STONEGATE 5.2

ADMINISTRATOR'S GUIDE

FIREWALL / INTRUSION PREVENTION SYSTEM / MANAGEMENT CENTER / VIRTUAL PRIVATE NETWORKS

Legal Information

End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html

Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for those products is available at the Stonesoft website: www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation, on behalf of the U.S. Government, the following provisions apply. If the Software is supplied to the Department of Defense (DoD), the Software is subject to Restricted Rights, as that term is defined in the DOD Supplement to the Federal Acquisition Regulations (DFAR) in paragraph 252.227-7013(c)(1). If the Software is supplied to any unit or agency of the United States Government other than DOD, the Government's rights in the Software will be as defined in paragraph 52.227-19(c)(2) of the Federal Acquisition Regulations (FAR). Use, duplication, reproduction or disclosure by the Government is subject to such restrictions or successor provisions.

Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC) No 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license from the relevant authorities.

General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for support and maintenance services and the related service description, which can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos. 1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095, 131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6,856,621; 6,885,633; 6,912,200; 6,996,573; 7,099,284; 7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534; 7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered trademarks are property of their respective owners.

Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty as to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. Copyright 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.

Revision: SGAG_20101027


TABLE OF CONTENTS

GETTING STARTED

CHAPTER 1
Using StoneGate Documentation ..... 21
Objectives and Audience ..... 22
Typographical Conventions ..... 22
Documentation Available ..... 23
Product Documentation ..... 23
Support Documentation ..... 24
System Requirements ..... 24
Contact Information ..... 24
Licensing Issues ..... 24
Technical Support ..... 24
Your Comments ..... 24
Security Related Questions and Comments ..... 25
Other Queries ..... 25

CHAPTER 2

What's New? ..... 27
Important Changes ..... 28
VPNs: End of Support for Legacy UDP Encapsulation ..... 28
SMC: End of Support for Legacy VPN Clients ..... 28
Other Changes in SMC 5.2.2 ..... 28
Automatic Update Proxy Server Authentication ..... 28
Disable Connection Synchronization ..... 28
Other Changes in SMC 5.2 ..... 29
Color Selection for Comment Rules ..... 29
Connections and Blacklist Snapshots ..... 29
Custom Backup Import for Demo Mode Installations ..... 29
Editing Logic Changes in the Policy Editor ..... 29
Element Import Enhancements ..... 29
Inspection Rule Configuration Reworked ..... 29
Integrated MIB Browsing Tool ..... 29
Log to Rule Links for Inspection and NAT Rules ..... 30
New Search Tools ..... 30
OCSP Support ..... 30
Save and Browse Logs as Zip Archives ..... 30
Simpler Alert Severity Scale ..... 30
Statistics-Based Alerts ..... 30
Third-Party Device Monitoring Improvements ..... 30
VPN Troubleshooting Shortcuts ..... 30
Other Changes in Firewall/VPN 5.2 ..... 31
64-Bit Software Version ..... 31
Aggregated Network Links ..... 31
Concurrent Connection Rate Limits ..... 31
IPv6 Support on Single Firewalls ..... 31
IGMP Policy Routing ..... 31
Integrated DHCP Server on Clusters ..... 31
Rule Hit Counters for NAT Rules ..... 31
Other Changes in IPS 5.2 ..... 32
64-Bit Software Version ..... 32
DNS Protocol Enforcement ..... 32
Fingerprint Improvements ..... 32
Web Filtering ..... 32
Notes on Policy Editing Changes for Upgrading Users ..... 33
Notes on New Rule Table Editing Logic ..... 33
Notes on Inspection Rule Changes ..... 34

CHAPTER 3

Using the Management Client ..... 35
Overview to the Management Client ..... 36
Rearranging the General Layout ..... 40
Bookmarking Views ..... 41
Managing Bookmarks ..... 41
Creating New Bookmarks ..... 42
Creating New Bookmark Folders ..... 43
Adding Bookmarks to the Toolbar ..... 43
Changing the Startup View ..... 44
Using the Search Features ..... 44
Using Basic Element Search ..... 44
Searching for Element References ..... 46
Searching for Users ..... 46
Searching for Duplicate IP Addresses ..... 47
Using the DNS Search ..... 48
Creating Host Elements Based on DNS Queries ..... 48
Searching for Unused Elements ..... 49
Using Type-Ahead Search ..... 49
Saving as PDF or HTML ..... 50
PDF Output Settings ..... 50
Adding Style Templates For PDF Output ..... 51
Managing PDF Style Templates ..... 52
Sending Messages to Other Administrators ..... 52
Enabling/Disabling Administrator Messaging ..... 52
Sending Messages to Other Administrators ..... 53
Adding Custom Commands to Element Menus ..... 53
Creating a Tools Profile ..... 53
Attaching a Tools Profile to an Element ..... 54

CHAPTER 4

Setting up the System ..... 55
Getting Started with the Management Center ..... 56
Getting Started with the Firewall ..... 56
Getting Started with the IPS ..... 57

CHAPTER 5

Configuring System Communications ..... 59
Getting Started with System Communications ..... 60
Defining Locations ..... 61
Defining Contact IP Addresses ..... 62
Defining Engine Location ..... 62
Defining Contact Addresses for a Single Firewall or a Cluster Virtual IP Address ..... 63
Defining Contact Addresses for Node Dedicated IP Addresses ..... 65
Defining Contact Addresses for an IPS Engine ..... 66
Defining Server Contact Addresses ..... 67
Defining a Contact Address for External Security Gateway End-Point ..... 68
Selecting the Management Client Location ..... 69
Configuring Multi-Link System Communications ..... 70

CHAPTER 6
Managing Elements ..... 71
Using Categories ..... 72
Configuration Overview ..... 72
Creating New Categories ..... 72
Selecting Categories for Elements ..... 73
Activating Categories ..... 73
Filtering With Several Categories ..... 74
Importing, Exporting and Restoring Elements ..... 75
Exporting Elements ..... 75
Importing Elements ..... 76
Restoring Elements from Policy Snapshots ..... 78
Locking and Unlocking Elements ..... 79
Deleting Elements ..... 79

MONITORING

CHAPTER 7
Monitoring the System ..... 83
Getting Started with System Monitoring ..... 84
Monitoring the System Status ..... 84
Default Arrangement of System Status View ..... 85
System Summary ..... 86
Viewing System Status for a Selected Element ..... 86
Info Panel ..... 87
Commands for Monitoring Components ..... 87
Monitoring Tools in the Main Menu ..... 88
Reading Component Statuses ..... 88
Engine Hardware Malfunction Icons ..... 89
Replication Malfunction Icon ..... 89
Element Status Colors ..... 89
Node Status Colors ..... 90
NetLink Status Colors ..... 90
VPN Status Colors ..... 91
Connectivity Status Colors ..... 91
Creating Overviews ..... 92
Creating a New Overview ..... 93
Adding a New System Summary Section to an Overview ..... 93
Adding a New Statistics Section to an Overview ..... 93
Selecting Statistical Items ..... 95
Setting Thresholds for Monitored Items ..... 96
Monitoring Open Connections and Blacklists ..... 97
Checking Open Connections and Blacklists ..... 97
Saving Blacklist and Connections Snapshots ..... 99
Exporting Blacklist and Connections Snapshots ..... 100
Opening Blacklist and Connections Snapshots ..... 100
Comparing Blacklist and Connections Snapshots ..... 101
Monitoring Connections on a Map ..... 103
Defining a New Geolocation ..... 104
Setting a Geolocation for an Element in the System Status View ..... 105
Monitoring Configurations and Policies ..... 105
Monitoring Administrator Actions ..... 105
Monitoring Task Execution ..... 106
Checking Maintenance Contract Information ..... 107
Enabling Automatic Maintenance Contract Checking ..... 107
Viewing Maintenance Contract Information ..... 107
Viewing Maintenance Contract Information for SOHO Firewalls ..... 108
Fetching Maintenance Contract Information ..... 108
Checking When Internal Certificates or Internal CAs Expire ..... 108

