stonegate firewall installation guide 4.3

StoneGate Installation Guide

SMC 4.3 and Firewall/VPN 4.3

Legal Information

End-User License AgreementThe use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website:www.stonesoft.com/en/support/eula.html

General Terms and Conditions of Support and Maintenance ServicesThe support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website:www.stonesoft.com/en/support/view_support_offering/terms/

Replacement ServiceThe instructions for replacement service can be found at the Stonesoft website:www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware WarrantyThe appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website:www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and PatentsThe products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1259028, 1271283, 1289183, 1289202, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6 856 621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737, 7,234,166, 7,260,843, 7,280,540 and 7,302,480 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

SSL VPN Powered by PortWise

DisclaimerAlthough every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright © 2008 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGIG_20080604

www.stonesoft.com/en/support/eula.html

www.stonesoft.com/en/support/view_support_offering/terms/index.html

www.stonesoft.com/en/support/view_support_offering/return_material_authorization/index.html

www.stonesoft.com/en/support/view_support_offering/warranty_service/index.html

Table of Contents

INTRODUCTION

CHAPTER 1 Using StoneGate Documentation 9

How to Use This Guide 10

Typographical Conventions 10

Documentation Available 11

Product Documentation 11Support Documentation 12System Requirements 12

Contact Information 12

Licensing Issues 12Technical Support 12Your Comments 12Other Queries 12

CHAPTER 2 Planning the StoneGate Installation 13

StoneGate System Architecture 14

Example Network Scenario 15

Overview to the Installation Procedure 15

Important to Know Before Installation 16

Supported Platforms 16Date and Time Settings 16Hosts File 16Installation Files 17Checking File Integrity 17License Files 18

Firewall Cluster Interfaces 19

How Does Packet Dispatch Work? 20

INSTALLING THE MANAGEMENT CENTER

CHAPTER 3 Installing the Management Center 23

Installing the Management Center 24

Installing on Linux 24Starting the Installation 25Selecting Basic Installation Options 25Installing a Management Server 28Installing a Log Server 29Installing a Monitoring Server 30Installing a Management Client 31Finishing the Installation 31

Starting the Management Center 33

Starting the Management Server 33Starting the Management Client 33Accepting the Certificate 34Installing Licenses 35Starting the Log Server and Monitoring Server 37Starting Servers Manually 37If the Log Server or Monitoring Server Fails to

Start 38

Generating Server Certificates 39

Installing Dynamic Updates 40

After the Management Center Is Installed 44

Non-Graphical Installation 45

CHAPTER 4 Distributing StoneGate Clients Through Web Start 47

Getting Started with Web Start Distribution 48

Distributing Clients from the SMC Servers 48

Distributing Clients from a Separate Server 49

3

Accessing the Web Start Clients 50

CHAPTER 5 Configuring NAT Addresses for StoneGate Components 53

Configuration Overview 54

Defining Locations 55

Adding SMC Server Contact Addresses 57

Setting Management Client’s Location 59

INSTALLING THE FIREWALL EN-GINE

CHAPTER 6 Configuring SOHO Firewalls 63


Defining SOHO Firewalls 64

Defining a SOHO Firewall Element 65Defining Multiple SOHO Firewall Elements 66

Defining SOHO Firewall Interfaces 68

Defining External Interfaces 69

Configuring an ADSL or PPPoE Interface 69Configuring External Interface Properties for

Ethernet Interface 71

Defining Corporate Interfaces 72

Defining Settings for Wireless Access 76

Defining Security Settings for Wireless Access 76Defining a RADIUS Server Element 79Defining General Wireless Settings 80

Defining Guest Interfaces 81

Saving the Initial Configuration 82

CHAPTER 7 Configuring Single Firewalls 85


Adding a Single Firewall Element 86

Creating a Single Firewall Element 86

Adding Physical Interfaces 88

Adding VLANs 89

Configuring Single Firewall Interfaces 90

Adding Static IP Addresses 90Configuring a Dynamic IP Address 91Setting Global Interface Options 92

Using Management-Bound Licenses 94


CHAPTER 8 Configuring Firewall Clusters 97


Adding a Firewall Cluster Element 98

Adding Nodes to a Firewall Cluster 100


Adding VLANs 102

Configuring Firewall Cluster Interfaces 103

Defining Cluster Interfaces 104Defining Contact Addresses for Firewall

Clusters 106Setting Global Interface Options for Clusters 107

Using Management-Bound Licenses 110


CHAPTER 9 Installing the Engine on Intel Compatible Platforms 115

Installing the Firewall Engine 116

Checking File Integrity 116Starting the Installation 116

Configuring the Engine 117

Configuring the Engine Automatically with a USB Stick 117

Starting the Configuration Wizard 118Configuring the Operating System Settings 119Configuring the Network Interfaces 121Contacting the Management Server 122After Successful Management Server Contact 125

Installing the Engine in Expert Mode 125

Partitioning the Hard Disk Manually 125Allocating Partitions 127

4

ROUTING AND POLICIES

CHAPTER 10 Defining Routing and Basic Policies 131

Defining Routing 132

Adding a Default Route With a Single Network Link 134

Adding a Default Route With Multi-Link 136Defining Other Routes 143Antispoofing 144Using IP Address Count Limited Licenses 145

Defining Basic Policies 145

Adding a NAT Rule for the Example Ping Rule 150Installing the Policy 151

Moving On 153

MAINTENANCE

CHAPTER 11 Upgrading and Updating 159

Getting Started with Upgrading StoneGate 160

Configuration Overview 160Checking File Integrity 161

Upgrading or Generating Licenses 162

Generating a New License 162Upgrading Licenses Under One Proof Code 164Upgrading Licenses Under Multiple Proof

Codes 164Installing Licenses 165

Upgrading the Management Center 166

Upgrading Engines Remotely 168

Upgrading the Engine 169

Upgrading Engines Locally 171

Upgrading From an Engine Installation CD-ROM 172

Upgrading From an Archive File 173

Changing IP Addressing 175

Changing the Management Server’s IP Address 175

Changing the Log Server’s IP Address 176Changing IP Addresses if the Management Server

and the Log Server Run on the Same Machine 176

CHAPTER 12 Uninstalling StoneGate 179

Uninstalling the Management Center 180

Uninstalling in Windows 180Uninstalling in Linux 181

Uninstalling the Engines 181

APPENDICES

APPENDIX A Command Line Tools 185

APPENDIX B StoneGate-Specific Ports 201

APPENDIX C Example Network Scenario 207

APPENDIX D Installation Worksheet for Firewall Clusters 213

Legal Information 219

Index 235

5

Introduction

CHAPTER 1 Using StoneGate Documentation

Welcome to StoneGate™ High Availability Firewall and VPN solution by Stonesoft Corporation. This chapter describes how to use the StoneGate Installation Guide and lists other available documentation. It also provides directions for obtaining technical support and giving feedback.

The following sections are included:

How to Use This Guide, on page 10 Documentation Available, on page 11 Contact Information, on page 12

9

How to Use This GuideThe Installation Guide is intended for the administrators of a StoneGate Firewall/VPN installation. It describes step by step how to install the StoneGate Management Center and the firewall engine(s). The chapters in this guide are organized in the general order you should follow when installing the system.Most tasks are explained using illustrations that include explanations on the steps you need to complete in each corresponding view in your own environment. The explanations that accompany the illustrations are numbered when the illustration contains more than one step for you to perform.

Typographical ConventionsThe following typographical conventions are used throughout the guide:

We use the following ways to indicate important or additional information:

Note – Notes provide important information that may help you complete a task.

Caution – Cautions provide important information that you must take into account before performing an action to prevent critical mistakes.

Tip: Tips provide information that is not crucial, but may still be helpful.

TABLE 1.1 Typographical Conventions

Formatting Informative Uses

Normal text This is normal text.

User Interface textText you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.

References, termsCross-references and first use of acronyms and terms are in italics.

Command lineFile names, directories, and text displayed on the screen are monospaced.

User input User input on screen is monospaced bold-face.

Command parametersCommand parameter names are in monospaced italics.

10 Chapter 1: Using StoneGate Documentation

Documentation Avai lableStoneGate documentation is divided into two main categories: Product Documentation and Support Documentation. StoneGate Firewall/VPN and StoneGate IPS have their separate sets of manuals, despite the fact that they are managed through the same user interface. Only the Administrator’s Guide and the Online Help system cover both the Firewall/VPN and IPS products.

Product DocumentationThe table below lists the available product documentation.

PDF versions of the guides are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.

TABLE 1.2 Product Documentation

Guide Description

Reference Guide

Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Firewall/VPN and StoneGate IPS.

Installation GuideInstructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Firewall/VPN and StoneGate IPS.

Online Help

Detailed instructions for the configuration and use of StoneGate. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Monitoring Client. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.

Administrator’s Guide

Describes how to configure and manage a StoneGate system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StonGate IPsec VPN Client.

User’s GuideInstructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Monitoring Client.

Appliance Installation GuideInstructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling etc.). Available for all StoneGate hardware appliances.

Documentation Available 11

http://www.stonesoft.com/support/

Support DocumentationThe StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate Guide books, for example, by giving further examples on specific configuration scenarios.The latest StoneGate technical documentation is available on the Stonesoft website at http://www.stonesoft.com/support/.

System RequirementsThe system requirements for running StoneGate, including the approved network interfaces, supported operating systems, and other such hardware and software requirements for StoneGate engines and the Management Center can be found at http://www.stonesoft.com/en/products_and_solutions/products/fw/Certified_Servers/.The hardware and software requirements for the version of StoneGate you are running can also be found in the Release Notes included on the Management Center CD-ROM and on the software download page at the Stonesoft website.

Contact InformationFor street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.

Licensing IssuesYou can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do.For license-related queries, e-mail [email protected].

Technical SupportStonesoft offers global technical support services for Stonesoft’s product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.

Your CommentsWe want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements.• To comment on software and hardware products, e-mail [email protected].• To comment on the documentation, e-mail [email protected].

Other QueriesFor queries regarding other matters, e-mail [email protected].

12 Chapter 1: Using StoneGate Documentation

http://www.stonesoft.com

mailto:[email protected]




https://my.stonesoft.com/managelicense.do


http://www.stonesoft.com/en/products_and_solutions/products/fw/Certified_Servers/

http://www.stonesoft.com/en/products_and_solutions/products/fw/Certified_Servers/


CHAPTER 2 Planning the StoneGate Installation

This chapter provides important information to take into account before the installation can begin, including an overview to the installation and information on obtaining the installation and license files.


StoneGate System Architecture, on page 14 Example Network Scenario, on page 15 Overview to the Installation Procedure, on page 15 Important to Know Before Installation, on page 16 Firewall Cluster Interfaces, on page 19

13

StoneGate System ArchitectureA StoneGate system consists of the Management Center, Management Client(s), and one or more engines.

Illustration 2.1 StoneGate System Components

The Management Center consists of the following standard components:• the Management Server• one or more Log ServersThe Management Client is a single unified tool for all configuration and monitoring tasks related to the whole StoneGate system. You can install an unlimited number of Management Clients.Optionally, and for a separate license fee, you can also have:• one or more backup Management Servers• one or more Monitoring Servers for Monitoring Clients• an unlimited number of Monitoring Clients (used for limited view-only access

through the Monitoring Server).The Management Center components can be installed separately on different machines or on the same machine, depending on your requirements.The Management Center can manage several StoneGate firewalls (and IPS Sensors and Analyzers). A StoneGate firewall is either a SOHO firewall, a Single Firewall, or a Firewall Cluster:• A SOHO Firewall has a limited feature set and performance. It is primarily meant for

connecting a small branch office or a home office to the corporate network.• A Single Firewall is a fully-featured firewall with only one physical device. It does

not support load balancing or high availability for firewall activity. A Single Firewall can have both dynamic and static IP addresses.

14 Chapter 2: Planning the StoneGate Installation

• A Firewall Cluster is a fully-featured firewall that can include up to 16 physical devices that work as a single virtual entity. Each engine in the cluster enforces the same set of rules for handling the traffic. A Firewall Cluster can be configured either for dynamic load balancing or for hot standby. A Firewall Cluster always has static IP addresses.

Both single and clustered firewalls support Multi-Link for high availability and load balancing of network links. SOHO firewalls do not support Multi-Link.More background information can be found in the Reference Guide.

Example Network ScenarioTo get a better understanding of how StoneGate fits into a network, you can consult the Example Network Scenario that shows you one way to deploy StoneGate.All illustrations of the software configuration in this Installation Guide are filled in according to this example scenario; this way, you can always compare how the settings in the various dialogs relate to the overall network structure.See Example Network Scenario, on page 207.

Overview to the Instal lation Procedure1. Plan the installation of the StoneGate firewall engines and the Management

Center and check that you have all the necessary files as explained in this chapter.

2. Install and configure the Management Center and a Management Client. This is explained in Installing the Management Center, on page 23.

3. Import licenses for all StoneGate Management Center and firewall components, except SOHO Firewalls. This is explained in Installing Licenses, on page 35.

4. (Optional) Set up Management Client distribution through Java Web Start for automatic installation and upgrade. This is explained in Distributing StoneGate Clients Through Web Start, on page 47.

5. If network address translation (NAT) is applied to communications between system components, define Contact Addresses. This is explained in Configuring NAT Addresses for StoneGate Components, on page 53.

6. Define the firewall element(s) in the Management Client. This is explained in Configuring SOHO Firewalls, on page 63, Configuring Single Firewalls, on page 85, and Configuring Firewall Clusters, on page 97.

7. (Not relevant to SOHO Firewalls) If you have management bound licenses, bind them to the engines. This is explained in page 94 for single firewalls and page 110 for firewall clusters.

8. Generate the initial configuration for the firewall engine(s). This is explained on page 82 for SOHO Firewalls, on page 94 for single firewalls, and page 110 for firewall clusters.

Example Network Scenario 15

9. Install and configure the firewall engines.• For software installations, see Installing the Engine on Intel Compatible

Platforms, on page 115.• For hardware installation and initial configuration of StoneGate appliances, see

the Appliance Installation Guide that is delivered with each appliance.10.(Not relevant to SOHO Firewalls) Configure basic routing and install a policy on

the firewall. This is explained in Defining Routing and Basic Policies, on page 131.

The chapters and sections of this guide proceed in the order outlined above.

Important to Know Before Instal lationConsult the Reference Guide if you need more detailed background information on the operation of StoneGate than what is offered in this chapter.

Supported PlatformsThe Release Notes list the basic requirements for a StoneGate installation. For information on supported and certified hardware, see the Hardware Requirements document available at http://www.stonesoft.com/.

Date and Time SettingsMake sure that the Date, Time, and Time zone settings are correct on any computer you will use as a platform for any Management Center component, including the workstations used for remote management (Management Client or Monitoring Client). The time settings of the engines do not need to be adjusted, as they are automatically synchronized to the Management Server’s time setting (with an NTP server on SOHO firewalls). For this operation, the time is converted to UTC time according to the Management Server’s time zone setting. StoneGate always uses UTC internally.

Hosts FileDue to a restriction of the Java platform, the Management Server and Log Server hostnames must be resolvable on the computer running the Management Client (even if running on the same computer as the servers) to ensure good performance.To ensure that the hostnames can be resolved, you can add the IP address-hostname pairs into the local hosts file on the client computer:• In Linux: /etc/hosts• In Windows: \WINNT\system32\drivers\etc\hosts


http://www.stonesoft.com/

Installation FilesStoneGate hardware appliances have pre-installed software. If you wish to upgrade to a new version, use the remote upgrade feature after the firewall is fully configured.On other systems, the software is installed from CD-ROMs:• Depending on your order, you may have received ready-made Management Center

and the Firewall/VPN engine CD-ROMs.• Otherwise, download CD-ROM .iso image files from the Stonesoft website at

https://my.stonesoft.com/download/ and create the installation CD-ROMs from those.

If you download the installation files as .iso image files, create the installation CD-ROMs from the files with a CD-burning application that can correctly read and burn the CD-structure stored in the .iso images. If the end result is a CD-ROM file with the original .iso file on it, the CD-ROM cannot be used for installation.

Checking File IntegrityBefore installing StoneGate from downloaded files, check that the installation files have not become corrupt. Using corrupt files may cause problems at any stage of the installation and use of the system. File integrity is checked using either an MD5 or SHA-1 file checksum that can be found on the installation CD-ROM and on the download page at the Stonesoft website.Windows does not have MD5 or SHA-1 checksum tools by default, but there are several third-party programs available.

To check MD5 or SHA-1 file checksum1. Look up the correct checksum at https://my.stonesoft.com/download/.2. Change to the directory that contains the file(s) to be checked.3. Generate a checksum of the file using the command md5sum filename or

sha1sum filename, where filename is the name of the installation file.

Illustration 2.2 Checking the File Checksums

4. Compare the displayed output to the checksum on the website. They must match.

Caution – Do not use files that have invalid checksums. If downloading the files again does not help, contact Stonesoft technical support to resolve the issue.

$ md5sum sg_engine_1.0.0.1000.iso869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

Important to Know Before Installation 17

https://my.stonesoft.com/download/


License FilesYou must generate license files and install them on the Management Server using the Management Client before you can bring your system fully operational. Each Management Server, Log Server, Monitoring Server (optional), and each fully-featured firewall engine must have its own license (although several licenses may be stored in a single file).

Note – SOHO Firewall engines do not require a separate license file.

The Management Center license may be limited to managing a certain number of firewalls and IPS sensors. Each fully-featured single firewall, firewall cluster, single sensor, or sensor cluster is counted as one managed unit. Each five SOHO firewalls are counted as one managed unit.You generate the licenses at the Stonesoft website based on your proof-of-license (for software, included in the order confirmation message sent by Stonesoft) or proof-of-serial number (for appliances, printed on a label attached to the appliance hardware). Evaluation licenses are also available at the website.There are two types of licenses that you can generate:• IP-address-bound licenses: For all Management Center components and optionally

engines with non-dynamic IP addresses. If you want to change the IP address the license is bound to, you must fill in a request at the licensing website. For engine components, the IP address must be the Primary Control IP Address (the one that is used for communications with the Management Server).

• Management-bound licenses: For firewall and IPS engines (bound to the proof-of-license of the Management Server). Management-bound licenses allow you to change the IP addressing of an engine without generating a new license, and they can be switched from one engine to another if you delete or re-license the engine to which it is bound.

To generate a new license1. Go to the License Center at www.stonesoft.com/license/.2. Enter the required code (proof-of-license or proof-of-serial number) to the correct

field and click Submit. The license page opens.3. Click Register. The license generation page opens.4. Read the directions on the page and fill in (at least) the required fields.5. Enter the IP addresses of the Management Center components you want to use.

Note – All IP-address-bound licenses are bound to the IP address you give, and you must return to the licensing page if you need to change the IP address. The IP address must match the IP address configuration of the server.


http://www.stonesoft.com/license/

6. Enter the Management Server’s proof-of-license code or the engine’s primary control IP address for the engines you want to license.• If you are using a dynamic IP address on a firewall’s control interface, you must

bind the engine licenses to the Management Server’s proof-of-license.• The Management Server’s proof-of-license can be found in the e-mail you

received detailing your licenses. Later on, this information is shown in the Management Client for all licenses imported into the system.

7. Click Submit Request. The license file is sent to you in a moment. It will also become available for download at the license page.

All licenses include a maximum version on which they are valid. You may need to upgrade the licenses when you upgrade to a new major release of the software. Software upgrades are included in support contracts. You can either upgrade the licenses at the Stonesoft website or configure in the Management Client that the licenses are upgraded and installed automatically. See the Online Help for more information.

Firewall Cluster InterfacesBecause of their dual role as members of a common virtual entity and as separate physical devices, Firewall engines in a cluster have two types of interfaces:• Cluster Virtual Interface (CVI): interface that is used to handle traffic routed through

the cluster for inspection. This is an interface that is shared by all nodes in a cluster, in effect making the node appear as a single entity for the outside network behind the interface.

• Node Dedicated Interface (NDI): interface that is used to handle traffic from or to a single node in a cluster. These interfaces are not used for normal traffic, but for the heartbeat connections between the engines in a cluster, for control connections from the Management Server, etc.

The nodes in a Firewall cluster use a Heartbeat connection to keep track of the other nodes’ operation and to synchronize their state tables so that the connections can fail-over from a non-operational node to the remaining nodes when necessary.

Caution – The heartbeat connection is essential for the operation of the cluster. Take special care to ensure that the heartbeat network works correctly and reliably. Make sure you are using the correct type of network cables (after testing that they work), that the network interface cards’ duplex and speed settings match, and that any network devices in between the nodes are correctly configured. Problems in the heartbeat network may seriously degrade the performance of the cluster.

There are several operating modes for CVIs. The Packet Dispatch mode is recommended for new installations as it requires no special switch or router configuration. The other modes are provided for backward compatibility.

Firewall Cluster Interfaces 19

How Does Packet Dispatch Work?In Packet Dispatch mode, even though several cluster nodes can process the traffic, there is only one contact MAC address for each CVI interface. This MAC address is controlled by a dispatcher node that forwards the packets to the correct firewall nodes for processing. The dispatcher node is chosen separately for each CVI, so different nodes may be selected as dispatcher nodes for different interfaces. The MAC/IP address relation is maintained with Packet Dispatch CVIs, as the CVI’s MAC address is sent to the firewall node that functions as the dispatcher node.The packet dispatcher for any given CVI is changed when the dispatcher goes offline, for example. When the dispatcher changes, StoneGate sends an ARP message to the switch or router. The switch or router has to update its address table without significant delay when the packet dispatcher MAC address is moved to another firewall node. This is a standard network addressing operation where the switch or router learns that the MAC address is located behind a different port. Then, the switch or router forwards traffic destined to the CVI address to this new packet dispatcher.


Installing the Management Center

CHAPTER 3 Installing the Management Center

This chapter instructs how to install the StoneGate Management Center components on Windows and Linux platforms.


Installing the Management Center, on page 24 Starting the Management Center, on page 33 Generating Server Certificates, on page 39 Installing Dynamic Updates, on page 40 After the Management Center Is Installed, on page 44 Non-Graphical Installation, on page 45

23

Instal l ing the Management CenterThe Management Server contains the configuration information for your system and controls the firewalls. Place the server in a secure location.Log in to the system where you are installing the Management Center with the correct administrative rights. In Windows, you must log in with administrator rights. In Linux you must log in as root.To install the software, you need the Management Center CD-ROM (see Installation Files, on page 17). None of the components can be started without a valid license file for each component (see License Files, on page 18). Before installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 17.One Management Client must be installed using the Installation Wizard as described in this section. After this, further Management Clients can be installed in the same way or they can be made available through Java Web Start (see Distributing StoneGate Clients Through Web Start, on page 47), which eliminates the need to update all Management Clients individually at each version upgrade.

Caution – Make sure that the operating system version you plan to install on is supported. The supported platforms for running the Management Center are listed in the Release Notes of the Management Center.

Installing on LinuxThe installation creates sgadmin user and group accounts. All the shell scripts are owned by sgadmin and can be executed either by root or the sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation.If the CD-ROM is not automatically mounted, mount the CD-ROM in Linux with “mount /dev/cdrom /mnt/cdrom”.This section guides you through a Management Center installation in a graphical user interface. For command line installation, see Non-Graphical Installation, on page 45.

24 Chapter 3: Installing the Management Center

Starting the Installation

Caution – Do not attempt to install the Management Center on a StoneGate Firewall/VPN appliance. This should not be done, as all StoneGate appliances have a pre-installed software.

To start the Installation Wizard1. Insert the StoneGate installation CD-ROM and run the setup executable:

• On Windows, run CD-ROM\StoneGate_SW_Installer\Windows\install.exe• On Linux, run CD-ROM/StoneGate_SW_Installer/Linux/setup.sh

2. Wait for the Installation Wizard to start. First, the Java Runtime Environment (JRE) is installed for StoneGate, so this may take a while.

3. When the Installation Wizard shows the Introduction screen, click Next to start the installation. The License Agreement appears.

Selecting Basic Installation Options

To select installation options

Illustration 3.1 License Agreement

1. You must accept the license agreement to continue.

You can click Cancel to stop the installation at any time.

You can click Previous at any time to go back.

2. Click Next.


To select the installation directory

Illustration 3.2 Select Installation Directory

Note – If you are going to install any of the server components as a service (so that they start automatically at operating system startup), you must define a directory path that does not contain spaces.

To select where shortcuts are created

Illustration 3.3 Select Shortcut Directory

1. (Optional) To change the installation directory, enter a new location, or click Select to browse.

2. Click Next.

1. (Optional) Change the location where you want to create shortcut icons. Shortcuts can be used to manually start components and to run some maintenance tasks.

2. Click Next.


To select which components to install

Illustration 3.4 Select the StoneGate Components to Be Installed

To select components for the custom installation

Illustration 3.5 Select Installation Set

Note – Make sure you have a license for the Monitoring Server before installing it. The Monitoring Server is an optional component and is not included in standard StoneGate Management Center licenses.

The installation proceeds in the following order according to the components you have chosen for the installation:• Installing a Management Server, on page 28• Installing a Log Server, on page 29• Installing a Monitoring Server, on page 30• Installing a Management Client, on page 31• Finishing the Installation, on page 31

Default choice Typical installs all mandatory Management Center components.

Select Custom to select components to install individually.

Management Client Only installation is meant for administrators’ workstations.

Click Next after making your choice.

