Stonesoft 5.4 Administrator’s Guide Security Engines Management Center

Upload: majdi-guermazi

Post on 27-Nov-2015


Stonesoft 5.4 Administrator's Guide

Security Engines
Management Center

Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html

Third Party Licenses
The Stonesoft software includes several open source or third-party software packages. The appropriate software licensing information for those products is available at the Stonesoft website: www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation, on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (DoD), the Software is subject to Restricted Rights, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (DFAR) in paragraph 252.227-7013(c)(1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government's rights in the Software will be as defined in paragraph 52.227-19(c)(2) of the Federal Acquisition Regulations (FAR). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1231754, 1259028, 1271283, 1289183, 1289202, 1304830, 1304849, 1313290, 1326393, 1361724, 1379037, and 1379046 and US Patent Nos. 6,650,621; 6,856,621; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,325,248; 7,360,242; 7,386,525; 7,406,534; 7,461,401; 7,573,823; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty as to the correctness of the information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Copyright 2012 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGAG_20120911

TABLE OF CONTENTS

GETTING STARTED

CHAPTER 1 Using Stonesoft Documentation . . . 23
  Using This Documentation . . . 24
    Typographical Conventions . . . 24
  Additional Documentation . . . 25
    Product Documentation . . . 25
    Using Online Help Locally . . . 26
    Support Documentation . . . 26
  System Requirements . . . 27
    Supported Features . . . 27
  Contact Information . . . 27
    Licensing Issues . . . 27
    Technical Support . . . 27
    Your Comments . . . 27
    Security Related Questions and Comments . . . 27
    Other Queries . . . 27

CHAPTER 2 New in This Release . . . 29
  Important Changes . . . 30
    Analyzers no Longer Used . . . 30
    Changes to Management Server High Availability . . . 30
    Changes to Ready-Made Policies and Template Policies . . . 30
    Event Correlation and Analysis on Log Servers and Security Engines . . . 30
    Inspection Policies . . . 31
    Layer 2 Firewalls . . . 31
    Security Engines . . . 31
  Other Changes in SMC 5.4 . . . 32
    Local Filters . . . 32
    Traffic Capture . . . 32
    Routing Monitoring . . . 32
    Element Snapshots . . . 32
    Improvements to Reporting . . . 32
    SMS Notifications for 64-Bit SMC . . . 32
  Changes in Firewall/VPN 5.4 . . . 33
    Application Detection Improvements . . . 33
    Logging of Evasion-Related Events . . . 33
    Route-Based VPN . . . 33
    Snort Rules Library Import . . . 33
  Changes in IPS 5.4 . . . 34
    Application Detection Improvements . . . 34
    Logging of Evasion-Related Events . . . 34
    Snort Rules Library Import . . . 34
  Documentation Changes . . . 34
    Information on Analyzers and Sensor-Analyzers Removed . . . 34

CHAPTER 3 Using the Management Client . . . 35
  Overview to the Management Client . . . 36
  Rearranging the General Layout . . . 40
  Bookmarking Views . . . 41
    Managing Bookmarks . . . 41
    Creating New Bookmarks . . . 42
    Creating New Bookmark Folders . . . 43
    Adding Bookmarks to the Toolbar . . . 43
  Changing the Startup View . . . 44
  Using the Search Features . . . 44
    Using Basic Element Search . . . 44
    Searching for Element References . . . 46
    Using the DNS Search . . . 46
      Creating Host Elements Based on DNS Queries . . . 46
    Searching for Duplicate IP Addresses . . . 47
    Searching for Unused Elements . . . 47
    Searching for Users . . . 48
    Searching the Trash . . . 49
  Using Type-Ahead Search . . . 50
  Saving Elements, Log Data, Reports, and Statistics . . . 51
    PDF Output Settings . . . 51
    Adding Style Templates for PDF Output . . . 52
    Managing PDF Style Templates . . . 53
  Sending Messages to Other Administrators . . . 53
    Enabling/Disabling Administrator Messaging . . . 53
    Sending Messages to Other Administrators . . . 54
  Adding Custom Commands to Element Menus . . . 54
    Creating a Tools Profile . . . 54
    Attaching a Tools Profile to an Element . . . 55

CHAPTER 4 Setting up the System . . . 57
  Getting Started with the Management Center . . . 58
  Getting Started with the Firewall . . . 59
  Getting Started with the IPS . . . 60
  Getting Started with the Layer 2 Firewall . . . 60

CHAPTER 5 Configuring System Communications . . . 63
  Getting Started with System Communications . . . 64
  Defining Locations . . . 66
  Defining Contact IP Addresses . . . 66
    Defining Engine Location . . . 67
    Defining Contact Addresses for a Single Engine or a Cluster Virtual IP Address . . . 68
    Defining Contact Addresses for Node Dedicated IP Addresses . . . 69
    Defining Contact Addresses for an IPS Cluster or a Layer 2 Firewall Cluster . . . 70
    Defining Server Contact Addresses . . . 70
    Defining a Contact Address for External Security Gateway End-Point . . . 72
  Selecting the Management Client Location . . . 73
  Configuring Multi-Link System Communications . . . 73

CHAPTER 6 Managing Elements . . . 75
  Using Categories . . . 76
    Configuration Overview . . . 76
    Creating New Categories . . . 76
    Selecting Categories for Elements . . . 77
    Activating Categories . . . 77
    Filtering With Several Categories . . . 78
  Exporting, Importing, and Restoring Elements . . . 79
    Exporting Elements . . . 80
    Importing Elements . . . 81
      Creating a CSV File or a TSV File . . . 81
      Importing Elements from a File . . . 82
    Restoring Elements from Policy Snapshots . . . 83
    Restoring Elements from Element Snapshots . . . 84
  Locking and Unlocking Elements . . . 86
  Deleting Elements . . . 86
    Moving Elements to the Trash . . . 87
    Restoring Elements from the Trash . . . 88
    Deleting Elements from the Trash . . . 88

MONITORING

CHAPTER 7 Monitoring the System . . . 91
  Getting Started with System Monitoring . . . 92
  Monitoring the System Status . . . 92
    Default Arrangement of System Status View . . . 93
    System Summary . . . 94
    Viewing System Status for a Selected Element . . . 94
    Viewing Appliance Configuration Status . . . 96
    Info Panel . . . 96
    Commands for Monitoring Components . . . 97
    Monitoring Tools in the Main Menu . . . 97
  Reading Component Statuses . . . 98
    Engine Hardware Malfunction Icons . . . 98
    Replication Malfunction Icon . . . 98
    Element Status Colors . . . 99
    Node Status Colors . . . 99
    NetLink Status Colors . . . 100
    VPN Status Colors . . . 100
    Connectivity Status Colors . . . 101
  Creating Overviews . . . 102
    Creating a New Overview . . . 103
    Adding a New System Summary Section to an Overview . . . 103
    Adding a New Statistics Section to an Overview . . . 104
    Creating a New Statistics Section . . . 105
    Selecting Statistical Items . . . 106
    Setting Thresholds for Monitored Items . . . 107
  Monitoring Connections, Blacklists, VPN SAs, Users, and Routing . . . 108
    Checking Connections, Blacklists, VPN SAs, Users, and Routing . . . 109
    Saving Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . 111
    Exporting Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . 112
    Viewing Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . 112
    Comparing Snapshots of Connections, Blacklists, VPN SAs, Users, and Routing . . . 113
  Viewing and Comparing Element Snapshots . . . 115
  Monitoring Connections on a Map . . . 117
    Defining a New Geolocation . . . 118
    Setting a Geolocation for an Element . . . 120
    Viewing Geolocations and IP Addresses in Google Maps . . . 120
      Viewing Geolocation Element Locations in Overviews and Reports . . . 120
      Viewing IP Address Locations in the Logs view . . . 121
      Viewing IP Address Locations from the Whois Information Dialog . . . 121
  Monitoring Configurations and Policies . . . 121
  Monitoring Administrator Actions . . . 122
  Monitoring Task Execution . . . 122
  Taking a Traffic Capture . . . 123
  Checking Maintenance Contract Information . . . 125
    Enabling Automatic Maintenance Contract Checking . . . 125
    Viewing Maintenance Contract Information . . . 126
    Fetching Maintenance Contract Information . . . 126
  Checking When Internal Certificates or Internal CAs Expire . . . 127

CHAPTER 8 Monitoring Third-Party Devices . . . 129
  Getting Started with Third-Party Device Monitoring . . . 130
    Configuration Overview . . . 130
  Converting Logs From External Devices . . . 131
    Creating a Logging Profile Element . . . 132
    Defining Ordered Field Logging Patterns . . . 133
    Defining Key-Value Pair Logging Patterns . . . 135
    Adding Field Resolvers . . . 136
      Defining a Field Resolver for Multiple Values . . . 136
      Defining a Field Resolver for Date and Time . . . 137
    Validating a Logging Profile . . . 137
  Monitoring the Status of Third-Party Devices . . . 138
    Importing MIBs . . . 139
    Creating a Probing Profile . . . 140
    Activating Monitoring of a Third-Party Device . . . 142
    Configuring a Third-Party Device for Monitoring . . . 143
    Changing the Ports for Third-Party Device Monitoring . . . 143
    Activating/Deactivating Third-Party Status Monitoring Alerts . . . 143

