© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 1
DISCLAIMER
All rights reserved. This product and related documentation are protected by copyright and distribution under licensing
restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means,
or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief
quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other
purpose is in violation of copyright laws.
While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or
omissions and makes no explicit or implied claims to the validity of this information. This document and features described
herein are subject to change without notice.
This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither
Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability,
loss or damage caused or alleged to have been caused directly or indirectly by this book.
Trademarks:
© Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.
© Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.
© Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.
© Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.
Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective
companies. Specifications and descriptions subject to change without notice.
All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a
term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product
manuals for complete trademark information.
Agenda - ACE
DAY ONE DAY TWO DAY THREE
Astaro Product Overview VoIP Security Additional Products
Available Products H.323 ACC
AXG System Architecture SIP Astaro Report Manager
Refresher ACA
Troubleshooting
Networking WebGui
VLAN Command Line
Link Aggregation
Bridging
Policy Routing
OSPF
Quality of Service
Before we start …
/ ACE Exam
ACE Certificates & Exams
ACE certification signifies that an individual has:
Achieved ACE certification
Passed the ACE web-based exam
Demonstrated knowledge required to implement and configure Astaro Security products with
extended features
Before we start …
/ Course Objective
Henry Ford
Astaro Product Overview
Product Overview
Available Products
/Astaro Security Gateway
Astaro Security Gateway is a blend of open-source, proprietary
and OEM technology, combined to create an all-in-one device
that runs as the perimeter security gateway on a network.
Astaro Security Gateway is built on an integrated management
platform that makes it easy to install and administer a complete
security solution.
ASG Overview
/ Security Features
ASG Overview
/ Available Appliances
Model | Astaro Security Gateway 110/120 | Astaro Security Gateway 220a | Astaro Security Gateway 320 | Astaro Security Gateway 425a | Astaro Security Gateway 525
Environments | Home office, small office | Small business, branch office | Medium business, enterprise division | Large enterprise headquarters | Large enterprise core networks
System: Network ports | 3 x 10/100 Mbps | 8 x 10/100 Mbps | 4 x 10/100 Mbps, 4 x 10/100/1000 Mbps | 8 x 10/100/1000 Mbps | 10 x 10/100/1000 Mbps
Performance: Firewall throughput (Mbps) | 100 | 260 | 420 | 1200 | 3000
Performance: VPN throughput (Mbps) | 30 | 150 | 200 | 265 | 400
Performance: IPS/IDS throughput (Mbps) | 55 | 120 | 180 | 450 | 750
E-mails/day (without Mail-Security) | 350,000 | 500,000 | 1,000,000 | 1,500,000 | 2,200,000
Concurrent Connections | 60,000 | 400,000 | 550,000 | 700,000 | >1,000,000
Product Overview
/Astaro Web Gateway
Effective “all-in-one” web security for your network:
Single, cost effective and easy to use point solution
Detects and blocks malicious code in HTTP or FTP traffic
Granular control of web site access and use of IM/P2P applications
Deploys as hardware, software, or virtual appliance
Web Interface is the same as the ASG but with fewer features
AWG System Overview
/ Available Appliances
Recommended Users | 100 | 250 | 750 | 2000 | Unrestricted
System: Network ports | 2 x 10/100/1000 Mbps | 2 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps | *
Performance: In-line throughput (Mbps) | 50 | 80 | 150 | 250 | *
Performance: Antivirus/Web throughput (Mbps) | 20 | 40 | 80 | 130 | *
User Requests | 100 req./s | 375 req./s | 120 req./s | 3000 req./s | *
* Depends on hardware platform used.
Product Overview
/Astaro Email Gateway
Effective “all-in-one” Email security for your network:
Single, cost effective and easy to use point solution
Detects and blocks malicious code and SPAM in SMTP or POP3 traffic
Provides end user Quarantine management through secure portal
and daily SPAM reports
Provides Email Encryption
Web Interface is the same as the ASG but with fewer features
AMG System Overview
/ Available Appliances
Recommended Users | 100 | 250 | 750 | 2000 | Unrestricted
System: Network ports | 2 x 10/100/1000 Mbps | 2 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps | *
Performance: In-line throughput (Mbps) | 50 | 80 | 150 | 250 | *
Performance: Antivirus/Web throughput (Mbps) | 20 | 40 | 80 | 130 | *
User Requests | 100 req./s | 375 req./s | 120 req./s | 3000 req./s | *
* Depends on hardware platform used.
Product Overview
/ Astaro Report Manager
Data collection and reporting solution for internal security
analysis:
Centralized collection, correlation and analysis of syslog data
Documentation of security infrastructure effectiveness
More than 800 tailored security and activity reports
Real-time monitoring dashboard for instant security incident visibility
Product Overview
/ Astaro Compliance Reporter
The Astaro Compliance Reporter for PCI is an automated
service that allows organizations operating under Payment
Card Industry (PCI) regulation to easily conduct a formal risk
assessment, as required by the PCI Data Security Standard.
Product Overview
/ Astaro Command Center
Provides Centralized Management of Large Astaro Gateway
Deployments.
Dashboard views display the most important system parameters for
all selected devices.
List views offer detailed information about specific parameters, such
as detected threats or resources in use.
The world map makes it simple to localize Astaro Security Gateways
within a large global network and enables a quick overview of the
security status.
A complete hardware inventory of all Astaro Security Gateways is
available via a single mouse click.
System Architecture
AXG System Overview
/ Architecture
Architecture
/ Open Source Module
Configuration
/ Administration Workflow
Refresher ACA
Refresher ACA
/ Setting up Ethernet Interfaces
Refresher ACA
Network Settings / Additional IPs on an Interface
Additional IPs are typically referred to as aliases
and follow the same rules as “Standard Ethernet”
interfaces.
Refresher ACA /Network Settings
/ Multipath Rules
Refresher ACA
/ Network Address Translation / Masquerading
Refresher ACA /Network Address Translation
/ DNAT & SNAT
Refresher ACA
/ Packet filtering Architecture
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
[Figure: packet flow through the netfilter chains. Incoming packets pass PREROUTING, a routing decision, FORWARD, a second routing decision and POSTROUTING before leaving as outgoing packets; INPUT and OUTPUT connect the flow to the local processes (Apache, SOCKS, SQUID, IPSEC, EXIM, SSHD, PPTP, BIND). Processing steps labelled on the chains: conntrack, mangle, dnat, spoofdrop, filter, ips, snat, masquerading. Tables shown in the legend: Filter, NAT.]
Refresher ACA
/ Packet Filter - Configuration Principles (1)
You only need to maintain one table of filter rules.
The rules in the table are ordered. The first rule to match decides what is
done with the packet.
Astaro Security Gateway starts with an empty table but keeps implicit
internal rules for all services it is using itself.
Refresher ACA
/ Packet Filter - Configuration Principles (2)
[Figure: default view of the packet filter rule table, with callouts for Order, Enable/Disable, Groupname, Source and Destination, Service, Action, Description (optional), and Edit or delete.]
Refresher ACA
/ Packet Filter - Configuration Principles (3)
To create new or
edit existing rules:
Refresher ACA
/ DNS - Configuration
Global:
Accepts DNS requests from allowed internal networks (e.g. your AD servers, clients in smaller networks).
Forwarders:
Forwards DNS requests of the ASG to, e.g., provider DNS servers.
Request Routing:
When the ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server, this server can be used as an alternate server to resolve names which should not be resolved by the DNS forwarders.
Static Entries:
Handles static mappings of hostnames to IP addresses.
Refresher ACA
High Availability & Clustering
/ Overview
[Figure: HA overview. LAN and Internet are connected through redundant switches, redundant links and redundant hardware; the legend marks aggregated links.]
Refresher ACA
High Availability & Clustering
/ HA Modes
Active-Passive HA (Standby)
Only the Master is active
Passive (Slave) takes over in case of failure
Configuration settings and operational states are synchronized
Each ASG requires its own base license. Only 1 set of
subscriptions is necessary for both units.
Active-Active HA (Cluster)
Offers High Availability AND Load balancing
All appliances are active at the same time
Application traffic is actively balanced across the cluster of nodes
A maximum of 10 units can be added to the cluster.
Each unit in the cluster requires the same licenses for both base
and subscriptions.
Refresher ACA
High Availability & Clustering
/ Hot Standby Mode
Master
Slave
Refresher ACA
High Availability & Clustering
/ Active-Active-Mode
Active/Active Mode: High Availability (Active/Active) with load balancing
Master runs Packet Filtering & distributes the load.
Cluster Nodes: scalable VPN, IPS, AV, AS
1 Gigabit/sec
[Figure: Master and Slave between LAN and Internet, with the HA port (eth3) labelled.]
Refresher ACA
High Availability & Clustering
/ Auto Configuration (2)
Step 1:
Activate HA (if
necessary)
Refresher ACA
High Availability & Clustering
/ Auto Configuration (3)
Step 2:
Connect other HA device
Make sure the cabling
is correct
Start the device
Refresher ACA
High Availability & Clustering
/ Disabling Master-Slave
Disabling Master/Slave:
Refresher ACA
High Availability & Clustering
/ ASG Cluster Configuration (1)
Cluster Configuration:
Refresher ACA
High Availability & Clustering
/ ASG Cluster Configuration (2)
Cluster Configuration:
Refresher ACA /User Authentication
/ Groups
The Users >> Groups section on the AxG allows the administrator to create and manage local and/or remote user groups.
Common Group Types:
Local Groups consist of static members, which are user accounts located on the AxG. These accounts can be either locally or remotely authenticated.
eDirectory: Novell, partly LDAP based
Active Directory: Microsoft, partly LDAP based
RADIUS (Remote Access Dial-In User Service): Livingston Enterprises, later RFC
TACACS+ (Terminal Access Controller Access-Control System Plus): Cisco, now RFC
LDAP (Lightweight Directory Access Protocol): OSI, X.500, now RFC
Refresher ACA /Remote Authentication
/ Global Settings
When using remote authentication the
AxG can be configured to
automatically add user accounts when
users successfully authenticate
against:
HTTP Proxy
End User Portal
SSL VPN
WebAdmin
Refresher ACA /Remote Authentication
/ Novell eDirectory
With AxG V7 eDirectory SSO, Novell users will only need to authenticate once
at initial client login to gain web access to the Internet.
Once authenticated, Web security capabilities of AxG are applied to web surfing
based on the user or group without the need for further authentication at the
browser level.
Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an
administrator to verify their BIND User DN settings as well as verify individual
user account credentials.
Refresher ACA /Remote Authentication
/ Novell eDirectory
Advanced options let you set the sync interval, which is how often the AxG will query (poll) the eDirectory server for updated account information such as logins/logouts and group changes.
Prefetching of user accounts can be done on the fly or may be scheduled.
As of version 7.400 the AxG software also supports Event Based eDirectory synchronization. This new feature is an eDirectory option which requires version 8.7 or higher.
Event Based synchronization replaces the existing Polling method, which will be used if the eDirectory server does not support this feature.
Event Based synchronization will instruct the eDirectory server to send notifications of any changes such as logins or logouts.
Event Based synchronization can help to significantly reduce the network load between the AxG and the eDirectory server.
Refresher ACA /Remote Authentication
/ Novell eDirectory
NOTE:
• SSO in eDir does not work on machines
where more than one user is logged in.
(Terminal Servers)
Refresher ACA /Remote Authentication
/ Active Directory
With AxG V7 Active Directory SSO, domain users will only need to
authenticate once at initial client login to gain web access to the Internet.
Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an
administrator to verify their BIND User DN settings, verify a user account
is active, and to see what group they belong to.
Administration is eased via the built-in LDAP browser.
Prefetching of user accounts can be done on the fly or by schedule.
Refresher ACA /Remote Authentication
/ Active Directory
As of version 7.400 the AxG software now supports Windows
Server 2008 Native mode.
Refresher ACA /Web Security
/ Overview
Firewalls only pass HTTP/S traffic and are unable to scan it for malware such
as viruses, adware, spyware, and rootkits.
Refresher ACA /Proxies
/ Theory
Client Server
Proxy
Refresher ACA Web Security
/ HTTP/S Proxy – Overview
Refresher ACA /Web Security
/ HTTP/S Global Configuration
Refresher ACA Web Security/
/ HTTP/S Global Configuration
HTTPS Proxy configuration
Refresher ACA Web Security
/ HTTP/S Global Configuration
HTTPS Proxy configuration/testing
To use the HTTPS proxy, client browsers need to import or “trust” the Proxy CA that exists on the AxG. There are 3 ways administrators can deploy this to their users:
• Have the users sign in to the UserPortal, select the “HTTPS Proxy” tab, and import the proxy CA certificate. Select all option boxes and select “OK”, and the import will finish. Note that you should do this for all browsers you use.
• Publish the CA using an Active Directory Group Policy. As the administrator, navigate to Web Security >> HTTP/S and select the “HTTPS CAs” tab. From there, click the “Download” button at the top in the “Signing CA” section, and use Active Directory to distribute it to your network users.
• Have the users download it directly from the Astaro device via a special URL, by navigating to https://passthrough.fw-notify.net/cacert.pem in their browser, then selecting all the checkboxes on the import dialog box and selecting “Ok” to complete the process.
Once deployed, HTTPS scanning can be verified by using a test file from a site that vendors use. This file will be reported as “malware/virus” though it is in fact harmless and designed just for this type of testing:
https://secure.eicar.org/eicar_com.zip
Refresher ACA /Web Security
/ HTTP/S Operational Modes
Standard
• Proxy listens on port 8080
• Allows any network listed in Allowed Networks to connect
• Client browser must be configured
• HTTP proxy service requires a valid Domain Name Server (DNS)
Transparent
• Proxy handles all traffic on port 80
• Client doesn’t need to touch browser configuration
• Proxy cannot handle FTP and HTTPS
• Packet filter must allow ports 21 and 443
• No HTTP on ports other than port 80
• Clients must be able to resolve DNS hostnames themselves!
*Full transparent mode preserves the original source IP of the client machine instead of replacing it with the proxy IP
Refresher ACA /Web Security
/ Content Filter Profiles
HTTP Content Filter Profiles
Refresher ACA / Email Security Mail Manager
/ Overview/Global tab
The Mail Manager allows you to view and manage the Quarantined
SMTP and POP3 messages for all users. Additionally you can view the
SMTP log which contains a record of all messages that have been
handled by the AxG.
Statistics are shown on the Global tab listing e-mails Waiting for
Delivery, Quarantined, and Rejected.
The Mail Manager Utility is reached by
clicking the Open Mail Manager in New
Window button.
HINT:
Notice that only the administrator can release all types of messages held in quarantine. End users can only release Spam using the User Portal or the Quarantine Report.
Refresher ACA / Email Security Mail Manager
/SMTP Quarantine
The SMTP Quarantine Option lets the Administrator view all SMTP mails
being held in Quarantine, and provides information on why it was not
delivered.
Filters are available to sort mails by type (Malware, SPAM, Expression…)
Search by Sender/Subject, Date or any phrase
Global actions for cleanup and release are available
HINT:
SPAM false positives that are incorrectly quarantined by the Heuristic engine can be automatically released and reported back to Commtouch.
Refresher ACA / Email Security Mail Manager
/SMTP Spool/ Tips
The SMTP Spool Option lets the Administrator view all SMTP mails
processed but not delivered.
The AxG Mail Manager also features Tips which can offer guidance or
explain terms.
Refresher ACA / Email Security Mail Manager
/SMTP Log
The SMTP Log Section displays an entry for all emails processed by the
AxG. Messages can be sorted by Reason or Result.
Refresher ACA /Remote Access
/ Astaro SSL VPN Client
Refresher ACA
SSL-based Remote Access
/ Configuration/Global
Enable the SSL Remote Access status
Refresher ACA SSL-based Remote Access
/ Configuration/ Settings
The Server Settings allow you to choose the protocol (TCP or UDP) to be used. Note that UDP will be much quicker though may not work with all applications.
The port number (443 by default). This can be changed if you already use 443 for a NAT rule.
The Override hostname field must use a valid IP or hostname that clients can resolve!
Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, simply change the definition of the VPN Pool (SSL) on the Definitions >> Networks page.
Duplicate CN allows multiple users with the same common account name to connect.
Refresher ACA /SSL-based Remote Access
/ Installing the SSL VPN Client on Windows
Connectivity Testing
The connection dialogue box allows you to monitor the set-up of the connection.
Refresher ACA /SSL-based Remote Access
/ Installing the SSL VPN Client on Windows
Configuration analysis & troubleshooting
<Show Status> provides all details regarding authentication, encryption, routing, etc.
Refresher ACA /SSL-based Remote Access
/ Configuring logon Scripts to run automatically
There are three different scripts that the SSL VPN GUI can execute to help with
different tasks like mapping network drives automatically.
Preconnect: If a file named "***_pre.bat" exists in the config folder where *** is the
same as your OpenVPN config file name, this will be executed BEFORE the OpenVPN
tunnel is established.
Connect: If a file named "***_up.bat" exists in the config folder where *** is the
same as your OpenVPN config file name, this will be executed AFTER the OpenVPN
tunnel is established.
Disconnect: If a file named "***_down.bat" exists in the config folder where *** is
the same as your OpenVPN config file name, this will be executed BEFORE the
OpenVPN tunnel is closed.
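Because these scripts run automatically with the user's rights whenever the tunnel changes state, the config folder is worth auditing. The following is an added example, not part of the Astaro courseware: it lists which hook scripts will run for which profile, flags hook-style files without a matching config, and detects scripts changed since a recorded baseline. The ".ovpn" extension and all file names and contents in the sample folder are assumptions, constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffix -> when the SSL VPN GUI runs the script (taken from the slide text).
HOOKS = {
    "_pre.bat": "before the tunnel is established",
    "_up.bat": "after the tunnel is established",
    "_down.bat": "before the tunnel is closed",
}


def audit_hooks(config_dir, config_ext=".ovpn"):
    """Return (active, orphaned) hook scripts found in config_dir.

    active:   name is <config name> + hook suffix, so the GUI will run it.
    orphaned: hook-style name without a matching config file (leftover or staged).
    config_ext is an assumption: the usual OpenVPN config extension on Windows.
    """
    folder = Path(config_dir)
    files = [p for p in folder.iterdir() if p.is_file()]
    # Windows file names are case-insensitive, so compare in lower case.
    configs = {p.stem.lower() for p in files if p.suffix.lower() == config_ext}
    active, orphaned = [], []
    for script in sorted(files, key=lambda p: p.name.lower()):
        name = script.name.lower()
        for suffix, when in HOOKS.items():
            if name.endswith(suffix) and len(name) > len(suffix):
                entry = {
                    "script": script.name,
                    "config": name[: -len(suffix)],
                    "runs": when,
                    "sha256": hashlib.sha256(script.read_bytes()).hexdigest(),
                }
                (active if entry["config"] in configs else orphaned).append(entry)
                break
    return active, orphaned


def changed_since(baseline, active):
    """Names of active hooks that are new or whose content differs from baseline.

    baseline maps script name -> SHA-256 recorded when the client was deployed.
    """
    return sorted(e["script"] for e in active if baseline.get(e["script"]) != e["sha256"])


def build_sample_folder(folder):
    """Constructed sample data: one profile, two hooks, one orphan, one unrelated file."""
    folder = Path(folder)
    (folder / "office.ovpn").write_text("client\nremote vpn.example.com 443\n")
    (folder / "office_pre.bat").write_text("@echo off\nnet use Z: /delete /y\n")
    (folder / "office_up.bat").write_text("@echo off\nnet use Z: \\\\fileserver\\share\n")
    (folder / "oldsite_down.bat").write_text("@echo off\n")
    (folder / "notes.bat").write_text("rem not a hook\n")
    return folder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        active, orphaned = audit_hooks(build_sample_folder(tmp))
        for e in active:
            print(f"{e['script']}: runs {e['runs']} for '{e['config']}' {e['sha256'][:12]}")
        for e in orphaned:
            print(f"{e['script']}: no matching config, will not run")
        baseline = {e["script"]: e["sha256"] for e in active}
        (Path(tmp) / "office_up.bat").write_text("@echo off\nrem edited\n")
        print("changed:", changed_since(baseline, audit_hooks(tmp)[0]))
```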
Network
Networking
/ VLAN (1)
Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments on the Ethernet level (layer 2).
A VLAN switch plus a VLAN-capable network interface simulate a number of physical interfaces plus cabling.
Every segment is identified by a "tag" (an integer number).
Adding a VLAN interface will create a virtual hardware device.
Example
PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10.
PC3, PC5 and PC6 will be connected together on VLAN 20.
Both VLANs can communicate through the ASG's rulebase.
Switch a
Port | VLAN Tag | tagged/untagged
1 | 10, 20 | T
2 (PC1) | 10 | U
3 (PC2) | 10 | U
4 (PC3) | 20 | U
5 | 10, 20 | T
Switch b
Port | VLAN Tag | tagged/untagged
1 | 10, 20 | T
2 (PC4) | 10 | U
3 (PC5) | 20 | U
4 (PC6) | 20 | U
[Figure: Switch a (ports a1 to a5) with Host1, Host2 and Host3, Switch b (ports b1 to b4) with Host4, Host5 and Host6, plus Firewall and Router.]
Networking
/ VLAN (2)
VLAN segments are distinguished by a tag (integer value), a 12-bit number, allowing up to 4095 virtual LANs.
When you add a VLAN interface, you will create a virtual hardware device that can be used to add additional interfaces (aliases) too.
NOTES:
- It is essential to check the HCL to ensure VLAN-capable NICs are supported.
- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
- Make sure you have installed a VLAN-capable NIC or refer to the HCL.
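The following added example (not part of the Astaro courseware) models the Switch a / Switch b port tables from the VLAN (1) slide and the 12-bit tag from the VLAN (2) slide: it floods a broadcast from one PC, shows which hosts receive it, and builds the 802.1Q-tagged frame that crosses the trunk. The cabling (a5 to b1 as the inter-switch trunk) and the sample frame are assumptions constructed for the demonstration.

```python
import struct
from collections import deque

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """What a tagged (T) port sends: 4 tag bytes inserted after the two MAC addresses."""
    if not 0 <= vid < 2 ** 12 or not 0 <= pcp < 8:
        raise ValueError("VLAN ID must fit in 12 bits, priority in 3 bits")
    tci = (pcp << 13) | vid  # priority (3 bits) | DEI (1 bit, 0) | VLAN ID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes):
    """Return (vlan_id, frame_without_tag); vlan_id is None for an untagged frame."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


# Port tables from the slide: port -> (member VLANs, "T" tagged / "U" untagged).
PORTS = {
    "a": {1: ({10, 20}, "T"), 2: ({10}, "U"), 3: ({10}, "U"),
          4: ({20}, "U"), 5: ({10, 20}, "T")},
    "b": {1: ({10, 20}, "T"), 2: ({10}, "U"), 3: ({20}, "U"), 4: ({20}, "U")},
}
HOSTS = {("a", 2): "PC1", ("a", 3): "PC2", ("a", 4): "PC3",
         ("b", 2): "PC4", ("b", 3): "PC5", ("b", 4): "PC6"}
# Assumption: the inter-switch trunk is a5 <-> b1 (a1 then leads to the ASG).
TRUNKS = {("a", 5): ("b", 1), ("b", 1): ("a", 5)}


def broadcast(src_host: str, frame: bytes):
    """Flood an untagged frame from src_host; return (receivers, frames sent on trunks)."""
    switch, port = next(sp for sp, h in HOSTS.items() if h == src_host)
    (vid,) = PORTS[switch][port][0]  # an access port belongs to exactly one VLAN
    receivers, on_trunk = set(), []
    seen, queue = {(switch, port)}, deque([(switch, port)])
    while queue:
        switch, in_port = queue.popleft()
        for out_port, (vlans, _mode) in PORTS[switch].items():
            if out_port == in_port or vid not in vlans:
                continue  # never back out the ingress port, never into another VLAN
            if (switch, out_port) in HOSTS:
                receivers.add(HOSTS[(switch, out_port)])  # U port: frame leaves untagged
            peer = TRUNKS.get((switch, out_port))
            if peer and peer not in seen and vid in PORTS[peer[0]][peer[1]][0]:
                on_trunk.append(add_tag(frame, vid))  # T port: tag added on the wire
                seen.add(peer)
                queue.append(peer)
    return receivers, on_trunk


# Constructed sample frame: broadcast destination, made-up source MAC, ARP EtherType.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28

if __name__ == "__main__":
    for pc in ("PC1", "PC3"):
        hosts, trunk_frames = broadcast(pc, SAMPLE_FRAME)
        print(pc, "reaches", sorted(hosts), "trunk VLAN", read_tag(trunk_frames[0])[0])
```

No host in VLAN 10 ever receives a VLAN 20 frame at layer 2, which is why traffic between the two VLANs has to be routed, and can be filtered, by the ASG.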
Networking
/ Overview IEEE 802.3ad Link Aggregation
Link aggregation (LA, also known as "port trunking" or "NIC bonding") allows you to aggregate multiple Ethernet network ports into one virtual interface.
The Link Aggregation Control Layer (LACL) controls the distribution of the data stream to the different ports, communicating via the Link Aggregation Control Protocol (LACP).
Networking
/ Link Aggregation using ASG
Networking
/ Link Aggregation – Configuration (1)
Networking
/ Link Aggregation – Configuration (2)
Up to four different link aggregation groups with a maximum of four Ethernet interfaces per group are possible.
On top of the bonding interface you can create one of the following:
• Ethernet Standard
• Cable Modem (DHCP)
• Ethernet VLAN
• Alias interfaces
To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group.
The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab.
The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG will be used for all other NICs within the LAG.
Networking
/ Bridging – Overview (1)
Networking
/ Bridging – Overview (2)
How it works:
• The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1
• 172.16.1.1 is the bridge interface br0 with ports eth1 and eth2
Networking
/ Bridging – Overview (3)
The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.
How it works:
• When ethX interfaces are added to a bridge, they become part of the br0 interface
• The Linux 2.6 kernel has built-in support for bridging via the ebtables project
• Ebtables has very basic IPv4 support
• Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4 packets and do advanced things like transparent IP NAT
• It forces bridged IP frames/packets to go through the iptables chains
Networking
/ Bridging – Configuration (1)
Configuration Example:
Networking
/ Bridging – Configuration (2)
There are two advanced options available:
• Allow ARP Broadcasts
• Ageing timeout
By default, ARP broadcasts are not allowed to pass across the bridged interfaces. If needed, enable the Allow ARP Broadcasts option.
As the network can change, we need to specify when to remove an entry due to inactivity; this is the Ageing timeout.
Networking
/ Policy Based Routing (1)
Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators.
It provides a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.
Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing which is based on the destination IP address.
Example:
• Route ERP traffic from Finance to MPLS Provider
• Route SMTP traffic from DMZ to DSL Provider
[Figure: providers Prov. A (MPLS) and Prov. B (DSL), each with a router; networks DMZ 1, LAN 1 and LAN 2; traffic labels SMTP and ERP.]
Networking
/ Policy Based Routing (2)
Policy based routing will route by selectors:
• Destination
• Source
• Service
• Source Interface
Policy based routing will route to targets:
• An interface
• A host
Limitations:
• It is not possible to select all traffic and route it, as this would be a default gateway
• Policy routes have an order which is evaluated in the same way as the packet filter (top to bottom)
• Only user defined policy routes are possible
• Network groups in policy routes are not possible
The following benefits can be achieved by implementing policy-based routing in the networks:
• Load Sharing
• Cost Savings
• Source-Based Transit Provider Selection
• Quality of Service (QoS)
OSPF
/ Overview
OSPF
/ Features & Benefits
OSPF
/ ASG Configuration – OSPF-ID
OSPF
/ ASG Configuration – OSPF Area
OSPF
/ ASG Configuration – OSPF Interfaces (1)
OSPF
/ ASG Configuration – OSPF Interfaces (2)
OSPF
/ ASG Configuration – OSPF Interfaces (3)
Quality of Service
/ Working Principle
[Diagram: ASG left, ASG right, Headquarter, Branch Office]
Quality of Service
/ Features and Benefits
Quality of Service
/ Configuration
Quality of Service
/ Configuration: Status Overview
Quality of Service
/ Configuration: Traffic Selectors
Quality of Service
/ Configuration: Bandwidth Pools
Networking
Review Questions
Network Security
Network Security
/ NAT/ Full NAT
Network Security
/ NAT/ Two Gateways on the Network
Network Security
/ NAT/ Routes Do Not Allow Return Traffic
Network Security
/ Advanced
Network Security
/ Generic Proxy
Network Security
/ SOCKS
Where is it used?
Socks
IM clients such as ICQ, AIM
FTP
RealAudio
Network Security
/ IDENT Relay
Network Security
/ Review Questions
VoIP Security
SIP and H.323 security work
VoIP Security
/ SIP/H.323 Security
Astaro’s VoIP Security uses special connection tracking helper modules for monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy.
[Diagram labels, message sequence over time: To IP-A, PORT-S; 200 OK; C = IN IP4 IP-B; M = audio 4000 RTP/AVP 3; Audio stream to IP-A, 2000]
VoIP Security
/ SIP – Session Initiation Protocol
VoIP Security
/ H323 – Session Initiation Protocol
VoIP Security
/ SIP/H.323 Security
General WebAdmin Troubleshooting
Real-time logs in the Logging section show real-time information. If CPU Usage has been running high, error messages may be in the System Messages or Self monitoring logs.
System messages should be checked for errors relating to the databases. If any are found, a support ticket should be opened with Astaro.
The Self monitoring log should not show many process restarts.
Command Line Troubleshooting Guide
CLI / Linux skills
All configuration can and should be done via the WebAdmin GUI
Shell configuration changes are made at your own risk and can
void support.
CLI/ First steps
When first logging into the Shell some quick things to check are:
System Load
Top processes
Log directories to see which log files are being written to
Disk space utilization
System load and top processes are checked using the ‘top’
command which shows the processor activity in real time.
Top shows information such as uptime, load average, memory, swap, and processes running.
Load average depends on the hardware installed and will be displayed via WebAdmin as CPU Usage. If CPU is running high then load will be high.
To determine which process is using the most CPU look at the %CPU column or sort by pressing the ‘C’ key
To kill a process press the ‘K’ key and enter the PID #. If no ‘signal’ is chosen the TERM signal is sent. If the process does not stop try specifying the ‘KILL’ signal by using the number ‘9’ when prompted.
CLI/ First steps
The /var/log directory holds logs for both the current day as well as directories for past dates. Additional debug and .lock files are found in the /tmp directory.
Logs can be sorted according to time to see which was last written to by using the ‘ll -tr’ command.
Logs can be viewed by using utilities such as ‘less’, ‘cat’, or ‘tail’. ‘tail -f’ will show the log as it updates in real time. ‘grep’ can be used to filter on specific information such as usernames or IP addresses.
CLI / Packetfiltering basics (1)
ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.
[Diagram: packet flow through the netfilter chains, from Incoming packets via PREROUTING, Routing, FORWARD, Routing and POSTROUTING to Outgoing packets, with INPUT and OUTPUT leading to and from the Local Processes (Apache, IPSEC, EXIM, SSHD, Proxy, BIND, HTTP, PPTP). Processing steps shown at the chains: conntrack, mangle, dnat, spoofdrop, filter, ips, snat, masquerading. Tables: Filter, NAT]
CLI
/ Packetfiltering basics (2)
Verify packet filter rules using the command line interface (CLI) or Shell
Packet filter rules can be reviewed using the command iptables -L -nv on the CLI. With this command the table filter with all its chains and sub-tables will be shown by default.
AUTO_FORWARD – contains rules that are forwarded through the ASG and are configured as a service within the WebAdmin (e.g. ping through firewall)
USR_FORWARD – contains packet filter rules that are configured by the Administrator manually in the menu “Packet filter” and do not use an IP address of the ASG itself as source or destination address.
Note: Manual changes to the packet filter with the command iptables will be overridden when a change is done using the WebAdmin.
CLI
/ Packet filter example (1)
Scenario 1: The administrator has locked himself out of the WebAdmin
The admin has locked himself out by mistake. A network/host was removed from the list of “Allowed networks”. SSH is activated and the ASG is accessible with SSH.
Only the network 192.168.140.0/24 is allowed for the WebAdmin; all other networks will be blocked and logged by default.
Add a network:
iptables -I INPUT -j ACCEPT --source 172.16.65.0/24 -p tcp --dport 4444
Once the WebAdmin is accessible, the corresponding network should be added to the “Allowed networks” and saved with apply. All manual configurations will be deleted after a restart of the middleware/ASG.
CLI
/ Packet filter example (2)
Scenario 2: A packet filter rule for VPN doesn’t work, the VPN itself is working correctly.
A few packet filter rules were configured for communication with the branch office using the WebAdmin.
The access with HTTP in rule 3 isn’t working.
Solution: The network definition (type: host) for the webserver is bound to interface eth1 (WAN), but the tunnel uses interface ipsec0.
That is why this rule isn’t working and all packets will be dropped by the “Default drop”.
These errors are hard to find with the WebAdmin and the packet filter table. They are easier to find with the command iptables using the CLI.
CLI
/ Stateful packet filtering
Scenario 3: Outgoing FTP connections are not working, the packet filter entries are correct.
The Astaro Security Gateway writes every connection to the connection tracking table. The administrator
wants to verify if the FTP connection is visible in this table.
Working connection:
tcp 6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168
src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
Background: FTP works with a second connection for data transfer on different ports. These ports are negotiated dynamically for every FTP connection. The Astaro Security Gateway has to relate this second connection to the allowed FTP connection on port 21.
Solution: The connection tracking helper for FTP has to be activated. This is done using Network Security
-> Packetfilter -> Advanced and is activated by default.
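The check in Scenario 3, as an added example that is not part of the courseware: a shell helper that reads connection tracking entries in the format shown above, lists a client's flows with their NAT translation, and shows whether a port 21 control connection has other TCP flows between the same two hosts. The function names and the second and third sample entries are constructed for this example, and it assumes passive-mode FTP as in the slide's entry, where the client opens the data connection.

```shell
#!/bin/sh
# Added example, not part of the courseware: summarise conntrack entries
# in the format of the Scenario 3 "working connection".

# Entry 1 is the slide's entry joined onto one line; entries 2 and 3 are
# constructed for this example (control connection on port 21, unrelated DNS).
sample_conntrack() {
cat <<'EOF'
tcp 6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
tcp 6 431990 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=12 bytes=640 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=10 bytes=712 [ASSURED] mark=0 use=1
udp 17 25 src=172.16.55.60 dst=192.168.140.1 sport=1030 dport=53 packets=1 bytes=60 src=192.168.140.1 dst=192.168.140.225 sport=53 dport=1030 packets=1 bytes=120 mark=0 use=1
EOF
}

CT_AWK_PARSE='
# Split one entry into o[] (original direction) and r[] (reply direction):
# each key appears first for the original tuple and again for the reply tuple.
function parse(   i, kv) {
    split("", o); split("", r)
    for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") != 2) continue
        if (kv[1] in o) r[kv[1]] = kv[2]; else o[kv[1]] = kv[2]
    }
    state = ($1 == "tcp") ? $4 : "-"
    # The reply tuple mirrors the original one unless NAT rewrote an address.
    nat = "none"
    if (r["dst"] != o["src"]) nat = "snat=" r["dst"]
    if (r["src"] != o["dst"]) nat = (nat == "none") ? "dnat=" r["src"] : nat ",dnat=" r["src"]
}
'

# ct_flows CLIENT_IP: one line per entry whose original source is CLIENT_IP.
ct_flows() {
    awk -v client="$1" "$CT_AWK_PARSE"'
    {
        parse()
        if (o["src"] != client) next
        role = (o["dport"] == 21) ? "ftp-control" : "other"
        print $1, state, o["src"] ":" o["sport"] "->" o["dst"] ":" o["dport"], role, nat
    }
    '
}

# ct_ftp_sessions: for every FTP control connection, count the other TCP
# flows between the same client and server (candidate data connections).
ct_ftp_sessions() {
    awk "$CT_AWK_PARSE"'
    {
        parse()
        if ($1 != "tcp") next
        pair = o["src"] " " o["dst"]
        if (o["dport"] == 21) control[pair] = state
        else other[pair]++
    }
    END {
        for (p in control)
            print p, "control=" control[p], "other_tcp=" (other[p] + 0)
    }
    ' | sort
}

sample_conntrack | ct_flows 172.16.55.55
sample_conntrack | ct_ftp_sessions
```

A client that shows a control entry but `other_tcp=0` while a transfer is attempted points at the data connection not being related to the control connection, which is the case the FTP helper setting addresses.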
Networking
CLI
/ Network problems (1)
Scenario 1: Slow connections between different networks. (1)
The ASG is connected with multiple switches on different interfaces. Users report slow connections from one network to another. In this case the connections between the internal network (eth0) and the DMZ (eth2) are very slow. The administrator wants to check the corresponding interfaces.
RX = number of received packets, errors = errors when receiving, dropped = dropped packets when receiving, overruns =, frame = received Frames
TX = number of transmitted packets, errors = errors when sending, dropped = dropped packets when sending, overruns = packets that are bigger than the allowed MTU size, carrier = errors on connection (mostly a broken network cable)
Note: If there is a problem with the connection and the speed and duplex settings are not correct, errors are mostly shown here. Always check both sides of the connection, like the switches on the other side of the cable.
CLI
/ Network problems (2)
Scenario 2: Slow connections between different networks. (2)
There are errors on the interface. The administrator wants to check the speed and duplex settings for the
interfaces. Auto-negotiation is configured on both sides.
There are sometimes network cards (like in VMWare) that are not mii-compatible. For these network
cards the ethtool is useful to see nearly the same information.
In this scenario the verification has shown us that the settings on the ASG and the settings on the switch
are not the same (100baseT/Full vs. 10baseT/Half).
Solution: The configuration for the interfaces can be changed in the WebAdmin menu Network ->
Interfaces -> Hardware. It is possible to configure a fixed speed and duplex mode.
CLI
/ Network tools
Tools to test the connectivity
Check a path to a server on the internet: traceroute <IP/Name> at the command line
or Support -> Tools -> Traceroute in the WebAdmin
traceroute to www.astaro.de (85.115.22.4), 30 hops max, 40 byte packets
1 port-87-234-47-9.static.qsc.de (87.234.47.9) 2.865 ms 5.489 ms 3.428 ms
…
5 DE-CIX2.de.lambdanet.net (80.81.192.74) 22.012 ms 20.533 ms 22.377 ms
6 Telemaxx.FRA-1-eth0-145.de.lambdanet.net (217.71.110.42) 19.606 ms 20.851 ms 19.337 ms
7 sw4ch.ka.telemaxx.net (213.144.4.134) 24.037 ms 25.553 ms 22.330 ms
8 85.115.22.4 (85.115.22.4) 19.359 ms 19.362 ms 18.378 ms
Note: When the same IP address is configured on different hosts this output shows different MAC
addresses.
CLI
/ Network tools/ Tcpdump
CLI
/ Network tools/ Iftop
IM/P2P Security
CLI IM/P2P Security
/ Logging (1)
With version 7.200 the Astaro Security Gateway and the Astaro Web Gateway introduced the service
Astaro Flow Classifier for IM/P2P control. This service is logging to the file /var/log/afc.log.
The log-file can be browsed with the WebAdmin or via command line.
For troubleshooting the AFC, it is necessary to understand the log format correctly.
An example line from an AFC log file is shown here (Bittorrent):
Log-Entry    Meaning
id="2017"    The ID shows the kind of log entry: 2017 is only logging, 2018 is for file transfer block and 2019 blocks completely
Important for troubleshooting are always the ID, action and the fwrule.
The particular values for ID, action and fwrule are explained in detail in the Astaro knowledge base article 290351.
CLI IM/P2P Security
/ Logging (2)
Here is another example for Skype blocking, noticeable with the fwrule (Skype) and the ID (Block completely):
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter"
name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43"
proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"
Scenario 1: High logging impact when activating IM/P2P control with all protocols
When activating logging for Instant Messaging and Peer-to-Peer protocols and a high volume of data is
processed by the Astaro Security Gateway, there is a lot of logging traffic and this could possibly fill up
the log-partition.
Solution: Using IM/P2P -> Settings -> Advanced it is possible to configure a logging limit.
Off – deactivates logging completely; there is no reporting for IM/P2P any more.
Limit all 5/sec – there will be only 5 log entries per second for all hosts altogether.
Limit host 1/sec – there is a limit of one log entry per second per host. (default)
Log all – the complete traffic will be logged (Attention!)
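Triage of /var/log/afc.log by the three fields the slides call important (ID, action, fwrule), as an added example that is not part of the courseware. It also reports the highest number of entries a single host produced within one second, which is the figure the logging limit acts on. The function names are made up for this example; only the first sample line comes from the slide, and the other lines, including action="log" for ID 2017 and the ID 2001 entry, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the courseware: triage AFC entries by ID,
# action and fwrule, and measure per-host logging rate.

# Line 1 is the Skype entry from the slide, joined onto one line. Lines 2-5
# are constructed; action="log" for id 2017 and the id 2001 line are
# placeholders, not values taken from the courseware. The sample stands for
# a gateway running with "Log all".
sample_afc_log() {
cat <<'EOF'
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="98" tos="0x00" prec="0x00" ttl="127" srcport="1239" dstport="21510" tcpflags="ACKPSH"
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="60" tos="0x00" prec="0x00" ttl="127" srcport="1240" dstport="21510" tcpflags="ACKPSH"
2008:11:19-15:36:41 (none) ulogd[2517]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="constructed non-AFC entry" action="drop" fwrule="0" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="60" tos="0x00" prec="0x00" ttl="127" srcport="1241" dstport="445" tcpflags="SYN"
2008:11:19-15:36:42 (none) ulogd[2517]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="constructed AFC entry" action="log" fwrule="60103" outitf="eth0" srcip="192.168.99.7" dstip="62.214.209.43" proto="6" length="80" tos="0x00" prec="0x00" ttl="127" srcport="2040" dstport="21510" tcpflags="ACKPSH"
EOF
}

AFC_AWK_LIB='
# Value of key="value" in the current record, empty when the key is absent.
function field(k,   m, s) {
    s = " " $0
    m = index(s, " " k "=\"")
    if (m == 0) return ""
    s = substr(s, m + length(k) + 3)
    return substr(s, 1, index(s, "\"") - 1)
}
# Meaning of the three AFC IDs as given on the Logging (1) slide.
function meaning(id) {
    if (id == "2017") return "log-only"
    if (id == "2018") return "file-transfer-block"
    if (id == "2019") return "block-completely"
    return ""
}
'

# afc_top: "count id action fwrule srcip meaning", busiest combination first.
afc_top() {
    awk "$AFC_AWK_LIB"'
    {
        id = field("id"); what = meaning(id)
        if (what == "") next            # not an AFC entry
        n[id " " field("action") " " field("fwrule") " " field("srcip") " " what]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# afc_peak_per_host: "count srcip timestamp" for the busiest host-second.
afc_peak_per_host() {
    awk "$AFC_AWK_LIB"'
    {
        if (meaning(field("id")) == "") next
        k = field("srcip") " " $1       # $1 is the timestamp, 1 s resolution
        if (++c[k] > max) { max = c[k]; who = k }
    }
    END { if (max) print max, who }
    '
}

sample_afc_log | afc_top
sample_afc_log | afc_peak_per_host
```

On the gateway the same functions can read the real file, for example `afc_top < /var/log/afc.log`.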
High Availability & Clustering
CLI High Availability & Clustering / HA-Status
Scenario 1: The administrator wants to check the HA status. The current status of an HA cluster can be seen in the WebAdmin. A more detailed view can be shown using the CLI.
- Status -----------------------------------------------------------------------
Current mode: HA MASTER with id 1 in state ACTIVE
-- Nodes -----------------------------------------------------------------------
MASTER: 1 Node1 198.19.250.1 7.302 ACTIVE since Mon Nov 3 09:17:46 2008
SLAVE: 2 Node2 198.19.250.2 7.302 ACTIVE since Mon Nov 3 09:18:44 2008
-- Load ------------------------------------------------------------------------
Node 1: [1m] 0.50 [5m] 0.41 [15m] 0.39
Node 2: [1m] 0.08 [5m] 0.10 [15m] 0.09
- Kernel -----------------------------------------------------------------------
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
tso: off
ppp sync: off
- Ctsyncd ----------------------------------------------------------------------
MASTER
-IPSec ------------------------------------------------------------------------
000 #1460: "S_REF_RxrkmFZPsh_0" esp.9a063cd9@212.202.98.74 esp.179febde@138.246.20.242; tunnel
[…]
- PostgreSQL ------------------------------------------------------------------------
reporting: […]
pop3: […]
CLI High Availability & Clustering / Connection to
slave system
Scenario 2: The administrator wants to view the log files from the HA-slave.
Two ASGs are connected within a HA-configuration and the former master has rebooted. Because of the failover the log files from the old master are now on the “new” slave and are not accessible through the WebAdmin.
An administrator wants to access the log files from the old master (now slave) and save these files for troubleshooting.
Access to the slave via: ha_utils ssh (only as root from the master ASG)
An SSH connection to the slave will be established; the administrator doesn’t need to know the IP address of the slave. This connection is only possible when the SSH daemon is configured on the default Port 22.
The log files can be found in /var/log/ and can be displayed with standard Linux tools like tail, less and grep. The log files can be copied to the master via SCP.
Example for copying the high-availability.log from the slave to the master:
CLI High Availability & Clustering / Connection
problems
Scenario 3: The front panel of the ASG shows »MTU ERROR« and the appliance is shut down completely.
Solution: The HA-cluster interface uses an MTU of 2000 bytes when connecting via a gigabit interface. The connected switch should support Jumbo Frames, and this feature should be activated on the switch.
When the switch doesn’t support Jumbo Frames, the interface should be configured to fixed 100 Mbit/s full-duplex (= MTU 1500) to avoid problems with the HA-cluster interface.
Scenario 4: The link status of one or more interfaces frequently shows »down«, so that a failover is initiated over and over again.
Where can more detailed information about a lost link for all interfaces be found?
Solution: Check the kernel log using the WebAdmin or on the command line in the file /var/log/kernel.log
For more information about the interfaces have a look at the networking chapter.
User Authentication
CLI User Authentication
/ Overview (1)
This diagram demonstrates the different work flows for the three authentication methods Active
Directory, eDirectory and LDAP. Within Active Directory and eDirectory there is a differentiation
between basic authentication and Single Sign On.
It is discernable which attributes are synced between the different directory services and the local user
database of the Astaro Security Gateway.
CLI User Authentication
/ Overview (2)
The authentication messages are logged into the file /var/log/aua.log and can be reviewed via command line or the WebAdmin.
Log-Entry    Meaning
srcip="172.16.65.2"    Client IP
If this information is not enough for troubleshooting authentication problems it is possible to activate the debug mode for the aua daemon. This is done on the command line with:
killall -USR2 aua.bin
There is a lot of information provided in the aua.log file in debug mode. To disable the debug mode for the aua daemon just use the command killall -USR2 aua.bin again.
Note: When having problems with authentication in conjunction with the HTTP proxy it is possible to start the HTTP process in debug mode.
CLI User Authentication
/ Active Directory (1)
Scenario 1: The administrator wants to check if the AD connection is working properly.
Possible Answer 1:
Connection to ldap://192.168.140.215:389 failed
Solution 1: The IP address of the AD server is not correct or the LDAP service is not accessible.
(Maybe a firewall between AD server and ASG is blocking the connection. Missing packet filter rule on this firewall?)
Possible Answer 2:
Server exists and accepts connections, but bind to ldap://192.168.140.213:389 failed with this
Bind DN and Password
Solution 2: The LDAP service can be accessed but the Bind User DN or the password is not correct.
Scenario 2: Joining the domain with Active Directory Single-Sign-On (SSO) fails.
Joining the domain failed.
When this is not the case a DNS request route can be configured under: Networking » DNS » Request Routing
Example: Domain: MYDOMAIN.LOCAL ->Target Servers: Active Directory Server
CLI User Authentication
/ Active Directory (2)
Active Directory SSO
The command line tool wbinfo shows detailed information about the Active Directory SSO connection. Active Directory users and groups can be displayed.
Examples:
Command    Meaning
wbinfo -u    Shows all AD users
wbinfo -r <user>    Shows all groups for a specific user (Note: it shows only group IDs, not the name!)
Detailed information for the tool can be seen with the command wbinfo --help.
CLI User Authentication
/ eDirectory
There is a test tool provided in the WebAdmin for Novell eDirectory to test single users.
(see Microsoft Active Directory)
Detailed information for Novell eDirectory can be seen in the aua.log file when activating the debug mode for the responsible processes. This can be done on the CLI using the command
killall -USR2 aua.bin aua_edirsync.plx
Scenario 3: The administrator wants to check if an eDirectory user is in the cache of the ASG.
Verify with: Bring both processes into debug mode (see above) and check the aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: Writing cache entry for dn
cn=testuser,ou=FW,ou=Support,o=Karlsruhe
2008:10:27-12:25:28 (none) aua[1293]: id="3007" severity="debug" sys="System" sub="auth" name="SSO: adding
IP address 172.26.3.17 to cache"
Scenario 4: The administrator wants to check which eDirectory groups are imported for one user.
Verify with: Both processes are in debug mode, check the aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'attrs' => {
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'modifytimestamp' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: '20081027112505Z'],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'cn' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'testuser',
[…] ],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'groupmembership' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'ou=FW,ou=Support,o=Karlsruhe'
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: ],
Web Security
CLI Web Security
/ Categorization
Since Version 7.302 the Astaro Security Gateway includes the content filter product SmartFilter
XL from Secure Computing.
Scenario 1: The administrator wants to check in which category a particular web site is included.
Verify with: Start the browser and open the web page:
http://www.astaro.com/support/support_resources and click the link “Astaro Web Filtering Site
Test”.
CLI Web Security
/ Details of Content Filter Log
On this slide the important fields of the HTTP proxy log file are described for detailed troubleshooting.
Log-Entry    Meaning
sub="http" name="http access" action="pass"    Access allowed
srcip="172.16.65.2"    Client IP
cached="0"    The web page was not loaded from the cache
filteraction="action_REF_DefaultHTTPCFFAction"    Used filter action; the reference can be resolved in the WebAdmin using Support » Advanced » Resolve REF_.
size="6835" time="782 ms"    Size and download time for this request
CLI Web Security
/ HTTP Proxy in Debug Mode
Common problems with the HTTP proxy can be solved with an in depth log analysis or are in
conjunction with authentication problems (see there). More detailed information is provided when
activating the debug mode for the HTTP proxy.
Attention: All debug levels are only active until the next change or restart of the http proxy
E-Mail Security
CLI E-mail Security
/ SMTP Log (1)
The MailManager provides an SMTP Log where the administrator can easily see the results of the mail processing and can filter these messages by different filter criteria.
More information about the MailManager can be found in the corresponding chapter of the courseware.
Double-clicking an entry in the log view opens a new window with more information about an e-mail and the Message ID for this e-mail.
The Message ID can be used to find more information about this particular e-mail in the actual SMTP log. For an advanced search the last two parts of the ID are necessary to find all information about the e-mail in the log file. For example 0002EF-2t is used to find every log line for this particular e-mail.
This advanced search can be done in the WebAdmin using Logging -> Search Log Files or on the command line in the file /var/log/smtp.log.
CLI E-mail Security
/ SMTP Log (2)
Scenario 1: An administrator wants to see all log entries for a particular e-mail.
Verify with: Click on the entry in the MailManager log view, type in the command
grep "0002EF-2t" /var/log/smtp.log on the command line
Scenario 2: The information provided by the SMTP log is not enough for troubleshooting.
Solution: The debug mode for the SMTP proxy can be activated like this:
Change the following line in the file /var/mdw/scripts/smtp:
Note: The SMTP proxy in debug mode generates a lot of logging messages which can cause a flooded log partition!
The debug mode should only be activated for a short period and deactivated after troubleshooting with the same procedure.
CLI E-mail Security
/ Greylisting
Scenario 3: An urgent e-mail was sent by an external partner and the administrator wants to check if the e-mail was delayed by Greylisting.
Solution: Inspection of the log file on the command line. Attention: The message cannot be seen in the MailManager and has to be searched manually.
In the example above Greylisting first rejects the message temporarily. The second part of this log extract shows the successful retry to deliver the message.
Please note that a new message ID is generated when the message is received for the second time.
Reporting
CLI Reporting
/ Overview (1)
Since version 7.300 all Reporting data is stored in the new PostgreSQL database.
CLI Reporting
/ Overview (2)
The administrator can check if all database processes and all reporter processes are running properly
using the command line.
Verify with: ps -ef |grep postgres on the command line
ps -ef |grep postgres
postgres 2939 1 0 Nov17 ? 00:00:09 /usr/bin/postgres -D /var/storage/pgsql/data
postgres 2948 2939 0 Nov17 ? 00:00:03 postgres: writer process
postgres 2949 2939 0 Nov17 ? 00:00:01 postgres: wal writer process
postgres 2950 2939 0 Nov17 ? 00:00:01 postgres: autovacuum launcher process
postgres 2951 2939 0 Nov17 ? 00:00:12 postgres: stats collector process
postgres 14097 2939 0 Nov18 ? 00:00:04 postgres: reporting reporting [local] idle
postgres 14333 2939 0 Nov18 ? 00:00:02 postgres: postgres smtp 127.0.0.1(36013) idle
postgres 7043 2939 0 00:15 ? 00:00:52 postgres: postgres smtp 127.0.0.1(58014) idle
PID 2939 is the postgres main process and the processes 2948-2951 are copying data within the
database. Furthermore there are two processes for the SMTP database visible for storing e-mails in the
quarantine.
These lines show the running reporter processes that are collecting data from logging (syslog-ng) and are
writing this information in the three databases RRD, ACCU, PostgreSQL.
CLI Reporting
/ Logging & Storage
All database errors can be found in the file /var/log/system.log and can be reviewed via WebAdmin
or the command line.
In case of problems with the database or the reporting, the administrator should search the log file for
PostgreSQL entries.
If messages like the following are found in the log file, the administrator is requested to open a
support call to restore the database with the help of Astaro support.
Note: The database files are not included in the backup file and can not be restored after a
database restore.
Scenario 1: The reporting is not working any more and the administrator wants to check if the storage
partition is full.
Verify with: df -h /var/storage/pgsql/data on the command line
Filesystem Size Used Avail Use% Mounted on
/dev/disk/by-label/storage 745M 208M 499M 30% /var/storage
Attention: The database files are stored under /var/storage/pgsql/data, but this is only a subfolder of
the storage partition /var/storage, which also holds the HTTP proxy cache, the SMTP quarantine
e-mails and more. When this partition is full it is not necessarily a database problem; it could
just as well be a problem with the HTTP cache or the SMTP proxy.
Site-To-Site VPN using
certificates
CLI Site-To-Site VPN using certificates / General
Scenario 1: The administrator wants to check if the IPsec connection is established successfully.
Verify with: Check in WebAdmin by clicking “Site-to-Site VPN”, or on the command line using the
command cat /proc/net/ipsec_eroute
When all lights are green the connection is established with both phases.
The output on the command line shows in addition the number of packets sent through the established
tunnel.
Lines similar to the following should appear in the log file for an established tunnel:
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established
There you can see that both phases are established successfully. The administrator should check the log
file after the first build-up of the tunnel. This log file can be found under /var/log/ipsec.log.
Note: If the tunnel is fully established in both phases but no packets pass through the tunnel, the packet
filter log and the packet filter rules should be checked.
CLI Site-To-Site VPN using certificates / Connection problems (1)
Scenario 1: The tunnel can not be established.
Solution 1: Check the network definitions on both sides of the tunnel. The “Local Networks” on one side have to be
configured as “Remote Networks” on the other side and vice versa.
packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no connection has been authorized with policy=PSK
Solution 2: Check the policy configuration on both gateways. This is important especially in case of different
gateway vendors.
Note: All default policies on the ASG have “strict policy” disabled. If you see the error message above, it is
possible that a connection is established but with different policy settings than specified in the policy. In this case
the ASG tries to establish a connection using “higher” security credentials.
In case of activated “strict policy” on both gateways the following messages will appear in the log file:
CLI Site-To-Site VPN using certificates / Connection problems (2)
Scenario 3: The tunnel can not be established.
Solution 3: Check the preshared keys on both gateways. These messages indicate different keys.
Solution 4: In this case the authentication was done with certificates and the branch office still uses the
old local self-signed certificate configured using the option “Local X509 Certificate” and not the
certificate provided by the headquarters. Check the certificate configuration.
Note: A good overview of the actual tunnel configuration is given in the file
/var/chroot-ipsec/etc/ipsec.conf. The entries stating “left” are for the local ASG, the entries stating “right” are for
the remote gateway. The file is dynamically created when activating a tunnel, and changes to this file are
discarded and ignored.
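The log checks from this section (both phases established for a connection, and the “no connection has been authorized” rejection) can be run over /var/log/ipsec.log in one pass. The following is an added example, not part of the Astaro courseware; the function name ipsec_tunnel_state is hypothetical, and the last two sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarize tunnel state from pluto log lines such as those in
# /var/log/ipsec.log. On an appliance: ipsec_tunnel_state < /var/log/ipsec.log

# Sample input. The first four lines are the log excerpt shown in this section;
# the last two are constructed (hypothetical connection name, timestamp prefix
# added to the rejection message) to show the failure cases.
SAMPLE_LOG='2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established
2008:11:20-12:05:10 (none) pluto[13925]: "S_REF_constructed_1" #280: ISAKMP SA established
2008:11:20-12:06:02 (none) pluto[13925]: packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no connection has been authorized with policy=PSK'

ipsec_tunnel_state() {
    awk '
    /pluto\[[0-9]+\]: "/ {
        split($0, q, "\"")                 # q[2] is the quoted connection name
        name = q[2]
        if (!(name in p1)) { order[++n] = name; p1[name] = 0; p2[name] = 0 }
        if ($0 ~ /ISAKMP SA established/) p1[name] = 1   # phase 1 (ISAKMP SA)
        if ($0 ~ /IPsec SA established/)  p2[name] = 1   # phase 2 (IPsec SA, Quick Mode)
    }
    /no connection has been authorized with policy=/ {
        # The peer asked for a policy that no local connection definition accepts.
        match($0, /packet from [0-9.]+:[0-9]+/)
        peer = substr($0, RSTART + 12, RLENGTH - 12)
        match($0, /policy=[A-Za-z0-9+_]+/)
        print "REJECTED peer=" peer " " substr($0, RSTART, RLENGTH)
        bad = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            name = order[i]
            if (p2[name])      state = "UP"            # IPsec SA seen in this log
            else if (p1[name]) state = "PHASE1_ONLY"   # stuck before Quick Mode completes
            else               state = "DOWN"
            if (state != "UP") bad = 1
            print state " " name
        }
        exit bad
    }'
}

printf '%s\n' "$SAMPLE_LOG" | ipsec_tunnel_state || true
```

A connection reported as UP that still passes no traffic points to the packet filter, as noted above, not to the IPsec negotiation.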
Miscellaneous issues
CLI / Lost passwords
dot10:/root # cc
127.0.0.1 MAIN >RAW
127.0.0.1 RAW >system_password_reset
127.0.0.1 RAW >Ctrl c (keys)
Log back into the WebGui and a set password prompt will appear.
CLI Miscellaneous issues/ Lost passwords
Download a suitable Linux LiveCD. The latest Ubuntu Linux distribution is confirmed to
work. Burn the ISO image to a CD.
Attach the peripherals to the ASG. You should see a command prompt that says 'login:' on
screen. Insert the LiveCD into the CD ROM and reboot the system. You should now be
booting into the LiveCD. Depending on the LiveCD, you may need to choose options to
boot into the system.
CLI Miscellaneous issues/ Lost passwords
Once booted, enter the console and gain root privileges. This is done with the 'su' command in
most distributions; for Ubuntu, it is 'sudo su'. Run the following; commands that must be
typed are in bold.
Linux> su
Linux# mkdir /mnt/asg
Linux# mount LABEL=root /mnt/asg
Linux# chroot /mnt/asg /bin/bash
Linux# passwd loginuser
Changing password for user loginuser
Password:
Retype Password:
Linux# passwd
Changing password for user root
Password:
Retype password:
Linux# exit
Linux# umount /mnt/asg
Now take the CD out of the CD ROM and reboot the ASG. Once
you have rebooted the ASG, you can sign in as root on the console of the system
using your new root password.
Reset the admin password from the ASG's console:
Log into the ASG via console and enter the following commands that are in BOLD.
dot10:/root # cc
127.0.0.1 MAIN >RAW
127.0.0.1 RAW >system_password_reset
127.0.0.1 RAW >Ctrl c (keys)
CLI Miscellaneous issues/ Up2date troubleshooting (1)
Scenario: System up2dates applied in WebAdmin do not up2date the system to the latest version.
This is useful for up2dating to a specific version rather than all the way to the latest, in particular with
up2dates that make large changes, such as our feature releases 7.100, 7.200, 7.300 and 7.400. Before
up2dating completely, it is usually useful, and causes fewer problems, to first up2date to the latest version in the
series prior to a feature release. For example, up2date only to 7.202 first, then up2date to the latest 7.30x
after the system reboots with a running 7.202 version.
CLI Miscellaneous issues/ Up2date troubleshooting (2)
Scenario: A ‘force’ of an up2date is required.
For up2date issues the combination of the --rpmargs and --force will have the greatest effect on loading
all current up2dates. In addition these can be combined with the --upto version in order to create a
powerful up2date order. This command is standard to run to effectively force all up2dates present to load
on a system despite previous up2date failures which may be triggered by customized RPM packages
having been loaded on the system previously.
Sometimes a new download or removal of an up2date will be required to resolve an issue if an up2date
has been corrected on the up2date servers or is otherwise corrupted on a customer system. Remove any
affected system up2dates from the AxG and run a new download:
dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # rm u2d-sys-7.301* (or whatever up2date you wish to remove)
If the download cannot communicate or authenticate to a server the download can be pulled directly from
the Astaro ftp servers into the /var/up2date/sys directory with a wget command such as:
dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # wget http://ftp.astaro.com/ASG/v7/up2date/u2d-sys-7.300.tgz.gpg
CLI Miscellaneous issues/ Restore a Backup from SSH
Scenario: WebAdmin access is unavailable but shell access is available, and there are backups stored on the AxG.
In the event that WebAdmin access is unavailable, it is possible to restore a currently saved backup file
from SSH or the direct console.
1) Login to ssh:
login: loginuser
password: loginuser password
root access: su
password: root password
Introduction to ACC
Astaro Command Center
/ Overview
Max Gateways supported: 20 | 50 | 100 | 200 | Unrestricted
System
Network ports: 2 x 10/100/1000 Mbps | 2 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps | 3 x 10/100/1000 Mbps
System Storage: 30 GB | 30 GB | 30 GB | 60 GB
Log/Reporting: 40 GB | 40 GB | 40 GB | 80 GB
*Depends on hardware platform used.
*Admin with full-access, clients with access to an average of 5 Gateways and 1/3 of the clients simultaneously logged in.
Astaro Command Center
/ Features
Astaro Command Center
/ ASG Configuration
AxGs must be configured with the IP/Hostname of the ACC Server and the shared secret.
The connection between ASG and ACC is SSL encrypted using port 4433.
Packet filter rules to allow this communication are created automatically.
Astaro Command Center
/ ACC Configuration (1)
Astaro Command Center
/ ACC Configuration (2)
Astaro Command Center
/ Gateway Manager
Astaro Command Center
Review Questions
Astaro Report Manager
Astaro Report Manager
/ Overview
Astaro Report Manager
/ Overview / Security Center
The Reporting Section offers more than 800 reports on information such as
Attacks
Bandwidth
Content Categorization
Event
Web Activity
Historical information can be viewed using the built-in calendar.
Information can be viewed in different formats and exported or printed.
Astaro Report Manager
/ Installation/Configuration
THE END.
Questions & Answers.