1. Select the components that you want to install.

Custom Installation only

2. Click Next.


Installing a Management Server

To create the first administrator account

Illustration 3.6 Create a Superuser Account

Note – The account you add here is the only account that can be used to log in to the Management Server after the installation has finished.

To configure the Management Server properties

Illustration 3.7 Configure Management Server

1. Type in a user name. This is a special unrestricted administrator account that cannot be deleted or modified.

2. Type in the same password in both fields.

3. Click Next.

1. Enter Management Server’s IP address. The Management Server’s license must be tied to this IP address.

2. Enter IP address for the Log Server that handles any alerts generated by this Management Server.

3. Click Next.

A service automatically starts at operating system start-up.

If you want to install the Management Server as a secondary Management Server, see the Administrator’s Guide or the Online Help of the Management Client for detailed instructions.


Note – The user name for the Management Database is dba. The password is created randomly, but you can change it using the Management Client.

Proceed to Installing a Log Server.

Installing a Log ServerIf you are not installing a Log Server, skip to the first relevant section below:• Installing a Monitoring Server, on page 30• Installing a Management Client, on page 31• Finishing the Installation, on page 31

To configure the Log Server properties

Illustration 3.8 Configure Log Server

Note – If you need to change the port number, check that the Log Server element properties reflect this in the Management Client after the installation is complete.

1. Type in the IP address. The Log Server’s license must be tied to this IP address.

3. (Optional) Select to establish trust with a Management Server. A running Management Server is required, unless it is installed at the same time.

A service automatically starts at operating system start-up.

2. Type in the IP address of the Management Server that controls this server.

4. Click Next.


To select a log storage location

Illustration 3.9 Select Destination for Log Files

If you are installing a Monitoring Server, continue to Installing a Monitoring Server, on page 30. Otherwise, proceed to Installing a Management Client, on page 31.

Installing a Monitoring ServerIf you are not installing a Monitoring Server, skip to the first relevant section below:• Installing a Management Client, on page 31• Finishing the Installation, on page 31

Note – Make sure you have a license for the Monitoring Server before installing it. The Monitoring Server is an optional component and is not included in standard StoneGate Management Center licenses.

We recommend placing the Monitoring Server in a DMZ network.

1. (Optional) Type in the active storage directory for logs or click Select to browse.

2. Click Next.


To configure the Monitoring Server properties

Illustration 3.10 Configure Monitoring Server

Continue to Finishing the Installation, on page 31.

Installing a Management ClientThe Management Client has no configurable parameters. Proceed to Finishing the Installation, on page 31.

Note – The Management Client needs to connect to the Management Server and to Log Servers. See StoneGate-Specific Ports, on page 201 for a list of the ports used.

Finishing the Installation

Caution – If you are installing any server components as a service on a Windows system, make sure the Services window is closed before you proceed.

1. Type in the IP address. The Monitoring Server’s license must be tied to this IP address.

A service automatically starts at operating system startup.

Custom Installation only

2. Type in the IP address for the Management Server that controls this server.

3. (Optional) Select to establish trust with a Management Server. A running Management Server is required, unless installed at the same time.

4. Click Next.


To start the installation

Illustration 3.11 Pre-installation Summary

Depending on the options you selected, you may soon be prompted to generate certificates. If this happens, see Generating Server Certificates, on page 39.

To finish the Installation Wizard

Illustration 3.12 Install Complete

Note – If any Log Server or Monitoring Server certificate was not retrieved during the installation, a certificate must be retrieved manually before the server can be started (see If the Log Server or Monitoring Server Fails to Start, on page 38).

Proceed to Starting the Management Center.

1. Check the displayed information.

2. Click Install to install the selected components or click Previous to make changes.

Click Done to close the installer.


Starting the Management CenterWhen starting the Management Center for the first time, the following steps must be completed (as instructed in the sections that follow):1. Start the Management Server.2. Log in using the Management Client.3. Install license files using the Management Client.4. Start the Log Server.5. If you have installed a Monitoring Server, start it.Proceed to Starting the Management Server.

Starting the Management ServerIf the Management Server has been installed as a service, the server is started automatically after the installation and during the operating system boot process.• In Windows, the StoneGate Management Server service can be started and

stopped manually in the Services window, which can be found in the Windows Control Panel under the Administrative Tools category.

• If the service has started, proceed to Starting the Management Client.Otherwise, the Management Server must be started manually:

To start the Management Server manually• In Windows, use the shortcut icon in the location you selected during installation

(default: Start→Programs →StoneGate→Management Server) or run the script <installation directory>/bin/sgStartMgtSrv.bat.

• In Linux, run the script <installation directory>/bin/sgStartMgtSrv.sh.

Starting the Management ClientAdministrators use StoneGate’s graphical user interface, the Management Client, to connect to the Management Server (remotely or locally) to configure the firewalls, VPNs, or any other feature of StoneGate.

To start the Management Client• In Windows, use the shortcut icon in the location you selected during

installation (default: Start→Programs→StoneGate→Management Client) or run the script <installation directory>/bin/sgClient.bat.

• In Linux, run the script <installation directory>/bin/sgClient.sh. A graphical environment is needed for the Management Client.


Illustration 3.13 Management Client Login

You can access the Online Help system in the Login window or any other window in the Management Client by pressing the F1 key on your keyboard.

Accepting the CertificateThe Accept Certificate dialog is displayed when the Management Client contacts any Management Server for the first time.

Illustration 3.14 Accept Certificate

To check the fingerprint of the Certificate Authority on the Management Server:• In Windows, use the shortcut icon in the location you selected during installation

(default: Start→Programs→StoneGate→Show Fingerprint) or run the script <installation directory>/bin/sgShowFingerPrint.bat.

• In Linux, run the script <installation directory>/bin/sgShowFingerPrint.sh on the Management Server.

If the fingerprint matches, click Accept Certificate.When you accept the certificate, the Management Client opens the System Status view. Proceed as instructed in the next section.

1. Type in the user name and password for the Administrator you defined during Management Server installation.

2. Type in the Management Server address.

3. Leave this option selected if you want the Management Client to add the Management Server’s address permanently in the Server Address list.

4. Click Login.

As a precaution, you can ensure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained below.


Installing LicensesTo have a working system, you must have a license for all StoneGate server and engine components. Each Management Server, Log Server, Monitoring Server (optional), and Firewall engine (except for SOHO Firewalls) must have its own license, although all the licenses can be stored together in a single .jar file.If you have not generated all license files yet, see License Files, on page 18. To import licenses, the license files must be available to the computer you use to run the Management Client. All licenses can be installed even though you have not yet defined all the elements the licenses will be bound to.When there is no valid Management Server license, a license information message is shown every time you log in using the Management Client.

Illustration 3.15 License Information Message

The above message is displayed only when there is no valid license for the Management Server. Otherwise, proceed to Install License File(s) dialog as shown in Illustration 3.16.

If you already have the licenses, click Continue. The Install License file(s) dialog (Illustration 3.17) opens automatically.

if you do not have licenses yet, generate them on the Stonesoft website http://www.stonesoft.com/license and then continue by clicking Continue.


http://www.stonesoft.com/license

To install StoneGate licenses

Illustration 3.16 Opening the Install License File(s) Dialog

Illustration 3.17 Install License File(s) (Operating System-specific Dialog)

To check that the licenses were imported correctly

Illustration 3.18 Checking License Import

Select File→System Tools→Install Licenses.The Install License File(s) dialog opens.

1. Browse to the correct folder.2. Select one or more license files you want to import.

3. Click Install.

Click the Configuration button in the toolbar. The Configuration view opens.


Illustration 3.19 Checking Licenses

Note – Management-bound engine licenses are manually bound to the correct engines once you have configured the engine elements. In the All Licenses list, you should see one license for each Management Server, Log Server, Monitoring Server, and Firewall engine in your StoneGate system.

Proceed to the next section, Starting the Log Server and Monitoring Server.

Starting the Log Server and Monitoring ServerIf the Log Server and the (optional) Monitoring Server have been installed as a service, the servers are started automatically during the operating system boot process. However, as the servers did not have a license when the operating system was rebooted, you may need to start them now as explained here.• In Windows, you can start or stop a Log Server or Monitoring Server installed as a

service manually in the Services window, which can be found in the Windows Control Panel under the Administrative Tools category.

• In other cases, you can start the Log Server or Monitoring Server manually as explained in Starting Servers Manually, on page 37.

• If you have problems starting a Log Server or Monitoring Server, see If the Log Server or Monitoring Server Fails to Start, on page 38.

Once you have started the servers successfully, proceed to Installing Dynamic Updates, on page 40.

Starting Servers ManuallyTo start the Log Server or Monitoring Server manually, run the scripts in a console window. Read the console messages for information on the progress. Closing the console stops the service.

To start the Log Server and Monitoring Server manually1. Start the Log Server:

1. Expand the Administration branch of the tree.

2. Select Licenses and click All Licenses in the list.


• In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs →StoneGate→Log Server) or run the script <installation directory>/bin/sgStartLogSrv.bat.

• In Linux, run the script <installation directory>/bin/sgStartLogSrv.sh.2. If you have a Monitoring Server, start it in the same way:

• In Windows, use the shortcut icon in the location you selected during installation (default: Start→Programs →StoneGate→Monitoring Server) or run the script <installation directory>/bin/sgStartMonitoringServer.bat.

• In Linux, run the script <installation directory>/bin/sgStartMonitoringServer.sh.

Next, continue as follows:• If you have started all servers successfully, proceed to Installing Dynamic Updates,

on page 40.• If you have trouble starting the server, see If the Log Server or Monitoring Server

Fails to Start, on page 38.

If the Log Server or Monitoring Server Fails to StartIf the Log Server or Monitoring Server does not start automatically as a service, first try starting it manually as explained in the previous section above to see if there is some error displayed on the console.• Remember that your Log Server or Monitoring Server must be licensed, and the

licence must be for the IP address in use. The license is a file you import to the system to verify the legal purchase of the software. The licenses can be obtained through the Stonesoft License Center on the Web (or from Stonesoft Order Services). To generate a license file, see License Files, on page 18.

• The Log Server or Monitoring Server must also have a valid certificate, which it uses to prove its identity to the Management Server when the two servers communicate. The certificates are generated within the system itself. If there are certificate-related problems or problems you are not able to identify, try (re)generating the certificate manually as follows:

To manually certify a Server• In Windows, run the <installation directory>/bin/sgCertifyLogSrv.bat or

the <installation directory>/bin/sgCertifyMonitoringServer.bat script depending on server type.

• In Linux, run the <installation directory>/bin/sgCertifyLogSrv.sh or the <installation directory>/bin/sgCertifyMonitoringServer.sh script depending on server type.

Proceed as explained in the next section, Generating Server Certificates, then try starting the servers again.


Generating Server Certif icatesNote – If the Management Server is not running, see Starting the Management Server, on page 33.

To generate a certificate for a StoneGate server

Illustration 3.20 Certificate Generation

Illustration 3.21 Accept Certificate

To check the fingerprint of the Certificate Authority1. Run the script <installation directory>/bin/sgShowFingerPrint[.bat/

.sh] on the Management Server. The CA Fingerprint dialog opens.2. If the fingerprint matches, click Accept in the dialog. The Log Server Selection

or Monitoring Server Selection dialog opens.

Enter the username and password for the account you created during the Management Server installation. “Superuser” refers to the administrator privilege level. Administrators with other privilege levels are not allowed to generate certificates.

As a precaution, you can ensure that the communication really is with your Management Server by checking the Certificate Authority fingerprint as explained below.

Click Accept to accept the certificate.

Generating Server Certificates 39

To certify a Log Server or Monitoring Server

Illustration 3.22 Server Selection

Instal l ing Dynamic UpdatesDynamic updates provide the latest system policies and vulnerability and exploit information for intrusion detection. They may also revise the Inspection rules in the default template as well as the default elements you use to configure the system.During the installation, the update package included on the installation CD-ROM was imported and activated. However, since update packages are released more frequently than new software versions, you must check which update package is active in the system and whether a newer one is available to ensure your system is current.

Note – You can configure the Management Center to periodically check if new update packages are available. You can also configure automatic download and activation of new update packages. See the Online Help for more information.

To find the dynamic updates in the Management Client

Illustration 3.23 Checking for Updates

If not listed above, select Create a New Log Server (or Monitoring Server) and type in a name. The name will be used in the Management Client.

If your server is on the list, select it.

2. Click OK.

1. Specify the server you want certified:

Click the Configuration button in the toolbar. The Configuration view opens.


Illustration 3.24 Checking the Installed/Active Update Package

Note – Dynamic updates with the state Imported are not activated yet. You must activate imported dynamic update packages for them have to have an effect in the system.

To check for the most recent dynamic update1. Go to www.stonesoft.com/download/ and follow the link to dynamic updates.2. If the download page shows that a more recent update is available, download

the latest .jar update package file. If you already have the most recent update package, do one of the following:• If the update package is in the Imported state, see To activate an update

package, on page 42.• If the update package is shown as Active, the most recent update package has

already been activated and no action is needed at this time.3. Save the update package file to a location reachable from the computer you use

to run the Management Client.4. Check that the update package file has not become corrupted during file

transfer(s). Compare the file checksum according to the same procedure as with the installation files (see Checking File Integrity, on page 17).

1. Expand the Administration branch.

3. Select Updates.

4. Check the update package number and state.

2. Expand the Updates and Upgrades branch.


http://www.stonesoft.com/download/

To import a new update package

Illustration 3.25 Importing an Update Package

Illustration 3.26 StoneGate Update Package File Browser (Operating System Specific)

In a while, the new update package appears in the system. Now you must activate it as instructed in the next section.

To activate an update package

Illustration 3.27 Activating an Update Package

Click the Tools icon to open a Update Packages menu and select Import Update Packages from the menu. A File Browser dialog opens.

1. Browse to the correct file and select it.

2. Click Import. The dialog closes and a status bar displays the progress of the import.

Right-click the new update package and select Activate from the menu. A confirmation dialog opens..


Illustration 3.28 Management Server Backup Dialog

Note – Once you have configured your system, taking a backup at this point allows you to quickly revert back to a previous configuration. This may be necessary because changes in system elements may cause firewall Inspection rules to match traffic in a way you do not want, and you may need some time to redesign them.

The update package activation starts. The progress may seem to pause occasionally while the information is processed. The included items are shown in the dialog so that you can view them after the activation is complete.

Illustration 3.29 Update Package Activation

If you have a fresh installation, select No. Otherwise, we recommend that you always take a backup (click Help in the backup dialog to see instructions on how to use the options if you choose to take a backup now).

Close the tab when the activation is finished.


After the Management Center Is Instal ledContinue as follows:• If you want to allow administrators to install Management or Monitoring Clients

through Web Start, continue to Distributing StoneGate Clients Through Web Start, on page 47.

• If NAT is applied to communications between any system components, proceed to Configuring NAT Addresses for StoneGate Components, on page 53.

• Otherwise, you are ready to define the firewall element(s). Continue according to the firewall type:

• Configuring SOHO Firewalls, on page 63• Configuring Single Firewalls, on page 85.• Configuring Firewall Clusters, on page 97.


Non-Graphical Instal lationIn Linux, the Management Center can also be installed on the command line. Before installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 17.

To run the non-graphical installation1. Open the shell.2. Change to the directory: CD-ROM/StoneGate_SW_Installer/Linux/3. Run the command “./setup.sh -nodisplay” to start the installation.

Illustration 3.30 Accepting the License Agreement

4. Accept the license agreement by typing “Y”.5. After the license agreement display, you are prompted for the installation

directory.6. Press ENTER to install to the default installation directory or define a different

directory. Confirm it by typing in “Y”.

Illustration 3.31 Choosing the Link Location

7. Press ENTER to create the StoneGate links in the default directory or select one of the other options.

DO YOU ACCEPT THE TERMS OF THE LICENSE AGREEMENT? (Y/N)

Choose Link Location-------------Where would you like to create links?

->1 - Default:/StoneGate2 - In your home folder3 - Choose another location...

4 - Don’t create links

ENTER THE NUMBER OF AN OPTION ABOVE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT: 1

Non-Graphical Installation 45

Illustration 3.32 Choosing the Installation Options

8. Select the StoneGate components you want to install. • Press ENTER to install all Management Center components except the

Monitoring Server.• Press 2 to install only the Management Client.• Press 3 for a customized installation.

Note – You need a graphical environment to use the Management Client. It cannot be run on the command line. Only the server components can be run in a command line-only environment.

The installation options for the Management Center components are the same as in the graphical installation. Proceed as follows:• To install a Management Server, see Installing a Management Server, on page 28.• To install a Log Server, see Installing a Log Server, on page 29.• To install a Monitoring Server, see Installing a Monitoring Server, on page 30.• To install a Management Client, see Installing a Management Client, on page 31.• After installing all components, continue to Finishing the Installation, on page 31.

Choose StoneGate Components-----------------

Please choose the Install Set to be installed by this installer.

->1 - Typical2- Management Client Only3- Customize...

ENTER THE NUMBER FOR THE INSTALL SET, OR PRESS <ENTER> TO ACCEPT THE DEFAULT : 1


CHAPTER 4 Distributing StoneGate Clients Through Web Start

The Management Client and Monitoring Client components can be distributed through Web Start. This eliminates the need for each administrator to upgrade their client(s) when the SMC is upgraded to a new version (the version of the client must always match the version of the respective server).


Getting Started with Web Start Distribution, on page 48 Distributing Clients from the SMC Servers, on page 48 Distributing Clients from a Separate Server, on page 49 Accessing the Web Start Clients, on page 50

47

Getting Started with Web Start Distr ibutionDistributing Management Clients or Monitoring Clients through Web Start allows users to log in to the Management Client or Monitoring Client through a Web browser at the address that the Management Server and the Monitoring Server use.Management Clients and Monitoring Clients distributed with Web Start have the same set of features as clients installed with the installation wizard. The only differences are in the installation and update process. When the Management Center is upgraded, the Web Start files are also updated, and Web Start automatically downloads the updated version when the user logs in.There are two ways to configure Web Start access. You can activate an internal Web server on the Management Server and the Monitoring Server (the server distributes only Web Start clients). Alternatively, you can copy the files to a separate Web server and run a script that creates the configuration files for running the application.Begin by Distributing Clients from the SMC Servers, on page 48 or Distributing Clients from a Separate Server, on page 49.

Distributing Clients from the SMC ServersWhen you install the Management Server and the Monitoring Server, the files needed for distributing the Management Clients and Monitoring Clients are included in the installation. You can simply enable Web Start access to these files on the Management Server and the Monitoring Server.

To enable a Web Start server1. Right-click the Management Server or Monitoring Server element that you want

to use as a Web Start server and select Properties. The Properties dialog for the element opens.

2. Switch to the Web Start Server tab.

Illustration 4.1 Web Start Server Properties

3. Select Enable. The Web Start server options are enabled.4. (Optional) Enter the Host Name that the Web Start server uses.5. (Optional) Enter the (TCP) Port Number that the Web Start Server uses in the

Port Number field. By default, the standard HTTP port 80 is used.

48 Chapter 4: Distributing StoneGate Clients Through Web Start

• If both the Monitoring Server and Management server run on the same server, and the server only has a single IP address, you must set the two Web Start servers to run on different ports.

Note – Make sure the port is not used by other listening services on the server. For ports reserved for StoneGate services, see StoneGate-Specific Ports, on page 201.

6. (Optional) Enter the IP address where the Web Start files are available to the Management Client or Monitoring Client users in the Listen Only on Address field if the server has several addresses and only one is allowed for this access.• If you leave the Host Name and Listen Only on Address fields empty, the users

can access the Web Start files at any addresses that the Management Server or Monitoring Server may have.

7. (Optional) Select Access Logs if you want logs to be generated when the Web Start server is accessed.

8. Click OK.Test the Web Start installation by following the instructions in Accessing the Web Start Clients, on page 50.

Distributing Clients from a Separate ServerYou can use Web Start even if you do not want to use the Management Server and the Monitoring Server as Web Start servers. In this case, you can place the Web Start package on any Web server.The Web Start package can also be placed on a shared network drive. There is a limitation to this: the path to the network drive is included in the installation files, so the path, including the drive letter, must be the same for the administrators that wish to use that particular version of the installation package. If the network drive paths vary, consider placing the package on a Web server instead, for example, in the Intranet of your company.

Note – You must install a new Web Start package according to these instructions each time you upgrade the Management Center. Otherwise, any administrators that use Web Start-installed Management Clients are not able to log in.

To install the Web Start package1. Browse to StoneGate_SW_Installer→Webstart on the installation CD-ROM.

Caution – The Web Start installation creates an index.html file. Any existing index.html file will be overwritten. We strongly recommend creating a new directory for the Web Start files.

Distributing Clients from a Separate Server 49

2. Copy all files and all directories from the Webstart directory on the installation CD-ROM to the directory on the Web server or network drive where you want the Web Start files to be served.

3. On the command line, change to the directory where the Web Start files are located on your server.

4. Run the Web Start setup script and give the URL or the path of the directory where the Web Start files are located on your server as the parameter:• Windows: cscript webstart_setup.vbs <web start directory>• Linux: run webstart_setup.sh <web start directory>

Note – The setup script generates Web Start files for both the full Management Client and the Monitoring Client.

5. If necessary, modify the configuration of the Web server to return the appropriate MIME type for.jnlp-files (application/x-java-jnlp-file). Consult the manual of your Web server for instructions on how to configure the MIME type.

6. Delete the webstart_setup.vbs and webstart_setup.sh files from the directory. For security reasons, the webstart_setup.vbs and webstart_setup.sh script files should not be in the same directory as the generated Web Start files and other shared client files.

Accessing the Web Start Cl ientsAfter the Web Start package is installed on a Web server or a network drive, or the Management Server or Monitoring Server has been enabled as a Web Start Server, the administrators can install the Management Client or Monitoring Client using the Web Start package. To be able to install the Management Client or Monitoring Client, there must be a current version of the Java Runtime Environment (JRE) installed (the version required is shown on the example login page provided).

To access the Web Start Clients1. Enter the Web Start download page address in your Web browser

http://<server address>:<port>

TABLE 4.1 Examples

Installation on Example Web Start Directory

Web server http://www.example.com/webstart/

Network drive file://localhost/C:/support/webstart/


• :<port> is only needed if the server is configured to run on a different port from the HTTP standard port 80.

2. Click the link for the Web Start client.• Web Start automatically checks if the version on the server is already installed

on your local computer. If not, the new client is automatically installed on your computer. This is done each time the client is started this way, automatically upgrading your client installation whenever needed without any action from you.

• The client starts and displays the login dialog.3. Log in with the correct account credentials for the type of client.If NAT is applied to communications between any system components, proceed to Configuring NAT Addresses for StoneGate Components, on page 53.Otherwise, you are ready to define the firewall element(s). Proceed to one of the following sections according to the firewall type: Configuring SOHO Firewalls, on page 63, Configuring Single Firewalls, on page 85, or Configuring Firewall Clusters, on page 97.

Accessing the Web Start Clients 51

CHAPTER 5 Configuring NAT Addresses for StoneGate Components

This chapter contains the steps needed to configure Locations and contact addresses when there is a NAT device between communicating StoneGate components.


Configuration Overview, on page 54 Defining Locations, on page 55 Adding SMC Server Contact Addresses, on page 57 Setting Management Client’s Location, on page 59

53

Configuration OverviewStoneGate components communicate with each other using the IP address defined for the corresponding element in StoneGate. If there is Network Address Translation (NAT) between any of the communicating components, the NATed IP addresses must be defined (in the case of the Management Client, only if the Log Server address is NATed).

Note – A contact address is necessary only if there is a NAT device between the communicating StoneGate components.

All communications between the StoneGate components are presented as a table in StoneGate-Specific Ports, on page 201.

Illustration 5.1 Typical Scenario for Using Locations

In the illustration above, there are several remote firewalls that are managed through Management and Log Servers at a central site. The SMC servers use a private IP address in the internal network and the central site firewall applies NAT to route the connections between the SMC and the remote firewalls through the Internet. In this scenario, it is simplest to define a single Location to group all remote sites and then define a contact address for the Management Server and Log Server for that Location. The Management Server, Log Server, and central firewall can be left in the Default Location. Any administrators at the remote sites must change the Location to “Remote Firewalls” in their Management Client to be able to browse logs.The tasks you must complete are as follows:1. Define Location element(s).2. Define contact addresses for the Management Server, Log Server(s), and

Monitoring Server(s).3. Select the correct Location for your Management Client.4. Select the correct Location for firewalls when you create the Firewall elements.Begin by Defining Locations.

54 Chapter 5: Configuring NAT Addresses for StoneGate Components

Defining LocationsStoneGate components use the information you define in the Location elements to determine which IP address is used when there is NAT between the components.After you have the Location elements set up, you open the properties of each element as necessary, and define the contact addresses for the element from each Location’s viewpoint. All components in the other Locations then use the addresses defined for their Location. The contact address is only used when communications cross from one Location to a different Location. Elements that are in the same Location use the element’s main IP address when contacting each other.The first task is to group the elements into Location elements based on which components are on the same side of a NAT device. There is a Default Location to which all elements belong if you do not assign them a specific Location. The Default location behaves in the same way as the other Locations.

To create a new Location

Illustration 5.2 Opening the Configuration View

Illustration 5.3 Creating a New Location

Click the Configuration icon in the toolbar. The Configuration view opens.

