Post on 26-Dec-2015
STONEGATE 5.3
ADMINISTRATOR'S GUIDE
FIREWALL
INTRUSION PREVENTION SYSTEM
MANAGEMENT CENTER
VIRTUAL PRIVATE NETWORKS
Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html

Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products is available at the Stonesoft website: www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation, on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (DoD), the Software is subject to Restricted Rights, as that term is defined in the DoD Supplement to the Federal Acquisition Regulations (DFAR) in paragraph 252.227-7013(c)(1). If the Software is supplied to any unit or agency of the United States Government other than DoD, the Government's rights in the Software will be as defined in paragraph 52.227-19(c)(2) of the Federal Acquisition Regulations (FAR). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) No 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license from the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; 7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty as to the correctness of the information and assumes no responsibility for errors, omissions, or damages resulting from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Revision: SGAG_20110916
TABLE OF CONTENTS
GETTING STARTED

CHAPTER 1  Using StoneGate Documentation ... 23
  Using This Documentation ... 24
    Typographical Conventions ... 24
  Additional Documentation ... 25
    Product Documentation ... 25
    Using Online Help Locally ... 26
    Support Documentation ... 26
    System Requirements ... 26
    Supported Features ... 27
  Contact Information ... 27
    Licensing Issues ... 27
    Technical Support ... 27
    Your Comments ... 27
    Security Related Questions and Comments ... 27
    Other Queries ... 27

CHAPTER 2  New in This Release ... 29
  Important Changes ... 30
    SMC: Access Rule User and Authentication Cells Combined ... 30
    SMC: Name Changes in Elements for User Authentication ... 30
  Other Changes in SMC 5.3.2 ... 31
    Enhancements to Authentication Server Component ... 31
    New LDAP Server and Active Directory Server Properties ... 31
    New User Properties ... 31
  Other Changes in SMC 5.3 ... 31
    Authentication Server Component ... 31
    Changes in Database Replication ... 31
    Monitoring Active VPN SAs and Users ... 32
    Snapshots of Log, Alert, and Audit Entries ... 32
    User Interface for Controlling Management Servers ... 32
  Other Changes in Firewall/VPN 5.3.1 ... 32
    Sub-Policies in IPv6 Access Rules ... 32
  Other Changes in Firewall/VPN 5.3 ... 32
    Anti-Spam Filtering ... 32
    Application Detection ... 33
    Browser-Based User Authentication ... 33
    Create Multiple Single Firewalls Wizard ... 33
    Domain Names ... 33
    IKEv2 Support for VPNs ... 33
    Interface Matching ... 33
    Plug-and-Play Configuration ... 33
    User-specific Firewall Rules without Authentication ... 34
    User Responses in Firewall Access Rules ... 34
    Aggregate Mode in VPN Multi-Link ... 34
    Wireless Interfaces ... 34
  Other Changes in IPS 5.2.100 ... 34
    File Context for Situations ... 34
  Notes on Policy Editing Changes for Upgrading Users ... 35
    Changes to Authentication Rule Configuration Logic ... 35
    Enhanced Matching Criteria Definitions ... 35
    Quick Filtering in Rule Cells ... 35
  Documentation Changes ... 35
    New Type of Online Help ... 35
    SOHO Firewall Information Removed ... 35
CHAPTER 3  Using the Management Client ... 37
  Overview to the Management Client ... 38
  Rearranging the General Layout ... 42
  Bookmarking Views ... 43
    Managing Bookmarks ... 43
    Creating New Bookmarks ... 44
    Creating New Bookmark Folders ... 45
    Adding Bookmarks to the Toolbar ... 45
  Changing the Startup View ... 46
  Using the Search Features ... 46
    Using Basic Element Search ... 46
    Searching for Element References ... 48
    Searching for Users ... 48
    Searching for Duplicate IP Addresses ... 49
    Using the DNS Search ... 49
      Creating Host Elements Based on DNS Queries ... 50
    Searching for Unused Elements ... 50
  Using Type-Ahead Search ... 51
  Saving as PDF or HTML ... 52
    PDF Output Settings ... 52
    Adding Style Templates for PDF Output ... 53
    Managing PDF Style Templates ... 54
  Sending Messages to Other Administrators ... 54
    Enabling/Disabling Administrator Messaging ... 54
    Sending Messages to Other Administrators ... 54
  Adding Custom Commands to Element Menus ... 55
    Creating a Tools Profile ... 55
    Attaching a Tools Profile to an Element ... 56

CHAPTER 4  Setting up the System ... 57
  Getting Started with the Management Center ... 58
  Getting Started with the Firewall ... 59
  Getting Started with the IPS ... 60

CHAPTER 5  Configuring System Communications ... 61
  Getting Started with System Communications ... 62
  Defining Locations ... 63
  Defining Contact IP Addresses ... 64
    Defining Engine Location ... 65
    Defining Contact Addresses for a Single Firewall or a Cluster Virtual IP Address ... 66
    Defining Contact Addresses for Node Dedicated IP Addresses ... 67
    Defining Contact Addresses for an IPS Engine ... 68
    Defining Server Contact Addresses ... 69
    Defining a Contact Address for External Security Gateway End-Point ... 70
  Selecting the Management Client Location ... 71
  Configuring Multi-Link System Communications ... 72

CHAPTER 6  Managing Elements ... 73
  Using Categories ... 74
    Configuration Overview ... 74
    Creating New Categories ... 74
    Selecting Categories for Elements ... 75
    Activating Categories ... 75
    Filtering With Several Categories ... 76
  Exporting, Importing, and Restoring Elements ... 77
    Exporting Elements ... 77
    Importing Elements ... 78
      Creating a CSV File or a TSV File ... 78
      Importing Elements from a File ... 79
    Restoring Elements from Policy Snapshots ... 80
  Locking and Unlocking Elements ... 81
  Deleting Elements ... 81

MONITORING

CHAPTER 7  Monitoring the System ... 85
  Getting Started with System Monitoring ... 86
  Monitoring the System Status ... 86
    Default Arrangement of System Status View ... 87
    System Summary ... 88
    Viewing System Status for a Selected Element ... 88
    Viewing Appliance Configuration Status ... 89
    Info Panel ... 89
    Commands for Monitoring Components ... 89
    Monitoring Tools in the Main Menu ... 90
    Reading Component Statuses ... 90
      Engine Hardware Malfunction Icons ... 91
      Replication Malfunction Icon ... 91
      Element Status Colors ... 91
      Node Status Colors ... 92
      NetLink Status Colors ... 92
      VPN Status Colors ... 93
      Connectivity Status Colors ... 93
  Creating Overviews ... 94
    Creating a New Overview ... 95
    Adding a New System Summary Section to an Overview ... 95
    Adding a New Statistics Section to an Overview ... 96
    Selecting Statistical Items ... 97
    Setting Thresholds for Monitored Items ... 98
  Monitoring Connections, Blacklists, VPN SAs, and Users ... 99
    Checking Connections, Blacklists, VPN SAs, and Users ... 100
    Saving Snapshots of Connections, Blacklists, VPN SAs, and Users ... 101
    Exporting Snapshots of Connections, Blacklists, VPN SAs, and Users ... 102
    Viewing Snapshots of Connections, Blacklists, VPN SAs, and Users ... 102
    Comparing Snapshots of Connections, Blacklists, VPN SAs, and Users ... 103
  Monitoring Connections on a Map ... 105
    Defining a New Geolocation ... 106
    Setting a Geolocation for an Element in the System Status View ... 107
  Monitoring Configurations and Policies ... 108
  Monitoring Administrator Actions ... 108
  Monitoring Task Execution ... 108
  Checking Maintenance Contract Information ... 109
    Enabling Automatic Maintenance Contract Checking ... 109
    Viewing Maintenance Contract Information ... 110
    Fetching Maintenance Contract Information ... 110
  Checking When Internal Certificates or Internal CAs Expire ... 110

