
Page 1: 6.2 Users Guide - gta.com · DHCP Relay ... Anti-Spam ... Performing a Manual Software Update

User’s Guide

Global Technology Associates
3361 Rouse Rd, Suite 240

Orlando, FL 32817

Tel: +1.407.380.0220
Fax: +1.407.380.6080
Email: [email protected]

Web: www.gta.com

GB-OS®

Version 6.2

GBOSUG201410-01

Page 2:

ii

GB-OS 6.2 User’s Guide

Table of Contents

Preface ____________ 10
About This Guide ............ 11
  Conventions …… 11
  Icons …… 11
About GTA Firewalls ............ 12
  What is a Firewall? …… 12
  A GB-OS firewall system is: …… 13
  Features …… 14
  New Features …… 14
  Standard Features …… 14
  Optional Features …… 14
Support ............ 14
  Support Options …… 15
  Software Updates …… 15
Additional Documentation ............ 15

Initial Setup ____________ 17
Overview ............ 18
Preparation ............ 19
  Registration …… 19
  Retrieving Your Activation Code …… 19
  Planning Your Network …… 19
  Requirements …… 20
  Setup by Temporary Peer Network …… 20
  Powering On the Firewall …… 21
Entering Firewall Network Settings ............ 22
  Browser Compatibility …… 22
  Connecting to the Web Interface …… 22
  Using the Basic Setup Wizard …… 23
  Entering Your Network Information Manually …… 28
  Using CIDR Notation …… 29
  Setting Your Time …… 29
  Re-configuring Your Computer …… 29
Placing the Firewall on the Network ............ 30

Basic Setup Tasks ____________ 31
Basic Setup Tasks ............ 32
  Setting the Configuration Mode …… 32
  Defining a Network …… 33
  Entering the Host Name …… 33
  Defining Logical Interfaces …… 34
  DNS Setup …… 35
  DNS Proxy vs. DNS Server …… 35
  Configuring the DNS Proxy …… 36
  Date/Time Setup …… 37
  Network Time Setup …… 37
  Designating the Firewall as a NTP Server …… 38
  System Clock …… 38
  GB-OS Certificate Management …… 39
  Defining Objects …… 39
  Address Objects …… 40
  Selecting the Address Object’s Type …… 40
  Using Regular Expressions …… 41
  Default Address Objects …… 42
  Bookmark Objects …… 42
  Service Group Objects …… 42
  Default Service Group Objects …… 44
  Time Group Objects …… 44
  IPSec Objects …… 44
  Encryption Objects …… 45
  Allowing and Denying Traffic …… 45

Page 3:

iii

  Policy Sets …… 45
  Allowing Inbound Traffic …… 45
  Blocking Outbound Traffic …… 46
  Country Blocking …… 46
  Managing Policies …… 47
  Tips for Using Policies …… 48
  Using Host Names or DNS in Combination with Security Policies …… 48
  Requirements …… 48
  Method 1: …… 48
  Method 2: …… 49
  Verifying the Configuration …… 50
  Navigation Menu Icons …… 51
  Verification Flags …… 51
  Applying the Configuration …… 51
  Importing/Exporting Firewall Configuration …… 53
  Automatic Backup …… 54
  Email Backup …… 54
  Cloud Backup …… 54
  USB Backup …… 55
  Managing Cloud or USB Backups via the Web Interface …… 55
  Restoring Backups …… 56
  Downloading Backups …… 56
  Deleting Backups …… 56
  Restoring Backups Via the Console …… 56
  Cloud or USB Device Directory …… 56
  High Availability and Automatic Backup …… 56

Advanced Setup Tasks ____________ 58
Advanced Setup Tasks ............ 59
  Firewall User Account and Group Setup …… 59
  Creating User Accounts …… 59
  Download User Mobile Configuration …… 60
  Creating Groups …… 60
  Creating an Administrator Group …… 61
  Configuring Remote Administration …… 62
  Lockout …… 63
  Remote Administration …… 63
  Changing the Remote Administration Port …… 63
  Encryption …… 64
  Policy Compatibility …… 64
  Authentication Setup …… 66
  GTA Authentication …… 68
  Using GTA Authentication on a GTA Firewall …… 68
  LDAPv3 …… 68
  Using LDAPv3 on a GTA Firewall …… 68
  RADIUS …… 69
  Using RADIUS on a GTA Firewall …… 69
  Active Directory Single Sign-On …… 70
  Requirements For Single Sign-On …… 70
  Single Sign-On Server Installation on Windows …… 70
  Configuring Single Sign-On …… 70
  PPP Setup …… 70
  PPPoE Transport …… 73
  PPTP Transport …… 75
  DHCP Server …… 78
  DHCPv4 …… 78
  DHCPv6 …… 80
  DHCP Relay …… 81
  DHCP Relay Requirements …… 81
  Example DHCP Relay …… 81
  Configuration …… 82
  PSN to Protected DHCP Relay …… 82
  Dynamic DNS Setup …… 84
  DNS Server Setup …… 85
  Configuring the DNS Server …… 85
  Creating DNS Domains …… 87
  Routing Traffic …… 88
  Alias Setup …… 88
  NAT Setup …… 89
  Creating Inbound Tunnels …… 89

Page 4:

iv

  Creating Static Mappings …… 91
  Allowing Static Mapping …… 92
  Pass Through Setup …… 92
  Security Policies …… 93
  Creating Pass Through Policy Pairs …… 93
  Defining Bridged Protocols …… 94
  Protocol Definitions …… 94
  Defining Hosts/Networks …… 95
  Bridging Interfaces …… 96
  Bridging Mode …… 97
  BGP Setup …… 98
  OSPF Setup …… 100
  RIP Setup …… 103
  Static Routes …… 105
  Multiple Gateway Setup …… 106
  Gateway Failover …… 107
  Selecting Useful Beacons …… 107
  Gateway Sharing …… 108
  Policy Based Routing …… 108
  Source Routing …… 108
  Preferences …… 109
  Defining the Internet Protocol …… 109
  Defining Connection Timeouts and Limiting …… 109
  Creating Advanced Security Policies …… 111
  Detailed List View …… 112
  Policy Preferences …… 112
  Options …… 113
  Automatic Policies …… 113
  Address Spoof …… 113
  Connection Limiting …… 114
  Country …… 114
  Doorknob Twist …… 114
  Fragmented Packets …… 114
  Invalid Packets …… 114
  Unexpected Packets …… 114
  Ident Option …… 114
  Stealth Mode …… 114
  TCP SYN Cookies …… 114
  Advanced: Coalesce …… 114
  Setting Notifications …… 115
  Email …… 115
  SMS …… 116
  SNMP Trap …… 116
  Alarms …… 117
  Applying Traffic Shaping …… 117
  Weight vs. Priority …… 117
  Using Traffic Shaping …… 118
  VPN Setup …… 119
  VPN Concepts …… 119
  Authentication …… 119
  Multiple Networks …… 120
  Mobile Protocol …… 120
  IPSec Objects …… 120
  SSL Client and Browser Setup …… 121
  PPTP & L2TP Setup …… 121
  VLAN Setup …… 121
  VLAN Terms and Concepts …… 122
  VLAN Interface …… 122
  VLAN IDs …… 122
  VLAN Trunk …… 122
  VLAN Switch …… 123
  Creating a VLAN …… 123
  SNMP Setup …… 124
  Remote Logging Setup …… 125
  WELF (WebTrends Enhanced Log Format) …… 126
  Unix Facilities …… 127
  Policy …… 127
  NAT (Network Address Translation) …… 127
  WWW …… 127

Page 5:

v

Threat Management ____________ 128
Threat Management ............ 129
  Intrusion Prevention System (IPS) …… 130
  Running the IPS Setup Wizard …… 131
  Configuring the IPS Proxy …… 132
  Configuring Performance Tuning Settings …… 133
  Configuring IPS Policies …… 134
  Filtering Displayed IPS Policies …… 135
  Mail Proxy …… 135
  Mail Proxy Policies …… 136
  Defining Email White (Allow) or Black (Deny) Lists …… 139
  RDNS (Reverse DNS) …… 140
  Defining a Mail Abuse Prevention System (MAPS) …… 140
  Content Filtering …… 141
  Configuring the Content Filtering Proxy …… 141
  Enabling the Traditional Proxy …… 142
  Transparent Proxy …… 142
  Block Actions …… 142
  Content Filtering Policies …… 142
  Local Allow and Deny Lists …… 144
  Content Blocking …… 144
  Content Filtering Categories …… 145
  Creating Advanced Content Filtering Policies …… 145

Monitoring Reports & Administrative Tools ____________ 146
Monitoring, Reports, and Administrative Tools ............ 147
  Administrative Tools …… 147
  Interfaces …… 147
  Network Diagnostics …… 147
  Ping …… 147
  Trace Route …… 148
  Packet Capture …… 149
  Shutdown …… 149
  Halt …… 149
  Reboot …… 149
  Release License …… 149
Audit Events ............ 150
Viewing Firewall Logs ............ 150
Viewing Activity ............ 151
  Accounts …… 151
  Authenticated …… 151
  Locked Out …… 151
  Sessions …… 151
  Network …… 152
  ARP Table …… 152
  Flushing the ARP Table …… 152
  Connections …… 152
  Hosts …… 153
  Routing …… 153
  Statistics …… 154
  Security Policies …… 154
  Services …… 154
  DHCP Leases …… 154
  Flushing DHCP Leases …… 154
  Threat Management …… 155
  IPS …… 155
  Mail Proxy …… 155
  Anti-Spam …… 155
  Anti-Virus …… 155
  Statistics …… 155
  Content Filtering …… 155
  VPN …… 156
  IPSec Tunnels …… 156
Reporting ............ 157
  Report Configuration …… 157
  Generating Reports …… 158
  Scheduling Reports …… 159
  Graphs …… 160

Page 6:

vi

  Preferences …… 161
Updating Your Firewall’s Software ............ 162
  Scheduling Checks for Automatic Updates …… 163
  Performing a Manual Software Update …… 163

Troubleshooting ____________ 164
Troubleshooting Guidelines ............ 165
Frequently Asked Questions (FAQ) ............ 166
  Administration …… 167
  Network Connectivity …… 168
  Services and Options …… 171
  Hardware …… 174
  Other …… 175
  Automatic Backup …… 175

User Interface ____________ 177
Reference A: User Interface ............ 178
  Web Interface …… 178
  Features …… 179
  Web Interface Access …… 179
  Characteristics …… 179
  How to Access the Web Interface …… 179
  Navigation and Data Entry …… 180
  Menu …… 180
  Verification Icons …… 180
  Main Window …… 181
  Advanced Tab …… 181
  Buttons and Icons …… 182
  Screen Buttons …… 182
  List Icons …… 183
  Flags …… 183
  Index Numbers …… 184
  Pull Down Menus …… 184
  System Overview Screen …… 185

System Parameters ____________ 187
Reference B: System Parameters ............ 188
  How to find your section: …… 188
  2. Configure …… 189
  2.2.1 Summary …… 189
  2.2.2 Apply …… 189
  2.2.3 Backup …… 190
  2.2.4 Change Mode …… 191
  2.2.5 Import/Export …… 191
  2.2.6 Runtime …… 191
  2.2.6.1 Options …… 191
  2.2.6.2 Update …… 192
  2.3 System …… 193
  2.3.1 Summary …… 193
  2.3.2 Information …… 193
  2.3.3 Activation Codes …… 193
  2.3.4 Contact Information …… 193
  2.3.5 Date/Time …… 194
  2.3.6 Notifications …… 194
  2.4 Accounts …… 196
  2.4.1 Summary …… 196
  2.4.2 Authentication …… 196
  2.4.3 Groups …… 198
  2.4.4 Remote Administration …… 199
  2.4.5 Users …… 200
  2.5 Network …… 201
  2.5.1 Summary …… 201
  2.5.2 Interfaces …… 201
  2.5.2.1a Settings …… 201
  2.5.2.2 Aliases …… 206
  2.5.3 NAT …… 207
  2.5.3.1 Inbound Tunnels …… 207
  2.5.3.2 Static Mappings …… 208
  2.5.4 Pass Through …… 209

Page 7:

vii

  2.5.4.1 Bridged Protocols …… 209
  2.5.4.2 Host/Networks …… 209
  2.5.5 Preferences …… 210
  2.5.6 Routing …… 211
  2.5.6.1 BGP …… 211
  2.5.6.2 Gateway Policies …… 212
  2.5.6.3 OSPF …… 213
  2.5.6.4 RIP …… 214
  2.5.6.5 Static Routes …… 216
  2.5.7 Traffic Shaping …… 216
  2.6 Objects …… 217
  2.6.1 Summary …… 217
  2.6.2 Address Objects …… 217
  2.6.3 Bookmark Objects …… 217
  2.6.4 Encryption Objects …… 218
  2.6.5 IPSec Objects …… 219
  2.6.6 Service Groups …… 220
  2.6.7 Time Groups …… 220
  2.7 Reporting …… 221
  2.8 Security Policies …… 222
  2.8.1 Summary …… 222
  2.8.2 Country Blocking …… 222
  2.8.3-5 & 2.8.7 Inbound, Outbound, Pass Through, VPN (IPSec, L2TP, PPTP, SSL Client) …… 222
  2.8.6 Preferences …… 224
  2.9 Services …… 225
  2.9.1 Summary …… 225
  2.9.2 DHCP …… 225
  2.9.3 DNS …… 226
  2.9.4 Dynamic DNS …… 228
  2.9.5 High Availability …… 229
  2.9.6 Remote Logging …… 229
  2.9.7 SNMP …… 230
  2.10 Threat Management …… 231
  2.10.2 IPS …… 231
  2.10.2.1 Proxy …… 231
  2.10.2.2 Policies …… 232
  2.10.3 Mail Proxy …… 233
  2.10.3.1 Proxy …… 233
  2.10.3.2 Policies …… 233
  2.10.4 Content Filtering …… 236
  2.10.4.1 Proxy …… 236
  2.10.4.2 Policies …… 236
  2.11 VPN …… 238
  2.11.1 Summary …… 238
  2.11.2 Certificates …… 238
  2.11.3 Preferences …… 239
  2.11.4.1 IPSec …… 239
  2.11.4.2 L2TP …… 240
  2.11.4.3 PPTP …… 241
  2.11.4.4 Preferences …… 242
  2.11.4.5 SSL Client …… 243
  2.11.5 Site-to-Site …… 244

Utilities ____________ 247
Reference C: Utilities ............ 248
  GBAuth …… 248
  GBAuth Download via Firewall Interface …… 248
  Using GBAuth for GTA Authentication …… 248
  Using GBAuth for LDAP Authentication …… 249
  Using GBAuth for RADIUS Authentication …… 250
  GTA SSOAuth …… 251
  Using Active Directory Single Sign-On …… 251

Upgrading ____________ 253
Upgrading to GB-OS 6.2 ............ 254
  Based on the version of GB-OS your GTA firewall is currently running: …… 254
  Upgrading from GB-OS 6.1.x …… 254
  Updating Runtimes …… 255
  Scheduling Checks for Automatic Updates …… 255
  Performing a Manual Software Update …… 256

Page 8:

viii

    Step 1: Generate GB-OS 6.2 Feature Activation Codes … 256
    Step 2: Load GB-OS 6.2 Feature Activation Codes Into the Configuration … 256
    Step 3: Upgrade to GB-OS 6.2 … 256
  Upgrade Notes … 257
    GB-250 Rev A No Longer Supported … 258
    IPS Activation Codes … 258
    GB-Ware Compact Flash Adapters Boards & ATA/IDE Cable Compatibility … 258
      Adapter Boards … 258
      Conductor ATA Cables … 259
    Re-sizing Slices and Runtime Upgrades … 259
    Error Messages Upon Initial Reboot … 259
    GB-250 Upgrade Notice … 260
    Corrupt Object Names and Descriptions … 260

Log Messages … 261
Reference E: Log Messages … 262
  System Notices … 262
    Hardware Errors … 262
    Failed Network Connectivity … 262
    Implicit Policies … 262
    Other Firewall Behaviors … 262
      Ping Flood/DoS Attack (ICMP Limiting) … 263
      TCP SYN Flood … 263
      Spoof Attempt … 263
      Stealth Mode Blocked Message … 263
      Door Knob Twist (Attempted Connect to Closed Port) … 263
      FTP Bounce … 263
    User Licenses … 264
      Maximum Firewall Users Exceeded … 264
      Maximum Web Filtering Users Exceeded … 264
    Configuration Changes by User … 264
    Automatic Backup … 264
  Permission/Policy Notices … 265
    Allowed Connections … 265
      Inbound Security Policy … 265
        Open … 265
        Close … 265
        FTP Port Updating … 266
      Outbound … 266
        Open … 266
        Close … 266
      Successful Administrative Access Attempts … 267
    Denied Connections … 267
      Inbound … 267
      Outbound … 267
      Block By Country … 267
      Unsuccessful Administrative Access Attempts … 268
      Web Interface Compromise Attempt … 268
  Routing Notices … 268
    ICMP Types and Codes … 269
      ICMP Types … 269
      ICMP Codes … 270
    OSPF … 271
    Network Address Translation (NAT) … 272
      TCP … 272
        Open … 272
        Close … 272
      HTML Sessions … 272
        Open … 272
        Close … 272
      ICMP … 272
        Open … 272
        Close … 272
      UDP … 272
        Open … 272
        Close … 272
    Pass Through (No NAT) … 273
      Open … 273
      Close … 273
    Bridged Interfaces … 273
      Cabling Loop … 273


      Bridged Protocols … 273
  Firewall Service Notices … 274
    Authentication … 274
      Expired Authentication Session … 274
      Authentication Denied Due to Closed Authentication Connection … 274
      Authentication Denied Due to Old GBAuth Version … 275
    Gateway Selector … 275
      Email Notification from Gateway Selector … 275
    Intrusion Prevention System (IPS) … 275
      Connection Passed … 275
      Connection Dropped … 275
      Connection Reset … 275
    Mail Proxy Email Filtering … 276
      Email Delivered … 276
      Email Rejected Due to Source or Destination of Policy … 276
      Email Rejected Due to Exhaustion of Policies (Reject by Default If No Match Is Found) … 276
      Email Rejected Due to Reverse DNS … 276
      Email Rejected Due to MAPS … 276
      Email Rejected Due to Invalid Recipient … 277
      Email Connection Incomplete … 277
      Maximum Count of Threads Exceeded … 277
      Mail Proxy Anti-Virus and Mail Proxy Anti-Spam Options … 277
      Email Confirmed Spam by Anti-Spam but Delivered … 277
      Email Confirmed Spam by Anti-Spam and Quarantined … 277
      Email Virus Found by Anti-Virus and Cured Then Delivered … 278
      Email Virus Found by Anti-Virus but Delivered … 278
      Email Virus Found by Anti-Virus and Quarantined … 278
      Email Virus Found by Anti-Virus and Rejected … 278
      Email Headers … 279
    VPN … 280
      Security Associations … 280
      Mobile Client VPN Authentication and Connection … 280
    Web Content Filtering … 281
      Transparent Proxy … 282
      Traditional Proxy … 282
      Web Filtering Option … 282

Glossary … 283
Reference F: Glossary … 284

License Agreement … 298

Legal Notices … 300


Preface


About This Guide

The GB-OS User’s Guide covers the configuration and use of GB-OS version 6.2. Organization of the chapters in this guide is according to common tasks. Exceptions to this rule include the Preface, Troubleshooting and Reference chapters. For the location of specific topics, please see the table of contents.

Conventions

A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

Convention | Meaning
Bold Italics | Emphasis
Italics | Publications
Blue Underline | Clickable hyperlink (email address, Web site or in-PDF link)
SMALL CAPS | On-screen field names
Monospace Font | On-screen text
Condensed Bold | On-screen menus, menu items
BOLD SMALL CAPS | On-screen buttons, links

Icons

Note

Note icons are points of interest GTA has chosen to highlight. These notes represent tips or additional information beyond standard instruction.

CAUTION

Caution icons are used to highlight important information which may affect the use of GTA products.


About GTA Firewalls

Global Technology Associates, Inc. (GTA) has been designing and building Internet firewalls since 1994. In 1996, GTA developed the first truly affordable commercial-grade firewall, the GNAT Box. Now, GB-OS is the engine that drives all GTA Firewall UTM Appliances and GB-Ware firewalls.

What is a Firewall?

When creating or upgrading a computer network, security is an important consideration. Who should be allowed to see or change your data? What policies should govern the use of the network?

You probably don’t want unknown people using your resources without your consent. You may wish to restrict use, for example, to employees that have been given a login. You may wish to further protect sensitive data from accidental or malicious damage. And in a time when network attacks are increasingly common, you may also wish to provide your clients with additional peace of mind regarding security of customer data.

After assessing these kinds of policy needs, it is important to choose a device that will help you apply your network security decisions.

Many people mistake a router for a firewall. While many modern routers do have some firewall functionality, their primary task is as their name designates: to route network traffic. Firewalls differ because they apply sophisticated policy controls to traffic that is allowed to travel across the network.

Firewall applications, which run on your computer alongside other software that may have unknown vulnerabilities, are generally less effective than a dedicated firewall device. They provide some protection, but may not be the most secure choice because of disparities in power and sophistication. This is especially true if your network must protect many computers; in that case it may also be more efficient to maintain a single firewall device rather than copies of firewall software installed on every computer. Firewall devices simplify policy application and provide additional strength by securing your network at the gateway level, before an attack can reach your internal network.

As dedicated firewall devices, GB-OS systems are devoted entirely to network security. Unlike servers and computers whose many running software applications may inadvertently open your network to vulnerability, GTA Firewall UTM Appliances only run necessary security software. No unrelated applications run on them. An authorized user can log on only to configure and administer the firewall.

By definition, the effectiveness of a firewall is determined by the traffic it denies.

GB-OS is based on the basic firewall principle: that which is not explicitly allowed is denied. If all policies were deleted and nothing was explicitly allowed, a GTA Firewall UTM Appliance would deny all traffic, both inbound and outbound.


A GB-OS firewall system is:

• A firewall that prevents unauthorized access to internal networks, while allowing authorized connections to operate normally.
• A unified threat management appliance that protects your network from spam, viruses and unauthorized access.
• A virtual private network (VPN) gateway between two networks or a network and a mobile client using IPSec VPN standards; it supports many third-party IPSec-compliant VPN products.
• A network address translation (NAT) engine that allows unregistered IP addresses to be used on the protected and PSN networks so that IP addresses are hidden from external networks and translated to the primary external network interface IP address.
• A network gateway that links network topographies (e.g. 10 Mbps to gigabit) and replaces a router in a PPP configuration.
• A bridging firewall that links Ethernet networks together transparently like a bridge, while filtering IP packets as a firewall.
• An email proxy that restricts access to your email server.
• A DNS proxy or server that makes DNS requests or maintains a database of domain names (host names) and their corresponding IP addresses.
• A DHCP server that automates the assignment of IP addresses to host systems on locally attached networks.


Features

GB-OS firewall software has a number of features to help you protect your network resources from unauthorized use.

New Features

GB-OS provides a graphical user interface accessed using a Web browser with an improved workflow and setup wizards. New and improved features in GB-OS 6.2 include:

Place holder - List needs to be updated and edited

• IKE v2 Support
• IPSec VPNs do not re-start when adding new IPSec Tunnels or users
• Update for the Web Interface to better handle modern browsers.
• Inbound and Outbound Country Blocking Policies

Standard Features

GTA’s NAT (Network Address Translation) and Stateful Packet Inspection engine are at the heart of all GB-OS firewalls. These facilities, tightly integrated with the network layer, guarantee maximum data throughput, reliable NAT and unparalleled security. (Pass through policies allow the use of the firewall without NAT.) GB-OS version 6.1 features also include:

• Email proxy with anti-virus and optional spam prevention tools
• IPSec VPN (Virtual Private Networking)
• Encryption methods including DES, 3DES, AES, Blowfish and Camellia
• User authentication via the GBAuth utility and Active Directory Single Sign-On
• Email notifications and SMS messaging support
• Advanced routing protocols including RIP, BGP and OSPF
• DHCP and DNS services via built-in DHCP and DNS servers (available on select GTA firewalls)
• Transparent network access for standard IP applications
• Protocols including FTP, PASV FTP, RealAudio/Video, ICQ, AIM, online gaming, Net2Phone, PPP, PPPoE and PPTP
• Bridging for user-specified Ethernet protocols
• Safe access to servers from external networks using the PSN, GTA’s enhanced DMZ network
• Secure remote logging using the GTAsyslog or a third-party syslog
• Default stealth (no ping) mode
• GB-Ware installation support via Virtual Machine packages
• PPTP and L2TP support
• Monitoring and data reports
• Automatic configuration backup with Email and Cloud and/or USB storage

GB-OS administrators have a choice of two user interfaces:

• Web interface: A secure, platform-independent remote management interface providing comprehensive access to configuration options via a frames-enabled, SSL-compatible Web browser.

• Console interface: On-site serial or video fail-safe and firewall recovery access with limited configuration options.

Optional Features

• Secure mobile remote network access with IPSec VPN clients
• Email filtering with Mail Proxy Anti-Spam and Anti-Virus
• Web Filtering subscription add-on to Content Filtering
• Firewall failover ability with H2A - High Availability (available on select GTA firewalls)
• VPN hardware acceleration (available on select GTA firewalls)


• A variety of support offerings for firmware upgrades

Support

Installation (“up and running”) support is available to original owners who have registered their product. If you need installation assistance during the first 30 days of ownership, contact the GTA Support team by emailing [email protected]. Be sure to include your product name, serial number, activation code, feature activation code numbers for your optional/subscription features and if possible a Configuration Report.

Installation support only covers installation and default configuration of the firewall. For further assistance, contact an authorized GTA Channel Partner or GTA Sales staff for information about support offerings.

Support Options

If you need support after installation and default configuration, a variety of support contracts are available. Contact an authorized GTA Channel Partner or GTA Sales staff for more information. Support ranges from support per incident to annual contract coverage.

Other avenues for assistance are available through an authorized GTA Channel Partner, the GTA Firewall User Forum (forum.gta.com), or the GTA Web site (www.gta.com).

Software Updates

Once registered, you can view available updates in the GTA Online Support Center section of the GTA Web site (www.gta.com/support/center/login/). Click on the serial number of your registered product to see if an update is available for that specific unit.

Click on the DOWNLOADS link to view all available software versions.

Software updates are also available through the GB-OS Web interface. Navigate to Configure>Configuration>Runtime>Update. If there are no updates, click CHECK NOW. All available updates will appear here.

CAUTION

Before updating, be sure to back up your configuration.

Additional Documentation

For additional instructions on installation, registration and setup of a GTA product, see applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate option guide. Documentation is included on the CD shipped with new GTA products, and is also available for download from the GTA Web site.


Note

For the latest documentation, check the GTA Web site for current PDFs.

These manuals and other documentation can also be found on the GTA Web site (www.gta.com). Documents on the Web site are either in plain text (*.txt) or portable document format (*.pdf) which requires Adobe Reader version 7.0 or greater. A free copy of Adobe Reader can be obtained from www.adobe.com.

Available Documentation

Document | Topics
GB-OS User’s Guide | GB-OS features and Web user interface.
GB-Ware User’s Guide | GB-OS features and install for GB-Ware.
Configuring IPv6 | IPv6 configuration for GTA firewalls.
GB-OS Certificate Management | Configuration guide for utilizing certificates.
GTA VPN Feature Guide | VPN (virtual private networks) feature for site-to-site VPNs.
Remote Access Configuration Guide | Firewall configuration for various remote access methods.
IPSec VPN Client Configurations | Specific client configurations for Windows, Linux, Macintosh and Apple devices.
SSL Client & Browser Configuration Guide | Firewall configuration for the SSL Client and SSL Browser.
SSL Web Browser Guide | Guide for using the SSL Browser.
SSL Client Install Guides | Specific SSL Client install manuals for Windows, Linux, and Macintosh.
L2TP and PPTP Configuration Guides | Specific guides for both L2TP and PPTP installs and configuration for Windows, Linux, Macintosh and mobile devices.
Mail Proxy Feature Guide | Email anti-spam and anti-virus filtering feature.
Content Filtering Feature Guide | Content filtering optional feature.
H2A High Availability Feature Guide | High availability optional feature.
www.gta.com | Hardware specifications, current documentation and examples


Chapter 1: Initial Setup


Overview

The Initial Setup chapter describes how to set up your new GTA Firewall UTM Appliance. Steps include registration, initial physical connection, entering network settings through the firewall’s Web interface, and installation on your network.

Instructions assume that the firewall is being added to an existing network. If you need help setting up a computer network, instructions for setting up a simple office network (LAN) can be found on the GTA Web site.

This chapter’s content reflects the Quick Guide included with all new GTA firewalls, but provides alternative methods and more detailed instructions. Expected completion time is approximately 30 minutes.

Main steps include:

1. Preparation
2. Connecting Your Computer to the Firewall
3. Entering Firewall Network Settings
4. Placing the Firewall on the Network

What you’ll need:

• Firewall serial number

• Firewall and feature activation code(s)

• Internal and external IP addresses for your firewall

• Internal and external subnet masks for your firewall

• Gateway/default route IP address for your firewall

• DHCP or DNS information if your firewall has a static IP address

• A crossover Ethernet cable

• Your new firewall with its power cable or power adapter

• A computer with an Ethernet network card and compatible Web browser

Note

These instructions are for GTA Firewall UTM Appliances only, and do not apply to GB-Ware. See the GB-Ware Product Guide for installation and setup of GB-Ware firewalls.

Any firewall use or administration described in later chapters assumes that you have completed this chapter’s instructions or the equivalent instructions in the GB-Ware Product Guide, as appropriate to your firewall model.


Preparation

Gather necessary information before proceeding with firewall setup. This includes any activation codes and network planning information such as IP addresses and subnet masks for the firewall’s network ports.

Registration

In order to retrieve activation codes and receive software updates and technical support, you must register your GTA firewall. Registration also archives your valuable activation codes and serial numbers with GTA, protecting against their loss should your own records be lost or destroyed. In addition to qualifying you for installation support, your product registration will allow GTA to inform you about software updates and special offers.

1. To register, visit www.gta.com. Click on SUPPORT and then the SUPPORT CENTER link.
2. If you do not have an online support account, click the CREATE AN ACCOUNT NOW link and enter your information. Once the form is completed, click the SUBMIT button to save the profile.
3. Enter your user ID and password on the login page. Click on the REGISTER A PRODUCT link. Enter your serial number and activation code, then click the SUBMIT button. To view your registered products, click the VIEW PRODUCTS link.

Note

If you cannot retrieve your activation code, or a code does not appear under VIEW PRODUCTS, please email [email protected] with a brief description of your problem in the body of the email. Be sure to include the product’s serial number and your online support account’s user ID in the message subject.

Retrieving Your Activation Code

All GTA firewalls use an activation code to protect software from illegal duplication. Serial numbers and activation codes are included with the packaging. Should you lose records of your activation codes, registration allows them to be retrieved from the GTA Online Support Center (http://www.gta.com/support/center/login/), under VIEW PRODUCTS.

Activation codes are also available through the GB-OS Web interface at Configuration>Configure>Runtime>Update. Select CHECK NOW if no updates display.

The primary activation code is pre-installed in all GTA Firewall UTM Appliance models. Optional features require separate feature activation codes, available through the GTA Online Support Center.

Planning Your Network

These instructions assume that you have an existing network. If you do not yet have a network, simple network setup examples are available on the GTA Web site.

To add your firewall to your existing network, you will first need to determine a suitable place for attachment. Physical location can partly determine the effectiveness of the firewall in performing its role, so choose a location carefully.

• If your firewall will be performing a perimeter security role, defending your network from Internet-sourced attacks, then consider placement between your Internet router/gateway and your LAN.

• If your firewall will be performing as an internal mediator or routing role on your intranet/LAN, then consider placement between two internal routers.


Once you have chosen a suitable installation location for your firewall, you will need to devise firewall network settings (IP addresses and subnet masks) for the firewall’s connected ports.

Correct network settings will vary according to the settings of attached devices. For example, many LANs consist of computers with private IP addresses, as defined in RFC 1918, such as 192.168.1.xxx using a 24-bit subnet mask of 255.255.255.0; in this case, a valid firewall IP address could be 192.168.1.1 with a subnet mask of 255.255.255.0.

Note

For more information on the basics of TCP/IP networking and how to plan a network, one recommended source is TCP/IP Network Administration, 3rd Edition by Craig Hunt from O’Reilly and Associates.

Connecting Your Computer to the Firewall

First physically connect the firewall to your computer using the provided cables. Configure your computer to access the firewall’s IP address, then add your network settings to the firewall. Then add your firewall to its intended place on the network.

Connecting your computer to the firewall takes about 15 minutes. It assumes you’ve already planned out your network, or have a network already set up.

Requirements

To connect the firewall, gather the following hardware:

• 1 crossover Ethernet cable to connect directly to the firewall or through a router; or 1 straight-through cable to connect through a hub or switch (1 yellow crossover cable may be included; consult your package contents list)

• 1 external power supply or power cord (may be included; consult your package contents list)

• 1 computer with an Ethernet network card (NIC)

In addition, you will need:

• IP addresses and subnet mask plans for all devices on your network

• Gateway/router IP address (default path for traffic going to the Internet or other external network)

• An understanding of TCP/IP networking

Figure 1.1: Choosing the Correct Type of Ethernet Cable

Setup by Temporary Peer Network

Temporarily join a computer to the firewall’s default network. This allows you to connect and configure the firewall’s network settings to match your own network scheme, integrating it with your network.

1. Connect the computer’s NIC to the firewall’s NIC 0 using a crossover cable. (Alternatively, use a straight-through cable to connect the computer to the firewall’s NIC 0 through a hub or switch.)

Note

NIC 0 is the Ethernet port/connector labelled with a zero (0) on the firewall’s chassis.


2. Back up the computer’s network settings, then temporarily change your computer’s network settings (this allows you to access the firewall’s default network):

   IP Address: 192.168.71.253
   Gateway/Router: 192.168.71.254
   Subnet Mask: 255.255.255.0
   DNS Server: none (or 192.168.71.254, if this field is required)

Figure 1.2: Changing Network Settings to Match Firewall Defaults (Windows XP)

Figure 1.3: Changing Network Settings to Match Firewall Defaults (OS X)

3. If necessary, reboot your computer to apply the network configuration.

Powering On the Firewall

1. Connect the power supply to a power outlet.
2. Insert the power connector tip into the firewall.
3. If there is a power switch, turn the firewall on; if there is no switch, applying the power cable will cause the boot process to begin. The system will be operational in approximately one minute.
4. Verify your ability to connect to the firewall by pinging the default IP address of 192.168.71.254.

Preparation is now complete.


Entering Firewall Network Settings

The following sections will describe how to replace the firewall’s default configuration with your own network settings.

Browser Compatibility

GTA recommends using an SSL-compatible and frames-capable browser to administer your firewall.

CAUTION

Administration of the firewall without SSL is insecure and may send sensitive information such as passwords in clear text. It is not recommended if you have a hub or other network device between your computer and the firewall appliance.

Connecting to the Web Interface

1. Start a Web browser on your computer and enter the firewall’s URL into the browser’s location/address field: https://192.168.71.254.
2. If your network and cables are set up correctly, you will be prompted with a security alert dialog indicating that the certificate authority is not one you have chosen to trust; that the security certificate date is valid; and that the name on the security certificate does not match the name of the site.

   Click YES, or if your alert differs, choose the selection that allows you to proceed. (You may establish your firewall’s SSL certificate once you have logged on to the firewall.)

Figure 1.4: Accepting the Firewall’s SSL Certificate (Internet Explorer)

3. Next, in the login screen, enter the default user ID, fwadmin (all lower case). Then enter the default password, also fwadmin (all lower case). Click OK or press the return key when finished.

Figure 1.5: Entering the Default User ID and Password

CAUTION

GTA recommends changing the default user ID and password to prevent unauthorized access. Passwords can be changed after logging in.
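Step 2 above has you click through a warning that the certificate authority is untrusted and the name does not match. An added example (not GTA's code) of a safer habit: record the firewall's self-signed certificate fingerprint on the first, directly cabled connection and verify it on later visits before entering the administrator password. The pin file name and the helper functions are this example's own assumptions.

```python
"""Trust-on-first-use pinning for the firewall's Web interface certificate.

Added example for this guide, not GTA's code. Assumptions: pins are kept in
a small JSON file (PIN_FILE) of this example's choosing; GB-OS defines no
such file. Run it from the computer on the temporary peer network, then
again on later visits: a 'mismatch' means the certificate changed and you
should find out why before typing the administrator password.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Dict

FIREWALL_DEFAULT_IP = "192.168.71.254"   # default address from the guide
PIN_FILE = Path("gbos_cert_pins.json")   # assumed location for this example


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex,
    the form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS connection without chain or name validation (the factory
    certificate is self-signed, which is exactly the warning the guide
    describes) and return the presented certificate's fingerprint. Trust is
    decided afterwards by check_pin(), not by this handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if der is None:
        raise RuntimeError(f"{host}:{port} presented no certificate")
    return sha256_fingerprint(der)


def check_pin(pins: Dict[str, str], host: str, observed: str) -> str:
    """Compare an observed fingerprint with the stored pin for host.
    Returns 'new' (first contact; the pin is recorded in `pins`), 'ok'
    (unchanged) or 'mismatch' (changed: stop and investigate). Re-pin
    deliberately, by deleting the entry, after you install your own
    certificate on the firewall as the guide suggests."""
    stored = pins.get(host)
    if stored is None:
        pins[host] = observed.upper()
        return "new"
    return "ok" if stored.upper() == observed.upper() else "mismatch"


def load_pins(path: Path = PIN_FILE) -> Dict[str, str]:
    """Read the pin store, or start empty on first use."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(pins: Dict[str, str], path: Path = PIN_FILE) -> None:
    """Persist the pin store."""
    path.write_text(json.dumps(pins, indent=2))


if __name__ == "__main__":
    pins = load_pins()
    fp = fetch_fingerprint(FIREWALL_DEFAULT_IP)
    verdict = check_pin(pins, FIREWALL_DEFAULT_IP, fp)
    if verdict == "new":
        save_pins(pins)
    print(f"{FIREWALL_DEFAULT_IP}: {verdict} {fp}")
```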


Using the Basic Setup Wizard

Upon initial login to the GTA Firewall UTM Appliance, you will be prompted with the Basic Setup Wizard, which is designed to facilitate the entry of basic network settings. The firewall has default settings which need to be changed to match your network settings. Based upon the information you enter, the Basic Setup Wizard will configure your firewall, generate a default set of policies and create a GB-OS CA and local certificate for administrator and VPN. Upon successful completion of the wizard the GB-OS Web interface will unlock, providing full access to configuration options.

Before running the wizard, it may be helpful to print out and fi ll in the table which follows.

Note

When defi ning the IP address for network interfaces, a class C (24-bit) netmask will automatically be assigned unless a netmask is explicitly entered. For more information on assigning a netmask to your network and CIDR notation, see Using CIDR Notation later in this chapter.

Table 1.1: Basic Setup Wizard Worksheet
(Columns: Field, Description, Value. The Value column is blank for your entries.)

Serial Number
  Serial Number: The firewall’s serial number. This can be found on the card shipped with the firewall or physically on the firewall’s label.
  Activation Code: The firewall’s activation code. This can be found on the card shipped with the firewall or retrieved online from the GTA Online Support Center.

Administrator
  User ID: The default administrator’s user ID. Minimum 3 characters.
  Password: The administrator’s new password. Minimum 4 characters.

Network Preferences
  Enable: Enable support for IPv4 networks, or both IPv4 and IPv6 networks.

Date/Time
  Date: The current date.
  Time: The current time.
  Enable NTP: NTP (Network Time Protocol) is a protocol that assures accurate local timekeeping. Use of an NTP server is highly recommended. This field is enabled by default.
  Server: If the NTP checkbox is enabled, enter the NTP server’s location, such as 0.gta.pool.ntp.org.

Protected Interface
  IP Address: Assign a static IP address and netmask for the protected interface in CIDR notation.
  DHCP Server: Select the ‘DHCP Server’ checkbox to enable the firewall’s DHCP server for the protected interface. Value: DHCP

External Interface
  Type: Select DHCP if you wish to have the firewall use DHCP to obtain an IP address. Select PPP to configure a PPP, PPPoE or PPTP connection for the external interface. To manually assign a static IP address, select STATIC. Value: DHCP / PPP / STATIC
  DNS Server: If STATIC has been selected for the external interface’s Type, enter the DNS Server.
  IP Address: If STATIC has been selected for the external interface’s Type, enter the external interface’s IP address.
  Default Gateway: If STATIC has been selected for the external interface’s Type, enter the Default Gateway.

Host Name
  Host Name: Enter the identifying host name for the firewall. GTA recommends using a fully qualified domain name as the host name (e.g., firewall.example.com).

PSN Interface
  Enable: To configure an optional PSN (DMZ) interface, select the Enable checkbox.
  IP Address: Assign a static IP address and netmask for the PSN interface in CIDR notation.
  DHCP Server: Select the ‘DHCP Server’ checkbox to enable the firewall’s DHCP server for the PSN interface.

Running the Basic Setup Wizard

If this is your first time logging in to your GTA firewall, you will be presented with the Basic Setup Wizard by default. Otherwise, navigate to Wizards>Basic Setup from the firewall’s menu.

1. On the first screen of the Basic Setup Wizard, you will be prompted to enter the firewall administrator’s contact information.

Click the NEXT ARROW to continue.

Figure 1.6: Entering the Administrator’s Contact Information

2. The next screen will allow for entry of the firewall’s serial number and any activation codes for optional features that you purchased along with your product. Enter activation codes (hexadecimal characters only - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F) with dashes included.

The serial number and activation code(s) can be retrieved from the GTA Online Support Center (http://www.gta.com/support/center).

Click the NEXT ARROW to continue.

Figure 1.7: Entering the Serial Number and Activation Codes


3. You will then be prompted to enter and confirm a new username and password for the firewall’s default administrator account. The username must be a minimum of three (3) characters, and the password a minimum of four (4) characters.

Click the NEXT ARROW to continue.

Figure 1.8: Entering the Firewall Administrator’s Password

4. The following screen pertains to Network Preferences. Select the type of network to support: either IPv4 or both IPv4 and IPv6.

Click the NEXT ARROW to continue.

Figure 1.9: Network Preferences

5. The next screen will configure the firewall’s date and time settings. Although it is possible to manually configure the firewall date and time, it is highly recommended that you enable the NTP checkbox and enter an NTP server.

Note

For more information on configuring Date/Time settings and the NTP service, see Date/Time Setup in Basic Setup Tasks.

Figure 1.10: Configuring the Date and Time


6. The next screen will configure the protected interface. A protected interface is the interface which is connected to the protected network.

Select DHCP Server to have the firewall use DHCP to obtain the protected interface’s IP address. The protected interface does not require a registered IP address.

Click the NEXT ARROW to continue.

Figure 1.11: Configuring the Protected Interface

7. You will then be prompted to define the external interface. The external interface is used to communicate to the external network, typically the Internet. An external interface requires a public or legitimate IP address (if attached to the Internet).

Select DHCP to have the firewall use DHCP to obtain the external interface’s IP address. Select PPP to configure a PPP connection for the external interface. Select STATIC to assign a static IP address, default gateway and DNS server to the external interface.

Click the NEXT ARROW to continue.

Note

For more information on configuring a PPP connection, see PPP Setup in Advanced Setup Tasks.

Figure 1.12: Configuring the External Interface

8. The host name is the system name assigned to the GTA firewall. The host name is used to tag log messages and for creating SSL certificates. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down to a host, domain and top-level domain (e.g. firewall.example.com). Host names must be unique. If your network DHCP servers make IP address assignments based on the system name, enter the host name, often assigned by your ISP.

Click the NEXT ARROW to continue.

Figure 1.13: Entering the Host Name


9. The next screen configures the PSN interface. A Private Service Network (PSN) is optional and may not be required for configurations such as intranets or for outbound access only. However, if you offer public access to servers (such as a Web server) the installation of a PSN interface is highly recommended.

To configure a PSN interface, select the ENABLE checkbox; otherwise select the NEXT ARROW to proceed with the wizard. Select DHCP to have the firewall use DHCP to obtain the interface’s IP address, otherwise select STATIC to assign a static IP address manually. The PSN interface does not require a registered IP address.

Click the NEXT ARROW to continue.

Figure 1.14: Configuring the PSN Interface

10. The final screen of the Basic Setup Wizard is a summary view of all entered settings. Please review your firewall’s setup prior to committing the displayed configuration. To make changes to your basic setup, select the BACK button to return to the appropriate screen.

Click the SAVE icon to save the displayed configuration, or select the CANCEL icon to abort.

CAUTION

Saving settings configured using the Basic Setup Wizard will erase any existing configuration settings and will reboot the firewall if it is in Live Mode.

Figure 1.15: Reviewing the Firewall’s Basic Setup

Completion of the Basic Setup Wizard will automatically create a new GB-OS CA and local certificate signed by the CA, and the NOTIFICATIONS section will set the TO ADDRESS as the CONTACT ADDRESS.


Entering Your Network Information Manually

Using the Basic Setup Wizard is the recommended method to initially configure your firewall. However, should you wish to enter your network information manually, select the CLOSE icon in the Basic Setup Wizard. Doing so will unlock the rest of GB-OS’ configuration settings. Navigate to the Configure category, click on Network to expand the menu, select Interfaces and then Settings.

Only one external and one protected network interface are initially required to configure and test the firewall. The other interface(s) can be defined as any of the three network types: protected, external or PSN (Private Service Network, GTA’s enhanced DMZ).

To enter your network information:

1. Navigate to Configure>Network>Interfaces>Settings.
2. Enter the host name for the GTA firewall in the SETTINGS section (e.g., firewall.gta.com).
3. To edit an existing logical interface, select the desired logical interface and select the EDIT icon. Otherwise, select the NEW icon to create a new logical interface.
   • Enter IP addresses and netmasks (in either dotted decimal or CIDR notation) for your external and protected networks on each network interface.
   • Disable the DHCP option on the external network interface if necessary.
   • Enter the default route to your Internet router’s IP address.
4. Once you have completed the network configuration, apply the changes by clicking SAVE. The firewall will then join the assigned network.

For additional information, see Defining a Network in Basic Setup Tasks.

CAUTION

Closing the browser without clicking SAVE will cause entered data to be lost, and your firewall will remain in default configuration. You will then need to re-connect to the firewall and re-enter the network information.

Note

If you changed the IP address of eth0’s protected network, the firewall will now be on a different logical network than your computer, and you will not be able to access the firewall from your computer. You must restore your computer’s original network settings to regain access to the firewall.

Figure 1.16: Entering Network Information


Using CIDR Notation

GB-OS uses CIDR (Classless Inter-Domain Routing) notation for subnet masks, not dotted decimal (e.g. 255.255.255.0). This provides more specificity when defining subnetworks.

Dotted decimal, the most common notation, divides network size into 4 classes (A, B, C, or D) using fixed 8, 16, 24 or 32-bit IP address masks. Because network classes are defined by 8-bit-increment masks and only 32 bits are allowed for the whole bit mask, dotted decimal can only represent networks of 4 host capacity magnitudes. For example, a Class D with a 32-bit mask represents a subnetwork of up to 1 network host, Class C with a 24-bit mask represents a subnetwork of up to 254 network hosts, etc.

Note

To determine the limit of the number of hosts on your subnetwork (h), first subtract your bit mask (m) from 32; then raise 2 to the power of your answer, and subtract 2:

h = 2^(32 - m) - 2

By using 1-bit increment masks (instead of 8), CIDR (also called slash (/)) notation can divide the network into 32 subnet sizes. (Subnet definitions, in dotted decimal format, are therefore more coarse, lacking the fine granularity of CIDR notation.) CIDR notation uses any number from 1 to 32 to determine network class (/32 representing one IP address). For example, the CIDR address 192.168.1.2/24 indicates that the first 24 bits are used for the network class. The /24 mask includes 254 hosts on the network, and is equivalent to 255.255.255.0 (a Class C network) in dotted-decimal notation.

Calculate a CIDR-based notation net mask by converting the dotted decimal net mask to binary and counting the ones. For a Class C network, the dotted decimal net mask is 255.255.255.0. The binary notation of that net mask is 11111111.11111111.11111111.00000000. There are 24 ones, so the CIDR notation would be /24. Using a 255.255.255.240 net mask, the binary representation would be: 11111111.11111111.11111111.11110000. The notation would be /28.

You may also enter a host address that is defined by not including a bit mask (e.g. 192.168.123.1). This is equivalent to a /32 bit mask. To enter a range of addresses, use a hyphen (-) between the two extremes of the range (e.g. 192.168.123.0-192.168.123.255).

If you prefer to not use CIDR notation, dotted decimal may still be used: enter the dotted decimal net mask after the forward slash (e.g. 192.168.71.254/255.255.255.0).
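The conversions and address forms described in this section, together with the host-count formula in the note above, worked through as an added Python example. This is not GB-OS code: the bare-host default (/32 here, /24 for interface addresses per the note under Using the Basic Setup Wizard) is passed in as a parameter, and the handling of /31 and /32, which the formula above does not cover, is this example's own.

```python
import ipaddress

# Added example (not GB-OS code): the address forms this section describes,
# the dotted-decimal to CIDR conversion, and the guide's host-count formula.


def mask_to_binary(dotted: str) -> str:
    """Render a dotted-decimal mask the way the guide shows it, e.g.
    255.255.255.240 -> 11111111.11111111.11111111.11110000"""
    return ".".join(format(int(octet), "08b") for octet in dotted.split("."))


def mask_to_prefix(dotted: str) -> int:
    """Count the ones in a dotted-decimal mask to get the CIDR prefix length.
    Rejects masks whose ones are not contiguous (e.g. 255.255.0.255)."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad netmask {dotted!r}")
    bits = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet {octet!r} in netmask {dotted!r}")
        bits = (bits << 8) | n
    ones = bin(bits).count("1")
    # A valid mask is exactly `ones` one-bits followed by zero-bits.
    if bits != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous netmask {dotted!r}")
    return ones


def is_valid_mask(dotted: str) -> bool:
    try:
        mask_to_prefix(dotted)
        return True
    except ValueError:
        return False


def prefix_to_mask(prefix: int) -> str:
    """Inverse conversion: /28 -> 255.255.255.240"""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix {prefix} out of range")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def usable_hosts(prefix: int) -> int:
    """The guide's formula h = 2^(32 - m) - 2, which reserves the network and
    broadcast addresses. /32 is a single address (as the guide states) and
    /31 is a two-address point-to-point link (RFC 3021); both are handled
    explicitly here rather than letting the formula return 0 or -1."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix {prefix} out of range")
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def parse_address(text: str, default_prefix: int = 32):
    """Parse the forms GB-OS accepts according to this section:
      192.168.1.2/24                  CIDR prefix
      192.168.71.254/255.255.255.0    dotted-decimal mask after the slash
      192.168.123.1                   bare host, treated as /32 (pass
                                      default_prefix=24 to model the /24
                                      default applied to interface addresses)
      192.168.123.0-192.168.123.255   hyphenated range
    Returns ("network", IPv4Network) or ("range", (IPv4Address, IPv4Address))."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start in {text!r}")
        return "range", (lo, hi)
    if "/" in text:
        addr, mask = text.split("/", 1)
        prefix = mask_to_prefix(mask) if "." in mask else int(mask)
    else:
        addr, prefix = text, default_prefix
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix {prefix} out of range in {text!r}")
    # strict=False keeps host bits (192.168.1.2/24 -> 192.168.1.0/24) instead of raising.
    return "network", ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
```

The contiguity check in mask_to_prefix is the part worth keeping when validating operator input: a mask such as 255.255.0.255 has 24 one-bits but is not a prefix, and counting ones alone would silently accept it as /24.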

Setting Your Time

Firewall logs record events and schedule time-based policies by current time. To ensure that the correct time is used, your GTA firewall should poll a network time (NTP) server. To enter which network time servers you would like to use, navigate to Configure>System>Date/Time. Under the Network Time section, check the ENABLE box and click the NEW icon to add a new network time server. Enter the domain name of a network time server (e.g. time.apple.com), then click the SAVE and OK buttons.

For additional information, see Network Time Setup.

Re-configuring Your Computer

If you temporarily changed your computer’s network configuration to connect to the firewall, restore the original configuration now. If you formed a temporary peer network during network configuration, disassemble it now; reconnect your computer to your network. Reboot your computer if necessary to apply the network configuration change.


Placing the Firewall on the Network

To place your GTA firewall on the network, it will need to be powered off. Connect your firewall to its intended place on your network. (In most cases, this will connect the firewall’s external port directly to the Internet router/gateway, and the internal/protected port to the LAN.) Power on the firewall.

The firewall should now be active and functioning in basic security mode (all internal users are allowed outbound and no unsolicited inbound connections are allowed). Now your computer and firewall should both be members of your network.

Access the firewall using a browser and the IP address you assigned to the protected network port. You can now perform any additional configuration tasks, including changing the administrative password.

CAUTION

Failure to change the default password is a serious security risk. GTA recommends changing the default user ID and password to prevent unauthorized access.

Your firewall can perform a number of additional tasks. To configure and activate additional firewall features, see the Basic Setup Tasks and Advanced Setup Tasks chapters.


Chapter 2: Basic Setup Tasks


Basic Setup Tasks

This chapter covers the basic functions for initial firewall setup and configuration, organized in the order in which GTA recommends they should be completed. Certain tasks explained in this chapter can also be performed using the Basic Setup Wizard. If you have not yet configured your firewall using the wizard, it is recommended to do so.

Setting the Configuration Mode

Configuration modes allow you to preview changes to the firewall’s settings without immediately applying them. Working in Test Mode allows you to configure your firewall as needed, without compromising your network’s security.

The Configuration section found within the Configure category allows you to toggle between Live and Test configuration modes, verify your configuration’s settings, apply a configuration change and import/export configuration settings.

The most basic of GB-OS settings toggles the GTA firewall between Live and Test configuration modes. To make any changes to the configuration, consider working in Test Mode.

• Test Mode is useful for verifying a new configuration for correctness and adherence to your security policy. All changes, including configuration changes in multiple areas, can be reviewed in complete safety before applying them to your running firewall. Once you have verified your new configuration in Test Mode, you may apply it to the currently running (Live) configuration. Test Mode configurations may also be reset to factory defaults.

• Live Mode is useful for immediately applying a configuration change without testing. A Live Mode configuration can also be copied to the firewall’s Test Mode.

To toggle between LIVE MODE and TEST MODE:

1. Navigate to Configure>Configuration>Change Mode
2. Select LIVE MODE or TEST MODE
3. Click SUBMIT to commit the change

Figure 2.1: Setting the Configuration Mode


Defining a Network

The information entered in the Network Settings screen is used to define the network connected to your GTA firewall. Much of this information is required to be entered during the initial setup of the firewall and can be configured using the Basic Setup Wizard.

To define your network manually, navigate to Configure>Network>Interfaces>Settings.

Figure 2.2: Defining a Network

Entering the Host Name

The host name, located in the SETTINGS box, is the system name assigned to the GTA firewall and is used to tag log messages. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down to a host, domain and top-level domain (e.g. firewall.example.com). Host names must be unique. If your network’s DHCP servers create IP address assignments based on the system name, enter the host name, often assigned by your ISP.

Entering the Default Gateway

The default gateway, located at Configure>Network>Routing>Static Routes, is a node on the network that serves as a packet forwarder for all packets for which no routing has been configured. Enter the IP address of the selected default route. This value is usually the IP address of the router connecting the network to the Internet and must be on the same logical network as the associated external interface.

If your external interface uses PPP or DHCP to obtain an IP address, entering an IP address in the DEFAULT GATEWAY field is not required.

Figure 2.3: Defining a Network


Defining Logical Interfaces

A logical interface:

• Assigns a network (represented by an IP address and a subnet mask) to a physical NIC
• Designates a network type
• Identifies a gateway (default route)

A GTA firewall requires two logical networks, a protected network and an external network. Additional external and protected logical networks can be added, as well as one or more Private Service Networks (PSN).

Defined logical interfaces serve as interface objects throughout the configuration, allowing the administrator to reference the interface quickly when configuring the firewall.

CAUTION

If a logical interface’s name is changed, but a security policy that references it is not updated to refer to the new name, all connections maintained by the security policy will be lost.

Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask. If a subnet mask is not entered, the system will default to a Class C netmask (/24), which helps prevent misconfiguration.

To create a new logical interface, navigate to Configure>Network>Interfaces>Settings and click the NEW icon.

Figure 2.4: Defining a Logical Interface

Table 2.1: Defining Logical Interfaces
(Columns: Field, Description)

Disable: Disables the configured logical interface.
Type: Define the type of interface. Options include <Standard>, <Bridge>, <Failover>, <LACP>, <Load Balance>, <Round Robin>, <PPPOE>, <PPTP> and <Serial>.
IP Address: Enter the IP address/subnet to assign to the logical interface. Connections using DHCP or PPP do not require an IP address to be entered.

Options
  DHCP: Dynamic Host Configuration Protocol. When checked, DHCP is used to obtain an IP address for the specified interface. DHCP is typically required for connections using a cable modem, but may be used on any network interface.
  SLAAC: Enable this checkbox if you wish to use Stateless Address Autoconfiguration (SLAAC). This option is only available for IPv6.
  Gateway: Enable this checkbox if you wish to make the logical interface the default gateway. This option is only available for connections using DHCP or PPP.
  High Availability: Enable this checkbox if configuring for a High Availability interface.
  VLAN: Enable this checkbox if configuring for a VLAN interface.

Interfaces
  Name: Enter a unique name for the logical interface. The name entered may not use a number as its first character.
  Zone: A selection for the logical interface’s type. Options include <External>, <Protected> and <PSN>.
  NIC: The network interface card to associate with the network. The pull down menu lists all physical devices on the firewall.
  Description: Enter a description to explain the function of the logical interface.

DNS Setup

The DNS (Domain Name System) service translates alphanumeric server names into IP addresses. Every time you use a server name, the DNS service must translate the name into its corresponding IP address. For example, the server name example.com might translate to 204.96.115.2.

DNS Proxy vs. DNS Server

The DNS proxy service allows the firewall to act as a proxy for translating host (domain) names into IP addresses by passing on DNS information requests to external and internal DNS servers. The DNS proxy is especially helpful when using DHCP or PPP, since the firewall will automatically detect the internal or external DNS server’s IP address.

The DNS server allows the firewall to be configured to function as a primary domain name server, maintaining a database of domain names and the IP addresses of hosts where those domain names reside. The built-in DNS server is functional and flexible enough for most GTA firewall users, but may not support all possible DNS options. If your site requires a more complex configuration, or hosts secondary name services, GTA suggests using a dedicated DNS host.

Since GTA firewalls provide network transparency for users on protected and private service networks, all outbound DNS queries operate normally. Users on protected networks and PSNs may use a DNS server on the external network for address resolution. However, a DNS server on the external network cannot be used by hosts on the external network to resolve protected hosts. Network address translation hides all network addresses on both protected networks and PSNs. Therefore, an internal DNS server must be in place to resolve internal host names.

Note

GTA recommends a thorough knowledge of the domain name system before configuring any DNS server. One reference is DNS and BIND, 5th Edition, by Paul Albitz & Cricket Liu, published by O’Reilly and Associates.

Note

On select GTA firewalls, the DNS Server is an option and requires an activation code. See your product specifications for more information.


Configuring the DNS Proxy

When selecting an external DNS server, use a DNS server from outside your network (e.g., a name server accessed through your ISP). If an internal DNS server is available, enter its IP address in the Internal Network section. At least one DNS server, either internal or external, is required.

See Configuring the DNS Server in Advanced Setup Tasks to configure the firewall as a DNS server if an internal DNS server is not available.

Note

A DNS proxy is unnecessary with a local DNS server configured, so enabling the DNS server will disable the DNS proxy feature.

To set up the DNS proxy, navigate to Configure>Services>DNS.

Figure 2.5: Configuring the DNS Proxy

Table 2.2: Configuring the DNS Proxy
(Columns: Field, Description)

Name Servers
  Disable: Disables the name servers listed in this section. Enabled by default.
  IP Address: IP address(es) of the DNS server(s) that will provide records for your internal DNS server or proxy.
  Primary Domain Name: Primary domain name used for the network (e.g., example.com). Entering a primary domain name allows hosts on the primary network to be referred to by name instead of their fully qualified domain name. For example, server.example.com can be simply referred to as server.

DNS
  Enable: Enables the DNS service.
  Service: To configure the DNS Proxy, select the DNS PROXY option.

Advanced
  Automatic Policies: Option to allow connections to the firewall on UDP Port 53 from Protected Networks for name resolution.
  DNS Cache: Determines how long an IP is cached for a URL when resolved by the firewall. The default is 168 hours. DNS Cache is displayed in [Monitor -> Activity -> Services -> DNS Objects].


Date/Time Setup

Since the firewall’s date and local time are used to tag log messages, having the firewall configured to operate using accurate time settings is important.

The Date/Time service uses UTC (Universal Time Coordinated) as its default time zone. To set the firewall’s time zone to one other than the default, select the appropriate time zone from the Time Zone pull down.

Note

After making changes to the firewall’s time zone, GTA recommends rebooting the firewall.

To configure the firewall’s date, local time, time zone and network time service, navigate to Configure>System>Date/Time.

Figure 2.6: Date/Time Setup

Network Time Setup

Network time synchronizes your firewall and local computers with an NTP (Network Time Protocol) server. Synchronizing with an NTP server allows for accurate time-based logs and security policies. To ensure that the correct date and time is used, your GTA firewall should poll an NTP server. Use of an NTP server is highly recommended, and is enabled by default.

NTP is extremely accurate, with a resolution of under a nanosecond (one billionth of a second) and the ability to combine the output of the available time servers to reduce error. It also uses past measurements to estimate the current time should the network go down.

The following NTP resources are available:

• NIST Network Time Servers. www.boulder.nist.gov/timefreq
• Network Time Protocol organization. www.ntp.org
• Network Time Protocol RFC 1305
• NTP Zeit. www.ntp-zeit.de

GB-OS comes standard with four defined NTP servers that belong to the NTP Pool Project. GB-OS’ default NTP servers are part of a dynamic collection of servers that are distributed via round robin DNS. This creates a level of redundancy that allows for highly available access to NTP servers, which ensures consistent time-based logs and security policies even if an NTP server in the dynamic collection becomes unreachable.

Note

Additional NTP Pool Project servers specific to the GTA Firewall UTM Appliance’s locale can be found at the NTP Pool Project Web site, pool.ntp.org.


To define an additional NTP server:

1. Navigate to Configure>System>Date/Time.
2. Check the ENABLE checkbox to enable the service.
3. Click the NEW icon to add a new NTP server.
4. Enter a description of the NTP server as well as its host name or IP address and click OK.
5. Click Save at the Date/Time screen list to save the configuration.

Figure 2.7: Adding an NTP Server

Designating the Firewall as an NTP Server

The firewall is automatically enabled as an NTP server when the Network Time service is enabled in Configure>System>Date/Time. To allow hosts on the network to access the firewall’s NTP server, an inbound policy that allows UDP port 123 must be created. See Allowing and Denying Traffic for more information on creating inbound policies.

Once the inbound policy has been defined, configure your hosts to indicate the firewall as their NTP server.

System Clock

Firewall logs record events and schedule time groups by current time. To ensure that the most accurate time is used, the firewall will need to poll a network time (NTP) server. To enter which network time servers you would like to use, navigate to Configure>System>Date/Time. Check the enable box and enter the domain name of a network time server (e.g. 0.gtantp.pool.ntp.org). Because boot occurs before NTP synchronization, the firewall may not have the correct time at bootup.

GB-250

GB-250 has no battery, and the initial boot time is:

2000-01-01 00:00:00

The time will be properly adjusted after NTP synchronization.

GB-Ware

The start up time of GB-Ware is either acquired from the on board battery-backed clock or will be the fixed start up time of 1970-01-01 00:00:00 in the event the hardware does not contain a battery-backed clock. GB-Ware default system time will vary depending on the hardware manufacturer and whether the system has a functioning battery. When using GB-Ware on hardware not supplied by GTA, the start up time may not be accurate, as some CMOS clocks have time keeping issues. The time will correct after NTP synchronization.
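An added Python example, not GB-OS code, of how a log reviewer can account for the start-up times described above. The sample log lines are constructed (the guide does not show the GB-OS log format, so a "YYYY-MM-DD HH:MM:SS message" layout is assumed); the example finds the point where NTP stepped the clock forward, flags entries recorded before it or stamped at one of the default start-up times, and re-dates the pre-sync entries by the size of the step.

```python
from datetime import datetime, timedelta

# Added example, not GB-OS code. Start-up times the guide lists for hardware
# without a working battery-backed clock: GB-250 boots at 2000-01-01 00:00:00,
# GB-Ware without a battery at 1970-01-01 00:00:00.
UNSET_EPOCHS = (datetime(2000, 1, 1), datetime(1970, 1, 1))

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log, not real GB-OS output (assumed layout: one entry per
# line, timestamp first). The third entry is where NTP steps the clock forward.
SAMPLE_LOG = """\
2000-01-01 00:00:03 kernel: boot complete
2000-01-01 00:00:09 ntp: querying 0.gtantp.pool.ntp.org
2014-10-07 14:21:33 ntp: clock synchronized
2014-10-07 14:21:40 filter: accept tcp 192.168.71.10 -> 203.0.113.5:443
"""


def parse_ts(line: str) -> datetime:
    """Timestamp occupies the first 19 characters of each entry."""
    return datetime.strptime(line[:19], TS_FORMAT)


def split_at_clock_step(lines, max_step=timedelta(days=1)):
    """Split at the first forward jump larger than max_step, which is how an
    NTP correction shows up in a log written with an unset clock.
    Returns (before_step, after_step); before_step is empty if no jump is found."""
    stamped = [(parse_ts(line), line) for line in lines]
    for i in range(1, len(stamped)):
        if stamped[i][0] - stamped[i - 1][0] > max_step:
            return [l for _, l in stamped[:i]], [l for _, l in stamped[i:]]
    return [], [l for _, l in stamped]


def near_unset_epoch(ts: datetime, window=timedelta(days=1)) -> bool:
    """True if a timestamp sits just after one of the default start-up times."""
    return any(timedelta(0) <= ts - epoch < window for epoch in UNSET_EPOCHS)


def suspect_entries(log_text: str):
    """Lines whose timestamps should not be trusted when correlating events:
    everything before the clock step, plus anything stamped at an unset epoch."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    before, _ = split_at_clock_step(lines)
    flagged = set(before)
    return [line for line in lines if line in flagged or near_unset_epoch(parse_ts(line))]


def correct_pre_sync(log_text: str):
    """Re-date pre-sync entries by the size of the step. The step equals the
    clock offset plus the (small) real time elapsed between the two entries
    around it, so corrected values are an estimate accurate to a few seconds.
    Returns a list of (original_ts, corrected_ts, message) with string timestamps."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    before, after = split_at_clock_step(lines)
    if not before:
        return []
    offset = parse_ts(after[0]) - parse_ts(before[-1])
    corrected = []
    for line in before:
        ts = parse_ts(line)
        corrected.append((line[:19], (ts + offset).strftime(TS_FORMAT), line[20:]))
    return corrected


if __name__ == "__main__":
    for original, fixed, message in correct_pre_sync(SAMPLE_LOG):
        print(f"{original} -> {fixed}  {message}")
```

When correlating a firewall log with other systems, treat the flagged entries as relative-order evidence only; the corrected timestamps are good enough to line up a boot sequence, not to prove when an event happened.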


GB-OS Certificate Management GB-OS 5.3 and above can create signing Certifi cate Authorities (or CA’s) for creating GTA fi rewall certifi cates. These CA’s can be used for remote fi rewall administration, SSL Browsers, and Remote Administration Certifi cates — which are used for the SSL Client and both Mobile IPSec VPN Clients and Firewall to Firewall IPSec VPN’s.

GB-OS will automatically create a GB-OS CA, Remote Administration and VPN certifi cate under the following conditions:

• Basic Setup Wizard is employed to confi gure the fi rewall• Certifi cate section is defaulted (Automatically confi gured based on fi rewall confi guration)

GB-OS will automatically create user certifi cates when:

• Administrator is defined during the Basic Setup Wizard
• A new user is created and the certificate field is set to GENERATE
• During upgrade, if no user certificate has been created on previous versions

Note

For detailed information on managing GB-OS certificates, see the GB-OS Certificate Management Guide.

Defining Objects

Objects increase speed and consistency when configuring your GTA Firewall UTM Appliance using GB-OS. By using objects, a user needs to define an address, group or interface only once. From then on, the object can be selected throughout the configuration wherever it is needed. Once an object has been defined, only the object itself needs to be edited in order to modify the definition in all the locations where it is used.

Additionally, previously defined objects can be combined in the ADDRESS OBJECTS section of the configuration screen to create a broader definition. For example, you may have already defined two address objects, Joe’s Computer and Jane’s Computer, each of which points to a specific IP address on the protected network. If you wish to apply the same security policy to both IP addresses, you can combine them under a general address object.

Objects are created and defined at Configure>Objects. To create or edit an object, navigate to its appropriate sub-section.

Note

Configuration data is not automatically updated when an object name is changed; it retains references to the old, now invalid, name. As a result, connections maintained by that object may be lost when the object is renamed.

To change the object name without losing connectivity:

• Duplicate the object and save it with a different name.
• Change references to the new object throughout the firewall’s configuration.
• You may then safely delete the original object.


Address Objects

Address objects can be used to reference a single IP address, a range of IP addresses, a subnet specified by an IP address and subnet mask, or another address object.

Note

See product specifications for the maximum number of address objects available for your GTA Firewall UTM Appliance.

Figure 2.10: Creating a New Address Object

Selecting the Address Object’s Type

When configuring an address object’s TYPE, a number of options are available. Based upon the selection made, the configured object may only be available for use in a specific section of the firewall’s configuration.

For example, if an address object of type SECURITY POLICIES is selected, it will only be available when configuring a security policy. If no TYPE is selected when configuring an address object, it will only be accessible when configuring another address object. Leaving TYPE unselected is useful when you wish to keep a set of IP addresses or domains on hand for pooling into other defined objects without using it elsewhere in the configuration. When no TYPE has been selected for an address object, it is identified as being of type INTERNAL.

Table 2.8: Address Object Types (Type: Description)

All: An IP address or domain name that is available and can be used throughout the firewall’s configuration.

Content Filtering: An IP address or domain name that can only be used when configuring Content Filtering policies.

Mail Proxy: An IP address or domain name that can only be used when configuring Mail Proxy policies.

Network: An IP address that can only be used in configuration areas that require a location on the firewall’s network.

Security Policies: An IP address used in any firewall policy.

VPN: An IP address or domain name that can only be used when creating an IPSec VPN.

To create a new address object:

1. Navigate to Configure>Objects>Address Objects and click the NEW icon.
2. Enter a unique name by which the object will be referenced in the NAME field. The object’s name cannot begin with a number.
3. Enter a description of the object in the DESCRIPTION field.


4. To define how the object will be used, select a category from the TYPE field. The TYPE selected determines where the object may be used, and which addresses are valid entries for the object.
5. To add addresses to the object, select the ADD icon on the right side to create additional address fields. Next, select the address’s object from the OBJECT pull-down. <USER DEFINED> is used when entering IP addresses, while <USE REGULAR EXPRESSION> is used when entering domain names. Enter the address object’s IP address or domain name in the ADDRESS field and a description in the DESCRIPTION field. Previously defined address objects are also available for selection from the OBJECT pull-down.
6. Click OK and then SAVE.

Note

To avoid bottlenecks associated with DNS lags or time-outs, specify hosts by IP address instead of their domain name when possible.

Using Regular Expressions

Domain names can be entered in the ADDRESS field of an address object. Sets of domain names can also be specified by using special characters to denote the patterns as regular expressions.

Firewall policies only require the use of two regular expression characters: the asterisk and the question mark. The * (asterisk) matches any number of characters of any type, while a ? (question mark) matches exactly one character of any type. For example, *.com will match any domain that ends in .com, such as gta.com or example.com, and exa?ple.com will match any domain with any single character in the wild card position, such as example.com, exaqple.com or exa4ple.com.

Multiple regular expression characters can also be combined for more robust matching. For example, *.exa?ple.com will match any domain that satisfies the ? (question mark) wild card and includes a subdomain, such as mail.example.com or time.exaqple.com.

Advanced users may wish to specify more complex matching rules for domain names. To activate the full regular expression character set, begin the domain entry with the ^ (caret) character and end it with the $ (dollar sign) character, for example ^*.com$.

Table 2.9: Using Regular Expressions

Sample Address Entry: example.com
Sample Matches: example.com
Description: Matches the exact listing only. Subdomains or variants will not match.

Sample Address Entry: exa?ple.com
Sample Matches: example.com, exaqple.com, exa4ple.com
Description: Any single character in place of the wild card character triggers a match. In this example, the domain must be eleven characters long, begin with “exa” and end with “ple.com”.

Sample Address Entry: *.com
Sample Matches: example.com, mail.example.com, gta.com
Description: Any series of characters in place of the wild card character triggers a match. In this example, the domain must end in “.com”.

Sample Address Entry: *.example.com
Sample Matches: time.example.com, mail.example.com, server.example.com
Description: Any series of characters in place of the wild card character triggers a match. In this example, the domain must end in “.example.com”.
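The wildcard rules of Table 2.9, as an added Python example that is not part of the GB-OS guide or product: the code turns an address-object domain entry into a compiled pattern (the two wildcards become .* and ., everything else is taken literally) and, for an entry wrapped in ^ and $, passes the entry through as a full regular expression. Mapping that full-regex form onto Python’s re module is an assumption; the guide does not state which regex engine the firewall uses, so an entry accepted by the firewall may not compile here (Python’s re, for instance, rejects ^*.com$ because a quantifier cannot directly follow the ^ anchor). The sample address object in the main block is constructed for the demonstration.

```python
import re
from typing import Iterable, List


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Compile an address-object domain entry (this example's reading of
    Table 2.9, not the firewall's own code).

    A plain entry matches only itself.  '*' stands for any run of characters
    (it does not stop at dots, so '*.com' also matches 'mail.example.com')
    and '?' for exactly one character.  An entry that starts with '^' and
    ends with '$' is treated as a full regular expression; using Python's
    re dialect for it is an assumption.
    """
    if entry.startswith("^") and entry.endswith("$"):
        try:
            return re.compile(entry, re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"invalid full regular expression {entry!r}: {exc}") from None
    # Escape every regex metacharacter, then put the two wildcards back.
    pattern = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE)


def domain_matches(entry: str, domain: str) -> bool:
    """True when the whole domain name is matched by the entry."""
    domain = domain.rstrip(".").lower()  # ignore a trailing root dot
    return entry_to_regex(entry).fullmatch(domain) is not None


def matching_entries(entries: Iterable[str], domain: str) -> List[str]:
    """All entries of one address object that match the given domain."""
    return [e for e in entries if domain_matches(e, domain)]


def is_valid_entry(entry: str) -> bool:
    """Whether the entry compiles; use this when validating operator input."""
    try:
        entry_to_regex(entry)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample object holding the entries from Table 2.9.
    allowed_sites = ["example.com", "exa?ple.com", "*.com", "*.example.com"]
    for name in ("example.com", "mail.example.com", "exa4ple.com", "gta.org"):
        print(f"{name:20} -> {matching_entries(allowed_sites, name)}")
```

Because * does not stop at a dot, *.com is a suffix match on the whole name, which is why the table lists mail.example.com under it; a policy meant to cover one organisation’s hosts is therefore better written as *.example.com than as a bare suffix.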

Note

One reference for regular expressions is Mastering Regular Expressions, Second Edition, by Jeffrey Friedl, published by O’Reilly Media, Inc.


Default Address Objects

GB-OS has a variety of built-in, non-editable default address objects, which can be identified by their lock icon. They can be viewed and duplicated, but cannot be deleted. The ANY_IP and ANY_MULTICAST address objects are examples. All other default address objects can be modified or deleted.

To return the address objects list to its default configuration, select the DEFAULT icon and SAVE the section.

CAUTION

Restoring the address objects list to its default configuration will remove all user-configured address objects.

Bookmark Objects

Bookmark objects are shortcuts for users of the SSL Browser.

Note

Please see the GTA SSL Client Guide for more details on configuring the SSL service.

Figure 2.11: Creating a Bookmark Object

To create a new bookmark object:

1. Navigate to Configure>Objects>Bookmark Objects and click the NEW icon.
2. Enter a unique name by which the object will be referenced in the NAME field. The object’s name cannot begin with a number.
3. Enter a description for the object in the DESCRIPTION field.
4. Enter a label for the bookmark object in the LABEL field. This is the label the user will see for the configured bookmark.
5. Select the object type from the OBJECT pull-down.
6. Select a built-in icon to represent the type of object from the ICON pull-down.
7. Enter the LABEL for the bookmark object.
8. Specify the network protocol type and enter the bookmark URL and a brief description.
9. To add additional bookmark objects, select the ADD icon on the right for additional rows.
10. Click OK and then SAVE.

Service Group Objects

Service group objects define protocols and services for use in definitions throughout the firewall’s configuration. Administrators can explicitly allow or deny a protocol on a certain port or range of ports according to configured service group objects. Additionally, when used with inbound tunnels, ports can also be redirected.

When creating a service group object, the following syntax is used to define ports:


Table 2.10: Syntax Used When Defining Ports

Single Port
Syntax: PN
Example Entry: 1
Example Matches: 1
Description: Matches the exact listing only. Valid port values are 0 through 65535. In this example, only port 1 is matched.

Multiple Ports
Syntax: PN1,PN2
Example Entry: 1,2,3,5
Example Matches: 1, 2, 3, 5
Description: Matches the exact listing (separated by commas) only. Valid port values are 0 through 65535. Up to 12 ports may be entered into a list. Entering spaces to increase legibility is allowed. In this example, ports 1, 2, 3 and 5 are matched.

Range of Ports
Syntax: PN1-PN2
Example Entry: 1-5
Example Matches: 1, 2, 3, 4, 5
Description: Matches the range defined by the starting and ending port values, separated by a dash. Valid port values are 0 through 65535. In this example, ports 1 through 5 are matched.

Source and Destination Ports
Syntax: PN1->PN2
Example Entry: 1->5
Example Matches: n/a
Description: Matches the source port (the value before the ->) to the destination port (the value after the ->). Valid port values are 0 through 65535. In this example, port 1 is matched to port 5.

Security policies and inbound tunnels interpret ports defined in service group objects in slightly different ways. Entering a destination port (the value after ->) is not necessary.

If an explicit destination port is entered:

• A security policy will treat the source port as the port from which the connection originates and the destination port as the connection’s destination.

• An inbound tunnel will interpret the source port as the port on the firewall that should be redirected and the destination port as the internal port to which the connection should be redirected.

If an explicit destination port is not entered:

• A security policy will interpret the entered port(s) as referring to a connection’s destination port.
• An inbound tunnel will interpret the entered port(s) as the port on the firewall that should be redirected, as well as the internal port to which the connection will be redirected.

Figure 2.12: Creating a Service Group Object

To create a new service group object:

1. Navigate to Configure>Objects>Service Groups and click the NEW icon.
2. Enter a unique name by which the object will be referenced in the NAME field. The object’s name cannot begin with a number.
3. Enter a description for the object in the DESCRIPTION field.
4. To add services to the object, select the service’s object from the OBJECT pull-down.
• Select a service group object to use preconfigured protocol and port number(s), or
• Select <USER DEFINED> to create a custom service group object.
5. If <USER DEFINED> has been selected as the service’s OBJECT, select the service’s PROTOCOL and enter the port number(s). Port numbers can be entered individually (1,2,3,4,5), as a range (1-5) or using a source and destination (1->5). Then enter a description of the service.
6. To add additional service group objects, select the ADD icon on the right for additional rows.
7. Click OK and then SAVE.
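The port syntax of Table 2.10 and its two readings (security policy versus inbound tunnel, described above and used again in step 5), as an added Python example that is not part of the GB-OS guide or product. The parser enforces the limits the guide states (0 through 65535, at most 12 ports in a list, spaces ignored); the two interpretation functions are this example’s own model of the behaviour described, not the firewall’s code, and the port values used in the main block are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

MAX_PORT = 65535        # "Valid port values are 0 through 65535"
MAX_LIST_ENTRIES = 12   # "Up to 12 ports may be entered into a list"


@dataclass(frozen=True)
class PortSpec:
    """Ports named before any '->' plus the optional port after it."""
    ports: FrozenSet[int]
    destination: Optional[int] = None


def _port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f"port {text!r} is not a number")
    value = int(text)
    if value > MAX_PORT:
        raise ValueError(f"port {value} is outside 0-{MAX_PORT}")
    return value


def parse_port_entry(entry: str) -> PortSpec:
    """Parse the Table 2.10 syntax: N, N1,N2,..., N1-N2 or N1->N2.
    Spaces are permitted for legibility and are ignored."""
    text = entry.replace(" ", "")
    destination = None
    if "->" in text:
        left, right = text.split("->", 1)
        destination = _port(right)  # a second '->' leaves a non-numeric right side
        text = left
    if "," in text:
        items = text.split(",")
        if len(items) > MAX_LIST_ENTRIES:
            raise ValueError(f"more than {MAX_LIST_ENTRIES} ports in list")
        ports = frozenset(_port(i) for i in items)
    elif "-" in text:
        low, high = (_port(p) for p in text.split("-", 1))
        if low > high:
            raise ValueError(f"range {entry!r} runs backwards")
        ports = frozenset(range(low, high + 1))
    else:
        ports = frozenset([_port(text)])
    return PortSpec(ports, destination)


def is_valid_port_entry(entry: str) -> bool:
    """Validation hook for operator input: True when the entry parses."""
    try:
        parse_port_entry(entry)
        return True
    except ValueError:
        return False


def security_policy_matches(spec: PortSpec, src_port: int, dst_port: int) -> bool:
    """Security-policy reading: without '->' the entry names destination
    ports only (the source port is unconstrained); with '->' the left side
    is the originating port and the right side the connection's destination."""
    if spec.destination is None:
        return dst_port in spec.ports
    return src_port in spec.ports and dst_port == spec.destination


def inbound_tunnel_target(spec: PortSpec, firewall_port: int) -> Optional[int]:
    """Inbound-tunnel reading: the left side is the port on the firewall to
    redirect; the right side is the internal port, defaulting to the same
    port when no '->' is given.  Returns None if the port is not tunnelled."""
    if firewall_port not in spec.ports:
        return None
    return firewall_port if spec.destination is None else spec.destination


if __name__ == "__main__":
    for entry in ("80", "1, 2,3,5", "1-5", "80->8080", "70000"):
        print(f"{entry!r:12} valid={is_valid_port_entry(entry)}")
    web = parse_port_entry("80->8080")
    print("tunnel 80 ->", inbound_tunnel_target(web, 80))          # 8080
    print("policy src 51234 dst 80:", security_policy_matches(parse_port_entry("80"), 51234, 80))
```

The asymmetry worth remembering is that a bare port means "destination port" in a security policy but "firewall port and internal port" in an inbound tunnel, so the same service group object describes different things depending on where it is referenced.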


Default Service Group Objects

By default, GB-OS generates a variety of service group objects, identified by their lock icon, for use throughout the configuration. They can be viewed, but cannot be deleted.

To return the service group objects list to its default configuration, select the DEFAULT icon and SAVE the section.

CAUTION

Restoring the service group objects list to its default configuration will remove all user-configured service group objects.

Time Group Objects

Administrators can explicitly allow or deny traffic according to time constraints set by time group objects when configuring policies. Time group objects are configured using a 24-hour clock.

For example, if you wish to configure a policy that will only operate during your company’s normal business hours (for example, Monday through Friday, 8:00 AM to 5:00 PM), a time group object will need to be created with a start time of 8:00, an end time of 17:00 and a day range of Monday through Friday.

Figure 2.13: Creating a Time Group Object

To create a new time group object:

1. Navigate to Configure>Objects>Time Groups and click the NEW icon.
2. Enter a unique name by which the object will be referenced in the NAME field. The object’s name cannot begin with a number.
3. Enter a description of the time group object’s function in the DESCRIPTION field.
4. To add time constraints to the object, select the time constraint’s object from the OBJECT pull-down.
• Select a time group object to use preconfigured time constraints, or
• Select <USER DEFINED> to create a custom time constraint.
5. If <USER DEFINED> has been selected as the time constraint’s OBJECT, enter a start time and end time and select all days on which the time constraint should apply.
6. To add additional time group objects, select the ADD icon on the right for additional rows.
7. Click OK and then SAVE.

IPSec Objects

IPSec Objects determine how IPSec VPN connections will be negotiated by defining what initiation behavior should be accepted by your GTA firewall. For more information on how IPSec VPNs and IPSec Objects work, see the GB-OS VPN Option Guide for Site-to-Site VPNs.


Encryption Objects

Encryption objects are used to easily reference encryption settings in IPSec Objects. For more information on encryption objects and how they are used in conjunction with IPSec Objects, see the GB-OS VPN Option Guide for Site-to-Site VPNs.

Allowing and Denying Traffic

Security policies are what control access to and through the GTA firewall. Inbound policies control inbound traffic, while outbound policies control outbound traffic.

Inbound policies primarily control tunnels, but also control inbound traffic from any attached network device to any service on the GTA firewall. Outbound policies control access from hosts on protected networks and PSNs to IP addresses that reside on an external network, and from hosts on a protected network to those that reside on a PSN.

The implicit rule, “that which is not explicitly allowed is denied,” applies to both outbound and inbound packets. Unless a security policy is in place that accepts a packet, the packet is denied by default.

Note

All GTA firewalls deny all unsolicited inbound packets by default. Security policies must be defined in order to control traffic flow.

Policy Sets

A policy set is a group of policies of a given type. The order of the policy set is important, since each packet is compared against the set starting with the first policy (index 1). The packet is compared sequentially against each policy until one of two events occurs:

1. A policy is matched. The packet is either accepted or denied based on the policy definition, and the actions associated with the policy are performed.

2. No policies are matched and the policy list is exhausted. If this event occurs, the packet is then denied.

Note

An asterisk (*) appearing on the far left of the list icons for any security policy indicates the policy contains an inactive time-based policy. To resolve, select a valid time-group for the policy.

Allowing Inbound Traffic

Inbound traffic, packets sent from the external network to the firewall, can be controlled by defining security policies. An inbound policy makes tunnels accessible to hosts on the external network. Any address object of type Security Policies defined in the Address Object Editor (Configure>Objects>Address Objects) can be used in an inbound policy. Additionally, inbound policies control access to services running on the firewall.

To configure inbound traffic, navigate to Configure>Security Policies>Inbound.

Figure 2.14: Allowing Inbound Traffic


Blocking Outbound Traffic

Outbound traffic, packets sent from hosts on the protected networks and PSNs through the firewall, can be controlled by defining outbound security policies. Any address object of type Security Policies defined in the Address Object Editor (Configure>Objects>Address Objects) can have an outbound policy applied to it.

To configure outbound traffic, navigate to Configure>Security Policies>Outbound.

Figure 2.15: Blocking Outbound Traffic

Country Blocking

IP packets can be allowed or denied based upon country by defining country blocking filters. To configure country blocking for either Inbound or Outbound traffic, navigate to the appropriate sub-menu (Inbound or Outbound) under Configure>Security Policies>Country Blocking.

1. Select the ENABLE checkbox to allow country blocking.
2. Choose the TYPE: ALLOW or DENY.
• The ALLOW option denies all countries by default. Only the selected countries/regions are allowed.
• The DENY option allows all countries by default. Only the selected countries/regions are denied.

3. Additionally, administrators can specify a country block WHITE LIST object. The WHITE LIST object will override country blocks.

4. Under the DATABASE settings, select SUBSCRIPTION to allow automatic updates to the country IP database. A valid support contract is required.


Figure 2.16: Country Blocking

Managing Policies

All policies (with the exception of country blocking) share the same configuration elements. To create a new policy, or to edit an existing one, navigate to Configure>Security Policies, select the appropriate sub-section and click the NEW icon to create a new policy or the EDIT icon to edit an existing one.

Figure 2.17: Managing Policies

Table 2.11: Managing Policies (Field: Description)

Disable: Check this option to disable the configured policy.

Description: Enter a description to explain the function of the policy.

Type: A selection for the function of the policy: Accept or Deny.

Interface: A selection for the interface the policy will be applied to. The selected interface is matched against the interface on which the IP packet arrived. <ANY> will match any interface.

Service: TCP, UDP, HTTP or any other service defined in the Service Group Object Editor can be selected to match against the packet.

Time Group: A selection for the time parameters of the policy as defined in the Time Group Object Editor. Selecting *EDIT* allows you to define a new time group object. <ALWAYS> means no time constraints will be applied to the policy.


Source Address: A selection for the IP address to be matched against the source IP address of the packet. <ANY_IP> will match any source IP address. Select *EDIT* to define a new address object of type SECURITY POLICIES. Select <USER DEFINED> to enter the IP address manually.

Destination Address: A selection for the IP address to be matched against the destination IP address of the packet. <ANY_IP> will match any destination IP address. Select *EDIT* to define a new address object of type SECURITY POLICIES. Select <USER DEFINED> to enter the IP address manually.
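First-match evaluation of a policy set (the Policy Sets section above) over the selection fields of Table 2.11, together with a business-hours time group as described under Time Group Objects, as an added Python example that is not part of the GB-OS guide or product. It models one policy type in isolation: policies are walked in index order, disabled policies are skipped, the first match decides, and an exhausted list means deny. Treating the time group’s end time as exclusive is an assumption; the guide does not say whether 17:00:00 itself falls inside an 8:00 to 17:00 window. The interface name, networks and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

# Day numbering follows datetime.weekday(): 0 = Monday ... 6 = Sunday.
WEEKDAYS = frozenset(range(0, 5))


@dataclass(frozen=True)
class TimeGroup:
    """A 24-hour-clock window on selected days, e.g. 08:00-17:00 Mon-Fri."""
    start: time
    end: time
    days: frozenset

    def contains(self, when: datetime) -> bool:
        # Assumption: the end time is exclusive, so 17:00:00 is outside 08:00-17:00.
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    dst_port: int
    src: str
    dst: str


@dataclass(frozen=True)
class Policy:
    """One row of a policy set with the Table 2.11 fields that select packets."""
    action: str                                  # "accept" or "deny"
    description: str = ""
    disabled: bool = False
    interface: Optional[str] = None              # None stands for <ANY>
    service: Optional[Tuple[str, int]] = None    # (protocol, destination port); None = any
    time_group: Optional[TimeGroup] = None       # None stands for <ALWAYS>
    source: Sequence[str] = ()                   # CIDR strings; empty = <ANY_IP>
    destination: Sequence[str] = ()              # CIDR strings; empty = <ANY_IP>

    def matches(self, pkt: Packet, when: datetime) -> bool:
        if self.interface is not None and self.interface != pkt.interface:
            return False
        if self.service is not None and self.service != (pkt.protocol, pkt.dst_port):
            return False
        if self.time_group is not None and not self.time_group.contains(when):
            return False
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if self.source and not any(src in ip_network(n) for n in self.source):
            return False
        if self.destination and not any(dst in ip_network(n) for n in self.destination):
            return False
        return True


def evaluate(policies: Sequence[Policy], pkt: Packet, when: datetime) -> Tuple[str, Optional[int]]:
    """Walk the set from index 1; the first enabled match decides.
    Returns (action, index), or ("deny", None) when the list is exhausted."""
    for index, policy in enumerate(policies, start=1):
        if policy.disabled:
            continue
        if policy.matches(pkt, when):
            return policy.action, index
    return "deny", None


def decide(policies: Sequence[Policy], interface: str, protocol: str, dst_port: int,
           src: str, dst: str, when_iso: str) -> Tuple[str, Optional[int]]:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return evaluate(policies, Packet(interface, protocol, dst_port, src, dst),
                    datetime.fromisoformat(when_iso))


def sample_outbound_policies() -> List[Policy]:
    """Constructed set: quarantine one host, then allow web traffic in business hours."""
    business_hours = TimeGroup(time(8, 0), time(17, 0), WEEKDAYS)
    return [
        Policy("deny", "Quarantined host", source=["192.168.1.5/32"]),
        Policy("accept", "Web during business hours", interface="Protected",
               service=("tcp", 80), time_group=business_hours,
               source=["192.168.1.0/24"]),
    ]


if __name__ == "__main__":
    policies = sample_outbound_policies()
    # 2014-10-14 is a Tuesday; 2014-10-18 is a Saturday.
    for host, stamp in (("192.168.1.20", "2014-10-14T10:00"), ("192.168.1.20", "2014-10-18T10:00"),
                        ("192.168.1.5", "2014-10-14T10:00")):
        print(host, stamp, decide(policies, "Protected", "tcp", 80, host, "203.0.113.10", stamp))
```

The reversed-order check in the test is the point of the Policy Sets section: with the accept policy first, the quarantined host is let through at index 1 and the deny policy is never consulted, so a broad accept must sit below the specific denies it is meant to respect.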

Tips for Using Policies

The following are some tips for using policies:

• Once you have defined your network, you can use the DEFAULT button to auto-configure an initial set of policies according to your network’s configuration. Auto-configured policies will be left enabled or disabled according to the factory default (the most secure setting). If you used the Basic Setup Wizard to initially configure your firewall, default policies will already have been generated.

• The DEFAULT command does not reset to the factory original policies but instead attempts to create policies that match your firewall’s configuration.

• When a policy section is defaulted, the policies do not retain manual changes. If you have created custom policies you wish to save, either create new policies manually or print a copy of your configuration for reference before auto-configuration.

• Changes to policies will not be effective until the section is saved. Should you leave the policy or policy set before saving, all changes will be lost.

• The DUPLICATE function can be used to duplicate the definition of a policy.
• Combining multiple policies can be efficient and useful when they share the same basic criteria. This often occurs when all the policy parameters are the same except for the destination port. Policies that are often combined are those for SMTP, FTP and HTTP, since they are all TCP-based protocols and are frequently served from the same system.

Using Host Names or DNS in Combination with Security Policies

In version 6.1.0 and later, GTA firewalls have the ability to use host names in security policies.

Requirements
• DNS configured and properly working
• GB-OS 6.1.0 or later

There are two methods to reference a host name(s) in Security Policies:

Method 1:
1. Create a security policy which uses a host name or domain in the SOURCE ADDRESS or the DESTINATION ADDRESS of the security policy. The example below illustrates using a host name in the DESTINATION ADDRESS of an outbound policy.

Figure 2.18: Host Name or Domain in Destination Address


Method 2:
1. Create a new address object of type Security Policy, or edit an existing security policy.
2. Populate the address object with a list of host names. The following example displays the use of a domain and an address object which contains a host name.

Figure 2.19: Domain and Address Object with Host Name

3. Reference the address object in your security policy. The following example displays the use of the Allowed Sites object in an outbound security policy.

Figure 2.20: Allowed Sites Object

Resolved names will be displayed in the summary under DNS Objects. The GTA firewall will periodically re-resolve the names and update the list of IP addresses associated with each host name.
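The re-resolution behaviour just described, as an added Python example that is not part of the GB-OS guide or product: an address object holding host names keeps only the addresses from its most recent refresh, so a policy that references it matches exactly those addresses and nothing else. The table-backed resolver is a constructed stand-in so the example runs offline; the socket.getaddrinfo resolver is the real-DNS equivalent. Keeping the last good answer when a lookup fails is this example’s choice, not documented firewall behaviour.

```python
import socket
from typing import Callable, Dict, FrozenSet, Iterable, List

# A resolver maps a host name to its current IP address strings.
Resolver = Callable[[str], Iterable[str]]


class DnsAddressObject:
    """Address object whose entries are host names.  refresh() plays the
    role of the firewall's periodic re-resolution; matches() only ever sees
    the addresses produced by the most recent refresh."""

    def __init__(self, names: Iterable[str]) -> None:
        self.names: List[str] = [n.lower().rstrip(".") for n in names]
        self.resolved: Dict[str, FrozenSet[str]] = {}

    def refresh(self, resolve: Resolver) -> Dict[str, FrozenSet[str]]:
        updated: Dict[str, FrozenSet[str]] = {}
        for name in self.names:
            try:
                updated[name] = frozenset(resolve(name))
            except OSError:
                # Assumption for this example: on a lookup failure keep the
                # last good answer rather than silently emptying the object.
                updated[name] = self.resolved.get(name, frozenset())
        self.resolved = updated
        return updated

    def addresses(self) -> FrozenSet[str]:
        """Union of every resolved address; this is what a policy matches on."""
        return frozenset().union(*self.resolved.values())

    def matches(self, ip: str) -> bool:
        return ip in self.addresses()


def make_table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Constructed offline resolver: names missing from the table fail
    the way an NXDOMAIN or timeout would."""
    def resolve(name: str) -> List[str]:
        if name not in table:
            raise OSError(f"lookup failed for {name}")
        return table[name]
    return resolve


def system_resolver(name: str) -> List[str]:
    """Real DNS via the OS resolver (socket.gaierror is an OSError)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    allowed = DnsAddressObject(["www.example.com", "mail.example.com"])
    allowed.refresh(make_table_resolver({"www.example.com": ["203.0.113.10"],
                                         "mail.example.com": ["203.0.113.25"]}))
    print(sorted(allowed.addresses()))
    # The next refresh sees a changed record: the old address stops matching.
    allowed.refresh(make_table_resolver({"www.example.com": ["203.0.113.12"],
                                         "mail.example.com": ["203.0.113.25"]}))
    print(allowed.matches("203.0.113.10"), allowed.matches("203.0.113.12"))
```

The consequence for operators is that a host-name policy is only as current as the firewall’s last refresh: a client that resolves the same name to a different address (a record that changed between refreshes, or a round-robin answer the firewall did not receive) is evaluated against the firewall’s list, not the client’s, which is why the guide recommends IP addresses where possible.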

Figure 2.21: Resolved DNS Objects


Verifying the Configuration

GB-OS automatically verifies configuration settings for correctness and adherence to your security policy. When working in Test Mode, verification can help point out potential problems with your firewall’s configuration before they are applied to Live Mode.

Detailed descriptions of verification errors and warnings are available at Configure>Verify. Descriptions of errors are displayed in a red font, while warnings are displayed in a black font.

Figure 2.22: Verifying the Configuration


Navigation Menu Icons

The navigation menu, located on the left side of the browser window, is dynamically updated to display the verification status of each configuration area. Icons displayed alongside a menu item have the following states:

• White (default/non-configurable): Menu items with a white icon are either using default settings or cannot be configured (such as Summary display screens, which do not contain configuration options).
• Grey (disabled): Menu items with a grey icon are disabled and are not used in the firewall’s configuration.
• Green (verified): Menu items with a green icon have been verified to be configured correctly and should not conflict with the firewall’s configuration.
• Yellow (warning): Menu items with a yellow icon may be incorrectly configured and can conflict with the firewall’s configuration.
• Red (error): Menu items with a red icon are verified to be incorrectly configured and can conflict with the firewall’s configuration.

Icon states move up through the menu tree. For example, in Figure 2.24, configuration settings in Address Objects have resulted in a verification error. Since the Address Objects screen is nested within the Objects menu, the verification state is identified by a red icon for both the Address Objects screen and the Objects menu. Errors take precedence over warnings, and warnings take precedence over verified settings. Thus, menus that contain configuration screens with both errors and warnings will be identified with an error icon.

Verification Flags

In addition to menu icons, GB-OS also displays verification flags if a configuration area contains warnings or errors. If a configuration area contains a warning or an error in its configuration, a verification flag will be displayed in the top menu bar of the GB-OS interface. Verification flags are hyperlinked to their specific section in the Configure>Verify screen.

Verification flags have two states:

• Yellow (warning): Configuration areas with a yellow verification flag may be incorrectly configured and can conflict with the firewall’s configuration.
• Red (error): Configuration areas with a red verification flag are verified to be incorrectly configured and can conflict with the firewall’s configuration.

If there are no verification warnings or errors for a configuration area, then no verification flags will be displayed.

Figure 2.23: A Verification Flag

Applying the Configuration

The Apply sub-section allows you to apply your Test Mode configuration to the firewall as well as copy your Live Mode configuration to a Test Mode configuration. By copying your Live Mode configuration to a Test Mode configuration, you are able to safely make changes to your already working configuration without compromising security. If you are configuring the firewall in Test Mode, the Reset Configuration option will be available as well. Resetting the configuration will restore the Test Mode configuration to factory defaults.


Figure 2.24: Applying the Configuration

Note

Selecting Change Mode will switch the Admin to Test or Live mode.

To apply your Test Mode configuration:

1. Navigate to Configure>Configuration>Apply.
2. Select the APPLY TEST CONFIGURATION radio button.
3. Select SUBMIT.

Note

Applying your Test configuration will make it Live.

To copy your Live Mode configuration to a Test Mode configuration:

1. Navigate to Configure>Configuration>Apply.
2. Select the COPY LIVE CONFIGURATION radio button.
3. Select SUBMIT.

To reset your Test Mode configuration to factory defaults:

1. Verify that GB-OS is operating in Test Mode. See Setting the Configuration Mode if GB-OS is operating in Live Mode.
2. In the firewall’s Web Interface menu, navigate to Configure>Configuration>Apply.
3. Select the RESET CONFIGURATION radio button.
4. Select SUBMIT.

CAUTION

Resetting your Test Mode configuration will restore the Test Mode configuration to factory defaults, erasing all user-defined configuration except for entered activation codes.

GTA recommends backing up your configuration.


Importing/Exporting Firewall Configuration

Once all desired changes to the firewall’s configuration have been applied, you may export it for backup purposes. GB-OS configurations are exported as XML (Extensible Markup Language) files and can be exported for backup or for manual configuration changes.

CAUTION

Manually altering the configuration’s XML file may result in undesired or unforeseen changes to the firewall’s configuration if it is imported back into GB-OS. GTA does not support importing configuration backup files that have been manually altered.

Configuration files are named after the GTA Firewall UTM Appliance’s model, GB-OS version number, host name, configuration mode and time stamp. For example, an exported configuration file could be called GB-2500_v620_HostName_Live_2014_10_10.xml.

To export your configuration:

1. Navigate to Configure>Configuration>Import/Export.
2. Select the configuration you wish to export, Live or Test.
3. Click the DOWNLOAD button to select a location to store the configuration file.
4. Click SAVE.

Note

The Live mode configuration can also be exported by appending /config to the firewall’s URL and placing the request in a script. For example, to download the firewall’s configuration with a user ID of fwadmin, a password of fwadmin and a host name of firewall.example.com, run the following command (use http or https as appropriate for your firewall’s web interface):

curl -k -o config.xml 'https://fwadmin:fwadmin@firewall.example.com/config'

This downloads a file named config.xml, which contains the firewall’s Live mode configuration.

Figure 2.25: Exporting Your Firewall’s Configuration


Automatic Backup

Firewall configurations can be automatically backed up and sent via email, or saved to a USB device or Cloud Server. The firewall backs up the configuration, in the configured format, whenever Live mode changes or modifications are saved.

Backup configurations can be restored to the firewall manually, or via the web interface from a USB device or Cloud Server. Backup configurations can also be restored from a USB device via the console. More than one backup method can be used at a time.

To configure:

1. Navigate to Configure>Configuration>Backup.
2. Select the format in which to save backup files. Configuration files are available in XML, 7-Zip and Zip format. It is recommended to use a password with 7-Zip and Zip.
3. Select the maximum backup count. Available options are 50 or 100. Once the limit has been reached, the oldest saved configuration file will be deleted.
4. Enable at least one of the backup methods below: email, cloud or USB.

Figure 2.26: Automatic Backup Settings

Email Backup

1. To enable automatic backups via email, select ENABLE.
2. Enter the origination email address.
3. Select an address object or <USER DEFINED> to enter an email address to which the backup configuration files will be sent. Only one email address can be designated.

Figure 2.27: Automatic Backup via Email

Cloud Backup

Requirements:

• GB-OS 6.0.1 or above
• Valid support or maintenance contract
• Cloud service account via Dropbox or Box.net

To set up Cloud backup, an account must first be created with a Cloud service. GTA currently supports Dropbox and Box.net. Both services have free and paid account options.

Once a Cloud service account has been set up, enable GTA Cloud Backup:

1. Select ENABLE.
2. Select the cloud service to be used.
3. Select AUTHORIZE. The authorization screen will open up in a new window. Enter applicable cloud service account credentials.
4. The firewall will now display all available backups as well as the available storage.


Figure 2.28: Automatic Backup via Cloud - Authorize

Figure 2.29: Automatic Backup via Cloud

USB Backup

Requirements:

• GB-OS 6.0.1 or above
• Valid support or maintenance contract
• USB device connected directly to the firewall
• USB device must be FAT32 or NTFS.

To enable USB backup, ensure a properly formatted USB device is connected to the firewall. Select ENABLE. All available backups will be displayed.

Figure 2.30: Automatic Backup via USB device

Note

The firewall administrator can choose to immediately back up a configuration by selecting the BACKUP NOW button in the Cloud or USB backup sections.

Managing Cloud or USB Backups via the Web Interface

The ACTION column in the Automatic Backup section contains three action items: IMPORT, SAVE, and DELETE.

Figure 2.31: Backup Action Items - Import, Save and Delete


Restoring Backups

Cloud and USB backups will be restored to Test mode only. To restore a backup configuration via the web interface:

1. Select the backup file and click the IMPORT icon under the ACTION column. A dialog box will confirm a successful import to Test mode.
2. GTA recommends verifying the backup configuration before applying it to Live mode.
3. Navigate to Configure>Configuration>Apply and select APPLY TEST CONFIGURATION. For more information, see Applying the Configuration.

Note

If you are restoring a password protected configuration file, the firewall will use the password configured in the Automatic Backup section. If this password has been changed and does not match the selected file’s password, the restore will fail.

Downloading Backups

To download backups directly to the user machine, without applying the configuration to the firewall, select the backup file and click the SAVE icon under the ACTION column.

Deleting Backups

Backups can also be deleted from storage by clicking the DELETE button under the ACTION column.

Restoring Backups Via the Console

Backups can be restored via the console from a USB device. For more information, see the GTA Console User’s Guide.

Cloud or USB Device Directory

The firewall will search the directory for one matching the system’s serial number. Backups will be created and placed in the directory at: GTA/<fw_serial_number>/backups

You may manually edit and delete files in this directory. To save a backup configuration from automatic deletion when the maximum limit has been reached, you must move a file OUT of the specified directory to another folder on the Cloud Server or USB device.

High Availability and Automatic Backup

To enable automatic backup via Cloud or USB device, each High Availability group must be covered by a valid support contract and the firewalls must both be authorized for cloud service.


Chapter 3: Advanced Setup Tasks


Advanced Setup Tasks

Advanced Setup Tasks covers the advanced functions of your GTA Firewall UTM Appliance’s configuration, organized in the order in which GTA recommends they should be completed.

Firewall User Account and Group Setup

The Accounts section under the Configure category allows the administrator to set up additional user accounts and groups. User accounts can be enabled for general access, VPNs, or other restricted access points. Administrator accounts can be given full access to the firewall’s configuration through the Web interface. This is useful if someone other than the firewall’s primary administrator will need to access the firewall to alter the configuration.

Creating User Accounts

User accounts are used for authentication, VPNs, or restricted access points. User groups can be selected in security policies and inbound tunnels to regulate access from outside the protected network and to restrict access from a specified network interface to an IP address/port.

User accounts are configured under Configure>Accounts>Users. Select NEW to create a new user account or select EDIT to modify a pre-defined account.

Note

Administrator user accounts are created by selecting a configured administrator group as the Primary Group. See Creating Groups for more information.

Figure 3.1: Creating User Accounts

Table 3.1: Creating User Accounts

Field Name Description

Disable Disables the account.

Identity Used for authentication purposes, this is typically the user’s email account.

Full Name The name for the account.

Description A short description to identify the use of the account.

Primary Group A selection for the user group to bind to the user account. Selecting ??? means no user group has been selected. Select an administrator group to create an Administrator user. Primary Group determines a user’s Administrative, SSL, and Mobile IPSec privileges as well as access based on security policies and content filtering policies. See Creating Groups for more information.


Certificate Default is to generate a new user certificate. These are used in IPSec and SSL VPNs. For more information see GB-OS Certificate Management.

Authentication

Modify Password A selection for creating or changing a password.

Password The password for user authentication.

Confirm Re-enter the password to confirm.

Remote Access

L2TP/PPTP

Disable Disables L2TP/PPTP access for the account.

Mobile IPSec

Disable Disables Mobile IPSec access for the account.

Authentication Select the authentication method to be used when the user establishes a VPN connection. Choose Pre-shared Secret or Certificate.

Pre-shared Secret If the AUTHENTICATION method is set to PRE-SHARED SECRET, then enter the ASCII or HEX value pre-shared secret to be used. Once entered, this field will be obscured. Select modify to enter a new pre-shared secret.

Remote Network The IP address or address object of the remote network from which the mobile IPSec VPN user is connecting.

Groups

Group A selection for applying additional groups to the user account, making the user a member of the selected groups. Includes all group privileges except for Mobile IPSec.

Description A short description of the group.

Download User Mobile Configuration

To download user mobile configuration and policies, select the DOWNLOAD icon in the user list at Configure>Accounts>Users.

Figure 3.2: Downloading User Information

Creating Groups


Groups are a collection of user accounts used for reference throughout the configuration, much like objects. For example, when defining a policy, a user group can be selected to require authentication before a policy can be applied to the group’s traffic.

When defining a group, additional pre-defined groups can also be added to reference a larger number of users. Additionally, GB-OS contains a default user group called ALL_USERS that automatically refers to all configured users defined in Configure>Accounts>Users. Creating a user group with sub-groups or using the ALL_USERS group can be useful if a security policy is required to affect multiple user groups or all configured users.

Groups are configured under Configure>Accounts>Groups. Select NEW to create a new group or select EDIT to modify a pre-defined group.

Note

If this user group is to be connecting to the firewall using the GTA Mobile IPSec VPN Client, settings are available to define the group’s VPN object and local network. For more information on configuring a VPN, see the GTA VPN Option Guide.

For additional information on configuring SSL Browser and Client access, see the GTA SSL Client Guide.

Creating an Administrator Group

Administrative user accounts are defined by creating and assigning an administrator group as a user’s Primary Group. Administrator accounts have full access to the firewall and are able to make changes to the configuration using the Web or Console interface. By default, the user ID and password for the administrator account are both fwadmin.

Read-only groups will not be able to make changes to the firewall’s configuration or view pre-shared secrets.

Figure 3.2: Creating Groups

Table 3.2: Creating Groups

Field Name Description

Disable Disables the group.


Name The name for the group.

Description A short description to identify the use of the group.

Administrator

Enable Enables administrator privileges for the user group.

Read Only A selection for creating a read-only administrator user group.

Remote Access

L2TP A toggle for enabling L2TP for the user group.

PPTP A toggle for enabling PPTP for the user group.

Mobile IPSec

Enable Enables VPN access for the user group.

Advanced

Authentication Required A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile IPSec VPN Client or not.

Local Network The local network for the VPN which the configured user can access. Configuring this section will override settings defined under Configure>VPN>Remote Access>IPSec.

SSL

Browser

Enable Enables SSL browser access for the user group.

Bookmarks Only Displays only Bookmarks for SSL Browser access.

Read Only Read only access. Users can only download files via the browser.

Bookmarks Displays the defined bookmarks for the group.

Client

Enable Allows SSL Client access.

Mobile IPSec

Enable Enables VPN access for the user group.

Authentication Required A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile IPSec VPN Client or not.

IPSec Object The VPN object to be used by the user group.

Local Network The local network for the VPN which the configured user can access. Configuring this section will override settings defined under Configure>VPN>Remote Access>IPSec.

Groups

Sub Group Select a previously defined group that the main group will include.

Description A short description to explain the use of the included sub-group.

Configuring Remote Administration


This section allows for the configuration of lockout, remote administration and customized login screens. Lockout disallows further logins from a user’s IP address if a login is repeatedly entered incorrectly. Remote administration regulates administrative access to the Web interface from outside of the protected network.

Account preferences are configured under Configure>Accounts>Remote Administration.

Lockout

Lockout gives the administrator the ability to disable login attempts to the Web or Console interface from a user’s IP address if repeated login attempts are entered incorrectly. Settings available for configuration include the threshold (the number of times an invalid entry may be entered) and the duration of time the user’s IP address will be blocked. Networks exempt from lockout can also be specified.

Figure 3.3: Configuring Account Preferences - Lockout

Table 3.3: Lockout

Field Name Description

Enable Disallow further logins from a user’s IP address if a login is entered incorrectly. Enabled by default.

Allowed Specify the network (address object) that is exempt from lockout, if necessary.

Advanced

Threshold The number of attempts a user can make from an IP address before that IP address is locked out. Threshold values may range between 5 and 100.

Duration The number of seconds an IP address is locked out. The duration may range between 30 and 86,400 seconds.
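To make the interplay of Threshold, Duration and Allowed concrete, here is a small model of the lockout in Table 3.3 run over constructed login events. It is an added example, not GB-OS code, and the counting rule is an assumption, since the guide states the ranges but not how attempts are counted: consecutive failures per source address are counted, a successful login resets the count, and a locked address is refused (even with the right password) until the duration has elapsed. The sample addresses and the 192.168.71.0/24 exempt network are constructed.

```python
"""Model of the login lockout from Table 3.3 (added example; not GB-OS
code). The guide gives a threshold (5-100 attempts), a duration (30-86400 s)
and an exempt network; the counting rule is assumed here: consecutive
failures per source address are counted, a successful login resets the
count, and a locked address is refused until the duration has elapsed."""
import ipaddress


class Lockout:
    def __init__(self, threshold: int = 5, duration: int = 300, allowed=()):
        if not 5 <= threshold <= 100:
            raise ValueError("threshold must be between 5 and 100")
        if not 30 <= duration <= 86400:
            raise ValueError("duration must be between 30 and 86400 seconds")
        self.threshold = threshold
        self.duration = duration
        # ALLOWED in the guide is an address object; modelled here as CIDR networks
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed]
        self.failures = {}      # source address -> consecutive failures
        self.locked_until = {}  # source address -> time the lock expires

    def is_exempt(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def is_locked(self, ip: str, now: float) -> bool:
        return self.locked_until.get(ip, 0) > now

    def attempt(self, ip: str, success: bool, now: float) -> str:
        """Record one login attempt; return 'allowed', 'denied' or 'locked'."""
        if self.is_exempt(ip):
            return "allowed" if success else "denied"
        if self.is_locked(ip, now):
            return "locked"  # refused even with the right password
        if success:
            self.failures.pop(ip, None)
            return "allowed"
        count = self.failures.get(ip, 0) + 1
        if count >= self.threshold:
            self.failures.pop(ip, None)
            self.locked_until[ip] = now + self.duration
            return "locked"
        self.failures[ip] = count
        return "denied"


def replay(events, **settings) -> list:
    """Feed (timestamp, source_ip, success) events through the model and
    return the verdict for each one."""
    lockout = Lockout(**settings)
    return [lockout.attempt(ip, ok, ts) for ts, ip, ok in events]


# Constructed sample: an outside host guessing passwords, the administrator
# logging in from the exempt management network, then the outside host again
# after the lock has expired.
SAMPLE_EVENTS = [
    (0, "203.0.113.5", False), (1, "203.0.113.5", False), (2, "203.0.113.5", False),
    (3, "203.0.113.5", False), (4, "203.0.113.5", False),
    (5, "203.0.113.5", True),      # correct password, but the address is locked
    (6, "192.168.71.10", False), (7, "192.168.71.10", True),
    (40, "203.0.113.5", True),     # lock taken at t=4 expired at t=34
]

if __name__ == "__main__":
    verdicts = replay(SAMPLE_EVENTS, threshold=5, duration=30, allowed=["192.168.71.0/24"])
    for event, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(event, verdict)
```

The exempt network is the setting to be careful with: every address in it can fail indefinitely without being locked, so it should cover only the management network from which administrators actually log in.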

Remote Administration

The factory default settings enable remote administration from the protected interface. The Web interface is served on standard TCP port 443 for SSL encryption.

The firewall can also be accessed through the Console interface using accounts with administrative access. Access to the Console interface cannot be disabled.

Figure 3.4: Configuring Account Preferences - Remote Administration

Changing the Remote Administration Port


To maintain access when changing the port number used for remote administration, ensure that AUTOMATIC POLICIES are enabled (located under the ADVANCED tab) or configure a new service group object and inbound policy for the new port before changing the existing port number.

CAUTION

Changing the TCP port for remote administration without enabling automatic policies or first adding the new port to an inbound policy will result in a loss of remote administration connectivity. To prevent this, either create a new service group object to be used in an inbound policy, or connect to the firewall locally.

Table 3.4: Remote Administration

Field Name Description

Enable Enables remote administration for the Web interface. Enabled by default.

Port The TCP port allowing Web administration. SSL encryption default is 443.

Authentication

LDAP Enables LDAP users to administer the firewall.

RADIUS Enables RADIUS users to administer the firewall.

Advanced

Encryption A selection for the level of SSL encryption. All levels of SSL encryption are enabled by default. Setting encryption to <none> will turn off SSL encryption.

FIPS Enables FIPS mode for Remote Administration and the SSL Browser. If FIPS is enabled, the firewall MUST use SSL encryption.

Policy Compatibility A selection for preserving previous remote administration settings for firewalls that do not properly upgrade to GB-OS 6.0.3 and above. Disabling this option allows the web administration to send CAs imported on the firewall to a connecting client to assist in validating the authenticity of the remote administration certificate.

Timeout Sessions A selection for whether remote connections should be timed out after a period of inactivity.

Virtual Keyboard A selection for whether the virtual keyboard is enabled, disabled or forced.

Automatic Policies

Enable A selection for whether automatic policies should be enabled.

Zone Specifies the Zone which will be allowed to connect. Options are External, Protected, and PSN.

Source Address Specifies the source address allowed to connect.

Encryption

For additional security, SSL (Secure Sockets Layer) encryption is available. SSL encryption (HTTPS) is the standard in Internet security for HTTP, supporting server/client authentication, and maintaining security and integrity in transmission.

SSL encrypted administration requires an inbound policy with a port that matches the remote administration port (443, by default).

Table 3.5: Encryption Levels

Level Key Strength Description

None n/a Disables SSL encryption

SSL 168-bit A high level of SSL encryption.

Policy Compatibility


Upgrading to GB-OS 6.0.3 and above, from GB-OS 6.0.2 and below, may result in remote administration certificate errors. These errors may prevent web administration of the firewall via Firefox or Google Chrome and some other browsers. A connection error or SSL error will be displayed in the web browser.

GTA recommends resolving all certificate errors, but remote administration settings can be preserved by enabling POLICY COMPATIBILITY at Configure>Accounts>Remote Administration>Advanced via Internet Explorer or Safari. For more details and additional certificate error troubleshooting, see the GB-OS Certificate Management guide.

Policy Compatibility may also be enabled through the Console interface at Configure>Accounts>Remote Administration. See the Console Guide for more details or for creating a new certificate on the console.

Customized Login

Customize the login screen to display a unique title and logo. The logo must be in JPEG, PNG, or GIF file format, 32 x 32 pixels and 100 KB or less.

Figure 3.5: Customized Login


Authentication Setup

Authentication allows the administrator to require authentication using GBAuth or GTA SSOAuth Service before initiating a connection to or through the firewall.

There are four authentication methods available on GTA firewalls: GTA Authentication, LDAP, RADIUS and Active Directory Single Sign-On. For more information on configuring and using GBAuth for user authentication, refer to Reference C: Utilities.

Authentication is configured in Configure>Accounts>Authentication.

Figure 3.6: Authentication Setup


Table 3.7: Authentication

Field Name Description

Enable Enables authentication.

Advanced

Automatic Policies A toggle for whether automatic policies should be generated to allow any of the three methods of authentication.

FIPS Enables FIPS-compliant options for authentication settings.

Service Port The service port used. The default port for GTA Authentication is 76.

Valid The valid duration for an authenticated user (in minutes). If using a one time password, this value should be high.

Send Keep Alives A toggle for whether keep alives should be sent or not.

LDAPv3

Enable Enables LDAPv3 authentication. AUTHENTICATION must be enabled to allow for LDAPv3 authentication.

Server The server IP address or host name and port number of the LDAP server used. The port number defaults to 389. To enter a specific port number, use the format ldap.example.com:389.

Use SSL A toggle for enabling SSL support.

Base DN The root distinguished name of the LDAP server, comparable to the domain name in an Internet address. Used for LDAP searches.

Group Field The group name field where group names are stored on the LDAP server.

Advanced

Automatically Add Groups Select the check box to automatically add groups when GBAuth is used to authenticate with the firewall.

Use Full Group Name Select the check box to return the full group name.

Binding Interface The address from which authentication information is sourced. Selecting <AUTOMATIC> will indicate the firewall’s IP address to the server location. To force packets to have a specific source IP address, choose the interface object from the pull down menu.

Timeout The amount of time, in seconds, that the GTA firewall will wait on results from an LDAP search.

Bind Options

Bind Method Select the method that the user will use to bind (authenticate) with the LDAP server. Select <Anonymous> to authenticate with the LDAP server anonymously. Select <User> to authenticate with the LDAP server with a user name. Select <Username Search> to authenticate with the LDAP server using the root distinguished name and password.

User Bind String Enter the user name to bind with the user. This field is only available if <User> is selected for the BIND METHOD.

Append Base DN Select this check box to have the value entered in the BASE DN string appended to the USER BIND STRING value. This field is only available if <User> is selected for the BIND METHOD.

Bind DN Enter the root distinguished name of the LDAP server. This field is only available if <Username Search> is selected for the BIND METHOD.

Password Enter the root password of the LDAP server. This field is only available if <Username Search> is selected for the BIND METHOD.

RADIUS

Enable Enables RADIUS authentication. AUTHENTICATION must be enabled to allow for RADIUS authentication.


Server The server IP address or host name and port number of the RADIUS server used. The port number defaults to 1812. To enter a specific port number, use the format radius.example.com:1812.

Pre-shared Secret The pre-shared secret as defined in the RADIUS service. This field is case sensitive. Once entered, this field will be obscured. Select modify to enter a new pre-shared secret.

Advanced

Binding Interface The address from which authentication information is sourced. Selecting <AUTOMATIC> will indicate the firewall’s IP address to the server location. To force packets to have a specific source IP address, choose the interface object from the pull down menu.

NAS Identity By default (if the field is empty), this is the firewall’s local IP address. Match the RADIUS server’s expected identity for authentication requests.

NAS Channel Matches the RADIUS server’s channel number. Filling out this field is only necessary if the RADIUS server distinguishes between its NAS ports (channels).

NAS Channel Type Matches the RADIUS server’s connection type, namely a modem (Async, etc.) or TCP/IP (Virtual) connection.

Active Directory Single Sign-On

Enable Enables Single Sign-On authentication. AUTHENTICATION must be enabled to allow for Single Sign-On authentication.

Server/Certificate The server IP address or host name and port number of the Single Sign-On server used. The port number defaults to 28800. To enter a specific port number, use the format 192.168.71.1:2880.

GTA Authentication

GTA Authentication requires the setup of firewall user accounts. Users can be configured with the instructions found in the Firewall Administrator and User Setup section of this chapter. GTA Authentication can be selected in inbound tunnels and security policies. Users enter the values defined in the IDENTITY and PASSWORD fields from Configure>Accounts>Users to log in using GBAuth.

Using GTA Authentication on a GTA Firewall

To use GTA Authentication:

1. Enable AUTHENTICATION and enter the desired port (TCP port 76, by default).
2. Click SAVE.

LDAPv3

LDAP (Lightweight Directory Access Protocol) is a specification for accessing directories on the Internet to obtain information such as email addresses and public keys. Support for TCP/IP for Internet access is also included. Like the Internet protocols HTTP and FTP, LDAP is used in the protocol prefix of a URL (e.g., ldap://example.com). LDAP version 3, completed in 1997, is the latest implementation of the protocol at the time of this release.

Using LDAPv3 on a GTA Firewall

The LDAP authentication option allows you to accept or deny traffic by querying an LDAP server. The LDAP authentication option can be used on inbound, outbound and pass through policies. LDAP authentication requires an LDAP server with users, organizational units and domains. GTA Firewall LDAP searches return a user’s primary Active Directory group to the firewall.


Table 3.8: LDAP Authentication Components

Field Name Description

cn Common name; specified on the LDAP server and entered in the IDENTITY field of GBAuth, e.g. Joe Q User.

rdn Relative distinguished name; the common name plus the “cn=” identifier, e.g. cn=Joe Q User.

ou Organizational unit; group to which the user has been assigned. There can be a hierarchy of ou’s defined. Enter each in the order of its specificity: if Joe Q User belongs to the FreeBSD group within the support group, ou would be entered into the IDENTITY field of GBAuth, after the cn, as: ou=FreeBSD, ou=support.

dc Domain component; single domain component of an FQDN (fully-qualified domain name) such as qa.gta.com, e.g. dc=qa, dc=com, dc=gta.

dn Distinguished name; entries in an LDAP server are located by way of the distinguished name, a globally unique identifier designed to be readable by any LDAP-compliant client. This is the entire string sent to the LDAP server by GBAuth: cn=Joe Q User, ou=support,dc=qa, dc=com, dc=gta.

To use LDAPv3:

1. Enable AUTHENTICATION and the LDAPv3 feature.
2. Enter the IP address and desired port (TCP port 389, by default) of the LDAP server in the SERVER field.
3. Enter the base distinguished name for your network in the BASE DN field.
4. In the GROUP FIELD, enter the location where groups are stored.
5. Next, select the method that the user will use to bind (authenticate) with the LDAP server.

• To bind with the user, select <User> for the BIND METHOD and enter the USER BIND STRING. Optionally, enable APPEND BASE DN to have the BASE DN value appended to the USER BIND STRING.

• To bind anonymously, select <Anonymous> for the BIND METHOD. When <Anonymous> is selected, the USERNAME FIELD will appear in the LDAPV3 section. Enter the username that will be used for authentication.

• To bind using the root distinguished name and password, select <Username Search> for the BIND METHOD. Enter the root distinguished name in the BIND DN field, and the root password in the ROOT PASSWORD field. When <Username Search> is selected, the USERNAME FIELD will appear in the LDAPV3 section. Enter the username that will be authenticated in the USERNAME FIELD.

6. Click SAVE.
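The names that Table 3.8 and the steps above ask for (Base DN, the user's DN, and the bind DN formed from USER BIND STRING plus BASE DN) can be built and checked with the following added example. It is not GB-OS code. It applies RFC 4514 escaping so that a common name containing ',' or '+' stays one RDN instead of smuggling in another, and it writes domain components most-specific first (qa.gta.com becomes dc=qa,dc=gta,dc=com); the spaces after separators that the guide's examples show are optional and are omitted here. The service account name used in the bind example is constructed.

```python
"""LDAP name handling for the LDAPv3 settings above (added example; not
GB-OS code). Builds the Base DN, user DN and bind DN as Table 3.8 and the
setup steps describe them, with RFC 4514 escaping so that a value containing
',' or '+' cannot add an extra RDN. Domain components are written
most-specific first (qa.gta.com -> dc=qa,dc=gta,dc=com)."""


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside an attribute value:
    , + " \\ < > ; anywhere, '#' at the start, and a leading or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_fqdn(fqdn: str) -> str:
    """qa.gta.com -> dc=qa,dc=gta,dc=com (one dc per label, in order)."""
    return ",".join(f"dc={escape_rdn_value(label)}" for label in fqdn.split("."))


def rdn(cn: str) -> str:
    """The relative distinguished name: the common name with its cn= prefix."""
    return f"cn={escape_rdn_value(cn)}"


def user_dn(cn: str, ous, base_dn: str) -> str:
    """Full DN: cn, then ou's from most to least specific, then the base DN."""
    parts = [rdn(cn)] + [f"ou={escape_rdn_value(ou)}" for ou in ous] + [base_dn]
    return ",".join(parts)


def bind_dn(user_bind_string: str, base_dn: str, append_base_dn: bool) -> str:
    """What a <User> bind sends: the USER BIND STRING, with the BASE DN
    appended when APPEND BASE DN is checked."""
    return f"{user_bind_string},{base_dn}" if append_base_dn else user_bind_string


def split_dn(dn: str) -> list:
    """Split a DN into its RDNs on unescaped commas only, which is why an
    escaped value stays a single RDN."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    base = base_dn_from_fqdn("qa.gta.com")
    print(user_dn("Joe Q User", ["FreeBSD", "support"], base))
    print(bind_dn("cn=fwbind,ou=service", base, append_base_dn=True))
    print(split_dn(user_dn("Joe,ou=admins", [], base)))
```

If the value typed into GBAuth's IDENTITY field is passed through unescaped, "Joe,ou=admins" would be read by the directory as two RDNs; with the escaping above it remains one cn, which split_dn makes visible.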

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is an authentication and management system used by many ISPs. RADIUS requires the customer to enter a user ID and password to access the service. The RADIUS server then verifies the information and authorizes access. Historically, RADIUS has been used to authenticate dial-up connections, but it can be used to authenticate traditional TCP/IP connections as well.

Using RADIUS on a GTA Firewall

To use RADIUS:

1. Enable AUTHENTICATION and the RADIUS feature.
2. Enter the IP address, desired port (UDP port 1812, by default) and pre-shared secret of the RADIUS server in their respective fields.
3. Click SAVE.
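What the pre-shared secret and NAS identity from Table 3.7 actually do on the wire is shown by the following added example, which is not GB-OS or GTA code. It builds an RFC 2865 Access-Request carrying User-Name, NAS-Identifier and a User-Password hidden with the secret, and verifies the Response Authenticator on the reply, which is the check that lets a client reject an Access-Accept from anyone who does not hold the secret. The user name, password, secret and NAS identifier are constructed values, and the fixed Request Authenticator used in the test stands in for the random one a real client generates.

```python
"""RADIUS exchange as the settings above use it (added example; not GB-OS
or GTA code). Builds an RFC 2865 Access-Request with a hidden User-Password
and verifies the Response Authenticator on the reply. All sample values
(user, password, secret, NAS identifier) are constructed."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes too."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([kind, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list, rejecting lengths that run past the packet."""
    attrs, pos = {}, 0
    while pos < len(data):
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server side); the secret must match byte
    for byte, hence the guide's note that the field is case sensitive."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(identifier: int, username: str, password: str, secret: bytes,
                   nas_identifier: str, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    req_auth = authenticator or secrets.token_bytes(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(NAS_IDENTIFIER, nas_identifier.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept/Reject sealed with the Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if its authenticator was computed
    with the shared secret over this request's authenticator."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

Two things the exchange makes visible: the password is only as well hidden as the secret is hard to guess, so the pre-shared secret deserves the same care as a password; and a client that skips verify_response would accept an Access-Accept from any host able to spoof the server's address.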


Active Directory Single Sign-On

GTA’s Active Directory Single Sign-On (GTA SSOAuth) is a system which allows a user to authenticate only once while gaining access to multiple software systems. When a user logs into the domain and attempts to access the Internet via a GTA firewall, the firewall checks to see if the user’s IP address is in the Authentication server database. If yes, the firewall retrieves the group and matches policies to see if Internet access is allowed. When a user logs in, the GTA SSOAuth service returns the user’s primary group to the firewall. The GTA SSOAuth server maintains the database of users that have authenticated via Active Directory.

For more information on using GTA SSOAuth, see Reference C: Utilities.

Note

All Single Sign-On users are members of the Single Sign-On and ALL users groups.

Requirements For Single Sign-On

In order to use Single Sign-On the following requirements must be met:

1. Windows 2003 server or 2003 R2 server or later.
2. Single Sign-On service (GTA-SSOAuth server installed on AD server)
3. Active Directory server certificate installed on the firewall (Configure>VPN>Certificates)
4. .NET Framework 2.0 (or above)

Single Sign-On Server Installation on Windows

Server Mode

In server mode, the firewall can point to up to three servers. The SSOAuth servers are installed on other hosts, or on the AD server itself. The firewall and SSOAuth clients then connect to the SSOAuth server.

Client Mode

The client mode is used when there is more than one AD server. In this mode, the clients point to the server and are installed on the AD servers.

Configuring Single Sign-On

1. Enable AUTHENTICATION and the Single Sign-On feature.
2. Enter the AD server IP address and select the AD server certificate.
3. Click SAVE.
4. Optional: Configure the same groups that are on the AD server on the firewall at Configure>Accounts>Groups. The ALL group or LDAP group can be used if the user does not wish to configure the groups.
5. Apply AUTHENTICATION on security policies per corporate policy.

PPP Setup

PPP connections are frequently used in conjunction with dial-up modems or DSL ISPs. PPP configures a PPP (Point-to-Point Protocol), PPPoE (PPP over Ethernet) or PPTP (Point-to-Point Transport Protocol) connection for the firewall. PPP, PPPoE and PPTP are not supported on a bridged interface.

To configure a PPP connection, navigate to Configure>Network>Interfaces>Settings. PPP connections can be applied to a new or existing interface by changing the interface type.

To enable PPP in Network Interface Settings:

1. Navigate to Configure>Network>Interfaces>Settings, create a new interface and change the type to PPP(SERIAL).
2. Select the GATEWAY check box. Once this has been selected, the system will dynamically negotiate the IP address of the gateway.


If you wish to configure a PPPoE or PPTP connection, please refer to their appropriate subsections.

Figure 3.7: PPP Setup

Table 3.9: PPP Setup

Field Description

Name Enter a user-defined interface name.

Zone Select an interface type: External, Protected or PSN.

NIC Automatically set to PPP0, PPP1, PPP2, PPP3, etc.

Description A user-defined description of the connection.

Gateway Use the interface as a gateway.

PPP Connection Type
<On-Demand> Initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired.
<Dedicated> Establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted.

Primary COM Port COM port or USB port used for the PPP interface.


Phone Number: The phone number used to dial the remote site. This field should contain any required access codes (e.g. 9 to dial out). Characters used for pauses and secondary dial tones can be used. Consult your modem or ISDN TA manual for dialing codes.
User Name: User ID for remote access. User ID and password are generally issued by the remote site.
Password: Password for remote access. Once entered, this field will be obscured. Select modify to enter a new password.

Local IP Address/Remote IP Address
Default: A PPP-type link uses a local and remote IP address. If the remote site supports dynamic IP address assignment (as for most ISPs and remote sites), leave the local address set to the default, 0.0.0.0. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address. PPP will use that address to dynamically negotiate the actual value. If the Remote IP address is static (dedicated), enter the address and leave the Local IP address set to 0.0.0.0. If both addresses are static, set both fields to the appropriate IP address.

Advanced: Connection
Login User Name: Enter a login user name for cases in which CHAP or PAP is negotiated, and a separate name and password are required to log in.
Login Password: Enter a login password for cases in which CHAP or PAP is negotiated, and a separate name and password are required to log in.
Speed: DTE (Data Terminating Equipment) speed is the speed at which the firewall communicates with the modem. Default is <115200>.
Time Before Retry: The amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds.
Timeout: The number of seconds during which a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. Default is 600 (10 minutes).

Link Control Protocol (Local/Remote) *
Address/Field Compression: Enabled by default.
Line Quality Report: Disabled by default.
Protocol Field Compression: Enabled by default.
Van Jacobson Compression: Enabled by default.

Debug (must be in Detailed List View to see debug messages)
Chat: Records dialing and login chat script conversations.
LCP: Records LCP conversations. Use to set non-default Link Control Protocol options.
Phase: Records network phase conversations. Use to determine LOCAL and REMOTE IP address specifications.

ISDN
Don’t Bond Channels: Use to configure ISDN connections. Check with your provider for required settings. Disabled by default.
Switch Type: Use to configure ISDN connections. Check with your provider for required settings.

* Each Link Control Protocol (LCP) option has a pair of settings for each link, LOCAL and REMOTE. If a local setting is enabled, the firewall will request that the remote side use that LCP option. If LOCAL is disabled, the firewall will not send a request for that option. If REMOTE is enabled, and the remote side of the connection offers to use the option, the firewall will accept it. If REMOTE is disabled, the firewall will not accept the option if the remote side offers it.


PPPoE Transport

PPPoE is commonly used to assign IP addresses by DSL service providers.

Note

GB-OS automatically detects connection preferences so that the user is no longer required to enter chat or dial scripts, select CHAP or PAP, or set parity and flow control.

Enabling PPPoE in Network Settings:

1. Navigate to Configure>Network>Interfaces>Settings, create a new interface and set type to PPP(PPPoE).
2. Select the GATEWAY checkbox. Once this has been selected, the system will dynamically negotiate the IP address of the gateway. The DHCP Selection will be unavailable.

Figure 3.8: PPP Setup using PPPoE Transport


Table 3.10: PPP Setup using PPPoE Transport

Name: Enter a user-defined interface name.
Zone: Select an interface type: External, Protected or PSN.
NIC: Select the physical interface on which PPPoE will operate.
Description: A user-defined description of the connection.
Gateway: Use the interface as a gateway.
PPP Connection Type: <On-Demand> initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired. <Dedicated> establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted.
NIC: A selection for the network interface on which PPPoE will run.
User Name: User ID for remote access. User ID and password are generally issued by the remote site.
Password: Password for remote access. Once entered, this field will be obscured. Select modify to enter a new password.

Local IP Address/Remote IP Address
Default: A PPP-type link uses a local and remote IP address. If the remote site supports dynamic IP address assignment (as for most ISPs and remote sites), leave the local address set to the default, 0.0.0.0. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address. PPP will use that address to dynamically negotiate the actual value. If the Remote IP address is static (dedicated), enter the address and leave the Local IP address set to 0.0.0.0. If both addresses are static, set both fields to the appropriate IP address.

Advanced: Connection
PPPoE Provider: Designation for the PPPoE provider. Leave blank if you do not know the exact designation. The value is usually not required for the connection, and an incorrect setting can prevent the connection.
MTU: Maximum Transmission Unit. GTA recommends setting the field to 0, which allows the system to negotiate the MTU value for each PPPoE connection. Incorrect values can cause the system to perform poorly, or not at all.
Time Before Retry: The amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds.
Timeout: The number of seconds during which a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. Default is 600 (10 minutes).

Link Control Protocol (Local/Remote) *
Address/Field Compression: Enabled by default.
Line Quality Report: Enabled by default.
Protocol Field Compression: Enabled by default.
Van Jacobson Compression: Disabled by default.

Debug (must be in Detailed List View to see debug messages)
Chat: Records dialing and login chat script conversations.
LCP: Records LCP conversations. Use to set non-default Link Control Protocol options.


Phase: Records network phase conversations. Use to determine LOCAL and REMOTE IP address specifications.

* Each Link Control Protocol (LCP) option has a pair of settings for each link, LOCAL and REMOTE. If a local setting is enabled, the firewall will request that the remote side use that LCP option. If LOCAL is disabled, the firewall will not send a request for that option. If REMOTE is enabled, and the remote side of the connection offers to use the option, the firewall will accept it. If REMOTE is disabled, the firewall will not accept the option if the remote side offers it.

PPTP Transport

PPTP is typically used on GTA firewalls by some ISPs as an alternative to DHCP when allocating subnet IP addresses. It encapsulates and encrypts packets so that data or internal network IPs cannot be seen during transit over phone lines or the Internet. It does this by creating a link from an unroutable internal IP address to an external IP address through the use of an internal PPTP server with a routable IP address.

PPTP requires the creation of an inbound policy for use.

To use PPTP:

1. Create a new logical interface in Configure>Network>Settings and set its TYPE to PPP(PPTP).

Figure 3.9: PPP Setup using PPTP Transport


Table 3.11: PPP Setup using PPTP Transport

DHCP: Not selectable.
Gateway: Automatically set from the selection in the following section.
IP Address: IP address for the internal PPTP interface.
Name: User-defined interface name.
Zone: Select External, Protected or PSN.
NIC: Select the physical network interface to use for the connection.
Description: A user-defined description of the connection.

PPP
Gateway: Use this interface as a gateway.
PPP Connection Type: <On-Demand> initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired. <Dedicated> establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted.
PPTP Server IP Address: Enter the IP address of the PPTP server.
Phone Number: The phone number used to dial the remote site. This field should contain any required access codes (e.g. 9 to dial out). Characters used for pauses and secondary dial tones can be used. Consult your modem or ISDN TA manual for dialing codes.
User Name: User ID for remote access. User ID and password are generally issued by the remote site.
Password: Password for remote access. Once entered, this field will be obscured. Select modify to enter a new password.

Local IP Address/Remote IP Address
Default: A PPP-type link uses a local and remote IP address. If the remote site supports dynamic IP address assignment (as for most ISPs and remote sites), leave the local address set to the default, 0.0.0.0. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address. PPP will use that address to dynamically negotiate the actual value. If the Remote IP address is static (dedicated), enter the address and leave the Local IP address set to 0.0.0.0. If both addresses are static, set both fields to the appropriate IP address.

Advanced: Connection
Time Before Retry: The amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds.
Timeout: The number of seconds during which a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. Default is 600 (10 minutes).


Link Control Protocol (Local/Remote) *
Address/Field Compression: Enabled by default.
Line Quality Report: Enabled by default.
Protocol Field Compression: Enabled by default.
Van Jacobson Compression: Disabled by default.

Debug (must be in Detailed List View to see debug messages)
Chat: Records dialing and login chat script conversations.
LCP: Records LCP conversations. Use to set non-default Link Control Protocol options.
Phase: Records network phase conversations. Use to determine LOCAL and REMOTE IP address specifications.

* Each Link Control Protocol (LCP) option has a pair of settings for each link, LOCAL and REMOTE. If a local setting is enabled, the firewall will request that the remote side use that LCP option. If LOCAL is disabled, the firewall will not send a request for that option. If REMOTE is enabled, and the remote side of the connection offers to use the option, the firewall will accept it. If REMOTE is disabled, the firewall will not accept the option if the remote side offers it.


DHCP Server

The DHCP service automates assignment of IP addresses and configures the DNS server and gateway for computers on local networks using DHCP (Dynamic Host Configuration Protocol).

When the DHCP service receives an initial request from a client host, it assigns an available IP address from its address range. Upon subsequent requests by the same MAC address, the DHCP Server will attempt to reassign the same IP address. The only case in which it will not reassign the same IP address is when the number of DHCP clients exceeds the number of IP addresses available, and the IP address has been assigned to a different host.

The DHCP service manages a range of IP addresses (e.g. 10.10.10.4 through 10.10.10.254) which can be assigned to hosts. Non-contiguous sets of IP addresses can be defined using exclusion ranges. Exclusion ranges, configured under the ADVANCED tab, indicate which IP addresses within the previously defined address range must not be assigned to hosts.

WINS uses a distributed database that is automatically updated with the names of computers currently available and the IP address assigned to each one. To use WINS, enter the IP address of the WINS server in the WINS SERVER IP ADDRESS field. Hosts on the network must be configured to point to the DEFAULT GATEWAY for the location of their WINS server.

The DHCP service can also assign static leases to hosts on the network. Static leases are useful for managing “static” systems, such as print servers, mail servers or other hosts that need fixed configurations. Static leases are configured under the ADVANCED tab.

To configure the DHCP server, navigate to Configure>Services>DHCP>Server and deselect the DISABLE check box. Both DHCPv4 and DHCPv6 are supported.

Changes to the DHCP service are applied when you click SAVE.
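The allocation rules above (a contiguous range, exclusion ranges, static leases bound to a MAC, and the same address handed back to a returning MAC unless the pool is exhausted) are easier to reason about as a small model. The following is an added example and is not GB-OS code; the pool boundaries follow the page's 10.10.10.x example, while the MAC addresses, the 10.10.10.6-10.10.10.7 exclusion range, the static lease and the 600-second lease duration are constructed for the demonstration.

```python
"""DHCPv4 address-pool model: address range, exclusion ranges, static leases,
and re-assignment of the same address to a returning MAC (constructed example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


def _to_int(addr: str) -> int:
    return int(IPv4(addr))


class DhcpPool:
    """One DHCP pool as the page describes it: a contiguous range, exclusion
    ranges that are never handed out, and static leases bound to a MAC."""

    def __init__(self, begin: str, end: str, lease_duration: int,
                 exclusions=(), static_leases=None):
        self.begin, self.end = _to_int(begin), _to_int(end)
        self.lease_duration = lease_duration
        self.excluded = set()
        for lo, hi in exclusions:          # (lo, hi) inclusive; lo == hi excludes one host
            self.excluded.update(range(_to_int(lo), _to_int(hi) + 1))
        self.static = {m.lower(): _to_int(ip) for m, ip in (static_leases or {}).items()}
        self.leases: Dict[str, Tuple[int, float]] = {}   # mac -> (address, expiry time)

    def assignable(self) -> List[int]:
        """Dynamic addresses: the range minus exclusions and static reservations."""
        reserved = self.excluded | set(self.static.values())
        return [n for n in range(self.begin, self.end + 1) if n not in reserved]

    def request(self, mac: str, now: float) -> Optional[str]:
        """Answer a request from `mac` at time `now`; None means no address (NAK)."""
        mac = mac.lower()
        if mac in self.static:                          # a static lease always wins
            return str(IPv4(self.static[mac]))
        if mac in self.leases:                          # same MAC gets the same address back
            addr, _ = self.leases[mac]
            self.leases[mac] = (addr, now + self.lease_duration)
            return str(IPv4(addr))
        in_use = {a for a, _ in self.leases.values()}
        free = [n for n in self.assignable() if n not in in_use]
        if not free:
            # Only when the pool is exhausted is an expired lease taken from another host.
            expired = sorted((exp, m) for m, (_, exp) in self.leases.items() if exp <= now)
            if not expired:
                return None
            _, victim = expired[0]
            free = [self.leases.pop(victim)[0]]
        self.leases[mac] = (free[0], now + self.lease_duration)
        return str(IPv4(free[0]))


def demo() -> List[Optional[str]]:
    """Walk a constructed sequence of requests and return the answers in order."""
    pool = DhcpPool("10.10.10.4", "10.10.10.10", lease_duration=600,
                    exclusions=[("10.10.10.6", "10.10.10.7")],
                    static_leases={"00:11:22:33:44:99": "10.10.10.9"})  # constructed print server
    a, b, c, d, e = ("00:11:22:33:44:0a", "00:11:22:33:44:0b", "00:11:22:33:44:0c",
                     "00:11:22:33:44:0d", "00:11:22:33:44:0e")
    return [
        pool.request(a, 0),                    # 10.10.10.4
        pool.request(b, 0),                    # 10.10.10.5
        pool.request(a, 100),                  # 10.10.10.4 again (same MAC, renewal)
        pool.request("00:11:22:33:44:99", 0),  # 10.10.10.9 (static lease)
        pool.request(c, 0),                    # 10.10.10.8 (.6/.7 excluded, .9 reserved)
        pool.request(d, 0),                    # 10.10.10.10
        pool.request(e, 200),                  # None: pool full, nothing expired yet
        pool.request(e, 650),                  # 10.10.10.5: b's lease expired at 600 and is reused
    ]


if __name__ == "__main__":
    print(demo())
```

The last two requests show the one case the page calls out: a returning MAC loses its old address only when more clients than addresses exist and an expired lease has been given to someone else.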

DHCPv4


Figure 3.10a: DHCPv4 Server Setup

Table 3.12a: DHCPv4 Setup

Disable: Disable this DHCP IP address pool.
Type: Select DHCPv4.
Description: User-defined description of the IP address pool.
Beginning Address: First IP address of the pool’s range.
Ending Address: Last IP address of the pool’s range.
Netmask: Subnet mask used to divide hosts into network groups.
Lease Duration: Maximum length of time the assigned IP address may be used before renewal. A client must negotiate IP address renewal before the expiration of the lease, or quit using the IP address.

Options
Default Gateway: Gateway (default route) given to DHCP clients. For hosts located behind a firewall (on protected or PSNs) this will be the IP address of the firewall’s corresponding interface.
Domain Name: DNS domain name, typically that of the local network.
Name Server IP Address: IP address of a DNS server that will be issued to the requesting client. This can be any valid server: a local server, such as the built-in DNS Server, or a remote server, such as one located at an ISP. Up to three name servers can be defined.
WINS Server IP Address: IP address of the WINS server that will be issued to the requesting client. Up to three WINS servers can be defined.
Network Time: IP address of the network time server that will be issued to the requesting client. Up to three network time servers can be defined.

Advanced
MTU: Maximum Transmission Unit. The MTU size determines the greatest packet size that can be transmitted by the DHCP service. A value of 0 means the field is ignored.
TFTP Server: Enter the TFTP server for transferring data.

Advanced: Static Leases
Disable: Disables the selected row.
Host Name: The host name to be used by the static lease.
IP Address: The desired IP address to be statically leased to the host.
MAC Address: The host’s MAC address.
Description: A description of the host’s static lease.

Advanced: Exclusion Ranges
Exclusion Ranges: Define up to five address ranges to exclude from each DHCP range. To exclude a single IP address, enter it in both the beginning and ending address fields.


DHCPv6

The IPv6 DHCP Server requires that the firewall be configured for prefix advertisement. For more information, see the Configuring IPv6 Guide.

To configure the DHCP server, navigate to Configure>Services>DHCP>Server and choose DHCPv6 in the TYPE pulldown.

Figure 3.10b: DHCPv6 Server Setup

Table 3.12b: DHCPv6 Setup

Disable: Disable this DHCP IP address pool.
Type: Select DHCPv6.
Description: User-defined description of the IP address pool.
Beginning Address: First IP address of the pool’s range.
Ending Address: Last IP address of the pool’s range.
Prefix Length: Define the prefix length.
Lease Duration: Maximum length of time the assigned IP address may be used before renewal. A client must negotiate IP address renewal before the expiration of the lease, or quit using the IP address.

Options
Domain Name: DNS domain name, typically that of the local network.
Name Server IP Address: IP address of a DNS server that will be issued to the requesting client. This can be any valid server: a local server, such as the built-in DNS Server, or a remote server, such as one located at an ISP. Up to three name servers can be defined.

Advanced: Static Leases
Disable: Disables the selected row.
Host Name: The host name to be used by the static lease.
IP Address: The desired IP address to be statically leased to the host.
Client DUID: Enter the client’s DHCP unique identifier.
Description: A description of the host’s static lease.

Advanced: Exclusion Ranges
Exclusion Ranges: Define up to five address ranges to exclude from each DHCP range. To exclude a single IP address, enter it in both the beginning and ending address fields.


DHCP Relay

The DHCP Relay screen is used to relay DHCP (Dynamic Host Configuration Protocol) traffic through the firewall. GB-OS 5.3.2 and above supports DHCP relay based on RFC3046 and RFC2131. RFC 5107 is not supported.

DHCP Relay Requirements

• GB-OS v5.3.2 or above
• DHCP server with a scope assigned to the same network as the GTA firewall interface upon which the broadcast messages arrive.
• If the firewall will be the default route for the host receiving DHCP addresses, the DHCP server must assign the firewall interface IP which received the client broadcast messages as the router or gateway.

Example DHCP Relay

The example below displays a Protected Zone to Protected Zone connection. The firewall IP address on the DHCP client network is 192.168.1.254/24. The DHCP server, 192.168.71.1, is configured to assign addresses from the range (scope) 192.168.1.5 – 192.168.1.25 with a netmask of 255.255.255.0 (24 bits) and default gateway of 192.168.1.254.


Figure 3.11: Example DHCP Relay Setup with a Protected Zone to Protected Zone Connection.


Note

DHCP server and DHCP Relay are mutually exclusive. You cannot run both services on the same firewall. You also cannot relay DHCP client requests through an IPSec Tunnel/VPN.

Configuration

1. Navigate to Configure>Services>DHCP>Relay. Check the enable box and enter the DHCP server IP address.

Figure 3.12: DHCP Relay Setup

2. Under Advanced, enable automatic policies to create an automatic inbound policy as needed to accept DHCP responses from the configured DHCP server(s). Example Automatic Policy: Accept notice ANY nolog udp/67->67 from 192.168.71.254 to 192.168.71.1.
3. Select the type of binding interface.
4. The firewall will listen for DHCP client broadcast messages, change these requests to unicast messages, and then forward them to the configured DHCP server(s).
5. Once the client has a DHCP address, it will connect directly to the DHCP server when the lease is renewed. Outbound security policies will control access between the DHCP client and server. By default, all access is allowed between Zones of type Protected. If a restrictive security policy is in place you may need to add an outbound policy to allow connection to and from the DHCP clients and server(s). Below are examples of these policies:

Figure 3.13: Outbound Security Policies
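Step 4 is the core of what any DHCP relay does on the wire: a client broadcast (BOOTREQUEST, giaddr 0.0.0.0) is stamped with the address of the interface it arrived on, its hop count is incremented, and it is forwarded as a unicast to the server on udp/67; the server then answers to that giaddr on udp/67, which is why the automatic inbound policy above is udp/67->67 from the server. The following byte-level model is an added example and is not GB-OS code. It uses the page's addresses (192.168.1.254 as the firewall interface on the client network, 192.168.71.1 as the server); the transaction ID, client MAC and the RFC 3046 circuit-id string are constructed, and whether GB-OS inserts option 82 at all is not stated on the page, so that part is optional in the model.

```python
"""DHCP relay agent behaviour as a byte-level model: BOOTREQUEST in, giaddr set,
hops incremented, optional RFC 3046 option 82 appended, forwarded unicast to
the server on udp/67 (constructed example, not GB-OS code)."""
import socket
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields: op..giaddr, chaddr, sname, file
HDR_LEN = struct.calcsize(HDR_FMT)       # 236 bytes
BOOTREQUEST = 1
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255


def build_discover(xid: int, mac: bytes) -> bytes:
    """A minimal broadcast DHCPDISCOVER as a client sends it (giaddr = 0.0.0.0)."""
    zero4 = b"\0" * 4
    fixed = struct.pack(HDR_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast bit
                        zero4, zero4, zero4, zero4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1]) + bytes([OPT_END])


def parse(packet: bytes) -> Dict:
    """Decode the fields a relay cares about plus the option list."""
    f = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    options: Dict[int, bytes] = {}
    i = HDR_LEN + len(MAGIC_COOKIE)
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": socket.inet_ntoa(f[10]), "options": options}


def relay_request(packet: bytes, relay_iface_ip: str, server_ip: str,
                  circuit_id: Optional[bytes] = None) -> Tuple[bytes, Tuple[str, int], int]:
    """Rewrite a client broadcast into the unicast the relay sends to the server.
    Returns (packet, (dst_ip, dst_port), src_port)."""
    info = parse(packet)
    if info["op"] != BOOTREQUEST:
        raise ValueError("only client requests are relayed toward the server")
    if info["hops"] >= 16:
        raise ValueError("hop count too high; drop")        # RFC 1542 relay rule
    out = bytearray(packet)
    out[3] = info["hops"] + 1
    if info["giaddr"] == "0.0.0.0":        # first relay stamps the interface the broadcast hit
        out[24:28] = socket.inet_aton(relay_iface_ip)
    if circuit_id is not None:             # RFC 3046 relay agent information, sub-option 1
        if out[-1] != OPT_END:
            raise ValueError("malformed option list")
        sub = bytes([1, len(circuit_id)]) + circuit_id
        out[-1:] = bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])
    return bytes(out), (server_ip, 67), 67


def reply_destination(relayed: bytes) -> Tuple[str, int]:
    """Where the server sends its reply: the relay address in giaddr, udp/67."""
    return parse(relayed)["giaddr"], 67


if __name__ == "__main__":
    pkt = build_discover(0x3903F326, bytes.fromhex("001122334455"))   # constructed xid and MAC
    relayed, dst, sport = relay_request(pkt, "192.168.1.254", "192.168.71.1", b"protected-1")
    print(parse(relayed)["giaddr"], dst, sport, reply_destination(relayed))
```

Because the server's reply is addressed to giaddr rather than to the client, the firewall must accept that unicast on the interface facing the server; that is the inbound policy the page generates automatically. Renewals, by contrast, are sent by the client directly to the server's unicast address and never pass through this code path, which is why the next subsection deals with them separately.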

PSN to Protected DHCP Relay

If the DHCP Server is located on an interface whose ZONE is Protected and the clients are on an interface whose ZONE is PSN or External, the client will receive an initial lease; however, renewals will fail. The firewall will log "Invalid NAT request".

Example Block Message:


Jun 29 09:27:02 pri=4 pol_action=block count=3 msg="Invalid NAT request" duration=11 proto=67/udp src=192.168.1.15 srcport=68 dst=192.168.41.203 dstport=67 interface="Avlan1" attribute=alarm
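The block message has a recognisable shape: a unicast renewal from the client (srcport=68) to the DHCP server (dstport=67) that the firewall rejected as an invalid NAT request. The following is an added example, not GB-OS code, that parses the firewall's key=value log format and flags exactly that pattern so the symptom can be spotted before users start losing leases. It assumes the log key is spelled `pol_action` (the page's copy shows it with stray spaces) and that values with spaces are double-quoted; the first sample line mirrors the page's message, the other two lines are constructed so the filter has something to ignore.

```python
"""Parse GB-OS key=value log lines and flag DHCP renewals blocked as invalid NAT
requests (added example; log key names assumed from the page's sample)."""
import re
from typing import Dict, List, Optional

_TS = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(.*)$")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_gbos_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'Mon DD HH:MM:SS key=value key="quoted value" ...' into a dict."""
    m = _TS.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group(1)}
    for key, quoted, bare in _KV.findall(m.group(2)):
        rec[key] = quoted if quoted else bare
    return rec


def blocked_dhcp_renewals(lines: List[str]) -> List[Dict[str, str]]:
    """Findings for client->server DHCP traffic (udp/68 -> udp/67) blocked as an
    invalid NAT request: the PSN/External-to-Protected renewal failure above."""
    findings = []
    for line in lines:
        rec = parse_gbos_line(line)
        if not rec:
            continue
        if (rec.get("pol_action") == "block"
                and rec.get("msg") == "Invalid NAT request"
                and rec.get("proto") == "67/udp"
                and rec.get("srcport") == "68"
                and rec.get("dstport") == "67"):
            findings.append({
                "when": rec["timestamp"],
                "client": rec.get("src", "?"),
                "server": rec.get("dst", "?"),
                "interface": rec.get("interface", "?"),
                "count": rec.get("count", "1"),
            })
    return findings


# Constructed sample: line 1 mirrors the page's block message, lines 2 and 3 are noise.
SAMPLE_LOG = [
    'Jun 29 09:27:02 pri=4 pol_action=block count=3 msg="Invalid NAT request" duration=11 '
    'proto=67/udp src=192.168.1.15 srcport=68 dst=192.168.41.203 dstport=67 '
    'interface="Avlan1" attribute=alarm',
    'Jun 29 09:27:05 pri=6 pol_action=accept count=1 msg="Accept" proto=67/udp '
    'src=192.168.1.15 srcport=68 dst=255.255.255.255 dstport=67 interface="Avlan1"',
    'Jun 29 09:28:10 pri=4 pol_action=block count=1 msg="Invalid NAT request" proto=443/tcp '
    'src=192.168.1.20 srcport=51234 dst=203.0.113.9 dstport=443 interface="Avlan1"',
]


if __name__ == "__main__":
    for f in blocked_dhcp_renewals(SAMPLE_LOG):
        print(f"{f['when']}: {f['client']} -> {f['server']} on {f['interface']} "
              f"blocked {f['count']}x; check Pass Through host/network and policy")
```

A finding names the client, the server it tried to renew with, and the interface the request arrived on, which are the three values needed to write the Pass Through host/network entry and policy described below.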

Note

GTA firewalls configured for DHCP relay will pass the DHCP server options such as NTP, DNS and others. More than one DHCP server can be configured for relay by creating an address object with the DHCP server addresses and then referencing it in the Servers object.

By default, connections from a PSN or External Network to an internal network whose zone is Protected are not allowed. In addition, connections from a PSN zone to another PSN zone are not allowed.

The initial connection to the DHCP server is handled by the firewall DHCP relay server. The client broadcast messages are converted to unicast messages and directed to the DHCP server. Once the initial lease is handed out to the client, the client will send a renewal request directly to the DHCP server. If the client is on a PSN or an External network it will attempt to connect directly to the DHCP server, resulting in an invalid NAT request.

Resolution to this issue is to remove Network Address Translation from the DHCP server going to the PSN or External network. This is configured in Configure>Network>Pass Through>Host/Networks. Next, add a Security Policy to allow access for DHCP requests to the server. This is located in Configure>Security Policies>Pass Through.

Example of the Host Networks and Pass Through Policy to allow DHCP relay from a PSN client to a DHCP server on Protected or another PSN network:

Figure 3.14: Configuring Hosts/Networks and Pass Through Policies for DHCP Relay

A common problem is that the DHCP client’s initial DHCP request will work, however, the renewals will fail. To correct:

1. Confirm the DHCP server(s) can route correctly to the DHCP client network. If the DHCP server gateway does not point to the firewall performing the DHCP relay service, static routes MAY need to be added to the DHCP server, or to the DHCP server’s gateway, to correctly route to the DHCP client network.


2. Confirm the gateway option assigned to the client is the firewall’s local interface that receives the DHCP client broadcast messages.

Dynamic DNS Setup

Dynamic DNS automates the process of advising DNS servers when the dynamically assigned IP address for a network device is changed, ensuring that a specific domain name always points to the correct IP address. The domain name tracks the dynamic address so that other users on the Internet can easily reach the domain, allowing you to host a Web site, FTP or email server even when your IP address is dynamic.

The Dynamic DNS service allows you to publish your new dynamic IP address by using one of the following services from the SERVICE pull down menu:

• DynDNS (www.dyndns.com)
• DyNU (www.dynu.com)
• ChangeIP (www.changeip.com)
• EasyDNS (web.easydns.com)
• No-IP (www.no-ip.com)

Note

To sign up for the Dynamic DNS services and for more information on Dynamic DNS, see the provider’s Web site.

The firewall will send its current external IP address to the selected service each time the IP address changes, or once a month, whichever comes first.

To configure Dynamic DNS, navigate to Configure>Services>Dynamic DNS and toggle the ENABLE check box to enable the service. Select NEW to create a new Dynamic DNS definition or select EDIT to modify a pre-defined one.

Figure 3.15: Confi guring Dynamic DNS

Table 3.13: Dynamic DNS Setup

Disable: Disables the Dynamic DNS service.
Description: Enter a description of the Dynamic DNS service.
Host Name: The host name registered with the Dynamic DNS service that will be updated.
Interface: A selection for the interface to have Dynamic DNS applied to it.
Service: A selection for the Dynamic DNS service provider. An active account with the selected service provider is required.
Login User Name: The user name registered with your Dynamic DNS service provider.
Login Password: The password associated with the registered user name. Once entered, this field will be obscured. Select modify to enter a new password.


DNS Server Setup

The DNS (Domain Name System) service translates alphanumeric server names into IP addresses. Each time a server name is used, the DNS service must translate the name into its corresponding IP address. For example, the server name example.com might translate to 204.96.115.2.

In this section, configuration of the DNS server will be explained. To learn more about setting up a DNS proxy, as well as the advantages and disadvantages of running a DNS proxy versus a DNS server, see DNS Setup in Basic Setup Tasks.

Note

GTA recommends a thorough knowledge of the domain name system before configuring any DNS server. One reference is DNS and Bind, 5th Edition, by Paul Albitz & Cricket Liu, published by O’Reilly and Associates.

Note

On select GTA firewalls, the DNS Server is an option and requires an activation code. See your product specifications for more information.

Configuring the DNS Server

The DNS server allows the firewall to function as a primary domain name server, maintaining a database of domain names and IP addresses of hosts where those domains reside.

See Configuring the DNS Proxy in Basic Setup Tasks to configure the firewall as a DNS proxy if an internal DNS server is not necessary.

To set up the DNS server, navigate to Configure>Services>DNS. Select NEW to create a new DNS server definition or select EDIT to modify a pre-defined one.

Figure 3.16: Configuring the DNS Server


Table 3.14: Configuring the DNS Server

Name Servers
Enable: Enables the name servers listed in this section. Disabled by default.
IP Address: IP address(es) of the external DNS server(s) that will provide records for your external hosts.
Primary Domain Name: Primary domain name used for the network (e.g., example.com).

DNS
Enable: Enables the selected DNS service. DNS Proxy is selected by default.
Service: To configure the DNS server, select the DNS server option to allow hosts to use the firewall as a DNS resolver.

Advanced
Automatic Policies: Enable to have the firewall generate automatic policies to allow the use of the DNS server. Enabled by default.
Cache: Configure the DNS cache value. Default is 168 hours.

DNS Server
Server Name: Host name of your DNS server. This may be the host name assigned to your firewall. When configuring an external DNS server, this will be the Internet-apparent host name. The host name should be listed as a host in the DNS Domain screen or tab.
Secondary Server Names: Host names of DNS servers acting as alternate name servers for the domain.
Forwarders: Allows the DNS server to act as a proxy and forward DNS lookups to other DNS servers.
Trusted Networks: Networks or IP addresses allowed to make recursive DNS queries through this server.
Email Contact: Email address of the primary contact for the domain.

Domains
Create New: Click the link to create new DNS domains.

Advanced: Subnets
Network IP Address: Network address/subnet mask of the desired subnet. Class C: /24 (255.255.255.0) and Class B: /16 (255.255.0.0) are commonly used networks.
Reverse Zone Name: Optional name used by reverse DNS, which looks up an IP address to obtain a domain name and confirm a DNS record. The firewall can determine the zone name automatically if the subnet uses a Class A, B or C subnet mask. Reverse zone names are typically assigned by your ISP.


Creating DNS DomainsThe DNS Domain screen allows the user to defi ne host names and associated IP addresses (A records), aliases (CNAME records) and email exchangers (MX records) for the selected domain.

Select NEW to create a new DNS domain or select EDIT to modify a pre-defi ned DNS domain.

Figure 3.17: Creating DNS Domains

Table 3.15: DNS Server Setup

Field Description

Disable Disables the domain defi nition so the zone will not be served by the DNS server.

Domain Name Domain name of the defi ned zone (e.g., example.com)

Description Description of the domain for reference.

IP Address IP address of a host to respond to the zone name. A host can have the same name as the zone, e.g., example.com, meaning that if you have a Web server, a visitor can use the zone name rather than the Web server’s host name.

Mail Exchangers When a remote system sends mail to a domain, it will query a DNS server to determine which IP addresses are designated to accept email for the zone. The Mail Exchanger (MX) fi elds defi ne the mail servers for the domain. When there is more than one email exchanger, the order of preference is specifi ed by entering the preferred server in the fi rst fi eld, followed by the second and third entry. The fi rst mail exchanger will be priority 5, the second priority 10 and the third priority 15.

SPF Enter a SPF (Sender Policy Framework) record. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specifi c SPF record (or TXT record) in DNS.

TXT Enter a DNS text entry record.

Hosts

Disable Disables the host entry.

RDNS Optional name used by reverse DNS (RDNS), which looks up an IP address to obtain a domain name and confi rm a DNS record. The fi rewall can determine the zone name automatically if the subnet uses a Class A, B or C subnet mask. Reverse zone names are often assigned by your ISP.

IP Address IP address of the host.

Host Names Primary host name in the fi rst fi eld and aliases in succeeding fi elds. The domain portion of the host name should not be entered. For example, enter mail instead of mail.example.com.To defi ne more than two aliases, repeat the host’s IP address in the next row.

TXT DNS text entry record.
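The following is an added example, not GB-OS code, showing what the DNS domain form above amounts to once served: it turns a domain definition (zone name, address for the zone name, up to three mail exchangers with priorities 5, 10 and 15, an SPF record, and host rows entered without the domain part) into zone-file records, and checks an SPF record for the two mistakes that make it worthless. The class and function names, and the choice to serve aliases as extra A records rather than CNAMEs, are assumptions; the addresses are constructed documentation values.

```python
"""Resource records implied by one GB-OS DNS domain definition.

Added example, not GB-OS code. It models the table fields above: the
zone name, an optional address for the zone name itself, up to three mail
exchangers that get MX priorities 5, 10 and 15 in the order entered, an
SPF record, a TXT record and host rows (primary name plus aliases,
entered without the domain part). Output is zone-file text so the result
can be compared against what the DNS server actually answers.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MX_PRIORITIES = (5, 10, 15)  # first entry 5, second 10, third 15, as the guide states


@dataclass
class HostEntry:
    ip: str
    names: List[str]           # primary host name first, then aliases, no domain part
    disabled: bool = False


@dataclass
class DnsDomain:
    name: str
    ip: Optional[str] = None
    mail_exchangers: List[str] = field(default_factory=list)
    spf: Optional[str] = None
    txt: Optional[str] = None
    hosts: List[HostEntry] = field(default_factory=list)
    disabled: bool = False


def build_zone_records(domain: DnsDomain) -> List[str]:
    """Return the records for one domain as zone-file lines (empty if disabled)."""
    if domain.disabled:
        return []  # a disabled domain is not served at all
    if len(domain.mail_exchangers) > len(MX_PRIORITIES):
        raise ValueError("the form has room for three mail exchangers")
    apex = domain.name.rstrip(".") + "."
    records: List[str] = []
    if domain.ip:
        records.append(f"{apex} IN A {domain.ip}")
    for prio, mx in zip(MX_PRIORITIES, domain.mail_exchangers):
        records.append(f"{apex} IN MX {prio} {mx.rstrip('.')}.")
    if domain.spf:
        records.append(f'{apex} IN TXT "{domain.spf}"')
    if domain.txt:
        records.append(f'{apex} IN TXT "{domain.txt}"')
    for host in domain.hosts:
        if host.disabled:
            continue
        for name in host.names:
            if "." in name:
                raise ValueError(f"enter host names without the domain part: {name}")
            # Assumption: aliases are served as additional A records for the
            # same address; the guide does not say whether CNAMEs are used.
            records.append(f"{name}.{apex} IN A {host.ip}")
    return records


def spf_warnings(spf: str) -> List[str]:
    """Flag SPF mistakes that make the record useless before it is published."""
    terms = spf.split()
    warnings: List[str] = []
    if not terms or terms[0].lower() != "v=spf1":
        warnings.append("record must start with v=spf1")
    all_terms = [t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        warnings.append("no 'all' mechanism: unlisted senders evaluate to Neutral")
    elif all_terms[-1] in ("all", "+all"):
        warnings.append("'+all' passes every sender, so the record authorises nothing")
    return warnings


# Constructed sample matching the form fields (documentation addresses only).
EXAMPLE_DOMAIN = DnsDomain(
    name="example.com",
    ip="192.0.2.10",
    mail_exchangers=["mail1.example.com", "mail2.example.com"],
    spf="v=spf1 mx -all",
    hosts=[HostEntry("192.0.2.25", ["mail", "smtp"]),
           HostEntry("192.0.2.10", ["www"])],
)

if __name__ == "__main__":
    for line in build_zone_records(EXAMPLE_DOMAIN):
        print(line)
    print(spf_warnings(EXAMPLE_DOMAIN.spf))
```

Running the module prints the records for the constructed domain; comparing that list with a `dig` of the zone from outside is a quick way to confirm the firewall serves exactly what was entered and nothing else.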

Page 88: 6.2 Users Guide - gta.com · DHCP Relay ... Anti-Spam ... Performing a Manual Software Update

88

GB-OS 6.2 User’s Guide

Chapter 3: Advanced Setup Tasks

Routing Traffic

Traffic routing is based upon the combined configuration of aliases, tunnels, pass through policies, RIP (Routing Information Protocol), and gateways.

Note

Any packet that goes through the firewall will use the firewall’s routing tables. If Configure>Network>Routing>Gateway Policies POLICY BASED ROUTING and appropriate firewall policies dictate, the default gateway may also be altered.

Alias Setup

Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface.

Aliases are especially useful on the external network interface, or if multiple hosts on the PSN or protected network are required for the same service via a tunnel (e.g., multiple internal Web servers that all serve content to the external network). Aliases used on an external interface attached to the Internet must be legitimate, registered IP addresses. An alias does not need to have the same subnet as the real IP address, since the GTA firewall will route packets between all networks to which it is logically attached.

Note

See product specifications for the maximum number of IP aliases available on a specific model.

To configure aliases, navigate to Configure>Network>Interfaces>Aliases. Select NEW to create a new alias or select EDIT to modify a pre-defined alias.

Figure 3.18: Alias Setup

Table 3.16: Aliases

Field Name Description

Disable A toggle for whether the alias should be disabled or not. Default is off.

Name A unique name to identify the alias elsewhere in the firewall’s configuration. Alias names may not use a number as the first character.

Description A short description to identify the function of the alias.

Interface The interface the alias will be applied to.

IP Address The IP address of the alias.


NAT Setup

Network Address Translation (NAT) translates an IP address behind the firewall to the IP address of the external network interface, disguising the original IP address. Using NAT makes it possible to use a non-registered IP address within protected networks and PSNs, while still presenting a registered IP address to the external network (typically the Internet).

NAT is active by default on all GTA firewalls.

NAT is applied to outbound packets from:

• A protected network to an external network
• A protected network to a PSN
• A PSN to an external network
• A protected network to another protected network

NAT is available in two forms: dynamic and static, which are referred to as default NAT and static mapping. If needed, NAT can be bypassed by using pass through policies.

Creating Inbound Tunnels

Inbound tunnels allow external hosts to initiate connections with internal hosts using service groups (e.g., TCP, UDP or ICMP). Normally the firewall blocks all inbound traffic to the internal networks. Tunnels allow, for example, computers such as Web (service group HTTP) servers on a PSN to be accessible from the Internet.

Note

See product specifications for the number of tunnels available on a specific model.

Tunnels can be defined for traffic from either external networks or the PSN. Tunnels are typically used with inbound connections; they are not normally used for traffic originating from a protected network interface, which is by default allowed access to the other logical network types without use of a tunnel.

Tunnels can be created for these inbound connections:

• From an external network interface to a host on a PSN
• From an external network interface to a host on a protected network
• From a PSN interface to a host on a protected network

Tunnels are defined by an interface, service and an internal destination IP address. The external and internal destination port of the tunnel definition need not be the same; it is possible to provide access to multiple hosts for the same service using a single IP address. For example, telnet operates on port 23, but a tunnel could be defined with an external destination port of 99 and an internal destination port of 23.

Only the external destination side of the tunnel is visible. Since tunnels transparently forward the connection using NAT, a user on the external network side will never see the ultimate destination of the tunnel. The tunnel appears to be a service operating on the firewall to the connecting host.

If a tunnel originates from an IP alias address, you may need to map the destination host to the IP alias using static address mapping so that secondary connections appear to originate from the same address as the tunnel.

To create an inbound tunnel:

1. Navigate to Configure>Network>NAT>Inbound Tunnels and click the NEW icon to create a new inbound tunnel.

2. Select the SERVICE the tunnel will use from the drop down list. In the FROM field, select the address object that represents the source interface for the beginning of the tunnel. In the TO field, select the address object that represents the destination IP address for the end of the tunnel.


3. Unless disabled, AUTOMATIC POLICY will generate policies to allow connection to the inbound tunnel. Otherwise, allow access to the inbound tunnel by using an inbound policy. A tunnel is a mapping from one IP address/port to another IP address/port, allowing the connection to be properly routed. However, the tunnel will not be usable unless an appropriate policy on the firewall allows the connection to be made in the first place.

Note

An asterisk (*) appearing on the far left of the list icons for an inbound tunnel indicates the inbound tunnel contains an inactive time-based policy. To resolve, select a valid time-group for the inbound tunnel.

Figure 3.19: Creating Inbound Tunnels

Table 3.17: Inbound Tunnels

Field Name Description

Disable A toggle for whether the inbound tunnel should be disabled or not. Default is off.

Description A short description to identify the function of the inbound tunnel.

Service Select the IP Protocol to be used by the inbound tunnel.

From Select the interface or alias for the beginning of the tunnel.

To Select the internal destination address of the tunnel. Select <USER DEFINED> to manually define the tunnel’s destination. Selecting * EDIT * allows you to create a new address object.

Advanced

Automatic Policy A toggle for whether the firewall should automatically accept all traffic for the tunnel regardless of configured policies. Disabling this check box renders the Options and Traffic Shaping configuration settings uneditable.

Hide Source Hides the source of the inbound tunnel connection. Hiding the source of the inbound tunnel can be useful for getting around some internal routing conflicts. Normally, hiding the inbound tunnel’s source is not required.

Options


Authentication Required Authentication allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection.

IPS A toggle for whether traffic travelling along the inbound tunnel should be checked against configured Intrusion Prevention policies. See Intrusion Prevention System in the Threat Management chapter for more information.

Source A selection for the source of the inbound tunnel. Select <* EDIT *> to define a new address object.

SYN Cookies A toggle for whether TCP SYN Cookies should be used or not.

Time Group A selection for which, if any, time group the inbound tunnel options will be applied.

Traffic Shaping

Policy Select the traffic shaping policy to be used. See Applying Traffic Shaping for more information.

Weight Select the weight of the allocation for the inbound tunnel’s bandwidth. A weight of 10 has the highest priority, a weight of 1 has the lowest. If the AUTOMATIC ACCEPT ALL POLICY check box has been disabled, this field will be uneditable.
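The following is an added example, not GB-OS code, that models the inbound tunnel behaviour described in this section: a tunnel listens on an interface or alias address for one service, rewrites the destination to the internal host (with an internal port that may differ from the external one, as in the port 99 to port 23 case), and is only usable once either its automatic policy or an explicit inbound policy accepts the connection. Class and function names are illustrative, the policy representation is a simplification, and all addresses are constructed documentation values.

```python
"""How an inbound tunnel forwards a connection, and why it still needs a policy.

Added example, not GB-OS code; the class and function names are
illustrative. A tunnel maps the address it listens on plus a service to
an internal host, and the internal port may differ from the external one
(the guide's external port 99 to internal port 23 case). A connecting
host only ever sees the firewall's address. The mapping is applied only
after something accepts the packet: the tunnel's automatic policy, or an
explicit inbound policy when automatic policy has been disabled.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class InboundTunnel:
    from_addr: str            # interface or alias address the tunnel listens on
    proto: str                # "tcp" or "udp"
    external_port: int
    to_addr: str              # internal destination host
    internal_port: int
    automatic_policy: bool = True
    disabled: bool = False


@dataclass(frozen=True)
class Connection:
    proto: str
    src: str
    dst: str
    dport: int


# An explicit inbound policy, modelled as (proto, destination address, port).
Policy = Tuple[str, str, int]


def match_tunnel(conn: Connection, tunnels: List[InboundTunnel]) -> Optional[InboundTunnel]:
    """First enabled tunnel whose listening address, protocol and port match."""
    for t in tunnels:
        if t.disabled:
            continue
        if (t.proto, t.from_addr, t.external_port) == (conn.proto, conn.dst, conn.dport):
            return t
    return None


def forward(conn: Connection, tunnels: List[InboundTunnel],
            inbound_policies: Set[Policy]) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Return ("accept", (internal_host, internal_port)) or ("deny", None)."""
    t = match_tunnel(conn, tunnels)
    if t is None:
        return ("deny", None)  # no tunnel: inbound traffic is blocked by default
    allowed = t.automatic_policy or (conn.proto, conn.dst, conn.dport) in inbound_policies
    if not allowed:
        return ("deny", None)  # the mapping exists but nothing lets the connection in
    return ("accept", (t.to_addr, t.internal_port))


def exposed_services(tunnels: List[InboundTunnel]) -> Set[Tuple[str, str, int]]:
    """What an outside host can see: (address, proto, port) on the firewall.

    Useful for reconciling the tunnel list against an external inventory;
    the internal destinations never appear here.
    """
    return {(t.from_addr, t.proto, t.external_port) for t in tunnels if not t.disabled}


# Constructed sample: documentation addresses only.
TUNNELS = [
    InboundTunnel("198.51.100.1", "tcp", 99, "10.0.0.5", 23),   # telnet behind a non-standard port
    InboundTunnel("198.51.100.1", "tcp", 80, "10.0.0.7", 80, automatic_policy=False),
    InboundTunnel("198.51.100.1", "tcp", 8080, "10.0.0.8", 80, disabled=True),
]

if __name__ == "__main__":
    conn = Connection("tcp", "203.0.113.9", "198.51.100.1", 99)
    print(forward(conn, TUNNELS, set()))
    print(sorted(exposed_services(TUNNELS)))
```

The second tunnel in the sample has automatic policy turned off, so it is denied until an inbound policy for the firewall-side address and port exists; that is the situation step 3 above describes. The `exposed_services` list is what to compare with an external port inventory, since the internal hosts are never visible from outside.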

Creating Static Mappings

Static mapping allows an internal IP address, subnet, alias or interface to be statically mapped to an external IP address during NAT. By default, all IP addresses on the protected networks and PSNs are dynamically assigned to the primary IP address of the outbound network interface. Static address mapping is used when it is desirable to statically assign the IP address used in NAT.

Note

See product specifications for the number of static mappings available on a specific model.

To use static address mapping, first assign at least one IP alias to the desired outbound network interface (external network interface or PSN interface).

• Mapping is only associated with outbound connections
• Map definitions may be for a single host or a subnet

To configure static mapping, navigate to Configure>Network>NAT>Static Mapping. Select NEW to create a new static mapping or select EDIT to modify a pre-defined static mapping.

Figure 3.20: Creating Static Mappings


Table 3.18: Static Mappings

Field Name Description

Disable A toggle for whether the static mapping should be disabled or not. Default is off.

Description A short description to identify the function of the static mapping.

Service A selection to specify a service group to statically map to an Alias.

From Select the address object that will be mapped.

NAT Select the interface representing the IP address to which the source will be mapped.

Destination Select the address object that will correspond to a destination IP address.

Allowing Static Mapping

Static mapping is allowed in the following cases:

• From a host or subnet on the protected network to an IP alias assigned to the PSN interface
• From a host or subnet on the protected network to an IP alias assigned to the external network interface
• From a host or subnet on the PSN to an IP alias assigned to the external network interface

Pass Through Setup

Functions in the Configure>Network>Pass Through section allow the user to route connections through the firewall, thus bypassing NAT. Pass through security policies (found in Configure>Security Policies>Pass Through) control what connections are allowed to be passed through the firewall.

Note

By default, all outbound connections destined for external or PSN networks are NAT’d to the IP address of the external or PSN interface. Pass through bypasses this default NAT.

NAT is not performed on inbound pass through connections, from the external network to the PSN or protected network, or from the PSN to the protected network. Pass through policies support all IP protocols.

Pass through can define traffic without NAT for a host on a:

• Protected network to a host on another protected network
• Protected network outbound through a PSN and external interface
• Protected network outbound through a PSN interface only
• Protected network outbound through an external interface only
• PSN outbound through an external interface only

A pass through security policy requires:

• Defined IP addresses in Hosts/Networks (Configure>Network>Pass Through>Hosts/Networks)
• Internal hosts to have a routable address on the subnet if the traffic goes to the Internet through the external interface
• A pass through security policy allowing connections to flow from and/or to the internal IP address

Note

By default, inbound traffic will not know how to route back to reach the internal pass through hosts. To allow inbound traffic to pass through hosts, add a static route to the gateway (Internet router) that routes packets for the pass through hosts through the firewall’s external interface.


Note

If an IP address in a pass through policy uses the external network or protected network interface as a routable address with the Internet, the IP address must be registered.

See RFC 1918 for more information (http://ietf.org/rfc/rfc1918.txt).

By default, pass through policies are configured for outbound traffic only. Stateful packet inspection information is maintained for outbound sessions originating from hosts on a PSN or a protected network, guaranteeing that only replies to the initiated connections are accepted. If the connection protocol calls for a secondary inbound connection from an external host to the originating internal host, virtual cracks are created to allow the secondary connection. This allows multi-connection protocols such as FTP to be used without arbitrary, semi-permanent inbound connections.

Pass through provides great routing flexibility. For example, with proper pass through policies, the firewall can apply NAT to some traffic (e.g., protected network packets with a destination within the PSN), but not apply NAT to other traffic (e.g., external/Internet traffic).

Security Policies

Pass through security policies control access to and from hosts specified in Hosts/Networks. These policies are different from remote access and outbound policies, since they control both inbound and outbound access, so the firewall functions as either a router or gateway for these IP addresses.

Pass through policies use addresses defined in Hosts/Networks in their definitions, not firewall network interface addresses.

Pass through policies are used in two scenarios:

• When pass through hosts/networks are defined
• When the firewall is using bridging mode

Typically, two policies are required for each host/network IP address: outbound and inbound. If hosts/networks are already defined, the firewall will create a pre-configured inbound/outbound policy pair based on those defined IP addresses. The pre-configured (default) policies vary according to options selected.

Pass through policies are defined in the same manner as remote access or outbound policies, and the rules concerning policy index order and order of evaluation also apply. Denial of all traffic not explicitly allowed applies to pass through policies.

For more information on configuring security policies, see Allowing and Denying Traffic in Basic Setup Tasks and Creating Advanced Allow/Deny Policies later in this chapter.

Creating Pass Through Policy Pairs

Pass through addresses need inbound and outbound policies, one policy for each direction of traffic.

To create a pass through policy pair:

• Create the outbound connection policy by adding a policy. Complete the policy definition in the same manner as an outbound policy, specifying the same source address object as the pass through address. Click OK to save.

• Create the inbound connection by adding an empty policy definition. Define the policy as you would an inbound policy except the destination address object will be the pass through address,


not the IP address on the firewall’s network interface. Click OK to save.

• Once you have completed all the desired pass through policies, click the SAVE button on the policy set to save the policies and apply them to your firewall’s configuration.

• Ensure pass through policies organized above the newly created policies do not supersede them.

Defining Bridged Protocols

Bridged protocols specify any non-IP Ethernet protocols you wish to explicitly allow to bypass all firewall policies between bridged interfaces. (IP protocols on bridged interfaces will still use normal firewall policies.) Requires bridge mode to be configured.

CAUTION

There are no firewall policies applied to protocols that have been allowed in the Bridged Protocols section.

To define a bridged protocol, navigate to Configure>Network>Pass Through>Bridged Protocols.

Figure 3.21: Configuring Bridged Protocols

Table 3.19: Configuring Bridged Protocols

Field Name Description

Disable A toggle for whether the bridged protocol should be disabled or not. Default is off.

Description A short description to identify the bridged protocol.

Type The number of the packet header of the designated protocol. 0x0 is a placeholder for the full hexadecimal protocol type number. Use the 0x prefix when entering a number in hex format.

Allowed Enable this check box to allow the protocol’s traffic on the bridged interface. Disabled by default.

Log Enable to log events of that protocol type. Enabled by default.

Protocol Definitions

Ethernet protocol definitions are generally unpublished, but some protocols in use are well known. For a collection of known Ethernet protocol types, please visit IANA’s Web site at http://www.iana.org/assignments/ethernet-numbers.

To locate a definition for a protocol you need to bridge:

1. Configure the bridged protocol as desired.

2. Log blocked non-TCP/IP traffic on bridged interfaces. By default, this traffic is denied, but not logged. To log this denied traffic, enable logging for DENY UNEXPECTED PACKETS in Configuration>Security Policies>Preferences under Advanced Options. This will generate log messages (found in Monitor>System>Log Messages) containing the protocol types of the IP packets.

3. Enter the protocol’s hexadecimal number with its prefix into the TYPE field. Decimal format numbers can also be entered; they will be displayed in hexadecimal.

4. Defined non-TCP/IP protocol definitions may be enabled and protocol acceptance and logging may be specified on an individual basis. To continue to deny a specific protocol but not log it, enter the protocol number and deselect the ALLOWED and LOG check boxes. To deny a protocol and log the denials, deselect the ALLOWED check box and select the LOG check box. To allow a protocol and not log it, select the ALLOWED check box and deselect the LOG check box.
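The following is an added example, not GB-OS code, that works through the TYPE field and the ALLOWED/LOG combinations from the procedure above: it parses a hexadecimal or decimal protocol number and normalises it to the displayed hex form, evaluates a non-IP frame between bridged interfaces against a table of rows, and lists the rows that allow a protocol without logging it, which is the combination the CAUTION warns about. The IPv4 and IPv6 EtherType constants are well-known IANA values rather than values from the guide; the class names and the sample table (ARP allowed, LLDP denied and logged) are constructed.

```python
"""EtherType handling for the Bridged Protocols table.

Added example, not GB-OS code. The TYPE field takes a hexadecimal number
with the 0x prefix or a decimal number that is then displayed in hex; each
row has ALLOWED and LOG check boxes, and step 4 above lists the
combinations. This code parses and normalises the field and evaluates a
non-IP frame between bridged interfaces against such a table. IP frames
are refused by evaluate_frame because, as the section says, they are
handled by the normal firewall policies rather than by this table.
"""
from dataclasses import dataclass
from typing import List, Tuple

ETHERTYPE_IPV4 = 0x0800   # well-known IANA values, not taken from the guide
ETHERTYPE_IPV6 = 0x86DD


def parse_ethertype(text: str) -> int:
    """Accept '0x0806' or '2054'; reject values that do not fit 16 bits."""
    s = text.strip().lower()
    value = int(s, 16) if s.startswith("0x") else int(s, 10)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"EtherType out of range: {text}")
    return value


def format_ethertype(value: int) -> str:
    """Display form the guide describes: hexadecimal with the 0x prefix."""
    return f"0x{value:04x}"


@dataclass
class BridgedProtocol:
    ethertype: int
    allowed: bool = False   # table default: disabled
    log: bool = True        # table default: enabled
    disabled: bool = False


def evaluate_frame(ethertype: int, table: List[BridgedProtocol],
                   deny_unexpected_logging: bool = False) -> Tuple[str, bool]:
    """Return (action, logged) for a non-IP frame on a bridged interface.

    Unlisted protocols are denied; they are logged only when DENY UNEXPECTED
    PACKETS logging is turned on, which is how step 2 discovers the types.
    """
    if ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        raise ValueError("IP frames are subject to firewall policies, not this table")
    for row in table:
        if row.disabled or row.ethertype != ethertype:
            continue
        return ("allow" if row.allowed else "deny", row.log)
    return ("deny", deny_unexpected_logging)


def allowed_unlogged(table: List[BridgedProtocol]) -> List[str]:
    """Rows that bypass every policy without leaving a log entry; worth reviewing."""
    return [format_ethertype(r.ethertype) for r in table
            if not r.disabled and r.allowed and not r.log]


# Constructed sample table: ARP allowed without logging, LLDP denied and logged.
SAMPLE_TABLE = [
    BridgedProtocol(parse_ethertype("0x0806"), allowed=True, log=False),
    BridgedProtocol(parse_ethertype("35020"), allowed=False, log=True),   # 35020 == 0x88cc
]

if __name__ == "__main__":
    for value in ("0x0806", "2054", "35020"):
        print(value, "->", format_ethertype(parse_ethertype(value)))
    print(evaluate_frame(0x8100, SAMPLE_TABLE, deny_unexpected_logging=True))
    print("allowed without logging:", allowed_unlogged(SAMPLE_TABLE))
```

Entering 2054 and 0x0806 produces the same row, which is what step 3 means by decimal numbers being displayed in hexadecimal. Running `allowed_unlogged` over an exported table is a cheap periodic check that nothing has been allowed across the bridge without a log trail.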


Defining Hosts/Networks

Hosts/Networks specifies an IP address, subnet or network that will not have NAT applied to its traffic. See product specifications for the number of pass through hosts/networks available on a specific model.

Note

A Hosts/Networks entry is not required for pass through in bridging mode because no NAT is applied by definition.

To create a new host or network:

1. Navigate to Configure>Network>Pass Through>Hosts/Networks.

2. In the Hosts/Networks configuration screen, select an object or <USER DEFINED> and enter an IP address (for a single host), IP address with subnet mask (for a subnet), or multiple IP address sets (for a network or multiple non-contiguous hosts) in the HOST field. Single IP addresses use /32 or /255.255.255.255, indicating that there is only one host member of that subnet.

3. Select the DESTINATION INTERFACE that should not apply NAT when outbound IP packets are received. The destination interface is the interface the packet exits through.

4. If unsolicited IP packets should be accepted for the specified address, select the INBOUND check box. If you wish to allow only replies to outbound traffic, deselect INBOUND.

Figure 3.22: Configuring Hosts/Networks

Table 3.20: Configuring Hosts/Networks

Field Name Description

Disable A toggle for whether the host/network should be disabled or not. Default is off.

Description A short description to identify the host/network.

From Select the address object that will be used as the host member.

IP Address If an address object cannot be used, enter the IP address and subnet mask that will be mapped (e.g., to map a single IP address, use a subnet mask of /32 (255.255.255.255)).

Destination Interface Select the destination interface that should not apply NAT when outbound connections are received.

Destination Select the destination address.

Inbound Accepts unsolicited connections from the specified IP address. Disabled by default.
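The following is an added example, not GB-OS code, that ties together NAT Setup, Creating Static Mappings, Allowing Static Mapping and the Hosts/Networks section above by deciding which source address an outbound packet carries: a Hosts/Networks entry for the packet's source and destination interface means no NAT, a static mapping rewrites the source to its alias, and otherwise default NAT uses the outbound interface's primary address. It also rejects a static mapping whose alias is missing or whose direction the guide does not allow. Interface names, zone labels and addresses are constructed; the Service field of a static mapping is left out, and sources may be written as /32 or /255.255.255.255 because Python's `ipaddress` accepts both.

```python
"""Outbound source address selection: pass through, static mapping, default NAT.

Added example, not GB-OS code; interface names, zone labels and addresses
are constructed. It ties together three sections above: NAT Setup (default
NAT to the outbound interface's primary address), Creating Static Mappings
(a host or subnet mapped to an alias, only in the directions Allowing
Static Mapping lists) and Hosts/Networks (entries that bypass NAT on a
given destination interface). The Service field of a static mapping is
left out; sources accept both /32 and /255.255.255.255 notation because
Python's ipaddress does.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

PROTECTED, PSN, EXTERNAL = "protected", "psn", "external"
TRUST = {PROTECTED: 2, PSN: 1, EXTERNAL: 0}   # higher is more trusted


@dataclass
class Interface:
    name: str
    zone: str
    primary_ip: str
    aliases: List[str] = field(default_factory=list)


@dataclass
class StaticMapping:
    source: str          # host or subnet, e.g. "10.0.0.5/32"
    nat_interface: str   # interface carrying the alias
    nat_ip: str          # alias the source is rewritten to
    destination: str = "0.0.0.0/0"
    disabled: bool = False


@dataclass
class PassThroughHost:
    source: str
    destination_interface: str
    destination: str = "0.0.0.0/0"
    disabled: bool = False


def _contains(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def static_mapping_allowed(src_zone: str, alias_zone: str) -> bool:
    """protected -> PSN, protected -> external and PSN -> external only."""
    return TRUST[src_zone] > TRUST[alias_zone]


def validate_static_mapping(m: StaticMapping, ifaces: Dict[str, Interface], src_zone: str) -> None:
    """Reject a mapping the guide says cannot exist; raises ValueError."""
    iface = ifaces[m.nat_interface]
    if m.nat_ip not in iface.aliases:
        raise ValueError(f"{m.nat_ip} is not an alias on {iface.name}; assign the alias first")
    if not static_mapping_allowed(src_zone, iface.zone):
        raise ValueError(f"static mapping from {src_zone} to {iface.zone} is not permitted")


def outbound_source(src: str, dst: str, egress: Interface,
                    mappings: List[StaticMapping], passthrough: List[PassThroughHost]) -> str:
    """Source address the packet carries when it leaves `egress`."""
    for p in passthrough:                       # 1. pass through: no NAT at all
        if (not p.disabled and p.destination_interface == egress.name
                and _contains(p.source, src) and _contains(p.destination, dst)):
            return src
    for m in mappings:                          # 2. static mapping to an alias
        if (not m.disabled and m.nat_interface == egress.name
                and _contains(m.source, src) and _contains(m.destination, dst)):
            return m.nat_ip
    return egress.primary_ip                    # 3. default NAT


# Constructed sample configuration.
IFACES = {
    "ext": Interface("ext", EXTERNAL, "198.51.100.1", aliases=["198.51.100.2"]),
    "psn": Interface("psn", PSN, "172.16.0.1", aliases=["172.16.0.2"]),
}
MAPPINGS = [StaticMapping("10.0.0.5/255.255.255.255", "ext", "198.51.100.2")]
PASSTHROUGH = [PassThroughHost("203.0.113.0/24", "ext")]   # routable hosts behind the firewall

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.9", "203.0.113.7"):
        print(src, "->", outbound_source(src, "192.0.2.80", IFACES["ext"], MAPPINGS, PASSTHROUGH))
```

The order of the three checks is the point: a pass through host keeps its own address (so the upstream router needs a route back, as the Note above says), a statically mapped host leaves with its alias, and everyone else shares the interface's primary address.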


Bridging Interfaces

By bridging interfaces, additional interfaces can be configured to share the IP address from one of the primary interfaces. TCP/IP packets pass between these bridged interfaces according to normal firewall rules on specified ports if allowed by a pass through security policy. Bridging is only supported for IPv4 interfaces.

CAUTION

Packets with TCP/IP Ethernet protocols that have been allowed in Configure>Network>Pass Through>Bridged Protocols can bypass all filtering between bridged interfaces. Allowing unnecessary protocols, or protocols that may contain untrusted traffic, can pose a serious security vulnerability to your network and is not recommended by GTA.

To bridge interfaces:

1. Navigate to Configure>Network>Interfaces>Settings.

2. Select the EDIT button to bridge a previously configured interface or select NEW to create a new interface.

3. In the TYPE field, select Bridge.

4. In the IP ADDRESS field, manually enter the IP address for the bridged interface.

5. Select the VLAN check box if configuring a VLAN interface. The HIGH AVAILABILITY field is disabled in bridge mode.

6. Enter a name for the bridged interface in the NAME field.

7. Select the bridged interface’s ZONE; options are <External>, <Protected> or <PSN>.

8. Select the NIC to associate with the bridged network, such as <eth0>. The pull down menu lists all physical devices.

9. Enter a description to explain the function of the bridged interface.

10. Click OK and then Save.

Figure 3.23: Bridging Interfaces

Table 3.21: Bridging Interfaces

Field Name Description

Disable Select the DISABLE check box to disable the bridged interface.

Type Select Bridge to create a bridged interface.

IP Address Enter the primary IP address that will be bridged.

Name The logical name assigned to the bridged interface.

Zone A selection for the interface’s type. Options are <External>, <Protected> or <PSN>

NIC A selection for the network interface card to associate with the bridged network. The pull down lists all physical devices and VLANs.

Description A short description to identify the use of the bridged interface.


Bridging Mode

By default, a GTA firewall acts as a firewall router so that systems on the internal network see it as a gateway to the external network, and systems on the external network see it as the gateway to the internal network. The GTA firewall connects networks transparently like a bridge for specified Ethernet protocol types, while continuing to apply policies to other IP packets as a firewall.

A GTA firewall in bridging mode can be inserted behind a router to the Internet between the router and the internal networks without changing IP addresses, gateways or any other network addresses for the rest of your network hosts.

A GTA firewall in bridging mode can also be inserted into an internal network to separate networks that are at a peer level, or to further segregate PSNs. This configuration allows two internal networks to communicate as one, while filtering non-bridged IP traffic between them and preventing the passage of non-IP protocols (except ARP, which operates at both data link layer 2 and network layer 3).

When in bridging mode, a GTA firewall can be connected directly to a host, a switch, a router or a non-bridged firewall.

H2A - High Availability is not supported in bridging mode. PPP, PPPoE and PPTP are not supported on a bridged interface.

If a host points to a router or gateway on a bridged interface as its default route to the Internet, the firewall will override that preference, routing the packet through its logical external network interface.

Also, in bridging mode (as in unbridged firewall operation) any packet that goes through the firewall will use the firewall’s routing tables. This means that even though a host may have indicated a particular route, the firewall will instead use the routes set up in Configure>Network>Routing>Gateway Policies, Configure>Network>Routing>OSPF, Configure>Network>Routing>BGP, Configure>Network>Routing>RIP and Configure>Network>Routing>Static Routing to route the traffic.


BGP Setup

BGP (Border Gateway Protocol) is an Exterior Gateway Routing Protocol (EGRP) used for larger networks such as the Internet. BGP uses TCP port 179 to establish a connection between two or more routers. These routers are considered peers. Initially the routers exchange full routing information; once the connection is established, the routers send only updates to their routing tables.

Note

BGP is only available on GB-2100, GB-2500 and GB-Ware.

Note

For more information on BGP, one recommended source is IP Routing, 1st Edition by Ravi Malhotra from O’Reilly and Associates.

Requirements for BGP:

1. Basic understanding of BGP.

2. Understanding of TCP/IP and routing.

3. BGP Neighbor(s) IP and Autonomous System (AS).

To configure BGP:

1. Navigate to Configure>Network>Routing>BGP.

2. Select ENABLE.

3. Define the ROUTER AS in which the firewall belongs.

4. Configure the ROUTER ID. This number must be unique.

5. Define the NETWORKS. This is the network(s) which will use BGP.

6. Define the BGP NEIGHBOR(s).

7. Enter the neighbor’s REMOTE AS and whether the firewall will ADVERTISE THE DEFAULT ROUTE.

8. Configure the ADVANCED REDISTRIBUTE and AGGREGATION options if needed.

Figure 3.24: BGP Setup


Table 3.22: Configuring BGP

Field Description

Enable Enables the BGP interface and starts the service.

Router AS The number assigned to a router or set of routers in a single technical administration.

Router ID Router ID number.

Networks A selection for the network(s) which will use BGP.

Advanced

Automatic Policies Enables the firewall to generate a set of automatic policies to allow a configured BGP interface to function properly. By default this is enabled. The policy created is for TCP port 179 and is viewable in the Monitor>Activity>Security Policies>Automatic section.

Redistribute

Metric Configure the metric when the route is redistributed.

Connected If enabled, routing information is sent for those networks directly assigned to the firewall, such as interfaces and aliases.

OSPF If enabled, routing information is sent for those networks that are configured via IGRP or OSPF.

RIP If enabled, routing information is sent for those networks configured via RIP.

Static If enabled, routing information is sent for those networks that are statically assigned to the firewall.


Route Aggregation

Aggregate Addresses The network(s) to aggregate.

AS set This selection will generate or send the AS set of other routers to the remote router.

Summary Only This selection filters the more specific routes when sending updates.

To edit an existing BGP interface, select the EDIT icon. To create a new BGP interface, select the NEW icon.

Figure 3.25: BGP Setup

Table 3.23: Configuring BGP

Field Description

Disable Disables the BGP interface.

Description A short description to identify the BGP interface.

Neighbor A selection for the IP address used to configure the peer routers the firewall will use to connect to BGP.

Remote AS The AS number of the peer router.

Weight Enter a BGP neighbor weight to indicate preference.

Advertise Default Route Enable if the firewall will advertise itself as the default route.

Advanced

eBGP Multihop Enables BGP multihop.

Next Hop Self This selection disables the NEXT HOP SELF attribute for BGP.
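The following is an added example, not GB-OS code, that shows what the Route Aggregation options above do to the updates a peer receives: AGGREGATE ADDRESSES names the summary prefix, SUMMARY ONLY suppresses the more specific routes inside it, and AS SET carries the AS numbers of the contributing routes on the aggregate so that loop detection is preserved. The function and class names are illustrative; the prefixes are documentation ranges and the AS numbers are constructed from the private-use range.

```python
"""Route aggregation with the AS SET and SUMMARY ONLY options.

Added example, not GB-OS code; prefixes and AS numbers are constructed
(the AS numbers are from the private-use range). Given the routes the
firewall would otherwise send a peer, an aggregate prefix and the two
flags, it returns the updates actually sent: the aggregate is announced
when at least one more-specific route exists; SUMMARY ONLY suppresses the
more-specific routes inside it, so the peer learns nothing about the
internal address layout; AS SET attaches the set of AS numbers seen on
the contributing routes to the aggregate so loop detection still works.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # ASes already traversed; empty if locally originated


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: Tuple[int, ...]
    as_set: FrozenSet[int] = frozenset()


def aggregate(routes: List[Route], aggregate_prefix: str, local_as: int,
              summary_only: bool = False, as_set: bool = False) -> List[Update]:
    """Updates sent to an eBGP peer after applying the aggregate definition."""
    agg = ip_network(aggregate_prefix)
    contributing = [r for r in routes
                    if ip_network(r.prefix) != agg and ip_network(r.prefix).subnet_of(agg)]
    updates: List[Update] = []
    if contributing:
        members = frozenset(a for r in contributing for a in r.as_path) if as_set else frozenset()
        updates.append(Update(str(agg), (local_as,), members))
    for r in routes:
        if summary_only and r in contributing:
            continue                                               # suppressed by SUMMARY ONLY
        updates.append(Update(r.prefix, (local_as,) + r.as_path))  # local AS prepended
    return updates


# Constructed sample: two halves of a /24 learned from different neighbours,
# plus an unrelated prefix the aggregate does not cover.
ROUTES = [
    Route("203.0.113.0/25", (64513,)),
    Route("203.0.113.128/25", (64514,)),
    Route("192.0.2.0/24", ()),
]

if __name__ == "__main__":
    for u in aggregate(ROUTES, "203.0.113.0/24", 64512, summary_only=True, as_set=True):
        print(u.prefix, u.as_path, sorted(u.as_set))
```

With both options set, the peer sees only the /24 and the unrelated /24, and the aggregate's AS set still lists 64513 and 64514; with neither option set, the aggregate is sent alongside both halves and carries an empty AS set.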

OSPF Setup

OSPF (Open Shortest Path First Protocol) is an interior gateway routing protocol (IGRP). Using link state advertisements (LSAs) the router builds a database (LSDB) of the networks. OSPF uses IP protocol 89.

Requirements for OSPF:

1. Basic understanding of OSPF.

2. Understanding of TCP/IP and routing.

3. OSPF Area information and IP Router ID for Virtual Links if needed.

To configure OSPF:

1. Navigate to Configure>Network>Routing>OSPF.

2. Select ENABLE.

3. Enter the ROUTER ID in the form of 0.0.0.0 (Example: 0.0.0.1).

4. Under DEFAULT ROUTE, enable ADVERTISE DEFAULT ROUTE if the firewall will be the default route.

5. Define the failover metric for the default route. The default setting is 10.

6. Create the OSPF Area(s).

a. Area: Specify the OSPF area.

b. Type: Determine the behavior of the firewall/router.


i. Normal: No restriction.

ii. Stub: No Type 5 AS-external LSAs allowed.

iii. Stub No Summary: No Type 3, 4, or 5 LSAs allowed except the default route summary route.

iv. NSSA: No Type 5 AS-external LSAs allowed; Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse.

v. NSSA No Summary: No Type 3, 4, or 5 LSAs except the default summary route; Type 7 LSAs that convert to Type 5 at the NSSA ABR are allowed.

c. Networks: Select the network(s) which will use OSPF.

d. Authentication: Must be enabled if authentication is required. Other routers in the same area must have a matching ID and password.

e. Virtual Links: Identify if the firewall is not directly connected to the backbone (area 0). Virtual links are used to create a link to another router directly connected to the backbone. The target router should have a virtual link pointing back to this router.

7. Advanced steps

a. Select AUTOMATIC POLICIES to enable and set the DISTANCE.

b. Configure redistribution if needed. The DEFAULT METRIC will apply to all routes if there is no metric set for each individual protocol.

Note

For more information on OSPF, one recommended source is IP Routing, 1st Edition by Ravi Malhotra from O’Reilly and Associates.

Figure 3.26: OSPF Setup


Table 3.24: Configuring OSPF

Field Description

Enable Enables the OSPF interface.

Router ID Unique identifier for the firewall/router. Must be in the form of 0.0.0.0 (Example: 0.0.0.1).

Default Route

Advertise A toggle for whether or not the firewall will advertise itself as the default route.

Metric A setting for defining the metric for the default route. The default setting is 10.

Advanced

Automatic Policies Enables the firewall to generate a set of automatic policies to allow a configured OSPF interface to function properly. By default this is enabled. The policy created is for IP Protocol 89 and is viewable in the Monitor>Activity>Security Policies>Automatic section.

Distance A selection used to determine which routes a router should trust if the router receives two routes with identical information.

Redistribute

Default Metric The value used by a routing algorithm by which one route is determined to perform better than another. When a metric does not convert, the default metric will provide a substitute, enabling redistribution to proceed.

Metric Configure the metric when the route is redistributed. If the metric is not set for each protocol, the default metric will apply.

BGP If enabled, routing information is sent for those networks that are configured via BGP. Only supported on GB-2000, GB-3000, and GB-Ware.

Connected If enabled, routing information is sent for those networks directly assigned to the firewall, such as interfaces and aliases.

RIP If enabled, routing information is sent for those networks configured via RIP.

Static If enabled, routing information is sent for those networks that are statically assigned to the firewall.

To edit an existing OSPF interface, select the EDIT icon. To create a new OSPF interface, select the NEW Icon.


Figure 3.27: OSPF Setup

Table 3.25: Configuring OSPF

Disable: Disables OSPF for the specified area.

Area: This selection specifies the OSPF area.

Description: A short description to identify the OSPF area.

Type: This selection is used to determine the behavior of the firewall/router.

Networks: A selection for the network(s) which will use OSPF.

Advanced

Link Cost: The cost to send a packet via an interface. The cost value is set in the router-LSA's metric field and used for SPF calculation.

Priority: A selection for the priority status of the router. The router with the highest priority will be more eligible to become the Designated Router. Setting the value to 0 makes the router ineligible to become the Designated Router. Default value is 1.

Dead Interval: Define the period of time (in seconds) after which the route will be considered down.

Hello Interval: Define the period of time (in seconds) in which updates will be sent.

Retransmit Interval: Define the period of time (in seconds) that the router will wait after an update is sent. If the time expires, the router will resend the update.

Transmit Delay: Define the estimated time (in seconds) to send an update. This value must be greater than zero.

Authentication

Key ID: Pre-shared secret key ID.

Password: Password that must be used to collect routing information through OSPF. Once entered, this field will be obscured. Select modify to enter a new password.

Virtual Links

Router ID: Uniquely identifies the firewall/router. Must be in the form of 0.0.0.0 (Example: 0.0.0.1).

RIP Setup

RIP (Routing Information Protocol) is typically used by routers to receive updated routing tables. RIP is a TCP/IP routing protocol defined by RFC 1058 that allows broadcasting and/or listening to routing information in order to choose the most efficient route for a packet. Hosts using RIP select the routes that use the fewest hops, or select an alternate path if a route is down or has been slowed by high traffic. RIP is limited to 15 hops; more than that, and the route is flagged as unreachable.

CAUTION

Most smaller network configurations do not benefit from RIP. Before using RIP, be aware that the protocol may decrease performance rather than help small networks, and acceptance of RIP sources can compromise network security.

RIP is disabled by default on GB-OS, so routing information to redirect packets is not accepted from external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for either RIP version 1 or 2.

To configure RIP version 2.0:

1. Navigate to Configure>Network>Routing>RIP.

2. Check ENABLE to enable the RIP messages over RIP interfaces.

3. Enable the ADVERTISE DEFAULT ROUTE check box if you wish to do so on any protected network or PSN on which RIP is enabled.

4. Select a RIP interface and click the EDIT icon to configure it.

5. Select “v2” from either the input or output field, or both, to indicate version 2 of the protocol.

6. In the password fields, you may select a password encryption scheme from the menu. The <None> option will require no password and no encryption. <Clear> will send an unencrypted password, while <MD5> will use MD5 encryption on the password.

7. If you selected <Clear>, enter a password in the text box. If you selected <MD5> encryption for your password, you must enter a pre-shared secret along with the password that will be used to encrypt the password.

8. Configure REDISTRIBUTION if needed.

CAUTION

Sending unencrypted (clear/plain) passwords can expose your RIP password to the network and potential attackers, and therefore it is not recommended by GTA.
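What the <Clear> and <MD5> choices put on the wire, as an added example that is not part of the GB-OS guide or GTA's code: the simple-password entry of RFC 1723 carries the password verbatim, while the <MD5> scheme of RFC 2082 (the guide calls it MD5 encryption; the standard defines it as a keyed MD5 digest over the whole message, selected by the Key ID) sends only a digest. The key ID, password, sequence number and route below are constructed sample values, and the receiver-side check shows why a tampered or differently keyed packet is rejected.

```python
# RIPv2 authentication entries as on the wire: the "Clear" scheme (RFC 1723 simple
# password) beside the keyed-MD5 scheme (RFC 2082) that the <MD5> option selects.
# Added example, not GB-OS code. Key ID, password, sequence number and the route
# are constructed sample values.
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def route_entry(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry (AFI 2 = IPv4, route tag 0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, _ip(prefix), _ip(mask), _ip(next_hop), metric)


def rip_clear_password(routes: bytes, password: str) -> bytes:
    """<Clear>: the password itself rides in the first entry, zero padded to 16 bytes."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    return struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0) + auth + routes


def rip_keyed_md5(routes: bytes, key_id: int, password: str, seq: int) -> bytes:
    """<MD5>: the packet carries a Key ID and a sequence number, plus a trailer
    holding MD5(packet || key). The pre-shared key never appears on the wire."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body_len = len(header) + 20 + len(routes)          # bytes before the trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, body_len, key_id, 16, seq, bytes(8))
    trailer_head = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    key = password.encode().ljust(16, b"\x00")[:16]
    digest = hashlib.md5(header + auth + routes + trailer_head + key).digest()
    return header + auth + routes + trailer_head + digest


def verify_keyed_md5(packet: bytes, keys: dict) -> bool:
    """Receiver side: select the key by Key ID, recompute the digest and compare it
    in constant time. Any change to the routes or sequence number breaks the digest."""
    if len(packet) < 24 or struct.unpack("!HH", packet[4:8]) != (AFI_AUTH, AUTH_MD5):
        return False
    body_len, key_id, auth_len = struct.unpack("!HBB", packet[8:12])
    if auth_len != 16 or len(packet) != body_len + 4 + 16:
        return False
    if key_id not in keys:
        return False
    key = keys[key_id].encode().ljust(16, b"\x00")[:16]
    expected = hashlib.md5(packet[:body_len + 4] + key).digest()
    return hmac.compare_digest(expected, packet[body_len + 4:])


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit at offset (used to show that the digest catches modification)."""
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]
```

The Key ID is what lets a receiver hold more than one key at once, so a pre-shared secret can be rotated without an outage; the cleartext scheme offers neither rotation nor integrity, since anyone on the segment reads the password from the first entry.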

Figure 3.28: RIP Setup

Table 3.26: Configuring RIP

Disable: Disables the RIP interface.

Interface: The interface for which RIP is being configured.

Description: A short description to identify the RIP interface.

Input/Output: Controls how RIP is implemented. INPUT determines whether any version of RIP will be accepted from other routers. OUTPUT determines whether any version of RIP will be exported or broadcast. The choices are:
• <V1>: Version 1 RIP is accepted or exported.
• <V2>: Version 2 RIP is accepted or exported.
• <Both>: Both version 1 and 2 are used.

Password Type: Type of encryption that will be used. If an encryption is selected, the password field is enabled. Encryption types are: None, Clear and MD5. This only applies to RIPv2.

Password: Password that must be used to collect routing information through RIPv2.

Key ID: Pre-shared secret key ID. This only applies to RIPv2 when MD5 encryption is used.

Advanced

Automatic Policies: Enables the firewall to generate an automatic set of policies to allow configured RIP interface settings to function properly. Default is selected.

Default Metric: The value used by a routing algorithm by which one route is determined to perform better than another.

RIP Timers

Update: The rate at which RIP sends a message containing the complete routing table to all neighboring RIP routers. Timer limit is 30 seconds.

Timeout: Upon expiration of the timeout, the route is no longer valid. The route is retained in the routing table for a short time so neighbors can be notified that the route has been dropped. Timer limit is 180 seconds.

Garbage: Upon expiration of the garbage timer, the route is completely removed from the routing table. Timer limit is 120 seconds.

Static Routes

Static Routes define routing paths between one subnet and another. Static routes supersede the default gateway defined in Configure>Network>Routing>Static Routes.

Defining a static route is useful when there is a router between different parts of an internal network, creating multiple subnets within your internal network. Without a static route, the firewall routes all traffic to the default gateway, even traffic that should be directed to a different subnet on the internal network. Traffic will not travel between internal subnets in this case, causing spoofing messages. Static routes solve this problem by diverting internal traffic back to the appropriate internal subnet instead of the default gateway.

Using a static route, the firewall correctly routes internal multi-subnet traffic to other internal IPs.

To configure static routes, navigate to Configure>Network>Routing>Static Routes. Select NEW to create a new static route or select EDIT to modify a pre-defined static route.

Figure 3.29: Configuring Static Routes

Table 3.27: Configuring Static Routes

Disable: Disables the static route.

Description: A short description to identify the static route.

Network IP Address: IP address(es) whose traffic will be subject to the static route, either by selecting the appropriate interface object in the drop down box or by selecting <USER DEFINED> and entering the address and subnet mask, either in CIDR-based (slash) notation or dotted decimal.

Gateway: IP address or interface object of the destination/gateway (default route) selected for this static route.


Multiple Gateway Setup

Gateway policies control entry and exit routing for networks with multiple connections to the Internet or other external networks. It contains controls for:

• Gateway Failover
• Gateway Sharing
• Policy Based Routing
• Source Routing

These features can provide alternative routing if your primary Internet connection fails (gateway failover), distribute outbound connections evenly across multiple Internet connections (gateway sharing), or specify gateways for certain types of connections via indication in a policy (policy based and source routing).

The default gateway is specifiable in Configure>Network>Interfaces>Settings. To specify additional gateways, create new GATEWAY POLICIES.

Note

Gateway policies will initially take the first gateway from the default route listed in Configure>Network>Routing>Static Routes. Further modifications to Gateway Policies cause it to override the default route listed in Configure>Network>Routing>Static Routes. The first gateway listed in Gateway Policies will become the firewall’s default gateway, regardless of the default route listed in Configure>Network>Routing>Static Routes.

By default, Gateway Policies gives priority to the first gateway listed. GATEWAY SHARING changes this default behavior, causing policy-selected traffic to be distributed evenly among the available gateways. Policy based routing and source based routing may also change this default behavior and override gateway sharing by specifying gateway overrides on a per-connection basis, also indicated in your outbound policies.

When the gateway changes, the firewall logs a route change notification and sends an email notification (if email notification is enabled). The active routes table, located at Monitor>Activity>Network>Routes, will also be updated with the new gateway. If using only gateway failover (not sharing or policy based routing), alternative gateways will deactivate once the first listed gateway becomes active again.

To define additional gateways, navigate to Configure>Network>Routing>Gateway Policies and click NEW.

Figure 3.30: Creating New Gateway Policies


Table 3.28: Creating New Gateway Policies

Disable: Disables the configured gateway policy.

Name: A unique name used to identify the gateway policy.

Description: A brief description to describe the function of the gateway policy.

Route: The IP address of the gateway. Select <USER DEFINED> if you wish to manually enter the IP address, otherwise select an address object.

Failover

Enable: A toggle to enable gateway failover capabilities.

Beacons: Enter pingable IP addresses that are within five hops of the gateway. GTA recommends that both beacons are specified to confirm when failover is necessary. For more information on selecting useful beacons, see Selecting Useful Beacons.

Advanced

Do Not Ping Gateway: A toggle to allow or disallow pinging of the gateway.

Maximum Failures: An entry for defining the maximum number of failures allowed before failover.

Sharing

Enable: A toggle to enable traffic connection balancing across gateways for which you have selected sharing.

Gateway Failover

Gateway failover provides alternative routing should your primary Internet connection fail. If your network has multiple routes to the Internet, you can use the GATEWAY FAILOVER feature to automatically switch to an alternate route should your primary gateway to the Internet go down.

To use gateway failover:

• Enable gateway failover by selecting the enable check box on the Gateway Policies screen.
• Edit existing gateway policies or create new ones with the failover option enabled. Provide beacon addresses for those gateways.

In addition, the following advanced options for configuring gateway failover are available on the Gateway Policies screen:

Table 3.29: Gateway Failover Advanced Settings

Add Static Routes For Beacons: Adds a static route for each defined beacon. For more information on selecting useful beacons, see Selecting Useful Beacons.

Ping Secondary Only if Primary Down: Pings the failover gateway only if pinging the primary is unsuccessful.

Selecting Useful Beacons

Beacons determine whether a route is accessible by testing reachability. Beacon IP addresses typically reside on the remote side of a WAN connection or beyond. Each beacon must be unique. GTA recommends using both beacons.

The Gateway Policies ICMP ping TTL (Time To Live) value is thirty. Therefore, beacons can be no more than thirty (30) hops away (hops are intermediate network nodes such as routers or gateways). A beacon more than thirty hops away will mark routes inaccessible, and Gateway Policies will perform improperly. One way to select a beacon is to test hop count by performing a traceroute from each interface. Once the traceroute is complete, select the next one or two IP addresses in the trace past the gateway as beacons.


GB-OS pings each beacon address every half second. When a beacon address does not respond for five consecutive pings or 2.5 seconds, Gateway Policies will consider the route down and switch to the next accessible failover route in the Gateway Policies list.
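The failover decision described above (half-second beacon pings, five consecutive misses, first listed gateway wins, failback when it answers again), written out as an added example; this is not GB-OS code. The guide does not say whether one or all beacons must fail, so the model below assumes a route is down as soon as any one beacon reaches the limit; gateway and beacon addresses are constructed.

```python
# Gateway failover decision logic modelled on the behaviour described above.
# Added example, not GB-OS code. Assumptions not stated by the guide: a route is
# declared down as soon as any one of its beacons hits the failure limit, and the
# first listed gateway that is up always wins (failback). All addresses are
# constructed documentation values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PING_INTERVAL_S = 0.5   # guide: each beacon is pinged every half second
MAX_FAILURES = 5        # guide: five consecutive misses (2.5 s) mark the route down


@dataclass
class GatewayPolicy:
    name: str
    gateway: str
    beacons: List[str]
    max_failures: int = MAX_FAILURES          # the MAXIMUM FAILURES field
    failures: Dict[str, int] = field(default_factory=dict)

    def record_ping(self, beacon: str, answered: bool) -> None:
        """Consecutive-miss counter per beacon; any reply resets it."""
        if beacon not in self.beacons:
            raise ValueError(f"{beacon} is not a beacon of {self.name}")
        self.failures[beacon] = 0 if answered else self.failures.get(beacon, 0) + 1

    def is_up(self) -> bool:
        return all(self.failures.get(b, 0) < self.max_failures for b in self.beacons)


class FailoverMonitor:
    """Selects the first listed gateway whose beacons answer and logs route changes."""

    def __init__(self, policies: List[GatewayPolicy]):
        self.policies = policies
        self.log: List[str] = []
        self._active = self.active_gateway()

    def active_gateway(self) -> Optional[str]:
        for p in self.policies:
            if p.is_up():
                return p.gateway
        return None

    def tick(self, results: Dict[Tuple[str, str], bool]) -> Optional[str]:
        """One half-second round. results maps (policy name, beacon) -> answered;
        a missing entry counts as no answer."""
        for p in self.policies:
            for b in p.beacons:
                p.record_ping(b, results.get((p.name, b), False))
        new = self.active_gateway()
        if new != self._active:
            self.log.append(f"route change: {self._active} -> {new}")  # guide: logged and emailed
            self._active = new
        return new


def simulate() -> Tuple[List[Optional[str]], List[str]]:
    """Primary's beacons go silent for five rounds, then answer again."""
    primary = GatewayPolicy("isp1", "198.51.100.1", ["198.51.100.254", "203.0.113.9"])
    backup = GatewayPolicy("isp2", "192.0.2.1", ["192.0.2.254"])
    mon = FailoverMonitor([primary, backup])
    healthy = {("isp1", "198.51.100.254"): True, ("isp1", "203.0.113.9"): True,
               ("isp2", "192.0.2.254"): True}
    primary_silent = {**healthy, ("isp1", "198.51.100.254"): False,
                      ("isp1", "203.0.113.9"): False}
    history = [mon.tick(primary_silent) for _ in range(MAX_FAILURES)]   # 2.5 s of misses
    history.append(mon.tick(healthy))                                    # failback
    return history, mon.log
```

The route stays on the primary through the fourth miss and flips on the fifth, which is why a beacon that is occasionally slow but reachable does not cause flapping, and why a beacon beyond the ping TTL (which never answers) would pin the route down permanently.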

Gateway Sharing

Gateway sharing distributes outbound connections evenly across multiple gateways when enabled.

To use gateway sharing:

1. On the Gateway Policies screen, select the GATEWAY SHARING check box to enable the service.
   a. Edit existing gateway policies or create new ones with Sharing enabled.
   b. Click SAVE on the Gateway Policies screen to commit the changes.

2. Navigate to Configure>Security Policies>Outbound to configure your outbound policies.
   a. Under the Advanced tab, select <Sharing> for the policy’s ROUTE.
   b. Click OK. Doing so will bring you back to the Outbound policy.
   c. Position in the policy list is important since policies are evaluated by their list order and the firewall will ignore further policies if a match is made. Place the policy at the top of the list if it must override all other outbound policies. See Allowing and Denying Traffic in Basic Setup Tasks and Creating Advanced Allow/Deny Policies later in this chapter for information on creating a firewall policy. Click SAVE.

Policy Based Routing

Policy based routing allows you to route traffic to a specific gateway based upon outbound policy definitions.

To use policy based routing:

1. On the Gateway Policies screen:
   • Select the POLICY BASED ROUTING check box to enable the service.
   • Click SAVE.

2. Navigate to Configure>Security Policies>Outbound to configure your outbound policies.
   • Edit an existing policy or create a new one. Enter a description for your policy, e.g. Policy Based Route: Use Gateway 2 for Outbound HTTP Packets.
   • Set the policy’s TYPE to <Accept> and the ROUTE to your desired gateway. If desired, specify other parameters to limit the connections that should receive policy based treatment, e.g. restrict your gateway policy to only HTTP.
   • Click OK. Doing so will bring you back to the Outbound policy.
   • Position in the policy list is important since policies are evaluated by their list order and the firewall will ignore further policies if a match is made. Place the policy at the top of the list if it must override all other outbound policies. See Allowing and Denying Traffic in Basic Setup Tasks and Creating Advanced Allow/Deny Policies later in this chapter for information on creating a firewall policy. Click SAVE.

Source Routing

Source routing automatically returns connections with NAT through the gateway to their original source.

Requirements

1. Only interface zones of EXTERNAL can be used for source based routing.
2. The default gateway must be on or via an interface of zone EXTERNAL.

To use source routing:

• On the Gateway Policies screen:
   • Select the SOURCE ROUTING check box to enable the service.
   • Click SAVE.


Preferences

Defining the Internet Protocol

Define the internet protocol for the supported network. Choose either IPv4 only, or both IPv4 and IPv6 networks. When IPv6 is enabled, automatic policies for IPv6 neighbor discovery may also be enabled.

When saving changes to this section, the firewall must be rebooted to reset the appropriate configuration sections affected by the change in internet protocols.

Figure 3.31: Defining the Internet Protocol

Table 3.30: Defining Connection Timeouts

Internet Protocol

Enable: Select the type of internet protocols to be supported. Options include IPv4 only, or both IPv4 and IPv6.

Advanced

IPv6 Neighbor Discovery

Automatic Policies: Select to enable automatic policies.

Defining Connection Timeouts and Limiting

Timeouts define how long a connection should be idle before it is marked ready to close. The result of a connection reaching its timeout value differs for each protocol. For example, TCP has enough information embedded for the firewall to determine when the connection is ready to close, but with ICMP and UDP, it is generally impossible to determine when the connection is ready to close.

To define timeouts for TCP, UDP and ICMP connections, navigate to Configure>Network>Preferences.

Figure 3.32: Defining Connection Timeouts


Table 3.30: Defining Connection Timeouts

TCP: Enter the amount of time, in seconds, a TCP connection is allowed to remain idle before GB-OS closes the connection. Default is 600 seconds (10 minutes).

Wait for ACK: As part of the creation of a TCP connection, the client and server exchange several IP packets. All packets sent from the server will have a header bit indicating ACK (acknowledgement). As part of GB-OS’ stateful packet inspection, the firewall keeps a record of this bit. If it is not seen, it is likely that the remote server is down. If the idle time is reached without an ACK from the server, the connection is marked ready to close. Default is 30 seconds.

Send Keep Alives: This field is enabled by default so that if a TCP connection remains idle during the timeout period, a keep alive packet is sent. If the connection is still valid, the firewall will set the idle time to zero. If the connection is invalid, the firewall will see a reset packet and will mark the connection ready to close. If no response is received within five minutes, the firewall will mark the connection ready to close. If the SEND KEEP ALIVES field is disabled, then the connection is marked ready for close.

UDP: Enter the amount of time, in seconds, a UDP connection is allowed to remain idle before GB-OS closes the connection. Default is 600 seconds (10 minutes).

ICMP: Enter the amount of time, in seconds, an ICMP connection is allowed to remain idle before GB-OS closes the connection. Default is 30 seconds.

Default: Enter the amount of time, in seconds, that connections using supported protocols other than TCP, UDP and ICMP are allowed to remain idle. After a connection is marked ready for close, the firewall waits five seconds before it actually closes the connection, giving redundant IP packets a chance to clear the firewall without causing false doorknob twist error messages.

Wait for Close: If the firewall experiences spurious blocks from reply packets (typically port 80), increasing this value gives packets from slow or distant connections more time to return before the connection is closed.

Advanced

Connection Limiting

ICMP Packets: The limit on the number of ICMP packets (per second).

Maximum ICMP Packet Size: Maximum ICMP packet size is disabled if set to zero (0) and has a range of 84 to 65,536 bytes.

New Connections: The limit on the number of new connections (per second).

New Connections Per Host: The limit on the number of new connections per host (per second).

SIP Support

Enable: Enable or disable SIP support.

Remote License Checking: Enable or disable remote license checking. Note: Remote license checking is required for subscription based options (e.g. Content Filtering) and for GB-Ware licensing.


Creating Advanced Security Policies

Security policies (Configure>Security Policies) contain additional, advanced settings not discussed in Basic Setup Tasks. These functions, located under the ADVANCED tab for each policy type, allow for the advanced configuration of a security policy.

Figure 3.33: Creating Advanced Allow/Deny Policies

Table 3.31: Applying Advanced Allow/Deny Policies

Authentication Required: The user must be authenticated before the policy will be matched.

Broadcast: Enable if the DESTINATION ADDRESS is a broadcast address.

TCP SYN Cookies: Enable or disable TCP SYN flood attack protection.

Options

Priority: User-defined priority used for alarms and logging data.

Action

Alarm: Enable to notify the administrator of an event via event logging and Firewall Control Center alarm mechanisms. Disabled by default.

Email: Enable to notify the administrator of an event using email. Disabled by default.

ICMP: Enable to respond to the event with ICMP unreachable or TCP reset. Disabled by default.

IPS: A toggle for whether traffic should be checked against configured Intrusion Prevention System policies. See Intrusion Prevention System (IPS) in the Threat Management chapter for more information.

Log: Options include <Yes>, <No> and <Default>. <Default> is the value defined in Configuration>Security Policies>Preferences.

Report: Enable to include policy data in reports.

SMS: Enable to notify the administrator of an event using SMS. Disabled by default.

SNMP Trap: Enable to notify the administrator of an event using an SNMP trap alarm. Disabled by default.

Stop Interface: Enable to shut down the arriving interface. Disabled by default.


Coalesce

Source Address, Source Ports, Destination Address, Destination Ports: Coalescing blends similar data into a single log event: source address/ports and destination address/ports. By default, ports and addresses are coalesced when a new or auto-configured policy is created.

Detailed List View

Firewall administrators who wish to view additional details for configured security policies can do so by appending ?details to the end of the firewall’s URL. For example, to view a detailed security policy list on a firewall with a URL of https://firewall.example.com, enter https://firewall.example.com?details in your browser’s location/address field.

Policy details displayed in the list view are the policy’s criteria for the TYPE, PRIORITY, INTERFACE, OPTIONS, SERVICE, SOURCE ADDRESS, DESTINATION ADDRESS, TRAFFIC SHAPING and COALESCE options.

Figure 3.34: Detailed List View

Policy Preferences

Policy preferences allow the firewall administrator to globally define most logging and policy definitions for all defined policies in one location. Logging options for automatic policies, tunnel connections (“opens” and “closes”) and policy blocks may be selected. Define BLACK LIST preferences in the pulldown menu.

To configure policy preferences, navigate to Configure>Security Policies>Preferences.

Figure 3.35: Policy Preferences


Options

Under Preferences, additional options are available for configuring policy preferences. From the OPTIONS table, the firewall administrator can enable or disable automatic policies, generate alarms, send email, send an ICMP “service not available” message, or log an event.

Table 3.32: Preference Options

Automatic Policies: Options: Enable/Disable; Log; Report. GTA recommends leaving automatic policies enabled. Enabling or disabling automatic policies requires a reboot to take effect.

Connection Limiting: Always enabled. Options: Log, Report.

Country: Always enabled. Options: Alarm, ICMP, Log, Report.

Deny Address Spoof: Always enabled. Options: Alarm, Email, Log, Report.

Deny Doorknob Twist: Always enabled. Options: Alarm, Email, ICMP, Log, Report.

Deny Fragmented Packets: Options: Enable/Disable, Log, Report. Can be used to block some fragment attacks. GTA recommends leaving this option disabled.

Deny Invalid Packets: Always enabled. Options: Log, Report.

Deny Unexpected Packets: Always enabled. Options: Enable/Disable, Log, Report.

Ident: Option: Enable/Disable.

Stealth Mode: Options: Enable/Disable, Log, Report.

TCP SYN Cookies: Options: Enable/Disable, Log.

Default Logging

Policy Blocks: Options: Enable/Disable, Log. Stealth mode has priority over all filters.

Tunnel Opens: Always enabled. Option: Log, enabled by default.

Tunnel Closes: Always enabled. Option: Log, enabled by default.

Automatic Policies

Automatic policies create the necessary security policies automatically to allow the use of enabled services and configured tunnels. The AUTOMATIC POLICIES check box is a toggle that will enable or disable automatic policies for the following services:

• NTP
• IPSec Tunnels
• DNS Proxy
• DNS Server
• SNMP
• Authentication
• Inbound Tunnels
• Remote Administration

GTA recommends leaving automatic policies enabled.

Note

Enabling or disabling automatic policies requires a reboot for changes to take effect.

Address Spoof

An IP address spoof occurs when a packet arrives at one interface and its return path is through a different interface. This may be caused by an intrusion attempt made by altering the packet’s source IP address, or by a mis-configured firewall (e.g., networks or hosts located on, or connected to, the internal side of a firewall have not been defined using static routes or RIP).
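The spoof check just described is a reverse-path test against the routing table, which is also why the Static Routes section earlier in this chapter says that an internal subnet behind a second router produces spoofing messages until a static route is added. Both points are shown in the added example below; it is not GB-OS code, the interface names and addresses are constructed, and how the firewall itself stores routes is not described on the page.

```python
# Longest-prefix routing table with the address-spoof check described above.
# Added example, not GB-OS code. The interface names, the zone model and all
# addresses are constructed; how GB-OS stores its routes is not on the page.
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, Optional[str]]   # (network, interface, gateway)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, network: str, interface: str, gateway: Optional[str] = None) -> None:
        self.routes.append((ipaddress.ip_network(network), interface, gateway))

    def lookup(self, addr: str) -> Optional[Route]:
        """Most specific prefix wins, which is why a static route supersedes the default route."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def is_spoofed(self, src: str, arrival_iface: str) -> bool:
        """Spoof as the guide defines it: the return path to the packet's source
        leaves through a different interface than the one the packet arrived on."""
        route = self.lookup(src)
        return route is None or route[1] != arrival_iface


def demo() -> Dict[str, Dict[str, bool]]:
    """Internal router 192.168.10.254 fronts 192.168.20.0/24. Without a static
    route its hosts look spoofed; with one, only the real spoof is still flagged."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "External", "203.0.113.1")   # default gateway
    rt.add("192.168.10.0/24", "Protected")           # directly attached subnet
    cases = {
        "inner subnet host on Protected": ("192.168.20.5", "Protected"),
        "internal address arriving on External": ("192.168.10.7", "External"),
    }
    before = {k: rt.is_spoofed(*v) for k, v in cases.items()}
    rt.add("192.168.20.0/24", "Protected", "192.168.10.254")   # the static route
    after = {k: rt.is_spoofed(*v) for k, v in cases.items()}
    return {"before": before, "after": after}
```

The second case, an internal source address arriving on the external interface, is flagged both before and after: that is the genuine spoof the Deny Address Spoof preference exists for, and adding routes for internal subnets does not weaken it.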


Connection Limiting

Connection Limiting is configured at Configure>Network>Preferences>Advanced.

Country

Country blocking allows system administrators to allow/deny IP packets based upon country. Country blocking is configured at Configure>Security Policies>Country Blocking.

Doorknob Twist

A doorknob twist occurs when a connection is attempted on a port for which there is no service or tunnel in place and a policy has accepted the packet. A doorknob twist usually indicates that the firewall is mis-configured.

Fragmented Packets

By default, fragmented packets are reassembled and forwarded only if the resulting packet does not violate a security policy; otherwise, they are dropped. This option is rarely necessary.

Invalid Packets

Invalid packets are those that are not the expected size or have an invalid option bit (e.g., an ICMP port unreachable packet must have at least 28 bytes). Invalid packets are dropped silently by default, but the firewall can log dropped packets.

Unexpected Packets

If a packet is valid, but not expected by the state table, the firewall denies it (e.g., a packet can only generate a single ICMP port unreachable response). A second one may indicate an ICMP replay attack. An unexpected packet may also be a packet that does not have the correct flags during TCP’s three-way handshake.

Ident Option

Ident receives requests as a server daemon and then sends a response identifying the user as Hidden User. When Ident is disabled, the firewall will no longer respond to Ident requests, which may result in timeout delays and slower connections to external servers that make Ident requests. The Ident option is enabled by default.

Stealth Mode

Stealth mode is the factory set default for new GTA Firewall UTM Appliances. In stealth mode, the firewall will not respond to ICMP ping requests, ICMP traceroute requests or UDP traceroute requests to external interfaces. Policies that allow pings, traceroutes, etc. from the external interface are not functional when the firewall is in stealth mode. In addition, the firewall will not respond with an ICMP message when a packet arrives for a port without a tunnel or service set on any external network interface.

Stealth mode has priority over other policy types.

TCP SYN Cookies

TCP SYN cookies are a SYN flood defense technique that works by sending a secure cookie as the sequence number in the second packet of TCP’s three-way handshake, then discarding all state for that connection. If enabled, the firewall can also log sent cookies.
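How a SYN cookie can encode a connection in the sequence number and be recognised later without any stored state, as an added example that is not GB-OS code and does not describe GB-OS internals: the cookie packs a coarse time counter, an MSS index and a keyed hash of the 4-tuple into 32 bits, and the final ACK of the handshake is accepted only if ACK-1 is a cookie this host could have issued recently. The secret, MSS table and addresses are constructed.

```python
# SYN cookies in miniature: the server encodes a time counter, an MSS index and a
# keyed hash of the connection 4-tuple in its initial sequence number, keeps no
# half-open state, and recognises its own cookie when the final ACK arrives.
# Added example, not GB-OS code; the secret, MSS table and addresses are
# constructed, and the firewall's real implementation is not on the page.
import hashlib
import hmac
from typing import Optional

SECRET = b"per-boot secret (constructed)"
MSS_TABLE = [536, 1220, 1440, 1460]   # 3-bit index: the MSS survives only coarsely
COUNTER_PERIOD_S = 64                 # the 5-bit time counter advances every 64 s


def _hash24(saddr: str, daddr: str, sport: int, dport: int, t: int) -> int:
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr: str, daddr: str, sport: int, dport: int, mss: int, now_s: int) -> int:
    """ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits keyed hash."""
    t = (now_s // COUNTER_PERIOD_S) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, t)


def check_cookie(ack_num: int, saddr: str, daddr: str, sport: int, dport: int,
                 now_s: int) -> Optional[int]:
    """Return the MSS to use if ACK-1 is a cookie this host could have issued in the
    current or previous counter period, otherwise None (the ACK is dropped)."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = (now_s // COUNTER_PERIOD_S) & 0x1F
    if t not in (cur, (cur - 1) & 0x1F):
        return None                                   # too old: stale or replayed
    if h != _hash24(saddr, daddr, sport, dport, t):
        return None                                   # not ours, or a different 4-tuple
    return MSS_TABLE[mss_idx]
```

The price of keeping no state is visible in the code: TCP options other than a coarse MSS are lost, and a cookie is only good for about two counter periods, which is why the option is a flood defence to be enabled per policy rather than a default for all traffic.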

Advanced: Coalesce

Coalescing is enabled by default in Configure>Security Policies>Preferences. Data coalescing reduces the amount of individual policy event data logged, merging similar data into a single log event. It applies only to automatic policies, such as those created by a tunnel when AUTOMATIC ACCEPT ALL POLICY is selected on an inbound tunnel definition. The INTERVAL is an option for all policy event coalescing; set the interval to zero (0) to turn off all coalescing.

Table 3.33: Advanced: Coalesce

Interval: 60 seconds by default. Zero (0) turns off coalescing.

Source Address: When selected, it coalesces log messages from like source IP addresses.

Source Ports: When selected, it coalesces log messages from like source ports.

Destination Address: When selected, it coalesces log messages from like destination IP addresses.

Destination Ports: When selected, it coalesces log messages from like destination ports.
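What the INTERVAL and the four field toggles do to a burst of block events, run over constructed log lines as an added example (not GB-OS code, and not its log format). The guide does not spell out the merge rule, so the assumption here is that events for the same policy within one interval are merged when they differ only in the fields selected for coalescing, and those fields are reported as counts of distinct values; the effect on a port scan from one host is the case worth seeing.

```python
# Log-event coalescing with the INTERVAL and field toggles described above.
# Added example, not GB-OS code. Assumed semantics (the guide does not define
# the merge rule): events for the same policy within one interval are merged
# when they differ only in the fields selected for coalescing, and those fields
# are reported as counts of distinct values. Log lines are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Set

LINE = re.compile(r"^(?P<ts>\d+) policy=(?P<policy>\S+) "
                  r"src=(?P<sa>[\d.]+):(?P<sp>\d+) dst=(?P<da>[\d.]+):(?P<dp>\d+)$")
FIELDS = ("sa", "sp", "da", "dp")   # Source Address, Source Ports, Destination Address, Destination Ports

SAMPLE_LOG = """\
1000 policy=block-in src=203.0.113.5:40001 dst=198.51.100.2:22
1001 policy=block-in src=203.0.113.5:40002 dst=198.51.100.2:23
1002 policy=block-in src=203.0.113.5:40003 dst=198.51.100.2:80
1003 policy=block-in src=203.0.113.5:40004 dst=198.51.100.2:443
1005 policy=block-in src=192.0.2.9:5555 dst=198.51.100.2:22
1070 policy=block-in src=203.0.113.5:40005 dst=198.51.100.2:8080
"""


@dataclass
class Coalesced:
    first_ts: int
    policy: str
    count: int
    fixed: Dict[str, str]      # fields that had to match exactly
    distinct: Dict[str, int]   # coalesced field -> number of distinct values merged


def coalesce(log: str, interval: int, fields: Set[str]) -> List[Coalesced]:
    """interval 0 turns coalescing off and returns one record per line."""
    events = [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]
    if interval == 0:
        fields = set()
    buckets: Dict[tuple, Coalesced] = {}
    seen: Dict[tuple, Dict[str, set]] = {}
    for idx, e in enumerate(events):
        ts = int(e["ts"])
        fixed = {f: e[f] for f in FIELDS if f not in fields}
        window = ts // interval if interval else idx
        key = (e["policy"], window, tuple(sorted(fixed.items())))
        if key not in buckets:
            buckets[key] = Coalesced(ts, e["policy"], 0, fixed, {f: 0 for f in fields})
            seen[key] = {f: set() for f in fields}
        rec = buckets[key]
        rec.count += 1
        for f in fields:
            seen[key][f].add(e[f])
            rec.distinct[f] = len(seen[key][f])
    return list(buckets.values())
```

With only the port fields coalesced, the scan from 203.0.113.5 collapses to one record carrying "4 distinct destination ports", which is the signal an analyst wants; coalescing the source address as well would fold the second host into the same record and hide that two sources were involved, so which fields to coalesce is a detection choice, not just a volume one.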

Setting Notifications

This user preference table allows the firewall administrator to enable or disable notifications by email, SMS, and SNMP trap on the specified service or event. To configure notifications, navigate to Configure>System>Notifications.

Figure 3.36: System Notifications

Email

The firewall will perform an MX lookup of the domain specified in the TO field. It will then attempt to send an email. If it is unable to connect to the email server, the firewall will try the secondary email server set in the MX record.


Note

The fi rewall will attempt to send the email 5 times, after which a log will be created for the failure.

Table 3.34: Email

Field Description

Enable Send email and alarm notifications. Disabled by default.

From Email address that will appear in the “From” field. An invalid address, or a server that rejects email with an empty “From” field, can cause a loop of bounce messages. The address can be a fully-qualified address, such as [email protected], or the mailbox name on the specified email server: jdoe.

To Email address where notifications should be sent, fwadmin by default. The address can be a fully-qualified address, such as [email protected], or the mailbox name on the specified email server: jdoe.

SMS
To receive notifications via SMS text messaging, the user must have a phone that supports SMS. Check with your carrier for the format of your phone's email-to-SMS address. For example, a Sprint user would use the format: [email protected]

Table 3.35: SMS

Field Description

Enable Send SMS text message notifications. Disabled by default.

From SMS messaging email address from which notifications will be sent.

To SMS messaging email address where notifications will be sent.

SNMP Trap
Simple Network Management Protocol (SNMP) is a standard for managing network configuration data for each host. If SNMP trap is disabled, selecting the SNMP action on the policy definition screen has no effect. If SNMP is checked as an action, the firewall generates an enterprise-specific trap each time the policy is matched. The SNMP manager is typically on the protected network, though it may reside on any network.

Selecting <Automatic> from the BINDING INTERFACE pull-down menu uses the interface configured in Configure>Network>Interface>Settings through which the packet would normally exit according to the routing table.

Table 3.36: SNMP Trap

Field Description

Enable Enable the SNMP alarm facility. Disabled by default.

Manager Host IP address to receive SNMP trap messages.

Advanced

Binding Interface Address from which SNMP traps are sourced, <Automatic> by default. To force SNMP traps to carry a specific source IP address, choose a pre-configured interface object from the drop-down list. Normally this is only needed when the SNMP manager is reached over a VPN, so that the trap's source address falls within the tunnel's local network.


Alarms
Alarms sets the default parameters for generating alarm notifications. When a policy with alarm enabled is matched, an alarm event is activated, and each alarm event increments the alarm count by one. When the Threshold for Generating Email is exceeded within the Threshold Interval, a notification is sent documenting all of the events. Multiple messages are sent if the number of events exceeds the Maximum Alarms Per Email.

Table 3.37: Alarms

Field Description

Threshold for Generating Email Number of alarms above which a notification is sent.

Threshold Interval Length of time within which the threshold must be exceeded for a notification to be sent.

Maximum Alarms Per Email Maximum number of alarm messages included in a single email message. An alarm message is generally about 200 bytes.

Attempt to Log Host Names Attempt to resolve the host name of the IP address that generated the alarm.
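To make the three parameters concrete, here is an added Python example (not GB-OS code) that turns a constructed list of alarm timestamps into the emails the settings above would produce. It assumes the interval is measured from the first alarm in a window, which the guide does not specify.

```python
def alarm_emails(alarm_times, threshold, interval, max_per_email):
    """Group alarm events into email notifications following the GB-OS Alarms parameters.

    alarm_times: event timestamps in seconds (any order).
    A batch of emails is produced only if more than `threshold` alarms fall inside one
    `interval`-second window. Windows start at the first alarm they contain (assumption).
    Returns a list of emails, each a list of the timestamps it documents.
    """
    emails = []
    window = []
    for t in sorted(alarm_times):
        if window and t - window[0] >= interval:
            emails.extend(_flush(window, threshold, max_per_email))
            window = []
        window.append(t)
    emails.extend(_flush(window, threshold, max_per_email))
    return emails


def _flush(window, threshold, max_per_email):
    """Split one window's alarms into emails of at most max_per_email, or nothing if under threshold."""
    if len(window) <= threshold:
        return []  # below threshold: the events are still logged, just not mailed
    return [window[i:i + max_per_email] for i in range(0, len(window), max_per_email)]


def estimated_bytes(email, bytes_per_alarm=200):
    """Rough size of one notification, using the guide's ~200 bytes per alarm message."""
    return bytes_per_alarm * len(email)
```

Seven alarms in one interval with a threshold of 5 and a maximum of 3 per email yield three messages of 3, 3 and 1 alarms; four alarms in the same interval yield none. Set the threshold with the alarm-per-email limit in mind: a threshold far above the per-email maximum guarantees every notification arrives as a burst of several messages.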

Applying Traffic Shaping
Traffic shaping restricts the users matched by a security policy or tunnel to the amount of bandwidth specified. All users affected share the allocated bandwidth; security policies and tunnels can be defined to command more or less of the allocated or available bandwidth by selecting a weight for each of the policies that use the same traffic shaping policy. Configure traffic shaping at Configure>Network>Traffic Shaping.

The DEFAULT policy does not restrict traffic flow, allowing traffic to use all available bandwidth, first come, first served. If traffic shaping is enabled, the default policy cannot be disabled, but an alternate policy can be selected for any security policy or tunnel.

Figure 3.37: Applying Traffic Shaping

Weight vs. Priority
The weight applied to a security policy or tunnel using a traffic shaping policy is similar to, but not the same as, priority (the security policy's order in the security policy set). Two connections matching policies of different priorities are served one at a time, the higher-priority one first. A connection whose matching policy or tunnel has a higher weight, on the other hand, receives a larger percentage of the available bandwidth while still leaving the lower-weight connection a (smaller) share. A weight of 10 receives the largest share and a weight of 1 the smallest.


Using Traffic Shaping
Traffic shaping policies can be used in security policies as well as inbound tunnels. The following example shows the use of a traffic shaping policy in an outbound or pass through policy and in an inbound tunnel.

Figure 3.38: Creating a Traffic Shaping Policy

Table 3.38: Creating a Traffic Shaping Policy

Field Description

Disable Selecting this check box disables the traffic shaping policy.

Name A unique name used to identify the traffic shaping policy throughout the configuration.

Description A brief description of the function of the traffic shaping policy.

Bandwidth The number of kilobits per second to which policies or tunnels using this pipe will be restricted. The largest value that can be specified is 1,000,000 Kbps. Entering 0 indicates that the policy allows unlimited use of the available bandwidth.

The following example traffic shaping policy is intended to limit the bandwidth that slow FTP connections can use, leaving more bandwidth for other, faster traffic.

1. Create a new traffic shaping policy:
• Navigate to Configure>Network>Traffic Shaping.
• Click the ENABLE check box to enable the service.
• Click the NEW icon to configure a new traffic shaping policy.

2. Create an outbound or pass through policy for the traffic. In the policy, select the traffic shaping policy previously created from the TRAFFIC SHAPING pull-down. The policy will then restrict all inbound and outbound packets, including any secondary data connection the firewall creates for the transfer (such as the FTP data channel), to the size of the traffic shaping policy pipe.

3. Select a weight for the connection. The weight selected prioritizes the connections that match the policy.

Figure 3.39: Selecting the Policy's Traffic Shaping Policy and Weight

4. Create an inbound tunnel (Configure>Network>NAT>Inbound Tunnels) for your bandwidth-limited connection. (Other protocols can be added to the inbound tunnels list by adding the protocol/port number combination in Configure>System>Objects>Service Groups.)

Under the ADVANCED tab is the TRAFFIC SHAPING section. Select the traffic shaping policy previously created. When selected, the tunnel restricts all inbound and outbound packets, including any secondary data connection created for the transfer, to the size of the traffic shaping policy pipe.

5. Select a weight for the connection. The weight selected prioritizes the connections that match the tunnel.


Figure 3.40: Selecting the Inbound Tunnel's Traffic Shaping Policy and Weight

VPN Setup
A Virtual Private Network (VPN) combines tunneling, authentication and encryption to allow a host on an external, untrusted network (e.g., the Internet) to connect to an internal, protected network. VPNs are typically used by telecommuters or remote offices that need access to resources on the protected network.

Before manually configuring a VPN, consider running the IPSec Setup Wizard, located at Wizards>IPSec Setup. The IPSec Setup Wizard is designed to help configure a simple VPN quickly and easily.

Note

For detailed information on site-to-site IPSec VPN setup, configuration and certificate management, see the GB-OS VPN Option Guide for Site-to-Site VPNs. For information on mobile IPSec clients, PPTP and L2TP, see the guide Configuring GTA Firewalls for Remote Access.

VPN Concepts
The following are concepts used when defining a VPN using a GTA firewall.

Authentication
When a VPN is configured using the IKE IPSec key mode, authentication is performed with either pre-shared secrets or VPN certificates. GB-OS supports both methods of authentication for IPSec key mode VPNs.

A pre-shared secret is used to identify a party during the authentication phase of the VPN connection. By definition, a pre-shared secret must be shared with the other party before the VPN connection can be established, so it has to be distributed over a trustworthy channel and should be long and random.

VPN certificates, which contain a public key, can be distributed to parties that wish to connect to the VPN. During the authentication phase of the connection, the requesting party authenticates by presenting its VPN certificate and proving possession of the corresponding private key; the private key itself is never transmitted.

To create VPN certificates for authentication, see the GB-OS VPN Option Guide.


Security Associations
A Security Association (SA) specifies the parameters for protecting traffic between two hosts. Security Associations are one-way, so each active two-way VPN connection uses a minimum of two SAs, one for each direction of communication.

For the total number of potential SAs used by each VPN authorization, see the VPN section in Configure>VPN>Summary. To see the current number of VPN security associations, navigate to Monitor>Activity>VPN>IPSec Tunnels. For the number of security associations supported by a specific model, see its product specifications.

Note

Each authorization in the configuration report will contain one or more VPNs, depending on the number of networks represented by each VPN or address object.

Multiple Networks
A VPN authorization can define one VPN connection or many, depending on the number of networks represented by each object. For example, if a VPN authorization contains an object with two separate local networks and a single remote network, two VPNs are defined, for a total of four SAs.

Figure 3.41: Two VPNs, Four VPN Security Associations

Mobile Protocol
A VPN using mobile protocol (either a mobile IPSec VPN created in the Configure>Accounts>Users section, or a gateway-to-gateway VPN with FORCE MOBILE PROTOCOL selected) uses SAs only while active. The number of SAs potentially used by configured mobile and gateway-to-gateway VPNs can therefore be higher than the number of licensed SAs; however, the number of SAs in use by active VPNs, mobile IPSec VPNs included, cannot exceed the licensed number.

IPSec Objects
IPSec Objects determine how incoming VPN connections will be negotiated by defining which client or VPN gateway initiation behavior your GTA firewall should accept.


SSL Client and Browser Setup
GTA's SSL Service has two components:

• Browser – The SSL Browser provides client-less remote network access. Using a standard Web browser, users launch a customized Web portal (the SSL Browser) for access to files, applications and internal and external web sites. Supported protocols include http, https, ftp, ftps and cifs.

• Client – The SSL Client is a remote access VPN client that uses SSL to establish a secure, encrypted connection to the network firewall. The SSL Client is downloaded via the SSL Browser and installed on the authorized remote user's machine.

Browser access for SSL users is determined by their group privileges. Some users may only be able to browse files and use bookmarks, while other users may be able to browse any internal host using http, https, CIFS or ftp. In addition, users may be restricted to read-only access for browsing, or be granted upload and download access.

Client access is also determined by group privileges. A user must have SSL Browser capability in order to have Client access. The SSL Client is downloaded via the SSL Browser Interface for each user.

Note

For more information on SSL installation, configuration and use, see the GTA SSL Client Guide.

PPTP & L2TP Setup
GTA's remote access options include PPTP and L2TP. Users can easily connect via mobile devices, such as iPhone and Android phones and the iPad. Note that PPTP's MS-CHAPv2 authentication is known to be weak; where the client supports it, prefer L2TP over IPSec or one of the IPSec or SSL VPN options described above.

For more information on connecting via PPTP or L2TP, see the GTA Remote Access Guide.

VLAN Setup
Short for Virtual Local Area Network and defined in the IEEE 802.1Q standard, a VLAN is a network of hosts, servers and other network devices that appear and behave as if they are on the same LAN, regardless of their physical location. With a configured VLAN, workstations scattered across an office or complex can be physically independent in their connection to the network, yet still be able to access one another.

VLANs are configured through software instead of hardware, allowing for flexible implementations. A large advantage of segregating network devices with a VLAN is that when a computer is physically moved to another location, it can remain on the same VLAN without any hardware reconfiguration.

Each VLAN is treated as a separate broadcast domain. For example, if a physical network has two VLANs configured, VLAN 1 and VLAN 2, devices on VLAN 1 can communicate with other devices on VLAN 1, but cannot reach devices on VLAN 2 unless the two networks are bridged or routed between, which on a GTA firewall is subject to its security policies.

To configure a network managed by a GTA firewall to make use of VLANs, an IEEE 802.1Q-compliant VLAN switch is required.

Note

For information on how to configure your VLAN switch so it can direct VLAN traffic, consult your switch's documentation.


Figure 3.42: Basic VLAN Topology with Two VLANs.

VLAN Terms and Concepts
The following are terms and concepts used when working with a VLAN.

VLAN Interface
A VLAN interface is a logical interface carried over the physical interface that is connected to a VLAN switch. A VLAN interface can be assigned to any physical interface, even one not yet defined in Configure>Network>Settings. For example, a VLAN interface can be assigned to eth0, which may already be assigned to your protected network. Adding a VLAN interface to a physical interface that has already been assigned as an external network, protected network or PSN will not create conflicts.

Like physical interfaces, VLANs can be bridged. For more information on bridging interfaces, see Bridging Interfaces.

Note

See product specifications for the number of available VLANs for your GTA firewall.

VLAN IDs
A VLAN segregates devices that are physically separate from each other based on the IEEE 802.1Q VLAN ID tag carried by the frames sent and received by the devices in the VLAN. For example, packets with a VLAN ID of 1 will only be delivered to network devices logically located on the VLAN 1 network. The VLAN ID can be any number between 1 and 4095, and must match the VLAN ID configured on the VLAN switch.

When configuring multiple VLANs over one physical interface, two VLAN interfaces cannot share the same VLAN ID. It is possible, however, to add a VLAN interface with the same VLAN ID to another physical interface. For example, a VLAN interface on eth0 with a VLAN ID of 1 and a VLAN interface on eth1 with a VLAN ID of 1 can both be created without conflict.

VLAN Trunk
In a typical configuration, VLAN routers or switches and GTA firewalls add VLAN IDs to packets travelling to or from a VLAN. A VLAN trunk is the physical connection between two such devices. Packets travelling along a VLAN trunk must be handled by a VLAN router, VLAN switch or GTA firewall.


VLAN IDs are only carried in frames travelling along the VLAN trunk. Once a frame is forwarded by a VLAN-aware device, such as a GTA firewall or VLAN switch, onto an untagged (access) port, the VLAN ID is stripped.
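The following Python example, added here and not taken from GB-OS, builds and strips the 802.1Q tag described in the two sections above, so the trunk-only nature of the VLAN ID is visible byte by byte. The sample Ethernet frame is constructed for the example. It rejects VLAN IDs 0 and 4095, which IEEE 802.1Q reserves, even though the GB-OS interface accepts 1 through 4095.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the MAC addresses, as a trunk port or the firewall does on egress."""
    if not 1 <= vid <= 4094:
        # 802.1Q reserves VID 0 (priority-tagged, no VLAN) and 4095 (implementation use).
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = (pcp << 13) | vid  # 3-bit priority, DEI bit left clear, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, untagged_frame), as an access port does; vid is None if the frame carries no tag."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def vlan_of(frame: bytes):
    """The VLAN a tagged frame belongs to, or None for an untagged frame."""
    return untag_frame(frame)[0]


# Constructed sample: two MAC addresses, the IPv4 EtherType and a 4-byte dummy payload.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\xde\xad\xbe\xef"
```

Two things the code makes plain: the tag is the only thing that ties a frame to its VLAN, so the switch port configuration is the security boundary (a host on an untagged port cannot pick its VLAN unless the port accepts tagged frames from it), and a frame tagged with VID 1 on eth0 and one tagged with VID 1 on eth1 are distinguishable only by the physical interface, which is why the guide lets the same ID exist on different NICs but not twice on one.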

VLAN Switch
A VLAN switch is the network device that resides on the other end of a VLAN trunk. When frames with a VLAN ID travel through the switch, its logic directs the traffic to the appropriate VLAN. For example, a header with a VLAN ID of 12 will be directed to VLAN 12.

Since VLAN configuration varies with each make and model, consult your VLAN switch's documentation for instructions on defining VLAN settings.

Creating a VLAN
To configure a VLAN, navigate to Configure>Network>Interfaces>Settings.

1. Click the NEW icon to define a new interface.
2. Select the type of interface being created. For example, <Standard>.
3. If DHCP will not be used to obtain the VLAN interface's IP address, enter it manually in the IP ADDRESS field.
4. Select the DHCP check box if DHCP will be used to obtain the VLAN interface's IP address.
5. Select the VLAN check box to define the interface as a VLAN.
6. Enter the VLAN's VLAN ID. This ID must be matched on the VLAN switch or router.
7. Enter a name for the VLAN, such as Marketing.
8. Select the interface's Zone, such as <Protected>.
9. For the VLAN's NIC, select the physical interface that will be connected to the VLAN switch or router. For example, <eth0>.
10. Enter a description to explain the use of the VLAN, such as VLAN for marketing department.
11. Click OK and then SAVE.

Note

VLANs are not supported if using link aggregation. Bridged interfaces are supported for IPv4 only.

Figure 3.43: Creating a VLAN


Table 3.49: Creating a VLAN

Field Description

Disable A toggle to disable the configured VLAN.

Type A selection for the interface’s Type. Options are <Standard> and <Bridge>.

DHCP If DHCP will be used to obtain the VLAN interface's IP address, enable the DHCP check box. Enabling DHCP disables the IP Address field.

Gateway The GATEWAY toggle is only available if DHCP is enabled.

IP Address If DHCP will not be used to obtain the VLAN interface’s IP address, enter it manually.

Options

High Availability Select the HIGH AVAILABILITY check box if High Availability will be configured. Enabling High Availability disables the DHCP and Gateway fields.

Router Advertisement Select to configure the router advertisement section.

VLAN Select the VLAN check box to create the VLAN interface.

VLAN ID The VLAN ID that matches the VLAN ID of packets to be received by the VLAN switch or router. Valid VLAN IDs range from 1 to 4095.

Interfaces

Name A unique name used to identify the VLAN.

Zone Determine the interface zone. Options are <External>, <Protected> or <PSN>.

NIC A selection for the network interface card to associate with the VLAN.

Description A brief description to describe the function of the VLAN.

SNMP Setup
SNMP (Simple Network Management Protocol) is a standard for managing IP devices and sending and retrieving data with designated hosts. In its full implementation, SNMP uses both read and write access. In GB-OS, SNMP is read-only, which avoids the security issues of write access. SNMP data, contained in the Management Information Base (MIB) and organized in report form, helps the administrator ensure optimal performance of the managed devices.

• SNMP version 2 provides enhancements including security and an RMON (Remote Monitoring) MIB, which provides continuous feedback without being queried by the SNMP facility.

• SNMP version 3 introduced a revised nomenclature for SNMP, a new access method using authentication, and the ability to encrypt SNMP data packets.

To configure SNMP, navigate to Configure>Services>SNMP.

CAUTION

GTA strongly recommends restricting SNMP access to specific hosts in order to reduce dissemination of information about the network. Allow access to the information only from designated, secure hosts, because with version 2 the data (including the community string) is transmitted in clear (non-encrypted) text, providing potential attack information to any unauthorized user positioned between the host and the firewall. Where the manager supports it, use version 3 with the <AuthPriv> security level.


Figure 3.44: SNMP Setup

Table 3.50: SNMP

Field Description

Enable Enables the SNMP service. Disabled by default.

Contact Information Email address of the administrator.

Location User-defined description of the administrator's location.

Version 2 Confi guration

Enable Enables SNMP version 2.

Community Essentially, a password. With the password, those with access can see SNMP information and/or receive trap notifications. In the full SNMP implementation, there are three community levels: read access, read-write access and trap notification. Members of a community can access information at the level allowed in the community. Community strings travel unencrypted on the wire, so do not use a default such as public, and restrict which hosts may query the service.

Version 3 Confi guration

Enable Enables SNMP version 3.

User ID User name assigned separately from other user authorization names. An extra layer of protection against unauthorized and undesirable interest in your network.

Password Password for this extra authorization level. It is stored encrypted; once entered, this field will be obscured. Select modify to enter a new password.

Security Level Security levels: <AuthPriv> (Authentication, Privacy): Access to SNMP information only with both authentication and data encryption of all SNMP packets (privacy). <AuthNoPriv>: Access to SNMP information with only authentication.

Advanced

Automatic Policies Enable to have the firewall generate a set of automatic policies to allow use of the SNMP service. If disabled, remote access policies must be created.

Remote Logging Setup
GTA firewalls support remote logging of events. Remote logging provides a means to configure how and where log information is sent. Recent events are stored in a local buffer on the firewall and can be accessed under Monitor>Log Messages; the buffer is finite, so forwarding to a remote syslog server is what preserves the record of an incident.

To enable remote logging:

1. Navigate to Configure>Services>Remote Logging.
2. Select the ENABLE check box.
3. Select the source IP address object from the BINDING INTERFACE drop-down box.
4. Enter the server IP address and port number in the SYSLOG SERVER field.

See Reference E: Log Messages for more information about logs and default logging.

Figure 3.45: Remote Logging Setup


Table 3.52: Remote Logging

Field Description

Enable Enables remote logging. Disabled by default.

Syslog Server IP address or host name of a system that will accept the remote logging data. Data can be accepted by any program that accepts the syslog protocol. The port is 514 by default. To enter a different port number, use the standard format, e.g. 192.168.71.2:514 or example.gta.com:514.

Advanced

Binding Interface Address from which logging is sourced, <Automatic> by default. Selecting <Automatic> uses the firewall's usual source IP address for the route to the syslog server. To force the logging packets to have a specific source IP address, choose the interface object from the drop-down menu.

Facility

Policy Facility Logs information associated with any policy that has logging enabled. Any attempts at unauthorized access will be logged to the policy log stream.

NAT Facility Logs information associated with Network Address Translation. Essentially, outbound packets.

WWW Facility Logs all URLs accessed through the firewall.

WELF (WebTrends Enhanced Log Format)
The remote logging facility uses the WebTrends Enhanced Log Format (WELF) to record log messages. The following table shows the fields used:

Table 3.53: WELF Fields

Field Description

arg For HTTP and FTP, this is the URL.

attribute Action taken when the policy was triggered, e.g. Alarm, Email, Stop.

cat_action Action performed by the filter: Block or Pass.

country Two letter country code of the external side of the connection.

dst IP address that received the event.

dstport Destination port of the connection. In the case of ICMP, this field carries the ICMP type code.

duration Time required for the event operation, in seconds.

flags The flags associated with the protocol (TCP or ICMP), in hexadecimal (e.g. flags=0x02).

fw Firewall logging the event.

id Type of record.

interface Network interface where the event occurred.

msg Details events such as a VPN starting, the configuration changing, or a port scan being detected; also captures the index/rule number of the generating filter or facility.

nat IP address where NAT was performed for the event.

nat_port Port number where NAT was performed for the event.

op For HTTP and FTP, an operation such as GET or POST.

pol_action Security policy action: Block or Accept.

pol_type Security policy description: Default, OBP - Outbound Policy, IBP - Inbound Policy, PTP - Pass Through Policy, IPSEC - IPSec VPN, SSL - SSL VPN, PPTP - PPTP Remote Access, L2TP - L2TP Remote Access, ATP - Automatic Policy , CBP - Country Blocking Policy


pri Event priority: 0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=information, 7=debug.

proto Protocol or service used by the event.

rcvd Number of bytes transferred from destination to source.

rule Index number of the item that triggered the entry.

sent Number of bytes transferred from source to destination.

src IP address that generated the event.

srcport Source port of the connection. In the case of ICMP, this field carries the ICMP type code.

time Date and time of the event in the firewall's local time.

type VPN or management events. Values can be combined (e.g. type=vpn, mgmt) Values: vpn, ssl or mgmt

user User name.

vpn Specifi c VPN object – shows the most used connections.

Unix Facilities
A syslog service (daemon) that can accept and record the log data is a standard feature on Unix or Linux operating systems. GB-OS logging provides for the Unix syslog facility, as well as auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, news, ntp, security, user, uucp and local0 through local7.

Since syslog redirects logs to another location, a configuration file on the log host must direct the log stream to a file or receiving software. The priority (set on each policy definition under the ADVANCED tab) is used by the remote log host to determine if and where the information in the syslog log stream should be displayed or stored.

Policy
Policy log messages are generated by a policy rule, either explicit or automatic. Policy messages are logged by default to local1.

NAT (Network Address Translation)
Network Address Translation log messages are generated by a NAT action, which can apply to both outbound traffic and inbound tunnel traffic. All NAT messages are logged by default to local0; NAT session closes are logged at priority Notice, and NAT session opens are not logged.

WWW
WWW log messages are generated when an outbound HTTP access occurs. The complete URL is logged. By default, all HTTP URLs are logged to local2. Log messages are sent at priority Notice.
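As an added example (not GB-OS code), the Python below parses syslog lines carrying WELF records as the facility table and the Unix Facilities section describe them: it decodes the syslog PRI value into facility and severity (facility * 8 + severity, so local1 at Notice arrives as <141>), splits the key=value pairs, and then runs one simple detection over them, listing sources that were blocked on several distinct destination ports. The log lines are constructed for the example in the style of the WELF fields above; the exact values a real GB-OS unit emits may differ.

```python
import re
from collections import defaultdict

# BSD syslog facility numbers; GB-OS logs policy to local1, NAT to local0 and WWW to local2 by default.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock"]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_welf_line(line):
    """Parse '<PRI>key=value key="quoted value" ...' into a dict.

    Adds '_facility' and '_severity' decoded from the syslog PRI (facility*8 + severity).
    Quoted values may contain spaces, which is why msg= and time= need the quotes.
    """
    rec = {}
    m = _PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fac = pri >> 3
        rec["_facility"] = FACILITIES[fac] if fac < len(FACILITIES) else str(fac)
        rec["_severity"] = SEVERITIES[pri & 7]
        line = line[m.end():]
    for key, val in _KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def blocked_ports_by_source(lines, min_ports=3):
    """Return {src: sorted distinct dstports} for sources blocked on at least min_ports ports."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_welf_line(line)
        if rec.get("pol_action") == "Block" and "src" in rec and "dstport" in rec:
            hits[rec["src"]].add(int(rec["dstport"]))
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}


# Constructed sample lines in the style of the WELF fields above (not captured from a real firewall).
SAMPLE_LOG = [
    '<141>id=firewall time="2014-10-01 12:00:01" fw=gb-demo pri=5 pol_type=IBP pol_action=Block proto=tcp src=203.0.113.5 srcport=51234 dst=192.0.2.10 dstport=22 interface=eth1 rule=7 msg="policy 7 blocked"',
    '<141>id=firewall time="2014-10-01 12:00:02" fw=gb-demo pri=5 pol_type=IBP pol_action=Block proto=tcp src=203.0.113.5 srcport=51235 dst=192.0.2.10 dstport=23 interface=eth1 rule=7 msg="policy 7 blocked"',
    '<141>id=firewall time="2014-10-01 12:00:03" fw=gb-demo pri=5 pol_type=IBP pol_action=Block proto=tcp src=203.0.113.5 srcport=51236 dst=192.0.2.10 dstport=3389 interface=eth1 rule=7 msg="policy 7 blocked"',
    '<142>id=firewall time="2014-10-01 12:00:04" fw=gb-demo pri=6 pol_type=OBP pol_action=Accept proto=tcp src=10.0.0.8 srcport=40000 dst=198.51.100.3 dstport=443 interface=eth0 rule=2 msg="outbound accepted"',
    '<141>id=firewall time="2014-10-01 12:00:05" fw=gb-demo pri=5 pol_type=IBP pol_action=Block proto=tcp src=198.51.100.77 srcport=1025 dst=192.0.2.10 dstport=22 interface=eth1 rule=7 msg="policy 7 blocked"',
]
```

The PRI decode is what a syslog server's routing rules see (local1.notice, for instance), while the WELF body is what a SIEM parses; keep both in mind when writing the receiving configuration, because a facility mismatch between the firewall and the log host silently drops the stream into the wrong file. Note also that this detection only works if the events were not coalesced on destination port before being sent.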

Chapter 4: Threat Management

Threat Management

Threat Management covers the configuration of GB-OS' standard threat management features, which defend against dynamic Internet-based threats. Threat management features described in this chapter are:

• Intrusion Prevention System (IPS): IPS acts as a front line defense to safeguard your network against Internet-based attacks. Policy definitions create a secure, tailored configuration that helps protect against the theft and destruction of sensitive data.

• Mail Proxy: Mail Proxy allows you to take back control of your email. Basic Mail Proxy features allow for customized email delivery settings. Use the Anti-Virus feature and the Anti-Spam subscription based option to unlock Mail Proxy’s full potential as a gateway-level solution.

• Content Filtering: Content Filtering helps organizations reduce the risk of legal and privacy issues by applying Internet content filtering on a per-policy basis. When the Content Filtering subscription-based option has been activated, Web requests are filtered not only by policies, but by rating categories as well.

GTA’s full featured threat management suite of products provides a robust gateway level solution. While enabling all services will provide the greatest level of protection possible, it may affect network performance, especially during high traffi c loads. GTA Firewall UTM Appliance administrators should adjust confi guration settings to ensure a proper balance between performance and threat management.

Note

30-day evaluations are available for Mail Proxy Anti-Spam and Content Filtering. Click Request Evaluation beside the specific header on the System Overview screen, or visit the GTA Web site at www.gta.com/options.

CAUTION

The GB-250 and GB-250e were designed for small business networks, yet offer a full complement of threat management and network services to allow administrators to select the features that best match their needs. In order to provide network administrators with the broadest range of choices, GTA offers all threat management features (Anti-Spam, Anti-Virus, and Content Filtering) on the GB-250 and GB-250e. Additionally, many advanced network services (traditional and transparent proxy, authentication server, SNMP server, DHCP server, and VPN) are also available on these units.

However, the hardware specifications of these products necessitate limitations on utilizing every threat management and network service, as each additional service places greater demands on the firewall's CPU and memory. Firewall administrators should carefully select which threat management features and network services to activate on the firewall, and monitor the results to prevent undesired interruptions of service.

By activating all threat management and network services it is possible to exceed the available resources of the GB-250 and GB-250e. Should enabled services exceed the GB-250 or GB-250e’s resources, administrators will notice that GB-OS will restart enabled services as they exceed available memory and will generate a log message. These periodic restarts may result in a temporary loss of enabled services or network connectivity. GB-250 and GB-250e administrators with multiple threat management services should monitor GB-OS log messages to ensure continuous network connectivity.

If the GB-250 or GB-250e consistently exceeds available memory, administrators should consider disabling unnecessary GB-OS services or reducing defined threat management settings. If all services are desired, administrators may wish to consider one of GTA’s more powerful products, such as the GB-850, GB-2100 or GB-2500 Firewall UTM Appliance family, which are designed to meet the needs of more robust network implementations.


Chapter 4: Threat Management

Intrusion Prevention System (IPS)

As network attacks become more sophisticated, viruses and spam are not the only threats that network administrators must face. Increasingly powerful network attack tools and applications are readily available on the Internet, which makes intrusion prevention a vital component for a secure network. A successful attack or network intrusion can result in the loss of confidential information, bring the network down, or even use network resources to launch other attacks.

GB-OS’ Intrusion Prevention System (IPS) uses robust signature-based policy definitions to recognize attacks and protect against network anomalies. IPS carefully analyzes traffic and automatically blocks attacks before they can reach the network. Administrators are notified of intrusions and intrusion attempts using either log messages or email alerts.

GB-OS comes with a standard set of policies that are designed to help create a powerful, customized IPS configuration. GTA Firewall UTM Appliances that have a current GTA support contract and IPS activation code can receive automatically updated IPS policies. Administrators can incorporate these updated policies into their IPS configuration as new security threats are identified.

Although IPS settings are configured using the IPS Setup Wizard or the IPS proxy and IPS policy screens, IPS settings are applied when defining security policies, security policy preferences and inbound tunnels. Security policies and inbound tunnels that have the IPS checkbox enabled will have GB-OS’ IPS settings applied to their traffic. If the IPS checkbox is not enabled in a security policy or inbound tunnel, traffic allowed by the security policy or inbound tunnel that would otherwise be restricted by IPS settings will pass through the firewall unhindered.

Note

For more information on selecting the IPS checkbox in a security policy and inbound tunnels, see Creating Advanced Security Policies and Creating Inbound Tunnels in Advanced Setup Tasks.

Figure 4.1: The IPS Checkbox in a Security Policy (Left) and an Inbound Tunnel (Right)

To effectively use IPS, a network administrator is required to monitor and analyze log messages in order to determine the nature and potential threat of an attack. Small businesses or home offices that do not have a dedicated network administrator may find themselves overwhelmed with log messages. The IPS Setup Wizard is designed to help such users by providing a simple two-step configuration process.

IPS settings can either be configured using the IPS Setup Wizard or manually using the IPS proxy and IPS policies screens. The IPS Setup Wizard is designed to quickly configure and define settings to establish an Intrusion Prevention System for network traffic. Manually defining the IPS proxy and IPS policies allows for a custom, tailored IPS solution.


Running the IPS Setup Wizard

The IPS Setup Wizard is used to configure and define IPS settings suitable for most networks. Settings are defined for a group of similar exploits and anomalies. For example, if the IM CLIENTS group toggle is selected, GB-OS will handle all IM client traffic according to settings applied by the IPS Setup Wizard.

When defining settings for a group, the following actions may be available:

• Block: The Block action blocks all traffic related to the selected group from passing through the firewall.

• Protect: The Protect action protects all traffic related to the selected group by blocking known vulnerabilities while allowing legitimate traffic to pass through the firewall.

• Log: The Log action logs all traffic related to the selected group.

For example, an administrator would like to protect a network from vulnerabilities that stem from IM client traffic. To do so, the administrator will use the IPS Setup Wizard and select the IM CLIENTS toggle. Since the administrator wants to protect against IM client vulnerabilities, and does not want to block all IM client traffic, they will select the Protect option from the pull down. After saving the IPS Setup Wizard’s settings, GB-OS will now protect the network from known exploits and vulnerabilities related to IM client traffic.

To run the IPS Setup Wizard, navigate to Wizards>IPS Setup.

1. The first screen of the wizard will allow you to select the groups to configure, and whether GB-OS should block or protect traffic related to the selected groups. Once settings have been configured as desired, select the NEXT icon to continue.

Note

Configuring IPS settings for a network that does not receive traffic related to a group can add unnecessary overhead and may impact network performance. For example, IPS settings designed to protect against known Web server vulnerabilities should not be enabled if the GTA Firewall UTM Appliance is not protecting any Web servers.

Figure 4.2: Protecting IM Clients Using the IPS Setup Wizard

2. The final screen of the IPS Setup Wizard is a summary view of all entered settings. Please review the wizard’s settings prior to committing the displayed configuration. To make changes to your setup, select the BACK icon to return to the appropriate screen.

Click the SAVE icon to save the displayed configuration, or select the CANCEL icon to abort.

Figure 4.3: Reviewing the IPS Setup Wizard’s Settings


Configuring the IPS Proxy

The IPS proxy contains settings to enable the IPS service, the IPS rule set, as well as performance tuning options.

If the GTA Firewall UTM Appliance has a valid GTA support contract, administrators can elect to have GB-OS automatically download updated IPS policies as they become available. Up-to-date IPS policies provide an additional level of defense against known exploits and anomalies. As new IPS policies are downloaded into GB-OS’ configuration, administrators can configure them as desired. To automatically download new IPS policies from GTA servers, select the Subscription checkbox.

If the IPS Setup Wizard has been previously used to configure IPS settings, a WIZARD SETTINGS box will be visible. The WIZARD SETTINGS box displays a summary of the settings applied by the IPS Setup Wizard and contains a PERSISTENT checkbox. If the PERSISTENT checkbox is enabled, the IPS proxy will persistently use settings defined by the IPS Setup Wizard and will lock configuration options for the IPS policies screen. Disabling the PERSISTENT checkbox will result in the loss of all settings applied by the IPS Setup Wizard.

To enable the IPS proxy, navigate to Configure>Threat Management>IPS>Proxy and select the ENABLE checkbox.

Figure 4.4: Configuring the IPS Proxy

Table 4.1: Configuring the Intrusion Prevention Proxy

Field Name Description

Enable: A toggle for whether the Intrusion Protection proxy should be enabled or not. Default is unselected.

Subscription: A selection for the IPS rule set used by the IPS proxy. GTA Firewall UTM Appliances that do not have a valid GTA support contract will be set to Default.

Advanced


Performance Tuning

Networks

External: Any external IP the IPS applies to; not editable.

Protected: A selection for the GTA Firewall UTM Appliance’s internal networks the IPS proxy should protect. Default is FW-Networks-Local.

External Servers

AIM: A selection for the address object that contains addresses of known AOL Instant Messenger servers.

Internal Servers

DNS: A selection for defining the IP of internal DNS servers.

Email: A selection for defining the IP of internal email servers.

FTP: A selection for defining the FTP server.

SIP: A selection for defining the SIP server.

SNMP: A selection for defining the IP of internal SNMP servers.

SQL: A selection for defining the SQL server.

SSH: A selection for defining the SSH server.

Telnet: A selection for defining the internal servers allowing telnet.

Web: A selection for defining the internal Web server IP address.

Services

DNS: A selection for defining the DNS service.

File Inspection: A selection for defining the File Inspection service.

FTP: A selection for defining the FTP service.

Email: A selection for defining the Email service.

SIP: A selection for defining the SIP service.

SSH: A selection for defining the SSH service.

Telnet: A selection for defining the Telnet service.

Web: A selection for defining the Web service.

* Wizard settings are only displayed if the IPS Setup Wizard has been used to configure IPS settings.

Configuring Performance Tuning Settings

Additional, advanced options designed to fine tune the performance of the IPS proxy are available under the ADVANCED tab. Performance tuning settings can be used to improve the overall performance of the IPS proxy.

Networks

The PROTECTED NETWORKS pull down selects an address object that contains the networks to be protected and monitored by the IPS proxy. Assigning a protected network to the IPS proxy can improve performance and reduce the occurrence of false positives. To select two or more networks, add additional IP addresses, as required, to the address object.

Note

If no network is selected for the PROTECTED NETWORKS pull down, Intrusion Prevention will monitor and analyze all traffic, which may impact network performance.

External Servers


The AIM pull down selects an address object that contains IP addresses of known AOL Instant Messenger (AIM) servers. By enabling the IPS policies related to AOL Instant Messenger traffic, network administrators can effectively restrict access to AOL Instant Messenger and other similar chat programs.

Internal Servers

The internal servers section allows the administrator to further define the specific internal servers to which the IPS policies will apply.

Services

The services section allows the administrator to further define the specific services to which the IPS policies will apply.

Configuring IPS Policies

IPS policies define which traffic is allowed to pass through the firewall to the networks protected by the IPS proxy. Each IPS policy contains specific criteria that check for known vulnerabilities and weaknesses. By default, the majority of the IPS policies are disabled to prevent interference with legitimate traffic. For each enabled IPS policy, configure the action the policy should perform against any packet that triggers it.

Three actions are available when configuring an IPS policy:

• Drop: GB-OS drops the packet that triggered the IPS policy.
• Pass: GB-OS allows the packet that triggered the IPS policy to pass through the firewall.
• Reset: GB-OS drops the packet that triggered the IPS policy and sends a reset to both the client and server.

IPS policies that are designed to protect against similar vulnerabilities are organized into groups. For example, all IPS policies that detect known P2P (peer to peer) vulnerabilities are organized in the P2P group. Administrators who wish to block all P2P traffic can filter displayed policies that contain ‘P2P’ in their group name, enable them and select their ACTION to drop all packets.

Note

Disabling unneeded IPS policies can improve system performance and reduce the amount of log messages generated. For example, IPS policies designed to protect against known Web server attacks should be disabled if the GTA firewall is not protecting any Web servers.

To configure IPS policies, navigate to Configure>Threat Management>IPS>Policies.

Figure 4.5: Defining Intrusion Prevention System Policies

Table 4.2: Configuring Intrusion Prevention Policies


Field Description

Enable: Enables the IPS policy.

Log: If enabled, GB-OS will generate a log message when the policy is triggered.

Alarm: If enabled, GB-OS will generate an alarm when the policy is triggered.

Action: Selections include <Drop>, <Pass> and <Reset>.

Group: The policy’s group.

Name: The policy’s name. Clicking the policy’s name will launch a new browser window with detailed information on the IPS policy.

ID: The policy’s unique ID.

Filtering Displayed IPS Policies

GB-OS ships with a diverse set of IPS policies designed to protect networks from a variety of attacks. Displayed policies can be filtered down to a more manageable amount by using filtering options located along the top of the IPS policies screen. The UP and DOWN arrows allow for navigation through the displayed policies. Adjusting the displayed rows changes the number of policies shown on each page.

Note

Displaying 500 or more rows per page may impact the Web browser’s performance.

Under the ADVANCED tab are additional filtering options. Each column has a set of options that can be used to sort through the available IPS policies. For a filtered column, the filter icon displayed next to the column name changes from blue to red. Once filtering options have been configured as desired, select the FILTER icon to display the filtered results.

For example, to display only IPS policies that have been enabled, select Enable from the COLUMN pull down, toggle the FILTER checkbox on and select Yes from the FIELD pull down. Then select the FILTER icon to display only IPS policies that have been enabled.

Figure 4.6: Filtering Displayed IPS Policies

Mail Proxy


The Mail Proxy can be used to shield an internal email server from unauthorized access and reduce unsolicited email (“spam”). Basic Mail Proxy features provide a foundation that allows you to control your email by utilizing customized policies. The Anti-Virus feature and the Anti-Spam subscription option build upon the capabilities of the basic feature set by adding a strong defense at the perimeter that safeguards against unsolicited spam and viruses (subscription charges apply). Mail Proxy configures an SMTP (Simple Mail Transfer Protocol) email proxy for inbound email on TCP port 25.

To enable the email proxy, navigate to Configure>Threat Management>Mail Proxy>Proxy and select the ENABLE checkbox. Mail Proxy’s connection settings define how long an idle connection to an email server should remain active, as well as the maximum number of simultaneous connections Mail Proxy should allow.

Note

For instructions on configuring the Anti-Virus feature and the Anti-Spam subscription option, please refer to the Mail Proxy Feature Guide.

Figure 4.7: Enabling Mail Proxy

Table 4.3: Configuring Mail Proxy

Field Description

Enable: Enables the Mail Proxy.

Connection

Timeout: The amount of time before an idle connection will be dropped.

Maximum Connections: The number of simultaneously allowed connections. The maximum number of connections for GB-250, GB-820, and GB-Ware 10 user license is 50. GB-2100 has a maximum of 1000 connections and GB-2500 and GB-Ware Enterprise have a maximum number of 5000 connections.

Advanced

Options

Automatic Policies: Enables GB-OS to automatically configure the necessary security policies to allow Mail Proxy to operate.

Log: Enables Mail Proxy logging.

Report: Enables saving of Mail Proxy data for Reports.

Mail Proxy Policies


With every email message, Mail Proxy must choose to accept or deny transmission. Mail Proxy policies contain the criteria that cause an email to be accepted or denied (much like white lists and black lists), and can define the destination server. Policies also contain Anti-Spam and Anti-Virus options which you may apply on a per-policy basis.

By default, the email proxy denies all email. This default will be enacted if an email does not match any listed policy. To ensure that email is not rejected by default, at least one policy of type <Accept> must be created.

Note

Mail Proxy policies are evaluated in the order in which they are listed. When the email proxy receives an email, policies are each tested for matching conditions. Once an email property is matched with a policy indicating acceptance or denial, that policy action is performed and no further policies will be tested for matching. If the policy list has been exhausted but no match has been found, the email will be rejected.

Policies accept or deny email based upon address objects, reverse DNS, message size, mail exchange (MX) or mail abuse prevention system (MAPS) criteria. Using multiple policies in conjunction can sort email types to different destination SMTP servers.

When considering the destination domain for a policy match, three cases arise:

• No email recipients match the policy’s destination domain
• One or more email recipients match the policy’s destination domain
• All the email recipients match the policy’s destination domain

If no email recipients match, Mail Proxy checks the next policy for a match. Behavior for the other two cases is controlled by the MATCH ALL ADDRESSES check box: when unchecked, any one or more matching email recipients will cause a policy match, but when checked, all of the email recipients must match to cause a policy match.

To create a new Mail Proxy policy, navigate to Configure>Threat Management>Mail Proxy>Policies and click the NEW icon.

Note

To accept or reject email regardless of their file size, enter 0 (zero) as the maximum file size in your Mail Proxy policy. A maximum size of zero does not mean that only email with no file size will be considered; instead, it means that the size limit consideration has been removed from the policy.

CAUTION

The IP address receiving email from the Mail Proxy should not simultaneously have an inbound tunnel on TCP port 25 because this will bypass the email proxy, and could compromise your security.


Figure 4.8: Configuring Mail Proxy Policies

Table 4.4: Configuring Mail Proxy Policies

Field Description

Disable: Disables the configured Mail Proxy policy.

Description: Enter a description to explain the function of the policy.

Email Server: Specifies which email server should receive email if the policy’s criteria have been matched.

Type: Specifies the action that should be taken on an email matching the source, destination and other criteria. <Accept> allows transmission while <Deny> disallows it.

Source

Address: Specifies a source (sender) match criterion for email. Only address objects of type ALL or MAIL PROXY are available for selection.

Destination

Address: Specifies a destination (recipient) match criterion for email.

Match Against MX: Makes a DNS MX (Mail Exchanger) record query that tries to match the target IP address to the recipient in the SMTP mail header. The email is rejected if there is no match, preventing the domain from being used to relay email to other domains.


Match All Addresses: If checked, the policy will match only if all email recipients contain the destination address. If unchecked, the policy will match if any one or more email recipients contain the destination address.

Options

DNS White List: Select the check box to enable the DNS whitelist and then select an address object.

Mail Abuse Prevention System: MAPS; a special DNS server that contains only reverse DNS entries of known spam servers.

Maximum Size: The maximum size (in kilobytes) of an email message to be accepted. Configuring a maximum size can prevent “email bombs” (large attachments that cause problems for email clients). Enter a value of 0 to allow any email message size.

Reject if RDNS Fails: If enabled, the policy will perform a Reverse DNS lookup on the remote host and refuse the connection if the lookup fails to match the host’s offered identity.

Anti-Spam *

Enable: Enables the Anti-Spam service.

Anti-Spam - Confirmed *

Reject: Rejects email evaluated as confirmed spam if enabled.

Anti-Spam - Suspect *

Reject: Rejects email evaluated as suspect spam if enabled.

Anti-Virus

Enable: Enables the Anti-Virus service.

Reject: Rejects email containing known viruses if enabled.

* The Anti-Spam subscription option is purchased separately. Feature activation codes must be entered before Anti-Spam can be utilized. Instructions for Anti-Spam and/or Anti-Virus are available in the Mail Proxy Feature Guide.

Defining Email White (Allow) or Black (Deny) Lists

White lists and black lists consist of policies set to unconditionally accept or deny connections from a group of email servers. For example, you may wish to white list the email server of a known business partner to accept all email from that IP, or black list a known spam server to reject all email from that IP.

To define a white (allow) or black (deny) list:

1. Create an address object of type MAIL PROXY (you may use the pre-defined white list and black list defaults as templates).
2. Add the IP addresses from which you want to accept or deny transmissions and save the object.
3. Save the address object.
4. Create a Mail Proxy policy that specifies an accept or deny action for that address object. Click the OK and then the SAVE button.

To ensure that your white list or black list has priority over other policy rules, place it at the top of your Mail Proxy policy list.

White listing or black listing by source, destination, or a combination of the two may have very different effects. For example, black listing a sender (source) will prevent everyone on your network from receiving email from that source; however, setting a destination of [email protected] in addition to a source will block email from that source only when it is sent [email protected]. Conversely, setting a white list for all email with a destination of [email protected] would allow anyone to email that address, but allow you to black list sources sending to any other destination in subsequent policies. A combination of policy order (priority) and source and/or destination contents can provide for complex email accept and deny rules.
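The ordered, first-match evaluation that this section describes for Mail Proxy policies (first matching policy decides, MATCH ALL ADDRESSES controls partial recipient matches, a maximum size of 0 removes the size criterion, and anything unmatched is rejected), together with the way a white or black list placed at the top of the list takes priority, as an added Python illustration that is not part of this guide or of GB-OS. The Policy and Message classes, the rule that a bare domain in a destination object matches every address in that domain, the sample addresses and the policy list are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    """One Mail Proxy policy row (assumed structure for this example)."""
    description: str
    type: str                                # "Accept" or "Deny"
    source: Optional[Set[str]] = None        # sender IPs from a MAIL PROXY address object; None = any sender
    destination: Optional[Set[str]] = None   # recipient addresses or bare domains; None = any recipient
    match_all_addresses: bool = False        # the MATCH ALL ADDRESSES check box
    max_size_kb: int = 0                     # 0 removes the size criterion, as the guide's note explains
    email_server: str = ""                   # server that receives mail accepted by this policy


@dataclass
class Message:
    """The properties of one SMTP transaction that the policies are tested against."""
    sender_ip: str
    recipients: List[str]
    size_kb: int


def recipient_matches(recipient: str, entry: str) -> bool:
    """Assumed matching rule: an entry containing '@' must equal the whole address;
    a bare domain matches the part after '@'. Comparison is case-insensitive."""
    recipient, entry = recipient.lower(), entry.lower()
    if "@" in entry:
        return recipient == entry
    return recipient.rsplit("@", 1)[-1] == entry


def policy_matches(policy: Policy, msg: Message) -> bool:
    """Apply the source, size and destination criteria of one policy."""
    if policy.source is not None and msg.sender_ip not in policy.source:
        return False
    if policy.max_size_kb > 0 and msg.size_kb > policy.max_size_kb:
        return False
    if policy.destination is None:
        return True
    matched = [r for r in msg.recipients
               if any(recipient_matches(r, e) for e in policy.destination)]
    if not matched:
        return False        # no recipient matches: Mail Proxy tries the next policy
    if policy.match_all_addresses:
        return len(matched) == len(msg.recipients)
    return True             # unchecked: any one matching recipient is enough


def evaluate(policies: List[Policy], msg: Message) -> Tuple[str, Optional[str], str]:
    """Policies are tested in list order; the first match decides and later policies
    are not consulted. A message matching nothing is rejected (default deny).
    Returns (action, description of the deciding policy or None, destination server)."""
    for policy in policies:
        if policy_matches(policy, msg):
            server = policy.email_server if policy.type == "Accept" else ""
            return policy.type, policy.description, server
    return "Deny", None, ""


# Constructed sample policy list. The white list and black list sit at the top so
# that they take priority over the more general policies below them.
POLICIES = [
    Policy("Partner white list", "Accept", source={"192.0.2.10"},
           email_server="mail.internal.example"),
    Policy("Known spam host", "Deny", source={"198.51.100.5"}),
    Policy("Sales mailbox only", "Accept", destination={"sales@example.com"},
           match_all_addresses=True, email_server="mail.internal.example"),
    Policy("Company domain, 10 MB limit", "Accept", destination={"example.com"},
           max_size_kb=10240, email_server="mail.internal.example"),
]


if __name__ == "__main__":
    samples = [
        Message("192.0.2.10", ["bob@example.com"], 50),
        Message("198.51.100.5", ["sales@example.com"], 50),
        Message("203.0.113.7", ["sales@example.com", "bob@example.com"], 100),
        Message("203.0.113.7", ["bob@example.com"], 20000),
        Message("203.0.113.7", ["alice@other.example"], 10),
    ]
    for m in samples:
        print(m.sender_ip, m.recipients, m.size_kb, "->", evaluate(POLICIES, m))
```

Running the file evaluates the constructed messages: the third one shows MATCH ALL ADDRESSES skipping the sales-only policy because one of its two recipients does not match, so the broader company-domain policy decides; the fourth shows the default deny for a 20000 KB message that exceeds the only policy that would otherwise accept it.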


RDNS (Reverse DNS)

Selecting the REJECT IF RDNS FAILS check box can prevent the reception of spoofed or spam email. It performs a reverse DNS lookup on the IP address of the remote host trying to make an SMTP connection, and then compares it to a DNS lookup of the offered host name. If the lookup fails or domain name and IP address records don’t match (as may be the case with illegitimate mail servers), the connection is refused. RDNS requires a defined DNS server to function correctly.

Note

If the REJECT IF RDNS FAILS check box is selected, legitimate hosts with misconfigured DNS entries will not be able to deliver email to your domain.

Defining a Mail Abuse Prevention System (MAPS)

When deciding to accept or reject email, you may wish to check the message for criteria known to a Mail Abuse Prevention System (MAPS). When validating email connections, you may use one of the pre-defined MAPS or specify a custom MAPS by using an Email Abuse type address object.

A custom MAPS object may refer to a MAPS provider (such as zen.spamhaus.org) or to your own MAPS server. A MAPS server is a DNS server whose reverse DNS entries are spam servers. Any name resolved by the MAPS server therefore indicates that the email originated from a spam server. Additional information on creating your own MAPS server or subscribing to MAPS services is available from many sources.

To specify which address object to use as a MAPS, select an object from the pull-down menu labeled MAIL ABUSE PREVENTION SYSTEM under the EMAIL TO BLOCK heading in your Mail Proxy policy.

To define a custom MAPS solution:

1. Create an address object of type MAIL PROXY and name it MAPS server.
2. Specify your domain name or IP address under the ADDRESS field and add a DESCRIPTION if you wish. Note that you can define multiple MAPS servers in a single address object; this can be useful if the first MAPS is slow or unresponsive.
3. Save the address object.
4. In the Mail Proxy policy, select the MAIL ABUSE PREVENTION SYSTEM toggle and select the previously defined address object. To finalize your MAPS object definition, click the OK and then the SAVE button.
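The two connection-time checks described in the RDNS and MAPS sections above, as an added Python illustration that is not part of this guide or of GB-OS: REJECT IF RDNS FAILS (reverse lookup of the connecting address, forward lookup of the offered host name, refuse unless both succeed and agree) and a MAPS lookup (the reversed address queried under the MAPS zone; any answer means the address is listed). DNS is replaced by in-memory tables so the example runs offline; the host names, addresses, the maps.example zone and all function names are constructed for the example, and 127.0.0.2 is only the conventional answer a listing zone returns.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed DNS data so the example runs offline. PTR records are keyed by IP,
# A records by host name. None of these hosts or zones exist.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mx1.partner.example",
    "203.0.113.7": "mail.misconfigured.example",
    "198.51.100.5": "relay.bad.example",
}
A_RECORDS: Dict[str, Set[str]] = {
    "mx1.partner.example": {"192.0.2.10"},
    "mail.misconfigured.example": {"203.0.113.99"},  # forward record disagrees with the PTR
    "relay.bad.example": {"198.51.100.5"},
}
# A fictitious MAPS zone and the addresses it lists. A real MAPS address object
# would name the provider's zone or your own MAPS server instead.
MAPS_ZONES: Dict[str, Set[str]] = {"maps.example": {"198.51.100.5"}}


def reverse_name(ip: str, zone: str) -> str:
    """Query name used for a MAPS lookup: the IPv4 octets reversed, under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Set[str]:
    """Stand-in for a forward (A record) lookup against the constructed data."""
    for zone, listed in MAPS_ZONES.items():
        if name.endswith("." + zone):
            ip = ".".join(reversed(name[: -len(zone) - 1].split(".")))
            # A listed address resolves (127.0.0.2 is the conventional answer);
            # an unlisted address gets no record at all.
            return {"127.0.0.2"} if ip in listed else set()
    return A_RECORDS.get(name, set())


def rdns_check(ip: str, offered_hostname: str) -> bool:
    """REJECT IF RDNS FAILS as the guide describes it: reverse-look up the connecting
    IP, forward-look up the name the host offered, and require both to succeed and
    agree. A legitimate host with a broken DNS entry fails this check too, which is
    the caveat in the guide's note."""
    ptr = PTR_RECORDS.get(ip)
    if ptr is None:
        return False                     # reverse lookup fails
    forward = resolve_a(offered_hostname)
    if not forward:
        return False                     # offered name does not resolve
    return ip in forward and ptr.lower() == offered_hostname.lower()


def maps_listed(ip: str, zones: List[str]) -> Optional[str]:
    """Return the first MAPS zone that resolves the reversed address, i.e. that lists
    the IP as a spam source, or None if no zone lists it. Several zones in one
    address object are tried in order, as step 2 of the procedure allows."""
    for zone in zones:
        if resolve_a(reverse_name(ip, zone)):
            return zone
    return None


def connection_allowed(ip: str, offered_hostname: str,
                       reject_if_rdns_fails: bool, maps: List[str]) -> bool:
    """Combine both checks the way a Mail Proxy policy with these options would."""
    if reject_if_rdns_fails and not rdns_check(ip, offered_hostname):
        return False
    if maps_listed(ip, maps) is not None:
        return False
    return True


if __name__ == "__main__":
    for ip, name in [("192.0.2.10", "mx1.partner.example"),
                     ("203.0.113.7", "mail.misconfigured.example"),
                     ("198.51.100.5", "relay.bad.example"),
                     ("203.0.113.200", "unknown.example")]:
        print(ip, name, "rdns:", rdns_check(ip, name),
              "maps:", maps_listed(ip, ["maps.example"]),
              "allowed:", connection_allowed(ip, name, True, ["maps.example"]))
```

The second sample host is the case the guide's note warns about: its PTR record exists but the forward record points elsewhere, so with REJECT IF RDNS FAILS enabled it cannot deliver mail even though it is not listed by the MAPS zone. The third host passes the RDNS check and is refused only because the MAPS zone lists it.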


Content Filtering

With every Web page request, GB-OS must choose to accept or deny transmission. Content Filtering controls Web site access based upon the domain name and content of the site. Content Filtering policies allow the use of the Content Filtering subscription option (subscription charges apply).

Note

Content Filtering’s performance relies on an efficient, enabled DNS server.

Content Filtering requires the use of an HTTP proxy. The Content Filtering Proxy section allows the administrator to specify a traditional proxy, a transparent proxy, or both. In addition, an action concerning blocked content can be selected.

Note

For instructions on configuring the Content Filtering subscription option, please refer to the Content Filtering Feature Guide.

Configuring the Content Filtering Proxy

To configure the Content Filtering HTTP proxy, navigate to Configure>Threat Management>Content Filtering>Proxy.

Figure 4.9: Configuring the Content Filtering Proxy

Table 4.5: Configuring the Content Filtering Proxy

Field Description

Traditional Proxy

Enable: Enables the traditional proxy. Disabled by default.

Port: The port through which the proxy will run. Default is 2784.

Advanced

Automatic Policies: A toggle for whether the firewall should automatically generate the required policies for the email proxy to function. If unselected, it is necessary to define remote access policies.

Log: Enables Content Filtering logging.

Report: Enables saving of Content Filtering data for Reports.

Transparent Proxy

Enable: Enables the transparent proxy. Disabled by default.


Block Action

Action: A selection for the action to be performed when a request for blocked content is made.

Message: If <Use message> is selected for the ACTION, the message will be displayed.

URL: If <Redirect to URL> is selected for the ACTION, the user will be directed to the entered URL.

Enabling the Traditional Proxy

When the firewall is operating without Content Filtering enabled, it does not use a proxy. When the HTTP proxy is used in conjunction with a Content Filtering facility, it runs on TCP port 2784 by default. To run the HTTP proxy on a different port, enter the desired port number in the PORT field. In order to enable access to the traditional proxy, a remote access policy that allows connection to the entered PORT value must be configured and enabled.

The traditional proxy requires users located on protected networks to have browsers configured to use a proxy connection with the proxy IP address and port number. Only users specifying the traditional proxy port will use Content Filtering for their traffic.

Transparent Proxy

This method is invisible to users located on the protected network. No modification to their browser’s settings is required, and there is no PORT field. The transparent proxy allows the firewall to filter and mediate HTTP traffic transparently to end users.

The following are inspected by the transparent proxy:

• Port 80
• Port 8080 (http)
• Port 443 (https)

HTTP represents URL based filtering, while HTTPS represents DNS and IP address based filtering.

Block Actions

If a policy blocks a Web address (URL) and a user attempts to load a page from that address, the user will see a custom message, or be redirected to a URL (e.g., an internal Web site that defines the company’s Internet policies and the administrative process to gain access to a blocked Web site).

Content Filtering Policies

Content Filtering policies contain the criteria that cause a Web page to be accepted or denied and define any scripts or applets that should be blocked.

Note

Content Filtering policies are evaluated in the order they are listed. When the firewall receives a Web page request, policy rules are each tested for matching conditions. Once a Web page request is matched with a policy indicating acceptance or denial, the policy’s actions are performed and no further policies will be tested for matching. If the policy list has been exhausted and no match has been found, the Web page will be denied.

By default, Content Filtering denies all Web page requests. This default will be enacted if a Web page request does not meet any listed policy. To ensure that all Web page requests are not rejected by default, at least one policy of type <Accept> must be in place.


To configure Content Filtering policies, navigate to Configure>Threat Management>Content Filtering>Policies and click the NEW icon to create a new policy.

Figure 4.10: Configuring Content Filtering Policies

Table 4.6: Configuring Content Filtering Policies

Field Description

Disable: Disables the policy.

Description: A description for the policy.

Source Address: If a request matches an element of the specified address object of type CONTENT FILTERING, the packet will be compared to the policy.

Time Group: Select a user-defined time group in which the policy will be enabled. Time groups are defined at Configure>Objects>Time Groups.

Advanced

Authentication Required: Enable to require user authentication.

Destination Address: A selection for restricting access based on the destination address.

HTTPS Filtering: Enable filtering of https protocols.

Content Filtering Facilities

Local Allow List: Enable to use the firewall’s local allow list by selecting its address object.

Local Deny List: Enable to use the firewall’s local deny list by selecting its address object.

Web Filtering *: Enable to use the Content Filtering Categories list.

Content Blocking

ActiveX Objects: Enable to block ActiveX controls.

Java: Enable to block Java applets.

Javascript: Enable to block Javascript.

Unknown HTTP Commands: Enable to block unknown HTTP commands and unencrypted HTTP protocols.

Categories *

Accept / Deny *: Specify allowed or blocked Content Filtering categories. Switch a category from one list to the other by selecting the item and clicking the left or right arrow button.

* Requires a feature activation code and a valid Content Filtering subscription (purchased separately).


Local Allow and Deny Lists

Local allow and deny lists allow customization of content filtering using customized address objects. You can choose to perform all content filtering locally, allow access to sites that are disallowed by another content filtering facility, or deny access to sites that are otherwise allowed.

To add domain names to the local allow and deny lists:

1. Navigate to Configure>Objects>Address Objects.
2. Select the local list you wish to edit.
3. In the ADDRESS field, enter the desired domain name and an optional description.
4. For additional domain names, select the ADD button for additional rows.
5. Click OK and then SAVE.

Enter domain names in the following format: example.com. WWW and other such subdomain prefixes (www2, www3) limit the effectiveness of the local allow or deny lists. For example, the value www.example.com accepts or denies access only for that specific host, not for sites such as www2.example.com or subdomain.example.com. Thus, if you wish to block an entire domain and all of its subdomains, enter example.com.

Additionally, you may use regular expressions to create more elaborate local allow and deny lists. See Using Regular Expressions for more information.
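The first-match policy evaluation with its default deny, and the local list domain semantics described above, modelled in Python as an added illustration. This is not GB-OS code: the policy model, the order in which the deny and allow lists are consulted, the "re:" prefix for regular-expression entries and the sample addresses are all assumptions made here.

```python
"""First-match evaluation of Content Filtering policies with local allow and
deny lists, modelled on the behaviour the guide describes.  Added example,
not GB-OS code; every name and value below is hypothetical."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACCEPT, DENY = "ACCEPT", "DENY"


def host_matches_entry(host: str, entry: str) -> bool:
    """Local-list semantics from the guide: a bare domain such as
    'example.com' covers the domain and all of its subdomains, while a
    prefixed name such as 'www.example.com' covers only that host (it does
    not cover www2.example.com).  Entries prefixed 're:' are treated as
    regular expressions matched against the whole host name (assumed
    syntax, used here to show why such patterns need care)."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("re:"):
        return re.fullmatch(entry[3:], host) is not None
    return host == entry or host.endswith("." + entry)


@dataclass
class Policy:
    description: str
    accept: bool                          # <Accept> or <Deny> policy type
    source: str = "0.0.0.0/0"             # source address object, as CIDR here
    destination: Optional[str] = None     # None = any destination
    local_allow: List[str] = field(default_factory=list)
    local_deny: List[str] = field(default_factory=list)
    disabled: bool = False

    def matches(self, src_ip: str, host: str) -> bool:
        """Does this request fall under the policy at all?"""
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        return self.destination is None or host_matches_entry(host, self.destination)

    def verdict(self, host: str) -> str:
        # Assumption: within a matched policy the local deny list is consulted
        # first, then the local allow list, then the policy's own type.
        if any(host_matches_entry(host, e) for e in self.local_deny):
            return DENY
        if any(host_matches_entry(host, e) for e in self.local_allow):
            return ACCEPT
        return ACCEPT if self.accept else DENY


def evaluate(policies: List[Policy], src_ip: str, host: str) -> Tuple[str, Optional[int]]:
    """Walk the list in order; the first matching policy decides and nothing
    after it is tested.  An exhausted list means the implicit default: DENY."""
    for index, policy in enumerate(policies, start=1):
        if policy.disabled or not policy.matches(src_ip, host):
            continue
        return policy.verdict(host), index
    return DENY, None


# Constructed sample policy list (hypothetical networks and host names).
SAMPLE_POLICIES = [
    # Staff may reach only the listed business sites: a Deny policy whose
    # local allow list punches holes in it.
    Policy("Staff: only listed business sites", accept=False,
           source="10.1.0.0/16",
           local_allow=["www.partner.example", "intranet.example"]),
    # Lab hosts may reach any .edu destination except one mirror.
    Policy("Lab: accept .edu destinations", accept=True,
           source="10.2.0.0/24", destination=r"re:.*\.edu",
           local_deny=["mirror.university.edu"]),
    # No <Accept> policy covers the guest network, so guests fall through
    # to the default and every request is denied.
]

if __name__ == "__main__":
    for src, host in [("10.1.5.7", "www.partner.example"),
                      ("10.1.5.7", "www2.partner.example"),
                      ("10.2.0.9", "mirror.university.edu"),
                      ("10.9.0.3", "www.partner.example")]:
        print(src, host, "->", evaluate(SAMPLE_POLICIES, src, host))
```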

Figure 4.11: Editing Local Allow List

Content Blocking

Portable code blocking for ActiveX objects, Java, JavaScript and unknown HTTP commands can protect your network from malicious programs such as viruses spread by Web pages (applets or scripts arriving on inbound TCP ports 80 and 8080). In addition to blocking mobile code embedded in Web pages, CONTENT BLOCKING can also prevent tunneled, unencrypted non-HTTP connections over standard HTTP ports.

Non-HTTP protocols (such as FTP) or unknown HTTP commands may be transmitted over standard HTTP ports. For example, if your firewall is configured to allow only Web traffic, such traffic may indicate an attempt by internal network users to bypass your policy by redirecting blocked non-HTTP protocols to the open HTTP ports. To block transmission of non-standard HTTP commands and unencrypted non-HTTP protocols over HTTP ports, check the UNKNOWN HTTP COMMANDS box in the CONTENT BLOCKING section.


Content Filtering Categories

Content Filtering is a subscription option that provides firewall system administrators with a user-friendly interface and easy access to an exhaustive list of Web categories for content filtering. Content Filtering is superior to local allow and deny lists alone. Using local allow and deny lists, an administrator is able to enter only a limited number of URLs. With Content Filtering, the administrator can easily allow or deny whole categories of content. Local allow and deny lists then allow further customization. Specific time groups can also be applied to Content Filtering policies, allowing the administrator to specify more or less access during various time periods.

Content Filtering is specifically designed for firewalls as a complete content filtering solution. It features a small, ultra-light footprint. An annual subscription for Content Filtering can be purchased from GTA, or through an authorized GTA Channel Partner. With your subscription, use the Content Filtering Feature Guide, which provides more information on using Content Filtering categories.

Creating Advanced Content Filtering Policies

Content Filtering policies contain additional, advanced settings. Policies can require user groups to authenticate with the firewall using GBAuth or Single Sign-On authentication, and can control Internet access based on the destination address. Restricting access by destination address is useful if the administrator wishes to block content on a certain Web site, such as ActiveX objects. Regular expressions can also be used when defining the policy's DESTINATION ADDRESS. For example, entering a value of *.edu will result in a policy match whenever a destination address ending in ".edu" is entered.

CAUTION

Using regular expressions in policy definitions may result in an unexpected policy match. See Using Regular Expressions for more information on using regular expressions.

Advanced settings for Content Filtering policies are configured from Configure>Threat Management>Content Filtering>Policies under the ADVANCED tab.

Figure 4.12: Advanced Content Filtering Policies

Table 4.7: Advanced Content Filtering Policies

Field: Description

Authentication Required: Enable to require users to authenticate with the GTA firewall using GBAuth or Single Sign-On authentication. When enabled, a pull-down will appear listing the configured user groups to which the policy will be applied.
Destination Address: A selection of address objects that are of type Content Filtering. Select <USER DEFINED> to manually enter a destination address.
HTTPS Filtering: Enable to allow filtering of HTTPS protocols.


Chapter 5: Monitoring, Reports & Administrative Tools


Monitoring, Reports, and Administrative Tools

This chapter details the administrative tools that are available, monitoring capabilities such as viewing activity, and reporting features.

Administrative Tools

The Tools section under the Monitor action button contains a number of tools useful for administering and troubleshooting the firewall's configuration.

Interfaces

The Interfaces configuration screen, located at Monitor>Tools>Interfaces, allows a network interface on the firewall to be set <Up> (capable of sending/receiving packets) or <Down> (incapable of sending/receiving packets).

CAUTION

Disabling the network interface on which your computer resides will result in loss of connectivity to the firewall.

Figure 5.1: Configuring Firewall Interfaces

Network Diagnostics

The Network Diagnostics configuration screen, located at Monitor>Tools>Network Diagnostics, contains ping and trace route tests, which are useful for verifying connectivity.

Ping

The ping function executes the network ping connectivity test using the ICMP protocol. The ping is executed from the GTA firewall, not from your computer. Pinging an IP address is useful for verifying connectivity from the firewall to any target host on the external or internal network.

The firewall will attempt to send five ICMP ping packets to the target destination and will display relevant statistics.

Note

Pinging IP addresses instead of domain names is recommended when possible, as it eliminates the possibility of DNS errors. Pinging a domain name may only function when a DNS proxy or DNS server has been enabled.


To ping an IP address or domain name:

• Navigate to Monitor>Tools>Network Diagnostics and select the PING radio button.
• In the HOST field, enter the desired IP address or fully qualified domain name to ping. If an IP address is entered, it must be entered in dotted decimal notation.
• Click SUBMIT to execute the ping command.

Figure 5.2: Pinging an IP Address

Figure 5.3: Reviewing Ping Results

Trace Route

The trace route function performs a routing trace from the firewall to a designated IP address or domain name. Like PING, TRACE ROUTE is useful for testing network connectivity. To determine whether a route to an Internet host is viable, the trace route function sends UDP probe packets with a short time to live (TTL) and then listens for an ICMP "time exceeded" reply from a gateway.

When the trace is active, three probes are sent for each hop (gateway) along the path, with the output showing the TTL, the address of the responding gateway, and the round-trip time of each probe.

Note

Performing a trace route on IP addresses instead of domain names is recommended when possible, as it eliminates the possibility of DNS errors. Tracing a domain name may only function when a DNS proxy or DNS server has been enabled.

To perform a trace route:

• Navigate to Monitor>Tools>Network Diagnostics and select the TRACE ROUTE radio button.
• In the HOST field, enter the desired IP address or fully qualified domain name to trace. If an IP address is entered, it must be entered in dotted decimal notation.
• Click SUBMIT to execute the trace route command.

Figure 5.4: Tracing a Domain Name

Figure 5.5: Reviewing Trace Route Results


Packet Capture

Packet captures can be monitored at Monitor>Tools>Packet Capture. Select the EDIT button to define packet capture filters.

Figure 5.6: Packet Capture

Shutdown

The Shutdown configuration screen, located at Monitor>Tools>Shutdown, contains halt and reboot services plus the ability to release licenses for GB-Ware firewalls. Under the ADVANCED tab, selecting the disk purge options for country blocking, historical statistics, IPS, Mail Proxy and reporting will clean up all old files.

Figure 5.7: Shutting down the Firewall

Note

GTA recommends halting the system prior to disconnecting the firewall to ensure proper shutdown. Additionally, use the reboot feature as necessary.

Halt

HALT properly shuts down all services, preparing the firewall so it can be powered off. Once halted, the firewall must be restarted from the Console interface or be physically reset.

Reboot

REBOOT will restart the firewall.

Release License

Selecting RELEASE LICENSE will free licenses to be used by another firewall and will halt the system. This option is only available for GB-Ware firewalls using online licenses.


Audit Events

Audit Events, located at Monitor>Audit Events, contains a log of changes made by administrators to the firewall's configuration. Normal events are displayed in black text, while warnings and higher priority events are displayed in red. The audit events are divided into two sections: access and system.

Viewing Firewall Logs

Recent event messages are locally stored in a buffer on the firewall. The size of the buffer depends on the GTA Firewall UTM Appliance's memory configuration. When the buffer is filled, it will begin writing over the oldest data. Log messages are displayed in reverse order, with the most recent message appearing at the top.

Messages are written in the standard WebTrends Enhanced Log Format (WELF). Warning messages are displayed in red. For more information on interpreting log messages, refer to Reference E: Log Messages.

To view log messages, navigate to Monitor>System>Log Messages. The Log Messages menu allows log messages to be viewed in their entirety by selecting the All menu item, or filtered based upon menu selections such as Connections or Management.

The display is static; if you wish to update the list, click the REFRESH button, or configure the REFRESH button to automatically reload after a desired time frame.

Figure 5.8: Viewing Firewall Logs


Viewing Activity

The Activity section under the Monitor action button provides direct access to firewall account, network, threat management and VPN statistics. System data is continuously updated, so activity snapshots will always be current. Some statistics may not appear if they are not activated in your configuration. Data displayed on-screen is static; to update the displayed data, click the REFRESH button located along the top of the screen, or configure the REFRESH button to automatically reload after a desired time frame.

To review system activity, navigate to Monitor>Activity.

Note

All activity reported is based upon the firewall's Live Mode configuration.

Accounts

Accounts activity, located at Monitor>Activity>Accounts, displays statistics for authenticated users and failed authentication attempts.

Authenticated

Authenticated tracks access by users authenticated through the firewall with GBAuth for GTA, GB SSOAuth, LDAP and RADIUS authentication. The record includes:

• The outbound user's name as defined in Configure>Accounts>Authorization
• The LDAP configuration or the RADIUS configuration
• The GBAuth IDENTITY field
• The source IP address
• The user's group
• The number of minutes the user has been active, and when their lease expires (if applicable)

The last column, lease duration (time remaining), applies only to mobile VPN users. If a user is actively connected with the GTA Mobile VPN Client, the lease will renew each time a request is made. If the user remains inactive for the timeout period, the lease duration column will report an expiration until the license is required for another user or the original user renews the lease.

Note

Flush Authenticated Users: Flush will drop all authenticated users from the firewall. Users will need to re-authenticate.

Locked Out

Locked Out lists IP addresses from which unsuccessful login attempts exceed the threshold number of attempts set in the Configure>Accounts>Preferences LOCKOUT THRESHOLD field. A failed logon attempt occurs when the wrong firewall administration user name and/or password has been entered. The duration shows how long the IP address will be locked out and is expressed as a countdown; for example, if the administrator has set five minutes as the lockout duration, the counter will start at 00:05:00 and count down to zero (00:00:00). At that time, the user may again attempt logon from the IP address. When the lockout duration expires, the IP address will disappear from Locked Out.
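The lockout behaviour described above (threshold, countdown and expiry), modelled in Python as an added illustration. This is not GB-OS code; the class name, the injectable clock used so the countdown can be tested without waiting, and the sample addresses are hypothetical.

```python
"""Model of the Locked Out table: failed administration logins are counted
per source IP, an address whose failures exceed the LOCKOUT THRESHOLD is
locked for the configured duration, the remaining time is shown as an
HH:MM:SS countdown, and the entry disappears once it expires.
Added example, not GB-OS code; names here are hypothetical."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class LockoutTracker:
    threshold: int = 5                        # LOCKOUT THRESHOLD (attempts)
    duration_seconds: int = 300               # lockout duration (five minutes)
    clock: Callable[[], float] = time.time    # injectable for testing
    _failures: Dict[str, int] = field(default_factory=dict, init=False)
    _locked_until: Dict[str, float] = field(default_factory=dict, init=False)

    def is_locked(self, ip: str) -> bool:
        """True while the address is within its lockout window.  An expired
        entry is dropped here, so it vanishes from the table and its failure
        count starts fresh."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Count a wrong user name and/or password from ip.
        Returns True if the address is (now) locked out."""
        if self.is_locked(ip):
            return True
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count > self.threshold:            # attempts *exceed* the threshold
            self._locked_until[ip] = self.clock() + self.duration_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful logon clears the failure count for that address."""
        self._failures.pop(ip, None)

    def remaining(self, ip: str) -> Optional[str]:
        """Countdown as HH:MM:SS (e.g. 00:05:00 down to 00:00:00), or None
        when the address is not locked out."""
        if not self.is_locked(ip):
            return None
        secs = int(self._locked_until[ip] - self.clock())
        return "%02d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60)

    def locked_out_table(self) -> Dict[str, str]:
        """What the Locked Out screen would show: address -> countdown."""
        return {ip: self.remaining(ip)
                for ip in list(self._locked_until) if self.is_locked(ip)}


if __name__ == "__main__":
    tracker = LockoutTracker(threshold=3)
    for _ in range(4):                        # constructed sample address
        tracker.record_failure("203.0.113.5")
    print(tracker.locked_out_table())
```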

Sessions

Sessions displays recent firewall account sessions. Information displayed includes the user, the location from which the firewall was accessed, whether or not the user has administrative privileges, SSL and the duration of the session.


Network

Network activity, located at Monitor>Activity>Network, displays statistics for the ARP table, connections, routes and more.

ARP Table

Address Resolution Protocol (ARP) is used to dynamically map host addresses to Ethernet addresses. When an interface requests a routing map for an IP address not in the cache, ARP queues the message and broadcasts a request for the map on the associated network. If a response is provided, the new map is cached, and any pending message is transmitted.

ARP will queue at most one packet while waiting for a response to a map request and only the most recent packet is kept. If the target host does not respond after several requests, the host is considered to be down for a short period (20 seconds), allowing an error to be returned for transmission attempts during this interval. The error “host is down” indicates a non-responding destination host, and “host unreachable” indicates a non-responding router.

The ARP Table list displays the currently known ARP addresses. The list displays the IP address to MAC address translations and the TTL (Time to Live) for each entry. ARP table entries are kept for 20 minutes and are scanned every five (5) minutes to check for expired entries. Once an entry has expired, the firewall will not try to re-map the address for 20 seconds.

Flushing the ARP Table

Clicking the FLUSH X at the top will clear the cache of IP addresses resolved by the address resolution protocol and recorded in the ARP table.

Connections

Connections displays a list of currently active inbound and outbound connections by protocol, port, type, internal, NAT and address, route, time the connection has been active and/or idle, as well as packets and bytes that have been sent and received. Select and define the FILTERS to hide selected connection types from the display.

Figure 5.9: Connections


Hosts

Hosts appears only on firewalls with a restricted number of concurrent users. For the number of concurrent users licensed on your model, navigate to Monitor>System>Overview.

Hosts tracks and regulates outbound access. The number of licenses used is determined by the number of IP addresses from which outbound requests are currently being made. This count includes:

• Connections from a protected network to the external network
• Connections from a protected network to a PSN
• Connections from a PSN to the external network
• Outbound connections opened by a protected network or PSN when responding to requests

The record includes the outbound user’s IP address and lease duration (time remaining). If the user continues to send outbound requests, remaining active, the lease will renew each time a request is made. If the user remains inactive for the timeout period, the lease duration column will report “expired” until the license is required for another user or the original user renews the lease.

Routing

Routing displays the active routing tables for BGP, OSPF, RIP, Neighbor Discovery and normal routes, which can be helpful in troubleshooting routing problems. The list displays destination, gateway and flags. Flags are defined in the table below.

Table 5.1: Routes

Flag: Description

B: Recently discarded packets.
b: The route represents a broadcast address.
C: Generate new routes on use.
c: Protocol-specified generate new routes on use.
D: Created dynamically.
G: Destination requires forwarding by intermediary.
H: Host entry.
L: Valid protocol to link address translation.
M: Modified dynamically.
R: Host or network unreachable.
S: Static route, manually added.
U: Route is usable.
W: Route was generated as a result of cloning.
X: External daemon translates protocol to link address.
1: Protocol specific.


Statistics

Statistics displays the firewall's current connections by protocol (TCP, UDP, ICMP or other), together with utilization and bandwidth used. A summary of the information appears at the bottom of the list, including total packets, current average packets, peak average packets, date, CPU usage (percentage of user process, percentage of system process, percentage of interrupt, and percentage of idle) and firewall update.

Figure 5.10: Viewing Activity Statistics

Security Policies

Security Policies, located at Monitor>Activity>Security Policies, displays a list of policies for each of the policy types: Country Blocking, Inbound, Outbound, IPSec, Pass Through, PPTP, L2TP, SSL Client and Automatic. Information includes the policy's order in its policy list (index number), the number of hits (count) and a description of the policy. Inactive time-based policies have a red asterisk (*) next to the entry.

Services

Services, located at Monitor>Activity>Services, contains statistics on DHCP lease activity.

DHCP Leases

DHCP Leases lists DHCP-assigned IP addresses and their host identities.

If activated, DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses to internal hosts logging onto a TCP/IP network. It eliminates having to manually assign permanent IP addresses. DHCP dynamically updates DNS servers after making assignments.

Flushing DHCP Leases

Clicking the FLUSH X at the top will clear all DHCP-assigned IP addresses issued by the DHCP Server and recorded in the DHCP Leases table.


Threat Management

Threat Management, located at Monitor>Activity>Threat Management, contains statistics on IPS, the Mail Proxy Anti-Spam, Anti-Virus, and Content Filtering with Web Filtering.

Note

Mail Proxy Anti-Spam activities will not be available unless you have purchased and activated the Anti-Spam subscription option. See the Mail Proxy Feature Guide for more information.

Rejected emails are those for which a “message undeliverable” signal has been returned to the sender. Quarantined emails are those that have been sent to a quarantine email address. Other emails are delivered normally.

Percentages are relative to the total for the section. For example, the percentage of rejected Confirmed spam email is relative to the total number of email processed by Anti-Spam, and is not relative to the total number of email processed by the email proxy as a whole.

IPS

IPS displays a statistical summary of IPS activity.

Mail Proxy

Anti-Spam

Anti-Spam displays a statistical summary of the number of processed emails containing spam, the number of rejected emails (both suspected and confirmed), the number of quarantined emails (both suspected and confirmed), the total number of received emails of unknown status, and greylisting statistics.

Anti-Virus

Anti-Virus displays a statistical summary of the number of processed emails containing viruses, the number of rejected emails, the number of quarantined emails and the total number of confirmed viruses. The bottom table displays a current list of the most recent viruses identified by Anti-Virus.

Statistics

The Mail Proxy Statistics summary includes fields describing total connections, rejected and timed-out connections, as well as email processed by Mail Proxy's policies.

Access Control List statistics assist troubleshooting by indicating the count of messages that triggered a Mail Proxy policy of a given index number. The index and description columns describe which Mail Proxy policy was triggered by email of the given number (count). Because the last time the Mail Proxy policies were saved or changed may not be the time when the Mail Proxy engine was last initialized, the total count of Mail Proxy policy matches may be less than the total number of email processed by Mail Proxy.

Note

Not all email processed by the email proxy is necessarily processed by Anti-Spam or Anti-Virus, so these email totals may not be equivalent.

Content Filtering

The Content Filtering Statistics summary includes fields describing total Web access and the percentage denied, as well as policy counts with descriptions. Inactive time-based policies are marked with a red asterisk.


VPN

VPN, located at Monitor>Activity>VPN, displays IPSec tunnel statistics.

IPSec Tunnels

IPSec Tunnels displays all currently active IPSec tunnels. There is an inbound and an outbound tunnel for each VPN connection.

Table 5.2: IPSec Tunnels

Field: Description

Security Associations
Active: The percentage of active security associations.

Connections
Source: Source IP address of the gateway.
Destination: Destination IP address of the gateway.
Type: The type of VPN connection.
Hash Algorithm: The hash algorithm used by the VPN.
State: Values include larval, mature, dying and dead. Larval and dead states frequently pass too quickly to be observed.
Active: The amount of time the VPN connection has been active.
Idle: The amount of time the VPN connection has been idle.
Bytes: The number of bytes transferred by the connection.
Description: The description used in the IPSec tunnel's configuration for identification.


Reporting

The Reporting section, located at Monitor>Reporting, provides access to configurations, executive reports and historical statistics. Scheduling reports and defining graph preferences are available at Configure>Reporting.

Report Configuration

Navigate to Monitor>Reporting>Configuration to send via email, or download, the system configuration and reports.

1. Select the report FORMAT. 7-Zip and Zip require a password.
2. Customize the SUBJECT and COMMENT(S) fields as necessary.
3. Select the CONFIGURATION file and specify the REPORTS format to be included as attachments. Reports can be generated in 7-Zip, Zip, or HTML format. 7-Zip and Zip require a password.
4. If Email was selected as the FORMAT, enter the destination and origination email addresses.
5. Under Advanced, select the reports to be included.
6. Click SUBMIT at the top of the configuration page to download or email the configuration and reports.

Figure 5.11: Generating Configuration Reports


Generating Reports

Navigate to Monitor>Reporting>Reports to generate a report.

1. Select the TYPE of report to be generated. Options include Allowed, Country, Denied, Executive, Inbound, Mail Proxy, Network Traffic, Outbound, Web Filtering, System Resources and VPN.
2. Select the DURATION of the report to be generated. Options include Hourly, Daily, Weekly, Monthly or Yearly.
3. Select the FORMAT for the report. Options include HTML, MHTML, 7-Zip and Zip. Passwords are required for 7-Zip and Zip.
4. Under Advanced, modify the data that will be generated with the report as necessary. This list will change depending on the type of report selected.
5. Click SUBMIT at the top of the page to generate and download the report.

Figure 5.12: Generating Reports


Scheduling Reports

Reports can be scheduled by navigating to Configure>Reporting>Schedule. Edit an existing schedule or select Create New.

1. Check DISABLE to disable a scheduled report.
2. Enter a DESCRIPTION for the scheduled report.
3. Under Report, choose the TYPE of report to be generated. Options include Allowed, Country, Denied, Executive, Inbound, Mail Proxy, Network Traffic, Outbound, Web Filtering, System Resources and VPN.
4. Select the DURATION of the report to be generated. Options include Hourly, Daily, Weekly, Monthly or Yearly.

Note

Daily will include data from the past 24 hours, weekly the past 7 days, and monthly the past 30 days.

5. Select the language LOCALE.
6. Under Schedule, designate the frequency and time at which the report will run. Reports can be scheduled to run daily, weekly, or monthly.

Note

Reports scheduled to run monthly will run on the first of every month.

7. Under Email, customize the Subject line of the email as necessary. Enter the destination email address or email lists.

8. Under Advanced, select and modify the data that will be generated for the report as necessary. This list will change depending on the type of report selected.

9. Click OK to save changes.

Figure 5.13: Scheduling Reports


Graphs

Historical Statistics, located at Monitor>Reporting>Graphs, contains graphical information representing past activity. Activity is displayed in Hourly, Daily, Weekly, Monthly and Yearly graphs. The graphs are organized in the following main categories:

• System Resources - CPU, Memory Usage, Licenses Used, Security Associations
• Network Traffic - Connections, Packets Denied
• Bandwidth - Bandwidth, External, Protected
• Mail Proxy - Mail Proxy, SPAM, Rejected
• Web Filtering - Web Filtering, Categorized, Licenses Used

The current time period on each graph is an average, representing the last set of data points in the interval:

• Hour - average for the last 10 seconds of the period

• Day - average for the last 3 minutes of the period

• Week - average for the last 21 minutes of the period

• Month - average for the last 2 hours of the period

• Year - average for the last 18 hours and 15 min of the period

Figure 5.14: Historical Statistics (Network Traffic - Packets Denied shown)


Preferences

Report preferences are set by navigating to Configure>Reporting>Preferences.

1. Under GRAPHS, define the colors to be used for graph data. Enter the hex code or click to use the color picker to select a color.
2. Under HISTORICAL STATISTICS and REPORTING, administrators can enable storage. Storage options are INTERNAL or USB.
3. Click SAVE when finished.

Figure 5.15: Report Preferences


Updating Your Firewall's Software

GTA routinely publishes updates to GB-OS. These updates provide new features and enhanced security options. When GTA publishes an update to GB-OS, availability will be announced at Configure>Configuration>Runtime>Update in the AVAILABLE UPDATE(S) section.

In order to check for available updates, GB-OS requires that the firewall is registered in the GTA Online Support Center, that the firewall has access to the Internet and that SSL connections are allowed. Available updates are displayed depending on whether a current support contract exists for the GTA Firewall UTM Appliance.

If there is a current support contract, the following will be displayed:

• The highest available patch level upgrade
• The latest available version of GB-OS
• Any intermediate versions of GB-OS that are required to upgrade to the latest available version

If there is no current support contract, the following will be displayed:

• The highest available patch level upgrade
• The latest available version of GB-OS

Note

Updating the GB-OS runtime always takes place as a Live Mode change.

To check for and install updates to GB-OS:

1. Navigate to Configure>Configuration>Runtime>Update.
2. In the AVAILABLE UPDATE(S) section, click the CHECK NOW button.
3. Download the available runtime by clicking DOWNLOAD. The runtime will be stored on the firewall until installed. Rebooting the firewall or selecting CHECK NOW will remove the stored runtime.
4. Install the runtime by clicking INSTALL.

Figure 5.16: Updating GB-OS


Scheduling Checks for Automatic Updates

GB-OS can automatically check for eligible software updates. By enabling automatic updates, administrators can rest assured knowing their GTA Firewall UTM Appliance is operating the most current available version of GB-OS.

To schedule automatic runtime updates, navigate to Configure>Configuration>Runtime>Update.

Figure 5.17: Scheduling Automatic Updates

Table 5.3: Scheduling Automatic Updates

Field Description

Schedule Update Check

Enable Select the ENABLE checkbox to schedule automatic runtime updates.

Frequency Select the frequency that GB-OS will check for updates. Options are Daily and Weekly.

Day Select the day that GB-OS will check for updates.

Time Select the time that GB-OS will check for updates.

Email Notification Select the EMAIL NOTIFICATION checkbox to have GB-OS email the firewall administrator when a new runtime is available, or when an automatic update has been performed.

Performing a Manual Software Update

If a new version of GB-OS has been announced at Configure>Configuration>Runtime>Update, administrators can log into the GTA Support Center (https://www.gta.com/support/center/) to download the runtime. If you are not eligible for an upgrade, contact the GTA Sales staff ([email protected]) or your local GTA Channel Partner for information on support contracts.

Once the runtime has been downloaded, navigate to Configure>Configuration>Runtime>Update and click the ADVANCED tab. In the RUNTIME section, click the CHOOSE FILE button and select the runtime. The file will have an extension of .rtm. Select UPLOAD to upload the runtime file. GB-OS will then validate the file. If it is valid, the system will install it.

Figure 5.18: Manually Updating Your Firewall’s Software

Note

If upgrading to a major version (such as 6.1 to 6.2) new activation codes are required. The activation codes can be obtained from the GTA Support Center.


Chapter 6: Troubleshooting


Troubleshooting Guidelines

Log messages, reports and activity snapshots are your first resource for general troubleshooting. This section contains useful troubleshooting procedures and frequently asked questions for solving firewall configuration errors. GTA Support recommends the following guidelines as a starting point when troubleshooting network problems:

• Check your policies. Are the correct policies in place for the type of traffic you are trying to allow or disallow?

• Start with the simplest case of hosts directly attached to the firewall.

• Use IP addresses, not names. The problem could be DNS.

• Work with one network segment at a time.

• Verify your firewall system configuration by navigating to Configure>Verify. The verification check is the best method of ensuring that your system is configured correctly. Correct all errors and warnings listed.

• Your first tests should be connectivity tests. Ping and traceroute are very useful tools for testing connectivity.

• Make sure the network cabling is connected to the correct network interface. Some useful guidelines are:

  • Verify the network interface numbers, MAC addresses and logical names listed on the Monitor>System>Overview screen and in log reports.

  • Use the logical elimination method. Connect a network cable to the first network interface and use the ping facility to test for connectivity with a host on the desired network. If unsuccessful, move the cable to the next network interface and perform the test again. Repeat until successful, or all network interfaces have been tested.

  • View the hardware report located at Monitor>System>Hardware. Check the report to ensure all your network devices have been recognized by the system at boot time.


Frequently Asked Questions (FAQ)

Common configuration errors or questions are grouped by feature type. Select a question from the list below. If your question is not answered below, please contact GTA Support for more information.

Administration

I lost my user name and/or password. How can I log on to my firewall?
Why can’t I access the Web interface from the protected network?
How do I revert to my previous runtime after a version upgrade?

Network Connectivity

Why is my GB-250 or GB-250e periodically resetting services?
Which policy should I use?
How do I determine which rule or policy is causing rejected traffic?
Why can’t ALL hosts (computers and devices) behind the firewall reach the Internet?
Why can’t ONE host (computers and devices) behind the firewall reach the Internet?
I can’t access a tunnel that I have created. Why?
Why can’t I “see” or ping the protected network interface?
How do I bypass NAT, allowing no-NAT routing to an IP address on the internal network?
I get a bridging loop error message when I am in bridging mode.
My Microsoft Exchange server located on the PSN can’t find the PDC (Primary Domain Controller) on the protected network. Why?

Services and Options

IPS policies cannot be configured. Why?
I enabled Mail Proxy options. Why did the firewall automatically disable them?
My email quarantine does not work. Why?
Mail Proxy rejects too little email. Why?
Mail Proxy rejects too much email. Why?
Mail Proxy rejects all email. Why?

Hardware

Why are the interface’s green LEDs not lighting up?
I get an “alarm: Interface down” message.

Other

I get errors when using GBAuth. What do they mean?
AOL Web email access is blocked when I use Content Filtering. How do I allow it?

Automatic Backup

I get an error message “Hardware does not support USB devices.”
Firewall shows as not licensed for Cloud backup.


Administration

Q: I lost my user name and/or password. How can I log on to my firewall?

If login information has been irretrievably lost, a firewall can be reset to factory defaults, erasing all current configuration data and resetting both the case-sensitive user name and password to “fwadmin”.

CAUTION

Resetting the firewall will cause it to lose current configuration data. The configuration data can only be restored by loading a saved configuration, or by manually entering the information.

To reset your firewall to factory defaults, attach either a terminal (using a serial console cable), or a computer with terminal emulation software (using a DB-9 null-modem cable). Enter these settings for the console connection:

Table 5.1: Connecting to the Console Interface

Field Description

Emulation VT-100 or PuTTY

Port COM port connected via DB-9 cable to the firewall

Baud Rate 38400 or 115,200 (GB-300 and GB-850)

Data/Bit Rate 8

Parity None

Stop 1

Flow Control Hardware

Power on the GTA firewall. The following will be displayed:

GB-OS 6.x.x

loading ...

When the word “loading” appears, immediately press CONTROL-R. The system will begin to load, and configuration and hardware data will appear on screen. Finally, a confirmation question displays:

Are you sure you want to reset your firewall configuration?: (“yes” or “no”)

To reset to factory defaults, type the word “yes” in lower case letters. Typing any other key will reboot the system without resetting to defaults. If there is no input after two minutes, the firewall will continue its boot process.

Q: Why can’t I access the Web Interface from the protected network?

The default remote access policy set is generated from the configuration parameters entered in the Basic Setup Wizard or in the Configure>Network>Interfaces>Settings screen. It is possible that the firewall’s protected network interface is on a different subnet from your host. Enable automatic policies or check the remote access policy for the Web interface; it may need to be adjusted.


Q: How do I revert to my previous runtime after a version upgrade?

The firewall’s flash memory is in two sections (“slices”); one contains the current software version plus any saved configuration, the other contains the previous software version and configuration. A new firewall’s two memory slices are identical.

When the firewall is upgraded to a new runtime, the upgrade process automatically overwrites the memory slice not in use with the new software version and the existing configuration, leaving the production firewall version and configuration intact. When the firewall is rebooted, the updated memory slice will load by default.

To select a memory slice other than the default, navigate to Configure>Configuration>Runtime>Options.

CAUTION

Changing the active slice will cause the firewall to reboot.

Network Connectivity

Q: Why is my GB-250 or GB-250e periodically resetting services?

The GB-250 and GB-250e were designed for small business networks, yet offer a full complement of threat management and network services to allow administrators to select the features that best match their needs. In order to provide network administrators with the broadest range of choices, GTA offers all threat management features (Mail Proxy Anti-Spam, Mail Proxy Anti-Virus, and Content Filtering with optional Web Filtering) on the GB-250 and GB-250e. Additionally, many advanced network services (traditional and transparent proxy, authentication server, SNMP server, DHCP server, and VPN) are also available on these units.

However, the hardware specifications of these products necessitate limitations on utilizing every threat management and network service, as each additional service places greater demands on the firewall’s CPU and memory. Firewall administrators should carefully select which threat management features and network services to activate on the firewall, and monitor the results to prevent undesired interruptions of service.

By activating all threat management and network services it is possible to exceed the available resources of the GB-250 and GB-250e. Should enabled services exceed the GB-250 or GB-250e’s resources, administrators will notice that GB-OS will restart enabled services as they exceed available memory and will generate a log message. These periodic restarts may result in a temporary loss of enabled services or network connectivity. GB-250 and GB-250e administrators with multiple threat management services should monitor GB-OS log messages to ensure continuous network connectivity.

If the GB-250 or GB-250e consistently exceeds available memory, administrators should consider disabling unnecessary GB-OS services or reducing defined threat management settings. To assist administrators in evaluating threat management features and their impact on performance of these units, GTA offers 30 day evaluation versions of Mail Proxy Anti-Spam and Web Filtering. These evaluation versions may be requested at www.gta.com. If all services are desired, administrators may wish to consider one of GTA’s more powerful products, such as the GB-850, GB-2100 or GB-2500 Firewall UTM Appliance family, which are designed to meet the needs of more robust network implementations.

Q: Which policy should I use?

As packets flow into the firewall, they may be stopped, redirected or transformed depending on the types of policies that the packet ‘hits.’ If a packet succeeds through all possible checks and transformations, it is transmitted to a network destination on the other side of the firewall. But which policy set should you use to create your desired traffic flow to your desired destination? You must use policies to tell the firewall how traffic should be handled by the firewall’s logic.


Policies are enacted according to the firewall’s logical order. Based upon the type of packet, remote access, outbound, and/or pass-through policies may be required to permit a connection.

• Is the packet outgoing from a network protected by the firewall?

  • Create an outbound policy.

• Is the packet incoming to a network protected by the firewall (including from a PSN)?

  • If it has NAT or VPN tunnel encapsulation, create a remote access policy. If it has no NAT, or has had NAT removed during decapsulation, use a pass through policy. Note that for encapsulated traffic, this may mean that you need both a remote access and a pass through policy.

Also note that even if all your firewall policies are correct, a packet without a valid route cannot be delivered, even if it is allowed! If policies have been ruled out as the source of your problem, check routing settings.

Q: How do I determine which rule or policy is causing rejected traffic?

When the firewall evaluates a packet for acceptance or rejection, many rules may be used. However, they are not evaluated in a random order, but sequentially, and you can use this knowledge to help you trace conditions that may be causing firewall misconfiguration.

Order of evaluation is indicated on some screens by the index number (listed order on the screen) of a rule. Start by testing the configurations on the top of the page, and work your way down until all configurations have been tested. For example, a rule/policy with an index of 1 will be evaluated before a rule/policy with an index of 5, and should be tested first.

Q: Why can’t ALL hosts (computers and devices) behind the firewall reach the Internet?

This is usually a routing problem. The traceroute facility can be very useful in debugging routing problems. Check for these problems:

• Are the hosts that can’t reach the Internet on a different network subnet from the firewall?

• Have you added a static route on the firewall to tell it which router is used to reach the Internet? Have you set the router’s default route to be the firewall? Have you set the default route for hosts on the problem network to be the router or firewall?

• Is the wrong IP address assigned to the hosts or firewall? All network interfaces on the firewall must be on different logical networks.

• Is the default route incorrectly assigned? The default route should always be on the same subnet as the network interface of the host (this is true for all hosts, not just the firewall). For a firewall, the default route must be an IP address on the network which is attached to the network interface.

Note

When using PPP, PPTP or PPPoE, the default route is not necessarily on the same subnet. The route is assigned by your PPP provider.

Q: Why can’t ONE host (computers and devices) behind the firewall reach the Internet?

This may indicate that the default route is assigned incorrectly (or not at all) to hosts on the protected or Private Service Networks. All hosts protected by the firewall must use the IP address of the firewall’s network interface for the respective network. Hosts that reside behind routers or other gateways on these networks generally use the IP address of the gateway or router instead.


Q: I can’t access a tunnel that I have created. Why?

There are a few key points to remember about tunnels:

• You cannot access a tunnel from the protected network, since you can access the host directly (use the real IP address of the host).

• The source side of the tunnel must use an interface or alias that is on the external network for tunnels from the external network to the PSN or to the protected network.

• The source side of the tunnel must use an interface or alias that is on the Private Service Network for tunnels from the PSN to the protected network.

• You must have an inbound security policy that allows access to the tunnel from the host in question. A tunnel that has no inbound security policy, or an improperly configured policy assigned to it, will generate a blocked packet message to the log file. Policies can be defined by using the tunnel’s automatic policies, located under the Advanced tab, or by manually creating inbound security policies.

• Ensure that your tunnel is active. Check the Monitor section to verify that both your tunnel and remote access policies are active.

• Check the log messages for policy blocks when a remote host attempts to access the tunnel. If you see a block message, your remote access policy is most likely not configured correctly. If no block message appears, check the host that is specified as the target in the tunnel definition. The target host should have a default route configured, with the service in question running on the specified port. From the target host try to ping the remote host.

Q: Why can’t I “see” or ping the protected network interface?

You may have the wrong cable for your connection.

• For a direct connection (GTA Firewall to host or router) you need a crossover cable.

• For a connection to a hub or switch you need a straight-through cable.

A yellow crossover cable and grey straight-through cable may be included with hardware appliances.

Note

Distinguish between crossover cables and straight-through cables by comparing the connection ends. On a straight-through cable, the wire order matches; on a crossover cable: pins 1->3, 2->6, 3->1, 6->2.

Also check that your computer belongs to the same subnet as the IP address of the protected network interface.

Q: How do I bypass NAT, allowing no-NAT routing to an IP address on the internal network?

NAT is applied by default, using connection state tracking to hide and protect internal IP addresses from the external network. In some cases, it is desirable to bypass NAT and make an internal host’s IP address visible to the external network. To bypass NAT, use pass through.


Pass through connections require two main configuration aspects on the firewall:

• Hosts/Networks to define groups of hosts that may bypass NAT

• Policies to specify conditions (such as specific ports or times) pass through hosts/networks’ connections must satisfy to be accepted

Note that pass through hosts must have an externally routable IP address; internal (RFC 1918) IP addresses (e.g. 192.168.1.2) cannot be used with pass through, because they do not have valid routes. Additionally, some paths may need to be added to external routers, indicating the firewall’s external interface as the gateway for the pass through hosts/networks.

Because pass through bypasses NAT, its policies are bidirectional: they can allow both inbound and outbound connections from pass through hosts/networks. An outbound policy is not necessary.
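The routing FAQs above (all hosts or one host unable to reach the Internet) and the pass through note reduce to a handful of address checks: firewall interfaces on distinct logical networks, a default gateway on the subnet of the interface that reaches it (except for PPP-assigned routes), a host pointing its default route at the firewall’s address on its own network, and pass through hosts outside RFC 1918 space. The following is an added example, not code from the guide or from GTA; it uses the standard library’s ipaddress module, and every interface, gateway and host address in it is constructed for illustration.

```python
"""Added example (not part of the GB-OS guide): sanity checks for the routing
and pass-through conditions listed in the troubleshooting FAQs, built on the
standard library's ipaddress module. All addresses below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 ranges, which the guide says cannot be used with pass through
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall interface assignments; PSN deliberately overlaps PROTECTED
FIREWALL_INTERFACES = {
    "EXTERNAL": "203.0.113.2/29",
    "PROTECTED": "192.168.1.1/24",
    "PSN": "192.168.1.129/25",
}


def overlapping_interfaces(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap. The FAQ requires every
    firewall interface to be on a different logical network."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def default_route_on_link(interface_cidr: str, gateway: str, ppp: bool = False) -> bool:
    """A default gateway must lie on the subnet of the interface used to reach it.
    The exception the guide notes: a route assigned by a PPP/PPTP/PPPoE provider."""
    if ppp:
        return True
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(interface_cidr).network


def host_uses_firewall_as_gateway(host_cidr: str, host_gateway: str,
                                  interfaces: Dict[str, str]) -> bool:
    """For the 'one host cannot reach the Internet' case: a host directly behind
    the firewall should point its default route at the firewall's address on
    that same network."""
    host_net = ipaddress.ip_interface(host_cidr).network
    gw = ipaddress.ip_address(host_gateway)
    return any(ipaddress.ip_interface(c).ip == gw and gw in host_net
               for c in interfaces.values())


def pass_through_problems(hosts: List[str]) -> List[str]:
    """Pass-through hosts must be externally routable; return those in RFC 1918 space."""
    return [h for h in hosts if any(ipaddress.ip_address(h) in n for n in RFC1918)]


if __name__ == "__main__":
    print("overlapping interfaces:", overlapping_interfaces(FIREWALL_INTERFACES))
    print("external gateway on link:", default_route_on_link("203.0.113.2/29", "203.0.113.1"))
    print("host gateway ok:", host_uses_firewall_as_gateway("192.168.1.50/24", "192.168.1.1",
                                                            FIREWALL_INTERFACES))
    print("pass-through problems:", pass_through_problems(["203.0.113.5", "192.168.1.2", "10.0.0.9"]))
```

Run against the constructed interface table, the overlap check reports the PROTECTED/PSN pair, which is exactly the “all interfaces on different logical networks” condition the FAQ asks you to verify before looking at policies.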

Q: I get a bridging loop error message when I am in bridging mode.

A bridging loop message indicates a physical loop in the network cabling.

Feb 2 02:04:30 pri=4 msg="Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 eth1->eth0 (muted)" src=199.120.225.53 dst=224.0.0.18

Check physical wiring of hubs and switches to be sure there are no crossed wires. Bridged networks must be physically isolated.

Q: My Microsoft Exchange server located on the PSN can’t find the PDC (Primary Domain Controller) on the protected network. Why?

Normally, NetBIOS locates the primary domain controller (PDC) and other peer hosts by using broadcast packets. Since the firewall blocks all broadcast packets, another method of locating the PDC needs to be used. The solution is to use an LMHOSTS file with an entry for the PDC, provide a conduit for NetBIOS traffic to the PDC via a tunnel, and allow access via remote access policies.

1. Create an LMHOSTS file and insert an entry for the PDC. This entry will use the PDC’s NetBIOS name, the NetBIOS domain name, and the PSN interface IP address where the tunnel will be created.

2. Create three tunnels from the PSN interface to the PDC for NetBIOS services:

  UDP 137 - NetBIOS name resolution
  UDP 138 - NetBIOS datagrams
  TCP 139 - NetBIOS data transfer

3. Create three remote access policies that allow the MS Exchange server on the PSN to access the three tunnels you created in step 2.

4. Reboot the Microsoft Exchange server.

Services and Options

Q: IPS policies cannot be configured. Why?


If IPS settings are initially configured using the IPS Setup Wizard, the IPS Proxy will persistently use settings defined by the wizard. As a result, settings in the IPS policies screen will be locked. To unlock settings defined by the IPS Setup Wizard and to manually configure IPS policies, navigate to Configure>Threat Management>IPS>Proxy and disable the PERSISTENT checkbox in the WIZARD SETTINGS section.

Q: I enabled Mail Proxy options. Why did the firewall automatically disable them?

Mail Proxy Anti-Spam and Anti-Virus require Internet access over TCP port 443 (SSL) in order to authorize and update from GTA servers. If Mail Proxy cannot access GTA servers (*.gta.com) on TCP port 443, or if there is no DNS Proxy or Service enabled, then the email proxy may wait for the option authentication that it cannot get; if the SSL connection times out, the email proxy will disable Mail Proxy options and continue processing email according to standard policy rules.

The email proxy will then log that it has disabled the options, and will periodically check for Internet SSL connection restoration. If the connection is restored and activation codes are valid, the email proxy automatically re-enables those options that were automatically disabled.

To correct this problem, check that your network allows SSL connections to the Internet over an external network interface (no routing rules may deny port 443). Use ping and traceroute to verify connectivity to the Internet, including gta.com and its sub-domains, and check all routers that may block Internet SSL access.

Q: My email quarantine does not work. Why?

An email quarantine object must be an address object that contains only a single email address such as [email protected]. It is not valid to enter only the domain name of your email server; your quarantine object must have a full email address that contains an account as well as a domain name. Use of wild card (regular expression) characters is also not allowed.

If you wish to use multiple email addresses as quarantines in different firewall configuration areas, you should create one quarantine address object per quarantine email address. For example, if you wish to separate suspect spam email and virus email, you might create address objects named “Suspect Quarantine” (containing [email protected]) and “Virus Quarantine” (containing [email protected]).

Q: Mail Proxy rejects too little email. Why?

First check that your email proxy policies reject those domains or IP address ranges that are known spam servers. Remember that email proxy policies evaluate in the order they are listed. Make sure that an all-accepting policy is listed underneath those exclusion policies, so that email is not accepted before it has been tested against the spam domain rules.

Check the specific policy that you expected the email to match for configuration errors that may cause failed matches. Correct configuration errors in any policies before they may cause a premature match.

To rule out either Anti-Spam or Anti-Virus options as a source of the problem, uncheck all of the ENABLE check boxes in the Anti-Spam and Anti-Virus sections of your email proxy’s access control lists (policies). When you re-enable Anti-Spam and Anti-Virus in each policy, be sure to do it one at a time so you can narrow down the source of the misconfiguration.

Note

The Mail Proxy System Activity report can provide useful diagnostic information to determine whether Mail Proxy options are causing email rejection.

Indicating a large maximum email file size in either the EMAIL TO BLOCK or Anti-Virus sections of your email proxy policy will allow larger email through. To limit the size of email that your firewall accepts for transmission, reduce the maximum file size to a small, non-zero number.

Be sure to allow external Internet access from your firewall to the Internet. Mail Proxy uses various servers to keep its options up-to-date; if you have routing rules preventing this access, your options may lapse or use old spam and virus definitions, allowing newer spam and viruses through.

Note

A maximum size of zero does not mean that only zero-sized email will be considered; instead, it means that the size limit consideration has been removed from the policy.

If you notice that some spam email is still not being caught by Anti-Spam, consider adjusting your Anti-Spam threshold or greylisting options to a more aggressive setting. You might also choose to restrict Suspect category email as well as Confirmed category email. Additional use of a MAPS (a kind of real-time black list, or RBL) can also help.

Q: Mail Proxy rejects too much email. Why?

When the firewall evaluates a packet for acceptance or rejection, many rules may be used. It is important to check other rules such as routing rules before investigating Mail Proxy policy rules.


Remember that email proxy policies evaluate in the order they are listed. Make sure that any white list policies are listed above any black list policies, so that email is not rejected before it has been tested for a known-good email address.

To rule out Mail Proxy options as a source of the problem, un-check the ENABLE check box in the ANTI-SPAM and ANTI-VIRUS headings of your email proxy’s access control lists (policies). When you re-enable Anti-Spam and Anti-Virus, be sure to do it one at a time so you can narrow down the source of the misconfiguration.

Note

The Mail Proxy System Activity report can provide useful diagnostic information to determine whether options or other policy rules are causing email rejection.

Indicating a small maximum email file size is also a common cause for rejected email. Indicating a low threshold for the Anti-Spam categories can also be a common cause.

Q: Mail Proxy rejects all email. Why?

If your firewall rejects all email, first check to see that email TCP ports (especially the standard SMTP port 25) have not been filtered out in other policies, and that your email proxy is enabled. If your firewall accepts port 25 connections but still rejects all email, check your email proxy’s policy settings. If your policies are set to reject email fitting your rules and all email matches your rules, all email will be rejected. Make sure you have at least one email proxy policy set to accept email; denial-type policies or an absence of policies will cause email to be rejected.

Note

The Mail Proxy activity reports (Monitor>Activity>Threat Management>Mail Proxy) can provide useful diagnostic information to determine whether Mail Proxy options or other policy rules are causing email rejection.

Additionally, if all email servers are listed on your MAPS, all email could be rejected.
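The three Mail Proxy FAQs above (too little rejected, too much rejected, all rejected) and the earlier “which rule is causing rejected traffic” answer all come down to first-match evaluation over an ordered policy list. The following is an added example, not code from the guide or from GTA: a small first-match evaluator with a lint that flags policies shadowed by an earlier catch-all, which is what an all-accepting policy listed above the exclusions produces. The MailPolicy fields (index, action, sender domain glob, source network) and all three policy sets are constructed for illustration and do not reflect GB-OS’s own data model.

```python
"""Added example (not part of the GB-OS guide): a first-match evaluator for an
ordered list of mail proxy policies, plus a lint that flags policies shadowed
by an earlier catch-all. The MailPolicy fields and all policy sets here are
constructed for illustration and are not GB-OS's own data model."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MailPolicy:
    index: int                        # listed order; lower index is evaluated first
    action: str                       # "accept" or "reject"
    sender_domain: str = "*"          # glob over the sender's domain
    source_net: str = "0.0.0.0/0"     # connecting mail server's network

    def matches(self, sender_domain: str, source_ip: str) -> bool:
        return (fnmatch.fnmatchcase(sender_domain.lower(), self.sender_domain.lower())
                and ipaddress.ip_address(source_ip) in ipaddress.ip_network(self.source_net))

    def covers(self, other: "MailPolicy") -> bool:
        """True when every message matching `other` would already have matched self."""
        domain_ok = (self.sender_domain == "*"
                     or self.sender_domain.lower() == other.sender_domain.lower())
        net_ok = ipaddress.ip_network(self.source_net).supernet_of(
            ipaddress.ip_network(other.source_net))
        return domain_ok and net_ok


def first_match(policies: List[MailPolicy], sender_domain: str,
                source_ip: str) -> Optional[MailPolicy]:
    """Walk the policies in index order and return the first one that matches."""
    for policy in sorted(policies, key=lambda p: p.index):
        if policy.matches(sender_domain, source_ip):
            return policy
    return None


def decide(policies: List[MailPolicy], sender_domain: str, source_ip: str) -> str:
    """No matching policy means the message is rejected, which is why a policy
    set with no accept entry (or no policies at all) rejects all mail."""
    hit = first_match(policies, sender_domain, source_ip)
    return hit.action if hit else "reject"


def shadowed(policies: List[MailPolicy]) -> List[int]:
    """Indices of policies that can never be reached because an earlier policy covers them."""
    ordered = sorted(policies, key=lambda p: p.index)
    return [later.index for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


# Constructed: accept-all listed first, so the exclusions below it never fire
MISORDERED = [
    MailPolicy(1, "accept"),
    MailPolicy(2, "reject", sender_domain="*.spam-example.test"),
    MailPolicy(3, "reject", source_net="198.51.100.0/24"),
]

# Constructed: exclusions first, accept-all last
CORRECTED = [
    MailPolicy(1, "reject", sender_domain="*.spam-example.test"),
    MailPolicy(2, "reject", source_net="198.51.100.0/24"),
    MailPolicy(3, "accept"),
]

# Constructed: only reject policies, so every message is rejected
REJECT_ONLY = [MailPolicy(1, "reject", sender_domain="*.spam-example.test")]

if __name__ == "__main__":
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
    print("MISORDERED decision:", decide(MISORDERED, "mail.spam-example.test", "198.51.100.7"))
    print("CORRECTED decision:", decide(CORRECTED, "mail.spam-example.test", "203.0.113.9"))
```

The lint is the useful part when reading a long policy list: a non-empty result from `shadowed` tells you which index numbers to look at first, following the guide’s advice to test from index 1 downward.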

Hardware

Q: Why are the interface’s green LEDs not lighting up?


This indicates that you do not have network connectivity.

Make sure all cables are functional, the firewall is powered on, and the connected computers are correctly configured.

You may have selected the wrong network connection type. Check under the ADVANCED tab in Configure>Network>Interfaces>Settings to ensure the appropriate connection type is selected. If you have selected one of the specific settings, try resetting to Auto, the factory setting.

Q: I get an “alarm: Interface down” message.

An interface down error message indicates that an interface has dropped.

Feb 2 13:44:18 pri=4 msg="alarm: Interface EXTERNAL (rl1) down" type=mgmt

This could be caused by a loose or disconnected cable or disconnected Internet service.
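The bridging loop and interface down answers each quote one log line in the same key=value format, and the troubleshooting guidelines open by calling log messages the first resource. The following is an added example, not code from the guide or from GTA: a parser for that line format with classifiers for the two alarms discussed in this chapter, so a batch of exported log lines can be reduced to a count per alarm type. The first two sample lines are the ones printed in the guide; the third is a constructed filler line whose message text is not a real GB-OS message, and the field names beyond those visible in the quoted lines are not assumed.

```python
"""Added example (not part of the GB-OS guide): a parser for log lines in the
key=value format the guide quotes, with classifiers for the two alarm types
discussed in this chapter. The first two sample lines are the ones printed in
the guide; the third is a constructed filler line, not a real GB-OS message."""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Feb 2 02:04:30 pri=4 msg="Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 eth1->eth0 (muted)" src=199.120.225.53 dst=224.0.0.18
Feb 2 13:44:18 pri=4 msg="alarm: Interface EXTERNAL (rl1) down" type=mgmt
Feb 2 13:44:25 pri=6 msg="constructed filler entry" type=mgmt
"""

# "Mon DD HH:MM:SS" followed by key=value fields
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# key="quoted value with spaces" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOOP_RE = re.compile(r"Bridging loop \((\d+)\) ([0-9a-f:]+)->([0-9a-f:]+) (\w+)->(\w+)")
IFDOWN_RE = re.compile(r"alarm: Interface (\S+) \((\S+)\) down")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a line into its timestamp and key=value fields; returns None if the
    line does not start with the expected timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m.group("ts")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return fields


def classify(fields: Dict[str, str]) -> Dict[str, str]:
    """Recognise the two alarms this chapter explains; everything else is 'other'."""
    msg = fields.get("msg", "")
    event = {"timestamp": fields["timestamp"], "kind": "other", "msg": msg}
    loop = LOOP_RE.search(msg)
    if loop:
        # A loop message names the frame's MAC pair and the interfaces it was seen crossing
        event.update(kind="bridging_loop", count=loop.group(1), src_mac=loop.group(2),
                     dst_mac=loop.group(3), in_if=loop.group(4), out_if=loop.group(5))
        return event
    down = IFDOWN_RE.search(msg)
    if down:
        # Logical interface name and the underlying device, e.g. EXTERNAL (rl1)
        event.update(kind="interface_down", interface=down.group(1), device=down.group(2))
    return event


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Parse and classify every non-empty line, skipping lines that do not parse."""
    parsed = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [classify(fields) for fields in parsed if fields]


def summarize(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count events per kind; repeated bridging loops or interface flaps stand out here."""
    return dict(Counter(event["kind"] for event in events))


if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG):
        print(event["timestamp"], event["kind"], event["msg"])
    print(summarize(analyze(SAMPLE_LOG)))
```

A growing `bridging_loop` count points at the cabling check the answer above prescribes, while a `interface_down` entry gives you the device name (rl1 in the quoted line) to match against the Monitor>System>Hardware report.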

Other

Q: I get errors when using GBAuth. What do they mean?

GBAuth requires use of remote access policies, users, SSL certificates, and authorization services on your firewall. GBAuth 1.1.2 and Java Runtime Environment 1.4 are also required to be installed on the client computer. If any of these are set up improperly, if your password or other entry was incorrect, or if you are using an older version of GBAuth, errors may be generated.

RMCAuth: Command ‘authLoginGet’ (400) rejected, incorrect size errors may be caused by using an older version of GBAuth. This error is logged on the firewall as well as displayed on the GBAuth client. To correct this error, upgrade to GBAuth 1.1.2.

IOException errors generally refer to inability to form a network connection (e.g. incorrect remote access policies cause traffic denial by the firewall and the connection times out, or incorrect Firewall field entry) or problems with the SSL certificate (e.g. the computer and firewall have out-of-sync clocks so that according to the computer’s clock, the SSL certificate has not yet become valid).

Verify your remote access policies, network connections and your computer’s clock. If you have repeated “java.security.cert.CertificateException: Certificate not yet valid.” problems with SSL certificates due to your computer’s or firewall’s clock, you may wish to use an NTP service such as the firewall’s Network Time Service to keep its clock correct.

Q: AOL Web email access is blocked when I use Content Filtering. How do I allow it?

AOL uses pr.atwola.com, an advertisement server, to redirect to Webmail.aol.com. If Web Filtering is set to block the Advertisement category, access to pr.atwola.com will be blocked, and Webmail.aol.com will never be reached.

To allow AOL Web email access, first create an address object of type Content Filtering that contains pr.atwola.com. Next, create a Content Filtering policy that uses the address object as the local allow list. AOL Web email should now be accessible.

Automatic Backup

Q: I get an error message “Hardware does not support USB devices.”


Confirm hardware USB ports are properly functioning and enabled. GB-250 Rev A devices do not support USB devices.

Q: Firewall shows as not licensed for Cloud backup.

Confirm that DNS is configured. Confirm a valid support or maintenance contract. Cloud backup and restore requires a valid support or maintenance contract.


Reference A: User Interface

GB-OS introduces an updated user interface with this release. Used as the primary interface, it includes comprehensive administrative access and user-friendly hints.

A second interface, the console, is primarily a fail-safe. It is used for resetting a misconfigured firewall to default, recovering a GTA firewall and for basic configuration. The console interface has limited functionality.

Note

See the Console Interface User’s Guide for additional information on using the Console interface.

In this reference, the Web interface is illustrated and described, including navigation, tool bars, menu items and buttons.

For configuration, use the setup chapters of this user’s guide.

Web Interface

The Web interface is platform-independent and can be used on any frames-capable, JavaScript-enabled browser such as Internet Explorer, Apple Safari or Mozilla Firefox running on platforms such as Windows, Mac and Unix.

Figure A.1: The Web Interface


Features

• SSL Encryption Option
• Secure administration from any location connected to the Internet
• Intuitive browser-based user interface
• Platform-independent, compatible with most browsers and platforms
• Immediate modification as changes are saved to the firewall
• Live Mode and Test Mode configurations

Web Interface Access

By default, the firewall’s Web server operates on the standard SSL-encrypted port 443.

Characteristics

• Changes take place immediately upon saving when operating in Live Mode
• Re-sizing the browser window will change the size of the main screen
• Password authorization is persistent for a session
• The firewall contains a built-in Web server that only serves the firewall’s remote administration Web pages; it cannot be used for other purposes
• The factory default user ID and password are both fwadmin

How to Access the Web Interface

To access the Web interface, start a JavaScript-enabled, frames-capable Web browser.

Enter the IP address or host name of the firewall’s protected network interface as a URL in the address/location field (e.g. https://192.168.71.254). If your computer does not have an IP address on the same logical network as the firewall’s protected network interface, you will need to adjust the remote access policy that controls access.

CAUTION

Firewall login persists until the user quits the browser application. To prevent unauthorized access, remember to quit the browser application.


Navigation and Data Entry

The Web interface uses HTML frames to subdivide the browser’s display. The main parts of the Web interface screen are:

• Menu: Provides access to all command functions.
• Main Window: Work area where data is entered and displayed.
• Hints: Brief explanations of the functions of the section being worked on.

Menu

The menu is the main navigation tool, and is displayed on the left side of the browser window. There are four main categories within the menu:

• Wizards: Contains setup wizards.
• Configure: Contains settings and options for configuring the GTA Firewall UTM Appliance.
• Monitor: Contains an overview based on the GTA Firewall UTM Appliance’s log files.
• SSL: Contains the set up for the SSL Browser.
• Support: Contains helpful links and documentation.

Each category is divided into sections. When selected, sections expand to reveal items in a functional area. Click on functions within the sections to display their configuration screen. While optional features will appear within sections on your GTA Firewall UTM Appliance, they will not be functional until a valid activation code has been entered.

Figure A.2: Menu Categories

Verification Icons

The menu is dynamically updated to display the verification status of a configuration area. Icon states move up through the menu tree. Errors take precedence over warnings, and warnings take precedence over verified settings. Thus, menus that contain configuration screens with both errors and warnings will be identified with an error icon.

Table A.1: Verification Icons

Default Settings: Menu items with a grey icon are either using default settings or cannot be configured (such as Summary display screens, which do not contain configuration options).

Verified: Menu items with a green icon have been verified to be configured correctly and should not conflict with the firewall’s configuration.

Warning: Menu items with a yellow icon may be configured incorrectly and can conflict with the firewall’s configuration.

Error: Menu items with a red icon are verified to be configured incorrectly and can conflict with the firewall’s configuration.
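Added example (not part of the GB-OS guide or product code): a small Python model of the roll-up rule described above, where each menu shows the highest-precedence state among its own screen and all of its descendants. The menu tree and the menu names in it are constructed for illustration only.

```python
"""Model of GB-OS verification icon roll-up (added example, not product code).

Each configuration screen has its own state (default, verified, warning,
error).  A menu above it shows the worst state found anywhere beneath it,
so a menu holding both a warning and an error shows the error icon.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Precedence as the guide states it: error > warning > verified > default (grey).
PRECEDENCE = {"default": 0, "verified": 1, "warning": 2, "error": 3}


@dataclass
class MenuNode:
    name: str
    own_state: Optional[str] = None          # None: a pure menu with no screen of its own
    children: List["MenuNode"] = field(default_factory=list)


def rolled_up_state(node: MenuNode) -> str:
    """Icon state displayed for `node`: the highest-precedence state among
    its own screen and every descendant screen."""
    states = [node.own_state] if node.own_state else []
    states += [rolled_up_state(child) for child in node.children]
    if not states:
        return "default"                     # empty menu: nothing to verify, grey icon
    for s in states:
        if s not in PRECEDENCE:
            raise ValueError(f"unknown verification state: {s!r}")
    return max(states, key=PRECEDENCE.__getitem__)


def icon_map(root: MenuNode) -> Dict[str, str]:
    """Flatten the tree into {menu path: icon state} for every node."""
    result: Dict[str, str] = {}

    def walk(node: MenuNode, path: str) -> None:
        here = f"{path}>{node.name}" if path else node.name
        result[here] = rolled_up_state(node)
        for child in node.children:
            walk(child, here)

    walk(root, "")
    return result


def build_sample_tree() -> MenuNode:
    """Constructed sample tree loosely modelled on the Configure menu."""
    return MenuNode("Configure", children=[
        MenuNode("Configuration", children=[
            MenuNode("Summary", "default"),   # display-only screen, grey icon
            MenuNode("Apply", "verified"),
        ]),
        MenuNode("Network", children=[
            MenuNode("Interfaces", "warning"),
            MenuNode("Routing", "error"),     # hypothetical screen name
        ]),
        MenuNode("Security Policies", "verified"),
    ])


if __name__ == "__main__":
    for path, state in icon_map(build_sample_tree()).items():
        print(f"{state:8s} {path}")
```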


Main Window

The main window displays screens selected from the menu located along the left hand side of the screen. The main window can be broken down into three sections:

1. Control Bar: Contains screen buttons that vary depending on the nature of the display.
2. Display Screen: The main work area where data is entered and displayed.
3. Hints: Displays a brief summary of the nature of the display screen.

By clicking the LIVE or TEST tab you can change the firewall’s configuration mode. When the firewall is operating in Test Mode, the background behind the Hints area will change to a construction theme. The hints area can be hidden to maximize workspace by clicking the arrow in the HINTS tab. When the hints area is hidden, clicking either tab will make the hints area reappear.

Figure A.3: Main Window Displaying the Control Bar (Red), Display Screen (Green) and Hints (Blue)

Advanced Tab

The ADVANCED tab allows for the configuration of additional settings that are generally not required for basic configuration. By default, advanced configuration settings are hidden by the ADVANCED tab. To reveal advanced configuration settings, click the ADVANCED tab.

Figure A.4: Advanced Tab

Note

For information on settings available under advanced tabs, please refer to Advanced Setup Tasks and Reference B: System Parameters.


Buttons and Icons

Screen Buttons

Screen buttons, located along the top of the Web interface, allow the user to navigate, manipulate data and display information. Not all buttons are always displayed; they only appear when they pertain to the data being displayed.

Table A.2: Screen Buttons

Back: Goes back to the previous screen or sorts backwards through IPS policy rows.

Copy: Copies the selected list entry to memory.

Default: Uses default values for a list or configuration screen.

Delete: Deletes the selected items.

Add: Adds a new row in the network settings, address objects, service groups, time groups, account groups, DHCP static leases, DNS hosts and DNS subnet sections.

Duplicate: Duplicates the selected list item.

Edit: Allows editing of the selected list item.

Filter: Filters displayed list items according to specific criteria.

Forward: Sorts forwards through IPS policy rows.

New: Creates a new list item or object.

OK: Applies changes to the modified list entry.

Paste: Pastes a copied list entry from memory.

Print: Prints the displayed screen.

Refresh: Refreshes the displayed screen.

Reset: Resets the configuration screen to initial values.

Save: Saves the section and applies it to the firewall’s configuration.

Sort: Re-sorts the index order.

Sync: Synchronizes a configuration section from Live mode to Test mode. Only available in Test mode.


List Icons

List icons, which are always the left-most object in a table’s row, provide quick at-a-glance information regarding the line item.

Table A.3: List Icons

General List Icons

Locked: Indicates that the list entry is built-in and cannot be modified. To edit a locked list entry, select the DUPLICATE button to duplicate the item’s configuration into a new object or policy.

Edit: Indicates that the list entry is editable. If the icon is greyed out, then the list item has been disabled.

Configure>Accounts

Admin Status: Indicates the status of the configured administrator account. If the icon is greyed out, then the administrator account has been disabled.

User Status: Indicates the status of the configured user account. If the icon is greyed out, then the user account has been disabled.

Groups: Indicates the status of the configured group. If the icon is greyed out, then the group has been disabled.

Download: Select to download the user configuration and policies.

Configure>Network>Interfaces>Settings

Interface Status: Indicates the status of the configured logical interface. A green, upwards pointing arrow means the interface is up, while a red, downwards pointing arrow means the interface is down.

Configure>Security Policies / Configure>Threat Management>IPS>Policies

Accept: Indicates the status of the configured policy of type accept. If the icon is greyed out, then the policy has been disabled.

Deny: Indicates the status of the configured policy of type deny. If the icon is greyed out, then the policy has been disabled.

Flags

Flags are displayed along the top of the Web interface when the configuration screen contains an error, a warning or if the screen’s Test mode settings differ from the screen’s Live mode settings.

Table A.4: Flags

Warning: Indicates a verification warning. The flag is hyperlinked to the configuration screen’s verification section in Configure>Verify.

Error: Indicates a verification error. The flag is hyperlinked to the configuration screen’s verification section in Configure>Verify.

Test mode: Indicates that the configuration screen’s Test mode settings differ from the screen’s Live mode settings. The flag is hyperlinked to Configure>Configuration>Apply.


Index Numbers

Index numbers are used in lists. In some instances they are editable, allowing the data to be resorted based on importance. For instance, since policies are evaluated in sequential order, sorting the order affects their primacy.

To sort editable index numbers, simply enter new values corresponding to the order you wish to sort the table rows and click SORT or save the configuration screen to update the listing.

Figure A.4: Index Numbers

Note

Sorting will not take effect until the section has been saved.

Text Fields

Text fields allow the user to enter data by typing.

Pull Down Menus

Values available in pull down menus vary by the configuration screen in which they are found. Click on the downward pointing arrow to open a pull down menu, then click on an item to select it. An item labeled as <* EDIT *> will allow for the configuration of a new configuration object. An item labeled with three question marks, <???>, indicates an unknown value. Fields with a value of <???> require information in order to be used in the configuration being attempted.

Figure A.5: Pull Down Menus


System Overview Screen

The Overview screen, initially displayed after successfully logging on to a configured firewall, displays a snapshot of the firewall’s current status. Displayed data includes the current state of the firewall’s interfaces, CPU and memory usage, traffic flow, and more.

The Overview screen can be accessed by clicking next to the GTA logo at top of the Web interface, which acts as a shortcut. Additionally, the Overview screen can also be viewed by navigating to Monitor>System>Overview.

When working in Live mode, EDIT buttons will be available next to editable fields. When working in Test mode, the Overview screen will only display configuration data and will not be editable.

Figure A.5: System Overview Shortcut

At the top of the Overview screen, the REFRESH button also includes a drop down menu to select a time frame after which the page will automatically refresh. Available time fields are: Off, 30 seconds, 1 minute, 5 minutes and 10 minutes.

Figure A.6: Refresh Button

The Overview screen displays the following containers:

• AUDIT EVENTS contains a log of activity performed by administrators to the firewall’s configuration.

• VERIFICATION displays the number of verification warnings and errors in the GB-OS configuration.

• RUNTIME displays the GB-OS version the GTA Firewall UTM Appliance is running, the current slice, whether updates are available and the last update check. If a runtime update has been downloaded, but not yet installed, the update status will be displayed here.

• SYSTEM displays basic information regarding the firewall’s configuration, such as the firewall administrator, host name, product, license, serial number, date/time and firewall uptime.

• HISTORICAL STATISTICS displays graphical information representing past activity. Categories include CPU Usage, Memory Usage and Security Associations. By placing the mouse over each graph, a larger graph will display. Clicking on any of the graphs will open the Historical Statistics screen.

• ACTIVATION CODES displays all entered activation codes.

• INTERFACES provides a summary view of the firewall’s logical interfaces and their status (up or down).

• SYSTEM RESOURCES gives an overview of the firewall’s CPU usage, memory usage and security associations. It also shows the enabled/disabled status of the High Availability feature, with total user licenses and feature licenses shown as a percentage used. The percentage used of the GTA SSL Browser and Client licenses and of the IPSec/L2TP/PPTP licenses is also displayed.

• NETWORK TRAFFIC shows the amount of denied packets from policy blocks, the number of active connections to the firewall as well as current and peak bandwidth usage.

• CONTRACTS displays current contracts and licenses for GB-OS, Mail Proxy Anti-Spam, Anti-Virus, IPS, Web Filtering, and support contracts. The date/time of the last update check is also displayed.

• ANTI-SPAM displays information on Anti-Spam activity. If this feature has not been activated and configured, no data will be displayed.

• ANTI-VIRUS provides a summary on Anti-Virus activity. If this feature has not been activated and configured, no data will be displayed.

• WEB FILTERING displays information on Web Filtering activity. If this feature has not been activated and configured, no data will be displayed.

• IPS displays the rule set used by the IPS proxy.

• CURRENT ADMINISTRATORS displays a list of administrators currently logged in to GB-OS.


Figure A.7: System Overview


Reference B: System Parameters

This section describes the input type, range and general results of each field in the firewall configuration. It is most useful for network engineers who are already familiar with networking terminology but wish to know the exact specifications of a configuration option.

How to find your section:

For rapid lookups on a particular configuration section or field, this reference contains sections indexed by a number formatted as x.y.z where:

x: Menu button’s number
y: Menu tree item’s number within the button area
z: Menu tree sub-item’s number within the parent section

As shown in this example, a configuration section located in the second section, second tree item and fifth tree sub-item would be indexed as 2.2.5 Import/Export.

Tables within a reference section contain field details from the configuration section. Entries are in order from the top-most and left-most positions on the screen. Groups of fields that are labeled areas will be titled by their label. Fields listed under an ADVANCED tab will be labeled as such. Note that not all areas may be immediately visible, as they may be hidden under an ADVANCED tab.


2. Configure

The Configure section provides access to manual configuration options. This area may be especially useful to network engineers who are designing more complex configurations, as it allows for total customization.

2.1 Verify

The Verify sub-section allows the user to verify their configuration. Verification points out potential problems with the firewall’s configuration. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

CAUTION

Verification may not catch all errors in the configuration. GTA recommends that administrators always check their configuration to ensure that no potential security issues are present.

Note

GTA recommends that verification should always be performed before applying a Test Mode configuration to a Live Mode configuration. This prevents errors in the Test Mode’s configuration from being applied to network traffic.

2.2 Configuration

The Configuration section allows the user to toggle between Live and Test configuration modes, verify or apply configurations, change the active slice and import or export saved configurations.

2.2.1 Summary

The Summary sub-section provides an overview of the current firewall mode’s configuration settings. Links to containers pertaining to specific sections of the firewall’s configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.2.2 Apply

The Apply sub-section allows the user to apply their Test Mode configuration to the firewall to make it Live, as well as copy their Live Mode configuration to the Test Mode configuration.

Table 2.2.2: Configure > Configuration > Apply

Field Name [Field Type; Value Range]: Description

Apply Test Configuration [Radio Button; Enabled/Disabled]: A toggle to apply the test configuration to the firewall, making it Live.

Copy Live Configuration [Radio Button; Enabled/Disabled]: A toggle to copy the Live mode configuration to the Test mode configuration. This option is only available when GB-OS is in Test mode. Default is selected.

Reset Configuration [Radio Button; Enabled/Disabled]: A toggle to reset the Test mode configuration to factory defaults. This option is only available when GB-OS is in Test mode.


2.2.3 Backup

The Backup sub-section provides automatic backup settings and access to backups on the GTA Cloud Server.

Table 2.2.3: Configure > Configuration > Backup

Field Name [Field Type; Value Range]: Description

Automatic Backup

Format [Pulldown; XML, 7-Zip, Zip]: The format for the configuration.

Password [Text; Up to 255 characters]: Enter the password for the configuration file.

Maximum Backup Count [Pulldown; 50, 100]: The format for the configuration.

Email

Enable [Checkbox; Enabled/Disabled]: Enable the emailing of automatic backups created when changes/modifications during live mode are saved.

From [Text; Up to 255 characters]: Enter the email address from which the backup configurations will be sent.

To [Text; Up to 255 characters]: The email address to which backup configurations will be sent.

Cloud

Enable [Checkbox; Enabled/Disabled]: Enable cloud storage.

Service [Pulldown; Dropbox, Box.net]: Select the Cloud service to be used for automatic backups.

Account

Name [n/a; n/a]: Login user name for the Cloud service.

Email [n/a; n/a]: Login email for the Cloud service.

Storage

Total [n/a; n/a]: Displays the total size of the connected USB device.

Usage [n/a; n/a]: Displays the total usage of the connected USB device.

Available Backups

Upload/Restore [Button; Restore]: Backups available on the GTA Cloud Server. Click Restore to restore the selected backup.

Download [Button; Download]: Click Download to save the selected backup to the host machine, without restoring it to the firewall.

Delete [Button; Delete]: Click Delete to delete the selected backup.

USB

Enable [Checkbox; Enabled/Disabled]: Enable USB device backup storage.

Available Backups

Upload/Restore [Button; Restore]: Backups available on the attached USB device. Click Restore to restore the selected backup.

Download [Button; Download]: Click Download to save the selected backup to the host machine, without restoring it to the firewall.

Delete [Button; Delete]: Click Delete to delete the selected backup.


2.2.4 Change Mode

The Change Mode sub-section allows the user to toggle between Live Mode and Test Mode configuration modes. Live Mode is useful for immediately applying a configuration change to the firewall. Test Mode is useful for modifying and verifying a new configuration for correctness and adherence to your security policy before applying it.

Table 2.2.4: Configure > Configuration > Change Mode

Field Name [Field Type; Value Range]: Description

Live Mode [Radio Button; Enabled/Disabled]: A toggle to set the firewall’s configuration mode to Live Mode.

Test Mode [Radio Button; Enabled/Disabled]: A toggle to set the firewall’s configuration mode to Test Mode.

2.2.5 Import/Export

The Import/Export sub-section allows the user to back up their configuration, and to upload either a partially updated backup configuration or a complete backup configuration.

Import/Export settings are only available when the firewall is operating in Live Mode.

Table 2.2.5: Configure > Configuration > Import/Export

Field Name [Field Type; Value Range]: Description

Configuration

Mode: Live [Radio Button; Enabled/Disabled]: A toggle to set the firewall to Live configuration mode. Default is selected.

Mode: Test [Radio Button; Enabled/Disabled]: A toggle to set the firewall to Test configuration mode. Default is unselected.

File [Text; n/a]: File name of the configuration file.

Browse [Button; n/a]: Opens a window to select the configuration file.

Import [Button; n/a]: Imports the selected configuration file.

Partial Update [Checkbox; Enabled/Disabled]: Partially updates the firewall’s configuration if the configuration file contains partial, selective configuration changes. Default is unselected.

Preserve Section

Activation Codes [Toggle; Enabled/Disabled]: Preserves correct serial numbers and activation codes when importing configurations.

Export [Button; n/a]: Downloads the selected configuration.

Format [Drop Down; XML, 7-Zip, Zip]: File format.

2.2.6 Runtime

The Runtime section contains options to change the firewall’s active slice as well as the ability to update the firewall’s runtime and schedule automatic updates.

2.2.6.1 Options

The Options sub-section allows the user to select the memory section of the firewall’s flash memory to be used when configuring the firewall. The firewall’s flash memory is in two sections (“slices”); one contains the current software version plus any saved configuration, the other contains the previous software version and configuration.

CAUTION

Changing the active slice will cause the firewall to reboot.


Table 2.2.6.1: Configure > Configuration > Runtime > Options

Field Name [Field Type; Value Range]: Description

Runtime Slice

Current Slice [Radio Button; Enabled/Disabled]: The current runtime slice used by the firewall. Default is selected.

Alternate Slice [Radio Button; Enabled/Disabled]: A toggle to change to the alternate runtime slice.

Console Mode

Video [Radio Button; Enabled/Disabled]: A toggle to define Video for the Console Mode.

Serial [Radio Button; Enabled/Disabled]: A toggle to define Serial for the Console Mode.

Advanced

Update MBR [Checkbox; Enabled/Disabled]: A toggle to enable an update of the MBR. Default is selected.

2.2.6.2 Update

The Update sub-section allows the user to schedule checks for available updates to GB-OS and to update the firewall’s runtime by either applying an automatically downloaded runtime or by importing a new runtime manually.

CAUTION

Updating the firewall’s runtime will cause the firewall to reboot.

Note

Settings for updating the firewall’s runtime are only available in Live Mode.

Table 2.2.6.2: Configure > Configuration > Runtime > Update

Field Name [Field Type; Value Range]: Description

Current Version [n/a; n/a]: The current version of GB-OS installed.

Last Update Check [n/a; n/a]: The last time a check for an available update was performed.

Available Updates

Check Now [Button; n/a]: Checks for available updates.

Download [Button; n/a]: Downloads available updates.

Install [Button; n/a]: Installs available updates. Option only available after available updates have been downloaded.

Schedule Update Check

Enable [Checkbox; Enabled/Disabled]: A toggle to enable scheduled checks for updates. Default is unselected.

Frequency [Pulldown; <Daily>, <Weekly>]: A selection for the frequency of checks for available updates.

Day [Pulldown; <Sunday> - <Saturday>]: A selection for the day the check for available updates should be performed. This field is only available when the Frequency pulldown is set to <Weekly>.

Time [Pulldowns; <00> - <24>, <00> - <50>]: A selection for the time the check for available updates should be performed.

Advanced

File [Text; n/a]: File location of the runtime file.

Import [Button; n/a]: Uploads the selected runtime file.


2.3 System

The System section contains the Objects sub-sections, which allow the user to configure address objects, encryption objects, service group objects, time group objects and IPSec objects.

2.3.1 Summary

The Summary sub-section provides an overview of the current firewall mode’s configuration settings found in the System section. Links to containers pertaining to specific sections of the firewall’s configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.3.2 Information

The Information sub-section displays an overview of the current firewall mode’s functionality. Editable fields can be edited by selecting the EDIT icon. The display is static; if you wish to update the list, click the REFRESH icon.

2.3.3 Activation Codes

The Activation Codes sub-section allows the entry of the firewall’s serial number and activation codes that unlock additional firewall features. Activation codes can be found on the card that shipped with your firewall or in the GTA Online Support Center. Selecting the NEW icon allows for entry of new activation codes.

Table 2.3.3: Configure > System > Activation Codes

Field Name [Field Type; Value Range]: Description

Serial Number [Text; Up to 8 characters]: The firewall’s serial number.

Activation Code [Text; Up to 35 characters]: The product activation code.

2.3.4 Contact Information

The Contact Information sub-section allows for the entry of the firewall administrator’s contact information.

Table 2.3.4: Configure > System > Contact Information

Field Name [Field Type; Value Range]: Description

Administrator

Name [Text; Up to 119 characters]: The firewall administrator’s name.

Company [Text; Up to 119 characters]: The firewall administrator’s company.

Email Address [Text; Up to 119 characters]: The firewall administrator’s email address.

Phone Number [Text; Up to 119 characters]: The firewall administrator’s phone number.

Country [Pulldown; n/a]: The firewall administrator’s country.

State/Region [Text; Up to 119 characters]: The firewall administrator’s state or region.

City/Locality [Text; Up to 119 characters]: The firewall administrator’s city.

Advanced

Support

Email Address [Text; Up to 119 characters]: The email address for the firewall’s support contact. Default is gbconfi[email protected].


2.3.5 Date/Time

The Date/Time sub-section allows the configuration of the firewall’s local time and network time service. The network time service allows the administrator to synchronize the firewall and the computers behind it with an NTP server located on the Internet.

Table 2.3.5.a: Configure > System > Date/Time

Field Name [Field Type; Value Range]: Description

Date/Time

Date (yyyy-mm-dd) [Pulldown; Up to 10 characters]: The local date, to be entered in YYYY-MM-DD format. For example, December 31st, 2008 would be entered as 2008-12-31.

Time (hh-mm-ss) [Pulldown; Up to 8 characters]: The local time, to be entered in HH-MM-SS format. The field uses the 24 hour time format.

Time Zone [Pulldown; n/a]: Select to edit the firewall’s local time zone. Default is UTC (Coordinated Universal Time).

Network Time

Enable [Checkbox; Enabled/Disabled]: A toggle to enable the network time service. Default is selected.

Advanced

Automatic Policies [Checkbox; Enabled/Disabled]: A toggle to enable the firewall to generate an automatic set of policies to allow the network time service to function properly. Default is selected.

Selecting the NEW icon allows for entry of a new network time server.

Table 2.3.5.b: Configure > System > Date/Time > Edit Network Time Server

Field Name [Field Type; Value Range]: Description

Disable [Checkbox; Enabled/Disabled]: A toggle for whether the network time server should be enabled or not. Default is unselected.

Description [Text; Up to 79 characters]: A description of the network time server.

Server [Text; Up to 79 characters]: The network time server’s IP address or DNS resolvable host name.

Advanced

Peer [Checkbox; Enabled/Disabled]: A toggle for whether or not Peer should be used. Disabled by default.

Key [Text; Up to 5 characters]: The key of the network time server, if any.

2.3.6 Notifications

The Notifications section allows the firewall administrator to manage settings for all notifications.

Table 2.3.6: Configure > System > Notifications

Field Name [Field Type; Value Range]: Description

Email

Enable [Checkbox; Enabled/Disabled]: A toggle for whether the email server should be enabled or not.

From [Text; Up to 55 characters]: Email address that will appear in the “From” field.

To [Text; Up to 55 characters]: Email address where notifications will be sent.


Table 2.3.6: Configure > System > Notifications (continued)

SMS

Enable Checkbox Enable/Disable A toggle for whether SMS should be enabled or not.

From Text Up to 55 characters SMS messaging email address from which notifications will be sent.

To Text Up to 55 characters SMS messaging email address where notifications will be sent.

SNMP Trap

Enable Checkbox Enabled/Disabled A toggle for whether SNMP Traps should be enabled or not. Default is unselected.

Manager Text Up to 55 characters Host IP address to receive SNMP trap messages.

Type Pulldown SNMPv1 Trap, SNMPv2c Trap, SNMPv2c Inform Selects the SNMP Trap version.

Advanced

Binding Interface Pulldown <AUTOMATIC>, all defined interfaces, all defined aliases, all defined VLANs Address from which SNMP traps are sourced. Default is <AUTOMATIC>.

Notifications

Alarms Checkboxes Enable/Disable: Email, SMS, SNMP Trap Enable to send an alarm notification when the Alarm threshold is met.

Gateway Failover Checkboxes Enable/Disable: Email, SMS Enable to send a notification when a Gateway failover event occurs.

High Availability Checkboxes Enable/Disable: Email, SMS Enable to send a notification when an HA state change occurs.

IPSec Tunnels Checkboxes Enable/Disable: Email, SMS, SNMP Trap Enable to send a notification on IPSec Tunnel changes and events.

License Checkboxes Enable/Disable: Email, SMS Enable to send a notification when License changes occur.

Lockout Checkboxes Enable/Disable: Email, SMS Enable to send a notification when Login failure occurs for the specified number of times.

Runtime Updates Checkboxes Enable/Disable: Email, SMS Enable to send a notification when an update to the runtime is ready.

Security Policies Checkboxes Enable/Disable: Email, SMS, SNMP Trap Enable to send a notification when a security policy is matched and email/SMS/SNMP is configured on the alarm.

Advanced

Alarms

Threshold for Generating Email Text Up to 5 characters Number of alarms above which a notification is sent. Default is 50.

Threshold Interval Text Up to 5 characters Length of time after which to send alarms. Default is 120.

Maximum Alarms Per Email Text Up to 5 characters Maximum number of alarms per email sent. Default is 500.

Attempt to Log Host Names Checkbox Enabled/Disabled A toggle for whether an attempt should be made to resolve the host name of the IP address that generated the alarm or not. Default is unselected.
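The four Advanced > Alarms fields above act together: alarms accumulate for the Threshold Interval, an email digest goes out only when the count exceeds the threshold, and a large burst is split so that no single email carries more than the maximum. The following is an added illustration of that interaction, not GB-OS code. The interval unit (seconds), what happens to a window that stays below the threshold, and the digest format are assumptions made here; the resolver hook stands in for reverse DNS so the example runs offline, and the sample alarms are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Alarm:
    """One alarm record. host_name is filled in only when resolution is enabled."""
    timestamp: float
    source_ip: str
    message: str
    host_name: Optional[str] = None


def _no_resolver(ip: str) -> Optional[str]:
    """Default stand-in for 'Attempt to Log Host Names' being unselected."""
    return None


@dataclass
class AlarmNotifier:
    """Batches alarms into email digests the way the Advanced > Alarms fields describe."""
    threshold: int = 50            # Threshold for Generating Email (default 50)
    interval: float = 120.0        # Threshold Interval (default 120; seconds assumed)
    max_per_email: int = 500       # Maximum Alarms Per Email (default 500)
    log_host_names: bool = False   # Attempt to Log Host Names (default unselected)
    # Hypothetical hook standing in for reverse DNS so the example runs offline.
    resolver: Callable[[str], Optional[str]] = _no_resolver
    _pending: List[Alarm] = field(default_factory=list)
    _window_start: Optional[float] = None

    def record(self, alarm: Alarm) -> None:
        """Log an alarm and open the threshold window if none is open."""
        if self.log_host_names and alarm.host_name is None:
            alarm.host_name = self.resolver(alarm.source_ip)
        if self._window_start is None:
            self._window_start = alarm.timestamp
        self._pending.append(alarm)

    def flush(self, now: float) -> List[List[Alarm]]:
        """Return the email batches due at time `now` (empty if nothing is due)."""
        if self._window_start is None or now - self._window_start < self.interval:
            return []
        pending, self._pending, self._window_start = self._pending, [], None
        if len(pending) <= self.threshold:
            # Below the threshold: the alarms stay in the firewall log but no
            # digest email is generated for this window (design choice here).
            return []
        # Split a burst so that no email exceeds the configured maximum.
        return [pending[i:i + self.max_per_email]
                for i in range(0, len(pending), self.max_per_email)]


def format_digest(batch: List[Alarm]) -> str:
    """Render one email body; constructed format, not the firewall's."""
    lines = [f"{len(batch)} alarm(s) in this digest"]
    for a in batch:
        who = f"{a.source_ip} ({a.host_name})" if a.host_name else a.source_ip
        lines.append(f"{a.timestamp:.0f} {who}: {a.message}")
    return "\n".join(lines)


def demo() -> List[str]:
    """Constructed sample run: 5 alarms against a threshold of 3, 2 per email."""
    table: Dict[str, str] = {"192.0.2.10": "scanner.example.net"}   # constructed
    n = AlarmNotifier(threshold=3, interval=60, max_per_email=2,
                      log_host_names=True, resolver=table.get)
    for t in range(5):
        n.record(Alarm(float(t), "192.0.2.10", "blocked port scan"))
    assert n.flush(30) == []             # interval not yet elapsed
    return [format_digest(b) for b in n.flush(61)]


if __name__ == "__main__":
    for body in demo():
        print(body, end="\n\n")
```

The digest is deliberately not sent as soon as the threshold is crossed: waiting for the interval caps how many emails a flood of identical alarms can generate, while the per-email maximum keeps each message readable.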


2.4 Accounts

The Accounts section allows the administrator to edit, delete and create new administrator or user accounts, assign them to groups, configure authentication and customize preferences.

2.4.1 Summary

The Summary sub-section provides an overview of the current firewall mode’s configuration settings found in the System section. Links to containers pertaining to specific sections of the firewall’s configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.4.2 Authentication

The Authentication sub-section allows the administrator to require users to authenticate using GBAuth before initiating a connection to or through the firewall.

Table 2.4.2: Configure > Accounts > Authentication

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether authentication should be used or not. Must be enabled if LDAPv3 or RADIUS authentication is to be used. Default is unselected.

Advanced

Automatic Policies Checkbox Enabled/Disabled A toggle to enable the firewall to generate an automatic set of policies to allow configured authentication settings to function properly. Default is selected.

Service Port Text Up to 5 characters The service port used. The default port for GTA Authentication is 76.

Valid Text Up to 5 characters The valid duration for an authenticated user (in minutes). If using one-time passwords, this should be a high value.

Send Keep Alives Checkbox Enabled/Disabled A toggle for selecting whether or not keep alives are sent.

FIPS Checkbox Enabled/Disabled Applies FIPS compliant algorithms for authentication.

LDAPv3

Enable Checkbox Enabled/Disabled A toggle for whether the LDAPv3 authentication should be used or not. Default is unselected.

Server Text Up to 79 characters Server IP address or host name and port number of the LDAP server. The service port number defaults to 389. To enter a specific port number, use the format ldap.example.com:398.

Use SSL Checkbox Enabled/Disabled A toggle for whether SSL should be used or not. Default is unselected.

Base DN Text Up to 127 characters Root distinguished name on the LDAP server.

Group Field Text Up to 127 characters The group name field where group names are stored on the LDAP server.

Advanced

Automatically Add Groups Checkbox Enabled/Disabled A toggle for whether groups will be added automatically. Default is unselected.

Use Full Group Name Checkbox Enabled/Disabled A toggle for whether the entire group name should be returned or not. Default is unselected.

Binding Interface Pulldown <AUTOMATIC>, all defined interfaces and aliases A selection for the binding interface to be used.


Table 2.4.2: Configure > Accounts > Authentication (continued)

Timeout Text Up to 5 characters The amount of time, in seconds, that the GTA firewall will wait on results from an LDAP search. Default is 120.

Bind Options

Bind Method Pulldown User, Username Search, Anonymous Select the method that the user will use to bind (authenticate) with the LDAP server. To bind with the user, select <User>; to bind anonymously, select <Anonymous>; to bind using the root distinguished name and password, select <Username Search>. Default is <User>.

User Bind String Text Up to 127 characters Enter the user name to bind with the user. This field is only available if <User> is selected for the BIND METHOD.

Append Base DN Checkbox Enabled/Disabled Select to have the value entered in the BASE DN string appended to the USER BIND STRING value. This field is only available if <User> is selected for the BIND METHOD. Default is selected.

Bind DN Text Up to 127 characters Enter the distinguished name used for searching the LDAP server. This field is only available if <Username Search> is selected for the BIND METHOD.

Password Text Up to 127 characters Enter the password of the bind DN. This field is only available if <Username Search> is selected for the BIND METHOD.

RADIUS

Enable Checkbox Enabled/Disabled A toggle for whether the RADIUS authentication should be used or not. Default is unselected.

Server Text Up to 79 characters Server IP address or host name and port number of the RADIUS server. The service port number defaults to 1812. To enter a specific port number, use the format radius.example.com:1812.

Pre-shared Secret Text Up to 127 characters Pre-shared secret as defined in the RADIUS service. Alphanumeric value.

Advanced

Binding Interface Pulldown <AUTOMATIC>, all defined interfaces and aliases A selection for the binding interface to be used.

NAS Identity Text Up to 127 characters Match the RADIUS server’s expected identity for authentication requests. If this field is empty, then it is the firewall’s IP by default.

NAS Channel Text Up to 5 characters Matches the RADIUS server’s channel number. Only necessary if the RADIUS server distinguishes between its NAS ports (channels).

NAS Channel Type Pulldown Async, Sync, ISDN Sync, ISDN Async v.120, ISDN Async v.110, Virtual Matches the RADIUS server’s connection type, namely a modem (async etc.) or TCP/IP (virtual) connection.

Active Directory Single Sign-On

Enable Checkbox Enabled/Disabled Enables Single Sign-On authentication. AUTHENTICATION must be enabled to allow for Single Sign-On authentication.

Server Text Up to 79 characters The server IP address or host name and port number of the Single Sign-On server used. The port number defaults to 8443. To enter a specific port number, use the format 192.268.71.1:8443.

Certificate Pulldown All defined certificates. A selection of the certificate the Active Directory Single Sign-On server will use.


Table 2.4.2: Configure > Accounts > Authentication (continued)

Binding Interface Pulldown <AUTOMATIC>, all defined interfaces and aliases A selection for the binding interface to be used.
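The LDAPv3 Bind Options in Table 2.4.2 describe three different authentication flows: with <User> the firewall builds the user's DN from the User Bind String (plus the Base DN when Append Base DN is selected) and binds as the user directly; with <Username Search> it first binds with the configured Bind DN and Password, searches for the user's entry under the Base DN, and then binds as the DN it found; with <Anonymous> it does the same search after an anonymous bind. The Group Field then supplies the group memberships, trimmed to the leading name unless Use Full Group Name is selected. The following added example (not GB-OS code) walks through all three flows against an in-memory stand-in for the directory. Everything about the directory is constructed, and the {user} placeholder in the User Bind String, the uid attribute used by the search, and the service-account entry are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed directory standing in for the LDAP server (clear-text passwords
# exist only in this toy; a real directory stores hashes).
DIRECTORY: Dict[str, Entry] = {
    "cn=svc-firewall,ou=services,dc=example,dc=com": {
        "userPassword": ["svc-secret"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "userPassword": ["alice-pw"],
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com",
                     "cn=admins,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "userPassword": ["bob-pw"],
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"]},
}


class ToyLdap:
    """Minimal stand-in for an LDAP connection: simple bind plus a one-attribute search."""

    def __init__(self, directory: Dict[str, Entry]) -> None:
        self.directory = directory
        self.bound_as: Optional[str] = None     # None = not bound, "" = anonymous

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        if dn is None:                          # anonymous bind
            self.bound_as = ""
            return True
        entry = self.directory.get(dn)
        ok = entry is not None and password in entry.get("userPassword", [])
        self.bound_as = dn if ok else None
        return ok

    def search(self, base_dn: str, attr: str, value: str) -> List[str]:
        if self.bound_as is None:
            raise PermissionError("search attempted before a successful bind")
        return [dn for dn, e in self.directory.items()
                if dn.endswith(base_dn) and value in e.get(attr, [])]


@dataclass
class LdapSettings:
    """The Table 2.4.2 LDAPv3 fields that matter for the bind flow."""
    base_dn: str
    group_field: str = "memberOf"
    bind_method: str = "User"                        # User, Username Search or Anonymous
    user_bind_string: str = "uid={user},ou=people"   # {user} placeholder is an assumption
    append_base_dn: bool = True
    bind_dn: Optional[str] = None                    # Username Search only
    password: Optional[str] = None                   # password of bind_dn
    use_full_group_name: bool = False


def authenticate(conn: ToyLdap, s: LdapSettings, user: str, pw: str) -> Optional[List[str]]:
    """Bind as `user` per the configured method; return the user's groups or None."""
    # Added hardening: refuse names that could alter the DN template or the search,
    # and refuse an empty password (LDAP treats DN + empty password as an
    # unauthenticated bind that succeeds).
    if not re.fullmatch(r"[A-Za-z0-9._-]+", user) or not pw:
        return None
    if s.bind_method == "User":
        dn = s.user_bind_string.format(user=user)
        if s.append_base_dn:
            dn = f"{dn},{s.base_dn}"
    else:
        # Username Search binds first with the Bind DN; Anonymous binds with no DN.
        if s.bind_method == "Username Search":
            if not conn.bind(s.bind_dn, s.password):
                return None                      # service credentials rejected
        elif s.bind_method == "Anonymous":
            conn.bind(None, None)
        else:
            raise ValueError(f"unknown bind method {s.bind_method!r}")
        hits = conn.search(s.base_dn, "uid", user)
        if len(hits) != 1:                       # unknown or ambiguous user: refuse
            return None
        dn = hits[0]
    if not conn.bind(dn, pw):                    # the user's own credentials
        return None
    groups = conn.directory[dn].get(s.group_field, [])
    if s.use_full_group_name:
        return list(groups)
    # Use Full Group Name unselected: keep only the leading RDN value (the cn).
    return [g.split(",")[0].split("=", 1)[1] for g in groups]


if __name__ == "__main__":
    settings = LdapSettings(base_dn="dc=example,dc=com", bind_method="Anonymous")
    print(authenticate(ToyLdap(DIRECTORY), settings, "alice", "alice-pw"))
```

The <User> method needs no service credentials on the firewall but only works when every user's DN follows the same pattern; <Username Search> handles directories where users live in several containers, at the cost of storing a Bind DN password on the firewall, which is why that account should be read-only in the directory.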

2.4.3 Groups

The Groups section allows the administrator to define a pool to group users. Additional groups can be combined in the GROUPS section to create a broader definition.

Table 2.4.3: Configure > Accounts > Groups

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the group should be disabled or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the group.

Description Text Up to 79 characters A description used to further identify the group.

Administrator

Enable Checkbox Enabled/Disabled A selection for creating a group with Administrator privileges.

Read Only Checkbox Enabled/Disabled A selection for creating a read-only Administrator group.

Remote Access

L2TP Checkbox Enabled/Disabled A selection for enabling L2TP remote access for the group.

PPTP Checkbox Enabled/Disabled A selection for enabling PPTP remote access for the group.

Mobile IPSec

Enable Checkbox Enabled/Disabled Enables the group to access the firewall using the GTA Mobile VPN Client.

Advanced

Authentication Required Checkbox Enabled/Disabled A toggle for whether users associated with the group should require authentication or not. Default is unselected.

Override Local Network Pulldown ???, <USER DEFINED>, all defined address objects of type All or VPN, *EDIT * A selection for the local network that the user group will connect to. Select <USER DEFINED> to manually enter the network’s IP address. Select <* EDIT *> to define a new local network. This will override configuration settings defined under Configure > VPN > Remote Access > IPSec.

SSL

Browser

Enable Checkbox Enabled/Disabled Enables SSL browser access for the user group.

Bookmarks Only Checkbox Enabled/Disabled Displays only Bookmarks for SSL Browser access.

Read Only Checkbox Enabled/Disabled Read only access. Users can only download files via the browser.

Bookmarks Pulldown All configured bookmark objects Displays the defined bookmarks for the group.

Client

Enable Checkbox Enabled/Disabled Allows SSL Client access.


Table 2.4.3: Configure > Accounts > Groups (continued)

Groups

Sub Group Pulldown <???>, all defined groups A selection of groups to be pooled under the group being configured. <???> means no group has been selected.

Description Text Up to 79 characters A description of the selected group.

2.4.4 Remote Administration

The Remote Administration section allows the administrator to set account preferences such as remote administration and lockout.

Table 2.4.4: Configure > Accounts > Preferences

Field Name Field Type Value Range Description

Lockout

Enable Checkbox Enabled/Disabled A toggle for whether lockout should be enabled or not. Default is selected.

Allowed Pulldown ???, <USER DEFINED>, all available address objects, *EDIT * A selection for specifying a network (address object) as exempt from lockout.

Advanced

Threshold Text Up to 3 characters Number of tries a user can make from an IP address before that IP address is locked out. Default is 5.

Duration Text Up to 5 characters The amount of time, in minutes and seconds, that an IP address is locked out. Default is 300.

Remote Administration

Enable Checkbox Enabled/Disabled A toggle for whether remote administration should be enabled or not. Default is selected.

Port Text Applicable port number The TCP port allowing Web administration. SSL encryption default is 443.

Authentication

LDAP Checkbox Enabled/Disabled Enables LDAP users to administer the firewall.

RADIUS Checkbox Enabled/Disabled Enables RADIUS users to administer the firewall.

Advanced

Encryption Pulldown <SSL>, <None> The level of SSL encryption. Default is <SSL>.

FIPS Mode Checkbox Enable/Disable Enables FIPS mode for Remote Administration and the SSL Browser. If FIPS is enabled, the firewall MUST use SSL encryption. Default is disabled.

Policy Compatibility Checkbox Enable/Disable Preserve previous remote administration settings for firewalls that do not properly upgrade to GB-OS 6.0.3 and above. Disabling this option allows the web administration to send CAs imported on the firewall to a connecting client to assist in validating the authenticity of the remote administration certificate.

Timeout Sessions Checkbox Enable/Disable A toggle for whether sessions should be timed out after a period of inactivity or not. Default is unselected. Valid range is 5 to 1440 minutes.

Virtual Keyboard Pulldown Disable/Enable/Require A selection for whether the virtual keyboard is used.

Automatic Policies

Enable Radio Button Enable/Disable A toggle for whether automatic policies should be disabled for remote administration or not. Default is unselected.


Table 2.4.4: Configure > Accounts > Preferences (continued)

Zone Pulldown <Enable>, <Disable>, <Force Use> Specifies the Zone which will be allowed to connect. Options are External, Protected, and PSN.

Source Address Pulldown ???, <USER DEFINED>, all available networks, *EDIT * Specifies the source address allowed to connect.

Customization

Login

Title Text Up to 62 characters Customized title to be displayed upon login.

Logo Browser field 32 x 32 pixels; 100KB max Logo to be displayed upon login. JPEG, GIF or PNG.
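The Lockout fields of Table 2.4.4 describe a per-source-IP counter: once an address has made the Threshold number of failed tries it is refused for the Duration, and addresses inside the Allowed address object are exempt. The Lockout entry in Table 2.3.6 is the notification that fires when that threshold is reached. The following is an added example of that logic run over constructed log lines; it is not GB-OS code. It assumes the Duration is in seconds, that a successful login resets the counter, and that a locked address is refused even when it later presents the right password; the log line format is invented for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LockoutPolicy:
    """The Lockout fields of Table 2.4.4."""
    enabled: bool = True              # Enable (default selected)
    threshold: int = 5                # Threshold (default 5)
    duration: float = 300.0           # Duration (default 300; seconds assumed here)
    allowed: List[str] = field(default_factory=list)  # Allowed: exempt networks (CIDR)


class LoginGuard:
    """Tracks failed logins per source IP and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._exempt = [ipaddress.ip_network(a, strict=False) for a in policy.allowed]
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_exempt(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._exempt)

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # lock expired: start counting afresh
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt.

        Returns "allowed", "denied", "locked" (rejected without even checking the
        password, which is what stops online guessing) or "lockout-started" (the
        failure that crossed the threshold; this is where the Lockout notification
        of Table 2.3.6 would be sent).
        """
        if not self.policy.enabled or self.is_exempt(ip):
            return "allowed" if password_ok else "denied"
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(ip, None)      # success resets the counter
            return "allowed"
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= self.policy.threshold:
            self._locked_until[ip] = now + self.policy.duration
            return "lockout-started"
        return "denied"


def replay(guard: LoginGuard, log_lines: List[str]) -> List[Tuple[str, str]]:
    """Feed constructed log lines of the form '<epoch> <ip> <ok|fail>' through the guard."""
    results = []
    for line in log_lines:
        ts, ip, outcome = line.split()
        results.append((ip, guard.attempt(ip, outcome == "ok", float(ts))))
    return results


# Constructed sample: a guessing run from 203.0.113.5, an administrator on the
# exempt management network, and the guesser returning after the lock expires.
SAMPLE_LOG = [
    "1000 203.0.113.5 fail",
    "1001 203.0.113.5 fail",
    "1002 203.0.113.5 fail",
    "1003 203.0.113.5 fail",
    "1004 203.0.113.5 fail",
    "1005 203.0.113.5 ok",      # right password, but the address is locked
    "1006 10.0.0.20 fail",      # exempt network: never locked out
    "1007 10.0.0.20 ok",
    "1310 203.0.113.5 fail",    # 300 s later: lock expired, counting restarts
]

if __name__ == "__main__":
    for ip, verdict in replay(LoginGuard(LockoutPolicy(allowed=["10.0.0.0/24"])), SAMPLE_LOG):
        print(f"{ip:15} {verdict}")
```

Keying the counter on the source address rather than the account is what the table describes, and it has a consequence worth knowing: a guesser who rotates addresses is not slowed down, and a legitimate administrator behind the same NAT as a guesser is locked out with them. The Allowed network exists for the second case; the first is what the Remote Administration Zone and Source Address restrictions address.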

2.4.5 Users

The Users section allows the administrator to edit, delete and create new user accounts. User accounts are used for controlling connections passing through the firewall or services running on the firewall.

Table 2.4.5: Configure > Accounts > Users

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the user account should be disabled or not. Default is unselected.

Identity Text Up to 127 characters The user’s identity to be used when authenticating with the firewall. Typically, this is an email address such as [email protected].

Full Name Text Up to 59 characters A unique identifier for the account. The user’s name cannot begin with a number.

Description Text Up to 79 characters A description used to further identify the account.

Primary Group Pulldown ???, all defined user groups, * EDIT * A selection for the user group to pool the configured user. Selecting <* EDIT *> allows for the creation of a new user group. Administrator accounts are configured by choosing a configured Admin user group.

Certificate Pulldown ???, <Generate>, all defined certificates, *EDIT* If the Authentication method is set to Certificates, select the certificate from the pulldown.

Authentication

Modify Password Checkbox Enabled/Disabled Select to edit or set a password.

Password Text Up to 127 characters A text string used to protect access to the account.

Remote Access

L2TP / PPTP

Disable Checkbox Enabled/Disabled A toggle for whether the L2TP/PPTP should be disabled or not. Default is unselected.

Mobile IPSec

Disable Checkbox Enabled/Disabled A toggle for whether the account can connect over a mobile VPN. Default is selected.

Authentication Radio Button Certificates/Pre-shared secret A selection for the authentication method the user will use when connecting over a mobile VPN. Default is Pre-shared secret.

Pre-shared secret Pulldown/Text ASCII, HEX/Up to 59 characters If the Authentication method is set to Pre-shared secrets, then enter the pre-shared secret as either ASCII or HEX. Valid HEX characters: 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F


Table 2.4.5: Configure > Accounts > Users (continued)

Remote Network Pulldown <???>, <USER DEFINED>, * EDIT *, all defined address objects of type All or VPN If the Authentication method is set to Pre-shared secrets, then enter the Remote Network to be used by the VPN connection.

2.5 Network

The Network section allows the administrator to adjust network settings, define aliases as well as configure NAT, pass through and routing.

2.5.1 Summary

The Summary sub-section provides an overview of the current firewall mode’s configuration settings found in the Network section. Links to containers pertaining to specific sections of the firewall’s configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.5.2 Interfaces

The Interfaces section contains configuration settings for network interfaces, PPP connections, VLANs and aliases.

2.5.2.1a Settings

The Settings sub-section allows the administrator to adjust network settings such as the host name and default gateway, as well as define logical interfaces.

Table 2.5.2.1a: Configure > Network > Interfaces > Settings

Field Name Field Type Value Range Description

Settings

Host Name Text Up to 51 characters The host name of the GTA firewall. GTA recommends using a fully qualified domain name as the host name for your GTA firewall.

Logical Interfaces

Name n/a n/a The name of the defined logical interface.

Type n/a n/a The type of the defined logical interface.

Zone n/a n/a The zone of the defined logical interface.

IP Address n/a n/a The IP address of the defined logical interface.

NIC n/a n/a The NIC used by the defined logical interface.

Options n/a n/a The actual connection option of the logical interface. Values differ based on the logical interface’s TYPE.

Description n/a n/a The description of the defined logical interface.

Advanced

Network Interface Cards

NIC n/a n/a Network interface (Ethernet) cards detected, including configured PPP (modem) connections.

Device n/a n/a The device name of the configured NIC.

MAC Address n/a n/a If the physical interface device is an Ethernet card, the card’s MAC address will be displayed. Otherwise, the field will be blank.

Connection Pulldown <AUTO>, <10baseT/UTP>, <100baseTX> <AUTO> is generally recommended. <AUTO>: Auto-select the active network connection. <10baseT/UTP>: Unshielded twisted pair interface at 10 Mbps. <100baseTX>: Unshielded twisted pair interface at 100 Mbps.


Table 2.5.2.1a: Configure > Network > Interfaces > Settings (continued)

Option Pulldown <Default>, <full_duplex> Duplex setting: <Default> (full or half duplex) or <full_duplex>.

MTU Text Up to 5 characters Maximum Transmission Unit. Default is 1500. Incorrect MTUs can cause poor performance, but it may be beneficial to increase the MTU for a gigabit Ethernet interface when jumbo packets are to be used.

2.5.2.1b Edit Logical Interface

Selecting the EDIT or NEW icon from the Network Settings screen allows for the configuration of an existing or new logical interface as well as bridged interfaces, High Availability interfaces and VLANs.

Table 2.5.2.1b: Configure > Network > Interfaces > Settings > Edit Logical Interfaces

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle to disable the selected/defined interface. Default is unselected.

Type Pulldown <Standard>, <Bridge>, <Link Aggregation (Failover)>, <Link Aggregation (LACP)>, <Link Aggregation (Load Balance)>, <Link Aggregation (Round Robin)>, <PPP(PPPoE)>, <PPP(PPTP)>, <PPP(serial)>

Defines the type of interface that will be configured. When configuring a bridged interface, Bridge must be selected. Selecting Bridge will also disable the DHCP, Gateway, and High Availability fields below.

IP Address

DHCP Checkbox Enabled/Disabled A toggle for whether DHCP should be used to obtain the logical interface’s IP address or not. This field is disabled if the primary interface uses PPP. Default is unselected.

SLAAC Checkbox Enabled/Disabled A toggle for enabling SLAAC (Stateless Address Autoconfiguration) for IPv6 interfaces.

Gateway Checkbox Enabled/Disabled A toggle enabling the interface as the default gateway.

IP Address Text IP address The IP Address of the logical interface. This field is disabled if DHCP is toggled or if the primary interface uses PPP. IPv4 and IPv6 fields will be available as configuration is allowed.

Options

High Availability Checkbox Enabled/Disabled Select the High Availability checkbox if High Availability will be configured. Enabling High Availability will disable the DHCP and Gateway fields.

Router Advertisement Checkbox Enabled/Disabled A toggle for enabling router advertisement configuration.

VLAN Checkbox Enabled/Disabled A toggle defining the interface as a VLAN.

VLAN ID Text The VLAN ID that matches the VLAN ID of packets to be received by the VLAN switch or router. Valid VLAN IDs range from 1 to 4095.

Interfaces

Name Text Up to 19 characters The interface object name for this bridged connection.


Table 2.5.2.1b: Configure > Network > Interfaces > Settings > Edit Logical Interfaces (continued)

Field Name Field Type Value Range Description

Zone Pulldown <External>, <Protected>, <PSN> A selection for the interface zone.

NIC Pulldown <???>, <eth0> - <ethX> A selection for the NIC to associate with the bridged network.

Description Text Up to 79 characters A description of the bridged interface.

High Availability (only available if High Availability is enabled above)

Description Text Up to 127 characters Enter a description to describe the nature of the High Availability interface.

Virtual IP Address Text IP address Enter the virtual IP address that will be used for a given network interface. This IP address is used by firewall users.

Beacon IP Address Text/Text/Text IP address/IP address/IP address Enter up to three beacon IP addresses. Normally, one beacon is the IP address of the interface on the other high availability system, but do not configure it as the only beacon. Doing so could lead to improper configuration.

Router Advertisement (only available if Router Advertisement is selected above; required for IPv6 DHCP servers)

DHCPv6 Override Pulldown Disable, Non-Address Information, All Select the setting for the DHCPv6 override.

Domain Text Up to 31 characters Enter the domain assigned to the hosts using the prefix advertisement.

Name Server IP Address Text Up to 31 characters Enter the DNS server IP. Up to two (2) DNS servers may be defined.

Preference Pulldown Low, Medium, High Select the preference as a gateway.

Advanced

Maximum Interval Text Up to 4 characters Enter the maximum time allowed between sending unsolicited multicast router advertisements from the interface, in seconds. Valid range is 4-1800 seconds.

MTU Text Up to 4 characters The maximum transmission unit to ensure that all nodes on a link use the same MTU. Must not be greater than the MTU specified on the interface.

Preferred Lifetime Text Up to 4 characters Enter the length of time that addresses generated from the prefix via Stateless Address Autoconfiguration (SLAAC) remain preferred.

Valid Lifetime Text Up to 4 characters Enter the length of time the prefix is valid.

Table 2.5.2.1c: Configure > Network > Interfaces > Settings > PPP Common Fields

Field Name Field Type Value Range Description

Name n/a n/a PPP0, 1, 2 or 3. The name is automatically assigned.

Description Text Up to 31 characters The IP Address of the logical interface.

Table 2.5.2.1d: Configure > Network > Interfaces > Settings > PPP (Serial)

Field Name Field Type Value Range Description

Transport Radio Button Serial PPP connection using a serial transport.


Table 2.5.2.1d: Configure > Network > Interfaces > Settings > PPP (Serial) (continued)

PPP Connection Type Pulldown <On-Demand>, <Dedicated> A selection for the connection type of the PPP connection.

Primary COM Port Pulldown <COM1>-<COM4>, <USB> A selection for the COM port or USB port used by the PPP connection.

Phone Number Text Up to 39 characters The phone number used to dial the remote site.

User Name Text Up to 51 characters The user name used for remote access.

Password Text Up to 51 characters The password used for remote access.

Local IP Address

Default Text IP address The default local IP address of the PPP link. Default is 0.0.0.0.

Remote IP Address

Default Text IP address The default remote IP address of the PPP link. Default is 0.0.0.0.

Advanced

Connection

Login User Name Text Up to 51 characters For cases in which CHAP or PAP is negotiated, and a separate name and password are required to login.

Login Password Text Up to 51 characters For cases in which CHAP or PAP is negotiated, and a separate name and password are required to login.

Speed Pulldown 1200, 2400, 4800, 9600, 19200, 38400, 57600, 76800, 115200, 230400

The speed at which the firewall communicates with the modem.

Time Before Retry Text Up to 4 characters The amount of time, in seconds, before the firewall attempts to retry establishing a connection. Default is 10.

Timeout Text Up to 4 characters The number of seconds during which a connection will stay connected during periods of inactivity. Default is 600.

Link Control Protocol

Local/Remote

Address Field Compression Checkbox Enabled/Disabled A toggle for whether address/field compression should be enabled or not. Default is selected.

Line Quality Report Checkbox Enabled/Disabled A toggle for whether the line quality report should be enabled or not. Default is unselected.

Protocol Field Compression Checkbox Enabled/Disabled A toggle for whether protocol field compression should be enabled or not. Default is selected.

Van Jacobson Compression Checkbox Enabled/Disabled A toggle for whether Van Jacobson compression should be enabled or not. Default is selected.

Debug

Chat Checkbox Enabled/Disabled A toggle for whether dialing and logging chat scripts should be recorded or not. Default is unselected.

LCP Checkbox Enabled/Disabled A toggle for whether LCP conversations should be recorded or not. Default is unselected.

Phase Checkbox Enabled/Disabled A toggle for whether network phase conversations should be recorded or not. Default is unselected.


Table 2.5.2.1d: Configure > Network > Interfaces > Settings > PPP (Serial) (continued)

ISDN

Don’t Bond Channels Checkbox Enabled/Disabled A toggle for whether or not channels should be bonded. Default is unselected.

Switch Type Pulldown <Default>, <NI-1>, <DMS-100>, <5ESS P2P>, <5ESS MP> A selection of the switch type used to configure ISDN connections.

Table 2.5.2.1e: Configure > Network > Interfaces > Settings > PPP (PPPoE)

Field Name Field Type Value Range Description

Transport Button PPPoE PPP connection using PPPoE transport.

PPP Connection Type Pulldown <On-Demand>, <Dedicated> A selection for the connection type of the PPP connection.

NIC Pulldown <eth0>-<ethX> A selection for the NIC on which PPPoE will run.

User Name Text Up to 51 characters The user name used for remote access.

Password Text Up to 51 characters The password used for remote access.

Local IP Address

Default Text IP address The default local IP address of the PPP link. Default is 0.0.0.0.

Remote IP Address

Default Text IP address The default remote IP address of the PPP link. Default is 0.0.0.0.

Advanced

Connection

PPPoE Provider Text Up to 51 characters Designation for the PPPoE provider.

MTU Text Up to 4 characters The Maximum Transmission Unit of the PPPoE connection.

Time Before Retry Text Up to 4 characters The amount of time, in seconds, before the firewall attempts to retry establishing a connection. Default is 10.

Timeout Text Up to 4 characters The number of seconds during which a connection will stay connected during periods of inactivity. Default is 600.

Link Control Protocol

Local/Remote

Address Field Compression Checkbox Enabled/Disabled A toggle for whether address/field compression should be enabled or not. Default is selected.

Line Quality Report Checkbox Enabled/Disabled A toggle for whether the line quality report should be enabled or not. Default is selected.

Protocol Field Compression Checkbox Enabled/Disabled A toggle for whether protocol field compression should be enabled or not. Default is selected.

Van Jacobson Compression Checkbox Enabled/Disabled A toggle for whether Van Jacobson compression should be enabled or not. Default is unselected.

Debug

Chat Checkbox Enabled/Disabled A toggle for whether dialing and logging chat scripts should be recorded or not. Default is unselected.

LCP Checkbox Enabled/Disabled A toggle for whether LCP conversations should be recorded or not. Default is unselected.

Phase Checkbox Enabled/Disabled A toggle for whether network phase conversations should be recorded or not. Default is unselected.


Table 2.5.2.1f: Configure > Network > Interfaces > Settings > PPP (PPTP)

Field Name Field Type Value Range Description

Transport Button PPTP PPP connection using PPTP transport.

PPP Connection Type Pulldown <On-Demand>, <Dedicated> A selection for the connection type of the PPP connection.

Interface Pulldown Configured logical interfaces A selection for the interface on which PPTP will run.

PPTP Server IP Address Text IP address The IP address of the internal PPTP server.

Phone Number Text Up to 39 characters The phone number used to dial the remote site.

User Name Text Up to 51 characters The user name used for remote access.

Password Text Up to 51 characters The password used for remote access.

Local IP Address

Default Text IP address The default local IP address of the PPP link. Default is 0.0.0.0.

Remote IP Address

Default Text IP address The default remote IP address of the PPP link. Default is 0.0.0.0.

Advanced

Connection

Time Before Retry Text Up to 4 characters The amount of time, in seconds, before the firewall attempts to retry establishing a connection. Default is 10.

Timeout Text Up to 4 characters The number of seconds during which a connection will stay connected during periods of inactivity. Default is 600.

Link Control Protocol

Local/Remote

Address Field Compression Checkbox Enabled/Disabled A toggle for whether address/field compression should be enabled or not. Default is selected.

Line Quality Report Checkbox Enabled/Disabled A toggle for whether the line quality report should be enabled or not. Default is unselected.

Protocol Field Compression Checkbox Enabled/Disabled A toggle for whether protocol field compression should be enabled or not. Default is selected.

Van Jacobson Compression Checkbox Enabled/Disabled A toggle for whether Van Jacobson compression should be enabled or not. Default is unselected.

Debug

Chat Checkbox Enabled/Disabled A toggle for whether dialing and logging chat scripts should be recorded or not. Default is unselected.

LCP Checkbox Enabled/Disabled A toggle for whether LCP conversations should be recorded or not. Default is unselected.

Phase Checkbox Enabled/Disabled A toggle for whether network phase conversations should be recorded or not. Default is unselected.

2.5.2.2 Aliases

Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface. Aliases can be used wherever interfaces can be selected, such as in security policies, inbound tunnels and IPSec tunnels. The Aliases sub-section displays the name and description of all defined aliases. The administrator is able to edit, delete and create new aliases from this sub-section.


Table 2.5.2.2: Configure > Network > Interfaces > Aliases

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the alias should be disabled or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the alias, used for reference elsewhere in the configuration.

Description Text Up to 79 characters A description used to further identify the alias.

Interface Pulldown ???, all defined logical interfaces A selection for the interface to assign to the alias.

IP Address Text Up to 31 characters The IP address of the alias. If no netmask is entered, it will default to /32. IPv4 and IPv6 IP address fields are available.

2.5.3 NAT

The NAT sub-section allows the administrator to configure the Inbound Tunnels and Static Mappings aspects of the NAT facility.

2.5.3.1 Inbound Tunnels

The Inbound Tunnels sub-section displays the name and description of all defined inbound tunnels. Inbound tunnels allow a host to initiate a connection with an otherwise inaccessible host. The administrator is able to edit, delete and create new inbound tunnels from this sub-section.

Table 2.5.3.1: Configure > Network > NAT > Inbound Tunnels

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the inbound tunnel should be disabled or not. Default is unselected.

Description Text Up to 79 characters An identifier used to describe the function of the inbound tunnel.

Service Pulldown <ANY_SERVICE>, <TCP>, <HTTP>, etc. A selection for the IP protocol to be used by the inbound tunnel.

From Pulldown All defined interfaces and aliases, <ANY_IP>, * EDIT * A selection for the source side of the tunnel. Select <* EDIT *> to define a new address object.

To Pulldown ???, all defined address objects of type All or Network, * EDIT * A selection for the destination side of the tunnel. If multiple IP addresses are referenced in the inbound tunnel, the inbound tunnel will use round-robin load balancing across them. Select <* EDIT *> to define a new address object.

Advanced

Automatic Policies Checkbox Enabled/Disabled A toggle for whether the inbound tunnel should use automatic policies or not.

Hide Source Checkbox Enabled/Disabled A toggle for whether the source side of the tunnel should be hidden from the destination side or not. Default is unselected.

Options

Authentication Required Checkbox/Pulldown Enabled/Disabled / ???, ALL_USERS, all configured user groups, * EDIT * A toggle for whether a user should be required to authenticate or not. If selected, select the user group that is to require authentication. Select <* EDIT *> to define a new user group. Default is unselected. If the AUTOMATIC ACCEPT ALL POLICY Checkbox is unselected, this field will be uneditable.


IPS Checkbox Enabled/Disabled A toggle for whether traffic on the inbound tunnel should be checked against configured IPS policies. Default is unselected.

Source Pulldown All defined interfaces, <ANY_IP>, * EDIT * A selection for the source interface/IP.

SYN Cookies Checkbox Enabled/Disabled A toggle for whether TCP SYN Cookies should be used or not. Default is selected. If the AUTOMATIC ACCEPT ALL POLICY Checkbox is unselected, this field will be uneditable.

Time Group Pulldown All defined time groups A selection for the time group, if any, during which the inbound tunnel options will be applied.

Traffic Shaping

Policy Pulldown <DEFAULT>, Defined Policy, * EDIT * The Traffic Shaping policy to be used, as defined in Configuration > Configurations > Network > Traffic Shaping. Selecting <* EDIT *> allows for the creation of a new traffic shaping policy. If the AUTOMATIC ACCEPT ALL POLICY Checkbox is unselected, this field will be uneditable.

Weight Pulldown 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 A selection for the weight of the allocation of the inbound tunnel’s bandwidth. A weight of 10 has the highest priority; a weight of 1 has the lowest. If the AUTOMATIC ACCEPT ALL POLICY Checkbox is unselected, this field will be uneditable.

2.5.3.2 Static Mappings

The Static Mappings sub-section displays the name and description of all defined static mappings. Static mappings allow an internal IP address or subnet to be statically mapped to an interface during NAT. The administrator is able to edit, delete and create new static mappings from this sub-section.

Table 2.5.3.2: Configure > Network > NAT > Static Mappings

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the static mapping should be disabled or not. Default is unselected.

Description Text Up to 79 characters An identifier used to describe the function of the static mapping.

From Pulldown ???, <USER DEFINED>, all defined address objects of type All or Network, * EDIT * A selection for the object to be statically mapped. Select <* EDIT *> to define a new address object. If <USER DEFINED> has been selected in the FROM field, the IP address will need to be entered manually. To map a single IP address, use a subnet mask of /32 (255.255.255.255).

Service Pulldown ???, <USER DEFINED>, all defined address objects of type All or Network, * EDIT * A selection to specify a service group to statically map to an alias.

NAT Pulldown ???, <USE_IP_ADDRESS>, all defined address objects of type All or Network, all defined aliases, all defined H2A interfaces, * EDIT * A selection for the object to which the source will be matched. Select <* EDIT *> to define a new address object.


Destination Pulldown ???, <USE_IP_ADDRESS>, all defined address objects of type All or Network, all defined aliases, all defined H2A interfaces, * EDIT * A selection for the object to which the destination will be matched. Select <* EDIT *> to define a new address object.

2.5.4 Pass Through

The Pass Through sub-section allows the administrator to configure the Bridged Protocols and Hosts/Networks aspects of the Pass Through facility.

2.5.4.1 Bridged Protocols

The Bridged Protocols sub-section displays the name, type and description of all defined bridged protocols. The administrator is able to edit, delete and create new bridged protocols from this sub-section.

Table 2.5.4.1: Configure > Network > Pass Through > Bridged Protocols

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether or not the bridged protocol should be used. Default is selected.

Description Text Up to 59 characters Description of the bridged protocol type.

Type Text Up to 6 characters Hexadecimal number of the Ethernet protocol. 0x0 is a placeholder for the full hexadecimal protocol type number. Use the 0x prefix when entering a number in hex format.

Allowed Checkbox Enabled/Disabled Allows the protocol’s traffic on the bridged interface. Default is unselected.

Log Checkbox Enabled/Disabled Logs events of the protocol type. Default is selected.

2.5.4.2 Hosts/Networks

The Hosts/Networks sub-section displays all defined hosts/networks. The administrator is able to edit, delete and create new hosts or networks from this sub-section.

Table 2.5.4.2: Configure > Network > Pass Through > Hosts/Networks

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the host or network should be disabled or not. Default is selected.

Description Text Up to 79 characters An identifier used to describe the function of the host or network.

From Pulldown <USER DEFINED>, <ANY_IP>, all defined address objects of type All or Network, * EDIT * A selection of objects for use as a host. Select <* EDIT *> to define a new address object.

Destination Interface Pulldown ???, <ANY>, all defined firewall interfaces and VLANs A selection for the destination interface on which NAT will not be applied to outbound IP packets.


Destination Pulldown <USER DEFINED>, <ANY_IP>, all defined address objects of type All or Network, * EDIT * A selection of objects for use as a destination. Select <* EDIT *> to define a new address object.

Inbound Checkbox Enabled/Disabled A toggle for whether unsolicited IP packets should be accepted for the selected address.

2.5.5 Preferences

The Preferences section defines timeout settings for network connections.

Table 2.5.6: Configure > Network > Timeouts

Field Name Field Type Value Range Description

Internet Protocol

Enable Pulldown IPv4, IPv4 and IPv6 A selection for the internet protocol in use. Options include IPv4 only or both IPv4 and IPv6.

Advanced

IPv6 Neighbor Discovery

Automatic Policies Checkbox Enabled/Disabled A toggle for enabling automatic policies for IPv6 neighbor discovery.

Timeouts

TCP Text Up to 4 characters The amount of time, in seconds, before a TCP packet will time out. Default is 600.

Wait for ACK Text Up to 4 characters The amount of time, in seconds, for the firewall to wait for an acknowledgement (ACK). Default is 30.

Send Keep Alives Checkbox Enabled/Disabled A toggle for whether the firewall should send TCP Keep Alives or not. Default is selected.

UDP Text Up to 4 characters The amount of time, in seconds, before a UDP packet will time out. Default is 600.

ICMP Text Up to 4 characters The amount of time, in seconds, before an ICMP packet will time out. Default is 15.

Default Text Up to 4 characters The amount of time, in seconds, before a packet of a supported protocol other than TCP, UDP or ICMP will time out. Default is 600.

Wait for Close Text Up to 4 characters If the firewall experiences spurious blocks of reply packets (typically port 80), increasing this value gives packets from slow or distant connections more time to return before the connection is closed. Default is 20.

Advanced

Connection Limiting

ICMP Packets Text Up to 5 characters The maximum number of ICMP packets allowed per second.

Maximum ICMP Packet Size Text Up to 5 characters The maximum size allowed for an ICMP packet.

New Connections Text Up to 5 characters The maximum number of new connections allowed per second.

New Connections Per Host Text Up to 5 characters The maximum number of new connections allowed per host per second.

SIP Support

Enable Checkbox Enabled/Disabled A toggle for enabling or disabling SIP support. Default is selected.
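The four Connection Limiting settings above are easiest to understand when applied to actual traffic. The following is an added example, not GB-OS code, that evaluates limits with the same meaning over a constructed set of connection and ICMP events; the event line format and the fixed one-second bucketing are assumptions made for the example, not the firewall's documented algorithm.

```python
"""Added example: simulate the Connection Limiting settings (ICMP Packets, Maximum ICMP
Packet Size, New Connections, New Connections Per Host) over constructed traffic events.
The event format and the fixed one-second bucketing are assumptions for this example,
not GB-OS's own implementation."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConnectionLimits:
    """Mirrors the four fields of the Connection Limiting group."""
    icmp_packets_per_sec: int        # ICMP Packets (per second)
    max_icmp_packet_size: int        # Maximum ICMP Packet Size (bytes)
    new_connections_per_sec: int     # New Connections (per second)
    new_connections_per_host: int    # New Connections Per Host (per second)


# Constructed sample events, one per line:
#   <ISO timestamp> NEW  <src> -> <dst:port>
#   <ISO timestamp> ICMP <src> -> <dst> size=<bytes>
SAMPLE_EVENTS = """\
2014-10-01T12:00:00.100 NEW 10.1.1.5 -> 203.0.113.10:443
2014-10-01T12:00:00.150 NEW 10.1.1.6 -> 203.0.113.10:443
2014-10-01T12:00:00.200 NEW 10.1.1.5 -> 203.0.113.11:80
2014-10-01T12:00:00.300 NEW 10.1.1.5 -> 203.0.113.12:80
2014-10-01T12:00:00.400 NEW 10.1.1.5 -> 203.0.113.13:80
2014-10-01T12:00:00.500 ICMP 10.1.1.7 -> 203.0.113.10 size=64
2014-10-01T12:00:00.600 ICMP 10.1.1.7 -> 203.0.113.10 size=2048
2014-10-01T12:00:01.100 NEW 10.1.1.5 -> 203.0.113.10:443
2014-10-01T12:00:01.200 ICMP 10.1.1.8 -> 203.0.113.10 size=64
2014-10-01T12:00:01.300 ICMP 10.1.1.8 -> 203.0.113.10 size=64
2014-10-01T12:00:01.400 ICMP 10.1.1.8 -> 203.0.113.10 size=64
"""

# Constructed limit values, chosen so that every rule fires at least once on the sample.
SAMPLE_LIMITS = ConnectionLimits(
    icmp_packets_per_sec=2,
    max_icmp_packet_size=1500,
    new_connections_per_sec=4,
    new_connections_per_host=3,
)


def parse_event(line):
    """Parse one constructed event line into (timestamp, kind, src, dst, size)."""
    parts = line.split()
    timestamp = datetime.fromisoformat(parts[0])
    kind, src, dst = parts[1], parts[2], parts[4]
    size = 0
    for token in parts[5:]:
        if token.startswith("size="):
            size = int(token[len("size="):])
    return timestamp, kind, src, dst, size


def evaluate(lines, limits):
    """Return a list of (second, rule, subject) tuples in the order the rules trip.
    Each rate rule reports once per one-second bucket, at the first event that
    exceeds the limit; the size rule reports every oversized ICMP packet."""
    new_per_sec = Counter()
    new_per_host_sec = Counter()
    icmp_per_sec = Counter()
    violations = []
    for line in lines:
        if not line.strip():
            continue
        timestamp, kind, src, dst, size = parse_event(line)
        # Bucket by whole second (assumption for the example).
        second = timestamp.replace(microsecond=0).isoformat()
        if kind == "NEW":
            new_per_sec[second] += 1
            new_per_host_sec[(second, src)] += 1
            if new_per_sec[second] == limits.new_connections_per_sec + 1:
                violations.append((second, "new-connections", "*"))
            if new_per_host_sec[(second, src)] == limits.new_connections_per_host + 1:
                violations.append((second, "new-connections-per-host", src))
        elif kind == "ICMP":
            if size > limits.max_icmp_packet_size:
                violations.append((second, "icmp-size", src))
            icmp_per_sec[second] += 1
            if icmp_per_sec[second] == limits.icmp_packets_per_sec + 1:
                violations.append((second, "icmp-rate", "*"))
    return violations


def run_sample():
    """Evaluate the constructed events against the constructed limits."""
    return evaluate(SAMPLE_EVENTS.splitlines(), SAMPLE_LIMITS)


if __name__ == "__main__":
    for second, rule, subject in run_sample():
        print(f"{second} {rule:<26} {subject}")
```

On the sample, host 10.1.1.5 trips both the per-second and per-host new-connection limits in the first second, the 2048-byte ICMP packet exceeds the size limit, and the third ICMP packet in the second second exceeds the ICMP rate.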


2.5.6 Routing

The Routing sub-section allows the administrator to configure the Gateway Policies, RIP and Static Routes aspects of the Routing facility.

2.5.6.1 BGP

The BGP (Border Gateway Protocol) sub-section displays the name, type and description of all BGP protocols. The administrator is able to edit, delete and create new BGPs from this sub-section.

Table 2.5.6.1a: Configure > Network > Routing > BGP

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled Enables the BGP interface and starts the service. Default is unselected.

Router AS Text Up to 5 characters The autonomous system (AS) number assigned to a router or set of routers under a single technical administration.

Router ID Text Up to 31 characters Router ID number.

Networks Pulldown, Text ???, <USER DEFINED>, all defined networks, *EDIT* A selection for the network(s) which will use BGP.

Advanced

Automatic Policies Checkbox Enabled/Disabled Enables the firewall to generate a set of automatic policies to allow a configured BGP interface to function properly. The policy created is for TCP port 179 and is viewable in the Monitor > Activity > Security Policies > Automatic section. Default is selected.

Redistribute (Categories for Connected, OSPF, RIP, and Static)

Enable Checkbox Enabled/Disabled A toggle for whether redistribution should be used or not.

Metric Checkbox, Text Enabled/Disabled, Up to 2 characters Configure the metric applied when the route is redistributed.

Route Aggregation

Aggregate Addresses Pulldown ???, <USER DEFINED>, all defined networks, *EDIT* The network(s) to aggregate.

AS Set Checkbox Enabled/Disabled This selection will generate or send the AS set of other routers to the remote router. Default is unselected.

Summary Only Checkbox Enabled/Disabled This selection filters out the more specific routes when sending updates. Default is unselected.

To edit an existing BGP interface, select the EDIT icon. To create a new BGP interface, select the NEW icon.

Table 2.5.6.1b: Configure > Network > Routing > BGP > Edit BGP Interface

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled Disables the BGP interface. Default is unselected.

Description Text Up to 70 characters A short description to identify the BGP interface.

Neighbor Text Up to 31 characters The IP address of the peer router the firewall will connect to for BGP.

Remote AS Text Up to 5 characters The AS number of the peer router.

Advertise Default Route Checkbox Enabled/Disabled Enable if the firewall will advertise itself as the default route. Default is unselected.


Advanced

Next Hop Self Checkbox Enabled/Disabled This selection disables the NEXT HOP SELF attribute for BGP. Default is unselected.

2.5.6.2 Gateway Policies

The Gateway Policies sub-section displays the name, type and description of all defined gateway policies. The administrator is able to enable or disable various options in this sub-section.

Table 2.5.6.2a: Configure > Network > Routing > Gateway Policies

Field Name Field Type Value Range Description

Gateway Failover

Enable Checkbox Enabled/Disabled A toggle for whether gateway failover capabilities should be used or not. Default is unselected.

Advanced

Add Static Routes For Beacons Checkbox Enabled/Disabled A toggle for whether static routes should be added for defined beacons. Default is selected.

Ping Secondary Only if Primary Down Checkbox Enabled/Disabled A toggle for whether the failover gateway should be pinged only if pinging the primary gateway is unsuccessful. Default is unselected.

Gateway Sharing

Enable Checkbox Enabled/Disabled A toggle for whether traffic connection sharing between the selected gateways should be enabled or not. Default is unselected.

Policy Based Routing

Enable Checkbox Enabled/Disabled A toggle for whether the ability to select a gateway for connections with outbound policies should be enabled or not. Default is unselected.

Source Routing

Enable Checkbox Enabled/Disabled A toggle for whether the ability to select a return gateway for connections with inbound policies should be enabled or not. Default is unselected.

The Edit Gateway Policy screen can be accessed by selecting NEW along the top right of the Gateway Policies screen.

Table 2.5.6.2b: Configure > Network > Routing > Edit Gateway Policies

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the gateway policy should be used or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the gateway policy, used for reference elsewhere in the configuration.

Description Text Up to 79 characters A description used to further identify the gateway policy.

Route Pulldown ???, <USER DEFINED>, all defined dynamic, external interfaces A selection for the route to be used by the gateway policy.

IP Address Text Up to 15 characters The IP address of the gateway policy’s route if <USER DEFINED> is selected in ROUTE.


Failover

Enable Checkbox Enabled/Disabled A toggle for whether gateway failover should be enabled for the gateway policy (if gateway failover is enabled). Default is selected.

Beacons Text / Text IP address / IP address Pingable IP addresses that are within five (5) hops of the gateway.

Advanced

Do Not Ping Gateway Checkbox Enabled/Disabled A toggle to allow or disallow pinging of the gateway.

Maximum Failures Text User defined number The maximum number of failures allowed before failover.

Sharing

Enable Checkbox Enabled/Disabled A toggle for whether to share traffic load with this gateway (if gateway sharing is enabled). Default is selected.

2.5.6.3 OSPF

The OSPF (Open Shortest Path First) sub-section displays the name, type and description of all defined OSPF protocols. The administrator is able to edit, delete and create new OSPFs from this sub-section.

Table 2.5.6.3a: Configure > Network > Routing > OSPF

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether or not OSPF should be used. Default is unselected.

Router ID Text Up to 31 characters Uniquely identifies the firewall/router. Must be in dotted-decimal form 0.0.0.0 (example: 0.0.0.1).

Advertise Default Route Checkbox Enabled/Disabled A toggle for whether or not the firewall will advertise itself as the default route.

Advanced

Automatic Policies Checkbox Enabled/Disabled Enables the firewall to generate a set of automatic policies to allow a configured OSPF interface to function properly. The policy created is for IP Protocol 89 and is viewable in the Monitor > Activity > Security Policies > Automatic section. Default is selected.

Default Metric Text Up to 8 characters The value used by a routing algorithm to determine that one route performs better than another. When metrics do not convert, the default metric provides a substitute, enabling redistribution to proceed.

Distance Text Up to 3 characters A value used to determine which routes a router should trust if the router receives two routes with identical information.

Redistribute (Categories for Connected, OSPF, RIP, and Static)

Enable Checkbox Enabled/Disabled A toggle for whether redistribution should be used or not.

Metric Checkbox, Text Enabled/Disabled, Up to 2 characters Configure the metric applied when the route is redistributed.


To edit an existing OSPF interface, select the EDIT icon. To create a new OSPF interface, select the NEW icon.

Table 2.5.6.3b: Configure > Network > Routing > OSPF > Edit OSPF Interface

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled Disables OSPF for the specified area. Default is unselected.

Area Text Up to 19 characters This selection specifies the OSPF area.

Description Text Up to 79 characters A short description to identify the OSPF area.

Type Pulldown Normal, NSSA, NSSA-No Summary, Stub, Stub-No Summary This selection is used to determine the behavior of the firewall/router.

Networks Pulldown ???, <USER DEFINED>, all defined networks, *EDIT* A selection for the network(s) which will use OSPF.

Advanced

Link Cost Text Up to 5 characters The cost to send a packet via an interface.

Priority Text Up to 3 characters A selection for the priority status of the route.

Dead Interval Text Up to 5 characters Define the period of time (in seconds) after which the route will be considered down.

Hello Interval Text Up to 5 characters Define the period of time (in seconds) in which updates will be sent.

Retransmit Interval Text Up to 5 characters Define the period of time (in seconds) the router will wait after an update is sent. If the time expires, the router will resend the update.

Transmit Delay Text Up to 5 characters Define the estimated time (in seconds) to send an update. This value must be greater than zero.

Authentication

KeyID Text Up to 3 characters Identifies the secret key used to create the message digest. This ID is part of the protocol and must be consistent across routers on a link. Valid numbers are 1-255.

Password Text Up to 16 characters The password that must be used to collect routing information through OSPF.

Virtual Links

Router ID Text Up to 31 characters Uniquely identifies the firewall/router. Must be in dotted-decimal form 0.0.0.0 (example: 0.0.0.1).

2.5.6.4 RIP

The RIP (Routing Information Protocol) sub-section displays the name, type and description of all defined routing information protocols. The administrator is able to edit, delete and create new RIPs from this sub-section.

Table 2.5.6.4a: Configure > Network > Routing > RIP

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether or not RIP should be used. Default is unselected.

Advertise Default Route Checkbox Enabled/Disabled A toggle for whether or not the default route (gateway) on any protected network or PSN should be advertised. Default is unselected.


Advanced

Automatic Policies Checkbox Enabled/Disabled A toggle to enable the firewall to generate an automatic set of policies to allow configured RIP interface settings to function properly. Default is selected.

Default Metric Text Up to 2 characters The value used by a routing algorithm to determine that one route performs better than another.

RIP Timers

Update Text Up to 5 characters The rate at which RIP sends a message containing the complete routing table to all neighboring RIP routers. Timer limit is 30 seconds.

Timeout Text Up to 5 characters Upon expiration of the timeout, the route is no longer valid. The route is retained in the routing table for a short time so neighbors can be notified that the route has been dropped. Timer limit is 180 seconds.

Garbage Text Up to 5 characters Upon expiration of the garbage timer, the route is completely removed from the routing table. Timer limit is 120 seconds.

Redistribute (Categories for Connected, OSPF, RIP, and Static)

Enable Checkbox Enabled/Disabled A toggle for whether redistribution should be used or not.

Metric Checkbox, Text Enabled/Disabled, Up to 2 characters A toggle for whether a metric should be used and to what degree.

To edit an existing RIP interface, select the EDIT icon. To create a new RIP interface, select the NEW icon.

Table 2.5.6.4b: Configure > Network > Routing > RIP > Edit RIP Interface

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the RIP interface should be disabled or not. Default is unselected.

Interface n/a n/a The interface being used.

Description Text Up to 79 characters A description of the RIP interface.

Input Pulldown <None>, <Both>, <v1>, <v2> A selection to determine what version of RIP will be accepted from other routers.

Output Pulldown <None>, <Both>, <v1>, <v2> A selection to determine what version of RIP will be exported or broadcast.

Password Pulldown <None>, <Clear>, <MD5> A selection for the type of encryption that will be used for the password.

Password Text Up to 19 characters The password that must be used to collect routing information through RIP version 2.

Key ID Text Up to 5 characters Pre-shared secret key ID. This only applies to RIPv2 when MD5 encryption is used.


2.5.6.5 Static Routes

The Static Routes sub-section displays the name, type and description of all defined static routes. The administrator is able to edit, delete and create new static routes from this sub-section.

Table 2.5.6.5a: Configure > Network > Routing > Static Routes

Field Name Field Type Value Range Description

Default Gateway

IPv4 Text IP Address IPv4 IP address.

IPv6 Text IP Address IPv6 IP address.

Table 2.5.6.5b: Configure > Network > Routing > Static Routes

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the static route should be disabled or not. Default is unselected.

Description Text Up to 79 characters A description of the static route.

Network IP Address Pulldown All configured address objects of type All or Network The address object(s) whose traffic will be reached via the static route.

Gateway Pulldown/Text All defined address objects of type All or Network The address object or IP address of the destination/gateway selected for this static route.

2.5.7 Traffic Shaping

The Traffic Shaping section list displays the name and description of all defined Traffic Shaping policies. Traffic Shaping policies allow the administrator to allocate available bandwidth for specific security policies and tunnels by defining a bandwidth pipe. Traffic shaping policies are used in tunnels and security policies.

The DEFAULT policy does not restrict traffic flow, allowing traffic to use all available bandwidth, first come, first served. If traffic shaping is enabled, the default policy cannot be disabled, but an alternate selection can be made.

Traffic Shaping is enabled by selecting the ENABLE Checkbox at the top of the Traffic Shaping list.

Table 2.5.6.7a: Configure > Network > Traffic Shaping

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether Traffic Shaping should be enabled or not. Default is unselected.

Default Text ???, all defined traffic shaping policies A selection for the traffic shaping policy to be used by default if Traffic Shaping is enabled.

To create a new traffic shaping policy, select the NEW icon.

Table 2.5.7b: Configure > Network > Traffic Shaping > Edit Traffic Shaping Policy

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the Traffic Shaping Object should be disabled or not. Default is unselected.

Name Text Up to 59 characters A unique identifier for the object, used to reference it elsewhere in the configuration.

Description Text Up to 79 characters A brief description used to further identify the use of the Traffic Shaping Object.

Bandwidth Text Up to 10 characters The data transfer speed limit of the Traffic Shaping Object. Values are entered in kilobits per second.


2.6 Objects

The Objects section allows the administrator to add or edit address objects, encryption objects, service group objects, time group objects and IPSec objects. An object needs only to be defined once; after that it can be selected throughout the Configuration section wherever the defined object is required.

Note

If an object that is used throughout the configuration is updated, configuration settings may inadvertently change.

2.6.1 Summary

2.6.2 Address Objects

The Address Object list displays the name, type and description of all defined address objects. The administrator is able to edit, delete and create new objects from this sub-section by double-clicking on a previously configured object or by selecting the NEW icon.

Additional address objects can be pooled together in the ADDRESS OBJECTS section to create a broader definition.

Table 2.6.2: Configure > Objects > Address Object > Edit Address

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the configured address object should be disabled or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the address object. The object’s name must not begin with a number.

Description Text Up to 79 characters A brief description of the address object.

Type Checkboxes All, Content Filtering, Mail Proxy, Network, Security Policies, VPN A selection for how the address object will be used. ALL allows the object to be used throughout the configuration, while the other options restrict use to their specific section. Not selecting a TYPE creates an internal object that can only be pooled into another object’s definition.

Address Objects

Object Pulldown All defined address objects A selection for the previously defined address object to be pooled in the definition.

Address Text Up to 499 characters If <USER DEFINED> has been selected, enter the address manually.

Description Text Up to 79 characters A brief description explaining the use of the additional address object.

2.6.3 Bookmark Objects

The administrator is able to edit, delete and create new objects from this sub-section by double-clicking on a previously configured object or by selecting the NEW icon.

Table 2.6.3: Configure > Objects > Bookmark Objects > Edit Address

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the configured bookmark object should be disabled or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the bookmark object. The object’s name must not begin with a number.

Description Text Up to 79 characters A brief description of the bookmark object.

Label Text Up to 19 characters A brief label for the bookmark object.


Bookmarks

Object Pulldown All defi ned bookmark objects

A selection for the previously defi ned bookmark object to be pooled in the defi nition.

Icon Pulldown None, Browser, Document, Email, Folder, Network, Web

A selection to display a built-in icon for the bookmark.

Label Text Up to 19 characters Enter a label for the bookmark object.

Type Pulldown <cifs://>, <ftp://>, <ftps://>, <http://>, <https://>

The type of protocol used for the bookmark object’s URL.

URL Text Up to 499 characters The URL for the bookmark object.

Description Text Up to 79 characters A brief description explaining the use of the additional bookmark object.

2.6.4 Encryption Objects

Encryption objects define encryption settings and are used when creating IPSec Objects. The Encryption Object list displays the name, type and description of all defined encryption objects. The administrator is able to edit, delete and create new objects from this sub-section by double-clicking on a previously configured object or by selecting the NEW icon.

Table 2.6.4: Configure > Objects > Encryption Objects > Edit Encryption Object

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the configured encryption object should be disabled or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the encryption object. It is recommended that the encryption object’s NAME includes the encryption algorithms used. The object’s name must not begin with a number.

Description Text Up to 79 characters A brief description of the encryption object.

Object Pulldown <???>, <USER DEFINED>, all defined objects.

A selection for a user defined encryption object or a default encryption object.

Encryption Method Pulldown <none>, <null>, <Camilla>, <AES-128>, <AES-192>, <AES-256>, <blowfish>, <des>, <3des>, <strong>

A selection for the encryption method to be used by the object. For an explanation on available encryption methods, see Encryption Methods.

Hash Algorithm Pulldown <none>, <hmac-md5>, <hmac-sha1>, <hmac-sha2>, <all>

A selection for the hash algorithm to be used by the object. For an explanation on available hash algorithms, see Hash Algorithms.

Key Group Pulldown <any>, <DH Group 1>, <DH Group 2>, <DH Group 5>, <DH Group 14>, <DH Group 15>, <DH Group 16>

A selection for the key group to be used by the object. For an explanation on key groups, see Key Group.

Description Text Up to 79 characters A brief description of the encryption object to identify multiple objects contained in an encryption object.

2.6.5 IPSec Objects

IPSec Objects are used when defining IPSec tunnels and user groups. The IPSec Object list displays the name and description of all defined IPSec Objects. IPSec Objects configure how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be accepted by your GTA firewall.

Table 2.6.5: Configure > Objects > VPN Object

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether access to the VPN Object should be disabled or not. The Default is unselected.

Name Text Up to 19 characters A unique identifier for the network connection, used to reference it elsewhere in the configuration. The object’s name cannot begin with a number.

Description Text Up to 80 characters A description used to further identify the use for the specific VPN Object.

IKE Checkbox Version 1, Version 2 Select the IKE version to be supported by the IPSec object.

Phase I

Exchange Mode Pulldown Main, Aggressive A selection for flexible (Main) or forced (Aggressive) negotiation of acceptable encryption algorithms for IKE. Aggressive mode is required if one component of the VPN has a dynamic (DHCP or PPP) IP address, such as with a dynamically addressed VPN gateway or mobile VPN client.

Encryption Object Pulldown ???, All defined encryption objects, * EDIT *

A selection for the encryption object to be used during Phase I. Selecting * EDIT * allows for the editing of an existing or creation of a new encryption object.

Force Mobile Protocol

Checkbox Enable/Disable Forces the mobile protocol for gateway-to-gateway VPNs.

Advanced

NAT-T Pulldown <Automatic>, <Disable>, <Force>

A selection for whether NAT Traversal (a method for working around the problems IPSec has with NAT) should be forced. Default is <Automatic>.

Lifetime Text Up to 5 characters The length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.

DPD Interval Text Up to 5 characters The interval in seconds between checks for continued viability of the VPN connection (also known as dead peer detection). To disable DPD queries made by the firewall, set the interval to 0. The firewall will continue to respond to DPD signals from other VPN gateways and clients, but will not initiate any signals of its own.

Phase II

Encryption Object Pulldown ???, All defined encryption objects, * EDIT *

A selection for the encryption object to be used during Phase II. Selecting * EDIT * allows for the creation of a new encryption object.

Advanced

Lifetime Text Up to 5 characters The length of time in minutes before the Phase II security associations must be renewed. This time must be smaller than the Lifetime value set for Phase I. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.
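The constraints Table 2.6.5 states for an IPSec object (name length and first character, Phase I and Phase II lifetimes of up to 5 characters with Phase II smaller than Phase I, Aggressive mode when a peer is dynamically addressed, DPD interval 0 disabling initiated checks) can be checked before an object is committed. The following is an added example, not GTA's own code; the dictionary layout and the `peer_dynamic` flag are conventions of this example, not fields of the GB-OS UI.

```python
"""Check an IPSec object definition against the rules in Table 2.6.5.

Added example, not GTA's code. Only constraints the guide states are
encoded; the dict layout and `peer_dynamic` flag are this example's own.
"""
from __future__ import annotations

NAME_MAX = 19          # "Up to 19 characters"
LIFETIME_CHARS = 5     # "Up to 5 characters", value in minutes
DESCRIPTION_MAX = 80   # "Up to 80 characters" for the IPSec object


def _lifetime_minutes(value: str, label: str, findings: list[str]) -> int | None:
    """Validate a lifetime field; return it in minutes, or None if invalid."""
    if len(value) > LIFETIME_CHARS or not value.isdigit():
        findings.append(f"{label} lifetime {value!r} must be up to {LIFETIME_CHARS} digits")
        return None
    return int(value)


def check_ipsec_object(obj: dict) -> list[str]:
    """Return a list of findings; an empty list means the object is consistent."""
    findings: list[str] = []

    name = obj.get("name", "")
    if not name or len(name) > NAME_MAX:
        findings.append(f"name must be 1-{NAME_MAX} characters")
    elif name[0].isdigit():
        findings.append("name must not begin with a number")

    if len(obj.get("description", "")) > DESCRIPTION_MAX:
        findings.append(f"description exceeds {DESCRIPTION_MAX} characters")

    p1 = _lifetime_minutes(obj["phase1"]["lifetime"], "Phase I", findings)
    p2 = _lifetime_minutes(obj["phase2"]["lifetime"], "Phase II", findings)
    if p1 is not None and p2 is not None and p2 >= p1:
        findings.append(f"Phase II lifetime ({p2} min) must be smaller than Phase I ({p1} min)")

    mode = obj["phase1"]["exchange_mode"]
    if mode not in ("Main", "Aggressive"):
        findings.append(f"unknown exchange mode {mode!r}")
    elif obj.get("peer_dynamic") and mode != "Aggressive":
        findings.append("Aggressive mode is required when a peer has a dynamic (DHCP/PPP) address")

    dpd = obj["phase1"].get("dpd_interval", "0")
    if len(dpd) > LIFETIME_CHARS or not dpd.isdigit():
        findings.append(f"DPD interval {dpd!r} must be up to {LIFETIME_CHARS} digits")
    return findings


def dpd_initiates(obj: dict) -> bool:
    """False when the DPD interval is 0: the firewall still answers peers'
    DPD queries but no longer sends its own."""
    return int(obj["phase1"].get("dpd_interval", "0")) > 0


# Constructed sample: a tunnel to a dynamically addressed gateway whose
# Phase II lifetime is not smaller than Phase I and which uses Main mode.
SAMPLE_BAD = {
    "name": "branch_vpn",
    "description": "Branch office tunnel",
    "peer_dynamic": True,
    "phase1": {"exchange_mode": "Main", "lifetime": "1440", "dpd_interval": "0"},
    "phase2": {"lifetime": "1440"},
}

# The same object with both findings corrected and DPD initiation enabled.
SAMPLE_OK = {
    "name": "branch_vpn",
    "description": "Branch office tunnel",
    "peer_dynamic": True,
    "phase1": {"exchange_mode": "Aggressive", "lifetime": "1440", "dpd_interval": "30"},
    "phase2": {"lifetime": "480"},
}

if __name__ == "__main__":
    for finding in check_ipsec_object(SAMPLE_BAD):
        print("SAMPLE_BAD:", finding)
```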

2.6.6 Service Groups

Service group objects are used when defining security policies and inbound tunnels. The Service Group object list displays the name, type and description of all defined service group objects. The administrator is able to edit, delete and create new objects from this sub-section.

Additional service group objects can be pooled together in the SERVICES section to create a broader definition.

Table 2.6.6: Configure > Objects > Service Groups

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the configured service group object should be disabled or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the service group object. The object’s name must not begin with a number.

Description Text Up to 79 characters A brief description of the service group object.

Services

Object Pulldown <???>, <USER DEFINED>, All defined service group objects

A selection for the service group object to be used.

Protocol Pulldown <TCP>, <UDP>, <ICMP>, <IP>

If <USER DEFINED> has been selected, select the protocol to be added.

Port(s) Text Up to 12 ports and/or port ranges

If <USER DEFINED> has been selected, enter the port number manually. Port numbers can be entered individually (1,2,3,4,5) or as a pool (1-5).

Description Text Up to 79 characters A brief description of the service.
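The Port(s) field accepts individual ports (1,2,3,4,5) or a pool (1-5), up to 12 entries. Below is an added example, not GTA's code, that parses and validates such a specification and merges it into port ranges; the port bounds 1-65535 are this example's assumption, since the guide does not state the limits the UI enforces.

```python
"""Parse and validate the Port(s) field of a GB-OS service group object.

Added example, not GTA's code. Entries are comma-separated ports or
low-high ranges; at most 12 entries are allowed (stated in the guide).
The 1-65535 bounds are an assumption of this example.
"""
from __future__ import annotations

MAX_ENTRIES = 12                 # limit stated in the guide
PORT_MIN, PORT_MAX = 1, 65535    # assumed bounds, not stated by the guide


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Return a sorted, merged list of (low, high) port ranges.

    Raises ValueError with a readable reason for any entry that violates
    the field's rules, so the caller can show it next to the field.
    """
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not entries:
        raise ValueError("no ports given")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")

    ranges: list[tuple[int, int]] = []
    for entry in entries:
        low_s, sep, high_s = entry.partition("-")
        if not low_s.isdigit() or (sep and not high_s.isdigit()):
            raise ValueError(f"{entry!r} is not a port or port range")
        low = int(low_s)
        high = int(high_s) if sep else low
        if not (PORT_MIN <= low <= PORT_MAX and PORT_MIN <= high <= PORT_MAX):
            raise ValueError(f"{entry!r} is outside {PORT_MIN}-{PORT_MAX}")
        if low > high:
            raise ValueError(f"{entry!r} has its bounds reversed")
        ranges.append((low, high))

    # Merge overlapping or adjacent ranges so "1,2,3,4,5" and "1-5" agree.
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        prev_low, prev_high = merged[-1]
        if low <= prev_high + 1:
            merged[-1] = (prev_low, max(prev_high, high))
        else:
            merged.append((low, high))
    return merged


def port_error(spec: str) -> str | None:
    """Return the validation message for `spec`, or None if it is acceptable."""
    try:
        parse_ports(spec)
    except ValueError as exc:
        return str(exc)
    return None


def matches(spec: str, port: int) -> bool:
    """True if `port` falls inside the service group's port definition."""
    return any(low <= port <= high for low, high in parse_ports(spec))
```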

2.6.7 Time Groups

The Time Group object list displays the name, type and description of all defined time group objects. Time Group objects can be used when creating security policies. The administrator is able to edit, delete and create new objects from this sub-section.

Additional time group objects can be pooled together in the TIME GROUPS section to create a broader definition.

Table 2.6.7: Configure > Objects > Time Groups

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the configured time object should be disabled or not. Default is unselected.

Name Text Up to 19 characters A unique identifier for the time group object. The object’s name must not begin with a number.

Description Text Up to 79 characters A brief description of the time group object.

Time Groups

Object Pulldown <???>, <USER DEFINED>, all defined time group objects.

A selection for the time group object to be used. Selecting a previously defined object allows for additional edits.

Start Pulldowns 00:00-24:00 If <USER DEFINED> has been selected, a selection for the start period of the time group.

End Pulldowns 00:00-24:00 If <USER DEFINED> has been selected, a selection for the end period of the time group.

Sun, Mon, Tue, Wed, Thr, Fri, Sat

Checkboxes Enabled/Disabled If <USER DEFINED> has been selected, a toggle for the days of the week that the start and end times will be applied to the time group. Default is unselected.

2.7 Reporting

The Reporting section allows the administrator to schedule executive reports and configure preferences for historical statistic graphs.

2.7.1 Summary

The Summary sub-section provides an overview of the current firewall mode’s configuration settings found in the Reporting section. Links to containers pertaining to specific sections of the firewall’s configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.7.2 Preferences

The Preferences sub-section allows administrators to customize the colors for the Historical Statistics graphs displayed in the user interface and included in the Executive Reports. Edit the colors by entering the color Hex number or using the color picker.

2.7.3 Schedule

The Schedule sub-section allows administrators to schedule daily, weekly or monthly executive reports.

Table 2.7.3: Configure > Reporting > Schedule

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for enabling or disabling the scheduled report. Default is unselected.

Description Text Up to 79 characters A description for the scheduled report.

Report

Type Pulldown Allowed, Country, Denied, Executive, Inbound, Mail Proxy, Network Traffic, Outbound, Web Filtering, System Resources, VPN

The type of report to be run. Executive reports will include all report data. Additional report selections can be specified under the Advanced tab.

Duration Hourly, Daily, Weekly, Monthly, Yearly

The time duration for the report data.

Locale Pulldown Default, English The locale option determines the report language.

Schedule

Frequency Pulldown Daily, Weekly, Monthly

The frequency for which the scheduled report will run.

Time Pulldown 00:01 - 23:59 Select the time of day at which the scheduled report will run.

Email

Subject Text Up to 255 characters The subject line for the report email.

To Pulldown Address Objects, <USER DEFINED>

The email(s) to which the scheduled report will be sent.

Advanced

Reporting Options Checkbox Enabled/Disabled Data options for the scheduled report. Select the categories for which the report will display data and graphs.

2.8 Security Policies

The Security Policies section allows the administrator to edit policies as well as adjust security preferences.

2.8.1 Summary

The Summary sub-section provides an overview of the current firewall mode’s configuration settings found in the Security Policies section. Links to containers pertaining to specific sections of the firewall’s configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.8.2 Country Blocking

The Country Blocking sub-section allows the administrator to create a country security policy to allow or deny connections based upon country and inbound/outbound connections.

Table 2.8.2: Configure > Security Policies > Country Blocking (inbound/outbound)

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether country blocking should be enabled.

Type Pulldown Allow, Deny A selection for choosing to allow specific countries only, or deny specific countries only.

White List Pulldown Country White List A selection for specifying a white list object. The object will override country blocks.

Database

Subscription Checkbox Enabled/Disabled A toggle for enabling automatic updates to the country IP database. A valid support contract is required.

2.8.3-5 & 2.8.7 Inbound, Outbound, Pass Through, VPN (IPSec, L2TP, PPTP, SSL Client)

All security policies contain identical configuration options. To define a specific security policy, navigate to its appropriate screen. The administrator is able to edit, delete and create new policies.

Table 2.8.2.1-5: Configure > Security Policies > *sub-section

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether or not the policy is to be used. Default is unselected.

Description Text Up to 79 characters Description of the policy.

Type Pulldown Accept, Deny A selection for the nature of the policy. Default is Deny.

Interface Pulldown <ANY>, all defined logical interfaces

A selection for the interface to which the policy will apply.

Service Pulldown ???, all defined service group objects, * EDIT *

A selection for the service group object to be used by the policy. Selecting <* EDIT *> allows for the configuration of a new object.

Time Groups Pulldown ???, all defined time group objects, * EDIT *

A selection for the time group object to be used by the policy. Selecting <* EDIT *> allows for the configuration of a new object.

Source Address Pulldown ???, <USER DEFINED>, <ANY_IP>, all defined address objects of type All or Security Policy, * EDIT *

A selection for the source IP address of the policy. Selecting <USER DEFINED> will allow for the manual entry of the source address.

Destination Address Pulldown ???, <USER DEFINED>, all defined interfaces and address objects of type All or Security Policy, * EDIT *

A selection for the destination IP address of the policy. Selecting <USER DEFINED> will allow for the manual entry of the destination address.

Advanced

Broadcast Checkbox Enabled/Disabled A toggle for whether the Destination Address is a broadcast address or not. Default is unselected.

Authentication Required

Checkbox Enable/Disabled Must be authenticated before policy will be matched.

TCP SYN Cookies Checkbox Enable/Disabled Enable TCP SYN flood protection.

Options

Priority Pulldown <0> - <7> A value for the priority of the policy to be tagged in log messages.

Action

Alarm Checkbox Enabled/Disabled A toggle for whether or not the administrator should be notifi ed if a policy alarm is triggered. Default is unselected.

Email Checkbox Enabled/Disabled A toggle for whether or not the administrator should be notifi ed by email if the policy is triggered. Default is unselected.

ICMP Checkbox Enabled/Disabled A toggle for whether the policy should respond with ICMP unreachable or TCP reset if triggered. Default is unselected.

IPS Checkbox Enabled/Disabled A toggle for whether traffic on the security policy should be checked against configured IPS policies. Default is unselected.

Log Pulldown <Default>, <Yes>, <No>

A selection for whether the action should be logged or not. <Default> is the value defined in Configure > Security Policies > Preferences.

Report Checkbox Enabled/Disabled A toggle for whether or not the policy should be included in report data.

SMS Checkbox Enabled/Disabled A toggle for whether or not the administrator should be notifi ed by SMS policy alarm if the policy is triggered. Default is unselected.

SNMP Trap Checkbox Enabled/Disabled A toggle for whether or not the administrator should be notifi ed if an SNMP trap policy alarm is triggered. Default is unselected.

Stop Interface Checkbox Enabled/Disabled A toggle for whether or not the administrator should be notifi ed if a stop interface policy alarm is triggered. Default is unselected.

Coalesce

Source Address Checkbox Enabled/Disabled A toggle for whether the source address should be coalesced or not. Default is unselected.

Source Ports Checkbox Enabled/Disabled A toggle for whether source ports should be coalesced or not. Default is unselected.

Destination Address Checkbox Enabled/Disabled A toggle for whether the destination address should be coalesced or not. Default is unselected.

Destination Ports Checkbox Enabled/Disabled A toggle for whether the destination ports should be coalesced or not. Default is unselected.

Traffic Shaping

Policy Pulldown Traffic Shaping Objects

Traffic shaping object to be applied to the policy.

Weight Pulldown <1> - <10> Weight to apply to the policy.

2.8.6 Preferences

The Preferences sub-section allows the firewall administrator to set global preferences to be applied to security policies.

Table 2.8.3: Configure > Security Policies > Preferences

Field Name Field Type Value Range Description

Options

Black List Pulldown Address Object A selection for an address object to black list. Default is ALWAYS_BLOCK.

Automatic Policies Checkbox Enabled/Disabled Options include enabling the use of automatic policies and logging activity generated by them, as well as inclusion in report data.

Connection Limiting Checkbox Enabled/Disabled Always enabled. An option is available to log and report connection limiting.

Country Checkbox Enabled/Disabled Always enabled. An option is available to log, report, alarm or ICMP country blocks.

Deny Address Spoof Checkbox Enabled/Disabled Always enabled. Options include generating alarms, emailing the administrator and logging activity when an alarm is tripped.

Deny Doorknob Twist

Checkbox Enabled/Disabled Always enabled. Options include generating alarms, emailing the administrator, enabling ICMP and logging activity when an alarm is tripped.

Deny Fragmented Packets

Checkbox Enabled/Disabled Options include enabling the ability to deny fragmented packets and logging activity generated by them.

Deny Invalid Packets

Checkbox Enabled/Disabled Always enabled. An option is available to log denied invalid packets.

Deny Unexpected Packets

Checkbox Enabled/Disabled Always enabled. An option is available to log denied unexpected packets.

Ident Checkbox Enabled/Disabled Options include enabling Ident.

Stealth Mode Checkbox Enabled/Disabled Options include enabling the ability to have the firewall operate in stealth mode and logging activity generated by it.

TCP SYN Cookies Checkbox Enabled/Disabled Options include enabling the use of TCP SYN cookies and logging activity generated by them.

Policy Blocks Checkbox Enabled/Disabled Always enabled. An option is available to log policy blocks.

Tunnel Opens Checkbox Enabled/Disabled Always enabled. An option is available to log tunnel opens.

Tunnel Closes Checkbox Enabled/Disabled Always enabled. An option is available to log tunnel closes.

Coalesce

Interval Text Up to 5 characters Entering a value of zero (0) turns off coalescing. Default is 60.

Source Address Checkbox Enabled/Disabled A toggle for whether log messages should be coalesced from similar source addresses or not. Default is selected.

Source Ports Checkbox Enabled/Disabled A toggle for whether log messages should be coalesced from similar source ports or not. Default is selected.

Destination Address Checkbox Enabled/Disabled A toggle for whether log messages should be coalesced from similar destination addresses or not. Default is selected.

Destination Ports Checkbox Enabled/Disabled A toggle for whether log messages should be coalesced from similar destination ports or not. Default is selected.
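The Coalesce preferences above collapse repeated log messages: within the interval (default 60, with 0 turning coalescing off) messages that differ only in the fields selected for coalescing are reported once with a count. The following is an added example, not GTA's code, that applies that reading of the preferences to constructed log lines; the line format is invented for the example and is not the GB-OS syslog format, and the interval is assumed to be in seconds.

```python
"""Coalesce repeated policy-block log messages per the Coalesce preferences.

Added example, not GTA's code. Within `interval` (assumed seconds; 0 turns
coalescing off) messages that differ only in the fields chosen for
coalescing are merged into one record with a count. The log format below is
constructed for the example and is not the GB-OS syslog format.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: one host probing several destination ports within
# 5 seconds, then an unrelated block two minutes later.
SAMPLE_LOG = """\
0 deny policy=inbound src=203.0.113.7:51001 dst=192.0.2.10:22
1 deny policy=inbound src=203.0.113.7:51002 dst=192.0.2.10:23
2 deny policy=inbound src=203.0.113.7:51003 dst=192.0.2.10:25
3 deny policy=inbound src=203.0.113.7:51004 dst=192.0.2.10:80
5 deny policy=inbound src=203.0.113.7:51005 dst=192.0.2.10:443
125 deny policy=inbound src=198.51.100.4:40000 dst=192.0.2.10:22
"""

FIELDS = ("src_addr", "src_port", "dst_addr", "dst_port")
DEFAULT_COALESCE = frozenset({"src_port", "dst_port"})


@dataclass
class Coalesced:
    first_seen: int
    key: tuple                 # policy plus the fields that are NOT coalesced
    varying: dict[str, set]    # distinct values seen in the coalesced fields
    count: int = 0


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, _action, policy, src, dst = line.split()
    s_addr, s_port = src[len("src="):].rsplit(":", 1)
    d_addr, d_port = dst[len("dst="):].rsplit(":", 1)
    return {"ts": int(ts), "policy": policy.split("=", 1)[1],
            "src_addr": s_addr, "src_port": int(s_port),
            "dst_addr": d_addr, "dst_port": int(d_port)}


def coalesce(log: str, interval: int = 60,
             coalesce_on: frozenset = DEFAULT_COALESCE) -> list[Coalesced]:
    """Return coalesced records in first-seen order.

    A group stays open for `interval` seconds after its first message; a
    later matching message starts a fresh group. With interval 0 every
    message becomes its own record, matching "zero turns off coalescing".
    """
    out: list[Coalesced] = []
    open_groups: dict[tuple, Coalesced] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        key = (msg["policy"],) + tuple(msg[f] for f in FIELDS if f not in coalesce_on)
        group = open_groups.get(key) if interval > 0 else None
        if group is None or msg["ts"] - group.first_seen >= interval:
            group = Coalesced(first_seen=msg["ts"], key=key,
                              varying={f: set() for f in coalesce_on})
            out.append(group)
            if interval > 0:
                open_groups[key] = group
        group.count += 1
        for f in coalesce_on:
            group.varying[f].add(msg[f])
    return out


if __name__ == "__main__":
    for g in coalesce(SAMPLE_LOG):
        print(f"t={g.first_seen} key={g.key} count={g.count} "
              f"dst_ports={sorted(g.varying['dst_port'])}")
```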

2.9 Services

The Services section allows the administrator to enable and edit services such as DHCP, DNS, Dynamic DNS, Firewall Control Center, High Availability, Remote Logging and SNMP. Some of these services are optional on select GTA firewalls.

2.9.1 Summary

The Summary sub-section provides an overview of the current firewall mode’s configuration settings found in the Services section. Links to containers pertaining to specific sections of the firewall’s configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.9.2 DHCP

The DHCP sub-section allows the administrator to edit, delete or create new DHCP address pools.

Table 2.9.2a: Configure > Services > DHCP

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether or not the DHCP service should be used. Default is unselected.

Selecting NEW creates a new DHCP address range.

Table 2.9.2b: Configure > Services > DHCP > Edit DHCP Address Range

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the DHCP address range should be used or not. Default is unselected.

Type Pulldown DHCPv4, DHCPv6 Selection of DHCPv4 versus DHCPv6.

Description Text Up to 79 characters A description of the IP address pool range.

Beginning Address Text IP address The first IP address of the pool’s range.

Ending Address Text IP address The last IP address of the pool’s range.

Netmask Text IP address Subnet mask used to divide hosts into network groups. Default is 255.255.255.0. Only for IPv4 networks.

Prefix Length Text Up to 5 characters Enter the prefix length for DHCPv6.

Lease Duration Text/Text/Text

Up to 5 characters/Up to 2 characters/ Up to 2 characters

The length of the lease, entered in days/hours/minutes. Default is 1 day, 0 hours, 0 minutes.

Options

Default Gateway Text IP address Gateway given to DHCP clients.

Domain Name Text Up to 57 characters DNS domain name.

Name Server IP Address

Text IP address IP address of the DNS that will be issued to the requesting client. Up to three DNSs can be assigned.

WINS Server IP Address

Text IP address IP address of the WINS server that will be issued to the requesting client. Up to three WINS servers can be assigned.

Network Time Text IP Address IP address of the network time server that will be issued to the requesting client. Up to three network time servers can be assigned.

Advanced

MTU Text Up to 5 characters The MTU size determines the greatest packet size that can be transmitted by the DHCP service. A value of 0 means the field is ignored.

Advanced

Static Leases

Disable Checkbox Enabled/Disabled A toggle for whether the configured static lease should be disabled or not. Default is unselected.

Host Name Text Up to 119 characters

The host name to be used by the static lease.

IP Address Text IP address The desired IP address to be statically leased to the host.

MAC Address Text Up to 17 characters The host’s MAC address.

Description Text Up to 159 characters

A description of the host’s static lease.

Exclusion Ranges

Range Text/Text IP address/IP address

Define up to five address ranges to exclude from each DHCP range. To enter a single IP address, enter its value in both the beginning and ending address fields.

2.9.3 DNS

The DNS sub-section allows the administrator to configure the firewall as a primary Domain Name Server, maintaining a database of domain names and their corresponding IP addresses. Toggling between the DNS Proxy and DNS Server radio buttons will allow for the configuration of each.

Table 2.9.3a: Configure > Services > DNS Proxy

Field Name Field Type Value Range Description

Name Servers

Enable Checkbox Enabled/Disabled A toggle for whether or not the external name server should be enabled. Default is unselected.

IP Address Text IP address The IP address of the external name server.

Primary Domain Name

Text Up to 79 characters The primary domain name used for the network.

DNS

Enable Checkbox Enabled/Disabled A toggle for whether or not the DNS service should be enabled. Default is unselected.

Service Radio Button

Enabled/Disabled To configure the DNS Proxy, select the DNS Proxy option.

Advanced

Automatic Policies Checkbox Enabled/Disabled A toggle to have the DNS proxy automatically accept all policies. Default is selected.

Table 2.9.3b: Configure > Services > DNS Server

Field Name Field Type Value Range Description

Name Servers

Enable Checkbox Enabled/Disabled A toggle for whether the external name server should be enabled or not. Default is unselected.

IP Address Text IP address The IP address of the external name server.

Service Radio Button

Enabled/Disabled To configure the DNS server, select the DNS Server option.

Advanced

Automatic Policies Checkbox Enabled/Disabled A toggle to have the DNS proxy automatically accept all policies. Default is selected.

DNS Server

Server Names Text Up to 79 characters The host name of your DNS server.

Secondary Server Names

Text Up to 79 characters The host names of DNS servers acting as alternate name servers for the domain.

Forwarders Text/Text/Text

IP address/IP address/IP address

DNS servers that will be utilized as DNS forwarders.

Trusted Networks Pulldown ???, <USER DEFINED>, * EDIT *, all configured networks

Networks or IP Addresses allowed for recursive DNS searches.

Email Contact Text Up to 127 characters

The email contact for the DNS server.

Advanced

Subnets

Network IP Address Text IP address The network IP address of the subnet.

Reverse Zone Name Text IP address The reverse zone name of the subnet.

Clicking the NEW icon or the PRESS CREATE NEW link in the Domains section will open the Edit DNS Domain screen.

Table 2.9.3.2c: Configure > Services > Edit DNS Domain

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether or not DNS Domain should be disabled. Default is unselected.

Domain Name Text Up to 79 characters The domain name of the defined zone.

Description Text Up to 79 characters A description of the DNS domain.

IP Address Text IP address The IP address of a host to respond to the zone name.

Mail Exchangers Text Up to 79 characters The mail exchangers for the DNS domain.

SPF Text Up to 79 characters Enter an SPF (Sender Policy Framework) record. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in DNS.

TXT Text Up to 79 characters DNS text entry record.

Hosts

Disable Checkbox Enabled/Disabled A toggle for whether the host entry should be disabled or not. Default is selected.

RDNS Checkbox Enabled/Disabled A toggle for whether reverse DNS should be used by the entry or not. Default is unselected.

IP Address Text IP address The IP address of the host entry.

Host Names Text Up to 79 characters Enter the primary host name in the first field and aliases in succeeding fields.

TXT Text Up to 79 characters DNS text entry record.

2.9.4 Dynamic DNS

The Dynamic DNS sub-section allows the administrator to automate the process of advising DNS servers when the automatically assigned IP address for a network device is changed, ensuring that a specific domain name always points to the correct machine.

Table 2.9.4a: Configure > Services > Dynamic DNS

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether or not Dynamic DNS should be used. Default is unselected.

Selecting NEW creates a new Dynamic DNS entry.

Table 2.9.4b: Configure > Services > Dynamic DNS

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether the Dynamic DNS entry should be disabled or not. Default is unselected.

Description Text Up to 79 characters A description of the Dynamic DNS entry.

Host Name Text Up to 79 characters The host name of the service that will use Dynamic DNS.

Interface Pulldown All configured logical interfaces

A selection for the logical interface for the Dynamic DNS entry.

Service Pulldown <DynDNS>, <Dynu>, <ChangeIP>, <easyDNS>, <No-IP>

A selection for the Dynamic DNS service provider. An active account with the selected service provider is required.

Login User Name Text Up to 79 characters The login name for the selected Dynamic DNS service account.

Login Password Text Up to 79 characters The login password for the selected Dynamic DNS service account.

2.9.5 High Availability

The High Availability sub-section allows the administrator to configure two systems to operate as a single virtual firewall, ensuring network access and security are maintained with minimum downtime.

Table 2.9.5: Configure > Services > High Availability

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether or not H2A - High Availability should be used. Default is unselected.

Status n/a n/a An indication of the service’s status.

VRID Text Up to 2 characters Enter a value between 0 and 15 to uniquely identify the H2A group. All systems within the group must have the same VRID.

Priority Text Up to 3 characters Enter a value between 1 and 255. The firewall with the highest number and confirmed communications beacons will operate in Master mode and will process network traffic as the virtual firewall.

Advanced

Automatic Policies Checkbox Enabled/Disabled A toggle for whether automatic policies are used.

Settle Time Text Up to 5 characters The length of time (in seconds) a firewall will stay in a mode during an HA transition before probing its beacons.

Update HA Group

Addresses Text ???, all defined interfaces

A selection for the slave address(es).

User ID Text Up to 19 characters User name for slave login.

Password Checkbox/Text

Up to 59 characters Encrypted password assigned to the user name.

Manual Button Update Update the status of the H2A slave firewall.

High Availability Interfaces

Name n/a n/a The name of the configured H2A firewall.

Interface Pulldown ???, all defined interfaces

The interface of the configured H2A firewall.

Virtual IP Address Pulldown ???, all defined interfaces

The virtual IP address of the configured H2A firewall.

Description n/a n/a A description of the configured H2A firewall.

2.9.6 Remote Logging

The Remote Logging sub-section allows the administrator to configure how and where log information is sent.

Table 2.9.6: Configure > Services > Remote Logging

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled A toggle for whether or not the Remote Logging service should be used. Default is unselected.

Syslog Server Text Up to 79 characters IP Address or host name of a system that will accept the remote logging data.

Advanced

Binding Interface Pulldown <AUTOMATIC>, all defi ned interfaces and VLANs

Address from which logging is sourced. Default is <AUTOMATIC>.

Page 231: 6.2 Users Guide - gta.com · DHCP Relay ... Anti-Spam ... Performing a Manual Software Update

231

GB-OS 6.2 User’s Guide

Reference B: System Parameters

Table 2.9.6: Confi gure > Services > Remote Logging

Facilities

Policy Facility Pulldown Syslog facility Logs information associated with any policy that has logging enabled. Default is local1.

NAT Facility Pulldown Syslog facility Logs information associated with outbound packets. Default is local0.

WWW Facility Pulldown Syslog facility Logs all URLs accessed through the GTA fi rewall. Default is local2.

2.9.7 SNMP

The SNMP sub-section allows the administrator to manage IP devices, retrieving data from each device on a network and sending it to designated hosts.

Table 2.9.7: Configure > Services > SNMP

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Enable | Checkbox | Enabled/Disabled | A toggle for whether or not the SNMP service should be used. Default is unselected. |
| Contact Information | Text | Up to 59 characters | Email address of the administrator. |
| Location | Text | Up to 59 characters | User defined description of the location of the administrator. |
| Version 2 Configuration | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether or not the SNMP version 2 service should be used. Default is unselected. |
| Community | Text | Up to 59 characters | User defined description of community members. Doubles as a password. |
| Version 3 Configuration | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether or not the SNMP version 3 service should be used. Default is unselected. |
| User ID | Text | Up to 19 characters | User name assigned separately from other user authorization names. |
| Password | Text | Up to 59 characters | Encrypted password assigned to the user name. |
| Security Level | Pulldown | <AuthPriv>, <AuthNoPriv> | Security level of the SNMP server. Default is AuthPriv. |
| Advanced | | | |
| Automatic Policies | Checkbox | Enabled/Disabled | A toggle for whether the firewall should automatically generate a set of policies to allow use of the SNMP service. If disabled, remote access policies must be defined. Default is selected. |


2.10 Threat Management

The Threat Management section allows the administrator to enable and configure IPS, Mail Proxy and Content Filtering.

2.10.1 Summary

The Summary sub-section provides an overview of the current firewall mode's configuration settings found in the Threat Management section. Links to containers pertaining to specific sections of the firewall's configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.10.2 IPS

The IPS sub-section allows the administrator to enable and configure GB-OS' Intrusion Prevention System.

2.10.2.1 Proxy

The Proxy sub-section allows the administrator to enable and configure IPS.

Table 2.10.2.1: Configure > Threat Management > IPS > Proxy

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Enable | Checkbox | Enabled/Disabled | A toggle for whether the Intrusion Protection proxy should be enabled or not. Default is unselected. |
| Subscription | Checkbox | Enabled/Disabled | A selection to use subscription updates for the IPS proxy. GTA Firewall UTM Appliances that do not have a valid GTA support contract cannot use this option. |
| Advanced | | | |
| Performance Tuning | | | |
| Networks | | | |
| External | N/A | N/A | Any external IP the IPS applies to; not editable. |
| Protected | Pulldown | All defined address objects of type Network | A selection for the GTA Firewall UTM Appliance's networks the IPS proxy should protect. |
| External Servers | | | |
| AIM | Pulldown | All defined address objects of type Network | A selection for the address object that contains addresses of known AOL Instant Messenger servers. |
| Internal Servers | | | |
| DNS | Pulldown | All defined address objects of type Network | Defines IP of internal DNS servers. |
| Email | Pulldown | ???, <USER DEFINED>, all defined address objects of type Email, *EDIT* | Defines IP of internal email servers. |
| SNMP | Pulldown | All defined address objects of type Network | Defines IP of internal SNMP servers. |
| Telnet | Pulldown | All defined address objects of type Network | Defines IP of internal servers allowing telnet. |
| Web | Pulldown | All defined address objects of type Network | Defines internal Web server IP address. |
| Services | | | |
| DNS | Pulldown | All defined services | Defines the DNS service. |
| FTP | Pulldown | All defined services | Defines the FTP service. |
| Email | Pulldown | All defined services | Defines the email service. |
| SSH | Pulldown | All defined services | Defines the SSH service. |
| Telnet | Pulldown | All defined services | Defines the telnet service. |
| Web | Pulldown | All defined services | Defines the Web service. |

2.10.2.2 Policies

The Policies sub-section allows for the configuration of Intrusion Protection policies.

Table 2.10.2.2: Configure > Threat Management > IPS > Policies

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Filter | | | |
| Row | Text | Up to 6 characters | A selection for the row number that should be displayed. |
| Rows per Page | Pulldown | 50, 100, 500, all | A selection for the number of rows to be displayed. Displaying 500 or more rows per page may impact browser performance. |
| Advanced | | | |
| Column | | | |
| Column | Pulldown | Enable, Log, Alarm, Action, Name, ID, Group | A selection for the column to filter. |
| Filter | Checkbox | Enabled/Disabled | A toggle for whether the selected column should be filtered or not. Default is unselected. |
| Field | Pulldown | Variable | A selection for the value to be filtered according to the selected COLUMN. |
| Policies | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether the selected IPS policy should be enabled or not. Default is unselected. |
| Log | Checkbox | Enabled/Disabled | A toggle for whether the selected IPS policy should be logged or not. Default is unselected. |
| Alarm | Checkbox | Enabled/Disabled | A toggle for whether the selected IPS policy should generate alarms if triggered or not. Default is unselected. |
| Action | Pulldown | Drop, Pass, Reset | A selection for the action to be performed by the IPS policy if triggered. <Drop> drops the packet, <Pass> passes the packet through the firewall, <Reset> responds to the start and end points of the connection with a reset packet. |


2.10.3 Mail Proxy

The Mail Proxy sub-section allows the administrator to enable and configure Mail Proxy. Some of these services are optional on select GTA firewalls.

2.10.3.1 Proxy

The Proxy sub-section allows for the configuration of the mail proxy.

Table 2.10.3.1: Configure > Threat Management > Mail Proxy > Proxy

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Enable | Checkbox | Enabled/Disabled | A toggle for whether the Mail Proxy should be enabled or not. Default is unselected. |
| Connection | | | |
| Time Out | Text | Up to 5 characters | The amount of time, in seconds, before the connection will time out. Default is 120. |
| Maximum Connections | Text | Up to 5 characters | The number of simultaneously allowed connections. Default is 25. |
| Advanced | | | |
| Options | | | |
| Automatic Policies | Checkbox | Enabled/Disabled | A toggle for whether the firewall should automatically generate the required policies for the email proxy to function. Default is selected. |
| Log | Checkbox | Enabled/Disabled | A toggle for enabling or disabling logging for the Mail Proxy. |
| Report | Checkbox | Enabled/Disabled | A toggle for enabling or disabling saving of Mail Proxy data for reports. |

2.10.3.2 Policies

The Policies sub-section allows for the configuration of Mail Proxy policies.

Table 2.10.3.2: Configure > Threat Management > Mail Proxy > Policies

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Disable | Checkbox | Enabled/Disabled | A toggle for whether or not the Mail Proxy policy should be used. Default is unselected. |
| Description | Text | Up to 79 characters | A brief description of the policy's function. |
| Email Server | Pulldown | <???>, all configured address objects of type Mail Proxy, * EDIT * | A selection for the email server to apply to the Mail Proxy policy. Select <* EDIT *> to define a new address object. |
| Type | Pulldown | <Accept>, <Deny> | A selection for the nature of the policy. |
| Source | | | |
| Address | Pulldown | ???, <USER DEFINED>, ANY_IP, all configured address objects of type Mail Proxy, * EDIT * | A selection for the source (sender) of the email. Select <* EDIT *> to define a new address object. |
| Destination | | | |
| Address | Pulldown | ???, <USER DEFINED>, ANY_IP, all configured address objects of type Mail Proxy, * EDIT * | A selection for the destination (recipient) of the email. Select <* EDIT *> to define a new address object. |
| Match Against MX | Checkbox | Enabled/Disabled | A toggle for whether a DNS Mail Exchanger record query should be checked against the domain in the To: field, causing the email to be rejected if there is no match. Default is unselected. |
| Match All Addresses | Checkbox | Enabled/Disabled | A toggle for whether the policy should be matched only if all email recipients contain the destination address. Default is unselected. |
| Options | | | |
| DNS White List | Checkbox, Pulldown | Enabled/Disabled, All defined DNS White Lists | Select the Checkbox to enable the DNS whitelist and then select an address object. |
| Mail Abuse Prevention System | Checkbox, Pulldown | Enabled/Disabled, All defined address objects of type Mail Proxy, * EDIT * | MAPS; a special DNS server that contains only reverse DNS entries of known spam servers. Default or custom MAPS objects may be specified. Select <* EDIT *> to define a new address object. |
| Maximum Size | Text | Up to 8 characters | Maximum size in kilobytes (KB) of email message to accept. The default, 0, allows any email message size. |
| Reject if RDNS Fails | Checkbox | Enabled/Disabled | A toggle for whether a Reverse DNS lookup on the remote host should be performed or not. If enabled, the connection will be refused if the lookup fails to match the host's offered identity. |
| Anti-Spam* | | | |
| Greylisting | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether greylisting settings should be applied to the Mail Proxy policy or not. Default is unselected. |
| Default | Radio Button | Enabled/Disabled | A selection for using default greylisting settings. Default is selected. |
| USER DEFINED | Radio Button | Enabled/Disabled | A selection for using customized greylisting settings. Default is unselected. |
| Deny | Text | Up to 5 characters | If USER DEFINED is selected, enter the amount of time, in seconds, before Mail Proxy will accept a repeat connection from the originating mail server. Default is 20. |
| Expires | Text | Up to 5 characters | If USER DEFINED is selected, enter the amount of time, in hours, until Mail Proxy stops waiting for a repeat connection from the originating mail server. Default is 4. |
| Time to Live | Text | Up to 5 characters | If USER DEFINED is selected, enter the amount of time, in hours, that Mail Proxy will keep a record of the connection. Default is 36. |
| Categorization | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether Mail Proxy Anti-Spam's categorization features should be enabled or not. Default is unselected. |
| Confirmed | | | |
| Reject | Checkbox | Enabled/Disabled | A toggle for whether email evaluated as confirmed spam should be rejected or not. Disabled by default. |
| Advanced | | | |
| Threshold | Text | Up to 3 characters | The score email must receive before being categorized as confirmed spam. Higher scores are more tolerant of spam-like qualities. |
| Tag | Checkbox, Text | Enabled/Disabled, Up to 39 characters | A toggle for whether confirmed spam should be tagged with the configured text string. |
| Quarantine | Checkbox, Pulldown | Enabled/Disabled, All address objects of type Mail Proxy | A selection for an email address object that should receive quarantined (redirected) confirmed spam. |
| Suspect | | | |
| Reject | Checkbox | Enabled/Disabled | A toggle for whether email evaluated as suspected spam should be rejected or not. Disabled by default. |
| Advanced | | | |
| Threshold | Text | Up to 3 characters | The score email must receive before being categorized as suspected spam. Higher scores are more tolerant of spam-like qualities. |
| Tag | Checkbox, Text | Enabled/Disabled, Up to 39 characters | A toggle for whether suspected spam should be tagged with the configured text string. |
| Quarantine | Checkbox, Pulldown | Enabled/Disabled, All address objects of type Mail Proxy | A selection for an email address object that should receive quarantined (redirected) suspect spam. |
| Anti-Virus** | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether Mail Proxy Anti-Virus should be enabled or not. Disabled by default. |
| Reject | Checkbox | Enabled/Disabled | A toggle for whether email with known viruses should be rejected or not. Disabled by default. |
| Advanced | | | |
| Tag | Checkbox, Text | Enabled/Disabled, Up to 39 characters | A toggle for whether email with known viruses should be tagged with the configured text string. |
| Quarantine | Pulldown | Enabled/Disabled, All defined address objects of type Mail Proxy | A selection for an email address object that should receive quarantined (redirected) email with known viruses. |
| Maximum Size | Text | Up to 8 characters | Maximum size in kilobytes (KB) of email message to scan for viruses. If this value is lower than the Mail Proxy policy's Maximum Size, email may not be fully scanned for viruses. A value of 0 will scan any size email. |

*Optional feature requires purchase separately. Requires activation code.

**Optional feature requires support contract or annual maintenance contract.
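The greylisting timers in the table above (Deny, Expires, Time to Live) decide whether a retried delivery is accepted. The following Python is an added example, not GB-OS code, that applies the three default values to a constructed sequence of delivery attempts so the effect of each timer can be seen; keying records on the client IP, envelope sender and envelope recipient triplet, and counting Time to Live from the last accepted delivery, are assumptions of the example rather than documented GB-OS behaviour.

```python
"""Greylisting decisions with the GB-OS Mail Proxy default timers.

Added example, not GB-OS code: it models the Deny (20 s), Expires (4 h)
and Time to Live (36 h) settings for a sender triplet of client IP,
envelope sender and envelope recipient. Keying on that triplet and
counting Time to Live from the last accepted delivery are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, str]  # (client IP, MAIL FROM, RCPT TO)


@dataclass
class Entry:
    first_seen: float                    # time of the first attempt, seconds
    accepted_at: Optional[float] = None  # set once a retry has been accepted


class Greylist:
    """Temporarily reject unknown senders until they retry like a real MTA."""

    def __init__(self, deny_s: int = 20, expires_h: int = 4, ttl_h: int = 36):
        self.deny = deny_s                # Deny: no accept before this many seconds
        self.expires = expires_h * 3600   # Expires: stop waiting for the retry
        self.ttl = ttl_h * 3600           # Time to Live: keep the record this long
        self.entries: Dict[Triplet, Entry] = {}

    def check(self, triplet: Triplet, now: float) -> Tuple[str, str]:
        """Decide one delivery attempt: ('accept' | 'tempfail', reason)."""
        e = self.entries.get(triplet)
        if e is None:
            self.entries[triplet] = Entry(first_seen=now)
            return "tempfail", "unknown triplet, retry after %d s" % self.deny
        if e.accepted_at is not None:
            if now - e.accepted_at > self.ttl:
                # Record aged out: the sender must pass greylisting again.
                self.entries[triplet] = Entry(first_seen=now)
                return "tempfail", "record past Time to Live, starting over"
            e.accepted_at = now           # assumption: TTL runs from last accept
            return "accept", "known triplet"
        age = now - e.first_seen
        if age < self.deny:
            return "tempfail", "retry inside Deny window"
        if age > self.expires:
            # No retry arrived in time; treat this as a brand new first attempt.
            self.entries[triplet] = Entry(first_seen=now)
            return "tempfail", "retry after Expires, starting over"
        e.accepted_at = now
        return "accept", "retry between Deny and Expires"

    def purge(self, now: float) -> int:
        """Drop records nobody can use any more; returns how many were removed."""
        dead = [
            k for k, e in self.entries.items()
            if (e.accepted_at is None and now - e.first_seen > self.expires)
            or (e.accepted_at is not None and now - e.accepted_at > self.ttl)
        ]
        for k in dead:
            del self.entries[k]
        return len(dead)


# Constructed delivery attempts: (seconds since start, client IP, sender, recipient).
ATTEMPTS = [
    (0,      "203.0.113.10", "alice@example.net", "bob@example.org"),  # real MTA
    (0,      "198.51.100.7", "promo@example.com", "bob@example.org"),  # never retries
    (0,      "192.0.2.44",   "carol@example.net", "bob@example.org"),  # slow MTA
    (5,      "203.0.113.10", "alice@example.net", "bob@example.org"),  # retries too early
    (300,    "203.0.113.10", "alice@example.net", "bob@example.org"),  # proper retry
    (900,    "203.0.113.10", "alice@example.net", "bob@example.org"),  # second message
    (18000,  "192.0.2.44",   "carol@example.net", "bob@example.org"),  # 5 h later: too late
    (18060,  "192.0.2.44",   "carol@example.net", "bob@example.org"),  # 60 s after restart
    (134100, "203.0.113.10", "alice@example.net", "bob@example.org"),  # 37 h after last accept
]


def simulate(attempts=ATTEMPTS) -> List[Tuple[float, str, str]]:
    """Run the attempts in time order; returns (time, client IP, decision)."""
    gl = Greylist()
    out = []
    for t, ip, sender, rcpt in sorted(attempts, key=lambda a: a[0]):
        decision, _reason = gl.check((ip, sender, rcpt), t)
        out.append((t, ip, decision))
    return out


if __name__ == "__main__":
    for t, ip, decision in simulate():
        print(f"t={t:>7.0f}s {ip:<14} {decision}")
```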


2.10.4 Content Filtering

The Content Filtering sub-section allows the administrator to enable and configure Content Filtering. Some of these services are optional on select GTA firewalls.

2.10.4.1 Proxy

The Proxy sub-section allows for the configuration of the Content Filtering proxy.

Table 2.10.4.1: Configure > Threat Management > Content Filtering > Proxy

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Traditional Proxy | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether or not the Content Filtering proxy should be enabled. Default is unselected. |
| Port | Text | Up to 5 characters | The port through which the proxy will run. Default is 2784. |
| Advanced | | | |
| Automatic Policies | Checkbox | Enabled/Disabled | A toggle for whether the firewall should automatically generate the required policies for the Content Filtering proxy to function. Default is selected. |
| Log | Checkbox | Enabled/Disabled | A toggle for enabling or disabling logging for Content Filtering. |
| Report | Checkbox | Enabled/Disabled | A toggle for enabling or disabling saving of Content Filtering data for reports. |
| Transparent Proxy | | | |
| Enable | Checkbox | Enabled/Disabled | A toggle for whether the transparent proxy should be enabled or not. Default is unselected. |
| Block Action | | | |
| Action | Pulldown | <Use Message>, <Redirect to URL> | A selection for the action to be performed should a user's request be blocked. |
| Message | Text | Up to 159 characters | If <Use Message> is selected for the ACTION, the entered message will be displayed. Default is "Local policy denies access to Web page." |
| URL | Text | Up to 127 characters | If <Redirect to URL> is selected for the ACTION, the user will be directed to the entered URL. |

2.10.4.2 Policies

The Policies sub-section allows for the configuration of Content Filtering policies.

Table 2.10.4.2: Configure > Threat Management > Content Filtering > Policies

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Disable | Checkbox | Enabled/Disabled | A toggle for whether or not the Content Filtering policy should be used. Default is unselected. |
| Description | Text | Up to 79 characters | A brief description of the Content Filtering policy. |
| Source Address | Pulldown | ???, <USER DEFINED>, ANY_IP, all defined address objects of type All or Content Filtering, * EDIT * | If a request matches an element of the specified address object, the packet will be compared to the policy. Select <* EDIT *> to define a new address object. |
| Time Group | Pulldown | ???, Always, all defined time group objects, * EDIT * | A selection to apply a time group object to the Content Filtering Policy. |
| Advanced | | | |
| Authentication Required | Checkbox | Enabled/Disabled | A toggle for whether the user should require authentication or not. Default is unselected. |
| Destination Address | Pulldown | ???, <USER DEFINED>, ANY_IP, all defined address objects of type All or Content Filtering, * EDIT * | A selection for the destination address. If <USER DEFINED> is selected, enter the address manually. This field is useful if the administrator wishes to restrict access based on the destination. Select <* EDIT *> to define a new address object. |
| HTTPS Filtering | Checkbox | Enabled/Disabled | A toggle for enabling or disabling filtering of the HTTPS protocol. Default is enabled. |
| Content Filtering Facilities | | | |
| Local Allow List | Pulldown | All defined address objects of type All or Content Filtering | Use the firewall's Allow list. |
| Local Deny List | Pulldown | All defined address objects of type All or Content Filtering | Use the firewall's Deny list. |
| Web Filtering* | Checkbox | Enabled/Disabled | Use the Web Filtering categories list. Requires an optional Web Filtering subscription, purchased separately. |
| Content Blocking | | | |
| ActiveX Objects | Checkbox | Enabled/Disabled | A toggle for whether ActiveX objects should be blocked or not. Default is unselected. |
| Java | Checkbox | Enabled/Disabled | A toggle for whether Java applets should be blocked or not. Default is unselected. |
| Javascript | Checkbox | Enabled/Disabled | A toggle for whether Javascript should be blocked or not. Default is unselected. |
| Unknown HTTP Commands | Checkbox | Enabled/Disabled | A toggle for whether unknown HTTP commands should be blocked or not. Default is unselected. |
| Web Filtering Categories* | | | |
| Accept | Selection | Web Filtering Categories | Specify allowed Web Filtering categories. Switch a category from one list to the other by selecting the item and clicking the left or right arrow button. Web Filtering subscription must be enabled. |
| Deny | Selection | Web Filtering Categories | Specify blocked Web Filtering categories. Switch a category from one list to the other by selecting the item and clicking the left or right arrow button. Web Filtering subscription must be enabled. |

*Optional feature requires purchase separately. Requires activation code.


2.11 VPN

The VPN section allows the administrator to enable and configure VPN IPSec Tunnels and remote access options - the Mobile IPSec Client and SSL Browser and Client. Some of these services are optional on select GTA firewalls.

2.11.1 Summary

The Summary sub-section provides an overview of the firewall's configuration settings found in the VPN section. Links to containers pertaining to specific sections of the firewall's configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.

2.11.2 Certificates

The Certificates section allows for the creation and configuration of certificates.

Table 2.11.2: Configure > VPN > Certificates

| Field Name | Field Type | Value Range | Description |
|---|---|---|---|
| Disable | Checkbox | Enable/Disable | A selection to disable the certificate. Default is unselected. |
| Name | Text | Up to 19 characters | A unique identifier for the certificate. |
| Description | Text | Up to 19 characters | A brief description of the certificate. |
| Certificate | Radio Button | <Import>, <Generate> | Selection to either import a certificate or generate a new certificate. Import will allow a certificate to be uploaded. |
| Generate | | | |
| Type | Pulldown | <Certificate>, <CA>, <CSR> | A selection for the certificate's type. <Certificate> generates a self-signed certificate. <CA> creates a certificate authority. <CSR> creates a certificate signing request for submission to a certificate authority. |
| Common Name | Text | Up to 127 characters | The certificate's common name. |
| Subject Alt Name | Text | Up to 127 characters | The certificate's resolvable DNS name. |
| Email Address | Text | Up to 127 characters | This field is pre-populated with the administrator's email address. |
| Country | Pulldown | Countries | The certificate's country. |
| State/Region | Text | Up to 127 characters | The certificate's state or region. |
| City/Locality | Text | Up to 127 characters | The certificate's city or locality. |
| Organization | Text | Up to 127 characters | The certificate's organization. |
| Organizational Unit | Text | Up to 127 characters | The certificate's organizational unit. |
| Duration | Text | Up to 3 characters | The valid duration of the certificate, in years. |
| Key Size | Pulldown | 512, 1024, 1536, 2048 | The certificate's key size, in bits. Larger key sizes are more CPU intensive. |
| Import | | | |
| Certificate | | | |
| File | Pulldown | <DER>, <PEM>, <PKCS #12>, <PKCS #7> | A selection for the certificate file's format. |
| Browse | Button | n/a | Select the button to browse to the certificate file's location. |
| Password | Text | Up to 127 characters | If the certificate's file format is PKCS #12 or PKCS #7, enter the file's associated password, if any. |
| Private Key | | | |
| File | Pulldown | <DER>, <PEM> | A selection for the private key file's format. |
| Browse | Button | n/a | Select the button to browse to the certificate's private key's location. |

2.11.3 Preferences

The Preferences section is used to configure IPSec options for the IPSec Client and Firewall.

Table 2.11.3.1: Configure > VPN > Preferences

| Field | Field Type | Value Range | Description |
|---|---|---|---|
| IPSec | | | |
| Advanced | | | |
| Automatic Policies | Checkbox | Enabled/Disabled | A selection for enabling automatic policies for IPSec. |
| FIPS Mode | Checkbox | Enabled/Disabled | Enables FIPS mode for IPSec VPNs. If FIPS mode is enabled, the firewall only supports 3DES and AES encryption and SHA hash algorithms. Default is disabled. |

2.11.4 Remote Access

The Remote Access section allows for the configuration of the IPSec Client and SSL service.

2.11.4.1 IPSec

The IPSec sub-section allows for the configuration of the Mobile IPSec Client.

Table 2.11.4.1: Configure > VPN > Remote Access > IPSec

| Field | Field Type | Value Range | Description |
|---|---|---|---|
| Client | | | |
| Enable | Checkbox | Enabled/Disabled | Enable or disable the IPSec Client. |
| IPSec Object | Pulldown | ???, *EDIT*, all configured IPSec Objects | A selection for the IPSec Object to be used by the IPSec Client. Selecting <* EDIT *> allows for the configuration of a new IPSec Object. |
| Local Network | Pulldown | ???, <USER DEFINED>, All configured networks, * EDIT * | Select the host/subnetwork that should be accessible from the VPN. Select <* EDIT *> to define a new address object. |
| Pool Network | Pulldown | ???, <USER DEFINED>, All configured pool networks, * EDIT * | Select the DHCP pool that will be assigned to connecting clients. Select <* EDIT *> to define a new address object. |
| Domain Name | Text | Up to 127 characters | Domain assigned to the Mobile IPSec Client. |
| Name Server IP Address | Text | IP Address | DNS server(s) pushed to the IPSec Client. |
| WINS Server IP Address | Text | IP Address | WINS server(s) pushed to the IPSec Client. |
| Advanced | | | |
| Override Host Name | Text | Up to 127 characters | Allows an administrator to override the default firewall host name, which is configured in Network Settings. Entry can be an IP address or a fully qualified host name. |
| Authentication | | | |
| Local Identity | Pulldown | IP Address, Domain, Email Address, Certificate | Firewall's identity used for mobile IPSec client connections. |
| Method | | | |
| Hybrid + XAUTH | Checkbox | Enabled/Disabled | Enable or disable Hybrid + XAUTH authentication. |
| EAP-MSCHAP(IKE) | Checkbox | Enabled/Disabled | Enable or disable EAP-MSCHAP(IKE) authentication. |
| Pre-shared Secret | Checkbox | Enabled/Disabled | Enable or disable pre-shared secret authentication. |
| RSA | Checkbox | Enabled/Disabled | Enable or disable RSA authentication. |
| RSA + XAUTH | Checkbox | Enabled/Disabled | Enable or disable RSA + XAUTH authentication. |
| Hybrid + XAUTH | | | |
| LDAPv3 | Checkbox | Enabled/Disabled | Enables LDAP users. |
| RADIUS | Checkbox | Enabled/Disabled | Enables RADIUS users. |
| Login Banner | | | |
| Enable | Checkbox | Enabled/Disabled | Enable or disable the login banner message. |
| Message | Text | Up to 4095 characters | Enter a message to be displayed upon logging into the IPSec Client. |

2.11.4.2 L2TP

The L2TP sub-section allows for the configuration of L2TP remote access.

Table 2.11.4.2: Configure > VPN > Remote Access > L2TP

| Field | Field Type | Value Range | Description |
|---|---|---|---|
| Enable | Checkbox | Enabled/Disabled | Enable or disable L2TP. |
| Interface | Pulldown | ???, ANY, External, Protected | The interface on which connections are accepted. |
| Local Network | Pulldown | ???, <USER DEFINED>, All configured networks, * EDIT * | Select the host/subnetwork that should be accessible from the VPN. Select <* EDIT *> to define a new address object. |
| Pool Network | Pulldown | ???, <USER DEFINED>, All configured pool networks, * EDIT * | Select the IP address range assigned to hosts connecting to the L2TP server. The pool must be in a logically different network from any network assigned to the firewall. Select <* EDIT *> to define a new address object. |
| Name Server IP Address | Text | IP Address | DNS server(s) pushed to L2TP clients. |
| WINS Server IP Address | Text | IP Address | WINS server(s) pushed to L2TP clients. |
| Authentication | | | |
| Preshared Secret | Checkbox | Enabled/Disabled | Enable or disable pre-shared secret authentication. |
| Radius | Checkbox | Enabled/Disabled | Enable or disable RADIUS authentication. Requires a RADIUS server and RADIUS authentication configured on the firewall at Configure > Accounts > Authentication. |
| Advanced | | | |
| Automatic Policies | Checkbox | Enabled/Disabled | Enable to create an automatic policy for TCP port 1723 and GRE connections to establish the L2TP session with the client. |
| MTU | Text | Up to 5 characters | Define the Maximum Transmission Unit (MTU) assigned to the client. Default value is 1460. |
| Time Out | Text | Up to 5 characters | Define the number of seconds a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. |
| Debug | | | |
| Chat | Checkbox | Enabled/Disabled | Select Chat to record dialing and login chat script conversations. |
| LCP | Checkbox | Enabled/Disabled | Select LCP to record LCP conversations. |
| Phase | Checkbox | Enabled/Disabled | Select Phase to record network phase conversations. |

2.11.4.3 PPTP

The PPTP sub-section allows for the configuration of PPTP remote access.

Table 2.11.4.3: Configure > VPN > Remote Access > PPTP

| Field | Field Type | Value Range | Description |
|---|---|---|---|
| Enable | Checkbox | Enabled/Disabled | Enable or disable PPTP. |
| Local Network | Pulldown | ???, <USER DEFINED>, All configured networks, * EDIT * | Select the host/subnetwork that should be accessible from the VPN. Select <* EDIT *> to define a new address object. |
| Pool Network | Pulldown | ???, <USER DEFINED>, All configured pool networks, * EDIT * | Select the IP address range assigned to hosts connecting to the PPTP server. The pool must be in a logically different network from any network assigned to the firewall. Default network is 192.168.75.0/24. Select <* EDIT *> to define a new address object. |
| Name Server IP Address | Text | IP Address | DNS server(s) pushed to PPTP clients. |
| WINS Server IP Address | Text | IP Address | WINS server(s) pushed to PPTP clients. |
| Authentication | | | |
| Radius | Checkbox | Enabled/Disabled | Enable or disable RADIUS authentication. Requires a RADIUS server and RADIUS authentication configured on the firewall at Configure > Accounts > Authentication. |
| Advanced | | | |
| Automatic Policies | Checkbox | Enabled/Disabled | Enable to create an automatic policy for TCP port 1723 and GRE connections to establish the PPTP session with the client. |
| Encryption | Pulldown | None, 40 Bits, 56 Bits, 128 Bits, All | Select the level of encryption to be used for the connection. |
| MTU | Text | Up to 5 characters | Define the Maximum Transmission Unit (MTU) assigned to the client. Default value is 1460. |
| Time Out | Text | Up to 5 characters | Define the number of seconds a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. |
| Debug | | | |
| Chat | Checkbox | Enabled/Disabled | Select Chat to record dialing and login chat script conversations. |
| LCP | Checkbox | Enabled/Disabled | Select LCP to record LCP conversations. |
| Phase | Checkbox | Enabled/Disabled | Select Phase to record network phase conversations. |

2.11.4.4 Preferences

The Preferences sub-section allows for the confi guration Remote Access Preferences including alternative port options and SSL Browser customization.

Table 2.11.4.4 Confi gure > VPN > Remote Access > Preferences

Field Field Type Value Range Description

Alternative Port

Enable Checkbox Enabled/Disabled Starts the SSL Browser service.

Port Text Up to 5 characters Port through which browser access will be allowed. Default is TCP port 443.

Authentication

LDAP Checkbox Enabled/Disabled Enables LDAP users.

RADIUS Checkbox Enabled/Disabled Enables RADIUS users.

Advanced

Encryption Pulldown <None>, <SSL> Level of encryption to be used.

FIPS Mode Checkbox Enabled/Disable Enables FIPS mode. Default is disabled

Timeout Sessions Text 5 - 1440 minutes Defi ne the timeout range. Default is 10 minutes.

Virtual Keyboard Pulldown <Disable>, <Enable>, <Force Use>

Force Use: requires users to use the virtual keyboard for logins to the browser interface; Enable: allows users to use or not use the virtual keyboard; Disable: turn off the virtual keyboard

Automatic Policies

Enable Checkbox Enabled/Disabled Allows the firewall to automatically create policies for SSL.

Zone Pulldown <ANY>, <External>, <Protected>, <PSN> Specifies the Zone which will be allowed to connect. Options are External, Protected, and PSN.

Source Address Pulldown ???, <USER DEFINED>, All configured networks, * EDIT * Specifies the source address allowed to connect.

Customization


Login

Title Text Up to 127 characters Enter a customized title for the SSL Browser.

Logo Upload Field JPG, GIF, PNG; 100KB max; 32 x 32 pixels Upload a logo to be displayed on the SSL login. Images must be 100 KB or less, in JPEG, PNG, or GIF format.

Disclaimer

Enable Checkbox Enabled/Disabled Enables the disclaimer message to appear upon login.

Message Text Up to 4095 characters Enter a disclaimer, note or welcome to appear when users login to the SSL Browser.

Characters Remaining Field Uneditable Character count field detailing the number of characters remaining for the disclaimer message. Maximum characters is 4095.

2.11.4.5 SSL Client

The SSL Client sub-section allows for the configuration of the SSL Client.

Table 2.11.4.5 Configure > VPN > Remote Access > SSL Client

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled Starts the SSL Client Service.

Port Text Up to 5 characters Port for SSL Client access.

Local Network Pulldown ???, <USER DEFINED>, All configured networks, * EDIT * Default Local Protected Networks.

Client DHCP Network Pulldown ???, <USER DEFINED>, All configured networks, * EDIT * Default DHCP range of 192.168.72.0/24.

Domain Text Up to 127 characters Domain assigned to SSL Client.

Name Server IP Address Text IP address DNS server(s) pushed to SSL Client.

WINS Server IP Address Text IP address WINS server pushed to SSL Client.

Advanced

Automatic Policies Checkbox Enabled/Disabled Creates an auto policy based on SSL port.

Encryption Objects Pulldown All encryption objects Encryption used for SSL.

FIPS Mode Checkbox Enabled/Disabled Enables FIPS mode for SSL Clients. If FIPS mode is enabled, the firewall only supports 3DES and AES Encryption, and SHA Hash Algorithms. Default is disabled.

Lifetime Text Up to 5 characters Re-key time.

Allow Duplicate CN Checkbox Enabled/Disabled Allows duplicate certificates.


Override Host Name Text Up to 127 characters Allows an administrator to override the default firewall host name, which is configured in Network Settings. Entry can be an IP address or a fully qualified host name.

Redirect Client Gateway Checkbox Enabled/Disabled Force all client connections via VPN.

UDP Checkbox Enabled/Disabled Use UDP instead of TCP for the SSL connection.

Use Compression Checkbox Enabled/Disabled Uncheck to disable compression.

Verbose Logging Checkbox Enabled/Disabled Increase SSL logging for debug purposes.

2.11.5 Site-to-Site

The Site-to-Site sub-section allows for the configuration of a VPN connection when used in conjunction with VPN and encryption objects.

Table 2.11.5a: Configure > VPN > Site-to-Site

Field Name Field Type Value Range Description

Enable Checkbox Enabled/Disabled Enable or disable the Site-to-Site VPN.

Clicking the NEW icon or editing an existing Site-to-Site VPN will display the Edit Site-to-Site screen.

Table 2.11.5b: Configure > VPN > Site-to-Site - IKE IPSec Key Mode

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether or not the IPSec tunnel should be disabled. Default is unselected.

Description Text Up to 79 characters A brief description of the IPSec tunnel.

IPSec Object Pulldown ???, all defined IPSec Objects, * EDIT * A selection for the IPSec Object to be used by the IP Tunnel. Selecting <* EDIT *> allows for the configuration of a new VPN object.

Advanced

IPSec Key Mode Radio Buttons IKE, Manual A selection for the IPSec Tunnel’s key mode. For an IKE IPSEC KEY MODE VPN connection, select <IKE>.

Notifications

Email Checkbox Enabled/Disabled A toggle for whether email notifications will be sent.

SMS Checkbox Enabled/Disabled A toggle for whether SMS notifications will be sent.

SNMP Trap Checkbox Enabled/Disabled A toggle for whether SNMP Trap notifications will be sent.

Authentication

Method Radio Buttons RSA / Pre-shared Secrets A selection for the method of authentication. Default is RSA.

Pre-shared Secret Pulldown/Text <ASCII>, <HEX>/Up to 59 characters If Pre-shared Secret is selected, enter the pre-shared secret in ASCII or HEX format as defined in the VPN. This same key needs to be entered in the GTA Mobile VPN Client when configuring the security policy.

Options

Failover Checkbox Enabled/Disabled A toggle to enable failover.

Send Keep Alives Checkbox Enabled/Disabled A toggle for whether keep alives should be sent to keep the connection alive or not. If enabled, GB-OS will send a keep alive packet every 20 seconds to maintain the connection. Default is unselected.


Advanced

Gateway (A Primary field will always be available. A Secondary field will be available if Failover is enabled above.)

Local Pulldown ???, <External>, <Protected> The type of interface for the local firewall that will serve as the VPN gateway.

Remote Text IP Address The IP address of the remote gateway.

Identity Pulldown/Text IP Address, Domain Name, Email Address/Up to 127 characters A selection for the identity of the tunnel. If <Domain Name> or <Email Address> are selected, enter the appropriate value in the corresponding text field. Available if authentication method is set to Pre-shared Secret.

Local

NAT Checkbox Enabled/Disabled A toggle for whether NAT should be applied to local VPN traffic or not. Default is unselected.

Network Pulldown ???, <USER DEFINED>, all configured IP address objects of type All or VPN, * EDIT * Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Select <* EDIT *> to define a new address object.

Identity Pulldown/Text IP Address, Domain Name, Email Address/Up to 127 characters A selection for the local identity of the tunnel. If <Domain Name> or <Email Address> are selected, enter the appropriate value in the corresponding text field.

Remote

NAT Checkbox Enabled/Disabled A toggle for whether NAT should be applied to remote VPN traffic or not. Default is unselected.

Network Pulldown/Text ???, <USER DEFINED>, all configured IP address objects of type All or VPN, * EDIT */Up to 31 characters Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. If <USER DEFINED> has been selected, enter the remote network’s IP address manually. Select <* EDIT *> to define a new address object. Not available if NAT is enabled.

Table 2.11.5c: Configure > VPN > Site-to-Site - Manual IPSec Key Mode

Field Name Field Type Value Range Description

Disable Checkbox Enabled/Disabled A toggle for whether or not the IPSec tunnel should be disabled. Default is unselected.

Description Text Up to 79 characters A brief description of the IPSec tunnel.

IPSec Object Pulldown ???, all defined IPSec Objects, * EDIT * A selection for the IPSec Object to be used by the IP Tunnel. Selecting <* EDIT *> allows for the configuration of a new IPSec Object.

Advanced

IPSec Key Mode Radio Buttons IKE, Manual A selection for the IPSec Tunnel’s key mode. For a Manual IPSEC KEY MODE VPN connection, select <Manual>.

Gateway

Local Pulldown ???, <External>, <Protected> The type of interface for the local firewall that will serve as the VPN gateway.

Remote Text IP Address The IP address of the remote gateway.


Identity Pulldown/Text IP Address, Domain Name, Email Address/Up to 127 characters A selection for the identity of the tunnel. If <Domain Name> or <Email Address> are selected, enter the appropriate value in the corresponding text field. Available if authentication method is set to Pre-shared Secret.

Local

Network Pulldown ???, <USER DEFINED>, All configured IP address objects of type All or VPN, * EDIT * Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. If <USER DEFINED> has been selected, enter the local network’s IP address manually.

Remote

Network Pulldown/Text <USER DEFINED>, all configured IP address objects of type All or VPN/Up to 31 characters Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be only the part of the network to which access is desired. If <USER DEFINED> has been selected, enter the remote network’s IP address manually.

Manual

Encryption Key Pulldown/Text <ASCII>, <HEX>/Up to 59 characters Encryption key, in ASCII or hexadecimal format, as defined in the VPN.

Hash Key Pulldown/Text <ASCII>, <HEX>/Up to 59 characters Key, in ASCII or hexadecimal format, for the hash algorithm used by the authentication transformation.

Security Parameter Index (SPI)

Inbound SPI Text Up to 9 characters Default is 256.

Outbound SPI Text Up to 9 characters Default is 256.


Reference C: Utilities

This chapter describes the utility software used in conjunction with your GTA Firewall UTM Appliance.

GBAuth

If authentication is required by a policy or tunnel, a user accessing the GTA Firewall UTM Appliance may use the GBAuth utility to authenticate themselves. This is done by entering the GTA Authentication, LDAP or RADIUS name and password into GBAuth before initiating a connection. To use authentication, both the desired authentication method and a user authentication remote access policy must be enabled and configured on the GTA firewall.

GBAuth is a platform-independent, Java application. Install the software on the computer from which authentication will be used.

As long as data is being exchanged, GBAuth automatically re-authenticates. To manually close GBAuth, either right-click on the system tray icon and select Close or click the DISCONNECT button.

Note

All data is sent from GBAuth to the firewall via SSL.

GBAuth Download via Firewall Interface

GBAuth is available for download via the firewall remote access portal for all users which have the IPSec Remote Access Client or SSL Remote Access Client enabled.

Figure C.1: Downloading GBAuth

Using GBAuth for GTA Authentication

To use GTA Authentication:

• The authentication feature must be enabled on the GTA firewall.
• A user authentication remote access policy must be configured and enabled on the GTA firewall.
• Users must be created on the GTA firewall.
• Users must have the GBAuth client installed on their computer.

To authenticate with the firewall using GBAuth, users enter values from Configure>Accounts>Users:

1. Enter the name or IP address of the firewall in the FIREWALL field, or if previously entered, select it from the pulldown menu.

2. Enter the user’s identity in email format in the IDENTITY field, or if previously entered, select it from the pulldown menu.

3. Click the CONNECT button.

4. If you are authenticating for the first time, or if the SSL certificate was recently changed, a security alert may appear. If you know the certificate is correct, click YES.

5. The cursor will move to the RESPONSE field. Enter the password from Configuration>Accounts>Users, and click Connect. Should the identity or password not be recognized, an Authentication Failed notice will appear. If the information is correct, the unlocked padlock icon will be replaced by a locked padlock icon, indicating that other actions can now be performed, e.g., initiating a VPN connection through the firewall.


Figure C.2: GBAuth

Table C.1: GBAuth for GTA Authentication

Field Name Description

Firewall Name or IP address of the GTA firewall.

Identity Login data provided to the user: the value from the User’s IDENTITY field. The field allows up to 127 characters and is case sensitive.

Challenge N/A

Response Alphanumeric password from the User’s PASSWORD field under Authentication.

Using GBAuth for LDAP Authentication

To use LDAPv3 Authentication:

• The Authentication and LDAPv3 features must both be enabled on the GTA firewall.
• A user authentication remote access policy must be configured on the GTA firewall.
• The LDAP server must be configured with users, domains and passwords.
• Users must have the GBAuth client installed on their computer.

To authenticate with the firewall using LDAP:

1. Enter the name or IP address of the firewall in the FIREWALL field, or if previously entered, select it from the pulldown menu.

2. Enter the cn and ou identifier plus the value in the user’s IDENTITY field, using the format User Name.

3. Click the CONNECT button.

4. The cursor will move to the RESPONSE field. Enter the user’s password from the LDAP server.

Should the identity or password not be recognized, an Authentication Failed notice will appear. If the information is correct, the unlocked padlock icon will be replaced by a locked padlock icon, indicating that other actions can now be performed, e.g., initiating a VPN connection through the firewall.

Table C.2: GBAuth for LDAP Authentication

Field Name Description

Firewall Name or IP Address of the GTA firewall.

Identity Login data provided to the user: cn (common name) and ou (organizational unit) combined. Do not enter the “cn=” identifier; this will be prepended when the data is sent to the LDAP server. The field allows up to 127 characters and is case sensitive.

Challenge N/A

Response Alphanumeric password specified for the user on the LDAP server.


Using GBAuth for RADIUS Authentication

To use RADIUS Authentication:

• The Authentication and RADIUS features must both be enabled on the GTA firewall.
• A user authentication remote access policy must be configured on the GTA firewall.
• The RADIUS server must be configured.
• Users must have the GBAuth client installed on their computer.

To authenticate with the firewall using RADIUS:

1. Enter the name or IP address of the firewall in the FIREWALL field, or if previously entered, select it from the pulldown menu.

2. Enter the RADIUS identity.

3. Click the CONNECT button.

4. The cursor will move to the RESPONSE field. Enter the user’s password from the RADIUS server.

Should the identity or password not be recognized, an Authentication Failed notice will appear. If the information is correct, the unlocked padlock icon will be replaced by a locked padlock icon, indicating that other actions can now be performed, e.g., initiating a VPN connection through the firewall.

Table C.3: GBAuth for RADIUS Authentication

Field Name Description

Firewall Name or IP Address of the GTA firewall.

Identity Login data provided to the user, specified on the RADIUS server. The field allows up to 127 characters and is case sensitive.

Challenge N/A

Response Alphanumeric pre-shared secret (password) specified for the user in the RADIUS section of Authentication. This field is case sensitive.


GTA SSOAuth

If authentication is required by a policy or tunnel, a user may authenticate through use of the GTA SSOAuth service.

To utilize the GTA SSOAuth service, install the service and configuration utility on all Active Directory servers (up to three) in the domain on which the service will be utilized. In order to make a secure connection between the firewall and the GTA SSOAuth service, all Active Directory servers must have a valid SSL certificate. It is required that each server’s SSL certificate be imported into the GTA Firewall UTM Appliance. Repeat this process for configuring each additional GTA SSOAuth service, as necessary, on up to three Active Directory servers.

When a user attempts to login using an enabled authentication policy, the firewall will contact each configured GTA SSOAuth service until a matching IP address is found for the client machine. If the IP address is associated with a valid domain user, the user’s group and user name are provided to the firewall. The firewall then checks the group’s configured security policies to determine whether or not the user is allowed access to the client machine.

Note

All data sent between the GTA SSOAuth service and the firewall is encrypted via SSL.

The GTA SSOAuth configuration utility has the ability to easily start/stop the GTA SSOAuth service and to apply configuration changes.

CAUTION

Applying configuration changes will stop and restart the GTA SSOAuth service, which will purge the database of authenticated domain users. The database will repopulate automatically as domain users authenticate.

Note

For GTA SSOAuth requirements and installation, refer to the GTA SSOAuth Guide.

Using Active Directory Single Sign-On

To use Active Directory Single Sign-On:

• Authentication and the Active Directory Single Sign-On features must both be enabled on the GTA firewall.
• A user authentication remote access policy must be configured on the GTA firewall.
• A Single Sign-On server must be configured.

To authenticate with the firewall using Active Directory Single Sign-On:

1. A user authenticates by logging onto the Windows Active Directory domain using a client machine.

2. Any access through the firewall (using a policy that requires authentication) is then verified by the GTA SSOAuth service to validate the domain user’s access.

Figure C.3: GTA SSOAuth


Table C.4: Active Directory Single Sign-On Authentication

Field Name Description

Mode GTA SSOAuth service operates in two modes, either Server or Client. Client mode can only be utilized if more than one Active Directory server is running GTA SSOAuth. Server mode allows firewalls to connect directly to the Active Directory server to query its database of authenticated domain users. When a direct connection between the Active Directory server and the firewall is not available, client mode is utilized. Client mode will connect to a GTA SSOAuth service running in server mode to propagate domain authentication information.

Valid Duration The amount of time an authenticated domain user remains in the GTA SSOAuth database before requiring the user to reauthenticate with the domain.

Port The SSL port the GTA SSOAuth service uses for firewall and GTA SSOAuth client connections.

Server (Client mode only) The address of a GTA SSOAuth service running in server mode.

Service Starts or stops the GTA SSOAuth Service.

Certificate Exports the Active Directory server certificate. If not highlighted, this indicates the Active Directory server certificate may not be valid.

Database Show Contents in the Event Log: Exports current database to the Windows Event log. Clear: Clears the entire authenticated user database. Clearing the database may force users to re-login to their systems.

Reference D: Upgrading

Upgrading to GB-OS 6.2

In order to determine what upgrade path is required for upgrading to GB-OS 6.2, you must first establish the version from which you will be upgrading. To do so, login to your GTA firewall using the Web interface. Upon logging in, navigate to Configure>Configuration>Runtime>Update. Located at the top of this page is the current GB-OS version.

Figure D.1: Locating the GB-OS Version Number in Web User Interface

Based on the version of GB-OS your GTA firewall is currently running:

• If the version number is 6.1.x, follow the instructions in Upgrading from GB-OS 6.1.x.
• If the version number is 6.0.x or below, follow the instructions in one of the previous upgrade guides found in the document section of GTA’s website.

You must be on GB-OS 6.1.x in order to upgrade to GB-OS 6.2. If your system is not on GB-OS 6.1.x then you will need to upgrade it to version 6.1.x before you will be able to upgrade to GB-OS 6.2.

Note

GTA recommends reading and reviewing the Upgrade Notes section of this reference before upgrading a GTA Firewall UTM Appliance, to avoid complications during the upgrade process.

Note

Test mode configuration data is reset to default when upgrading runtimes.

Upgrading from GB-OS 6.1.x

GTA routinely publishes updates to GB-OS. These updates provide new features and enhanced security options. When GTA publishes an update to GB-OS, availability will be announced at Configure>Configuration>Runtime>Update in the AVAILABLE UPDATE(S) section.

In order to check for available updates, GB-OS requires that the firewall is registered in the GTA Online Support Center, that the firewall has access to the Internet and that SSL connections are allowed. Version updates may be available only to firewalls covered by a valid support contract.

Note

Updating the GB-OS runtime always takes place as a Live Mode change.

To check for and install updates to GB-OS:

• Navigate to Configure>Configuration>Runtime>Update.
• In the AVAILABLE UPDATE(S) section, click the CHECK NOW button.
• If an update is available, installation notes and an INSTALL button will appear for the update.


Figure D.2: Updating GB-OS

Updating Runtimes

GB-250, GB-300, GB-820, GB-850, GB-2100 and GB-2500 firewall appliance families running GB-OS 6.1.x have a two-step process for updating runtimes.

1. Download the available runtime by clicking DOWNLOAD. The runtime will be stored on the firewall until installed. Rebooting the firewall or selecting CHECK NOW will remove the stored runtime.

2. Install the runtime by clicking INSTALL.

Figure D.3: Download Runtime

Figure D.4: Install Runtime

Scheduling Checks for Automatic Updates

GB-OS can automatically check for eligible software updates. By enabling automatic update checks, administrators can rest assured knowing their GTA Firewall UTM Appliance is operating the most current available version of GB-OS.

To schedule automatic update checks, navigate to Configure>Configuration>Runtime>Update.

Figure D.5: Scheduling Automatic Update Checks

Table D.1: Scheduling Automatic Updates

Field Description

Schedule Update Check

Enable Select the ENABLE checkbox to schedule automatic update checks.


Frequency Select the frequency that GB-OS will check for updates. Options are Daily and Weekly.

Day Select the day that GB-OS will check for updates.

Time Select the time that GB-OS will check for updates.

Performing a Manual Software Update

If a new version of GB-OS has been indicated at Configure>Configuration>Runtime>Update, administrators can log into the GTA Support Center (https://www.gta.com/support/center/) to download the runtime. If available updates cannot be applied to the firewall, contact the GTA Sales staff ([email protected]) or your local GTA Channel Partner for information on support contracts.

Step 1: Generate GB-OS 6.2 Feature Activation Codes

In order to upgrade your version of GB-OS to version 6.2, first you must generate GB-OS 6.2 feature activation codes from the GTA Online Support Center (https://www.gta.com/support/center/).

Login to the GTA Online Support Center and navigate to the View Products page. The View Products page displays all products registered with GTA. If your firewall is eligible for the upgrade, an UPGRADE TO 6.2.0 link will be available in the ACTION row. Click the link to generate the GB-OS 6.2 feature activation code(s).

Now that the GB-OS 6.2 feature activation codes have been generated, they must be loaded into the firewall’s configuration.

Step 2: Load GB-OS 6.2 Feature Activation Codes Into the Configuration

Log in to your firewall using an administrative account and navigate to Configure>System>Activation Codes. Clicking the New button will allow you to paste your activation code into this section. After clicking the OK button, save this section to keep your new code(s).

If entered correctly, the row’s description should display GB-XX 6.2 - Registered, where XX is your GTA firewall’s model number.

Now that the GB-OS 6.2 feature activation codes have been loaded into the firewall’s configuration, the GB-OS 6.2 runtime file must be uploaded.

Step 3: Upgrade to GB-OS 6.2

After the GB-OS 6.2 feature activation codes have been successfully inserted into the firewall’s configuration, you may upgrade the firewall to GB-OS 6.2.

To obtain the GB-OS 6.2 runtime, login to the GTA Online Support Center (https://www.gta.com/support/center/) and navigate to Downloads>System Software. Select the appropriate GB-OS 6.2 runtime for your firewall (e.g., if you are upgrading a GB-2100, select the GB-2100 FIREWALL runtime file saved for your operating system under the 6.2 section). Download and extract the runtime file to an easy to remember location on your workstation, such as the desktop (if you are running Microsoft Windows, the runtime will extract to C:\Program Files\GTA\GB-X-6.2\GB-X-62.rtm, where X is the GTA firewall’s model number).

Next, login to your GTA firewall using an administrative account and navigate to Configure>Configuration>Runtime>Update and click the ADVANCED tab. In the RUNTIME section, click the BROWSE button and select the runtime. The file will have an extension of .rtm. Select UPLOAD to upload the runtime file. GB-OS will then validate the file. If it is valid, the system will install it.


Figure D.6: Manually Updating Your Firewall’s Software

Upgrade Notes

The following are noted issues that may occur when upgrading to GB-OS 6.2.

GB-250 Rev A No Longer Supported

GB-250 Rev A firewalls are no longer supported in GB-OS 6.2.0. To determine if your GB-250 firewall is Rev A or Rev B: GB-250 Rev A firewalls do not have USB ports, while GB-250 Rev B firewalls do have USB ports. GB-250 Rev B serial numbers are 65002101 and above, and 65902101 and above.

IPS Activation Codes

Starting with GB-OS 6.2.0, separate IPS activation codes are no longer required.

GB-Ware Compact Flash Adapter Boards & ATA/IDE Cable Compatibility

WARNING

Before checking your hardware for compatibility, turn off the power to your firewall and disconnect all power cables.

Adapter Boards

GB-Ware running GB-OS 6.2.0 and above will no longer support the CFDISK.1B or CFDISK.1C IDE/Compact Flash Adapter from PC Engines. Any GB-Ware firewall using the CFDISK.1B or CFDISK.1C IDE/Compact Flash Adapter boards should have the adapter board replaced prior to upgrading to GB-OS 6.2.0 and above.

To determine which adapter board is installed in your GB-Ware firewall, physically examine the board. Model Number CFDISK.1E must appear on the board in order for it to be supported for GB-OS 6.2.0 and above.

Figure D.10: Supported CFDISK.1E Adapter Board


Figure D.11: Unsupported CFDISK.1C Adapter Board

Conductor ATA Cables

GB-Ware running GB-OS 6.2.0 and above will no longer support 40-conductor ATA cables. GB-Ware running GB-OS 6.2.0 or above should use an 80-conductor cable, which supports Ultra DMA IDE/ATA.

To determine which conductor cable is used, physically examine the cable by counting the number of lines present on the cable itself.

Figure D.12: Supported 80-Conductor Ultra ATA/IDE Cable

Figure D.13: Unsupported 40-Conductor ATA/IDE Cable

Re-sizing Slices and Runtime Upgrades


In order to support the new features in GB-OS 6.2, some firewalls may require partition re-sizing during the upgrade process. Upon re-sizing, both runtime slices will have GB-OS 6.1, and firewall administrators WILL NOT be able to revert to previous runtimes via the Console or Web interface.

CAUTION

GTA strongly recommends backing up current firewall configurations PRIOR to upgrading.

Firewalls requiring re-sized partitions will take approximately 5-8 minutes to reboot and fully update once the runtime has been applied. DO NOT switch off or reboot the firewall during this process.

Error Messages Upon Initial Reboot

Upon rebooting after successful installation, the GTA Firewall UTM Appliance may display errors when accessed using the Web interface. This is expected: these errors are generated because the browser’s cache is trying to access files and locations that no longer apply. Click OK to any displayed errors and refresh the browser window to access GB-OS 6.2.

If the error messages persist, clear your browser’s cache.

GB-250 Upgrade Notice

GB-250 Firewall UTM Appliances may reboot multiple times, and may install GB-OS 6.2 on both memory slices during the upgrade process. It is important that administrators do not shut down their firewall when upgrading to GB-OS 6.2. If GB-OS 6.2 is installed on both memory slices, it will not be possible to revert back to the previously installed version of GB-OS.

Corrupt Object Names and Descriptions

GB-OS 6.2 uses the UTF-8 character set, whereas previous versions of GB-OS allowed administrators to select the character set according to their locale.

When upgrading to GB-OS 6.2, it is necessary to match your Web browser’s character set with the character set used by GB-OS.


Reference E: Log Messages

By default, firewall log messages are kept locally on the firewall. If you have enabled remote logging, log messages may also be sent to an external log. External logging can provide extra reporting on firewall activity and attack analysis.

GB-OS firewall log messages follow WELF logging standards.

To view firewall logs kept locally on the firewall, navigate to Monitor>Log Messages.

System Notices

Hardware Errors

Hardware messages include physical connectivity or memory errors. They are always logged.

Failed Network Connectivity

Hardware errors most commonly indicate that the network interface (Ethernet port) is not operational, possibly due to a disconnected or failed network cable. The key identifier for failure of a network port is the word “interface” in the “msg” attribute.

Mar 4 21:06:44 pri=4 msg="alarm: Interface EXTERNAL (rl1) down" type=mgmt

PPP, PPPoE and PPTP interface errors all log as failed PPP interfaces.

Mar 4 21:06:44 pri=6 msg="PPP1: [PPP1] can't connect bypass,link0 and [b]:,session-PPP1: File exists" type=mgmt

If another host is using the firewall’s broadcast IP address and attempts to modify the firewall’s IP address, the MAC address of the host will be logged. Check IP addresses and netmasks assigned to hosts on the local network. The key identifier for this type of message is “attempts to modify permanent entry”.

Mar 4 21:06:44 pri=3 msg="kernel: arp: 00:d0:68:04:98:b5 attempts to modify permanent entry for 192.168.71.255 on en1" type=mgmt

Implicit Policies

Some firewall policies are implemented automatically based upon services running on the firewall.

By default, automatic policy activations (immutable firewall behaviors) are logged. The key identifier for automatic policies is “POLICY: ATP”.

Automatic policies are logically necessary for expected firewall operation. Automatic Accept All policies are merely a shorthand way of specifying remote access, outbound, or other policy application for a whole set of IP addresses or ports, rather than entering each one.

Mar 4 21:06:44 firewall.example.com POLICY: ATP (5) accept - notice ICMP [192.168.1.12:3]->[192.168.1.78:3] External l=32 f=0x3.

Other Firewall Behaviors

Some firewall behaviors, such as dropping invalid or fragmented TCP packets, are not an explicit connection refusal or acceptance, but nonetheless part of loggable firewall behavior.

Mar 4 21:06:44 firewall.example.com POLICY: Rejecting invalid packet: warning TCP [10.10.1.98:0]->[10.10.1.78:0] Protected l=20 f=0x0

Additionally, some remote access or other types of policies have special rules called Automatic Accept All policies; these policies cause the remote access or other policy rule to be applied to all IP addresses or ports, rather than just those manually specified.


Ping Flood/DoS Attack (ICMP Limiting)

ICMP Limiting is logged by default.

When excessive pings are executed against the firewall or its networks, such as during a denial of service (DoS) or distributed denial of service (DDoS) attack, the firewall limits the number of ICMP/ping packets it will process per second to maintain normal traffic throughput.

The key identifier for this event’s message is “Limiting ICMP ping responses”.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="POLICY: Limiting ICMP ping responses from 149 to 100 packets per second." type=mgmt

TCP SYN Flood

Excessive TCP SYN signals, indicative of a SYN flood attack, may be blocked and logged according to preferences. The key identifiers for this kind of message include “Blocking TCP SYN flood attack”.

Jan 1 00:02:04 pri=4 msg="kernel: Blocking TCP SYN flood attack (4416)" type=mgmt

Spoof Attempt

IP address spoof attempts are logged by default.

In this example, a packet is arriving on PROTECTED eth0 (protected network interface) destined for the external network. The protected network consists of only 192.168.181.0/24, but the sender IP address is not part of that logical network (192.168.191.1). Therefore, the packet is considered a spoof, since it should be arriving on the EXTERNAL interface (eth1). The key identifier for this type of message is “Possible spoof” in the “msg” attribute.

Jan 12 09:03:19 pri=4 pol_action=block count=1 msg="Possible spoof, return interface doesn't match arrival interface" proto=icmp src=192.168.191.1 srcport=8 dst=192.168.181.254 dstport=8 interface="PROTECTED" returnInterface="EXTERNAL" attribute=alarm

Stealth Mode Blocked Message

Logged when Stealth Mode is enabled with logging; configured at Configure>Security Policies>Preferences.

Jan 6 12:59:46 pri=4 pol_action=block count=2 msg="Stealth mode" duration=4.571011 proto=icmpV4 country=US src=199.120.225.20 srcport=0 dst=199.120.225.20 dstport=0 interface="EXTERNAL-eth4"

Door Knob Twist (Attempted Connect to Closed Port)

Door knob twists are logged by default.

When a packet arrives for a closed port, attempting to open a connection for attack purposes, the firewall blocks the attempt by default. The key identifier for this type of message is “Connect to closed port” in the “msg” attribute.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=3 pol_type=default msg="Connect to closed port" proto=23/TCP src=199.120.220.100 srcport=1036 dst=199.120.225.80 dstport=23 interface=External flags=0x2

FTP Bounce

For this attack type, the FTP session is immediately dropped and all successive connections are denied as unexpected. The key identifiers for this kind of message include “FTP: illegal access attempt” and an access attempt from an IP address that differs from the original source of the FTP connection.

Mar 4 21:06:44 pri=4 msg="FTP: illegal access attempt (192.168.1.1) inbound, pass through" proto=21/tcp src=192.168.1.2 srcport=32876 dst=192.168.2.5 dstport=21 rule=1

Mar 4 21:06:45 pri=4 pol_action=block count=1 msg="Packet unexpected" proto=21/tcp src=192.168.1.2 srcport=32876 dst=192.168.2.5 dstport=21 interface=sis1 flags=0x18
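When these messages are forwarded to an external log host, the usual first step is to split the WELF key=value pairs and then match the key identifiers listed above against the “msg” attribute. The following Python is an added example, not code from this guide or from GB-OS. It assumes lines arrive in the format shown (with or without the hostname prefix and the id=/time=/fw= fields), uses constructed sample lines modelled on the ones above, and decodes ICMP type and code the way the later section “ICMP Types and Codes” describes (srcport carries the type, flags the code). The label names and the subset of the ICMP tables embedded in it are this example’s own choices.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample lines (not taken from a live firewall) modelled on the
# message formats shown in this reference: bare and hostname-prefixed
# variants, and quoted values that contain spaces.
SAMPLE_LOG = """\
Mar 4 21:06:44 pri=4 msg="alarm: Interface EXTERNAL (rl1) down" type=mgmt
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="POLICY: Limiting ICMP ping responses from 149 to 100 packets per second." type=mgmt
Jan 1 00:02:04 pri=4 msg="kernel: Blocking TCP SYN flood attack (4416)" type=mgmt
Jan 12 09:03:19 pri=4 pol_action=block count=1 msg="Possible spoof, return interface doesn't match arrival interface" proto=icmp src=192.168.191.1 srcport=8 dst=192.168.181.254 dstport=8 interface="PROTECTED" returnInterface="EXTERNAL" attribute=alarm
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=3 pol_type=default msg="Connect to closed port" proto=23/TCP src=199.120.220.100 srcport=1036 dst=199.120.225.80 dstport=23 interface=External flags=0x2
Oct 16 14:33:56 pri=4 pol_type=IBP pol_action=block count=3 msg="Block IBP" duration=1.406000 rule=7 proto=31645/udp src=10.10.1.9 srcport=53 dst=10.10.1.96 dstport="31645 (1), 28546 (1), 32181 (1)" interface="10 NET" attribute="alarm,report"
Aug 1 11:47:46 pri=4 pol_action=block count=1 msg="Packet invalid" rule=1 proto=icmpV4 src=192.168.51.1 srcport=3 dst=10.10.1.76 dstport=3 interface="PROTECTED-192" flags=0x7
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_welf(line: str) -> Dict[str, str]:
    """Split one line into {'timestamp', optional 'host', key: value, ...}.
    Quoted values keep embedded spaces (interface="10 NET"); the quotes
    themselves are stripped."""
    m = TS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec: Dict[str, str] = {"timestamp": m.group(1)}
    rest = m.group(2)
    first = rest.split(None, 1)[0] if rest else ""
    if first and "=" not in first:  # bare hostname before the first key=value pair
        rec["host"] = first
        rest = rest[len(first):].lstrip()
    for key, value in KV_RE.findall(rest):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


# Key identifiers named in this reference, matched case-insensitively against
# the msg attribute. Order matters: "interface" (failed network port) is broad
# and also appears in the spoof message, so it is tested last.
KEY_IDENTIFIERS = [
    ("spoof_attempt", "Possible spoof"),
    ("syn_flood", "Blocking TCP SYN flood attack"),
    ("icmp_limiting", "Limiting ICMP ping responses"),
    ("door_knob_twist", "Connect to closed port"),
    ("ftp_bounce", "FTP: illegal access attempt"),
    ("arp_conflict", "attempts to modify permanent entry"),
    ("bridging_loop", "Bridging loop"),
    ("bridged_protocol", "Bridged protocol"),
    ("stealth_mode", "Stealth mode"),
    ("interface_failure", "interface"),
]


def classify(rec: Dict[str, str]) -> str:
    """Label a parsed record by the first key identifier found in msg;
    otherwise distinguish plain policy blocks from everything else."""
    msg = rec.get("msg", "").lower()
    for label, needle in KEY_IDENTIFIERS:
        if needle.lower() in msg:
            return label
    return "policy_block" if rec.get("pol_action") == "block" else "other"


# Subset of the ICMPv4 type and code tables given later in this reference.
ICMPV4_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
                8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem"}
ICMPV4_CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 7: "Destination Host Unknown",
        13: "Communication Administratively Prohibited"},
    11: {0: "Time to Live exceeded in Transit",
         1: "Fragment Reassembly Time Exceeded"},
}


def decode_icmp(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """For ICMP records, srcport/dstport carry the ICMP type and flags the
    ICMP code (see 'ICMP Types and Codes'); map both to their names."""
    if not rec.get("proto", "").lower().startswith("icmp"):
        return None
    itype = int(rec.get("srcport", "0"))
    code = int(rec.get("flags", "0x0"), 16)
    return {"type": itype, "type_name": ICMPV4_TYPES.get(itype, "Unknown"),
            "code": code,
            "code_name": ICMPV4_CODES.get(itype, {}).get(code, "Unknown")}


def summarize(log_text: str) -> Dict[str, Counter]:
    """Count events per label and per source address."""
    per_label: Dict[str, Counter] = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_welf(line)
            per_label.setdefault(classify(rec), Counter())[rec.get("src", "-")] += 1
    return per_label


if __name__ == "__main__":
    for label, sources in summarize(SAMPLE_LOG).items():
        print(f"{label:18s} {dict(sources)}")
    for line in SAMPLE_LOG.splitlines():
        info = decode_icmp(parse_welf(line))
        if info:
            print(line[:40], "->", info)
```

Run as a script it prints one line per label with the sources seen, then the decoded type and code of each ICMP record. Matching identifiers as substrings in a fixed order is deliberate: the spoof message above also contains the word “interface”, so a naive single-keyword match would misfile it as a failed network port.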


User Licenses

By default, exceeding the count of licensed users on the firewall or a firewall option is logged. The method of counting user licenses may vary by feature; generally, however, unique host IP addresses or email addresses are counted as one user for a particular service.

Maximum Firewall Users Exceeded

Mar 4 21:06:44 pri=3 msg="NAT: Max of 25 simultaneous hosts reached (192.168.71.50 denied)." type=mgmt

Maximum Web Filtering Users Exceeded

Mar 4 21:06:44 pri=4 msg="proxyWWW: Surf Sentinel host licenses reached (25), 192.168.71.92 denied." type=mgmt

Configuration Changes by User

Changes made to the firewall’s configuration are logged with the administrator account used. The key identifier for this kind of message is the user= tag.

Mar 8 19:56:30 pri=5 msg="WWWadmin: Add address object 'Protected Networks'." type=mgmt user="fwadmin" src=10.10.1.2 srcport=52334 dst=10.10.1.84 dstport=443

Automatic Backup

USB drive not connected or identified.

Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to backup configuration to USB device" type=mgmt

Aug 24 10:08:25 pri=3 msg="XMLverify: Unable to mount USB device" type=mgmt

USB device is full.

Aug 24 15:54:19 pri=3 msg="WWWadmin: Unable to copy configuration backup to USB device. No space left on device" type=mgmt user="fwadmin" src=10.10.1.163 srcport=60695 dst=10.10.1.80 dstport=443 duration=86

Cannot back up: USB is a read-only drive.

Aug 29 12:51:05 pri=4 msg="WWWadmin: Mounted MSDOS filesystem as readonly" type=mgmt user="fwadmin" src=10.10.1.163 srcport=51064 dst=10.10.1.80 dstport=443 duration=43

Configured password is not correct. If the configured password for the configuration file and the automatic backup section do not match, or if the cloud service password is incorrect, error messages will be logged.

Aug 15 09:37:52 pri=3 msg="WWWadmin: Unable to delete file 'GB-Ware_v620_gb-ware_Live_2014-08-15_092922_EDT.7z' from cloud" type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197

Aug 15 09:37:52 pri=4 msg="WWWadmin: Unable to open old configuration. No error: 0" type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197

Aug 15 09:37:52 pri=3 msg="WWWadmin: Unable to uncompress input file; No such file or directory" type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197

Aug 15 09:37:52 pri=4 msg="WWWadmin: Program '7za' exited with code 2." type=mgmt user="fwadmin" src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197


Permission/Policy Notices

Allowed Connections

To allow a connection to the firewall, two components are required: permission and routing rules. Permission for the connection can be granted by either an outbound policy or a remote access policy. Routing for permitted connections can be created via NAT or passthrough.

By default, if a packet matches an acceptance policy/rule – regardless of destination (inbound, outbound or directly to the firewall) – it will be logged.

The message includes the policy type (designated as “OBP”, “RAP”, “NAT”, “PASS”, or “SSL”), the policy number, the word “accept”, log priority level, protocol, source IP, source port, destination IP, destination port, network interface, packet length and TCP flags if appropriate.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 pol_type=OBP pol_action=pass msg="Accept OBP (2)" rule=2 proto=500/UDP src=192.168.71.12 srcport=500 dst=199.120.225.8 dstport=500 interface=sis0

Inbound Security Policy

Inbound security policies create permission for inbound connections. The key identifier for inbound connection messages is “incoming” in the “msg” attribute.

When an authorized inbound connection is made via an inbound security policy (for permission) and a passthrough or NAT tunnel (for routing), three possible log messages can be generated. By default, one is created only when the session is closed. To generate a log message when an inbound session is started, enable the TUNNEL OPENS field in Preferences under Security Policies.

The log messages for a permitted inbound connection are almost identical in both the open and close messages, except that the close message contains connection information such as duration, packets sent/received and bytes transmitted. The IP address/port pairs in the log message detail the route of the packet.

Note

There is no explicit tag in the log message indicating that the packet was permitted, since the log message indicates this implicitly by logging the opened connection.

Open

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Open incoming NAT tunnel" proto=80/tcp src=199.120.225.3 srcport=4175 nat=199.120.225.78 natport=80 dst=192.168.71.98 dstport=80

Close

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Allow incoming NAT tunnel" proto=80/tcp src=199.120.225.3 srcport=4175 nat=199.120.225.78 natport=80 dst=192.168.71.98 dstport=80 duration=22 sent=144 rcvd=120


FTP Port Updating

FTP connections may require some additional negotiation for the opening connection. During this exchange, the port may be updated (but this will only be logged if you have also elected to log opening connections).

The initial opening port is logged as port 0 until the actual connection port is determined, and an updated port is logged. This occurs for both tunneled (NAT) and passthrough connections.

The key indicator of a port update is “Update” in the “msg” attribute.

Mar 4 21:14:43 pri=5 msg="Open inbound, NAT" proto=54834/tcp src=192.168.81.233 srcport=0 nat=192.168.71.117 natport=54834 dst=192.168.51.137 dstport=54834 rule=1

Mar 4 21:14:43 pri=5 msg="Update inbound, NAT" proto=54834/tcp src=192.168.81.233 srcport=2053 nat=192.168.71.117 natport=54834 dst=192.168.51.137 dstport=54834 rule=1

Mar 4 21:06:44 pri=5 msg="Open outbound, pass through" proto=1988/tcp src=192.168.51.137 srcport=0 dst=192.168.71.233 dstport=1988 rule=1

Mar 4 21:06:44 pri=5 msg="Update outbound, pass through" proto=1988/tcp src=192.168.51.137 srcport=20 dst=192.168.71.233 dstport=1988 rule=1

Outbound

Outbound policies create permission for NATed connections. The key identifier for outbound connection messages is “outbound” in the “msg” attribute.

When an authorized outbound connection is made, two possible log messages can be generated. By default, one is created only when the session is closed. To generate a log message when an outbound session is created, enable the TUNNEL CLOSES field in Preferences under Security Policies (enabled by default).

The log messages for a permitted outbound request are almost identical for the open and close messages, except that the close message contains connection information such as duration, packets sent/received, and bytes transmitted. An outbound request can be identified by the direction the arrows are pointing in the Active Connections list: left for inbound and right for outbound. The IP address/port pairs in the log message detail the route of the packet. The packet below shows an outbound request from the protected network to a web server on the Internet.

Note

There is no explicit tag in the log message indicating that the packet was permitted, since the log message indicates this implicitly by logging the opened connection.

Open

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Open outbound NAT" proto=80/tcp src=192.168.71.12 srcport=1683 nat=207.69.99.201 natport=1683 dst=160.239.1.10 dstport=80 rule=2

Close

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Allow outgoing NAT" cat_action=pass dstname=www.soliton.co.jp proto=80/tcp src=192.168.71.12 srcport=1684 nat=207.69.99.201 natport=1684 dst=160.239.1.10 dstport=80 rule=2 op=GET arg=/img/privacy_txt.gif duration=50 sent=777 rcvd=9657.


Successful Administrative Access Attempts

When a successful access attempt is made from the web interface, a log entry is created for the first access. Since HTTP is stateless and continuous connections are not maintained, each subsequent access from the same authenticated host is not logged (as if it is automatically authenticated). Once an hour, however, a successful access entry is added to the log if the same HTTP session is still in existence.

A successful log message for a web interface administrative access includes the tag “WWWadmin,” a message indicating remote administration access, and the IP address of the client’s computer.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="WWWadmin: Remote administration access." type=mgmt src=192.168.71.12 srcport=1107 dst=10.10.1.78 dstport=443

When a successful access attempt is made from console, a log message is generated. The message includes the tag “cci” (console command interface) and a message indicating a successful administrative access.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="cci: Successful administration login." type=mgmt

Denied Connections

By default, if a packet is denied access either explicitly by a policy or implicitly by the default rule (deny all unless explicitly allowed) it will be logged.

The log message includes the policy type (OBP: outbound, IBP: inbound, NAT: NAT or PASS: pass through), the policy number, the word “block”, log priority level, protocol, source IP, source port, destination IP, destination port, the word “alarm” if an alarm was generated due to policy settings, network interface, packet length and TCP flags if appropriate.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 pol_type=RAP pol_action=block msg="Block RAP (20)" rule=20 proto=23/TCP src=199.120.225.4 srcport=1601 dst=207.69.99.201 dstport=23 interface=PPP0 attribute="alarm" flags=0x2

Inbound

Oct 16 14:33:56 pri=4 pol_type=IBP pol_action=block count=3 msg="Block IBP" duration=1.406000 rule=7 proto=31645/udp src=10.10.1.9 srcport=53 dst=10.10.1.96 dstport="31645 (1), 28546 (1), 32181 (1)" interface="10 NET" attribute="alarm,report"

Outbound

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 pol_type=OBP pol_action=block msg="Block OBP" proto=80/TCP src=10.254.254.80 srcport=1755 dst=199.120.225.3 dstport=80 interface=Protected flags=0x2

Block By Country

Jan 5 13:16:58 pri=4 pol_type=CBP pol_action=block count=1 msg="Block CBP" proto=23563/tcp country=CN src=27.24.40.217 srcport=80 dst=68.62.240.13 dstport=23563 interface="EXTERNAL" flags=0x14

CBP = Country IP


Unsuccessful Administrative Access Attempts

When an unsuccessful access attempt is made from the web interface, a log message is generated. The message includes the tag “WWWadmin” and a message indicating a failed remote administrative access attempt along with the IP address of the client’s host system.

The first message indicates a failed login without coalescing enabled, while the second message indicates a failed login with coalescing enabled. “Login failure” represents a bad user ID/password combination and “Remote” indicates the access attempt was via IP.

Jan 6 14:14:27 pri=4 msg="WWWadmin: Remote login failure" type=mgmt user="foobar" src=10.10.1.223 srcport=2230 dst=10.10.1.79 dstport=443 count=1

Jan 6 14:15:46 pri=4 msg="WWWadmin: Remote login failures" type=mgmt user="foo" src=10.10.1.223 srcport=2231 dst=10.10.1.79 dstport=443 duration=43 count=2

When an unsuccessful access attempt is made from the console, a log message is generated. “Console” indicates the access attempt was via console.

Jan 6 14:18:12 pri=4 msg="WWWadmin: Console login failure" type=mgmt user="foobar" dst=10.10.1.79 dstport=443 duration=58 count=1
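The coalesced form matters when these messages feed an alerting rule: a message with count=2 stands for two failures, so counting lines instead of summing count= under-reports a brute-force attempt. The following Python is an added example, not code from this guide or from GB-OS. Its sample lines are constructed in the formats shown above; the threshold of three failures per source and the attribution of console and cci failures (which carry no src) to a pseudo-source named “console” are this example’s own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in the formats shown above: a single failure
# (count=1), coalesced messages covering several failures (count=N with a
# duration), a console failure, a cci failure and a success for contrast.
SAMPLE_LOG = """\
Jan 6 14:14:27 pri=4 msg="WWWadmin: Remote login failure" type=mgmt user="foobar" src=10.10.1.223 srcport=2230 dst=10.10.1.79 dstport=443 count=1
Jan 6 14:15:46 pri=4 msg="WWWadmin: Remote login failures" type=mgmt user="foo" src=10.10.1.223 srcport=2231 dst=10.10.1.79 dstport=443 duration=43 count=2
Jan 6 14:16:02 pri=4 msg="WWWadmin: Remote login failures" type=mgmt user="fwadmin" src=10.10.1.223 srcport=2240 dst=10.10.1.79 dstport=443 duration=20 count=3
Jan 6 14:18:12 pri=4 msg="WWWadmin: Console login failure" type=mgmt user="foobar" dst=10.10.1.79 dstport=443 duration=58 count=1
Jan 6 14:20:00 pri=5 msg="WWWadmin: Remote administration access." type=mgmt src=10.10.1.12 srcport=1107 dst=10.10.1.79 dstport=443
Jan 6 14:21:30 pri=4 msg="cci: Password verification failure." type=mgmt
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# msg substrings that mark a failed administrative login in this reference
FAILURE_MARKERS = ("login failure", "password verification failure")


def fields(line: str) -> Dict[str, str]:
    """key=value pairs of one line, with quotes stripped from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def failed_logins(log_text: str) -> Dict[Tuple[str, str], int]:
    """Total failed administrative logins per (source, user).
    A coalesced message carries count=N and contributes N failures, not 1.
    Console and cci failures carry no src and are attributed to 'console'."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        f = fields(line)
        msg = f.get("msg", "").lower()
        if not any(marker in msg for marker in FAILURE_MARKERS):
            continue
        key = (f.get("src", "console"), f.get("user", "-"))
        totals[key] += int(f.get("count", "1"))
    return dict(totals)


def sources_over_threshold(log_text: str, threshold: int = 3) -> List[Tuple[str, int]]:
    """Sources whose failures across all user names reach the threshold,
    which catches both single-account brute force and password spraying."""
    per_src: Dict[str, int] = defaultdict(int)
    for (src, _user), n in failed_logins(log_text).items():
        per_src[src] += n
    return sorted((s, n) for s, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    for (src, user), n in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{src:14s} {user:10s} {n}")
    print("over threshold:", sources_over_threshold(SAMPLE_LOG))
```

Aggregating per source across user names rather than per (source, user) pair is what makes a spray of one password against several accounts visible; the per-pair totals are still returned so the two cases can be told apart when the alert is investigated.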

Web Interface Compromise Attempt

Remote management using a web browser normally uses SSL; attempts to access the administrative interface without SSL may therefore represent a compromise attempt.

(Although the web interface can be configured to operate without SSL encryption, this can compromise your security, and is not recommended.)

The “WWWadmin” tag indicates that the message is associated with web interface remote administration access. The first example indicates that a remote host (192.168.71.12) connected to the firewall on the web interface port (by default 443 for SSL or 80 for non-SSL). The next message indicates that the connection was rejected as a key could not be negotiated. This could indicate that SSL was not running, or that an attempt to compromise the firewall was made via the web interface.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="WWWadmin: Remote administration access." type=mgmt src=10.254.254.205 srcport=1028 dst=10.254.254.1 dstport=443

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="WWWadmin: Unable to establish SSL session" type=mgmt src=10.254.254.205 srcport=1028 dst=10.254.254.1 dstport=443 duration=2

When an unsuccessful access attempt is made from the console, a log message is generated. The message includes the tag “cci” and a message indicating a failed access attempt.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="cci: Password verification failure." type=mgmt

Routing Notices

Permitted connections require a valid route to reach their destinations. Routing may be achieved with either a NAT tunnel, to hide internal IP addresses from untrusted networks, or with a pass through policy to make internal IP addresses apparent to untrusted networks.

If selected, any arriving packets matching a protocol on any of the firewall’s network interfaces can be logged.

The log message includes the protocol, source IP, source port, destination IP, destination port, network card (NIC), packet length and TCP flags if appropriate.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=6 pol_type=RAP pol_action=pass msg="Received (4)" rule=4 proto=443/TCP src=192.168.71.12 srcport=1599 dst=192.168.71.254 dstport=443 interface=sis0 flags=0x11

Inbound or outbound connections are evaluated for permission before routes are constructed. This means that logs for remote access or outbound policy (which affect permission) appear before their corresponding NAT or pass through policy (which affect routing) message.


ICMP Types and Codes

ICMP log messages have sections indicating the ICMP type and the ICMP code. In the log message below, srcport & dstport indicate the ICMP Type while the flags indicate the ICMP Code.

Aug 1 11:47:46 pri=4 pol_action=block count=1 msg="Packet invalid" rule=1 proto=icmpV4 src=192.168.51.1 srcport=3 dst=10.10.1.76 dstport=3 interface="PROTECTED-192" flags=0x7

Full details on ICMP parameters can be found here: http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml

IPv6 parameters are also available here: http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xml

ICMP Types

Log messages can be identified by their type as follows:

ICMPv4 Log Message - Type

Type      Name
0         Echo Reply
1         Unassigned
2         Unassigned
3         Destination Unreachable
4         Source Quench
5         Redirect
6         Alternate Host Address
7         Unassigned
8         Echo
9         Router Advertisement
10        Router Solicitation
11        Time Exceeded
12        Parameter Problem
13        Timestamp
14        Timestamp Reply
15        Information Request
16        Information Reply
17        Address Mask Request
18        Address Mask Reply
19        Reserved
20-29     Reserved
30        Traceroute
31        Datagram Conversion Error
32        Mobile Host Redirect
33        IPv6 Where-Are-You
34        IPv6 I-Am-Here
35        Mobile Registration Request
36        Mobile Registration Reply
37        Domain Name Request
38        Domain Name Reply
39        SKIP
40        Photuris
41        ICMP messages utilized by experimental mobility protocols
42-255    Reserved

ICMPv6 Log Message - Type

Type      Name
0         Source Route
1         Nimrod
2         Type 2 Routing Header
3-252     Unassigned
253       RFC3692-style Experiment 1
254       RFC3692-style Experiment 2
255       Reserved

ICMP Codes

Many of the ICMP types have codes, listed below:

ICMPv4 Type 3 - Destination Unreachable

Code      Description
0         Net Unreachable
1         Host Unreachable
2         Protocol Unreachable
3         Port Unreachable
4         Fragmentation Needed and Don’t Fragment was Set
5         Source Route Failed
6         Destination Network Unknown
7         Destination Host Unknown
8         Source Host Isolated
9         Communication with Destination Network is Administratively Prohibited
10        Communication with Destination Host is Administratively Prohibited
11        Destination Network Unreachable for Type of Service
12        Destination Host Unreachable for Type of Service
13        Communication Administratively Prohibited
14        Host Precedence Violation
15        Precedence cutoff in effect


ICMPv4 Type 5 - Redirect

Code      Description
0         Redirect Datagram for the Network (or subnet)
1         Redirect Datagram for the Host
2         Redirect Datagram for the Type of Service and Network
3         Redirect Datagram for the Type of Service and Host

ICMPv4 Type 6 - Alternate Host Address

Code      Description
0         Alternate Address for Host

ICMPv4 Type 9 - Router Advertisement

Code      Description
0         Normal Router Advertisement
16        Does not route common traffic

ICMPv4 Type 11 - Time Exceeded

Code      Description
0         Time to Live exceeded in Transit
1         Fragment Reassembly Time Exceeded

ICMPv4 Type 12 - Parameter Problem

Code      Description
0         Pointer indicates the error
1         Missing a required option
2         Bad length

ICMPv4 Type 40 - Photuris

Code      Description
0         Bad SPI
1         Authentication Failed
2         Decompression Failed
3         Decryption Failed
4         Need Authentication
5         Need Authorization

OSPF

Mismatched key or mismatched password in OSPF authentication.

Apr 17 18:01:48 pri=4 msg="ospfd: interface fxp3:172.16.4.1: auth-type mismatch, local 2, rcvd 0, router-id 0.0.0.4" type=mgmt

Apr 17 19:12:26 pri=4 msg="ospfd: interface sis0:172.16.4.2: auth-type mismatch, local 0, rcvd 2, router-id 0.0.0.5" type=mgmt


Network Address Translation (NAT)

Connections using NAT translate internal IP addresses to external IP addresses when passing through the firewall, hiding internal IP addresses from untrusted networks. NAT connections can be of any type including TCP/IP (with HTTP, FTP, etc.), ICMP, or UDP connections. The key identifier for NAT messages is “NAT” in the “msg” attribute.

TCP

Open

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Open outbound NAT" proto=22/TCP src=192.168.71.12 srcport=1026 nat=199.120.225.78 natport=1026 dst=199.120.225.4 dstport=22 rule=2

Close

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Close outbound NAT" proto=22/TCP src=192.168.71.98 srcport=1025 nat=199.120.225.78 natport=1025 dst=199.120.225.4 dstport=22 rule=2 duration=176 sent=847 rcvd=788

HTML Sessions

Open

Opening NAT’d connections are not logged by default, but may be enabled as a debug aid.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Open outbound NAT" proto=80/tcp src=192.168.71.12 srcport=1569 nat=199.120.225.78 natport

Close

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Accept outgoing NAT" cat_action=pass dstname=www.gta.com proto=80/tcp src=192.168.71.12 srcport=1569 nat=199.120.225.78 natport=1569 dst=199.120.225.2 dstport=80 rule=2 op=GET arg=/Media/GB-Group.jpg duration=47 sent=547 rcvd=340

ICMP

Open

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Open outbound NAT" proto=icmp src=192.168.71.12 srcport=3 nat=199.120.225.78 natport=3 dst=199.120.225.1 dstport=3 rule=2

Close

Aug 30 11:19:46 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Close outbound NAT" proto=icmp src=192.168.71.12 srcport=3 nat=199.120.225.78 natport=3 dst=199.120.225.1 dstport=3 rule=2 duration=70 sent=3240 rcvd=3240

UDP

Open

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Open outbound NAT" proto=53/UDP src=192.168.71.98 srcport=1035 nat=199.120.225.78 natport=1035 dst=204.94.136.5 dstport=53 rule=1

Close

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Close outbound NAT" proto=22/TCP src=192.168.71.98 srcport=1025 nat=199.120.225.78 natport=1025 dst=199.120.225.4 dstport=22 rule=2 duration=176 sent=847 rcvd=788


Pass Through (No NAT)

Connections using IP pass through don’t perform any NAT; internal IP addresses are fully apparent to untrusted networks. Pass through connections can be of any type including TCP/IP (with HTTP, FTP, etc.), ICMP, or UDP connections.

Pass through messages are mostly identical to the messages for connections with NAT. The chief difference is the “msg” attribute will contain “pass through” instead of “NAT”. Other details in the message related to the accept/deny status, IP addresses, ports and others remain the same.

The key identifier for pass through policy messages is “pol_type=PASS”.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 pol_type=PASS pol_action=block msg="Block PASS" proto=23/TCP src=10.254.254.205 srcport=1030 dst=192.168.71.12 dstport=23 interface=Protected flags=0x2

Open

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Open outbound pass through" proto=23/TCP src=192.168.71.98 srcport=1027 dst=10.254.254.80 dstport=23

Close

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Close outbound pass through" proto=23/TCP src=192.168.71.98 srcport=1027 dst=10.254.254.80 dstport=23 duration=89 sent=444 rcvd=400

Bridged Interfaces

Cabling Loop

When a physical loop in the cabling exists in the network a log message is generated. Check physical wiring of hubs and switches to be sure no cables loop back into the same device. Bridged networks must be physically distinct. The key identifier for this type of message is msg="Bridging loop".

Mar 4 21:06:44 pri=4 msg="Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 External->Protected (muted)" src=199.120.225.53 dst=224.0.0.18

Bridged Protocols

Non-TCP/IP protocols may be encapsulated in a TCP/IP layer (“bridged”) to allow them to pass over the Internet, which requires TCP/IP.

CAUTION

No firewall policies are performed on bridged protocols; this can result in a weakening of your security perimeters. Great care should be taken in allowing bridged protocol packets.

Denied protocols are logged only when the firewall is set to log invalid packets. If desired, allow packets of these protocol types by adding them to the bridged protocol list.

The key identifier for bridged protocol messages is “Bridged protocol” in the “msg” attribute.

Feb 2 13:28:53 pri=3 msg="Bridged protocol type 0x42 denied (00:08:83:08:82:2a->01:80:c2:00:00:00)"


Firewall Service Notices

Authentication

Inbound security policies give permission for authentication connections to the firewall. Therefore every authentication log message is accompanied by an associated inbound security log message. Authentication log messages are also written for both the successful open and the close of an authenticated session. The key identifiers for authenticated connections are user="[Username]" and "RMCauth". In the examples the authentication service is reached on TCP port 76 (dstport=76).

Mar 4 21:06:44 pri=5 msg="Open inbound, NAT tunnel" proto=smtp src=199.120.225.77 srcport=1753 user="Nick" nat=199.120.225.78 natport=25 dnat=10.10.1.78 dnatport=1753 dst=10.10.1.9 dstport=25 rule=1

Mar 4 21:06:44 pri=6 msg="RMCauth: Allow '[email protected]', authentication successful." type=mgmt src=192.178.71.254 srcport=3630 dst=10.10.1.84 dstport=76 duration=7

Jun 13 11:06:52 pri=5 msg="AUTH: Assign 192.178.71.254, to 'Mary'" type=mgmt

Jun 13 11:06:46 pri=5 msg="RMCauth: Accepted connection" type=mgmt src=192.178.71.254 srcport=3630 dst=10.10.1.84 dstport=76 duration=1

Mar 4 21:06:44 pri=5 msg="RMCauth: Close connection" type=mgmt src=192.178.71.254 srcport=3630 dst=10.10.1.84 dstport=76 duration=675

Jun 13 11:18:00 pri=5 msg="AUTH: Release 192.178.71.254, from 'Mary'" type=mgmt

Tunnel accesses by an authenticated user are labeled with their account name.

Mar 4 21:06:44 pri=5 msg="Open inbound, NAT tunnel" proto=smtp src=199.120.225.20 srcport=1806 user="Nick" nat=199.120.225.78 natport=25 dnat=10.10.1.78 dnatport=1806 dst=10.10.1.9 dstport=25 rule=1

Without a remote access policy, the authentication connection attempt will be denied.

Mar 4 21:06:44 pri=4 pol_type=IBP pol_action=block msg="Rejecting unathenticated access (1)" rule=1 proto=25/tcp src=199.120.225.77 srcport=1700 dst=199.120.225.78 dstport=25 interface=sis1 flags=0x2

Expired Authentication Session

Users whose authenticated sessions have expired must authenticate again to gain access to restricted areas of the network. The key identifier for this message is "Release" in the "msg" attribute.

Mar 4 21:06:44 pri=5 msg="USER: Release 199.120.225.20, from 'Nick'" type=mgmt

Authentication Denied Due to Closed Authentication Connection

If the authentication connection is closed, the user must reinitiate the authentication connection and complete it before they will be fully authenticated.

The key identifiers for this event occur in a sequence of messages. First a message with "RMCauth: Close connection" in the "msg" attribute occurs; then, if the user attempts to continue authentication on the closed connection, a message with "RMCauth: Deny [username], authentication failure" in the "msg" attribute occurs. If the user reattempts authentication, a third message with "RMCauth: Accepted connection" in the "msg" attribute will occur.

Mar 4 21:06:44 pri=5 msg="RMCauth: Close connection" type=mgmt src=192.178.71.254 srcport=3569 dst=10.10.1.84 dstport=76 duration=17

Jun 13 11:04:38 pri=4 msg="RMCauth: Deny '[email protected]', authentication failure." type=mgmt src=192.178.71.254 srcport=3569 dst=10.10.1.84 dstport=76 duration=16

Jun 13 11:04:22 pri=5 msg="RMCauth: Accepted connection" type=mgmt src=192.178.71.254 srcport=3569 dst=10.10.1.84 dstport=76


Authentication Denied Due to Old GBAuth Version

Versions of GBAuth prior to 1.2.7 are not compatible with GB-OS 6.2. The firewall rejects the client's login command because its size does not match what GB-OS 6.2 expects.

Mar 4 21:06:44 pri=3 msg="RMCauth: command 'authLoginGet' (400) rejected, incorrect size." type=mgmt src=192.168.71.253 srcport=4192 dst=192.168.71.254 dstport=76

Gateway Selector

The gateway selector service first listens for a series of failed pings to its beacons through the primary route (the current default gateway). If these beacons remain unreachable ("no reply"), a new default gateway is set.

The key identifier for gateway selector messages is "selector".

Mar 4 21:06:44 selector: No reply from 199.120.225.79.

Mar 4 21:06:44 selector: No reply from 205.111.80.180.

Mar 4 21:06:44 selector: No reply from 205.111.110.180.

Mar 4 21:06:44 selector: Verification of default gateway 199.120.225.79 failed.

Mar 4 21:06:44 selector: Default gateway set to 200.120.225.79.

Email Notification from Gateway Selector

If email notification is selected, the gateway selector logs the email notification when it is sent.

NOTIFICATION TYPE: Default gateway change

NAME: firewall.example.com

DATE: Wed 2002-05-29 12:59:18 EDT

Default gateway changed to 200.120.225.79.

Intrusion Prevention System (IPS)

IPS policies can be configured to generate a log message when they are triggered.

The typical identifier for IPS log messages is msg="IPS:". The action= value declares the action performed by the triggered IPS policy (pass, drop or reset); rule_id and rule_rev identify the signature and its revision, and classification gives the signature's category.

Connection Passed

Apr 28 00:38:04 pri=4 msg="IPS: MISC MS Terminal server request" action=pass rule_id=1448 rule_rev=13 classification="Generic Protocol Command Decode" proto=3389/tcp src=24.227.126.130 srcport=2647 dst=192.168.172.25 dstport=3389

Connection Dropped

Apr 28 01:21:16 pri=4 msg="IPS: BLEEDING-EDGE RDP connection confirm" action=drop rule_id=2001330 rule_rev=5 classification="Misc activity" proto=3007/tcp src=192.168.172.25 srcport=3389 dst=24.227.126.130 dstport=3007

Connection Reset

Apr 28 00:45:13 pri=4 msg="IPS: BLEEDING-EDGE RDP connection confirm" action=reset rule_id=2001330 rule_rev=5 classification="Misc activity" proto=2681/tcp src=192.168.172.25 srcport=3389 dst=24.227.126.130 dstport=2681


Mail Proxy Email Filtering

By default, the Mail Proxy email proxy will block all email from reaching your email server, and log each denied email. Email proxy policies must be created to specify which email you wish to allow.

The typical identifier for Mail Proxy log messages is "smtp_action".

Email Delivered

Delivered email is not logged by default. However, logging it may be enabled as a debug aid.

Mar 4 21:06:44 pri=5 msg="SMTP: Close" smtp_action=pass virus="none found" spam=unknown,2 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4711 dst=199.120.225.5 dstport=25 duration=2 sent=136 rcvd=1709

Email Rejected Due to Source or Destination of Policy

If an email proxy policy is set to reject all email from a source or destination, that rejection will be logged. Additionally, the index number of the policy that triggered the rejection will be logged in the "rule" attribute.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=6 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=34813 dst=199.120.225.5 dstport=25 duration=2 sent=42 rcvd=67

Email Rejected Due to Exhaustion of Policies (Reject by Default If No Match Is Found)

If no email proxy policies exist, or an email has exhausted the list of policies while looking for a match, the default rule to reject the email is enacted. The key identifier is "rule=0".

Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=0 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=2107 dst=199.120.225.5 dstport=25 duration=13 sent=70 rcvd=68

Email Rejected Due to Reverse DNS

If the email has matched an email proxy policy specifying reverse DNS lookups and has failed the lookup, the log message will contain "RDNS" in its "msg" attribute.

Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (RDNS)" smtp_action=block rule=1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=1696 dst=199.120.225.5 dstport=25 duration=10 sent=74 rcvd=60

Email Rejected Due to MAPS

If the email has matched an email proxy policy specifying a MAPS (DNS-based block list) lookup and the sending host is listed, the log message will contain "MAPS" and the name of the list in its "msg" attribute.

Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (MAPS list.dsbl.org)" smtp_action=block rule=2 proto=smtp user="[email protected],[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=2327 dst=199.120.225.5 dstport=25 duration=4 sent=111 rcvd=107


Email Rejected Due to Invalid Recipient

If the email initially matches a policy causing its acceptance, but the receiving email server returns a code indicating that the recipient does not exist for its domain, the email proxy may reject the email. The key identifier for this type of message is "550 Invalid recipient" in the "msg" attribute.

Mar 4 21:06:44 pri=4 msg="SMTP: Server returned, 550 Invalid recipient <[email protected]>" type=mgmt proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4599 dst=199.120.225.5 dstport=25 duration=5

If there is no spam or virus scanning enabled for that email, you may see that message paired with one for an incomplete SMTP connection. This message occurs when the email data is stopped during transmission: the internal email server may have determined that an email account does not exist, causing the Mail Proxy email proxy to terminate the SMTP data reception.

Email Connection Incomplete

If the email transmission was incomplete, it is handled as a rejection. This could be caused by premature termination by either the sender or the recipient server. The key identifier for this type of message is "Incomplete" in the "msg" attribute.

Mar 4 21:06:44 pri=4 msg="SMTP: Incomplete" smtp_action=block virus="not found" spam=confirmed,96 rule=8 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4599 dst=199.120.225.5 dstport=25 duration=5 sent=214 rcvd=2765

Maximum Count of Threads Exceeded

If the Mail Proxy email proxy has been overloaded with connection attempts (each of which creates an email proxy thread), some connections will be delayed or rejected. The key identifier for this type of message is "Maximum number of threads exceeded" in the "msg" attribute. A sustained run of these messages indicates either a mail flood or a deliberate attempt to exhaust the proxy, so it is worth alerting on.

Mar 4 21:06:44 pri=3 msg="SMTP: Maximum number of threads exceeded" type=mgmt proto=smtp

Mail Proxy Anti-Virus and Mail Proxy Anti-Spam Options

If you have installed the Anti-Spam or Anti-Virus options on your email proxy, additional controls are available in your email proxy ACLs. These options have the key identifiers "virus" or "spam" in their associated log messages.

Email Confirmed Spam by Anti-Spam but Delivered

If the matching email proxy ACL specified Anti-Spam scanning, but did not elect to reject or quarantine confirmed spam, it will be delivered normally. The key identifiers for this type of message are "spam=confirmed" and "smtp_action=pass".

Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="none found" spam=confirmed,99 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=3260 dst=199.120.225.5 dstport=25 duration=4 sent=110 rcvd=3396

Email Confirmed Spam by Anti-Spam and Quarantined

If the matching email proxy ACL specified Anti-Spam scanning, and elected to quarantine confirmed spam, it will be delivered to the indicated quarantine email address. The key identifiers for this type of message are "spam=confirmed" and "smtp_action=quarantine".

Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=quarantine virus="none found" spam=confirmed,98 rule=3 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4282 dst=199.120.225.5 dstport=25 duration=2 sent=110 rcvd=3549


Email Virus Found by Anti-Virus and Cured Then Delivered

If the matching email proxy ACL specified Anti-Virus scanning, but did not elect to reject or quarantine viruses, Anti-Virus attempts to remove the virus from the email attachment before the email is delivered normally. The key identifier for this type of message is "virus=Cured", followed by the name of the virus that was removed; because the email was delivered, the message carries "smtp_action=pass".

Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus=Cured,"I-Worm.Bagle.au" spam=unknown,50 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4124 dst=199.120.225.5 dstport=25 duration=83 sent=82 rcvd=26436

Email Virus Found by Anti-Virus but Delivered

If the matching email proxy ACL specified Anti-Virus scanning, but did not elect to reject or quarantine viruses, and the virus could not be removed from the file, the infected email will be delivered normally. The key identifiers for this type of message are "virus=[Virus name]" and "smtp_action=pass". These messages deserve attention: the firewall has knowingly passed a detected virus to the mail server.

Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="I-Worm.Bagle.as" spam=unknown,64 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=3364 dst=199.120.225.5 dstport=25 duration=10 sent=82 rcvd=31669

Email Virus Found by Anti-Virus and Quarantined

If the matching email proxy ACL specified Anti-Virus scanning, and elected to quarantine viruses, virus email will be delivered to the quarantine email address. The key identifiers for this type of message are "virus=[Virus name]" and "smtp_action=quarantine".

Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=quarantine virus="I-Worm.NetSky.q" spam=confirmed,98 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4272 dst=199.120.225.5 dstport=25 duration=5 sent=110 rcvd=41496

Email Virus Found by Anti-Virus and Rejected

If the matching email proxy ACL specified Anti-Virus scanning, and elected to reject viruses, virus email will be rejected. The key identifiers for this type of message are "virus=[Virus name]" and "smtp_action=block".

Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=block virus="I-Worm.Bagle.au" spam=unknown,50 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4124 dst=199.120.225.5 dstport=25 duration=83 sent=82 rcvd=26436


Email Headers

Email headers, often invisible to a user unless they view the email source or view it as plain text, contain information about email delivery and processing.

The Mail Proxy email proxy adds SMTP X-headers to processed email. These headers can help diagnostic or tracking processes. Some X-headers specifically track events of an email proxy that has Mail Proxy options enabled. The "GB" prefix indicates that the header was appended by a receiving GTA firewall. Note that any sending host can insert headers with the same names, so treat X-GB-* values as trustworthy only for mail that reached you through the firewall that wrote them (the firewall named in X-GB-Received is your own, and it was the last hop before your mail server).

Headers can include:

X-GB-Received: from domain.example.com (192.168.71.9) by firewall.example.com (3.6.0)
Lists the host that the email originated from, followed by the host name of the receiving firewall.

X-GB-From: [email protected]
Lists the email address of the sender. (The originating domain and the domain in the sender's email address are not necessarily the same.)

X-GB-To: [email protected]
Lists the email address of the intended recipient. If an email has been cleared from quarantine, this header allows the email to be sent on to its final destination.

X-GB-Mail-Format-Warning: Bad RFC2822 line length
Describes a badly-formatted email.

X-GB-Rule: 5
Lists the email proxy ACL that was matched.

X-GB-AS
Lists the spam category assigned to the email (e.g. Confirmed or Suspect) and the score that caused the categorization. May describe any error conditions that occurred during Anti-Spam processing, causing it not to process the email. These errors can include an expired Anti-Spam license or inability to contact the Anti-Spam license server.

X-GB-AS-Summary
Contains the Anti-Spam engine processing summary.

X-GB-AV
Lists any viruses found; if they could be removed from the email, it will also say "cured". May describe any error conditions that occurred during Anti-Virus processing, causing it not to process the email.

X-GB-Quarantined
Lists the email address that a quarantined email was sent to.

Note

For ease of identification, GTA recommends that the host name be a fully qualified domain name (FQDN), as in the example above. The firewall host name is entered in the HOST NAME field of the Configuration>Network>Interfaces>Settings section.
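As an added example (not GTA's code), the following Python reads the X-GB-* headers with the standard library's email parser and applies the caveat above: it acts on the firewall's verdict only when X-GB-Received names our own firewall. The firewall host name, the value layouts assumed for X-GB-AS ("Confirmed, 98") and X-GB-AV ("<virus name> cured"), and the sample message itself are constructed for this example and are not taken from the guide.

```python
"""Read the X-GB-* headers the Mail Proxy adds and decide what to do with a message.

Added example, not GTA code. Header names are the ones listed in this reference;
the value layouts for X-GB-AS and X-GB-AV, the firewall name and the sample
message are assumptions made for the example.
"""
from email import message_from_string
from email.message import Message
from typing import Dict, Optional

# Constructed message: the X-GB-* lines follow the shapes shown in this reference.
SAMPLE_MESSAGE = """\
X-GB-Received: from domain.example.com (192.168.71.9) by firewall.example.com (3.6.0)
X-GB-From: sender@domain.example.com
X-GB-To: joe@example.com
X-GB-Rule: 5
X-GB-AS: Confirmed, 98
X-GB-AV: I-Worm.Bagle.au cured
X-GB-Quarantined: quarantine@example.com
From: sender@domain.example.com
To: joe@example.com
Subject: constructed sample

(body)
"""


def load(text: str) -> Message:
    """Parse raw RFC 2822 text into a Message."""
    return message_from_string(text)


def relayed_by(msg: Message, firewall: str) -> bool:
    """True if some X-GB-Received header names `firewall` as the receiving host.

    Plausibility check only: a sender can forge X-GB-* headers, so a downstream
    filter should act on them only for mail that demonstrably arrived through
    that firewall (its last-hop Received header, or the firewall being the only
    path to the mail server).
    """
    return any(f" by {firewall} " in f" {r} " for r in msg.get_all("X-GB-Received", []))


def gb_verdict(msg: Message, firewall: str) -> Dict[str, Optional[object]]:
    """Summarize the firewall's verdict for one message."""
    v: Dict[str, Optional[object]] = {
        "trusted": relayed_by(msg, firewall),
        "rule": msg.get("X-GB-Rule"),
        "spam_category": None, "spam_score": None,
        "virus": None, "cured": False,
        "quarantined_to": msg.get("X-GB-Quarantined"),
        "warning": msg.get("X-GB-Mail-Format-Warning"),
    }
    spam = msg.get("X-GB-AS")
    if spam:  # assumed layout: "<Category>, <score>"
        category, _, score = spam.partition(",")
        v["spam_category"] = category.strip()
        v["spam_score"] = int(score) if score.strip().isdigit() else None
    av = msg.get("X-GB-AV")
    if av:  # assumed layout: "<virus name>" optionally followed by "cured"
        words = av.split()
        v["cured"] = words[-1].lower() == "cured"
        v["virus"] = " ".join(words[:-1] if v["cured"] else words) or None
    return v


def should_hold(verdict: Dict[str, Optional[object]]) -> bool:
    """Hold (do not deliver) on a trusted verdict of confirmed spam or an uncured virus."""
    if not verdict["trusted"]:
        return False
    if verdict["spam_category"] and str(verdict["spam_category"]).lower() == "confirmed":
        return True
    return verdict["virus"] is not None and not verdict["cured"]


if __name__ == "__main__":
    m = load(SAMPLE_MESSAGE)
    print(gb_verdict(m, "firewall.example.com"))
    print("hold:", should_hold(gb_verdict(m, "firewall.example.com")))
```

Run it as a script to see the verdict for the constructed message; pointing `gb_verdict` at a different firewall name makes `trusted` false and `should_hold` decline to act, which is the behaviour you want when mail can reach the server by a path that bypasses the proxy.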


VPN

VPN connections tunnel network traffic over untrusted networks using authentication and encryption for security. If an IKE type of VPN is used, IKE messages may appear in the log ("IKE server"); another key identifier is "type=mgmt,vpn".

When the IKE server starts up due to a firewall reboot or saving a VPN configuration section, the startup is logged, along with the number of allowed concurrent mobile users.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="WWWadmin: Starting IKE server." type=mgmt src=192.168.71.2 srcport=2206 dst=192.168.71.254 dstport=80 duration=2

Mar 4 21:06:44 firewall.example.com id=firewall time="2002-08-30 14:12:18" fw="ipsec" pri=5 msg="Licensed for 100 mobile client connections." type=mgmt,vpn

Failed VPN authentications are logged with the account name.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="RMCauth: Accepted connection" type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="RMCauth: Authentication failure for '[email protected]'." type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76 duration=4

Security Associations

By default, each IPsec security association (SA) creation is logged. VPN connections require at least two SAs, one for each direction of traffic, which is why established SAs appear in pairs with src and dst swapped.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="IPsec-SA established" type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="IPsec-SA established" type=mgmt,vpn src=24.170.164.183 dst=199.120.225.200

VPN SAs have a limited lifetime: they expire and are renegotiated so that a compromised key is useful to an attacker for only a short time. After expiration they must be renewed, or the connection will be closed.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA established" type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="ipsec" pri=5 msg="IPsec-SA expired" type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183

Mobile Client VPN Authentication and Connection

Mobile clients must authenticate first before establishing a connection.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="RMCauth: Accepted connection" type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=6 msg="RMCauth: Authentication successful for '[email protected]'." type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76 duration=4

Attempts to connect without authentication will be denied.

Mar 4 21:06:44 pri=4 msg="Authentication needed, access for '[email protected]' denied." type=mgmt,vpn src=65.33.234.134 dst=199.120.225.78


Web Content Filtering

On GTA firewalls utilizing content filtering, two different HTTP proxy mechanisms are possible: traditional proxy or transparent proxy.

If the traditional proxy is used, each user must configure their browser to use a proxy (the IP address is that of the protected network interface of the firewall). The transparent proxy requires no configuration of the user's browser, as it intercepts normal port 80 HTTP traffic transparently.

Content policies can accept or deny TCP/IP packets based upon their HTTP content as well as their TCP/IP properties. Local content lists (LCLs) cause "cat_site" to be "Local Accept" or "Local Deny".

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="Block outbound NAT" cat_action=block cat_site="Local Deny" dstname=ad.doublclk.net proto=80/tcp src=192.168.71.33 srcport=4991 nat=199.20.136.33 natport=4991 dst=205.138.3.82 dstport=80 rule=2 duration=22 sent=861 rcvd=60 pkts_sent=3 pkts_rcvd=1 op=GET arg=/adi/caranddriver.lana.com/kw=;;ord=180587622710292244

Persistent (secondary) web connections will be logged.

Mar 4 21:06:44 pri=5 msg="Accept persistent outbound, NAT" cat_action=pass cat_site="Reference" dstname=www.example.com proto=80/tcp src=192.168.1.1 srcport=1043 nat=200.200.200.200 natport=1043 dst=100.100.100.100 dstport=80 rule=5 duration=0 sent=633 rcvd=400 pkts_sent=2 pkts_rcvd=1 op=GET arg=/images/example.gif

Unknown HTTP commands being transmitted over HTTP ports (such as tunnels for non-HTTP protocols such as AIM) may be blocked. The key identifier for this type of message is "op=Unknown". Because the request is not a valid HTTP method, the proxy cannot categorize it, so no cat_site is logged.

Mar 4 21:06:44 pri=4 msg="Block outbound, NAT" cat_action=block dstname=200.200.200.200 proto=80/tcp src=192.168.1.1 srcport=1688 nat=100.100.100.100 natport=1688 dst=200.200.200.200 dstport=80 rule=1 duration=22 sent=138 rcvd=94 pkts_sent=3 pkts_rcvd=2 op=Unknown

Saving the content policy preferences causes the HTTP proxy (transparent or traditional; "proxyWWW") to restart.

Mar 4 21:06:44 pri=5 msg="proxyWWW: Surf Sentinel successfully initialized" type=mgmt

Mar 4 21:06:44 pri=6 msg="proxyWWW: Listening at port 2784." type=mgmt

Mar 4 21:06:44 pri=6 msg="proxyWWW: Reinitializing." type=mgmt

Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of 'URL Access Lists'." type=mgmt src=192.168.71.243 srcport=2447 dst=192.168.71.77 dstport=443

Saving an LCL (black list/white list) or an ACL (who should follow the black lists/white lists) causes the HTTP proxy to update and reinitialize.

Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of 'Local Content Lists'." type=mgmt src=192.168.71.243 srcport=2460 dst=192.168.71.77 dstport=443

Mar 4 21:06:44 pri=6 msg="proxyWWW: Reinitializing." type=mgmt

Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of 'URL Access Lists'." type=mgmt src=192.168.71.243 srcport=2447 dst=192.168.71.77 dstport=443

Mar 4 21:06:44 pri=6 msg="proxyWWW: Reinitializing." type=mgmt

Attempts to use the HTTP proxy without policy permission for port 2784 (or another HTTP proxy port) will log an error.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 pol_type=RAP pol_action=block msg="Block RAP (25)" rule=25 proto=2784/TCP src=192.168.71.12 srcport=1521 dst=10.10.1.78 dstport=2784 interface=External attribute="alarm" flags=0x2


Transparent Proxy

A "cat_action=pass" or "cat_action=block" together with msg="Allow outgoing NAT" or msg="Block outgoing NAT" shows whether a transparent proxy connection was accepted or denied.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Allow outgoing NAT" cat_action=pass dstname=www.gta.com cat_site="Information Technology/Computers" proto=80/tcp src=192.168.71.12 srcport=1439 nat=199.120.225.78 natport=1439 dst=199.120.225.2 dstport=80 rule=2 op=GET arg=/ duration=43 sent=2701 rcvd=1141

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="Block outgoing NAT" cat_action=block dstname=www.playboy.com cat_site="Pornography" proto=80/tcp src=192.168.71.12 srcport=1454 nat=199.120.225.78 natport=1454 dst=209.247.228.201 dstport=80 rule=2 op=GET arg=/ duration=25 sent=666 rcvd=44

Traditional Proxy

A "cat_action=pass" or "cat_action=block" shows whether a traditional proxy connection was accepted or denied.

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=5 msg="Proxy" cat_action=pass proto=80/tcp src=192.168.71.12 dst=199.120.225.3 cat_site="Information Technology/Computers" op=GET dstname=www.gnatbox.com arg=/GeneratedItems/CSScriptLib.js

Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="Proxy" cat_action=block proto=80/tcp src=192.168.71.12 dst=209.247.228.201 cat_site="Pornography" op=GET dstname=www.playboy.com arg=/

Web Filtering Option

Web Filtering can cause traffic to be accepted or denied based upon its content category (look for a message such as msg="Accept outbound, NAT" or msg="Block outbound, NAT"). If Web Filtering was used to determine packet acceptance or rejection, cat_site will be set to the category of the content requested, such as "Entertainment and Arts", "Adult and Pornography" or "Hacking".

Web Filtering can be used with either the transparent or traditional HTTP proxy.

Persistent Connection message

May 15 18:37:16 pri=5 msg="Accept persistent outbound, NAT" cat_action=pass cat_site="Sports" dstname=www.cmdarts.com proto=80/tcp src=192.168.71.199 srcport=3817 nat=24.227.126.130 natport=3817 dst=64.34.176.47 dstport=80 rule=11 duration=6 sent=1205 rcvd=12709 pkts_sent=11 pkts_rcvd=12 op=GET arg=/images/newlogo.gif

Accept message

May 15 18:39:03 pri=5 msg="Accept outbound, NAT" cat_action=pass cat_site="News and Media" dstname=technology.timesonline.co.uk proto=80/tcp src=192.168.71.199 srcport=2452 nat=24.227.126.130 natport=2452 dst=72.247.134.216 dstport=80 rule=11 duration=327 sent=260 rcvd=636 pkts_sent=5 pkts_rcvd=3 op=GET arg=/tol/img/global/chevron-back-to-top.gif

Deny message

May 15 18:39:27 pri=4 msg="Block outbound, NAT" cat_action=block cat_site="Adult and Pornography" dstname=www.playboy.com proto=80/tcp src=192.168.71.199 srcport=3827 nat=24.227.126.130 natport=3827 dst=216.163.137.3 dstport=80 rule=11 duration=22 sent=486 rcvd=48 pkts_sent=3 pkts_rcvd=1 op=GET arg=/favicon.ico
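Every message in this reference (Authentication, IPS, Mail Proxy, Web Content Filtering and Bridged Protocols) shares one grammar: an optional timestamp and host prefix, then key=value fields whose values are either double-quoted or a bare run of characters that may contain commas. The following Python is an added example, not GB-OS code, that parses that grammar and applies detection rules for the conditions those sections single out: authentication denials, IPS drops and resets, mail delivered despite a virus or confirmed-spam verdict, the rule=0 default reject, op=Unknown tunnelling on the HTTP proxy, category blocks, and denied bridged protocols. The sample lines are constructed after the guide's examples (with example.com placeholder addresses), and the finding names are this example's own.

```python
"""Parse GB-OS key=value log lines and flag the events a SOC would act on.

Added example, not GTA code. Field names (msg, pri, smtp_action, virus, spam,
action, cat_action, cat_site, op, rule) are the ones shown in this reference;
the rules and finding names are this example's own choices.
"""
import re
from typing import Dict, List, Tuple

# One key=value field: the value is a double-quoted string (may contain spaces)
# or a run of non-space characters (may contain commas, e.g. spam=confirmed,99).
_FIELD = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')


def _unquote(value: str) -> str:
    """Strip one layer of double quotes if present."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_line(line: str) -> Dict[str, str]:
    """Return the fields of one log line; text before the first field
    (timestamp, optional host name) is kept under '_prefix'. Lines with no
    fields (e.g. 'selector: No reply from ...') return only '_prefix'."""
    fields: Dict[str, str] = {}
    first = None
    for m in _FIELD.finditer(line):
        if first is None:
            first = m.start()
        fields[m.group("key")] = _unquote(m.group("val"))
    fields["_prefix"] = line[:first].strip() if first is not None else line.strip()
    return fields


def split_verdict(value: str) -> Tuple[str, str]:
    """'confirmed,99' -> ('confirmed', '99'); 'Cured,"I-Worm.Bagle.au"' -> ('Cured', 'I-Worm.Bagle.au')."""
    head, _, tail = value.partition(",")
    return head, _unquote(tail)


def findings_for(f: Dict[str, str]) -> List[str]:
    """Apply the detection rules to one parsed line; returns zero or more tags."""
    out: List[str] = []
    msg = f.get("msg", "")
    # Authentication service: explicit denials, failures and rejected commands.
    if msg.startswith("RMCauth:") and any(w in msg for w in ("Deny", "failure", "rejected")):
        out.append("auth_failure")
    # IPS: anything other than action=pass.
    if msg.startswith("IPS:") and f.get("action", "pass") != "pass":
        out.append("ips_" + f["action"])
    # Mail Proxy: delivered despite an uncured virus or a confirmed-spam verdict.
    if f.get("smtp_action") == "pass":
        virus, _ = split_verdict(f.get("virus", "none found"))
        spam, _ = split_verdict(f.get("spam", "unknown"))
        if virus not in ("none found", "not found", "Cured"):
            out.append("virus_passed")
        if spam == "confirmed":
            out.append("spam_passed")
    # rule=0: no proxy policy matched and the default reject fired.
    if f.get("smtp_action") == "block" and f.get("rule") == "0":
        out.append("mail_default_reject")
    # HTTP proxy: op=Unknown is a non-HTTP method on an HTTP port (tunnelling);
    # any other block is attributed to its content category.
    if f.get("op") == "Unknown":
        out.append("http_unknown_method")
    elif f.get("cat_action") == "block":
        out.append("web_block:" + f.get("cat_site", "uncategorized"))
    # Bridged (non-IP) protocol dropped at the bridge.
    if msg.startswith("Bridged protocol") and "denied" in msg:
        out.append("bridged_protocol_denied")
    return out


def analyze(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group the parsed lines by finding tag."""
    grouped: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        f = parse_line(line)
        for tag in findings_for(f):
            grouped.setdefault(tag, []).append(f)
    return grouped


# Constructed sample, modelled on the messages in this reference.
SAMPLE_LOG = [
    'Jun 13 11:04:38 pri=4 msg="RMCauth: Deny \'mary@example.com\', authentication failure." type=mgmt src=192.178.71.254 srcport=3569 dst=10.10.1.84 dstport=76 duration=16',
    'Apr 28 01:21:16 pri=4 msg="IPS: BLEEDING-EDGE RDP connection confirm" action=drop rule_id=2001330 rule_rev=5 classification="Misc activity" proto=3007/tcp src=192.168.172.25 srcport=3389 dst=24.227.126.130 dstport=3007',
    'Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="I-Worm.Bagle.as" spam=unknown,64 rule=5 server=192.168.71.1 proto=smtp user="joe@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=3364 dst=199.120.225.5 dstport=25 duration=10 sent=82 rcvd=31669',
    'Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="none found" spam=confirmed,99 rule=5 server=192.168.71.1 proto=smtp user="joe@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=3260 dst=199.120.225.5 dstport=25 duration=4 sent=110 rcvd=3396',
    'Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus=Cured,"I-Worm.Bagle.au" spam=unknown,50 rule=5 server=192.168.71.1 proto=smtp user="joe@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=4124 dst=199.120.225.5 dstport=25 duration=83 sent=82 rcvd=26436',
    'Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=0 proto=smtp user="joe@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=2107 dst=199.120.225.5 dstport=25 duration=13 sent=70 rcvd=68',
    'Mar 4 21:06:44 pri=4 msg="Block outbound, NAT" cat_action=block dstname=200.200.200.200 proto=80/tcp src=192.168.1.1 srcport=1688 nat=100.100.100.100 natport=1688 dst=200.200.200.200 dstport=80 rule=1 duration=22 sent=138 rcvd=94 pkts_sent=3 pkts_rcvd=2 op=Unknown',
    'May 15 18:39:27 pri=4 msg="Block outbound, NAT" cat_action=block cat_site="Adult and Pornography" dstname=www.example.org proto=80/tcp src=192.168.71.199 srcport=3827 nat=24.227.126.130 natport=3827 dst=203.0.113.3 dstport=80 rule=11 op=GET arg=/favicon.ico',
    'Feb 2 13:28:53 pri=3 msg="Bridged protocol type 0x42 denied (00:08:83:08:82:2a->01:80:c2:00:00:00)"',
    'Mar 4 21:06:44 selector: No reply from 199.120.225.79.',
]

if __name__ == "__main__":
    for tag, hits in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{tag}: {len(hits)}")
        for f in hits:
            print("   ", f["_prefix"], f.get("msg", ""), f.get("src", ""))
```

The regex deliberately accepts bare values containing commas, because spam=confirmed,99, type=mgmt,vpn and virus=Cured,"I-Worm.Bagle.au" all appear in this reference; split_verdict then separates the category from the score or name. Feed real syslog output from the firewall to analyze() and the grouped results give the counts per finding; a cured virus is intentionally not flagged, but the delivered-uncured case and confirmed spam with smtp_action=pass are, since those are the outcomes where the firewall knowingly let the content through.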


Reference F: Glossary

The following are common terms and phrases encountered when configuring a GTA firewall.

A: Address Object, ARP Protocol, ARP Table, Authentication, Automatic Policy

B: Bandwidth, Bandwidth Capping (Bandwidth Limiting), BGP, Bridged Interface, Bridged Protocol

C: Content Filtering, Crack

D: DHCP, DHCP Lease, DMZ, DNS, DNS Proxy, Domain Name, Dynamic (default) NAT, Dynamic DNS

E: Email Proxy, Encapsulation, Ethernet, Ethernet Card, External Network

F: Failover, Feature, Firewall

G: Gateway

H: H2A High Availability, Hop Count, Host, HTTP, HTTP Proxy

I: Inbound Security Policy, Inbound Tunnel, Interface Object, Internal Network, Intrusion Prevention System, IP Address, IP Alias, IP Protocol, IPSec Object

L: L2TP, LAN, LCL, Lease, Logical Network, Log Message

M: Mail Proxy, Mail Proxy Anti-Spam, Mail Proxy Anti-Virus

N: NAT, Net Mask, Network, Network Card, Network Class, Network Transparency, Network Type, NIC, NTP

O: Object, Option, OSPF, Outbound Security Policy

P: Packet, Pass Through Policy, Phishing, Ping, Policy, Policy Type, Port Scan, PPP, PPTP, Private Network, Protected Network, Proxy, PSN

R: Remote Administration, Remote Logging, RIP, Router, Routing, Runtime

S: Secure, SNMP, Spam, Spoofing, SSL, SSL Browser & Client, Stateful Packet Inspection, Static Address Mapping, Static NAT, Static Routes, Stealth Mode, Subnet Mask, Subscription, Syslog

T: TCP/IP Protocol, Time Group, Timeout, Traceroute, Traffic Shaping, Traffic Shaping Object, Trojan, Tunnel

U: URL

V: Verification, Virtual Crack, Virus, VLAN, VPN, VPN Certificate

W: Web Filtering, Worm


Address Object: An object type containing IP addresses, domain names or email addresses. For example, creating the address objects "Home Office" and "Branch Office" with their respective IP address groups would help to rapidly reference those IP addresses in all areas of the firewall configuration.

ARP Protocol: Address Resolution Protocol; the protocol hosts, firewalls and routers use to discover the hardware (MAC) address that corresponds to an IP address on the local network segment, so that a packet can be handed to its next hop.

ARP Table: A cache of recently learned IP-address-to-MAC-address mappings. It speeds delivery on the local segment, and may be flushed (erased) to force a router or firewall to rediscover the mappings, for example after a host's network card has been replaced. Because ARP carries no authentication, a host on the same segment can poison this cache (ARP spoofing), which is one reason management and authentication traffic should not rely on the local segment alone for trust.

Authentication: Verifying the identity of a user, usually by testing that the user knows a valid account name and the secret value (password) associated with that account.

Automatic Policy: A firewall policy that is part of the inherent firewall logic, and is therefore not configurable by the administrator. A default, uneditable firewall policy that may only be enabled or disabled.

Bandwidth: The amount of network traffic that may be sent per unit of time. Usually expressed in bits per second or kilobits per second (1 kilobit = 1,000 bits).

Bandwidth Capping (Bandwidth Limiting): Limiting the bandwidth a host/network may send over time, and prioritizing which hosts/networks should be allowed to reach that limit before allocating the remaining bandwidth to other hosts/networks.

BGP: Border Gateway Protocol, an exterior gateway protocol used for routing between large networks such as the Internet. BGP uses TCP port 179 to establish a connection between two or more routers, which are considered peers. Initially the routers exchange full routing information; once the connection is established, the routers send only updates to their routing tables.

Bridged Interface: A network interface whose network traffic is selected to be transmitted to another network interface as if they were part of the same logical network. This is different from pass through hosts because it applies a static NAT/route to join discontiguous networks, rather than applying no NAT.

Bridged Protocol: A non-TCP/IP protocol selected to be transmitted without applying firewall policies.

Content Filtering: Denial of network content according to known content; this usually refers to denial of web page traffic based upon the domain name or IP address range serving the web page, or by categorization within a content rating system. Local content lists provide basic domain/IP-based content filtering, while the Web Filtering option provides more sophisticated rating-based content filtering.

Crack: An open network port; an exception or "hole" made in firewall policies to allow certain types of traffic. Cracks must be carefully designed to allow desirable traffic while still denying undesirable traffic, otherwise network security may be compromised.

DHCP: Dynamic Host Configuration Protocol; a TCP/IP protocol used by a DHCP server to automatically assign IP addresses, assign gateways, and propagate DNS server information to network hosts.

DHCP Lease: The amount of time before a host must renew its request for an IP address and DNS information from the DHCP server.

DMZ: De-militarized zone; see PSN.


DNS: Domain Name System; a TCP/IP protocol, and the same-named server or proxy, that answers requestors' queries about which IP addresses correspond to a domain name (and, for reverse lookups, which domain name corresponds to an IP address).

DNS Proxy: A service that passes on DNS information requests to a DNS server, and returns the response to the original requestor. Because it does not keep DNS records itself, it is not considered a DNS server, but only a requestor stand-in.

Domain Name: A host name registered within a DNS hierarchy, such as firewall.example.com. This allows the convenience of referring to a host by an easily-remembered name rather than an IP address.

Dynamic DNS: A service that automatically receives dynamic (such as DHCP-driven) IP address updates to its DNS records, and propagates them. DNS normally assumes the use of hosts with static IP addresses, so a dynamic DNS service automates the DNS update process for hosts without static IP addresses.

Dynamic (default) NAT: A NAT that is determined automatically by the firewall or router when network traffic has been sent without an applicable static (manual) NAT.

Email Proxy: An SMTP server stand-in that serves to determine which communications should be allowed to reach the SMTP (email) server, and to relay valid connections. See Mail Proxy.

Encapsulation: Wrapping a traffic packet within another protocol to facilitate routing, add encryption, or bypass restrictions. For example, encapsulating HTTP traffic within an SSH tunnel wraps HTTP within the SSH protocol and adds a layer of encryption. Encapsulation also hides the inner traffic from policy inspection, which is why bridged protocols and unknown HTTP methods are treated cautiously in this guide.

Figure F.1: How Encapsulation Works


Ethernet A family of link-layer networking standards (IEEE 802.3) covering the cabling, signaling and framing over which TCP/IP and other protocols are carried.

Ethernet Card Network card specializing in Ethernet communications. See Network Card.

External Network A network that is logically outside the scope of firewall protection. Since every firewall has limited processing power and not all networks are under your direct responsibility, it is desirable, for example, to put the Internet on the external network, where the firewall will not attempt to apply policies to traffic passing into it.

Failover A mechanism for automatically replacing a failed unit with a functionally equivalent substitute. In networking, failover is used to minimize service interruptions when a hardware or software malfunction occurs. See H2A High Availability.

Feature An aspect of software functionality, either standard or optional.

Firewall A network device specializing in security policy enforcement: the acceptance or denial of network traffic. Because routers specialize in routing policy but lack sophisticated security policy enforcement tools, they should not be considered a substitute for a firewall.

Gateway A default route; the host through which all outbound traffic not covered by a more specific route must pass. If NAT is applied, outbound packets receive the gateway host's external IP address as their source address when leaving the internal network.

H2A High Availability A failover service option available on select GTA firewalls.

Hop Count The number of routing devices, such as routers or firewalls, that a packet passes through before arriving at its final destination.

Host A computer or other network device, such as a firewall or router.

HTTP Hypertext Transfer Protocol; a TCP/IP protocol for transferring web pages (HTML documents and their embedded media), typically used by web browsers like Internet Explorer, Firefox and Safari.

HTTP Proxy A stand-in service for HTTP (web page) requests. On GTA firewalls, it may restrict web page requests according to the configured Content Filtering policies.

Inbound Security Policy A firewall policy governing external connections to and through the firewall's external network interface, such as remote administration connections, user authentication connections, and VPN connections.

Inbound Tunnel A firewall policy that allows traffic from the external or PSN network to reach hosts on the protected or PSN network. Tunnels differ from bridging in that they usually apply NAT, so the real IP addresses and open ports of hosts on the internal destination network stay hidden. Because an inbound tunnel typically applies NAT and admits traffic only to a specific host and port rather than accepting traffic unconditionally, it is not generally considered a "crack".

Interface Object An object type containing network interface configuration information, such as Ethernet/NIC or modem.

Internal Network A logically protected network. By default, GTA Firewall UTM Appliances allow all outbound traffic from internal (protected or PSN) networks, but deny unsolicited inbound traffic from less trusted (external or PSN) networks.


Intrusion Prevention System An Intrusion Prevention System (IPS) protects hosts behind the GTA Firewall UTM Appliance with policies that allow or deny traffic based on what the traffic contains and does, rather than only on IP address or port restrictions.

IP Address A number used by the IP protocols to identify a host, often stated together with the subnet mask, which specifies the network the host belongs to. An IPv4 address consists of four numbers (octets), each ranging from 0 to 255 and separated by periods; an example internal IP address is 192.168.71.254.

IP Alias An additional IP address that is not the real (primary) address of a host but points to it. By configuring IP aliases, firewall filters can define additional alias-based policies to express more complex security policies.

Figure F.2: Using IP Aliases

IP Protocol A protocol used by hosts that have IP addresses to communicate with other such hosts, for example TCP, UDP or ICMP; each is identified by a protocol number in the IP header.

IPSec Object An object type storing configuration data used by IPSec connections.

L2TP Layer 2 Tunneling Protocol; a tunneling protocol used to support virtual private networks (VPNs). L2TP provides no encryption of its own and is normally carried inside IPSec (L2TP/IPSec).


LAN Local Area Network; typically the internal network, using Ethernet 10/100/1000 Mbps connections via Ethernet network cards.

Figure F.3: Simple LAN Setup (Internet, Internet router acting as gateway, firewall, switch, personal computers and server computers)

LCL Local Content List; on GTA firewalls, a list of accepted and denied URLs consulted when the traditional or transparent HTTP proxy receives a host's request for web page traffic.

Lease A period of time for which a host is given possession of a given resource. Typically this is a DHCP lease or VPN lease.

Log Message A record that a host keeps of its activities. On GTA firewalls, messages use the WELF standard (WebTrends Enhanced Log Format) to record GB-OS and network activity. This is especially useful when tracing network attacks or unintentionally denied network traffic.

Logical Network An organizationally separate part of a larger network. Hosts within a given logical network differ in some semantically important way from hosts on other logical networks, and this is usually reflected in the firewall configuration. Basic GTA firewall logical network types are protected, PSN and external.


Figure F.4: 3 Logical Network Types

Mail Proxy The SMTP proxy on GTA firewalls. Mail Proxy options add extended SMTP proxy features, such as virus and spam scanning.

Mail Proxy Anti-Spam A subscription option providing email categorization and acceptance, conditional acceptance (quarantine) or denial based on spam-like characteristics.

Mail Proxy Anti-Virus A feature providing email acceptance, conditional acceptance (quarantine), or denial based on the presence of a known virus in an email attachment. Anti-Virus is available with a valid support contract.

NAT Network Address Translation; a dynamic (automatic) or static (manual) translation of the source and destination IP addresses (and ports) in TCP/IP packet headers. It is usually used to hide the IP addresses and open ports of internal networks from potential attackers on outside networks. On GTA firewalls, each translation is kept in a connection state table, which also provides the basis for stateful packet inspection.

Net Mask See Subnet Mask.

Network One or more hosts connected to each other by a communication method such as TCP/IP over Ethernet cabling.

Network Card Network Interface Card (NIC); a hardware device providing a connection point on the host for networks such as Ethernet or serial modem (PPP).

Network Class The size of a network under classful IPv4 addressing, as indicated by its subnet mask. A Class A network (subnet mask 255.0.0.0) has 16,777,214 usable host addresses, a Class B network (255.255.0.0) has 65,534, and a Class C network (255.255.255.0) has 254; in each case two addresses of the block are reserved as the network and broadcast addresses. Most internal networks use Class C-sized (/24) ranges. Classful addressing has been superseded by CIDR, under which a network prefix may be any length, but the class names remain in common use.

Network Transparency The ability of network-capable software to transmit data through the firewall without additional workarounds, as if the firewall were a router or other non-firewall network device.


Network Type See Logical Network.

NIC See Network Card.

NTP Network Time Protocol; used to synchronize host clocks against NTP servers worldwide, giving accurate and consistent timestamps for logging and other time-based software. Consistent time is also what makes log entries from different hosts comparable when reconstructing an incident.

Object A data set that is defined once but may be referred to many times throughout the GTA firewall configuration. Types include address objects, encryption objects, service group objects, time group objects and IPSec objects.

Option A non-standard feature that must be purchased separately; payment may be either one-time or subscription-based.

OSPF Open Shortest Path First; an interior gateway protocol (IGP) for routing within a single network. Routers exchange link-state advertisements (LSAs), and from them each builds a link-state database (LSDB) describing the network topology, from which it computes shortest paths. OSPF runs directly over IP as protocol number 89.

Outbound Security Policy A type of firewall rule affecting outbound traffic. By default, all outbound traffic from the protected network is allowed; outbound policies are useful for restricting certain internal hosts to reaching only certain external hosts rather than the whole Internet.

Packet The basic unit of data transmission in TCP/IP networks. A packet consists of a header, including the source and destination IP addresses used for routing, and a data portion carrying the payload. The maximum packet size (MTU) on Ethernet is typically 1,500 bytes, but is adjustable.

Figure F.5: The Packet

Pass Through Policy A type of firewall filter describing traffic that should be passed without NAT. It differs from a bridged interface in that it only bypasses NAT for the matching traffic, which is still routed normally.


Phishing The use of communications such as email, web pages or instant messages to present a fraudulent identity and induce a person to divulge personal information to an attacker. For example, an attacker might send an email that looks like a bank communication, with a link to a web page that asks recipients to confirm some bank details; the attacker then gathers their account information. Restrictive security policies on a firewall's email and web proxies, combined with user education, can successfully combat phishing attacks.

Ping A network connectivity test that sends ICMP echo request packets to a host and times the echo reply, if any. Also, software of the same name.

Port Scan A systematic test for open ports on a host or network. Identifying open communication ports reveals points of network security weakness and potential points of attack, so this information is frequently gathered as a security measure by administrators, although it is also gathered by attackers; nmap is a widely used port scanner. In firewall logs a scan typically appears as one source address being denied on many different destination ports in a short time.
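As an added example (not part of the GB-OS documentation or product), the following Python parses WELF-style log records such as the Log Message entry describes and applies the port-scan heuristic above: one source denied on many distinct destination ports. The log lines are constructed for the example, and the field names (src, dst, dstport, msg) follow common WELF usage rather than the exact output of any GB-OS release.

```python
import re
from collections import defaultdict

# WELF records are space-separated key=value pairs; values containing spaces
# are double-quoted. The pattern accepts backslash-escaped characters inside
# quotes so an escaped quote does not end the value early.
_PAIR = re.compile(r'(\w+)=("(?:\\.|[^"\\])*"|\S+)')

# Constructed sample log. Field names follow common WELF usage and are an
# assumption, not the exact output of a particular GB-OS release.
SAMPLE_LOG = """\
id=firewall time="2014-10-15 09:12:01" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=192.0.2.5 srcport=40112 dst=203.0.113.10 dstport=22
id=firewall time="2014-10-15 09:12:01" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=192.0.2.5 srcport=40113 dst=203.0.113.10 dstport=23
id=firewall time="2014-10-15 09:12:02" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=192.0.2.5 srcport=40114 dst=203.0.113.10 dstport=25
id=firewall time="2014-10-15 09:12:02" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=192.0.2.5 srcport=40115 dst=203.0.113.10 dstport=80
id=firewall time="2014-10-15 09:12:03" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=192.0.2.5 srcport=40116 dst=203.0.113.10 dstport=443
id=firewall time="2014-10-15 09:12:03" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=192.0.2.5 srcport=40117 dst=203.0.113.10 dstport=3389
id=firewall time="2014-10-15 09:13:10" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=198.51.100.7 srcport=51000 dst=203.0.113.10 dstport=25
id=firewall time="2014-10-15 09:13:15" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=198.51.100.7 srcport=51001 dst=203.0.113.10 dstport=25
id=firewall time="2014-10-15 09:13:20" fw=gb-fw1 pri=4 msg="deny" proto=tcp src=198.51.100.7 srcport=51002 dst=203.0.113.10 dstport=25
id=firewall time="2014-10-15 09:14:00" fw=gb-fw1 pri=6 msg="accept outbound" proto=tcp src=192.168.71.20 srcport=50001 dst=198.51.100.44 dstport=443
"""


def parse_welf(line: str) -> dict:
    """Split one WELF record into a dict, unquoting quoted values.

    Raises ValueError if any of the four mandatory WELF fields is missing,
    so a truncated or foreign line is not silently mis-parsed.
    """
    rec = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        rec[key] = raw
    for required in ("id", "time", "fw", "pri"):
        if required not in rec:
            raise ValueError(f"missing mandatory WELF field {required}: {line!r}")
    return rec


def denied_ports_by_source(lines) -> dict:
    """Map each source address to the set of destination ports it was denied on."""
    ports = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_welf(line)
        if rec.get("msg") != "deny" or "dstport" not in rec:
            continue
        ports[rec["src"]].add(int(rec["dstport"]))
    return ports


def port_scan_sources(lines, threshold: int = 5) -> dict:
    """Return {source: sorted ports} for sources denied on >= threshold distinct ports.

    Repeated denials on a single port (a retrying mail client, say) are not a
    scan; breadth across ports is the signal. A production detector would
    also bound this by a time window.
    """
    return {src: sorted(p) for src, p in denied_ports_by_source(lines).items()
            if len(p) >= threshold}


if __name__ == "__main__":
    for src, ports in port_scan_sources(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: ports {ports}")
```

Run against the sample, only 192.0.2.5 is reported; 198.51.100.7 was denied three times but always on port 25, which is a retry pattern, not a scan. The threshold and the missing time window are the knobs a real deployment would tune.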

Policy A firewall rule to accept or deny network traffic, "filtering" out undesirable transmissions according to your network security policy. GTA firewalls may employ ACLs to configure filter behavior.

Figure F.6: How to Connect Through the Firewall. The diagram shows inbound and outbound traffic between the Internet and the protected network passing, in order, through inbound security policies or outbound policies; tunnels, static address maps and pass-through policies; and the Mail Proxy and Content Filtering/Web Filtering. If you can't connect through the firewall, check in order:

1. Is access allowed? (inbound/outbound policies)
2. Is the connection routable? (tunnels/static address maps/pass-through)
3. Is the content permissible, if the connection is proxied? (Mail Proxy/Content Filtering/Web Filtering)

Policy Type Fundamentally, all firewall filters are rules about traffic acceptance or denial. Acceptance or denial may be based on time, on the traffic's location on a logically internal (protected or PSN) or external network, or on protocol type.


PPP Point-to-Point Protocol; a protocol frequently used to negotiate serial modem network connections.

PPTP Point-to-Point Tunneling Protocol; a method of implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. Its usual authentication (MS-CHAPv2) and encryption (MPPE) have known weaknesses, so PPTP should not be relied on where a stronger VPN such as IPSec is available.

Private Network An internal (protected or PSN) network.

Protected Network A logical network type. It is the most protected by default: all outgoing connections are allowed, but all unsolicited inbound connections are denied. A type of internal network, typically the LAN.

Proxy A stand-in between a requesting host and a server that mediates requests, such as an HTTP proxy or SMTP proxy. Because proxies are an intermediate point, they are also a point where policy can be enforced, such as refusing invalid email connections or refusing web page requests for inappropriate URLs.

PSN Private Service Network; a type of semi-internal network that is protected by the firewall but has many more open ports ("cracks") to allow services to be made available to the external network. Because it is less sheltered than the protected network type, it is kept logically separate, so that a compromised PSN host does not gain free access to the protected network. GTA's DMZ provides additional protection over the standard DMZ implementation, and so is called a PSN instead.

Remote Administration A method, or its software, for configuring the firewall over the network without a direct console connection (serial, terminal, or monitor and keyboard). If performed from the external network, this requires an inbound security policy to allow the connection; such a policy should be limited to known source addresses and to an encrypted protocol.

Remote Logging Keeping a copy of firewall event notices on a network host other than the firewall. This is useful as a diagnostic and recovery tool, especially since one of an attacker's first objectives is to remove evidence of the attack, such as logs, from compromised hosts.

RIP Routing Information Protocol; a distance-vector routing protocol by which routers and firewalls on a network exchange their known routes, each advertising the networks it can reach and the hop count to them.

Router A network device whose primary function is to route network packets to their correct destination. Because routers are merely traffic directors and do not provide a framework for security policy enforcement, they should not be considered a replacement for a firewall.

Routing The reception and redirection of a network packet according to delivery rules. Static and dynamic routing rules, as well as routing protocols, help a router or firewall determine network traffic paths (routes).

Runtime A runnable software program. On GTA firewalls, this is the firewall software that runs on appliances and software firewalls.

Secure Protected from harm. In computing, this usually implies that access has been restricted, users have been authenticated, unusual behavior is logged and encryption has been applied, so that all users of a computing resource are known and its information is cryptographically protected from unauthorized parties.

SNMP Simple Network Management Protocol; a protocol for monitoring and managing routers, firewalls and other network devices from a central station, including reading status and configuration information, which makes managing groups of network appliances faster. Versions 1 and 2c authenticate only with a cleartext community string and send all data unencrypted, so they are inherently insecure; version 3 of the protocol adds authentication and encryption.


Spam Unsolicited bulk email. While some security professionals do not consider spam a security threat in itself, the growing correlation between spam, electronic fraud and worms makes it a significant one. GTA firewalls equipped with Mail Proxy Anti-Spam can reduce spam transmission.

Spoofing Presenting a fraudulent identity, such as a forged email or source IP address, in an attempt to pose as a known person or host or to gain access to network resources. GTA firewalls mitigate spoofing by maintaining a connection table and checking incoming traffic against it to make sure connections arrive on the expected interface, and by performing other policy checks on all incoming traffic to verify its authenticity.

SSL Secure Sockets Layer; a way of providing authenticated and encrypted communications using certificates or keys, used primarily for secure web browser communications but also in many other ways. SSL has been superseded by TLS (Transport Layer Security), although the name SSL is still commonly used for both.

SSL Browser & Client GTA's remote access SSL Browser and Client.

Stateful Packet Inspection On GTA firewalls, a system of checks performed on each network packet to verify that it meets the expectations logically deduced from the connection state table: for example, that an inbound packet belongs to a connection an internal host initiated. Packets that do not meet these expectations, such as IP address spoofs, are treated as attacks and denied.

Static Address Mapping A routing rule that directs outbound NAT'd traffic through an IP alias other than the default route.

Static NAT Default NAT is determined automatically, but in some cases a predetermined IP address translation for outgoing traffic is desirable, and a manual (static) NAT mapping may be applied.

Static Routes A routing rule that overrides the decision the subnet mask would make about whether a packet belongs on the local network or must go to the gateway. For example, a host at 192.168.1.10 with subnet mask 255.255.255.0 would normally send packets for 192.168.2.20 to its default gateway, because that destination lies outside its own class C-sized subnet; a static route for 192.168.2.0/24 via an internal router at 192.168.1.2 keeps the traffic inside the internal network. When several routes match a destination, the one with the longest (most specific) subnet mask wins.

Stealth Mode A set of firewall rules specifying that ping or traceroute requests for the firewall's IP address from the external network are not answered. Because the firewall cannot be "seen" using these conventional connectivity tests, it is hidden from some network scans; it does not, however, hide any ports the firewall has open, which a scanner that probes services directly will still find.

Subnet Mask A numerical value, written like an IP address (for example 255.255.255.0), that shows which network (or subnetwork) an IP address belongs to: the bits set in the mask select the network part of the address, so with 255.255.255.0 all addresses sharing the same first three octets (24 bits) belong to the same subnetwork. Without a static route, IP addresses outside the range indicated by the subnet mask are assumed to be external, and packets for them are sent to the gateway.
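As an added example (not GB-OS code) covering the Network Class, Static Routes and Subnet Mask entries, the Python below shows how a host or firewall applies a subnet mask, how it chooses between the default gateway and a static route by longest-prefix match, and how many usable host addresses a given mask allows. The addresses, mask, interface names and routes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # destination prefix this route covers
    next_hop: Optional[str]          # None: deliver directly on the link
    interface: str


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if a and b share the network part selected by mask.

    The mask is applied bitwise: 255.255.255.0 keeps the first 24 bits
    (three octets), so 192.168.1.10 and 192.168.1.200 compare equal.
    """
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(a)) & m == int(ipaddress.IPv4Address(b)) & m


def usable_hosts(mask: str) -> int:
    """Usable host addresses in a block with this mask (network and broadcast
    addresses excluded, except for /31 and /32 point-to-point blocks, where
    every address is usable)."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add_connected(self, addr_with_mask: str, interface: str) -> None:
        # "192.168.1.10/255.255.255.0": the whole 192.168.1.0/24 is on-link.
        iface = ipaddress.IPv4Interface(addr_with_mask)
        self.routes.append(Route(iface.network, None, interface))

    def add_static(self, prefix: str, next_hop: str, interface: str) -> None:
        self.routes.append(Route(ipaddress.IPv4Network(prefix), next_hop, interface))

    def add_default(self, gateway: str, interface: str) -> None:
        # The default route is just the least specific static route, 0.0.0.0/0.
        self.add_static("0.0.0.0/0", gateway, interface)

    def lookup(self, destination: str) -> Route:
        dst = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            raise LookupError(f"no route to {destination}")
        # Longest-prefix match: the most specific route wins, so a static
        # route for 192.168.2.0/24 beats the 0.0.0.0/0 default.
        return max(candidates, key=lambda r: r.network.prefixlen)


def example_table() -> RoutingTable:
    """Constructed table for a host at 192.168.1.10/24 whose gateway is a
    firewall at 192.168.1.254, with a second internal subnet reachable via
    an internal router at 192.168.1.2 (all addresses are assumptions)."""
    t = RoutingTable()
    t.add_connected("192.168.1.10/255.255.255.0", "eth0")
    t.add_static("192.168.2.0/24", "192.168.1.2", "eth0")
    t.add_default("192.168.1.254", "eth0")
    return t


def describe(table: RoutingTable, destination: str) -> str:
    r = table.lookup(destination)
    where = "directly on the link" if r.next_hop is None else f"via {r.next_hop}"
    return f"{destination}: {r.network} {where} ({r.interface})"


if __name__ == "__main__":
    t = example_table()
    for d in ("192.168.1.20", "192.168.2.7", "8.8.8.8"):
        print(describe(t, d))
    print("class C usable hosts:", usable_hosts("255.255.255.0"))
```

With this table, 192.168.1.20 is delivered on the link, 192.168.2.7 goes to the internal router because the /24 static route is more specific than the default, and 8.8.8.8 matches only 0.0.0.0/0 and goes to the firewall.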

Subscription GTA firewall optional features that require periodic renewal fees.

Syslog A style of logging, and the same-named Unix software, that facilitates both local and remote event logging. Traditional syslog is sent over UDP port 514 with no encryption or authentication, so the path between the firewall and the log host should be trusted or protected.

TCP/IP Protocol A group of defined network behaviors that allow networked hosts to exchange data.

Time Group A method of defining time-dependent filters on GTA firewalls.


Timeout The expiration of a waiting period for an expected event. For example, many network connections have timeouts, after which the connection is closed if there has been no further data transmission.

Traceroute A network connectivity test that determines which routers or firewalls packets pass through on their way to a given destination. It sends probes with a gradually increasing hop limit (the IP time-to-live, TTL) and waits, after each increase, for the ICMP "time exceeded" response from the router at which the limit expired. Unix implementations usually send UDP probes; Windows sends ICMP echo requests. Also, software of the same name.

Traffic Shaping Bandwidth limiting. Because only a finite amount of data can be transmitted per unit of time, the resource must sometimes be allocated according to need and priority. On GTA firewalls, traffic shaping policies apply bandwidth need and priority policies. Also, an object type that stores a traffic shaping configuration.

Traffic Shaping Object An object that defines traffic shaping policies that may be applied to traffic passing through a GTA firewall.

Trojan Malware that masquerades as a legitimate program and uses psychological tricks to convince users to run it, thereby unwittingly overriding other security measures. Unlike a virus or worm, a trojan does not replicate itself.

Tunnel The path established by one network to send its data over another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. SSH port forwarding is one common form of tunnel, which is why tunneling is sometimes loosely called "port forwarding".

Figure F.7: How Tunnels Work. Tunnels encrypt/encapsulate packets within other packets to facilitate routing (non-IP protocol traffic over the Internet, TCP/IP port redirection) and security (encryption); VPN and SSH connections are frequently tunneled. The diagram follows a packet from an internal host to an SSH server with internal address 10.10.1.8 port 22, reached through external address 201.201.2.8 port 2288:

1. The packet is sent with its internal source IP address.
2. The source's gateway adds an outgoing port and external IP address wrapper; encryption may be added.
3. The destination tunnel gateway removes the wrapper, allowing the packet to be routed to an internal destination; any additional encryption is removed.
4. The destination receives the packet.

URL Uniform Resource Locator; the protocol prefix, host address and file location of a network resource, such as a web page or folder. An example is http://www.gta.com/index.php.


Verification In authentication, the process of checking provided credentials for a match with known acceptable credentials. This may include checking a user name, a password and/or an SSL certificate.

Virtual Crack A temporary, automatic crack created by the firewall when stateful packet inspection determines that a secondary connection is necessary and allowable, for example the data connection that an FTP session negotiates over its control channel. Because firewalls are by definition security policy enforcement devices, "cracks" in this security are not advisable but are sometimes necessary to provide application functionality. Virtual cracks reduce administrator burden and security risk because they are opened only for the expected peer and port and only for as long as needed, minimizing the exposure time and human error normally associated with manually created cracks.
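As an added example (not GB-OS code, and not a description of GB-OS internals), the following Python models the pieces the NAT, Spoofing, Stateful Packet Inspection and Virtual Crack entries describe: a connection state table that outbound traffic creates and inbound traffic is checked against, an anti-spoofing check, a static inbound tunnel, and a one-shot virtual crack opened for the data connection of an active-mode FTP session. The addresses, ports, interface names and the PORT-command rewriting are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed layout: one protected subnet behind one external address.
PROTECTED = ipaddress.IPv4Network("192.168.71.0/24")
EXT_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    iface: str            # interface it arrived on: "protected" or "external"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Firewall:
    # State table: (EXT_IP, nat_port, remote_ip, remote_port) -> (internal_ip, port).
    # Every NAT translation lives here; inbound packets are checked against it.
    state: dict = field(default_factory=dict)
    # Virtual cracks: (EXT_IP, port) -> (internal_ip, port, expected_peer_ip).
    pinholes: dict = field(default_factory=dict)
    # Inbound tunnels (static policy): external port -> (internal_ip, port).
    tunnels: dict = field(default_factory=dict)
    next_port: int = 40000

    def _alloc_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def handle(self, pkt: Packet) -> tuple[str, Optional[Packet]]:
        """Return (verdict, translated packet or None)."""
        if pkt.iface == "external" and ipaddress.IPv4Address(pkt.src) in PROTECTED:
            # Anti-spoofing: an internal source can never legitimately arrive
            # on the external interface, whatever the state table says.
            return "deny:spoofed-source", None
        return self._outbound(pkt) if pkt.iface == "protected" else self._inbound(pkt)

    def _outbound(self, pkt: Packet):
        # Default policy: outbound from the protected network is allowed.
        # Reuse the flow's state entry if one exists, otherwise create one.
        key = next((k for k, v in self.state.items()
                    if v == (pkt.src, pkt.sport) and k[2:] == (pkt.dst, pkt.dport)), None)
        if key is None:
            key = (EXT_IP, self._alloc_port(), pkt.dst, pkt.dport)
            self.state[key] = (pkt.src, pkt.sport)
        payload = pkt.payload
        if pkt.dport == 21 and payload.startswith(b"PORT "):
            payload = self._ftp_port_alg(pkt, payload)
        return "accept:outbound", Packet("external", key[0], key[1], pkt.dst, pkt.dport, payload)

    def _ftp_port_alg(self, pkt: Packet, payload: bytes) -> bytes:
        # Active FTP: the client's "PORT h1,h2,h3,h4,p1,p2" tells the server
        # where to connect back. That address is internal and unreachable, so
        # open a one-shot pinhole on EXT_IP restricted to this server and
        # rewrite the command to point at it (the classic FTP ALG).
        n = [int(x) for x in payload[5:].strip().split(b",")]
        client_ip, client_port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        hole = self._alloc_port()
        self.pinholes[(EXT_IP, hole)] = (client_ip, client_port, pkt.dst)
        return f"PORT {EXT_IP.replace('.', ',')},{hole // 256},{hole % 256}\r\n".encode()

    def _inbound(self, pkt: Packet):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:                       # reply to a tracked flow
            ip, port = self.state[key]
            return "accept:established", Packet("protected", pkt.src, pkt.sport, ip, port, pkt.payload)
        hole = self.pinholes.get((pkt.dst, pkt.dport))
        if hole and hole[2] == pkt.src:             # virtual crack, consumed on use
            del self.pinholes[(pkt.dst, pkt.dport)]
            self.state[key] = hole[:2]
            return "accept:virtual-crack", Packet("protected", pkt.src, pkt.sport, hole[0], hole[1], pkt.payload)
        tunnel = self.tunnels.get(pkt.dport)
        if tunnel and pkt.dst == EXT_IP:            # inbound tunnel (static policy)
            self.state[key] = tunnel
            return "accept:inbound-tunnel", Packet("protected", pkt.src, pkt.sport, tunnel[0], tunnel[1], pkt.payload)
        # Nothing solicited it and no policy admits it: default deny.
        return "deny:unsolicited-inbound", None
```

The pinhole is bound to the FTP server's address and deleted on first use, which is what keeps a virtual crack narrower than a manually opened port; the model omits timeouts, so an unused pinhole would stay open, which a real implementation must not allow.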

Virus A self-replicating program that attempts to spread itself to other computers, usually by unauthorized means and usually with harmful effects. Computer viruses exist for many kinds of electronic devices, including cell phones, and an infection is considered a compromise of network security. Viruses can be blocked by anti-virus scanning such as Mail Proxy Anti-Virus and by secure network policies enacted on the firewall.

VLAN Virtual Local Area Network; a network of computers that behave as if they were connected to the same wire even though they may be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible.

VPN Virtual Private Network; a combination of packet encapsulation (tunneling), authentication and encryption used to connect a host on an external, untrusted network (e.g. the Internet) to the internal (private) network. Secure VPN connections are typically used by travelers, remote offices or telecommuters to reach internal network resources from abroad without creating cracks that could compromise internal network security.

Figure F.8: How VPNs Work. Virtual private networks use two things to connect external hosts securely: authentication and encryption.

1. Authentication ensures that only trusted hosts can gain network access. If a computer has not logged in with the VPN gateway (the GTA firewall), its connection is denied (1a). If it provides valid credentials, such as a password and pre-shared secret, the VPN gateway adds it to the list of computers allowed to connect (1b).
2. Encryption defeats interception of traffic by scrambling the data. Once authenticated, a computer uses encryption to prevent digital eavesdropping ("packet sniffing") by any in-between points on the Internet, including unauthorized hosts.

The diagram shows an unauthorized host; an authorized host running VPN client or gateway software, which handles authentication and encryption; the firewall with the VPN option (the VPN gateway); and the internal network.


VPN Certificate A data structure used to authenticate the parties when initiating a VPN connection.

Web Filtering A GTA firewall content filtering option. Web Filtering is a subscription-based option that allows more detailed content filtering via URL categorization.

Worm A type of self-replicating malware that spreads automatically over network connections to other susceptible hosts, without needing a user to run it. Worm propagation can be effectively contained if the firewall denies communication on the ports a worm requires to transmit itself.


Legal

License Agreement

READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THIS SOFTWARE OR THE ACCOMPANYING USER DOCUMENTATION (THE "PROGRAM"). THE PROGRAM IS COPYRIGHTED AND LICENSED (NOT SOLD). BY USING THE PROGRAM, YOU ARE ACCEPTING AND AGREEING TO THE TERMS OF THIS LICENSE AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT, PROMPTLY RETURN THE UNUSED PROGRAM WITHIN TEN (10) DAYS AND YOU WILL RECEIVE A FULL REFUND OF THE AMOUNTS YOU PAID FOR THE USE OF THE PROGRAM.

Global Technology Associates, Inc.
License Agreement for GB-OS

15 October 2014

The enclosed Licensed Program (“Software”) from Global Technology Associates, Inc. (“GTA”) contains modules contributed by or licensed from other third parties. Copyrights in the Software are claimed by GTA, The Regents of the University of California (the “Regents”) and other contributors as indicated by proprietary notices located within their respective modules.

© Copyright 1996-2014 Global Technology Associates, Inc. All rights reserved.

1. License Grant. Under the terms of this license, you are hereby granted and you accept a non-exclusive license to use the Software and the accompanying user documentation ("User's Guide") only as authorized in this license agreement. This license agreement allows you to run one copy of the Software on a single system (the "System") only. In addition, you may make copies of the Software in machine-readable form for backup purposes only in the event that the supplied Media are damaged or destroyed. All copies of the Software must be kept in your possession and are the property of GTA. Any such copies of the Software and the User's Guide shall include the GTA copyright notice and other proprietary notices as contained in the original materials licensed to you. Except as authorized under this paragraph, no copies of the Software or User's Guide or any portions thereof may be made by you or any person under your authority or control.

2. Restrictions. You agree that you will not assign, sublicense, transfer, pledge, lease, rent, or share your rights under this License Agreement. You agree that you may not reverse engineer, reverse assemble, reverse compile, or otherwise translate the Software. You may not modify, distribute or create derivative works based on the Software in whole or part. You agree that you may not reverse engineer, reverse assemble or attempt to duplicate any copy protection mechanism.

3. Licensor’s Rights. You acknowledge and agree that the Software and the User’s Guide are proprietary products of GTA and/or GTA’s licensors protected under U.S. Copyright law. You further agree that all right, title and interest in and to the Software, including associated intellectual property rights, are and shall remain with GTA and/or GTA’s licensors.

4. Term. This license will terminate immediately without notice from GTA if you fail to comply with any provision of this license agreement. Upon such termination, you agree to return to GTA or destroy all copies of the Software and User’s Guide, along with any backup or other copies in your possession and a signed statement to the effect that no other customer-made copies are in existence.

5. Limited Warranty.

5.1. GTA warrants, for your benefit alone, that the Media on which the Software is contained is free from defects in material and workmanship under normal use for a period of thirty (30) days from the date of delivery (referred to as the "Warranty Period"). GTA's entire liability and your exclusive remedy if the Media is defective, and which is returned to GTA, shall be the replacement of the Software during the warranty period.

5.2. GTA warrants, for your benefit alone, that during the Warranty Period the Software shall operate substantially in accordance with the functional specifications in the User's Guide. If during the Warranty Period, a defect in the Software appears, GTA's sole obligation under this warranty shall be limited to either replacement of the Software or using reasonable efforts to correct such defects and provide you with a corrected version of such Software as soon as practicable after you have notified GTA of such defects. GTA does not warrant that operation of any of the Software shall be error-free or uninterrupted or the Software will meet your requirements.

5.3. This Limited Warranty is void, if failure of the Software or Media is the result of accident, abuse or misapplication.

5.4. Except for the warranties set forth above, the Software is licensed "as is" and GTA specifically disclaims any and all other warranties, whether express or implied, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose.

6. Limitation of Liability. In no event shall GTA’s cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of or relating to this Agreement exceed the amount paid by you for use of the Software. IN NO EVENT SHALL GTA BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR EXEMPLARY DAMAGES OR LOST PROFITS, EVEN IF GTA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

7. Trademark. GNAT Box is a registered trademark of GTA. No right, license, or interest to such trademark is granted hereunder, and you agree that no such right, license, or interest shall be asserted by you with respect to such trademark.


8. U.S. Government Restricted Rights. The Licensed Program is “Restricted Computer Software” as that term is defined in Clause 55.227-19 of the Federal Acquisition Regulations (“FAR”) and is “Commercial Computer Software” as that term is defined in Subpart 227.401 of the Department of Defense Federal Acquisition Regulation Supplemental (“DFARS”). If the Licensed Program is supplied to the Department of Defense (“DoD”), it is classified as “Commercial Computer Software” and the Government is acquiring only “restricted rights” in the Licensed Program and its documentation as that term is defined in Clause 252.227-7013 of the DFARS. If the Licensed Program is supplied to any unit or agency of the United States Government other than the DoD, the Government’s rights in it and its documentation will be as defined in Clause 55.227-7013. Where the terms and conditions of this Software License Agreement conflict in any manner with the FAR or DFARS, the terms and conditions specified herein shall take precedence.

Under the terms of this license, you are required to include the foregoing restrictions in all license agreements with the United States government or any subdivision thereof and in all sublicense agreements with other third parties which permit further sublicense of the Licensed Program for eventual end-use by the United States government or any subdivision thereof.

9. Governing Law and Severability. This license agreement shall be governed by and construed in accordance with the laws of the State of Florida. Should any term of this license agreement, or portion thereof, be declared void or unenforceable by any court of competent jurisdiction, such declaration shall have no effect on the remaining terms thereof.

10. Compliance with Law; Export. You agree not to export or re-export the Software and other technical data received from GTA (i) into (or to a national or resident of) Cuba, Iraq, Libya, Sudan, North Korea, Iran, Syria or any other country to which the U.S. has embargoed goods; or (ii) to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Table of Denial Orders. By using the Software, you are agreeing to the foregoing and you are representing and warranting that you are not located in, under the control of, or a national or resident of any such country or on any such list.

11. Complete Agreement. You acknowledge that you have read this agreement and understand it and agree to be bound by its terms and conditions. You further agree that it is the complete and exclusive statement of the agreement between GTA and you which supersedes any proposal or prior written agreement, oral or written, and any other communications between us relating to the subject matter of this agreement. No amendment to or modification of this agreement will be binding unless in writing and signed by a duly authorized representative of GTA.

12. The Regents Copyright and Disclaimer. © Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. This product includes software developed by the University of California, Berkeley and its contributors.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS’’ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the Regents of the University of California.


Legal Notices

Copyright © 1996-2014, Global Technology Associates, Incorporated (GTA). All rights reserved.

Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support

GTA includes 30 days “up and running” installation support from the date of purchase. See GTA’s Web site for more information.

GTA’s direct customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local Authorized GTA Channel Partner.

Tel: +1.407.380.0220 Email: [email protected]

Disclaimer

Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes.

Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products.

Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights

‘GB-OS’ and ‘GB-Ware’ are registered trademarks of Global Technology Associates, Incorporated. ‘Global Technology Associates’ and ‘GTA’ are service marks of Global Technology Associates, Incorporated.

Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

UNIX is a registered trademark of The Open Group.

Linux is a registered trademark of Linus Torvalds.

BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley.

WELF and WebTrends are trademarks of NetIQ.

Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries.

Java software may include software licensed from RSA Security, Inc.

Some products contain software licensed from IBM, which is available at http://oss.software.ibm.com/icu4j/.

Some products include software developed by the OpenSSL Project (http://www.openssl.org/).

All other products are trademarks of their respective companies.

Global Technology Associates, Inc. • 3361 Rouse Rd, Suite 240 • Orlando, FL 32817 USA

Tel: +1.407.380.0220 • Fax: +1.407.380.6080 • Web: http://www.gta.com • Email: [email protected]