2. Right-click Locations and select New Location from the menu that opens. The Location properties dialog opens.

1. Expand Administration in the tree view.

Defining Locations 55

Illustration 5.4 Location Properties

Repeat to add other Locations as necessary.If your Management Server, Log Server, Monitoring Server or Management Client needs a contact address configuration, proceed to:• Adding SMC Server Contact Addresses, on page 57• Setting Management Client’s Location, on page 59.If you plan to add contact addresses for only Firewall elements, proceed to defining the elements according to firewall type:• Configuring SOHO Firewalls, on page 63• Configuring Single Firewalls, on page 85• Configuring Firewall Clusters, on page 97.

1. Type in a Name.

2. Select element(s).

3. Click Add.

4. Repeat steps 2-3 until all necessary elements are added.

5. Click OK.


Adding SMC Server Contact AddressesYou can enter one or more contact addresses for each Location on Management and Log Servers to support High Availability setups and allow efficient use of Multi-Link for remote components.

To define the Management Server and Log Server contact addresses

Illustration 5.5 Opening Server Properties

Illustration 5.6 Server Properties

Right-click a server and select Properties from the menu that opens. The Properties dialog for that server opens.

2. Click the Contact Address button. The Contact Addresses dialog opens.

1. Select the Location of this server.

Adding SMC Server Contact Addresses 57

Illustration 5.7 Contact Addresses

Note – Elements that belong to the same Location element always use the primary IP address (defined in the main Properties window of the element) when contacting each other. All elements not specifically put in a certain Location are treated as if they belonged to the same, Default Location.

Click OK to close the server properties and define the contact addresses for other servers as necessary in the same way.Continue with the configuration:• If NAT is performed between your Management Client and a Log Server, proceed to

the next section, Setting Management Client’s Location.• If you are done with setting Locations, you are ready to configure the Firewall

Element(s). Continue according to firewall type:• Configuring SOHO Firewalls, on page 63.• Configuring Single Firewalls, on page 85.• Configuring Firewall Clusters, on page 97.

3. (Optional) Define an address for the Default Location in the same way (see note below).

1. Select a Location and click Add to create an entry in the table below.

2. Click the Contact Address column and enter the IP address(es) that components that belong to this Location must use.Enter multiple addresses separated with commas for Management and Log Servers with backup servers or Multi-Link network connections.

4. Click OK.


Setting Management Client’s LocationWhen NAT is performed between the Management Client and a Log Server, you must also select the correct Location for your Management Client in the status bar at the bottom of the Management Client’s System Status view or Configuration view.

To select the Management Client Location

Illustration 5.8 Configuration View - Bottom Right Corner

You are ready to configure the Firewall Element(s). Continue according to firewall type:• Configuring SOHO Firewalls, on page 63• Configuring Single Firewalls, on page 85• Configuring Firewall Clusters, on page 97.

Click the Default Location name in the status bar at the bottom of the window and select the correct Location from the list that opens.

Setting Management Client’s Location 59

Installing the Firewall Engine

CHAPTER 6 Configuring SOHO Firewalls

This chapter contains the steps needed to complete the SOHO (Small Office/Home Office) Firewall configuration procedure that prepares the Management Center for a StoneGate SOHO Firewall installation.Most of the configuration is done using the Management Client. The engines cannot be successfully installed before defining them in the Management Center as outlined in this chapter.


Configuration Overview, on page 64 Defining SOHO Firewalls, on page 64 Defining SOHO Firewall Interfaces, on page 68 Defining External Interfaces, on page 69 Defining Corporate Interfaces, on page 72 Defining Settings for Wireless Access, on page 76 Defining Guest Interfaces, on page 81 Saving the Initial Configuration, on page 82

63

Configuration OverviewAfter you have the StoneGate Management Center (SMC) installed and running, you must configure the SOHO Firewalls. This is mostly done through the Management Client. This chapter explains all the tasks you must complete before you can install and/or configure the physical SOHO firewalls.The tasks you must complete are as follows:1. Define SOHO Firewall element(s). 2. Define SOHO Firewall network interfaces.3. Save the defined configuration for use during SOHO Firewall installation.Start by Defining SOHO Firewalls.

Defining SOHO FirewallsTo introduce a SOHO Firewall engine to the Management Center, you must define a SOHO Firewall element that stores the configuration information related to the SOHO firewall. The most important part of the configuration is the definition of the SOHO firewall’s network interfaces.This section covers the basic configuration of SOHO Firewall elements. For more information on configuring SOHO Firewalls, see the Online Help (click the help button in the dialogs to see help specific to that dialog) or the Administrator’s Guide.SOHO Firewalls are usually configured in the Configuration view, although they can also be configured in the System Status view.

To open Configuration view

Illustration 6.1 Opening Configuration View

You can define SOHO Firewall elements either one by one or use a Configuration Wizard to create several SOHO Firewall elements. Defining the SOHO Firewalls with the Configuration Wizard is particularly useful if you want to define a large number of SOHO Firewall elements. Proceed to one of the following:• Defining a SOHO Firewall Element, on page 65.• Defining Multiple SOHO Firewall Elements, on page 66.

Click the Configuration icon. The Configuration view opens.

64 Chapter 6: Configuring SOHO Firewalls

Defining a SOHO Firewall Element

To define a SOHO Firewall element

Illustration 6.2 Creating a New SOHO Firewall Element

To define the basic properties of a SOHO Firewall

Illustration 6.3 Defining Basic SOHO Firewall Properties

Proceed to Defining SOHO Firewall Interfaces, on page 68.

Right-click SOHO Configuration and select New→SOHO Firewall. The SOHO Firewall Properties dialog opens.

1. Type in a Name.

2. Select a Log Server for storing this firewall’s logs.

5. (Optional) Enter a Comment for your own reference.

4. Enter the IP address or hostname of an NTP server in at least the Primary Time Server field.

3. If required in your setup, select the Location (see Configuring NAT Addresses for StoneGate Components, on page 53).


Defining Multiple SOHO Firewall Elements

To start the SOHO Firewall Configuration Wizard

Illustration 6.4 Starting the SOHO Firewall Configuration Wizard

To define common properties for multiple SOHO Firewalls

Illustration 6.5 Defining Common Properties for SOHO Firewalls

Right-click SOHO Configuration and select New→Multiple SOHO Firewalls. The Create Multiple SOHO Firewalls dialog opens.

1. Enter the Name Prefix. The system adds a number to this to generate unique names.

2. Enter the Global Corporate IP Range you want to use for the elements.

3. Enter the number of SOHO Firewall elements you want to create.

5. If the DHCP server is active, indicate the number of static addresses to be reserved from the beginning of the IP address range of each firewall. The minimum amount is one static IP address.

4. (Optional) To deactivate the internal DHCP Server, disable DHCP Server.


To generate multiple SOHO Firewalls

Illustration 6.6 Generating Information for Multiple SOHO Firewalls

To select Log and Time Servers

Illustration 6.7 Selecting Log and Time Servers for Multiple SOHO Firewalls

Proceed to Defining SOHO Firewall Interfaces, on page 68.

1. Click Generate to create the name and IP address information for the SOHO Firewall elements.

• If you want to modify any of the information in the table, you must change the values and click Generate again. More detailed modifications are possible only after the elements are ready.

2. Click Next. The General tab opens.

1. Select a Log Server for storing the firewalls’ logs.

2. Enter the IP address or hostname of an NTP server in at least the Primary Time Server field.

3. (Optional) Tick the DNS option and click the Select button to select DNS server(s).


Defining SOHO Firewall InterfacesTo route traffic from the SOHO Firewall, you must define the interfaces:• An External interface for routing traffic to the Internet (ADSL or LAN)• A Corporate interface (LAN and wireless LAN) for internal hosts. Corporate

interfaces allow connections to other corporate sites through a VPN and local traffic between all Corporate interfaces. By default, corporate interfaces also allow access to the Internet, but Internet access can be disabled.

• You can optionally define also Guest interfaces (LAN and wireless LAN) that provide only direct access to the Internet.

When you create SOHO Firewall elements, the configuration includes by default the ADSL interface as External, interfaces 1-3 as Corporate interfaces, as well as interface 4 as a Guest interface. You can change the default mode of the interfaces and disable the interfaces that you do not want to use.

Note – It is recommended that you use Interface 1 as a Corporate interface. This makes it easier to configure the actual SOHO Firewall engine.

To select the interfaces

Illustration 6.8 Selecting SOHO Interfaces

Next, proceed to Defining External Interfaces, on page 69.

2. You must have at least one Corporate interface. Click the arrow to select a different interface mode.

3. (Optional) Select the Guest interface(s) in the same way.

4. (Optional) Select Disabled as the mode for the interfaces that you do not want to use.

1. Select the External interface: either ADSL or one of the Ethernet interfaces 1-4.


Defining External InterfacesThe External interface of a SOHO Firewall is used for connections to the Internet:• If the External interface is an ADSL line or a PPPoE line, proceed to Configuring an

ADSL or PPPoE Interface, on page 69.• Otherwise, proceed to Configuring External Interface Properties for Ethernet

Interface, on page 71.

Configuring an ADSL or PPPoE InterfaceThe ADSL settings include a username and password, which are required by some ISPs for ADSL access. Alternatively, these can be entered through the SOHO Firewalls’ web interface during the initial setup of the appliance.If you are creating multiple SOHO Firewalls, you cannot enter the Username and Password information in the Configuration Wizard. Enter the information in the properties of each SOHO Firewall element after they have been created or during the initial configuration of the appliances.If you are configuring a PPPoE interface, you must first select this as the configuration type. If you are configuring an ADSL interface, skip the first illustration below.

To configure External interface properties for a PPPoE interface

Illustration 6.9 External Interface Properties for Ethernet Interface

To configure ADSL Settings

Illustration 6.10 External Interface Properties for ADSL

1. Switch to the External tab.

2.Select PPP over Ethernet from Configuration.


3. Click Select next to the Service Provider field. The Select Element dialog opens.

2. (Optional) Enter the Username and Password for ADSL access if your ISP has provided these.


Illustration 6.11 Select Element

To create a new ISP element

Illustration 6.12 Creating an ISP Element

Illustration 6.13 Defining ISP Properties

Continue by Defining Corporate Interfaces, on page 72.

Select your service provider from the list and click Select. If your service provider is not listed, you can create a new ISP element as described in the next illustrations.

Click the New icon and Select ISP. The ISP Properties dialog opens.

1. Enter the Name and Country for your reference.

2. Fill in the settings according to information you have received from your service provider.

3. Click OK.


Configuring External Interface Properties for Ethernet Interface

To configure External interface properties for Ethernet interface

Illustration 6.14 External Interface Properties for Ethernet Interface

The options on the External tab depend on the selected Configuration. The static IP address option has more settings available at this point if you are configuring a single new element. With multiple SOHO Firewall creation, you must open the properties of each created element and define the static IP address settings after the elements are created. These are explained directly below. For other configurations:• If you want to use PPPoE, see Configuring an ADSL or PPPoE Interface, on page 69.• If you selected DHCP or you are creating multiple SOHO Firewalls with a static IP

address, you can only configure MTU settings at this point. Continue in Illustration 6.18 on page 72.

To configure static IP address settings for a single SOHO Firewall

Illustration 6.15 Static IP Address Settings for an Individual SOHO Firewall - IP Address


2.Select the IP address allocation method from Configuration.

1. Enter the IP address and Netmask for the external interface of the SOHO firewall.

2. Click Select for Gateway. The Select Element dialog opens.



Illustration 6.17 Static IP Address Settings for an Individual SOHO Firewall - DNS Servers

To configure MTU settings for External interface

Illustration 6.18 MTU Settings

Continue by Defining Corporate Interfaces.

Defining Corporate InterfacesYou must define at least one Corporate interface for users in the protected internal network. If you define several Corporate interfaces, they share the load of the connections that pass through them. There is no separation between the networks behind the different Corporate interfaces; they are treated as a single network.To allow connections outside the internal networks, the SOHO Firewall must establish a VPN to a central site. A SOHO Gateway Group element is used to select a group of

Select a Router element from the list and click Select.To add a new Router to the list, click the New icon and select Router. Fill in a Name and IP Address for the new element.

(Optional) Switch to the General tab.Select the DNS servers in the same way as you selected the Gateway in step 2.

2. If you select the manual mode, type in the MTU. The largest possible MTU is 1500.

1.Select whether you want the maximum packet size to be detected dynamically based on ICMP messages, or whether you want to set it manually.


SOHO firewall engines that are allowed to connect through a particular VPN to the corporate network. When you create a SOHO Firewall element, you must select in which SOHO Gateway Group it is included. Each SOHO Gateway Group can be used in only one VPN at a time. If there is only one VPN in which the SOHO Gateways participate, only one SOHO Gateway Group is needed. For information on configuring VPNs, see the Online Help.

To define Corporate interfaces

Note – If you create multiple SOHO Firewalls, you cannot enter the local IP address information (see below). The IP address is selected based on the information you entered on the first screen in the SOHO Firewall Configuration Wizard.

Illustration 6.19 Corporate Interface Properties


To create a new SOHO Gateway Group

Illustration 6.21 Creating a SOHO Gateway Group Element

1. Switch to the Corporate tab.

2. Enter the Local IP Address and Netmask of the SOHO Firewall in the Corporate network.

3. Click Select for SOHO Gateway Group. The Select Element dialog opens.

Select the correct SOHO Gateway Group element in the Select Element dialog and click Select.If the correct element does not exist, create it first as explained in the two illustrations below.

Click the New icon and select SOHO Gateway Group from the menu. The SOHO Gateway Group Properties dialog opens.


Illustration 6.22 Defining SOHO Gateway Group Properties

Note – If you create multiple SOHO Firewalls, you cannot enter the DHCP Service settings as explained below. The settings are generated based on the information you entered on the first screen in the SOHO Firewall Configuration Wizard.

Illustration 6.23 Corporate Interface Properties

Proceed to one of the following:• If you want to define wireless access to the Corporate network, continue by Defining

Settings for Wireless Access, on page 76.

1. Enter a Name and an optional Comment.

3. Click OK and select the new element for use.

2. Select if NAT-T UDP encapsulation is used in the VPN.

2. If you want the SOHO Firewall to act as a DHCP server for the internal network, select DHCP Service.

3. Fill in the address range for distributing IP addresses and the DNS settings. In Dynamic mode, the SOHO Firewall relays the DNS server information it receives from the ISP. In static mode, you can add the servers manually.4. If you want to prevent the hosts in the corporate network from opening direct connections to the Internet, select Allow only traffic to VPN.

1. (Optional) Select the SOHO Gateway Group and check the generated pre-shared key used for VPN.


• Otherwise, if you want to allow visitors access to the Internet through the SOHO Firewall, continue by Defining Guest Interfaces, on page 81.

• Otherwise, if you used the SOHO Firewall Configuration Wizard and you selected the Static configuration for the External interface, you must enter at least the IP address and the Gateway information individually in the properties of each SOHO Firewall before you continue the configuration. See Defining External Interfaces, on page 69.

• Otherwise, the interface definition of your SOHO Firewall is now ready: Click OK. If you used the Configuration Wizard, click first Next and then Create to create the SOHO Firewall element(s). Proceed to the next step: Saving the Initial Configuration, on page 82.


Defining Settings for Wireless AccessYou can allow wireless access to the Corporate network through a Corporate wireless interface and to the Internet through a Guest wireless interface. Wireless access to the Internet is also allowed by default from the Corporate interface, but it can be diabled. Both interfaces can be active at the same time and you can define different settings for the Corporate and Guest interfaces.

Defining Security Settings for Wireless Access

To define security settings for wireless access

Illustration 6.24 Wireless Settings for Interface

The available Security Modes and their options are explained in Table 6.1.

TABLE 6.1 Security Mode Options

Security Mode Name Description

Disabled None

Wireless traffic is not encrypted.Use this security mode with caution. Although you might allow unencrypted traffic through the Guest interface, it is safest to encrypt the traffic that passes through the Corporate interface to the corporate network.

1. Select Wireless. The options for wireless connections are enabled.

2. Enter the Wireless Network Name. The user has to enter it to connect to the network.

3. Select if the Wireless Network Name is broadcast to any wireless devices in range (Enabled) or if the clients must know the name to connect (Disabled).

4. Select the Security Mode. The options for the selected mode are enabled. See the table below for information about the options.


WEP

WEP 40

Wireless traffic is encrypted with a 40-bit WEP (Wired Equivalent Privacy/Wireless Encryption Protocol) key.

Select the Default Key and enter 1-4 WEP Keys. The user has to enter the WEP Key selected as the Default Key to gain access to the network.Remember to change the Default Key selection and WEP Keys regularly.

WEP 104

Wireless traffic is encrypted with a 104-bit WEP key.

Select the Default Key and enter 1-4 WEP Keys. The user has to enter the WEP Key selected as the Default Key to gain access to the network.Remember to change the Default Key selection and WEP Keys regularly.

WPA-PSK

WPA(with TKIP encryption)

Wireless traffic is encrypted with TKIP (Temporal Key Integrity Protocol) encryption. This security mode is normally used in small networks.

Enter the Pre-Shared Key. The user has to enter it to gain access to the network.Remember to change the Pre-Shared Key regularly.

WPA2(with AES encryption)

Wireless traffic is encrypted with AES (Advanced Encryption Standard) encryption.This security mode is normally used in small networks.


WPA and WPA2

Wireless traffic is encrypted with TKIP or AES. This security mode is normally used in small networks.


TABLE 6.1 Security Mode Options (Continued)



Select the correct security settings and proceed to one of the following: • If you want to use WPA enterprise authentication, continue by Defining a RADIUS

Server Element, on page 79.• Otherwise, continue by Defining General Wireless Settings, on page 80.

WPA Enterprise

WPA(with TKIP encryption)

An external RADIUS server is used to authenticate the users. Wireless traffic is encrypted with TKIP. This security mode is normally used in larger networks to transfer highly sensitive data.Select the RADIUS server. If you have not already defined a RADIUS server element to represent the server, see Defining a RADIUS Server Element, on page 79.

WPA2(with AES encryption)

An external RADIUS server is used to authenticate the users. Wireless traffic is encrypted with AES. This security mode is normally used in larger networks to transfer highly sensitive data.Select the RADIUS server. If you have not already defined a RADIUS server element to represent the server, see Defining a RADIUS Server Element, on page 79.

WPA and WPA2

An external RADIUS server is used to authenticate the users. Wireless traffic is encrypted with TKIP or AES. This security mode is normally used in larger networks to transfer highly sensitive data.Select the RADIUS server. If you have not already defined a RADIUS server element to represent the server, see Defining a RADIUS Server Element, on page 79.

TABLE 6.1 Security Mode Options (Continued)



Defining a RADIUS Server ElementIf you allow wireless connections and want to use the WPA Enterprise as the security mode, you must select a RADIUS server for authenticating the wireless users.

To define a RADIUS Server element for authenticating wireless users

Illustration 6.25 Selecting a RADIUS Server

Illustration 6.26 Creating a RADIUS Server Element

Illustration 6.27 RADIUS Server Properties

Once you have created the RADIUS Server element and selected it, continue by Defining General Wireless Settings, on page 80.

Click Select. The Select Element dialog opens.

Click the New icon and select RADIUS Authentication Server .The RADIUS Authentication Server Properties dialog opens.

1. Fill in the Name and IP address.

2. Change the Port Number, if your RADIUS server uses a non-standard port.3. Enter the Shared Secret for authenticating the SOHO Firewall to the RADIUS server.

4. Click OK and select the new element for use.


Defining General Wireless SettingsGeneral wireless settings apply to both Corporate and Guest interfaces if both allow wireless connections.

To define general wireless settings

Illustration 6.28 Wireless Channel Properties

• If you want to allow visitors access to the Internet through the SOHO Firewall, continue by Defining Guest Interfaces, on page 81.


• Otherwise, the interface definition of your SOHO Firewall is now ready. Click OK. If you used the Configuration Wizard, click first Next and then Create. Proceed to the next step: Saving the Initial Configuration, on page 82.

1. Switch to the Wireless Channel tab.

5. Select the Wireless Mode according to the capabilities of the connecting clients.

2. Select the Usage Area where wireless connections will be made. This affects how the signal is transmitted.

3. Select the Channel. If there are other wireless access points nearby, use channels that are as far apart as possible to avoid interference.

4. Select the Transmit Power of the signal.


Defining Guest InterfacesGuest interfaces are optional interfaces that allow visitors to connect to the Internet. If you define several Guest interfaces, they share the load of the connections that pass through them. Guest interfaces only allow direct Internet access.

To define Guest interfaces

Illustration 6.29 Guest Interface Properties

Proceed as follows: • If you want to allow guests access to the Internet through a wireless connection,

add wireless settings for the Guest interface. Continue by Defining Settings for Wireless Access, on page 76.


• Otherwise, the interface definition of your SOHO Firewall is now ready. Click OK. If you used the Configuration Wizard, click first Next and then Create. Proceed to the next step: Saving the Initial Configuration, on page 82.

1. Switch to the Guest tab.

2. Enter the Local IP Address and the Netmask.

3. If you want the SOHO Firewall to act as a DHCP server for the Guest network, select DHCP Service.

4. Fill in the address range for distributing IP addresses and the DNS settings.• In Dynamic mode, the SOHO Firewall relays the DNS

server information it receives from the ISP.• In static mode, you can add the servers manually.

Defining Guest Interfaces 81

Saving the Init ial ConfigurationAfter defining the SOHO firewall properties, save the initial configuration of each SOHO Firewall element you have created. The SOHO firewall engines are initialized by importing this initial configuration through the SOHO Firewall web interface.

To save the initial configuration

Illustration 6.30 Saving the Initial Configuration

Right-click a SOHO Firewall element and select Create Initial Configuration or Configuration→Create Initial Configuration from the menu. The Save Initial Configuration dialog opens.


Illustration 6.31 Initial Configuration Dialog

After the initial configuration is saved, you are ready to install the appliances. If you do not install the engine(s) yourself, send the initial configuration to the person who takes care of the installation. Send the password(s) separately and securely.To continue, see the installation and initial configuration instructions in the Appliance Installation Guide that was delivered with the appliance.

1. Select where the initial configuration will be saved and enter a file name.

3. (Recommended) Enter a Configuration Encryption Password or click Generate to create one automatically. The password encrypts the initial configuration.

4. Click Save. A new tab opens showing the progress.

2. Enter the Administrator Password and confirm it in the Confirm Administrator Password field. This password is used in logging in to the SOHO Firewall’s web interface.


CHAPTER 7 Configuring Single Firewalls

This chapter contains the steps needed to complete the single firewall or firewall cluster configuration that prepares the Management Center for a StoneGate firewall installation.Very little configuration is done directly on the engines. Most of the configuration is done using the Management Client, so the engines cannot be successfully installed before defining them in the Management Center as outlined in this chapter.


Configuration Overview, on page 86 Adding a Single Firewall Element, on page 86 Adding Physical Interfaces, on page 88 Adding VLANs, on page 89 Configuring Single Firewall Interfaces, on page 90 Using Management-Bound Licenses, on page 94 Saving the Initial Configuration, on page 94

85

Configuration OverviewAfter you have the StoneGate Management Center (SMC) installed and running, you must configure the Firewalls. This is mostly done through the Management Client. This chapter explains all the tasks you must complete before you can install and configure the physical firewalls.The tasks you must complete are as follows:1. Add Firewall element(s).2. Define the interface properties.3. Bind management-bound licenses to specific Firewall elements.4. Save the defined configuration for use during Firewall installation.Start by defining Firewall elements as explained in Adding a Single Firewall Element.

Adding a Single Firewall ElementTo introduce a new single firewall engine to the Management Center, you must define a Single Firewall element that stores the configuration information related to the firewall.Only one interface is needed to install the firewall; the Control Interface that is used for communications between the Management Server and the Firewall/VPN engine. Although you can configure more interfaces at any later time, it is simplest to add more interfaces right away, so that traffic can also be routed through the firewall.The interfaces have their own numbering in the Management Center called Interface ID, which is independent of the operating system interface numbering on the firewall engine. However, if you install and configure the engine automatically with a USB memory stick, the Interface IDs in Management Center are mapped to match the current physical interface numbering in the operating system (eth0 is mapped to Interface ID 0 and so on). If you configure the engine manually, you can choose how the Interface IDs in the Management Center are mapped to the physical interfaces.This section covers the basic configuration of a Single Firewall element. For more information on configuring the firewall, see the Online Help (click the help button in the dialogs to see help specific to that dialog) or the Administrator’s Guide.In the following tasks, the values filled in the images refer to the example network’s Branch Office firewall settings to help exemplify how to configure a single firewall (see the Example Network Scenario, on page 207).

Creating a Single Firewall Element

To create a Single Firewall element



86 Chapter 7: Configuring Single Firewalls

Illustration 7.2 Creating a New Firewall Element

To define the basic properties of a firewall

Illustration 7.3 Single Firewall Properties

If you have a secondary Log Server, you add it in the properties of the primary Log Server you select here (for all firewalls that send data to that primary Log Server).Continue by Adding Physical Interfaces.

Right-click Firewall Configuration and select New→Single Firewall. The Single Firewall Properties dialog opens.

1. Type in a Name.


4. (Optional) Enter a Comment for your own reference.Continue configuring the Firewall properties as explained below.

3. If required in your setup, select the Location (see Configuring NAT Addresses for StoneGate Components, on page 53).

Adding a Single Firewall Element 87

Adding Physical InterfacesTo route traffic through the firewall, you must define interfaces for at least two different physical network interfaces.

