StoneGate Administrator's Guide 4.3

Date posted: 09-Apr-2015
StoneGate Administrator's Guide
SMC 4.3, Firewall/VPN 4.3, and IPS 4.3

Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/index.html

Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/index.html

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/index.html

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1259028, 1271283, 1289183, 1289202, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540 and 7,302,480 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.
SSL VPN Powered by PortWise

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. Copyright 2008 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGAG_20080609

Table of Contents

GETTING STARTED

CHAPTER 1 Using StoneGate Documentation 25
  Objectives and Audience 26
  Typographical Conventions 26
  Documentation Available 27
  Product Documentation 27
  Support Documentation 28
  System Requirements 28
  Contact Information 29
  Licensing Issues 29
  Technical Support 29
  Your Comments 29
  Security Related Questions and Comments 29
  Other Queries 29

CHAPTER 2 Introduction to StoneGate 31
  Using the Management Client 32
  Introduction to the System Status View 33
  Introduction to the Configuration View 34
  Introduction to Overviews 35
  Rearranging the Layout of the Management Client 36
  Bookmarking Views 37
  Creating New Bookmarks 37
  Creating New Bookmark Folders 38
  Managing Bookmarks 39
  Changing the Startup View 39
  Getting Started with the Firewall 40
  Firewall System Components 40
  Setting up the Firewall after Installation 40
  Customizing the Firewall 41
  Getting Started with VPNs 42
  Getting Started with the IPS 42
  IPS System Components 42
  Setting up the IPS after Installation 43
  Customizing the IPS System 43

CHAPTER 3 What's New? 45
  New Common Features in SMC 4.3 46
  Administrator Account Improvements 46
  Automatic License Upgrade 46
  Automatic Memory Allocation 46
  Antispoofing Configuration Improvement 46
  Bookmark Improvements 46
  Diagram Improvements 47
  Hardware Monitoring for StoneGate Appliances 47
  Log Browsing Improvements 47
  Policy Handling Improvements 47
  Policy Validation 47
  Printing Changes 48
  Search for Unused Elements 48
  Statistics Improvements 48
  StoneGate SSL VPN Logs and Monitoring Integration 48
  System Report 48
  Tools Icon Menu 48
  New Features in Firewall/VPN 4.3 49
  Deep Inspection - Support for Additional Protocols 49
  DHCP Server 49
  Virus Scanning 49
  New Features in SOHO Firewalls 49
  Direct Internet Access Blocking for Corporate 49
  New Features in IPS 4.3 49
  IPv6 Inspection Support 49
  Tunneled Traffic Inspection 49

ENGINE ELEMENTS

CHAPTER 4 Creating and Modifying Engine Elements 53
  Getting Started with Engine Elements 54
  Configuration Overview 54
  Creating New Engine Elements 55
  Creating a New Single Firewall Element 56
  Creating a New Firewall Cluster Element 56
  Creating One New SOHO Firewall Element 57
  Creating Multiple New SOHO Firewall Elements 59
  Creating a New Analyzer Element 62
  Creating a New Single Sensor Element 63
  Creating a New Sensor Cluster Element 64
  Creating a New Combined Sensor-Analyzer Element 65
  Creating a New SSL VPN Gateway Element 66
  Duplicating an Existing Engine Element 67
  Modifying Existing Engine Elements 68
  Modifying the Properties of One Engine Element 68
  Modifying the Common Properties of Several Engine Elements 69
  Converting a Single Firewall or Sensor to a Cluster 69
  Adding a Node to a Firewall or Sensor Cluster 71
  Editing Single Firewall Properties 72
  Editing Firewall Cluster Properties 73
  Editing SOHO Firewall Properties 74
  Editing Analyzer Properties 75
  Editing Single Sensor Properties 76
  Editing Sensor Cluster Properties 77
  Editing Combined Sensor-Analyzer Properties 78
  About Engine Time Synchronization 79

CHAPTER 5 Network Interface Configuration 81
  Getting Started with Interface Configuration 82
  Configuration Overview 82
  Firewall Interface Configuration 83
  Defining Physical Interfaces for Firewall Engines 83
  Adding VLAN Interfaces for Firewall Engines 85
  Configuring Single Firewalls' IP Addresses 87
  Configuring VRRP Settings for Single Firewalls 89
  Configuring PPPoE Settings for Single Firewalls 90
  Configuring Firewall Clusters' IP Addresses 91
  Setting Firewall Interface Options 92
  About Using a Dynamic IP Address on a Firewall Interface 94
  SOHO Firewall Interface Configuration 95
  Selecting SOHO Firewall Interface Types 96
  Defining External Interfaces for SOHO Firewalls 97
  Defining Ethernet External Interface Properties on SOHO Firewalls 98
  Defining ADSL or PPPoE Interface Properties on SOHO Firewalls 99
  Defining Advanced ADSL Settings for SOHO Firewalls 100
  Defining Corporate Interfaces for SOHO Firewalls 101
  Defining Guest Interfaces for SOHO Firewalls 103
  Defining Wireless Settings for SOHO Firewalls 104
  Defining Wireless Security Settings for SOHO Firewalls 105
  Defining Wireless Channel Settings for SOHO Firewalls 106
  Completing the SOHO Firewall Configuration 107
  Completing the Create Multiple SOHO Firewalls Wizard 108
  Sensor and Analyzer Interface Configuration 109
  Defining System Communication Interfaces for IPS Engines 109
  Defining Traffic Inspection Interfaces for Sensors 110
  Defining Logical Interfaces for Sensors 111
  Defining Reset Interfaces for Sensors 112
  Defining Capture Interfaces for Sensors 113
  Defining Inline Interfaces for Sensors 114
  Adding VLAN Interfaces for Sensors 116
  Setting Interface Options for IPS Engines 117
  Configuring Manual ARP Settings 118
  Adding Manual ARP Entries 118
  Suppressing Manual ARP Entries 119
  Activating the Internal DHCP Server on a Single Firewall 120

CHAPTER 6 Connecting Engines to the SMC 123
  Getting Started With Connecting Engines to the SMC 124
  Configuration Overview 124
  Saving an Initial Configuration for Firewall or IPS Engines 125
  Creating One-Time Passwords 125
  Saving Initial Configuration Details 127
  Saving an Initial Configuration for SOHO Firewall Engines 128
  Connecting SSL VPN Gateways to the SMC 129

CHAPTER 7 Configuring the Engine Tester 131
  Getting Started with the Engine Tester 132
  Configuration Overview 132
  Specifying Global Engine Tester Settings 133
  Adding Engine Tests 134
  Configuring Additional Test-Specific Settings 136
  Additional Settings for the External Test 137
  Additional Settings for the File System Space Test 137
  Additional Settings for the Free Swap Space Test 137
  Additional Settings for the Multiping Test 138
  Removing Engine Tests 139
  Deactivating/Reactivating Engine Tests 139
  Deactivating/Reactivating Individual Engine Tests 139
  Deactivating/Reactivating All Configurable Engine Tests 140

CHAPTER 8 Engine Permissions 141
  Getting Started with Engine Permissions 142
  Configuration Overview 142
  Defining Engine-Specific Administrator Permissions 142
  Adding an Engine on an Access Control List 143
  Modifying an Administrator's Permissions for an Engine 143
  Selecting Permitted Policies for an Engine 144

CHAPTER 9 Alias Translations for Engines 145
  Getting Started with Alias Translations 146
  Defining Alias Translation Values 146
  Adding Alias Translation Values 147
  Removing Alias Translation Values 147

CHAPTER 10 Advanced Engine Settings 149
  Getting Started with Advanced Engine Settings 150
  Adjusting Firewall System Parameters 151
  Adjusting Firewall Traffic Handling Parameters 152
  Adjusting Firewall Clustering Options 153
  Adjusting General Clustering Options 154
  Tuning the Firewall Load Balancing Filter 155
  Manually Tuning the Load Balancing Filter 156
  Adding Load Balancing Filter Entries 157
  Adjusting Firewall Contact Policy 158
  Configuring Anti-Virus Settings 159
  Adjusting Sensor-Analyzer Advanced Settings 159
  Adjusting Analyzer Advanced Settings 159
  Adjusting Sensor Advanced Settings 160
  Configuring the Inspection of Tunneled Traffic 161
  Defining Clustering Settings for Sensors 162
  Adjusting SOHO Firewall Reopen Delay 163

CHAPTER 11 Setting up SNMP for Engines 165
  Getting Started with SNMP Configuration 166
  Configuring SNMP Version 1 or 2c 166
  Configuring SNMP Version 3 167
  Configuring What Triggers SNMP Traps 167
  Activating the SNMP Agent on Engines 168

SUPPLEMENTARY ELEMENTS

CHAPTER 12 Managing Elements 171
  Using Categories 172
  Configuration Overview 172
  Creating New Categories 172
  Selecting Categories for Elements 173
  Activating Categories 174
  Creating Combined Category Filters 175
  Modifying Categories 176
  Working With Elements' IP Addresses 177
  Locations and Contact Addresses 177
  Example of a Situation Where a Contact Address is Needed 178
  Defining Locations 179
  Defining Contact IP Addresses 179
  Engine Contact Addresses 180
  Server Contact Addresses 182
  Selecting the Management Client Location 184
  Defining Secondary IP Addresses 184
  Using DNS Names to Resolve Primary IP Addresses 185
  Importing and Exporting Elements 185
  Exporting Elements 185
  Importing Elements 186
  Locking and Unlocking Elements 187
  Searching for Elements 187
  Using Basic Element Search 187
  Searching for Unused Elements 189
  Searching for Element References 189
  Searching for Users 190
  Printing and Copying Element Information 192
  Deleting Elements 192

CHAPTER 13 Network Elements 195
  Getting Started with Network Elements 196
  Modifying a Management Server Element 196
  Defining and Viewing Network Elements 198
  Defining Hosts 199
  Defining Routers 200
  Defining Networks 201
  Defining Server Elements 202
  Defining an Authentication Server 202
  Defining an LDAP or Active Directory Server 202
  Defining a Content Inspection Server 203
  Defining a DHCP Server 203
  Defining an External DNS Server 204
  Defining a Log Server 205
  Defining a Log Server Element 205
  Selecting Secondary Log Servers 207
  Certifying the Log Server 208
  Configuring an Alert Server 208
  Defining a Monitoring Server 208
  Changing the Management Server Database Password 209
  Defining Traffic Handlers 209
  Defining NetLinks 209
  Defining Outbound Multi-Link Elements 210
  Defining Server Pools 210
  Defining Groups 211
  Defining Expressions 212
  Example Expressions 214
  Defining Address Ranges 214
  Defining Aliases 215

CHAPTER 14 Services 217
  Getting Started with Services 218
  Configuration Overview 218
  Defining New Services 219
  Defining a New IP-Based Service 219
  Defining a New Ethernet Service 221
  Modifying Existing Services 222
  Grouping IP-Based Services 223
  Grouping Ethernet Services 223
  Using Protocol Elements 224
  Using Protocol Agents on Sensors 225
  FTP Protocol Agent 226
  GRE Agent 227
  H.323 Agent 227
  HTTP Agents 228
  ICMP Agent 228
  IPv4 Agent 228
  IPv4 Encapsulation Agent 229
  IPv6 Agent 229
  IPv6 Encapsulation Agent 229
  MSRPC Agent 230
  NetBIOS Agent 230
  Oracle Agent 231
  Services in Firewall Agent 232
  Shell (RSH) Agent 232
  SIP Agent 232
  SMTP Agent 233
  SSH Agent 234
  SunRPC Agent 234
  TCP Proxy Agent 235
  TFTP Agent 236

CHAPTER 15 Filters 239
  Getting Started with Filters 240
  Configuration Overview 240
  Defining Filters 241
  Defining Filters in the Filter Properties Window 242
  Filter Tutorials 243
  Filter Tutorial 1: Creating an Example Filter 243
  Filter Tutorial 1: Setting the Source Address 244
  Filter Tutorial 1: Setting the Destination Port Range 245
  Filter Tutorial 1: Setting the Protocol 246
  Filter Tutorial 2: Modifying an Example Filter 247
  Filter Tutorial 2: Changing the Filter Operation 247
  Filter Tutorial 2: Setting the Destination Address 248
  Filter Tutorial 2: Setting the Destination Ports and Protocol 250
  Filter Tutorial 3: Creating an Example Filter for Alerts 250
  Filter Tutorial 3: Adding a Sender 251
  Filter Tutorial 3: Setting the Severity Value 252
  Creating Temporary Filters 253
  Editing Temporary Filters 253
  Saving Temporary Filters 254
  Managing Filters 254
  Copying Filters 255
  Modifying Filters 255
  Exporting Filters 256
  Creating Filter Type Tags 256
  Adding Filter Type Tags to Filters 257
  Removing Filter Type Tags from Filters 257
  Deleting Filters 257

CHAPTER 16 Situations, Tags and Vulnerabilities 259
  Getting Started With Situations 260
  Configuration Overview 260
  Creating New Situation Elements 261
  Defining Context Options for Situations 263
  Website Access Control Options 264
  Port/Host Scan Detection Options 264
  Defining Context Options for Correlation Situations 266
  Configuring Compress Contexts 267
  Configuring Count Contexts 268
  Configuring Group Contexts 269
  Configuring Match Contexts 270
  Configuring Sequence Contexts 270
  Defining Tags for Situations 271
  Creating a New Tag or Situation Type 271
  Adding Tags to One Situation at a Time 272
  Adding Tags to Several Situations at Once 272
  Removing Tags from Situations 273
  Working With Vulnerabilities 274
  Creating New Vulnerability Elements 274
  Associating Vulnerabilities to Situations 275
  Removing Vulnerabilities from Situations 275

CHAPTER 17 MAC Address Elements 277
  Defining a MAC Address Element 278

ROUTING

CHAPTER 18 Configuring Routing 281
  Getting Started with Routing 282
  Configuration Overview 282
  Adding Routes for Firewalls 283
  Defining a Single-Link Route for a Firewall 284
  Defining a Multi-Link Route for a Firewall 285
  Creating NetLinks 286
  Adding a Multi-Link Route 287
  Defining Policy Routing 288
  Configuring Static IP Multicast Routing 290
  Routing DHCP Messages 292
  Enabling DHCP Relay 292
  Activating the DHCP Relay Sub-policy 293
  Adding Routes for StoneGate IPS Components 294
  Removing Routes 295
  Modifying Antispoofing 296
  Deactivating Antispoofing for an IP Address/Interface Pair 296
  Activating Antispoofing for Routable IP Addresses 298
  Checking Routing 299

CHAPTER 19 Outbound Traffic Management 301
  Getting Started with Outbound Traffic Management 302
  Configuration Overview 302
  Configuring Outbound Multi-Link Settings 303
  Creating Outbound Multi-Link Elements 303
  Selecting NetLinks for an Outbound Multi-Link 305
  Defining Destination Cache Settings 306
  Creating Outbound Load Balancing NAT Rules 307
  Monitoring And Testing Outbound Traffic Management 308

CHAPTER 20 Inbound Traffic Management 309
  Getting Started with Inbound Traffic Management 310
  Configuration Overview 310
  Defining a Server Pool 311
  Creating a New Server Pool Element 311
  Defining Server Pool's External Address(es) 312
  Adding Server Pool Members 313
  Installing Monitoring Agents 314
  Uninstalling Monitoring Agents 315
  Configuring Monitoring Agents 316
  Editing sgagent.local.conf 316
  Editing sgagent.conf 318
  Editing the sgagent.conf Statement Section 319
  Options in the sgagent.conf Statement Section 320
  Editing the sgagent.conf Test Section 324
  Monitoring Agent Test Configuration Examples 327
  Editing Monitoring Agents' Internal Tests 328
  Enabling Monitoring Agents 332
  Entering the Server Pool's IP Addresses on Your DNS Server 333
  Creating an Inbound Load Balancing Rule 333
  Configuring Dynamic DNS Updates 334
  Configuration Overview 334
  Improving DDNS Security 335
  Adding Probe IP addresses to NetLinks 335
  Defining an External DNS Server 337
  Defining the Dynamic DNS Update Information 338
  Defining a Dynamic DNS Rule 339
  Monitoring and Testing Monitoring Agents 339

POLICIES

CHAPTER 21 Creating and Managing Policies 343
  Getting Started with Policies 344
  Configuration Overview 344
  Creating Policies, Templates, and Sub-Policies 345
  Creating a New Template Policy 345
  Creating a New Policy 346
  Creating a New Sub-Policy 347
  Copying a Policy, Sub-Policy or Template Policy 348
  Changing Default Template or IPS System Template Rules 349
  Deleting Policies, Templates, and Sub-Policies 349
  Using the Policy Editing View 350
  Copying Elements Within Policies 351
  Removing Elements From Rules 351
  Moving and Copying Rules 352
  Creating a Sub-Policy from Rules in a Policy 352
  Disabling and Enabling Rules 353
  Deleting Rules 353
  Setting Default Parameters for Rules 353
  Checking Rule Properties 354
  Adding Comment Rules 355
  Defining Policy Rights 355
  Setting Allowed Policies for Engine Elements 355
  Adding Administrator Rights for Policies 356
  Removing Administrator Rights from Policies 357
  Switching the Templates of Policies 357
  Importing and Exporting Policies 358
  Installing and Updating Policies 358
  Installing Policies 359
  Refreshing the Current Policies 361
  Validating Policies 362
  Viewing Policy Validation Issues for Rules 364
  Excluding Validation Issues for Rules 365
  Excluding Rules from Policy Validation 366
  Selecting Validation Issues for Rules 366
  Comparing Policies with Earlier Policy Versions 368
  Finding Rules Based on Values 368

CHAPTER 22 Editing Ethernet Rules 371
  Getting Started with Editing Ethernet Rules 372
  Configuration Overview 372
  Adding a New Ethernet Rule 372
  Defining the Logical Interface for Ethernet Rules 373
  Defining the Source and Destination for Ethernet Rules 374
  Defining the Service for Ethernet Rules 374
  Defining the Action for Ethernet Rules 375
  Defining Logging Options for Ethernet Rules 375
  Saving the Policy after Editing 376

CHAPTER 23 Editing Access Rules 377
  Getting Started with Editing Access Rules 378
  Configuration Overview 378
  Adding a New Access Rule 379
  Defining the Logical Interface for IPS Access Rules 380
  Defining the Source and Destination for Access Rules 381
  Defining the Service for Access Rules 381
  Defining the Action for Access Rules 382
  Specifying the Source VPN 383
  Defining User Authentication Parameters in Access Rules 384
  Defining the QoS Class of Traffic 386
  Defining Rule Options for Access Rules 387
  Defining Logging Options for Access Rules 387
  Setting Connection Tracking Options 388
  Setting Deep Inspection Options for IPS Access Rules 390
  Limiting Allowed Blacklisters 391
  Limiting the Time when an Access Rule is Active 392
  Saving and Installing the Policy after Editing 393
  About Editing Sub-Policies 393

CHAPTER 24 Editing IPv6 Access Rules 395
  Getting Started with Editing IPv6 Access Rules 396
  Configuration Overview 396
  Adding a New IPv6 Access Rule 397
  Defining the Logical Interface for IPv6 Access Rules 398
  Defining the Source and Destination for IPv6 Access Rules 398
  Defining the Service for IPv6 Access Rules 399
  Defining the Action for IPv6 Access Rules 399
  Defining Rule Options for IPv6 Access Rules 400
  Defining Logging Options for IPv6 Access Rules 400
  Setting Deep Inspection Options for IPv6 Access Rules 401
  Limiting the Time when an IPv6 Access Rule is Active 402
  Saving and Installing the Policy 403

CHAPTER 25 Editing Inspection Rules 405
  Getting Started with Editing Inspection Rules 406
  Configuration Overview 406
  Adding a New Inspection Rule 407
  Defining the Situation for Inspection Rules 408
  Defining the Severity for Inspection Rules 409
  Defining the Logical Interface for IPS Inspection Rules 409
  Defining the Source and Destination for Inspection Rules 410
  Defining the Protocol for Inspection Rules 410
  Defining the Action for Inspection Rules 411
  Modifying Rule Options for Inspection Rules 412
  Defining Logging Options for Inspection Rules 412
  Defining Terminate Action Options for Inspection Rules 413
  Defining Reset Options for Inspection Rules 414
  Blacklisting Traffic with Inspection Rules 415
  Limiting the Time when an Inspection Rule is Active 415
  Saving the Policy after Editing 416

CHAPTER 26 Editing NAT Rules 417
  Getting Started with NAT Rules 418
  Configuration Overview 419
  Defining Network Elements for NAT 419
  Adding a New NAT Rule 420
  Defining Static Source NAT 421
  Defining Static Destination NAT 423
  Defining Dynamic Source NAT 425
  Preventing NAT Rules from Matching Some Traffic 427
  Monitoring and Testing NAT 428

CHAPTER 27 Quality of Service (QoS) 429
  Getting Started with QoS 430
  Configuration Overview 431
  Creating QoS Classes 432
  Defining QoS Policies 433
  Creating New QoS Policies 433
  Editing QoS Rules 434
  Matching QoS Rules to Network Traffic 435
  Defining Interfaces' Speed and QoS Policy 436

CHAPTER 28 User Authentication 439
  Getting Started with User Authentication 440
  Configuration Overview 441
  Integrating External LDAP Databases 442
  Configuring Schema Files 442
  Defining an Active Directory Server Element 443
  Configuring the Active Directory Server's LDAP Settings 443
  Configuring Active Directory Server's Authentication Settings 444
  Defining a Generic LDAP Server Element 445
  Configuring the LDAP Server's User Services 446
  Adding Object Classes for the LDAP Server 447
  Defining Domains 447
  Integrating External Authentication Services 449
  Defining an Authentication Server 449
  Defining an Authentication Service 451
  Defining User Groups and Users 452
  Defining User Groups 453
  Defining Users 454
  Defining Authentication Rules 457
  Managing User Information 459
  Importing and Exporting User Information 459
  Importing Users from an LDIF File 459
  Exporting Users to an LDIF File 460
  Changing Users' Passwords 461
  Clearing Users' Authentication Settings 461
  Forcing User Database Replication to Firewalls 462
  Setting User Database Replication to Firewalls On or Off 462
  Authenticating to a StoneGate Gateway 463
  Customizing the User Authentication Dialog 464
  Monitoring and Testing User Authentication 465

CHAPTER 29 External Content Inspection 467
  Getting Started with External Content Inspection 468
  Configuration Overview 468
  Defining a Content Inspection Server Element 469
  Defining a Service for CIS Redirection 471
  Defining CIS Redirection in the Policy 472
  Defining NAT Rules for CIS Redirection 473

CHAPTER 30 Blacklisting Traffic 475
  Getting Started with Blacklisting 476
  Configuration Overview 477
  Enabling Blacklist Enforcement 478
  Configuring Automatic Blacklisting 479
  Defining Destination Interfaces for Automatic Blacklisting 479
  Defining Which Traffic is Blacklisted Automatically 480
  Blacklisting Traffic Manually 483
  Viewing Blacklists 484

MONITORING

CHAPTER 31 System Monitoring 489
  Getting Started with System Monitoring 490
  System Summary 490
  Viewing System Statistics 492
  Overviews 492
  Working With Overviews 493
  Creating a New Overview 493
  Adding a New System Summary Section to an Overview 494
  Adding a New Bookmark Folder Section to an Overview 494
  Adding a New Statistics Section to an Overview 495
  Checking System Operating Status 496
  Checking for Problems 497
  Viewing the System's Status Graphically 497
  Reading Statuses 499
  Monitoring Open Connections 501
  Monitoring Blacklisted Traffic 502
  Switching an Element's Monitoring Off and On 502
  Switching Status Surveillance On and Off 502
  Monitoring Task Progress 503
  Monitoring Configurations and Policies 503
  Checking the Currently Installed Policy 503
  Previewing the Currently Installed Policy 504
  Checking and Comparing Policy Versions 504
  Viewing Policy Snapshots 504
  Comparing Two Policy Snapshots 505
  Comparing Policy Snapshot with Latest Policy Version or with Engine's Current Policy 506
  Checking for Untransferred Configuration Changes 507
  Checking Maintenance Contract Information 508
  Enabling Automatic Maintenance Contract Checking 508
  Viewing Maintenance Contract Information 508
  Viewing Maintenance Contract Information for SOHO Firewalls 509
  Checking Maintenance Contract Information Manually 509
  Monitoring Administrator Actions 509

CHAPTER 32 Log and Alert Browsing 511
  Getting Started with Browsing Data 512
  Configuration Overview 512
  Introduction to the Logs View 513
  Log and Alert Browsing Tutorial 515
  Viewing Log, Alert, and Audit Entries 516
  Viewing Current Logs 516
  Viewing Stored Logs 517
  Checking Details of Entries 517
  Log Event Summary 518
  Opening Element Properties From Log Fields 519
  Viewing Policies From the Log 519
  Filtering Log Data 519
  Specifying Senders 520
  Specifying Storage 521
  Specifying a Time Range 521
  Navigating in the Timeline 522
  Creating a Temporary Filter from Logs in the Log Table 522
  Creating a Temporary Filter from Data in the Fields Panel 523
  Modifying Temporary Filters 524
  Organizing the Logs View 525
  Increasing or Decreasing Text Size 526
  Selecting the Time Zone for Browsing 526
  Selecting Columns to View 526
  Arranging Columns 527
  Sorting by Column Heading 527
  Resolving Log Entry Data to Names or Elements 528
  Changing the Log Entry Colors 528
  Retrieving Traffic Recordings From Log Entries 528
  Printing Extracts of Log Data 529
  Exporting Extracts of Log Data 530
  Checking Alert Event Traces 531
  Attaching Logs to Incident Cases 531

CHAPTER 33 Reports 533
  Getting Started with Reports 534
  Configuration Overview 535
  Generating and Viewing Reports 535
  Generating a Report 536
  Scheduling the Report Task 537
  Selecting Data Sources 538
  Finishing Report Generation 539
  Troubleshooting Report Creation 539
  Cancelling Ongoing Report Tasks 539
  Viewing Reports 540
  Modifying How Generated Reports Are Displayed 541
  Modifying Generated Reports 542
  Changing the Properties of Generated Reports 542
  Changing the Properties of Report Sections 543
  Exporting and E-mailing Reports 545
  Exporting a Report as Tab-delimited Text Files 545
  Exporting a Report as a PDF File 546
  Creating Your Own PDF Report Template 546
  Selecting the Template for PDF Exporting 548
  Printing a Generated Report to PDF 548
  E-mailing Reports 549
  Creating New Report Designs 550
  Creating a New Report Design 550
  Adding Items to a Report Design 552
  Filtering the Data Included in Reports 553
  Editing Existing Report Designs 554
  Adding Items to Report Designs 554
  Moving Report Design Items 556
  Deleting Report Designs, Sections, and Items 556
  Modifying the Properties of a Report Design 557
  Adjusting the Detail Level 557
  Changing Report Sections' Appearance 558
  Working with the System Report 560

CHAPTER 34 Diagrams 561
  Getting Started with Diagrams 562
  Configuration Overview 562
  Creating Diagrams 563
  Creating Diagrams from Configured Elements 563
  Generating Diagrams Automatically 564
  Creating Diagrams Manually 565
  Creating Diagrams from New Elements 565
  Creating Links Between Elements in Diagrams 566
  Automatically Creating Links between Elements 566
  Manually Creating Links between Elements 566
  Creating Relationships Between Diagrams 567
  Specifying a Parent Diagram 567
  Creating Links from One Diagram to Another 568
  Arranging Diagram Layout 568
  Automatically Arranging a Selection of Elements 569
  Moving Elements in Diagrams 569
  Creating Turning Points between Elements 569
  Using Background Images in Diagrams 569
  Changing the Background Color in Diagrams 570
  Editing Diagrams 570
  Opening Existing Diagrams 571
  Removing Elements from Diagrams 571
  Adding Comments to Diagrams 572
  Changing the Detail Level in Diagrams 572
  Zooming Diagrams 573
  Using the Diagram Navigation Tool 574
  Adjusting the Element Details in Diagrams 574
  Collapsing Clusters or Groups of Elements in Diagrams 575
  Expanding Clusters or Collapsed Elements in Diagrams 575
  Printing Diagrams 575
  Exporting Diagrams 576

CHAPTER 35 Incident Cases 577
  Getting Started with Incident Cases 578
  Configuration Overview 578
  Creating a New Incident Case 579
  Attaching Data to Incident Cases 580
  Attaching Logs and Audit Entries to Incident Cases 580
  Attaching Policy Snapshots to Incident Cases 582
  Attaching Memos to Incident Cases 583
  Attaching Files to Incident Cases 583
  Adding Players to Incident Cases 584
  Adding Journal Entries to Incident Cases 584
  Working With Existing Incident Cases 585
  Opening an Incident Case for Editing 585
  Changing the Priority of an Incident Case 585
  Changing the State of an Incident Case 586
  Checking Incident History 587

VIRTUAL PRIVATE NETWORKS

CHAPTER 36 Basic VPN Configurations 591
  Getting Started With Basic VPN Configuration 592
  Configuration 1: Basic VPN Between StoneGate Gateways 593
  Creating Gateway Elements for Configuration 1 593
  Creating a VPN Element for Configuration 1 595
  Creating Rules for VPN Configuration 1 597
  Configuration 2: Basic VPN With a Partner Gateway 598
  Creating an Internal Gateway Element for Configuration 2 599
  Creating an External Gateway Element for Configuration 2 601
  Defining Site Properties for External Gateway in Configuration 2 603
  Creating a VPN Profile for Configuration 2 604
  Creating a VPN Element for Configuration 2 606
  Creating Rules for Configuration 2 608
  Configuration 3: Basic VPN for Remote Clients 609
  Managing VPN Client Addresses in Configuration 3 610
  Creating Gateway Elements for Configuration 3 611
  Adding VPN Client Settings for Configuration 3 613
  Creating a VPN Element for Configuration 3 614
  Creating Users for VPN Configuration 3 616
  Creating Rules for VPN Configuration 3 618
  Configuration 4: Basic VPN With SOHO Firewalls 619
  Creating an Internal Gateway Element for Configuration 4 620
  Creating a SOHO Gateway Group for Configuration 4 622
  Creating a VPN Element for Configuration 4 623
  Creating Rules for VPN Configuration 4 624

CHAPTER 37 Configuring IPsec VPNs 627
  Getting Started With IPsec VPNs 628
  Configuration Overview 629
  Configuring IPsec VPNs 631
  Defining a Certificate Authority for VPNs 632
  Defining Gateway Settings 635
  Defining a Custom Gateway Settings Element 635
  Adjusting General Gateway Settings 637
  Adjusting Negotiation Retry Settings 637
  Adjusting Certificate Cache Settings 639
  Adjusting Anti-Clogging Settings 639
  Adjusting Tunnel Recovery Settings 640
  Assigning the Gateway Settings for a Firewall/VPN Engine 641
  Defining Gateway Profiles 642
  Defining a Custom Gateway Profile 643
  Defining Gateway Profile Properties 643
  Defining Security Gateways 645
  Defining a DHCP Server Element for a VPN 646
  Defining Security Gateway Elements 647
  Defining End-Points for Internal Security Gateways 648
  Defining End-Points for External Security Gateways 651
  Defining Trusted CAs for a Gateway 653
  Defining Gateway-Specific VPN Client Settings 653
  Defining Sites for VPN Gateways 655
  Disabling/Re-Enabling Automatic VPN Site Management 656
  Adjusting Automatic VPN Site Management 656
  Adding a New VPN Site 657
  Defining Protected Networks for VPN Sites 658
  Defining Site-Specific SG VPN Client Settings 660
  Disabling a VPN Site Temporarily in All VPNs 662
  Removing a VPN Site Permanently from All VPNs 662
  Creating and Managing VPN Certificates 663
  Creating a VPN Certificate or Certificate Request for an Internal Gateway 664
  Signing External Certificate Requests 666
  Uploading VPN Certificates Manually to the Engines 668
  Renewing Internally-Signed VPN Gateway Certificates 668
  Exporting a VPN Gateway Certificate 669
  Importing a VPN Gateway Certificate 669
  Defining VPN Profiles 670
  Creating a New VPN Profile 670
  Modifying an Existing VPN Profile 671
  Defining IKE (Phase 1) Settings for a VPN 671
  Defining IPsec (Phase 2) Settings for a VPN 673
  Defining VPN Client Settings 677
  Defining Trusted CAs for a VPN 678
  Defining a VPN (Element) 679
  Creating a New VPN Element 680
  Modifying an Existing VPN Element 681
  Defining VPN Topology 681
  Defining VPN Tunnel Settings 683
  Creating VPN Rules 686
  Configuring Basic VPN Rules 686
  Adding NAT Rules for VPN Traffic 688
  Rule for Redirecting VPN Client Connections 689
  Rule for Virtual Adapter DHCP Communications 690
  Rule for Allowing Connections to VPN Clients 691
  Rules for a FIPS-compliant VPN 692
  Monitoring VPNs 693
  VPN Status Monitoring 693
  VPN Logs 693
  Checking VPN Certificate Expiration Dates 694
  Troubleshooting VPN Connections 694

CHAPTER 38 Reconfiguring Existing VPNs 695
  Adding or Removing Tunnels Within a VPN 696
  Configuring NAT Settings for an Existing VPN 696
  Activating NAT Traversal 697
  Translating Addresses of VPN Communications Between Gateways 699
  Translating Addresses in Traffic Inside a VPN Tunnel 699
  Translating Addresses in VPN Client Traffic 699
  Adding New Gateways to an Existing VPN 699
  Changing Gateway IP Addressing in an Existing VPN 700
  Giving VPN Access to Additional Hosts 701
  Renewing or Generating Pre-Shared Keys 701
  Generating a New Pre-Shared Key Automatically 701
  Configuring Pre-Shared Keys Manually 702
  Renewing VPN Certificates 702
  Routing Clients' Internet Traffic Through VPNs 703
  Configuring a VPN for Redirecting Internet Traffic 704
  Configuring Access Rules for Redirected VPN Traffic 705
  Configuring NAT Rules for Redirected VPN Traffic 706
  Forwarding All Corporate Traffic to the VPN 707
  Changing the VPN Clients' Default Gateway 707

CHAPTER 39 VPN Client Settings 709
  Getting Started With VPN Client Settings 710
  VPN Client Settings in the Management Client 711
  Creating a Client-to-Gateway VPN 713
  Managing VPN Client IP Addresses 714
  Configuring NAT Pool for VPN Clients 715
  Configuring Virtual IP Addressing for VPN Clients 716
  Configuring a Security Gateway for Virtual IP Address Clients 717
  Activating DHCP Relay Sub-policy 718
  Contacting VPN Client Computers 719
  Routing VPN Client Traffic to a Gateway-to-Gateway VPN 720
  Defining Access Rules for VPN Client Hub 721
  Exporting VPN Client Configuration to a File 722

C ONTROLLING E NGINESCHAPTER 40 Operating States and Configurations 725Commanding Engines 726 Turning Engines Online 727 Turning Engines Offline 728 Setting Nodes to Standby 728 Rebooting Nodes 729 Enabling and Disabling SSH Access to the Engine 729

15

Changing the Engine Password 730 Changing an Engines Control IP Address 730 Changing Engine Changing Firewall the Control IP Address of a Local

M ANAGEMENT C ENTER C ONFIGU RATIONCHAPTER 44 Administrator Accounts 755Getting Started with Administrator Accounts 756 Configuration Overview 756 Customizing Administrator Permissions 757 Defining Customized Administrator Roles 757 Defining Customized Access Control Lists 760 Defining Administrator Password Policy 761 Enabling Enforcement of Password Settings 761 Defining Administrator Password Strength Requirements 762 Defining Administrator Password Expiration 763 Defining Failed Login Policy for Administrators 764 Configuring the Timeout for Idle Administrator Sessions 765 Configuring Inactive Administrator Account Expiration 766 Defining Administrator Accounts 767 Creating a New Monitoring User Account 768 Defining Monitoring User Permissions 769 Creating a New Administrator Account 770 Defining Administrator Permissions 772 Defining Rights for Restricted Administrator Accounts 773 Restricting the Logs an Administrator Can View 775 Customizing Log Colors 776 Customizing the Default Set of Log Colors 776 Defining Administrator-Specific Log Color Filters 777 Managing Administrator Accounts 779 Modifying Administrator Accounts 779 Deleting Administrator Accounts 780 Changing Administrator Passwords 780 Authenticating Administrators Using RADIUS 781 Managing Permissions in Engine and Policy Properties 782

731the Control IP Address of a Remote

732

Checking Currently Installed Policies 733 Refreshing Currently Installed Policies 733 Adding and Removing Cluster Nodes 734 Converting a Single Firewall or Sensor to a Cluster 734 Adding Nodes to a Cluster 734 Disabling Nodes of a Cluster Temporarily 734 Re-Enabling Disabled Cluster Nodes 735 Removing Nodes From a Cluster Permanently 735 Editing Engine Configurations 736

CHAPTER 41 Setting Engine Options 737Getting Started with Engine Options 738 Sending Commands to Engines 738 Enabling Firewall/VPN Diagnostics 739 Disabling Firewall/VPN Diagnostics 740 Disabling Firewall/Sensor Monitoring 741

CHAPTER 42 Controlling Firewall Traffic 743Getting Started with Traffic Commands 744 Terminating Connections Manually 744 Blacklisting Connections Manually 745

CHAPTER 43 Working on the Engine Command Line 747Getting Started with Working on the Engine Command Line 748 Accessing the Engine Command Line 748 Reconfiguring Basic Engine Settings 749 Creating Engine Scripts 750 Restoring a Previous Configuration Manually 751

16

Using Access Control Lists in Engine or Policy Properties 782 Modifying Administrator Permissions in Engine or Policy Properties 783 Monitoring Administrator Accounts 784

CHAPTER 45 Alert Escalation 785Getting Started with Alert Escalation 786 Configuration Overview 786 Creating Alerts 787 Defining Custom Alerts 787 Defining What Triggers an Alert 788 Defining Alert Chains 789 Defining Alert Channels 789 Creating New Alert Chains 790 Modifying Existing Alert Chains 791 Editing Alert Chains 791 Defining the Final Action of an Alert Chain 794 Defining Alert Policies 794 Creating New Alert Policies 795 Modifying Existing Alert Policies 795 Editing Alert Policy Rules 796 Installing Alert Policies 797 Acknowledging Alerts 798 Acknowledging Individual Alerts 798 Acknowledging All Active Alerts 799 Using Custom Scripts for Alert Escalation 799 Setting up a Dedicated Alert Server 801 Testing Alerts 802

Installing a License for a Secondary Management Server 807 Creating Access Rules for a Secondary Management Server 808 Installing Secondary Management Server Software 808 Installing Secondary Management Server as a Fresh Installation 808 Converting an Existing Management Server to Secondary 810 Configuring Log Servers for Backup Management Servers 811 Installing a Secondary Log Server 812 Configuration Overview 812 Creating a Log Server Element 813 Installing a License for a Secondary Log Server 814 Setting a Log Server as a Secondary Log Server 814 Creating Access Rules for a Secondary Log Server 815 Installing Log Server Software 815 Changing the Active Management Server 816 Activating a Secondary Management Server 816 Setting an Active Management Server to Standby 817 Disabling and Enabling Automatic Replication 818 Synchronizing Management Databases Manually 818

CHAPTER 47 Reconfiguring the Management Center 821Changing the Management Platform 822 Changing IP Addressing 822 Changing the Management Servers IP Address 823 Changing the Log Servers IP Address 823 Changing IP Addresses if the Management Server and the Log Server Run on the Same Machine 824 If Configuration Changes Prevent Management Connections to Engines 825

CHAPTER 46 Secondary SMC Server Configuration 803About Secondary SMC Servers 804 Installing a Secondary Management Server 805 Configuration Overview 805 Defining a Secondary Management Server Element 806

17

CHAPTER 48 Setting up Monitoring Client Access 827Getting Started with Monitoring Client Access 828 Configuration Overview 828 Defining a Monitoring Server Element 829 Restricting Which Data is Displayed 829 Allowing Monitoring Client Connections 830 Configuring Web Start for Monitoring Client Users 831 Setting up the Monitoring Clients 831

Configuration Overview 850 Defining When Logs Are Generated 851 Pruning Log Data 852 Pruning Selected Data Immediately 852 Pruning Selected Data Before Storing 854 Disabling Pruning Filters 855 Exporting Log Data 857 Creating an Export Log Task 857 Selecting Data for Log Export 858 Selecting Operation Settings for Log Export 859 Archiving Log Data 860 Creating an Archive Log Task 860 Selecting Log Data for Archiving 861 Selecting Operation Settings for Archiving Log Data 862 Deleting Log Data 863 Creating a Delete Log Task 863 Selecting Data for Deleting Logs 864 Selecting Operation Settings for Deleting Logs 865 Exporting Traffic Recordings 866 Creating an Export Log Task for Traffic Recordings 866 Selecting the Data for Exporting Traffic Recordings 867 Selecting Operation Settings for Exporting Traffic Recordings 868 Viewing a History of Executed Log Tasks 869 Defining Alternative Log Archive Directories 869 Exporting Log Data to Syslog 870 Defining General Syslog Settings 870 Exporting Log Filters 872 Configuring Syslog Filter Settings 873 Creating a Rule Allowing Traffic to the Syslog Server 874

CHAPTER 49 Distributing StoneGate Clients Through Web Start 833Getting Started With Web Start Distribution 834 Configuration Overview 834 Distributing Clients from the SMC Servers 835 Distributing Clients from a Separate Server 836 Accessing the Web Start Clients 837

M AINTENANCECHAPTER 50 Backups 841Getting Started with Backups 842 Configuration Overview 842 Creating Backups 843 Storing Backup Files 844 Restoring Backups 845 Restoring a Management Server Backup 845 Configuring a New Management Server IP Address on the Management Server 846 Restoring a Log Server Backup 847 Configuring a New Management Server IP Address on the Log Server 848 Deleting Backups 848

CHAPTER 51 Log Management 849Getting Started with Log Data Management 850

CHAPTER 52 Scheduled Tasks 875Getting Started with Task Elements 876

18

Configuration Overview 876 Task Definition Types 877 Creating Task Definitions 879 Creating Backup Tasks 879 Creating Policy Refresh Tasks 880 Creating Policy Upload Tasks 881 Creating Remote Upgrade Tasks 881 Creating SGInfo Tasks 882 Scheduling Tasks 883 Starting Tasks 884 Managing Running Tasks 884 Checking the Status of Running Tasks 884 Aborting Running Tasks 885 Managing Scheduled Tasks 885 Rescheduling Tasks 886 Suspending Scheduled Tasks 886 Restarting a Suspended Scheduled Task 887 Removing Tasks from the Schedule 887 Managing Task Definitions 887 Editing Task Definitions 888 Deleting Task Definitions 888 Checking Executed Tasks 889

Upgrading Engines Remotely 904 Importing Engine Upgrade File 905 Upgrading StoneGate Firewall and IPS Remotely 905 Checking Management Center and Engine Version 908

CHAPTER 54 Manual Dynamic Updates 909Getting Started with Manual Dynamic Updates 910 Configuration Overview 910 Importing an Update Package 911 Activating an Update Package 911

CHAPTER 55 Automatic Updates and Engine Upgrades 913Getting Started with Automatic Updates and Engine Upgrades 914 Configuring Automatic Updates and Engine Upgrades 915

T ROUBLESHOOTINGCHAPTER 56 General Troubleshooting Tips 921If Your Problem Is Not Listed 922 Tools For Further Troubleshooting 922

U PDATES

AND

U PGRADES

CHAPTER 53 Upgrading StoneGate 893Getting Started with Upgrading StoneGate 894 Configuration Overview 894 Checking File Integrity 895 Upgrading or Generating Licenses 896 Generating a New License 897 Upgrading Licenses Under One Proof Code 898 Upgrading Licenses Under Multiple Proof Codes 899 Installing Licenses 900 Upgrading the Management Center 901

CHAPTER 57 Troubleshooting Accounts and Passwords 923Forgotten Passwords 924 User Account Changes Have no Effect 924 Creating an Emergency Administrator Account 925

CHAPTER 58 Troubleshooting Alerts, Errors, and Log Messages 927Alert Messages 928 Certificate Expired/Certificate Expiring Alerts 928 Status Surveillance: Inoperative Security Engines 928 Test Failed 929

19

Throughput Based License Exceeded 929 Error Messages When Commanding an Engine 930 Log Messages 930 Connection Timeout... 930 Incomplete Connection Closed 931 NAT Balance: Remote Host Does Not Respond 931 Not a Valid SYN packet 932 Requested NAT Cannot Be Done 933 Spoofed Packets 933 VPN-Related Log Messages 933

CHAPTER 63 Troubleshooting the Management Client 955Cannot View Online Help: Help File Not Found 956 Some Options Are Disabled 956 Slow Startup and Use 957 Problems Logging In with the Management Client 957 Problems with Layout and Views 958 Problems With Viewing Statistics 958 Problems with Status Monitoring 959 Problems Installing Web Start on an External Server 959

CHAPTER 59 Troubleshooting Certificates 935Understanding Certificate-Related Problems 936 Replacing Expired/Missing Certificates 937 Renewing SMC Server Certificates 937 Renewing Engine Certificates 938

CHAPTER 64 Troubleshooting NAT 961Troubleshooting NAT Errors 962 NAT Is Not Applied Correctly 962 NAT Is Applied When it Should Not Be 963

CHAPTER 60 Troubleshooting Engine Operation 941Node Does not Go or Stay Online 942 Error Commanding an Engine 942 Errors with Heartbeat and Synchronization 943 Problems Contacting the Management Server 943

CHAPTER 65 Troubleshooting Policies 965Troubleshooting Firewall Policy Installation 966 Problems in Communications Between the Engine and the Management Server 966 Warning Automatic Proxy ARP Option Is Ignored 967 Policy Installation Fails for Some Other Reason 967 Troubleshooting IPS Policy Installation 967 Troubleshooting Rules 968 Validating Rules 968 Rule That Allows ANY Service Does Not Allow All Traffic 968 Inspection Rules Produce False Positives 969 How to Enable Passthrough for PPTP Traffic 969 Traffic I Want to Allow Is Stopped by the Firewall 969 Packets Are Dropped as Spoofed 971 Unsupported Definitions in IPv6 Access Rules 971

CHAPTER 61 Troubleshooting Licensing 945Troubleshooting Licensing 946 Checking If All Components Are Licensed 947 Checking License Validity and State 947 License Is Shown as Retained 948 Throughput Based License Exceeded Alerts 949 Changing Information in Existing Licenses 949

CHAPTER 62 Troubleshooting Logging 951Problems With Viewing Logs 952 Logs Are Filling up the Engine or Log Server Storage Space 953 Log Server Does not Run 953

CHAPTER 66 Troubleshooting Reporting 973Troubleshooting Reporting 974

20

No Report is Generated at All 974 Empty Report Sections or Incomplete Data 975

CHAPTER 67 Troubleshooting Upgrades 977Upgrade Fails Because of Running Services 978 StoneGate will not be installed properly 978

CHAPTER 68 Troubleshooting VPNs 979Checking Automatic VPN Validation Results 980 VPN Certificate Issues 980 Problems with Internal to External Gateway VPN 981 Problems Connecting With a StoneGate VPN Client 982 Reading VPN-related Logs 982

R EFERENCEAPPENDIX A Command Line Tools 987 APPENDIX B StoneGate-Specific Ports 1003 APPENDIX C Predefined Aliases 1013 APPENDIX D Regular Expression Syntax 1017 APPENDIX E SNMP Traps and MIBs 1027 APPENDIX F Log Field Values 1041 APPENDIX G Advanced Log Server Configuration 1075 APPENDIX H Keyboard Shortcuts 1081

Glossary 1087 Legal Information 1121 Index 1137

21

22

Getting Started

CHAPTER 1

Using StoneGate Documentation

Welcome to the StoneGate product family by Stonesoft Corporation. This chapter describes how to use this guide and related documentation. It also provides directions for obtaining technical support and giving feedback on the documentation.

The following sections are included:
- Objectives and Audience, on page 26
- Documentation Available, on page 27
- Contact Information, on page 29

Objectives and Audience

The StoneGate Administrator's Guide is intended for the administrators of any StoneGate installation in tasks that involve the StoneGate Management Center (SMC) and the various components that the SMC controls. This guide describes step by step how to complete StoneGate configuration and management tasks. This guide is organized in parts and chapters that contain short introductions and detailed instructions for StoneGate management and configuration tasks. The guide continues from where the Installation Guide ends. The chapters in this guide are organized according to StoneGate administrative tasks. Each chapter focuses on one area of administration. As a general rule, the chapters proceed from basic configuration tasks to more advanced topics. Although overviews are provided, the emphasis in this guide is more on completing specific tasks than on developing a deep understanding of how the system works. This guide explains features included in the software versions mentioned on page 1. If you are using older versions of the software, you will not be able to use all the features explained in this manual, and some features that are available may not work as explained. To launch the Online Help system, press F1 on your keyboard in any Management Client window or dialog.

Typographical Conventions

We use the following typographical conventions throughout the guide:

TABLE 1.1 Typographical Conventions

Formatting | Informative Uses
Normal text | This is normal text.
User interface text | Interface elements (buttons, menus, icons) and any other interaction with the user interface are in bold-face.
References, terms | Cross-references and first use of acronyms and terms are in italics.
Command line | File names, directories, and text displayed on the screen are monospaced.
User input | User input on screen is monospaced bold-face.
Command parameters | Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:


Prerequisites: Many of the sections start with a list of prerequisites that point out tasks you must perform before the procedure outlined in the section. Obvious prerequisites (such as having installed a firewall if you want to configure a firewall feature) are not included in these prerequisites.

Note: Notes provide important information that may help you complete a task.
Caution: Cautions provide important information that you must take into account before performing an action to prevent critical mistakes.
Tip: Tips provide information that is not essential, but makes working with the system easier.
Example: Examples clarify points made in the adjacent text.

What's Next? The What's Next lists at the ends of sections contain tasks that you must or may want to perform after completing a procedure. If several of the procedures listed apply, pick the first one; you will encounter a new What's Next section when you are finished with the first item.

Documentation Available

StoneGate technical documentation is divided into two main categories: guide books and support documentation. StoneGate Firewall/VPN and StoneGate IPS have their separate sets of manuals, despite the fact that they are managed through the same user interface. Only the Administrator's Guide and the Online Help cover both the Firewall/VPN and IPS products.

Product Documentation

The table below lists the available guides.

TABLE 1.2 Product Documentation

Guide | Description
Reference Guide | Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Firewall/VPN and StoneGate IPS.
Installation Guide | Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Firewall/VPN and StoneGate IPS.
Online Help | Detailed instructions for the configuration and use of StoneGate. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Monitoring Client. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.
Administrator's Guide | Describes how to configure and manage a StoneGate system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client.
User's Guide | Instructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Monitoring Client.
Appliance Installation Guides | Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling etc.). Available for all StoneGate hardware appliances.

PDF versions are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.

Support Documentation

The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate guide books, for example, by giving further examples on specific configuration scenarios. The latest StoneGate technical documentation is available on the Stonesoft website at http://www.stonesoft.com/support/.

System Requirements

The system requirements for running StoneGate, including the approved network interfaces, supported operating systems, and other such hardware and software requirements for StoneGate engines and the Management Center, can be found at http://www.stonesoft.com/en/products_and_solutions/supported_platforms/intel_servers/ (see the technical requirements section at the bottom of the page). The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes included on the Management Center CD-ROM and on the software download page at the Stonesoft website.


Contact Information

For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.

Licensing Issues

You can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do. For license-related queries, e-mail [email protected].

Technical Support

Stonesoft offers global technical support services for Stonesoft's product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.

Your Comments

We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements. To comment on software and hardware products, e-mail [email protected]. To comment on the documentation, e-mail [email protected].

Security Related Questions and Comments

You can send any questions or comments relating to StoneGate IPS and network security to [email protected].

Other Queries

For queries regarding other matters, e-mail [email protected].


CHAPTER 2

Introduction to StoneGate

The sections listed below provide an overview of the graphical user interface and the most common tasks in managing your StoneGate system. The following sections are included:
- Using the Management Client, on page 32
- Getting Started with the Firewall, on page 40
- Getting Started with VPNs, on page 42
- Getting Started with the IPS, on page 42

Using the Management Client

This section presents the general views and useful actions related to managing the different views. Some individual tasks, like log browsing and policy editing, open their own specific views, which are not explained in this section but in the sections where the tasks related to those views are explained. See the Related Tasks for those.

Related Tasks
- Getting Started with System Monitoring, on page 490
- Getting Started with Browsing Data, on page 512
- Getting Started with Reports, on page 534
- Getting Started with Policies, on page 344

Introduction to the System Status View

Illustration 2.1 Management Client Window with the System Status view

Callouts in the illustration:
- Shortcuts to views. With a simple click, the new view replaces the current one. Ctrl-click opens the view in a new tab. Shift-click opens the view in a new window.
- Connectivity diagram.
- Status of monitored system elements.
- Details of the selected element.
- Information messages of the Management Client itself.

In addition to the toolbar icons, you can navigate to the different views and open new tabs and windows through the main menu or by following a link from one view to another (for example, from a log entry to the related rule in a policy). These methods also allow opening the item in a new window using Shift-click or in a new tab using Ctrl-click.

Introduction to the Configuration View

Illustration 2.2 Management Client with the Configuration View

Callouts in the illustration:
- Full tree of all elements in the system.
- Elements of the type selected in the Elements tree.
- Details of the selected element, as in the System Status view.
- A new alert has been triggered in the system. If you see the icon, click it to view all active alerts. Right-click for a menu.

Note Open a Configuration view to see the list of all element types and the defined elements. Other views display only elements that can be used in tasks you do in each particular view.


Introduction to Overviews

Overviews are customizable views that can contain information on the system's status, shortcuts to views you use often (such as logs filtered with specific criteria), and statistical charts on the system's operation (such as engine load) and the traffic flow.

Illustration 2.3 Example Overview with System Status, Bookmarks, and Various Statistics

Callouts in the illustration:
- Overviews button
- View-specific toolbar

Related Tasks
- Working With Overviews, on page 493

Rearranging the Layout of the Management Client

Some layout options are specific to the view that is active, some are global. You can select different panels and view options through the options and submenus under the View menu. The number of panel types available depends on the view you are in. You can drag and drop the panels to several preconfigured places within each specific view. The layout is saved as your preference for further use, but you can reset it through the View > Layout > Reset Layout option in the menu.

Illustration 2.4 Resizing and Moving Panels

To resize a panel, drag by the outer edges as usual.

To move a panel, drag by the thick title bar at the top.

Illustration 2.5 Positioning a Panel

You can move the panels in a number of positions that are highlighted as you drag the panel around. Drop the panel where you prefer to have it. If the highlighted area completely covers some other panel, the second panel adds a new tab.

You can also bookmark views to quickly return to a specific view and layout at any later time. See Bookmarking Views, on page 37.


Bookmarking Views

Bookmark-related actions can be found through the Bookmark menu. Bookmarks can be used as quick links to particular views. For example, you can bookmark a Log view with only a certain set of logs filtered for viewing. Several windows and tabs can be stored behind a single click when you combine bookmarks into Bookmark Folders. Bookmarks in the default Shared Bookmarks group are shown to all administrators that log in to the same Management Server. Other bookmarks are private to the Management Client of individual administrators.

Creating New Bookmarks

You can create a bookmark for the currently active tab and other window-level elements in the configuration you select. Some view-specific options are also stored in bookmarks, such as the currently active filter in the Logs view, or the type of elements that are listed in a Configuration view at the time the bookmark is created. Bookmarking is a main window action, so the properties dialogs for the various elements cannot be bookmarked.

To bookmark a view
1. Arrange the view as you would like to see it when the bookmark is opened.
2. Select Bookmark > Add Bookmark from the menu. The Bookmark Properties dialog opens.

Illustration 2.6 Bookmark Properties

3. (Optional) Change the Name and add a Comment for your reference. The default name is taken from the bookmarked window's title.
4. Click the Select button and select the Group where the Bookmark is placed, or leave the selection at the default Bookmarks to create the Bookmark at the top level of the bookmarks tree. You can add the new bookmark to the Toolbar by selecting Toolbar in the In Folder selection. Select the Shared Bookmarks group if you want other administrators to see this Bookmark. Bookmarks in all other Groups are private to you.
5. Click OK.

Creating New Bookmark Folders

Bookmark Folders help you to organize bookmarks and make it easier to open several bookmarks at once. You can also create Bookmark Folders inside other Bookmark Folders. When you create an All Tabs Bookmark Folder, all the tabs that are open in the current view are included as new bookmarks in the new Bookmark Folder. If you do not want to create bookmarks for some of the open tabs, close those tabs before creating the Bookmark Folder. Alternatively, you can later remove unnecessary bookmarks from the Bookmark Folders as described in Managing Bookmarks, on page 39.

To create a new All Tabs bookmark folder
1. Select Bookmark > Bookmark All Tabs from the menu. The Bookmark Folder Properties dialog opens.

Illustration 2.7 Bookmark Folder Properties

2. Enter a Name and optionally also add a Comment for your reference.
3. Click the Select button and select the Folder where the Bookmark Folder is placed, or leave the selection at the default Bookmarks to create the folder at the top level of the bookmarks tree. Note also that you can add the new bookmark folder to the Toolbar by selecting Toolbar in the In Folder selection. Select the Shared Bookmarks folder if you want other administrators to see this Bookmark Folder. All other Folders are private to you.
4. Click OK.

Managing Bookmarks

Bookmarks can be managed in the Configuration view in the Bookmarks tree branch. There is a shortcut to this view: select Bookmark > Manage Bookmarks in the menu. You can, for example, copy Bookmarks and Bookmark Folders from one group to another and delete Bookmarks.

Illustration 2.8 Bookmarks

Callouts in the illustration:
- Select Manage Bookmarks from the Bookmark menu to show the bookmarks tree as seen here.
- This is a Bookmark Group. Right-click for a menu of actions, for example, to open all bookmarks in the group at once or to create a new group.
- Individual Bookmarks are shown in a tree below the Bookmark Group name. Right-click to copy or delete the bookmark or to change its Properties.

Changing the Startup View

You can freely choose which view opens whenever you log in with your Management Client, replacing the default System Status view.

To change the startup view
1. Arrange the screen to your liking with the windows, tabs, and views you want to have open at each login.
2. Select Bookmark > Save as Startup Session from the menu.

Getting Started with the Firewall

Firewall System Components

Before you can use a StoneGate Firewall, you need to have installed at least the following mandatory components:
- A Management Server, which stores the configuration of the system.
- At least one Log Server to handle and store logs and alerts (can be installed simultaneously on the same machine with the Management Server).
- At least one Management Client to connect with the Management Server to change settings and monitor the system.
- At least one Firewall Engine that handles the actual traffic processing (always a separate machine).
- Licenses for all abovementioned components, except the Management Client(s). If you do not have the license files, see Generating a New License, on page 897.

All of the installation and initial configuration tasks are explained in the StoneGate Installation Guide, which is available as a PDF document on the product CD-ROM (or the .iso image file), at the Stonesoft website at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/, and as a printed book if you ordered the product kit. The rack-mounting and other hardware-specific tasks that concern StoneGate appliances are covered in the booklet that was delivered with the appliance. This overview begins from where the Installation Guide ends. It explains the most common management tasks. Proceed to Setting up the Firewall after Installation.

Setting up the Firewall after Installation
Note: The configuration information is stored on the Management Server, and most changes are transferred to the engines only when you install or refresh the firewall policy after making the changes.
This section is meant to help you get started after you have completed the firewall installation, installed a basic firewall policy, and turned the engine online as instructed in the Installation Guide. The very basic administration tasks you must learn or complete next include the following:
• Scheduling automatic backup tasks to safekeep the essential configuration information stored on the Management Server as instructed in Backups, on page 841.
• Checking the log data generated by the system as instructed in Log and Alert Browsing, on page 511.
• Setting up automated tasks to manage the gathered log data and prevent the Log Server storage space from filling up with logs as instructed in Log Management, on page 849.


Chapter 2: Introduction to StoneGate

• Defining additional administrator accounts and delegating administrative tasks as instructed in Administrator Accounts, on page 755.
• Setting up automatic updates to ensure that your system stays current, see Getting Started with Automatic Updates and Engine Upgrades, on page 914.
• Developing your Firewall Policies further as instructed in Editing Access Rules, on page 377 and Editing Inspection Rules, on page 405.
• Monitoring the system operation as instructed in System Monitoring, on page 489.
After you are comfortable with the basic set up and use as outlined above, you can proceed to Customizing the Firewall.

Customizing the Firewall
The most typical customization steps include:
• Creating filters for use in various tasks, see Filters, on page 239.
• Defining custom services to be used in firewall policies. By using custom services in the Service cell, you can adjust the scope of each rule. See Services, on page 217.
• Defining custom alerts and alert escalation policies as instructed in Alert Escalation, on page 785.
In addition to the administrative tasks presented above, there are other steps that you may find useful in managing your StoneGate solution:
• Creating network diagrams (for visualizing, documenting, and graphically monitoring your network environment) as instructed in Diagrams, on page 561.
• Modifying certain firewall settings such as the test subsystem or clustering mode. Refer to Editing Single Firewall Properties, on page 72 or Editing Firewall Cluster Properties, on page 73.
• Generating statistical reports from the logs and statistical data produced by the system, see Reports, on page 533.
• Categorizing various system elements such as network elements and security policies. You can, for example, create a separate category for the elements of various customers, departments, or offices and then use the categories for filtering the data presented in the Management Client. Refer to Using Categories, on page 172.
StoneGate Management Center provides you with an extensive set of tools for configuring and optimizing your StoneGate Firewall and IPS solutions; to make the most out of them, read the Reference Guide, which gives you an overall view of the firewall system and its features.


Getting Started with VPNs
A VPN connection is encrypted to prevent anyone from viewing the transmitted information while it travels in untrusted networks. Usually, the VPN features are used alongside the StoneGate Firewall, but StoneGate VPN can be used as a standalone product as well. In both cases, you need to have set up the StoneGate Management Center components described in Firewall System Components, on page 40 before you can proceed with configuring a VPN. The StoneGate Reference Guide provides background information for planning and implementing your VPN system. To set up a VPN connection, proceed to Configuring IPsec VPNs, on page 627.

Getting Started with the IPS
IPS System Components
Before you can use a StoneGate IPS, you need to have installed at least the following mandatory components:
• A Management Server, which stores the configuration of the system.
• At least one Log Server to handle and store logs and alerts (can be installed simultaneously on the same machine with the Management Server).
• At least one Management Client to connect to the Management Server to change settings and monitor the system.
• At least one Sensor-Analyzer, or at least one Sensor and one Analyzer, that handle the actual traffic processing.
• Licenses for all above-mentioned components, except the Management Client(s). If you do not have the license files, see Generating a New License, on page 897.
All of the installation and initial configuration tasks are explained in the StoneGate IPS Installation Guide, which is available as a PDF document on the product CD-ROM (or the .iso image file), at the Stonesoft Website at http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/, and as a printed book if you ordered the product kit. The rack-mounting and other hardware-specific tasks that concern StoneGate appliances are covered in the booklet that was delivered with the appliance. Proceed to Setting up the IPS after Installation.


Setting up the IPS after Installation
Note: The configuration information is stored on the Management Server, and most changes are transferred to the sensor and analyzer engines only when you install or refresh the engine's policy after making the changes.
This overview begins from where the Installation Guide ends. Once you have installed the System policy, your next task is gathering information about the events detected in your networks during a tuning period. The very basic administration tasks you must learn or complete next include the following:
• Scheduling automatic backup tasks to safekeep the essential configuration information stored on the Management Server as instructed in Backups, on page 841.
• Checking the log data generated by the system as instructed in Log and Alert Browsing, on page 511.
• Setting up automated tasks to manage the gathered log data and prevent the Log Server storage space from filling up with logs as instructed in Log Management, on page 849.
• Defining additional administrator accounts and delegating administrative tasks as instructed in Administrator Accounts, on page 755.
• Setting up automatic update checking or otherwise ensuring that your system stays current, see Getting Started with Automatic Updates and Engine Upgrades, on page 914.
After you have done the basic set up and use as outlined above, you can proceed to Customizing the IPS System, on page 43.

Customizing the IPS System
Once you have enough information on what kind of traffic, malicious and harmless, can be seen in your network, you can modify your policies to improve the detection accuracy and to get rid of false alarms. The most typical customization steps include:
• Creating filters for use in various tasks. Refer to Filters, on page 239.
• Creating your own policy or policy template as explained in Creating and Managing Policies, on page 343.
• Modifying the Ethernet rules, Access rules, and Inspection rules as explained in Editing Ethernet Rules, on page 371, Editing Access Rules, on page 377, and Editing Inspection Rules, on page 405.
• Creating your own custom Situations as explained in Situations, Tags and Vulnerabilities, on page 259.
• Defining custom alerts and alert escalation policies as instructed in Alert Escalation, on page 785.


In addition to the administrative tasks presented above, there are other steps that you may find useful in managing your StoneGate solution:
• Creating network diagrams (for visualizing, documenting, and graphically monitoring your network environment) as instructed in Diagrams, on page 561.
• Modifying certain analyzer and sensor settings such as the test subsystem or clustering mode. Refer to Editing Analyzer Properties, on page 75, Editing Single Sensor Properties, on page 76, Editing Sensor Cluster Properties, on page 77, or Editing Combined Sensor-Analyzer Properties, on page 78.
• Generating statistical reports from the logs and statistical data produced by the system, see Reports, on page 533.
• Categorizing various system elements such as network elements and security policies to reduce screen clutter. Refer to Using Categories, on page 172.
StoneGate Management Center provides you with an extensive set of tools for configuring and optimizing your StoneGate firewall and IPS solutions; to make the most out of them, read the IPS Reference Guide, which gives you an overall view of the IPS system and its features.


CHAPTER 3

What's New?

This section lists major changes since the previous release. Most new or reworked features in the software are listed here. Changes that do not significantly affect the way StoneGate is configured are not listed. For a full list of changes in the software, consult the Release Notes.
The following sections are included:
• New Common Features in SMC 4.3, on page 46
• New Features in Firewall/VPN 4.3, on page 49
• New Features in SOHO Firewalls, on page 49
• New Features in IPS 4.3, on page 49


New Common Features in SMC 4.3
Administrator Account Improvements
You can now activate password quality checks that enforce password guidelines for Administrator accounts. You can also activate automatic logging out of administrators that have been inactive for a set period of time. For more details, see Getting Started with Administrator Accounts, on page 756.

Automatic License Upgrade
StoneGate licenses indicate a maximum software version that the license entitles you to install. You can now activate automatic checks for new license versions and have the licenses upgraded automatically to the highest available version that your organization is entitled to. When you are ready to upgrade the software, there is no need for manual license upgrades. For more details, see Configuring Automatic Updates and Engine Upgrades, on page 915.

Automatic Memory Allocation
Due to restrictions of the Java platform, the memory allocations for the StoneGate Management Center servers are fixed. In some cases, the default allocations were not sufficient and administrators had to edit configuration files manually. Now, the installer checks the available memory and automatically increases the allocations if there is enough memory installed. A minor portion of the memory is left unallocated for the system to use. This is done at each installation and upgrade. It is still possible to edit the configuration files manually in the rare cases that further adjustments are needed. For the minimum requirements, see the SMC Release Notes. For more details on editing the memory allocations manually, visit the StoneGate Technical Knowledge Base at www.stonesoft.com/support.

Antispoofing Configuration Improvement
Antispoofing now allows setting network definitions as Absolute. When the option is set, antispoofing allows all addresses included in the network even if there is a more specific definition for some address behind a different interface. For more details, see Modifying Antispoofing, on page 296.
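The effect of the Absolute option is easier to see on a small model than in prose. The following Python is an added illustration, not StoneGate code: it assumes (as a simplification of the antispoofing described above) that a source address is accepted only on the interface carrying the most specific network definition that covers it, and that an Absolute definition additionally accepts every address of its network on its own interface. The interface names and networks are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkDef:
    """A network definition attached to an engine interface (model only)."""
    interface: str
    network: ipaddress.IPv4Network
    absolute: bool = False  # the "Absolute" option; semantics assumed as described above


def allowed_interfaces(defs, src_ip):
    """Interfaces on which a packet with this source address is accepted.

    Assumed default behaviour: only the interface with the most specific
    (longest-prefix) definition covering the address accepts it. An Absolute
    definition also accepts every address of its network on its own interface,
    even when a more specific definition exists behind another interface.
    """
    src = ipaddress.ip_address(src_ip)
    matches = [d for d in defs if src in d.network]
    if not matches:
        return set()
    longest = max(d.network.prefixlen for d in matches)
    allowed = {d.interface for d in matches if d.network.prefixlen == longest}
    allowed |= {d.interface for d in matches if d.absolute}
    return allowed


def is_spoofed(defs, interface, src_ip):
    """True if antispoofing would drop a packet with this source on this interface."""
    return interface not in allowed_interfaces(defs, src_ip)


# Constructed sample topology: all of 10/8 sits behind eth0, but the subnet
# 10.1/16 has its own, more specific definition behind eth1.
BASE_DEFS = [
    NetworkDef("eth0", ipaddress.ip_network("10.0.0.0/8")),
    NetworkDef("eth1", ipaddress.ip_network("10.1.0.0/16")),
]
ABSOLUTE_DEFS = [
    NetworkDef("eth0", ipaddress.ip_network("10.0.0.0/8"), absolute=True),
    NetworkDef("eth1", ipaddress.ip_network("10.1.0.0/16")),
]


def compare_sample():
    """Evaluate one host of 10.1/16 arriving on eth0 with and without Absolute."""
    return {
        "default": is_spoofed(BASE_DEFS, "eth0", "10.1.2.3"),
        "absolute": is_spoofed(ABSOLUTE_DEFS, "eth0", "10.1.2.3"),
    }


if __name__ == "__main__":
    print(compare_sample())  # {'default': True, 'absolute': False}
```

Without Absolute, 10.1.2.3 seen on eth0 is dropped as spoofed because the more specific definition puts it behind eth1; with Absolute on the 10/8 definition it is accepted on eth0 while eth1 still accepts it as well.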

Bookmark Improvements
You can now add your bookmarks into the main toolbar in the Management Client. This allows you to customize the toolbar shortcuts for quick access to any view. The sidebar for managing Bookmarks has been removed and bookmarks can now be managed in the same way as other elements in the Configuration view, in a dedicated Bookmarks branch of the element tree. For more details, see Bookmarking Views, on page 37.


Diagram Improvements
There are now two types of diagrams: IP Diagrams for network topology documentation and Connectivity Diagrams for monitoring the system components and system communications graphically. Both types of diagrams can be generated automatically. By default, Connectivity Diagrams are generated automatically as you select components in the System Status view. For more details, see Getting Started with Diagrams, on page 562.

Hardware Monitoring for StoneGate Appliances
You can now monitor the hardware status (such as fan speed, temperature, RAID and NIC status) of compatible StoneGate appliances through the Management Client. Not all appliances provide all types of information, and not all appliance models are supported. This feature requires Firewall/VPN and IPS engine software version 4.3.

Log Browsing Improvements
There is a new way to browse log entries in the Logs view. The customizable Details view fills the main panel with an overview of one log entry at a time. This format allows you to see all necessary details related to that entry at one glance. The log entry table has a new Service column that shows the Service that corresponds to the traffic in the log entry. The log entry columns can now resolve the data for display as StoneGate elements (active by default) for a clearer, more visual display. For more details, see Getting Started with Browsing Data, on page 512.

Policy Handling Improvements
Usefulness of the rule tags that identify rules has been improved: the rule tag now contains a static part that allows the rule to be identified and linked to even after it has been edited. Each rule tag also has a new variable part that marks the revisions of the rule, but which is ignored when a static reference to the rule is needed. Example: A rule tag that reads @123.5 will change to @123.6 when the rule is edited. You can now select several consecutive Access Rules in a policy and create a Sub-Policy out of them through the right-click menu. Also, history information is now available for individual rules (Info panel).

Policy Validation
You can now run various validation checks in the policy views and at policy installations. The checks include, for example, searches for duplicate rules and rules that can never match because of the policy structure. The warnings and errors displayed at policy installation are now shown in a separate panel from the policy installation progress display. You can disable warnings related to rule validation based on rule or issue type. For more details, see Validating Policies, on page 362.
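The two checks named above, duplicate rules and rules that can never match, are the classic first-match policy problems. The following Python is an added example, not the product's validator: it assumes a simplified rule with a source network, a destination network, a set of services and an action, matched top-down with the first match winning, and reports a rule as "never matches" when an earlier rule already covers its whole match space. The sample policy and its @tags are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified access rule; 'any' in src/dst or in services matches everything."""
    tag: str
    src: str
    dst: str
    services: frozenset
    action: str


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec)


def _net_covers(outer, inner):
    """True if every address in inner is also in outer ('any' covers all)."""
    if outer is None:
        return True
    if inner is None or inner.version != outer.version:
        return False
    return inner.subnet_of(outer)


def covers(outer, inner):
    """True if every packet that matches inner would already match outer."""
    return (
        _net_covers(_net(outer.src), _net(inner.src))
        and _net_covers(_net(outer.dst), _net(inner.dst))
        and ("any" in outer.services or inner.services <= outer.services)
    )


def validate(rules):
    """Return (rule tag, issue, earlier rule tag) for duplicate and shadowed rules.

    Rules are matched top-down and the first match wins, so a rule whose whole
    match space is covered by an earlier rule can never match, whatever its action.
    """
    issues = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            same = (earlier.src, earlier.dst, earlier.services, earlier.action) == (
                rule.src, rule.dst, rule.services, rule.action)
            if same:
                issues.append((rule.tag, "duplicate", earlier.tag))
                break
            if covers(earlier, rule):
                issues.append((rule.tag, "never matches", earlier.tag))
                break
    return issues


# Constructed sample policy; tags mimic the @static.revision form described above.
SAMPLE_RULES = [
    Rule("@1.0", "10.0.0.0/8", "any", frozenset({"tcp/80"}), "allow"),
    Rule("@2.0", "10.1.0.0/16", "any", frozenset({"tcp/80"}), "discard"),  # shadowed by @1.0
    Rule("@3.0", "10.0.0.0/8", "any", frozenset({"tcp/80"}), "allow"),     # duplicate of @1.0
    Rule("@4.0", "192.168.0.0/24", "10.0.0.0/8", frozenset({"tcp/22"}), "allow"),
    Rule("@5.0", "any", "any", frozenset({"any"}), "discard"),
]


if __name__ == "__main__":
    for tag, issue, other in validate(SAMPLE_RULES):
        print(f"{tag}: {issue} (see {other})")
```

Note that @2.0 is the dangerous case: an operator reading the policy would expect the discard to apply to 10.1/16, but the broader allow above it means the discard is dead.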


Printing Changes
Direct printing is being progressively phased out. Instead, a Print to PDF action is used to provide a more versatile and reliable output across the various supported platforms. A PDF reader (such as the free Adobe Acrobat Reader) must be installed on the computer that runs the Management Client to view and print out the information.

Search for Unused Elements
There is a new search tool that allows you to list all elements in the system that are not used in any configuration, and may therefore be potentially obsolete. This helps you clean up the system of unnecessary clutter. For more details, see Searching for Unused Elements, on page 189.

Statistics Improvements
New Overviews are collections of Statistical charts and tables, which you can arrange in a grid for easy monitoring of several statistical charts at once. You can save several Overviews to have quick access to different favorite displays. The Overviews make obsolete the single statistical chart that was previously shown in the Status/Statistics view (that view is now called System Status view to reflect its new role). Some new statistical items are available for information that is derived from log data. You can now also select one of a few available Statistical items for display in the Info view of an engine. For more details, see Overviews, on page 492.

StoneGate SSL VPN Logs and Monitoring Integration
You can now connect your StoneGate SSL VPN appliance to the Management Center to centrally monitor the status and logs of the SSL VPN appliances. Any changes to the SSL VPN configuration are still done through a Web browser as before. This feature requires SSL VPN engine software version 1.2. For more details, see Connecting SSL VPN Gateways to the SMC, on page 129.

System Report
A new type of report is available. The System report gathers information about the StoneGate configuration and formats it into a summary. The report helps you check the system's correspondence to internal guidelines and provide the information required by external auditors. For more details, see Working with the System Report, on page 560.

Tools Icon Menu
Many of the view-specific actions that had their own icon in a secondary toolbar have now been collected into a view-specific menu that opens through a Tools icon that depicts a spoked wheel. The menu displays a textual label along with the icons, making it easier to see all available actions at a glance.


New Features in Firewall/VPN 4.3
Deep Inspection - Support for Additional Protocols
Deep inspection now also supports the IMAP, POP3, and SMTP protocols in addition to the previously supported protocols (SIP and HTTP). To activate deep inspection for these protocols, activate deep inspection for them in the Access Rules and make sure the Inspection Rules cover the relevant Situations.

DHCP Server
Single firewalls now have an integrated DHCP server for assigning IP addresses to local clients. For more details, see Activating the Internal DHCP Server on a Single Firewall, on page 120.

Virus Scanning
Integrated anti-virus is now available as part of the StoneGate UTM appliance solution. For more details, see Configuring Anti-Virus Settings, on page 159.

New Features in SOHO Firewalls
Direct Internet Access Blocking for Corporate
The Corporate interface type previously always allowed direct outgoing connections to the Internet. Starting from SMC 4.2.3, there is an option to either allow or disallow direct Internet connections (access to/from the VPN tunnel is still always allowed). For more details, see Defining Corporate Interfaces for SOHO Firewalls, on page 101.

New Features in IPS 4.3
IPv6 Inspection Support
StoneGate IPS now supports the inspection of IPv6, the next-generation Internet protocol. There is a new tab in the IPS policy for the IPv6 Access Rules. IPv4 rules remain as they are and also the tab name remains simply Access Rules. Inspection Rules also remain as they are, although there are new Situation elements to detect IPv6-specific threats. For more details, see Getting Started with Editing IPv6 Access Rules, on page 396.

Tunneled Traffic Inspection
StoneGate IPS can now inspect IP-in-IP tunneled (cleartext) traffic. The main application is to inspect IPv6 traffic that is tunneled inside IPv4 for transport across


IPv4 networks, but other combinations of IP-in-IP tunneling are also supported. If the tunneling involves encryption, the IPS cannot inspect the traffic. For more details, see Configuring the Inspection of Tunneled Traffic, on page 161.
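To show what "IP-in-IP tunneled (cleartext) traffic" means at the packet level, and why an encrypted tunnel stops inspection, here is an added Python example; it is not StoneGate code and does not model the IPS engine. It parses the fixed IPv4 and IPv6 headers, follows protocol 41 (IPv6-in-IPv4) and protocol 4 (IPv4-in-IPv4) encapsulation down to the innermost header, and reports an ESP payload (protocol 50) as not inspectable. IPv6 extension headers are not followed. The sample packets are constructed inline from documentation address ranges.

```python
import ipaddress
import struct

# IANA protocol numbers used when unwrapping tunnels
IPPROTO_IPIP = 4    # IPv4 encapsulated in IPv4
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # IPv6 encapsulated in IPv4 (6in4)
IPPROTO_ESP = 50    # IPsec ESP: the payload is encrypted


def parse_ipv4(pkt):
    """Decode the IPv4 header fields needed for unwrapping (options skipped via IHL)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "version": 4,
        "proto": pkt[9],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "payload": pkt[ihl:],
    }


def parse_ipv6(pkt):
    """Decode the fixed 40-byte IPv6 header (extension headers are not followed)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "version": 6,
        "proto": pkt[6],  # Next Header
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "payload": pkt[40:],
    }


def unwrap(pkt, max_depth=4):
    """Peel IP-in-IP layers; return (layers outer-first, innermost is inspectable).

    Cleartext encapsulation (protocols 4 and 41) is followed down to the
    transport payload. ESP carries ciphertext, so inspection stops there.
    """
    layers = []
    cur = pkt
    for _ in range(max_depth):
        hdr = parse_ipv4(cur) if cur[0] >> 4 == 4 else parse_ipv6(cur)
        layers.append(hdr)
        if hdr["proto"] in (IPPROTO_IPIP, IPPROTO_IPV6):
            cur = hdr["payload"]
            continue
        break
    inspectable = layers[-1]["proto"] != IPPROTO_ESP
    return layers, inspectable


def ipv4_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(next_header, src, dst, payload_len):
    """Build a minimal 40-byte IPv6 header."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


# Constructed sample packets; the transport segment is a zero-filled placeholder.
_SEG = bytes(20)
SAMPLE_6IN4 = (ipv4_header(IPPROTO_IPV6, "192.0.2.1", "198.51.100.1", 40 + len(_SEG))
               + ipv6_header(IPPROTO_TCP, "2001:db8::1", "2001:db8::2", len(_SEG)) + _SEG)
SAMPLE_IPIP = (ipv4_header(IPPROTO_IPIP, "192.0.2.1", "198.51.100.1", 20 + len(_SEG))
               + ipv4_header(IPPROTO_UDP, "10.0.0.1", "10.0.0.2", len(_SEG)) + _SEG)
SAMPLE_ESP = ipv4_header(IPPROTO_ESP, "192.0.2.1", "198.51.100.1", 16) + bytes(16)


if __name__ == "__main__":
    for name, pkt in (("6in4", SAMPLE_6IN4), ("ipip", SAMPLE_IPIP), ("esp", SAMPLE_ESP)):
        layers, ok = unwrap(pkt)
        summary = [(l["version"], l["src"], l["proto"]) for l in layers]
        print(name, summary, "inspectable" if ok else "encrypted, cannot inspect")
```

The 6in4 sample unwraps to an inner IPv6 header carrying TCP, which is exactly the traffic the feature is meant to expose to the Inspection Rules; the ESP sample stops at the outer IPv4 header because nothing beyond it is cleartext.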


Engine Elements

CHAPTER 4

Creating and Modifying Engine Elements

Engine elements contain the configuration information that is directly related to the firewalls, sensors, and analyzers, such as the interface definitions, cluster mode selection, tester settings, and other such engine-specific options. This section explains how to create and modify these elements and lists the tasks you can do in the engine element properties (in the Editing... sections below).
The following sections are included:
• Getting Started with Engine Elements, on page 54
• Creating New Engine Elements, on page 55
• Modifying Existing Engine Elements, on page 68
• Editing Single Firewall Properties, on page 72
• Editing Firewall Cluster Properties, on page 73
• Editing SOHO Firewall Properties, on page 74
• Editing Analyzer Properties, on page 75
• Editing Single Sensor Properties, on page 76
• Editing Sensor Cluster Properties, on page 77
• Editing Combined Sensor-Analyzer Properties, on page 78
• About Engine Time Synchronization, on page 79


Getting Started with Engine Elements
Prerequisites: None

What Engine Elements Do
Engine elements are the center point of all configuration and management tasks related to your firewalls, sensors, and analyzers. They contain settings that cannot be reused in the configuration of other components, such as the network interface configuration. The engine elements also determine which of the reusable elements the configuration of a particular component includes, for example, the Log Server to which the component sends its log data. All engines are centrally configured and controlled through the Management Server.
What Do I Need to Know Before I Begin?
If you are configuring new engine elements for the first time, we recommend that you follow the instructions in the Installation Guide instead of the instructions here. For background information on how the system works, see the Firewall/VPN Reference Guide or the IPS Reference Guide.
Note: To follow these instructions, you must have installed the StoneGate Management Center (SMC). See the Firewall/VPN Installation Guide or the IPS Installation Guide for instructions.

Configuration Overview
The overview below does not cover the StoneGate SSL VPN product. See Creating a New SSL VPN Gateway Element, on page 66. For information on configuring StoneGate SSL VPN, see the SSL VPN Administrator's Guide.
1. Import a license file for the engine (see Upgrading or Generating Licenses, on page 896).
2. Create a new engine element and define the basic properties, see Creating New Engine Elements, on page 55.
3. Configure the engine's interfaces, see Getting Started with Interface Configuration, on page 82.
4. (Not applicable to SOHO Firewalls) Configure the routing, see Getting Started with Routing, on page 282.
5. Generate the initial configuration for the engine and use it to establish a connection between the engine and the Management Server (see Connecting Engines to the SMC, on page 123).
6. (Not applicable to SOHO Firewalls) Install a policy on the engine, see Installing and Updating Policies, on page 358.


Related Tasks
• Editing Single Firewall Properties, on page 72
• Editing Firewall Cluster Properties, on page 73
• Editing SOHO Firewall Properties, on page 74
• Editing Analyzer Properties, on page 75
• Editing Single Sensor Properties, on page 76
• Editing Sensor Cluster Properties, on page 77
• Editing Combined Sensor-Analyzer Properties, on page 78

Creating New Engine Elements
Prerequisites: None

You can create a new engine element either by defining a blank new element or by duplicating the properties of an existing element. Before you define a new engine element, make sure you have a license file for it. The element can be configured without a license, but you must have a license to make the engine operational. You can either create a new element as instructed in the sections listed below or you can copy and modify an existing element as explained in Duplicating an Existing Engine Element, on page 67.
What's Next?
• Creating a New Single Firewall Element, on page 56
• Creating a New Firewall Cluster Element, on page 56
• Creating One New SOHO Firewall Element, on page 57
• Creating Multiple New SOHO Firewall Elements, on page 59
• Creating a New Analyzer Element, on page 62
• Creating a New Single Sensor Element, on page 63
• Creating a New Sensor Cluster Element, on page 64
• Creating a New Combined Sensor-Analyzer Element, on page 65
• Creating a New SSL VPN Gateway Element, on page 66


Creating a New Single Firewall Element
Single Firewall elements represent firewalls that consist of one physical device. They can be later converted to cluster elements.
To create a new Single Firewall element
1. Select Configuration > Configuration from the menu. The Configuration view opens.
2. Right-click Firewall Configuration in the All Elements tree and select New > Single Firewall from the menu that opens. The Single Firewall Properties dialog opens.
Illustration 4.1 Single Firewall Properties

3. Give the element a unique Name.
4. Select the Log Server that is used for sending the logs this engine creates.
5. Select the correct Location for this engine if there is a NAT device between system components affecting this firewalls communicat