CHAPTER 8
Monitoring Third-Party Devices ..... 111
Getting Started with Third-Party Device Monitoring ..... 112
Configuration Overview ..... 112
Receiving Logs From External Devices ..... 113
Creating a Logging Profile Element ..... 114
Defining Ordered Field Logging Patterns ..... 115
Defining Key-Value Pair Logging Patterns ..... 116
Defining Field Resolvers ..... 117
Defining a Field Resolver for Multiple Values ..... 118
Defining a Field Resolver for Date and Time ..... 118
Validating a Logging Profile ..... 118
Monitoring the Status of Third-Party Devices ..... 119
Importing MIBs ..... 120
Creating a Probing Profile ..... 121
Activating Monitoring of a Third-Party Device ..... 123
Configuring a Third-Party Device for Monitoring ..... 124
Changing the Ports for Third-Party Device Monitoring ..... 124
Activating/Deactivating Third-Party Status Monitoring Alerts ..... 125

CHAPTER 9

Browsing Logged Data ..... 127
Getting Started with the Logs View ..... 128
Overview ..... 128
Opening the Logs View ..... 128
Default (Records) Arrangement, Panels, and Tools ..... 128
Details Arrangement ..... 131
Statistics Arrangement ..... 132
Browsing Log Data ..... 133
Viewing Log Entry Details in the Side Panel ..... 133
Filtering Logs in the Logs View ..... 134
Specifying Filters for a Query ..... 134
Viewing Logs From Specific Components ..... 136
Viewing Logs From Specific Servers and Archive Folders ..... 136
Browsing Log Entries on a Timeline ..... 137
Viewing Temporary Log Entries ..... 137
Sorting Log Entries ..... 138
Checking WHOIS Records for IP Addresses in Logs ..... 138
Changing How Data Entries Are Displayed ..... 139
Increasing and Decreasing Text Size in Data Entries ..... 139
Changing the Time Zone for Log Browsing ..... 139
Changing Data Columns in the Log Entry Table ..... 139
Resolving Log Details to DNS Names or StoneGate Elements ..... 140
Deactivating/Activating Log Entry Highlighting ..... 141
Exporting Data from the Logs View ..... 141
Exporting Extracts of Log Data ..... 141
Exporting IPS Traffic Recordings ..... 142
Attaching Logs to Incident Cases ..... 143
Creating Rules From Logs ..... 143

CHAPTER 10
Reports ..... 145
Getting Started with Reports ..... 146
Configuration Overview ..... 147
Creating and Editing Report Designs ..... 148
Creating a New Report Design ..... 148
Adding Sections to a Report Design ..... 150
Adding Items to a Report Section ..... 151
Generating and Viewing Reports ..... 151
Generating a Report ..... 152
Defining the Report Task ..... 153
Selecting Data Sources ..... 154
Cancelling Ongoing Report Tasks ..... 155
Viewing Reports ..... 155
Exporting Reports ..... 156
Exporting a Report as Tab-delimited Text File ..... 156
Exporting a Report as a PDF File ..... 156
Printing a Generated Report to PDF ..... 156
E-Mailing Reports ..... 157
Creating a System Audit Report ..... 157

CHAPTER 11
Filtering Data ..... 159
Getting Started with Filtering Data ..... 160
Defining Filter Elements ..... 160
Basics of Constructing Data Filters ..... 161
Creating a Filter Element ..... 162
Adding and Modifying Filtering Criteria in Filters ..... 163
Removing Filtering Criteria from Filters ..... 164
Organizing Filter Elements ..... 164
Creating New Filter Tags ..... 164
Changing the Tag of a Filter ..... 165
Applying Filters ..... 165

CHAPTER 12
Diagrams ..... 167
Getting Started with Diagrams ..... 168
Configuration Overview ..... 168
Creating Diagrams ..... 169
Defining the Diagram Background ..... 169
Adding Elements to Diagrams ..... 170
Inserting New Elements Manually ..... 171
Creating Diagrams from Configured Elements ..... 171
Adding Text Comments to a Diagram ..... 172
Arranging Elements in Diagrams ..... 172
Connecting Elements in Diagrams ..... 173
Connecting Elements Automatically ..... 173
Connecting Elements Manually ..... 173
Creating Links Between Diagrams ..... 174
Specifying a Parent Diagram ..... 174
Creating Links from One Diagram to Another ..... 174
Viewing Diagrams ..... 175
Adjusting the Element Details in Diagrams ..... 175
Collapsing and Expanding Groups of Elements in Diagrams ..... 175
Zooming and Navigating Diagrams ..... 176
Printing Diagrams ..... 176
Exporting Diagrams as Images ..... 176

CHAPTER 13
Incident Cases ..... 177
Getting Started with Incident Cases ..... 178
Configuration Overview ..... 178
Creating a New Incident Case ..... 179
Setting an Incident Context ..... 179
Attaching Data to Incident Cases ..... 180
Attaching Logs and Audit Entries to Incident Cases ..... 180
Attaching Policy Snapshots to Incident Cases ..... 181
Attaching Memos to Incident Cases ..... 182
Attaching Files to Incident Cases ..... 182
Adding Players to Incident Cases ..... 183
Adding Journal Entries to Incident Cases ..... 183
Working With Existing Incident Cases ..... 184
Opening an Incident Case for Editing ..... 184
Changing the Priority of an Incident Case ..... 184
Changing the State of an Incident Case ..... 185
Checking Incident History ..... 185

CONTROLLING ENGINES

CHAPTER 14
Controlling Engine Operation ..... 189
Commanding Engines Remotely ..... 190
Turning Engines Online ..... 190
Turning Engines Offline ..... 191
Setting Nodes to Standby ..... 191
Rebooting Nodes ..... 191
Refreshing the Currently Installed Policy ..... 192
Commanding Engines Locally ..... 192
Setting Engine Options ..... 192
Enabling/Disabling Engine Status Monitoring ..... 192
Enabling/Disabling Firewall/VPN Diagnostics ..... 193
Disabling/Enabling User Database Replication ..... 193
Enabling/Disabling Status Surveillance ..... 193
Enabling/Disabling SSH Access to the Engine ..... 194
Changing the Engine Password ..... 194
Changing NetLink State Manually ..... 195
Disabling/Enabling Cluster Nodes ..... 195
Disabling Nodes of a Cluster Temporarily ..... 195
Re-Enabling Disabled Cluster Nodes ..... 196
Editing Engine Configurations ..... 196

CHAPTER 15
Stopping Traffic Manually ..... 197
Terminating Connections Manually ..... 198
Blacklisting Connections Manually ..... 198

CHAPTER 16
Working on the Engine Command Line ..... 201
Getting Started with the Engine Command Line ..... 202
Accessing the Engine Command Line ..... 202
Reconfiguring Basic Engine Settings ..... 203
Creating Engine Scripts ..... 204
Restoring a Previous Configuration Manually ..... 205

MANAGEMENT CENTER CONFIGURATION

CHAPTER 17

Automatic Updates and Engine Upgrades ..... 209
Getting Started with Automatic Updates and Engine Upgrades ..... 210
Configuring Automatic Updates and Engine Upgrades ..... 210


CHAPTER 18
Administrator Accounts ..... 213
Getting Started with Administrator Accounts ..... 214
Configuration Overview ..... 214
Defining Administrator Roles and Access Control Lists ..... 215
Defining Administrator Roles ..... 215
Defining Access Control Lists ..... 217
Defining Administrator Accounts ..... 218
Creating a New Administrator Element ..... 218
Defining Administrator Permissions ..... 219
Defining Rights for Restricted Administrator Accounts ..... 220
Restricting the Logs an Administrator Can View ..... 222
Customizing Log Colors ..... 222
Defining Password and Login Settings for Administrators ..... 223
Enabling Enforcement of Password Settings ..... 224
Defining Password Policy Settings ..... 225
Changing Administrator Passwords ..... 226
Authenticating Administrators Using RADIUS ..... 226
Deleting Administrator Accounts ..... 227

CHAPTER 19

Alert Escalation ..... 229
Getting Started with Alert Escalation ..... 230
Configuration Overview ..... 230
Creating Alerts ..... 231
Defining Custom Alerts ..... 231
Defining What Triggers an Alert ..... 232
Defining Alert Chains ..... 233
Defining Alert Channels ..... 233
Creating New Alert Chains ..... 234
Modifying Existing Alert Chains ..... 235
Editing Alert Chains ..... 235
Defining the Final Action of an Alert Chain ..... 237
Defining Alert Policies ..... 238
Creating New Alert Policies ..... 238
Modifying Existing Alert Policies ..... 239
Editing Alert Policy Rules ..... 239
Installing Alert Policies ..... 240
Acknowledging Alerts ..... 240
Acknowledging Individual Alerts ..... 241
Acknowledging All Active Alerts ..... 241
Using Custom Scripts for Alert Escalation ..... 242
Setting up a Dedicated Alert Server ..... 243
Testing Alerts ..... 244