CHAPTER 8  Monitoring Third-Party Devices ... 113
  Getting Started with Third-Party Device Monitoring ... 114
    Configuration Overview ... 114
  Converting Logs From External Devices ... 115
    Creating a Logging Profile Element ... 116
    Defining Ordered Field Logging Patterns ... 117
    Defining Key-Value Pair Logging Patterns ... 119
    Adding Field Resolvers ... 120
      Defining a Field Resolver for Multiple Values ... 120
      Defining a Field Resolver for Date and Time ... 121
    Validating a Logging Profile ... 121
  Monitoring the Status of Third-Party Devices ... 122
    Importing MIBs ... 123
    Creating a Probing Profile ... 124
  Activating Monitoring of a Third-Party Device ... 126
    Configuring a Third-Party Device for Monitoring ... 127
    Changing the Ports for Third-Party Device Monitoring ... 127
    Activating/Deactivating Third-Party Status Monitoring Alerts ... 127

CHAPTER 9  Browsing Logged Data ... 129
  Getting Started with the Logs View ... 130
    Overview ... 130
    Opening the Logs View ... 130
    Default (Records) Arrangement, Panels, and Tools ... 130
    Details Arrangement ... 133
    Statistics Arrangement ... 134
  Browsing Log Data ... 135
    Viewing Log Entry Details in the Side Panel ... 135
    Filtering Logs in the Logs View ... 136
      Specifying Filters for a Query ... 136
      Viewing Logs From Specific Components ... 138
      Viewing Logs From Specific Servers and Archive Folders ... 138
    Analyzing Logs, Alerts, and Audit Entries ... 139
      Saving Snapshots of Log, Alert, and Audit Entries ... 139
      Viewing Snapshots of Log, Alert, and Audit Entries ... 139
    Browsing Log Entries on a Timeline ... 140
    Viewing Temporary Log Entries ... 140
    Sorting Log Entries ... 140
    Checking WHOIS Records for IP Addresses in Logs ... 141
  Changing How Data Entries Are Displayed ... 142
    Increasing and Decreasing Text Size in Data Entries ... 142
    Changing the Time Zone for Log Browsing ... 142
    Changing Data Columns in the Log Entry Table ... 142
    Resolving Log Details to DNS Names or StoneGate Elements ... 143
    Deactivating/Activating Log Entry Highlighting ... 144
  Exporting Data from the Logs View ... 144
    Exporting Extracts of Log Data ... 144
    Exporting IPS Traffic Recordings ... 145
    Attaching Logs to Incident Cases ... 146
  Creating Rules From Logs ... 146

CHAPTER 10  Reports ... 149
  Getting Started with Reports ... 150
    Configuration Overview ... 150
  Creating and Editing Report Designs ... 151
    Creating a New Report Design ... 152
    Adding Sections to a Report Design ... 153
    Adding Items to a Report Section ... 154
  Generating and Viewing Reports ... 155
    Generating a Report ... 155
      Defining the Report Task ... 156
      Selecting Data Sources ... 157
    Canceling Ongoing Report Tasks ... 158
    Viewing Reports ... 158
  Exporting Reports ... 159
    Exporting a Report as Tab-delimited Text File ... 159
    Exporting a Report as a PDF File ... 159
    E-Mailing Reports ... 160
  Creating a System Audit Report ... 160

CHAPTER 11  Filtering Data ... 161
  Getting Started with Filtering Data ... 162
  Defining Filter Elements ... 163
    Basics of Constructing Data Filters ... 163
    Creating a Filter Element ... 164
    Adding and Modifying Filtering Criteria in Filters ... 165
    Removing Filtering Criteria from Filters ... 166
  Organizing Filter Elements ... 167
    Creating New Filter Tags ... 167
    Changing the Tag of a Filter ... 167
  Applying Filters ... 168

CHAPTER 12  Working With Diagrams ... 169
  Getting Started with Diagrams ... 170
    Configuration Overview ... 170
  Creating Diagrams ... 171
    Defining the Diagram Background ... 171
    Adding Elements to Diagrams ... 172
      Inserting New Elements Manually ... 172
      Creating Diagrams from Configured Elements ... 173
      Adding Text Comments to a Diagram ... 174
    Arranging Elements in Diagrams ... 174
    Connecting Elements in Diagrams ... 174
      Connecting Elements Automatically ... 175
      Connecting Elements Manually ... 175
    Creating Links Between Diagrams ... 175
      Specifying a Parent Diagram ... 175
      Creating Links from One Diagram to Another ... 176
  Viewing Diagrams ... 176
    Adjusting the Element Details in Diagrams ... 176
    Collapsing and Expanding Groups of Elements in Diagrams ... 177
    Zooming and Navigating Diagrams ... 177
  Printing Diagrams ... 177
  Exporting Diagrams as Images ... 178

CHAPTER 13  Incident Cases ... 179
  Getting Started with Incident Cases ... 180
    Configuration Overview ... 180
  Creating a New Incident Case ... 181
  Setting an Incident Context ... 181
  Attaching Data to Incident Cases ... 182
    Attaching Logs and Audit Entries to Incident Cases ... 182
    Attaching Policy Snapshots to Incident Cases ... 183
    Attaching Memos to Incident Cases ... 183
    Attaching Files to Incident Cases ... 184
  Adding Players to Incident Cases ... 184
  Adding Journal Entries to Incident Cases ... 185
  Working With Existing Incident Cases ... 185
    Opening an Incident Case for Editing ... 185
    Changing the Priority of an Incident Case ... 185
    Changing the State of an Incident Case ... 186
    Checking Incident History ... 186
CONTROLLING ENGINES

CHAPTER 14  Controlling Engine Operation ... 189
  Commanding Engines Remotely ... 190
    Turning Engines Online ... 190
    Turning Engines Offline ... 191
    Setting Nodes to Standby ... 191
    Rebooting Nodes ... 191
    Refreshing the Currently Installed Policy ... 192
  Commanding Engines Locally ... 192
  Setting Engine Options ... 192
    Enabling/Disabling Engine Status Monitoring ... 192
    Enabling/Disabling Firewall/VPN Diagnostics ... 193
    Disabling/Enabling User Database Replication ... 193
    Enabling/Disabling Status Surveillance ... 193
    Enabling/Disabling SSH Access to the Engine ... 194
    Changing the Engine Password ... 194
  Changing NetLink State Manually ... 195
  Disabling/Enabling Cluster Nodes ... 195
    Disabling Nodes of a Cluster Temporarily ... 195
    Re-Enabling Disabled Cluster Nodes ... 196
  Editing Engine Configurations ... 196

CHAPTER 15  Stopping Traffic Manually ... 197
  Terminating Connections Manually ... 198
  Blacklisting Connections Manually ... 198

CHAPTER 16  Working on the Engine Command Line ... 201
  Getting Started with the Engine Command Line ... 202
  Accessing the Engine Command Line ... 202
  Reconfiguring Basic Engine Settings ... 203
  Creating Engine Scripts ... 204
  Restoring a Previous Configuration Manually ... 205

MANAGEMENT CENTER CONFIGURATION

CHAPTER 17  Configuring Automatic Software Updates ... 209
  Getting Started with Automatic Updates and Engine Upgrades ... 210
  Configuring Automatic Updates and Engine Upgrades ... 210

CHAPTER 18  Administrator Accounts ... 213
  Getting Started with Administrator Accounts ... 214
    Configuration Overview ... 214
  Defining Administrator Roles and Access Control Lists ... 214
    Defining Administrator Roles ... 215
    Defining Access Control Lists ... 217
  Defining Administrator Accounts ... 218
    Creating a New Administrator Element ... 218
    Defining Administrator Permissions ... 220
    Defining Rights for Restricted Administrator Accounts ... 221
    Restricting the Logs an Administrator Can View ... 222
    Customizing Log Colors ... 223
  Defining Password and Login Settings for Administrators ... 224
    Enabling Enforcement of Password Settings ... 224
    Defining Password Policy Settings ... 225
  Changing Administrator Passwords ... 226
  Authenticating Administrators Using RADIUS Methods ... 227
  Deleting Administrator Accounts ... 228

