Title Page IP390 Security Platform Installation Guide Part No. N450000381 Rev 001 Published October 2008...
Page 2
IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services;...
Page 3
44 1252 868900 Africa Asia-Pacific 65 6723 2999 International 1 613 271 6721 Non-Technical Support For non-technical support issues, including your Nokia Support Agreement, licensing, and Web site access, use the following contact information: E-mail: es.service@nokia.com 080919 IP390 Security Platform Installation Guide...
Page 11
Figure 7 Back Panel Power Switch and Socket ......25 Figure 8 Nokia Network Voyager Reference Access Points ....35 Figure 9 Four-Port Ethernet NIC Front Panel Details .
About This Guide This guide describes how to install and use Nokia IP390 security appliances. Installation and maintenance should be performed by experienced technicians or Nokia-approved service providers only. This preface provides the following information: In this Guide Conventions this Guide Uses...
This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.
Conventions this Guide Uses Table 1 Command-Line Conventions Convention Description Square brackets [ ] Indicates optional arguments. delete [slot slot_num] For example: delete slot 3 -flag A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument.
CLI Reference Guide for the version of Nokia IPSO you are using Getting Started Guide and Release Notes for the version of Nokia IPSO you are using Nokia IPSO Boot Manager Reference Guide, which describes how to use the Nokia IPSO...
Overview The Nokia IP390 appliance combines the power of Nokia IPSO software with your choice of firewall and VPN applications. These appliances are ideally suited for growing companies and satellite offices that want high-performance IP routing combined with the industry-leading Check Point VPN-1 enterprise applications.
Overview Figure 1 Component Locations Front View System status LEDs PMC NIC slots (slots 1 and 2) Flash-memory PC card slots unpopulated in base bundle IP390 00525 Console port AUX port Reset button Four-port Gigabit Ethernet Figure 2 Component Locations Rear View Power switch 00527 Power socket...
Note Nokia products only support NICs purchased from Nokia or Nokia-approved resellers. The Nokia Global Support Services group can provide support only for Nokia products that use Nokia-approved accessories. For sales or reseller information, contact a Nokia service provider listed in the “Nokia Contact Information”...
You can manage the IP390 appliance by using one of the following interfaces: Nokia Network Voyager—an SSL-secured, Web-based element management interface to Nokia IP appliances. Network Voyager is preinstalled on the IP390 appliance and enabled through the Nokia IPSO operating system. With Network Voyager, you can manage, monitor, and configure the IP390 appliance from any authorized location within the network by using a standard Web browser.
Check Point application upgrades. Site Requirements, Warnings, and Cautions Before you install a Nokia IP390 appliance, ensure that your computer room or wiring closet conforms to the environmental specifications listed in Chapter A, “Technical Specifications.”...
The Nokia IP390 appliance supports the following operating system and applications: Nokia operating system software requirements—Nokia IPSO v4.1 or later Check Point VPN-1 versions compatible with the version of Nokia IPSO you are using For information about updates to the software requirements or additional applications that have become available since this guide was published, contact your Nokia service provider, as listed “Nokia Contact Information”...
Installing the Nokia IP390 Appliance This chapter describes how to install the Nokia IP390 appliance. The following topics are covered: Before You Begin Rack Mounting the Appliance Connecting Power Connecting to the Console or Auxiliary Port Connecting to Network Interfaces...
Installing the Nokia IP390 Appliance Figure 5 Mounting Screws Location IP390 00525 Mounting screw slots Two mounting positions are available allowing you to mount the unit either flush with the rack, or two inches forward of the rack. Figure 6 Adjustable Mounting Brackets...
2. Plug the other end of the cord into a three-wire grounded power strip or wall outlet. Connecting to the Console or Auxiliary Port If you do not use DHCP to perform the initial configuration of your Nokia IP390 appliance, you must use a serial console connection (RJ-45 null-modem cable included). For information about using DHCP for initial configurations, see Chapter 3, “Performing the Initial Configuration.”...
Page 26
2. Connect the other end of the cable to the VT100 console or to a system running a terminal- emulation program. The cable that Nokia provides with IP390 appliances includes a latching mechanism used to secure the cable to the console port or auxiliary port of your appliance.
DB-9 female adaptor) or to a DB-25 modem connection (using the appliance auxiliary port and the DB-25 male adaptor). The DB-9 adapter is provided with the cable. The DB-25 adaptor is provided with Nokia modem cable kits for the IP390. 00552...