CHAPTER 9 Browsing Logged Data . . . 145
  Getting Started with the Logs View . . . 146
    Overview . . . 146
    Opening the Logs View . . . 146
    Default (Records) Arrangement, Panels, and Tools . . . 146
    Details Arrangement . . . 149
    Statistics Arrangement . . . 150
    Log Analysis Arrangement . . . 152
  Browsing Log Data . . . 153
    Viewing Log Entry Details in the Side Panel . . . 153
    Filtering Logs in the Logs View . . . 154
      Specifying Filters for a Query . . . 154
      Viewing Logs From Specific Components . . . 156
      Viewing Logs From Specific Servers and Archive Folders . . . 156
  Analyzing Logs, Alerts, and Audit Entries . . . 157
    Saving Snapshots of Log, Alert, and Audit Entries . . . 157
    Viewing Snapshots of Log, Alert, and Audit Entries . . . 157
    Browsing Log Entries on a Timeline . . . 158
    Viewing Temporary Log Entries . . . 158
    Sorting Log Entries . . . 159
    Checking Whois Records for IP Addresses in Logs . . . 159
  Changing How Data Entries Are Displayed . . . 160
    Increasing and Decreasing Text Size in Data Entries . . . 160
    Changing the Time Zone for Log Browsing . . . 160
    Changing Data Columns in the Log Entry Table . . . 160
    Resolving Log Details to DNS Names or System Elements . . . 161
    Deactivating/Activating Log Entry Highlighting . . . 162
  Exporting Data from the Logs View . . . 162
    Exporting Extracts of Log Data . . . 162
    Exporting IPS Traffic Recordings . . . 164
    Attaching Logs to Incident Cases . . . 164
  Creating Rules From Logs . . . 165

CHAPTER 10 Reports . . . 167
  Getting Started with Reports . . . 168
    Configuration Overview . . . 168
  Creating and Modifying Report Designs . . . 169
    Modifying Report Designs . . . 170
    Creating New Report Designs . . . 170
    Creating and Modifying Report Sections . . . 172
      Modifying Report Sections . . . 172
      Creating New Report Sections . . . 173
    Creating and Modifying Report Items . . . 173
      Creating Report Items . . . 174
      Modifying Report Items . . . 174
  Generating and Viewing Reports . . . 175
    Generating a Report . . . 175
      Defining the Report Task . . . 176
      Selecting Data Sources . . . 177
    Canceling Ongoing Report Tasks . . . 178
    Viewing Reports . . . 178
    Changing the Properties of Generated Reports . . . 179
  Exporting Reports . . . 179
    Exporting a Report as a PDF File . . . 180
    Exporting a Report as an HTML File . . . 180
    E-Mailing Reports . . . 181
  Creating a System Audit Report . . . 181

CHAPTER 11 Filtering Data . . . 183
  Getting Started with Filtering Data . . . 184
  Defining Filters . . . 185
    Basics of Constructing Filters . . . 185
    Creating and Editing Local Filters . . . 187
    Saving Local Filters . . . 189
    Creating and Editing Filter Elements . . . 190
      Editing Filter Elements . . . 190
      Adding and Modifying Filtering Criteria in Filters . . . 191
      Removing Filtering Criteria from Filters . . . 193
  Organizing Filter Elements . . . 193
    Creating New Filter Tags . . . 193
    Changing the Tag of a Filter . . . 194

CHAPTER 12 Working With Diagrams . . . 195
  Getting Started with Diagrams . . . 196
    Configuration Overview . . . 196
  Creating Diagrams . . . 197
    Defining the Diagram Background . . . 198
    Adding Elements to Diagrams . . . 199
      Inserting New Elements Manually . . . 199
      Creating Diagrams from Configured Elements . . . 199
      Adding Text Comments to a Diagram . . . 200
    Arranging Elements in Diagrams . . . 201
    Connecting Elements in Diagrams . . . 201
      Connecting Elements Automatically . . . 201
      Connecting Elements Manually . . . 202
    Creating Links Between Diagrams . . . 202
      Specifying a Parent Diagram . . . 202
      Creating Links from One Diagram to Another . . . 203
  Viewing Diagrams . . . 203
    Adjusting the Element Details in Diagrams . . . 203
    Collapsing and Expanding Groups of Elements in Diagrams . . . 204
    Zooming and Navigating Diagrams . . . 204
  Printing Diagrams . . . 204
  Exporting Diagrams as Images . . . 205

CHAPTER 13 Incident Cases . . . 207
  Getting Started with Incident Cases . . . 208
    Configuration Overview . . . 208
  Creating a New Incident Case . . . 209
  Setting an Incident Context . . . 210
  Attaching Data to Incident Cases . . . 210
    Attaching Logs and Audit Entries to Incident Cases . . . 211
    Attaching Policy Snapshots to Incident Cases . . . 212
    Attaching Memos to Incident Cases . . . 212
    Attaching Files to Incident Cases . . . 213
  Adding Players to Incident Cases . . . 213
  Adding Journal Entries to Incident Cases . . . 214
  Working With Existing Incident Cases . . . 214
    Opening an Incident Case for Editing . . . 214
    Changing the Priority of an Incident Case . . . 214
    Changing the State of an Incident Case . . . 215
    Checking Incident History . . . 215

CONTROLLING ENGINES

CHAPTER 14 Controlling Engine Operation . . . 219
  Commanding Engines Remotely . . . 220
    Turning Engines Online . . . 220
    Turning Engines Offline . . . 221
    Setting Nodes to Standby . . . 221
    Rebooting Nodes . . . 221
    Refreshing the Currently Installed Policy . . . 222
    Backing up and Restoring Dynamic Routing Configurations . . . 222
  Commanding Engines Locally . . . 222
  Setting Engine Options . . . 223
    Enabling/Disabling Engine Status Monitoring . . . 223
    Enabling/Disabling Firewall/VPN Diagnostics . . . 223
    Disabling/Enabling User Database Replication . . . 223
    Enabling/Disabling Status Surveillance . . . 224
    Enabling/Disabling SSH Access to the Engine . . . 224
    Changing the Engine Password . . . 224
  Changing NetLink State Manually . . . 225
  Disabling/Enabling Cluster Nodes . . . 225
    Disabling Nodes of a Cluster Temporarily . . . 225
    Re-Enabling Disabled Cluster Nodes . . . 226
  Editing Engine Configurations . . . 226

CHAPTER 15 Stopping Traffic Manually . . . 227
  Terminating Connections Manually . . . 228
  Blacklisting Connections Manually . . . 228

CHAPTER 16 Working on the Engine Command Line . . . 231
  Getting Started with the Engine Command Line . . . 232
  Accessing the Engine Command Line . . . 232
  Reconfiguring Basic Engine Settings . . . 233
  Creating Engine Scripts . . . 234
  Restoring a Previous Configuration Manually . . . 235
  Configuring Dynamic Routing . . . 235

MANAGEMENT CENTER CONFIGURATION

CHAPTER 17 Configuring Automatic Software Updates . . . 239
  Getting Started with Automatic Updates and Engine Upgrades . . . 240
  Configuring Automatic Updates and Engine Upgrades . . . 240

CHAPTER 18 Administrator Accounts . . . 243
  Getting Started with Administrator Accounts . . . 244
    Configuration Overview . . . 244
  Defining Administrator Roles and Access Control Lists . . . 244
    Defining Administrator Roles . . . 245
    Defining Access Control Lists . . . 247
  Defining Administrator Accounts . . . 248
    Creating a New Administrator Element . . . 248
    Defining Administrator Permissions . . . 250
    Defining Rights for Restricted Administrator Accounts . . . 251
    Restricting the Logs an Administrator Can View . . . 252
  Customizing Log Colors . . . 253
  Defining Password and Login Settings for Administrators . . . 254
    Enabling Enforcement of Password Settings . . . 254
    Defining Password Policy Settings . . . 255
  Changing Administrator Passwords . . . 257
  Authenticating Administrators Using RADIUS Methods . . . 257
  Deleting Administrator Accounts . . . 259

CHAPTER 19 Alert Escalation . . . 261
  Getting Started with Alert Escalation . . . 262
    Configuration Overview . . . 262
  Creating Alerts . . . 263
    Defining Custom Alerts . . . 263
    Defining What Triggers an Alert . . . 264
  Defining Alert Chains . . . 264
    Defining Alert Channels . . . 265
    Creating New Alert Chains . . . 267
    Modifying Existing Alert Chains . . . 267
    Editing Alert Chains . . . 268
    Defining the Final Action of an Alert Chain . . . 269
  Defining Alert Policies . . . 270
    Creating New Alert Policies . . . 270
    Modifying Existing Alert Policies . . . 270
    Editing Alert Policy Rules . . . 271
  Installing Alert Policies . . . 272
  Acknowledging Alerts . . . 272
    Acknowledging Individual Alerts . . . 273
    Acknowledging All Active Alerts . . . 273
  Using Custom Scripts for Alert Escalation . . . 274
  Setting up a Dedicated Alert Server . . . 275
  Creating SMTP Server Elements . . . 276
  Testing Alerts . . . 277

