GUIDE

STORMSHIELD NETWORK SECURITY

VIRTUAL FIREWALLS - INSTALLATION GUIDE

Product concerned: SNS 3.7-LTSB

Document last update: February 1, 2021

Reference: sns-en-sn_virtual_appliance-installation_guide

Virtual firewalls - Installation guide


Table of contents

Requirements
  Requirements relating to the hypervisor
  Requirements by model of virtual firewall
Registering a Stormshield product
Installing a virtual firewall
  Downloading installation files
  Downloading the license
  Deploying a virtual image in VMware
  Deploying a virtual image in Xenserver
Configuring the virtual firewall
  Connecting to the firewall
  Activating the virtual image
Firewalls in high availability (VSphere hypervisor)
  Explanation
  Solution
    Using the web administration interface
    Using the system console
Questions / answers
Further reading


Requirements

The user must be familiar with VMware, Xenserver, Microsoft Hyper-V or Linux KVM virtual environments in order to deploy virtual firewalls. The following tables set out all the technical requirements.

Requirements relating to the hypervisor

The "Number of interfaces" column in the table represents the number of interfaces connected to the virtual machine.

Version of the hypervisor                         | Number of interfaces
--------------------------------------------------|-----------------------------------------------
VMWare ESX/ESXi version 5.5 and upwards           | Min. 1 interface, max. 10 interfaces
Citrix Xen Server version 6.2 and upwards         | Min. 1 interface, max. 7 interfaces
Microsoft Hyper-V Windows Server 2012 and upwards | Min. 1 interface, max. 8 interfaces
Linux KVM Linux 7.2 and upwards                   | Min. 1 interface, max: depends on the Linux vendor chosen

Requirements by model of virtual firewall

Model | RAM  | HDD                  | Virtual CPU
------|------|----------------------|-----------------
V50   | 1 GB | 10 GB (2 GB of swap) | 1 (max=1)
V100  | 1 GB | 10 GB (2 GB of swap) | 1 (max=1)
V200  | 2 GB | 10 GB (2 GB of swap) | 1 (max=1)
V500  | 2 GB | 10 GB (2 GB of swap) | 1 (max=1)
VS5   | 2 GB | 10 GB (4 GB of swap) | 1 (max = 2) [1]
VS10  | 2 GB | 10 GB (4 GB of swap) | 1 (max = 2) [1]
VU    | 4 GB | 10 GB (4 GB of swap) | 1 (max = 4) [2]

[1]: recommended value, the number of Virtual CPUs can be set to 2

[2]: recommended value, the number of Virtual CPUs can be set to 4


Registering a Stormshield product

To register your product:

1. After having placed your order, check your mailbox in order to retrieve the e-mail containing your serial number and password.

2. Log in to your private-access area (https://mystormshield.eu).

3. If this is your first time registering, you must create a client account:

   - On the Mystormshield connection page, click on Create a new account.

   - Fill in the form that appears.

   - Confirm the data in the form by clicking on Create a new account.

4. Log in using your ID (e-mail address) and password.

5. Go to the Products > Register an SNS product menu.

6. Read and accept the conditions of use.

7. Fill in the mandatory fields (Serial number, Password and Reseller).

8. Click on Register.

NOTE: For further information, refer to the page Registering products.


Installing a virtual firewall

VU virtual firewalls can only be activated from the disk image (OVA) if the virtual machine has at least 4 GB of memory. This capacity, indicated for VUs, is due to the firmware switching to a 64-bit version.

By default, the memory size initially configured in the disk image (OVA) for all VS models is 2 GB.

Downloading installation files

After registering the appliance, you will be able to download the files required for the installation from your private-access area (https://mystormshield.eu/):

- The installation file (virtual image)

- The license as well as the subscribed options (activation kit)

Depending on the virtual firewall model used (V or VS-VU), the installation file comes in four formats that correspond to the four hosting/virtualization platforms:

Virtual Image for V50-A, V100-A, V200-A and V500-A

- utm-SNS-VM-version no..ova for VMWare platforms,

- utm-SNS-VM-version no..openstack.qcow2.gz for Openstack-based platforms,

- utm-SNS-VM-version no..kvm.qcow2.gz for KVM-based platforms,

- utm-SNS-VM-version no..hyperv.vhd.zip for Microsoft Hyper-V platforms.

Virtual Image for VU-A, VS5-A and VS10-A

- utm-SNS-VS-VU-version no..ova for VMWare platforms,

- utm-SNS-VS-VU-version no..openstack.qcow2.gz for Openstack-based platforms,

- utm-SNS-VS-VU-version no..kvm.qcow2.gz for KVM-based platforms,

- utm-SNS-VS-VU-version no..hyperv.vhd.zip for Microsoft Hyper-V platforms.

To download the installation file:

1. Log in to your private-access area on https://mystormshield.eu.

2. Go to the Downloads > Downloads > Latest Versions menu.

3. Expand the Stormshield Network Security - Firmware - V X.YZ menu corresponding to the desired firmware version.

4. Select the virtual image in the desired installation format.

5. Save this virtual image on your workstation.

Downloading the license

1. In your private-access area, go to Products > Product management.

2. Select the model then serial number of your firewall from the list of registered firewalls.

3. In the Downloads window, click on the name of the license file.

4. Save this file on your workstation.

5. Indicate the version of the activation kit you wish to install.

6. Click on the Download the activation kit link.

7. Save this file on your workstation.


Deploying a virtual image in VMware

1. Open the vSphere client from your administration workstation.

2. Enter the login parameters for vCenter Server:

   - IP address/Name,

   - User name,

   - Password.

3. Click Connect.

4. Click on the File menu then on Deploy OVF template....

5. Click on Browse.

6. Select the access path of the OVA file downloaded earlier (see section Downloading installation files).

7. Click on Next.

8. Read and accept the conditions of use.

9. Click on Next.

10. Select the location of the inventory in which the virtual machine will be installed.

11. Click on Next.

12. Select the Host/Cluster that will host the virtual machine.

13. Click on Next.

14. Select the storage location.

15. Click on Next.

16. Confirm the disk format by clicking on Next.

17. Select the network(s) that the virtual machine uses.

18. Click on Next.

19. Fill in the form on the firewall's minimum configuration:

   - Hostname: firewall's name,

   - IP address: firewall's IP address (DHCP for dynamic assignment),

   - Netmask: network mask (empty if DHCP),

   - Gateway: IP address of the default gateway (empty if DHCP),

   - Password: password of the firewall's admin account (confirm it).

The Stormshield Network virtual firewall is now deployed in your virtual infrastructure.

NOTE: In the case of VU virtual firewalls, their memory size needs to be modified so that they hold at least 4 GB of memory before they can be run.

Deploying a virtual image in Xenserver

1. Open XenCenter from your administration workstation.

2. Log on to the hypervisor.

3. Enter the login parameters for Xenserver (IP address/Name, user name and password).


4. Click on the File menu then Import.

5. Select Browse and indicate the access path to the .OVA* file.

6. Read and accept the conditions of use.

7. Complete the steps in the installation of Xenserver.

The Stormshield Network virtual firewall is now deployed in your virtual infrastructure.

*: File downloaded from Stormshield's website. See section Downloading installation files.


Configuring the virtual firewall

We will now proceed to the configuration and activation of the Stormshield Network virtual firewall.

Connecting to the firewall

These operations are not necessary for machines deployed over VMWare if you have filled in the form for the base configuration during the deployment (step Deploying a virtual image in VMware). In this case, you can go on directly to Activating the virtual image.

In all other cases:

1. Select and start up the virtual firewall.

2. Access the Stormshield Network firewall's administration console by going to the Console tab.

3. An initial wizard will help you in the configuration of your appliance. Choose your keyboard language.

4. Enter the password for the admin user and confirm it:

5. Indicate the IP address, subnet mask and the default gateway that will be applied to the bridge created initially on your firewall. This IP address must be accessible from your workstation:


6. The wizard will also offer the possibility of allowing firewall administration from its out interface. Confirm simply by pressing "Enter":

The Stormshield Network firewall is now configured. You can manage it by opening your web browser and entering the IP address that you have configured in the previous step (https://fw_ip_address/admin/).

Activating the virtual image

By default the serial number of virtual images is V50XXA0A0000001. The activation of the virtual image will assign the model of the virtual firewall, its permanent serial number, its license as well as the subscribed options.

1. Open the web browser,

2. Log on to the firewall at the address https://firewall_ip_address/admin,

3. Enter the name of the admin user as well as the password defined during the installation,

4. Go to the System Update tab in the System > Maintenance menu.

5. Select the activation kit (*.maj file),

6. Confirm the update.


Firewalls in high availability (VSphere hypervisor)

Whenever you create a high availability firewall cluster in a VSphere environment, you may encounter issues when attempting to connect to the cluster remotely in the following architectures:

Firewalls hosted on the same ESX server and connected to vSwitches:

Firewalls hosted on two separate ESX servers and connected to vSwitches:


Firewalls hosted on two separate ESX servers and connected to dvSwitches:

Explanation

Thanks to VMWare tools, the virtual switch (vSwitch/dvSwitch) automatically learns the MAC addresses of appliances connected to these ports.

Since both members of a firewall cluster have the same MAC address by default, when there are network packets for a particular MAC address, the virtual switch always sends them only to the firewall bearing this address regardless of its status in the cluster (active or passive). Therefore, if the virtual switch (vSwitch/dvSwitch) sends packets to the passive firewall, these packets will be automatically ignored.

Solution

The solution is to delete the MAC addresses imposed in the configuration of both firewalls. This operation can be performed through the web administration interface or the firewall's system console.

Using the web administration interface

In the Network > Interfaces menu > Advanced properties tab > Physical (MAC) address field, delete all customized MAC addresses for network interfaces on virtual firewalls and apply your changes.

Using the system console

1. In the configuration file /usr/Firewall/ConfigFiles/network, delete all lines containing the entry"MacAddress=".

2. Next, type the system commands ennetwork and then hasync in order to apply these changes and synchronize the active firewall's configuration with the passive firewall's configuration.


Depending on the network devices connected to the Stormshield Network firewalls, and mainly according to their set ARP timeout values, more time may be required to restore connections when the roles of the firewalls are changed within the cluster (active/passive).
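Step 1 of the console procedure above, as an added example that is not part of the Stormshield guide: a POSIX shell function that backs up the configuration file before deleting every line containing "MacAddress=". The function names, the .bak suffix and the sample file layout are assumptions; only the key name and the file path come from the guide.

```shell
#!/bin/sh
# Added example (not Stormshield's code). Only the key "MacAddress=" and the
# path /usr/Firewall/ConfigFiles/network come from the guide.

# strip_mac_overrides FILE (hypothetical helper name)
# Backs FILE up to FILE.bak, deletes every line containing "MacAddress=",
# and prints how many lines were removed. Returns non-zero on error.
strip_mac_overrides() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }

    # grep -c prints 0 and exits 1 when nothing matches; not an error here.
    count=$(grep -c 'MacAddress=' "$cfg") || true
    if [ "$count" -eq 0 ]; then
        echo 0
        return 0
    fi

    cp -p "$cfg" "$cfg.bak" || return 1
    tmp="$cfg.tmp.$$"
    # grep -v exits 1 if no line survives; only a status above 1 is a failure.
    grep -v 'MacAddress=' "$cfg" > "$tmp" || [ "$?" -eq 1 ] || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$cfg" || return 1
    rm -f "$tmp"
    echo "$count"
}

# write_sample FILE: constructed sample; the section layout is an assumption,
# not a copy of a real firewall configuration.
write_sample() {
    printf '%s\n' \
        '[ethernet0]' 'Name=out' 'MacAddress=00:0c:29:aa:bb:01' \
        '[ethernet1]' 'Name=in' 'MacAddress=00:0c:29:aa:bb:02' > "$1"
}

# Stand-alone demo on the constructed file.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/network"
echo "removed $(strip_mac_overrides "$demo_dir/network") line(s)"
rm -rf "$demo_dir"
```

On a firewall, the function would be run against /usr/Firewall/ConfigFiles/network, followed by ennetwork and hasync as described in step 2.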


Questions / answers

Symptom: The serial number of my firewall is V50XXA0A0000001.

Solution: Your Stormshield Network firewall has not been activated (this is the default serial number). Please refer to the section Activating the virtual image.

Symptom: Some features are not available.

Solutions:

- Check that the serial number of your firewall is not V50XXA0A0000001. If this is so, this means that your firewall has not been activated. Please refer to the section Activating the virtual image.

- Your firewall has been activated. Check your license and the subscribed options by clicking on the System > License menus in the firewall's administration interface.


Further reading

To get help regarding your product, you can refer to Stormshield's documentation portal: https://documentation.stormshield.eu/.

Stormshield has also set up a Technical Assistance Center offering several resources and tools to resolve technical problems on your firewall:

- A knowledge base that you can access using the same login credentials you use for your Mystormshield client area,

- A certified distribution network. You can therefore ask your reseller for advice.

For further information on technical assistance, please refer to the document Stormshield Technical Assistance Center (TAC) Support Charter.


All images in this document are for representational purposes only, actual products may differ.

Copyright © Stormshield 2021. All rights reserved. All other company and product names contained in this document are trademarks or registered trademarks of their respective companies.