Installing the Nokia IP390 Appliance Table 6 Pin Assignments Console Connector and Cable Console Port RJ-45 to RJ-45 Rollover RJ-45 to DB-9 (DTE) Cable Terminal Adapter Remote Device Signal RJ-45 Pin RJ-45 Pin DB-9 Pin Signal The console cable provided with the IP390 is comprised of two parts:...
Modem Adapter Modem Connecting to Network Interfaces Connect at least one network interface to use as the Nokia Network Voyager system management interface. This interface is configured during the system startup procedure, as described in Chapter 3, “Performing the Initial Configuration.”...
Page 30
Installing the Nokia IP390 Appliance After you connect the network interfaces, continue with Chapter 3, “Performing the Initial Configuration.” IP390 Security Platform Installation Guide...
Performing the Initial Configuration The first time you turn power on to a Nokia IP390 appliance, the initial configuration process begins. This process enables you to configure the network settings and provides access to the admin account. You can perform the initial configuration in two ways.
Page 32
Check the power LED on the front panel of the appliance (the Nokia logo) to ensure that the power supply is operating correctly. The power LED should be illuminated. For more information about the system status LEDs, see “System Status LEDs”...
Enter. For more information about how to respond to the prompts during the initial configuration process, see the Getting Started Guide and Release Notes for the version of Nokia IPSO you are using. 5. After you complete the initial configuration, you can use Network Voyager to configure the remaining network ports.
Network Voyager interface, as shown in Figure Nokia Network Voyager Reference Guide—This guide is the comprehensive reference source for Nokia Network Voyager. To access this source, look at the list in the navigation tree on the left side of the window (as shown in Figure 8).You can also access the Nokia...
You can now execute CLI commands from the CLI shell and the Nokia IPSO shell. The Nokia IPSO shell is what you see when you initially log on to the appliance.
The argument must be the name of a filename regular file. For more information about how to access and use the CLI, see the Nokia CLI Reference Guide for the version of Nokia IPSO you are using. Using Nokia Horizon Manager Nokia Horizon Manager is an extension of the Network Voyager management functionality.
Four-Port 10/100 Mbps Ethernet Network Interface Card The IP390 appliance supports Nokia-approved, four-port UTP5 dual-mode 10-Mbps and 100- Mbps Ethernet NICs. When you purchase an Ethernet NIC with your IP390 appliance, the NIC is installed before the appliance is delivered to you.
About IP390 Appliance Network Interface Cards Compliance with IEEE 802.3 Ethernet specification You can configure and monitor Ethernet interfaces with Nokia Network Voyager. Specifically, you set the port speed and full-duplex or half-duplex mode by using Network Voyager. The following figure shows Ethernet NIC front panel and LED details.
Four-Port 10/100 Mbps Ethernet Network Interface Card The following figure shows the pin assignments for the cable. The RJ-45 cable output connector is numbered from right to left, with the copper tabs facing up and toward you. Figure 10 Ethernet Cable Connector Pin Assignments Pin# Assignment 00270...
Note Copper Gigabit Ethernet NICs you use in IP390 appliances need to be the Version 2 type, as indicated on the right end of the NIC faceplate. These NICs are sold by Nokia under the order code NIF4425. Copper Gigabit Ethernet NIC Features...
Two-Port Copper Gigabit Ethernet Network Interface Card The following figure shows the front panel details for the two-port copper Gigabit Ethernet NIC you use in the Nokia IP390 appliance. Figure 13 Two-Port Copper Gigabit Ethernet NIC Link LED (solid yellow for 10/100 Mbps, solid green for 1000 Mbps)
About IP390 Appliance Network Interface Cards In the following figure, the RJ-45 cable output connector is numbered from right to left, with the copper pins facing up and toward you. Figure 14 Copper Gigabit Ethernet Cable Connector Pin Assignments Gigabit Ethernet 10/100 Mbps Pin#...
The long-range single-mode fiber (SMF) fiber-optic Gigabit Ethernet NICs in the IP390 run on Nokia IPSO v4.2 or higher. You can configure and monitor Gigabit Ethernet NIC interfaces with Nokia Network Voyager. Specifically, you set the port speed and full-duplex mode with Network Voyager.
About IP390 Appliance Network Interface Cards The following figure shows the front panel details for the two-port long-range (1000 Base-LX) fiber-optic Gigabit Ethernet NIC you can use in your IP390. Figure 17 PMC Two-Port Long-Range Gigabit Ethernet NIC SFP Modules Link LEDs (solid green) Activity LEDs (blinking amber) LINK...