CHAPTER 20
Domains ..... 245
Getting Started with Domains ..... 246
Configuration Overview ..... 246
Creating Domains ..... 247
Defining a Domain Logo ..... 248
Logging in to a Domain ..... 249
Logging out of a Domain ..... 250
Deleting Domains ..... 250
Moving Elements Between Domains ..... 250
Using the Domain Overview ..... 252

CHAPTER 21
Setting up the Web Portal ..... 255
Getting Started with Web Portal Access ..... 256
Configuration Overview ..... 256
Defining Web Portal Server Settings ..... 257
Activating HTTPS on the Web Portal Server ..... 258
Allowing Web Portal Connections ..... 259
Defining Web Portal User Accounts ..... 260
Granting Engines to a Web Portal User ..... 261
Selecting Policy Permissions for a Web Portal User ..... 262
Selecting Log Browsing Permissions for a Web Portal User ..... 263
Selecting Report Data Permissions for a Web Portal User ..... 264
Customizing the Web Portal ..... 264
Adding a New Web Portal Language ..... 264
Importing a Web Portal Language File through the Management Client ..... 264
Importing a Web Portal Language File on the Command Line ..... 265
Enabling/Disabling a Web Portal Localization ..... 265
Customizing the Look of the Web Portal ..... 266
Writing Announcements to Web Portal Users ..... 266

CHAPTER 22
Distributing Management Clients Through Web Start ..... 269
Getting Started with Web Start Distribution ..... 270
Configuration Overview ..... 270
Activating Web Start on Management Server ..... 271
Distributing Web Start from External Servers ..... 272
Accessing the Web Start Clients ..... 273


CHAPTER 23
Log Server Configuration ..... 275
Defining a Log Server ..... 276
Defining a Log Server Element ..... 276
Selecting Secondary Log Servers ..... 277
Certifying the Log Server ..... 278
Configuring an Alert Server ..... 278
Changing Log Server Configuration Parameters ..... 279
Exporting Log Data to Syslog ..... 282
Defining General Syslog Settings ..... 282
Exporting Log Filters for Syslog Sending ..... 284
Configuring Syslog Filter Settings ..... 285
Creating a Rule Allowing Traffic to the Syslog Server ..... 285

CHAPTER 24

Secondary SMC Server Configuration ..... 287
About Secondary SMC Servers ..... 288
Installing a Secondary Management Server ..... 288
Configuration Overview ..... 288
Defining a Secondary Management Server Element ..... 289
Installing a License for a Secondary Management Server ..... 290
Creating Access Rules for a Secondary Management Server ..... 291
Installing Secondary Management Server Software ..... 291
Installing a Secondary Log Server ..... 293
Configuration Overview ..... 293
Creating a Secondary Log Server Element ..... 293
Installing a License for a Secondary Log Server ..... 295
Setting a Log Server as a Secondary Log Server ..... 295
Creating Access Rules for a Secondary Log Server ..... 296
Installing Secondary Log Server Software ..... 296
Changing the Active Management Server ..... 297
Disabling and Enabling Automatic Database Replication ..... 298
Synchronizing Management Databases Manually ..... 298
Restoring a Backup Taken from a Different Management Server ..... 299

CHAPTER 25
Reconfiguring the Management Center ..... 301
Modifying a Management Server Element ..... 302
Changing the Management Database Password ..... 303
Changing the Management Platform ..... 304
Changing IP Addressing ..... 304
Changing the Management Server's IP Address ..... 304
Changing the Log Server's IP Address ..... 305
Changing IP Addresses of Combined Management/Log Servers ..... 306
If Configuration Changes Prevent Managing the Engines ..... 307

ENGINE ELEMENT CONFIGURATION

CHAPTER 26
Creating and Modifying Engine Elements ..... 311
Getting Started with Engine Elements ..... 312
Configuration Overview ..... 312
Creating New Engine Elements ..... 313
Creating a New Single Firewall Element ..... 313
Creating a New Firewall Cluster Element ..... 314
Creating One New SOHO Firewall Element ..... 315
Creating Multiple New SOHO Firewall Elements ..... 316
Creating a New Analyzer Element ..... 318
Creating a New Single Sensor Element ..... 319
Creating a New Sensor Cluster Element ..... 320
Creating a New Combined Sensor-Analyzer Element ..... 321
Creating a New SSL VPN Gateway Element ..... 322
Duplicating an Existing Engine Element ..... 323
Modifying Existing Engine Elements ..... 323
Modifying the Properties of One Engine Element ..... 324
Modifying Properties of Several Engines at Once ..... 324
Converting a Single Firewall to a Firewall Cluster ..... 325
Preparing for Conversion to a Firewall Cluster ..... 326
Converting a Single Firewall Element to a Firewall Cluster ..... 326
Activating the Clustered Configuration After Conversion ..... 329
Converting a Single Sensor to a Sensor Cluster ..... 329
Adding a Node to a Firewall or Sensor Cluster ..... 330
Changing an Engine's Control IP Address ..... 331
Changing an Engine's Control Address ..... 331
Changing a Firewall's Control Address to a Different Network ..... 332
Editing Single Firewall Properties ..... 333
Editing Firewall Cluster Properties ..... 334
Editing SOHO Firewall Properties ..... 335
Editing Analyzer Properties ..... 336
Editing Single Sensor Properties ..... 337
Editing Sensor Cluster Properties ..... 338
Editing Combined Sensor-Analyzer Properties ..... 339
About Engine Time Synchronization ..... 340

CHAPTER 27
Network Interface Configuration ..... 341
Getting Started with Interface Configuration ..... 342
Configuration Overview ..... 342
Firewall Interface Configuration ..... 343
Defining Physical Interfaces for Firewall Engines ..... 344
Adding VLAN Interfaces for Firewall Engines ..... 346
Adding ADSL Interfaces for Single Firewalls ..... 348
Configuring Advanced Interface Properties for Firewalls ..... 349
Configuring Single Firewall IP Addresses ..... 351
Adding an IPv4 Address for a Single Firewall ..... 352
Configuring VRRP Settings for Single Firewalls ..... 353
Configuring PPPoE Settings for Single Firewalls ..... 354
Adding an IPv6 Address for a Single Firewall ..... 355
Configuring Firewall Cluster IP Addresses ..... 356
Adding IPv4 Addresses for a Firewall Cluster ..... 357
Defining Modem Interfaces for Single Firewalls ..... 358
Changing/Removing the PIN Code of a Modem Interface ..... 360
Setting Firewall Interface Options ..... 361
About Using a Dynamic IP Address on a Firewall Interface ..... 362
Changing ISP Settings for ADSL Interface ..... 363
SOHO Firewall Interface Configuration ..... 364
Selecting SOHO Firewall Interface Types ..... 364
Defining External Interfaces for SOHO Firewalls ..... 366
Defining Ethernet External Interface Properties on SOHO Firewalls ..... 366
Defining ADSL or PPPoE Interface Properties on SOHO Firewalls ..... 367
Defining Advanced ADSL Settings for SOHO Firewalls ..... 368
Defining Corporate Interfaces for SOHO Firewalls ..... 370
Defining Guest Interfaces for SOHO Firewalls ..... 372

Defining Wireless Settings for SOHO Firewalls 373 Defining Wireless Security Settings for SOHO Firewalls . . . . . . . . . . . . . . . . . . . . . 374 Defining Wireless Channel Settings for SOHO Firewalls . . . . . . . . . . . . . . . . . . . . . 375 Completing the SOHO Firewall Configuration . 376 Completing the Create Multiple SOHO Firewalls Wizard . . . . . . . . . . . . . . . . . . . . . 376 Sensor and Analyzer Interface Configuration. . . 377 Defining System Communication Interfaces for IPS Engines . . . . . . . . . . . . . . . . . . . . . . . . . 378 Defining Traffic Inspection Interfaces for Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 Defining Logical Interfaces for Sensors . . . . 380 Defining Reset Interfaces for Sensors . . . . . 381 Defining Capture Interfaces for Sensors . . . 381 Defining Inline Interfaces for Sensors . . . . . 383 Adding VLAN Interfaces for Sensors . . . . . . 384 Setting Interface Options for IPS Engines. . . . 385 Configuring Manual ARP Settings . . . . . . . . . . 387 Activating the Internal DHCP Server on a Firewall Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388CHAPTER 28

