Programming the Firewall

This procedure applies to the Cisco ASA 5505 and Cisco ASA 5506 Firewalls.

Caution—If you are setting up a System with LINK, a 5506 is required.

Note—
Screen shots below are for reference ONLY. Your screens may differ.

All information entered into the Firewall Wizard will come from the Panther Site Assessment.

Only steps that require further action are described.
If you select No and no further input is needed, that step is not described.

Warning—PART B - Connecting the Cisco ASA 5505/5506 to FSE Laptop

MUST BE COMPLETED BEFORE CONTINUING

  1. Open the Firewall Wizard.

  2. Confirm Steps 1-4 have been completed and click Next >.

  3. Select what action you would like to perform.

    1. Configure Firewall.
    2. Configure Firewall but start with a saved configuration file.
      Note— You can only use a saved configuration that was saved with firewall wizard 6.0.1.4
      1. Select the input file you would like to import and click Open

      2. Click OK

    3. Save the current Firewall configuration.
      1. Click Save
        Note— This will save the file in the XML format, which is needed to configure with a saved configuration

      2. Click Yes

      3. Click OK, then Exit

    4. Install new Firewall OS (5506 only)
      Note—
      The Install new Firewall OS will be used to install updates that are needed to fix vulnerabilities in the Cisco Operating System.
      This will allow the firewall to install Cisco Operating System updates and provide protection against newly discovered vulnerabilities.
  4. Select Output Directory Location
    1. Click Next if the default location is acceptable

    2. To select a different location, click Change

      1. Click Make New Folder

      2. Type in the folder name and click OK

      3. Click Next

  5. Verification of Firewall SW connection to your laptop
    Note— Automatic Connection Verification

    When advancing from the Output Directory Location page to the Serial Port Connected to Firewall Page an automatic connection search will begin.

    1. A text box will indicate Connecting to Firewall

    2. If successful, the screen below will appear:
      Note—
      IOS = Version,
      ASDM = Version and MAC address of the firewall will be displayed

    3. If not successful, follow the Testing the Serial Port Connection steps below:

      Testing the Serial Port Connection

      1. Check that all connections are correct: Power, USB, and Serial.
      2. If connected correctly, select the Port drop-down menu.
      3. The Port drop-down menu will display all open ports found.
      4. Select the COM Port that the Firewall is connected to.
      5. Click Test.
      6. The text box will indicate Testing Connection to COMX where X is the COM port number selected.
      7. The test will automatically connect to the Firewall and if successfully connected, the textbox will display:
        Connection OK. IOS = Version. ASDM = Version. MAC = address
      8. Click Next when the connection is established.
  6. Site Information
    Note—

    By filling in the Site Information page, the wizard will program and record where the firewall is installed and who installed it.
    This information is programmed directly onto the firewall and listed in an instructions.txt file as an output of programming the firewall.

    Fill in the following fields.

    1. Site Name
    2. Your Full Name
    3. Firewall Serial # - located on the bottom of the firewall
    4. Select the Panther radio button in the Hologic Instrument Model box.
    5. Enter the number of instruments that will be connected to the Firewall.
      Note— A maximum of 16 Systems can be connected to the Firewall.
    6. Click Next >.

  7. Cisco Syslog Setup
    Note—

    Cisco network devices use Syslog to send system messages and debug output to a local logging process inside the device.

    Cisco Syslog is a standard for logging messages.
    Syslog allows the customer's IT/IS to monitor what the firewall is doing.

    1. Select Yes if the customer requests Syslog to be enabled.
    2. Enter the appropriate IP Address and Port.
    3. Click Next >.

  8. Windows Update Server
    Note—
    The Windows Update Server will be used to send Windows Updates that are needed to fix vulnerabilities in the Windows Operating System.
    This will allow connected Panther Systems to install Operating System updates and provide protection against newly discovered vulnerabilities.
    1. Select Yes if the customer requests Windows Update Server to be enabled and click Next >.

  9. Read Only User Account

    Note—
    The Read-Only User Account allows a customer to read the Firewall's configuration but does not allow them to modify settings.

    The Read-Only User Account allows the customer's IT to access the Firewall with Read Only privileges and view the configuration.

    The User Name will always default to "readonly" and may not be changed. Passwords must contain 4 to 32 characters.

    1. Select Yes, if the customer requests a Read-Only User Account and click Next >.

    2. Enter the password provided by the Customer in both the Password and Confirm Password fields and click Next >.

  10. VPN Setup (Only applicable on the 5506)
    Note—

    VPN connections are only necessary at customer sites when Panthers are physically separated and cannot be physically connected to a single switch.

    If the customer’s ethernet infrastructure allows separated Panthers to be connected to a single switch, VPN is not needed.

    The maximum number of VPN connections is 10.

    Each physical location will require a Firewall installed.
    If setting up a VPN, the external IP addresses of each Firewall MUST have a static IP address provided by the customer.

    1. Select Yes, if the customer has Panthers at different physical locations that are to be connected.
    2. Specify the total number of locations (Firewalls) and click Next >.

    3. Enter the External IP Address, External IP Mask, and External Gateway IP for each location and click Next >.
      Caution— Make sure you select Current Firewall for the Firewall you are programming.

  11. External Interface IP Address

    Note— The Firewall must obtain an IP address from the customer network.

    Three ways of obtaining an IP address are:

    1. Dynamic Address - DHCP
      1. DHCP Gateway - A DHCP Server will administer an IP address to the firewall.
      2. DHCP Range - A DHCP Server will administer an IP address to the firewall within a specified range of addresses.
    2. Static IP - A Static IP address will be administered by the customer for the firewall to use as its IP address.
    1. Dynamic Address - DHCP
      1. For DHCP Gateway or DHCP Range select the DHCP radio button and click Next >.

      2. Dynamic IP Address - DHCP Gateway
        A DHCP Server will administer an IP address to the firewall.
        Note— In some cases, a customer site may require a reservation within their DHCP server. If a customer requires a MAC address or physical address, the MAC address of the firewall is in the Serial Port Connected to Firewall page.
        1. Select Use Gateway if the customer requests DHCP Gateway and click Next >.

        2. Enter the Gateway IP Address and click Next >.

      3. Dynamic IP Address — DHCP Range
        A DHCP Server will administer an IP address to the firewall within a specified range of addresses.
        1. Select Use IP Address Range if the customer requests DHCP Range and click Next >.

        2. Enter the starting and ending IP addresses and click Next >.

    2. Static IP Address (Permanent IP address)
      A Static IP address will be administered by the customer for the firewall to use as its IP address.
      1. Select Static IP Address if the customer requests Static IP and click Next.

      2. Enter the Firewall IP Address, Firewall IP Subnet Mask, and Default Gateway and click Next >.

  12. Domain Name Server (DNS) Settings

    Note—

    A Domain Name Server is used to resolve a hostname such as connect.hologicsecurecare.com to an IP address.

    OpenDNS (208.67.222.220) and Google DNS (8.8.8.8) are pre-filled as default by the Wizard.

    1. Verify the check mark box is selected for:


      Note—This should only be unchecked if connecting to the Hologic Network (internal)
    2. Populate a new Preferred DNS in the text box if one is provided.
    3. Populate a new Alternate DNS in the text box if one is provided.
    4. Click Next >

  13. Network Printer
    Note—

    There are two possibilities for networking the printer.

    Option 1 is to network through the customer network.
    An IP Address for the printer will be required from the customer.

    Option 2 is to network within the Hologic network.
    If Option 2 is needed, select NO when asked if the network printer will be used outside the firewall.

    If the customer does not want the network printer on the customer’s network, there is the option for the printer to be connected to the switch.

    Configure the IP address of the network printer to be 172.23.1.99,
    subnet 255.255.255.0 and Gateway of 172.23.1.1
    1. Select Yes if the customer requests a Network Printer.

    2. Enter the IP Address of the Network Printer and click Next >.

  14. Panther Link Dashboard Setup

    Note— Panther Link allows multiple Panthers to share a common database

    If setting up a Dashboard Server, a Cisco ASA 5506 MUST be used.

    The Dashboard Server requires a static IP address on the customer’s network which will use NAT to connect to an internal Panther network IP address.

    During this setup, the external (customer network) NAT IP address will need to be mapped.

    The instructions.txt file will hold the necessary IP address and ports that will be used during configuration of the Dashboard server.

    1. Select Yes if the customer requests to be connected with Link Dashboard and click Next >.

      1. Select Yes if the Dashboard Server will be connected to the Firewall currently being configured.
      2. Enter the Dashboard Server IP.
      3. Select Yes if the Dashboard Server will need to access Panthers connected to other Firewalls and click Next >.
        Note— Only needed for VPN setups

  15. Track System
    Note—
    With the addition of Track Systems, new network connections are required.

    The Panther has integrated with two different track systems, IDS and Inpeco.

    Note— IDS
    The Panther Trax solution requires network connections with WMS using an IDS track.

    IDS does not require any additional input.

    Note— Inpeco
    The Panther Track Ready System has the compatibility to be integrated and connected to a pre-existing Inpeco Track System. To connect to the Inpeco System, the customer technical support admin or the Inpeco Track System service organization will supply an External NAT IP Address as well as a dedicated port for each Panther that is to be connected to the track system.
    1. Select IDS-WMS if an IDS track will be connected to the firewall and click Next >.

    2. Select Inpeco, if an Inpeco track will be connected to the firewall and click Next >.

      1. Enter the NAT IP Address for the Inpeco system
      2. Enter in the Interface Module Port for each Panther, then select the Right arrow to add to the defined Interface Port List until all ports are mapped and click Next >.

  16. Grifols Middleware
    Note— Not for Hologic Track systems
    1. Select the Yes button if the customer is using Grifols Middleware and click Next >.

      1. Enter the Grifols IP Address then add the appropriate number of ports (ONE per System) and click Next >.

  17. Remote Diagnostics

    Note—
    TeamViewer and Grifols Remote Desktop Protocol (RDP) are only used by Grifols.

    RDXM and SecureLink do not require any additional input.
    SecureLink will only work with System SW v7.2 and above

    You cannot connect multiple systems on a single firewall if they use SecureLink (System SW v7.2 and above) and RDXM/Pro360 (System SW v7.1 and below).

    All systems with System SW v7.2 and above (SecureLink) can be connected on 1 Firewall.

    All systems with System SW v7.1.5.4 and below (RDXM/Pro360) can be connected on 1 Firewall.

    1. Select the Remote Diagnostics method to be used at the customer site and click Next >.


      1. HSCN (N3) Remote Desktop Protocol
        Note— This is for UK NHS Network Only
        1. Select the HSCN (N3) Remote Desktop Protocol radio button.
        2. Enter the HSCN IP Address and click Next >.

        3. Enter the External NAT IP Address and click Next >.

  18. Laboratory Information System (LIS)
    Note—If LIS uses a serial connection, select No
    1. Select Yes if LIS will be used and click Next>.

    2. Select the LIS connections needed and click Next>
      1. LIS is Networked – For TCP/IP connections
      2. LIS uses Remote File Share
      3. For Pooling:
        Note— Pooling will be configured with the use of a mapped network drive.
        1. TCP/IP LIS Connection: Check BOTH boxes.
        2. Serial LIS Connection: Check “LIS uses Remote File Share”.
    3. LIS Uses Remote File Share
      1. Enter the IP address(es) for the mapped network drive and click Next >.

        1. Enter the LIS IP Address and the port for each system and click Next >.

          Note—WMS to LIS Port will only appear if IDS-WMS was selected for Track System

      2. To configure a Test LIS Server, enter the Networked LIS IP and Ports Mapping information, select the Check box and click Next >

        1. Enter the Test LIS Server IP and Port for each system and click Next >

          Note—WMS to LIS Port will only appear if IDS-WMS was selected for Track System

  19. Review Your Input
    1. Review your input

    2. Select Configure.

      Note—DO NOT click the Abort button unless it is necessary to cancel the configuration.
    3. Once configuration is complete, verify settings are correct and click OK.

    4. Upload the 4 Configuration files shown below to the SR in Oracle OR the Panther Asset page in H1.

  20. Proceed to Setting a Panther IP Address on the Panther Workstation
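
The limits stated in the steps above (16 Systems per Firewall, 10 VPN connections, VPN and Link on the 5506 only, static external IP for VPN, 4 to 32 character read-only password, no mixing of SecureLink and RDXM/Pro360 systems) can be checked against the Site Assessment values before the wizard is opened. The following is an added example, not part of the Firewall Wizard or any Hologic tooling; the `Assessment` fields and `preflight` function are hypothetical names, and the gateway-on-subnet test is an added sanity check rather than a rule from this procedure.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Assessment:                      # hypothetical record of Site Assessment values
    model: str                         # "5505" or "5506"
    instruments: int
    system_sw: List[str] = field(default_factory=list)  # System SW version per Panther
    link_dashboard: bool = False
    vpn_connections: int = 0           # 0 means no VPN
    external_mode: str = "dhcp"        # "dhcp" or "static"
    external_ip: str = ""
    external_mask: str = ""
    external_gateway: str = ""
    readonly_password: Optional[str] = None   # None means no read-only account

def _ver(v):
    return tuple(int(p) for p in v.split("."))

def preflight(a):
    """Return a list of problems; an empty list means the inputs fit the documented limits."""
    errs = []
    if a.model not in ("5505", "5506"):
        errs.append("model must be 5505 or 5506")
    if not 1 <= a.instruments <= 16:
        errs.append("instruments must be 1-16")
    if a.link_dashboard and a.model != "5506":
        errs.append("Link Dashboard requires a 5506")
    if a.vpn_connections:
        if a.model != "5506":
            errs.append("VPN is only applicable on the 5506")
        if a.vpn_connections > 10:
            errs.append("maximum of 10 VPN connections")
        if a.external_mode != "static":
            errs.append("VPN requires a static external IP")
    if a.readonly_password is not None and not 4 <= len(a.readonly_password) <= 32:
        errs.append("read-only password must be 4-32 characters")
    # SecureLink (v7.2 and above) and RDXM/Pro360 (below v7.2) cannot share one firewall.
    if len({_ver(v) >= (7, 2) for v in a.system_sw}) > 1:
        errs.append("SecureLink and RDXM/Pro360 systems mixed on one firewall")
    if a.external_mode == "static":
        try:
            iface = ipaddress.ip_interface(f"{a.external_ip}/{a.external_mask}")
            gw = ipaddress.ip_address(a.external_gateway)
            # Added sanity check, not a wizard rule: gateway must be on the firewall's subnet.
            if gw not in iface.network or gw == iface.ip:
                errs.append("gateway is not a distinct host on the external subnet")
        except ValueError as exc:
            errs.append(f"invalid static addressing: {exc}")
    return errs
```

An empty list from `preflight` means the values fit the limits this procedure states; each string in a non-empty list names one input to correct before running the wizard.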