IP390 to a T1 circuit. T1 circuits are commonly used for Enterprise branch office WAN connectivity deployments The Nokia T1 NIC provides up to 1.5 Mbps of throughput and is deployed in the United States. The following figure shows T1 NIC front panel details.
Remove the T1 cable before working on any Nokia appliance. Caution Nokia requires that this equipment be installed by authorized, experienced service personnel who have the equipment installation instructions. Nokia requires that all equipment be connected to a power source using a socket-outlet with protective earthing connection.
Page 47
Four-Port T1 Network Interface Card Note Your T1 cable might not include straight-through wiring for pins 3, 6, 7, and 8. It will, however, work properly with your Nokia T1 NICs. IP390 Security Platform Installation Guide...
(ESD) by making sure you are properly grounded before touching any electronic components. Deactivating Configured Interfaces If you are removing or replacing an installed NIC, use Nokia Network Voyager to deactivate any configured ports on the NIC before removing it. Deactivate all of the logical interfaces on the NIC.
Use these instructions to remove, install, or replace a NIC in the IP390 appliance. Some steps are not applicable to all procedures. The instructions point out steps appropriate to each procedure. Before You Start To remove, install, or replace a Nokia NIC, you need the following: A Phillips-head screwdriver Physical access to the appliance...
Page 51
Removing, Installing, and Replacing NICs 2. Use your fingers or a screwdriver to loosen the retaining screws that hold the chassis tray assembly. IP390 00525 Chassis tray assembly retaining screws 3. Gently pull the chassis tray assembly forward to expose the NIC connectors. Remove the tray completely to avoid damaging components.
Page 52
Installing and Replacing Network Interface Cards 5. From above the chassis tray assembly, remove the NIC retaining screws from the back of the NIC. 00530 6. Remove the NIC by lifting the back of the NIC (as close as possible to the connector locations) away from the chassis tray assembly and pulling the NIC gently away from the front panel.
Page 53
Removing, Installing, and Replacing NICs If you are installing or replacing a NIC, insert the NIC. a. Insert the NIC bezel into the front panel. 00532a b. Gently push the back of the NIC (as close as possible to the connector locations) down toward the chassis tray assembly.
Page 54
Installing and Replacing Network Interface Cards 8. From the top of the chassis tray assembly, screw the NIC retaining screws into the standoffs on the back of the NIC. 00531 9. From beneath the chassis tray assembly, screw in the bezel retaining screws. 00528 10.
Use Network Voyager to access detailed port information. For information about accessing Network Voyager, see “Using Nokia Network Voyager” on page 33. You can also use the Nokia IPSO tcpdump command to examine the track on a specific port. IP390 Security Platform Installation Guide...
Check Point application are stored on the hard-disk drive. Use the internal compact flash to boot the system and install the Nokia IPSO operating system on the disk. The compact flash memory card is located on the motherboard in a slot behind the hard-disk drive location.
Installing and Replacing Components Other than Network Interface Cards Figure 21 Compact Flash Memory Card Slot IP 39 00550 Caution To protect the appliance and the compact flash memory card from electrostatic discharge damage, make sure you are properly grounded before you touch these components.
Page 59
Replacing the Compact Flash Memory Card To replace compact flash memory card in your appliance 1. Use Nokia Network Voyager or the CLI to halt the appliance. To use Network Voyager to shut the appliance down, select System > Configuration > Reboot or Shutdown > Halt.
9. Turn on the power supply at the back of the appliance. Installing a Flash-Memory PC Card You can use the flash-memory PC card to store local system logs, Nokia IPSO images, and configuration files.The IP390 appliance has two PCMCIA slots that can support a flash-memory PC card having a capacity of 1 GB or higher.
/dev/wd2 /cdrom The /cdrom directory is a default directory in Nokia IPSO for mounting media. 4. Use the cp command to transfer Nokia IPSO images or configuration files to and from the flash-memory PC card. For example, to copy the current Nokia IPSO image from the compact flash memory to the flash-memory PC card, use the following command: cp /image/current/ipso.tgz /cdrom/...
Before You Start To install or replace the hard-disk drive in your appliance, you need the following: Physical access to the appliance A Nokia-approved hard-disk drive Access to the appliance through Network Voyager A Phillips-head screwdriver A torque screwdriver capable of a 69.4ozf*in (5kgf*cm) setting To install or replace a hard-disk drive 1.