Connecting Engines to the StoneGate Management Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Getting Started with Connecting Engines to the SMC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Configuration Overview . . . . . . . . . . . . . . . . 392 Saving an Initial Configuration for Firewall or IPS Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating One-Time Passwords . . . . . . . . . . . . Saving Initial Configuration Details . . . . . . . . Saving an Initial Configuration for SOHO Firewall Engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connecting SSL VPN Gateways to the SMC . . .CHAPTER 29

393 393 394 395 396

Configuring the Engine Tester . . . . . . . . . . . . . 397 Getting Started with the Engine Tester . . . . . . . 398 Configuration Overview . . . . . . . . . . . . . . . . . 398 Specifying Global Engine Tester Settings . . . . . Adding Engine Tests . . . . . . . . . . . . . . . . . . . . Configuring Additional Test-Specific Settings . Additional Settings for the External Test . . . Additional Settings for the File System Space Test . . . . . . . . . . . . . . . . . . . . . . . . Additional Settings for the Free Swap Space Test . . . . . . . . . . . . . . . . . . . . . . . . Additional Settings for the Link Status Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Additional Settings for the Multiping Test. . .Table of Contents

399 400 402 402 403 403 403 404 9

Checking Configured Tests . . . . . . . . . . . . . . . Removing Engine Tests . . . . . . . . . . . . . . . . . . Disabling/Enabling Configured Engine Tests . . . Disabling/Enabling Individual Engine Tests . . . Disabling/Enabling All Custom Engine Tests . .CHAPTER 30

404 405 406 406 406

R OUTINGCHAPTER 34

Configuring Routing . . . . . . . . . . . . . . . . . . . . 439 Getting Started with Routing . . . . . . . . . . . . . . 440 Configuration Overview . . . . . . . . . . . . . . . . . 440 Adding Routes for Firewalls . . . . . . . . . . . . . . . Defining a Single-Link Route for a Firewall . . . Defining a Multi-Link Route for a Firewall . . . . Creating NetLinks . . . . . . . . . . . . . . . . . . . Adding a Multi-Link Route . . . . . . . . . . . . . . Routing DHCP Messages . . . . . . . . . . . . . . . Defining a DHCP Server . . . . . . . . . . . . . . . Enabling DHCP Relay . . . . . . . . . . . . . . . . . Activating the DHCP Relay Sub-policy. . . . . . Routing Multicast Traffic . . . . . . . . . . . . . . . . Defining Static Multicast . . . . . . . . . . . . . . Defining IGMP-Based Multicast Forwarding. . Defining Policy Routing . . . . . . . . . . . . . . . . . Adding Routes for IPS Components . . . . . . . . . Removing Routes . . . . . . . . . . . . . . . . . . . . . . Modifying Antispoofing for Firewalls . . . . . . . . . Deactivating Antispoofing for an IP Address/ Interface Pair . . . . . . . . . . . . . . . . . . . . . . . . Activating Antispoofing for Routable IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . Checking Routes . . . . . . . . . . . . . . . . . . . . . .CHAPTER 35

Engine Permissions . . . . . . . . . . . . . . . . . . . . . 407 Getting Started with Engine Permissions . . . . . 408 Configuration Overview . . . . . . . . . . . . . . . . . 408 Defining an Engines Administrator Permissions 408 Selecting Permitted Policies for an Engine . . . . 409CHAPTER 31

Alias Translations for Engines . . . . . . . . . . . . . 411 Getting Started with Alias Translations . . . . . . . Defining Alias Translation Values . . . . . . . . . . . Adding Alias Translation Values . . . . . . . . . . . Removing Alias Translation Values . . . . . . . . .CHAPTER 32

412 412 413 413

Advanced Engine Settings . . . . . . . . . . . . . . . . 415 Getting Started with Advanced Engine Settings . Adjusting Firewall System Parameters . . . . . . . Adjusting Firewall Traffic Handling Parameters. . Adjusting Firewall Clustering Options . . . . . . . . Adjusting General Clustering Options . . . . . . . Tuning the Firewall Load Balancing Filter. . . . . Manually Tuning the Load Balancing Filter . . Adding Load Balancing Filter Entries . . . . . . Adjusting Single Firewalls Contact Policy . . . . . Configuring Anti-Virus Settings . . . . . . . . . . . . . Configuring Default SYN Flood Protection for a Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Log Handling Settings . . . . . . . . . . Adjusting Sensor-Analyzer Advanced Settings . . Adjusting Analyzer Advanced Settings. . . . . . . . Adjusting Sensor Advanced Settings . . . . . . . . Adjusting Sensor Clustering Options . . . . . . . Adjusting SOHO Firewall Management Connection. . . . . . . . . . . . . . . . . . . . . . . . . . .CHAPTER 33

416 416 418 419 419 421 421 422 423 424 425 426 427 427 428 429 430

441 441 442 443 444 445 446 447 447 447 448 449 451 453 454 454 455 456 456

Outbound Traffic Management . . . . . . . . . . . . 459 Getting Started with Outbound Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . 460 Configuration Overview . . . . . . . . . . . . . . . . . 461 Configuring Outbound Multi-Link Settings . . . . . Creating an Outbound Multi-Link Element. . . . Selecting NetLinks for an Outbound Multi-Link Defining Destination Cache Settings . . . . . . . Creating Outbound Load Balancing NAT Rules . Monitoring And Testing Outbound Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . .CHAPTER 36

461 462 463 464 465 466

Setting up SNMP for Engines. . . . . . . . . . . . . . 431 Getting Started with SNMP Configuration . . . . . Configuring SNMP Version 1 or 2c . . . . . . . . . . Configuring SNMP Version 3 . . . . . . . . . . . . . . Configuring What Triggers SNMP Traps . . . . . . . Activating the SNMP Agent on Engines . . . . . . . 432 432 433 434 435

Inbound Traffic Management. . . . . . . . . . . . . . 467 Getting Started with Inbound Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . 468 Configuration Overview . . . . . . . . . . . . . . . . . 469 Defining a Server Pool . . . . . . . . . . . . . . . . . . 469 Creating a New Server Pool Element . . . . . . . 469 Defining Server Pools External Address(es) . . 470

10

Table of Contents

Adding Server Pool Members. . . . . . . . . . . . . Installing Monitoring Agents . . . . . . . . . . . . . . Uninstalling Monitoring Agents. . . . . . . . . . . . . Configuring Monitoring Agents . . . . . . . . . . . . . Editing sgagent.local.conf . . . . . . . . . . . . . . . Editing sgagent.conf . . . . . . . . . . . . . . . . . . . Editing the sgagent.conf Statement Section . Options in the sgagent.conf Statement Section . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring Agent Statement Configuration Examples. . . . . . . . . . . . . . . . . . . . . . . . . . Editing the sgagent.conf Test Section . . . . . Monitoring Agent Test Configuration Examples. . . . . . . . . . . . . . . . . . . . . . . . . . Editing Monitoring Agents Internal Tests . . . Monitoring Agent Internal Test Examples . . . Enabling Monitoring Agents . . . . . . . . . . . . . . . Entering the Server Pools IP Addresses on Your DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Access Rules for Inbound Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Dynamic DNS Updates. . . . . . . . . . Configuration Overview . . . . . . . . . . . . . . . . . Improving DDNS Security. . . . . . . . . . . . . . . . Defining an External DNS Server . . . . . . . . . . Defining the Dynamic DNS Update Information Defining a Dynamic DNS Rule . . . . . . . . . . . . Monitoring and Testing Monitoring Agents. . . . .