CHAPTER 19  Alert Escalation ... 229
  Getting Started with Alert Escalation ... 230
    Configuration Overview ... 230
  Creating Alerts ... 231
    Defining Custom Alerts ... 231
    Defining What Triggers an Alert ... 232
  Defining Alert Chains ... 232
    Defining Alert Channels ... 233
    Creating New Alert Chains ... 234
    Modifying Existing Alert Chains ... 234
      Editing Alert Chains ... 234
      Defining the Final Action of an Alert Chain ... 236
  Defining Alert Policies ... 237
    Creating New Alert Policies ... 237
    Modifying Existing Alert Policies ... 237
      Editing Alert Policy Rules ... 238
  Installing Alert Policies ... 239
  Acknowledging Alerts ... 239
    Acknowledging Individual Alerts ... 240
    Acknowledging All Active Alerts ... 240
  Using Custom Scripts for Alert Escalation ... 240
  Setting up a Dedicated Alert Server ... 242
  Testing Alerts ... 242

CHAPTER 20  Domains ... 243
  Getting Started with Domains ... 244
    Configuration Overview ... 244
  Creating Domains ... 245
    Defining a Domain Logo ... 246
  Logging in to a Domain ... 247
  Logging out of a Domain ... 248
  Moving Elements Between Domains ... 248
  Using the Domain Overview ... 250
  Deleting Domains ... 250

CHAPTER 21  Setting up the Web Portal ... 251
  Getting Started with Web Portal Access ... 252
    Configuration Overview ... 252
  Defining Web Portal Server Settings ... 253
  Activating HTTPS on the Web Portal Server ... 254
  Allowing Web Portal Connections ... 255
  Defining Web Portal User Accounts ... 256
    Granting Engines to a Web Portal User ... 257
    Selecting Policy Permissions for a Web Portal User ... 258
    Selecting Log Browsing Permissions for a Web Portal User ... 259
    Selecting Report Data Permissions for a Web Portal User ... 259
  Customizing the Web Portal ... 260
    Adding a New Web Portal Language ... 260
      Importing a Web Portal Language File through the Management Client ... 260
      Importing a Web Portal Language File on the Command Line ... 261
    Enabling/Disabling a Web Portal Localization ... 261
    Customizing the Look of the Web Portal ... 262
  Writing Announcements to Web Portal Users ... 262

CHAPTER 22  Distributing Management Clients Through Web Start ... 265
  Getting Started with Web Start Distribution ... 266
    Configuration Overview ... 266
  Activating Web Start on the Management Server ... 267
  Distributing Web Start from External Servers ... 268
  Accessing the Web Start Clients ... 269

CHAPTER 23  Log Server Configuration ... 271
  Defining a Log Server ... 272
    Defining a Log Server Element ... 272
    Selecting Secondary Log Servers ... 273
    Certifying the Log Server ... 274
    Configuring an Alert Server ... 274
  Changing Log Server Configuration Parameters ... 275
  Exporting Log Data to Syslog ... 278
    Defining General Syslog Settings ... 278
    Exporting Log Filters for Syslog Sending ... 280
    Configuring Syslog Filter Settings ... 281
    Creating a Rule Allowing Traffic to the Syslog Server ... 281

CHAPTER 24  Secondary SMC Server Configuration ... 283
  About Secondary SMC Servers ... 284
  Installing a Secondary Management Server ... 284
    Configuration Overview ... 284
    Defining a Secondary Management Server Element ... 285
    Installing a License for a Secondary Management Server ... 286
    Creating Access Rules for a Secondary Management Server ... 287
    Installing Secondary Management Server Software ... 287
  Installing a Secondary Log Server ... 288
    Configuration Overview ... 289
    Creating a Secondary Log Server Element ... 289
    Installing a License for a Secondary Log Server ... 290
    Setting a Log Server as a Secondary Log Server ... 291
    Creating Access Rules for a Secondary Log Server ... 291
    Installing Secondary Log Server Software ... 291
  Changing the Active Management Server ... 292
  Disabling and Enabling Automatic Database Replication ... 293
  Synchronizing Management Databases Manually ... 294