Page 63
Installing or Replacing a Hard-Disk Drive 2. Loosen the retaining screws that hold the chassis tray assembly. IP390 00525 Chassis tray assembly retaining screws 3. Gently slide the chassis tray assembly forward to remove the tray from the appliance so you can access the hard-disk drive retaining screws from the bottom of the tray.
Page 64
Installing and Replacing Components Other than Network Interface Cards 4. If a you are replacing a hard-disk drive, remove the retaining screws that hold the hard-disk drive unit from the bottom of the chassis tray assembly. 00534 Gently remove the hard-disk drive from the motherboard, taking care not to damage the connector.
On the flash-based IP390, you can save log files locally by installing and configuring an optional hard-disk drive. The Nokia Network Voyager Reference Guide and the CLI Reference Guide for Nokia IPSO contain instructions for configuring a Nokia appliance to store Nokia IPSO log messages on the disk.
For more information about storing Nokia IPSO system logs, see the Nokia Network Voyager Reference Guide or the CLI Reference Guide for the version of Nokia IPSO you are using. For more information about storing Check Point log messages, see Important Information: Storing Check Point Log Messages on Flash-Based Platforms.
Replacing or Upgrading Memory Note Nokia recommends that you obtain memory kits only from Nokia or authorized resellers. For further information, contact the appropriate Nokia customer support site listed “Nokia Contact Information” on page 3. The DIMM sockets are located at the right of the motherboard, as you look at the appliance from...
Page 68
Installing and Replacing Components Other than Network Interface Cards To add or replace DIMMs 1. Use Network Voyager or the CLI to halt the appliance. To use Network Voyager to shut the appliance down, select System > Configuration > Reboot or Shutdown > Halt. To use the CLI to do this, enter halt at the prompt.
Page 69
Replacing or Upgrading Memory 4. Remove any memory module necessary by pressing the two retaining clips outward and carefully pulling each DIMM upward as the following figure shows. IP 39 00545 You might need to pull opposite ends of the DIMM alternately to gradually free it from the contact pins.
Chassis tray assembly retaining screws The appliance automatically recognizes the new memory configuration. You can verify this from the Network Voyager, the CLI, or from the Nokia IPSO shell. To verify the memory from the CLI, enter: show asset hardware To verify the memory from the Nokia IPSO shell, enter: dmesg | grep ‘real memory’...
Page 71
Replacing the Battery Warning Risk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions. Warning Make certain to remove the power cord from the appliance before you proceed with any of the following steps.
Page 72
Installing and Replacing Components Other than Network Interface Cards 4. Gently slide the chassis tray assembly forward to expose the DIMM sockets. Remove the tray completely to avoid damaging components. IP 3 00537 Note Because power to an IP390 appliance is automatically disconnected when the chassis tray assembly is opened, you do not need to manually disconnect the power for this procedure.
Page 73
Replacing the Battery 6. Remove the old battery. Use a small nonconductive device, such as a plastic probe, to slide the battery out of the battery holder through the cutout in the holder. Caution Replace the battery only with the same or equivalent type battery recommended by the manufacturer.
Page 74
Installing and Replacing Components Other than Network Interface Cards IP390 Security Platform Installation Guide...
Troubleshooting This chapter provides troubleshooting tips, problems, and solutions related to IP390 appliance installations. General Troubleshooting Information The information in this section relates to non-routing problems. For information about how to troubleshoot routing problems, see “Troubleshooting Routing Problems” on page 82. Unable to Log in to the Console Port—No Error Message Two laptop computers (using terminal emulation programs) or terminals should be able to communicate back to back in the same way that the terminal communicates with the IP390...
Page 76
“Nokia Contact Information” page 3. Problem Database is corrupt. Solution Return to default settings according to the instructions included in the instructions for resetting the default password, or contact the Nokia customer support site listed in “Nokia Contact Information” on page 3.
Page 77
This procedure erases any configuration database on the appliance. For information about how to complete the full installation procedure, see the current release notes. The release notes are located on the Nokia customer support Web site as listed in the “Nokia Contact Information”...
Page 78
Do Not See Interfaces that Should be Present Problem Local IP390 appliance ports do not appear. Solution Your NIC might be defective. Contact the appropriate Nokia customer support site as listed in “Nokia Contact Information” on page 3.
Page 79
Network Voyager to delete the invalid entry. For information about how to access Network Voyager and the related reference materials, see “Using Nokia Network Voyager” on page 33. To delete the invalid entry 1.