471 472 473 474 474 475 476 477 478 480 482 483 485 488 488 489 490 490 490 491 492 493 493

Moving the Policy Under a Different Template . . 506 Deleting Policies, Templates, and Sub-Policies . 507CHAPTER 38

Editing Policies . . . . . . . . . . . . . . . . . . . . . . . . 509 Getting Started with Editing the Rules in Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the Policy Editing View. . . . . . . . . . . . . . Editing Rule Tables. . . . . . . . . . . . . . . . . . . . Editing Rule Cells. . . . . . . . . . . . . . . . . . . . . Adding Comments in Policies . . . . . . . . . . . . Reading Rule Identifiers . . . . . . . . . . . . . . . . Searching in Rules . . . . . . . . . . . . . . . . . . . . Finding Unused Rules in Firewall Policies (Hit Counters) . . . . . . . . . . . . . . . . . . . . . . . . . . Adding Insert Points in Policy Templates . . . . . Editing Ethernet Rules . . . . . . . . . . . . . . . . . . Defining Logging Options for Ethernet Rules. . Defining a MAC Address for Ethernet Rules . . Editing Access Rules . . . . . . . . . . . . . . . . . . . Defining What Traffic an Access Rule Matches . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining What Action an Access Rule Takes . . Defining Access Rule Action Options . . . . . . . Defining Apply Blacklist Action Options . . . Defining Jump Action Options . . . . . . . . . Defining Firewall Allow Action Options. . . . Defining Firewall Continue Action Options in Access Rules . . . . . . . . . . . . . . . . . . . . . Defining Firewall Use VPN Action Options . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining IPS Allow Action Options. . . . . . . Defining IPS Continue Action Options in Access Rules. . . . . . . . . . . . . . . . . . . . . . . Defining IPS Discard Action Options . . . . . Defining IPS Refuse Action Options . . . . . Defining Access Rule Logging Options . . . . . . Defining Access Rule Authentication Options . Editing Inspection Rules . . . . . . . . . . . . . . . . . Modifying the Inspection Rules Tree . . . . . . . Changing Inspection Rules Tree Settings . . . Defining Logging Options for Inspection Rules . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . Adding Situations to the Rules Tree. . . . . . . Removing Overrides From the Rules Tree. . . Adding Exceptions to Inspection Rules. . . . . . Defining What Traffic an Inspection Exception Rule Matches . . . . . . . . . . . . . . . 510 511 512 512 513 513 514 515 516 516 517 518 518 519 521 522 522 522 523 526 526 527 527 528 528 528 530 531 531 532 533 534 535 535 536

T RAFFIC I NSPECTION P OLICIESCHAPTER 37

Creating and Managing Policy Elements . . . . . . 497 Getting Started with Policies . . . . . . . . . . . . . . 498 Configuration Overview . . . . . . . . . . . . . . . . . 498 Creating a New Template Policy or a Policy . . . . Creating a New Sub-Policy . . . . . . . . . . . . . . . . Creating a New Empty Sub-Policy . . . . . . . . . . Converting Existing Rules into a Sub-Policy . . . Installing Policies . . . . . . . . . . . . . . . . . . . . . . Tracking Policy Changes . . . . . . . . . . . . . . . . . Checking the Currently Installed Policy . . . . . . Previewing the Currently Installed Policy . . . . . Checking and Comparing Policy Versions . . . . Viewing Policy Snapshots . . . . . . . . . . . . . . Comparing Two Policy Snapshots. . . . . . . . . Checking for Untransferred Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 500 500 500 501 504 504 504 504 505 505 506

Table of Contents

11

Defining What Action an Inspection Exception Rule Takes . . . . . . . . . . . . . . . . . Defining Firewall Continue Action Options in Inspection Exceptions . . . . . . . . . . . . . . . Defining Firewall Permit Action Options . . . Defining Firewall Terminate Action Options . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining IPS Continue Action Options in Inspection Exceptions . . . . . . . . . . . . . . . . . Defining IPS Permit Action Options in Inspection Exceptions . . . . . . . . . . . . . . . . . Defining IPS Terminate Action Options . . . Defining Logging Options for Inspection Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . Editing NAT Rules . . . . . . . . . . . . . . . . . . . . . . Adding a NAT Rule . . . . . . . . . . . . . . . . . . . . Defining What Traffic a NAT Rule Matches. . . . Overwriting the Source Address in Packets . . . Defining Static Source Translation Options . . Defining Dynamic Source Translation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . Overwriting the Destination Address in Packets NAT Rule Examples. . . . . . . . . . . . . . . . . . . . Example of a Static Source Translation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example of a Dynamic Source Translation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example of a Destination Translation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example of a Combined Source And Destination Translation Rule . . . . . . . . . . . . Limiting the Time when a Rule Is Active . . . . . . Validating Rules Automatically . . . . . . . . . . . . . Overriding Default Validation Options for Rules Selecting Rule Validation Settings . . . . . . . . . Viewing Policy Validation Issues. . . . . . . . . . . Disabling a Validation Warning for a Rule . . . . Excluding Rules from Policy Validation . . . . . . Adding Comments to Policies . . . . . . . . . . . . . Changing Default Rules. . . . . . . . . . . . . . . . . 
.CHAPTER 39

537 538 538 539 541 541 542 543 545 546 546 547 548 549 550 551 551 552 553 554 555 556 557 558 558 559 559 560 560

Defining Network Elements . . . . . . . . . . . . . . 569 Defining Router Elements . . . . . . . . . . . . . . . 570 Using Feature-Specific Elements in Policies . . . 571CHAPTER 40

Defining Network Services. . . . . . . . . . . . . . . . 573 Getting Started with Services . . . . . . . . . . . . . 574 Configuration Overview . . . . . . . . . . . . . . . . . 574 Defining Services . . . . . . . . . . . . . . . . . . . . . . Defining a New IP-Based Service . . . . . . . . . . Defining a New Ethernet Service . . . . . . . . . . Grouping Services . . . . . . . . . . . . . . . . . . . . Using Protocol Elements. . . . . . . . . . . . . . . . . Defining Protocol Parameters . . . . . . . . . . . . . Defining DNS Protocol Parameters . . . . . . . . Defining FTP Protocol Parameters . . . . . . . . . Defining GRE Protocol Parameters. . . . . . . . . Defining H323 Protocol Parameters. . . . . . . . Defining HTTP/HTTPS Protocol Parameters . . Defining IPv4 Encapsulation Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . Defining IPv6 Encapsulation Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . Defining MSRPC Protocol Parameters . . . . . . Defining NetBIOS Protocol Parameters. . . . . . Defining Oracle Protocol Parameters . . . . . . . Defining Shell (RSH) Protocol Parameters . . . Defining SIP Protocol Parameters . . . . . . . . . Defining SMTP Protocol Parameters . . . . . . . Defining SSH Protocol Parameters . . . . . . . . Defining SunRPC Protocol Options. . . . . . . . . Defining TCP Proxy Protocol Parameters. . . . . Defining TFTP Protocol Parameters . . . . . . . .CHAPTER 41

575 575 577 578 579 579 580 580 582 582 583 584 585 585 586 587 588 589 590 590 591 592 593

Defining Situations . . . . . . . . . . . . . . . . . . . . . 595 Getting Started With Situations . . . . . . . . . . . . 596 Configuration Overview . . . . . . . . . . . . . . . . . 597 Creating New Situation Elements . . . . . . . . . . Defining Context Options for Situations . . . . . . Defining HTTP URL Filter Options. . . . . . . . . . Defining Port/Host Scan Detection Options . . Defining Context Options for Correlation Situations . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Compress Contexts . . . . . . . . . . Configuring Count Contexts. . . . . . . . . . . . . . Configuring Group Contexts . . . . . . . . . . . . . Configuring Match Contexts . . . . . . . . . . . . . 597 599 600 600 602 603 604 604 605

Defining IP Addresses . . . . . . . . . . . . . . . . . . . 561 Getting Started with Defining IP Addresses . . . . Defining IP Addresses as Elements . . . . . . . . . Defining Address Range Elements . . . . . . . . . Defining Alias Elements . . . . . . . . . . . . . . . . Defining Expression Elements . . . . . . . . . . . . Defining Group Elements. . . . . . . . . . . . . . . . Defining Host Elements. . . . . . . . . . . . . . . . . 562 563 563 564 565 567 568

12

Table of Contents

Configuring Sequence Contexts . . . . . . . . . . . Defining Tags for Situations . . . . . . . . . . . . . . . Creating a New Tag . . . . . . . . . . . . . . . . . . . . Adding Tags to One Situation at a Time . . . . . Adding Tags to Several Situations at Once . . . Removing Tags from Situations . . . . . . . . . . . Working With Vulnerabilities. . . . . . . . . . . . . . . Creating New Vulnerability Elements . . . . . . . Associating Vulnerabilities With Situations . . .CHAPTER 42

606 607 607 607 608 608 609 609 610

Defining User Responses . . . . . . . . . . . . . . . . . 611 Getting Started with User Responses. . . . . . . . 612 Configuration Overview . . . . . . . . . . . . . . . . . 612 Creating User Responses . . . . . . . . . . . . . . . . 612 Defining User Response Entries. . . . . . . . . . . . 613CHAPTER 43