To add a physical interface

Illustration 7.4 Interfaces in Firewall Properties

To configure the physical interface properties

Illustration 7.5 Physical Interface Properties

The physical interface is added to the interface list. Add the necessary number of interfaces in the same way. Next, configure the interfaces as follows:• If you want to divide any of the interfaces into VLANs, continue by Adding VLANs, on

page 89.• Otherwise, proceed to Configuring Single Firewall Interfaces, on page 90.

1. Switch to the Interfaces tab.

2. Right-click the interface list and select New Physical Interface. The Physical Interface Properties dialog opens.

1. Select an Interface ID. This will map to a physical interface during the initial configuration of the engine.

2. Click OK.


Adding VLANsTo add a VLAN interface to a physical interface


To configure the VLAN interface properties

Illustration 7.7 VLAN Interface Properties

The specified VLAN ID is added to the physical interface.

Note – The VLAN ID must be the same VLAN ID used in the switch at the other end of the VLAN trunk.

Repeat the steps above to add further VLANs to the interface (up to 4095).A VLAN interface is now ready to be used as a network interface. The VLAN interface is identified as Interface-ID.VLAN-ID, for example 2.100 for Interface ID 2 and VLAN ID 100.Next, configure the VLAN interfaces just like any other network interface. Proceed to Configuring Single Firewall Interfaces, on page 90.


2. Right-click a physical interface and select New→VLAN Interface. The VLAN Interface Properties dialog opens.

Enter the VLAN ID and click OK.

Adding VLANs 89

Configuring Single Firewall InterfacesTo add an interface definition for a Single Firewall interface

Illustration 7.8 Single Firewall Properties

Continue according to the type of IP address you want to configure for this interface:• Adding Static IP Addresses, on page 90.• Configuring a Dynamic IP Address, on page 91.

Adding Static IP Addresses

To add a static IP address for an interface

Illustration 7.9 IP Address Properties for Static IP Address

The same Interface ID can have more than one static IP address definition. Repeat the steps to define more static IP address for this or some other interface.

1. Make sure you are on the Interfaces tab.

2. Right-click a physical interface or VLAN and select New→IP Address. The Interface Properties dialog opens.

1. Enter the IP Address.


5. Click OK.

2. Click Netmask and adjust the automatically added netmask if necessary. The Network Address and Broadcast IP Address are updated accordingly.

4. If the interface carries system communications and NAT is applied, click Contact Address and see Illustration 7.10.


To define a Contact Address


Configuring a Dynamic IP AddressInterfaces with a dynamic IP address are identified by a DHCP Index, which is used for identification in other parts of the configuration (like Firewall Policies) to represent the possibly changing IP address.

To define an interface for dynamic IP addressing

Illustration 7.11 IP Address Properties for Dynamic IP Address

3. Define an address for the Default Location in the same way if the IP address on the row is not correct.


2. Click the Contact Address column and enter the IP address components grouped in the Location must use to contact this firewall node.

4. Repeat as necessary, then click OK.

1. Select Dynamic.

2. Select a DHCP Index.


4. If this IP address is assigned through PPPoE, click PPPoE Settings and configure the settings as explained in the next illustration below.

5. Click OK.

4. If the interface carries system communications and NAT is applied, click Contact Address and see Illustration 7.10 above.


Illustration 7.12 PPPoE Settings

The same Interface ID can only have one dynamic IP address definition. Repeat the steps to define dynamic IP addressing for some other interface.

Setting Global Interface OptionsThe interfaces you have defined are shown as a tree on the Interfaces tab.

To access the global interface options

Illustration 7.13 Single Firewall Interfaces

1. Select Enable PPPoE.

2. Fill in the User Name, Password, and (optional) Service Name. If you do not have these, contact your service provider.

3. Click OK.

Click Options. The Interface Options dialog opens.


To set global interface options for a Single Firewall

Illustration 7.14 Interface Options

Note – If you use an IP-address-bound license for the engine, the license of the engine must be tied to the Primary Control IP address.

Click OK to close the Firewall Properties when you are finished defining all of the interfaces. The Single Firewall element is added to the tree view.Proceed as follows:• If you have Firewall licenses that you generated based on the POL code of the

Management Server (instead of the firewall’s IP address), proceed to Using Management-Bound Licenses, on page 94.

• Otherwise, proceed to Saving the Initial Configuration, on page 94.

4. Select the interface used as Identity for Authentication Requests.• This has no effect on routing; the

address identifies the firewall to external authentication servers.

• The address is also shown in the default authentication prompt for authenticating users.

1. Set the interface that is used as the Primary interface for Management Server contact.

2. (Optional, recommended) Select a Backup interface for Management Server Contact (used if the Primary fails).

5. Click OK.

3. Select Node-initiated contact to Management Server if the control IP of the node is dynamically NATted.


Using Management-Bound LicensesManagement-bound licenses are licenses created based on the Management Server’s POL code instead of the firewall’s primary control IP address. After you have configured the Firewall elements in the Management Center, management-bound licenses must be manually bound to a specific firewall element, because they contain no IP address information that would automatically bind them to the correct engine.

To bind a management-bound license to an engine1. In the Configuration view, navigate to Administration→Licenses→Firewall in the

left panel. All imported firewall licenses appear in the right panel.2. Right-click a management-bound license (licenses that state Dynamic in place

of an IP address) and select Bind from the menu that opens. The Select License Binding dialog opens.

3. Select the correct firewall from the list and click Select to bind the license to this firewall. The license is now bound to the selected firewall element.

4. If you made a mistake, right-click the license and select Unbind.

Caution – When you make a configuration change on the engine (policy upload or refresh), the license is permanently bound to that engine. Such licenses cannot be re-bound to some other engine without re-licensing or deleting the engine element it is bound to; until you do that, the unbound license is shown as Retained.

Proceed to Saving the Initial Configuration, on page 94.

Saving the Init ial ConfigurationAfter defining the firewall properties, save the initial configuration for all firewalls. The initial configuration sets some basic parameters for the firewall and triggers the creation of one-time passwords needed to establish a connection with the Management Server.There are three ways to initialize your firewall engines and establish contact between them and the Management Server:• You can write down the one-time password and enter all information manually in the

command-line Configuration Wizard on the engines.• You can save the configuration on a floppy disk or a USB memory stick to import

some of the information in the command-line Configuration Wizard on the engines.• You can save the initial configuration on a USB memory stick and use the memory

stick to automatically configure the engine without using the Configuration Wizard.

Note – The automatic configuration is primarily intended to be used with StoneGate appliances, and may not work in all other environments.




Depending on the method you want to use, follow the instructions in Illustration 7.16 (Configuration Wizard) or Illustration 7.17 (fully automatic).

To prepare for configuration using the Configuration Wizard


2. Expand Firewalls and right-click your firewall.

3. Select Configuration→Save Initial Configuration. The Initial Configuration dialog opens.

1. Click the System Status icon to switch to the Status view.

1. (Optional) If you plan to enter the information manually, write down or copy-paste the Management Server fingerprint for additional security.

2. If you plan to enter the information manually, write down or copy-paste the One-Time Password for each engine. Keep track on which password belongs to which engine node.

3. If you plan to import the configuration while you are in the Configuration Wizard, click Save As and save the configuration on a USB memory stick.


To prepare for fully automatic configuration


Once the firewall is fully configured, the SSH daemon can be set on and off using the Management Client. Enabling SSH in the initial configuration gives you remote command line access in case the configuration is imported correctly, but the engine fails to establish contact with the Management Server.The time zone selection is used only for converting the UTC time that the engines use internally for display on the command line. All internal operations use UTC time, which is synchronized with the Management Server time once the engine is configured.If you lose the one-time password or the saved configuration, you can repeat the procedure for the affected firewall engines.

Caution – Handle the configuration files securely. They include the one-time password that allows establishing trust with your Management Server.

You are now ready to install the StoneGate engine(s). Please see the platform-specific chapter to install the engine(s):• Installing the Engine on Intel Compatible Platforms, on page 115• If you have a StoneGate appliance, see installation and initial configuration

instructions in the Appliance Installation Guide that was delivered with the appliance. After this, you can return to this guide to set up basic routing and policies (see Defining Routing and Basic Policies, on page 131) or see the more detailed instructions in the Online Help of the Management Client (or the Administrator’s Guide pdf).

4. Click Save As and save the configuration to the root directory of a USB memory stick, so that the system can boot from it.

3. Set the engine time zone and keyboard layout.

1. Disable the backward-compatible configuration file generation.

2. (Optional) Enable the SSH daemon to allow remote access to the engine command line.


CHAPTER 8 Configuring Firewall Clusters

This chapter contains the steps needed to complete the firewall cluster configuration procedure that prepares the Management Center for a StoneGate firewall installation.Very little configuration is done directly on the engines. Most of the configuration is done using the Management Client, so the engines cannot be successfully installed before defining them in the Management Center as outlined in this chapter.


Configuration Overview, on page 98 Adding a Firewall Cluster Element, on page 98 Adding Nodes to a Firewall Cluster, on page 100 Adding Physical Interfaces, on page 101 Adding VLANs, on page 102 Configuring Firewall Cluster Interfaces, on page 103 Using Management-Bound Licenses, on page 110 Saving the Initial Configuration, on page 110

97

Configuration OverviewAfter you have the StoneGate Management Center (SMC) installed and running, you must configure the Firewalls. This is mostly done through the Management Client. This chapter explains all the tasks you must complete before you can install and configure the physical firewalls.The tasks you must complete are as follows:1. Add Firewall Cluster element.2. Add the necessary number of nodes to the Firewall Cluster.3. Define the interface properties.4. Bind management-bound licenses to specific firewall elements.5. Save the defined configuration for use during Firewall installation.Start by defining Firewall elements as explained in Adding a Firewall Cluster Element.

Adding a Firewall Cluster ElementTo introduce a new firewall cluster to the Management Center, you must define a Firewall Cluster element that stores the configuration information related to the firewalls.Only one interface is needed to install the firewall; the Control Interface that is used for communications between the Management Server and the Firewall/VPN engine. Although you can configure more interfaces at any later time, it is simplest to add more interfaces right away, so that traffic can also be routed through the firewall. You can use the Installation Worksheet for Firewall Clusters, on page 213 to document the interfaces.The interfaces have their own numbering in the Management Center called Interface ID, which is independent of the operating system interface numbering on the firewall engine. However, if you install and configure the engine automatically with a USB memory stick, the Interface IDs in Management Center are mapped to match the current physical interface numbering in the operating system (eth0 is mapped to Interface ID 0 and so on). If you do the initial configuration manually, you can choose how the Interface IDs in the Management Center are mapped to the physical interfaces.This section covers only the basic configuration of a firewall cluster element. For information on all the options, see the Online Help (click the Help button in the dialogs) or the Administrator’s Guide.In the following tasks, the values filled in the images refer to the example network’s Headquarters firewall cluster settings to exemplify how to configure a firewall cluster (see the Example Network Scenario, on page 207).

98 Chapter 8: Configuring Firewall Clusters

To create a Firewall Cluster element


Illustration 8.2 Creating a New Firewall Element

To define the basic properties

Illustration 8.3 Firewall Cluster Properties

If you have a secondary Log Server, you add it in the properties of the primary Log Server you select here (for all firewalls that send data to that primary Log Server).


Right-click Firewall Configuration and Select New→Firewall Cluster.

1. Type in a Name.


3. (Optional) Enter a Comment for your own reference.Continue configuring the Firewall properties as explained in the sections that follow.

3. If required in your setup, select the Location (see Configuring NAT Addresses for StoneGate Components, on page 53)

Adding a Firewall Cluster Element 99

Adding Nodes to a Firewall ClusterBy default, the Firewall Cluster properties have placeholders for two nodes when the element is created. Add more nodes if needed. A Firewall Cluster can have up to 16 nodes. Add all nodes you plan to install before you begin configuring the interfaces.

To add a node to a Firewall Cluster

Illustration 8.4 Firewall Cluster Properties

Illustration 8.5 Engine Node Properties

The node is added to the Firewall Cluster. Repeat these steps for each node you want to add, then continue by Adding Physical Interfaces.

Click Add Node. The Engine Node Properties dialog opens.

Existing Nodes are listed in this table.

1. (Optional) Change the Name.


3. Click OK.


Adding Physical InterfacesTo add a physical interface


To configure the physical interface properties

Illustration 8.7 Physical Interface Properties


2. Right-click in the empty area and select New Physical Interface. The Physical Interface Properties dialog opens.

1. Select an Interface ID. This will map to a physical interface during the initial configuration of the engine.

2. Select the CVI Mode and enter the MAC Address (see Table 8.1 for more information.)

4. Click OK.

3. Adjust the MTU, if this link requires a lower MTU than the Ethernet-default 1500.


Note – Different CVI modes can be used for different interfaces of a firewall cluster without limitations.

To route traffic through the firewall, you must define at least two different physical network interfaces.Next, configure the interface settings as follows:• If you want to divide any of the interfaces into VLANs, continue by Adding VLANs, on

page 102.• Otherwise, proceed to Configuring Firewall Cluster Interfaces, on page 103.

Adding VLANsTo add a VLAN to a physical interface


TABLE 8.1 MAC Address Requirements by Mode

Mode MAC Address

Packet Dispatch Type in a unicast MAC address with an even number as the first octet (e.g., 10:12:34:56:78:90). All unicast CVIs and NDIs that are defined for the same physical network interface must use the same unicast MAC address.Unicast MAC

Multicast MACType in a multicast MAC address with an odd number as the first octet (e.g., 01:12:34:56:78:90).

Multicast MAC with IGMP

Type in a multicast IP address in the range from 239.252.0.0 to 239.255.255.255. This multicast IP address is used only for automatically calculating a valid multicast MAC for the CVI (e.g., 01:00:5e:12:34:56). Thus, the interface has a unicast IP address and a multicast MAC address, and it sends IGMP messages when joining or leaving the multicast group.

1. Switch to Interfaces.

2. Right-click a physical interface and select New→VLAN Interface. The VLAN Interface Properties dialog opens.


To configure the VLAN interface properties

Illustration 8.9 VLAN Interface Properties

The specified VLAN ID is added to the physical interface. Repeat the steps to add further VLANs to the interface (up to 4095).

Note – The VLAN ID must be the same VLAN ID used in the switch at the other end of the VLAN trunk.

A VLAN interface is now ready to be used as a network interface. The VLAN interface is identified as Interface-ID.VLAN-ID, for example 2.100 for Interface ID 2 and VLAN ID 100. Proceed to Configuring Firewall Cluster Interfaces, on page 103.

Configuring Firewall Cluster InterfacesCluster Virtual Interfaces (CVI) handle the traffic that is routed through the firewall for inspection. Node Dedicated Interfaces (NDI) are used for traffic that the nodes themselves send or receive (such as the communications they have with the Management Server or between the nodes in the cluster). Several CVIs and NDIs can be defined for the same physical network interface or VLAN segment. To route traffic through the firewall, you must define at least two CVIs. For a working cluster, you also need at least two NDIs (one for management connections and one for the heartbeat traffic between the nodes).

Note – Heartbeat and state synchronization (which take place on the same interface) are time-critical communications, and network latency from other traffic may interfere with the operation of the cluster. Heartbeat traffic can include details about traffic processed. Therefore, we recommend using separate and protected networks for this traffic. If protecting Heartbeat segments is not possible, state synchronization security can be changed from the default value signed to encrypted.

Enter the VLAN ID and click OK.


Interfaces may have just a CVI or just an NDI. We recommend that you define an NDI for each interface that has a CVI, if practical, as some features may not work reliably without an NDI. A CVI is needed only if traffic the firewall inspects is routed to/from the interface.

Defining Cluster Interfaces

To add an interface definition for a Firewall Cluster

Illustration 8.10 Firewall Cluster Interfaces

1. Make sure you are on the Interfaces tab.

2. Right-click a physical interface or VLAN and select New→Interface. The Interface Properties dialog opens.


To set the interface properties

Illustration 8.11 Interface Properties

Repeat the same steps to add further CVIs and/or NDIs. The same Interface ID can have more than one CVI and/or NDI definition if you want to define more IP addresses on the same physical interface. After adding all necessary interface definitions, continue by Setting Global Interface Options for Clusters, on page 107.

5. Click Netmask and adjust the value as necessary.

1. (Optional) Deselect Cluster VIrtual Interface if no CVI is needed (e.g., if this is a dedicated heartbeat interface).

2. If this interface has a CVI, enter an IP address for the cluster.

3. (Optional) Deselect Node Dedicated Interface if no NDI is needed (e.g., if the physical interface already has one).

4. Click the IP Address cell and type in an IP address. Repeat for each node.

6. If the interface(s) carry system communications and NAT is applied, complete the configuration in Defining Contact Addresses for Firewall Clusters, on page 106. Otherwise, click OK.


Defining Contact Addresses for Firewall Clusters

To define contact addresses for a Firewall Cluster

Illustration 8.12 Interface Properties for a Firewall Cluster


Repeat the same steps to add further CVIs and/or NDIs. The same Interface ID can have more than one CVI and/or NDI definition if you want to define more IP addresses on the same physical interface. After adding all necessary interface definitions, continue by Setting Global Interface Options for Clusters, on page 107.

(Optional) To define a contact address for a CVI, click the Contact Address button (this may be necessary for some additional features).

To define a contact address for the node NDIs, double-click the node’s Contact Address cell.

3. Define an address for the Default Location in the same way if the IP address on the row is not correct.


2. Click the Contact Address column and enter the IP address components grouped in the Location must use to contact this firewall node.

4. Repeat as necessary, then click OK.


Setting Global Interface Options for Clusters

To set global interface options


Click Options. The Interface Options dialog opens.


Illustration 8.15 Interface Options 1/2 - Options for System-Internal Communications

Note – Also the Backup Heartbeat interface has constant light activity even when the Primary heartbeat is active to test the link.

Illustration 8.16 Interface Options 2/2 - Options for System-External Communications

2. (Optional, recommended) Select a Backup interface for Management Server Contact (used if the Primary fails).

3. Set the interface that is used as the Primary interface for communications between the clustered firewall engines.

4. (Optional, recommended) Select a Backup interface for communications between the clustered firewall engines (used if the Primary fails).

1. Set the interface that is used as the Primary interface for Management Server contact.

3. Click OK.

1. Select the interface used as Identity for Authentication Requests.• This has no effect on routing; the

address identifies the firewall to external authentication servers.

• The address is also shown in the default authentication prompt for authenticating users.

2. Select the Default IP for Outgoing Connections that the cluster uses if a node must communicate through an interface that does not have an NDI definition for that node (has only a CVI).


Note – Heartbeat and state synchronization (which take place on the same interface) are time-critical communications, and network latency from other traffic may interfere with the operation of the cluster. Heartbeat traffic can include details about traffic processed. Therefore, we recommend using separate and protected networks for this traffic. If protecting Heartbeat segments is not possible, state synchronization security can be changed from the default value signed to encrypted.

The interfaces you have defined are shown as a tree-table on the Interfaces tab:


Click OK to close the Firewall Cluster Properties when you are finished defining the interfaces. The new Firewall Cluster element is added to the main tree view.Proceed as follows:• If you generated firewall licenses based on the POL code of the Management Server

(instead of the firewall’s IP address), proceed to Using Management-Bound Licenses, on page 110.

• Otherwise, proceed to Saving the Initial Configuration, on page 110.

Double-click to edit the interface.Pay attention that you do this at the correct level for the properties you wish to edit.

Global interface options have codes in the tree-table (also note the Info column):• “A” signifies the interface used as the identity for authentication requests• “C” and “c” signify the Primary and Secondary Control Interfaces• “H” and “h” signify the Primary and Secondary Heartbeat Interfaces• “O” signifies the default IP address for outgoing connections


Using Management-Bound LicensesManagement-bound licenses are licenses created based on the Management Server’s POL code instead of the firewall’s primary control IP address. After you have configured the Firewall elements in the Management Center, management-bound licenses must be manually bound to a specific firewall element, because they contain no IP address information that would automatically bind them to the correct engine.

To bind a management-bound license to an engine1. In the Configuration view, navigate to Administration→Licenses→Firewalls in

the left panel. All imported firewall licenses appear in the right panel.2. Right-click a management-bound license (licenses that state Dynamic in place

of an IP address) and select Bind. The Select License Binding dialog opens.3. Select the correct firewall from the list and click Select to bind the license to

this firewall. The license is now bound to the selected firewall element.4. If you made a mistake, right-click the license and select Unbind.

Caution – When you make a configuration change on the engine (policy upload or refresh), the license is permanently bound to that engine. Such licenses cannot be re-bound to some other engine without re-licensing or deleting the engine element it is bound to; until you do that, the unbound license is shown as Retained.

Proceed to Saving the Initial Configuration.

Saving the Init ial ConfigurationAfter defining the firewall properties, save the initial configuration for all firewalls. The initial configuration sets some basic parameters for the firewall and triggers the creation of one-time passwords needed to establish a connection with the Management Server.There are three ways to initialize your firewall engines and establish contact between them and the Management Server:• You can write down the one-time password and enter all information manually in the

command-line Configuration Wizard on the engines.• You can save the configuration on a floppy disk or a USB memory stick to import

some of the information in the command-line Configuration Wizard on the engines.• You can save the initial configuration on a USB memory stick and use the memory

stick to automatically configure the engine without using the Configuration Wizard.

Note – The automatic configuration is primarily intended to be used with StoneGate appliances, and may not work in all other environments.




Depending on the method you want to use, follow the instructions in Illustration 8.19 (Configuration Wizard) or Illustration 8.20 (fully automatic).

To prepare for configuration using the Configuration Wizard


2. Expand Firewalls and right-click your firewall cluster.

3. Select Configuration→Save Initial Configuration. The Initial Configuration dialog opens.

1. Click the System Status icon to switch to the System Status view.

1. (Optional) If you plan to enter the information manually, write down or copy-paste the Management Server fingerprint for additional security.

2. If you plan to enter the information manually, write down or copy-paste the One-Time Password for each node. Keep track on which password belongs to which engine node.

3. If you plan to import the configuration while you are in the Configuration Wizard, click Save As and save the configuration on a USB memory stick.


To prepare for fully automatic configuration


Once the firewall is fully configured, the SSH daemon can be set on and off using the Management Client. Enabling SSH in the initial configuration gives you remote command line access in case the configuration is imported correctly, but the engine fails to establish contact with the Management Server.The time zone selection is used only for converting the UTC time that the engines use internally for display on the command line. All internal operations use UTC time, which is synchronized with the Management Server time once the engine is configured.If you lose the one-time password or the saved configuration, you can repeat the procedure for the affected firewall engines.

Caution – Handle the configuration files securely. They include the one-time password that allows establishing trust with your Management Server.

You are now ready to install the StoneGate engine(s). Please see the platform-specific chapter to install the engine(s):• Installing the Engine on Intel Compatible Platforms, on page 115• If you have a StoneGate hardware appliance, see installation and initial

configuration instructions in the Appliance Installation Guide that was delivered with the appliance. After this, you can return to this guide to set up basic routing and policies (see Defining Routing and Basic Policies, on page 131) or see the more

4. Click Save As and save the configuration. Copy the files to the root directory of a USB memory stick, so that the system can boot from it.

3. Set the engine time zone and keyboard layout.

1. Disable the backward-compatible configuration file generation.

2. (Optional) Enable the SSH daemon to allow remote access to the engine command line.


detailed instructions in the Online Help of the Management Client (or the Administrator’s Guide pdf).


CHAPTER 9 Installing the Engine on Intel Compatible Platforms

This chapter instructs how to install the StoneGate engine on any standard Intel or Intel compatible platform, such as AMD.


Installing the Firewall Engine, on page 116 Configuring the Engine, on page 117 Installing the Engine in Expert Mode, on page 125

115

Instal l ing the Firewall Engine

Caution – Check that the Automatic Power Management (APM) and Advanced Configuration and Power Interface (ACPI) settings are disabled in BIOS. Otherwise, the engine may not start after installation or may shut down unexpectedly.

Note – The server must be dedicated to the firewall. No other software can be installed on it.

Before you proceed to installing the firewalls, make sure you have the initial configuration or a one-time password for management contact for each firewall engine. These are generated in the Management Center.What you see on your screen may have a different appearance from the illustrations in this guide depending on your system configuration.StoneGate appliances are delivered with pre-installed software. Configure the software as instructed in the Appliance Installation Guide delivered with the appliance.

Checking File IntegrityBefore installing StoneGate, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 17.

Starting the InstallationThe installation is started by booting the engine machine from the installation CD-ROM as explained below.

Caution – Installing StoneGate deletes all existing data on the hard disk.

To install StoneGate engine from a CD-ROM1. To begin, insert the StoneGate engine installation CD-ROM into the drive and

reboot the machine. The License Agreement appears.2. After going through the License Agreement, type YES and press ENTER to accept

the license agreement and continue with the configuration.

Illustration 9.1 Selecting Install Mode

116 Chapter 9: Installing the Engine on Intel Compatible Platforms

3. Choose between two types of installations: Full Install and Full Install in expert mode.• Type 1 for the normal Full Install.• If you want to partition the hard disk manually, type 2 for the Full Install in

expert mode and continue in Installing the Engine in Expert Mode, on page 125.4. Indicate the number of processors:

• For a uniprocessor machine, type 1 and press ENTER.• For a multiprocessor machine, type 2 and press ENTER.

5. To accept automatic hard disk partitioning, type YES and press ENTER. The installation process is started.

6. The automatic installation process starts.• If you want to use the automatic configuration method, do not reboot once the

installation finishes, but continue in Configuring the Engine Automatically with a USB Stick below.