CHAPTER 25  Reconfiguring the Management Center ... 295
  Modifying a Management Server Element ... 296
  Changing the Management Database Password ... 297
  Changing the Management Platform ... 297
Changing IP Addressing . . . . . . . . . . . . . . . . . 298Changing the Management Server IP Address 298Changing the Log Server IP Address . . . . . . . 299Changing IP Addresses of Combined Management/Log Servers . . . . . . . . . . . . . . 299
If Configuration Changes Prevent Managing the Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
ENGINE ELEMENT CONFIGURATION
CHAPTER 26 Creating and Modifying Engine Elements . . . 303
Getting Started with Engine Elements . . . 304
Configuration Overview . . . 304
Creating New Engine Elements . . . 305
Creating a New Single Firewall Element . . . 305
Creating Multiple Single Firewall Elements . . . 306
Defining Interfaces for the Multiple Single Firewall Elements . . . 308
Selecting Additional Configuration Options . . . 310
Defining Tester Settings for the Firewalls . . . 311
Defining Permissions for the Firewalls . . . 312
Defining TLS Inspection for the Firewalls . . . 312
Defining Advanced Settings for the Firewalls . . . 312
Defining End-Points for the Internal Security Gateways . . . 313
Uploading the Initial Configuration to the Installation Server . . . 315
Selecting a Policy to Install on the Firewalls . . . 316
Creating a New Firewall Cluster Element . . . 317
Creating a New Analyzer Element . . . 318
Creating a New Single Sensor Element . . . 318
Creating a New Sensor Cluster Element . . . 319
Creating a New Combined Sensor-Analyzer Element . . . 320
Creating a New SSL VPN Gateway Element . . . 321
Duplicating an Existing Engine Element . . . 322
Modifying Existing Engine Elements . . . 322
Modifying the Properties of One Engine Element . . . 323
Modifying Properties of Several Engines at Once . . . 323
Converting a Single Firewall to a Firewall Cluster . . . 324
Preparing for Conversion to a Firewall Cluster . . . 324
Converting a Single Firewall Element to a Firewall Cluster . . . 325
Activating the Clustered Configuration After Conversion . . . 327
Converting a Single Sensor to a Sensor Cluster . . . 328
Adding a Node to a Firewall or Sensor Cluster . . . 329
Changing Engine Control IP Address . . . 329
Changing Engine Control Address . . . 330
Changing Firewall Control Address to a Different Network . . . 330
Editing Single Firewall Properties . . . 331
Editing Firewall Cluster Properties . . . 332
Editing Analyzer Properties . . . 333
Editing Single Sensor Properties . . . 334
Editing Sensor Cluster Properties . . . 335
Editing Combined Sensor-Analyzer Properties . . . 336
About Engine Time Synchronization . . . 337
CHAPTER 27 Network Interface Configuration . . . 339
Getting Started with Interface Configuration . . . 340
Configuration Overview . . . 341
Firewall Interface Configuration . . . 341
Defining Physical Interfaces for Firewall Engines . . . 342
Adding VLAN Interfaces for Firewall Engines . . . 345
Adding ADSL Interfaces for Single Firewalls . . . 346
Adding Wireless Interfaces for Single Firewalls . . . 348
Configuring Advanced Interface Properties for Firewalls . . . 349
Defining SSID Interfaces for Single Firewalls . . . 352
Configuring Security Settings for SSID Interfaces . . . 354
Configuring MAC Filtering for SSID Interfaces . . . 355
Configuring Single Firewall IP Addresses . . . 356
Adding an IPv4 Address for a Single Firewall . . . 357
Configuring VRRP Settings for Single Firewalls . . . 358
Configuring PPPoE Settings for Single Firewalls . . . 359
Adding an IPv6 Address for a Single Firewall . . . 360
Configuring Firewall Cluster IP Addresses . . . 361
Adding IPv4 Addresses for a Firewall Cluster . . . 362
Adding IPv6 Addresses for a Firewall Cluster . . . 363
Defining Modem Interfaces for Single Firewalls . . . 364
Changing/Removing the PIN Code of a Modem Interface . . . 366
Setting Firewall Interface Options . . . 367
About Using a Dynamic IP Address on a Firewall Interface . . . 369
Sensor and Analyzer Interface Configuration . . . 369
Defining System Communication Interfaces for IPS Engines . . . 370
Defining Traffic Inspection Interfaces for Sensors . . . 371
Defining Logical Interfaces for Sensors . . . 372
Defining Reset Interfaces for Sensors . . . 372
Defining Capture Interfaces for Sensors . . . 373
Defining Inline Interfaces for Sensors . . . 374
Adding VLAN Interfaces for Sensors . . . 376
Setting Interface Options for IPS Engines . . . 377
Configuring Manual ARP Settings . . . 378
Activating the Internal DHCP Server on a Firewall Interface . . . 379
CHAPTER 28 Connecting Engines to the Management Center . . . 381
Getting Started with Connecting Engines to the SMC . . . 382
Configuration Overview . . . 383
Saving an Initial Configuration for Firewall or IPS Engines . . . 383
Creating One-Time Passwords . . . 383
Saving Initial Configuration Details . . . 384
Connecting SSL VPN Gateways to the SMC . . . 386
CHAPTER 29 Configuring the Engine Tester . . . 387
Getting Started with the Engine Tester . . . 388
Configuration Overview . . . 388
Specifying Global Engine Tester Settings . . . 389
Adding Engine Tests . . . 390
Configuring Additional Test-Specific Settings . . . 392
Additional Settings for the External Test . . . 392
Additional Settings for the File System Space Test . . . 393
Additional Settings for the Free Swap Space Test . . . 393
Additional Settings for the Link Status Test . . . 393
Additional Settings for the Multiping Test . . . 394
Checking Configured Tests . . . 395
Removing Engine Tests . . . 396
Disabling/Enabling Configured Engine Tests . . . 396
Disabling/Enabling Individual Engine Tests . . . 396
Disabling/Enabling All Custom Engine Tests . . . 397
CHAPTER 30 Engine Permissions . . . 399
Getting Started with Engine Permissions . . . 400
Configuration Overview . . . 400
Defining Administrator Permissions on Engines . . . 400
Selecting Permitted Policies for Engines . . . 401
CHAPTER 31 Alias Translations for Engines . . . 403
Getting Started with Alias Translations . . . 404
Defining Alias Translation Values . . . 404
Adding Alias Translation Values . . . 404
Removing Alias Translation Values . . . 405
CHAPTER 32 Advanced Engine Settings . . . 407
Getting Started with Advanced Engine Settings . . . 408
Adjusting Firewall System Parameters . . . 408
Adjusting Firewall Traffic Handling Parameters . . . 410
Adjusting Firewall Clustering Options . . . 411
Adjusting General Clustering Options . . . 411
Tuning the Firewall Load Balancing Filter . . . 413
Manually Tuning the Load Balancing Filter . . . 413
Adding Load Balancing Filter Entries . . . 414
Adjusting Single Firewalls Contact Policy . . . 415
Configuring Anti-Spam Settings . . . 416
Defining General Anti-Spam Settings . . . 416
Defining Scoring Settings for Anti-Spam . . . 418
Defining Spam Filtering Rules . . . 419
Defining Anti-Spam Rule Values . . . 421
Defining DNSBL Settings . . . 422
Modifying Advanced Anti-Spam Settings . . . 423
Modifying Anti-Spam Settings Elements . . . 425
Configuring Anti-Virus Settings . . . 426
Configuring Default SYN Flood Protection for a Firewall . . . 427
Configuring Log Handling Settings . . . 428
Adjusting Sensor-Analyzer Advanced Settings . . . 429
Adjusting Analyzer Advanced Settings . . . 429
Adjusting Sensor Advanced Settings . . . 430
Adjusting Sensor Clustering Options . . . 432
CHAPTER 33 Setting up SNMP for Engines . . . 433
Getting Started with SNMP Configuration . . . 434
Configuring SNMP Version 1 or 2c . . . 434
Configuring SNMP Version 3 . . . 435
Configuring What Triggers SNMP Traps . . . 435
Activating the SNMP Agent on Engines . . . 436
ROUTING
CHAPTER 34 Configuring Routing . . . 439
Getting Started with Routing . . . 440
Configuration Overview . . . 440
Adding Routes for Firewalls . . . 441
Defining a Single-Link Route for a Firewall . . . 441
Defining a Multi-Link Route for a Firewall . . . 442