CHAPTER 20 Domains . . . 279
  Getting Started with Domains . . . 280
    Configuration Overview . . . 280
  Creating Domains . . . 281
    Defining a Domain Logo . . . 282
  Logging in to a Domain . . . 283
  Logging out of a Domain . . . 284
  Moving Elements Between Domains . . . 284
  Using the Domain Overview . . . 286
  Deleting Domains . . . 286

CHAPTER 21 Setting up the Web Portal . . . 287
  Getting Started with Web Portal Access . . . 288
    Configuration Overview . . . 288
  Defining Web Portal Server Settings . . . 289
  Activating HTTPS on the Web Portal Server . . . 290
  Allowing Web Portal Connections . . . 291
  Defining Web Portal User Accounts . . . 292
    Granting Engines to a Web Portal User . . . 293
    Selecting Policy Permissions for a Web Portal User . . . 294
    Selecting Log Browsing Permissions for a Web Portal User . . . 295
    Selecting Report Data Permissions for a Web Portal User . . . 296
  Customizing the Web Portal . . . 297
    Adding a New Web Portal Language . . . 297
      Importing a Web Portal Language File through the Management Client . . . 297
      Enabling/Disabling a Web Portal Localization . . . 298
    Customizing the Look of the Web Portal . . . 298
    Writing Announcements to Web Portal Users . . . 299

CHAPTER 22 Distributing Management Clients Through Web Start . . . 301
  Getting Started with Web Start Distribution . . . 302
    Configuration Overview . . . 302
  Activating Web Start on the Management Server . . . 303
  Distributing Web Start from External Servers . . . 304
  Accessing the Web Start Clients . . . 305

CHAPTER 23 Log Server Configuration . . . 307
  Defining a Log Server . . . 308
    Defining a Log Server Element . . . 308
    Selecting Backup Log Servers . . . 309
    Certifying the Log Server . . . 310
    Configuring an Alert Server . . . 310
  Changing Log Server Configuration Parameters . . . 310
  Exporting Log Data to Syslog . . . 314
    Defining General Syslog Settings . . . 314
    Exporting Log Filters for Syslog Sending . . . 316
    Configuring Syslog Filter Settings . . . 317
    Creating a Rule Allowing Traffic to the Syslog Server . . . 318

CHAPTER 24 Configuring Additional SMC Servers . . . 319
  About Additional SMC Servers . . . 320
  Installing Additional Management Servers . . . 320
    Configuration Overview . . . 320
    Defining an Additional Management Server Element . . . 321
    Installing Licenses for Additional Management Servers . . . 322
    Creating Access Rules for Additional Management Servers . . . 323
    Installing Additional Management Server Software . . . 323
  Installing Additional Log Servers . . . 325
    Configuration Overview . . . 325
    Creating Additional Log Server Elements . . . 326
    Installing Licenses for Additional Log Servers . . . 327
    Setting a Log Server as a Backup Log Server . . . 327
    Creating Access Rules for Additional Log Servers . . . 328
    Installing Additional Log Server Software . . . 328
  Changing the Active Management Server . . . 329
  Disabling and Enabling Automatic Database Replication . . . 330
  Retrying Automatic Database Replication . . . 331
  Synchronizing Management Databases Manually . . . 332

CHAPTER 25 Reconfiguring the Management Center and Engines . . . 335
  Modifying a Management Server Element . . . 336
  Changing the Management Database Password . . . 337
  Changing the Management Platform . . . 338
  Changing SMC IP Addressing . . . 339
    Changing the Management Server IP Address . . . 339
    Changing the Log Server IP Address . . . 340
    Changing IP Addresses of Combined Management/Log Servers . . . 341
  If Configuration Changes Prevent Managing the Engines . . . 342
  Changing the Role of Security Engines . . . 342
    Preparing to Change the Security Engine Role . . . 343
    Clearing the Existing Security Engine Configuration . . . 343
    Reconfiguring the Security Engine . . . 344

ENGINE ELEMENT CONFIGURATION

CHAPTER 26 Creating and Modifying Engine Elements . . . 349
  Getting Started with Engine Elements . . . 350
    Configuration Overview . . . 350
  Creating New Engine Elements . . . 351
    Creating a New Single Firewall Element . . . 351
    Creating Multiple Single Firewall Elements . . . 353

    Defining Interfaces for Multiple Single Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 355Defining Routing for Multiple Single Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 357Selecting Additional Configuration Options for Multiple Single Firewalls . . . . . . . . . . . . 357Defining Tester Settings for Multiple Single Firewalls . . . . . . . . . . . . . . . . . . . . . 358Defining Permissions for Multiple Single

  • Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 358Defining Add-Ons for Multiple Single Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 359Defining Advanced Settings for Multiple Single Firewalls . . . . . . . . . . . . . . . . . . . . . 360Defining Internal Security Gateway End-Points for Multiple Single Firewalls. . . . . . . . 360Uploading the Multiple Single Firewall Initial Configuration to the Installation Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363SeFir

    CreaCrea

    DeCluSefor

    CreaCreaCreaElemCreaElemCreaDup

    ModifModElemModOncConClus

    Preto Coa FAcCo

    ConClusConClusAddCha

    ChtheChDif

    EditinEditinEditin

    Editing IPS Cluster Properties . . . . . . . . . . . . . 390Editing Single Layer 2 Firewall Properties . . . . . 391Editing Layer 2 Firewall Cluster Properties . . . . 392Adjusting the Global Contact Policy for Single Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393About Engine Time Synchronization . . . . . . . . . 394

    CHAPTER 27Network Interface Configuration . . . . . . . . . . . 3959Table of Contents

    lecting a Policy to Install on the ewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 364ting a New Firewall Cluster Element. . . . . 365ting Multiple Firewall Cluster Elements . . 366fining Interfaces for Multiple Firewall sters. . . . . . . . . . . . . . . . . . . . . . . . . . . 368lecting Additional Configuration Options Multiple Firewall Clusters . . . . . . . . . . . . 369ting a New Single IPS Element . . . . . . . . 370ting a New IPS Cluster Element. . . . . . . . 371ting a New Single Layer 2 Firewall ent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372ting a New Layer 2 Firewall Cluster ent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373ting a New SSL VPN Gateway Element . . . 374licating an Existing Engine Element . . . . . 375ying Existing Engine Elements . . . . . . . . . 376ifying the Properties of Single Engine ents . . . . . . . . . . . . . . . . . . . . . . . . . . . 376ifying Properties of Several Engines at e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377verting a Single Firewall to a Firewall ter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377paring for Converting a Single Firewall a Firewall Cluster . . . . . . . . . . . . . . . . . . 378nverting a Single Firewall Element to irewall Cluster . . . . . . . . . . . . . . . . . . . . 379tivating the Clustered Configuration After nversion. . . . . . . . . . . . . . . . . . . . . . . . . 381verting a Single IPS Engine to an IPS ter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382verting a Single Layer 2 Firewall to a ter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383ing a Node to a Cluster . . . . . . . . . . . . . . 384nging Engine Control IP Address. . . . . . . . 385anging Engine Control Address Within Same Network . . . . . . . . . . . . . . . . . . . 385anging Firewall Control Address to a ferent Network . . . . . . . . . . . . . . . . . . . . 386g Single Firewall Properties . . . . . . . . . . . 
387g Firewall Cluster Properties . . . . . . . . . . 388g Single IPS Engine Properties. . . . . . . . . 389

    Getting Started with Interface Configuration . . . 396Configuration Overview . . . . . . . . . . . . . . . . . 397

    Firewall Interface Configuration . . . . . . . . . . . . 397Defining Physical Interfaces for Firewall Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . . 398Adding VLAN Interfaces for Firewall Engines . . 401Adding ADSL Interfaces for Single Firewalls . . 403Adding Wireless Interfaces for Single Firewalls 404Defining Tunnel Interfaces . . . . . . . . . . . . . . 406Configuring Advanced Interface Properties for Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . 407Defining SSID Interfaces for Single Firewalls . 410Configuring Security Settings for SSID Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 412Configuring MAC Filtering for SSID Interfaces . 413Configuring Single Firewall IP Addresses . . . . 414Adding IPv4 Addresses for a Single Firewall . . 415Configuring VRRP Settings for Single Firewalls 416Configuring PPPoE Settings for Single Firewalls 417Adding IPv6 Addresses for a Single Firewall . . 418Configuring Firewall Cluster IP Addresses. . . . 419Adding IPv4 Addresses for a Firewall Cluster . 420Adding IPv6 Addresses for a Firewall Cluster . 422Defining Modem Interfaces for Single Firewalls 423Changing/Removing the PIN Code of a Modem Interface . . . . . . . . . . . . . . . . . . . . . 424Setting Interface Options for Firewalls . . . . . . 425About Using a Dynamic IP Address on a Firewall Interface . . . . . . . . . . . . . . . . . . . . . 427