• Otherwise, remove the CD-ROM and press ENTER to reboot when prompted to do so. Continue in Starting the Configuration Wizard, on page 118

Configuring the EngineDuring the initial configuration, the operating system settings, network interfaces, and the Management Server connection are defined.

Configuring the Engine Automatically with a USB StickThe automatic configuration is primarily intended to be used with StoneGate appliances, and may not work in all environments when you use your own hardware. If the automatic configuration does not work, you can still run the Configuration Wizard as explained in the next section and import or enter the information manually.When automatic configuration is used, Interface IDs are mapped to physical interfaces in sequential order: Interface ID 0 is mapped to eth0, Interface ID 1 is mapped to eth1, and so on.

Note – The imported configuration does not contain a password for the root account, so you must set the password manually in the Management Client before you can log in for command line access to the engine. See the Online Help of the Management Client or the StoneGate Administrator’s Guide for more information.

To install and configure the engine with a USB stick1. Insert the USB stick.2. Remove the CD-ROM and press ENTER at the installation finished prompt.

StoneGate reboots, imports the configuration from the USB stick, and makes the initial contact to the Management Server.


• If the automatic configuration fails, and you do not have a display connected, you can check for the reason in the log (sg_autoconfig.log) written on the USB stick.

• If you see a “connection refused” error message, ensure that the Management Server IP address is reachable from the node.

The configuration is complete when the appliance successfully contacts the Management Server and reboots itself. Continue the configuration in After Successful Management Server Contact, on page 125, where you can also find an explanation on how successful management contact is indicated in the Management Client.

Starting the Configuration WizardIf there is no USB memory stick with an engine configuration inserted when the machine is rebooted after the installation, the StoneGate Configuration Wizard starts. The wizard can always be run again by issuing the sg-reconfigure command on the engine command line.If you have stored the configuration on a floppy disk or a USB memory stick (see Saving the Initial Configuration, on page 94 for single firewalls or Saving the Initial Configuration, on page 110 for firewall clusters), you can import it now to reduce the need for typing in information.

To select the configuration method

Illustration 9.2 Welcome

To select the import source

Illustration 9.3 Import Configuration

To import a saved configuration, highlight Import using the arrow keys and press ENTER.

To skip the import, highlight Next using the arrow keys and press ENTER. Proceed to Configuring the Operating System Settings, on page 119.

Select Floppy Disk or USB Memory and press ENTER


To import the configuration1. Select the correct configuration file. Remember that these are specific to each

individual firewall engine node.2. Highlight Next and press ENTER to continue.Continue the configuration as explained in the next section.

Configuring the Operating System SettingsThe Configure OS Settings screen is displayed. Some of the settings may be filled in, if you imported a configuration as explained above (depending on the type of configuration imported).

To set the keyboard layout

Illustration 9.4 Configure OS Settings

Illustration 9.5 Select Keyboard Layout

Note – If the desired keyboard layout is not available, use the best-matching available layout, or select US_English.

Highlight the entry field for Keyboard Layout using the arrow keys and press ENTER. The Select Keyboard Layout dialog opens.

Highlight the correct layout and press ENTER.

Tip: Type in the first letter to move forward more quickly.


To set the engine’s timezone


Note – The timezone setting affects only the way the time is displayed on the engine command line. The actual operation always uses UTC time.

Note – You do not need to manually adjust the engine time. It is automatically synchronized with the Management Server clock.

To set the rest of the operating system settings


1. Highlight the entry field for Local Timezone using the arrow keys and press ENTER. The Select Timezone dialog opens.

2. Select the timezone from the list in the same way you selected the keyboard layout.

1. Type in the name of the firewall.

2. Type in the password for the user root. This is the only account for command line access to the engine.

3. Highlight Enable SSH Daemon and press the spacebar on your keyboard to select the option and allow remote access to engine command line using SSH.

4. Highlight Next and press ENTER. The Configure Network Interfaces window is displayed.


Configuring the Network InterfacesThe configuration utility can automatically detect which network cards are in use. You can also add interfaces manually, if necessary. If the list is not populated automatically, you can launch the autodetect as explained in the illustration below.

To define the network interface drivers automatically

Illustration 9.8 Configure Network Interfaces

Check that the autodetected information is correct and that all interfaces have been detected. If there are problems, add the network interfaces manually as explained in the section To define the network interface drivers manually, on page 122 (you can overwrite any autodetected setting).

Tip: The Sniff option can be used for troubleshooting the network interfaces. Select Sniff on an interface to run network sniffer on that interface.

To map the physical interfaces to Interface IDs

Illustration 9.9 Assigning Network Interfaces

Note – The Management interface must be the same that is configured as the primary control interface for the corresponding Firewall element in the Management Center. Otherwise the engine cannot contact the Management Center.

Highlight Next and press ENTER to continue. Proceed to Contacting the Management Server, on page 122.

Highlight Autodetect and press ENTER.

1. Change the IDs as necessary to define how physical interfaces are mapped to the IDs you defined in the Firewall element.

3. Highlight the Mgmt column and press the spacebar on your keyboard to select the correct interface for contact with the Management Server.

2. If necessary, highlight the Media column and press ENTER to change settings to match those used by the device at the other end of the link.


To define the network interface drivers manually

Illustration 9.10 Configure Network Interfaces

Illustration 9.11 Add Device Driver

Contacting the Management ServerThe Prepare for Management Contact window opens. If the initial configuration was imported from a floppy or USB memory stick, most of this information is filled in.

Note – If there is any intermediate firewall between this firewall and the Management Server, make sure that the intermediate firewall’s policy allows the initial contact and all subsequent communications. See StoneGate-Specific Ports, on page 201 for a listing of the ports and protocols used.

This task has two parts. First, you activate an initial configuration on the firewall. The initial configuration contains the information that the engine needs to connect to the Management Server for the first time. The initial configuration is replaced with a working configuration when you install a Firewall Policy on this engine using the Management Client. The initial configuration contains a simple firewall policy that only allows connections between the firewall engine and the Management Server and blocks everything else.

Highlight Add and press ENTER.

Select the correct driver for your network card and press ENTER.Repeat as necessary, then map the interfaces to Interface IDs as explained above.


To activate the initial configuration

Illustration 9.12 Preparing for Management Contact - Initial Configuration Settings

Note – If the engine and the Management Server are on the same network, you can leave the Gateway to management field empty.

To define PPPoE settings

Illustration 9.13 Opening PPPoE Settings

Illustration 9.14 Filling in PPPoE Account Information

In the second part of the configuration, you define the information needed for establishing a trust relationship between the engine and the Management Server.

• If the IP address of the control interface is assigned by a DHCP server, select Obtain Node IP address from a DHCP server and continue in Illustration 9.15 on page 124.

• If the IP address of the control interface is assigned through PPPoE, select Use PPPoE and continue in Illustration 9.13

• If the IP address of the control interface is static, select Enter node IP address manually and fill in the IP address and Netmask (always), and Gateway to management (if the Management Server is not in a directly connected network).

Highlight Settings and press ENTER. The PPPoE Settings dialog opens.

1. Fill in the account details according to the information you have received from your service provider.

2. Highlight Ok and press ENTER.


To fill in the Management Server information

Illustration 9.15 Preparing for Management Contact - Contact Management Server

Note – The one-time password is engine-specific and can be used only for one initial connection to the Management Server. Once initial contact has been made, the engine receives a certificate from the Management Center for identification. If the certificate is deleted or expires, you need to repeat the initial contact.

If you selected the Contact at reboot option for contacting the Management Server, the firewall engine installation is now finished. This option is useful, for example, if you want to configure the engine for use in a remote office. The local administrator will then only need to power on the engine without any further configuration.If you selected the Contact option instead, the engine now tries to make initial Management Server contact. The progress is displayed on the command line.If you see a “connection refused” error message, ensure that the one-time password is correct and the Management Server IP address is reachable from the node. You can save a new initial configuration if unsure about the password (see Saving the Initial Configuration, on page 94 for single firewalls or Saving the Initial Configuration, on page 110 for firewall clusters).If the initial management contact fails for some reason, the configuration can be started again with the sg-reconfigure command. The command can also be used to change any of the settings operating system settings and network card settings later on. The settings on the last screen of the Configuration Wizard are replaced by information stored on the Management Server when a policy is installed on the firewall and changes must be done through the Management Client to remain permanent.

1. Select the suitable option for Contact Management Server and press the spacebar to activate.

2. Fill in the Management Server IP address and the one-time password that was created for this engine when you saved the initial configuration.

3. (Optional) Fill in the Key fingerprint (also shown when you saved the initial configuration). Filling it in increases the security of the communications.

4. Highlight Finish and press ENTER


After Successful Management Server ContactAfter you see a notification that Management Server contact has succeeded, the firewall engine installation is complete and the firewall is ready to receive a policy. In a while, the firewall’s status changes in the Management Client from Unknown to No Policy Installed, and the connection state is Connected indicating that the Management Server can connect to the node.To finish your firewall configuration, proceed to Defining Routing and Basic Policies, on page 131.

Caution – When using the command prompt, use the reboot command to reboot and halt command to shut down the node. Do not use the init command. You can also reboot the node using the Management Client.

Instal l ing the Engine in Expert ModeTo start the installation, reboot from the CD-ROM (see Installing the Firewall Engine, on page 116).The difference between the normal and expert installation is that in expert mode, you partition the hard disk manually. If you are unfamiliar with partitioning hard disks in Linux, we recommend that you use the normal installation process.To continue with the expert mode installation, continue in Partitioning the Hard Disk Manually, on page 125.

Partitioning the Hard Disk ManuallyTypically, you need five partitions for a StoneGate engine as explained in Table 9.1.

TABLE 9.1 StoneGate Partitions

Partition Recommended size Description

Engine root A 200 MB The bootable root partition for StoneGate engine.

Engine root B 200 MBAlternative root partition for StoneGate engine. Used in engine upgrade.

SwapTwice the physical memory

Swap partition for StoneGate engine.

Data 500 MB or moreUsed for the boot configuration files and the root user’s home directory.

SpoolRest of free disk space

Used for spooling


The partitions are allocated in two phases. First, disk partitions are created and second, the partitions are allocated for their use purposes.

Caution – Partitioning deletes all the existing data on the hard disk.

To partition the hard disk1. If you are asked whether you want to create an empty partition table, type y to

continue.

Illustration 9.16 Starting Partitioning

2. Press ENTER to continue.

Illustration 9.17 Defining Partition Table

3. Create the partitions for the engine as follows:3.1 For engine root A: 200 MB, bootable, Primary, Linux partition3.2 For engine root B: 200 MB, Primary, Linux partition3.3 For swap: twice the size of physical memory, Logical, Linux swap partition.

• To change the partition type to Linux swap, select Type and enter 82 as the file system type.

3.4 For data: 500 MB or more, Logical, Linux partition3.5 For spool: allocate rest of the free disk space, Logical, Linux partition.

4. Check that the partition table information is correct.5. Select Write to commit the changes and confirm by typing yes.6. Select Quit and pressing ENTER.


Allocating PartitionsAfter partitioning the hard disk, the partitions are allocated for StoneGate.

To allocate the partitions

Illustration 9.18 Checking Partition Table

1. Check that the partition table is correct. Type YES to continue.

Illustration 9.19 Allocating Partitions

2. Using the partition numbers of the partition table (see Illustration 9.18), assign the partitions for the engine, for example:

2.1 For the engine root A partition, type 1.2.2 For the engine root B partition, type 2.2.3 For the swap partition, type 5.2.4 For the data partition, type 6.2.5 For the spool partition, type 7.

Illustration 9.20 Accepting Partition Allocation


3. Check the partition allocation and type YES to continue.

Illustration 9.21 Installation Finished

4. The StoneGate engine installation process is started. When installation is complete, remove the CD-ROM from the machine and press ENTER to reboot.

5. Continue the configuration as described in Configuring the Engine, on page 117.


Routing and Policies

CHAPTER 10 Defining Routing and Basic Policies

After successfully installing the firewall and establishing a contact between the firewall engine(s) and the Management Server, the firewall is left in the initial configuration state. Now you must define basic routing and policies to be able to use the firewall for access control. Both of these tasks are done using the Management Client.


Defining Routing, on page 132 Defining Basic Policies, on page 145 Moving On, on page 153

131

Defining RoutingIn StoneGate, routing is done entirely through the Management Client.The routing information of SOHO Firewalls is automatically generated on the basis of the interfaces defined for the SOHO Firewall elements. To change the routing information, you must edit the interface definitions in the SOHO Firewall properties (see Configuring SOHO Firewalls, on page 63). For information on defining basic policies that allow traffic through a SOHO Firewall and setting up monitoring for SOHO Firewalls, see the sections Defining Basic Policies, on page 145 and Moving On, on page 153.To define routing information for Firewall elements, most often only one or two simple tasks are needed:• Define the default route. This is the route packets to any IP addresses not

specifically included in the routing configuration should take. The default route should always lead to the Internet if the site has Internet access.

• Add routes to your internal networks that are not directly connected to the firewall, if there are any. Directly connected networks are added automatically based on the IP addresses you defined for the firewall’s interfaces.

Routing is most often done using the following elements:• Network elements: represent a group of IP addresses.• Router elements: represent next-hop routers that are used for basic (non-Multi-Link)

routing and to represent the ISP routers inside Outbound Multi-Link elements.• NetLink elements: represent next-hop routers that are used for Multi-Link routing.

In Multi-Link routing, traffic is automatically distributed between two (usually Internet) connections so that the fastest available connection is used for outgoing traffic. Multi-Link routing is not supported for SOHO Firewalls.

To access routing information

Illustration 10.1 Opening the Routing View for a Firewall

2. Select Routing from the menu that opens. The Routing Configuration view for the selected Firewall opens.

1. Right-click the Firewall whose routing you want to configure.

132 Chapter 10: Defining Routing and Basic Policies

Illustration 10.2 Routing View

Illustration 10.3 Expanded Routing Tree

First, add a default route. This is done using the Any Network element as explained on the next pages. Routing decisions are done from the most specific to the least specific route. The Any Network element (which covers all IP addresses) is always the last route that is considered. In other words, only packets that have a destination IP address that is not included anywhere in your routing configuration are forwarded to the interface with the Any Network element.

Note – Adding a Network in the Routing tree makes that network routable, but does not allow any host in that network to make connections. The firewall’s policy defines which connections are allowed. All other connections are blocked.

A StoneGate firewall always includes the Multi-Link feature, which automatically selects the fastest network link for outgoing connections if you have more than one default (Internet) interface. If two or more network interfaces can be used as the default route (you have more than on Internet connection), follow the Multi-Link instructions.Proceed to the correct section below:• Adding a Default Route With a Single Network Link, on page 134• Adding a Default Route With Multi-Link, on page 136

Now that the Routing View is open, you can switch between Firewalls through this menu.

Networks Corresponding to the interface definitions have been automatically added under all interfaces.


Adding a Default Route With a Single Network Link

To add a router

Illustration 10.4 Adding a Router

If this interface receives its IP address from a DHCP server, a special Router named Gateway (DHCP Assigned) is now added to the Routing tree; if that is the case, skip to Illustration 10.6 on page 135. If the interface has a fixed IP address, the Router Properties dialog opens, and you must define the Router properties as explained in the next illustration.

To define a Router

Illustration 10.5 Router Properties

Right-click the Network under the interface to be used as the default route (to the Internet) and select New→Router from the menu that opens.

1. Type a name for the Router

2. Enter the IP address of your Internet router.

3. Click OK.


To add the default route

Illustration 10.6 Adding The Any Network Element

Actually, you are not creating a new element in this case, but just inserting the existing default element “Any Network”. This is the only existing element available through this menu. Others are stored in Resources on the left.

Note – The Any Network element must appear in the Routing tree only once for each firewall in the single-link configuration described here. If you need to insert Any Network more than once, use the Multi-Link configuration instead (see Adding a Default Route With Multi-Link, on page 136).

Right-click the Router you just created and select New→Any Network.


Illustration 10.7 Finished Default Route

In the illustration above, one internal network is connected to the Internet through StoneGate. Do note that in StoneGate, it makes no difference to the firewall which interfaces are internal and which are external. The configuration you create for the firewall is the only deciding factor for which traffic is allowed and which is not.

Adding a Default Route With Multi-Link

To add a NetLink

Illustration 10.8 Adding a NetLink

Internal network is behind this interface

The Internet is behind this interface

Right-click the Network under an interface that should be used as one of the default routes (to the Internet) and select New→Static NetLink


If this interface receives its IP address from a DHCP server, a special NetLink named Gateway (DHCP Assigned) is now added to the Routing tree; if that is the case, skip to Illustration 10.19 on page 141. If the interface has a fixed IP address, the NetLink Properties dialog opens, and you must configure the NetLink as explained below.

To add a Router

Illustration 10.9 NetLink Element Properties

Illustration 10.10 Select Element - Navigating to Network Elements

Illustration 10.11 Select Element - Adding a New Router

1. Give the NetLink a name 2. Click

Select for Gateway

Click Network Elements.

Right-click Routers and select New Router from the menu that opens.



Create a Router element for all NetLinks in the same way, so that they are ready in the system when you create the other NetLinks.


1. Type a name for the Router

2. Enter the IP address of the Internet router for this NetLink.

3. Click OK.

1. Click Routers.

2. Select the correct Router and click Select.


To add a Network


Next, select the Network(s) that belong to the NetLink (the ISP network).


Illustration 10.16 Network Element Properties

All Routers you created are now available directly in the Gateway list.

Click Select for Network.

2. If the correct Network(s) are not on the list, click the New button and select Network.If the correct Network(s) are listed, skip to Illustration 10.17.

1. Navigate to Networks. Existing elements are listed.

1. Type in a name for the Network.

2. Type in the IP address and netmask.

3. (Optional) Select this option to include broadcast addresses in the Network.

4. Click OK.



To define the remaining properties


Select the correct Network and click the Select button.

1. Type in the name of the service provider for your reference.

Probing settings and Input Speed and Output Speed are used for specific Multi-Link features that are explained in the other guidebooks and the Online Help. Leave these empty for now.

2. Click OK.


Define all the necessary NetLinks in the same way.Next, you will use the NetLinks to define the default route to the Internet.

To add the default route

Illustration 10.19 Adding the Any Network Element

Actually, you are not creating a new element in this case, but just inserting the existing default element “Any Network”. This is the only existing element available through this menu. Others are stored in Resources on the left.

Right-click each NetLink and select New→Any Network.


Illustration 10.20 Finished Default Route

In the illustration above, internal networks are connected to the Internet using two Internet connections. Do note that in StoneGate, it makes no difference to the firewall which interfaces are internal and which are external. The configuration you create for the firewall is the only deciding factor for which traffic is allowed.

Caution – The configuration outlined above is only a part of the Multi-Link configuration. For additional steps required for a fully-featured Multi-Link, see the Reference Guide for an overview and the Online Help or the Administrator’s Guide PDF for step-by-step instructions.

The Internet is behind these interfaces


Defining Other RoutesYou may have more internal networks than just those connected directly to the firewall. Those have to be manually added to the Routing tree.Usually, non-ISP routes use a single-link configuration, as explained below, but a Multi-Link configuration can be used instead, if there are alternative links to the same network. If that is the case, add the routes using NetLinks instead of Routers in a similar way as with the default route (see Adding a Default Route With Multi-Link, on page 136).

To add a router

Illustration 10.21 Adding a Router Element


Right-click the Network that is the correct route to some other network and select New→Router.Once created, elements are stored in the All Elements tree. You can drag and drop existing elements from there.

1. Type a name for the Router.

2. Enter the IP address of the gateway device that connects the networks.

3. Click OK.


To add networks

Illustration 10.23 Adding Internal Network

Illustration 10.24 Network Element Properties

Add as many Networks as you need to the Router element.

AntispoofingSpoofing an IP address means that someone uses the IP address of some legitimate (internal) host to gain access to protected resources. Antispoofing, which prevents spoofing, is done automatically in StoneGate. Antispoofing is not supported for SOHO Firewalls.Antispoofing is based on the routing information. Often, you do not have to change antispoofing rules at all; by default, connection attempts with a source IP address from a certain internal network are only allowed through if they are coming from the correct interface as defined in the Routing tree. As the routing entry is usually needed for the communications to work, antispoofing rarely needs additional modifications.

Right-click the Router you just added and select New→Network.Existing Networks can be added by dragging and dropping them from the Resources list on the left.

1. Type in a name for the Network.

2. Type in the IP address and netmask.

3. (Optional) Select this option to include broadcast addresses in the Network.

4. Click OK.


If you need to make exceptions to this rule, you can add individual Host elements in the Antispoofing view behind interfaces through which they are allowed to make transmissions. For more information, see the Online Help (press F1 on your keyboard when any Management Client window is active).

Using IP Address Count Limited LicensesIf you have a license that is based on a restriction on the number of IP addresses in your networks, you must exclude the Internet interface from the IP address counting. Otherwise, addresses on the Internet are counted towards the license restriction and some of your internal hosts may not be allowed to connect through the firewall.Firewalls that have some other type of license do not require this action, so if you have such a license (an unlimited license or a throughput-based license), continue in the next section, Defining Basic Policies.

To exclude an interface from IP address counting• Right-click the Internet interface in the Routing tree and select Exclude from IP

Counting from the menu that opens.Only one interface can be excluded from IP address counting.

Note – If you want to use Multi-Link with an IP address limited license, all network links must be made accessible through a single interface. See more information at www.stonesoft.com/support.

Defining Basic PoliciesThe final step in getting your firewall up and running is creating the rules according to which the traffic is inspected. In addition to the rules in the policy, also the other configuration information is transferred to the firewall when you install a policy on it (including the interface definitions and routing information). The configuration of SOHO Firewalls is based on the network interface definitions. You do not need to create separate policy elements for SOHO Firewalls. The configuration (interface definitions and routing information) is transferred to the engines when you install or refresh the configuration on the SOHO Firewall appliances. Make sure that your Firewall Policies allow connections between the SOHO Firewalls engines and the Management Center components (Management Server and Log Server) as well as VPN traffic between the SOHO Firewall and the VPN Gateways, if VPN traffic is allowed in the SOHO Firewall properties. In addition, if you allow wireless traffic through the SOHO Firewall and use an external RADIUS server for authenticating wireless users, make sure that connections to the RADIUS server are allowed.To walk you through the basics of rule editing in StoneGate, the following illustrations show you how to create a simple rule that allows pinging from one host in your internal network to any address.


http://www.stonesoft.com/support

To create a policy

Illustration 10.25 Viewing Firewall Policies

Illustration 10.26 Creating A Policy

Illustration 10.27 Firewall Policy Properties

Click the Security Policies shortcut icon in the toolbar and select Firewall Policy.

Right-click Firewall Policies and select New→Firewall Policy.

1. Name the new Policy.

2. Select a template. Only the Default template is available, as you have not created your own templates yet.

3. Click OK.


To add a rule for pinging

Illustration 10.28 Security Policy Editor

Note – Inherited rules are not editable through the policy that inherits the rules.

Illustration 10.29 Create a Host

1. (Optional) Click the Tools button and select the Inherited Rules menu item to view and hide rules inherited from the Default template.

2. Double-click the green row now to add a rule.

Right-click Hosts and select New Host from the menu that opens.


Illustration 10.30 Host Properties

Illustration 10.31 Setting The Source

Illustration 10.32 Setting The Destination

1. Type in a name for the Host.2. Enter the IP address of the computer.

3. Click OK. The new host is added to the list of hosts in Resources.

2. Drag and drop the Host you created to the Source Cell.

1. Click Hosts in the Resources list. The list of hosts is shown.

Right-click the Destination cell and select Set to ANY from the menu that opens.


Illustration 10.33 Adding the Service

Note – The default Services cannot be edited, but you can create a new Service of any type and set its properties as you please. See the Online Help for more information.

Illustration 10.34 Setting the Action

Illustration 10.35 Adding More rules

1. Click the Service cell in the rule to display Services in the Resources list.

2. Navigate to ICMP and drag and drop the Ping item to the Service Cell.

Click the Action cell and select Allow from the list of Actions.

Or right-click the rule and select either Add Rule Before or Add Rule After to create more rules.


By default, the firewall maintains connection tracking information on connections allowed by a rule. As one result, you only have to add rules for allowing the opening of connections. Once the connection is opened, reply packets that belong to that connection are then allowed through as long as they are appropriate for the state of that particular connection. Only if connection opening needs to be allowed from the other end as well, a second rule needs to be added.In the case of the ping rule in our example, the replies to pings made by the Test host are allowed through without any modification to the rules. However, if someone else tries to ping our Test host through the firewall, the connection is blocked. To continue:• If you want to ping between a private and a public IP address, add a rule on the NAT

Rules tab to translate the IP address as explained in the next section.• If you do not want to create NAT rules now, proceed to Installing the Policy, on

page 151.

Note – Multi-Link Load balancing requires additional configuration and a specific type of NAT rule. Search for “Outbound Traffic Management” in the Online Help or in the Administrator’s Guide PDF for information on these additional steps.

Adding a NAT Rule for the Example Ping Rule

To add a NAT rule

Illustration 10.36 Adding the First NAT Rule

Illustration 10.37 Filling the Source, Destination, and Service

1. Switch to the NAT Rules tab.

2. Double-click the green row.

2. Right-click to Set to ANY. 3. Drag and drop the ICMP Ping Service.

4. Double-click the empty cell in the NAT column.

1. Drag and drop the Host element you created.


Illustration 10.38 Network Address Translation Options

The NAT rule is now finished. Again, there is no need to specify that the destination address in the reply packets must be translated back to the test host’s private IP address. This return translation is done automatically. The static translation used in this rule is only practical for a small number of hosts. Dynamic translation is more suitable for a large number of translations, such as for Internet access for the whole office network. Next, move on to Installing the Policy, on page 151.