Creating NetLinks . . . 442
Adding a Multi-Link Route . . . 444
Routing DHCP Messages . . . 445
Defining a DHCP Server . . . 446
Enabling DHCP Relay . . . 447
Activating the DHCP Relay Sub-policy . . . 447
Routing Multicast Traffic . . . 448
Defining Static Multicast . . . 448
Defining IGMP-Based Multicast Forwarding . . . 449
Defining Policy Routing . . . 451
Adding Routes for IPS Components . . . 453
Removing Routes . . . 454
Modifying Antispoofing for Firewalls . . . 454
Deactivating Antispoofing for an IP Address/Interface Pair . . . 455
Activating Antispoofing for Routable IP Addresses . . . 456
Checking Routes . . . 456
CHAPTER 35 Outbound Traffic Management . . . 457
Getting Started with Outbound Traffic Management . . . 458
Configuration Overview . . . 458
Configuring Outbound Multi-Link Settings . . . 459
Creating an Outbound Multi-Link Element . . . 459
Selecting NetLinks for an Outbound Multi-Link . . . 461
Defining Destination Cache Settings . . . 462
Creating Outbound Load Balancing NAT Rules . . . 462
Monitoring And Testing Outbound Traffic Management . . . 464
CHAPTER 36 Inbound Traffic Management . . . 465
Getting Started with Inbound Traffic Management . . . 466
Configuration Overview . . . 466
Defining a Server Pool . . . 467
Creating a New Server Pool Element . . . 467
Defining External Address(es) of Server Pool . . . 467
Adding Server Pool Members . . . 468
Installing Monitoring Agents . . . 469
Uninstalling Monitoring Agents . . . 470
Configuring Monitoring Agents . . . 471
Editing sgagent.local.conf . . . 471
Editing sgagent.conf . . . 472
Editing the sgagent.conf Statement Section . . . 473
Options in the sgagent.conf Statement Section . . . 474
Monitoring Agent Statement Configuration Examples . . . 475
Editing the sgagent.conf Test Section . . . 477
Monitoring Agent Test Configuration Examples . . . 479
Editing Internal Tests for Monitoring Agents . . . 480
Monitoring Agent Internal Test Examples . . . 482
Enabling Monitoring Agents . . . 485
Entering Server Pool IP Addresses on Your DNS Server . . . 485
Creating Access Rules for Inbound Load Balancing . . . 486
Configuring Dynamic DNS Updates . . . 487
Configuration Overview . . . 487
Improving DDNS Security . . . 487
Defining an External DNS Server . . . 488
Defining the Dynamic DNS Update Information . . . 489
Defining a Dynamic DNS Rule . . . 490
Monitoring and Testing Monitoring Agents . . . 490
TRAFFIC INSPECTION POLICIES
CHAPTER 37 Creating and Managing Policy Elements . . . 493
Getting Started with Policies . . . 494
Configuration Overview . . . 495
Creating a New Template Policy or a Policy . . . 495
Creating a New Sub-Policy . . . 496
Creating a New Empty Sub-Policy . . . 497
Converting Existing Rules into a Sub-Policy . . . 497
Installing Policies . . . 498
Tracking Policy Changes . . . 499
Checking the Currently Installed Policy . . . 499
Previewing the Currently Installed Policy . . . 500
Checking and Comparing Policy Versions . . . 500
Viewing Policy Snapshots . . . 500
Comparing Two Policy Snapshots . . . 501
Checking for Untransferred Configuration Changes . . . 501
Moving the Policy Under a Different Template . . . 502
Deleting Policies, Templates, and Sub-Policies . . . 502
CHAPTER 38 Editing Policies . . . 503
Getting Started with Editing the Rules in Policies . . . 504
Using the Policy Editing View . . . 505
Editing Rule Tables . . . 506
Editing Rule Cells . . . 506
Defining Source, Destination, and Service Criteria . . . 507
Adding Comments in Policies . . . 508
Reading Rule Identifiers . . . 509
Searching in Rules . . . 509
Finding Unused Rules in Firewall Policies (Hit Counters) . . . 510
Adding Insert Points in Policy Templates . . . 511
Editing Ethernet Rules . . . 511
Defining Logging Options for Ethernet Rules . . . 512
Defining a MAC Address for Ethernet Rules . . . 513
Editing Access Rules . . . 513
Defining What Traffic an Access Rule Matches . . . 514
Defining What Action an Access Rule Takes . . . 516
Defining Access Rule Action Options . . . 517
Defining Apply Blacklist Action Options . . . 517
Defining Discard Action Options . . . 518
Defining Jump Action Options . . . 518
Defining Firewall Allow Action Options . . . 519
Defining Firewall Continue Action Options in Access Rules . . . 522
Defining Firewall Use VPN Action Options . . . 523
Defining IPS Allow Action Options . . . 523
Defining IPS Continue Action Options in Access Rules . . . 524
Defining IPS Refuse Action Options . . . 524
Defining Access Rule Logging Options . . . 525
Defining Access Rule Authentication Options . . . 526
Editing Inspection Rules . . . 527
Modifying the Inspection Rules Tree . . . 527
Changing Inspection Rules Tree Settings . . . 528
Defining Logging Options for Inspection Rules . . . 529
Adding Situations to the Rules Tree . . . 530
Removing Overrides From the Rules Tree . . . 531
Adding Exceptions to Inspection Rules . . . 531
Defining What Traffic an Inspection Exception Rule Matches . . . 531
Defining What Action an Inspection Exception Rule Takes . . . 533
Defining Firewall Continue Action Options in Inspection Exceptions . . . 534
Defining Firewall Permit Action Options . . . 534
Defining Firewall Terminate Action Options . . . 535
Defining IPS Continue Action Options in Inspection Exceptions . . . 536
Defining IPS Permit Action Options in Inspection Exceptions . . . 537
Defining IPS Terminate Action Options . . . 537
Defining Logging Options for Inspection Exceptions . . . 539
Editing NAT Rules . . . 540
Adding a NAT Rule . . . 541
Defining What Traffic a NAT Rule Matches . . . 541
Overwriting the Source Address in Packets . . . 543
Defining Static Source Translation Options . . . 544
Defining Dynamic Source Translation Options . . . 545
Overwriting the Destination Address in Packets . . . 546
NAT Rule Examples . . . 548
Example of a Static Source Translation Rule . . . 548
Example of a Dynamic Source Translation Rule . . . 549
Example of a Destination Translation Rule . . . 550
Example of a Combined Source And Destination Translation Rule . . . 550
Limiting the Time when a Rule Is Active . . . 551
Validating Rules Automatically . . . 552
Overriding Default Validation Options for Rules . . . 553
Selecting Rule Validation Settings . . . 554
Viewing Policy Validation Issues . . . 555
Disabling a Validation Warning for a Rule . . . 556
Excluding Rules from Policy Validation . . . 556
Changing Default Rules . . . 556
CHAPTER 39 Defining IP Addresses . . . 557
Getting Started with Defining IP Addresses . . . 558
Defining IP Addresses as Elements . . . 559
Defining Address Range Elements . . . 559
Defining Alias Elements . . . 560
Defining Domain Name Elements . . . 561
Defining Expression Elements . . . 561
Defining Group Elements . . . 563
Defining Host Elements . . . 564
Defining Network Elements . . . 565
Defining Router Elements . . . 566
Defining Zone Elements . . . 567
Using Feature-Specific Elements in Policies . . . 568
CHAPTER 40 Defining Network Services . . . 571
Getting Started with Services . . . 572
Configuration Overview . . . 572
Defining Services . . . 573
Defining a New IP-Based Service . . . 573
Defining a New Ethernet Service . . . 575
Grouping Services . . . 576
Using Protocol Elements . . . 576
Defining Protocol Parameters . . . 577
Defining DNS Protocol Parameters . . . 577
Defining FTP Protocol Parameters . . . 578
Defining GRE Protocol Parameters . . . 579
Defining H323 Protocol Parameters . . . 580
Defining HTTP/HTTPS Protocol Parameters . . . 580
Defining IPv4 Encapsulation Protocol Parameters . . . 582
Defining IPv6 Encapsulation Protocol Parameters . . . 582
Defining MSRPC Protocol Parameters . . . 583
Defining NetBIOS Protocol Parameters . . . 584
Defining Oracle Protocol Parameters . . . 584
Defining Shell (RSH) Protocol Parameters . . . 585
Defining SIP Protocol Parameters . . . 586
Defining SMTP Protocol Parameters . . . 587
Defining SSH Protocol Parameters . . . 587