Quality of Service (QoS) . . . . . . . . . . . . . . . . . . 615 Getting Started with QoS. . . . . . . . . . . . . . . . . 616 Configuration Overview . . . . . . . . . . . . . . . . . 617 Creating QoS Classes . . . . . . . . . . . . . . . . . . . Defining QoS Policies . . . . . . . . . . . . . . . . . . . Creating New QoS Policies . . . . . . . . . . . . . . Editing QoS Rules. . . . . . . . . . . . . . . . . . . . . Matching QoS Rules to Network Traffic . . . . . . . Defining Interfaces Speed and QoS Policy . . . .CHAPTER 44

Defining User Accounts for Authentication . . . . Defining User Groups . . . . . . . . . . . . . . . . . . Defining Users. . . . . . . . . . . . . . . . . . . . . . . Defining Authentication Rules . . . . . . . . . . . . . Managing User Information . . . . . . . . . . . . . . . Adding/Removing Users From User Groups . . Importing and Exporting User Information . . . Importing Users from an LDIF File . . . . . . . . Exporting Users to an LDIF File . . . . . . . . . . Changing Users Passwords . . . . . . . . . . . . . Clearing Users Authentication Settings . . . . . Resetting the Firewalls Local User Database. Setting User Database Replication to Firewalls on or off . . . . . . . . . . . . . . . . . . . . . . . . . . . Authenticating to a StoneGate Firewall. . . . . . . Customizing the User Authentication Dialog . . . Monitoring and Testing User Authentication . . .CHAPTER 45

637 638 640 642 644 644 644 644 645 646 646 646 647 647 648 649

Filtering Web Addresses . . . . . . . . . . . . . . . . . 651 Getting Started with Web Filtering . . . . . . . . . . 652 Configuration Overview . . . . . . . . . . . . . . . . . 652 Blacklisting/Whitelisting Web URLs Manually . . 653 Creating Web Filtering Rules . . . . . . . . . . . . . . 654CHAPTER 46

617 618 618 619 620 621

Setting up HTTPS Inspection. . . . . . . . . . . . . . 655 Getting Started with HTTPS Inspection. . . . . . . 656 Configuration Overview . . . . . . . . . . . . . . . . . 657 Configuring Server Protection . . . . . . . . . . . . . 658 Configuring Client Protection . . . . . . . . . . . . . . 659 Creating Client Protection Certificate Authority Elements. . . . . . . . . . . . . . . . . . . . . . . . . . . 659 Importing a Private Key and Signing Certificate for HTTPS Client Protection. . . . . . 660 Generating a Private Key and Signing Certificate for HTTPS Client Protection. . . . . . 661 Exporting an HTTPS Client Protection Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . 662 Defining Trusted Certificate Authorities for HTTPS Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . 662 Creating Trusted Certificate Authority Elements 663 Importing a Trusted Certificate Authority Certificate for HTTPS Inspection . . . . . . . . . . 663 Configuring Certificate Revocation List Checks for HTTPS Inspection . . . . . . . . . . . . . . . . . . 664 Activating HTTPS Inspection on the Engine. . . . 665 Excluding Domains from HTTPS Inspection. . . . 666 Defining a Custom HTTPS Service . . . . . . . . . . 667

Setting up User Authentication . . . . . . . . . . . . 623 Getting Started with User Authentication . . . . . 624 Configuration Overview . . . . . . . . . . . . . . . . . 625 Integrating External LDAP Databases . . . . . . . . Configuring Schema Files on External LDAP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining an Active Directory Server Element . . Configuring the Active Directory Servers LDAP Settings . . . . . . . . . . . . . . . . . . . . . . Configuring Active Directory Servers Authentication Settings. . . . . . . . . . . . . . . . Defining a Generic LDAP Server Element . . . . Configuring the LDAP Servers User Services . . . . . . . . . . . . . . . . . . . . . . . . . . Adding Object Classes for the LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining LDAP Domains . . . . . . . . . . . . . . . . Integrating External Authentication Services . . . Defining an Authentication Server . . . . . . . . . Defining an Authentication Service. . . . . . . . . 626 627 627 628 629 629 631 632 633 634 635 637

Table of Contents

13

Creating Access Rules for HTTPS Inspection . . . 668CHAPTER 47

External Content Inspection. . . . . . . . . . . . . . . 669 Getting Started with External Content Inspection 670 Configuration Overview . . . . . . . . . . . . . . . . . 670 Defining a Content Inspection Server Element . Defining a Service for CIS Redirection . . . . . . . Creating a Service for CIS Redirection . . . . . . Defining Protocol Parameters for CIS Redirection . . . . . . . . . . . . . . . . . . . . . . . . . Defining Access Rules for CIS Redirection . . . . Defining NAT Rules for CIS Redirection . . . . . . .CHAPTER 48

671 672 672 673 674 675

Blacklisting Traffic . . . . . . . . . . . . . . . . . . . . . 677 Getting Started with Blacklisting . . . . . . . . . . . 678 Configuration Overview . . . . . . . . . . . . . . . . . 679 Enabling Blacklist Enforcement . . . . . . . . . . . . Configuring Automatic Blacklisting . . . . . . . . . . Defining Destination Interfaces for Automatic Blacklisting . . . . . . . . . . . . . . . . . . . . . . . . . Defining Which Traffic is Blacklisted Automatically . . . . . . . . . . . . . . . . . . . . . . . . Adding a Rule for Blacklisting . . . . . . . . . . . Defining Blacklisting Rule Action Options . . . Blacklisting Traffic Manually. . . . . . . . . . . . . . . 680 681 681 682 682 683 684

Managing VPN Client Addresses in Configuration 3 . . . . . . . . . . . . . . . . . . . . . . Creating Gateway Elements for Configuration 3 . . . . . . . . . . . . . . . . . . . . . . Adding VPN Client Settings for Configuration 3 . . . . . . . . . . . . . . . . . . . . . . Creating a VPN Element for Configuration 3 . . Creating Users for VPN Configuration 3 . . . . . Creating Rules for VPN Configuration 3 . . . . . Configuration 4: Basic VPN Hub . . . . . . . . . . . Creating Gateway Elements for VPN Configuration 4 . . . . . . . . . . . . . . . . . . . . . . Creating a VPN Element for VPN Configuration 4 . . . . . . . . . . . . . . . . . . . . . . Defining Site Properties for VPN Configuration 4 . . . . . . . . . . . . . . . . . . . . . . Creating Rules for VPN Configuration 4 . . . . .CHAPTER 50

701 702 703 705 706 707 709 709 710 711 712

Configuring IPsec VPNs . . . . . . . . . . . . . . . . . 715 Getting Started With IPsec VPNs . . . . . . . . . . . 716 Configuration Overview . . . . . . . . . . . . . . . . . 717 Configuring IPsec VPNs . . . . . . . . . . . . . . . . Defining Gateway Profiles . . . . . . . . . . . . . . . . Defining a Custom Gateway Profile . . . . . . . . Defining Security Gateways . . . . . . . . . . . . . . . Creating a New Security Gateway Element . . . Defining End-Points for Internal Security Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . Defining End-Points for External Security Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . Defining Trusted CAs for a Gateway . . . . . . . . Defining Gateway-Specific VPN Client Settings Defining Sites for VPN Gateways . . . . . . . . . . . Disabling/Re-Enabling Automatic VPN Site Management . . . . . . . . . . . . . . . . . . . . . . . . Adjusting Automatic VPN Site Management . . Adding a New VPN Site. . . . . . . . . . . . . . . . . Defining Protected Networks for VPN Sites. . . Adjusting VPN-Specific Site Settings . . . . . . . Disabling a VPN Site Temporarily in All VPNs . Removing a VPN Site Permanently from All VPNs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defining VPN Profiles . . . . . . . . . . . . . . . . . . . Creating a New VPN Profile . . . . . . . . . . . . . . Modifying an Existing VPN Profile. . . . . . . . . . Defining IKE (Phase 1) Settings for a VPN . . . Defining IPsec (Phase 2) Settings for a VPN. . Defining VPN Client Settings . . . . . . . . . . . . . 718 718 718 720 721 722 724 726 727 729 730 731 731 732 732 733 734 734 734 735 735 737 740

V IRTUAL P RIVATE N ETWORKSCHAPTER 49

Basic VPN Configurations . . . . . . . . . . . . . . . . 687 Getting Started With Basic VPN Configuration . . Configuration 1: Basic VPN Between StoneGate Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Gateway Elements for Configuration 1 Creating a VPN Element for Configuration 1 . . Creating Rules for VPN Configuration 1 . . . . . Configuration 2: Basic VPN With a Partner Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating an Internal Gateway Element for Configuration 2. . . . . . . . . . . . . . . . . . . . . . . Creating an External Gateway Element for Configuration 2. . . . . . . . . . . . . . . . . . . . . . . Defining a Site for External Gateway in Configuration 2. . . . . . . . . . . . . . . . . . . . . . . Creating a VPN Profile for Configuration 2. . . . Creating a VPN Element for Configuration 2 . . Creating Rules for Configuration 2 . . . . . . . . . Configuration 3: Basic VPN for Remote Clients . 14Table of Contents