Installing the Policy

To Install the firewall policy

Illustration 10.39

1. Select Static as the Translation Type.

Original IP address is the contents of the Source cell in the NAT rule, since we are defining source address translation.

3. Click OK.

2.Click Address and type in the public IP address of the test host.

Click the Save and Install icon in the toolbar when you are finished to save the new rule and transfer changes to the firewall.


Illustration 10.40 Policy Install

Continue as discussed in Moving On, on page 153.

1. Select the correct Firewall.

2. Click the Add button.

3. Click OK.


Moving OnAfter a successful policy installation on Firewall engines or configuration installation on SOHO Firewall engines, your system is ready to process traffic. You can control the firewalls using the right-click menu as shown in Illustration 10.41.

To check system status and issue commands to firewalls

Illustration 10.41 Right-Click Menu For Nodes - Commands

3. Use the Commands submenu to command engines Online/Offline. Only nodes in Online mode process traffic.Depending on the selection in the Status tree, you can give commands individually for each node, for a selected group of nodes, for a whole cluster, or several firewalls at once.

2. Check the status of the firewalls and SMC in the Status tab.You can select a firewall or server to view more information about it in the Info tab.

1. Switch to the System Status view.

Moving On 153

Illustration 10.42 Right-Click Menu for the Firewall

This concludes the configuration instructions in this Installation Guide. To continue setting up your system, consult the Online Help (or the Administrator’s Guide PDF), particularly the Introduction to StoneGate in the Getting Started section.You can access the Online Help by pressing the F1 key, by selecting Help→Help Topics in the main menu or by clicking the Help button in a dialog. Depending on which window is currently active, you see either a help topic that is related to the current window or the front page of the help system.

In Properties, you can change Interface settings and many other settings for the selected firewalls.

Turn on Status Surveillance if you want to receive alerts when the status of the Firewall changes.

Use Monitoring menu, for example, to view Logs pre-filtered to entries generated by the selected firewalls.

In Current Policy you can check current firewall policy and refresh changes.


Illustration 10.43 Online Help

See instructions for setting up and customizing the firewall.The top-level “book” icons open with a double-click.

Moving On 155

Maintenance

CHAPTER 11 Upgrading and Updating

When there is a new version of the StoneGate Management Center or the firewall engine software, you should upgrade as soon as possible. You can download the new version and generate licenses for it if needed at the Stonesoft website as explained below.


Getting Started with Upgrading StoneGate, on page 160 Upgrading or Generating Licenses, on page 162 Upgrading the Management Center, on page 166 Upgrading Engines Remotely, on page 168 Upgrading Engines Locally, on page 171 Changing IP Addressing, on page 175

159

Getting Started with Upgrading StoneGateYou can upgrade Management Center components as well as the firewall engines without uninstalling the previous version. The firewall engines may be upgraded locally or remotely. Only remote upgrades are supported for SOHO Firewall engines.You can configure the Management Server to automatically check for new updates and engine upgrades and inform you of them. See the Online Help for more information.During a Firewall cluster upgrade, it is possible to have the upgraded nodes online and operational side by side with the older version nodes. For full functionality, all nodes should be upgraded to the same version as soon as possible. Also, you can change the hardware of the nodes one by one while the other nodes handle the traffic.It is important to upgrade the Management Center components before upgrading the engines, because the old Management Center version may not be able to recognize the new version engines and generate a valid configuration for them. Older versions of engines can be controlled by newer Management Center versions. See the Release Notes for possible version-specific restrictions.

Caution – All the Management Center components (Management Server, Management Client, Log Server, and the optional Monitoring Server and Monitoring Client) must use the same software version.

If you also want to change the component’s IP addressing, see Changing IP Addressing, on page 175 for more information. For more detailed instructions, see the Online Help.Proceed to the Configuration Overview to begin with the configuration.

Configuration OverviewThe upgrade procedure is the same for StoneGate Firewall/VPN and IPS systems:1. Check the latest known issues list on the Stonesoft website for the version you

are about to install at http://www.stonesoft.com/en/support/technical_support_and_documents/.

2. Obtain the installation files at https://my.stonesoft.com/download/ and check the installation file integrity (see Checking File Integrity, on page 161).

3. If you downloaded the installation files as .iso image files, create the installation CD-ROMs from the files with a CD-burning application that can correctly read and burn the CD-structure stored in the .iso images. If the end result is a CD-ROM file with the original .iso file on it, the CD-ROM cannot be used for installation.

4. Read the release notes for the new version you are about to install. They can be found at the Stonesoft website (at http://www.stonesoft.com/en/support/technical_support_and_documents/).

160 Chapter 11: Upgrading and Updating

http://www.stonesoft.com/en/support/technical_support_and_documents/





5. (If automatic updates have not been configured for licenses) Update the licenses (see Upgrading or Generating Licenses, on page 162). See the Online Help for information on configuring automatic updates for licenses.

6. Upgrade the Management Server, the Log Servers, and the Monitoring Servers (if any) (see Upgrading the Management Center, on page 166). The operation of StoneGate Firewall engines is not interrupted even if the Management Center is offline.

7. Upgrade the Management Clients and the Monitoring Clients (if any) (see Distributing StoneGate Clients Through Web Start, on page 47).

8. Upgrade the firewall engines one by one. Confirm that the upgraded engine operates normally before upgrading the next engine (see Upgrading Engines Remotely, on page 168 or Upgrading Engines Locally, on page 171).

9. Check if there are new dynamic update packages available and import and activate them (see Installing Dynamic Updates, on page 40).

Checking File IntegrityBefore installing StoneGate, check the installation file integrity using the MD5 or SHA-1 file checksums. The checksums are on the StoneGate installation CD-ROM and on the product-specific download pages at the Stonesoft website at http://www.stonesoft.com/download/. For more information on MD5 and SHA-1, see RFC1321 and RFC3174, respectively. The RFCs can be obtained from http://www.rfc-editor.org/.Windows does not have MD5 or SHA-1 checksum programs by default, but there are several third-party programs available. If you plan to upgrade the engine locally from a .zip file, you can run the check on the engine when you import the upgrade file (see Upgrading From an Archive File, on page 173).

To check MD5 or SHA-1 file checksum1. Obtain the checksum files from the Stonesoft website at http://

www.stonesoft.com/download/.2. Change to the directory that contains the file(s) to be checked.3. Generate a checksum of the file using the command md5sum filename or

sha1sum filename, where filename is the name of the installation file.

Illustration 11.1 Checking the File Checksums

4. Compare the displayed output to the checksum on the website.

Caution – Do not use files that have invalid checksums.

$ md5sum sg_engine_1.0.0.1000.iso869aecd7dc39321aa2e0cfaf7fafdb8f sg_engine_1.0.0.1000.iso

Getting Started with Upgrading StoneGate 161



http://www.rfc-editor.org/

http://www.rfc-editor.org/



Create the installation CD-ROM for the Management Center and possibly the engines with a CD-burning application that can correctly read and burn the CD-structure stored in the .iso images. Then proceed to Upgrading or Generating Licenses. If you are absolutely sure you do not need to upgrade your licenses, proceed to Upgrading the Management Center, on page 166.

Upgrading or Generating LicensesWhen you installed StoneGate for the first time, you installed licenses that work with all versions of StoneGate up to that particular version. If the first two numbers in the old and the new version are the same, the upgrade can be done without upgrading licenses (for example, when upgrading from 1.2.3 to 1.2.4). When either of the first two numbers in the old version and the new version are different, you must first upgrade your licenses (for example, when upgrading from 1.2.3 to 1.3.0). You can either upgrade the licenses at the Stonesoft website or configure in the Management Client that the licenses are regenerated and installed automatically. See the Online Help for information on upgrading the licenses automatically.If you are simultaneously installing new StoneGate components that you have not previously licensed, or if you want to change the IP address for an IP address bound license, you must also generate new licenses.SOHO Firewall engines do not have separate licenses. You can add SOHO Firewalls to your system if your current Management Server license allows you to configure new engines. One engine licensing unit allows a maximum of five SOHO Firewall elements or one engine element of any other type.If you do not need to upgrade licenses or create new ones, proceed to Upgrading the Management Center, on page 166.If you need new licenses:• Proceed to Upgrading Licenses Under Multiple Proof Codes, on page 164 to upgrade

one or more licenses at once.• Proceed to Upgrading Licenses Under One Proof Code, on page 164 to upgrade the

licenses one by one.• Proceed to Generating a New License to generate a completely new license.

Generating a New LicenseYou generate the licenses at the Stonesoft website based on your proof-of-license (POL, for software, included in the order confirmation message sent by Stonesoft) or proof-of-serial number (POS, for appliances, printed on a label attached to the appliance hardware). Evaluation licenses are also available at the website.Generated licenses are always for the newest software version you are entitled to, but you can use them with older versions as well.If you are licensing several components of the same type, remember to generate one license for each (it may be more convenient to use the multi-upgrade feature, see Upgrading Licenses Under Multiple Proof Codes, on page 164).


There are two types of licenses that you can generate:• IP-address-bound licenses: For all Management Center components and optionally

engines with non-dynamic control IP addresses. If you want to change the IP address the license is bound to, you need to fill in a request at the licensing website.

• Management-bound licenses: For Firewall and IPS engines (bound to the proof-of- license of the Management Server). These licenses can be switched from one engine to another if you delete the previous element it was bound to or re-license it and refresh its policy.

Note – Management-bound licenses can only be imported to Management Server version 3.0 or newer. If necessary, upgrade your Management Server before importing the engine licenses.

To generate a new license1. Take your Web browser to www.stonesoft.com/license/.2. Enter the required code (proof-of-license or proof-of-serial number) to the correct

field and click Submit. The license page opens.3. Click Register. The license generation page opens.4. Read the directions on the page and fill in (at least) the required fields.5. Enter the IP addresses of the Management Center components you want to

license (if any). The license is bound to the IP address you give, and you will have to return to the licensing page if you need to change the IP address.

6. Enter the Management Server’s proof-of-license code (or the engine’s IP address) for the engines you want to license (if any).

7. Click Submit Request. The license file is sent to you in a moment, and also becomes downloadable in the License Center.

Note – Evaluation license orders or requests for an IP address change of an existing license may need manual processing. See the license page for current delivery times and details.

Proceed to Installing Licenses, on page 165.



Upgrading Licenses Under One Proof CodeA license file generated under one POL or POS code contains the license information for several components. You can also always use the multi-upgrade form to upgrade the licenses (see Upgrading Licenses Under Multiple Proof Codes, on page 164).

To generate a new license1. Take your Web browser to www.stonesoft.com/license/.2. Enter the required code (proof-of-license or proof-of-serial number) in the correct

field and click Submit. The license page opens.3. Click Update. The license upgrade page opens.4. Follow the directions on the page that opens to upgrade the license.Repeat for other licenses. When done, proceed to Installing Licenses, on page 165.

Upgrading Licenses Under Multiple Proof CodesIf you have several existing licenses with different POL or POS codes that you need to upgrade, you can make the work easier by generating the new licenses all at once.• With any version of the Management Center, you can generate the new licenses by

selecting StoneGate multi-upgrade on the licensing website and copy-pasting the POL or POS codes (from the Management Client, e-mail, or elsewhere) directly in the field reserved for this on the Upgrade Multiple StoneGate Licenses page. Proceed to Installing Licenses, on page 165 after doing this.

• With Management Center version 3.2 or newer, you can generate a text file by exporting information on licenses from the Management Client and import the text file to the licensing website as explained below.

To upgrade multiple licenses1. Click the Configuration button.2. Expand the Administration tree and navigate to the type of Licenses you want to

upgrade, or to All Licenses.3. Ctrl-select or Shift-select the licenses you want to upgrade.

Illustration 11.2 Exporting License Information

Select one or more licenses for elements of any type.

Right-click to export.



4. Right-click one of the selected items and select Export License Info from the menu that opens. A file save dialog opens.

5. Select a location and type in a name for the file. The default file ending is .req, but you may change this to something else if required.

6. Click Save. The license information is exported to the file you specified and a message pops up.

7. (Optional) Click Yes in the message to launch the Stonesoft License Center website’s multi-upgrade form in the default Web browser of your system.

8. Upload the license file to the Stonesoft License Center website using the multi-upgrade form, and submit the form with the required details. The upgraded licenses are sent to you.

You can view and download your current licenses at the license website (log in by entering the proof-of-license or proof-of-serial number code at the License Center main page).After receiving the new licenses, proceed to Installing Licenses.

Installing LicensesAfter you have generated a license file (Generating a New License, on page 162), you import the license file into the Management Center.

To install StoneGate licenses1. Click the Configuration button.2. Expand the Administration tree and navigate to Licenses.3. If the firewall or IPS engine(s) you want to re-license have a management bound

license, unbind the previous license by right-clicking the license or the engine and selecting Unbind from the menu that opens.

4. Import the licenses from a .jar license file by selecting File→System Tools→Install Licenses from the menu.

5. Select a license file and click Install. The licenses are imported and activated.

Illustration 11.3 Binding a Dynamic License

6. You need to bind each license to a specific engine if your engine licenses are management bound (i.e., tied to the Management Server’s proof-of-license).


6.1 Right-click the license and select Bind. The Select License Binding dialog opens.

6.2 Select the correct engine from the list and click Select to bind the license to this element. The license is now bound to the selected element.

6.3 If you made a mistake, unbind the license by right-clicking it and selecting Unbind.

Caution – When you upload a policy on the engine, the license is permanently bound to that engine. Such licenses cannot be re-bound to some other engine without re-licensing or deleting the engine element it is bound to in the Management Client. When unbound, such a license is shown as Retained.

7. Check the displayed license information, and that all the components you meant to license have disappeared from the Unlicensed Components folder.

8. You can leave the old licenses as they are, but if you so wish, you can remove them by right-clicking them and selecting Delete from the menu that opens.

If you are upgrading your system, proceed to Upgrading the Management Center.

Upgrading the Management CenterThis section provides an outline that should be sufficient in most cases. For more detailed instructions on how to upgrade the StoneGate Management Center, refer to the Management Center installation process described in Installing the Management Center, on page 23.There is no need to uninstall the previous version. The installer will detect the components that need to be upgraded. When upgrading from an older version, you may need to do an intermediate upgrade before upgrading to the most recent version. See the Release Notes for more information.It is possible to revert automatically to the previous installation, if the Management Center upgrade fails for some reason.We recommend that you backup the Management Server before upgrading it. You are also prompted for making an automatic backup of the Management Server data during the upgrade process. For more information on backing up StoneGate, refer to the Online Help.Before you start the installation, stop the previously installed Management Center components running on the target machine.

To upgrade StoneGate Management Center components1. Check that the StoneGate Management Server and Log Server processes or

services have stopped and that the Management Client is not running on the machine.

2. Insert the StoneGate installation CD-ROM and run the install executable. The License Agreement is shown.


3. Read and accept the License Agreement to continue with the installation.

Illustration 11.4 Defining the Installation Directory

Illustration 11.5 Selecting the Components for Upgrade

4. When upgrading the Management Server, you are prompted to back up the current Management Server data as a precaution. Select Yes to back up the Management Server data to the <installation directory>/backups/ directory.

Caution – If you are working on a Windows system and you run any StoneGate component as a service, make sure the Services window is closed before you complete the next step.

5. Check the pre-installation summary and click Install to continue. The upgrade begins.

Installation directory is detected automatically.

All installed components must be upgraded at the same time. You can add more components, if you wish (in that case, see Installing the Management Center, on page 23 for installation instructions).

You can automatically revert to the previously installed version if there are problems with the upgrade.

Upgrading the Management Center 167

• If any system components change in the upgrade, you will be notified of the changes at the end of the upgrade. Click the link(s) in the notification to view the report(s) of system changes in your Web browser.

6. When the upgrade is complete, click Done to close the window. You may have to reboot before you can start the upgraded components.

All Management Clients and Monitoring Clients (if used) must also be upgraded to the new version:• If administrators have Management Clients or Monitoring Clients that were installed

locally, they must be upgraded in the same way as explained above.• If you are distributing Web Start Management Clients from an external server, install

a new Web Start package in the same way as the original installation was made, see Distributing StoneGate Clients Through Web Start, on page 47.

• If you are distributing Web Start clients from the SMC servers, there is no need for a separate update. The local client installations are upgraded automatically when the administrators launch the clients after the SMC servers are upgraded.

The Management Center upgrade is complete. If you are installing new engine versions as well, proceed to Upgrading Engines Remotely or Upgrading Engines Locally, on page 171.

Upgrading Engines RemotelyAll StoneGate firewall engines including SOHO Firewall engines can be upgraded from the Management Server remotely. During a Firewall cluster upgrade process, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.The remote upgrade has two separate parts, transfer and activation. You can choose to do both parts consecutively, or you can choose to transfer the configuration now and then launch a separate task for the activation at a later time. You can also create a scheduled Task for the remote upgrade as instructed in the Online Help.You can set up the Management Server to check periodically for engine upgrades on the Stonesoft website and to inform you of the engine upgrades. You can also configure that the engine upgrades are automatically downloaded. See the Online Help for more information.

Caution – If you are upgrading a Firewall cluster, all the nodes must be together online between upgrading individual nodes. Do not command another node offline before the upgraded node is back online.

Before upgrading, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity, on page 161.If you have not configured the engine upgrade files to be downloaded automatically, you must first import the engine upgrade file in the system. If the file is already in the system, proceed to Upgrading the Engine below.


To manually import the upgrade file1. If you have not configured automatic remote upgrades for engines, select

File→Import→Import Engine Upgrades. The StoneGate Engine Upgrades File Browser dialog opens.

2. Select the engine upgrade (sg_engine_version_platform.zip file) from the installation CD-ROM and click Import. • The engine upgrade is imported to the <installation directory>/data/engineupgrades/ directory on your Management Server.

Upgrading the Engine

To command a node offline for the upgrade

Illustration 11.6 Commanding Node Offline for Upgrade

2. If you want to activate the new version now (and not just transfer it), right-click the node you want to upgrade and select Commands→Go Offline from the menu that opens.

1. Click the System Status button.

Upgrading Engines Remotely 169

To start the upgrade

Illustration 11.7 Starting Upgrade Process

To select remote upgrade task options

Illustration 11.8 Remote Upgrade

Caution – Do not activate the new configuration simultaneously on all the nodes of a Firewall cluster. Activate the new configuration one node at a time.

When you have made the selections, click OK. A new tab opens showing the progress of the upgrade. The time it takes to upgrade the node varies depending on the performance of your machine and the network environment.

Right-click the node and select Upgrade Software from the menu that opens.

1. Select whether you want to just transfer the new software and activate it later, or whether you want to do both now.

2. Check the node selection and modify, if necessary.

3. Check the Engine Version for the upgrade and change it, if necessary.


If you chose to activate the new configuration, once the engine is successfully upgraded, the machine is automatically rebooted and the upgraded engine is brought up to offline state.

To finish the upgradeWhen upgrade is ready, right-click the upgraded node and select Commands→Go Online to command the node online.

If you are upgrading a Firewall cluster, begin the upgrade on the next node only after the upgraded node is back online. StoneGate operates normally with two different versions of the engines online during the upgrade.

Note – The engines have two partitions. When an engine is upgraded, the inactive partition is used. When the upgrade is finished, the active partition is switched. The earlier configuration is kept on the inactive partition. You can use the sg-toggle-active command to change the active partition or to downgrade to the previous engine version. See Command Line Tools, on page 185 for more information.

Proceed to check for new dynamic updates and import and activate them as explained in Installing Dynamic Updates, on page 40.

Upgrading Engines Local lyIn addition to upgrading the firewall engines remotely from the Management Server, it is possible to upgrade the engines locally at the site as described in this section. During a firewall cluster upgrade process, it is possible to have the upgraded nodes online and operational side by side with the older version nodes.

Caution – If you are upgrading a firewall cluster, always upgrade the nodes one by one and make sure each upgraded node is online before commanding the next node offline for the upgrade.

SOHO Firewalls cannot be upgraded locally. To upgrade a SOHO Firewall engine, see Upgrading Engines Remotely, on page 168.Proceed to:• Upgrading From an Engine Installation CD-ROM if the hardware has a CD-ROM drive

(a USB CD-ROM drive can be used) and you have a full StoneGate installation CD shipped by Stonesoft or that you have created from an .iso image file.

• Upgrading From an Archive File if you want to upgrade from a .zip archive file on a USB stick or on a CD-ROM.


Upgrading From an Engine Installation CD-ROMFollow the procedure below to upgrade StoneGate engines to the latest version locally from a CD-ROM that you have created from an .iso image downloaded from the Stonesoft website or shipped to you by Stonesoft.

To upgrade the firewall locally from an installation CD-ROM1. (Optional) Log in to the node as root with the password set for the engine (you

can set the password through the Management Client).2. Insert the StoneGate engine installation CD-ROM into the engine’s CD-ROM

drive.3. There are two ways to upgrade the node:

• Normal upgrade: type the command sg-upgrade to start the upgrade process. Continue in Step 8.

• Upgrade with configuration options: reboot the node from the CD-ROM with the command reboot (recommended) or by cycling the power (if you cannot log in). The upgrade uses the Installation Wizard. Continue in Step 4.

Illustration 11.9 Upgrade Options

4. If the node is rebooted from the CD-ROM, choose one of these four options:• Upgrade existing installation: choose this option to upgrade the previous

installation to a new version. This option is recommended for most upgrades.• Re-install using configuration from existing installation: choose this option to

re-install the engine with the existing settings.• Full re-install: choose this option to reinstall the engine completely by removing

the engine’s current configuration. This clears all settings, including the password and the network card settings. You must configure the engine in the same way as after the first installation: refer to Configuring the Engine, on page 117 for instructions on how to make the engine operational again.

• Full re-install in expert mode: choose this option to re-install the engine in expert mode by removing the engine’s current configuration. This clears all settings, including the password and the network card settings. You must configure the engine in the same way as after the first installation: refer to Configuring the Engine, on page 117 for instructions on how to make the engine operational again.

5. Select 1 to upgrade the previous installation and press ENTER to continue. The upgrade process starts.


Illustration 11.10 Upgrading Engine

6. When the process is finished, remove the CD-ROM from the CD-ROM drive and press ENTER to reboot.

7. If the Configuration Wizard opens, configure the engine in the same way as after the first installation: refer to Configuring the Engine, on page 117 for instructions on how to make the engine operational again.

8. In the Management Client, right-click the upgraded node and select Go Online to command the node online. The node can also be brought online with the command sg-cluster online on the node.

9. If you are upgrading a Firewall cluster, start the upgrade on the next firewall node only after the upgraded node is brought online and operational. StoneGate can operate normally with two different versions of the firewall engines online during the upgrade. Prolonged use with mismatching versions is not recommended.


Check for new dynamic updates and import and activate them as explained in Installing Dynamic Updates, on page 40.

Upgrading From an Archive FileFollow the instructions below, if you do not want to use the remote upgrade, but you want to use a .zip archive to upgrade the firewall software.

To upgrade the engine locally from an archive file1. Log in to the node as root with the password set for the engine (you can set the

password through the Management Client).2. Insert the USB stick or the CD-ROM.3. Run the command sg-reconfigure. The engine Configuration Wizard opens.4. Select Upgrade using the arrow keys and press ENTER.


Illustration 11.11 Upgrade StoneGate Engine

5. Select the correct device where the upgrade file is located.

Illustration 11.12 Engine Image Verification (optional)

6. (Optional) You can calculate the checksum at this stage, if you have not done so already by selecting Calculate SHA1. The calculation will take some time. The calculated checksum must be identical to the one from the .zip file.

Caution – Do not use files that have invalid checksums. Select Cancel, if the checksum does not match and acquire a new copy of the upgrade file.

7. Select Ok. The software is upgraded.8. When prompted, press ENTER. The firewall reboots to the new version.



Changing IP AddressingThe following instructions explain how you can change IP addresses without losing management connectivity. When you change IP addressing, other connections between the different components may be temporarily lost. Make sure that the connections return to normal after the IP address changes.

Note – If you do not mind losing management connectivity, you can change IP addressing by running the sg-reconfigure command on the engine command line to return the engine to the initial configuration state and to re-establish initial contact between the engine and the Management Server. See the Online Help for more information.

See the following sections:• Changing the Management Server’s IP Address, on page 175• Changing the Log Server’s IP Address, on page 176• Changing IP Addresses if the Management Server and the Log Server Run on the

Same Machine, on page 176

Changing the Management Server’s IP AddressThis section explains how to change the Management Server’s IP address if the Management Server and the Log Server are on different machines. If your Management Server and Log Server are on the same machine, see Changing IP Addresses if the Management Server and the Log Server Run on the Same Machine, on page 176.

Note – If your firewall policies do not use the Default template, check that they allow all the necessary connections.

To change the Management Server’s IP address1. Request an IP address change for your Management Server license at the

Stonesoft License Center (see Upgrading or Generating Licenses, on page 162).2. For firewalls only: Edit your firewall policies and add Access rules (and possibly

NAT rules) that allow policy upload connections from the new Management Server IP address to the firewall.• The services needed for the communications between the different StoneGate

components are explained in StoneGate-Specific Ports, on page 201.3. Run the sgChangeMgtIPOnMgtSrv script on the Management Server (see

Command Line Tools, on page 185.4. Run the sgChangeMgtIPOnLogSrv script on all the Log Servers (see Command

Line Tools, on page 185).5. For firewalls only: Remove the rules that you created in Step 2. After running the

IP change scripts, the Alias elements in the inherited rules point to the right IP addresses, so the rules have become useless.