    IPS Engine Interface Configuration. . . . . . . . . . 428Defining System Communication Interfaces for IPS Engines . . . . . . . . . . . . . . . . . . . . . . . . . 428Adding VLAN Interfaces for IPS Engines . . . . . 430Configuring IP Addresses for IPS Engines. . . . 432

    Configuring IP Addresses for Single IPS Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . 432Configuring IP Addresses for IPS Clusters . . 433

    Defining Traffic Inspection Interfaces for IPS Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

    Defining Logical Interfaces for IPS

  • 10

    Engines and Layer 2 Firewalls . . . . . . . . . . . 434Defining Reset Interfaces for IPS Engines. . . 435Defining Capture Interfaces for IPS Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . 436Defining Inline Interfaces for IPS Engines . . . 437

    Configuring Advanced Interface Properties for IPS Engines . . . . . . . . . . . . . . . . . . . . . . . . . 440Setting Interface Options for IPS Engines . . . . 442

    Layer 2 Firewall Interface Configuration . . . . . . 444DefiLayeConFirewConFirew

    Co2 FCoFir

    Defi2 Fi

    DeFir

    ConLayeSettFirew

    ConfigActivaInterf

    CHAPTEConnec

    GettinSMC

    Con

    SavinEngin

    CreaSavi

    Conne

    CHAPTEConfig

    GettinCon

    SpeciAddin

    ConCoExtCo

    File System Space Test . . . . . . . . . . . . . . . 473Configuring Additional Settings for the Free Swap Space Test . . . . . . . . . . . . . . . . 473Configuring Additional Settings for the Link Status Test . . . . . . . . . . . . . . . . . . . . 473Configuring Additional Settings for the Multiping Test . . . . . . . . . . . . . . . . . . . . . . 474

    Checking Configured Tests . . . . . . . . . . . . . . . 475Removing Engine Tests. . . . . . . . . . . . . . . . . . 476Table of Contents

    ning System Communication Interfaces for r Firewalls . . . . . . . . . . . . . . . . . . . . . . . 444figuring VLAN Interfaces for Layer 2 alls . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

    figuring IP Addresses for Layer 2 alls . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

    nfiguring IP Addresses for Single Layer irewalls . . . . . . . . . . . . . . . . . . . . . . . . . 448nfiguring IP Addresses for Layer 2 ewall Clusters. . . . . . . . . . . . . . . . . . . . . 449ning Traffic Inspection Interfaces for Layer rewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 450fining Inline Interfaces for Layer 2 ewalls . . . . . . . . . . . . . . . . . . . . . . . . . . 450figuring Advanced Interface Properties for r 2 Firewalls. . . . . . . . . . . . . . . . . . . . . . 452ing Interface Options for Layer 2 alls . . . . . . . . . . . . . . . . . . . . . . . . . . . 454uring Manual ARP Settings . . . . . . . . . . . 456ting the Internal DHCP Server on a Firewall ace . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457

    R 28ting Engines to the Management Center 459

    g Started with Connecting Engines to the . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460figuration Overview . . . . . . . . . . . . . . . . . 461

    g an Initial Configuration for Security es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461ting One-Time Passwords . . . . . . . . . . . . 461ng Initial Configuration Details . . . . . . . . . 463cting SSL VPN Gateways to the SMC. . . . 465

    R 29uring the Engine Tester . . . . . . . . . . . . . 467

    g Started with the Engine Tester . . . . . . . 468figuration Overview . . . . . . . . . . . . . . . . . 468

    fying Global Engine Tester Settings . . . . . 469g Engine Tests . . . . . . . . . . . . . . . . . . . . 470figuring Additional Test-Specific Settings . . 472nfiguring Additional Settings for the ernal Test . . . . . . . . . . . . . . . . . . . . . . . 472nfiguring Additional Settings for the

    Disabling/Enabling Configured Engine Tests. . . 476Disabling/Enabling Individual Engine Tests. . . 476Disabling/Enabling All Custom Engine Tests. . 477

    CHAPTER 30Engine Permissions . . . . . . . . . . . . . . . . . . . . . 479

    Getting Started with Engine Permissions . . . . . 480Configuration Overview . . . . . . . . . . . . . . . . . 480

    Defining Administrator Permissions on Engines 480Selecting Permitted Policies for Engines . . . . . 481

    CHAPTER 31Alias Translations for Engines . . . . . . . . . . . . . 483

    Getting Started with Alias Translations. . . . . . . 484Defining Alias Translation Values . . . . . . . . . . . 484

    Adding Alias Translation Values . . . . . . . . . . . 484Removing Alias Translation Values. . . . . . . . . 485

    CHAPTER 32Add-on Features . . . . . . . . . . . . . . . . . . . . . . . 487

    Getting Started with Add-On Features . . . . . . . 488Editing Add-On Settings . . . . . . . . . . . . . . . . . 488Configuring Anti-Virus Settings . . . . . . . . . . . . 489Configuring Anti-Spam Settings . . . . . . . . . . . . 489

    Defining General Anti-Spam Settings . . . . . . . 490Defining Scoring Settings for Anti-Spam. . . . . 492Defining Spam Filtering Rules . . . . . . . . . . . . 493Defining DNSBL Settings . . . . . . . . . . . . . . . 495Modifying Advanced Anti-Spam Settings. . . . . 497Modifying Anti-Spam Settings Elements . . . . . 499

    CHAPTER 33Advanced Engine Settings . . . . . . . . . . . . . . . . 501

    Getting Started with Advanced Engine Settings. 502Adjusting Firewall System Parameters . . . . . . . 502Adjusting Firewall Traffic Handling Parameters . 504Adjusting Firewall Clustering Options . . . . . . . . 506

    Adjusting General Firewall Clustering Options . 506Tuning the Firewall Load Balancing Filter . . . . 508

    Manually Tuning the Load Balancing Filter . . 508Adding Load Balancing Filter Entries . . . . . . 509

  • Adjusting IPS Engine System Parameters . . . . . 510Adjusting IPS Engine Traffic Parameters . . . . . . 511Adjusting IPS Clustering Options . . . . . . . . . . . 512Adjusting Layer 2 Firewall System Parameters. . 514Adjusting Layer 2 Firewall Traffic Parameters. . . 515Adjusting Layer 2 Firewall Clustering Options . . 516Configuring Inspection of Tunneled Traffic . . . . . 518Setting Connection Timeouts. . . . . . . . . . . . . . 519ConfigConfig

    CHAPTESetting

    GettinConfigConfigConfigActiva

    ROUT

    CHAPTEConfig

    GettinCon

    AddinDefiDefi

    CreAd

    DefiRou

    DeEnAc

    RouDeDe

    DefiAddinFirewaRemoModif

    DeaInteActivAdd

    Check

    CHAPTER 36Outbound Traffic Management . . . . . . . . . . . . . 549

    Getting Started with Outbound Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . 550

    Configuration Overview . . . . . . . . . . . . . . . . . 551

    Configuring Outbound Multi-Link Settings . . . . . 551Creating an Outbound Multi-Link Element. . . . 552Selecting NetLinks for an Outbound Multi-Link 55311Table of Contents

    uring Default SYN Flood Protection . . . . . 520uring Default Log Handling Settings . . . . 521

    R 34 up SNMP for Engines . . . . . . . . . . . . . . 523

    g Started with SNMP Configuration . . . . . 524uring SNMP Version 1 or 2c . . . . . . . . . . 524uring SNMP Version 3 . . . . . . . . . . . . . . 525uring What Triggers SNMP Traps . . . . . . . 525ting the SNMP Agent on Engines . . . . . . . 526

    ING

    R 35uring Routing. . . . . . . . . . . . . . . . . . . . . 529

    g Started with Routing . . . . . . . . . . . . . . 530figuration Overview . . . . . . . . . . . . . . . . . 530

    g Routes for Firewalls . . . . . . . . . . . . . . . 531ning a Single-Link Route for a Firewall . . . 531ning a Multi-Link Route for a Firewall . . . . 532ating NetLinks. . . . . . . . . . . . . . . . . . . . 532

    ding a Multi-Link Route . . . . . . . . . . . . . . 534ning Routing for the Route-Based VPN . . . 535ting DHCP Messages . . . . . . . . . . . . . . . 536fining a DHCP Server . . . . . . . . . . . . . . . 536abling DHCP Relay . . . . . . . . . . . . . . . . . 537tivating the DHCP Relay Sub-policy . . . . . . 538ting Multicast Traffic . . . . . . . . . . . . . . . . 538fining Static Multicast . . . . . . . . . . . . . . . 539fining IGMP-Based Multicast Forwarding . . 540ning Policy Routing . . . . . . . . . . . . . . . . . 541g Routes for IPS Engines and Layer 2 lls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543ving Routes . . . . . . . . . . . . . . . . . . . . . . 544ying Antispoofing for Firewalls . . . . . . . . . 544ctivating Antispoofing for an IP Address/rface Pair . . . . . . . . . . . . . . . . . . . . . . . . 545ating Antispoofing for Routable IP

    resses . . . . . . . . . . . . . . . . . . . . . . . . . . 546ing Routes . . . . . . . . . . . . . . . . . . . . . . 546

