Getting Started

For MetaDefender Media Firewall (MMF) to operate, it needs the public key of the signing certificate in order to validate media processed by Kiosk. The following sections outline the setup process and configuration of the Media Firewall.

Setup Steps

  1. Set up Media Manifest usage

    1. Windows Kiosk (Core + Kiosk sections only)
    2. Linux Kiosk
  2. Unpack the MMF

    1. Connect the power cable
    2. Connect the MMF to a host system via the COMP port
  3. Power on the MMF - it will immediately start in Setup Mode

    1. Power indicator shows solid GREEN and the USB-A indicator shows flashing RED
    2. FirewallCfg drive appears on the Host
  4. Drag and drop the public certificate into the drive root

    1. If the certificate is valid and correctly formatted, the USB-A indicator will switch to a solid GREEN display
  5. Restart the MMF by powering off & on

Only the certificate is mandatory for setup.

The MMF can optionally be configured to connect to the internet and be associated with a My OPSWAT account.

Windows Kiosk: 4.6.3

Linux Kiosk: 5.5.2

It is highly recommended to use these Kiosk versions, at a minimum, in order for the reports from Media Firewall to contain accurate information.

Setup Mode

Setup Mode provides the ability to configure the MMF and provision the public certificate for validation.

When the MMF is started for the first time, it will automatically start in Setup Mode.

The USB-A indicator will be flashing red and a drive named FirewallCfg with a config.ini file will be displayed when connected to a Host system.

Once the certificate has been approved, the MMF will be operational after a power cycle.

Apart from the certificate, all other configuration is optional and the MMF will operate normally if any config is invalid.

Accessing & modifying the configuration can only be done in Setup Mode.

Setup Mode is only accessible on first startup or after a Factory Reset.

Configuration

In Setup Mode, MMF will mount a drive named FirewallCfg when connected to a Host.

This drive holds the public certificate that the MMF uses to validate manifests and a config.ini file for configuring the firewall.

config.ini


Renaming or deleting the config.ini file will cause it to revert to the default configuration.

[Certificate]

This section specifies attributes of the public certificate used to validate a media manifest.

| Setting | Description | Default Value | Note |
| --- | --- | --- | --- |
| Format | Format of the public certificate | PEM | PEM - certificate is in PEM format |

[Network]

This section configures the MMF's connection to a network.

When the MMF is connected to a network, updates are retrieved automatically when released and the unit can be centrally managed.

| Setting | Description | Default Value | Note |
| --- | --- | --- | --- |
| Address | IP address of the unit | DHCP | Allowed values: DHCP - negotiate auto IP configuration; (ip address) - static IP will be established; (empty) - no connection will be negotiated |
| NetMask | 32-bit subnet mask | (empty) | |
| Gateway | IP of the network gateway | (empty) | |
| DNS | IP of the domain name server | (empty) | |

[Management]

This section sets the connection to the Central Management server to view statistics, reports and health details of the MMF.

| Setting | Description | Default Value | Note |
| --- | --- | --- | --- |
| URL | URL of the management server | (empty) | Only My OPSWAT is supported |
| RegCode | Registration code of the account | (empty) | Log into your My OPSWAT account to obtain your registration code |
| InstanceName | Name of the device displayed in the management server | (empty) | |

[SecureDataWrite]

This section controls whether files can be copied from the Host to the inserted media.

| Setting | Description | Default Value | Note |
| --- | --- | --- | --- |
| Enabled | To enable the feature | true | Allowed values: true - allow copying files from Host to Media; false - disallow copying files from Host to Media |

[PortAlarmProtection]

This section controls monitoring of blocked ports and of the connection to the Host. If any disconnect is detected, the Media Firewall will raise an alert.

| Setting | Description | Default Value | Note |
| --- | --- | --- | --- |
| Enabled | To enable the feature | false | Allowed values: true - allow monitoring and alert; false - disallow monitoring and alert |

[syslog]

| Setting | Description | Default Value | Note |
| --- | --- | --- | --- |
| ServerEnabled | Enable sending messages | (empty) | Allowed values: true - allow sending messages; false - disallow sending messages |
| ServerIpAddress | IP address of the syslog server | (empty) | |
| ServerPort | Port of the syslog server | (empty) | |
| ServerProtocol | Protocol to utilize for message transmission | (empty) | Allowed values: TCP; UDP |

Upon applying any changes to the syslog configuration, Media Firewall will attempt to log: Logging to remote syslog configured.

If this message is seen, the syslog configuration can be confirmed valid and working.

If no message is seen, the Media Firewall may not have the ability to reach the server.
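
Since the MMF operates normally even when a config.ini setting is invalid, it is worth checking the file on the Host before copying it to the FirewallCfg drive. The following is an added example, not OPSWAT code: it lints a config.ini against the sections, settings and allowed values listed above. It assumes standard "key = value" INI syntax, matches names and values exactly as written on this page, and treats an empty value as unset.

```python
import configparser
import ipaddress

def _ip(v):
    ipaddress.ip_address(v)          # raises ValueError if not an IP address
def _mask(v):
    inv = ~int(ipaddress.IPv4Address(v)) & 0xFFFFFFFF
    if inv & (inv + 1):              # host bits must be one contiguous low-order run
        raise ValueError("not a 32-bit subnet mask")
def _port(v):
    if not 1 <= int(v) <= 65535:
        raise ValueError("port must be 1-65535")
def _one_of(*allowed):
    def check(v):
        if v not in allowed:
            raise ValueError("expected one of: " + ", ".join(allowed))
    return check
_bool = _one_of("true", "false")
RULES = {  # section -> setting -> validator; names and values as documented on this page
    "Certificate": {"Format": _one_of("PEM")},
    "Network": {"Address": lambda v: v == "DHCP" or _ip(v),
                "NetMask": _mask, "Gateway": _ip, "DNS": _ip},
    "Management": {"URL": str, "RegCode": str, "InstanceName": str},  # free-form
    "SecureDataWrite": {"Enabled": _bool},
    "PortAlarmProtection": {"Enabled": _bool},
    "syslog": {"ServerEnabled": _bool, "ServerIpAddress": _ip,
               "ServerPort": _port, "ServerProtocol": _one_of("TCP", "UDP")},
}

def lint_config(text):
    """Return 'Section.Setting: problem' strings for the text of a config.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str             # keep setting names exactly as written
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        for key, value in cp[section].items():
            try:
                rule = RULES[section][key]
                if value:            # empty is treated as unset (assumption)
                    rule(value)
            except KeyError:
                problems.append(f"{section}.{key}: not a documented setting")
            except ValueError as exc:
                problems.append(f"{section}.{key}: {exc}")
    return problems

# Constructed sample input, not taken from a real device.
SAMPLE = ("[Network]\nAddress = 10.0.0.300\nNetMask = 255.0.255.0\n"
          "[syslog]\nServerProtocl = UDP\nServerPort = 70000\n")
```

Calling lint_config(SAMPLE) reports the bad address, the non-contiguous mask, the misspelled ServerProtocl setting and the out-of-range port; an empty list means every setting matched the tables above.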