Changing the Log Server’s IP AddressWhen you change the Log Server’s IP address, the traffic between the Log Server and the engines is interrupted but the logs are spooled on the engines. Changing the IP address may also mean that the transfer of engine status and statistics information is temporarily interrupted.

To change the Log Server’s IP address1. Request an IP address change for your Log Server license at the Stonesoft

License center (see Upgrading or Generating Licenses, on page 162).2. Open the <installation directory>/data/LogServerConfiguration.txt

file on the Log Server and update the IP address information.3. Open the Log Server properties and update the IP address.4. Refresh the policies on the engines to transfer the changed IP address

information to them.

Changing IP Addresses if the Management Server and the Log Server Run on the Same MachineThis section explains how to change the Management Server’s IP address if the Management Server and the Log Server are on the same machine. If your Management Server and Log Server are on separate machines, see Changing the Management Server’s IP Address, on page 175 and Changing the Log Server’s IP Address, on page 176.When you change the Log Server’s IP address, the traffic between the Log Server and the engines is interrupted but the logs are spooled on the engines. Changing the IP address may also mean that the transfer of engine status and statistics information is temporarily interrupted.

Note – If your firewall policies do not use the Default template, check that they allow all the necessary connections.

To change IP Addresses if the Management Server and Log Server run on the same machine

1. Request an IP address change for your Management Server and Log Server licenses at the Stonesoft License Center (see Upgrading or Generating Licenses, on page 162).

2. For firewalls only: Edit your firewall policies and Access rules (and possibly NAT rules) that allow policy upload connections from the new IP addresses to the firewall.• The services needed for the communications between the different StoneGate

components are explained in StoneGate-Specific Ports, on page 201.3. Run the sgChangeMgtIPOnMgtSrv script on the Management Server (see

Command Line Tools, on page 185).


4. Run the sgChangeMgtIPOnLogSrv script on the Log Server (see Command Line Tools, on page 185).

5. Open the <installation directory>/data/LogServerConfiguration.txt file on the Log Server and update the IP address information.

6. Open the Log Server properties and update the IP address.7. For firewalls only: Remove the rules that you created in Step 2. After running the

IP change scripts, the Alias elements in the inherited rules point to the right IP addresses, so the rules have become useless.


CHAPTER 12 Uninstalling StoneGate

This chapter instructs how to uninstall the StoneGate software.


Uninstalling the Management Center, on page 180 Uninstalling the Engines, on page 181

179

Uninstal l ing the Management CenterThe Management Client uses a “.stonegate” directory in the user’s home directory in the operating system. The directory contains the Management Client configuration files. These files are not automatically deleted but can be removed manually after the uninstallation.

Uninstalling in WindowsIt is not possible to uninstall components one by one. If you have several Management Center components installed on the same computer, they are always all uninstalled.

To uninstall in graphical mode1. Stop the Management Center components on the machine before you uninstall

StoneGate.2. Go to Start→Control Panel→Programs and Features (or

Start→Settings→Control Panel→Add/Remove Programs in Windows XP) or alternatively run the <installation directory>\uninstall\uninstall.bat script.

3. In the window that opens, right-click StoneGate and in the menu that opens, select Uninstall.

Illustration 12.1 Uninstall StoneGate Management Center

4. Click Uninstall. All installed components are uninstalled..

To uninstall in non-graphical mode1. Run the uninstall script

“<installation directory>\uninstall\uninstall.bat -nodisplay”.

180 Chapter 12: Uninstalling StoneGate

Uninstalling in Linux

To uninstall in graphical mode1. Stop the Management Center components on the machine before you uninstall

StoneGate.2. Run the <installation directory>/uninstall/uninstall.sh script.

To uninstall in non-graphical mode• Run the uninstall script

“. <installation directory>/uninstall/uninstall.sh -nodisplay”.The sgadmin account is deleted during the uninstallation.

Uninstal l ing the EnginesServers on which StoneGate Firewall engines are installed are dedicated to their task as a Firewall/VPN device. To remove StoneGate and transfer your server to other use, you must format the hard disk and install an operating system.

Caution – StoneGate appliances are designed to run only the StoneGate firewall software. Do not attempt to remove the firewall software or install any other software on the appliances. To clear an appliance, use the system restore options in the appliance’s boot menu.

Uninstalling the Engines 181

182 Chapter 12: Uninstalling StoneGate

Appendices

APPENDIX A Command Line Tools

This appendix describes the command line tools for StoneGate Management Center and the engines.


Management Center Commands, on page 186 Engine Commands, on page 194.

185

Management Center CommandsMost of the Management Server and Log Server commands are found in the <installation directory>/bin/ directory. In Windows, the command line tools are *.bat script files. In Linux and Unix, the files are *.sh scripts.

Note – Using the Management Client is the recommended configuration method, as most of the same tasks can be done through it.

The command for post-processing report files is in the <installation directory>/data/reports/bin/ directory. It runs the sgPostProcessReport.bat (in Windows) or .sh script (in Linux/Unix) on the Management Server.

TABLE A.1 Management Center Command Line Tools

Command Description

sgArchiveExport i=INPUT_FILEpass=PASSWORD [ e=FILTER_EXPRESSION ] [ f=FILTER_FILE ] [ format=CSV|XML ] [ host=ADDRESS ] [ login=LOGIN_NAME ] [ o=OUTPUT_FILE ] [ -v ] [ -h ]

Displays or exports logs from the log archive files. This command is available only on the Log Server.Enclose the file and filter names in double quotes if they contain spaces.i=INPUT_FILE parameter defines the source archive from which the logs will be exported.pass=PASSWORD parameter defines the password for the user account used for this export.e=FILTER_EXPRESSION parameter defines the filter that you want to use for filtering the log data for exporting. Type the name as shown in the Management Client. f=FILTER_FILE parameter defines the StoneGate filter exported to a file that you want to use for filtering the log data for exporting.format=[CSV|XML] parameter defines the file format for the output file. If this parameter is not defined, the XML format is used.host=ADDRESS parameter defines the address of the Management Server used for checking the login information. If this parameter is not defined, Management Server is expected to be on the same host where the script is run.login=LOGIN_NAME parameter defines the username for the account that is used for this export. If this parameter is not defined, the username root is used.o=OUTPUT_FILE parameter defines the destination file where the logs will be exported. If this parameter is not defined, the output is displayed on screen.-h option displays information on using the script.-v option displays verbose output on the command execution.

186 Appendix A: Command Line Tools

sgBackupLogSrv

Creates a backup of Log Server configuration data. The backup file is stored in the <installation directory>/backups/ directory. You can restore the backup using the sgRestoreLogBackup command. When creating or restoring the backup, twice the size of log database is required on the destination drive. Otherwise, the backup or restoration process fails.

sgBackupMgtSrv

Creates a backup of all Management Server configuration and database data. The backup file is stored in the <installation directory>/backups/ directory. You can restore the entire backup (the Management Server database and/or configuration files) using the sgRestoreMgtBackup command. You can restore just the Management Server database using the sgRecoverMgtDatabase command.When creating or restoring the backup, twice the size of the Management Server database is required on the destination drive. Otherwise, the backup or restoration process fails.

sgCertifyLogSrv

Certifies the Log Server on the Management Server. The certificate is required to allow secure communication between the Log Server and the Management Server.As long as the new certificate is issued by a trusted certificate authority, renewing the certificate does not require changing the configuration of any other system components.

sgCertifyMgtSrv

Recreates the Management Server’s certificate. The Management Server certificate is required for secure communications between the StoneGate system components, as well as for the VPN connections that use the certificate authentication.As long as the new certificate is issued by a trusted certificate authority, renewing the certificate does not require changing the configuration of any other system components.

sgCertifyMonitoringServer

Certifies the Monitoring Server on the Management Server. The certificate is required to allow secure communication between the Monitoring Server and the Management Server.As long as the new certificate is issued by a trusted certificate authority, renewing the certificate does not require changing the configuration of any other system components.

TABLE A.1 Management Center Command Line Tools (Continued)

Command Description

Management Center Commands 187

sgChangeMgtIPOnLogSrv NEW_IP_ADDR

Changes the Management Server’s IP address on the Log Server. Use this command to configure a new Management Server’s IP address on the Log Server. Restart the Log Server after this command.NEW_IP_ADDR is the new Management Server’s IP address.

sgChangeMgtIPOnMgtSrv NEW_IP_ADDR

Changes the Management Server’s IP address. Use this command when you want to change the Management Server’s IP address to reflect changes made in the operating system. Restart the Management Server after this command. NEW_IP_ADDR is the new Management Server’s IP address

sgClient Starts the StoneGate Management Client.

sgCreateAdminCreates a superuser administrator account. The Management Server needs to be stopped before running this command.

sgDeleteElement[-host=MANAGEMENT_SERVER_ADDRESS][-user=LOGIN_NAME][-password=PASSWORD][-name=ELEMENT_TO_DELETE][-multiple=DELETE_ALL_MATCHES][-type=TYPE_OF_OBJECT][-listType=ALLOWED_OBJECT_TYPE][ -h ]

Deletes elements from the Management Server database. Run the command without arguments to see usage instructions.host=MANAGEMENT_SERVER_ADDRESS parameter defines the address of the Management Server from whose database the element(s) are deleted. If this parameter is not defined, the default address 127.0.0.1 is used for the operation.user=LOGIN_NAME parameter defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.password=PASSWORD parameter defines the password for the user account used for this operation.name=ELEMENT_TO_DELETE parameter defines the name of the element(s) to be deleted. Be default, only the first matching element is deleted.multiple=DELETE_ALL_MATCHES option defines that all the elements matching the value(s) set for the selected parameter(s) (for example, the name parameter) are deleted.type=TYPE_OF_OBJECT parameter defines the Type of the element(s) to be deleted.listType=ALLOWED_OBJECT_TYPE option lists the values that may be used with the type parameter.-h option displays information on using the script.


Command Description


sgExport [-host=host] -login=login name -password=password -file=file path and name -type= <all|nw|ips|sv|pa|rb|al>

[-recursion] [-name= <Element Name 1, Element Name 2, ...>]

Exports StoneGate Management Server database elements from an XML file. Run the command without arguments to see usage instructions.The optional Host parameter specifies the address of the host that holds or will hold the import file. If no specific host address is given, the host where the script is executed is used for the operation.Login and password can be for any valid Administrator account.The type parameter specifies which types of elements are included in the export file: all=all exportable elements, nw=network elements, ips=IPS elements sv=services, pa=protocol agents, rb=security policies, al=alerts.The optional recursion parameter includes referenced elements in the export, for example, the network elements used in a policy that you export.The optional name parameter allows you to specify by name the element(s) that you want to export.

sgHA [host=host] login=login name password=password [-h|--help] [-set-active] [-set-standby][-force-active][-sync]

Switches between the active and the standby management servers.-h | --help options display the help message.-set-active option sets a standby management server as the active management server, sets the formerly active management server as a standby management server, and synchronizes the database between them.-set-standby option sets the active management server as a standby management server.-force-active option sets a standby management server as the active management server without synchronizing the database with the formerly active management server.-sync option functions differently on a standby management server and an active management server. If you run it on an active management server, it replicates the active database to every standby management server that does not have the Disable Database Replication option selected in its properties. If you run it on a standby management server, it replicates the active database from the active management server only to this standby management server (regardless of whether the Disable Database Replication option is or is not selected in the standby management server’s properties).


Command Description


sgImport [host=host] login=login name password=password file=file path and name

Imports StoneGate Management Server database elements from an XML file. Run the command without arguments to see usage instructions.The optional Host parameter specifies the address of the host that holds or will hold the import file. If no specific host address is given, the host where the script is executed is used for the operation.Login and password can be for any valid Administrator account.When importing, existing (non-default) elements are overwritten, unless the element types mismatch.

sgImportExportUser [host=host] login=login name pass=password action=[import|export] file=file path and name

Imports and exports a list of Users and User Groups in an LDIF file from/to the Management Server’s internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate).Host specifies the address of the host that holds or will hold the LDIF file. If no specific host address is given, the host where the script is executed is used for the operation.Example: sgImportExportUser login=ricky pass=abc123 action=export file=c:\temp\exportedusers.ldif

The user information in the export file is stored as plaintext. Handle the file securely.

sgInfo

Creates a ZIP file that contains copies of configuration files and the system trace files containing logs on problem situations. The ZIP file is stored in the user’s home directory. The file location is displayed on the last line of screen output. Provide the generated file to Stonesoft support for troubleshooting purposes.

sgReinitializeLogServerRecreates the Log Server configuration if the configuration file has been lost.


Command Description


sgReplicate [-h|--help] [-nodiskcheck] [-backup backupname]-standby-server management-name

Replicates Management Server backup to the Secondary Management Server.-h | --help options display the help message-backup backupname option specifies the location of the backup file. If this is not specified, you are prompted to select the backup file from a list of files found in the backups directory.-nodiskcheck option disables the free disk space check before the backup restoration.-standby-server management-name option specifies the Secondary Management Server on which the backup is replicated.

sgRestoreArchive ARCHIVE_DIR

Restores logs from archive files to the Log Server. This command is available only on the Log Server. ARCHIVE_DIR is the number of the archive directory (0 – 31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.

sgRestoreCertificateRestores the Certificate Authority (CA) or the Management Server certificate from a backup file in the <installation directory>/backups/ directory.

sgRestoreLogBackupRestores the Log Server (logs and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgRestoreMgtBackupRestores the Management Server (database and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

sgShowFingerPrintDisplays the CA certificate’s fingerprint on the Management Server.

sgStartLogDatabaseStarts the Log Server’s database. (The Log Server’s database is started and stopped automatically when starting/stopping the Log Server service.)

sgStartLogSrv Starts the Log Server and its database.


Command Description


sgStartMgtDatabaseStarts the Management Server’s database. (The Management Server’s database is started and stopped automatically when starting/stopping the Management Server service.)

sgStartMgtSrv Starts the Management Server and its database.

sgStartMonitoringServer Starts the Monitoring Server used by the Monitoring Client.

sgStopLogDatabase Stops the Log Server’s database.

sgStopMgtDatabaseStops the Management Server’s database. (The Management Server’s database is started and stopped automatically when starting/stopping the Management Server service.)

sgStopMonitoringServer Stops the Monitoring Server used by the Monitoring Client.

sgStopRemoteMgtSrv [-host HOST] [-port PORTNUM] [-login LOGINNAME] [-pass PASSWORD]

Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server.HOST is the Management Server’s host name if not localhost.PORT is the Management Server’s Management Client port number (by default, 8902).LOGINNAME is a StoneGate administrator account for the login.PASSWORD is the password for the administrator account.


Command Description


sgTextBrowser pass=PASSWORD [ e=FILTER_EXPRESSION ] [ f=FILTER_FILE ] [ format=CSV|XML ] [ host=ADDRESS ] [ login=LOGIN_NAME ] [ o=OUTPUT_FILE ] [ m=current|stored ] [ -v ] [ -h ]

Displays or exports current or stored logs. This command is available only on the Log Server.Enclose the file and filter names in double quotes if they contain spaces.pass=PASSWORD parameter defines the password for the user account used for this operation.e=FILTER_EXPRESSION parameter defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client. f=FILTER_FILE parameter defines the StoneGate filter exported to a file that you want to use for filtering the log data.format=[CSV|XML] parameter defines the file format for the output file. If this parameter is not defined, the XML format is used.host=ADDRESS parameter defines the address of the Management Server used for checking the login information. If this parameter is not defined, Management Server is expected to be on the same host where the script is run.login=LOGIN_NAME parameter defines the username for the account that is used for this export. If this parameter is not defined, the username root is used.o=OUTPUT_FILE parameter defines the destination file where the logs will be exported. If this parameter is not defined, the output is displayed on screen.m=current|stored parameter defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used.-h option displays information on using the script.-v option displays verbose output on the command execution.


Command Description


Engine CommandsStoneGate engine commands can be run from the command line on the firewalls. Engine commands are not supported on SOHO firewalls.

TABLE A.2 StoneGate-specific Command Line Tools on Engines

Command Engine Type Description

sg-blacklist [-i FILENAME] [-f FILENAME] [-v]show |add [src ADDR/MASKLEN] [dst ADDR/MASKLEN][ proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT][dstport PORT[-PORT][duration NUM] |del [src ADDR/MASKLEN] [dst ADDR/MASKLEN][ proto {tcp|udp|icmp|NUM}] [srcport PORT[-PORT][dstport PORT[-PORT][duration NUM] |iddel NODE_ID ID |flush

firewall

Used to manage blacklisting on the engine command line if blacklisting is configured. You must enter one of the commands, as well as any parameters required by the command.-i option takes input to add/delete from a file.-f option only shows entries in one blacklist file.-v option enables verbose mode.show command shows the currently active blacklist entries.add command adds a new blacklist entry with the specified parameters.del command deletes a blacklist entry that contains the specified parameters.iddel NODE_ID ID command deletes a blacklist entry on the specified node number with the specified ID number.flush command clears all blacklist entries.src ADDR/MASKLEN parameter defines the source address to add or delete in the blacklist entry.dst ADDR/MASKLEN parameter defines the destination address to add or delete in the blacklist entry.proto {tcp|udp|icmp|NUM} parameter defines the protocol type and number to add or delete in the blacklist entry.srcport PORT[-PORT] parameter defines the TCP/UDP source port or range to add or delete in the blacklist entry.dstport PORT[-PORT] parameter defines the TCP/UDP destination port or range to add or delete in the blacklist entry.duration NUM parameter defines the duration of the blacklist entry in seconds.


sg-bootconfig[--primary-console=tty0|ttyS PORT,SPEED][--secondary-console= [tty0|ttyS PORT,SPEED]][--flavor=up|smp][--initrd=yes|no][--crashdump=yes|no|Y@X][--append=kernel options][--help]apply

firewall

Can be used to edit boot command parameters for future bootups.--primary-console=tty0|ttyS PORT,SPEED parameter defines the terminal settings for the primary console.--secondary-console= [tty0|ttyS PORT,SPEED] parameter defines the terminal settings for the secondary console.--flavor=up|smp [-kdb] parameter defines whether the kernel is uniprocessor or multiprocessor.--initrd=yes|no parameter defines whether Ramdisk is enabled or disabled.--crashdump=yes|no|Y@X parameter defines whether kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M.--append=kernel options parameter defines any other boot options to add to the configuration.--help parameter displays usage information.apply command applies the specified configuration options.

sg-clear-all firewall

Use this only if you want to return a StoneGate appliance to its factory settings.Clears all configuration from the engine. You must have a serial console connection to the engine to use this command.

TABLE A.2 StoneGate-specific Command Line Tools on Engines (Continued)


Engine Commands 195

sg-cluster[status [-c SECONDS]][online][lock-online][offline][lock-offline][standby]

firewall

Used to display or change the status of the node.status [-c SECONDS] command displays cluster status. When -c SECONDS is used, status is shown continuously with the specified number of seconds between updates.online command sends the node online.lock-online command sends the node online and keeps it online even if another process tries to change its state.offline command sends the node offline.lock-offline command sends the node offline and keeps it offline even if another process tries to change its state.standby command sets an active node to standby.

sg-contact-mgmt firewall

Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure below). The engine contacts the Management Server using the one-time password created when the engine’s initial configuration is saved.

sg-logger -f FACILITY_NUMBER -t TYPE_NUMBER [-e EVENT_NUMBER] [-i "INFO_STRING"][-s] [-h]

firewall

Can be used in scripts to create log messages with the specified properties.-f FACILITY_NUMBER parameter defines the facility for the log message.-t TYPE_NUMBER parameter defines the type for the log message.-e EVENT_NUMBER parameter defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).-i "INFO_STRING" parameter defines the information string for the log message.-s parameter dumps information on option numbers to stdout-h parameter displays usage information.




sg-raid[-status] [-add] [-re-add] [-force] [-help]

firewall

Configures a new hard drive on a StoneGate appliance. This command is only available for StoneGate appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.-status option displays the status of the hard drive.-add options adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.-re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all the arrays.-help option option displays usage information.

sg-reconfigure[--boot][--maybe-contact][--no-shutdown]

firewall

Used for reconfiguring the node manually.--boot option applies bootup behavior. Do not use this option unless you have a specific need to do so.--maybe-contact option contacts the Management Server if requested. This option is only available on firewall engines.--no-shutdown option allows you to make limited configuration changes on the node without shutting it down. Some changes may not be applied until the node is rebooted.

sg-selftest [-d] [-h] firewallRuns cryptography tests on the engine.-d option runs the tests in debug mode.-h option displays usage information.

sg-status [-l] [-h] firewall

Displays information on the engine’s status.-l option displays all available information on engine status.-h option displays usage information.



Engine Commands 197

sg-toggle-active SHA1 SIZE |--force [--debug]

firewall

Switches the engine between the active and the inactive partition. This change takes effect when you reboot the engine.You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls-l /var/run/stonegate.The SHA1 SIZE option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file.--debug option reboots the engine with the debug kernel.--force option switches the active configuration without first verifying the signature of the inactive partition.

sg-upgrade firewallUpgrades the node by rebooting from the installation CD-ROM. Alternatively, the node can be upgraded remotely using the Management Client.

sg-version firewallDisplays the software version and build number for the node.




The table below lists some general operating system commands that may be useful in running your StoneGate engines. Some commands can be stopped by pressing Ctrl+c.

sginfo[-f] [-d] [-s] [-p] [--] [--help]

firewall

Gathers system information you can send to Stonesoft support if you are having problems. Use this command only when instructed to do so by Stonesoft support.-f option forces sgInfo even if the configuration is encrypted.-d option includes core dumps in the sgInfo file.-s option includes slapcat output in the sgInfo file.-p option includes passwords in the sgInfo file (by default passwords are erased from the output).-- option creates the sgInfo file without displaying the progress--help option displays usage information.



TABLE A.3 General Command Line Tools on Engines

Command Description

dmesgShows system logs and other information. Use the -h option to see usage.

halt Shuts down the system.

ipDisplays IP-address related information. Type the command without options to see usage. Example: type ip addr for basic information on all interfaces.

pingTool for sending ICMP echo packages to test connectivity. Type the command without options to see usage.

ps Reports status of running processes.

rebootReboots the system. Upon reboot, you enter a menu with startup options. For example, this menu allows you to return the engine to the previous configuration.

scp Secure copy. Type the command without options to see usage.

sftpSecure FTP (for transferring files securely). Type the command without options to see usage.

Engine Commands 199

sshSSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.

tcpdumpGives information on network traffic. Use the -h option to see usage.

topDisplays the top CPU processes taking most processor time. Use the -h option to see usage.

tracerouteTraces the route packets take to the specified destination. Type the command without options to see usage.

vpninfoOutputs various VPN related information. Type the command without options to see usage.

TABLE A.3 General Command Line Tools on Engines (Continued)

Command Description


APPENDIX B StoneGate-Specific Ports

The following illustrations show the connections between the StoneGate components, as well as the ports that are used for gateway-to-gateway VPN and mobile VPN connections. The complete list of ports is presented in the table that follows.

Illustration B.1 Basic Communications Between StoneGate Components

201

Illustration B.2 Service Communications of Firewall/VPN Engine

Illustration B.3 Communications between SOHO Firewall engines and SMC components

202 Appendix B: StoneGate-Specific Ports

The following table lists all the ports used in communication between various StoneGate Firewall/VPN components. The ports used by StoneGate IPS are detailed in StoneGate IPS Reference Guide.

TABLE B.1 StoneGate-Specific Ports

Listening Host Port/Protocol Contacting

Hosts Service DescriptionService Element

Name

DHCP server 67/UDPFW/VPN Engine

DHCP requests relayed by the firewall and requests from a firewall that uses dynamic IP address.

BOOTPS (UDP)

DNS server 53/TCPFW/VPN Engine

Optional dynamic DNS updates for inbound load sharing

DNS (TCP)

DNS server 53/UDP

Management Client, Management Server, Log Server

DNS queries to resolve DNS names

DNS (UDP)

External LDAP server

389/TCPManagement Server, FW/VPN Engine

External LDAP queries. LDAP (TCP)

FW/VPN Engine

15000/TCPManagement Server, Analyzer

Blacklist entries sent to firewall SG Blacklisting

FW/VPN Engine

161/UDP SNMP server SNMP monitoring. SNMP (UDP)

FW/VPN Engine

2535/TCP VPN Client VPN Client configuration downloadSG VPN Client Configuration

FW/VPN Engine

2543/TCP Any User authentication (Telnet)SG User Authentication

FW/VPN Engine

2746/UDP VPN Client UDP encapsulated IPsecSG UDP Encapsulation

FW/VPN Engine

3000-3001/UDP3002-3003, 3010/TCP

FW/VPN Engine

Heartbeat and state synchronization between the cluster nodes.

SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync

203

FW/VPN Engine

4500/UDP VPN Client NAT-Traversal for VPN Client. NAT-T

FW/VPN Engine

4950/TCPManagement Server

Engine remote upgradeSG Remote Upgrade

FW/VPN Engine


Policy upload SG Commands

FW/VPN Engine

500/UDPVPN Client, external VPN gateway

Internet Key Exchange (IKE) for IPsec.

ISAKMP (UDP)

FW/VPN Engine


StoneGate internal LDAPS replication.