Page 80
. For more information about how to use the -i interface proto igmp tcpdump command, see the Nokia Network Voyager Reference Guide. Under Routing Options in the Routing Configuration section in Network Voyager, you can also enable several types of trace options for DVMRP. These traces are logged into /var/tmp/ ipsrd.log...
Page 81
Solution Repeat memory installation procedures. Make sure DIMMs are fully seated in sockets. Be sure DIMMs click into place. Appliance locks up after you upgrade Nokia IPSO with a console connection. No error messages appear, but the appliance stops responding to console and network.
An example use of the ICLID command is shown below. For information about the ICLID command, see the Nokia Network Voyager Reference Guide. For information about how to access Network Voyager and the related reference materials, see “Using Nokia Network Voyager”...
Page 83
-i interface proto ospf For more information about how to use the tcpdump command, see the Nokia Network Voyager Reference Guide. Under routing options in Network Voyager, you can also enable several types of trace options for OSPF.
Page 84
-i interface proto rip For more information about how to use the tcpdump command, see the Nokia Network Voyager Reference Guide. Under routing options in Network Voyager, you can also enable several types of trace options for routing information protocol (RIP).
Page 85
Troubleshooting Routing Problems For information about how to access Network Voyager and the related reference materials, see “Using Nokia Network Voyager” on page 33. Problem Routing protocol is not functioning properly. Solution to ensure that each routing protocol is functioning properly, see “Common Problems...
Do not place objects over the ventilation holes on the appliance. The appliance might overheat and become damaged. Operating Temperature The operating temperature range for the Nokia IP390 appliance is 0° C to 45° C (32° F to 113° IP390 Security Platform Installation Guide...
Technical Specifications NIC Interfaces NIC Type Cable Type Cable Connector 10/100 Ethernet IEEE 802.3 100 Base-TX or 1000 Base-T RJ-45 unshielded twisted pair, full-duplex or half-duplex. Straight-through cable (Cat 5 type) or crossover cable; in some cases, shielded Cat 5 Ethernet cable can be used to improve interference radiated emissions.
Compliance Information This appendix contains declaration of conformity, compliance, and related regulatory information. Declaration of Conformity According to ISO/IEC 17050: Manufacturer’s Name: Nokia Inc. Manufacturer’s Address: 313 Fairchild Drive Mountain View, CA 94043-2215 declares that the product: Product Name: IP390...
Compliance Information Christopher Saleem Compliance & Reliability Engineering Manager Security & Mobile Connectivity, Enterprise Solutions Mountain View, California May 2008 Compliance Statements This hardware complies with the standards listed in this section. Emissions Standards FCC Part 15 Subpart B Class A US/Canada EMI-ICES-003 Class A Canada...
FCC Requirements (US) Safety Standards UL60950/EN60950 US/European Community(CE) CAN/CSA-C22.2 No.60950 Canada Telecom FCC Part 68, CS-03 FCC Requirements (US) This equipment complies with FCC rules, Part 68. On the bottom of this equipment is a label that contains, among other things, the FCC Registration Number. When you are ready to install this unit, contact your local telephone company and supply them with the following information: Standard Jack(s) for connection to the network: RJ48 Universal Service Order Code (USOC): 6.0...
Page 92
Compliance Information against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.
21 declaration of conformity 89 using the 35 depth specification 87 compact flash memory card (internal) DHCP server 31 Nokia IPSO storage 17 DIMMs replacing 57 see memory (RAM) compliance information 89 declaration of conformity 89 FCC notice 92...
Page 94
Gigabit Ethernet NICs, compliance with 40 specifications 17, 88 Ethernet NICs, compliance with 38 T1 45 fiber-optic Gigabit Ethernet NICs, compliance with 43 Nokia Horizon Manager installing overview 21 battery 70 using the 36 compact flash memory card (internal) 57...
Page 95
Ethernet connections, for 37 Gigabit Ethernet connections, for copper 40 Gigabit Ethernet connections, for fiber-optic 43 technical specifications 87 transferring files with flash-memory PC cards 61 transferring Nokia IPSO images 61 troubleshooting 75 IP390 Security Platform Installation Guide Index - 95...
Page 96
Index - 96 IP390 Security Platform Installation Guide...
Page 97
We Welcome Your Comments Nokia is interested in improving our documentation to better serve our customers. Please feel free to send comments and suggestions to docfeedback@nokia.com. If you are using Adobe Acrobat Reader 6.0 or later, we invite you to provide feedback to us by using the following form.