FAQ: Network Topology Options with Forum Sentry

Introduction

The Forum Sentry API Security Gateways (hardware and virtual) support multiple network topology modes. Before physical installation, Sentry administrators must decide which network topology mode best matches their network structure.

Network configuration options for Sentry include:

  • One port mode
  • In-line 2 IP Addresses mode


Topology Modes

One Port Mode

In the 1-port mode configuration, Sentry processes all runtime traffic using only the WAN interface. Management traffic for the devices (WebAdmin and SSH) should be done through the MGMT port, usually in a different subnet. With this configuration, 2 interfaces would be physically connected to the network.

Notes:

  • It is possible to move the MGMT interface for management traffic to either the WAN or LAN. For instance, in One Port mode you could have all management and runtime traffic use a single physical interface (WAN). This is common with POCs.
  • If the MGMT and WAN interfaces are in the same subnet, the Management Filter needs to be disabled; see: https://helpdesk.forumsys.com/entries/98406903-FAQ-Can-the-MGMT-and-WAN-Interfaces-both-be-on-the-same-Network-

In-line 2 IP Addresses Mode

In the in-line configuration with 2 IP addresses, Sentry sits between the corporate “Local Area Network” and the outside “Wide Area Network”, with two network interfaces used for bi-directional network traffic via distinct IPs. In-line configuration means the product provides physical network connectivity between clients and application server(s). Management traffic for the devices (WebAdmin and SSH) should be done through the MGMT port, usually in a different subnet. With this configuration, 3 interfaces would be physically connected to the network.


Physical Interfaces on the Sentry 456X Rev B and Rev C Models

WAN Port: The WAN port, the leftmost of the two adjacent upper NIC ports on the right half of the rear of the gateway, is used in both in-line and 1-port modes for data traffic. In in-line mode, the WAN port should be the external-facing (Internet) port, connected to whichever upstream device (router, firewall, etc.) is applicable. In 1-port mode, only the WAN port is used for data traffic. In either in-line or 1-port mode, traffic is directed to the security system based on the IP(s) defined on the system.

LAN Port: The LAN port, the rightmost of the two adjacent upper NIC ports on the right half of the rear of the gateway, is only used in in-line mode. This is the internal-facing port, connected to the internal network or to a network device that provides connectivity to the internal network.

MGMT Port: Sentry can be managed out-of-band using the lower leftmost NIC port on the rear of the gateway. This means that management connectivity and associated network traffic are provided from an interface that is separate from the interface(s) used for regular traffic. Access to the Command Line Interface (CLI) and the WebAdmin is provided on this interface. The MGMT interface can be moved to the LAN or WAN port after initial setup.

There is a single MANAGEMENT IP address on the device that applies to the Management Ethernet interface only. The IP address used for the MANAGEMENT port is completely independent of whether the device is configured to run in in-line or 1-port mode. The MANAGEMENT port must have an IP associated, even if you intend to manage the product via the WAN or LAN interface. If you do not have a physical network connection to the MANAGEMENT interface, set the IP to the non-routable IP, 169.254.0.1, per RFC 3330.
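The addressing rules above (MGMT always needs an IP, 169.254.0.1 when the MGMT port is not cabled, the LAN port only in in-line mode, and a shared MGMT/WAN subnet meaning the Management Filter must be disabled) can be checked before racking the unit. The following validator is an added example, not Forum Systems code; the plan format, interface arguments and finding texts are assumptions.

```python
"""Pre-installation sanity check for a planned Forum Sentry network layout.

Added example (not Forum Systems code). It encodes only the rules stated in
this FAQ; the function signature and message wording are assumptions.
"""
import ipaddress

# Address the FAQ prescribes for a MANAGEMENT port with no physical connection.
UNCONNECTED_MGMT = ipaddress.ip_address("169.254.0.1")


def check_topology(mode, wan, mgmt, lan=None, mgmt_connected=True):
    """Return a list of findings (strings) for a topology plan; [] means OK.

    mode: "one-port" or "in-line"; wan/mgmt/lan: "a.b.c.d/prefix" strings
    (lan may be None); mgmt_connected: whether the MGMT port is cabled.
    """
    if mode not in ("one-port", "in-line"):
        raise ValueError(f"unknown topology mode: {mode!r}")
    findings = []
    wan_if = ipaddress.ip_interface(wan)
    mgmt_if = ipaddress.ip_interface(mgmt)  # MGMT must always have an IP
    lan_if = ipaddress.ip_interface(lan) if lan else None

    # The LAN port carries data only in in-line mode.
    if mode == "one-port" and lan_if is not None:
        findings.append("LAN has an address but is not used in one-port mode")
    if mode == "in-line":
        if lan_if is None:
            findings.append("in-line mode needs a LAN address")
        elif lan_if.ip == wan_if.ip:
            findings.append("in-line mode needs distinct WAN and LAN IPs")

    # Uncabled MGMT port: the FAQ says to park it on the non-routable address.
    if not mgmt_connected and mgmt_if.ip != UNCONNECTED_MGMT:
        findings.append("MGMT is not cabled; set its IP to 169.254.0.1")

    # MGMT sharing a subnet with a data interface requires disabling the
    # Management Filter (see the note on MGMT and WAN in the same network).
    if mgmt_connected:
        for name, data_if in (("WAN", wan_if), ("LAN", lan_if)):
            if data_if is not None and data_if.network == mgmt_if.network:
                findings.append(
                    f"MGMT shares a subnet with {name}; disable the Management Filter")
    return findings


if __name__ == "__main__":
    # Constructed POC plan: management and runtime traffic on one subnet.
    for f in check_topology("one-port", "192.0.2.10/24", "192.0.2.20/24"):
        print("WARNING:", f)
```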

Console Port: The DB9 (serial) port at the left rear of the gateway next to the power supplies is used for connecting the product console for direct CLI access.

Smart Card Reader Serial Connector: The smart card reader (HSM models only) is the small round connector on the bottom left hand side of the gateway which is used for HSM configuration.

System Schematics: The diagram below displays the back of the Forum Sentry 456X Rev B and Rev C gateways.

[Image: 4564_Schematic.PNG]

For more information on topology modes and the initial setup of the Sentry gateway please see the attached Hardware Installation Guide and/or the VirtualOS Installation guide.

Important Note: Sentry software instances running on Windows, Linux, or Solaris rely on the host OS for all networking and none of the information above applies.