688 688 689 690 691 692 693 694 695 696 698 700 701

Table of Contents

  Defining Trusted CAs for a VPN  742
  Defining a VPN Element  742
  Creating a New VPN Element  743
  Modifying an Existing VPN Element  744
  Defining VPN Topology  744
  Defining VPN Tunnel Settings  746
  Creating VPN Rules  748
  Creating Basic VPN Rules for Gateway Connections  749
  Creating Basic Rules for VPN Client Connections  750
  Creating Forwarding VPN Rules on Hub Gateways  751
  Preventing Other Access Rules from Matching VPN Traffic  752
  Creating NAT Rules for VPN Traffic  752
  Monitoring VPNs  753

CHAPTER 51  Managing VPN Certificates  755
  Getting Started With VPN Certificates  756
  Configuration Overview  756
  Defining a VPN Certificate Authority  757
  Creating and Signing VPN Certificates  759
  Creating a VPN Certificate or Certificate Request for an Internal Gateway  759
  Signing External Certificate Requests Internally  761
  Uploading VPN Certificates Manually  762
  Renewing VPN Certificates  763
  Exporting the Certificate of VPN Gateway or VPN CA  764
  Importing a VPN Gateway Certificate  765
  Checking When Gateway Certificates Expire  765
  Checking When an Internal VPN CA Expires  766

CHAPTER 52  Reconfiguring Existing VPNs  767
  Adding or Removing Tunnels Within a VPN  768
  Configuring NAT Settings for an Existing VPN  768
  Activating NAT Traversal  768
  Translating Addresses of VPN Communications Between Gateways  769
  Translating Addresses in Traffic Inside a VPN Tunnel  769
  Adding New Gateways to an Existing VPN  770
  Changing Gateway IP Addressing in an Existing VPN  770
  Giving VPN Access to Additional Hosts  771
  Routing Internet Traffic Through VPNs  771
  Forwarding All SOHO Corporate Traffic to the VPN  772
  Routing Traffic Between VPN Tunnels  772
  Renewing or Generating Pre-Shared Keys  773
  Generating a New Pre-Shared Key Automatically  773
  Configuring Pre-Shared Keys Manually  774
  Advanced VPN Tuning  774
  Defining a Custom Gateway Settings Element  774
  Adjusting General Gateway Settings  776
  Adjusting Negotiation Retry Settings  777
  Adjusting Certificate Cache Settings  778
  Adjusting Anti-Clogging Settings  778
  Assigning the Gateway Settings for a Firewall/VPN Engine  779

CHAPTER 53  VPN Client Settings  781
  Getting Started With VPN Client Settings  782
  List of VPN Client Settings in the Management Client  783
  Managing VPN Client IP Addresses  785
  Configuring NAT Pool for VPN Clients  786
  Configuring Virtual IP Addressing for VPN Clients  787
  Configuring the Gateway for Virtual IP Address Clients  787
  Allowing DHCP Relay in the Policy  789
  Exporting VPN Client Configuration to a File  789

MAINTENANCE AND UPGRADES

CHAPTER 54  Backing up and Restoring System Configurations  793
  Getting Started with Backups  794
  Configuration Overview  794
  Creating Backups  795
  Storing Backup Files  796
  Restoring Backups  796
  Restoring a Management Server Backup  797
  Restoring a Log Server Backup  797
  Recovering from a Hardware Failure  798

CHAPTER 55  Managing Log Data  799
  Getting Started with Log Data Management  800
  Configuration Overview  800
  Defining When Logs Are Generated  801
  Archiving Log Data  802
  Creating an Archive Log Task  802
  Selecting Log Data for Archiving  803
  Selecting Operation Settings for Archiving Log Data  804
  Deleting Log Data  805
  Creating a Delete Log Task  805
  Selecting Data for Deleting Logs  806
  Selecting Operation Settings for Deleting Logs  806
  Pruning Log Data  807
  Disabling Pruning Filters  808
  Exporting Log Data  809
  Creating an Export Log Task  809
  Selecting Data for Log Export  810
  Selecting Operation Settings for Log Export  811
  Viewing a History of Executed Log Tasks  812

CHAPTER 56  Managing and Scheduling Tasks  813
  Getting Started with Tasks  814
  Configuration Overview  814
  Task Types  815
  Creating New Task Definitions  817
  Creating Backup Tasks  817
  Creating Policy Refresh Tasks  818
  Creating Policy Upload Tasks  818
  Creating Remote Upgrade Tasks  819
  Creating SGInfo Tasks  820
  Scheduling Tasks  820
  Starting Tasks Manually  821
  Pausing the Scheduled Execution of a Task  821
  Cancelling a Task Schedule  821
  Stopping Task Execution  822

CHAPTER 57  Managing Licenses  823
  Getting Started with Licenses  824
  Generating New Licenses  826
  Upgrading Licenses Manually  827
  Changing License Binding Details  828
  Installing Licenses  828
  Installing a License for an Unlicensed Component  828
  Replacing the License of a Previously Licensed Component  829
  Checking If All Components Are Licensed  831
  Checking License Validity and State  831

CHAPTER 58  Upgrading the Management Center  833
  Getting Started with Upgrading the SMC  834
  Configuration Overview  835
  Obtaining the SMC Installation Files  835
  Upgrading Management Center Servers  836
  Default Installation Directories for SMC  837

CHAPTER 59  Upgrading the Engines  839
  Getting Started with Upgrading Engines  840
  Configuration Overview  840
  Obtaining Engine Upgrade Files  841
  Upgrading Engines Remotely  841

CHAPTER 60  Manual Dynamic Updates  845
  Getting Started with Manual Dynamic Updates  846
  Configuration Overview  846
  Importing an Update Package  846
  Activating an Update Package  847

TROUBLESHOOTING

CHAPTER 61  General Troubleshooting Tips  851
  If Your Problem Is Not Listed  852
  Tools For Further Troubleshooting  852

CHAPTER 62  Troubleshooting Accounts and Passwords  853
  Forgotten Passwords  854
  User Account Changes Have no Effect  854
  Creating an Emergency Administrator Account  855

CHAPTER 63  Troubleshooting Alerts, Errors, and Log Messages  857
  Alert Log Messages  858
  Certificate Authority Expired/Expiring Alerts  858
  Certificate Expired/Expiring Alerts  858
  Log Spool Filling  858
  Status Surveillance: Inoperative Security Engines  858
  System Alert  859
  Test Failed  859
  Throughput Based License Exceeded  859
  Log Messages  860
  Connection Closed/Reset by Client/Server  860
  Connection Removed During Connection Setup  860
  Connection State Might Be Too Large  860
  Connection Timeout...  861
  Incomplete Connection Closed  862
  NAT Balance: Remote Host Does Not Respond  862
  Not a Valid SYN packet  863
  Requested NAT Cannot Be Done  864
  Spoofed Packets  864
  IPsec VPN Log Messages  864
  Error Messages  864
  Command Failed/Connect Timed out  864
  PKIX Validation Failed  865
  Policy Installation Errors  865
  Unexpected Error  865

CHAPTER 64  Troubleshooting Certificates  867
  Understanding Certificate-Related Problems  868
  Replacing Expired/Missing Certificates  870
  Renewing SMC Server Certificates  870
  Renewing Engine Certificates  871
  Dealing with Expiring Certificate Authorities  872

CHAPTER 65  Troubleshooting Engine Operation  875
  Node Does not Go or Stay Online  876
  Error Commanding an Engine  876
  Errors with Heartbeat and Synchronization  877
  Problems Contacting the Management Server  877

CHAPTER 66  Troubleshooting Licensing  879
  Troubleshooting Licensing  880
  License Is Shown as Retained  880
  License Is Shown as Unassigned  881
  Throughput Based License Exceeded Alerts  881

CHAPTER 67  Troubleshooting Logging  883
  Problems With Viewing Logs  884
  Logs Are Filling up the Storage Space  884
  Log Server Does not Run  885