    Defining Destination Cache Settings . . . . . . . 554Creating Outbound Load Balancing NAT Rules . 554Monitoring And Testing Outbound Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . 556

    CHAPTER 37Inbound Traffic Management . . . . . . . . . . . . . . 557

    Getting Started with Inbound Traffic Management 558Configuration Overview . . . . . . . . . . . . . . . . . 558

    Defining a Server Pool . . . . . . . . . . . . . . . . . . 559Creating a New Server Pool Element . . . . . . . 559Defining External Address(es) of Server Pool . 559Adding Server Pool Members . . . . . . . . . . . . 560

    Installing Monitoring Agents . . . . . . . . . . . . . . 561Uninstalling Monitoring Agents . . . . . . . . . . . . 563Configuring Monitoring Agents. . . . . . . . . . . . . 563

    Editing sgagent.local.conf . . . . . . . . . . . . . . . 564Editing sgagent.conf. . . . . . . . . . . . . . . . . . . 564

    Editing the sgagent.conf Statement Section. 566Options in the sgagent.conf Statement Section . . . . . . . . . . . . . . . . . . . . . . . . . . . 567Monitoring Agent Statement Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . 568Editing the sgagent.conf Test Section . . . . . 570Monitoring Agent Test Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . 572Editing Internal Tests for Monitoring Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . 573Monitoring Agent Internal Test Examples . . . 575

    Enabling Monitoring Agents. . . . . . . . . . . . . . . 578Entering Server Pool IP Addresses on Your DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578Creating Access Rules for Inbound Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . 579Configuring Dynamic DNS Updates . . . . . . . . . 580

    Configuration Overview . . . . . . . . . . . . . . . . . 580

    Improving DDNS Security . . . . . . . . . . . . . . . 580Defining an External DNS Server . . . . . . . . . . 581Defining the Dynamic DNS Update Information 582Defining a Dynamic DNS Rule . . . . . . . . . . . . 583

  • 12

    Monitoring and Testing Monitoring Agents. . . . . 583

    TRAFFIC INSPECTION POLICIES

    CHAPTER 38Creating and Managing Policy Elements . . . . . . 587

    Getting Started with Policies . . . . . . . . . . . . . . 588Configuration Overview . . . . . . . . . . . . . . . . . 590

    CreatCreat

    CreaCon

    InstalTracki

    ChePrevChe

    VieCo

    CheCha

    MovinDelet

    CHAPTEEditing

    GettinUsing

    EditEditDefi

    CriAddRea

    SeaFindCou

    AddinEditin

    DefiDefi

    EditinDefiMatDefi

    Defining Access Rule Action Options . . . . . . . 616Defining Apply Blacklist Action Options . . . . 616Defining Discard Action Options . . . . . . . . . 617Defining Refuse Action Options. . . . . . . . . . 617Defining Jump Action Options . . . . . . . . . . . 618Defining Firewall Allow Action Options . . . . . 618Defining Continue Action Options in Access Rules. . . . . . . . . . . . . . . . . . . . . . . 622Defining Firewall Use VPN Action Options. . . 622Table of Contents

    ing a New Template Policy or a Policy . . . . 591ing a New Sub-Policy . . . . . . . . . . . . . . . . 592ting a New Empty Sub-Policy . . . . . . . . . . 592

    verting Existing Rules into a Sub-Policy . . . 593ling Policies . . . . . . . . . . . . . . . . . . . . . . 594ng Policy Changes . . . . . . . . . . . . . . . . . 596cking the Currently Installed Policy . . . . . . 596iewing the Currently Installed Policy . . . . . 596cking and Comparing Policy Versions . . . . 596wing Policy Snapshots . . . . . . . . . . . . . . 597mparing Two Policy Snapshots. . . . . . . . . 597cking for Untransferred Configuration nges . . . . . . . . . . . . . . . . . . . . . . . . . . . 598g the Policy Under a Different Template . . 598ing Policies, Templates, and Sub-Policies . 599

    R 39 Policies . . . . . . . . . . . . . . . . . . . . . . . . 601

    g Started with Editing the Rules in Policies 602 the Policy Editing View . . . . . . . . . . . . . . 603ing Rule Tables . . . . . . . . . . . . . . . . . . . . 604ing Rule Cells . . . . . . . . . . . . . . . . . . . . . 605ning Source, Destination, and Service teria . . . . . . . . . . . . . . . . . . . . . . . . . . . 606ing Comments in Policies. . . . . . . . . . . . . 607ding Rule Identifiers . . . . . . . . . . . . . . . . 607

    rching in Rules . . . . . . . . . . . . . . . . . . . . 608ing Unused Rules in Firewall Policies (Hit nters). . . . . . . . . . . . . . . . . . . . . . . . . . . 609g Insert Points in Policy Templates . . . . . . 610g Ethernet Rules. . . . . . . . . . . . . . . . . . . 610ning Logging Options for Ethernet Rules . . 611ning a MAC Address for Ethernet Rules . . 612g Access Rules. . . . . . . . . . . . . . . . . . . . 612ning What Traffic an Access Rule ches . . . . . . . . . . . . . . . . . . . . . . . . . . . 613ning What Action an Access Rule Takes . . 615

    Defining IPS and Layer 2 Firewall Allow Action Options . . . . . . . . . . . . . . . . . . . . . . 623

    Defining Access Rule Logging Options . . . . . . 624Defining Firewall Access Rule Authentication Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626

    Editing Firewall NAT Rules . . . . . . . . . . . . . . . . 626Adding a NAT Rule . . . . . . . . . . . . . . . . . . . . 627Defining What Traffic a NAT Rule Matches . . . 628Overwriting the Source Address in Packets. . . 629

    Defining Static Source Translation Options . 630Defining Dynamic Source Translation Options. . . . . . . . . . . . . . . . . . . . . . . . . . . 631

    Overwriting the Destination Address in Packets 632NAT Rule Examples . . . . . . . . . . . . . . . . . . . 634

    Example of a Static Source Translation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634Example of a Dynamic Source Translation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635Example of a Destination Translation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636Example of a Combined Source And Destination Translation Rule. . . . . . . . . . . . 637

    Editing Inspection Policies . . . . . . . . . . . . . . . 638Modifying the Inspection Rules Tree . . . . . . . 638

    Adding Situations to the Rules Tree. . . . . . . 640Removing Overrides From the Rules Tree. . . 640

    Adding Exceptions to the Inspection Policy . . . 640Defining What Traffic an Inspection Exception Rule Matches . . . . . . . . . . . . . . . 641Defining What Action an Exception Rule Takes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643Defining Continue Action Options in Exception Rules. . . . . . . . . . . . . . . . . . . . . 643Defining Permit Action Options in Exception Rules. . . . . . . . . . . . . . . . . . . . . 644Defining Terminate Action Options in Exception Rules. . . . . . . . . . . . . . . . . . . . . 645

    Defining Logging Options for Inspection Rules and Exceptions . . . . . . . . . . . . . . . . . . . . . . 647Importing Snort Rules Libraries. . . . . . . . . . . 648

    Limiting the Time when a Rule Is Active . . . . . . 652Validating Rules Automatically. . . . . . . . . . . . . 653

  • Overriding Default Validation Options for Rules 654Viewing Policy Validation Issues. . . . . . . . . . . 656Disabling a Validation Warning for a Rule . . . . 657Excluding Rules from Policy Validation . . . . . . 657

    Changing Default Rules. . . . . . . . . . . . . . . . . . 657

    CHAPTER 40Defining IP Addresses . . . . . . . . . . . . . . . . . . . 659

    Getting Started with Defining IP Addresses. . . . 660Defin

    DefiDefiDefiDefiDefiDefiDefiDefiDefi

    Using

    CHAPTEDefinin

    GettinCon

    DefinDefiDefiGrou

    UsingDefin

    DefiDefiDefiDefiDefiDefiParaDefiParaDefiDefiDefiDefiDefiDefiDefiDefi

    Defining TCP Proxy Protocol Parameters. . . . . 691Defining TFTP Protocol Parameters . . . . . . . . 692

    CHAPTER 42Defining Situations . . . . . . . . . . . . . . . . . . . . . 695

    Getting Started With Situations . . . . . . . . . . . . 696Configuration Overview . . . . . . . . . . . . . . . . . 697

