0.1/24
save
Administrative Access
By default, anyone in your network can manage a device if they know the login and
password. To configure the device to be managed only from a specific host on your
network, use the WebUI or CLI as follows:
WebUI
Configuration > Admin > Permitted IPs: Enter the following, then click Add:
IP Address/Netmask: ip_addr/mask
CLI
set admin manager-ip ip_addr/mask
save
Management Services
ScreenOS provides services for configuring and managing the device, such as
SNMP, SSL, and SSH, which you can enable on a per-interface basis. To configure
the management services on the device, use the WebUI or CLI as follows:
WebUI
Network > Interfaces > List > Edit (for ethernet0/0): Under Management Services,
select or clear the management services you want to use on the interface, then
click Apply.
CLI
set interface ethernet0/0 manage web
unset interface ethernet0/0 manage snmp
save
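An added example (not part of the Juniper guide): a short Python check that reads
saved configuration lines and reports when no manager-ip restriction exists or a
cleartext management service is enabled on an interface. It only sees explicit
set/unset lines, so interface defaults are out of scope; the sample configuration,
the function name audit, and the classification of telnet, web and snmp as
cleartext are assumptions of this example.

```python
import ipaddress
import re

# Assumption: telnet, web (HTTP) and snmp (v1/v2c) cross the network in
# cleartext; ssl and ssh are the encrypted alternatives.
CLEARTEXT = {"telnet", "web", "snmp"}

# Constructed sample of saved configuration lines, not from a real device.
SAMPLE_CONFIG = """\
set interface ethernet0/0 manage web
set interface ethernet0/0 manage snmp
unset interface ethernet0/0 manage snmp
set interface bgroup0 manage telnet
set interface bgroup0 manage ssh
set admin manager-ip 192.168.1.10/32
"""

MANAGE_RE = re.compile(r"^(set|unset)\s+interface\s+(\S+)\s+manage\s+(\S+)$")
MGR_IP_RE = re.compile(r"^set\s+admin\s+manager-ip\s+(\S+)$")

def audit(config_text):
    """Return (findings, services per interface, permitted manager networks)."""
    services, managers = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MANAGE_RE.match(line)
        if m:
            action, iface, svc = m.groups()
            enabled = services.setdefault(iface, set())
            # A later unset cancels an earlier set, as it would at the CLI.
            (enabled.add if action == "set" else enabled.discard)(svc.lower())
            continue
        m = MGR_IP_RE.match(line)
        if m:
            managers.append(ipaddress.ip_network(m.group(1), strict=False))
    findings = []
    if not managers:
        findings.append("no manager-ip set: any host may attempt admin login")
    for net in managers:
        if net.prefixlen == 0:
            findings.append(f"manager-ip {net} permits every address")
    for iface in sorted(services):
        for svc in sorted(services[iface] & CLEARTEXT):
            findings.append(f"{iface}: cleartext management service '{svc}'")
    return findings, services, managers

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[0]:
        print(finding)
```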
SSG 5 Hardware Installation and Configuration Guide
Hostname and Domain Name
The domain name defines the network or subnetwork that the device belongs to,
while the hostname refers to a specific device. The hostname and domain name
together uniquely identify the device in the network. To configure the hostname
and domain name on a device, use the WebUI or CLI as follows:
WebUI
Network > DNS > Host: Enter the following, then click Apply:
Host Name: name
Domain Name: name
CLI
set hostname name
set domain name
save
Default Route
The default route is a static route used to direct packets addressed to networks that
are not explicitly listed in the routing table. If a packet arrives at the device with an
address for which the device does not have routing information, the device sends
the packet to the destination specified by the default route. To configure the default
route on the device, use the WebUI or CLI as follows:
WebUI
Network > Routing > Destination > New (trust-vr): Enter the following, then click OK:
IP Address/Netmask: 0.0.0.0/0.0.0.0
Next Hop
Gateway: (select)
Interface: ethernet0/2 (select)
Gateway IP Address: ip_addr
CLI
set route 0.0.0.0/0 interface ethernet0/2 gateway ip_addr
save
Management Interface Address
The Trust interface has the default IP address 192.168.1.1/24 and is configured for
management services. If you connect the 0/2—0/4 port on the device to a
workstation, you can configure the device from a workstation in the 192.168.1.1/24
subnetwork using a management service such as Telnet.
You can change the default IP address on the Trust interface. For example, you
might want to change the interface to match IP addresses that already exist on your
LAN.
Backup Untrust Interface Configuration
The SSG 5 device allows you to configure a backup interface for untrust failover. To
set a backup interface for untrust failover, perform the following steps:
1. Set the backup interface in the Null security zone with the
unset interface interface [port interface] CLI command.
2. Bind the backup interface to the same security zone as the primary interface
with the set interface interface zone zone_name CLI command.
To set the ethernet0/4 interface as the backup interface to the ethernet0/0 interface,
use the WebUI or CLI as follows:
WebUI
Network > Interfaces > Backup > Enter the following, then click Apply.
Primary: ethernet0/0
Backup: ethernet0/4
Type: track-ip (select)
CLI
unset interface bgroup0 port ethernet0/4
set interface ethernet0/4 zone untrust
set interface ethernet0/0 backup interface ethernet0/4 type track-ip
save
NOTE: The primary and backup interfaces must be in the same security zone. One
primary interface has only one backup interface, and one backup interface has
only one primary interface.
Basic Wireless Configuration
This section provides information for configuring the wireless interface on the
SSG 5-WLAN device. Wireless networks consist of names referred to as Service Set
Identifiers (SSIDs). Specifying SSIDs allows you to have multiple wireless networks
reside in the same location without interfering with each other. An SSID name can
have a maximum of 32 characters. If a space is part of the SSID name string, then
the string must be enclosed with quotation marks. Once the SSID name is set, more
SSID attributes can be configured. To use the wireless local area network (WLAN)
capabilities on the device, you must configure at least one SSID and bind it to a
wireless interface.
The SSG 5-WLAN device allows you to create up to 16 SSIDs, but only 4 of them can
be used simultaneously. You can configure the device to use the 4 SSIDs on either
one of the transceivers or split the use on both (for example, 3 SSIDs assigned to
WLAN 0 and 1 SSID assigned to WLAN 1). Use the
set interface wireless_interface wlan { 0 | 1 | both } CLI command to set the
radio transceivers on the SSG 5-WLAN device. Figure 12 shows the default
configuration for the SSG 5-WLAN device.
Once you have set an SSID to the wireless0/0 interface, you can access the device
using the default wireless0/0 interface IP address in the steps described in
“Accessing a Device” on page 24.
Figure 12: Default SSG 5-WLAN Configuration
By default, the wireless0/0 interface is configured with the IP address
192.168.2.1/24. All wireless clients that need to connect to the Trust zone must
have an IP address in the wireless subnetwork. You can also configure the device to
use DHCP to automatically assign IP addresses in the 192.168.2.1/24 subnetwork to
your devices.
By default, the wireless0/1 – wireless0/3 interfaces are defined as Null and do not
have IP addresses assigned to them. If you want to use any of the other wireless
interfaces, you must configure an IP address for it, assign an SSID to it, and bind it
to a security zone. Table 6 displays the wireless authentication and encryption
methods.
NOTE: If you are operating the SSG 5-WLAN device in a country other than the United
States, Japan, Canada, China, Taiwan, Korea, Israel, or Singapore, then you must
use the set wlan country-code CLI command or set it on the Wireless > General
Settings WebUI page before a WLAN connection can be established. This
command sets the selectable channel range and the transmit power level.
If your regional code is ETSI, you must set the correct country code that meets
your local radio spectrum regulations.
[Figure 12 diagram labels: Untrust Zone, Trust Zone, wireless0/0, Console]
Table 6: Wireless Authentication and Encryption Options
Authentication    Encryption
Open              Allows any wireless client to access the device
Shared-key        WEP shared-key
WPA-PSK           AES/TKIP with pre-shared key
WPA               AES/TKIP with key from RADIUS server
WPA2-PSK          802.11i compliant with a pre-shared key
WPA2              802.11i compliant with a RADIUS server
WPA-Auto-PSK      Allows WPA and WPA2 type with pre-shared key
WPA-Auto          Allows WPA and WPA2 type with RADIUS server
802.1x            WEP with key from RADIUS server
Refer to the Concepts & Examples ScreenOS Reference Guide for configuration
examples, SSID attributes, and CLI commands relating to wireless security
configurations.
To configure a wireless interface for basic connectivity, use the WebUI or CLI as
follows:
WebUI
1. Set the WLAN country code and IP address.
Wireless > General Settings > Select the following, then click Apply:
Country code: Select your code
IP Address/Netmask: ip_add/netmask
2. Set the SSID.
Wireless > SSID > New: Enter the following, then click OK:
SSID:
Authentication:
Encryption:
Wireless Interface Binding:
3. (Optional) set the WEP key.
SSID > WEP Keys: Select the key ID, then click Apply.
4. Set the WLAN mode.
Network > Interfaces > List > Edit (wireless interface): Select Both for the
WLAN mode, then click Apply.
5. Activate wireless changes.
Wireless > General Settings > Click Activate Changes.