Defining SunRPC Protocol Options . . . 588
Defining TCP Proxy Protocol Parameters . . . 589
Defining TFTP Protocol Parameters . . . 590
CHAPTER 41 Defining Situations . . . 593
Getting Started With Situations . . . 594
Configuration Overview . . . 595
Creating New Situation Elements . . . 595
Defining Context Options for Situations . . . 597
Defining HTTP URL Filter Options . . . 598
Defining Port/Host Scan Detection Options . . . 598
Defining Context Options for Correlation Situations . . . 600
Configuring Compress Contexts . . . 600
Configuring Count Contexts . . . 601
Configuring Group Contexts . . . 602
Configuring Match Contexts . . . 603
Configuring Sequence Contexts . . . 603
Defining Tags for Situations . . . 604
Creating a New Tag . . . 604
Adding Tags to One Situation at a Time . . . 604
Adding Tags to Several Situations at Once . . . 605
Removing Tags from Situations . . . 605
Working With Vulnerabilities . . . 606
Creating New Vulnerability Elements . . . 606
Associating Vulnerabilities With Situations . . . 607
CHAPTER 42 Working With Applications . . . 609
Getting Started With Applications . . . 610
Configuration Overview . . . 610
Creating TLS Matches . . . 610
Creating Access Rules for Application Detection . . . 611
Overriding Application Properties in Service Definitions . . . 612
Enabling Logging of Application Information . . . 613
Enabling Collection of Application Data for Reports . . . 614
CHAPTER 43 Defining User Responses . . . 615
Getting Started with User Responses . . . 616
Configuration Overview . . . 616
Creating User Responses . . . 616
Defining User Response Entries . . . 617
CHAPTER 44 Quality of Service (QoS) . . . 619
Getting Started with QoS . . . 620
Configuration Overview . . . 621
Creating QoS Classes . . . 621
Defining QoS Policies . . . 622
Creating New QoS Policies . . . 622
Editing QoS Rules . . . 622
Matching QoS Rules to Network Traffic . . . 623
Defining Speed and QoS Policy for Interfaces . . . 624
CHAPTER 45 Filtering Web Addresses . . . 627
Getting Started with Web Filtering . . . 628
Configuration Overview . . . 628
Blacklisting/Whitelisting Web URLs Manually . . . 629
Creating Web Filtering Rules . . . 630
CHAPTER 46 Setting up TLS Inspection . . . 631
Getting Started with TLS inspection . . . 632
Configuration Overview . . . 633
Configuring Server Protection . . . 634
Configuring Client Protection . . . 635
Creating Client Protection Certificate Authority Elements . . . 635
Importing a Private Key and Signing Certificate for HTTPS Client Protection . . . 636
Generating a Private Key and Signing Certificate for HTTPS Client Protection . . . 636
Exporting an HTTPS Client Protection Certificate . . . 637
Defining Trusted Certificate Authorities for TLS inspection . . . 638
Creating Trusted Certificate Authority Elements . . . 638
Importing a Trusted Certificate Authority Certificate for TLS inspection . . . 639
Configuring Certificate Revocation List Checks for TLS inspection . . . 639
Activating TLS inspection on the Engine . . . 640
Excluding Connections from TLS inspection . . . 641
Globally Excluding Connections From Decryption . . . 641
Excluding Domains from Inspection of HTTPS Traffic . . . 642
Defining a Custom HTTPS Service . . . 643
Creating Access Rules for TLS inspection . . . 644
CHAPTER 47 External Content Inspection . . . 645
Getting Started with External Content Inspection . . . 646
Configuration Overview . . . 646
Defining a Content Inspection Server Element . . . 647
Defining a Service for CIS Redirection . . . 648
Creating a Service for CIS Redirection . . . 648
Defining Protocol Parameters for CIS Redirection . . . 649
Defining Access Rules for CIS Redirection . . . 650
Defining NAT Rules for CIS Redirection . . . 651
CHAPTER 48 Blacklisting IP Addresses . . . 653
Getting Started with Blacklisting . . . 654
Configuration Overview . . . 655
Enabling Blacklist Enforcement . . . 656
Configuring Automatic Blacklisting . . . 657
Defining Destination Interfaces for Automatic Blacklisting . . . 657
Defining Which Traffic is Blacklisted Automatically . . . 658
Adding a Rule for Automatic Blacklisting . . . 658
Defining Blacklisting Rule Action Options . . . 658
Blacklisting Traffic Manually . . . 659
USERS AND AUTHENTICATION
CHAPTER 49 Setting up Directory Servers . . . 663
Getting Started with Directory Servers . . . 664
Configuration Overview . . . 664
Integrating External Directory Servers . . . 665
Configuring Schema Files on External Directory Servers . . . 666
Defining Active Directory Server Elements . . . 666
Defining LDAP Server Elements . . . 667
Configuring LDAP Connection Settings . . . 668
Configuring LDAP Attribute Mapping . . . 669
Adding LDAP Object Classes . . . 670
Adding Authentication Methods . . . 670
Defining the Active Directory Domain Controllers . . . 671
Defining LDAP Domains . . . 672
Enabling Access Control by User . . . 674
Allowing Communication With the User Agent . . . 675
Creating User Agent Elements . . . 675
Selecting User Agents for Firewalls . . . 676
Generating a Certificate and Saving the Configuration . . . 676
Installing User Agents . . . 677
Defining User Accounts . . . 678
Defining User Groups . . . 678
Defining Users . . . 679
Linking Authentication Server Users to External Directories . . . 682
Selecting Domain Nodes for User Linking . . . 682
Creating and Linking Authentication Server User Accounts . . . 683
Managing User Information . . . 686
Adding/Removing Users From User Groups . . . 686
Importing and Exporting User Information . . . 686
Importing Users from an LDIF File . . . 687
Exporting Users to an LDIF File . . . 687
Changing User Passwords . . . 687
Clearing the Authentication Settings of a User . . . 688
Resetting Local User Database on Firewalls . . . 688
Setting User Database Replication to Firewalls On or Off . . . 688
CHAPTER 50 Setting up User Authentication . . . 689
Getting Started with User Authentication . . . 690
Configuration Overview . . . 691
Integrating External Authentication Services . . . 692
Defining RADIUS or TACACS+ Authentication Servers . . . 692
Defining Authentication Methods for External Servers . . . 694
Integrating Authentication Server Services . . . 695
Defining Authentication Server Authentication Methods . . . 696
Defining Authentication Server RADIUS Clients . . . 698
Defining Authentication Server Notification Channels . . . 699
Creating and Signing Authentication Server Certificates . . . 701
Enabling Federated Authentication With the Authentication Server . . . 702
Enabling RADIUS Accounting With the Authentication Server . . . 703
Defining IPv4 Access Rules for Authentication . . . 703
Enabling Browser-Based User Authentication . . . 704
Creating and Signing HTTPS Certificates for Browser-Based User Authentication . . . 706
Defining IPv4 Access Rules for Browser-Based User Authentication . . . 707
Enabling Redirection of Unauthenticated HTTP Connections . . . 707
Authenticating to a StoneGate Firewall . . . 709
Customizing the HTML Pages Profile for Browser-Based User Authentication . . . 709
Exporting the Default HTML Pages Profile . . . 709
Customizing the Default HTML Pages . . . 710
Importing the Custom HTML Pages . . . 710
Customizing the Telnet Authentication Prompt . . . 711
Monitoring and Testing User Authentication . . . 712
VIRTUAL PRIVATE NETWORKS
CHAPTER 51Basic VPN Configurations . . . . . . . . . . . . . . . . 715
Getting Started With Basic VPN Configuration . . . . 716
Configuration 1: Basic VPN Between StoneGate Gateways . . . . 716
Creating Gateway Elements for Configuration 1 . . . . 717
Creating a VPN Element for Configuration 1 . . . . 718
Creating Rules for VPN Configuration 1 . . . . 719
Configuration 2: Basic VPN With a Partner Gateway . . . . 720
Creating an Internal Gateway Element for Configuration 2 . . . . 721
Creating an External Gateway Element for Configuration 2 . . . . 722
Defining a Site for External Gateway in Configuration 2 . . . . 723