    Creating New Situation Elements . . . . . . . . . . 697Defining Context Options for Situations . . . . . . 69913Table of Contents

    ing IP Addresses as Elements . . . . . . . . . 661ning Address Range Elements . . . . . . . . . 661ning Alias Elements . . . . . . . . . . . . . . . . 662ning Domain Name Elements. . . . . . . . . . 663ning Expression Elements . . . . . . . . . . . . 664ning Group Elements. . . . . . . . . . . . . . . . 666ning Host Elements . . . . . . . . . . . . . . . . 667ning Network Elements . . . . . . . . . . . . . . 668ning Router Elements . . . . . . . . . . . . . . . 668ning Zone Elements . . . . . . . . . . . . . . . . 670 Feature-Specific Elements in Policies . . . 670

    R 41g Network Services . . . . . . . . . . . . . . . . 673

    g Started with Services . . . . . . . . . . . . . 674figuration Overview . . . . . . . . . . . . . . . . . 674

    ing Services . . . . . . . . . . . . . . . . . . . . . . 675ning a New IP-Based Service . . . . . . . . . . 675ning a New Ethernet Service . . . . . . . . . . 677ping Services . . . . . . . . . . . . . . . . . . . . 678 Protocol Elements . . . . . . . . . . . . . . . . . 678ing Protocol Parameters . . . . . . . . . . . . . 679ning DNS Protocol Parameters . . . . . . . . . 679ning FTP Protocol Parameters . . . . . . . . . 680ning GRE Protocol Parameters . . . . . . . . . 681ning H323 Protocol Parameters . . . . . . . . 682ning HTTP/HTTPS Protocol Parameters. . . 682ning IPv4 Encapsulation Protocol meters . . . . . . . . . . . . . . . . . . . . . . . . . 684ning IPv6 Encapsulation Protocol meters . . . . . . . . . . . . . . . . . . . . . . . . . 684ning MSRPC Protocol Parameters. . . . . . . 685ning NetBIOS Protocol Parameters . . . . . . 686ning Oracle Protocol Parameters . . . . . . . 686ning Shell (RSH) Protocol Parameters. . . . 687ning SIP Protocol Parameters. . . . . . . . . . 688ning SMTP Protocol Parameters . . . . . . . . 689ning SSH Protocol Parameters . . . . . . . . . 689ning SunRPC Protocol Options . . . . . . . . . 690

    Defining HTTP URL Filter Options. . . . . . . . . . 700Defining Port/Host Scan Detection Options . . 700

    Defining Context Options for Correlation Situations . . . . . . . . . . . . . . . . . . . . . . . . . . . 702

    Configuring Compress Contexts . . . . . . . . . . 703Configuring Count Contexts. . . . . . . . . . . . . . 704Configuring Group Contexts . . . . . . . . . . . . . 705Configuring Match Contexts . . . . . . . . . . . . . 706Configuring Sequence Contexts. . . . . . . . . . . 706

    Defining Tags for Situations . . . . . . . . . . . . . . 707Creating a New Tag . . . . . . . . . . . . . . . . . . . 707Adding Tags to One Situation at a Time . . . . . 708Adding Tags to Several Situations at Once . . . 708Removing Tags from Situations . . . . . . . . . . . 709

    Working With Vulnerabilities . . . . . . . . . . . . . . 709Creating New Vulnerability Elements . . . . . . . 709Associating Vulnerabilities With Situations . . . 710

    CHAPTER 43Working With Applications . . . . . . . . . . . . . . . 711

    Getting Started With Applications . . . . . . . . . . 712Configuration Overview . . . . . . . . . . . . . . . . . 712

    Creating TLS Matches . . . . . . . . . . . . . . . . . . 712Creating Access Rules for Application Detection 714

    Overriding Application Properties in Service Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . 714Logging Application Use . . . . . . . . . . . . . . . . 716

    CHAPTER 44Defining User Responses . . . . . . . . . . . . . . . . . 717

    Getting Started with User Responses . . . . . . . 718Configuration Overview . . . . . . . . . . . . . . . . . 718

    Creating User Responses . . . . . . . . . . . . . . . . 718Defining User Response Entries . . . . . . . . . . . 719

    CHAPTER 45Quality of Service (QoS) . . . . . . . . . . . . . . . . . 721

    Getting Started with QoS . . . . . . . . . . . . . . . . 722Configuration Overview . . . . . . . . . . . . . . . . . 723

    Creating QoS Classes . . . . . . . . . . . . . . . . . . 723

  • 14

    Defining QoS Policies . . . . . . . . . . . . . . . . . . . 724Creating New QoS Policies . . . . . . . . . . . . . . 724Editing QoS Rules. . . . . . . . . . . . . . . . . . . . . 725

    Matching QoS Rules to Network Traffic . . . . . . . 726Defining Speed and QoS Policy for Interfaces . . 727

    CHAPTER 46Filtering Web Addresses . . . . . . . . . . . . . . . . . . 729

    Getting Started with Web Filtering . . . . . . . . . . 730Con

    BlackCreat

    CHAPTESetting

    GettinCon

    ConfigConfig

    CreaElemImpoCertGenCertExpoCert

    DefinInspe

    CreaImpoCertConfor T

    ActivaExclud

    GlobExclTraff

    DefinCreat

    CHAPTEExtern

    GettinCon

    DefinDefin

    Crea

    Defining Protocol Parameters for CIS Redirection . . . . . . . . . . . . . . . . . . . . . . . . . 753

    Defining Access Rules for CIS Redirection . . . . 754Defining NAT Rules for CIS Redirection . . . . . . 755

    CHAPTER 49Blacklisting IP Addresses . . . . . . . . . . . . . . . . 757

    Getting Started with Blacklisting . . . . . . . . . . . 758Configuration Overview . . . . . . . . . . . . . . . . . 758Table of Contents

    figuration Overview . . . . . . . . . . . . . . . . . 730

    listing/Whitelisting Web URLs Manually . . 731ing Web Filtering Rules . . . . . . . . . . . . . . 732

    R 47 up TLS Inspection . . . . . . . . . . . . . . . . 733

    g Started with TLS inspection . . . . . . . . . 734figuration Overview . . . . . . . . . . . . . . . . . 735

    uring Server Protection. . . . . . . . . . . . . . 736uring Client Protection . . . . . . . . . . . . . . 737ting Client Protection Certificate Authority ents . . . . . . . . . . . . . . . . . . . . . . . . . . . 737rting a Private Key and Signing

    ificate for HTTPS Client Protection . . . . . . 738erating a Private Key and Signing ificate for HTTPS Client Protection . . . . . . 739rting an HTTPS Client Protection ificate . . . . . . . . . . . . . . . . . . . . . . . . . . 740ing Trusted Certificate Authorities for TLS ction . . . . . . . . . . . . . . . . . . . . . . . . . . . 740ting Trusted Certificate Authority Elements 741rting a Trusted Certificate Authority

    ificate for TLS inspection . . . . . . . . . . . . 741figuring Certificate Revocation List Checks LS inspection. . . . . . . . . . . . . . . . . . . . . 742ting TLS inspection on the Engine . . . . . . 743ing Connections from TLS inspection . . . 744ally Excluding Domains From Decryption . 744uding Domains from Inspection of HTTPS ic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745ing a Custom HTTPS Service . . . . . . . . . . 746ing Access Rules for TLS inspection . . . . . 747

    R 48al Content Inspection. . . . . . . . . . . . . . . 749

    g Started with External Content Inspection 750figuration Overview . . . . . . . . . . . . . . . . . 750

    ing a Content Inspection Server Element . 751ing a Service for CIS Redirection . . . . . . . 752ting a Service for CIS Redirection . . . . . . 752

Enabling Blacklist Enforcement . . . 759
Configuring Automatic Blacklisting . . . 760
  Defining Which Traffic is Blacklisted Automatically . . . 760
    Adding a Rule for Automatic Blacklisting . . . 760
    Defining Blacklisting Rule Action Options . . . 761
Blacklisting Traffic Manually . . . 763

USERS AND AUTHENTICATION

CHAPTER 50
Setting up Directory Servers . . . 767
Getting Started with Directory Servers . . . 768
  Configuration Overview . . . 769
Integrating External Directory Servers . . . 769
  Configuring Schema Files on External Directory Servers . . . 770
  Defining Active Directory Server Elements . . . 771
  Defining LDAP Server Elements . . . 771
  Configuring LDAP Connection Settings . . . 773
  Adding LDAP Object Classes . . . 774
  Configuring LDAP Attribute Mapping . . . 775
  Adding Authentication Methods . . . 776
  Defining LDAP Domains . . . 778
Enabling Access Control by User . . . 779
  Defining the Active Directory Domain Controllers for Access Control by User . . . 780
  Creating User Agent Elements . . . 781
  Selecting User Agents for Firewalls . . . 782
  Generating a Certificate and Saving the Configuration . . . 782
  Allowing Communication With the User Agent . . . 783
  Installing User Agents . . . 783
Defining User Accounts . . . 784
  Defining User Groups . . . 785
  Defining Users . . . 786
  Linking Authentication Server Users to External Directories . . . 788
    Selecting Domain Nodes for User Linking . . . 788
    Creating and Linking Authentication Server User Accounts . . . 790
Managing User Information . . . 792
  Adding/Removing Users From User Groups . . . 792
  Importing and Exporting User Information . . . 793
    Importing Users from an LDIF File . . . 793
    Exporting Users to an LDIF File . . . 793
  Changing User Passwords . . . 794
  Clearing the Authentication Settings of a User . . . 794
  Resetting Local User Database on Firewalls . . . 794
  Setting User Database Replication to Firewalls On or Off . . . 795