LDAPS (TCP)

FW/VPN Engine

67/UDP Any DHCP relay on firewall engine. BOOTPS (UDP)

FW/VPN Engine

68/UDP DHCP server Replies to DHCP requests. BOOTPC (UDP)

FW/VPN Engine


Connectivity monitoring, status monitoring for old version engines

SG Monitoring

Log Server 3020/TCPFW/VPN Engine, Log Server

Log and alert messages, monitoring (status, statistics).

SG Log

Log Server8914-8918/TCP

Management Client, Monitoring Server

Management Client and Monitoring Server connections to the Log Server.

SG Data Browsing, SG Data Browsing (Monitoring Server)

Log Server 8923/TCPSOHO Firewall engine

SOHO Firewall logging connections to the Log Server.

SG SOHO Log

Management Server

3021/TCPFW/VPN Engine

Engine's initial contact. SG Initial Contact

Management Server

3023/TCPFW/VPN Engine

Monitoring (status) connection.SG Reverse Monitoring

TABLE B.1 StoneGate-Specific Ports (Continued)



Name


Management Server

5936/TCP Log Server Log Server's initial contact.SG Log Initial Contact

Management Server

8902-8913/TCP

Management Client, Log Server, Alert Server, Monitoring Server

Management Client, Log Server, Alert Server, and Monitoring Server connections to the Management Server.

SG Control

Management Server

8906/TCP

FW/VPN Engine with dynamic IP address

Management connection for engine with a dynamic IP address.

SG Dynamic Control

Management Server

8922/TCPSOHO Firewall engine

SOHO Firewall configuration and status communication to the Management Server.

SG SOHO Control

Management Server

8924/TCPSOHO Firewall engine

SOHO Firewall initial contact (certificate request) to the Management Server

SG SOHO Initial Contact

Monitoring Agent on Server Pool members

7777/UDPFW/VPN Engine

If servers belonging to a Server Pool are configured with the Monitoring Agent, the engines will frequently poll the servers’ Monitoring Agent on this port for availability and load information.

SG Server Pool Monitoring

Monitoring Server

8919-8921/TCP

Monitoring Client

Monitoring Client connection to Monitoring Server.

SG Control (Monitoring Client)

NTP server 123/UDPSOHO Firewall engine

Time synchronization. NTP (UDP).

Primary Management Server

8903, 8907/TCP

Secondary Management Server

Management database replication to the secondary Management Server.

SG Control

RADIUS server

1812, 1645/UDP

FW/VPN Engine

RADIUS authentication requests.RADIUS (Authentication), RADIUS (Old)




Name

205

RPC server111/UDP, 111/TCP

FW/VPN Engine

RPC number resolve.SUNRPC (UDP), Sun RPC (TCP)

Secondary Management Server

8902, 8905, 8913/TCP

Primary Management Server

Management database replication to the secondary Management Server.

SG Control

SNMP Server 162/UDPFW/VPN Engine

SNMP traps from the engine. SNMP Trap (UDP)

Stonesoft Server


Queries availability of new dynamic update packages and engine upgrades.

HTTPS

TACACS+ server

49/TCPFW/VPN Engine

TACACS+ authentication requests. TACACS (TCP)

VPN Client 2535/TCPFW/VPN Engine

Configuration downloadSG VPN Client Configuration

VPN Client 2543/TCPFW/VPN Engine

User authenticationSG User Authentication

VPN Client 2746/UDPFW/VPN Engine

UDP encapsulationSG UDP Encapsulation

VPN Client 500/UDPFW/VPN Engine

Internet Key Exchange (IKE) for IPsec

ISAKMP (UDP)




Name


APPENDIX C Example Network Scenario

To give you a better understanding of how StoneGate fits into a network, this section outlines a network with two firewalls: a single firewall at a branch office and a firewall cluster at headquarters.


Overview of the Example Network, on page 208 Example Management Center, on page 209 Example Single Firewall, on page 210 Example Firewall Cluster, on page 210

207

Overview of the Example NetworkThe illustration below shows you the whole example network. The different components of this configuration are explained in detail in the sections that follow.

Illustration C.1 The Example Network Scenario

208 Appendix C: Example Network Scenario

Example Management CenterThe Management Center in the example scenario is distributed across three networks: the Management Server and the HQ Log Server are at the headquarters site, the Branch Office Log Server is at the Branch office site and the Monitoring Server is placed in a DMZ so that access to the management network can be kept as limited as possible.

TABLE C.1 Management Center in the Example Network Scenario

Management Center

ComponentDescription

Management Server

This Management Server manages all the StoneGate firewalls and Log Servers of the example network.The Management Server in the Headquarters’ Management Network with the IP address 192.168.10.200.

HQ Log ServerThis Log Server receives log data from the HQ firewall.The server is located in the Headquarters’ Management Network with the IP address 192.168.10.201.

Branch Office Log Server

This Log Server receives log data from the Branch Office firewall.The server is located in the Branch Office Intranet with the IP address 172.16.2.201.

Monitoring Server

The Monitoring Server provides limited access to logs for administrators who need no other functions of the Management System.The Monitoring Server is located in DMZ 3 network with address 192.168.3.230.

Management Client

The Management Client can be at any location where it can connect to the Management Server and the Log Servers (for alert and log management). It is also possible to use multiple Management Clients in different locations. In this example, the Management Client is located on the Management Server and in the Headquarters intranet.

Example Management Center 209

Example Single FirewallIn the example network scenario, Branch Office Firewall is a single firewall located in the Branch Office network.

Example Firewall ClusterIn the example network scenario, Headquarters Cluster is located in the Headquarters network. The cluster consists of two cluster nodes: Node1 and Node2.

TABLE C.2 Single Firewall in the Example Network Scenario

Network Description

External network

The Branch Office site is connected to the Internet through this link.

IP address: 212.20.2.254.

Next hop router: 212.20.2.1.

Internal networkThe Branch Office has one internal network.

IP address: 172.16.2.1.

Leased Line

In addition to the Internet connection, the example organization has a leased line between the Headquarters and the Branch Office site.

IP address: 192.168.40.254


TABLE C.3 Firewall Cluster in the Example Network Scenario

Network Description

Heartbeat network

The heartbeat and cluster synchronization goes through the heartbeat network.

CVI: no CVI defined.

NDI: 10.42.1.1 (Node1) and 10.42.1.2 (Node2).

Management network

The management network interface is used for the control connections from the Management Server and for connecting to the HQ Log Server, the Authentication Server and the External LDAP server.

CVI: 192.168.10.1.

NDI: 192.168.10.21 (Node1) and 192.168.10.22 (Node2).


ISP A external network

This is one of the two Internet connections from the Headquarters site. It is provided by ISP A.

CVI: 212.20.1.254.

NDI: 212.20.1.21 (Node1) and 212.20.1.22 (Node2).


ISP B external network

This is the other of the two Internet connections from the Headquarters site. It is provided by ISP B.

CVI: 129.40.1.254.

NDI: 129.40.1.21 (Node1) and 129.40.1.22 (Node2).


Leased Line

In addition to the two Internet connections, the example organization has a leased line between the Headquarters and the Branch Office site. The physical network interface card connected to ISP B external network is also connected to the HQ Leased Line.

CVI: 192.168.30.254.

NDI: 192.168.30.21 (Node1) and 192.168.30.22 (Node2).


HQ intranet

This VLAN (VLAN ID 16) is connected to the same network interface on the firewall with the HQ Accounting VLAN.

CVI: 172.16.1.1.

NDI: 172.16.1.21 (Node1) and 172.16.1.22 (Node2).

HQ Accounting network

This VLAN (VLAN ID 17) is connected to the same network interface on the firewall with the HQ Intranet VLAN.

CVI: 172.17.1.1.

NDI: 172.17.1.21 (Node1) and 172.17.1.22 (Node2).

DMZ 1 network

This is the Headquarters’ DMZ 1 network for the publicly available servers.

CVI: 192.168.1.1.

NDI: 192.168.1.21 (Node1) and 192.168.1.22 (Node2).

DMZ 2 network


CVI: 192.168.2.1.

NDI: 192.168.2.21 (Node1) and 192.168.2.22 (Node2).

TABLE C.3 Firewall Cluster in the Example Network Scenario (Continued)

Network Description

Example Firewall Cluster 211

DMZ 3 network


CVI: 192.168.3.1.

NDI: 192.168.3.21 (Node1) and 192.168.3.22 (Node2).

DMZ 4 network


CVI: 192.168.4.1.

NDI: 192.168.4.21 (Node1) and 192.168.4.22 (Node2).

TABLE C.3 Firewall Cluster in the Example Network Scenario (Continued)

Network Description


APPENDIX D Installation Worksheet for Firewall Clusters

For planning the configuration of network interfaces for the StoneGate engine nodes, use the worksheet in Table D.1:• In Interface ID, write the Interface ID (and the VLAN ID, if VLAN tagging is used)• On the CVI line, write the Interface ID’s CVI information (if any) and on the NDI line,

write the interfaces NDI information (if any). Use multiple lines for a Interface ID if it has multiple CVIs/NDIs defined.

• For Mode, mark all the modes that apply for this Interface ID.• In IP Address and Netmask, define the CVI or NDI network address.• In MAC/IGMP IP Address, define the MAC address used, or if the interface is CVI

that uses Multicast with IGMP, define the multicast IP address used for generating automatically the multicast MAC address.

• In Comments, define for example a name of the connected network, or how the NDI addresses differ between the nodes, or a management interface’s contact address if different from the interface’s IP address.

Interface modes are explained below the table. These same character codes are displayed in the firewall element interface properties of the Management Client.

213

214 Appendix D: Installation Worksheet for Firewall Clusters

TAB

LE

D.1

Sto

neG

ate

Fir

ewal

l Eng

ine

Inte

rfac

es

Inte

rfa

ce

IDT

ype

Mod

eaIP

Add

ress

Net

mas

kM

AC

/ IG

MP

IP

Add

ress

Com

men

ts

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

____

_

CVI

UM

IK

A__

___

.___

__._

____

.___

____

___

.___

__._

____

.___

__M

AC:

___

: ___

: __

_ : __

_ : _

__ : _

__or

IGM

P IP

:__

___

.___

__._

____

.___

_

ND

IH

hC

cD

____

_ ._

____

.___

__._

____

____

_ ._

____

.___

__._

____

MAC

:__

_ : _

__ :

___

: __

_ : _

__ : _

__

a.CV

I mod

es: U

=U

nica

st M

AC, M

=M

ultic

ast M

AC, I

=M

ultic

ast w

ith IG

MP,

K=

Pack

et D

ispat

ch, A

=In

terf

ace’s

IP a

ddre

ss u

sed

as th

e id

entit

y fo

r aut

hent

icatio

n re

ques

tsN

DI m

odes

: H=

Prim

ary

hear

tbea

t, h=

Back

up h

eartb

eat,

C=

Prim

ary

cont

rol I

P ad

dres

s, c=

Back

up c

ontro

l IP

addr

ess,

D=

Def

ault

IP a

ddre

ss fo

r out

goin

g co

nnec

tions

Legal Information

LicensesStonesoft products are sold pursuant to their relevant End-User License Agreements. By installing or otherwise using Stonesoft products in any way, end-users agree to be bound by such agreement(s). See Stonesoft's website, www.stonesoft.com for further details.If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export RestrictionsThe products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

Licenses 219

http://www.stonesoft.com/

Patent NoticeMulti-Link, Multi-Link VPN, and the StoneGate clustering technology—as well as other technologies included in StoneGate—are protected by pending patent applications in the U.S. and other countries.

End-User Licence AgreementThe use of the Stonegate products is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html.

Software Licensing InformationThe StoneGate software includes several open source or third-party software packages to support certain features. This section provides the appropriate software licensing information for those products.

GNU General Public LicenseVersion 2, June 1991Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAEveryone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.The precise terms and conditions for copying, distribution and modification follow.

220 Legal Information



GNU GENERAL PUBLIC LICENSETERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may

be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided

that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your

Software Licensing Information 221

rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE

EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONSHow to Apply These Terms to Your New ProgramsIf you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.


To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.>Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAAlso add information on how to contact you by electronic and paper mail.If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of authorGnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program‘Gnomovision’ (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of ViceThis General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

GNU LESSER GENERAL PUBLIC LICENSEVersion 2.1, February 1999Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAEveryone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.


To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.GNU LESSER GENERAL PUBLIC LICENSETERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:a) The modified work must itself be a software library.b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.


c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.This option is useful when you wish to copy part of the code of the Library into a program that is not a library.4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that workunder terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified


Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version


or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OROTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFYAND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONSHow to Apply These Terms to Your New LibrariesIf you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.<one line to give the library's name and a brief idea of what it does.>Copyright (C) <year> <name of author>This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USAAlso add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names:Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker.<signature of Ty Coon>, 1 April 1990Ty Coon, President of ViceThat's all there is to it!

OpenSSL ToolkitThis software includes the OpenSSL toolkit.LICENSE ISSUES==============The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact [email protected] License---------------Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.


Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.All advertising materials mentioning features or use of this software must display the following acknowledgment:“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.(http://www.openssl.org/)”The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected] derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.Redistributions of any form whatsoever must retain the following acknowledgment: ‘This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This product includes cryptographic software written by Eric Young, ([email protected]). This product includes software written by Tim Hudson ([email protected]).Original SSLeay License-----------------------Copyright (C) 1995-1998 Eric Young ([email protected]). All rights reserved.This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape’s SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.All advertising materials mentioning features or use of this software must display the following acknowledgement: “This product includes cryptographic software written by Eric Young ([email protected])” The word ‘cryptographic’ can be left out if the rouines from the library being used are not cryptographic related:-).If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: ‘This product includes software written by Tim Hudson ([email protected])”THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

OpenLDAPThis software includes the OpenLDAP client developed by The OpenLDAPFoundation. Original version of the OpenLDAP client can be downloaded from http://www.openldap.org This software includes the OpenLDAP server. The OpenLDAP Public License Version 2.7, 7 September 2001Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain copyright statements and notices,


2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and3. Redistributions must contain a verbatim copy of this document.The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use the Software under terms of this license revision or under the terms of any subsequent revision of the license.THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.OpenLDAP is a trademark of the OpenLDAP Foundation.Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distributed verbatim copies of this document is granted.

libradius1This software includes the libradius1 package.Copyright (C) 1995,1996,1997,1998 Lars Fenneberg <[email protected]>Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copy ight and permission notice appear on all copies and supporting documentation, the name of Lars Fenneberg not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Lars Fenneberg.Lars Fenneberg makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.------------------------------------------------------------------------------Copyright 1992 Livingston Enterprises, Inc.Livingston Enterprises, Inc. 6920 Koll Center Parkway Pleasanton, CA 94566Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Livingston Enterprises, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Livingston Enterprises, Inc.Livingston Enterprises, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.------------------------------------------------------------------------------[C] The Regents of the University of Michigan and Merit Network, Inc. 1992, 1993, 1994, 1995 All Rights Reserved.Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies of the software and derivative works or modified versions thereof, and that both the copyright notice and this permission and disclaimer notice appear in supporting documentation.THIS SOFTWARE IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN AND MERIT NETWORK, INC. DO NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET LICENSEE'S REQUIREMENTS OR THAT OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. The Regents of the University of Michigan and Merit Network, Inc. shall not be liable for any special, indirect, incidental or consequential damages with respect to any claim by Licensee or any third party arising from use of the software.------------------------------------------------------------------------------Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.These notices must be retained in any copies of any part of this documentation and/or software.


TACACS+ ClientThis software contains TACACS+ client.Copyright (c) 1995-1998 by Cisco systems, Inc.Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies of the software and supporting documentation, the name of Cisco Systems, Inc. not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that modification, copying and distribution is by permission of Cisco Systems, Inc.Cisco Systems, Inc. makes no representations about the suitability of this software for any purpose. THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithmCopyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing the derived work.RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.These notices must be retained in any copies of any part of this documentation and/or software.

libwwwThis software contains libwww software.Copyright © 1995-1998 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved.This program is distributed under the W3C's Intellectual Property License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See W3C License http://www.w3.org/Consortium/Legal/ for more details.------------------------------------------------------------------------------Copyright © 1995 CERN. "This product includes computer software created and made available by CERN. This acknowledgment shall be mentioned in full in any product which includes the CERN computer software included herein or parts thereof."

W3C® SOFTWARE NOTICE AND LICENSEhttp://www.w3.org/Consortium/Legal/2002/copyright-software-20021231This work (and included software, documentation such as READMEs, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions.Permission to copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications: 1. The full text of this NOTICE in a location viewable to users of the redistributed or derivative work. 2. Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, the W3C Software Short Notice should be included (hypertext is preferred, text is permitted) within the body of any redistributed or derivative code. 3. Notice of any changes or modifications to the files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.)THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders.____________________________________This formulation of W3C's notice and license became active on December 31 2002. This version removes the copyright ownership notice such that this license can be used with materials other than those owned by the W3C, reflects that ERCIM is now a host of the W3C, includes references to this specific dated version of the license, and removes the ambiguous


grant of "use". Otherwise, this version is the same as the previous version and is written so as to preserve the Free Software Foundation's assessment of GPL compatibility and OSI's certification under the Open Source Definition. Please see our Copyright FAQ for common questions about using materials from our site, including specific terms and conditions for packages like libwww, Amaya, and Jigsaw. Other questions about this notice can be directed to [email protected] Reagle <[email protected]>Last revised by Reagle $Date: 2003/01/16 15:01:10 $Last revised by Reagle $Date: 2003/01/16 15:01:10 $

XML-RPC C Library LicenseThis software contains software covered by the XML-RPC C Library License.Copyright (C) 2001 by First Peer, Inc. All rights reserved.Copyright (C) 2001 by Eric Kidd. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Expat LicenseThis software contains software covered by the Expat License.Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center LtdPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ABYSS Web Server LicenseThis software contains software covered by the ABYSS Web Server LicenseCopyright (C) 2000 by Moez Mahfoudh <[email protected]>. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING


NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Python 1.5.2 LicenseThis software contains software covered by the Python 1.5.2 License.Copyright 1991, 1992, 1993, 1994 by Stichting Mathematisch Centrum, Amsterdam, The Netherlands.All Rights ReservedPermission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the names of Stichting Mathematisch Centrum or CWI or Corporation for National Research Initiatives or CNRI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.While CWI is the initial source for this software, a modified version is made available by the Corporation for National Research Initiatives (CNRI) at the Internet address ftp://ftp.python.org.STICHTING MATHEMATISCH CENTRUM AND CNRI DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM OR CNRI BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The Apache Software License, Version 1.1This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."Copyright (C) 1999 The Apache Software Foundation. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.4. The names "log4j" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected]. Products derived from this software may not be called “Apache”, nor may “Apache” appear in their name, without prior written permission of the Apache Software Foundation.THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Foundation. For more information on the Apache Software Foundation, please see <http://www.apache.org/>.

Bouncy Castle notice and license.Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Package: discover-dataDebian package author: Branden RobinsonThe contents of this package that are not in the debian/ subdirectory are simple compilations of data and are therefore not copyrightable in the United States (c.f. _Feist Publications, Inc., v. Rural Telephone Service Company, Inc., 499 U.S. 340 (1991)_)._Feist_ holds that: Article I, s 8, cl. 8, of the Constitution mandates originality as a prerequisite for copyright protection. The constitutional requirement necessitates independent creation plus a modicum of creativity. Since facts do not owe their origin to an act of authorship, they are not original and, thus, are not copyrightable. Although a compilation of facts may possess the requisite originality because the author typically chooses which facts to include, in what order to place them, and how to arrange the data so that readers may use them effectively, copyright protection extends only to those components of the work that are original to the author, not to the facts themselves. This fact/expression dichotomy severely limits the scope of protection in fact-based works. Therefore, the hardware information lists that comprise the "meat" of this package enjoy no copyright protection and are thus in the public domain. Note, however, that a number of trademarks may be referenced in the hardware lists (names of vendors and products). Their usage does not imply a challenge to any such status, and all trademarks, service marks, etc. are the property of their respective owners.The remainder of this package is copyrighted and licensed as follows: Package infrastructure: Copyright 2001,2002 Progeny Linux Systems, Inc. Copyright 2002 Hewlett-Packard Company Written by Branden Robinson for Progeny Linux Systems, Inc.lst2xml conversion script: Copyright 2002 Progeny Linux Systems, Inc. Copyright 2002 Hewlett-Packard Company Written by Eric Gillespie, John R. Daily, and Josh Bressers for Progeny Linux Systems, Inc.Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.Copyright (c) 1999, 2004 Tanuki SoftwarePermission is hereby granted, free of charge, to any person obtaining a copy of the Java Service Wrapper and associated documentation files (the "Software"), to deal in the Softwarewithout restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons towhom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.Portions of the Software have been derived from source code developed by Silver Egg Technology under the following license:Copyright (c) 2001 Silver Egg TechnologyPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.


Index

A

administration client, see management cli-ent

advanced configuration and power interface (ACPI), 116

automatic power management (APM), 116

B

BIOS settings, 116

C

certificate authoritychecking fingerprint, 34, 39

changing IP addressing, 175–177checking file integrity, 17, 161checksum, 161checksums, 17cluster virtual interface, see CVIcommand line installation

see non-graphical installationcommand line tools, 185commands

engine, 194log server, 186management server, 186

compatibility with different platforms, 16

configuringengine on Intel or compatible, 117

contact addresslog server, 58management server, 57

contact information, 12creating

web start files manually, 49–50customer support, 12CVI, 19

defining mode for, 105CVIs

interface modes, 19

D

database user account, 28date and time settings, 16defining

firewall cluster, 98single firewall, 86SOHO firewalls, 64

deployment example, 207Distributing, 48documentation available, 11dynamic updates, 40

E

end-user license agreement, 219

235

example network scenario, 15, 207

F

file integrity, 17, 161fingerprint of certificates, 34, 39, 191firewall

defining cluster, 98defining single, 86defining SOHO firewalls, 64engine commands, 153–155firewall cluster interfaces, 19

G

generating licenses, 162–163, 165–166GUI client, see management client

H

hardware requirements, 12heartbeat connection, 19host files, 16

I

importing initial configuration, 119importing licenses, 165–166initial configuration

activating on Intel and compatible, 122saving, 82, 94, 110

installation files, 17installing

clients using web start, 48–50dynamic updates, 40engine on Intel or compatible, 115files for, 17licenses, 35log server, 29management center, 23–46management client, 31management clients, 47–51

management server, 28–29monitoring server, 30overview to, 15

integrity of files, 17interface mode for CVIs, 105interface modes for CVIs, 19interface types for firewall cluster, 19IP-address-bound licenses, 18

J

java web start, 47–51

L

legal information, 219license files, 18–19licenses, 18–19

generating, 162–163installing, 35, 165–166IP-address-bound, 18management bound, 18retained, 94, 110retained type, 166upgrading, 19, 162, 164–165

linux for management center, 24locations, 55–56log server, 29–30, 37

changing IP address, 176–177contact address, 58

M

management bound licenses, 18, 94, 110management center

components, 14installing, 23–46uninstalling, 180–181upgrading, 166

management clientconfiguration files, 180installing, 31

236236

starting, 33web start, 50

management clientsinstalling, 47–51

management serverchanging IP address, 175–177contact address, 57installing, 28–29starting, 33

management server database user account, 28

MD5 checksum, 17, 161monitoring server, 30–31

N

NAT (network address translation)locations, 55–56

NDI, 19network interfaces

cluster, 103CVI (Cluster Virtual Interface), 104single firewall, 90SOHO firewalls, 68

node dedicated interface, 19non-graphical installation, 45–46

O

one-time passwordcreating, 94, 110on Intel and compatible, 124

overview to the installation, 15

P

packet dispatch mode, 20partitioning

engine hard disk on Intel or compatible, 125platforms supported, 16policies, 145–150

R

requirements for hardware, 12restart engine configuration

on Intel and compatible, 124retained licenses, 94, 110, 166routing, 132–145

S

serverslog server, 29–30management server, 28–29monitoring server, 30–31

sgadmin user account, 24SHA-1 checksum, 17, 161single firewall

defining VLAN ID, 89, 103network interfaces, 90VLAN tagging, 88

sniffing network interfaceon Intel and compatible, 121

SOHO firewalls, 63–83starting

log server, 37management client, 33management server, 33

stonegate architecture, 14support services, 12supported platforms, 16system architecture, 14system requirements, 12

T

technical support, 12typographical conventions, 10

U

uninstallingengines, 181

237

management center, 180–181updating, 159–177upgrades

changing IP addressing, 175–177upgrading, 159–177

engine, locally, 171engine, remotely, 168licenses, 162, 164–165management center, 166

V

VLAN IDdefining on single firewall, 89, 103

VLAN taggingsingle firewall, 88

W

web start, 47–51web start server

enabling, 48–49

238238

Available StoneGate Guides:

Administrator Documentation• Administrator’s Guide• Installation Guides• Reference Guides• IPsec VPN Client Administrator’s Guide

End-User Documentation• Monitoring Client User’s Guide• IPsec VPN Client User’s Guide

For PDF versions of the guides and the StoneGate technical knowledge base, visitwww.stonesoft.com/support

Stonesoft CorporationItälahdenkatu 22 AFI-00210 HelsinkiFinlandTel. +358 9 476 711Fax +358 9 4767 1234

Stonesoft Inc.1050 Crown Pointe ParkwaySuite 900Atlanta, GA 30338USATel. +1 770 668 1125Fax +1 770 668 1131

Copyright 2008 Stonesoft Corporation. All rights reserved. All specifications are subject to change.


stonegate firewall installation guide 4.3

Documents