Creating a VPN Profile for Configuration 2 . . . . 724
Creating a VPN Element for Configuration 2 . . . . 726
Creating Rules for Configuration 2 . . . . 728
Configuration 3: Basic VPN for Remote Clients . . . . 729
Managing VPN Client Addresses in Configuration 3 . . . . 729
Creating Gateway Elements for Configuration 3 . . . . 730
Adding VPN Client Settings for Configuration 3 . . . . 731
Creating a VPN Element for Configuration 3 . . . . 732
Creating Users for VPN Configuration 3 . . . . 734
Creating Rules for VPN Configuration 3 . . . . 735
Configuration 4: Basic VPN Hub . . . . 736
Creating Gateway Elements for VPN Configuration 4 . . . . 737
Creating a VPN Element for VPN Configuration 4 . . . . 738
Defining Site Properties for VPN Configuration 4 . . . . 738
Creating Rules for VPN Configuration 4 . . . . 739
CHAPTER 52 Configuring IPsec VPNs . . . . 741
Getting Started With IPsec VPNs . . . . 742
Configuration Overview . . . . 743
Configuring IPsec VPNs . . . . 744
Defining Gateway Profiles . . . . 744
Defining a Custom Gateway Profile . . . . 745
Defining Security Gateways . . . . 747
Creating a New Security Gateway Element . . . . 747
Defining End-Points for Internal Security Gateways . . . . 748
Defining End-Points for External Security Gateways . . . . 751
Defining Trusted CAs for a Gateway . . . . 753
Defining Gateway-Specific VPN Client Settings . . . . 754
Defining Sites for VPN Gateways . . . . 756
Disabling/Re-Enabling Automatic VPN Site Management . . . . 756
Adjusting Automatic VPN Site Management . . . . 757
Adding a New VPN Site . . . . 758
Defining Protected Networks for VPN Sites . . . . 758
Adjusting VPN-Specific Site Settings . . . . 759
Disabling a VPN Site Temporarily in All VPNs . . . . 759
Removing a VPN Site Permanently from All VPNs . . . . 760
Defining VPN Profiles . . . . 760
Creating a New VPN Profile . . . . 761
Modifying an Existing VPN Profile . . . . 761
Defining IKE SA Settings for a VPN . . . . 762
Defining IPsec SA Settings for a VPN . . . . 764
Defining VPN Client Settings . . . . 766
Defining Trusted CAs for a VPN . . . . 768
Defining a VPN Element . . . . 769
Creating a New VPN Element . . . . 769
Modifying an Existing VPN Element . . . . 770
Defining VPN Topology . . . . 771
Defining VPN Tunnel Settings . . . . 772
Editing VPN Link Modes . . . . 775
Creating VPN Rules . . . . 776
Creating Basic VPN Rules for Gateway Connections . . . . 777
Creating Basic Rules for VPN Client Connections . . . . 778
Creating Forwarding VPN Rules on Hub Gateways . . . . 779
Preventing Other Access Rules from Matching VPN Traffic . . . . 780
Creating NAT Rules for VPN Traffic . . . . 781
Monitoring VPNs . . . . 782
CHAPTER 53 Managing VPN Certificates . . . . 783
Getting Started With VPN Certificates . . . . 784
Configuration Overview . . . . 784
Defining a VPN Certificate Authority . . . . 785
Creating and Signing VPN Certificates . . . . 787
Creating a VPN Certificate or Certificate Request for an Internal Gateway . . . . 787
Signing External Certificate Requests Internally . . . . 788
Uploading VPN Certificates Manually . . . . 790
Renewing VPN Certificates . . . . 790
Exporting the Certificate of VPN Gateway or VPN CA . . . . 792
Importing a VPN Gateway Certificate . . . . 793
Checking When Gateway Certificates Expire . . . . 793
Checking When an Internal VPN CA Expires . . . . 794
CHAPTER 54 Reconfiguring Existing VPNs . . . . 795
Adding or Removing Tunnels Within a VPN . . . . 796
Configuring NAT Settings for an Existing VPN . . . . 796
Activating NAT Traversal . . . . 796
Translating Addresses of VPN Communications Between Gateways . . . . 797
Translating Addresses in Traffic Inside a VPN Tunnel . . . . 797
Adding New Gateways to an Existing VPN . . . . 798
Changing Gateway IP Addressing in an Existing VPN . . . . 798
Giving VPN Access to Additional Hosts . . . . 799
Routing Internet Traffic Through VPNs . . . . 799
Routing Traffic Between VPN Tunnels . . . . 800
Renewing or Generating Pre-Shared Keys . . . . 801
Generating a New Pre-Shared Key Automatically . . . . 801
Configuring Pre-Shared Keys Manually . . . . 801
Advanced VPN Tuning . . . . 802
Defining a Custom Gateway Settings Element . . . . 802
Adjusting MOBIKE Settings . . . . 803
Adjusting Negotiation Retry Settings . . . . 804
Adjusting Certificate Cache Settings . . . . 805
Assigning the Gateway Settings for a Firewall/VPN Engine . . . . 805
CHAPTER 55 VPN Client Settings . . . . 807
Getting Started With VPN Client Settings . . . . 808
List of VPN Client Settings in the Management Client . . . . 809
Managing VPN Client IP Addresses . . . . 812
Configuring NAT Pool for VPN Clients . . . . 813
Configuring Virtual IP Addressing for VPN Clients . . . . 813
Configuring the Gateway for Virtual IP Address Clients . . . . 814
Allowing DHCP Relay in the Policy . . . . 816
Exporting VPN Client Configuration to a File . . . . 816
MAINTENANCE AND UPGRADES
CHAPTER 56 Backing up and Restoring System Configurations . . . . 819
Getting Started with Backups . . . . 820
Configuration Overview . . . . 820
Creating Backups . . . . 821
Storing Backup Files . . . . 822
Restoring Backups . . . . 822
Restoring a Management Server Backup . . . . 823
Restoring a Log Server Backup . . . . 823
Restoring an Authentication Server Backup . . . . 824
Recovering from a Hardware Failure . . . . 824
CHAPTER 57 Managing Log Data . . . . 827
Getting Started with Log Data Management . . . . 828
Configuration Overview . . . . 828
Defining When Logs Are Generated . . . . 829
Archiving Log Data . . . . 830
Creating an Archive Log Task . . . . 830
Selecting Log Data for Archiving . . . . 831
Selecting Operation Settings for Archiving Log Data . . . . 831
Deleting Log Data . . . . 832
Creating a Delete Log Task . . . . 832
Selecting Data for Deleting Logs . . . . 833
Selecting Operation Settings for Deleting Logs . . . . 834
Pruning Log Data . . . . 835
Disabling Pruning Filters . . . . 836
Exporting Log Data . . . . 837
Creating an Export Log Task . . . . 837
Selecting Data for Log Export . . . . 838
Selecting Operation Settings for Log Export . . . . 839
Viewing a History of Executed Log Tasks . . . . 840
CHAPTER 58 Managing and Scheduling Tasks . . . . 841
Getting Started with Tasks . . . . 842
Configuration Overview . . . . 842
Task Types . . . . 843
Creating New Task Definitions . . . . 844
Creating Backup Tasks . . . . 845
Creating Policy Refresh Tasks . . . . 845
Creating Policy Upload Tasks . . . . 846
Creating Remote Upgrade Tasks . . . . 847
Creating SGInfo Tasks . . . . 847
Scheduling Tasks . . . . 848
Starting Tasks Manually . . . . 848
Pausing the Scheduled Execution of a Task . . . . 849
Cancelling a Task Schedule . . . . 849
Stopping Task Execution . . . . 850
CHAPTER 59 Managing Licenses . . . . 851
Getting Started with Licenses . . . . 852
Generating New Licenses . . . . 854
Upgrading Licenses Manually . . . . 855
Changing License Binding Details . . . . 856
Installing Licenses . . . . 857
Installing a License for an Unlicensed Component . . . . 857
Replacing the License of a Previously Licensed Component . . . . 858
Checking If All Components Are Licensed . . . . 859
Checking License Validity and State . . . . 859
CHAPTER 60 Upgrading the Management Center . . . . 861
Getting Started with Upgrading the SMC . . . . 862
Configuration Overview . . . . 863
Obtaining the SMC Installation Files . . . . 863
Upgrading Management Center Servers . . . . 864
Default Installation Directories for SMC . . . . 865
CHAPTER 61 Upgrading the Engines . . . . 867
Getting Started with Upgrading Engines . . . . 868
Configuration Overview . . . . 868
Obtaining Engine Upgrade Files . . . . 869
Upgrading Engines Remotely . . . . 870
CHAPTER 62 Manual Dynamic Updates . . . . 873
Getting Started with Manual Dynamic Updates . . . . 874
Configuration Overview . . . . 874
Importing an Update Package . . . . 875
Activating an Update Package . . . . 875
TROUBLESHOOTING