CHAPTER 51
Setting up User Authentication . . . 797
Getting Started with User Authentication . . . 798
  Configuration Overview . . . 799
Integrating External Authentication Services . . . 800
  Defining RADIUS or TACACS+ Authentication Servers . . . 800
  Defining Authentication Methods for External Servers . . . 802
Integrating Authentication Server Services . . . 803
  Defining Authentication Server Elements . . . 804
  Defining Authentication Server Authentication Methods . . . 805
  Defining Authentication Server RADIUS Clients . . . 809
  Defining Authentication Server Notification Channels . . . 810
  Creating and Signing Authentication Server Certificates . . . 812
  Enabling Federated Authentication With the Authentication Server . . . 814
  Enabling RADIUS Accounting With the Authentication Server . . . 814
  Enabling Web Services With the Authentication Server . . . 814
Defining IPv4 Access Rules for Authentication . . . 815
Enabling Browser-Based User Authentication . . . 817
  Creating and Signing HTTPS Certificates for Browser-Based User Authentication . . . 818
  Defining IPv4 Access Rules for Browser-Based User Authentication . . . 819
  Enabling Redirection of Unauthenticated HTTP Connections . . . 820
Authenticating to a Stonesoft Firewall . . . 821
Customizing the HTML Pages Profile for Browser-Based User Authentication . . . 822
  Exporting the Default HTML Pages Profile . . . 822
  Customizing the Default HTML Pages . . . 823
  Importing the Custom HTML Pages . . . 823
Customizing the Telnet Authentication Prompt . . . 824
Monitoring and Testing User Authentication . . . 825

VIRTUAL PRIVATE NETWORKS

CHAPTER 52
Basic Policy-Based VPN Configurations . . . 829
Getting Started With Basic Policy-Based VPN Configuration . . . 830
Configuration 1: Basic VPN Between Stonesoft Firewall/VPN Engines . . . 831
  Creating Gateway Elements for Configuration 1 . . . 831
  Creating a VPN Element for Configuration 1 . . . 832
  Creating Rules for VPN Configuration 1 . . . 834
Configuration 2: Basic VPN With a Partner Gateway . . . 835
  Creating an Internal Gateway Element for Configuration 2 . . . 835
  Creating an External Gateway Element for Configuration 2 . . . 837
  Defining a Site for External Gateway in Configuration 2 . . . 838
  Creating a VPN Profile for Configuration 2 . . . 838
  Creating a VPN Element for Configuration 2 . . . 841
  Creating Rules for Configuration 2 . . . 843
Configuration 3: Basic VPN for Remote Clients . . . 844
  Managing VPN Client Addresses in Configuration 3 . . . 844
  Creating Gateway Elements for Configuration 3 . . . 845
  Adding VPN Client Settings for Configuration 3 . . . 846
  Creating a VPN Element for Configuration 3 . . . 848
  Creating Users for VPN Configuration 3 . . . 849
  Creating Rules for VPN Configuration 3 . . . 850
Configuration 4: Basic VPN Hub . . . 852
  Creating Gateway Elements for VPN Configuration 4 . . . 852
  Creating a VPN Element for VPN Configuration 4 . . . 853
  Defining Site Properties for VPN Configuration 4 . . . 854
  Creating Rules for VPN Configuration 4 . . . 855

CHAPTER 53
Configuring IPsec VPNs . . . 857
Getting Started With IPsec VPNs . . . 858
  Configuration Overview . . . 859
Configuring IPsec VPNs . . . 860
Defining Gateway Profiles . . . 861
  Defining a Custom Gateway Profile . . . 861
Defining Security Gateways . . . 863
  Creating a New Security Gateway Element . . . 864
  Defining End-Points for Internal Security Gateways . . . 864
  Defining End-Points for External Security Gateways . . . 867
  Defining Trusted CAs for a Gateway . . . 869
  Defining Gateway-Specific VPN Client Settings . . . 870
Defining Sites for VPN Gateways . . . 872
  Disabling/Re-Enabling Automatic VPN Site Management . . . 873
  Adjusting Automatic VPN Site Management . . . 873
  Adding a New VPN Site . . . 874
  Defining Protected Networks for VPN Sites . . . 874
  Adjusting VPN-Specific Site Settings . . . 875
  Disabling a VPN Site Temporarily in All VPNs . . . 876
  Removing a VPN Site Permanently from All VPNs . . . 876
Defining VPN Profiles . . . 877
  Creating a New VPN Profile . . . 877
  Modifying an Existing VPN Profile . . . 878
  Defining IKE SA Settings for a VPN . . . 879
  Defining IPsec SA Settings for a VPN . . . 881
  Defining VPN Client Settings . . . 883
  Defining Trusted CAs for a VPN . . . 885
Defining Policy-Based VPNs . . . 886
  Creating a New VPN Element . . . 886
  Modifying an Existing VPN Element . . . 887
  Defining VPN Topology for Policy-Based VPNs . . . 888
  Defining VPN Tunnel Settings for Policy-Based VPNs . . . 889
  Editing VPN Link Modes in Policy-Based VPNs . . . 892
  Creating Rules for Policy-Based VPNs . . . 893
    Creating Rules for Gateway Connections in Policy-Based VPNs . . . 894
    Creating Rules for VPN Client Connections in Policy-Based VPNs . . . 895
    Creating Forwarding Rules on Hub Gateways for Policy-Based VPNs . . . 897
    Preventing Other Access Rules from Matching Policy-Based VPN Traffic . . . 898
    Creating NAT Rules for Policy-Based VPN Traffic . . . 898
Editing the Route-Based VPN . . . 899
  Selecting the Default Encryption for the Route-Based VPN . . . 899
  Defining Route-Based VPN Tunnels . . . 900
  Using the Route-Based VPN in Tunnel Mode . . . 902
Monitoring VPNs . . . 903

CHAPTER 54
Managing VPN Certificates . . . 905
Getting Started With VPN Certificates . . . 906
  Configuration Overview . . . 906
Defining a VPN Certificate Authority . . . 907
Creating and Signing VPN Certificates . . . 909
  Creating a VPN Certificate or Certificate Request for an Internal Gateway . . . 909
  Signing External Certificate Requests Internally . . . 911
Uploading VPN Certificates Manually . . . 912
Renewing VPN Certificates . . . 913
Exporting the Certificate of VPN Gateway or VPN CA . . . 914
Importing a VPN Gateway Certificate . . . 915
Checking When Gateway Certificates Expire . . . 915
Checking When an Internal VPN CA Expires . . . 916

CHAPTER 55
Reconfiguring Existing VPNs . . . 917
Adding or Removing Tunnels in a VPN . . . 918
Configuring NAT Settings for an Existing VPN . . . 918
  Activating NAT Traversal . . . 918
  Translating Addresses of VPN Communications Between Gateways . . . 919
  Translating Addresses in Traffic Inside a VPN Tunnel . . . 919
Adding New Gateways to an Existing VPN . . . 920
Changing Gateway IP Addressing in an Existing VPN . . . 920
Giving VPN Access to Additional Hosts . . . 921
Routing Internet Traffic Through Policy-Based VPNs . . . 922
Redirecting Traffic Between VPN Tunnels . . . 922
Renewing or Generating Pre-Shared Keys . . . 923
  Generating a New Pre-Shared Key Automatically . . . 923
  Renewing Pre-Shared Keys Manually . . . 924
Advanced VPN Tuning . . . 924
  Defining a Custom Gateway Settings Element . . . 925
    Adjusting MOBIKE Settings . . . 925
    Adjusting Negotiation Retry Settings . . . 926
    Adjusting Certificate Cache Settings . . . 926
  Assigning the Gateway Settings for a Firewall/VPN Engine . . . 927

CHAPTER 56
VPN Client Settings . . . 929
Getting Started With VPN Client Settings . . . 930
List of VPN Client Settings in the Management Client . . . 931
Managing VPN Client IP Addresses . . . 934
  Configuring NAT Pool for VPN Clients . . . 934
  Configuring Virtual IP Addressing for VPN Clients . . . 935
  Configuring the Gateway for Virtual IP Address Clients . . . 936
  Allowing DHCP Relay in the Policy . . . 937
Exporting VPN Client Configuration to a File . . . 938

MAINTENANCE AND UPGRADES

CHAPTER 57
Backing up and Restoring System Configurations . . . 941
Getting Started with Backups . . . 942
  Configuration Overview . . . 942
Creating Backups . . . 943
Storing Backup Files . . . 944
Restoring Backups . . . 945
  Restoring a Management Server Backup . . . 945
  Restoring a Log Server Backup . . . 946
  Restoring an Authentication Server Backup . . . 947
Recovering from a Hardware Failure . . . 947

