
Welcome to the training!

Astaro Certified Engineer


V7

Courseware Version EN-V7.4

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 1
DISCLAIMER

All rights reserved. This product and related documentation are protected by copyright and distribution under licensing
restricting their use, copy and distribution. No part of this document may be used or reproduced in any form or by any means,
or stored in a database or retrieval system, without prior written permission of the publisher except in the case of brief
quotations embodied in critical articles and reviews. Making copies of any part of this Training Courseware for any other
purpose is in violation of copyright laws.

While every precaution has been taken in the preparation of this document, Astaro assumes no responsibility for errors or
omissions and makes no explicit or implied claims to the validity of this information. This document and features described
herein are subject to change without notice.
This Astaro Training Courseware may not be sold by any company other than Astaro without prior written permission. Neither
Astaro nor any authorized distributor shall be liable to the purchaser or any other person or entity with respect to any liability,
loss or damage caused or alleged to have been caused directly or indirectly by this book.

Trademarks:
© Copyright 2000 - 2005, Astaro AG. Astaro Security Linux is a registered trademark of Astaro AG.
© Copyright 2000 - 2007, Astaro AG. Astaro Security Gateway is a registered trademark of Astaro AG.
© Copyright 2002 - 2005, Astaro AG. Astaro Configuration Manager is a registered trademark of Astaro AG.
© Copyright 1997 - 2005, Solsoft. Solsoft and Solsoft NP are trademarks of Solsoft.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective
companies. Specifications and descriptions subject to change without notice.

All other products or services mentioned herein are trademarks or registered trademarks of their respective owners. Use of a
term in this book should not be regarded as affecting the validity of any trademark or service mark. Consult your product
manuals for complete trademark information.

Agenda - ACE

DAY ONE
Astaro Product Overview
Available Products
AXG System Architecture
Refresher ACA
Networking
VLAN
Link Aggregation
Bridging
Policy Routing
OSPF
Quality of Service

DAY TWO
VoIP Security
H.323
SIP
Troubleshooting
WebGui
Command Line

DAY THREE
Additional Products
ACC
Astaro Report Manager

Before we start …
/ ACE Exam
ACE Certificates & Exams
ACE certification signifies that an individual has:
Achieved ACE certification
Passed the ACE web-based exam
Demonstrated knowledge required to implement and configure Astaro Security products with
extended features

How do you become an Astaro Certified Engineer?


By passing a web-based exam.
45 randomly generated questions must be answered within 60 minutes.
Training participants have one free attempt to pass the ACE Exam.
For login you will receive a voucher via e-mail shortly after the training.
The ACE Exam site is available at https://my.astaro.com/training/

How should you prepare for the ACE exam?


Actively participate in the training
Study the ACE-Courseware
Work through the Astaro product Manuals
Configure and test the discussed scenarios in practice

Before we start …
/ Course Objective

Upon completion of this course you should be:

• Familiar with the Astaro product line
• Able to configure Astaro products
• Able to troubleshoot common problems on Astaro products

„Get together is the beginning - work together is the success.“

Henry Ford

Astaro Product Overview

Product Overview

The Astaro product portfolio features easy-to-use “all-in-one” security gateways that enable IT managers to effectively protect their network from malicious Internet-based threats. Additional management tools support Astaro’s Gateway products with centralized management and reporting facilities.

All Astaro Gateway products with the exception of the Astaro Report Manager are based upon the same architecture. During the training we will use the term ‘AXG’ whenever we are referring to the common architecture. The specific product abbreviation (ASG, AWG) will be used whenever we are discussing a particular product.

Available Products
/Astaro Security Gateway
Astaro Security Gateway is a blend of open-source, proprietary and OEM technology, combined to create an all-in-one device that runs as the perimeter security gateway on a network.
Astaro Security Gateway is built on an integrated management platform that makes it easy to install and administer a complete security solution.

ASG Overview
/ Security Features

Astaro Security Gateway, based on Astaro's award-winning Astaro Security Linux, provides a complete package of 9 perimeter security applications.

Web Security
• Spyware Protection
• Virus Protection
• Content Filtering

E-mail Security
• Virus Protection for e-mail
• Anti-Spam/Phishing
• E-mail Encryption

Network Security
• Intrusion Protection
• SPI-Firewall and Proxies
• VPN-Gateway

ASG Overview
/ Available Appliances

Astaro Security Gateway 110/120
Users: 10/Unrestricted
Environments: Home office, small office
Network ports: 3 x 10/100 Mbps
Throughput (Mbps): Firewall 100, VPN 30, IPS/IDS 55
E-mails/day (without Mail-Security): 350,000
Concurrent connections: 60,000

Astaro Security Gateway 220a
Users: Unrestricted
Environments: Small business, branch office
Network ports: 8 x 10/100 Mbps
Throughput (Mbps): Firewall 260, VPN 150, IPS/IDS 120
E-mails/day (without Mail-Security): 500,000
Concurrent connections: 400,000

Astaro Security Gateway 320
Users: Unrestricted
Environments: Medium business, enterprise division
Network ports: 4 x 10/100 Mbps, 4 x 10/100/1000 Mbps
Throughput (Mbps): Firewall 420, VPN 200, IPS/IDS 180
E-mails/day (without Mail-Security): 1,000,000
Concurrent connections: 550,000

Astaro Security Gateway 425a
Users: Unrestricted
Environments: Large enterprise headquarters
Network ports: 8 x 10/100/1000 Mbps
Throughput (Mbps): Firewall 1200, VPN 265, IPS/IDS 450
E-mails/day (without Mail-Security): 1,500,000
Concurrent connections: 700,000

Astaro Security Gateway 525
Users: Unrestricted
Environments: Large enterprise core networks
Network ports: 10 x 10/100/1000 Mbps
Throughput (Mbps): Firewall 3000, VPN 400, IPS/IDS 750
E-mails/day (without Mail-Security): 2,200,000
Concurrent connections: >1,000,000

Product Overview
/Astaro Web Gateway
Effective “all-in-one” web security for your network:
Single, cost effective and easy to use point solution
Detects and blocks malicious code in HTTP or FTP traffic
Granular control of web site access and use of IM/P2P applications
Deploys as hardware, software, or virtual appliance
Web interface is the same as the ASG but with fewer features

AWG System Overview
/ Available Appliances

Astaro Web Gateway 1000
Recommended users: 100
Environments: Small networks
Network ports: 2 x 10/100/1000 Mbps
Throughput (Mbps): In-line 50, Antivirus/Web 20
User requests: 100 req./s

Astaro Web Gateway 2000
Recommended users: 250
Environments: Medium networks
Network ports: 2 x 10/100/1000 Mbps
Throughput (Mbps): In-line 80, Antivirus/Web 40
User requests: 375 req./s

Astaro Web Gateway 3000
Recommended users: 750
Environments: Medium networks
Network ports: 3 x 10/100/1000 Mbps
Throughput (Mbps): In-line 150, Antivirus/Web 80
User requests: 120 req./s

Astaro Web Gateway 4000
Recommended users: 2000
Environments: Large networks
Network ports: 3 x 10/100/1000 Mbps
Throughput (Mbps): In-line 250, Antivirus/Web 130
User requests: 3000 req./s

Astaro Web Gateway Virtual Appliance
Recommended users: Unrestricted
Environments: Small to large networks
Network ports and throughput: depend on the hardware platform used.

Product Overview
/Astaro Email Gateway
Effective “all-in-one” Email security for your network:
Single, cost effective and easy to use point solution
Detects and blocks malicious code and SPAM in SMTP or POP3 traffic
Provides end user Quarantine management through secure portal
and daily SPAM reports
Provides Email Encryption
Web interface is the same as the ASG but with fewer features

AMG System Overview
/ Available Appliances

Astaro Mail Gateway 1000
Recommended users: 100
Environments: Small networks
Network ports: 2 x 10/100/1000 Mbps
Throughput (Mbps): In-line 50, Antivirus/Web 20
User requests: 100 req./s

Astaro Mail Gateway 2000
Recommended users: 250
Environments: Medium networks
Network ports: 2 x 10/100/1000 Mbps
Throughput (Mbps): In-line 80, Antivirus/Web 40
User requests: 375 req./s

Astaro Mail Gateway 3000
Recommended users: 750
Environments: Medium networks
Network ports: 3 x 10/100/1000 Mbps
Throughput (Mbps): In-line 150, Antivirus/Web 80
User requests: 120 req./s

Astaro Mail Gateway 4000
Recommended users: 2000
Environments: Large networks
Network ports: 3 x 10/100/1000 Mbps
Throughput (Mbps): In-line 250, Antivirus/Web 130
User requests: 3000 req./s

Astaro Mail Gateway Virtual Appliance
Recommended users: Unrestricted
Environments: Small to large networks
Network ports and throughput: depend on the hardware platform used.

Product Overview
/ Astaro Report Manager
Data collection and reporting solution for internal security
analysis:
Centralized collection, correlation and analysis of syslog data
Documentation of security infrastructure effectiveness
More than 800 tailored security and activity reports
Real-time monitoring dashboard for instant security incident visibility

Product Overview
/ Astaro Report Manager

The Astaro Report Manager is a centralized reporting engine which gives you the ability to collect and analyze log data from one or more ASG installations.

The Report Manager allows you to create robust drill-down reports in a variety of output formats like Word, Excel, HTML and PDF.

With advanced attack and event analysis, users can create rule-based alerts which can notify administrators when user-defined thresholds have been passed.

Product Overview
/ Astaro Compliance Reporter
The Astaro Compliance Reporter for PCI is an automated service that allows organizations operating under Payment Card Industry (PCI) regulation to easily conduct a formal risk assessment, as required by the PCI Data Security Standard.

Product Overview
/ Astaro Command Center
Provides Centralized Management of Large Astaro Gateway
Deployments.
Dashboard views display the most important system parameters for
all selected devices.
List views offer detailed information about specific parameters, such
as detected threats or resources in use.
The world map makes it simple to localize Astaro Security Gateways
within a large global network and enables a quick overview of the
security status.
A complete hardware inventory of all Astaro Security Gateways is
available via a single mouse click.

Astaro Command Center is available free of charge!
Based on the same architecture and management components as the Astaro Security Gateway, the Command Center employs similar flexible deployment options.

System Architecture

AXG System Overview
/ Architecture

AXG is based on Novell/SUSE® Linux Enterprise 10.
AXG comes with its own hardened and compiled 2.6.x kernel.
SLES10 RPMs are used but are completely recompiled.
All major processes including the WebGUI run in chroot environments.
AXG is built upon a number of Open Source projects; many of those are actively developed in cooperation with Astaro, others are sponsored by Astaro.

Architecture
/ Open Source Module

Open source software is distributed with the source code freely available for alteration and customization.

Collective work of many programmers.

Resulting software can become more useful and free of holes and bugs.

Astaro leverages the flexibility and innovation of Linux and Open Source.

Configuration
/ Administration Workflow

Every function can be configured and controlled via the WebAdmin interface.

There is no need to interact with any of the other components or the Command Line Interface (CLI) using a shell like Bash.

Refresher ACA

This chapter provides a refresher of key areas covered during the ACA course.

Refresher ACA
/ Setting up Ethernet Interfaces

An Ethernet interface is a standard 10/100/1000 Mbit network card.
Things to remember:
Set the correct IP address for each interface with the correct netmask
Only define one default gateway unless you are using Uplink Balancing
Make sure that each interface has a unique address range in your environment

Refresher ACA
Network Settings / Additional IPs on an Interface
Additional IPs are typically referred to as aliases and follow the same rules as “Standard Ethernet” interfaces.

This feature allows administrators to assign multiple IP addresses to one physical Ethernet interface.

Commonly used with NAT (Network Address Translation).

Limited to 100 aliases per interface.

Restrictions:
No DHCP address assignment
No accounting and monitoring
No IPSec tunnel endpoint

NOTE: An IP alias should be from the same IP network range as the primary address of the interface to prevent possible problems such as IP spoofing. Nevertheless, addresses from other ranges are allowed.
Refresher ACA Network Settings
/ Uplink (WAN) balancing
Allows for ‘bonding’ of multiple internet connections.
Two modes offered:
Active/Passive (Failover) where the second internet connection only becomes active when the primary goes down
Active/Active (Multipath) where all internet connections are active and traffic is balanced across them. Traffic automatically fails over to other available links in the event of an outage.
After adding interfaces to the Uplink group a new definition called Uplink Interfaces will be automatically created and used by any packet filter and DynDNS rules.

Once Uplink balancing is enabled each interface can be configured with its own default gateway and will have its own routing table.

Refresher ACA /Network Settings
/ Multipath Rules

Allows administrators to specify which internet connection traffic should use.

This is different from policy routing since the rules benefit from being able to use other connections if the desired interface is down.

Ability to create sticky or persistent connections by:
Combination of source and destination
By connection
By source OR destination
By interface

NOTE: In the Site-to-Site VPN section, there is now a new choice for the “local interfaces” drop-down box, which allows you to select “Uplink Interfaces”. This resolves to the first available interface in the available interfaces box, increasing the redundancy available to site-to-site VPNs.
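The persistence options above can be made concrete with a small model. The following Python is an added example and not Astaro's multipath implementation: the uplink names, the flows and the use of rendezvous hashing are constructed assumptions. It shows how a sticky choice is derived from the chosen flow attributes, how it stays stable when an unrelated link fails, and how flows on a failed link move to a link that is still up.

```python
import zlib

# Constructed uplink group (interface names are assumptions, not from the courseware).
UPLINKS = ("eth1-dsl", "eth2-cable", "eth3-lte")


def persistence_key(flow, mode):
    """Pick the flow attributes that define 'the same connection' for stickiness,
    following the options the slide lists (interface persistence is a property
    of the uplink rather than of the flow, so it is not modelled here)."""
    src, dst, proto, sport, dport = flow
    if mode == "source_destination":
        return f"{src}->{dst}"
    if mode == "source":
        return src
    if mode == "destination":
        return dst
    if mode == "connection":
        return f"{proto}:{src}:{sport}->{dst}:{dport}"
    raise ValueError(f"unknown persistence mode {mode!r}")


def select_uplink(flow, mode, uplinks=UPLINKS, down=frozenset()):
    """Rendezvous (highest-random-weight) hashing over the uplinks that are up.
    CRC32 is used only because it is deterministic across processes; it is not
    a security primitive. Because each link is scored independently, taking a
    link down moves only the flows that were pinned to it; every other flow
    keeps its previous uplink."""
    available = [u for u in uplinks if u not in down]
    if not available:
        raise RuntimeError("no uplink available")
    key = persistence_key(flow, mode)
    return max(available, key=lambda u: zlib.crc32(f"{key}|{u}".encode()))


if __name__ == "__main__":
    flow = ("10.0.0.5", "203.0.113.7", "tcp", 40000, 443)
    chosen = select_uplink(flow, "source_destination")
    print("pinned to", chosen)
    print("after", chosen, "fails:",
          select_uplink(flow, "source_destination", down={chosen}))
```

With the "source" mode every flow from one client shares an uplink regardless of destination, which is what keeps sessions to sites that check the client address from breaking; "connection" mode gives the finest spread at the cost of that property.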

Refresher ACA
/ Network Address Translation / Masquerading

Used if one (or multiple) internal networks should be hidden behind one official IP address.
Especially useful if private IP address ranges are used.

Figure: internal RFC 1918 IP addresses are masqueraded behind the public IP.

Refresher ACA /Network Address Translation
/ DNAT & SNAT

Destination Network Address Translation (DNAT) is used if an internal resource should be accessible via an IP address assigned to the firewall, e.g. a server in a DMZ.

Source Network Address Translation (SNAT) is used like masquerading, but allows more granular settings.

Note: DNAT occurs before packet filtering takes place. Ensure your packet filtering rules have the translated address as the destination or use the ‘Automatic Packet Filter rule’ option.

Refresher ACA
/ Packet filtering Architecture

ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.

Figure (reconstructed from the slide diagram): packet flow through the netfilter chains

incoming packets -> PREROUTING (dnat, conntrack, mangle, spoofdrop) -> Routing
Routing -> FORWARD (mangle, filter, ips) -> POSTROUTING (masquerading, snat, conntrack, mangle) -> outgoing packets
Routing -> INPUT (mangle, filter, ips) -> Local Processes
Local Processes -> OUTPUT (conntrack, mangle, dnat) -> OUTPUT (mangle, filter, ips) -> Routing -> POSTROUTING

Local Processes: Apache, SOCKS, SQUID, IPSEC, EXIM, SSHD, PPTP, BIND

Tables: Filter, NAT
Refresher ACA
/ Packet Filter - Configuration Principles (1)
You only need to maintain one table of filter rules.

ASG automatically creates correct entries in the INPUT, OUTPUT or FORWARD chain as necessary.

The rules in the table are ordered. The first rule to match decides what is done with the packet.

Possible actions are:
Allow
Drop
Reject

Any action allows optional logging.

If no filter rule matches, the packet is dropped and logged!

Astaro Security Gateway starts with an empty table but keeps implicit internal rules for all services it is using itself.
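The DNAT note in the previous section (DNAT runs before filtering, so filter rules must name the translated address) and the rule-table principles above (ordered table, first match decides, no match means drop and log) fit into one small simulation. This Python model is an added example, not ASG code: the packet, rule and DNAT values are constructed, and matching is simplified to CIDR source/destination plus an exact protocol and port.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR network or "any"
    dst: str            # CIDR network or "any"
    service: tuple      # (proto, dport) or ("any", 0)
    action: str         # "allow", "drop" or "reject"
    log: bool = False   # optional logging, available on any action


def _match_net(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def _match_service(service, pkt):
    proto, port = service
    return proto == "any" or (proto == pkt.proto and port == pkt.dport)


def prerouting_dnat(pkt, dnat_rules):
    """nat/PREROUTING: rewrite the destination before any filtering happens."""
    for (public_dst, proto, port), internal_dst in dnat_rules.items():
        if pkt.dst == public_dst and pkt.proto == proto and pkt.dport == port:
            return replace(pkt, dst=internal_dst)
    return pkt


def filter_packet(pkt, rules, log):
    """Ordered filter table: the first matching rule decides; no match means drop and log."""
    for index, rule in enumerate(rules):
        if (_match_net(rule.src, pkt.src) and _match_net(rule.dst, pkt.dst)
                and _match_service(rule.service, pkt)):
            if rule.log:
                log.append(f"rule {index}: {rule.action} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return rule.action
    log.append(f"default: drop {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return "drop"


def process(pkt, dnat_rules, filter_rules, log=None):
    """PREROUTING (dnat) first, then the FORWARD filter table; returns the action."""
    log = [] if log is None else log
    return filter_packet(prerouting_dnat(pkt, dnat_rules), filter_rules, log)


# Constructed scenario: a DMZ web server published on a firewall-owned public IP.
DNAT = {("198.51.100.10", "tcp", 80): "192.0.2.80"}
# Written against the public address: never matches, because DNAT already ran.
WRONG_RULES = [Rule("any", "198.51.100.10/32", ("tcp", 80), "allow")]
# Written against the translated address: matches (this is what the
# 'Automatic Packet Filter rule' option generates for you).
RIGHT_RULES = [Rule("any", "192.0.2.80/32", ("tcp", 80), "allow", log=True)]
WEB_REQUEST = Packet("203.0.113.5", "198.51.100.10", "tcp", 80)

if __name__ == "__main__":
    for rules in (WRONG_RULES, RIGHT_RULES):
        events = []
        print(process(WEB_REQUEST, DNAT, rules, events), events)
```

Running it shows the request being dropped and logged by the implicit default when the rule names the public address, and allowed (with its optional log line) when the rule names the DMZ address; the default-drop log line is the first thing to look at when a published service is unreachable.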

Refresher ACA
/ Packet Filter - Configuration Principles (2)

Default View (columns of the packet filter rule table):
Action
Source and Destination
Service
Enable/Disable
Description (optional)
Order
Groupname
Edit or delete

Refresher ACA
/ Packet Filter - Configuration Principles (3)

To create new or edit existing rules:

Assign or create a group
Name: Name for the rule
Move rule to a specific position
The sources: IP or Group
The service: TCP/UDP/IP
The destinations: IP or Group
What to do: Allow, Drop or Reject
When to do: The time
Log Packets: Yes or No
Comment: Whatever helps

Refresher ACA
/ DNS - Configuration
Global:
Accepts DNS requests from allowed internal networks (e.g. your AD servers, clients in smaller networks)
Forwarders:
Forwards DNS requests of the ASG to e.g. provider DNS servers
Request Routing:
When the ASG should be able to resolve the hostnames of an internal domain hosted on your own internal DNS server, this server can be used as an alternate server to resolve names which should not be resolved by the DNS forwarders.
Static Entries:
Handles static mappings of hostnames to IP addresses

Refresher ACA
High Availability & Clustering
/ Overview

No more single point of failure!

Figure: LAN and Internet connected through redundant switches, redundant links and redundant hardware (legend: double line = aggregated links).

Refresher ACA
High Availability & Clustering
/ HA Modes
Active-Passive HA (Standby)
Only the Master is active
Passive (Slave) takes over in case of failure
Configuration settings and operational states are synchronized
Each ASG requires its own base license. Only one set of subscriptions is necessary for both units.

Active-Active HA (Cluster)
Offers High Availability AND load balancing
All appliances are active at the same time
Application traffic is actively balanced across the cluster of nodes
A maximum of 10 units can be added to the cluster.
Each unit in the cluster requires the same licenses for both base and subscriptions.

Refresher ACA
High Availability & Clustering
/ Hot Standby Mode

Hot Standby Mode

Figure: Master and Slave linked by Status & Config Synchronisation.

All tunnels, SPF connections (IP conntrack) and quarantined objects are synchronized.

Stateful failover < 2 sec

Refresher ACA
High Availability & Clustering
/ Active-Active-Mode
High Availability (Active/Active) (load balancing)

Active/Active Mode

Figure: Master, Slave and cluster nodes between LAN and Internet, fully meshed. Master runs packet filtering and distributes the load; Slave and cluster nodes handle the load. Scalable: 1 Gigabit/sec VPN, IPS, AV, AS.

Note:
Packet Filtering runs on the Master only
Balanced services are:
AV for HTTP, FTP, SMTP, POP3
AS for SMTP, POP3
IPSec
IPS
Cluster distribution is round robin, except HTTP which is session based.
Refresher ACA
High Availability & Clustering
/ Auto Configuration (1)

Automatic Configuration = Default Configuration

Both devices configure themselves upon connection through the HA port
To configure an Active/Active Cluster, only the Master needs to be configured to „Cluster Mode“
Appliances: HA interface eth3 (HA port)

Figure: Master and Slave connected via the HA port (eth3).

Refresher ACA
High Availability & Clustering
/ Auto Configuration (2)
Step 1:
Activate HA (if necessary)

Default setting for appliances (HA-Port)

If HA is active, Status will look like this (see screenshot).

Refresher ACA
High Availability & Clustering
/ Auto Configuration (3)
Step 2:
Connect other HA device
Make sure the cabling is correct
Start the device

If everything is correct, the system switches to active/passive operation automatically.

Refresher ACA
High Availability & Clustering
/ Disabling Master-Slave

Disabling Master/Slave:

Switch back Operation mode to „Off“

The slave device will perform a factory reset and shut down.

Refresher ACA
High Availability & Clustering
/ ASG Cluster Configuration (1)
Cluster Configuration:

For the Master System:

Set Operation Mode to „Cluster“
Configure NIC
Configure Device name, e.g. Node1
Select Node ID (1, 2, 3…)
Configure an encryption key
By default the Master will configure any new devices
(Optional) Configure a backup interface which will be used if the dedicated NIC fails.

Refresher ACA
High Availability & Clustering
/ ASG Cluster Configuration (2)
Cluster Configuration:

For the Slave System:

The slave system is still configured to auto configuration on eth2 from before (check, if not sure)
Make sure cabling is correct
Power on the device

Once the slave is working, you can see the HA status.
It will display „Operation Mode: Cluster“

Refresher ACA /User Authentication
/ Groups
The Users>>Groups section on the AxG allows the administrator to create and manage local and/or remote user groups.

Common Group Types:
Local Groups will consist of static members which are user accounts located on the AxG. These accounts can either be locally or remotely authenticated.

Backend membership groups may be dynamically updated and modified by making changes to the group object on the remote authentication server (an example would be an AD security group).

Use the Limit to backend group(s) membership checkbox to specify a specific security group or container on your remote authentication server.

Use the built-in LDAP browser to view the remote server tree if using eDirectory or Active Directory.
Refresher ACA /Remote Authentication
/ Available Methods
Astaro has the following options for remote user authentication:

eDirectory
Novell, partly LDAP based
Active Directory
Microsoft, partly LDAP based
RADIUS
Remote Access Dial-In User Service
Livingston Enterprises, later RFC
TACACS+
Terminal Access Controller Access-Control System Plus
Cisco, now RFC
LDAP
Lightweight Directory Access Protocol
OSI, X.500, now RFC

Refresher ACA /Remote Authentication
/ Global Settings
When using remote authentication the AxG can be configured to automatically add user accounts when users successfully authenticate against:

HTTP Proxy
End User Portal
SSL VPN
WebAdmin

NOTE: Automatically creating user accounts for HTTP Proxy users in large environments (eDirectory) is not suggested and will have an adverse effect on the AxG performance.

Refresher ACA /Remote Authentication
/ Novell eDirectory
With AxG V7 eDirectory SSO, Novell users will only need to authenticate once
at initial client login to gain web access to the Internet.

Once authenticated, Web security capabilities of AxG are applied to web surfing
based on the user or group without the need for further authentication at the
browser level.

Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an
administrator to verify their BIND User DN settings as well as verify individual
user account credentials.

Refresher ACA /Remote Authentication
/ Novell eDirectory
Advanced options let you set the synch interval, which is how often the AxG will query (poll) the eDirectory server for updated account information relating to relevant information such as logins/logouts and group changes.
Prefetching of user accounts can be done on the fly or may be scheduled.
As of version 7.400 the AxG software also supports Event Based eDirectory synchronization. This new feature is an eDirectory option which requires version 8.7 or higher.
Event Based synchronization replaces the existing Polling method, which will be used if the eDirectory server does not support this feature.
Event Based synchronization will instruct the eDirectory server to send notifications of any changes such as logins or logouts.
Event Based synchronization can help to significantly reduce the network load between the AxG and the eDirectory server.

Refresher ACA /Remote Authentication
/ Novell eDirectory

When creating Groups from the Novell eDirectory, ASG offers a very convenient eDirectory Browser.

It allows you to select user groups directly through the WebAdmin Interface.

NOTE:
• SSO in eDir does not work on machines where more than one user is logged in (Terminal Servers).

Refresher ACA /Remote Authentication
/ Active Directory
With AxG V7 Active Directory SSO, domain users will only need to authenticate once at initial client login to gain web access to the Internet.

Based on the AxG V7 SSO authenticated user, user/group based access control and content inspection profiles can be assigned.

AD SSO requires either Kerberos or NTLMv2 for authentication.

Features such as the ‘Test Server’ and ‘Test Settings’ buttons allow an administrator to verify their BIND User DN settings, verify a user account is active, and to see what group they belong to.

Administration is eased via the built-in LDAP browser.

Prefetching of user accounts can be done on the fly or by schedule.
Refresher ACA /Remote Authentication
/ Active Directory
As of version 7.400 the AxG software now supports Windows Server 2008 Native mode.

To enable AD SSO you must:

Verify that the time and time zone settings are the same on both the AxG and the AD server.
Create a DNS ‘A’ record on the AD server that matches the FQDN hostname you have assigned to the AxG.
Configure the AxG to use the AD server as a DNS forwarder OR create a DNS request route for the AD domain which points to the AD DNS server.
When configuring the AD SSO section the domain must be complete (ASTARO.COM), and should be entered in ALL CAPS.
Use the same admin username that you had used in the BIND DN section.

Refresher ACA /Web Security
/ Overview

Astaro’s Web Security is offered as a subscription on the ASG and as a solution on the Astaro Web Gateway (AWG).

Astaro Web Security provides a complete solution to protect users against malicious content, and allows an organization to enforce their web usage policy through flexible policies.

Firewalls only pass HTTP/S traffic and are unable to scan for malware such as viruses, adware, spyware and rootkits.

HTTP/S proxies ensure client PCs never directly connect to outside resources.

Web Security allows administrators to block anonymous proxies, port forwarding sites and applications, and block/control IM/P2P applications.

Refresher ACA /Proxies
/ Theory

A Proxy (or Application Level Gateway) acts as a relay between a client and a server.
It plays the roles of client and server at the same time.
It speaks one or a few application specific protocols.

Figure: Client -> HTTP/S Request -> Proxy -> HTTP/S Request -> Server; Server -> HTTP/S Response -> Proxy -> HTTP/S Response -> Client.

Refresher ACA Web Security
/ HTTP/S Proxy – Overview

The HTTP/S Proxy provides:

Different proxy modes including user authentication
Antivirus/malware scanning
Extension/MIME type blocking
Content Filtering
HTTP/S Protocol Enforcement
Local content caching
The ability to create different profiles for different users, groups, or networks

Refresher ACA /Web Security
/ HTTP/S Global Configuration

Networks that are listed in the ‘Allowed Networks’ section will be allowed to use the proxy.

HTTPS (SSL) traffic can also be proxied and scanned. To do this the AxG will need to create and maintain the chain of trust between the client and the web server. This is done via a system of certificate exchanges.

The HTTP/S live log will provide detailed information on connections and the ability to filter on specific users or IP addresses.
Information found in the Live Log includes Date, Time, Source IP, Username, Status of connection (Pass, Fail, Timed Out, Target Service Not Allowed), URL.
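The live-log fields listed above can be worked with offline. The following Python is an added example and not Astaro's live-log format or tooling: the courseware names the fields but not the line layout, so the sample lines use a constructed key="value" layout, and the user and IP values are made up. The helpers parse such lines, narrow them by username or source IP as the live-log view allows, and tally the non-Pass statuses per source so an administrator can spot a client that keeps failing or timing out.

```python
import shlex
from collections import Counter

# Connection states the slide lists for the live log.
STATUSES = {"Pass", "Fail", "Timed Out", "Target Service Not Allowed"}

# Constructed sample lines in an assumed key="value" layout (the courseware does
# not show the real line format, only the fields it contains).
SAMPLE_LOG = """\
date="2008-03-14" time="10:21:05" srcip="192.168.1.20" user="jdoe" status="Pass" url="http://www.example.com/index.html"
date="2008-03-14" time="10:21:09" srcip="192.168.1.20" user="jdoe" status="Fail" url="http://www.example.com/tool.exe"
date="2008-03-14" time="10:22:31" srcip="192.168.1.33" user="asmith" status="Timed Out" url="http://slow.example.net/"
date="2008-03-14" time="10:23:02" srcip="192.168.1.33" user="asmith" status="Target Service Not Allowed" url="ftp://files.example.org/"
date="2008-03-14" time="10:23:40" srcip="192.168.1.20" user="jdoe" status="Pass" url="https://secure.example.com/"
"""

REQUIRED = ("date", "time", "srcip", "user", "status", "url")


def parse_line(line):
    """Split one key="value" line into a dict. shlex keeps quoted values that
    contain spaces (e.g. "Timed Out") together. Malformed lines raise
    ValueError instead of silently producing a partial record."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"token without '=' in line: {line!r}")
        fields[key] = value
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields {missing} in line: {line!r}")
    if fields["status"] not in STATUSES:
        raise ValueError(f"unknown status {fields['status']!r}")
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def filter_entries(entries, user=None, srcip=None):
    """Narrow the log the way the live-log view does: by username and/or source IP."""
    return [e for e in entries
            if (user is None or e["user"] == user)
            and (srcip is None or e["srcip"] == srcip)]


def non_pass_by_source(entries):
    """Count Fail / Timed Out / Target Service Not Allowed entries per source IP."""
    counts = Counter(e["srcip"] for e in entries if e["status"] != "Pass")
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in filter_entries(entries, user="jdoe"):
        print(e["time"], e["status"], e["url"])
    print(non_pass_by_source(entries))
```

Rejecting unknown status values rather than accepting them keeps a parser honest when the appliance's log format changes between versions; a silent partial parse is the usual way a monitoring script starts reporting nothing.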

Refresher ACA Web Security/
/ HTTP/S Global Configuration
HTTPS Proxy configuration

To establish the chain of trust the HTTPS proxy uses Verification CAs and a Signing CA.

A new tab in Web Security called HTTPS CAs contains the major Global Verification CAs which are in use today and the Signing CA.

NOTE: It is also possible to upload your own Verification CA if necessary. Under most circumstances though it will not be necessary to make changes on this tab.

Refresher ACA / Web Security
/ HTTP/S Global Configuration
HTTPS Proxy configuration/testing

To use the HTTPS proxy the client browsers will need to import or “Trust” the Proxy CA that exists on their AxG. There are 3 ways administrators can deploy this to their users:
1. Have the users sign in to the UserPortal, select the “HTTPS Proxy” tab, and import the proxy CA certificate. Select all option-boxes and select “OK”, and the import will finish. Note that you should do this for all browsers you use.
2. Publish the CA using an Active Directory Group Policy. As the administrator, navigate to Web Security >> HTTP/S and select the “HTTPS CAs” tab. From there, click the “Download” button at the top in the “Signing CA” section, and use Active Directory to distribute it to your network users.
3. Have the users download it directly from the Astaro device via a special URL, by navigating to https://passthrough.fw-notify.net/cacert.pem in their browser, then selecting all the checkboxes on the import dialog box and selecting “Ok” to complete the process.

Once deployed, HTTPS scanning can be verified by using a test file from a site that vendors use. This file will be reported as “malware/virus” though it is in fact harmless and designed just for this type of testing: https://secure.eicar.org/eicar_com.zip

Refresher ACA / Web Security
/ HTTP/S Operational Modes

Standard
- Proxy listens on port 8080
- Allows any network listed in Allowed Networks to connect
- Client browser must be configured
- HTTP proxy service requires a valid Domain Name Server (DNS)

Transparent
- Proxy handles all traffic on port 80
- Client doesn’t need to touch browser configuration
- Proxy cannot handle FTP and HTTPS
- Packetfilter must allow port 21 and 443
- No HTTP on other than port 80
- Clients must be able to resolve DNS hostnames themselves!

* Full transparent mode preserves the original source IP of the client machine instead of replacing it with the proxy IP

Refresher ACA / Web Security
/ HTTP/S Operational Modes

- Active Directory and eDirectory modes transparently authenticate users but require that the client browser has been configured to use a proxy server.
- These settings can be configured manually in the browser or pushed out by a group policy.
- A popular alternative for environments with laptop users is to use a proxy configuration file which can be configured to first check the local network before applying proxy settings. More information and examples can be found at the following URL: http://en.wikipedia.org/wiki/Proxy_auto-config

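As an added example (not from the courseware or from Astaro), a proxy auto-config file of the kind the slide describes, for laptops that are sometimes on the office LAN and sometimes elsewhere. The office network (192.168.0.0/16), the proxy address (192.168.1.1, Standard mode port 8080) and the internal domain (corp.example) are constructed values, and the PAC helper functions are shimmed only when a browser does not provide them, so the policy can be checked offline.

```javascript
// Proxy auto-config (PAC) file for a site with an ASG HTTP/S proxy in
// Standard mode (port 8080). Added example, not part of the Astaro courseware.
// Constructed values, replace with your own: office LAN 192.168.0.0/16,
// proxy 192.168.1.1:8080, internal DNS domain corp.example.
var OFFICE_NET = "192.168.0.0";
var OFFICE_MASK = "255.255.0.0";
var PROXY = "PROXY 192.168.1.1:8080";
var INTERNAL_DOMAIN = ".corp.example";

// Dotted-quad IPv4 string to an unsigned 32-bit number, null if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Browsers implement isInNet, isPlainHostName and dnsDomainIs natively. The
// minimal versions below are only installed when they are missing (e.g. when
// this file is run under Node.js for testing). Unlike the browser version,
// this isInNet does not resolve hostnames: a non-IP host never matches.
if (typeof isInNet === "undefined") {
  var isInNet = function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.slice(host.length - domain.length) === domain;
  };
}

// The policy itself, separated from FindProxyForURL so it can be tested
// with an explicit client address (the browser passes myIpAddress()).
function chooseProxy(url, host, clientIp) {
  // Laptop away from the office: the ASG proxy is unreachable, so go direct
  // (the remote network's own protection applies there).
  if (!isInNet(clientIp, OFFICE_NET, OFFICE_MASK)) return "DIRECT";
  // On the office LAN: local destinations bypass the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, OFFICE_NET, OFFICE_MASK)) {
    return "DIRECT";
  }
  // Everything else must go through the proxy. No "; DIRECT" fallback: that
  // would let browsers bypass scanning whenever the proxy is unreachable.
  return PROXY;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return chooseProxy(url, host, myIpAddress());
}
```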
Refresher ACA / Web Security
/ Content Filter Profiles
HTTP Content Filter Profiles

- HTTP/S Profiles allow you to create different permissions for different users, groups, and/or networks.
- The configuration is done by linking Proxy Profiles and Filter Actions through Filter Assignments.

Refresher ACA / Web Security
/ Content Filter Profiles

- Flexible configuration is possible through Proxy Profiles and Filters.
- Each Profile holds a combination of options and settings.
- Allows for time, user and user group based filtering.
- The suggested way to create profiles is to work from the right to the left: first create your Filter Actions, then create your Filter Assignments, and then create your Proxy Profiles.

Refresher ACA / Email Security Mail Manager
/ Overview/Global tab

The Mail Manager allows you to view and manage the quarantined SMTP and POP3 messages for all users. Additionally you can view the SMTP log, which contains a record of all messages that have been handled by the AxG.
Statistics are shown on the Global tab listing e-mails Waiting for Delivery, Quarantined, and Rejected.
The Mail Manager utility is reached by clicking the Open Mail Manager in New Window button.

HINT:
Notice that only the administrator can release all types of messages held in quarantine. End users can only release Spam using the User Portal or the Quarantine Report.

Refresher ACA / Email Security Mail Manager
/ SMTP Quarantine

The SMTP Quarantine option lets the Administrator view all SMTP mails being held in Quarantine, and provides information on why each was not delivered.
- Filters are available to sort mails by type (Malware, SPAM, Expression…)
- Search by Sender/Subject, Date or any phrase
- Global actions for cleanup and release are available

HINT:
SPAM false positives that are incorrectly quarantined by the Heuristic engine can be automatically released and reported back to Commtouch.

Refresher ACA / Email Security Mail Manager
/ SMTP Spool/ Tips

The SMTP Spool option lets the Administrator view all SMTP mails processed but not delivered.

The AxG Mail Manager also features Tips which can offer guidance or explain terms.

Refresher ACA / Email Security Mail Manager
/ SMTP Log

The SMTP Log section displays an entry for all emails processed by the AxG. Messages can be sorted by Reason or Result.

Refresher ACA / Remote Access
/ Astaro SSL VPN Client

- Based on OpenVPN, 32 bit version. For 64 bit operating system support, download the latest OpenVPN client and configure it per the following KB article: http://portal.knowledgebase.net/article.asp?article=299973&p=5956
- Uses latest SSL version (TLS)
- Proven technology
- Used for all internet applications
- Offers secure and stable authentication and encryption
- Easy client installation and configuration
- Platform independent client application
  - Windows, Linux, Mac OS X, Solaris, OpenBSD, FreeBSD, NetBSD…
- Accessible from anywhere
  - Via NAT, UMTS, GPRS, DSL, ...
  - Using dynamic IP addresses…

Refresher ACA / SSL-based Remote Access
/ Configuration/Global

- Enable the SSL Remote Access status
- Drag and drop the Users or Group objects
- Drag and drop the Local Networks that users should be able to access
- If you unclick Automatic Packet Filter rules you will have to manually create PF rules in the Network Security >> Packet Filter section.

Refresher ACA / SSL-based Remote Access
/ Configuration/ Settings

- The Server Settings allow you to choose the protocol (TCP or UDP) to be used. Note that UDP will be much quicker though it may not work with all applications.
- The port number (443 by default). This can be changed if you already use 443 for a NAT rule.
- The Override hostname field must use a valid IP or hostname that clients can resolve!
- Pool network: The default settings assign addresses from the private IP space 10.242.2.x/24. This network is called the VPN Pool (SSL). If you wish to use a different network, simply change the definition of the VPN Pool (SSL) on the Definitions >> Networks page.
- Duplicate CN allows multiple users with the same common account name to connect.

Refresher ACA / SSL-based Remote Access
/ Installing the SSL VPN Client on Windows

Installing the SSL VPN Client Software
- The installation wizard copies all needed files to the client system.
- A virtual network card will be installed during the installation process.
- Since the relevant driver is not certified by Microsoft, a caution message will appear but can be ignored.

Refresher ACA / SSL-based Remote Access
/ Installing the SSL VPN Client on Windows

Using the SSL Client
- Log in with Username and Password.
- The connection dialogue box allows you to monitor the set-up of the connection.
- SSL VPN Remote Access can be disconnected by clicking <Disconnect>.

Refresher ACA / SSL-based Remote Access
/ Installing the SSL VPN Client on Windows

Connectivity Testing
- Log in with Username and Password.
- The connection dialogue box allows you to monitor the set-up of the connection.
- SSL VPN Remote Access can be disconnected by clicking <Disconnect>.

Refresher ACA / SSL-based Remote Access
/ Installing the SSL VPN Client on Windows

Configuration analysis & troubleshooting
- <Show Status> provides all details regarding authentication, encryption, routing, etc.
- <View Log> shows detailed log information depending on

Refresher ACA / SSL-based Remote Access
/ Configuring logon Scripts to run automatically

There are three different scripts that the SSL VPN GUI can execute to help with different tasks like mapping network drives automatically.
- Preconnect: If a file named "***_pre.bat" exists in the config folder, where *** is the same as your OpenVPN config file name, this will be executed BEFORE the OpenVPN tunnel is established.
- Connect: If a file named "***_up.bat" exists in the config folder, where *** is the same as your OpenVPN config file name, this will be executed AFTER the OpenVPN tunnel is established.
- Disconnect: If a file named "***_down.bat" exists in the config folder, where *** is the same as your OpenVPN config file name, this will be executed BEFORE the OpenVPN tunnel is closed.

Note that the ‘config’ directory may be named something like 'user@domain.com', and to use the _up.bat you must rename both this directory and the OpenVPN configuration file that is contained within it to something without special characters such as '@'. So you could rename this directory and the associated OpenVPN config file to 'userdomain.com'. Once this is done you can simply put your 'userdomain_up.bat' file into this directory and it will launch when you run the SSL VPN application.

Network

In this chapter you will learn about features not covered by the ACA course:
- VLAN
- Link Aggregation
- Bridging
- Policy Routing
- OSPF
- QOS

Networking
/ VLAN (1)

Virtual LAN (VLAN) technology allows a network to be separated into multiple smaller network segments on the Ethernet level (layer 2).
A VLAN switch plus a VLAN capable network interface simulate a number of physical interfaces plus cabling.
Every segment is identified by a "tag" (an integer number).
Adding a VLAN interface will create a virtual hardware device.

Example
PC1 and PC2 on the first floor and PC4 on the second floor will be connected together on VLAN 10.
PC3, PC5 and PC6 will be connected together on VLAN 20.
Both VLANs can communicate through the ASG's rulebase.

(Diagram: Host1, Host2, Host3 on Switch a, ports a1-a5; Host4, Host5, Host6 on Switch b, ports b1-b4; Router; Firewall)

Switch a
Port      VLAN Tag   tagged/untagged
1         10, 20     T
2 (PC1)   10         U
3 (PC2)   10         U
4 (PC3)   20         U
5         10, 20     T

Switch b
Port      VLAN Tag   tagged/untagged
1         10, 20     T
2 (PC4)   10         U
3 (PC5)   20         U
4 (PC6)   20         U

Networking
/ VLAN (2)

VLAN segments are distinguished by a tag (integer value), a 12-bit number, allowing up to 4095 virtual LANs.
When you add a VLAN interface, you will create a virtual hardware device that can be used to add additional interfaces (aliases) too.

NOTES:
- It is essential to check the HCL to ensure VLAN capable NICs are supported.
- PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
- Make sure you have installed a VLAN-capable NIC or refer to the HCL.

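An added example, not part of the courseware: a parser for the 4-byte IEEE 802.1Q tag that a VLAN-capable NIC inserts into each frame, showing where the 12-bit tag from the slide lives in the frame and how the reserved values 0 and 4095 are treated. The sample frames and MAC addresses are constructed.

```javascript
// Added example, not from the courseware: parser for the IEEE 802.1Q tag a
// VLAN-capable NIC inserts after the source MAC. The tag is 4 bytes: TPID
// 0x8100, then a 16-bit TCI = 3 bits priority (PCP), 1 bit DEI, 12 bits VID.
// VID 0 means "priority tagged, no VLAN" and 4095 is reserved, which is what
// bounds the number of usable VLANs the slide mentions.
var TPID_8021Q = 0x8100;
var VID_RESERVED = 0x0fff;

function macString(bytes, from) {
  var out = [];
  for (var i = from; i < from + 6; i++) {
    out.push(("0" + bytes[i].toString(16)).slice(-2));
  }
  return out.join(":");
}

// Parse the Ethernet header of a frame given as an array of byte values.
// Returns {dst, src, tagged, pcp, dei, vid, ethertype} or null if the frame
// is too short to contain the headers it claims to have.
function parseFrame(bytes) {
  if (bytes.length < 14) return null;
  var frame = { dst: macString(bytes, 0), src: macString(bytes, 6),
                tagged: false, pcp: null, dei: null, vid: null };
  var ethertype = (bytes[12] << 8) | bytes[13];
  if (ethertype === TPID_8021Q) {
    if (bytes.length < 18) return null;       // tag announced but truncated
    var tci = (bytes[14] << 8) | bytes[15];
    frame.tagged = true;
    frame.pcp = tci >> 13;
    frame.dei = (tci >> 12) & 1;
    frame.vid = tci & VID_RESERVED;
    ethertype = (bytes[16] << 8) | bytes[17]; // the real payload type follows
  }
  frame.ethertype = ethertype;
  return frame;
}

// Decide which VLAN a frame received on a switch port belongs to, the way
// the port table on the VLAN (1) slide implies: untagged (or VID 0) frames
// join the port's untagged VLAN, tagged frames keep their own VID, and the
// reserved VID 4095 is dropped. Returns the VID or null for "drop".
function frameVlan(bytes, portUntaggedVid) {
  var frame = parseFrame(bytes);
  if (frame === null) return null;
  if (!frame.tagged || frame.vid === 0) return portUntaggedVid;
  if (frame.vid === VID_RESERVED) return null;
  return frame.vid;
}

// Constructed sample frame: made-up MAC addresses, IPv4 ethertype 0x0800
// and the first byte of an IPv4 header. vid === null builds an untagged frame.
function sampleFrame(vid) {
  var dst = [0x00, 0x11, 0x22, 0x33, 0x44, 0x55];
  var src = [0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb];
  var payload = [0x08, 0x00, 0x45];
  if (vid === null) return dst.concat(src, payload);
  var tci = (5 << 13) | vid;                  // PCP 5, DEI 0, the given VID
  return dst.concat(src, [0x81, 0x00, tci >> 8, tci & 0xff], payload);
}
```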
Networking
/ Overview IEEE 802.3ad Link Aggregation

Link aggregation (LA, also known as "port trunking" or "NIC bonding") allows aggregating multiple Ethernet network ports into one virtual interface.
The Link Aggregation Control Layer (LACL) controls the distribution of the data stream to the different ports, communicating via the Link Aggregation Control Protocol (LACP).

Aggregated ports appear as a single IP address.

Link aggregation is useful to
- increase the link speed beyond the speed of any one single NIC
- provide basic failover and fault tolerance by redundancy
All traffic routed over the failed port or switch is automatically re-routed to remaining ports or switches.
Failover is completely transparent to the system using the connection.

NOTES:
– In a HA environment, Ethernet connections can even be on different HA units.
– Link partners must support IEEE 802.3ad.
– LA and Bridging cannot be combined. LA cannot work with DSL.

Networking
/ Link Aggregation using ASG

Link aggregation allows you to have:
- Two links trunked for speed, and
- Two links in redundancy mode
Requirement:
The link partner needs to support Link Aggregation

Networking
/ Link Aggregation – Configuration (1)

IEEE 802.3ad Link Aggregation
- Link Trunking (for speed)
- Link Redundancy (for high availability)
- Combination of both

To enable Link Aggregation:
- Add links to the group
- Astaro supports up to 4 Link Aggregation Groups

Networking
/ Link Aggregation – Configuration (2)

Up to four different link aggregation groups with a maximum of four Ethernet interfaces per group are possible.

To create a link aggregation group (LAG), proceed as follows:
1. Select the interfaces you want to convert into a link aggregation group.
2. Select the check box for each unconfigured interface you want to add to the LAG.
3. Enable the LAG.

On top of the bonding interface you can create one of the following:
- Ethernet Standard
- Cable Modem (DHCP)
- Ethernet VLAN
- Alias interfaces
To disable a LAG, clear the check boxes of the interfaces that make up the LAG and click Update This Group.
The status of the bonding interface is shown on the Support / Advanced / Interfaces Table tab.
The link partner needs to support 802.3ad. The MAC address of the first NIC in the LAG will be used for all other NICs within the LAG.

Networking
/ Bridging – Overview (1)

- Bridging occurs at the link layer (OSI layer 2).
- The link layer controls data flow, handles transmission errors, provides physical (as opposed to logical) addressing, and manages access to the physical medium.
- Bridges analyze incoming frames, make forwarding decisions based on information contained in the frames, and forward the frames toward the destination.

NOTE: Bridging does not require splitting a network in two subnets to integrate the ASG into an existing network.
(Diagram: "Split Subnet" versus "Keep Subnet")

Networking
/ Bridging – Overview (2)

- A bridge transparently relays traffic between multiple network interfaces.
- Basically, a bridge connects two or more physical networks together to form one bigger (logical) network.

How it works:
- The default gateway for 172.16.1.2 and 172.16.1.4 is 172.16.1.1
- 172.16.1.1 is the bridge interface br0 with ports eth1 and eth2

NOTE: All devices must have the same maximum packet size (MTU) since the bridge doesn't fragment packets.

Networking
/ Bridging – Overview (3)

The idea is that traffic between 172.16.1.4 and 172.16.1.2 is bridged, while the rest is routed, using masquerading.

How it works:
- When ethX interfaces are added to a bridge, they become a part of the br0 interface
- The Linux 2.6 kernel has built-in support for bridging via the ebtables project
- Ebtables has very basic IPv4 support
- Bridge-nf is the infrastructure that enables iptables/netfilter to see bridged IPv4 packets and do advanced things like transparent IP NAT
- It forces bridged IP frames/packets to go through the iptables chains

Networking
/ Bridging – Configuration (1)

Configuration Example:

Networking
/ Bridging – Configuration (2)

There are two advanced options available:
- Allow ARP Broadcasts
- Ageing timeout
By default, ARP broadcasts are not allowed to pass across the bridged interfaces.
If needed, enable the Allow ARP Broadcasts option.
As the network can change, we need to specify when to remove an entry due to inactivity; this is the Ageing timeout.

Networking
/ Policy Based Routing (1)

Policy-based routing provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators.
It provides a more flexible mechanism for routing packets, complementing the existing mechanism provided by routing protocols.
Packets can now be routed based on source IP address, source port and destination port, in addition to normal routing which is based on the destination IP address.

(Diagram: LAN 1, LAN 2 and DMZ 1 behind the ASG; Provider A reached via an MPLS router, Provider B via a DSL router; ERP traffic from LAN 2, SMTP traffic from DMZ 1)

Example:
Route ERP traffic from Finance to MPLS Provider:
  interface = any
  service = SAP
  source = Finance
  target = Provider A

Route SMTP traffic from DMZ to DSL Provider:
  interface = 2
  service = SMTP
  source = DMZ1
  target = Provider B

Networking
/ Policy Based Routing (2)

Policy based routing will route by selectors:
- Destination
- Source
- Service
- Source Interface
Policy based routing will route to targets:
- An interface
- A host
Limitations:
- It is not possible to select all traffic and route it, as this would be a default gateway
- Policy routes have an order which is evaluated in the same way as the packet filter (top to bottom)
- Only user defined policy routes are possible
- Network groups in policy routes are not possible
The following benefits can be achieved by implementing policy-based routing in the networks:
- Load Sharing
- Cost Savings
- Source-Based Transit Provider Selection
- Quality of Service (QoS)

OSPF
/ Overview

- OSPF = Open Shortest Path First
- Link-state hierarchical routing protocol
- Uses Dijkstra‘s SPF algorithm to calculate the shortest path tree.
- Open standard, developed by IETF
- ASG supports OSPF version 2, RFC 2328 (using the Quagga package, http://www.quagga.net)

- Interior Gateway Protocol (IGP) for routing within one autonomous system (AS)
- OSPF uses cost as its routing metric (e.g. by dividing 10^8 by the bandwidth of the interface in bits per second)
  - The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across a certain interface.
  - The cost of an interface is inversely proportional to the bandwidth of that interface.
- A link state database of the network topology is constructed, which is identical on all routers in the area.
- OSPF guarantees loop-less routing.

OSPF
/ Features & Benefits

- Area concepts for hierarchical topologies and reduction of CPU and memory consumption of routers
- Independent from IP subnet classes
- Arbitrary, dimensionless metric
- Load balancing for paths with equal costs
- Special reserved multicast addresses reduce the impact on non-OSPF devices
- Authentication
- External route tags
- TOS routing possible
- Fast database reconciliation after topology changes
- Support for large networks
- Low susceptibility to faulty routing information

OSPF
/ ASG Configuration – OSPF-ID

- The OSPF-ID is a unique ID of the router device.
- This can be the official address.
- It is denoted in x.x.x.x format.

OSPF
/ ASG Configuration – OSPF Area

- Before you can enable the OSPF function, you must have at least one OSPF area configured.
- Areas are identified by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.

OSPF
/ ASG Configuration – OSPF Interfaces (1)

The OSPF interface defines interfaces that can be used to announce OSPF networks.

OSPF
/ ASG Configuration – OSPF Interfaces (2)

The OSPF interface must be added to the area that will be announced.

OSPF
/ ASG Configuration – OSPF Interfaces (3)

The OSPF debug section gives information about the current state of OSPF operations. It shows neighbors, routes, interfaces etc. in pop-up windows.

Quality of Service
/ Working Principle

Quality of Service (QoS) can reserve guaranteed bandwidths for certain types of outbound network traffic passing between two points in the network.
Inbound traffic is optimized internally by various techniques such as Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).

(Diagram: Headquarter (ASG left) and Branch Office (ASG right), shown without traffic shaping and with traffic shaping)

Quality of Service
/ Features and Benefits

QoS allows to:
- Limit available bandwidth
- Guarantee minimum bandwidth
- Works per interface
- Works per subnet/host
- Works per service

Define traffic directions carefully:
(Diagram: Ext. NIC / Int. NIC; downstream / upstream -> shape; HTTP & FTP download from ANY => outbound from the ext. NIC's view)

Quality of Service
/ Configuration

Status: The Status tab lists the interfaces for which QoS can be configured. By default, QoS is disabled for each interface.
Traffic Selectors: A traffic selector can be regarded as a QoS definition for a certain type of network traffic.
Internal & External Bandwidth Pools: describe the bandwidth shared by multiple sources. Bandwidth Pools can also specify upper bandwidth limits.

Quality of Service
/ Configuration: Status Overview

- Display all available interfaces
- Define the available, physical bandwidth.
- Define the guaranteed uplink and downlink bandwidth for any interface, e.g. the DSL line.

By default, QoS is disabled for each interface.

Quality of Service
/ Configuration: Traffic Selectors

- Traffic Selectors describe what traffic needs to be accounted.
- The description contains details about the source of the traffic, its destination and its service.
- TOS/DSCP allows taking the „Type of Service“ and „DiffServ“ flags in the traffic into account.
- It is possible to build groups of Traffic Selectors.

Quality of Service
/ Configuration: Bandwidth Pools

Bandwidth Pools
- They describe the available and guaranteed bandwidth for the available interfaces.

Networking
Review Questions

Networking
/ Review Questions

1. How many VLANs can you create on an ASG interface?
You can create up to 4095 VLANs on each interface.

2. What are two major benefits of Link aggregation?
LAG can be used to increase the link speed beyond the speed of any one single NIC, and to provide basic failover and fault tolerance by redundancy.

3. On which OSI layer does bridging occur?
Bridging occurs at the link layer (OSI layer 2).

4. Name some of the benefits of using OSPF.
- OSPF guarantees loop-less routing.
- Support for very large networks.
- Low susceptibility to faulty routing information
- Load balancing for paths with equal costs

5. What are the two major benefits to using QOS?
- Limit available bandwidth
- Guarantee minimum bandwidth

Network Security

In this chapter you will learn about the network security features not covered by the ACA course:
- Full NAT
- Generic Proxy
- Socks Proxy
- Ident Proxy

Network Security
/ NAT/ Full NAT

- A full NAT is a NAT rule that alters both the source and destination information of a single packet traversing the ASG.
- A Full NAT does not make traffic initiated on either side of the ASG possible with one rule -- you still need a DNAT and an SNAT for this!
- A full NAT rule is generally used in a network in which the routes on the internal network would prevent a packet's return traffic from being routed back to the ASG.
- There are two common topologies that will require the use of a full NAT:
  - Two Gateways on the Network
  - Routes Do Not Allow Return Traffic

Network Security
/ NAT/ Two Gateways on the Network

In this example, there are two gateways that the host is using. The default gateway is set to the other router. Notice that without the NAT rule, the packet will go out the default gateway.
A) Traffic is initiated from the internet to an internal host
B) The ASG DNATs the packet to the internal server; note that the public source IP of the packet is intact
C) The server sends the return traffic to its default gateway
D) The packet is sent back and may be received, but the session is broken as a result.

Network Security
/ NAT/ Routes Do Not Allow Return Traffic

In this example, there is a switch that connects a host and a server. If the host attempts to connect to the server's external IP address, the session is dropped unless the
1) PC sends request to the internal server's public IP address
2) ASG DNATs the packet
3) ASG routes the packet to the proper server
4) Server has a proper route directly to the host, breaking the session
4a) If you use a Full NAT, the server will reconnect with the ASG
4b) The ASG will then route the packet normally and the session is intact

Network Security
/ Advanced

- The Generic Proxy is another option when private networks are being used.
- SOCKS is an internet protocol to allow clients to use the services of a firewall transparently and is short for „SOCKetS“.
- The Ident Protocol is specified in RFC 1413 and helps identifying users of a particular TCP connection.

Network Security
/ Generic Proxy

- Works as a port forwarder
- Combines features of DNAT and Masquerading
- Forwards all incoming traffic for a specific service to an arbitrary server.
- The difference to standard DNAT, however, is that a generic proxy also replaces the source IP address of a request with the IP address of the ASG interface for outgoing connections.
- In addition, the destination (target) port number can be changed as well.

Network Security
/ SOCKS

What is it used for?
- Can build TCP and UDP connections for client applications
- Can provide incoming ports to listen on
- Used with systems that incorporate NAT

Where is it used?
- IM clients such as ICQ, AIM
- FTP
- RealAudio

Astaro Security Gateway supports SOCKSv5
- User authentication can be used

Network Security
/ IDENT Relay

- IDENT is an older protocol
- Allows external users to associate a username with a TCP connection
- Not very secure because the connection isn't encrypted
- Necessary for some services like IRC and some mail servers
- Astaro will respond with the string that you specify as the default response

Hence the configuration is rather simple; it offers:
- Configuration of the string to answer with
- Optionally the possibility to forward Ident requests to the internal clients (which is not always possible)

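As an added example, not the ASG's own ident daemon, the reply side of RFC 1413 in the mode the slide describes (answer every query with the configured string, so no real account names leave the network). The opsys token OTHER and the "0, 0" port echo for unparsable queries are assumptions drawn from the RFC, not from the courseware.

```javascript
// Added example, not the ASG's ident daemon: the reply side of RFC 1413 in
// the mode the slide describes, where every well-formed query is answered
// with one administrator-configured string instead of a real account name.
// Query format:  "<port-on-server>, <port-on-client>"
// Reply format:  "<ports> : USERID : <opsys> : <userid>"
//            or  "<ports> : ERROR : <error-type>"
var IDENT_ERROR = { INVALID_PORT: "INVALID-PORT", HIDDEN_USER: "HIDDEN-USER" };
var MAX_USERID_LENGTH = 512;                   // RFC 1413 limit

// Parse one query line. Returns {serverPort, clientPort} or null when the
// line is malformed or a port is outside 1..65535.
function parseIdentQuery(line) {
  var text = String(line).replace(/\r?\n$/, "");
  var m = /^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$/.exec(text);
  if (m === null) return null;
  var serverPort = Number(m[1]), clientPort = Number(m[2]);
  if (serverPort < 1 || serverPort > 65535 || clientPort < 1 || clientPort > 65535) {
    return null;
  }
  return { serverPort: serverPort, clientPort: clientPort };
}

// The configured string goes out verbatim except that control characters
// and the ':' field separator are stripped, so the reply stays one
// well-formed line whatever the administrator typed.
function sanitizeUserId(s) {
  return String(s).replace(/[\x00-\x1f\x7f:]/g, "").slice(0, MAX_USERID_LENGTH);
}

// Build the reply for a query. Assumptions not stated in the courseware:
// opsys "OTHER" (RFC 1413's value for identifiers that are not system user
// names) and "0, 0" as the echoed ports when the query could not be parsed.
function identReply(line, defaultResponse) {
  var q = parseIdentQuery(line);
  if (q === null) {
    return "0, 0 : ERROR : " + IDENT_ERROR.INVALID_PORT + "\r\n";
  }
  var ports = q.serverPort + ", " + q.clientPort;
  var userId = sanitizeUserId(defaultResponse === undefined ? "" : defaultResponse);
  // No string configured: say so explicitly rather than inventing a user.
  if (userId === "") {
    return ports + " : ERROR : " + IDENT_ERROR.HIDDEN_USER + "\r\n";
  }
  return ports + " : USERID : OTHER : " + userId + "\r\n";
}
```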
Network Security
/ Review Questions

1. Why would you use a FULL NAT rule?
Full NAT is generally used in two scenarios: when there are Two Gateways on the Network, and when the existing routes Do Not Allow Return Traffic.

2. What is the difference between DNAT and the generic proxy?
DNAT replaces the destination IP of a connection while the generic proxy also replaces the source IP with the IP of the ASG interface for outgoing connections.

3. What version of SOCKS does the ASG support?
ASG supports SOCKS v5.

4. What is a major disadvantage to IDENT?
IDENT connections are not encrypted.

VoIP Security

In this chapter you will learn how SIP and H.323 security work.

VoIP Security
/ SIP/H.323 Security

- SIP and H.323 are so called “Signaling” protocols, which are designed to notify communication partners in telephony-like connections. These signals contain information about the state of the connection, like “INVITE”, “RINGING” or “HANGUP”. The actual voice connection takes place on a dynamic port.
- Astaro’s VoIP Security uses special connection tracking helper modules for monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy.
- To configure VoIP Security, client and server network definitions need to be made.

(Diagram: signalling exchange between Rick (IP-A) and Cory (IP-B) over time)
Rick -> Cory, to IP-B, PORT-S:
  INVITE Cory@IP-B
  C = IN IP4 IP-A
  M = audio 2000 RTP/AVP 0
Cory -> Rick, to IP-A, PORT-S:
  200 OK
  C = IN IP4 IP-B
  M = audio 4000 RTP/AVP 3
Audio stream to IP-A, 2000
Audio stream to IP-B, 4000

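An added example, not code from the courseware or from the ASG helper module, modelling what the SIP connection tracking helper does for the exchange above: parse the SDP of the INVITE and of the 200 OK, open pinholes for the announced RTP/RTCP ports only once the 200 OK has been seen, and close them on BYE. The addresses 192.0.2.10 (IP-A) and 198.51.100.20 (IP-B) and the SDP bodies are constructed; real SDP uses lowercase c= and m= lines.

```javascript
// Added example, not code from the courseware or the ASG helper module. It
// models what the SIP connection tracking helper does for the exchange on the
// slide: parse the SDP bodies of the INVITE and the 200 OK, learn the dynamic
// RTP ports each side announced, and allow exactly those flows (plus RTCP on
// the next port) only while the signalling session is alive.

// Parse an SDP body into the media endpoints it announces:
// [{type, port, proto, ip}]. Streams with port 0 are rejected streams.
function parseSdp(sdp) {
  var sessionIp = null, media = [];
  String(sdp).split(/\r?\n/).forEach(function (line) {
    var m;
    if ((m = /^c=IN IP4 (\S+)/.exec(line)) !== null) {
      // Before the first m= line c= is session level; afterwards it applies
      // to the most recent media description only.
      if (media.length === 0) sessionIp = m[1];
      else media[media.length - 1].ip = m[1];
    } else if ((m = /^m=(\w+) (\d+) (\S+)/.exec(line)) !== null) {
      media.push({ type: m[1], port: Number(m[2]), proto: m[3], ip: sessionIp });
    }
  });
  return media.filter(function (x) { return x.ip !== null && x.port > 0; });
}

// Pair the offer (INVITE) with the answer (200 OK) stream by stream. RTP is
// unidirectional, so each side gets one pinhole towards the other side's
// announced port; RTCP conventionally uses port + 1.
function buildPinholes(inviteSdp, okSdp) {
  var offers = parseSdp(inviteSdp), answers = parseSdp(okSdp), holes = [];
  offers.forEach(function (o, i) {
    var a = answers[i];
    if (a === undefined || a.type !== o.type) return;   // stream not accepted
    holes.push({ src: a.ip, dst: o.ip, dport: o.port, rtcp: o.port + 1 });
    holes.push({ src: o.ip, dst: a.ip, dport: a.port, rtcp: a.port + 1 });
  });
  return holes;
}

// Minimal control-channel tracker keyed by Call-ID: pinholes exist only
// between the 200 OK and the BYE, mirroring "only allowing these ports when
// the control channel is busy".
function SipTracker() { this.calls = {}; }
SipTracker.prototype.onMessage = function (callId, method, sdp) {
  var call = this.calls[callId] || (this.calls[callId] = { invite: null, holes: [] });
  if (method === "INVITE") call.invite = sdp;
  else if (method === "200 OK" && call.invite !== null) call.holes = buildPinholes(call.invite, sdp);
  else if (method === "BYE") delete this.calls[callId];
};
// Would a UDP packet src -> dst:dport be let through right now?
SipTracker.prototype.allows = function (src, dst, dport) {
  var calls = this.calls;
  return Object.keys(calls).some(function (id) {
    return calls[id].holes.some(function (h) {
      return h.src === src && h.dst === dst && (h.dport === dport || h.rtcp === dport);
    });
  });
};

// Constructed sample, matching the slide: Rick at IP-A, Cory at IP-B.
var IP_A = "192.0.2.10", IP_B = "198.51.100.20";
var INVITE_SDP = "v=0\r\nc=IN IP4 " + IP_A + "\r\nm=audio 2000 RTP/AVP 0\r\n";
var OK_SDP = "v=0\r\nc=IN IP4 " + IP_B + "\r\nm=audio 4000 RTP/AVP 3\r\n";
```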
VoIP Security
/ SIP – Session Initiation Protocol

"Session Initiation Protocol is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences." (cit. RFC 3261)

A good starting point for reading about SIP is at http://en.wikipedia.org/wiki/Session_Initiation_Protocol

(Diagram: Rick sends INVITE cory@astaro.com to a SIP Proxy; Cory is registered with a SIP Registrar)

VoIP Security / H.323

H.323 is an umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network.

H.323 was originally created to provide a mechanism for transporting multimedia applications over LANs, but it has rapidly evolved to address the growing needs of VoIP networks.

Real-time applications such as NetMeeting and Ekiga (the latter using the OpenH323 implementation) use H.323.

A good starting point for reading about H.323 is
http://en.wikipedia.org/wiki/H323
VoIP Security / SIP/H.323 Security

To configure H.323 or SIP Security, go to the VoIP Security menu. Each module can be activated individually.

Both modules are easy to configure: add the allowed clients to the SIP or H.323 configuration and configure one or more SIP servers or H.323 gatekeepers. Only signaling between these clients and servers is tracked, and only the media ports negotiated on such a tracked control channel are opened.
General WebAdmin Troubleshooting

General WebAdmin Troubleshooting

Most troubleshooting can be done via the WebAdmin GUI:
- WebAdmin dashboards that show real-time statistics, reports and logs point to problems and errors.
- Real-time resource indicators such as high CPU usage can indicate problems with running processes.
- RAM usage depends on the applications in use and the hardware installed.
- Swap usage increases if the system runs out of RAM.
- A growing log disk may indicate logging errors.
General WebAdmin Troubleshooting

Network Statistics can identify the most active source hosts, services, concurrent connections and total traffic.
General WebAdmin Troubleshooting

The real-time logs in the Logging section show what is happening right now. If CPU usage has been running high, error messages may be found in the System Messages or Self Monitoring logs. System messages should be checked for errors relating to the databases; if any are found, a support ticket should be opened with Astaro. The self monitoring log should not show many process restarts.
General WebAdmin Troubleshooting

Incorrectly binding a host definition to a specific interface can prevent packet filter and NAT rules from working.
General WebAdmin Troubleshooting

Incorrectly written NAT rules are a common issue. A typical mistake is trying to translate the 'Any' service to a specific port. Not selecting the 'Automatic packet filter rule' option is another: without the matching packet filter rule, many NAT rules do not work.
Command Line Troubleshooting Guide

CLI / Linux skills

- Command line or shell access is not needed during normal operation of the AxG product line.
- All configuration can and should be done via the WebAdmin GUI.
- Shell access is used for more in-depth and quicker troubleshooting.
- Shell configuration changes are made at your own risk and can void support.
- Basic Linux skills are needed for the shell. Web searches return plenty of information about Linux; http://www.linux.org/lessons/ offers some free beginner courses.
CLI / First steps

When first logging into the shell, some quick things to check are:
- system load
- top processes
- log directories, to see which log files are being written to
- disk space utilization

System load and top processes are checked using the 'top' command, which shows processor activity in real time.
CLI / First steps

top shows information such as uptime, load average, memory, swap and running processes.

The load average is the number of processes that are runnable or waiting for I/O, averaged over 1, 5 and 15 minutes; what counts as high depends on the installed hardware (in particular the number of CPUs). WebAdmin displays CPU usage; if CPU usage is running high, the load average will be high as well.

To determine which process is using the most CPU, look at the %CPU column or sort by CPU usage by pressing the 'P' key.

To kill a process, press the 'k' key and enter the PID. If no signal is chosen, the TERM signal (15) is sent. If the process does not stop, try specifying KILL by entering the number 9 when prompted for the signal.
CLI / First steps

The /var/log directory holds the logs for the current day as well as directories for past dates. Additional debug and .lock files are found in the /tmp directory.

Logs can be sorted according to time, to see which one was written to last, with 'll -tr' (ls -l sorted by modification time, newest last).

Logs can be viewed with utilities such as 'less', 'cat' or 'tail'. 'tail -f' shows the log as it is updated in real time. 'grep' can be used to filter for specific information such as usernames or IP addresses.
CLI / Packetfiltering basics (1)

ASG uses the stateful packet filtering capabilities of the 2.6 Linux kernel.

(Diagram: netfilter packet flow through the ASG; each hook lists what is done there.)

  Incoming packets
    -> PREROUTING: dnat, conntrack, mangle, spoofdrop
    -> Routing
         -> FORWARD: mangle, filter, ips -> Routing -> POSTROUTING
         -> INPUT: conntrack, mangle, filter, ips -> Local processes
  Local processes (Apache, IPSEC, EXIM, SSHD, Proxy, BIND, HTTP, PPTP)
    -> OUTPUT: conntrack, mangle, dnat, ips
    -> POSTROUTING: masquerading, snat, conntrack, mangle
  -> Outgoing packets

  Tables: Filter, NAT
CLI / Packetfiltering basics (2)

Verify packet filter rules using the command line interface (CLI) or shell.

Packet filter rules can be reviewed with the command iptables -L -nv on the CLI. By default this shows the table filter with all its chains and sub-chains (-n suppresses name resolution, -v adds the packet and byte counters and the interfaces).

The available tables can be listed with
cat /proc/net/ip_tables_names

Important chains within the table filter are:
- AUTO_INPUT: rules that have one of the ASG IP addresses as destination and are configured as a service within the WebAdmin (e.g. DNS to the ASG)
- AUTO_FORWARD: rules for traffic forwarded through the ASG that are configured as a service within the WebAdmin (e.g. ping through the firewall)
- USR_FORWARD: packet filter rules that are configured manually by the administrator in the menu "Packet filter" and do not use an IP address of the ASG itself as source or destination address

Note: Manual changes to the packet filter made with the command iptables are overridden as soon as a change is made using the WebAdmin.
CLI / Packet filter example (1)

Scenario 1: The administrator has locked himself out of the WebAdmin
The admin has locked himself out by mistake: a network/host was removed from the list of "Allowed networks". SSH is activated and the ASG is accessible with SSH.

Verify with: iptables -L AUTO_INPUT -nv | grep 4444

Chain AUTO_INPUT (1 references)
 pkts bytes target prot opt in out source destination
 0 0 LOGACCEPT tcp -- * * 192.168.140.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:4444 LOGMARK match 60006
 3 180 LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:4444 LOGMARK match 60005

Only the network 192.168.140.0/24 is allowed to reach the WebAdmin (TCP port 4444); all other networks are blocked and logged by default (the LOGDROP counters show the three blocked attempts).

Add a network (-I inserts the rule at the top of the INPUT chain, so it is evaluated before the jump to AUTO_INPUT; use the narrowest source that lets you back in):
iptables -I INPUT -j ACCEPT --source 172.16.65.0/24 -p tcp --dport 4444

Verify with: iptables -L INPUT -nv | grep 4444

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- * * 172.16.65.0/24 0.0.0.0/0 tcp dpt:4444

Once the WebAdmin is accessible again, the network should be added to the "Allowed networks" and saved with Apply. All manual changes are deleted after a restart of the middleware/ASG, and also as soon as the packet filter is rewritten by a WebAdmin change, so the temporary rule does not survive the fix.
CLI / Packet filter example (2)

Scenario 2: A packet filter rule for VPN doesn't work, while the VPN itself is working correctly.
A few packet filter rules were configured in the WebAdmin for communication with the branch office. The HTTP access in rule 3 isn't working.

Verify with: iptables -L USR_FORWARD -nv | grep 172.16.67.2

Chain USR_FORWARD (1 references)
 pkts bytes target prot opt in out source destination
 0 0 LOGACCEPT tcp -- * eth1 172.16.55.0/24 172.16.67.2 tcp spts:1:65535 dpt:80 LOGMARK match 3

Solution: The network definition (type: host) for the web server is bound to interface eth1 (WAN), so the rule only matches packets leaving via eth1 (column "out"). The tunnel, however, uses interface ipsec0, so the rule never matches (its packet counter stays at 0) and the packets are dropped by the "Default drop" rule.

Errors like this are hard to find in the WebAdmin packet filter table; they are easier to find with the command iptables on the CLI, because the interface binding shows up in the in/out columns.
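As an added example (not part of the Astaro courseware), the following Python code parses `iptables -L <chain> -nv` output and replays a packet through the chain with first-match semantics, which is the reasoning applied by hand in Scenarios 1 and 2. The two listings inside it are constructed in that format from the rows shown above; the LOGACCEPT/LOGDROP targets are treated as the final verdict, and the packet addresses (172.16.65.7, 172.16.55.20 and the ASG address 172.16.55.225) are assumed values.

```python
"""Replay packets through a parsed `iptables -L <chain> -nv` listing.

Added example, not Astaro code.  The listings are constructed in the
format of `iptables -L -nv` and mirror the two scenarios on these slides.
"""
import ipaddress
import re

SAMPLE_AUTO_INPUT = """\
Chain AUTO_INPUT (1 references)
 pkts bytes target    prot opt in  out source           destination
    0     0 LOGACCEPT tcp  --  *   *   192.168.140.0/24 0.0.0.0/0   tcp spts:1024:65535 dpt:4444 LOGMARK match 60006
    3   180 LOGDROP   tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   tcp spts:1024:65535 dpt:4444 LOGMARK match 60005
"""

SAMPLE_USR_FORWARD = """\
Chain USR_FORWARD (1 references)
 pkts bytes target    prot opt in  out  source         destination
    0     0 LOGACCEPT tcp  --  *   eth1 172.16.55.0/24 172.16.67.2 tcp spts:1:65535 dpt:80 LOGMARK match 3
"""

_DPT = re.compile(r"\bdpt:(\d+)\b")
_DPTS = re.compile(r"\bdpts:(\d+):(\d+)\b")
_SPT = re.compile(r"\bspt:(\d+)\b")
_SPTS = re.compile(r"\bspts:(\d+):(\d+)\b")


def _port_range(text, single, multi):
    """Port match of a rule as (low, high); no port match means any port."""
    m = single.search(text)
    if m:
        return int(m.group(1)), int(m.group(1))
    m = multi.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return 0, 65535


def parse_chain(listing):
    """Return the rules of one chain as dicts, preserving iptables order."""
    rules = []
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) < 9 or not cols[0].isdigit():
            continue                      # 'Chain ...' and column header lines
        _, _, target, proto, _, ifin, ifout, src, dst = cols[:9]
        extra = " ".join(cols[9:])        # match extensions, e.g. 'tcp dpt:4444'
        rules.append({
            "target": target, "proto": proto, "in": ifin, "out": ifout,
            "src": ipaddress.ip_network(src, strict=False),   # a bare host becomes /32
            "dst": ipaddress.ip_network(dst, strict=False),
            "sport": _port_range(extra, _SPT, _SPTS),
            "dport": _port_range(extra, _DPT, _DPTS),
        })
    return rules


def matches(rule, pkt):
    """Does this rule match the packet?  '*' and 'all' are iptables wildcards."""
    return (rule["proto"] in ("all", pkt["proto"])
            and rule["in"] in ("*", pkt["in"])
            and rule["out"] in ("*", pkt["out"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and rule["sport"][0] <= pkt["sport"] <= rule["sport"][1]
            and rule["dport"][0] <= pkt["dport"] <= rule["dport"][1])


def first_match(rules, pkt):
    """iptables semantics: the first matching rule's target is the verdict."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return None                           # no rule matched: chain policy applies


def packet(src, dst, dport, out="*", ifin="*", sport=40000, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "sport": sport,
            "proto": proto, "in": ifin, "out": out}


def insert_accept(rules, src_net, dport, proto="tcp"):
    """Emulate `iptables -I <chain> -j ACCEPT --source <net> -p tcp --dport <n>`:
    -I puts the new rule at position 1, ahead of every existing rule."""
    new = {"target": "ACCEPT", "proto": proto, "in": "*", "out": "*",
           "src": ipaddress.ip_network(src_net),
           "dst": ipaddress.ip_network("0.0.0.0/0"),
           "sport": (0, 65535), "dport": (dport, dport)}
    return [new] + rules


if __name__ == "__main__":
    # Scenario 1: WebAdmin (TCP 4444) from a network that is not allowed.
    auto_input = parse_chain(SAMPLE_AUTO_INPUT)
    print(first_match(auto_input, packet("172.16.65.7", "172.16.55.225", 4444)))      # LOGDROP
    fixed = insert_accept(auto_input, "172.16.65.0/24", 4444)
    print(first_match(fixed, packet("172.16.65.7", "172.16.55.225", 4444)))           # ACCEPT
    # Scenario 2: rule bound to eth1 while the packet leaves through ipsec0.
    usr_fwd = parse_chain(SAMPLE_USR_FORWARD)
    print(first_match(usr_fwd, packet("172.16.55.20", "172.16.67.2", 80, out="ipsec0")))  # None
    print(first_match(usr_fwd, packet("172.16.55.20", "172.16.67.2", 80, out="eth1")))    # LOGACCEPT
```

The `out` wildcard is the whole point of Scenario 2: a rule that names eth1 cannot match a packet whose route goes through ipsec0, no matter how correct its addresses are.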

CLI / Stateful packet filtering

Scenario 3: Outgoing FTP connections are not working; the packet filter entries are correct.

The Astaro Security Gateway writes every connection to the connection tracking table. The administrator wants to verify whether the FTP connection is visible in this table.

Verify with: conntrack -L | grep 192.168.140.213

Working connection (control connection on port 21 plus the data connection, here to port 4045):
tcp 6 103 TIME_WAIT src=172.16.55.55 dst=192.168.140.213 sport=1114 dport=4045 packets=4 bytes=168 src=192.168.140.213 dst=192.168.140.225 sport=4045 dport=1114 packets=4 bytes=279 [ASSURED] mark=0 use=1
tcp 6 431987 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1113 dport=21 packets=15 bytes=696 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1113 packets=16 bytes=1171 [ASSURED] mark=0 use=3

Not working connection (only one entry, the control connection):
tcp 6 431982 ESTABLISHED src=172.16.55.55 dst=192.168.140.213 sport=1192 dport=21 packets=9 bytes=419 src=192.168.140.213 dst=192.168.140.225 sport=21 dport=1192 packets=9 bytes=686 [ASSURED] mark=0 use=1

Background: FTP uses a second connection for the data transfer on different ports. These ports are negotiated dynamically for every FTP connection (PORT command in active mode, 227 reply to PASV in passive mode). The Astaro Security Gateway has to relate this second connection to the allowed FTP control connection on port 21. The reply direction of the entries above also shows that the client is masqueraded behind 192.168.140.225.

Solution: The connection tracking helper for FTP has to be activated. This is done under Network Security -> Packetfilter -> Advanced; it is activated by default. Note that the helper can only read the port negotiation on an unencrypted control channel, so it cannot open the data connection for FTP over TLS.
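The VoIP Security slide earlier in this chapter and Scenario 3 above describe the same mechanism: a connection tracking helper reads the control channel (SDP c=/m= lines for SIP, PORT command or 227 reply for FTP) to learn which dynamic data connection to allow. The following Python example, added here and not part of the Astaro courseware, shows that derivation for both protocols. The SDP bodies and FTP lines are constructed for the example (IP-A = 10.0.0.1 and IP-B = 10.0.1.2 are assumed values; the FTP tuples encode the ports 4045 and 1114 from the conntrack output above), NAT is ignored, and refusing a data address that does not belong to the peer mirrors the default (non-loose) behaviour of the kernel FTP helper.

```python
"""Derive the dynamic data connection from the control channel, the way a
connection tracking helper does.  Added example, not Astaro code; the SDP
bodies and FTP lines are constructed for the example and NAT is ignored.
"""
import re

# Constructed SIP/SDP bodies for the call on the VoIP Security slide
# (IP-A = 10.0.0.1 and IP-B = 10.0.1.2 are assumed values).
SIP_INVITE_SDP = ("v=0\r\no=rick 1 1 IN IP4 10.0.0.1\r\ns=-\r\n"
                  "c=IN IP4 10.0.0.1\r\nt=0 0\r\nm=audio 2000 RTP/AVP 0\r\n")
SIP_200OK_SDP = ("v=0\r\no=cory 1 1 IN IP4 10.0.1.2\r\ns=-\r\n"
                 "c=IN IP4 10.0.1.2\r\nt=0 0\r\nm=audio 4000 RTP/AVP 3\r\n")

# Constructed FTP control-channel lines encoding the ports of Scenario 3.
FTP_PASV_REPLY = "227 Entering Passive Mode (192,168,140,213,15,205)\r\n"
FTP_PORT_CMD = "PORT 172,16,55,55,4,90\r\n"


def sdp_media_endpoints(sdp):
    """Return [(ip, port, transport)] for every m= line of an SDP body.

    The session-level c= line gives the address unless a media section
    carries its own c= line, which then overrides it for that media only.
    """
    endpoints = []
    session_ip = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if endpoints:
                endpoints[-1] = (ip,) + endpoints[-1][1:]   # media-level c=
            else:
                session_ip = ip                             # session-level c=
        elif line.startswith("m="):
            _, port, transport = line[2:].split()[:3]
            endpoints.append((session_ip, int(port), transport))
    return endpoints


def sip_pinholes(invite_sdp, ok_sdp):
    """Media pinholes to open once the 200 OK has been seen.

    Each side sends RTP to the address/port the other side announced; RTCP
    conventionally uses port+1 (RFC 3550), so both are opened.  Returned as
    (proto, src_ip, dst_ip, dst_port) tuples, one per direction and port.
    """
    holes = []
    pairs = zip(sdp_media_endpoints(invite_sdp), sdp_media_endpoints(ok_sdp))
    for (a_ip, a_port, _), (b_ip, b_port, _) in pairs:
        for src, dst, port in ((b_ip, a_ip, a_port), (a_ip, b_ip, b_port)):
            holes.append(("udp", src, dst, port))
            holes.append(("udp", src, dst, port + 1))
    return holes


_FTP_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def ftp_data_endpoint(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or a 227 reply."""
    m = _FTP_TUPLE.search(line)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    return "%d.%d.%d.%d" % tuple(h[:4]), h[4] * 256 + h[5]


def ftp_pinhole(control_line, client_ip, server_ip):
    """Data connection to expect for one control-channel line.

    Passive mode (227 reply): the client will connect to the announced
    server port.  Active mode (PORT command): the server will connect to the
    announced client port.  Like the kernel FTP helper in its default
    (non-loose) mode, an address that is not the peer's is refused, so a
    PORT/PASV line cannot open a hole towards a third host.
    """
    ep = ftp_data_endpoint(control_line)
    if ep is None:
        return None
    ip, port = ep
    if control_line.startswith("227") and ip == server_ip:
        return ("tcp", client_ip, server_ip, port)
    if control_line.upper().startswith("PORT") and ip == client_ip:
        return ("tcp", server_ip, client_ip, port)
    return None


if __name__ == "__main__":
    for hole in sip_pinholes(SIP_INVITE_SDP, SIP_200OK_SDP):
        print("SIP/RTP", hole)
    print("FTP PASV", ftp_pinhole(FTP_PASV_REPLY, "172.16.55.55", "192.168.140.213"))
    print("FTP PORT", ftp_pinhole(FTP_PORT_CMD, "172.16.55.55", "192.168.140.213"))
```

Without the helper, nothing computes these expected connections, which is exactly why the "not working" conntrack listing above shows the control connection alone.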

Networking

CLI / Network problems (1)

Scenario 1: Slow connections between different networks (1)

The ASG is connected to multiple switches on different interfaces. Users report slow connections from one network to another; in this case the connections between the internal network (eth0) and the DMZ (eth2) are very slow. The administrator wants to verify the interfaces involved.

Verify with: ifconfig eth0, ifconfig eth2

ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:15:E2:DA
 inet addr:172.16.55.225 Bcast:172.16.55.255 Mask:255.255.255.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
 TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:233056 (227.5 Kb) TX bytes:19608084 (18.6 Mb)
 Interrupt:177 Base address:0x1424

RX line: packets = number of received packets, errors = receive errors, dropped = packets dropped on receive, overruns = receive FIFO overruns (packets arrived faster than the kernel could take them from the card), frame = frame errors (malformed or misaligned frames).

TX line: packets = number of transmitted packets, errors = errors when sending, dropped = packets dropped on send, overruns = transmit FIFO overruns, carrier = carrier errors on the link (mostly a broken network cable or a link that went down).

In the output above eth0 shows 120 receive errors and 30 drops on only 3095 received packets, far too many for a healthy link.

Note: If there is a problem with the connection and the speed and duplex settings are not correct, the errors mostly show up here. Always check both sides of the connection, i.e. also the switch port on the other end of the cable.
CLI / Network problems (2)

Scenario 2: Slow connections between different networks (2)

There are errors on the interface. The administrator wants to check the speed and duplex settings for the interfaces. Auto-negotiation is configured on both sides.

Verify with: mii-diag eth2

fw:/root # mii-diag eth2
Basic registers of MII PHY #1: 3000 782d 02a8 0154 05e1 c1e1 0009 0000.
The autonegotiated capability is 01e0.
The autonegotiated media type is 100baseTx-FD.
Basic mode control register 0x3000: Auto-negotiation enabled.
You have link beat, and everything is working OK.
Your link partner advertised c1e1: 100baseTx-FD 100baseTx 10baseT-FD 10baseT.
End of basic transceiver information.

The lines to look at are "The autonegotiated media type" (what this side settled on) and "Your link partner advertised" (what the switch offers). Some network cards (e.g. in VMware) are not MII-compatible; for these, ethtool <interface> shows nearly the same information.

In this scenario the verification showed that the settings on the ASG and on the switch are not the same (100baseT/Full vs. 10baseT/Half). Such a speed/duplex mismatch typically shows up as errors and collisions on one side of the link.

Solution: The configuration for the interfaces can be changed in the WebAdmin menu Network -> Interfaces -> Hardware. It is possible to configure a fixed speed and duplex mode. If a fixed setting is used, the switch port has to be configured identically: a fixed setting on one side and auto-negotiation on the other also ends in a duplex mismatch.
CLI / Network tools

Tools to test connectivity

Check if a host is accessible: ping <IP> at the command line, or Support -> Tools -> Ping Check in the WebAdmin
PING 172.16.55.56 (172.16.55.56) 56(84) bytes of data.
64 bytes from 172.16.55.56: icmp_seq=1 ttl=128 time=2.45 ms
64 bytes from 172.16.55.56: icmp_seq=2 ttl=128 time=0.320 ms
64 bytes from 172.16.55.56: icmp_seq=3 ttl=128 time=1.12 ms

Check the path to a server on the Internet: traceroute <IP/Name> at the command line, or Support -> Tools -> Traceroute in the WebAdmin
traceroute to www.astaro.de (85.115.22.4), 30 hops max, 40 byte packets
 1 port-87-234-47-9.static.qsc.de (87.234.47.9) 2.865 ms 5.489 ms 3.428 ms
[…]
 5 DE-CIX2.de.lambdanet.net (80.81.192.74) 22.012 ms 20.533 ms 22.377 ms
 6 Telemaxx.FRA-1-eth0-145.de.lambdanet.net (217.71.110.42) 19.606 ms 20.851 ms 19.337 ms
 7 sw4ch.ka.telemaxx.net (213.144.4.134) 24.037 ms 25.553 ms 22.330 ms
 8 85.115.22.4 (85.115.22.4) 19.359 ms 19.362 ms 18.378 ms

Discover duplicate IP addresses within your network: arping <IP>
ARPING 172.16.55.56 from 172.16.55.225 eth0
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72] 4.687ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72] 0.845ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72] 1.794ms

Note: When the same IP address is configured on different hosts, this output shows replies with different MAC addresses. ARP is not routed, so arping only sees hosts on the directly attached segment; run it from an interface in the affected network.
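As an added example (not part of the courseware), the following Python code parses the `ifconfig` counters from Scenario 1 and the `arping` replies above and applies the two checks described on these slides: an error/drop ratio that points to a speed/duplex problem (the 1% threshold is an assumed value) and more than one MAC address answering for the same IP. The sample outputs are constructed in the format shown on the slides; the second MAC address in the arping sample is invented to show the duplicate-IP case, and the clean eth2 sample shows that a healthy interface produces no finding.

```python
"""Triage of the interface symptoms on these slides from ifconfig and arping
output.  Added example, not Astaro code.  The outputs are constructed in the
format shown on the slides; the second MAC in ARPING_DUP is invented to show
the duplicate-IP case, and the 1% error threshold is an assumption.
"""
import re

IFCONFIG_ETH0 = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:DA
          inet addr:172.16.55.225  Bcast:172.16.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3095 errors:120 dropped:30 overruns:0 frame:0
          TX packets:13426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:233056 (227.5 Kb)  TX bytes:19608084 (18.6 Mb)
"""

IFCONFIG_ETH2_OK = """\
eth2      Link encap:Ethernet  HWaddr 00:0C:29:15:E2:E4
          RX packets:88123 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90411 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
"""

ARPING_DUP = """\
ARPING 172.16.55.56 from 172.16.55.225 eth0
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  4.687ms
Unicast reply from 172.16.55.56 [00:50:56:AB:CD:EF]  0.912ms
Unicast reply from 172.16.55.56 [00:0C:29:68:40:72]  1.794ms
"""

_COUNTER = re.compile(r"\b(\w+):(\d+)\b")
_ARP_REPLY = re.compile(r"Unicast reply from (\S+) \[([0-9A-Fa-f:]+)\]")


def parse_ifconfig(text):
    """Return {'RX': {...}, 'TX': {...}, 'collisions': n} from ifconfig output."""
    stats = {"RX": {}, "TX": {}, "collisions": 0}
    for line in text.splitlines():
        words = line.split()
        if len(words) > 1 and words[0] in ("RX", "TX") and words[1].startswith("packets:"):
            stats[words[0]] = {k: int(v) for k, v in _COUNTER.findall(line)}
        elif words and words[0].startswith("collisions:"):
            stats["collisions"] = int(words[0].split(":")[1])
    return stats


def interface_findings(text, max_error_ratio=0.01):
    """Apply the checks described on the slides and return the findings."""
    s = parse_ifconfig(text)
    findings = []
    for direction in ("RX", "TX"):
        c = s[direction]
        packets = c.get("packets", 0)
        bad = (c.get("errors", 0) + c.get("dropped", 0)
               + c.get("overruns", 0) + c.get("frame", 0))
        if packets and bad / packets > max_error_ratio:
            findings.append("%s: %d of %d packets bad (%.1f%%), check speed/duplex on both ends"
                            % (direction, bad, packets, 100.0 * bad / packets))
    if s["TX"].get("carrier", 0):
        findings.append("TX carrier errors, check cable and link state")
    if s["collisions"]:
        findings.append("collisions, half duplex or duplex mismatch")
    return findings


def arping_macs(text):
    """Distinct MAC addresses that answered an arping."""
    return sorted({m.group(2).lower() for m in _ARP_REPLY.finditer(text)})


def duplicate_ip(text):
    """More than one MAC answering for the same IP means a duplicate address."""
    return len(arping_macs(text)) > 1


if __name__ == "__main__":
    for name, out in (("eth0", IFCONFIG_ETH0), ("eth2", IFCONFIG_ETH2_OK)):
        print(name, interface_findings(out) or ["no findings"])
    print("duplicate IP:", duplicate_ip(ARPING_DUP), arping_macs(ARPING_DUP))
```

On a real system the same functions can be fed the output of `ifconfig <if>` and `arping -c 3 <ip>` directly; the counters are cumulative since boot, so compare two readings a minute apart to see whether the errors are still growing.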

CLI / Network tools / Tcpdump

tcpdump is a packet sniffer utility that allows an administrator to intercept and display traffic traversing a network interface. With tcpdump, network traffic can be analyzed for problems and either displayed on the screen in real time or saved to a file which can then be viewed with programs such as Wireshark.

Parameters can be specified to filter on specific interfaces, ports, and IP networks or addresses. Basic examples are:
tcpdump -i eth0 port 25 (-i specifies which interface to use)
tcpdump -i eth0 port 25 -w test.pcap (-w specifies a file name to write the capture to)
tcpdump -i eth0 host 10.10.12.12 and port 25

Two options worth adding: -n suppresses DNS lookups for the addresses shown (which otherwise slow the display and generate DNS traffic of their own), and -s 0 captures whole packets; older tcpdump versions otherwise store only the first 68 bytes of each packet, which is not enough for Wireshark to decode the payload.
CLI / Network tools / Iftop

iftop displays the bandwidth usage on an interface, broken down by host. Common parameters are:
-i = specify the interface to use
-n = do not resolve IP addresses to DNS names
-P = show ports as well as IP addresses
IM/P2P Security

CLI IM/P2P Security / Logging (1)

With version 7.200 the Astaro Security Gateway and the Astaro Web Gateway introduced the service Astaro Flow Classifier (AFC) for IM/P2P control. This service logs to the file /var/log/afc.log. The log file can be browsed with the WebAdmin or via the command line.

For troubleshooting the AFC it is necessary to understand the log format correctly. An example line from an AFC log file is shown here (Bittorrent):

2008:11:19-15:33:27 (none) ulogd[2517]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="60202" outitf="eth2" srcip="79.213.68.225" dstip="192.168.99.101" proto="6" length="57" tos="0x00" prec="0x00" ttl="115" srcport="57389" dstport="18710" tcpflags="ACKPSH"

Log entry: meaning
id="2017": the ID shows the kind of log entry; 2017 is logging only, 2018 is a file transfer block and 2019 blocks completely
name="AFC Alert" action="log": name and action, corresponding to the ID
fwrule="60202": shows the detected protocol; 60202 stands for "P2P/Bittorrent"
srcip="79.213.68.225" dstip="192.168.99.101": source and destination IP address of the packet
srcport="57389" dstport="18710": source and destination port of the packet

Important for troubleshooting are always the ID, the action and the fwrule.

The particular values for ID, action and fwrule are explained in detail in the Astaro knowledge base article 290351.
CLI IM/P2P Security / Logging (2)

Here is another example, for Skype blocking, recognizable by the fwrule (Skype) and the ID (block completely):
2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"

Scenario 1: High logging impact when activating IM/P2P control with all protocols
When logging is activated for Instant Messaging and Peer-to-Peer protocols and a high volume of data is processed by the Astaro Security Gateway, a lot of log traffic is generated, which could fill up the log partition.

Solution: Under IM/P2P -> Settings -> Advanced it is possible to configure a logging limit. There are four options to choose from:
- Off: deactivates logging completely; there is no reporting for IM/P2P any more.
- Limit all 5/sec: at most 5 log entries per second for all hosts together.
- Limit host 1/sec: at most one log entry per second per host (default).
- Log all: the complete traffic is logged (attention: this is the setting that can fill the log partition).
High Availability & Clustering
CLI High Availability & Clustering / HA-Status

Scenario 1: The administrator wants to check the HA status. The current status of an HA cluster can be seen in the WebAdmin; a more detailed view is available on the CLI.

Verify with: ha_utils on the command line

- Status -----------------------------------------------------------------------
Current mode: HA MASTER with id 1 in state ACTIVE
-- Nodes -----------------------------------------------------------------------
MASTER: 1 Node1 198.19.250.1 7.302 ACTIVE since Mon Nov 3 09:17:46 2008
SLAVE: 2 Node2 198.19.250.2 7.302 ACTIVE since Mon Nov 3 09:18:44 2008
-- Load ------------------------------------------------------------------------
Node 1: [1m] 0.50 [5m] 0.41 [15m] 0.39
Node 2: [1m] 0.08 [5m] 0.10 [15m] 0.09
- Kernel -----------------------------------------------------------------------
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
tso: off
ppp sync: off
- Ctsyncd ----------------------------------------------------------------------
MASTER
-IPSec ------------------------------------------------------------------------
000 #1460: "S_REF_RxrkmFZPsh_0" esp.9a063cd9@212.202.98.74 esp.179febde@138.246.20.242; tunnel
[…]
- PostgreSQL ------------------------------------------------------------------------
reporting: […]
pop3: […]

This output shows an HA configuration with 2 nodes in active-passive mode: node 1 is the MASTER and node 2 the SLAVE, both in state ACTIVE and running the same version (7.302), with eth3 as the HA interface. Under IPSec the messages for the active tunnels are displayed.
CLI High Availability & Clustering / Connection to slave system

Scenario 2: The administrator wants to view the log files from the HA slave.

Two ASGs are connected in an HA configuration and the former master has rebooted. Because of the failover, the log files of the old master are now on the "new" slave and are not accessible through the WebAdmin.

An administrator wants to access the log files of the old master (now slave) and save these files for troubleshooting.

Access the slave via: ha_utils ssh (only as root from the master ASG)

An SSH connection to the slave is established; the administrator does not need to know the IP address of the slave. This connection is only possible when the SSH daemon is configured on the default port 22.

The log files are found in /var/log/ and can be displayed with the standard Linux tools such as tail, less and grep. The log files can be copied to the master via SCP.

Example for copying high-availability.log from the slave to the master:

<S> asg:/var/log # scp high-availability.log loginuser@198.19.250.1:/home/login/high-availability.log.node2
CLI High Availability & Clustering / Connection problems

Scenario 3: The front panel of the ASG shows "MTU ERROR" and the appliance has shut down completely.

Solution: The HA cluster interface uses an MTU of 2000 bytes when connected via a gigabit interface. The connected switch should therefore support jumbo frames, and this feature should be activated on the switch. When the switch doesn't support jumbo frames, the interface should be configured to a fixed 100 Mbit/s full duplex (= MTU 1500) to avoid problems with the HA cluster interface.

Scenario 4: The link status of one or more interfaces shows "down" frequently, whereby a failover is initiated over and over again.

Where can more detailed information about a lost link be found, for all interfaces?

Solution: Check the kernel log, using the WebAdmin or on the command line in the file /var/log/kernel.log. Detailed information on the interface status is provided in this file.

For more information about the interfaces, have a look at the networking chapter.
User Authentication

CLI User Authentication / Overview (1)

(The diagram on this slide is not reproduced here.) It shows the different workflows for the three authentication methods Active Directory, eDirectory and LDAP. For Active Directory and eDirectory there is a distinction between basic authentication and Single Sign-On.

The diagram also shows which attributes are synchronized between the different directory services and the local user database of the Astaro Security Gateway.
CLI User Authentication / Overview (2)

The authentication messages are logged to the file /var/log/aua.log and can be reviewed via the command line or the WebAdmin.

2008:11:19-16:26:17 (none) aua[5534]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="172.16.65.2" user="berlin" caller="portal" engine="adirectory"

Log entry: meaning
sub="auth" name="Authentication successful": authentication successful
srcip="172.16.65.2": client IP
user="berlin": authenticated user
caller="portal": calling system process (WebAdmin, User Portal or HTTP proxy)
engine="adirectory": authentication method

If this information is not enough for troubleshooting authentication problems, it is possible to activate the debug mode of the aua daemon. This is done on the command line with:
killall -USR2 aua.bin

A lot of information is written to aua.log in debug mode. To disable the debug mode of the aua daemon, use the command killall -USR2 aua.bin again.

Attention: Passwords can be seen in clear text in the debug log. Switch the debug mode off again as soon as the problem is found, and treat the log file (and any copy of it sent to support) as sensitive.

Note: When having problems with authentication in conjunction with the HTTP proxy, it is possible to start the HTTP proxy in debug mode as well (see the Web Security chapter).
CLI User Authentication / Active Directory (1)

Scenario 1: The administrator wants to check whether the AD connection is working properly.

Verify with: click the button "Test Server"

Possible answer 1:
Connection to ldap://192.168.140.215:389 failed

Solution 1: The IP address of the AD server is not correct or the LDAP service is not reachable (maybe a firewall between the AD server and the ASG is blocking the connection: missing packet filter rule on this firewall?).

Possible answer 2:
Server exists and accepts connections, but bind to ldap://192.168.140.213:389 failed with this Bind DN and Password

Solution 2: The LDAP service can be reached, but the Bind User DN or the password is not correct.

Scenario 2: Joining the domain with Active Directory Single Sign-On (SSO) fails ("Joining the domain failed.").

Solution: The following prerequisites have to be fulfilled to join a domain:
- The ASG needs an FQDN (e.g. firewall.mydomain.local) which can be resolved in the local AD domain.
- The time difference between the DC and the ASG must not be more than 5 minutes (Kerberos rejects tickets with a larger clock skew).
- The following DNS entries have to be resolvable by the ASG:
  $ host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
  $ host -t SRV _ldap._tcp.dc._msdcs.MYDOMAIN.LOCAL

When this is not the case, a DNS request route can be configured under Networking » DNS » Request Routing.
Example: Domain: MYDOMAIN.LOCAL -> Target servers: Active Directory server
CLI User Authentication / Active Directory (2)

Active Directory SSO

The command line tool wbinfo shows detailed information about the Active Directory SSO connection; Active Directory users and groups can be displayed.

Examples:
wbinfo -u: shows all AD users
wbinfo -g: shows all AD groups
wbinfo -r <user>: shows all groups of a specific user (note: it shows only group IDs, not names)
wbinfo -D <domain>: shows information about a specific AD domain
wbinfo -t: checks the trust secret of the machine account; if this fails, the domain join itself is broken

Detailed information on the tool is shown by wbinfo --help.
CLI User Authentication / eDirectory

For Novell eDirectory a test tool is provided in the WebAdmin to test single users (see Microsoft Active Directory).

Detailed information for Novell eDirectory is written to the aua.log file when the debug mode is activated for the responsible processes. This is done on the CLI with the command
killall -USR2 aua.bin aua_edirsync.plx

Scenario 3: The administrator wants to check whether an eDirectory user is in the cache of the ASG.

Verify with: bring both processes into debug mode (see above) and check aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: Writing cache entry for dn cn=testuser,ou=FW,ou=Support,o=Karlsruhe
2008:10:27-12:25:28 (none) aua[1293]: id="3007" severity="debug" sys="System" sub="auth" name="SSO: adding IP address 172.26.3.17 to cache"

Scenario 4: The administrator wants to check which eDirectory groups are imported for one user.

Verify with: both processes in debug mode, check aua.log.
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'attrs' => {
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'modifytimestamp' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: '20081027112505Z'],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'cn' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'testuser',
[…] ],
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'groupmembership' => [
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: 'ou=FW,ou=Support,o=Karlsruhe'
2008:10:27-12:25:30 (none) aua_edir_sync[23466]: ],
Web Security

CLI Web Security / Categorization

Since version 7.302 the Astaro Security Gateway includes the content filter product SmartFilter XL from Secure Computing.

Scenario 1: The administrator wants to check which category a particular web site is in.

Verify with: Open the web page http://www.astaro.com/support/support_resources in a browser and click the link "Astaro Web Filtering Site Test". It is possible to send an optional suggestion for a different category.

All filter categories are described in detail in the Astaro Knowledgebase article 297586.
CLI Web Security / Details of Content Filter Log

On this slide the important fields of the HTTP proxy log file are described for detailed troubleshooting.

2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"

Log entry: meaning
sub="http" name="http access" action="pass": access allowed
srcip="172.16.65.2": client IP
user="user1": user logged in at the HTTP proxy
statuscode="200": HTTP status code "OK"
cached="0": the web page was not loaded from the cache
profile="profile_0": first profile in Web Security » HTTP Profiles
filteraction="action_REF_DefaultHTTPCFFAction": filter action used; the reference can be resolved in the WebAdmin using Support » Advanced » Resolve REF_
size="6835" time="782 ms": size and download time of this request
url="http://www.google.de/": requested URL
category="145": Secure Computing SmartFilter XL category ID
categoryname="Search Engines": category name
content-type="text/html": MIME type
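The AFC log (IM/P2P Security, Logging), aua.log (User Authentication, Overview 2) and the HTTP proxy log above all use the same key="value" format, so one parser serves all three. The following Python example, added here and not part of the Astaro courseware, parses such lines, filters them the way grep is used on these slides (by srcip or user), summarizes AFC lines by client, protocol and verdict using the id and fwrule meanings given on these slides, and estimates what the 'Limit host 1/sec' setting would suppress. The sample lines are constructed in the logged format (two Skype lines within the same second are included to show the limit) and are not captures from a real system; the fwrule table covers only the two values explained on these slides.

```python
"""Parse the key="value" log format shared by the ASG daemons (ulogd for
afc.log, aua, httpproxy) and run the checks these slides do by hand with grep.

Added example, not Astaro code.  The lines below are constructed in that
format (the AFC id/fwrule meanings are the ones given on these slides) and
are not captures from a real system.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    '2008:11:19-15:33:27 (none) ulogd[2517]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="60202" outitf="eth2" srcip="79.213.68.225" dstip="192.168.99.101" proto="6" length="57" tos="0x00" prec="0x00" ttl="115" srcport="57389" dstport="18710" tcpflags="ACKPSH"',
    '2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1238" dstport="21510" tcpflags="ACKPSH"',
    '2008:11:19-15:36:41 (none) ulogd[2517]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60103" outitf="eth0" srcip="192.168.99.3" dstip="62.214.209.43" proto="6" length="124" tos="0x00" prec="0x00" ttl="127" srcport="1239" dstport="21510" tcpflags="ACKPSH"',
    '2008:11:19-16:26:17 (none) aua[5534]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="172.16.65.2" user="berlin" caller="portal" engine="adirectory"',
    '2008:11:18-18:42:46 (none) httpproxy[1729]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.65.2" user="user1" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="6835" time="782 ms" request="0xb385b88" url="http://www.google.de/" error="" category="145" categoryname="Search Engines" content-type="text/html"',
]

# '<timestamp> <host> <daemon>[<pid>]: key="value" key="value" ...'
_HEAD = re.compile(r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ "
                   r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
_KV = re.compile(r'([\w-]+)="([^"]*)"')

# Meanings given on the IM/P2P logging slides; the full list is in the KB article cited there.
AFC_IDS = {"2017": "log only", "2018": "file transfer blocked", "2019": "blocked completely"}
AFC_RULES = {"60202": "P2P/Bittorrent", "60103": "Skype"}


def parse_line(line):
    """One log line -> dict with ts, daemon, pid and every key="value" field, or None."""
    m = _HEAD.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "daemon": m.group("daemon"), "pid": int(m.group("pid"))}
    rec.update(_KV.findall(m.group("rest")))
    return rec


def parse_all(lines=SAMPLE_LINES):
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def select(records, **criteria):
    """grep-like filter on parsed fields, e.g. select(recs, srcip="172.16.65.2")."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def afc_records(records):
    return [r for r in records if r.get("name", "").startswith("AFC")]


def afc_summary(records):
    """Count AFC lines per (client, detected protocol, verdict)."""
    counts = Counter()
    for r in afc_records(records):
        proto = AFC_RULES.get(r["fwrule"], "fwrule " + r["fwrule"])
        verdict = AFC_IDS.get(r["id"], "id " + r["id"])
        counts[(r["srcip"], proto, verdict)] += 1
    return counts


def suppressed_by_host_limit(records, per_second=1):
    """How many AFC lines the 'Limit host 1/sec' setting would have dropped:
    everything beyond per_second lines per source IP within one second."""
    per_host_second = Counter((r["srcip"], r["ts"]) for r in afc_records(records))
    return sum(max(0, n - per_second) for n in per_host_second.values())


if __name__ == "__main__":
    recs = parse_all()
    for key, n in afc_summary(recs).items():
        print(n, key)
    print("lines a 1/sec host limit would drop:", suppressed_by_host_limit(recs))
    for r in select(recs, srcip="172.16.65.2"):
        print(r["daemon"], r.get("user"), r.get("name"))
```

On a live system read the lines from /var/log/afc.log, /var/log/aua.log or the HTTP proxy log instead of SAMPLE_LINES; `select` on `user` or `srcip` replaces the grep used on these slides, and `afc_summary` shows which hosts dominate the AFC log before a logging limit is chosen.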

CLI Web Security
/ HTTP Proxy in Debug Mode
Common problems with the HTTP proxy can be solved with an in-depth log analysis, or they are related to
authentication problems (see the authentication section). More detailed information is available when
the debug mode for the HTTP proxy is activated.

Solution: Changing the debug level for the HTTP proxy

The debug level can only be configured by editing the file
/var/chroot-http/etc/httpproxy.ini, section [global], key debug= …

Debug level   Explanation
none          Debugging is deactivated
dns           DNS resolution debugging
profile       Detailed profile parsing and matching
auth          Authentication debugging (NTLM, Basic, E-Dir, etc.)
conn          Connection debugging
hdr           HTTP header debugging
scan          Content scanning debugging
ssl           SSL communication debugging
cache         Hard disk cache debugging

Attention: All debug levels are only active until the next change or restart of the HTTP proxy.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 157
E-Mail Security

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 158
CLI E-mail Security
/ SMTP Log (1)
The MailManager provides an SMTP log where the administrator can easily see the results of the mail
processing and can filter these messages by different criteria.

More information about the MailManager can be found in the corresponding chapter of the courseware.

A double click on an entry in the log view opens a new window with more information about the e-mail,
including its Message ID.

The Message ID can be used to find more information about this particular e-mail in the actual SMTP
log. For an advanced search the last two parts of the ID are needed to find all information about the
e-mail in the log file. For example, 0002EF-2t is used to find every log line for this particular e-mail.

This advanced search can be done in the WebAdmin using Logging -> Search Log Files or on the
command line in the file /var/log/smtp.log.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 159
CLI E-mail Security
/ SMTP Log (2)
Scenario 1: An administrator wants to see all log entries for a particular e-mail.
Verify with: Click on the entry in the MailManager log view, then type the command
grep "0002EF-2t" /var/log/smtp.log on the command line

2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= tony@extern.corp
H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682 id=49254017.6070709@extern.corp
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail"
sub="smtp" name="email passed" srcip="192.168.140.158" from="tony@extern.corp" to="trainer@asllab.net"
subject="Standardtestmail an den Trainer" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => trainer@asllab.net
R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed

Scenario 2: The information provided by the SMTP log is not enough for troubleshooting.

Solution: The debug mode for the SMTP proxy can be activated as follows.
Change the following line in the file /var/mdw/scripts/smtp:

chroot $CHROOT /bin/smtpd.bin $WORKER

into

chroot $CHROOT /bin/smtpd.bin $WORKER --debug

and restart the SMTP proxy with /var/mdw/scripts/smtp restart.

Note: The SMTP proxy in debug mode generates a lot of log messages, which can flood the log
partition! The debug mode should only be activated for a short period and deactivated after
troubleshooting with the same procedure (removing --debug again and restarting the proxy).

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 160
CLI E-mail Security
/ Greylisting
Scenario 3: An urgent e-mail was sent by an external partner and the administrator wants to check if
the e-mail was delayed by Greylisting.

Solution: Inspect the log file on the command line. Attention: The message cannot be seen
in the MailManager and has to be searched for manually.

2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted
192.168.140.158
2008:11:20-12:24:21 (none) exim[9364]: [1\19] 2008-11-20 12:24:21 1L37e0-0002R2-2s H=([192.168.140.158])
[192.168.140.158]:2397 F=<tony@extern.corp> temporarily rejected after DATA: Temporary local problem,
please try again!
2008:11:20-12:24:21 (none) exim[9364]: [2\19] Envelope-from: <tony@extern.corp>
2008:11:20-12:24:21 (none) exim[9364]: [3\19] Envelope-to: <trainer@asllab.net>
2008:11:20-12:24:21 (none) exim[9364]: [4\19] P Received: from [192.168.140.158] (port=2397)
2008:11:20-12:24:21 (none) exim[9364]: [5\19] by asg225.asllab.net with esmtp (Exim 4.69)
2008:11:20-12:24:21 (none) exim[9364]: [6\19] (envelope-from <tony@extern.corp>)
2008:11:20-12:24:21 (none) exim[9364]: [7\19] id 1L37e0-0002R2-2s
[…]
-----------------------------------------------------------------------------------------------------------
2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful
greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
[…]
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y => trainer@asllab.net
R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed

In the example above, Greylisting first rejects the message temporarily. The second part of the log
extract shows the successful retry that delivers the message.
Please note that a new message ID is generated when the message is received the second time.
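As an added example (not part of the courseware), the following Python snippet implements the two searches described on the SMTP Log and Greylisting slides: finding every line of one message by the last two parts of its queue ID, and pairing a greylisting temporary reject with the later successful retry, which arrives under a new queue ID and therefore has to be tied to the first attempt by sender IP. The log excerpt is constructed from the lines quoted on those slides.

```python
import re
from datetime import datetime

# Constructed excerpt of /var/log/smtp.log, made from the lines quoted on the
# SMTP Log (2) and Greylisting slides with each log line joined back onto one line.
SMTP_LOG = r"""
2008:11:20-12:04:50 (none) exim[8571]: 2008-11-20 12:04:50 1L37L7-0002EF-2t <= tony@extern.corp H=([192.168.140.158]) [192.168.140.158]:2198 P=esmtp S=682 id=49254017.6070709@extern.corp
2008:11:20-12:04:51 (none) smtpd[4015]: QMGR[4015]: 1L37L7-0002EF-2t moved to work queue
2008:11:20-12:05:01 (none) smtpd[8573]: SCANNER[8573]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.140.158" from="tony@extern.corp" to="trainer@asllab.net" subject="Standardtestmail an den Trainer" queueid="0z2kWS-0002EF-2t" size="102"
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t => trainer@asllab.net R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:05:01 (none) exim[8592]: 2008-11-20 12:05:01 0z2kWS-0002EF-2t Completed
2008:11:20-12:24:21 (none) exim[9364]: 2008-11-20 12:24:21 1L37e0-0002R2-2s Greylisting: Greylisted 192.168.140.158
2008:11:20-12:24:21 (none) exim[9364]: [1\19] 2008-11-20 12:24:21 1L37e0-0002R2-2s H=([192.168.140.158]) [192.168.140.158]:2397 F=<tony@extern.corp> temporarily rejected after DATA: Temporary local problem, please try again!
2008:11:20-12:32:02 (none) exim[9630]: 2008-11-20 12:32:02 1L37lS-0002VK-1Y Greylisting: Successful greylist retry from 192.168.140.158 (original host was 192.168.140.158/32)
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y => trainer@asllab.net R=static_route_hostlist T=static_smtp H=192.168.140.213 [192.168.140.213]:25
2008:11:20-12:32:13 (none) exim[9650]: 2008-11-20 12:32:13 0zJj0D-0002VK-1Y Completed
""".strip()

# exim queue ID: three dash-separated parts. The first part changes when the
# proxy re-queues the message, which is why the slides search on the last two.
QUEUE_ID_RE = re.compile(r"\b([0-9A-Za-z]{6})-([0-9A-Za-z]{6})-([0-9A-Za-z]{2})\b")
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"


def message_key(queue_id):
    """The search key from the slide: the last two parts of the queue ID."""
    return "-".join(queue_id.split("-")[1:])


def lines_for_message(log_text, key):
    """Equivalent of grep "0002EF-2t" /var/log/smtp.log, but matched on queue IDs
    only, so a key cannot accidentally hit a subject line or a Message-ID."""
    return [line for line in log_text.splitlines()
            if any(message_key(m.group(0)) == key for m in QUEUE_ID_RE.finditer(line))]


GREYLISTED_RE = re.compile(r"^(\S+) .* (\S{6}-\S{6}-\S{2}) Greylisting: Greylisted (\d+\.\d+\.\d+\.\d+)")
RETRY_RE = re.compile(r"^(\S+) .* (\S{6}-\S{6}-\S{2}) Greylisting: Successful greylist retry from (\d+\.\d+\.\d+\.\d+)")
COMPLETED_RE = re.compile(r"^(\S+) .* (\S{6}-\S{6}-\S{2}) Completed$")


def greylist_history(log_text):
    """Pair each temporary 'Greylisted <ip>' reject with the later successful retry
    from the same IP and the delivery that follows it. The retry has a new queue
    ID, so the two halves are tied together by sender IP, and the delivery is
    tied to the retry by the message key of the retry's queue ID."""
    pending = {}   # srcip -> (timestamp, queue id) of the temporary reject
    retried = {}   # message key of the retry -> history record
    for line in log_text.splitlines():
        m = GREYLISTED_RE.match(line)
        if m:
            ts, qid, ip = m.groups()
            pending[ip] = (ts, qid)
            continue
        m = RETRY_RE.match(line)
        if m:
            ts, qid, ip = m.groups()
            first_ts, first_qid = pending.pop(ip, (None, None))
            delay = None
            if first_ts:
                delay = int((datetime.strptime(ts, TS_FORMAT)
                             - datetime.strptime(first_ts, TS_FORMAT)).total_seconds())
            retried[message_key(qid)] = {
                "srcip": ip, "rejected_id": first_qid, "rejected_at": first_ts,
                "retry_id": qid, "retry_at": ts, "delay_s": delay,
                "delivered": False, "delivered_at": None,
            }
            continue
        m = COMPLETED_RE.match(line)
        if m:
            ts, qid = m.groups()
            rec = retried.get(message_key(qid))
            if rec:
                rec["delivered"], rec["delivered_at"] = True, ts
    return list(retried.values())


if __name__ == "__main__":
    for line in lines_for_message(SMTP_LOG, "0002EF-2t"):
        print(line)
    for rec in greylist_history(SMTP_LOG):
        print(f"{rec['srcip']}: greylisted as {rec['rejected_id']}, retried as "
              f"{rec['retry_id']} after {rec['delay_s']} s, delivered={rec['delivered']}")
```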

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 161
Reporting

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 162
CLI Reporting
/ Overview (1)
Since version 7.300 all reporting data is stored in the new PostgreSQL database.

To generate all kinds of reports the ASG uses three different data sources:
- RRD files to create the graphs
- ACCU files with absolute values of the last 30 days
- PostgreSQL for long-term data storage for up to 6 months

Furthermore there are 7 reporters for different scopes, which can be configured separately in the
WebAdmin:
- Websec reporter
- Mailsec reporter
- VPN reporter
- IPS reporter
- Pfilter reporter
- Admin reporter
- System reporter

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 163
CLI Reporting
/ Overview (2)
The administrator can check if all database processes and all reporter processes are running properly
using the command line.
Verify with: ps -ef |grep postgres on the command line
ps -ef |grep postgres
postgres 2939 1 0 Nov17 ? 00:00:09 /usr/bin/postgres -D /var/storage/pgsql/data
postgres 2948 2939 0 Nov17 ? 00:00:03 postgres: writer process
postgres 2949 2939 0 Nov17 ? 00:00:01 postgres: wal writer process
postgres 2950 2939 0 Nov17 ? 00:00:01 postgres: autovacuum launcher process
postgres 2951 2939 0 Nov17 ? 00:00:12 postgres: stats collector process
postgres 14097 2939 0 Nov18 ? 00:00:04 postgres: reporting reporting [local] idle
postgres 14333 2939 0 Nov18 ? 00:00:02 postgres: postgres smtp 127.0.0.1(36013) idle
postgres 7043 2939 0 00:15 ? 00:00:52 postgres: postgres smtp 127.0.0.1(58014) idle

PID 2939 is the postgres main process, and the processes 2948-2951 are copying data within the
database. Furthermore, two processes for the SMTP database are visible; this database stores the
e-mails in the quarantine.

Verify with: ps -ef |grep reporter on the command line

ps -ef |grep reporter
root 4805 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/websec-reporter.pl
root 4806 2508 0 00:00 ? 00:00:03 /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
root 4807 2508 0 00:00 ? 00:00:00 /usr/bin/perl /usr/local/bin/reporter/vpn-reporter.pl
root 4808 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
root 4809 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
root 4810 2508 0 00:00 ? 00:00:01 /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl

These lines show the running reporter processes, which collect data from logging (syslog-ng) and
write this information into the three databases RRD, ACCU and PostgreSQL.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 164
CLI Reporting
/ Logging & Storage
All database errors can be found in the file /var/log/system.log and can be reviewed via WebAdmin
or the command line.

In case of problems with the database or the reporting, the administrator should search the log file for
PostgreSQL entries.

If messages like the following are found in the log file, the administrator is requested to open a
support call to restore the database with the help of the Astaro support.

ERROR: invalid page header in block 7002 of relation "accounting"
ERROR: could not open relation 17747/16519/18546: No such file or directory
PANIC: right sibling 1672 of block 110 is not next child of 3 in index "websec_bud_dayidx"
FATAL: bogus data in lock file "/var/run/postgresql/.s.PGSQL.5432.lock": "#

Note: The database files are not included in the backup file and cannot be restored after a
database restore.

Scenario 1: The reporting is not working any more; the administrator wants to check if the storage
partition is full.
Verify with: df -h /var/storage/pgsql/data on the command line
Filesystem Size Used Avail Use% Mounted on
/dev/disk/by-label/storage 745M 208M 499M 30% /var/storage

Attention: The database files are stored under /var/storage/pgsql/data, but this is only a subfolder of
the storage partition /var/storage, which in addition holds the HTTP proxy cache, the SMTP quarantine
e-mails and more. When this partition is full it is not necessarily a database problem; it could as well
be a problem with the HTTP cache or the SMTP proxy.
© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 165
Site-To-Site VPN using
certificates

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 166
CLI Site-To-Site VPN using certificates / General

Scenario 1: The administrator wants to check if the IPsec connection is established successfully.

Verify with: Check in the WebAdmin with a click on "Site-to-Site VPN" or on the command line using the
command cat /proc/net/ipsec_eroute

asg225:/root # cat /proc/net/ipsec_eroute
14 172.16.55.0/24 -> 192.168.150.0/24 => tun0x1014@192.168.140.226

When all lights are green, the connection is established with both phases.
The output on the command line additionally shows the number of packets sent through the established
tunnel.

The following lines (or similar ones) should be in the log file for an established tunnel:
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established

These lines show that both phases are established successfully (the ISAKMP SA is phase 1, the IPsec SA
is phase 2). The administrator should check the log file after the first build-up of the tunnel. The log
file can be found under /var/log/ipsec.log.

Note: If the tunnel is fully established in both phases but no packets pass through the tunnel, the packet
filter log and the packet filter rules should be checked.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 167
CLI Site-To-Site VPN using certificates/ Connection
problems (1)
Scenario 1: The tunnel cannot be established.

cannot respond to IPsec SA request because no connection is known for
172.16.55.0/24===192.168.140.225...192.168.140.226===192.168.150.0/24

Solution 1: Check the network definitions on both sides of the tunnel. The "Local Networks" on one side have to be
configured as "Remote Networks" on the other side and vice versa.

Scenario 2: The tunnel cannot be established.

packet from 192.168.140.226:500: initial Main Mode message received on 192.168.140.225:500 but no
connection has been authorized with policy=PSK

Solution 2: Check the policy configuration on both gateways. This is especially important in case of different
gateway vendors.

Note: All default policies on the ASG have "strict policy" disabled. If you see the error message above, it is
possible that a connection is established, but with different policy settings than specified in the policy. In this case
the ASG tries to establish a connection using "higher" security credentials.

In case of activated "strict policy" on both gateways the following messages will appear in the log file:

2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: Oakley Transform [OAKLEY_AES_CBC
(256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: no acceptable Oakley Transform
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: sending notification
NO_PROPOSAL_CHOSEN to 192.168.140.226:500
2008:11:20-12:50:25 (none) pluto[13925]: packet from 192.168.140.226:500: ignoring informational payload,
type NO_PROPOSAL_CHOSEN

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 168
CLI Site-To-Site VPN using certificates/ Connection
problems (2)
Scenario 3: The tunnel can not be established.

2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: byte 2 of ISAKMP Identification
Payload must be zero, but is not
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: probable authentication failure
(mismatch of preshared secrets?): malformed payload in packet
2008:11:20-14:41:25 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #492: max number of retransmissions (2)
reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted
message

Solution 3: Check the preshared keys on both gateways. These messages indicate different keys.

Scenario 4: The tunnel cannot be established.

2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: issuer cacert not found
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: X.509 certificate rejected
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: Signature check (on
@asg226.asllab.net) failed (wrong key?); tried *AwEAAdhkV

Solution 4: In this case the authentication was done with certificates, and the branch office still uses the
old local self-signed certificate configured using the option "Local X509 Certificate" and not the
certificate provided by the headquarters. Check the certificate configuration.

Note: A good overview of the actual tunnel configuration is given in the file
/var/chroot-ipsec/etc/ipsec.conf. The entries stating "left" are for the local ASG, the entries stating
"right" are for the remote gateway. The file is dynamically created when activating a tunnel; changes to
this file are discarded and ignored.
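As an added example (not part of the courseware), the following Python snippet turns the VPN slides' troubleshooting into a small log triage: it parses pluto lines from /var/log/ipsec.log, records per connection when phase 1 (ISAKMP SA) and phase 2 (IPsec SA) were last established, and maps the failure signatures quoted in Scenarios 1 to 4 to the check recommended for each. The log excerpt is constructed from the lines quoted on the slides; the advice strings are my summaries of the slides' solutions.

```python
import re

# Constructed excerpt of /var/log/ipsec.log, built from the pluto lines quoted on
# the VPN slides (established tunnel, strict-policy refusal, PSK mismatch and
# certificate rejection), each log line joined back onto one line.
IPSEC_LOG = """\
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #273: ISAKMP SA established
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: Dead Peer Detection (RFC 3706) enabled
2008:11:20-12:00:31 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #276: sent QI2, IPsec SA established
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1536] refused due to strict flag
2008:11:20-12:50:02 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #309: no acceptable Oakley Transform
2008:11:20-12:50:25 (none) pluto[13925]: packet from 192.168.140.226:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2008:11:20-14:41:16 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #494: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: issuer cacert not found
2008:11:20-15:04:43 (none) pluto[13925]: "S_REF_iYeXsYhyWs_0" #520: X.509 certificate rejected
"""

# Prefix, then an optional "connection name" #state: part, then the message.
# Lines about unmatched packets ("packet from ...") carry no connection name.
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+) \(\S*\) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)

# Failure signatures quoted on the slides with the check the slides attach to
# each (my wording). The first matching signature wins.
DIAGNOSES = (
    ("no connection is known for", "Solution 1: compare Local/Remote Networks on both gateways"),
    ("no connection has been authorized with policy", "Solution 2: compare the IPsec policies on both gateways"),
    ("refused due to strict flag", "Solution 2: strict policy is enabled and the proposals differ"),
    ("NO_PROPOSAL_CHOSEN", "Solution 2: no common proposal between the gateways"),
    ("mismatch of preshared secrets", "Solution 3: check the preshared keys on both gateways"),
    ("max number of retransmissions", "Solution 3: no answer to our first encrypted message, check the preshared keys"),
    ("issuer cacert not found", "Solution 4: issuer CA certificate not known, check the certificate configuration"),
)


def parse_pluto(line):
    """Split a pluto line into timestamp, connection name, state number and message."""
    m = PLUTO_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "conn": m["conn"],
            "state": int(m["state"]) if m["state"] else None, "msg": m["msg"]}


def tunnel_status(log_text):
    """Per connection: timestamp of the last phase 1 (ISAKMP SA) and phase 2
    (IPsec SA) establishment, and every diagnosed problem in log order."""
    status = {}
    for line in log_text.splitlines():
        rec = parse_pluto(line)
        if rec is None:
            continue
        entry = status.setdefault(rec["conn"] or "(no connection)",
                                  {"phase1": None, "phase2": None, "problems": []})
        msg = rec["msg"]
        if msg.startswith("ISAKMP SA established"):
            entry["phase1"] = rec["ts"]
        elif msg.endswith("IPsec SA established"):
            entry["phase2"] = rec["ts"]
        else:
            for needle, advice in DIAGNOSES:
                if needle in msg:
                    entry["problems"].append((rec["ts"], advice))
                    break
    return status


def is_up(entry):
    """Both phases established and no diagnosed problem logged at or after the
    phase 2 establishment. Timestamps are fixed-width, so string order is time order."""
    if entry["phase1"] is None or entry["phase2"] is None:
        return False
    return not entry["problems"] or entry["problems"][-1][0] < entry["phase2"]


if __name__ == "__main__":
    for conn, entry in tunnel_status(IPSEC_LOG).items():
        print(f"{conn}: up={is_up(entry)} phase1={entry['phase1']} phase2={entry['phase2']}")
        for ts, advice in entry["problems"]:
            print(f"  {ts}  {advice}")
```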

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 169
Miscellaneous issues

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 170
CLI Miscellaneous issues/ Lost passwords

Scenario: The WebAdmin password has been forgotten or lost.

If the 'Root & Login' user passwords are known:

Use SSH or connect a monitor and keyboard directly to the AxG to log in to the shell.
Once at the shell prompt, enter the configuration utility by following the directions below:

dot10:/root # cc
127.0.0.1 MAIN >RAW
127.0.0.1 RAW >system_password_reset
127.0.0.1 RAW >Ctrl-C (keys)

Log back into the WebGUI and a prompt to set a new password will appear.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 171
CLI Miscellaneous issues/ Lost passwords

Scenario: All passwords have been forgotten or lost (1)

Reset the console passwords with a Linux LiveCD

In order to reset the passwords of a system that you cannot access, you will need to
download a Linux LiveCD. There are many distributions, and if you already have one, it will likely
work. The distribution used to test this procedure was Ubuntu Linux. The ISO image
can be found here:
http://mirror.cs.umn.edu/ubuntu-releases/intrepid/ubuntu-8.10-desktop-i386.iso

What you will need:

* Physical access to the ASG
* Keyboard
* Mouse (optional, depending on the distribution you are using)
* Monitor
* Suitable CD-ROM drive (USB for appliances, various types for software-based systems)
* PC with network access and a CD burner (or access to a LiveCD)

Download a suitable Linux LiveCD; the latest Ubuntu Linux distribution is confirmed to
work. Burn the ISO image to a CD.

Attach the peripherals to the ASG. You should see a prompt that says 'login:' on
screen. Insert the LiveCD into the CD-ROM drive and reboot the system. You should now be
booting into the LiveCD. Depending on the LiveCD, you may need to choose options to
boot into the system.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 172
CLI Miscellaneous issues/ Lost passwords

Scenario: All passwords have been forgotten or lost (2)

Once booted, open a console and gain root privileges; this is done with the 'su' command in
most distributions, for Ubuntu it is 'sudo su'. Run the following commands:

Linux> su
Linux# mkdir /mnt/asg
Linux# mount LABEL=root /mnt/asg
Linux# chroot /mnt/asg /bin/bash
Linux# passwd loginuser
Changing password for user loginuser
Password:
Retype Password:
Linux# passwd
Changing password for user root
Password:
Retype password:
Linux# exit
Linux# umount /mnt/asg

Now take the CD out of the CD-ROM drive and reboot the ASG. Once the ASG has rebooted, you can
sign in as root on the console of the system using your new root password.

Reset the admin password from the ASG's console:
Log into the ASG via the console and enter the following commands:

dot10:/root # cc
127.0.0.1 MAIN >RAW
127.0.0.1 RAW >system_password_reset
127.0.0.1 RAW >Ctrl-C (keys)

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 173
CLI Miscellaneous issues/ Up2date troubleshooting
(1)
Scenario: System up2dates applied in the WebAdmin do not up2date the system to the latest version.

Simulation of RPM installs

Simulating an up2date install is useful for determining why a particular up2date may be failing, such as
no connection to the Up2date servers. The output appears in the standard /var/log/up2date.log file; for
an individual test, redirecting it to a separate file makes examination easier. From the shell run:

dot10:/root # auisys.plx --simulation

Or, to redirect the output to a specific file such as 'up2datetest.log':
dot10:/root # auisys.plx --simulation >>up2datetest.log

Scenario: Up2date to a specific version is desired

This is useful for up2dating to a specific version rather than all the way to the latest, in particular when
up2dates make large changes, as with the feature releases 7.100, 7.200, 7.300 and 7.400. Prior to
up2dating completely, it is usually useful and causes fewer problems to first up2date to the latest version
in the series prior to a feature release. As an example, up2date only to 7.202 first, then up2date to the
latest 7.30x after the system reboots with a running 7.202 version.

dot10:/root # auisys.plx --upto 7.300

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 174
CLI Miscellaneous issues/ Up2date troubleshooting
(2)
Scenario: A 'force' of an up2date is required

For up2date issues the combination of --rpmargs and --force has the greatest effect on loading
all current up2dates. In addition, these can be combined with --upto <version> to create a
powerful up2date order. This command is the standard way to effectively force all up2dates present to load
on a system despite previous up2date failures, which may be triggered by customized RPM packages
having been loaded on the system previously.

dot10:/root # auisys.plx --rpmargs --force

Or combined with an 'upto' version:
dot10:/root # auisys.plx --rpmargs --force --upto 7.300

Scenario: A downloaded up2date appears corrupt and must be downloaded again.

Sometimes a new download or the removal of an up2date is required to resolve an issue, if an up2date
has been corrected on the Up2date servers or is otherwise corrupted on a customer system. Remove any
affected system up2dates from the AxG and run a new download:

dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # rm u2d-sys-7.301*   (or whatever up2date you wish to remove)
dot10:/var/up2date/sys # audld.plx   (triggers a new download)

If the download cannot communicate or authenticate with a server, the up2date can be pulled directly from
the Astaro FTP servers into the /var/up2date/sys directory with a wget command such as:
dot10:/root # cd /var/up2date/sys
dot10:/var/up2date/sys # wget http://ftp.astaro.com/ASG/v7/up2date/u2d-sys-7.300.tgz.gpg

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 175
CLI Miscellaneous issues/ Restore a Backup from
SSH
Scenario: WebAdmin access is unavailable but shell access is, and there are backups stored on the AxG.

In the event that WebAdmin access is unavailable, it is possible to restore a currently saved backup file
from SSH or the direct console.

1) Log in via SSH:
login: loginuser
password: <loginuser password>
root access: su
password: <root password>

2) Identify the backup file needed:
cd /var/confd/var/storage/snapshots
ls -l
Files appear as, for example: cfg_21707_1200723302

3) Restore the backup file:
/usr/local/bin/backup.plx -i /var/confd/var/storage/snapshots/cfg_21707_1200723302

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 176
Introduction to ACC

In this chapter you will see:
- Astaro Command Center

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 177
Astaro Command Center
/ Overview

- Centralized and efficient management of multiple Astaro Gateways
- Central threat-level monitoring
- IPSec VPN tunnel creation and monitoring
- Central Up2date cache

- Uses state-of-the-art Web 2.0 technologies like AJAX (Asynchronous JavaScript And XML)
- Tracking of critical system parameters in real time:
  - detected threats
  - license status
  - software updates
  - resource usage

No license needed!! It's free!!!


© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 178
ACC System Overview
/ Available Appliances

(ACC = Astaro Command Center)

                         ACC 1000              ACC 2000              ACC 3000              ACC 4000              ACC Virtual Appliance
Max Gateways supported   20                    50                    100                   200                   Unrestricted
Administrators*          1                     2                     3                     4                     Small to large
Clients*                 4                     10                    20                    40                    networks

System
Network ports            2 x 10/100/1000 Mbps  2 x 10/100/1000 Mbps  3 x 10/100/1000 Mbps  3 x 10/100/1000 Mbps  Depends on the
System Storage           30 GB                 30 GB                 30 GB                 60 GB                 hardware platform
Log/Reporting            40 GB                 40 GB                 40 GB                 80 GB                 used.

*Admin with full access, clients with access to an average of 5 Gateways and 1/3 of the clients simultaneously logged in.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 179
Astaro Command Center
/ Features

- Inventory management provides comprehensive information about each device (CPU, hard disk,
  memory, network interfaces, software version and more)
- All Astaro Security Gateway devices are automatically organized into device groups
- Single sign-on eases configuration management
- Central update management enables updating multiple devices through a single click
- Role-based multi-administrator support
© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 180
Astaro Command Center
/ ASG Configuration

- AxGs must be configured with the IP/hostname of the ACC server and the shared secret.
- The connection between ASG and ACC is SSL-encrypted using port 4433.
- Packet filter rules to allow this communication are created automatically.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 181
Astaro Command Center
/ ACC Configuration (1)

- ACC has an 'Administrative' GUI and a 'Gateway Manager' GUI.
- The Administrative GUI is accessed via port 4444, just like the other AxG products.
- Look and feel is the same, with sections for Management, Network settings, etc.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 182
Astaro Command Center
/ ACC Configuration (2)

- The Gateway Manager submenu controls access for Administrators, Clients, and Networks.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 183
Astaro Command Center
/ Gateway Manager

- Gateway Manager access is via port 4422 by default.
- Different Monitoring views display information on connected Gateways, such as:
  - Threats
  - Licenses
  - Versions
  - Resources
  - Services
  - Availability

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 184
Astaro Command Center
/ Gateway Manager

- Maintenance shows Inventory information and allows for scheduled operations on individual
  Gateways. Options are to:
  - Reboot
  - Shutdown
  - Prefetch Up2dates
  - Install Firmware
  - Install Patterns

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 185
Astaro Command Center
/ Gateway Manager

- Management allows for selective control of which Gateways can connect, via the Registration submenu.
- Access Control allows for role-based access for Users.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 186
Astaro Command Center
/ Gateway Manager

- Configuration offers a Site-to-Site VPN configuration wizard.
- Easily create and monitor VPN connections between Astaro Security Gateways.
- Additional configuration options such as centralized object creation and management will be
  available in later releases.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 187
Astaro Command Center
Review Questions

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 188
Astaro Command Center
/ Review Questions

1. Which technology is ACC built upon?
2. What features does ACC offer?
3. What port is used for communication between ACC and ASG?
4. Is the traffic encrypted?
5. Is it possible to cache the Up2Date packages for multiple ASGs?

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 189
Astaro Report Manager

The topics in this chapter will be:
- Overview of the Astaro Report Manager
- Installation/Configuration of ARM and Syslog software

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 190
Astaro Report Manager
/ Overview

- ARM is a data collection, analysis, and reporting tool.
- Aggregates and parses syslog data from network devices.
- Includes:
  - Real-time monitoring
  - Alerts based on configurable parameters
  - Built-in and customizable reports
  - Forensic analysis

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 191
Astaro Report Manager
/ Overview/ Security Center

The Security Center offers manageable Monitoring views and the ability to create 'Drill Down' reports
by simply double-clicking items to bring up a 'Workbench'.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 192
Astaro Report Manager
/ Overview / Security Center
The Reporting section offers more than 800 reports on information such as:
- Attacks
- Bandwidth
- Content Categorization
- Event
- Web Activity
Historical information can be viewed using the built-in calendar.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 193
Astaro Report Manager
/ Overview / Security Center
Information can be viewed in different formats and exported or
printed

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 194
Astaro Report Manager
/ Installation/Configuration

Hardware requirements are dependent on the number of devices sending data.
Recommended specs:
- Pentium 4, 2.8 GHz or higher
- 100 GB or more disk space
- 2 GB or more RAM
- Windows Server 2000/2003
- IIS or Apache (Apache recommended)
- Fast I/O
- Internet Explorer 6.0 or higher with Java

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 195
Astaro Report Manager
/ Installation/Configuration

- ARM is available on the Astaro FTP servers, accessible through http://my.astaro.com/
- The current version is 4.6, which is the only release that works with AxG V7.
- The FTP site contains both the ARM software and the Syslog server software.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 196
Astaro Report Manager
/ Installation/Configuration

- Installation requires admin rights.
- Choose 'Standalone' for most installations.
- Encrypt traffic with SSL.
- Choose Apache Server for most installations.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 197
Astaro Report Manager
/ Installation/Configuration

- Once the Astaro Report Manager installation is complete, it will prompt you to install the Syslog
  server.
- Choose all of the defaults unless a change is needed for the Syslog port (UDP 514) or you need to
  use trusted IPs for connections.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 198
Astaro Report Manager
/ Installation/Configuration

- By default the ARM software checks for the presence of a new device sending syslog data every
  60 seconds.
- Devices will appear on the Devices tab.
- Devices must have a valid license before Monitoring will begin.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 199
Astaro Report Manager
/ Installation/Configuration

- Licenses are managed via the License Manager icon located in the upper left corner of the ARM
  screen.
- The License Manager offers the ability to add, manage, and update licenses and devices.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 200
Astaro Report Manager
/ Installation/Configuration

- Once a device is licensed and has a checkbox under the Monitoring column, it should be accepting
  Syslog data from your AxG. To confirm that the system is receiving data, use the AppStatus icon.
- Syslog statistics are shown there, and clicking the Refresh button should show updated counts.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 201
Astaro Report Manager
/ Installation/Configuration

The Astaro Report Manager default collection policy does not offer monitoring of event logs.
This results in minimal information on the dashboard screens. To enable monitoring, change the
collection policy by clicking on the Policies button to open the Policy Manager. Highlight and edit
the 'Collect All' policy and add your device. Once saved, the dashboards should start displaying
real-time information.

© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 202
THE END.

Questions
&
Answers.
© Astaro 2004/ ACE_V7.4 Astaro Security Gateway V7 - Astaro Certified Engineer – Page 203