CHAPTER 63 General Troubleshooting Tips . . . . 879
If Your Problem Is Not Listed . . . . 880
Tools For Further Troubleshooting . . . . 880
CHAPTER 64 Troubleshooting Accounts and Passwords . . . . 881
Forgotten Passwords . . . . 882
User Account Changes Have no Effect . . . . 883
Creating an Emergency Administrator Account . . . . 883
CHAPTER 65 Troubleshooting Alert, Log, and Error Messages . . . . 885
Alert Log Messages . . . . 886
Certificate Authority Expired/Expiring Alerts . . . . 886
Certificate Expired/Expiring Alerts . . . . 886
Log Spool Filling . . . . 886
Status Surveillance: Inoperative Security Engines . . . . 886
System Alert . . . . 887
Test Failed . . . . 887
Throughput License Exceeded . . . . 887
Log Messages . . . . 888
Connection Closed/Reset by Client/Server . . . . 888
Connection Removed During Connection Setup . . . . 888
Connection State Might Be Too Large . . . . 888
Connection Timeout . . . . 889
Incomplete Connection Closed . . . . 890
NAT Balance: Remote Host Does Not Respond . . . . 890
Not a Valid SYN Packet . . . . 891
Requested NAT Cannot Be Done . . . . 892
Spoofed Packets . . . . 892
IPsec VPN Log Messages . . . . 892
Error Messages . . . . 893
Command Failed/Connect Timed out . . . . 893
PKIX Validation Failed . . . . 893
Policy Installation Errors . . . . 893
Unexpected Error . . . . 893
CHAPTER 66 Troubleshooting Certificates . . . . 895
Understanding Certificate-Related Problems . . . . 896
Replacing Expired/Missing Certificates . . . . 898
Renewing SMC Server Certificates . . . . 898
Renewing Engine Certificates . . . . 899
Dealing with Expiring Certificate Authorities . . . . 900
CHAPTER 67 Troubleshooting Engine Operation . . . . 903
Node Does not Go or Stay Online . . . . 904
Error Commanding an Engine . . . . 904
Errors with Heartbeat and Synchronization . . . . 905
Problems Contacting the Management Server . . . . 905
CHAPTER 68 Troubleshooting Licensing . . . . 907
Troubleshooting Licensing . . . . 908
License Is Shown as Retained . . . . 908
License Is Shown as Unassigned . . . . 909
Throughput License Exceeded Alerts . . . . 909
CHAPTER 69 Troubleshooting Logging . . . . 911
Problems With Viewing Logs . . . . 912
Logs Are Filling up the Storage Space . . . . 912
Log Server Does not Run . . . . 913
CHAPTER 70 Troubleshooting the Management Client . . . . 915
Some Options Are Disabled . . . . 916
Slow Startup and Use . . . . 916
Problems Logging In with the Management Client . . . . 917
Problems with Layout and Views . . . . 917
Problems With Viewing Statistics . . . . 917
Problems with Status Monitoring . . . . 918
Problems Installing Web Start on an External Server . . . . 918
CHAPTER 71 Troubleshooting NAT . . . . 921
Troubleshooting NAT Errors . . . . 922
NAT Is Not Applied Correctly . . . . 922
NAT Is Applied When it Should Not Be . . . . 923
CHAPTER 72 Troubleshooting Policies . . . . 925
Troubleshooting Firewall Policy Installation . . . . 926
The Engine Performs a Roll-Back at Policy Installation . . . . 926
The Management Server Contact to Nodes Times Out . . . . 926
Policy Installation Fails for Some Other Reason . . . . 927
Warning Automatic Proxy ARP Option Is Ignored . . . . 927
Troubleshooting IPS Policy Installation . . . . 928
Troubleshooting Rules . . . . 928
Validating Rules . . . . 928
Rule That Allows ANY Service Does Not Allow All Traffic . . . . 928
Inspection Rules Produce False Positives . . . . 929
How to Enable Passthrough for PPTP Traffic . . . . 929
Traffic I Want to Allow Is Stopped by the Firewall . . . . 930
Packets Are Dropped as Spoofed . . . . 931
Unsupported Definitions in IPv6 Access Rules . . . . 931
CHAPTER 73 Troubleshooting Reporting . . . . 933
Troubleshooting Reporting . . . . 934
No Report is Generated at All . . . . 934
Empty Report Sections or Incomplete Data . . . . 935
CHAPTER 74 Troubleshooting Upgrades . . . . 937
Upgrade Fails Because of Running Services . . . . 938
StoneGate Will Not Be Installed Properly . . . . 938
CHAPTER 75 Troubleshooting VPNs . . . . 939
Checking Automatic VPN Validation Results . . . . 940
Reading VPN-related Logs . . . . 940
VPN Certificate Issues . . . . 941
Problems with Internal to External Gateway VPN . . . . 941
Problems Connecting With a StoneGate VPN Client . . . . 942
REFERENCE
APPENDIX A Command Line Tools . . . . 945
Management Center Commands . . . . 946
Engine Commands . . . . 955
Server Pool Monitoring Agent Commands . . . . 961
APPENDIX B Default Communication Ports . . . . 963
Management Center Ports . . . . 964
Firewall/VPN Engine Ports . . . . 966
IPS Engine Ports . . . . 969
. . . . 971
APPENDIX C Predefined Aliases . . . . 973
Pre-Defined User Aliases . . . . 974
System Aliases . . . . 974
APPENDIX D Regular Expression Syntax . . . . 977
Syntax for StoneGate Regular Expressions . . . . 978
Special Character Sequences . . . . 980
Pattern-Matching Modifiers . . . . 981
Bit Variable Extensions . . . . 982
Variable Expression Evaluation . . . . 984
Stream Operations . . . . 986
Other Expressions . . . . 987
System Variables . . . . 988
Independent Subexpressions . . . . 989
Parallel Matching Groups . . . . 990
APPENDIX E SNMP Traps and MIBs . . . . 991
APPENDIX F Schema Updates for External LDAP Servers . . . . 1007
APPENDIX G Log Fields . . . . 1009
Log Entry Fields . . . . 1010
Non-exportable Log Entry Fields . . . . 1010
Exportable Alert Log Entry Fields . . . . 1014
Exportable Alert Trace Log Entry Fields . . . . 1014
Exportable Audit Log Entry Fields . . . . 1015
Exportable Firewall Log Entry Fields . . . . 1016
Exportable IPS Log Entry Fields . . . . 1018
Exportable IPS Recording Log Entry Fields . . . . 1030
Exportable SSL VPN Log Entry Fields . . . . 1031
Facility Field Values . . . . 1031
Type Field Values . . . . 1033
Action Field Values . . . . 1034
Event Field Values . . . . 1034
IPsec VPN Log Messages . . . . 1039
VPN Notifications . . . . 1039
VPN Errors . . . . 1041
VPN Error Codes . . . . 1043
Audit Entry Types . . . . 1044
Syslog Entries . . . . 1049
Log Fields Controlled by the Additional Payload Option . . . . 1049
Connection States . . . . 1050
APPENDIX H Keyboard Shortcuts . . . . 1053
General Shortcuts . . . . 1054
Shortcuts for Browsing Logs and Alerts . . . . 1055
Other View-Specific Shortcuts . . . . 1057
Glossary . . . . 1059
Index . . . . 1089
GETTING STARTED
In this section:
Using StoneGate Documentation - 23
New in This Release - 29
Using the Management Client - 37
Setting up the System - 57
Configuring System Communications - 61
Managing Elements - 73
CHAPTER 1
USING STONEGATE DOCUMENTATION
Welcome to the StoneGate product family by Stonesoft Corporation. This chapter describes how to use this guide and related documentation. It also provides directions for obtaining technical support and giving feedback on the documentation.
The following sections are included:
Using This Documentation (page 24)
Additional Documentation (page 25)
Contact Information (page 27)
Using This Documentation
This documentation is intended for StoneGate administrators. It includes step-by-step instructions for the configuration, operation, and maintenance of the StoneGate Management Center (SMC) and all of the various security engine components that the SMC controls. Initial system installation is not covered here. For other documentation, see Additional Documentation (page 25).
We use the following ways to indicate important or additional information:
Tip: Tips provide additional helpful information, such as alternative ways to complete steps.
Example: Examples present a concrete scenario that clarifies the points made in the adjacent text.
Prerequisites: Prerequisites point out tasks you must perform before the procedure you are reading. Obvious prerequisites (such as installing a firewall to be able to configure a firewall feature) are not included.
Typographical Conventions
The following conventions are used throughout the documentation:
Table 1.1 Typographical Conventions