CHAPTER 58
Managing Log Data . . . 949
Getting Started with Log Data Management . . . 950
  Configuration Overview . . . 950
Defining When Logs Are Generated . . . 951
Archiving Log Data . . . 952
  Creating an Archive Log Task . . . 952
  Selecting Log Data for Archiving . . . 953
  Selecting Operation Settings for Archiving Log Data . . . 953
Deleting Log Data . . . 954
  Creating a Delete Log Task . . . 954
  Selecting Data for Deleting Logs . . . 955
  Selecting Operation Settings for Deleting Logs . . . 956
Pruning Log Data . . . 956
  Disabling Pruning Filters . . . 958
Exporting Log Data . . . 958
  Creating an Export Log Task . . . 959
  Selecting Data for Log Export . . . 960
  Selecting Operation Settings for Log Export . . . 961
Viewing a History of Executed Log Tasks . . . 962

CHAPTER 59

Managing and Scheduling Tasks . . . 963
Getting Started with Tasks . . . 964
  Configuration Overview . . . 964
Task Types . . . 965
Creating New Task Definitions . . . 967
  Creating Backup Tasks . . . 967
  Creating Policy Refresh Tasks . . . 968
  Creating Policy Upload Tasks . . . 968
  Creating Remote Upgrade Tasks . . . 969
  Creating sgInfo Tasks . . . 970
Scheduling Tasks . . . 970
Starting Tasks Manually . . . 971
Pausing the Scheduled Execution of a Task . . . 971
Cancelling a Task Schedule . . . 972
Stopping Task Execution . . . 972

CHAPTER 60
Managing Licenses . . . 973
Getting Started with Licenses . . . 974
Generating New Licenses . . . 976
Upgrading Licenses Manually . . . 977
Changing License Binding Details . . . 978
Installing Licenses . . . 979
  Installing a License for an Unlicensed Component . . . 979
  Replacing the License of a Previously Licensed Component . . . 980
Checking If All Components Are Licensed . . . 981
Checking License Validity and State . . . 982

CHAPTER 61
Upgrading the Management Center . . . 983
Getting Started with Upgrading the SMC . . . 984
  Configuration Overview . . . 985
Obtaining the SMC Installation Files . . . 985
Upgrading Management Center Servers . . . 986
Default Installation Directories for SMC . . . 987

CHAPTER 62
Upgrading the Engines . . . 989
Getting Started with Upgrading Engines . . . 990
  Configuration Overview . . . 991
Obtaining Engine Upgrade Files . . . 991
Upgrading Engines Remotely . . . 992
Upgrading Legacy IPS Engines . . . 994
  Upgrading Sensors and Sensor Clusters to IPS Engines . . . 994
  Upgrading a Legacy Sensor-Analyzer to a Single IPS Engine . . . 995
  Removing Unused Analyzers . . . 996

CHAPTER 63
Manual Dynamic Updates . . . 997
Getting Started with Manual Dynamic Updates . . . 998
  Configuration Overview . . . 998
Importing an Update Package . . . 999
Activating an Update Package . . . 999

TROUBLESHOOTING

CHAPTER 64
General Troubleshooting Tips . . . 1003
If Your Problem Is Not Listed . . . 1004
Tools For Further Troubleshooting . . . 1004

CHAPTER 65
Troubleshooting Accounts and Passwords . . . 1005
Forgotten Passwords . . . 1006
User Account Changes Have no Effect . . . 1007
Creating an Emergency Administrator Account . . . 1007

CHAPTER 66
Troubleshooting Alert, Log, and Error Messages . . . 1009
Alert Log Messages . . . 1010
  Certificate Authority Expired/Expiring Alerts . . . 1010
  Certificate Expired/Expiring Alerts . . . 1010
  Log Spool Filling . . . 1010
  Status Surveillance: Inoperative Security Engines . . . 1010
  System Alert . . . 1011
  Test Failed . . . 1011
  Throughput License Exceeded . . . 1011
Log Messages . . . 1012
  Connection Closed/Reset by Client/Server . . . 1012
  Connection Removed During Connection Setup . . . 1012
  Connection State Might Be Too Large . . . 1012
  Connection Timeout . . . 1013
  Incomplete Connection Closed . . . 1014
  NAT Balance: Remote Host Does Not Respond . . . 1014
  Not a Valid SYN Packet . . . 1015
  Requested NAT Cannot Be Done . . . 1016
  Spoofed Packets . . . 1016
  IPsec VPN Log Messages . . . 1016
Error Messages . . . 1017
  Command Failed/Connect Timed out . . . 1017
  PKIX Validation Failed . . . 1017
  Policy Installation Errors . . . 1017
  Unexpected Error . . . 1017

CHAPTER 67
Troubleshooting Certificates . . . 1019
Understanding Certificate-Related Problems . . . 1020
Replacing Expired/Missing Certificates . . . 1022
  Renewing SMC Server Certificates . . . 1022
  Renewing Engine Certificates . . . 1023
Dealing with Expiring Certificate Authorities . . . 1024

CHAPTER 68
Troubleshooting Engine Operation . . . 1027
Node Does not Go or Stay Online . . . 1028
Error Commanding an Engine . . . 1028
Errors with Heartbeat and Synchronization . . . 1029
Problems Contacting the Management Server . . . 1029

CHAPTER 69
Troubleshooting Licensing . . . 1031
Troubleshooting Licensing . . . 1032
License Is Shown as Retained . . . 1032
License Is Shown as Unassigned . . . 1033
Throughput License Exceeded Alerts . . . 1033

CHAPTER 70
Troubleshooting Logging . . . 1035
Problems With Viewing Logs . . . 1036
Logs Are Filling up the Storage Space . . . 1036
Log Server Does not Run . . . 1037

CHAPTER 71
Troubleshooting the Management Client . . . 1039
Some Options Are Disabled . . . 1040
Slow Startup and Use . . . 1040
Problems Logging In with the Management Client . . . 1041
Problems with Layout and Views . . . 1041
Problems With Viewing Statistics . . . 1041
Problems with Status Monitoring . . . 1042
Problems Installing Web Start on an External Server . . . 1042
Problems Controlling Management Servers . . . 1043

CHAPTER 72
Troubleshooting NAT . . . 1045
Troubleshooting NAT Errors . . . 1046
NAT Is Not Applied Correctly . . . 1046
NAT Is Applied When it Should Not Be . . . 1047

CHAPTER 73
Troubleshooting Policies . . . 1049
Troubleshooting Policy Installation . . . 1050
  The Engine Performs a Roll-Back at Policy Installation . . . 1050
  The Management Server Contact to Nodes Times Out . . . 1050
  Policy Installation Fails for Some Other Reason . . . 1051
  Warning Automatic Proxy ARP Option Is Ignored . . . 1051
Troubleshooting Rules . . . 1052
  Validating Rules . . . 1052
  Rule That Allows ANY Service Does Not Allow All Traffic . . . 1052
  Inspection Policy Produces False Positives . . . 1052
  Enabling Passthrough for PPTP Traffic . . . 1053
  Traffic I Want to Allow Is Stopped by the Firewall . . . 1053
  Packets Are Dropped as Spoofed . . . 1054
  Unsupported Definitions in IPv6 Access Rules . . . 1055

CHAPTER 74
Troubleshooting Reporting . . . 1057
Troubleshooting Reporting . . . 1058
  No Report is Generated at All . . . 1058
  Empty Report Sections or Incomplete Data . . . 1059

CHAPTER 75
Troubleshooting Upgrades . . . 1061
Upgrade Fails Because of Running Services . . . 1062
Stonesoft Management Center Installation Failed . . . 1062

CHAPTER 76
Troubleshooting IPsec VPNs . . . 1063
Checking Automatic IPsec VPN Validation Results . . . 1064
Reading IPsec VPN-Related Logs . . . 1064
VPN Certificate Issues . . . 1065
Problems with Internal to External Gateway VPN . . . 1065
Problems Connecting With a Stonesoft IPsec VPN Client . . . 1066
Traffic Does Not Use the Route-Based VPN . . . 1067

REFERENCE

APPENDIX A
Command Line Tools . . . 1071
Management Center Commands . . . 1072
Engine Commands . . . 1082
Server Pool Monitoring Agent Commands . . . 1089

APPENDIX B
Default Communication Ports . . . 1091
Management Center Ports . . . 1092
Security Engine Ports . . . 1095

APPENDIX C
Predefined Aliases . . . 1099
Pre-Defined User Aliases . . . 1100
System Aliases . . . 1100

APPENDIX D
Regular Expression Syntax . . . 1103
Syntax for Stonesoft Regular Expressions . . . 1104
Special Character Sequences . . . 1106
Pattern-Matching Modifiers . . . 1107
Bit Variable Extensions . . . 1108
Variable Expression Evaluation . . . 1110
  Stream Operations . . . 1112
  Other Expressions . . . 1113
System Variables . . . 1114
Independent Subexpressions . . . 1115
Para