CHAPTER 68  Troubleshooting the Management Client  887
  Cannot View Online Help: Help File Not Found  888
  Some Options Are Disabled  888
  Slow Startup and Use  889
  Problems Logging In with the Management Client  889
  Problems with Layout and Views  890
  Problems With Viewing Statistics  890
  Problems with Status Monitoring  890
  Problems Installing Web Start on an External Server  891

CHAPTER 69  Troubleshooting NAT  893
  Troubleshooting NAT Errors  894
  NAT Is Not Applied Correctly  894
  NAT Is Applied When it Should Not Be  895

CHAPTER 70  Troubleshooting Policies  897
  Troubleshooting Firewall Policy Installation  898
  The Engine Performs a Roll-Back at Policy Installation  898
  The Management Server Contact to Nodes Times Out  898
  Policy Installation Fails for Some Other Reason  899
  Warning Automatic Proxy ARP Option Is Ignored  899
  Troubleshooting IPS Policy Installation  900
  Troubleshooting Rules  900
  Validating Rules  900
  Rule That Allows ANY Service Does Not Allow All Traffic  900
  Inspection Rules Produce False Positives  901
  How to Enable Passthrough for PPTP Traffic  901
  Traffic I Want to Allow Is Stopped by the Firewall  902
  Packets Are Dropped as Spoofed  903
  Unsupported Definitions in IPv6 Access Rules  903

CHAPTER 71  Troubleshooting Reporting  905
  Troubleshooting Reporting  906
  No Report is Generated at All  906
  Empty Report Sections or Incomplete Data  907

CHAPTER 72  Troubleshooting Upgrades  909
  Upgrade Fails Because of Running Services  910
  StoneGate will not be installed properly  910

CHAPTER 73  Troubleshooting VPNs  911
  Checking Automatic VPN Validation Results  912
  Reading VPN-related Logs  912
  VPN Certificate Issues  913
  Problems with Internal to External Gateway VPN  913
  Problems Connecting With a StoneGate VPN Client  914

APPENDICES

APPENDIX A  Command Line Tools  917
  Management Center Commands  918
  Engine Commands  926
  Server Pool Monitoring Agent Commands  931

APPENDIX B  Default Communication Ports  933
  Management Center Ports  934
  Firewall/VPN Engine Ports  936
  IPS Engine Ports  940

APPENDIX C  Predefined Aliases  943
  Pre-Defined User Aliases  944
  System Aliases  944

APPENDIX D  Regular Expression Syntax  947
  Syntax for StoneGate Regular Expressions  948
  Special Character Sequences  950
  Pattern-Matching Modifiers  951
  Bit Variable Extensions  952
  Variable Expression Evaluation  954
  Stream Operations  956
  Other Expressions  957
  System Variables  958
  Independent Subexpressions  959
  Parallel Matching Groups  960

APPENDIX E  SNMP Traps and MIBs  961

APPENDIX F  Schema Updates for External LDAP Servers  973

APPENDIX G  Log Fields  975
  Log Entry Fields  976
  Non-exportable Log Entry Fields  976
  Exportable Alert Log Entry Fields  980
  Exportable Alert Trace Log Entry Fields  980
  Exportable Audit Log Entry Fields  981
  Exportable Firewall Log Entry Fields  982
  Exportable IPS Log Entry Fields  984
  Exportable IPS Recording Log Entry Fields  996
  Exportable SSL VPN Log Entry Fields  997
  Facility Field Values  997
  Type Field Values  999
  Action Field Values  1000
  Event Field Values  1000
  IPsec VPN Log Messages  1005
  VPN Notifications  1005
  VPN Errors  1007
  VPN Error Codes  1009
  Audit Entry Types  1010
  Syslog Entries  1014
  Log Fields Controlled by the Additional Payload Option  1015
  Connection States  1016

APPENDIX H  Keyboard Shortcuts  1019
  General Shortcuts  1020
  Shortcuts for Browsing Logs and Alerts  1021
  Other View-Specific Shortcuts  1023

Glossary  1025

Index  1055

GETTING STARTED

In this section:
  Using StoneGate Documentation - 21
  What's New? - 27
  Using the Management Client - 35
  Setting up the System - 55
  Configuring System Communications - 59
  Managing Elements - 71

CHAPTER 1

USING STONEGATE DOCUMENTATION

Welcome to the StoneGate product family by Stonesoft Corporation. This chapter describes how to use this guide and related documentation. It also provides directions for obtaining technical support and giving feedback on the documentation.

The following sections are included:
  Objectives and Audience (page 22)
  Documentation Available (page 23)
  Contact Information (page 24)

Objectives and Audience

The StoneGate Administrator's Guide is intended for the administrators of any StoneGate installation in tasks that involve the StoneGate Management Center (SMC) and the various components that the SMC controls. This guide describes step by step how to complete StoneGate configuration and management tasks. The guide continues from where the Installation Guide ends.

The chapters in this guide are organized according to StoneGate administrative tasks. Each chapter focuses on one area of administration. As a general rule, the chapters proceed from basic configuration tasks to more advanced topics. Although overviews are provided, the emphasis in this guide is more on completing specific tasks than on developing a deep understanding of how the system works (consult the Reference Guides for more background information).

This guide explains features included in the software versions mentioned on page 1. If you are using older versions of the software, you will not be able to use all the features explained in this manual, and some features that are available may not work as explained.

To launch the Online Help system, press F1 on your keyboard in any Management Client window or dialog.

Typographical Conventions

We use the following typographical conventions throughout the guide:

Table 1.1 Typographical Conventions

Formatting            Informative Uses
Normal text           This is normal text.
User interface text   Interface elements (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms     Cross-references and first use of acronyms and terms are in italics.
Command line          File names, directories, and text displayed on the screen are monospaced.
User input            User input on screen is monospaced bold-face.
Command parameters    Command parameter names are in monospaced italics.

We use the following ways to indicate important or additional information:

Prerequisites: Many of the sections start with a list of prerequisites that point out tasks you must perform before the procedure outlined in the section. Obvious prerequisites (such as having installed a firewall if you want to configure a firewall feature) are not included in these prerequisites.

Note: Notes provide important information that may help you complete a task.

Caution: Cautions provide important information that you must take into account before performing an action to prevent critical mistakes.

Tip: Tips provide information that is not essential, but makes working with the system easier.

Example: Examples clarify points made in the adjacent text.

What's Next? The What's Next lists at the ends of sections contain tasks that you must or may want to perform after completing a procedure. If several of the procedures listed apply, pick the first one; you will encounter a new What's Next section when you are finished with the first item.

Chapter 1 Using StoneGate Documentation

Documentation Available

StoneGate technical documentation is divided into two main categories: product documentation and support documentation.

Product Documentation

The table below lists the available product documentation. PDF guides are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.

Table 1.2 Product Documentation

Reference Guide
    Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Management Center, Firewall/VPN, and StoneGate IPS.

Installation Guide
    Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Management Center, Firewall/VPN, IPS, and SOHO firewall products.

Online Help
    Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Web Portal. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.

Administrator's Guide
    Describes how to configure and manage the system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client.

User's Guide
    Instructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Web Portal.

Appliance Installation Guide
    Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling, etc.). Available for all StoneGate hardware appliances.

Support Documentation

The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate guide books, for example, by giving further examples of specific configuration scenarios. The latest StoneGate technical documentation is available on the Stonesoft website at http://www.stonesoft.com/support/.

System Requirements

The certified platforms for running StoneGate engine software can be found on the product pages at www.stonesoft.com/en/products_and_solutions/products/ (select the correct product and click Software Solutions on the left). The hardware and software requirements for the Management Center and version-specific details for all software products can be found in the Release Notes included on the Management Center CD-ROM and on the software download page at the Stonesoft website.

Contact Information

For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.

Licensing Issues

You can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do. For license-related queries, e-mail [email protected].

Technical Support

Stonesoft offers global technical support services for Stonesoft's product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.

Your Comments

We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements. To comment on software and hardware products, e-mail [email protected]. To comment on the documentation, e-mail [email protected].


Security Related Questions and Comments

You can send any questions or comments relating to StoneGate IPS and network security to [email protected].

Other Queries

For queries regarding other matters, e-mail [email protected].


CHAPTER 2

WHAT'S NEW?

This section lists major changes since the previous release. Most new or reworked features in the software are listed here. Changes that do not significantly affect the way StoneGate is configured are not listed. For a full list of changes in the software and detailed version-specific information, consult the Release Notes.

The following sections are included:
  Important Changes (page 28)
  Other Changes in SMC