
Unified Threat Management

Advanced Firewall Administrators Guide

Smoothwall Advanced Firewall, Administrators Guide, December 2013


Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other
guides delivered with earlier versions of Advanced Firewall.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of Smoothwall.
For more information, contact: docs@smoothwall.net
© 2001-2013 Smoothwall Ltd. All rights reserved.
Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC.
DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95,
Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered
trademark of Netscape Communications Corporation in the United States and other countries. Apple and
Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation.
Core is a trademark of Intel Corporation.
All other products, services, companies, events and publications mentioned in this document, associated
documents and in Smoothwall software may be trademarks, registered trademarks or service marks of
their respective owners in the UK, US and/or other countries.
Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team:
Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley,
Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan
Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.
Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves
Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul
Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez
Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc
Wormgoor.
Advanced Firewall contains graphics taken from the Open Icon Library project http://
openiconlibrary.sourceforge.net/
Address

Smoothwall Limited
1 John Charles Way
Leeds. LS12 6QA
United Kingdom

Email

info@smoothwall.net

Web

www.smoothwall.net

Telephone

USA and Canada: 1 800 959 3760
United Kingdom: 0870 1 999 500
All other countries: +44 870 1 999 500

Fax

USA and Canada: 1 888 899 9164
United Kingdom: 0870 1 991 399
All other countries: +44 870 1 991 399

Contents
Chapter 1

Introduction .................................................... 1
Overview of Advanced Firewall ....................................................... 1
Who should read this guide? ........................................................... 1
Other User Information..................................................................... 1
Annual Renewal................................................................................. 2

Chapter 2

Advanced Firewall Overview......................... 3


Accessing Advanced Firewall .......................................................... 3
Dashboard ......................................................................................... 4
Logs and reports ............................................................................... 5
Reports............................................................................................... 5
Alerts .................................................................................................. 5
Realtime ............................................................................................. 5
Logs.................................................................................................... 6
Settings .............................................................................................. 6
Networking ........................................................................................ 7
Filtering .............................................................................................. 7
Routing............................................................................................... 7
Interfaces ........................................................................................... 7
Firewall............................................................................................... 8
Outgoing ............................................................................................ 8
Settings .............................................................................................. 8
Services.............................................................................................. 9
Authentication ................................................................................... 9
User Portal......................................................................................... 9
Proxies .............................................................................................. 9
SNMP................................................................................................ 11
DNS................................................................................................... 11
Message Censor ............................................................................. 11
Intrusion System ............................................................................. 11
DHCP................................................................................................ 12
System ............................................................................................. 13
Maintenance .................................................................................... 13
Central Management ...................................................................... 13
Preferences ..................................................................................... 13
Administration ................................................................................. 14
Hardware ......................................................................................... 14
Diagnostics ...................................................................................... 14
Certificates ...................................................................................... 14
VPN................................................................................................... 15
Configuration Guidelines................................................................ 15
Specifying Networks, Hosts and Ports ......................................... 15
Using Comments............................................................................. 16


Creating, Editing and Removing Rules ......................................... 16


Connecting via the Console ........................................................... 17
Connecting Using a Client ............................................................. 17
Secure Communication .................................................................. 18
Unknown Entity Warning ................................................................ 18
Inconsistent Site Address .............................................................. 18

Chapter 3

Working with Interfaces .............................. 19


Configuring Global Settings for Interfaces ................................... 19
Connecting Using an Internet Connectivity Profile ..................... 20
Connecting Using a Static Ethernet Connectivity Profile ........... 20
Connecting using a DHCP Ethernet Connectivity Profile ........... 22
Connecting using a PPP over Ethernet Connectivity Profile ...... 23
Connecting using a PPTP over Ethernet Connectivity Profile .... 25
Connecting using an ADSL/DSL Modem Connectivity Profile ... 27
Connecting using an ISDN Modem Connectivity Profile............. 28
Connecting Using a Dial-up Modem Connectivity Profile........... 30
Creating a PPP Profile .................................................................... 31
Modifying Profiles ........................................................................... 33
Deleting Profiles .............................................................................. 33
Working with Bridges ..................................................................... 33
Creating Bridges ............................................................................. 33
Editing Bridges ................................................................................ 34
Deleting Bridges.............................................................................. 34
Working with Bonded Interfaces ................................................... 34
Creating Bonds ............................................................................... 34
Editing Bonds .................................................................................. 35
Deleting Bonds ................................................................................ 35
Configuring IP Addresses .............................................................. 35
Adding an IP Address ..................................................................... 35
Editing an IP Address ..................................................................... 35
Deleting an IP Address ................................................................... 36
Virtual LANs ..................................................................................... 36
Creating a VLAN.............................................................................. 36
Editing a VLAN................................................................................. 37
Deleting a VLAN .............................................................................. 37

Chapter 4

Managing Your Network Infrastructure..... 39


Creating Subnets ............................................................................ 39
Editing and Removing Subnet Rules............................................. 40
Using RIP ......................................................................................... 40
Sources ............................................................................................ 42
Creating Source Rules.................................................................... 42
Removing a Rule ............................................................................. 43
Editing a Rule .................................................................................. 43
About IP Address Definitions ......................................................... 43
Ports ................................................................................................. 43
Creating a Ports Rule ..................................................................... 44
Creating an External Alias Rule ..................................................... 45
Editing and Removing External Alias Rules ................................. 45
Port Forwards from External Aliases ............................................ 46


Creating a Source Mapping Rule .................................................. 46


Editing and Removing Source Mapping Rules............................. 47
Managing Internal Aliases.............................................................. 47
Creating an Internal Alias Rule ...................................................... 47
Editing and Removing Internal Alias Rules................................... 48
Working with Secondary External Interfaces ............................... 48
Configuring a Secondary External Interface ................................ 48

Chapter 5

General Network Security Settings ............ 51


Blocking by IP.................................................................................. 51
Creating IP Blocking Rules ............................................................ 51
Editing and Removing IP Block Rules........................................... 52
Configuring Advanced Networking Features ............................... 52
Working with Port Groups.............................................................. 55
Creating a Port Group .................................................................... 56
Adding Ports to Existing Port Groups ........................................... 56
Editing Port Groups ........................................................................ 57
Deleting a Port Group ..................................................................... 57

Chapter 6

Configuring Inter-Zone Security................. 59


About Zone Bridging Rules ............................................................ 59
Creating a Zone Bridging Rule ...................................................... 59
Editing and Removing Zone Bridge Rules.................................... 61
A Zone Bridging Tutorial ................................................................ 61
Creating the Zone Bridging Rule ................................................... 61
Allowing Access to the Web Server .............................................. 62
Accessing a Database on the Protected Network....................... 62
Group Bridging ................................................................................ 63
Group Bridging and Authentication............................................... 63
Creating Group Bridging Rules...................................................... 63
Editing and Removing Group Bridges........................................... 65

Chapter 7

Managing Inbound and Outbound Traffic.. 67


Introduction to Port Forwards - Inbound Security ..................... 67
Port Forward Rules Criteria ........................................................... 67
Creating Port Forward Rules ......................................................... 68
Load Balancing Port Forwarded Traffic........................................ 69
Editing and Removing Port Forward Rules .................................. 69
Advanced Network and Firewall Settings..................................... 69
Network Application Helpers ......................................................... 70
Managing Bad External Traffic ...................................................... 71
Configuring Reflective Port Forwards .......................................... 71
Managing Connectivity Failback ................................................... 71
Managing Outbound Traffic and Services .................................... 72
Working with Port Rules................................................................. 72
Working with Outbound Access Policies...................................... 76
Managing External Services .......................................................... 78

Chapter 8

Advanced Firewall Services ........................ 81


Working with Portals ...................................................................... 81
Creating a Portal ............................................................................. 81

Configuring a Portal........................................................................ 83
Accessing Portals ........................................................................... 86
Editing Portals ................................................................................. 86
Deleting Portals............................................................................... 86
Managing the Web Proxy Service.................................................. 87
Configuring and Enabling the Web Proxy Service ....................... 88
About Web Proxy Methods ............................................................ 91
Configuring End-user Browsers .................................................... 92
Instant Messenger Proxying .......................................................... 93
Monitoring SSL-encrypted Chats .................................................. 96
SIP Proxying .................................................................................... 96
Types of SIP Proxy .......................................................................... 96
Choosing the Type of SIP Proxying............................................... 97
Configuring SIP ............................................................................... 97
FTP Proxying ................................................................................... 99
Configuring non-Transparent FTP Proxying ................................ 99
Configuring Transparent FTP Proxying ...................................... 100
Reverse Proxy Service.................................................................. 102
Configuring the Reverse Proxy Service ...................................... 103
SNMP.............................................................................................. 104
DNS................................................................................................. 105
Adding Static DNS Hosts ............................................................. 105
Enabling the DNS Proxy Service.................................................. 106
Managing Dynamic DNS............................................................... 107
Censoring Message Content ....................................................... 109
Configuration Overview................................................................ 109
Managing Custom Categories ..................................................... 109
Setting Time Periods .................................................................... 110
Creating Filters.............................................................................. 111
Creating and Applying Message Censor Policies...................... 113
Editing Policies............................................................................. 114
Deleting Policies ........................................................................... 114
Managing the Intrusion System................................................... 114
About the Default Policies............................................................ 114
Deploying Intrusion Detection Policies....................................... 114
Deploying Intrusion Prevention Policies ..................................... 115
Creating Custom Policies............................................................. 117
Uploading Custom Signatures..................................................... 118
DHCP.............................................................................................. 119
Enabling DHCP.............................................................................. 120
Creating a DHCP Subnet.............................................................. 120
Editing a DHCP subnet ................................................................. 123
Deleting a DHCP subnet............................................................... 123
Adding a Dynamic Range ............................................................. 123
Adding a Static Assignment......................................................... 123
Adding a Static Assignment from the ARP Table ...................... 124
Editing and Removing Assignments ........................................... 124
Viewing DHCP Leases .................................................................. 124
DHCP Relaying .............................................................................. 125
Creating Custom DHCP Options ................................................. 125


Chapter 9

Virtual Private Networking ........................ 127


Advanced Firewall VPN Features ................................................ 127
What is a VPN? .............................................................................. 127
About VPN Gateways.................................................................... 128
Administrator Responsibilities..................................................... 128
About VPN Authentication............................................................ 128
PSK Authentication....................................................................... 129
X509 Authentication...................................................................... 129
Configuration Overview................................................................ 130
Working with Certificate Authorities and Certificates............... 131
Creating a CA ................................................................................ 131
Exporting the CA Certificate ........................................................ 132
Importing Another CA's Certificate ............................................. 133
Deleting the Local Certificate Authority and its Certificate ...... 133
Deleting an Imported CA Certificate ........................................... 134
Managing Certificates .................................................................. 134
Creating a Certificate ................................................................... 134
Reviewing a Certificate ................................................................ 135
Exporting Certificates................................................................... 135
Exporting in the PKCS#12 Format............................................... 136
Importing a Certificate.................................................................. 136
Deleting a Certificate .................................................................... 137
Setting the Default Local Certificate ........................................... 137
Site-to-Site VPNs - IPSec............................................................ 138
Recommended Settings ............................................................... 138
Creating an IPsec Tunnel ............................................................. 139
IPSec Site to Site and X509 Authentication - Example ............ 144
Prerequisite Overview .................................................................. 144
Creating the Tunnel on the Primary System............................... 144
Creating the Tunnel on the Secondary System.......................... 145
Checking the System is Active .................................................... 147
Activating the IPSec tunnel .......................................................... 147
IPSec Site to Site and PSK Authentication................................. 147
Creating the Tunnel Specification on Primary System.............. 147
Creating the Tunnel Specification on the Secondary System .. 148
Checking the System is Active .................................................... 149
Activating the PSK tunnel............................................................. 149
About Road Warrior VPNs............................................................ 150
Configuration Overview................................................................ 150
IPSec Road Warriors .................................................................... 151
Creating an IPSec Road Warrior ................................................. 151
Supported IPSec Clients .............................................................. 154
Creating L2TP Road Warrior Connections ................................. 154
Creating a Certificate ................................................................... 154
Configuring L2TP and SSL VPN Global Settings........................ 154
Creating an L2TP Tunnel .............................................................. 155
Configuring an iPhone-compatible Tunnel................................. 156
Using NAT-Traversal..................................................................... 157
VPNing Using L2TP Clients .......................................................... 157
L2TP Client Prerequisites............................................................. 157


Connecting Using Windows XP/2000.......................................... 157


Installing an L2TP Client............................................................... 158
VPNing with SSL............................................................................ 162
Prerequisites ................................................................................. 162
Configuring VPN with SSL............................................................ 162
Managing SSL Road Warriors...................................................... 163
Managing Group Access to SSL VPNs ....................................... 163
Managing Custom Client Scripts for SSL VPNs......................... 164
Generating SSL VPN Archives ..................................................... 165
Configuring SSL VPN on Internal Networks ............................... 165
Configuring and Connecting Clients ........................................... 166
VPN Zone Bridging........................................................................ 169
Secure Internal Networking ......................................................... 169
Creating an Internal L2TP VPN .................................................... 169
Advanced VPN Configuration ...................................................... 171
Multiple Local Certificates ........................................................... 171
Creating Multiple Local Certificates............................................ 171
Public Key Authentication ............................................................ 172
Configuring Both Ends of a Tunnel as CAs ................................ 173
VPNs between Business Partners ............................................... 173
Extended Site to Site Routing ...................................................... 174
Managing VPN Systems ............................................................... 175
Automatically Starting the VPN System...................................... 176
Manually Controlling the VPN System ........................................ 176
Viewing and Controlling Tunnels................................................. 177
VPN Logging .................................................................................. 178
VPN Tutorials................................................................................. 178
Example 1: Preshared Key Authentication ................................. 178
Example 2: X509 Authentication .................................................. 180
Example 3: Two Tunnels and Certificate Authentication .......... 182
Example 4: IPSec Road Warrior Connection.............................. 183
Example 5: L2TP Road Warrior.................................................... 186
Working with SafeNet SoftRemote ............................................. 187
Configuring IPSec Road Warriors ............................................... 187
Using the Security Policy Template SoftRemote ....................... 188
Creating a Connection without the Policy File........................... 189
Advanced Configuration............................................................... 191

Chapter 10

Authentication and User Management .... 193


Configuring Global Authentication Settings ............................... 193
About Directory Servers ............................................................... 194
Configuring Directories ................................................................ 195
Configuring a Microsoft Active Directory Connection .............. 195
Configuring an LDAP Connection ............................................... 196
Configuring a RADIUS Connection ............................................. 199
Configuring an Active Directory Connection - Legacy Method 200
Configuring a Local Users Directory........................................... 203
Reordering Directory Servers ...................................................... 203
Editing a Directory Server ............................................................ 204
Deleting a Directory Server .......................................................... 204
Diagnosing Directories ................................................................. 204


Managing Local Users.................................................................. 204


Adding Users ................................................................................. 204
Editing Local Users....................................................................... 205
Deleting Users ............................................................................... 205
Mapping Groups............................................................................ 205
Remapping Groups ....................................................................... 206
Deleting Group Mappings ............................................................ 206
Managing Temporarily Banned Users......................................... 206
Creating a Temporary Ban ........................................................... 206
Removing Temporary Bans.......................................................... 207
Removing Expired Bans ............................................................... 207
Managing User Activity ................................................................ 208
Viewing User Activity .................................................................... 208
Logging Users Out ........................................................................ 208
Banning Users ............................................................................... 208
About SSL Authentication ............................................................ 209
Customizing the SSL Login Page ................................................ 209
Reviewing SSL Login Pages ........................................................ 210
Configuring SSL Login.................................................................. 211
Creating SSL Login Exceptions ................................................... 211
Managing Kerberos Keytabs ....................................................... 212
Adding Keytabs ............................................................................. 212
Managing Keytabs ........................................................................ 213
Using WPA Enterprise .................................................................. 213
Pre-requisites ................................................................................ 214
Configuring Access Points........................................................... 214
Configuring WPA Enterprise ........................................................ 215
Provisioning the Advanced Firewall Certificate ......................... 215
Managing Groups of Users .......................................................... 216
About Groups ................................................................................ 216
Adding Groups .............................................................................. 216
Editing Groups............................................................................... 217
Deleting Groups ............................................................................ 217

Chapter 11

Reporting .................................................... 219


About the Summary Page ............................................................ 219
Accessing Reporting .................................................................... 219
Generating Reports....................................................................... 220
Canceling a Report ....................................................................... 220
Saving Reports .............................................................................. 220
About Recent and Saved Reports ............................................... 220
Changing Report Formats............................................................ 220
Managing Reports and Folders ................................................... 221
Report Permissions ...................................................................... 222
Making Reports Available on Portals.......................................... 222
Scheduling Reports ...................................................................... 223
Managing Log Retention .............................................................. 224

Chapter 12 Information, Alerts and Logging ............................ 227

About the Dashboard.................................................................... 227
About the About Page .................................................................. 227
Alerts .............................................................................. 227
Overview ........................................................................................ 227
Available Alerts.............................................................................. 228
Enabling Alerts .............................................................................. 229
Looking up an Alert by Its Reference.......................................... 230
Configuring Alert Settings............................................................ 230
Realtime ......................................................................................... 233
Realtime System Information ...................................................... 233
Realtime Firewall Information...................................................... 234
Realtime IPsec Information.......................................................... 235
Realtime Portal Information ......................................................... 236
Realtime Instant Messaging ........................................................ 237
Realtime Traffic Graphs ............................................................... 237
Logs................................................................................................ 238
System Logs .................................................................................. 239
Firewall Logs ................................................................................. 241
IPSec Logs..................................................................................... 243
Email Logs ..................................................................................... 245
IDS Logs......................................................................................... 246
IPS Logs ......................................................................................... 247
IM Proxy Logs................................................................................ 248
Web Proxy Logs ............................................................................ 249
Reverse Proxy Logs ...................................................................... 249
User Portal Logs ........................................................................... 251
Configuring Log Settings ............................................................. 251
Configuring Other Log Settings................................................... 252
Managing Automatic Deletion of Logs ....................................... 253
Configuring Groups ...................................................................... 254
Creating Groups............................................................................ 254
Editing a Group ............................................................................. 255
Deleting a Group ........................................................................... 255
Configuring Output Settings ........................................................ 255
About Email to SMS Output ......................................................... 256
About Placeholder Tags ............................................................... 256
Configuring Email to SMS Output ............................................... 257
Testing Email to SMS Output....................................................... 257
Output to Email ............................................................................. 257
Generating a Test Alert................................................................. 258

Chapter 13 Managing Your Advanced Firewall ............................ 259

Installing Updates ......................................................................... 259
Installing Updates ......................................................................... 259
Installing Updates on a Failover System..................................... 260
Managing Modules ....................................................................... 261
Removing a Module ...................................................................... 261
Licenses ......................................................................................... 262
Installing Licenses ........................................................................ 262
Archives ......................................................................................... 262
About Archive Profiles .................................................................. 263
Creating an Archive ...................................................................... 263
Downloading an Archive .............................................................. 263

Restoring an Archive .................................................................... 264
Deleting Archives .......................................................................... 264
Uploading an Archive.................................................................... 264
Scheduling ..................................................................................... 264
Scheduling Remote Archiving ..................................................... 266
Editing Schedules ......................................................................... 267
Shutting down and Rebooting ..................................................... 267
Setting System Preferences ........................................................ 268
Configuring the User Interface .................................................... 268
Setting Time................................................................................... 269
Configuring Registration Options................................................ 270
Configuring the Hostname ........................................................... 271
Configuring Administration and Access Settings ...................... 272
Configuring Admin Access Options ............................................ 272
Referral Checking ......................................................................... 272
Configuring External Access ....................................................... 273
Editing and Removing External Access Rules ........................... 274
Administrative User Settings ....................................................... 274
Managing Tenants ........................................................................ 275
Adding a Tenant ............................................................................ 275
Editing a Tenant ............................................................................ 276
Deleting a Tenant .......................................................................... 276
Hardware ....................................................................................... 276
Managing UPS Devices ................................................................ 277
Managing Hardware Failover....................................................... 279
How does it work? ........................................................................ 279
Prerequisites ................................................................................. 280
Configuring Hardware Failover.................................................... 280
Administering Failover.................................................................. 283
Testing Failover............................................................................. 284
Configuring Modems .................................................................... 284
Installing and Uploading Firmware.............................................. 286
Diagnostics .................................................................................... 286
Configuration Tests ...................................................................... 286
Generating Diagnostics ................................................................ 287
IP Tools .......................................................................................... 288
Whois.............................................................................................. 288
Analyzing Network Traffic ............................................................ 289
Managing CA Certificates ............................................................ 290
Reviewing CA Certificates ........................................................... 290
Importing CA Certificates............................................................. 290
Exporting CA Certificates............................................................. 290
Deleting and Restoring Certificates ............................................ 290

Chapter 14 Centrally Managing Smoothwall Systems ...................... 291

About Centrally Managing Smoothwall Systems....................... 291
Pre-requirements .......................................................................... 291
Setting up a Centrally Managed Smoothwall System ............... 292
Configuring the Parent Node ....................................................... 292
Configuring Child Nodes .............................................................. 293
Adding Child Nodes to the System ............................................. 294
Editing Child Node Settings ......................................................... 296
Deleting Nodes in the System...................................................... 297
Managing Nodes in a Smoothwall System ................................. 297
Monitoring Node Status ............................................................... 297
Accessing the Node Details Page ............................................... 298
Working with Updates .................................................................. 298
Rebooting Nodes .......................................................................... 299
Disabling Nodes ............................................................................ 299

Appendix A Authentication ............................................. 301

Overview ........................................................................................ 301
Verifying User Identity Credentials.............................................. 301
About Authentication Mechanisms ............................................. 301
Other Authentication Mechanisms.............................................. 302
Choosing an Authentication Mechanism.................................... 302
About the Login Time-out ............................................................ 302
Advanced Firewall and DNS......................................................... 302
A Common DNS Pitfall.................................................................. 302
Working with Large Directories................................................... 303
Active Directory............................................................................. 303
Active Directory Username Types............................................... 303
Accounts and NTLM Identification.............................................. 304
About Kerberos ............................................................................. 304
Kerberos Pre-requisites and Limitations.................................... 304
Troubleshooting ............................................................................ 304
Connecting a Windows 7 System to a WPA-Enterprise/802.1X Wireless Network .......... 305
Windows 7 802.1X Profile Migration............................................ 306

Appendix B Understanding Templates and Reports ......................... 307

Programmable Drill-Down Looping Engine................................ 307
Example Report Template............................................................ 308
Example Report............................................................................. 308
Report Templates, Creation and Editing .................................... 308
Viewing Reports, Exporting and Drill Down Reporting ............. 308
Changing Report Formats............................................................ 309
Changing Report Date Ranges .................................................... 309
Navigating HTML Reports ............................................................ 310
Interpreted Results ....................................................................... 310
Saving Reports .............................................................................. 311
Changing the Report..................................................................... 311
Investigating Further (Drill down) ................................................ 312
Creating Template Reports and Customizing Sections ............ 313
Ordering Sections ......................................................................... 313
Grouped Sections ......................................................................... 314
Understanding Groups and Grouped Options ........................... 314
Feed-Forward Reporting .............................................................. 315
Iterative Reporting ........................................................................ 315
Group Ordering ............................................................................. 315
Grouping Sections ........................................................................ 316
Creating Feed-forward and Iterative Groups ............................. 316
Exporting Options ......................................................................... 317

Reporting Folders ......................................................................... 318
Creating a Folder .......................................................................... 320
Renaming Folders ......................................................................... 320
Deleting Folders ............................................................................ 320
Scheduling Reports ...................................................................... 320
Portal Permissions........................................................................ 321
Reporting Sections ....................................................................... 321
Generators and Linkers ................................................................ 321
General Sections ........................................................................... 322
Network Interfaces ....................................................................... 322
The Anatomy of a URL.................................................................. 323
HTTP Request Methods and HTTPS Interception ..................... 324
Guardian Status Filtering.............................................................. 324
Search Terms and Search Phrases ............................................. 325
Filtering by Search Terms ............................................................ 326
URL Extraction and Manipulation................................................ 326
Origin Filtering............................................................................... 328

Appendix C Troubleshooting VPNs ...................................... 331

Site-to-site Problems.................................................................... 331
L2TP Road Warrior Problems ...................................................... 332
Enabling L2TP Debugging............................................................ 332
Windows Networking Issues........................................................ 332

Appendix D Hosting Tutorials ......................................... 335

Basic Hosting Arrangement......................................................... 335
Extended Hosting Arrangement .................................................. 336
More Advanced Hosting Arrangement ....................................... 337

Glossary ..................................................................... 341
Index ........................................................................ 349

Chapter 1

Introduction
In this chapter:
An overview of Advanced Firewall
Who should read this guide
User information.

Overview of Advanced Firewall


Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/LDAP user authentication for policy-based access control to local network zones and Internet services.
Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway.
Advanced Firewall provides:
Perimeter firewall: multiple Internet connections with load sharing and automatic connection failover.
User authentication: policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers.
Load balancer: the ideal solution for the efficient and resilient use of multiple Internet connections.
Internal firewall: segregation of networks into physically separate zones with user-level access control of inter-zone traffic.
Email security: anti-spam, anti-malware, mail relay and control.
VPN gateway: site-to-site, secure remote access and secure wireless connections.

Who should read this guide?


System administrators maintaining and deploying Advanced Firewall should read this guide.
Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall
training. For information on our current training courses, contact your Smoothwall representative.

Other User Information


Apart from this guide, you can also find information at:
http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals.

Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

Chapter 2

Advanced Firewall Overview
In this chapter:
How to access Advanced Firewall
An overview of the pages used to configure and manage Advanced Firewall.

Accessing Advanced Firewall


To access Advanced Firewall:
1. In a web browser, enter the address of your Advanced Firewall, for example:
https://192.168.72.141:441

Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security.
Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide.
2. Accept Advanced Firewall's certificate. The login screen is displayed.
3. Enter the following information:
Username: Enter admin. This is the default Advanced Firewall administrator account.
Password: Enter the password you specified for the admin account when installing Advanced Firewall.
4. Click Login. The Dashboard opens.

The following sections give an overview of Advanced Firewall's default sections and pages.

Dashboard
The dashboard is the default home page of your Advanced Firewall system. It displays service information and customizable summary reports.

Logs and reports


The Logs and reports section contains the following sub-sections and pages:

Reports
Summary: Displays a number of generated reports. For more information, see Chapter 11, About the Summary Page on page 219.
Reports: Where you generate and organize reports. For more information, see Chapter 11, Generating Reports on page 220.
Recent and saved: Lists recently-generated and previously saved reports. For more information, see Chapter 11, Saving Reports on page 220.
Scheduled: Sets which reports are automatically generated and delivered. For more information, see Chapter 11, Scheduling Reports on page 223.
Custom: Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 307.

Alerts
Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 12, Alerts on page 227.
Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 12, Configuring Alert Settings on page 230.

Realtime
System: A realtime view of the system log with some filtering options. For more information, see Chapter 12, Realtime System Information on page 233.
Firewall: A realtime view of the firewall log with some filtering options. For more information, see Chapter 12, Realtime Firewall Information on page 234.
IPSec: A realtime view of the IPSec log with some filtering options. For more information, see Chapter 12, Realtime IPsec Information on page 235.
Email: Displays the email log viewer running in realtime mode. For more information, see Chapter 12, Email Logs on page 245.
Portal: A realtime view of activity on user portals. For more information, see Chapter 12, Realtime Portal Information on page 236.
IM proxy: A realtime view of recent instant messaging conversations. For more information, see Chapter 12, Realtime Instant Messaging on page 237.
Traffic graphs: Displays a realtime bar graph of the bandwidth being used. For more information, see Chapter 12, Realtime Traffic Graphs on page 237.

Logs
System: Simple logging information for the internal system services. For more information, see Chapter 12, System Logs on page 239.
Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 12, Firewall Logs on page 241.
IPSec: Displays diagnostic information for VPN tunnels. For more information, see Chapter 12, IPSec Logs on page 243.
Email: Displays sender, recipient, subject and other email message information. For more information, see Chapter 12, Email Logs on page 245.
IDS: Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 12, IDS Logs on page 246.
IPS: Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 12, IPS Logs on page 247.
IM proxy: Displays information on instant messaging conversations. For more information, see Chapter 12, IM Proxy Logs on page 248.
Web proxy: Displays detailed analysis of web proxy usage. For more information, see Chapter 12, Web Proxy Logs on page 249.
Reverse proxy: Displays information on reverse proxy usage. For more information, see Chapter 12, Reverse Proxy Logs on page 249.
Log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, see Chapter 12, Configuring Log Settings on page 251.

Settings
Datastore settings: Contains settings to manage the storing of log files. For more information, see Chapter 11, Managing Log Retention on page 224.
Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 12, Configuring Groups on page 254.
Output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 12, Configuring Output Settings on page 255.

Networking
The Networking section contains the following sub-sections and pages:

Filtering
Zone bridging: Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 59.
Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 63.
IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 51.

Routing
Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 39.
RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 40.
Sources: Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 42.
Ports: Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 43.

Interfaces
Interfaces: Configure and display information on your Advanced Firewall's internal interfaces. For more information, see Chapter 3, Configuring Global Settings for Interfaces on page 19.
Internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 47.
External aliases: Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 45.
Connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.
PPP: Used to create Point-to-Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 31.
Secondaries: Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 48.

Firewall
Port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards Inbound Security on page 67.
Source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 46.
Advanced: Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 70.

Outgoing
Policies: Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Working with Outbound Access Policies on page 76.
Ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
External services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 78.

Settings
Port groups: Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Chapter 5, Working with Port Groups on page 55.
Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 52.

Services
The Services section contains the following sub-sections and pages:

Authentication
Settings: Used to set global login time settings. For more information, see Chapter 10, Configuring Global Authentication Settings on page 193.
Directories: Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see Chapter 10, About Directory Servers on page 194.
Groups: Used to customize group names. For more information, see Chapter 10, Managing Groups of Users on page 216.
Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Chapter 10, Managing Temporarily Banned Users on page 206.
User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 10, Managing User Activity on page 208.
SSL login: Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, see Chapter 10, About SSL Authentication on page 209.
Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Chapter 10, Managing Kerberos Keytabs on page 212.
WPA Enterprise: Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, see Chapter 10, Using WPA Enterprise on page 213.

User Portal
Portals: This page enables you to configure and manage user portals. For more information, see Chapter 8, Working with Portals on page 81.
Groups: This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 85.
User exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 85.

Proxies
Web proxy: Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Managing the Web Proxy Service on page 87.
Instant messenger: Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 93.
SIP: Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 96.
FTP: Used to configure and enable a proxy to manage FTP traffic. For more information, see Chapter 8, FTP Proxying on page 99.
Reverse proxy: The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Chapter 8, Reverse Proxy Service on page 102.

Smoothwall Advanced Firewall


Administrators Guide

SNMP

SNMP: Used to activate Advanced Firewall's Simple Network Management Protocol (SNMP) agent. For more information, see Chapter 8, SNMP on page 104.

DNS

Static DNS: Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 105.

DNS proxy: Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 106.

Dynamic DNS: Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 107.

Message Censor

Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Message Censor Policies on page 113.

Filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 111.

Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 110.

Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 109.

Intrusion System

Signatures: Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Chapter 8, Uploading Custom Signatures on page 118.

Policies: Enables you to configure Advanced Firewall's intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Chapter 8, Creating Custom Policies on page 117.

IDS: Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Chapter 8, Deploying Intrusion Detection Policies on page 114.

IPS: Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Chapter 8, Deploying Intrusion Prevention Policies on page 115.


DHCP

Global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 120.

DHCP server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Chapter 8, Creating a DHCP Subnet on page 120.

DHCP leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 124.

DHCP relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see Chapter 8, DHCP Relaying on page 125.

Custom options: Used to create and edit custom DHCP options. For more information, see Chapter 8, Creating Custom DHCP Options on page 125.


System
The System section contains the following sub-sections and pages:

Maintenance

Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 13, Installing Updates on page 259.

Modules: Used to upload, view, check, install and remove Advanced Firewall modules. For more information, see Chapter 13, Managing Modules on page 261.

Licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 13, Licenses on page 262.

Archives: Used to create and restore archives of system configuration information. For more information, see Chapter 13, Archives on page 262.

Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 13, Scheduling on page 264.

Shutdown: Used to shut down or reboot the system. For more information, see Chapter 13, Shutting down and Rebooting on page 267.

Central Management

Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Chapter 14, Managing Nodes in a Smoothwall System on page 297.

Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Chapter 14, Configuring Child Nodes on page 293.

Local node settings: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Chapter 14, Setting up a Centrally Managed Smoothwall System on page 292.

Preferences

User interface: Used to manage Advanced Firewall's dashboard settings. For more information, see Chapter 13, Configuring the User Interface on page 268.

Time: Used to manage Advanced Firewall's time zone, date and time settings. For more information, see Chapter 13, Setting Time on page 269.

Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Chapter 13, Configuring Registration Options on page 270.

Hostname: Used to configure Advanced Firewall's hostname. For more information, see Chapter 13, Configuring the Hostname on page 271.


Administration

Admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Chapter 13, Configuring Admin Access Options on page 272.

External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Chapter 13, Configuring External Access on page 273.

Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 13, Administrative User Settings on page 274.

Hardware

UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 13, Managing UPS Devices on page 277.

Failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Chapter 13, Managing Hardware Failover on page 279.

Modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 13, Configuring Modems on page 284.

Firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 13, Installing and Uploading Firmware on page 286.

Diagnostics

Configuration tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Chapter 13, Diagnostics on page 286.

Diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 13, Generating Diagnostics on page 287.

IP tools: Contains the ping and trace route IP tools. For more information, see Chapter 13, IP Tools on page 288.

Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 13, Whois on page 288.

Traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 13, Analyzing Network Traffic on page 289.

Certificates

Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Chapter 13, Managing CA Certificates on page 290.


VPN
The VPN section contains the following pages:

Control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 175.

Certificate authorities: Used to create a local certificate authority (CA) for use in an X509 certificate-authenticated VPN setup. It is also possible to import and export CA certificates on this page. For more information, see Chapter 9, Working with Certificate Authorities and Certificates on page 131.

Certificates: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 134.

Global: Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 137.

IPSec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs IPSec on page 138.

IPSec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see Chapter 9, IPSec Road Warriors on page 151.

L2TP roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 154.

SSL roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, see Chapter 9, Managing Custom Client Scripts for SSL VPNs on page 164.

Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required
configuration settings.

Specifying Networks, Hosts and Ports


IP Address
An IP address defines the network location of a single network host. The following format is used:
192.168.10.1

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges
can span subnets. For example:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255


Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The
format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address.
Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0

Service and Ports


A Service or Port identifies a particular communication port in numeric format. For ease of use, a
number of well known services and ports are provided in Service drop-down lists. To use a custom
port number, choose the User defined option from the drop-down list and enter the numeric port
number into the adjacent User defined field. Examples:
21
7070

Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential
range of communication ports from low to high. The following format is used:
137:139
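The value formats above, checked in code: this is an added example, not part of Advanced Firewall or this guide. It validates each format this section describes (single IP, low-high IP range that may span subnets, subnet in either mask spelling, bare netmask, port, and low:high port range), rejects reversed ranges and non-contiguous netmasks, and normalises a subnet to prefix form.

```python
import ipaddress
import re

# Added example, not part of Advanced Firewall: parsers for the value formats
# this section describes. Each parser raises ValueError on input that does not
# fit the format, so a caller can reject a field before it reaches a rule.

PORT_RANGE_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def parse_ip(text):
    """Single IPv4 host, e.g. 192.168.10.1."""
    return ipaddress.IPv4Address(text.strip())


def parse_ip_range(text):
    """Range low-high, e.g. 192.168.10.1-192.168.12.255. A range may span
    subnets; the only constraint is that it runs from low to high."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        raise ValueError("range must be written low-high: %r" % text)
    low, high = parse_ip(low_s), parse_ip(high_s)
    if low > high:
        raise ValueError("range does not run low to high: %r" % text)
    return low, high


def range_size(text):
    """Number of addresses covered by an IP address range."""
    low, high = parse_ip_range(text)
    return int(high) - int(low) + 1


def parse_netmask(text):
    """Dotted netmask such as 255.255.248.0 -> prefix length (21). The mask
    must be a run of one bits followed by zero bits."""
    mask = int(ipaddress.IPv4Address(text.strip()))
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("netmask bits are not contiguous: %r" % text)
    return ones


def parse_subnet(text):
    """Subnet in either spelling: 192.168.10.0/255.255.255.0 or
    192.168.10.0/24. The address part may be any address inside the network
    (the guide calls it arbitrary); host bits are masked off."""
    addr_s, sep, mask_s = text.partition("/")
    if not sep:
        raise ValueError("subnet must be written address/mask: %r" % text)
    prefix = parse_netmask(mask_s) if "." in mask_s else int(mask_s)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length out of range: %r" % text)
    return ipaddress.IPv4Network((parse_ip(addr_s), prefix), strict=False)


def parse_port(text):
    """Single numeric port, e.g. 21 or 7070."""
    port = int(text.strip())
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % text)
    return port


def parse_port_range(text):
    """Port range low:high, e.g. 137:139 -> (137, 139)."""
    m = PORT_RANGE_RE.match(text.strip())
    if not m:
        raise ValueError("port range must be written low:high: %r" % text)
    low, high = parse_port(m.group(1)), parse_port(m.group(2))
    if low > high:
        raise ValueError("port range does not run low to high: %r" % text)
    return low, high


# Order matters: a netmask is also a syntactically valid IP address, so the
# stricter netmask check runs before the plain IP check; ports come last.
_PARSERS = (
    ("subnet", parse_subnet),
    ("ip_range", parse_ip_range),
    ("port_range", parse_port_range),
    ("netmask", parse_netmask),
    ("ip", parse_ip),
    ("port", parse_port),
)


def classify(text):
    """Return (kind, parsed value) for any of the formats above."""
    for kind, parser in _PARSERS:
        try:
            return kind, parser(text)
        except ValueError:
            continue
    raise ValueError("unrecognised value: %r" % text)


if __name__ == "__main__":
    for value in ("192.168.10.1", "192.168.10.1-192.168.12.255",
                  "192.168.10.0/255.255.255.0", "255.255.248.0", "137:139"):
        print(value, "->", classify(value))
```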

Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment.
This feature is provided so that administrators can record human-friendly notes against configuration
settings they implement.
Comments are entered in the Comment fields and displayed alongside saved configuration
information.

Creating, Editing and Removing Rules


Much of Advanced Firewall is configured by creating rules, for example, IP block rules and
administration access rules.

Creating a Rule
To create a rule:
1. Enter configuration details in the Add a new rule area.
2. Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule
To edit a rule:
1. Find the rule in the Current rules area and select its adjacent Mark option.
2. Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
3. Change the configuration values as necessary.
4. Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule
To remove one or more rules:
1. Select the rule(s) to be removed in the Current rules area.
2. Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.

Connecting via the Console

You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.
Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Chapter 13, Configuring Admin Access Options on page 272 for more information.

Connecting Using a Client

When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY.
To connect using an SSH client:
1. Check SSH access is enabled on Advanced Firewall. See Chapter 13, Configuring Admin Access Options on page 272 for more information.
2. Start PuTTY or an equivalent client.
3. Enter the following information:

Host Name (or IP address): Enter Advanced Firewall's host name or IP address.

Port: Enter 222.

Protocol: Select SSH.

4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.

Secure Communication
When you connect your web browser to Advanced Firewall's web-based interface on an HTTPS port for the first time, your browser will display a warning that Advanced Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity, or that you are connecting to a site pretending to be another site.

Unknown Entity Warning

This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Advanced Firewall's certificate is a self-signed certificate.
Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.
To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall.
To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.

Inconsistent Site Address

Your browser will generate a warning if Advanced Firewall's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Advanced Firewall's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.
To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated.
In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.
Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
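The two warnings above, reproduced in code: this is an added example, not code from this guide or the product. It applies the browser's name comparison to a certificate laid out the way Python's ssl.getpeercert() returns one; the certificate and its hostname firewall.example.lan are constructed, and the check goes beyond the single-name case described above by also handling subjectAltName entries, including IP address entries and one-label wildcards.

```python
import ipaddress

# Added example, not Advanced Firewall code: the identity checks a browser
# performs on an HTTPS certificate, applied to a certificate in the dictionary
# layout Python's ssl.getpeercert() returns. The certificate below is
# constructed; the hostname firewall.example.lan is an assumption.

SELF_SIGNED_CERT = {
    "subject": ((("commonName", "firewall.example.lan"),),),
    # self-signed: the issuer is the certificate's own subject
    "issuer": ((("commonName", "firewall.example.lan"),),),
    "subjectAltName": (("DNS", "firewall.example.lan"),),
}


def _dns_name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def cert_names(cert):
    """Identities the certificate asserts: subjectAltName entries when present,
    otherwise the subject commonName treated as a DNS name."""
    sans = tuple(cert.get("subjectAltName", ()))
    if sans:
        return list(sans)
    return [("DNS", value) for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(cert, requested):
    """True when the address typed into the browser matches a certificate name.
    An IP address only matches an 'IP Address' entry, never a DNS name, which
    is why browsing to the appliance by IP address trips the warning."""
    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None
    for kind, value in cert_names(cert):
        if requested_ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == requested_ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, requested):
            return True
    return False


def browser_warnings(cert, requested, trusted_issuers=()):
    """The warnings the text describes, in order: 'unknown entity' when the
    signer is not trusted, 'inconsistent site address' on a name mismatch.
    trusted_issuers holds the issuer tuples the browser has been told to trust;
    importing a self-signed certificate adds its own subject to that list."""
    warnings = []
    if cert.get("issuer") not in trusted_issuers:
        warnings.append("unknown entity")
    if not name_matches(cert, requested):
        warnings.append("inconsistent site address")
    return warnings
```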

Chapter 3

Working with Interfaces


In this chapter:

Configuring global settings for interfaces

Creating an Internet connectivity profile

Working with bridges

Working with bonded interfaces

Managing Advanced Firewalls network interfaces

Changing the IP address.

Configuring Global Settings for Interfaces


Global settings determine Advanced Firewall's default gateway and primary and secondary DNS addresses.
To configure global settings:
1. Browse to the Networking > Interfaces > Interfaces page.

The following global interface settings are available:

Default gateway: This setting determines Advanced Firewall's default gateway. When using a connectivity profile to connect to the Internet, select the Use external connectivity profile option. For more information, see Connecting Using an Internet Connectivity Profile on page 20.

Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. For more information, see Appendix A, Advanced Firewall and DNS on page 302.

Secondary DNS: Enter the IP address of the secondary DNS server, if one is available.

Connecting Using an Internet Connectivity Profile
Advanced Firewall supports the following Internet connection methods:

Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by Advanced Firewall.

Modem: An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall. A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.

Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by Advanced Firewall.

Up to five different connections to the Internet can be defined, each stored in its own connectivity profile. Each profile defines the type of connection that should be used and appropriate settings.
The following sections explain how to connect using different connection methods.

Connecting Using a Static Ethernet Connectivity Profile


The following section explains how to connect to the Internet using a static Ethernet connectivity profile. A static Ethernet connection enables Advanced Firewall to use a static IP address as assigned by your ISP.
To connect using a static Ethernet connectivity profile:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:

Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2. Point to the network interface card (NIC) you want to use and select Edit.

3. In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.

Use as: Select External.

MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

4. On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Select Static Ethernet.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5. Click Update. In the Static Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.

Default gateway: Enter the default gateway IP address as provided by your ISP.

Address: Enter the static IP address provided by your ISP.

Netmask: Enter the subnet mask as provided by your ISP.

Primary DNS: Enter the primary DNS server details as provided by your ISP.

Secondary DNS: Enter the secondary DNS server details as provided by your ISP.

6. Click Save and connect to save the profile and connect to the Internet immediately.
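The failover behaviour described by the Automatic failover to profile, Primary failover ping IP and Secondary failover ping IP settings, modelled as an added example (not Smoothwall code; the profile names and addresses are constructed): a profile fails over only when neither ping IP answers, profiles can be daisy-chained, and the reboot option covers the case where every profile in the chain fails.

```python
# Added example, not Advanced Firewall code: a model of the failover semantics
# described for the Automatic failover to profile, Primary failover ping IP and
# Secondary failover ping IP settings. Profile names and addresses are
# constructed for the demonstration.

REBOOT = "reboot"


class ConnectivityProfile:
    def __init__(self, name, primary_ping_ip, secondary_ping_ip=None,
                 failover_to=None):
        self.name = name
        self.primary_ping_ip = primary_ping_ip
        self.secondary_ping_ip = secondary_ping_ip  # optional second probe
        self.failover_to = failover_to  # name of the next profile, or None


def link_is_up(profile, reachable_ips):
    """The connection counts as working while at least one configured ping IP
    answers; failover happens only when neither can be contacted.
    reachable_ips is the set of addresses that answered a probe."""
    configured = [ip for ip in (profile.primary_ping_ip,
                                profile.secondary_ping_ip) if ip]
    return any(ip in reachable_ips for ip in configured)


def select_profile(profiles, start, reachable_ips, reboot_if_all_fail=False):
    """Walk the daisy chain from `start` and return the name of the first
    profile whose link is up. If every profile in the chain fails, return
    REBOOT when the reboot option is set, otherwise None. A loop in the chain
    (A -> B -> A) is detected and treated as total failure."""
    visited = set()
    current = start
    while current is not None and current not in visited:
        visited.add(current)
        profile = profiles[current]
        if link_is_up(profile, reachable_ips):
            return current
        current = profile.failover_to
    return REBOOT if reboot_if_all_fail else None


# Constructed chain: isp-a fails over to isp-b, which fails over to isp-c.
PROFILES = {
    "isp-a": ConnectivityProfile("isp-a", "198.51.100.1", "198.51.100.2",
                                 failover_to="isp-b"),
    "isp-b": ConnectivityProfile("isp-b", "203.0.113.1", failover_to="isp-c"),
    "isp-c": ConnectivityProfile("isp-c", "192.0.2.1"),
}
```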

Connecting using a DHCP Ethernet Connectivity Profile


The following section explains how to connect to the Internet using a DHCP Ethernet connectivity profile. A DHCP Ethernet connection enables Advanced Firewall to be allocated a dynamic IP address, as assigned by the ISP.
To connect using a DHCP Ethernet connectivity profile:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:

Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2. Point to the network interface card (NIC) you want to use and select Edit.

3. In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.

Use as: Select External.

MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

4. On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Select DHCP Ethernet.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5. Click Update and in the DHCP Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.

DHCP Hostname: Optionally, enter a DHCP hostname, if provided by your ISP.

MAC spoof: Enter a spoofed MAC address, if required.

6. Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPP over Ethernet Connectivity Profile


The following section explains how to connect to the Internet using a PPP over Ethernet connectivity profile.
To connect using a PPP over Ethernet connection:
1. On the Networking > Interfaces > Interfaces page, configure the following setting:

Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. However, if more than one default gateway has been configured, and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.

2. Point to the network interface card (NIC) you want to use and select Edit.

3. In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.

Use as: Select External.

MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

4. On the Networking > Interfaces > Connectivity page, configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Select PPP over Ethernet.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Primary failover ping IP: Enter an IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Secondary failover ping IP: Optionally, enter a secondary IP address known to be contactable if the external connection is operating correctly. If the primary and secondary IP addresses cannot be contacted, the connection will fail over, if another profile has been chosen in the Automatic failover to profile drop-down menu.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Weighting: Select a weight from the drop-down list to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

5. Click Update. In the PPP over Ethernet settings area, configure the following settings:

Service name: If required, enter the service name as specified by your ISP.

Concentrator: If required, enter the concentrator name as specified by your ISP.

Interface: From the drop-down list, select the Ethernet interface for this connection.

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one.

6. Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using a PPTP over Ethernet Connectivity Profile

This section explains how to configure Advanced Firewall to use a PPTP modem for Internet connectivity.
Note: PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically weak. Use this method only where your ISP's access equipment requires it, and do not rely on it to protect the traffic it carries.
To connect using a PPTP over Ethernet connection:
1 On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway: Select Use external connectivity profile.
Note: Advanced Firewall's default gateway should only be configured on one interface. If more than one default gateway has been configured and you do not select this option, you may lose connectivity to Advanced Firewall if your network is not set up correctly.
2 Point to the network interface card (NIC) you want to use and select Edit.
3 In the Edit interface dialog box, configure the following settings:
Name: Accept the default name or enter a custom name.
Use as: Select External.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.
4 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select PPTP over Ethernet.
Auto connect on boot: By default, all connections connect automatically at boot time. Deselect this option to disable that behavior.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified profile. There is also a reboot option, which restarts the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable when the external connection is operating correctly. If neither the primary nor the secondary address can be contacted, the connection fails over to the profile chosen in the Automatic failover to profile drop-down list, if one has been chosen.
Choose an address that is reachable only through this connection, such as the ISP's gateway or DNS server: a host that can also be reached over another route can mask a failed link.
Secondary failover ping IP: Optionally, enter a second IP address known to be contactable when the external connection is operating correctly. It is checked together with the primary address; failover occurs only when both are unreachable.
Load balance outgoing traffic: Select to divide outbound NATed traffic between the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic: Select to divide web proxy traffic between the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting: From the drop-down list, select the weight this external connection carries in the load balancing pool. Traffic is divided between pool members in proportion to their respective weights.
5 Click Update. In the PPTP over Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
Address: Enter the IP address assigned by your ISP.
Netmask: Enter the netmask assigned by your ISP.
Gateway: Enter the gateway assigned by your ISP.
Telephone: Enter the dial telephone number as provided by your ISP.
6 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ADSL/DSL Modem Connectivity Profile

Advanced Firewall can connect to the Internet using an ADSL modem.
Note: To connect using an ADSL modem, the ADSL device must have been configured either during the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide. If your ADSL connection uses PPPoE, see Connecting using a PPP over Ethernet Connectivity Profile on page 23 for more information.
To connect using an ADSL/DSL modem connectivity profile:
1 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ADSL modem.
Auto connect on boot: By default, all connections connect automatically at boot time. Deselect this option to disable that behavior.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified profile. There is also a reboot option, which restarts the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable when the external connection is operating correctly. If neither the primary nor the secondary address can be contacted, the connection fails over to the profile chosen in the Automatic failover to profile drop-down list, if one has been chosen.
Secondary failover ping IP: Optionally, enter a second IP address known to be contactable when the external connection is operating correctly. It is checked together with the primary address; failover occurs only when both are unreachable.
Load balance outgoing traffic: Select to divide outbound NATed traffic between the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic: Select to divide web proxy traffic between the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting: From the drop-down list, select the weight this external connection carries in the load balancing pool. Traffic is divided between pool members in proportion to their respective weights.
2 Click Update. In the ADSL modem settings area, configure the following settings:
Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
3 Click Save and connect to save the profile and connect to the Internet immediately.

Connecting using an ISDN Modem Connectivity Profile

This section explains how to configure Advanced Firewall to connect to the Internet using an ISDN modem. It applies only if an ISDN modem is installed in your Advanced Firewall.
Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.
To connect using an ISDN modem connectivity profile:
1 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select ISDN TA.
Auto connect on boot: By default, all connections connect automatically at boot time. Deselect this option to disable that behavior.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified profile. There is also a reboot option, which restarts the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable when the external connection is operating correctly. If neither the primary nor the secondary address can be contacted, the connection fails over to the profile chosen in the Automatic failover to profile drop-down list, if one has been chosen.
Secondary failover ping IP: Optionally, enter a second IP address known to be contactable when the external connection is operating correctly. It is checked together with the primary address; failover occurs only when both are unreachable.
Load balance outgoing traffic: Select to divide outbound NATed traffic between the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic: Select to divide web proxy traffic between the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting: From the drop-down list, select the weight this external connection carries in the load balancing pool. Traffic is divided between pool members in proportion to their respective weights.
2 Click Update. In the ISDN settings area, configure the following settings:
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
Telephone: Enter the telephone number for the ISDN connection.
Channels: From the drop-down list, select Single channel or Dual channel, depending on whether the connection should use one or both B-channels of the ISDN line.
Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.
Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode and the data rate of the second channel falls below a threshold where it is of no benefit, Advanced Firewall automatically closes it. Forcing the second channel to stay up prevents this.
Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, for which the second channel stays up once opened. This is useful when the second channel's data rate falls below the threshold only for short periods, as it stops the channel being repeatedly closed and reopened.
3 Click Save to save the profile, or Save and connect to save the profile and use it to connect to the Internet immediately.

Connecting Using a Dial-up Modem Connectivity Profile

This section explains how to connect to the Internet using a dial-up modem.
To connect using a dial-up modem connectivity profile:
1 On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Select Modem.
Auto connect on boot: By default, all connections connect automatically at boot time. Deselect this option to disable that behavior.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified profile. There is also a reboot option, which restarts the system if all of the connections fail.
Primary failover ping IP: Enter an IP address known to be contactable when the external connection is operating correctly. If neither the primary nor the secondary address can be contacted, the connection fails over to the profile chosen in the Automatic failover to profile drop-down list, if one has been chosen.
Secondary failover ping IP: Optionally, enter a second IP address known to be contactable when the external connection is operating correctly. It is checked together with the primary address; failover occurs only when both are unreachable.
Load balance outgoing traffic: Select to divide outbound NATed traffic between the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic: Select to divide web proxy traffic between the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting: From the drop-down list, select the weight this external connection carries in the load balancing pool. Traffic is divided between pool members in proportion to their respective weights.
2 Click Update. In the Modem settings area, configure the following settings:
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
Modem profile: From the drop-down list, select the modem profile to use. See Configuring Modems on page 284 for more information on modem profiles.
Telephone: Enter the telephone number for the connection.
3 Click Save and connect to save the profile and use it to connect to the Internet immediately.

Creating a PPP Profile

Up to five PPP profiles can be created to store the username, password and connection-specific details for connections where Advanced Firewall controls the connecting device, including ISDN and Ethernet/modem hybrid devices attached to Advanced Firewall.
A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies authenticated via the same user account.
To create a PPP profile:
1 Navigate to the Networking > Interfaces > PPP page.
2 Configure the following settings:
Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Dial on Demand: Select to ensure that the PPP connection is only established when an outbound request is made. This may help reduce costs if your ISP bills per unit of time.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests. This is normally the desired behavior.
Idle timeout: Enter the number of minutes the connection must remain inactive before Advanced Firewall closes it automatically. Enter 0 to disable this setting.
Persistent connection: Select to ensure that once this PPP connection has been established it remains connected, regardless of the value entered in the Idle timeout field.
Maximum retries: Enter the maximum number of times Advanced Firewall will retry after a failed connection attempt.
Username: Enter your ISP-assigned username.
Password: Enter your ISP-assigned password.
Method: Choose the authentication method specified by your ISP. Where the ISP supports more than one, prefer a challenge-response method such as CHAP over PAP, which sends the password in clear text on the link.
Script name: Enter the name of a logon script, if your ISP instructs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Type: Specifies the DNS type used by your ISP.
Manual: select if your ISP has provided DNS server addresses for you to enter.
Automatic: select if your ISP allocates DNS settings automatically on connection.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.
Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.
3 Click Save to save your settings and create the PPP profile.

Modifying Profiles
To modify a profile:
1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to modify and click Select.
2 Make the changes. See Connecting Using an Internet Connectivity Profile on page 20 for information on the settings.
3 Click Save. Advanced Firewall modifies the profile.
Note: Changes made to a profile used by a current connection are only applied following reconnection.

Deleting Profiles
To delete a profile:
1 On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to delete and click Select.
2 Click Delete. Advanced Firewall deletes the profile.
Note: Deleting a profile used by a current connection causes that connection to close.

Working with Bridges

Advanced Firewall can be deployed in-line, using two or more NICs to create a transparent bridge on which Deep Packet Inspection is possible.
The following sections explain how to create, edit and delete bridges.

Creating Bridges
To create a bridge:
1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bridge.
Type: Select Bridge.
Ports: From the ports listed as available, select the ports to be used as bridge members.
Use as: Select one of the following:
External: Select to use the bridge as an external interface.
Basic interface: Select to use the bridge as an interface with one or more IP addresses on it.
MAC: Accept the displayed MAC address or enter a new one.
3 Click Add. Advanced Firewall adds the bridge to the list on the Networking > Interfaces > Interfaces page.

Editing Bridges
To edit a bridge:
1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2 In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 33 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bridges
To delete a bridge:
1 On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2 When prompted, click Delete to confirm that you want to delete the bridge. Advanced Firewall deletes the bridge.

Working with Bonded Interfaces

Advanced Firewall enables you to bind two or more NICs into a single bond. Bonding enables the NICs to act as one, providing high availability.

Creating Bonds
To create a bond:
1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the bond.
Type: Select Bonding.
Ports: From the ports listed as available, select the ports to be used as bond members.
Use as: Select one of the following:
External: Select to use the bond as an external interface.
Basic interface: Select to use the bond as an interface with one or more IP addresses on it.
Bridge member: Select to use the bond as a member of a bridge. For more information, see Working with Bridges on page 33.
MAC: Accept the displayed MAC address or enter a new one.
3 Click Add. Advanced Firewall adds the bond to the list on the Networking > Interfaces > Interfaces page.

Editing Bonds
To edit a bond:
1 On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2 In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 34 for information on the settings available.
3 Click Save changes. Advanced Firewall applies the changes.

Deleting Bonds
To delete a bond:
1 On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2 When prompted, click Delete to confirm that you want to delete the bond. Advanced Firewall deletes the bond.

Configuring IP Addresses
The following sections explain how to add, edit and delete IP addresses used by interfaces.
Note: External aliases are configured on the Networking > Interfaces > External aliases page. See Chapter 4, Creating an External Alias Rule on page 45 for more information.

Adding an IP Address
To add an IP address:
1 On the Networking > Interfaces > Interfaces page, click the interface you want to add an IP address to.
2 In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:
Status: Select Enabled to enable the IP address for the NIC.
IP address: Enter an IP address.
Subnet mask: Enter the subnet mask.
Gateway: Optionally, enter a gateway.
3 Click Add. Advanced Firewall adds the IP address to the interface.

Editing an IP Address
To edit an IP address:
1 On the Networking > Interfaces > Interfaces page, click the interface whose IP address you want to edit.
2 In the IP addresses dialog box, point to the address and click Edit.
3 In the Edit address dialog box, make the changes needed and click Save changes. Advanced Firewall applies the changes.

Deleting an IP Address
To delete an IP address:
1 On the Networking > Interfaces > Interfaces page, click the interface whose IP address you want to delete.
2 In the IP addresses dialog box, point to the address and click Delete.
3 When prompted, click Delete. Advanced Firewall deletes the address.

Virtual LANs
Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface to a regular NIC on the system.
Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC. That isolation holds only as far as the switch port the parent NIC connects to: it must be a trunk port that carries exactly the VLAN tags you intend to use on Advanced Firewall.

Creating a VLAN
To create a VLAN:
1 On the Networking > Interfaces > Interfaces page, click Add new interface.
2 In the Add new interface dialog box, configure the following settings:
Name: Enter a name for the VLAN.
Type: Select VLAN.
Parent interface: From the drop-down list of available NICs, select the interface to use.
VLAN ID: Enter the 802.1Q tag, in the range 1 - 4095, that identifies this VLAN on the parent interface.
Note: We do not recommend using a VLAN tag of 1, as this can cause problems with some equipment. Tag 4095 is reserved by IEEE 802.1Q and should be avoided as well.
Use as: Select one of the following:
External: Select to use the VLAN as an external interface.
Basic interface: Select to use the VLAN as a basic interface.
Bridge member: Select to use the VLAN as part of a bridge, then, in Bridge interface, select the bridge to use from the drop-down list. For more information, see Working with Bridges on page 33.
Spoof MAC: Optionally, enter a spoof MAC if required. This field is available for each of the Use as options. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.
3 Click Add. The VLAN is added to the list of interfaces below, where you can configure it.

Editing a VLAN
To edit a VLAN:
1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Edit.
2 In the Edit interface dialog box, make the changes needed and click Save changes. See Creating a VLAN on page 36 for information on the settings available.

Deleting a VLAN
To delete a VLAN:
1 On the Networking > Interfaces > Interfaces page, point to the VLAN and click Delete.
2 When prompted, click Delete to confirm. Advanced Firewall deletes the VLAN.

Chapter 4

Managing Your Network Infrastructure
In this chapter:

Creating subnets and internal subnet aliases

Enabling and configuring the RIP service

Creating Subnets
Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, each reached through an internal router. A subnet rule gives Advanced Firewall a static route to such a subnet, so that it knows which internal gateway to send traffic for that subnet to.
Note: This functionality only applies to subnets reached via an internal gateway.
To create a subnet rule:
1 Navigate to the Networking > Routing > Subnets page.
2 Configure the following settings:
Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with the netmask value.
Netmask: Enter the network mask that specifies the size of the subnet when combined with the Network field.
Gateway: Enter the IP address of the gateway device through which the subnet can be reached. The gateway address must lie on a network zone that Advanced Firewall is directly attached to: Advanced Firewall must be able to route to the gateway device for the subnet to be configured successfully.
Metric: Enter a route metric to set the order in which routes are evaluated. 0 is the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.
3 Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP
The Routing Information Protocol (RIP) service enables network-wide convergence of routing information among gateways and routers. A RIP-enabled gateway passes its entire routing table to its neighbors, typically every 30 seconds.
Advanced Firewall's RIP service can:

Operate in import, export or combined import/export mode

Support password and MD5 authentication

Export direct routes to the system's internal interfaces.

To configure the RIP service:
1 Navigate to the Networking > Routing > RIP page.
2 Configure the following settings:
Enabled: Select to enable the RIP service.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts; for networks with greater numbers of hosts, choose a less frequent scan interval.
Note: There is a performance trade-off between the number of RIP-enabled devices, the number of network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices raises the ambient level of traffic on the host network. Administrators responsible for larger networks should therefore consider increasing the RIP scan interval, or whether the RIP service is suitable for propagating routing information at all.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
Import and Export: The RIP service adds to and updates its routing table from information received from other RIP-enabled gateways, and also broadcasts its routing table for use by other RIP-enabled gateways.
Import: The RIP service adds to and updates its routing table from information received from other RIP-enabled gateways.
Export: The RIP service only broadcasts its routing table for use by other RIP-enabled gateways.
Logging level: From the drop-down menu, select the level of logging.
RIP interfaces: Select each interface that the RIP service should import routing information from and export it to.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported among trusted RIP-enabled devices. Select one of the following options:
None: Routing information can be imported from and exported to any RIP device. We do not recommend this option from a security standpoint: any host on a RIP interface could inject routes and redirect traffic.
Password: A plain text password is specified, which must match the password on the other RIP devices. The password is carried unencrypted in every RIP packet, so anyone able to capture traffic on a RIP interface can read it.
MD5: A shared secret is specified, which must match the secret on the other RIP devices. Each packet carries a keyed-MD5 digest computed over the packet contents and the secret; the secret itself is never sent, and a packet altered in transit fails verification. Choose this option wherever the other devices support it.
Password: If Password or MD5 is selected as the authentication method, enter the password (Password mode) or shared secret (MD5 mode).
Again: Re-enter the password or shared secret to confirm it.
Direct routing interfaces: Optionally, select interfaces whose exported routes should also include routes to the RIP service's own interfaces. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.

Click Save.

Sources
The Sources page is used to configure source rules which determine which external network
interface will be used by internal network hosts for outbound communication when a secondary
external connection is active.
Source rules can be created for individual hosts, ranges of hosts or subnet ranges.

Creating Source Rules

Source rules route outbound traffic from selected network hosts through a particular external
interface.
To create a source rule:
1. Navigate to the Networking > Routing > Sources page.
2. Configure the following settings:

Source IP or network
    Enter the source IP or subnet range of the internal network host(s) specified by this rule.
    For more information, see About IP Address Definitions on page 43.

Internal interface
    From the drop-down menu, select the internal interface that the source IP must
    originate from to use the external connection.

External interface
    From the drop-down menu, select the external interface that is used by the specified
    source IP or network for external communication.
    Alternatively, select Exception to create an exception rule which ensures that all
    outbound traffic from the specified source IP, network and internal interface is routed
    via the primary external interface.
    Note: If the external interface is set to Exception, the traffic specified here will not be
    subject to any load balancing.
    Note: Using Exception always sends traffic out via the primary, no matter which
    interface is currently being used by the primary connection.

Comment
    Optionally, enter a description for the source rule.

Enabled
    Select to activate the rule.

3. Click Add.

Removing a Rule
To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.

Editing a Rule
To edit a rule:
1. Locate it within the Current rules region, select it and click Edit to populate the configuration
   controls in the Add a new rule region with the rule's current configuration values.
2. Alter the configuration values as necessary, and click Add.

About IP Address Definitions

Single or multiple IP addresses can be specified in a number of different manners:
IP address: An identifier for a single network host, written as a quartet of dotted decimal values,
e.g. 192.168.10.1.
IP subnet [dotted decimal]: An arbitrary IP address and network mask that specifies a subnet range
of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses
from 192.168.10.0 to 192.168.10.255.
IP subnet [network prefix]: An arbitrary IP address and network mask in network prefix notation,
e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to
192.168.10.255.

Ports
The Ports page is where you route outbound traffic for selected ports through a particular external
interface. For example, you can create a rule to send all SMTP traffic down a specific external
interface.
Note: The rules specified on the Sources page are always examined first, so traffic is only matched
against this list of port rules if it does not first hit a sources rule. For more information, see Sources
on page 42.

Creating a Ports Rule

Port rules route outbound traffic for selected ports through a particular external interface.
To create a ports rule:
1. Navigate to the Networking > Routing > Ports page.
2. Configure the following settings:

Protocol
    From the drop-down menu, select the protocol the traffic uses.

Service
    From the drop-down menu, select the service, port range or group of ports.

Port
    If the service is user defined, enter the port number.

External interface
    From the drop-down menu, select the external interface to use.
    Select Exception to never route the traffic via an alternative interface.
    Note: Using Exception always sends traffic out via the primary, no matter which
    interface is currently being used by the primary connection.

Comment
    Enter a description of the rule.

Enabled
    Select to make the rule active.

3. Click Add to create the rule. The rule is created and listed in the Current rules area.

Removing Rules
To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.

Editing a Rule
To edit a rule:
1. Select the rule in the Current rules area and click Edit.
2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and
   listed in the Current rules area.

Creating an External Alias Rule

Advanced Firewall enables you to associate multiple public IP addresses with a single Advanced
Firewall by creating external aliases. An external alias binds an additional public IP address to
the Smoothwall System's external interface.
To create an external alias rule:
1. Navigate to the Networking > Interfaces > External aliases page.
2. Configure the following settings:

External interface
    From the drop-down list, select the external interface to which you want to bind an
    additional public IP address.

Select
    Click to select the interface.

Connectivity profile
    Used to determine when the external alias is active. Options include:
    All: The external alias will always be active, irrespective of the currently active
    connection profile.
    Named connection profile: The external alias will only be active if the named
    connection profile is currently active. This is particularly useful for creating aliases for
    connection profiles that are used as failover connections.

Alias IP
    Enter the IP address of the external alias. This address should be provided by your
    ISP as part of a multiple static IP address allocation.

Netmask
    Used to specify the network mask of the external alias. This value is usually the
    same as the external interface's netmask value. This value should be provided by
    your ISP.

Comment
    A field used to assign a helpful message describing the external alias rule.

Enabled
    Determines whether the external alias rule is currently active.

3. Click Add. The external alias rule is added to the Current rules table.

Editing and Removing External Alias Rules

To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.


Port Forwards from External Aliases


Advanced Firewall extends your system's port forwarding capabilities by allowing port forward rules
to be created that forward traffic arriving at an external alias.
No special configuration is required to use this feature. Use the existing Networking > Firewall > Port
forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule


Advanced Firewall enables you to map internal hosts to an external IP alias, instead of the default,
real external IP, by creating source mapping rules. This allows outbound communication from
specified hosts to appear to originate from the external alias IP address.
A common use for source mapping rules is to ensure that SMTP mail servers send and receive email
via the same IP address. If the incoming IP address is an external alias, and outbound mail fails to
mirror the IP address as its source, some SMTP servers will reject the mail. This is because the mail
will not appear to originate from the correct IP address, i.e. the Advanced Firewall default external IP
is not the MX for the email domain. This problem can be alleviated by using a source mapping rule
to ensure that the SMTP server uses the same IP address for inbound and outbound traffic.
To create a source mapping rule:
1. Navigate to the Networking > Firewall > Source mapping page.
2. Configure the following settings:

Source IP
    Enter the source IP or network of hosts to be mapped to an external alias.
    For a single host, enter its IP address.
    For a network of hosts, enter an appropriate IP address and subnet mask
    combination; for example, entering 192.168.100.0/255.255.255.0 creates a
    source mapping rule for hosts in the IP address range 192.168.100.1 through
    to 192.168.100.255.
    For all hosts, leave the field blank.

Alias IP
    From the drop-down list, select the external alias that outbound communication is
    mapped to.

Comment
    Enter a description of the rule.

Enabled
    Select to enable the rule.

3. Click Add. The source mapping rule is added to the Current rules table.

Editing and Removing Source Mapping Rules


To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.

Managing Internal Aliases


Advanced Firewall can be configured to create internal aliases for each installed NIC. Internal aliases
can be used to create logical subnets amongst hosts within the same physical network zone.
Note: This function is recommended only for experienced network administrators, as there are a number
of security implications and limitations that using this feature will impose on the rest of your network.
Internal alias rules are used to create such bindings on an internal network interface, thus enabling it
to route packets to and from IP addresses on a virtual subnet without the need for physical
switches.
Note: No services will run on the alias IP.
Note: Use of this feature is not normally recommended for the following reasons:
No physical separation: Internal aliases should not be considered as a substitute for physically
separating multiple networks. Network users can join a logical subnet simply by changing their IP
address.
No DHCP service: DHCP servers cannot serve a logical subnet, as it is impossible for the server to
know which subnet (physical or logical) the client should be on.
No direct DNS or proxy access: The DNS proxy and web proxy services cannot be accessed
by hosts on a logical subnet. Requests for such services must be routed via the IP address of the
physical interface; this is not the case when an alias is in use.
Generally, internal aliases should only be created in special circumstances.

Creating an Internal Alias Rule

To create an internal alias rule:
1. Navigate to the Interfaces > Internal aliases page.
2. Configure the following settings:

Interface
    From the drop-down menu, select the internal interface on which to create the alias.

IP address
    Enter an IP address for the internal alias.

Netmask
    Enter a network mask that specifies the size of the subnet accessible via the internal
    alias (when combined with the network value).

Comment
    Enter a description of the rule.

Enabled
    Select to enable the rule.

3. Click Add. The internal alias rule is added to the Current rules table.

Editing and Removing Internal Alias Rules


To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.

Working with Secondary External Interfaces


The Secondaries page is used to configure an additional, secondary external interface. A secondary
external interface will operate independently of the primary external interface, NATing its own
outbound traffic.
Once a secondary external interface is active, the system can be configured to selectively route
different internal hosts, ranges of hosts and subnets out across either the primary or secondary
external interface.

Configuring a Secondary External Interface

Note: It is not possible to make L2TP or OpenVPN connections to secondary interfaces.
To configure a secondary external interface:
1. Navigate to the Networking > Interfaces > Secondaries page.
2. Configure the following settings:

Secondary external interface
    From the drop-down list, select the interface you want to use as the secondary
    external interface.

Select
    Click to select the interface.

Address
    Enter the IP address.

Netmask
    Enter the netmask.

Default gateway
    Enter the default gateway.

Enabled
    Select to enable the interface.

Primary failover ping IP
    Optionally, specify an IP address that you know can be contacted if the
    secondary connection is operating correctly.
    When enabled, the IP address is pinged every two minutes over the secondary
    to ensure that the connection is active.
    If this IP address cannot be contacted, all outbound traffic will be redirected to
    the primary connection. If a secondary failover ping IP has been entered, it must
    also fail before failover routing is activated.

Secondary failover ping IP
    Optionally, specify an additional IP address that you know can be contacted if
    the secondary connection is operating correctly.
    When enabled, the IP address is pinged every two minutes over the secondary
    to ensure that the connection is active.
    If neither this IP address nor the primary failover ping IP can be contacted, all
    outbound traffic will be redirected to the primary connection.

Load balance outgoing traffic
    Optionally, select to add the currently selected secondary address to the load
    balancing pool of connections.
    Selecting this option ensures that outbound NATed traffic is divided among the
    currently selected secondary address and any other connections, primary or
    secondary, that have been added to the load balancing pool.
    Note: If no load balance options are enabled, all traffic will be sent out of the
    primary external connection.

Load balance web proxy traffic
    Optionally, select to add the currently selected secondary address to the proxy
    load balancing pool.
    Selecting this option ensures that web proxy traffic is divided among the
    currently selected secondary address and any other connections, primary or
    secondary, that have themselves been added to the proxy load balancing pool.
    Note: If no load balance options are selected, all traffic will be sent out of the
    primary external connection.

Weighting
    Optionally, select to set the weighting for load balancing on the currently
    selected secondary address.
    A weighting is assigned to all external connections in the load balancing pool
    and load balancing is performed according to the respective weights of each
    connection. For example:
    A connection weighted 10 will be given 10 times as much load as a connection
    weighted 1.
    A connection weighted 6 will be given 3 times as much load as a connection
    weighted 2.
    A connection weighted 2 will be given twice as much load as a connection
    weighted 1.
    The weighting value is especially useful for load balancing external connections
    of differing speeds.

3. Click Save to save your settings and enable the secondary external interface.
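As an added illustration (editor's code, not Smoothwall's implementation) of how the Sources, Ports and Secondaries settings interact, the following model consults source rules first, then port rules, then a weighted load-balancing pool, and removes a secondary from the pool once every configured failover ping IP has failed. The rule and interface classes and the smooth weighted round-robin scheduler are this example's own assumptions; the guide does not describe the scheduling algorithm it uses.

```python
"""Outbound interface selection across primary and secondary external
interfaces, modelled on the Sources, Ports and Secondaries pages: source
rules first, then port rules, then the weighted load balancing pool; a
secondary leaves the pool once all of its configured failover ping IPs
are unreachable. Editor's example; data model and scheduler are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PRIMARY = "primary"
EXCEPTION = "Exception"   # the Exception choice in the External interface menu


@dataclass
class SourceRule:
    source: str          # host or subnet, prefix or dotted-mask notation
    internal_if: str
    external_if: str     # external interface name or EXCEPTION
    enabled: bool = True


@dataclass
class PortRule:
    protocol: str
    port: int
    external_if: str     # external interface name or EXCEPTION
    enabled: bool = True


@dataclass
class External:
    name: str
    weight: int = 1
    load_balance: bool = False
    # None = no failover ping IP configured; otherwise the last probe result.
    primary_ping_ok: Optional[bool] = None
    secondary_ping_ok: Optional[bool] = None


@dataclass
class Connection:
    src_ip: str
    internal_if: str
    protocol: str
    dport: int


def failed_over(link: External) -> bool:
    """Failover routing starts only when every configured failover ping IP
    has failed; with one IP configured, that one failing is enough."""
    probes = [p for p in (link.primary_ping_ok, link.secondary_ping_ok) if p is not None]
    return bool(probes) and not any(probes)


class WeightedRoundRobin:
    """Smooth weighted round-robin: over sum(weights) consecutive picks each
    link is chosen exactly `weight` times, so weights 6 and 2 give a 3:1 split."""

    def __init__(self, weights: dict[str, int]):
        self.weights = weights
        self.current = {name: 0 for name in weights}

    def pick(self) -> str:
        total = sum(self.weights.values())
        for name, weight in self.weights.items():
            self.current[name] += weight
        best = max(self.current, key=self.current.get)
        self.current[best] -= total
        return best


def build_pool(links: list[External]) -> Optional[WeightedRoundRobin]:
    """Pool members are load-balanced links that have not failed over. With no
    load balance option enabled anywhere, return None: everything uses the primary."""
    if not any(link.load_balance for link in links):
        return None
    members = {link.name: link.weight for link in links
               if link.load_balance and not failed_over(link)}
    return WeightedRoundRobin(members or {PRIMARY: 1})


def select_interface(conn: Connection, source_rules: list[SourceRule],
                     port_rules: list[PortRule],
                     pool: Optional[WeightedRoundRobin]) -> str:
    """Sources first, then Ports, then the pool; Exception always means primary."""
    for rule in source_rules:
        if (rule.enabled and rule.internal_if == conn.internal_if and
                ipaddress.IPv4Address(conn.src_ip)
                in ipaddress.IPv4Network(rule.source, strict=False)):
            return PRIMARY if rule.external_if == EXCEPTION else rule.external_if
    for rule in port_rules:
        if rule.enabled and rule.protocol == conn.protocol and rule.port == conn.dport:
            return PRIMARY if rule.external_if == EXCEPTION else rule.external_if
    return PRIMARY if pool is None else pool.pick()
```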

Chapter 5

General Network Security Settings

In this chapter:
Using IP blocking to block source IPs and networks
Reviewing network interface information
Fine-tuning network communications using the advanced networking features
Creating groups of ports for use throughout Advanced Firewall.

Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network
addresses. IP block rules are primarily intended to block hostile hosts from the external network;
however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal
system has been infected by malware.
IP block rules can also operate in an exception mode allowing traffic from certain source IPs or
network addresses to always be allowed.

Creating IP Blocking Rules

IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct
networks.
To create an IP block rule:
1. Navigate to the Networking > Filtering > IP block page.
2. Configure the following settings:

Source IP or network
    Enter the source IP, IP range or subnet range of IP addresses to block or
    exempt. To block or exempt:
    An individual network host, enter its IP address, for example: 192.168.10.1.
    A range of network hosts, enter an appropriate IP address range, for
    example: 192.168.10.1-192.168.10.15.
    A subnet range of network hosts, enter an appropriate subnet range, for
    example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

Destination IP or network
    Enter the destination IP, IP range or subnet range of IP addresses to block or
    exempt. To block or exempt:
    An individual network host, enter its IP address, for example: 192.168.10.1.
    A range of network hosts, enter an appropriate IP address range, for
    example: 192.168.10.1-192.168.10.15.
    A subnet range of network hosts, enter an appropriate subnet range, for
    example: 192.168.10.0/255.255.255.0 or 19

Drop packet
    Select to ignore any request from the source IP or network. The effect is similar
    to disconnecting the appropriate interface from the network.

Reject packet
    Select to cause an ICMP Connection Refused message to be sent back to the
    originating IP; no communication will be possible.

Exception
    Select to always allow the source IPs specified in the Source IP or network field
    to communicate, regardless of all other IP block rules.
    Exception rules are typically used in conjunction with other IP block rules,
    for example, where one IP block rule drops traffic from a subnet range of IP
    addresses, and another IP block rule creates exception IP addresses against
    it.

Log
    Select to log all activity from this IP.

Comment
    Optionally, describe the IP block rule.

Enabled
    Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the
same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.
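An added example (editor's code, not Smoothwall's) covering both About IP Address Definitions and the Source IP / Destination IP fields of this table: it parses the four address forms the guide uses, then resolves a packet against a rule list the way this section describes, with exception rules winning regardless of order and same-subnet traffic never reaching the firewall. The rule class, the `local_subnets` parameter and the sample rule set are constructed for this example.

```python
"""Parse the address forms used on the Routing and Filtering pages
(single host, a-b range, dotted-decimal mask, prefix length, blank = any)
and evaluate IP block rules as this section describes.
Editor's example; the rule model is an assumption, not Smoothwall's code."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


def parse_ip_spec(spec: str) -> tuple[IPv4, IPv4]:
    """Return the inclusive (first, last) address pair covered by `spec`.

    Accepted forms: "192.168.10.1", "192.168.10.1-192.168.10.15",
    "192.168.10.0/255.255.255.0", "192.168.10.0/24"; an empty field means
    any address (as the Source mapping and Zone bridging pages allow)."""
    spec = spec.strip()
    if not spec:
        return IPv4("0.0.0.0"), IPv4("255.255.255.255")
    if "-" in spec:
        lo, hi = (IPv4(part.strip()) for part in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return lo, hi
    # IPv4Network accepts both mask notations; strict=False tolerates host bits.
    net = ipaddress.IPv4Network(spec, strict=False)
    return net[0], net[-1]


def in_spec(spec: str, ip: str) -> bool:
    lo, hi = parse_ip_spec(spec)
    return lo <= IPv4(ip) <= hi


@dataclass
class IPBlockRule:
    source: str               # Source IP or network field
    destination: str = ""     # Destination IP or network field (blank = any)
    action: str = "drop"      # "drop", "reject" or "exception"
    enabled: bool = True


def evaluate(rules: list[IPBlockRule], src: str, dst: str,
             local_subnets: tuple[str, ...] = ()) -> str:
    """Return "drop", "reject", "allow" or "not-routed" for one packet.

    Exceptions are keyed on the source address only and override every other
    rule. Hosts sharing a directly attached subnet reach each other without
    traversing the firewall, so no rule can affect that traffic."""
    for subnet in local_subnets:
        if in_spec(subnet, src) and in_spec(subnet, dst):
            return "not-routed"
    active = [r for r in rules if r.enabled]
    if any(r.action == "exception" and in_spec(r.source, src) for r in active):
        return "allow"
    for rule in active:           # otherwise the first matching drop/reject rule applies
        if (rule.action in ("drop", "reject") and in_spec(rule.source, src)
                and in_spec(rule.destination, dst)):
            return rule.action
    return "allow"


# Constructed sample rule set (not from the guide).
SAMPLE_RULES = [
    IPBlockRule("192.168.10.1-192.168.10.15", "10.0.0.0/8", action="reject"),
    IPBlockRule("192.168.10.0/255.255.255.0", action="drop"),
    IPBlockRule("192.168.10.5", action="exception"),
    IPBlockRule("172.16.0.0/12", action="drop", enabled=False),
]

if __name__ == "__main__":
    for src, dst in [("192.168.10.3", "10.1.1.1"), ("192.168.10.5", "10.1.1.1"),
                     ("192.168.10.7", "192.168.10.9"), ("172.16.4.4", "8.8.8.8")]:
        print(src, "->", dst, evaluate(SAMPLE_RULES, src, dst, ("192.168.10.0/24",)))
```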

Editing and Removing IP Block Rules


To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.

Configuring Advanced Networking Features


Advanced Firewall's advanced networking settings can help prevent denial of service (DoS) attacks
and enforce TCP/IP standards to restrict broken network devices from causing disruption.

To configure advanced networking features:
1. Navigate to the Networking > Settings > Advanced page.
2. Configure the following feature settings:

Block and ignore
    ICMP ping broadcasts: Select to prevent the system responding to
    broadcast ping messages from all network zones (including external).
    This can prevent the effects of a broadcast ping-based DoS attack.
    ICMP ping: Select to block all ICMP ping requests going to or through
    Advanced Firewall.
    This will effectively hide the machine from Internet Control Message
    Protocol (ICMP) pings, but this can also make connectivity problems more
    difficult to diagnose.
    IGMP packets: Select this option to block and ignore multicast
    reporting Internet Group Management Protocol (IGMP) packets.
    IGMP packets are harmless and are most commonly observed when
    using cable modems to provide external connectivity.
    If your logs contain a high volume of IGMP entries, enable this option to
    ignore IGMP packets without generating log entries.
    Multicast traffic: Select this option to block multicast messages on
    network address 224.0.0.0 from ISPs and prevent them generating large
    volumes of spurious log entries.
    SYN+FIN packets: Select to automatically discard the packets used in
    SYN+FIN scans, which are used to passively scan systems.
    Generally, SYN+FIN scans result in large numbers of log entries being
    generated. With this option enabled, the scan packets are automatically
    discarded and are not logged.

Enable
    SYN cookies: Select to defend the system against SYN flood attacks.
    A SYN flood attack is where a huge number of connection requests, SYN
    packets, are sent to a machine in the hope that it will be overwhelmed.
    The use of SYN cookies is a standard defence mechanism against this
    type of attack, the aim being to avoid a DoS attack.
    TCP timestamps: Select this option to enable TCP timestamps
    (RFC 1323) to improve TCP performance on high speed links.
    Selective ACKs: Select this option to enable selective ACKs (RFC 2018)
    to improve TCP performance when packet loss is high.
    Window scaling: Select this option to enable TCP window scaling to
    improve the performance of TCP on high speed links.
    ECN: Select this option to enable Explicit Congestion Notification (ECN),
    a mechanism for avoiding network congestion.
    While effective, it requires communicating hosts to support it, and some
    routers are known to drop packets marked with the ECN bit. For this
    reason, this feature is disabled by default.
    ARP filter: Select this option to enable the ARP filter. This option can be
    enabled if your network is experiencing ARP flux.

ARP table size
    You should increase the ARP table size if the number of directly connected
    machines or IP addresses is more than the value shown in the drop-down
    box.
    In normal situations, the default value of 2048 will be adequate, but in very
    big networks, select a bigger value.
    Directly connected machines are those which are not behind an
    intermediate router but are instead directly attached to one of Advanced
    Firewall's network interfaces.

Connection tracking table size
    Select to store information about all connections known to the system.
    This includes NATed sessions, and traffic passing through the firewall.
    The value entered in this field determines the table's maximum size. In
    operation, the table is automatically scaled to an appropriate size within
    this limit, according to the number of active connections and their
    collective memory requirements.
    Occasionally, the default size, which is set according to the amount of
    memory, is insufficient; use this field to configure a larger size.

SYN backlog queue size
    Select this option to set the maximum number of requests which may be
    waiting in a queue to be answered.
    The default value for this setting is usually adequate, but increasing the
    value may reduce connection problems for an extremely busy proxy
    service.

Audit
    Traffic auditing is a means of recording extended traffic logs for the
    purpose of analyzing the different types of incoming, outgoing and
    forwarded traffic.
    Direct incoming traffic: Select to log all new connections to all
    interfaces that are destined for the firewall.
    Forwarded traffic: Select to log all new connections passing through
    one interface to another.
    Direct outgoing traffic: Select to log all new connections from any
    interface.
    Note: Auditing traffic may generate vast amounts of logging
    data. Ensure that the quantity of logs generated is acceptable.
    Traffic auditing logs are viewable on the Logs and reports > Logs >
    Firewall page.

Drop all direct traffic on internal interfaces
    Select any internal interfaces which have hosts on them that do not require
    direct access to the system but do require access to other networks
    connected to Advanced Firewall.

3. Click Save to enable the settings you have selected.
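The following added example (editor's code, not part of the guide) maps the toggles and sizes in this table to the Linux sysctl keys that implement them and audits a `sysctl -a` dump against the page's DoS recommendations. That Smoothwall exposes these options through the named sysctls is an assumption; the IGMP, multicast and SYN+FIN options are packet-filter rules rather than sysctls and are left out.

```python
"""Audit the Linux kernel state behind the Advanced networking options.
Smoothwall runs on Linux and each toggle below has a sysctl counterpart;
the option-to-key mapping is the editor's assumption, not taken from the
guide. Parses `sysctl -a` style output (constructed sample embedded) and
reports which of the page's settings are currently off."""
import re
from typing import Optional

# page option -> (sysctl key, values that mean "enabled")
OPTIONS = {
    "Block and ignore ICMP ping broadcasts": ("net.ipv4.icmp_echo_ignore_broadcasts", ("1",)),
    "Enable SYN cookies":                    ("net.ipv4.tcp_syncookies", ("1",)),
    "Enable TCP timestamps":                 ("net.ipv4.tcp_timestamps", ("1",)),
    "Enable selective ACKs":                 ("net.ipv4.tcp_sack", ("1",)),
    "Enable window scaling":                 ("net.ipv4.tcp_window_scaling", ("1",)),
    # tcp_ecn: 0 = off, 1 = always, 2 = only when the peer requests it
    "Enable ECN":                            ("net.ipv4.tcp_ecn", ("1", "2")),
    "Enable ARP filter":                     ("net.ipv4.conf.all.arp_filter", ("1",)),
}
# size settings -> sysctl key (ARP table size maps to the neighbour table GC ceiling)
SIZES = {
    "ARP table size":                 "net.ipv4.neigh.default.gc_thresh3",
    "Connection tracking table size": "net.netfilter.nf_conntrack_max",
    "SYN backlog queue size":         "net.ipv4.tcp_max_syn_backlog",
}
# Options the page presents as DoS protections; report them when disabled.
DOS_PROTECTIONS = ("Block and ignore ICMP ping broadcasts", "Enable SYN cookies")


def parse_sysctl(output: str) -> dict[str, str]:
    """Parse 'key = value' lines as printed by `sysctl -a`."""
    values = {}
    for line in output.splitlines():
        match = re.match(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$", line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def audit(values: dict[str, str]) -> dict:
    """Return each option's state (True/False, None if the key is absent),
    the size settings as integers, and findings for disabled DoS protections."""
    enabled: dict[str, Optional[bool]] = {}
    for option, (key, on_values) in OPTIONS.items():
        enabled[option] = values[key] in on_values if key in values else None
    sizes = {name: int(values[key]) for name, key in SIZES.items() if key in values}
    findings = [f"{option} is disabled ({OPTIONS[option][0]})"
                for option in DOS_PROTECTIONS if enabled[option] is False]
    return {"enabled": enabled, "sizes": sizes, "findings": findings}


# Constructed sample, not captured from a real system.
SAMPLE_SYSCTL = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_ecn = 0
net.ipv4.neigh.default.gc_thresh3 = 2048
net.netfilter.nf_conntrack_max = 65536
net.ipv4.tcp_max_syn_backlog = 1024
"""

if __name__ == "__main__":
    for finding in audit(parse_sysctl(SAMPLE_SYSCTL))["findings"]:
        print(finding)
```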

Working with Port Groups


You can create and edit named groups of TCP/UDP ports for use throughout Advanced Firewall.
Creating port groups significantly reduces the number of rules needed and makes rules more flexible.
For example, you can create a port group to make a single port forward to multiple ports and modify
which ports are in the group without having to recreate the rules that use it. In this way you could
easily add a new service to all your DMZ servers.

Creating a Port Group

To create a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. In the Port groups area, click New and configure the following settings:

Group name
    Enter a name for the port group and click Save.

Name
    Enter a name for the port or range of ports you want to add to the group.

Port
    Enter the port number or numbers.
    For one port, enter the number.
    For a range, enter the start and end numbers separated by a colon, for example:
    1024:65535
    For non-consecutive ports, create a separate entry for each port number.

Comment
    Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups

To add a new port:
1. Navigate to the Networking > Settings > Port groups page.
2. Configure the following settings:

Port groups
    From the drop-down list, select the group you want to add a port to and click Select.

Name
    Enter a name for the port or range of ports you want to add to the group.

Port
    Enter the port number or numbers.
    For one port, enter the number.
    For a range, enter the start and end numbers separated by a colon, for example:
    1024:65535

Comment
    Optionally, add a descriptive comment for the port or port range.

3. Click Add. The port, ports or range are added to the group.

Editing Port Groups

To edit a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to edit and click Select.
3. In the Current ports area, select the port you want to change and click Edit.
4. In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group

To delete a port group:
1. Navigate to the Networking > Settings > Port groups page.
2. From the Port groups drop-down list, select the group you want to delete and click Select.
3. Click Delete.

Note: Deleting a port group cannot be undone.

Chapter 6

Configuring Inter-Zone Security

In this chapter:
How bridging rules allow access between internal network zones.

About Zone Bridging Rules


By default, all internal network zones are isolated by Advanced Firewall. Zone bridging is the process
of modifying this, in order to allow some kind of communication to take place between a pair of
network zones.
A zone bridging rule defines a bridge in the following terms:
Zones: Defines the two network zones between which the bridge exists.
Direction: Defines whether the bridge is accessible one-way or bi-directionally.
Source: Defines whether the bridge is accessible from an individual host, a range of hosts,
a network or any host.
Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a
network or any host.
Service: Defines what ports and services can be used across the bridge.
Protocol: Defines what protocol can be used across the bridge.

It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a
named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host
bridge, using any port and protocol.
In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule

Zone bridging rules enable communications between specific parts of separate internal networks.
To create a zone bridging rule:
1. Navigate to the Networking > Filtering > Zone bridging page.
2. Configure the following settings:

Source interface
    From the drop-down menu, select the source network zone.

Destination interface
    From the drop-down menu, select the destination network zone.

Bidirectional
    Select to create a two-way bridge where communication can be initiated from either
    the source interface or the destination interface.
    Note: To create a one-way bridge where communication can only be initiated from
    the source interface to the destination interface and not vice versa, ensure
    that this option is not selected.

Protocol
    From the drop-down list, select a specific protocol to allow for communication
    between the zones or select All to allow all protocols.

Source IP
    Enter the source IP, IP range or subnet range from which access is permitted.
    To create a bridge from:
    A single network host, enter its IP address, for example: 192.168.10.1.
    A range of network hosts, enter an appropriate IP address range, for
    example: 192.168.10.1-192.168.10.15.
    A subnet range of network hosts, enter an appropriate subnet range, for
    example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
    Any network host in the source network, leave the field blank.

Destination IP
    Enter the destination IP, IP range or subnet range to which access is permitted.
    To create a bridge to:
    A single network host, enter its IP address, for example: 192.168.10.1.
    A range of network hosts, enter an IP address range, for example:
    192.168.10.1-192.168.10.15.
    A subnet range of network hosts, enter a subnet range, for example:
    192.168.10.0/255.255.255.0 or 192.168.10.0/24.
    Any network host in the destination network, leave the field blank.

Service
    From the drop-down list, select the services, port range or group of ports to which
    access is permitted.
    Or, select User defined and leave the Port field blank to permit access to all ports
    for the relevant protocol.
    Note: This is only applicable to TCP and UDP.

Port
    If User defined is selected as the service, specify the port number.
    Or, leave the field blank to permit access to all ports for the relevant protocol.

Comment
    Enter a description of the bridging rule.

Enabled
    Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules


To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial

In this tutorial, we will use the following two local network zones:
Protected network: Contains local user workstations and confidential business data.
IP address: 192.168.100.0/24
DMZ: Contains a web server. IP address: 192.168.200.0/24

Note: The DMZ network zone is a DMZ in name alone; until appropriate bridging rules are created,
neither zone can see or communicate with the other.
In this example, we will create a DMZ that:
Allows restricted external access to a web server in the DMZ, from the Internet.
Does not allow access to the protected network from the DMZ.
Allows unrestricted access to the DMZ from the protected network.
A single zone bridging rule will satisfy the bridging requirements, while a simple port forward will
forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule

To create the rule:
1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

Source interface
    From the drop-down menu, select the protected network.

Destination interface
    From the drop-down menu, select the DMZ.

Protocol
    From the drop-down list, select All.

Comment
    Enter a description of the rule.

Enabled
    Select to activate the bridging rule once it has been added.

2. Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ,
   but not vice versa.

Allowing Access to the Web Server

To allow access to a web server in the DMZ from the Internet:
1. Navigate to the Networking > Firewall > Port forwarding page and configure the following
   settings:

Protocol
    From the drop-down list, select TCP.

Destination IP
    Enter the IP address of the web server: 192.168.200.10.

Source
    From the drop-down menu, select HTTP (80) to forward HTTP requests to the web
    server.

Comment
    Enter a description, such as Port forward to DMZ web server.

Enabled
    Select to activate the port forward rule once it has been added.

2. Click Add.

Accessing a Database on the Protected Network


Multiple zone bridging rules can be used to further extend the communication allowed between the
zones. As an extension to the previous example, a further requirement might be to allow the web
server in the DMZ to communicate with a confidential database in the Protected Network. The rule is
deliberately narrow (one source host, one destination host, one protocol, one port) so that a
compromise of the web server exposes only the database service, not the whole protected zone.

To create the rule:

1. Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:

   Source interface: From the drop-down menu, select DMZ.
   Destination interface: From the drop-down menu, select Protected Network.
   Protocol: From the drop-down menu, select TCP.
   Source IP: Enter the web server's IP address: 192.168.200.10
   Destination IP: Enter the database's IP address: 192.168.100.50
   Service: Select User defined.
   Port: The database service is accessed on port 3306. Enter 3306.
   Comment: Enter a comment: DMZ web server to Protected Network DB.
   Enabled: Select Enabled to activate the bridging rule once it has been added.

2. Click Add.


Group Bridging
By default, authenticated users may only access network resources within their current network
zone, or that are allowed by any active zone bridging rules. Group bridging is the process of
modifying this default security policy, in order to allow authenticated users from any network zone to
access specific IP addresses, IP ranges, subnets and ports within a specified network zone.
Authenticated groups of users can be bridged to a particular network by creating group bridging
rules. A group bridging rule defines a bridge in the following terms:

   Group: The group of users from the authentication sub-system that may access the bridge.
   Zone: The destination network zone.
   Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a
   subnet of hosts or any hosts.
   Service: Defines what ports and services can be used across the bridge.
   Protocol: Defines what protocol can be used across the bridge.

Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named
port and protocol) or wide (e.g. allow access to any host, using any port and protocol).
In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable
use.

Group Bridging and Authentication


Group bridging uses the core authentication mechanism, meaning that users must be pre-authenticated
before group bridging rules can be enforced by Advanced Firewall. An unauthenticated host is unknown to
the system, never matches a group bridge, and is governed by the zone bridging rules alone.
Users can authenticate themselves using the authentication system's Login mechanism, either
automatically when they try to initiate outbound web access or manually by browsing to the secure
SSL Login page.
Authentication can also be provided by any other mechanism used elsewhere in the system. For
further information about authentication, see Chapter 10, Authentication and User Management on
page 193.

Creating Group Bridging Rules


Group bridging rules apply additional zone communication rules to authenticated users.

To create a group bridging rule:

1. Navigate to the Networking > Filtering > Group bridging page.

2. Configure the following settings:

   Groups: From the drop-down menu, select the group of users that this rule will apply to.
   Select: Click to select the group.
   Destination interface: Select the interface that the group will be permitted to access.
   Destination IP: Enter the destination IP, IP range or subnet range that the group will be permitted
   to access. To create a rule to allow access to:
      • A single network host in the destination network, enter its IP address, for
        example: 192.168.10.1.
      • A range of network hosts in the destination network, enter an appropriate
        IP address range, for example: 192.168.10.1-192.168.10.15.
      • A subnet range of network hosts in the destination network, enter an
        appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
      • Any network host in the destination network, leave the field blank.
   Protocol: From the drop-down list, select a specific protocol to allow for communication
   between the zones or select All to allow all protocols.
   Service: From the drop-down list, select the service, port or port range to be used.
   To restrict to a custom port, select User defined and enter a port number in the
   Port field.
   To allow any service or port to be used, select User defined and leave the Port
   field empty.
   Port: If applicable, enter a destination port or range of ports. If this field is blank, all ports
   for the relevant protocol will be permitted.
   Comment: Enter a description of the rule.
   Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.
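The zone bridging tutorial and the group bridging rule form above can both be checked against a small model before rules are committed to a live firewall. The following Python is an added example written for this section, not Smoothwall code: it implements the rule semantics as the guide states them (a bridge permits connections initiated from the source zone into the destination zone; a group bridge applies to authenticated members of a group from any zone; a blank field matches anything; an unauthenticated host never matches a group bridge). The zone names, the support group, the RDP bridge and the sample connections are constructed for the example; how Advanced Firewall matches rules internally is not documented on this page.

```python
"""Model of zone-bridging and group-bridging decisions (added example, not
Smoothwall code). Zone names, the 'support' group and all addresses are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def ip_matches(spec: str, ip: str) -> bool:
    """Blank matches any host; otherwise a single address, an
    'x.x.x.x-y.y.y.y' range, or a subnet as 'x.x.x.x/y' or 'x.x.x.x/mask'."""
    if not spec:
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return ip_address(lo) <= ip_address(ip) <= ip_address(hi)
    return ip_address(ip) in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Blank matches all ports of the protocol; 'A:B' is an inclusive range."""
    if not spec:
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


@dataclass(frozen=True)
class ZoneBridge:
    src_zone: str
    dst_zone: str
    protocol: str = "all"   # "all", "tcp", "udp", ...
    src_ip: str = ""        # blank = any host in the source zone
    dst_ip: str = ""        # blank = any host in the destination zone
    port: str = ""          # blank = all ports of the protocol
    enabled: bool = True


@dataclass(frozen=True)
class GroupBridge:
    group: str              # authenticated group that may use the bridge
    dst_zone: str
    protocol: str = "all"
    dst_ip: str = ""
    port: str = ""
    enabled: bool = True


@dataclass(frozen=True)
class Connection:
    """A new connection attempt crossing the firewall."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int
    user_groups: frozenset = frozenset()   # empty = not authenticated


def bridged(conn: Connection, zone_bridges, group_bridges) -> bool:
    """True if an enabled zone or group bridge lets this connection be opened.
    Only the direction in which a connection is initiated is modelled; replies
    to an already-permitted connection are assumed to be allowed."""
    for zb in zone_bridges:
        if (zb.enabled and zb.src_zone == conn.src_zone and zb.dst_zone == conn.dst_zone
                and zb.protocol in ("all", conn.protocol)
                and ip_matches(zb.src_ip, conn.src_ip) and ip_matches(zb.dst_ip, conn.dst_ip)
                and port_matches(zb.port, conn.dst_port)):
            return True
    for gb in group_bridges:
        # Group bridges ignore the source zone: any authenticated member may use them.
        if (gb.enabled and gb.group in conn.user_groups and gb.dst_zone == conn.dst_zone
                and gb.protocol in ("all", conn.protocol)
                and ip_matches(gb.dst_ip, conn.dst_ip) and port_matches(gb.port, conn.dst_port)):
            return True
    return False


# The two zone bridges from the tutorial, plus one constructed group bridge that
# lets authenticated members of 'support' reach RDP anywhere in the protected zone.
ZONE_BRIDGES = [
    ZoneBridge("protected", "dmz"),
    ZoneBridge("dmz", "protected", "tcp", "192.168.200.10", "192.168.100.50", "3306"),
]
GROUP_BRIDGES = [
    GroupBridge("support", "protected", "tcp", "192.168.100.0/24", "3389"),
]


def check(src_zone, dst_zone, src_ip, dst_ip, proto, port, groups=()) -> bool:
    conn = Connection(src_zone, dst_zone, src_ip, dst_ip, proto, port, frozenset(groups))
    return bridged(conn, ZONE_BRIDGES, GROUP_BRIDGES)


if __name__ == "__main__":
    print(check("protected", "dmz", "192.168.100.7", "192.168.200.10", "tcp", 22))     # True
    print(check("dmz", "protected", "192.168.200.10", "192.168.100.50", "tcp", 3306))  # True
    print(check("dmz", "protected", "192.168.200.10", "192.168.100.50", "tcp", 22))    # False
```

Calling check() answers the questions the tutorial poses: the protected network reaches any DMZ service, the DMZ web server reaches only port 3306 on the database host and nothing else, a second DMZ host cannot use that bridge at all, and a support-group member reaches RDP on the protected network only while authenticated.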


Editing and Removing Group Bridges


To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current
rules region.


Chapter 7

Managing Inbound and Outbound Traffic

In this chapter:

• How port forward rules work
• Application helpers which allow traffic passing through the firewall to work correctly
• How to manage outbound access to IP addresses and networks.

Introduction to Port Forwards: Inbound Security

Port forwards are used to forward requests that arrive at an external network interface to a particular
network host in an internal network zone.
It is common to think of such requests arriving from hosts on the Internet; however, port forwards
can be used to forward any type of traffic that arrives at an external interface, regardless of whether
the external interface connects to the Internet or some other external network zone.

Port Forward Rules Criteria


Port forward rules can be configured to forward traffic based on the following criteria:

   External IP: Forward traffic if it originated from a particular IP address, IP address range or
   subnet range.
   Source IP: Forward traffic if it arrived at a particular external interface or external alias.
   Port: Forward traffic if it was destined for a particular port or range of ports.
   Protocol: Forward traffic if it uses a particular protocol.
   Destination IP: A port forward will send traffic to a specific destination IP.
   Destination port: A port forward will send traffic to a specific destination port.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server
listening on port 81 in a De-Militarized Zone (DMZ).
If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward
all port 80 TCP traffic to port 81 on 192.168.2.60.


Note: It is important to consider the security implications of each new port forward rule. Any network is only
as secure as the services exposed upon it.
Port forwards allow unknown hosts from the external network to access a particular internal host. If
an attacker manages to compromise a host that they have been forwarded to, they may use it to reach
other hosts in the same zone, and any zone it has been bridged to.
For this reason, we recommend that all port forwards are directed towards hosts in isolated network
zones that preferably contain no confidential or security-sensitive network hosts. Use the
Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is
contained within a suitably isolated network, i.e. a DMZ scenario, and restrict the External IP or
network field to the known client addresses wherever the service is not intended for the whole Internet.

Creating Port Forward Rules


To create a port forward rule:

1. Navigate to the Networking > Firewall > Port forwarding page.

2. Configure the following settings:

   External interface: From the drop-down menu, select the interface that the port forward will
   be bound to. By default, a port forward is bound to the primary external connection.
   However, if you have a secondary external connection you can assign a
   port forward explicitly to it.
   Select: Click to select the external interface specified.
   Protocol: From the drop-down list, select the network protocol for the traffic that you
   want to forward. For example, to port forward an HTTP request, which is a
   TCP-based protocol, choose the TCP option.
   External IP or network: Enter the IP address, address range or subnet range of the external hosts
   allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as
   that required to port forward anonymous HTTP requests from any network
   host to a web server), leave this field blank.
   Log: Select to log all port forwarded traffic.
   IPS: Select to deploy intrusion prevention. See Chapter 8, Deploying Intrusion
   Prevention Policies on page 115 for more information.
   Source IP: Select the external IP alias that this rule will apply to. In most cases, this will
   be the IP of the default external connection.
   Source service: From the drop-down menu, select the service, port, port range or group of
   ports. Or, to specify a user defined port, select User defined.
   Note: Only applies to the protocols TCP and UDP.
   User defined: If User defined is selected in the Source service drop-down menu, enter a
   single port or port range. Port ranges are specified using an A:B notation. For example:
   1000:1028 covers the range of ports from 1000 to 1028.
   Destination IP: Enter the IP address of the network host to which traffic should be
   forwarded.
   Destination service: From the drop-down menu, select the service, port, port range or group of
   ports. Or, select User defined.
   User defined: If User defined is selected as the destination service, enter a destination
   port. Leave this field empty to create a port forward that uses the source port as
   the destination port. If left blank and the source service value specified a port range, the
   destination port will be the same as the port that the connection came in
   on. If it contains a single port, then this will be used as the target.
   Comment: Enter a description of the port forward rule.
   Enabled: Select to enable the rule.

3. Click Add. The port forward rule is added to the Current rules table.

Load Balancing Port Forwarded Traffic


Advanced Firewall enables you to load balance port forwarded traffic to different network hosts.

To load balance port forwards:

1. On the Networking > Firewall > Port forwarding page, create a port forward rule to the first
   network host. See Creating Port Forward Rules on page 68 for more information.

2. On the Networking > Firewall > Port forwarding page, create another port forward rule using
   exactly the same settings except for the destination IP to the second network host.
   Advanced Firewall automatically balances the traffic between the hosts.
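The port forward rule form and the load balancing procedure above can be exercised with a small model of the matching. The following Python is an added example for this section, not Smoothwall code: it applies the field semantics the guide states (a rule matches on the bound external interface, protocol, the external alias address, the allowed external hosts and the source service, given as a port or an A:B range; a blank destination port keeps the port the connection arrived on; a configured single port replaces it) and lets rules that differ only in destination IP share the traffic. The guide does not say how Advanced Firewall balances between such rules, so the round-robin used here is this example's assumption, as is the simplification that the External IP field holds a single address or a subnet (ranges are not modelled). The reflective flag models the Reflective port forwards option from the Advanced page in the simplest way: a connection to the external alias from any other interface is forwarded as if it had arrived externally. Interfaces, addresses and sample connections are constructed.

```python
"""Model of port-forward matching and load balancing (added example, not
Smoothwall code). Round-robin balancing and the treatment of the reflective
option are assumptions of this example; all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class PortForward:
    external_if: str            # interface the forward is bound to, e.g. "eth1"
    protocol: str               # "tcp" or "udp"
    external_hosts: str         # "" = any external host; else an address or subnet
    source_ip: str              # external alias address the rule listens on
    source_service: str         # a port ("80") or an A:B range ("1000:1028")
    destination_ip: str
    destination_port: str = ""  # "" = keep the port the connection arrived on
    enabled: bool = True

    def balance_key(self):
        """Rules identical except for destination IP form one balancing set."""
        return (self.external_if, self.protocol, self.external_hosts,
                self.source_ip, self.source_service, self.destination_port)


def port_in_service(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: PortForward, iface: str, proto: str, src_ip: str,
                 dst_ip: str, dst_port: int, reflective: bool) -> bool:
    if not rule.enabled or rule.protocol != proto or rule.source_ip != dst_ip:
        return False
    # Normally only traffic arriving on the bound external interface is
    # forwarded; with reflective forwarding an internal host addressing the
    # external alias is forwarded too (hairpin).
    if rule.external_if != iface and not reflective:
        return False
    if rule.external_hosts and ip_address(src_ip) not in ip_network(rule.external_hosts, strict=False):
        return False
    return port_in_service(rule.source_service, dst_port)


def target_port(rule: PortForward, dst_port: int) -> int:
    """A configured destination port is used as-is; a blank one keeps the
    arriving port, which is what makes a forwarded range map one-to-one."""
    return int(rule.destination_port) if rule.destination_port else dst_port


class Forwarder:
    def __init__(self, rules, reflective: bool = False):
        self.rules = list(rules)
        self.reflective = reflective
        self._next = {}   # balance_key -> index of the host to use next

    def forward(self, iface, proto, src_ip, dst_ip, dst_port) -> Optional[Tuple[str, int]]:
        """(destination IP, destination port) chosen from the first matching
        balancing set, or None when no rule matches."""
        hits = [r for r in self.rules
                if rule_matches(r, iface, proto, src_ip, dst_ip, dst_port, self.reflective)]
        if not hits:
            return None
        key = hits[0].balance_key()
        pool = [r for r in hits if r.balance_key() == key]
        i = self._next.get(key, 0)
        self._next[key] = (i + 1) % len(pool)
        chosen = pool[i]
        return chosen.destination_ip, target_port(chosen, dst_port)


# Constructed rule set: 203.0.113.10 is the external alias on eth1.
RULES = [
    # Two rules differing only in destination IP: HTTP is balanced over both.
    PortForward("eth1", "tcp", "", "203.0.113.10", "80", "192.168.200.10"),
    PortForward("eth1", "tcp", "", "203.0.113.10", "80", "192.168.200.11"),
    # A range with a blank destination port keeps the arriving port.
    PortForward("eth1", "udp", "198.51.100.0/24", "203.0.113.10", "1000:1028", "192.168.200.20"),
    # A single port remapped 8443 -> 443, limited to one management host.
    PortForward("eth1", "tcp", "198.51.100.7", "203.0.113.10", "8443", "192.168.200.30", "443"),
]


if __name__ == "__main__":
    fw = Forwarder(RULES)
    print(fw.forward("eth1", "tcp", "192.0.2.5", "203.0.113.10", 80))          # ('192.168.200.10', 80)
    print(fw.forward("eth1", "tcp", "192.0.2.6", "203.0.113.10", 80))          # ('192.168.200.11', 80)
    print(fw.forward("eth1", "tcp", "198.51.100.7", "203.0.113.10", 8443))     # ('192.168.200.30', 443)
    print(fw.forward("eth1", "tcp", "198.51.100.8", "203.0.113.10", 8443))     # None
```

Two consecutive HTTP connections land on the two web servers in turn, the UDP range is forwarded unchanged, the management forward rewrites 8443 to 443 and refuses any host other than the one listed, and a connection from an internal interface to the external alias is only forwarded when the Forwarder is built with reflective=True.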

Editing and Removing Port Forward Rules


To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.

Advanced Network and Firewall Settings


The following sections explain network application helpers, how you can manage bad traffic actions,
reflective port forwarding and connectivity failback.

Network Application Helpers


Advanced Firewall includes a number of helper applications which must be enabled to allow certain
types of traffic passing through the firewall to work correctly. Each helper inspects the application
payload of a connection in order to open the additional ports that the protocol negotiates, so enable
only the helpers that the traffic you actually carry needs.

To enable helper applications:

1. Navigate to the Networking > Firewall > Advanced page.

2. The following helper applications are available:

   FTP: IP information is embedded within FTP traffic; this helper application ensures that
   FTP active mode client connections are not adversely affected by the firewall.
   IRC: IP information is embedded within IRC traffic; this helper application ensures that
   IRC communication is not adversely affected by the firewall.
   Advanced PPTP client support: When enabled, loads special software modules to help PPTP clients.
   This is the protocol used in standard Windows VPNs.
   If this option is not selected, it is still possible for PPTP clients to connect through to
   a server on the outside, but not in all circumstances. Difficulties can occur if multiple
   clients on the local network wish to connect to the same PPTP server on the Internet.
   In this case, this application helper should be used.
   Note: When this application helper is enabled, it is not possible to forward PPTP
   traffic. For this reason, this option is not enabled by default.
   H323: When enabled, loads modules to enable passthrough of H323, a common protocol
   used in Voice over IP (VoIP) applications.
   Without this option enabled, it will not be possible to make VoIP calls. Additionally,
   with this option enabled, it is possible to receive incoming H323 calls through the use
   of a port forward on the H323 port.
   This option is disabled by default because of a theoretical security risk associated
   with the use of H323 passthrough. We recommend that you only enable this feature
   if you require VoIP functionality.

To enable a helper application:

1. In the Network application helpers area, select the application(s) you require.

2. Optionally, in the Advanced area, select Drop to drop traffic silently. This runs Advanced Firewall in
   a stealth-like manner and makes things like port scans harder to do.

3. Click Save changes.

Managing Bad External Traffic


By default, bad traffic is rejected and a "no one here" ICMP unreachable message is sent back to the
sender. This is what Internet hosts are meant to do.
Using the Bad external traffic action option, you can instead drop the traffic silently, which stealths
your firewall and makes things like port scans slower and harder to interpret. Note that dropping does
not make the firewall invisible: a scanner that receives no reply at all still learns that something is
filtering the port, and an address that answers on some ports and stays silent on others is clearly in use.

To manage bad external traffic:

1. Navigate to the Networking > Firewall > Advanced page.

2. From the Bad external traffic drop-down list, select Drop to silently discard the traffic and not send
   a message to the sender, or Reject to reject the traffic and notify the sender.

3. Click Save changes to implement your selection.

Configuring Reflective Port Forwards


By default, port forwards are not accessible from within the same network where the destination of
the forward resides. However, when enabled, the reflective port forwards option allows port forwards
originating on an internal network to reach a host on the same network.
This makes it possible to access a port forwarded service from inside the internal network using the
same (external) address as an external host would, so that, for example, a DNS name that resolves to
the external address works identically from both sides of the firewall.

To configure reflective port forwards:

1. Navigate to the Networking > Firewall > Advanced page.

2. Enable Reflective port forwards and click Save changes.

Managing Connectivity Failback


The following sections explain how to configure failback and automatic failback for connectivity
profiles. For more information on connectivity profiles, see Chapter 3, Connecting Using a Static
Ethernet Connectivity Profile on page 20.

Configuring Connectivity Failback

The following section explains how to configure Advanced Firewall to revert to a specific connectivity
profile after reboot if its primary connectivity profile has failed.

To configure connectivity failback:

1. On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.

2. From the Connectivity failback profile drop-down menu, select the profile to use after reboot if
   the primary connectivity profile has failed.

3. Click Save changes. Advanced Firewall applies and saves the changes.

Configuring Automatic Failback

It is possible to configure Advanced Firewall to enable automatic failback. When enabled, Advanced
Firewall attempts, once a day, to revert to the connectivity failback profile specified in the
Connectivity Failback area.

To configure automatic failback:

1. On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.

2. Enable Automatic failback and click Save changes. Advanced Firewall applies and saves the
   changes.

Managing Outbound Traffic and Services


The following sections discuss port and access rules which are used to control outbound network
traffic and services.

Working with Port Rules

Port rules are used when creating outbound access rules which determine how outbound network
traffic and services are managed. For more information on outbound access rules, see Working with
Outbound Access Policies on page 76.

Predefined Port Rules


Advanced Firewall contains a number of predefined, customizable port rules which allow or reject
network traffic or specific services access on certain ports. Currently, the following port rules are
predefined:

   Allow all: Allow unrestricted outbound access to the Internet.
   Allow basic services: Allow services common to most user computers, including web browsing
   (HTTP and HTTPS) and DNS on listed ports.
   Allow email services: Allow email services on listed ports.
   Reject all: Reject all outbound access to the Internet except for listed ports.
   Reject all P2P: Reject all peer to peer outbound access to the Internet on listed ports. For
   more information, see Managing Blocked Services on page 74.
   Reject all with logging: Reject all outbound access to the Internet except for listed ports and log
   the rejections.
   Reject known exploits: Reject outbound access on the listed ports which are associated with
   many common exploits against programs and services.
   Reject MS ports: Reject outbound access on the listed ports which are associated with
   Microsoft Windows local area networking.


Creating a Port Rule


It is possible to create a custom port rule.

To create a port rule:

1. Navigate to the Networking > Outgoing > Ports page.

2. Click Add new port rule. A dialog box opens.

3. Configure the following settings:

   Name: Enter a name for the port rule. This name will be displayed wherever the rule
   can be selected.
   Action: Select one of the following actions:
      • Reject only listed ports: Reject outbound access on listed ports but allow
        on all other ports.
      • Allow only listed ports: Allow outbound access on listed ports but reject
        on all other ports.
   Rejection logging: Select if you want to log outbound requests rejected by this rule.
   Note: This generates a lot of data and should be used with care.
   Stealth mode: Select if you want to log but not reject outbound requests. Traffic that the rule
   would otherwise reject is allowed through and logged, which is useful for auditing a rule before
   enforcing it.

4. Click Add. Advanced Firewall adds the port rule to the Port rules list. Click the rule's content arrow.
   The ports/services in the rule are displayed.

   Note: Some services use unpredictable port numbers to evade port-based outbound access rules. To
   control access to these services, see Managing Blocked Services on page 74.

5. Click Add new port/service. A dialog box opens.

6. Configure the following settings:

   Status: Select to enable the rule.
   Protocol: From the drop-down menu, select the network protocol to add to the port.
   Destination port: Select one of the following:
      • Any: Any destination port.
      • From the drop-down menu, select the port, port range or group of ports
        you want to allow or deny access to.
      • Enter a custom port number or range of ports if User defined is selected
        in the Service drop-down list. A port range is specified using from:to
        notation, for example: 1024:2048.
   Comment: Enter a description of the port.

7. Click Add. The port is added to the port rule.

Managing Blocked Services


Advanced Firewall is able to detect and block service activity such as Skype and BitTorrent using
deep packet inspection. Unlike a port entry, a blocked service is matched on the content of the traffic,
so it applies regardless of which port the service chooses to use.

To configure blocking services:

1. On the Networking > Outgoing > Ports page, locate the port rule for which you want to configure
   services.

2. Click the rule's content arrow. The ports/services contained in the rule are displayed.

3. Point to Blocked services and click Edit. A dialog box opens.

4. Select the services you want to block.

   Note: The types of services available depend on what Deep Packet Inspection licensing you have
   purchased. Contact your Smoothwall representative for more information.

5. Click Save to save the settings and close the dialog box. Advanced Firewall applies the settings and
   starts blocking the services selected.

Editing a Port Rule


To edit a port rule:

1. On the Networking > Outgoing > Ports page, point to the port rule and select Edit.

2. In the Edit port rule dialog box, make any changes required. See Creating a Port Rule on page 73 for
   information on the settings available.

3. Click Save changes to apply the changes and close the dialog box.

Deleting a Port Rule

To delete a port rule:

1. On the Networking > Outgoing > Ports page, point to the rule and select Delete. When prompted,
   click Delete to confirm that you want to delete the rule and its contents.

Editing a Port Rule's Contents

To edit the contents of a port rule:

1. On the Networking > Outgoing > Ports page, click the rule's content arrow. The ports/services
   contained in the rule are displayed.

2. Point to the port/service and click Edit. In the Edit port/service dialog box, make any changes
   required. See Creating a Port Rule on page 73 for information on the settings available.

3. Click Save changes to apply the changes and close the dialog box.


Working with Outbound Access Policies


Advanced Firewall enables you to create policies which determine outbound access for network
traffic and services depending on:

• the group(s) an authenticated user belongs to, or
• the source and/or destination of the traffic.

Note: Once the network traffic matches a policy, Advanced Firewall does not apply any further policy
matching. Only the port rule attached to the first matching policy is evaluated, so policies do not
combine: a narrow policy placed first must itself contain every restriction you want applied to its traffic.
By default, Advanced Firewall contains a Default policy which uses the Allow all port
rule and allows unrestricted outbound access to the Internet.
You can reorder outbound access policies to suit your requirements. If the outbound network traffic
or service does not match any policy, the Default policy is applied.

Creating Outbound Access Policies for Groups


The Groups section is used to assign outbound access policies to traffic or services from users in an
authenticated group of users.

To assign a policy to a group of users:

1. Navigate to the Networking > Outgoing > Policies page.

2. Click Add new policy. A dialog box opens.

3. Configure the following settings:

   Status: Select Enabled to enable the policy.
   Group: From the drop-down menu, select the group to which the outbound access
   policy applies.
   Port rule: From the drop-down menu, select which port rule to use in the outbound
   access policy. For more information on port rules, see Working with Port Rules
   on page 72.
   Comment: Enter a description for the policy.

4. Click Add. The policy is added to the list of groups.

5. Place the policy where it is required by selecting it and using Up or Down, or by dragging it to the
   correct position and clicking Save moves.

Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.


Note: Group policies cannot be enforced in all circumstances. If a user has not actively authenticated
themselves, using the SSL Login page or by some other authentication method, the user is unknown
to the system and a policy cannot be applied.
Group policies are often more suitable for allowing access to ports and services. In such situations,
users have a reason to pro-actively authenticate themselves so that they can gain access to an
outbound port or service.

Creating Outbound Access Policies for Traffic from Sources and/or Destinations

When the source and/or destination IP addresses of outbound traffic match a policy in the Sources
and Destination addresses, Advanced Firewall checks that the traffic does not break the port rule(s)
assigned to that source and/or destination.

To create a policy:

1. Browse to the Networking > Outgoing > Policies page.

2. Click Add new Policy.

3. In the Add new policy dialog box, configure the following settings:

   Status: Select to enable the policy.
   Name: Enter a name for the policy.
   Source: Configure one of the following to apply the policy to:
      • Any: Any source IP address.
      • A single source IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
   Destination: Configure one of the following to apply the policy to:
      • Any: Any destination IP address.
      • A single destination IP address, a range (x.x.x.x-y.y.y.y) or a subnet (x.x.x.x/y).
   Port rule: From the drop-down list, select the port rule to apply. For more information,
   see Working with Port Rules on page 72.
   Comment: Enter a description for the policy.

4. Click Add. The policy is added to the list of sources and destinations.

5. Place the policy where it is required by selecting it and using Up or Down, or by dragging the rule to
   the correct position and clicking Save moves.

Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.
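The interaction between port rules (Working with Port Rules) and the first-match policy ordering described above is easy to get wrong, so it is worth modelling. The following Python is an added example for this section, not Smoothwall code: it implements the two port rule actions (Reject only listed ports and Allow only listed ports), Rejection logging and Stealth mode as the Ports page defines them, group policies that only ever match an authenticated user, source/destination policies with Any, single, range and subnet addresses, and the rule that the first matching enabled policy decides while the Default policy (Allow all) applies when nothing matches. Evaluating group and source/destination policies as one combined ordered list is this example's assumption; the guide shows them as two sections and does not state their relative order. The rules, the admins group, the addresses and the sample connections are constructed.

```python
"""Model of outbound access policy evaluation (added example, not Smoothwall
code). Treating group and source/destination policies as one ordered list is
an assumption of this example; all rules and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def ip_matches(spec: str, ip: str) -> bool:
    """'any', a single address, an 'x.x.x.x-y.y.y.y' range or an 'x.x.x.x/y' subnet."""
    if spec.lower() == "any":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return ip_address(lo) <= ip_address(ip) <= ip_address(hi)
    return ip_address(ip) in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a from:to range such as 1024:2048."""
    if spec.lower() == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


@dataclass(frozen=True)
class PortEntry:
    protocol: str     # "tcp", "udp", ...
    port: str         # "any", "25" or "135:139"
    enabled: bool = True


@dataclass
class PortRule:
    name: str
    action: str                          # "reject_listed" or "allow_listed"
    entries: List[PortEntry] = field(default_factory=list)
    rejection_logging: bool = False
    stealth_mode: bool = False           # log what would be rejected, but allow it

    def listed(self, proto: str, port: int) -> bool:
        return any(e.enabled and e.protocol == proto and port_matches(e.port, port)
                   for e in self.entries)

    def decide(self, proto: str, port: int) -> Tuple[str, Optional[str]]:
        """Return ("allow" or "reject", log line or None)."""
        hit = self.listed(proto, port)
        rejected = hit if self.action == "reject_listed" else not hit
        if not rejected:
            return "allow", None
        msg = f"port rule {self.name!r}: {proto}/{port} rejected"
        if self.stealth_mode:
            return "allow", msg + " (stealth: allowed)"
        return "reject", msg if self.rejection_logging else None


@dataclass
class Policy:
    port_rule: PortRule
    group: Optional[str] = None   # set: a group policy; unset: a source/destination policy
    source: str = "any"
    destination: str = "any"
    enabled: bool = True

    def matches(self, src_ip: str, dst_ip: str, user_groups) -> bool:
        if not self.enabled:
            return False
        if self.group is not None:
            return self.group in user_groups   # unknown users never match a group policy
        return ip_matches(self.source, src_ip) and ip_matches(self.destination, dst_ip)


ALLOW_ALL = PortRule("Allow all", "reject_listed")   # nothing listed, so nothing rejected


def evaluate(policies: List[Policy], src_ip, dst_ip, proto, port, user_groups=()):
    """The first matching enabled policy decides; the Default policy otherwise."""
    for p in policies:
        if p.matches(src_ip, dst_ip, user_groups):
            return p.port_rule.decide(proto, port)
    return ALLOW_ALL.decide(proto, port)


# Constructed rules and policies. Note the ordering trap: the narrow
# 'Audit MS ports' policy is listed before 'Reject SMTP', so hosts in
# 192.168.100.10-20 never reach the SMTP rule at all.
BASIC = PortRule("Allow basic services", "allow_listed",
                 [PortEntry("tcp", "80"), PortEntry("tcp", "443"),
                  PortEntry("tcp", "53"), PortEntry("udp", "53")])
NO_SMTP = PortRule("Reject SMTP", "reject_listed", [PortEntry("tcp", "25")], rejection_logging=True)
AUDIT_MS = PortRule("Audit MS ports", "reject_listed",
                    [PortEntry("tcp", "135:139"), PortEntry("tcp", "445")], stealth_mode=True)
POLICIES = [
    Policy(ALLOW_ALL, group="admins"),
    Policy(AUDIT_MS, source="192.168.100.10-192.168.100.20"),
    Policy(NO_SMTP, source="192.168.100.0/24"),
    Policy(BASIC, source="192.168.200.0/24"),
]
```

Evaluating a few connections shows the behaviour the notes warn about: an authenticated admin bypasses everything, a protected-network host outside the audited range has SMTP rejected and logged, a host inside the audited range has SMB allowed with a stealth log line but also has SMTP allowed, because the first matching policy's port rule is the only one consulted; a DMZ host can only use the basic services, and traffic from an address no policy names falls through to the Default policy.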

Editing a Policy
To edit a policy:

1. On the Networking > Outgoing > Policies page, point to the rule and select Edit.

2. In the Edit policy dialog box, make any changes required. See Creating Outbound Access Policies
   for Traffic from Sources and/or Destinations on page 77 for information on the settings available.

3. Click Save changes to apply the changes and close the dialog box.

Deleting a Policy

To delete a policy:

1. On the Networking > Outgoing > Policies page, point to the rule and select Delete. When
   prompted, click Delete to confirm that you want to delete the policy.

Managing External Services


Note: The External services page has been superseded by the functionality on the Networking > Outgoing
> Policies page and has been deprecated. It will be removed in a future Advanced Firewall update.
You can prevent local network hosts from using external services by creating appropriate policies to
stop outbound traffic.

To create an external service rule:

1. Navigate to the Networking > Outgoing > External services page and configure the following
   settings:

   Service: Select Empty from the drop-down list.
   Service rule name: Enter a name for the rule.
   Protocol: Select the protocol used by the service.
   Service: From the drop-down menu, select the service, port, port range or group of
   ports. Or, to specify a user defined port, select User defined.
   Port: If User defined is selected in the Service drop-down menu, enter a single
   port or port range. Port ranges are specified using an A:B notation. For example:
   1000:1028 covers the range of ports from 1000 to 1028.
   Rejection logging: Select to log all traffic rejected by the external services rule.
   Stealth mode: Select to allow traffic that would normally be rejected by the external
   services rule and log all traffic in the firewall logs.

2. Click Save. In the Add a new rule area, configure the following settings:

   Destination IP: Enter the IP address of the external service to which the rule applies.
   Comment: Enter a description of the rule.
   Enabled: Select to enable the rule.

3. Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules

To edit or remove existing external service rules, use Edit and Remove in the Current rules area.


Chapter 8

Advanced Firewall Services

In this chapter:

• Working with portals
• Managing the Web Proxy Service on page 87
• Instant Messenger Proxying on page 93
• Monitoring SSL-encrypted Chats on page 96
• SIP Proxying on page 96
• FTP Proxying on page 99
• Reverse Proxy Service on page 102
• SNMP on page 104
• DNS on page 105
• Censoring Message Content on page 109
• Managing the Intrusion System on page 114
• DHCP on page 119

For information on authentication services, see Chapter 10, Authentication and User Management
on page 193.

Working with Portals


Advanced Firewall enables you to create portals which can be configured to make reports and
software downloads available and enable users with the correct privileges to ban other users or
locations from web browsing.
For information on using a portal, see the Advanced Firewall Portal Users Guide.

Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific
group.

To create a user portal and make it available to users:

1. Browse to the Services > User portal > Portals page.

2. In the Portals area, enter a name for the portal and click Save. Advanced Firewall creates the portal
   and makes it accessible on your Advanced Firewall system at, for example:
   http://192.168.72.141/portal/

3. Browse to the Services > User portal > Groups page.

4. Configure the following settings:

   Group: From the drop-down menu, select the group containing the users you want to
   authorize to use the portal. For more information on users and groups, see Chapter
   10, Managing Groups of Users on page 216.
   Portal: From the drop-down menu, select the portal you want the group to access.

5. Click Add. Advanced Firewall authorizes the group to use the portal.

The next step is to configure the portal to enable authorized users to use it to download files, manage
web access and display reports.

Configuring a Portal
The following sections explain how to configure an Advanced Firewall portal so that authorized users
can view reports, enable the policy tester, block other users from accessing the web, download VPN
client files and receive a custom welcome message.

Making Reports Available


To make reports available on a portal:

1. Browse to the Logs and reports > Reports > Reports page and locate the report you want to publish
   on a portal.

2. On the Permissions tab, click Portal Access. A dialog box containing report details opens.

3. From the Add access drop-down list, select the portal where you want to publish the report and
   click Add.

4. Click Close to close the dialog box.

5. Browse to the Services > User portal > Portals page and, in the Portals area, configure the
   following setting:

   Portals: From the drop-down list, select the portal on which you want to
   make reports available and click Select.

6. In the Portal published reports and templates area, configure the following settings:

   Enabled: Select Enabled.
   Top reports displayed on portal home page: From the drop-down list, select the number of reports
   you want to display on the portal's home page. Advanced Firewall will display the most often
   viewed reports.

7. Browse to the bottom of the page and click Save to save the settings and make the reports available
   on the portal.

Enabling the Policy Tester

The policy tester enables portal users to test whether a URL is accessible to a user at a specific
location and time. It also enables them to request that content reported by the tool as blocked be
unblocked by Advanced Firewall's system administrator.
For more information, see Chapter 5, Using the Policy Tester on page 58.

83

Advanced Firewall Services


Working with Portals
To enable the policy tester:
1 Browse to the Services > User portal > Portals page and configure the following settings:

  Setting: Policy tester
  Select Enabled.

  Setting: Allow unblock requests
  Select to allow portal users to send an unblock request to Advanced Firewall's system
  administrator.

  Setting: Administrator's email address
  Enter the email address to send the unblock request to.

2 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Users' Access

You can allow the users in a specific group that has access to the portal to block individual users'
web access.
To authorize blocking:
1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the
  following settings:

  Setting: Portals
  From the drop-down list, select the portal on which you want to authorize groups to block users.

2 In the Portal permissions for web access blocking area, configure the following settings:

  Setting: Enabled
  Select Enabled.

  Setting: Allow control of groups
  Select this option and, in the list of groups displayed, select the group(s) containing the users
  that the group is authorized to block from accessing the web.
  To select consecutively listed groups, hold down the Shift key while selecting. To select
  non-consecutively listed groups, hold down the Ctrl key while selecting.

3 Browse to the bottom of the page and click Save to save the settings.

Enabling Groups to Block Location-based Web Access

You can allow the users in a specific group that has access to an Advanced Firewall portal to block
specific locations from accessing other networks or external connections. For information on
locations, see Chapter 5, Working with Location Objects on page 39.
To enable a group to block users:
1 Browse to the Services > User portal > Portals page and, in the Portals area, configure the
  following settings:

  Setting: Portals
  From the drop-down list, select the portal on which you want to enable groups to block users.

2 In the Portal permissions for web access blocking area, configure the following settings:

  Setting: Enabled
  Select Enabled.

  Setting: Allow control of locations
  Select this option and, in the list of locations displayed, select the location(s) that the
  group is authorized to block from accessing the web.
  To select consecutively listed locations, hold down the Shift key while selecting. To select
  non-consecutively listed locations, hold down the Ctrl key while selecting.

3 Browse to the bottom of the page and click Save to save the settings.

Making the SSL VPN Client Archive Available

You can configure Advanced Firewall portals to make an SSL VPN client archive available for
download on the portal.
To make the archive available:
1 In the VPN connection details area, select SSL VPN client archive download. See Chapter 9,
  Virtual Private Networking on page 127 for information on how to create the archive.
2 Browse to the bottom of the page and click Save to save the settings.

Configuring a Welcome Message

Advanced Firewall enables you to display a customized welcome message when a user visits a portal.
To display a welcome message on a portal:
1 Browse to the Services > User portal > Portals page and, in the Welcome message area, configure
  the following settings:

  Setting: Welcome message
  Select to display the message on the portal. In the text box, enter a welcome message and/or any
  information you wish the user to have, for example regarding acceptable usage of the portal.

2 Browse to the bottom of the page and click Save to save the settings.

Assigning Groups to Portals

The following section explains how to assign a group of users to a portal so that they can access it.
To assign a group to a portal:
1 Browse to the Services > User portal > Groups page.
2 Configure the following settings:

  Setting: Group
  From the drop-down menu, select the group you want to allow access to the portal. For more
  information on groups, see Chapter 10, Managing Groups of Users on page 216.

  Setting: Portal
  From the drop-down menu, select the portal you want the group to access.

3 Click Add. Advanced Firewall will allow members of the group to access the specified portal.

Making User Exceptions


You can configure Advanced Firewall so that a user uses a specific portal. This setting overrides
group settings.

To make user exceptions on a portal:
1 Browse to the Services > User portal > User exceptions page.
2 Configure the following settings:

  Setting: Username
  Enter the username of the user you want to access the portal.

  Setting: Portal
  From the drop-down list, select the portal you want the user to access.

3 Click Add. Advanced Firewall gives the user access to the portal.

Accessing Portals
The following section explains how to access a portal.
To access a portal:
1 In the browser of your choice, enter the URL to the portal on your Advanced Firewall system, for
  example: http://192.168.72.141/portal/
2 Accept any certificate and other security information. Advanced Firewall displays the login page
  for the portal.
3 Enter a valid username and password and click Login. The portal is displayed.
For more information, see the Advanced Firewall Portal User Guide.

Editing Portals
The following section explains how to edit a portal.
To edit a portal:
1 Browse to the Services > User portal > Portals page.
2 From the Portals drop-down list, select the portal you want to edit.
3 Make the changes you require. See Configuring a Portal on page 83 for information on the settings
  available.
4 Click Save to save the changes.

Deleting Portals
The following section explains how to delete a portal.

To delete a portal:
1 Browse to the Services > User portal > Portals page.
2 From the Portals drop-down list, select the portal you want to delete.
3 Click Delete. Advanced Firewall deletes the portal.

Managing the Web Proxy Service


Advanced Firewall's web proxy service provides local network hosts with controlled access to the
Internet with the following features:

Transparent or non-transparent operation

Caching controls for improved resource access times

Support for automatic configuration scripts

Support for remote proxy servers.


Configuring and Enabling the Web Proxy Service

To configure and enable the web proxy service:
1 Navigate to the Services > Proxies > Web proxy page.
2 Configure the following settings:

  Control: Cache size
  Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web
  content, or accept the default value.
  Web and FTP requests are cached. HTTPS requests and pages including username and password
  information are not cached.
  The specified size must not exceed the amount of free disk space available. The cache size should
  be configured to approximately 40% of the system's total storage capacity, up to a maximum of
  around 10 gigabytes (approximately 10000 megabytes) for a high performance system with storage
  capacity in excess of 25 gigabytes.
  Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect
  page access times. This occurs when the system spends more time managing the cache than it saves
  retrieving pages over a fast connection. For slower external connections such as dial-up, the
  cache can dramatically improve access to recently visited pages.

  Control: Remote proxy
  Optionally, enter the IP address or hostname of a remote proxy in the following format:
  hostname:port
  In most scenarios this field will be left blank and no remote proxy will be used. It is used to
  configure the web proxy to operate in conjunction with a remote web proxy. Larger organizations
  may wish to use a dedicated proxy, and some ISPs offer remote proxy servers to their subscribers.

  Control: Remote proxy username
  Enter the remote proxy username if using a remote proxy with user authentication.

  Control: Remote proxy password
  Enter the remote proxy password when using a remote proxy with user authentication.

  Control: Max object size
  Specify the largest object size that will be stored in the proxy cache. Objects larger than the
  specified size will not be cached. This prevents large downloads filling the cache.
  The default of 4096 KBytes (4 MBytes) should be adjusted to a value suitable for the needs of the
  proxy end-users.

  Control: Min object size
  Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the
  specified size will not be cached. The default is no minimum, which should be suitable for most
  purposes. This can be useful for preventing large numbers of tiny objects filling the cache.

  Control: Max outgoing size
  Specify the maximum amount of outbound data that can be sent by a browser in any one request. The
  default is no limit. This can be used to prevent large uploads or form submissions.

  Control: Max incoming size
  Specify the maximum amount of inbound data that can be received by a browser in any one request.
  This limit is independent of whether the data is cached or not. The default is no limit. This can
  be used to prevent excessive and disruptive download activity.
  Control: Transparent
  Select to enable transparent proxying. When operating in transparent mode, network hosts and
  users do not need to configure their web browsers to use the web proxy. All requests are
  automatically redirected through the cache. This can be used to prevent network hosts from
  browsing without using the proxy server. In non-transparent mode, proxy server settings (IP
  address and port settings) must be configured in all browsers.
  For more information, see About Web Proxy Methods on page 91.

  Control: Disable proxy logging
  Select to disable proxy logging.

  Control: Enabled
  Select to enable the web proxy service.

  Control: Allow admin port access
  Select to permit access to other network hosts over ports 81 and 441. This is useful for
  accessing a remote Smoothwall system, or other non-standard HTTP and HTTPS services, through the
  proxy. In normal circumstances such communication would be prevented.
  Note: By selecting this option, it is possible to partially bypass the admin access rules on the
  System > Administration > Admin options page. This would allow internal network hosts to access
  the admin logon prompt via the proxy.

  Control: Do not cache
  Enter any domains that should not be web cached. Enter domain names without the www. prefix, one
  entry per line. This can be used to ensure that old content of frequently updated web sites is
  not cached.

  Control: Exception local IP addresses
  Enter any IP addresses on the local network that should be completely exempt from authentication
  restrictions. Exception local IP addresses are typically used to grant administrator workstations
  completely unrestricted Internet access.

  Control: Banned local IP addresses
  Enter any IP addresses on the local network that are completely banned from using the web proxy
  service. If any hosts contained in this list try to access the web they will receive an error
  page stating that they are banned.

  Control: No user authentication
  Select to allow users to globally access the web proxy service without authentication.

  Control: Proxy authentication
  Select to allow users to access the web proxy service according to the username and password
  that they enter when prompted by their web browser. The username and password details are encoded
  in all future page requests made by the user's browser software.
  Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.

  Control: Core authentication
  Select to allow users to access the web proxy service by asking the authentication system whether
  there is a known user at a particular IP address. If the user has not been authenticated by any
  other authentication mechanism, the user's status is returned by the authentication system as
  unauthenticated.

  Control: Groups allowed to use web proxy
  Authenticated users can be selectively granted or denied access to the web proxy service
  according to their authentication group membership. Proxy access permissions are only applied if
  an authentication method other than No user authentication has been selected.
  Control: Automatic configuration script custom direct hosts
  Enter any additional hosts required in the automatic configuration script's list of direct
  (non-proxy routing) hosts. This is useful for internal web servers such as a company intranet
  server. All hosts listed will be automatically added to a browser's "Do not use proxy server for
  these addresses" proxy settings if it accesses the automatic configuration script for its proxy
  settings.
  Note: Browsers must be configured to access the automatic configuration script to receive this
  list of direct routing hosts.

  Control: Use automatic configuration script address
  After enabling and restarting the service, the automatic configuration script location is
  displayed here.
  Note: Microsoft Internet Explorer provides only limited support for automatic configuration
  scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser's
  implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when
  using the automatic configuration script functionality.

  Control: Manual web browser proxy settings
  After enabling and restarting the service, the proxy address and port settings to be used when
  manually configuring end-user browsers are displayed here.

  Control: Interfaces
  Select the interface for the web proxy traffic.

3 Save and restart the web proxy service by clicking Save and Restart or Save and Restart with
  cleared cache.

Note: Save and Restart with cleared cache saves configuration changes and empties the proxy cache
of all data. This is useful when cache performance has been degraded by the storage of stale
information, typically from failed web-browsing or poorly constructed web sites. The web proxy will
be restarted with any configuration changes applied.
Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be
suspended and any currently active downloads will fail. It is a good idea to restart when it is
convenient for the proxy end-users.

About Web Proxy Methods

The following sections discuss the types of web proxy methods supported by Advanced Firewall.

Transparent Proxying
If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all
HTTP port 80 requests will be automatically redirected through the proxy cache.
If you are having problems with transparent proxying, check that the following settings are not
configured in end-user browsers:

Automatic configuration

Proxy server.

Non-Transparent Proxying
If Advanced Firewall's web proxy service has not been configured to operate in transparent mode,
all end-user browsers on local workstations in Advanced Firewall network zones must be configured.
You can configure browser settings:

Manually: Browsers are manually configured to enable Internet access.

Automatically using a configuration script: Browsers are configured to receive proxy configuration
settings from an automatic configuration script, proxy.pac. The configuration script is
automatically generated by Advanced Firewall and is accessible to all network zones that the web
proxy service is enabled on.

WPAD automatic script: Browsers are configured to automatically detect proxy settings, and a local
DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.

Configuring End-user Browsers

The following steps explain how to configure web proxy settings in the latest version of Internet
Explorer available at the time of writing.
To configure Internet Explorer:
1 Start Internet Explorer, and from the Tools menu, select Internet Options.
2 On the Connections tab, click LAN settings.
3 Configure the following settings:

  Method: Manual
  To configure:
  1 In the Proxy server area, select Use a proxy server for your LAN.
  2 Enter your Advanced Firewall's IP address and port number 800. This information is displayed
    on the Services > Proxies > Web proxy page, in the Automatic configuration script area.
  3 Click Advanced to access more settings.
  4 In the Exceptions area, enter the IP address of your Advanced Firewall and any other IP
    addresses of content that you do not want filtered, for example, your intranet or local wiki.
  5 Click OK and OK to save the settings.

  Method: Automatic configuration script
  To configure:
  1 In the Automatic configuration area, select Use automatic configuration script.
  2 Enter the location of the script, for example: http://192.168.72.141/proxy.pac. The location
    is displayed on the Services > Proxies > Web proxy page, in the Automatic configuration script
    area.
  3 Ensure that no other proxy settings are enabled or have entries.
  4 Click OK and OK to save the settings.

  Method: WPAD
  To configure:
  Note: This method is only recommended for administrators familiar with configuring web and DNS
  servers.
  1 In the Automatic configuration area, select Automatically detect settings.
  2 Click OK and OK to save the settings.
  3 On a local DNS server or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME,
    substituting your domain name. The host must resolve to the Advanced Firewall IP.
  When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to
  the front of the client's fully qualified domain name and looks for a web server on port 80 that
  can supply it a wpad.dat file. The file tells the browser what proxy settings it should use.
  Note: PCs must have been configured with the same domain name as the A record for this to work.
  However, Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on
  Windows 2000, and suggests using a DHCP auto-discovery method with a PAC file instead. See the
  article for more information. This is contrary to some of our testing.

Instant Messenger Proxying

Advanced Firewall's Instant Messenger (IM) proxy service can log the majority of IM traffic.
Advanced Firewall can also censor instant messaging content; for more information, see Censoring
Message Content on page 109.
Note: Advanced Firewall cannot monitor IM sessions within HTTP requests, such as when Microsoft MSN
connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations which are
secured by end-to-end encryption, such as that provided by Off-the-Record Messaging
(http://www.cypherpunks.ca/otr/). However, using SSL Intercept, see below, Advanced Firewall can
monitor Jabber/Google Talk and AIM sessions protected by SSL.

To configure the instant messaging proxy service:
1 Browse to the Services > Proxies > Instant messenger page.
2 Configure the following settings:

  Setting: Enabled
  Select to enable the instant messaging proxy service.

  Setting: Enable Message Censor
  Select to enable censoring of words usually considered unsuitable. Advanced Firewall censors
  unsuitable words by replacing them with *s. For more information, see Censoring Message Content
  on page 109.

  Setting: Hide conversation text
  Select this option to record instant message events, such as messages in and out, but to discard
  the actual conversation text before logging.

  Setting: Block all file transfers
  Select this option to block file transfers using certain IM protocols. Currently, when enabled,
  this setting blocks files transferred using the MSN, ICQ, AIM and Yahoo IM protocols.

  Setting: MSN
  Select to proxy and monitor Microsoft Messenger conversations.

  Setting: AIM and ICQ
  Select to proxy and monitor ICQ and AIM conversations.

  Setting: Yahoo
  Select to proxy and monitor Yahoo conversations.

  Setting: GaduGadu
  Select to proxy and monitor GaduGadu conversations.

  Setting: Jabber
  Select to proxy and monitor conversations which use the Jabber protocol.

  Setting: Intercept SSL
  Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL
  mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 96.

  Setting: Blocked response
  Select to inform IM users that their message or file transfer has been blocked. This option does
  not work with the ICQ/AIM protocol.

  Setting: Logging warning response
  Select to inform IM users that their conversation is being logged.

  Setting: Blocked response message
  Optionally, enter a message to display when a message or file is blocked, or accept the default
  message. If multiple messages or files are blocked, this message is displayed at 15 minute
  intervals.
  Note: This option does not work with the ICQ/AIM protocol.

  Setting: Logging warning response message
  Optionally, enter a message to display informing users that their conversations are being logged.
  This message is displayed once a week.

  Setting: Automatic whitelisting
  Settings here enable you to control who can instant message your local users.
  Block unrecognized remote users: Select this option to automatically add a remote user to the
  white-list when a local user sends them an instant message. Once added to the white-list, the
  remote user and the local user can instant message each other freely. When this option is
  selected, any remote users who are not on the white-list are automatically blocked.
  Number of current entries: Displays the number of entries currently in the whitelist user list.
  Clear Automatic Whitelisted user list: Click to clear the white-list.

  Setting: White-list users
  To whitelist a user, enter their instant messaging ID, for example JohnDoe@hotmail.com.

  Setting: Black-list users
  To blacklist a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.

  Setting: Enabled on interfaces
  Select the interfaces on which to enable IM proxying.

  Setting: Exception local IP addresses
  To exclude specific IP addresses, enter them here.

3 Click Save to save and implement your settings.

Monitoring SSL-encrypted Chats

Advanced Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for
encryption.
Note: Using Network Guardian to monitor SSL-encrypted IM chats reduces security on IM clients as the
clients are unable to validate the real IM server certificate.
To monitor SSL-encrypted conversations:
1 Browse to the Services > Proxies > Instant messenger page. Enable IM proxying and configure the
  settings you require. For full information on the settings available, see Instant Messenger
  Proxying on page 93.
2 Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
3 Click Export Certificate Authority certificate. Advanced Firewall generates an Advanced Firewall
  CA certificate.
4 Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients.
  Advanced Firewall will now monitor and log the chats.

SIP Proxying
Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often
used to set up calls in Voice over Internet Protocol (VoIP) systems.
SIP normally operates on port 5060, and is used to set up sessions between two parties. In the case
of VoIP, it is a RealTime Protocol (RTP) session that is set up, and it is the RTP stream that
carries voice data.
RTP operates on random unprivileged ports and, as such, is not NAT friendly. For this reason,
Advanced Firewall's SIP proxy ensures that RTP is also proxied, allowing VoIP products to work
correctly and solving some of the problems involved in setting up VoIP behind NAT.

Types of SIP Proxy

There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering
proxy, or registrar, allows SIP clients to register so that they may be looked up and contacted by
external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP
addresses are used and the relevant RTP ports can be opened.
Some clients allow users to configure only one SIP proxy, which is invariably the registering
proxy. Others allow for two proxies: one to which the client registers, and one which the client
uses for access, a pass-through.
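The pass-through rewrite just described, as an added example that is not Smoothwall's SIP proxy code: an INVITE from an internal client is rewritten so the far end sees the firewall's public address and an RTP port the proxy controls, and the proxy records where to relay media arriving on that port. The client address 192.168.72.20, public address 203.0.113.10, the RTP port range and the INVITE itself are constructed assumptions.

```javascript
// Added example, not Smoothwall's SIP proxy code: the rewrite a pass-through
// proxy performs on an outbound INVITE so that the external party is given the
// firewall's public address and an RTP port the proxy controls, rather than the
// client's private address and randomly chosen RTP port. The addresses, the RTP
// port range and the INVITE itself are constructed for this illustration.

const CLIENT_IP = "192.168.72.20"; // constructed: internal SIP client
const PUBLIC_IP = "203.0.113.10";  // constructed: firewall external address

// Assemble header lines and SDP lines into a SIP message with a correct
// Content-Length (SIP lines end in CRLF; a blank line separates headers and body).
function buildMessage(headerLines, sdpLines) {
  const body = sdpLines.join("\r\n") + "\r\n";
  const headers = headerLines.filter((h) => !/^Content-Length:/i.test(h));
  headers.push("Content-Length: " + Buffer.byteLength(body, "utf8"));
  return headers.join("\r\n") + "\r\n\r\n" + body;
}

function parseMessage(raw) {
  const split = raw.indexOf("\r\n\r\n");
  if (split < 0) throw new Error("malformed SIP message: no header/body separator");
  return {
    headers: raw.slice(0, split).split("\r\n"),
    sdp: raw.slice(split + 4).split("\r\n").filter((l) => l.length > 0),
  };
}

// Constructed INVITE as the internal client sends it.
const SAMPLE_INVITE = buildMessage(
  [
    "INVITE sip:bob@203.0.113.50 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.72.20:5060;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@192.168.72.20>;tag=1928301774",
    "To: Bob <sip:bob@203.0.113.50>",
    "Call-ID: a84b4c76e66710@192.168.72.20",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.168.72.20:5060>",
    "Content-Type: application/sdp",
  ],
  [
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.72.20",
    "s=-",
    "c=IN IP4 192.168.72.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
  ]
);

// The proxy opens a port of its own for each media stream and remembers which
// client address and port the media arriving on that port must be relayed to.
// Only this range needs opening on the firewall, not the whole unprivileged
// range from which RTP clients may pick.
class RtpRelay {
  constructor(low, high) {
    this.next = low;
    this.high = high;
    this.map = new Map(); // proxy port -> { ip, port } of the internal client
  }
  allocate(clientIp, clientPort) {
    if (this.next + 1 > this.high) throw new Error("RTP port range exhausted");
    const port = this.next;
    this.next += 2; // RTP on an even port, RTCP on port + 1
    this.map.set(port, { ip: clientIp, port: clientPort });
    return port;
  }
}

function replaceIp(text, from, to) {
  return text.split(from).join(to);
}

// Rewrite an outbound INVITE from the internal client. Assumes the usual SDP
// layout in which the session-level "c=" line precedes the "m=" lines.
function rewriteOutbound(raw, relay) {
  const { headers, sdp } = parseMessage(raw);
  // Via and Contact tell the far end where to send responses and later requests,
  // so they must name the proxy. From/To/Call-ID identify the dialogue and stay.
  const newHeaders = headers.map((h) =>
    /^(Via|Contact):/i.test(h) ? replaceIp(h, CLIENT_IP, PUBLIC_IP) : h
  );
  let mediaIp = null;
  const relayPorts = [];
  const newSdp = sdp.map((line) => {
    if (line.startsWith("c=IN IP4 ")) {
      mediaIp = line.slice("c=IN IP4 ".length); // where the client expects media
      return "c=IN IP4 " + PUBLIC_IP;
    }
    if (line.startsWith("m=")) {
      const f = line.split(" "); // m=<media> <port> <proto> <fmt ...>
      const clientPort = parseInt(f[1], 10);
      if (mediaIp === null || Number.isNaN(clientPort)) {
        throw new Error("unsupported SDP: " + line);
      }
      const proxyPort = relay.allocate(mediaIp, clientPort);
      relayPorts.push(proxyPort);
      f[1] = String(proxyPort);
      return f.join(" ");
    }
    return line; // o=, s=, t= and a= lines are left as the client wrote them
  });
  return { message: buildMessage(newHeaders, newSdp), relayPorts };
}
```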


Choosing the Type of SIP Proxying


As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode,
the proxy is only useful as a pass-through.
This mode is useful for those clients which do not support a second proxy within their configuration.
If all your clients can be properly configured with a second proxy, transparent mode is not required.
If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture
of operation is possible.

Configuring SIP
To configure and enable the SIP proxy:
1 Browse to the Services > Proxies > SIP page.
2 Configure the following settings:

  Setting: Enabled
  Select to enable the SIP proxy service.

  Setting: SIP client internal interface
  From the drop-down list, select the interface for the SIP proxy to listen for connections on.
  This is the interface on which you will place your SIP clients.

  Setting: Logging
  Select the logging level required. Select from:
  Normal: Just warnings and errors
  Detailed: Warnings, errors and informational messages
  Very detailed: Everything, including debugging messages.

  Setting: Log calls
  Select if you require individual call logging.

  Setting: Maximum number of clients
  Select the maximum number of clients which can use the proxy. Setting the maximum number of
  clients is a useful way to prevent malicious internal users performing a DoS on your registering
  proxy.

  Setting: Diffserv mark for RTP packets
  From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. This traffic can be
  traffic shaped with SmoothTraffic, if it is installed.
  The built-in RTP proxy is able to apply a Diffserv mark to all RTP traffic which it proxies. This
  is useful because it is otherwise quite tricky to identify RTP traffic, as it may occur on a wide
  range of ports; prioritizing SIP traffic on port 5060 alone would make no difference to VoIP
  calls.
  The standard mark is BE, which is equivalent to doing nothing. Other marks may be interpreted by
  upstream networking equipment, such as that at your ISP, and can also be acted upon by
  SmoothTraffic, Smoothwall's Quality of Service (QoS) module, if it is installed. In this way,
  traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP
  users.

  Setting: Transparent
  The SIP proxy may be configured in both transparent and non-transparent mode. Select this option
  if you require a transparent SIP proxy. When operating transparently, the SIP proxy is not used
  as a registrar, but will allow internal SIP devices to communicate properly with an external
  registrar such as an ITSP.

  Setting: Exception IPs
  Hosts which should not be forced to use the transparent SIP proxy must be listed here.

3 Click Save to enable and implement SIP proxying.

Note: If a client is using the proxy when transparent proxying is turned on, the existing users may
fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built
connection tracking of the firewall's NAT.


FTP Proxying
Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent
proxying possible.

Configuring non-Transparent FTP Proxying

The following section explains how to configure FTP proxying in non-transparent mode.
1 Browse to the Services > Proxies > FTP page.
2 Configure the following settings:

  Setting: Status
  Select Enabled to enable the FTP proxy.

  Setting: Anti-malware scanning
  Select to scan files for malware.
  Note: For performance reasons, files larger than 100 MB are not scanned for malware.

  Setting: Proxy port
  From the drop-down list, select the port for FTP traffic.
  Note: The port you select must be open for the FTP client. You configure this on the
  System > Administration > External access page. See Chapter 13, Configuring External Access on
  page 273 for more information.

  Setting: Access control
  Allow connections to any server: Select to allow FTP connections to all servers.
  Only connections to specified servers: Select to specify which remote FTP connections are allowed
  and configure the following:
  Remote FTP server white-list: Enter the hostname or IP address of any remote FTP servers you want
  to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or
  1.2.3.4. If no information is listed, all hostnames on all ports will be accessible.

3 Click Save changes to save the settings and enable non-transparent FTP proxying.
4 Configure FTP clients as follows:

  Setting: Remote host
  Enter Advanced Firewall's hostname or IP address.

  Setting: Remote port
  Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121. See Configuring
  non-Transparent FTP Proxying on page 99 for more information.

  Setting: Remote username
  Enter the username in the following format:
  remoteusername@remoteftpserver

Configuring Transparent FTP Proxying

To configure transparent FTP proxying:

1  Browse to the Services > Proxies > FTP page.

2  Configure the following settings:

   Status
      Select Enabled to enable the FTP proxy.

   Anti-malware scanning
      Select to scan files for malware.
      Note: For performance reasons, files larger than 100 MB are not scanned for malware.

   Proxy port
      From the drop-down list, select the port for FTP traffic.
      Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 13, Configuring External Access on page 273 for more information.

   Access control
      Allow connections to any server: Select to allow FTP connections to all servers.
      Only connections to specified servers: Select to specify which remote FTP connections are allowed and configure the following:
         Remote FTP server white-list: Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one entry per line, as a hostname or IP address optionally followed by a colon and port number, for example: ftp.company.com or 1.2.3.4
         If no entries are listed, all hostnames on all ports will be accessible.

3  In the Transparent proxy settings area, configure the following settings:

   Source IPs
      Transparently proxy all IPs: Select to transparently proxy FTP for all source IPs.
      Transparently proxy only the following IPs: Select to transparently proxy FTP only for the source IPs specified. Enter the IP addresses of local machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
      Transparently proxy all except the following IPs: Select to transparently proxy FTP for all except the source IPs specified. Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4

   Destination IPs
      Transparently proxy all IPs: Select to transparently proxy FTP for all destination IPs.
      Transparently proxy only the following IPs: Select to transparently proxy FTP only for the destination IPs specified. Enter the IP addresses of the machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4
      Transparently proxy all except the following IPs: Select to transparently proxy FTP for all except the destination IPs specified. Enter the IP addresses of the machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example: 1.2.3.4

   Transparent proxy interfaces
      Select the interface on which to transparently proxy FTP traffic.

4  Click Save changes to save the settings and enable transparent FTP proxying.

When running Advanced Firewall's FTP proxy in transparent mode, you do not need to configure FTP client applications.
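
The following is an added example, not Smoothwall's code, showing how the source IP selection, destination IP selection and remote server white-list above combine into one access decision for an intercepted FTP connection. The class and function names (IpSelection, FtpProxyPolicy, parse_whitelist, server_allowed) are constructed for this illustration, the sample policy is constructed, and it assumes that a white-list entry written without a port allows that host on any port, which the guide does not state explicitly; the guide's rule that an empty white-list allows every host on every port is implemented as written.

```python
"""Access decision for a transparently proxied FTP connection, modelled on the
settings described above. Added example; this is not Smoothwall's code and the
names below are constructed to mirror the page.

Rule semantics taken from the guide:
  - source and destination IP selection is one of "all", "only" (only the
    listed IPs) or "all_except" (everything but the listed IPs)
  - the remote FTP server white-list holds one "host" or "host:port" per line
  - an empty white-list means every host on every port is reachable
Assumption: a white-list entry without a port allows that host on any port.
IPv4 hosts only (a colon is taken as the host/port separator).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IpSelection:
    mode: str                          # "all", "only" or "all_except"
    addresses: frozenset = frozenset()

    def covers(self, ip: str) -> bool:
        """True when traffic from/to this IP is intercepted by the proxy."""
        listed = ip_address(ip) in {ip_address(a) for a in self.addresses}
        if self.mode == "all":
            return True
        if self.mode == "only":
            return listed
        if self.mode == "all_except":
            return not listed
        raise ValueError(f"unknown selection mode {self.mode!r}")


def parse_whitelist(text: str) -> List[Tuple[str, Optional[int]]]:
    """Parse one 'host' or 'host:port' entry per line; blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if sep and port.isdigit():
            entries.append((host.lower(), int(port)))
        else:
            entries.append((line.lower(), None))   # no port given: any port (assumption)
    return entries


def server_allowed(entries, host: str, port: int) -> bool:
    """Empty white-list allows everything, as the guide documents."""
    if not entries:
        return True
    host = host.lower()
    return any(h == host and (p is None or p == port) for h, p in entries)


@dataclass
class FtpProxyPolicy:
    allow_any_server: bool
    whitelist: list
    sources: IpSelection
    destinations: IpSelection

    def decide(self, src_ip: str, dst_ip: str, dst_host: str, dst_port: int) -> str:
        """Return 'proxy' (intercepted and allowed), 'deny' (intercepted but
        refused by access control) or 'bypass' (not intercepted at all)."""
        if not (self.sources.covers(src_ip) and self.destinations.covers(dst_ip)):
            return "bypass"
        if self.allow_any_server or server_allowed(self.whitelist, dst_host, dst_port):
            return "proxy"
        return "deny"


# Constructed sample policy: intercept only one workstation, to any destination,
# and allow it to reach only two remote servers.
SAMPLE_POLICY = FtpProxyPolicy(
    allow_any_server=False,
    whitelist=parse_whitelist("ftp.company.com\n1.2.3.4:21\n"),
    sources=IpSelection("only", frozenset({"10.0.0.5"})),
    destinations=IpSelection("all"),
)

if __name__ == "__main__":
    for args in [("10.0.0.5", "203.0.113.10", "ftp.company.com", 21),
                 ("10.0.0.5", "1.2.3.4", "1.2.3.4", 2121),
                 ("10.0.0.9", "1.2.3.4", "1.2.3.4", 21)]:
        print(args, "->", SAMPLE_POLICY.decide(*args))
```

The point worth checking in your own configuration is the last rule: with Only connections to specified servers selected but no entries in the white-list, the effective behaviour is the same as Allow connections to any server.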

Reverse Proxy Service

Advanced Firewall's reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. The reverse proxy service:

- Provides the ability to route multiple HTTP and HTTPS sites to each of their own internal servers.
- Provides the ability to publish Microsoft Exchange services such as Outlook Web Access (OWA) and Outlook Anywhere (previously RPC over HTTPS).
- Monitors traffic passing through the reverse proxy.
- Increases server efficiency by SSL off-loading.
- Improves web server security using the intrusion prevention system (IPS).

Configuring the Reverse Proxy Service

The following sections explain how to enable, configure and deploy the reverse proxy service.

To enable, configure and deploy the reverse proxy service:

1  Navigate to the Services > Proxies > Reverse proxy page.

2  In the Global options area, configure the following settings:

   Reverse proxy
      Select one of the following settings:
      Enable: Select to enable the service.
      Disable: Select to disable the service.

   SSL certificate
      The reverse proxy service caters for HTTPS sites using an SSL certificate. Select one of the following options to specify the SSL certificate to use:
      Built-in: Select this option to use Advanced Firewall's built-in SSL certificate.
      Custom certificate: Select this option to upload a custom certificate and key file.
      Note: The certificate and key files must be distinct and separate and they must be in the unencrypted PEM format.
      To upload a custom certificate and key:
      1  Certificate: Click the Choose file/Browse button, browse to and select the certificate, then click Upload to upload the certificate.
      2  Key: Click the Choose file/Browse button, browse to and select the key, then click Upload to upload the key.
      Tip: You can use the XCA certificate and key management client to import and export your SSL certificates and key files in any standard format.

3  Optionally, click Advanced and configure the following settings:

   Intrusion prevention
      Advanced Firewall's intrusion prevention system (IPS) policies stop intrusions such as known and zero-day attacks, undesired access and denial of service. Select Enable to apply an enabled IPS policy. For more information, see Managing the Intrusion System on page 114.

   Failback internal address
      Enter the IP address, e.g. 192.168.1.1, or IP address and port, e.g. 192.168.1.1:1234, of the web server to fail back to if a request does not match an address already configured.

4  Click Save to save the global options. In the Manage rule area, configure the following settings:

   Name
      Enter a descriptive name for the reverse proxy rule.

   External address
      Enter the URL, domain or IP address of the site you want to publish in the following format: http://example.com, https://www.example.com/, http://.example.com or http://example.com/path/
      You must include http or https in the address.
      You can also enter a path to the site you want to publish in the URL.
      Note: When configuring www.example.com and example.com, they are treated as distinct and separate sites, unless you use a wildcard for the domain. To use a wildcard, specify it as: .example.com

   Internal address
      Enter the protocol with the IP address or IP address and port of the web server, e.g. http://192.168.1.1, https://192.168.1.1, http://192.168.1.1:1234
      A port number is optional on the internal address; this enables you to specify custom destination ports for various internal web servers. If no port is specified, Advanced Firewall will default to 80 for HTTP sites and 443 for HTTPS sites.

5  Click Save. Advanced Firewall enables and deploys the reverse proxy rule and lists it in the Rules area.

6  Repeat the steps above to enable, configure and deploy more rules.
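
The following is an added example, not Smoothwall's implementation, that models how the External address, Internal address and Failback internal address settings above decide where a request is forwarded. The Rule structure, the parse_external, parse_internal, parse_failback and route functions and the sample rule set are constructed for this illustration. The guide's stated rules are applied as written (http or https required, .example.com as a wildcard, www.example.com and example.com otherwise distinct, default ports 80 and 443, failback when nothing matches); three points the guide leaves open are assumptions here: the wildcard also covers the apex name, the failback address is reached over http when no port is given, and when several rules match an exact host beats a wildcard and a longer path prefix wins.

```python
"""Reverse proxy rule matching, modelled on the External address, Internal
address and Failback internal address settings described above. Added example;
not Smoothwall's implementation. Rule, parse_external, parse_internal,
parse_failback, route and the tie-break ordering are constructed here.

Semantics taken from the guide:
  - an external address must start with http:// or https://, names a host and
    may carry a path; a host written as .example.com is a wildcard
  - www.example.com and example.com are distinct unless a wildcard is used
  - an internal address is scheme://ip[:port]; the port defaults to 80 for
    http and 443 for https
  - a request matching no rule is sent to the failback internal address
Assumptions: the wildcard covers the apex name as well as its sub-domains; the
failback address is reached over http when no port is given; when several
rules match, an exact host beats a wildcard and a longer path prefix wins.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Rule:
    name: str
    external: str   # e.g. "https://www.example.com/" or "http://.example.com"
    internal: str   # e.g. "http://192.168.1.1" or "http://192.168.1.1:1234"


def parse_external(url: str) -> Tuple[str, str, str]:
    """Return (scheme, host, path_prefix); the prefix always ends in '/'."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.netloc:
        raise ValueError(f"external address must include http or https: {url!r}")
    prefix = u.path if u.path.endswith("/") else u.path + "/"
    return u.scheme, u.netloc.lower(), prefix


def parse_internal(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) with the guide's default ports applied."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"internal address must include http or https: {url!r}")
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]


def parse_failback(addr: str) -> Tuple[str, str, int]:
    """'192.168.1.1' or '192.168.1.1:1234' -> ('http', host, port); http is an assumption."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return "http", host, int(port)
    return "http", addr, 80


def host_matches(pattern: str, host: str) -> bool:
    host = host.lower()
    if pattern.startswith("."):              # wildcard: apex and every sub-domain
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def route(rules: List[Rule], failback: str, scheme: str, host: str,
          path: str = "/") -> Tuple[str, str, int]:
    """Pick the backend (scheme, host, port) for one request."""
    path = path or "/"
    best: Optional[Rule] = None
    best_key = None
    for rule in rules:
        r_scheme, r_host, r_prefix = parse_external(rule.external)
        if r_scheme != scheme or not host_matches(r_host, host):
            continue
        if not (path.startswith(r_prefix) or path == r_prefix.rstrip("/")):
            continue
        key = (not r_host.startswith("."), len(r_prefix))   # exact host, then longest prefix
        if best_key is None or key > best_key:
            best, best_key = rule, key
    if best is None:
        return parse_failback(failback)
    return parse_internal(best.internal)


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("owa",     "https://mail.example.com/",    "https://192.168.1.10"),
    Rule("web",     "http://www.example.com",       "http://192.168.1.20:8080"),
    Rule("docs",    "http://www.example.com/docs/", "http://192.168.1.40"),
    Rule("any-sub", "http://.example.com",          "http://192.168.1.30"),
]
SAMPLE_FAILBACK = "192.168.1.1:1234"

if __name__ == "__main__":
    for req in [("https", "mail.example.com", "/owa/"), ("http", "www.example.com", "/docs/a.html"),
                ("http", "intranet.example.com", "/"), ("http", "other.example.org", "/")]:
        print(req, "->", route(SAMPLE_RULES, SAMPLE_FAILBACK, *req))
```

Two behaviours are worth noticing when you review your own rules: a request for an HTTPS site that only has an HTTP rule is not matched by that rule, so it falls through to a wildcard or the failback; and the failback server receives every request for a name you did not publish, so it should be a server you are happy to expose.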

SNMP

Simple Network Management Protocol (SNMP) is part of the IETF's Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes.

Advanced Firewall's SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:

- System name, description, location and contact information
- Live TCP and UDP connection tables
- Detailed network interface and usage statistics
- Network routing table
- Disk usage information
- Memory usage information.

In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP service is enabled. The SNMP service allows all gathered management data to be queried by any SNMP-compatible NMS (Network Management System) device that is a member of the same SNMP community.

The Community field is effectively a simple password control that enables SNMP devices sharing the same password to communicate with each other.

To enable and configure the SNMP service:

1  Navigate to the Services > SNMP > SNMP page.

2  Select Enabled and enter the SNMP community password into the Community text field. The default value public is the standard SNMP community.

3  Click Save.

Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by Advanced Firewall's SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.

Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 13, Configuring Administration and Access Settings on page 272.
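
The following is an added example, not Smoothwall code, that makes the "simple password control" point above concrete: it builds an SNMPv2c GetRequest for sysName.0 and then reads the community string back out of the bytes, showing that the community travels in cleartext in every request. The helper names (snmp_get, community_of and the BER encoders) are constructed here; the BER and SNMP encodings themselves are the standard ones. The decoder is the useful half for a defender: run it over captured SNMP datagrams to find devices that still answer to the default community public, or management stations still sending it.

```python
"""Builds and decodes SNMPv2c packets to show what the Community field really
is: a cleartext string carried in every request. Added example; not Smoothwall
code. snmp_get, community_of and the BER helpers are constructed here and
implement only the subset of ASN.1 BER that SNMPv1/v2c needs.
"""
from typing import Tuple


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement (leading 0x00 if the top bit is set)."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmp_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest for one OID (version field 1 means v2c)."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")            # OID, NULL
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
               + _tlv(0x30, varbind))                            # GetRequest-PDU
    return _tlv(0x30, ber_int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_length(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a BER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def community_of(packet: bytes) -> Tuple[int, str]:
    """Return (version, community) from an SNMPv1/v2c packet; raise ValueError otherwise.
    SNMPv3 messages have no OCTET STRING community at this position and are rejected."""
    if not packet or packet[0] != 0x30:
        raise ValueError("not an SNMP message")
    _, i = _read_length(packet, 1)
    if packet[i] != 0x02:
        raise ValueError("version field missing")
    n, i = _read_length(packet, i + 1)
    version = int.from_bytes(packet[i:i + n], "big")
    i += n
    if packet[i] != 0x04:
        raise ValueError("community field missing")
    n, i = _read_length(packet, i + 1)
    return version, packet[i:i + n].decode("ascii", errors="replace")


SYS_NAME = "1.3.6.1.2.1.1.5.0"

if __name__ == "__main__":
    pkt = snmp_get("public", SYS_NAME)
    print(pkt.hex())
    print("community on the wire:", community_of(pkt))
```

Because the community is visible to anyone who can see the traffic, treat it as the guide says, as a password: change it from public, and restrict which addresses may reach the service on the System > Administration > External access page rather than relying on the community alone.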

DNS

The following sections discuss domain name system (DNS) services in Advanced Firewall.

Adding Static DNS Hosts

Advanced Firewall can use a local hostname table to resolve internal hostnames. This allows the IP address of a named host to be resolved from its hostname.

Note: Advanced Firewall itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.

To add a static DNS host:

1  Navigate to the Services > DNS > Static DNS page.

2  Configure the following settings:

   IP address
      Enter the IP address of the host you want to be resolved.

   Hostname
      Enter the hostname that you would like to resolve to the IP address.

   Comment
      Enter a description of the host.

   Enabled
      Select to enable resolution of the new host.

3  Click Add. The static host is added to the Current hosts table.

Editing and Removing Static Hosts

To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.

Enabling the DNS Proxy Service

The DNS proxy service is used to provide internal and external name resolution services for local network hosts.

In this mode, local network hosts use Advanced Firewall as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names that have been defined in Advanced Firewall's static DNS hosts table.

To enable the DNS proxy service on a per-interface basis:

1  Navigate to the Services > DNS > DNS Proxy page.

2  Configure the following settings:

   Interfaces
      Select each interface that should be able to use the DNS proxy.

   Advanced
      Forward SRV & SOA records: Optionally, select this setting to stop the DNS proxy from filtering out SRV and SOA records. Filtering them out would prevent SIP, Kerberos and other services from functioning.

3  Click Save.

Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup process of Advanced Firewall, the system will use the DNS proxy for name resolution.

Managing Dynamic DNS

Advanced Firewall's dynamic DNS service is useful when using an external connection that does not have a static IP.

The dynamic DNS service can operate with a number of third-party dynamic DNS service providers, in order to enable consistent routing to Advanced Firewall from the Internet.

Dynamic host rules are used to automatically update leased DNS records by contacting the service provider whenever the system's IP address is changed by the ISP.

The following dynamic DNS service providers are supported:

- dhs.org
- hn.org
- easydns.com
- dyndns.org (Dynamic)
- dyndns.org (Custom)
- dyndns.org (Static)
- dyns.cx
- no-ip.com
- ods.org
- ez-ip.net
- zoneedit.com

Many of these service providers offer a free of charge, basic service.

To create a dynamic host:

1  Navigate to the Services > DNS > Dynamic DNS page.

2  Configure the following settings:

   Service
      From the drop-down list, select your dynamic DNS service provider.

   Behind a proxy
      Select if your service provider is no-ip.com and the system is behind a web proxy.

   Enable wildcards
      Select to specify that sub-domains of the hostname should resolve to the same IP address, for example domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP.
      Note: This option cannot be used with no-ip.com; it must be selected on their web site.

   Hostname
      Enter the hostname registered with the dynamic DNS service provider.
      Note: This is not necessary when using dyndns.org as the service provider.

   Domain
      Enter the domain registered with the dynamic DNS service provider.

   Username
      Enter the username registered with the dynamic DNS service provider.

   Password
      Enter the password registered with the dynamic DNS service provider.

   Comment
      Enter a description of the dynamic DNS host.

   Enabled
      Select to enable the service.

3  Click Add. The dynamic host will be added to the Current hosts table.

Editing and Removing Dynamic Hosts

To edit or remove existing dynamic hosts, use Edit and Remove in the Current hosts area.

Forcing a Dynamic DNS Update

The dynamic DNS service will update the DNS records for the host whenever the host's IP address changes. However, it may be necessary on some occasions to forcibly update the service provider's records.

To force an update:

1  Click Force update.

Note: Dynamic DNS service providers do not like updating their records when an IP address has not changed, and may suspend the user accounts of users they deem to be abusing their service.
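
The following is an added example, not Smoothwall's updater, of the change-gating logic that keeps an update client on the right side of the note above: it remembers the last address it pushed, reports an update as due only when the address has changed or an administrator forces one, and rate-limits forced updates. The UpdateGuard name and the ten-minute interval are constructed for this illustration; the guide specifies no interval.

```python
"""Change-gated dynamic DNS updates. Added example; not Smoothwall's updater.
UpdateGuard is constructed here.

The guide warns that providers may suspend accounts that push updates when the
address has not changed. This guard remembers the last address it pushed and
reports an update as due only when the address differs, or when the
administrator forces one. Forced updates are additionally rate-limited; the
ten-minute interval is an assumption, not something the guide specifies.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class UpdateGuard:
    min_force_interval: timedelta = timedelta(minutes=10)   # assumption
    last_ip: Optional[str] = None
    last_pushed: Optional[datetime] = None

    def decide(self, current_ip: str, now: datetime, force: bool = False) -> Tuple[bool, str]:
        """Return (should_push, reason) without changing state."""
        if self.last_ip is None:
            return True, "first update"
        if current_ip != self.last_ip:
            return True, f"address changed {self.last_ip} -> {current_ip}"
        if force:
            if self.last_pushed is not None and now - self.last_pushed < self.min_force_interval:
                return False, "forced update rate-limited"
            return True, "forced by administrator"
        return False, "address unchanged"

    def record_push(self, ip: str, now: datetime) -> None:
        """Call only after the provider has accepted the update."""
        self.last_ip, self.last_pushed = ip, now


if __name__ == "__main__":
    guard, t0 = UpdateGuard(), datetime(2013, 12, 1, 12, 0)
    print(guard.decide("203.0.113.5", t0))
    guard.record_push("203.0.113.5", t0)
    print(guard.decide("203.0.113.5", t0 + timedelta(minutes=1), force=True))
```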

Censoring Message Content

Advanced Firewall enables you to create and deploy policies which accept, modify, block and/or log content in messages.

Configuration Overview

Configuring a message censor policy entails:

- Defining custom categories required to cater for situations not cov­ered by the default Advanced Firewall phrase lists. For more information, see Creating Custom Categories on page 109.
- Configuring time periods during which policies are applied. For more information, see Setting Time Periods on page 110.
- Configuring filters which classify messages by their textual content. For more information, see Creating Filters on page 111.
- Configuring and deploying a policy consisting of a filter, an action, a time period and a level of severity. See Creating and Applying Message Censor Policies on page 113.

Managing Custom Categories

Custom categories enable you to add phrases which are not covered by the default Advanced Firewall phrase lists. The following sections explain how to create, edit and delete custom categories.

Creating Custom Categories

The following section explains how to create a custom category.

To create a custom category:

1  Browse to the Services > Message censor > Custom categories page.

2  Configure the following settings:

   Name
      Enter a name for the custom category.

   Comment
      Optionally, enter a description of the category.

   Phrases
      Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:
      (example-exact-phrase): Advanced Firewall matches exact phrases without taking into account possible spelling errors.
      (example-approximate-phrase)(2): For the number specified, Advanced Firewall uses fuzzy matching to take into account that number of spelling mistakes or typographical errors when searching for a match.

3  Click Add. Advanced Firewall adds the custom category to the current categories list and makes it available for selection on the Services > Message censor > Filters page.

Editing Custom Categories

The following section explains how to edit a custom category.

To edit a custom category:

1  Browse to the Services > Message censor > Custom categories page.

2  In the Current categories area, select the category and click Edit.

3  In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.

4  At the top of the page, click Restart to apply the changes.

Deleting Custom Categories

The following section explains how to delete custom categories.

To delete custom categories:

1  Browse to the Services > Message censor > Custom categories page.

2  In the Current categories area, select the category or categories and click Remove.

3  At the top of the page, click Restart to apply the changes.

Setting Time Periods

You can configure Advanced Firewall to apply policies at certain times of the day and/or days of the week.

To set a time period:

1  Browse to the Services > Message censor > Time page.

2  Configure the following settings:

   Active from / to
      From the drop-down lists, set the time period.

   Name
      Enter a name for the time period.

   Comment
      Optionally, enter a description of the time period.

   Select the weekdays when the time period applies.

3  Click Add. Advanced Firewall creates the time period and makes it available for selection on the Services > Message censor > Policies page.

Editing Time Periods

The following section explains how to edit a time period.

To edit a time period:

1  Browse to the Services > Message censor > Time page.

2  In the Current time periods area, select the time period and click Edit.

3  In the Time period settings, edit the settings. When finished, click Add to save your changes.

4  At the top of the page, click Restart to apply the changes.

Deleting Time Periods

The following section explains how to delete time periods.

To delete time periods:

1  Browse to the Services > Message censor > Time page.

2  In the Current time periods area, select the period(s) and click Remove.

3  At the top of the page, click Restart to apply the changes.

Creating Filters

Advanced Firewall uses filters to classify messages according to their textual content. Advanced Firewall supplies a default filter. You can create, edit and delete filters. You can also create custom categories of phrases for use in filters; for more information, see Creating Custom Categories on page 109.

To create a filter:

1  Browse to the Services > Message censor > Filters page.

2  Configure the following settings:

   Name
      Enter a name for the filter.

   Comment
      Optionally, enter a description of the filter.

   Custom phrase list
      Select the categories you want to include in the filter.

3  Click Add. Advanced Firewall creates the filter and makes it available for selection on the Services > Message censor > Policies page.

Editing Filters

You can add, change or delete categories in a filter.

To edit a filter:

1  Browse to the Services > Message censor > Filters page.

2  In the Current filters area, select the filter and click Edit.

3  In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.

4  At the top of the page, click Restart to apply the changes.

Deleting Filters

You can delete filters which are no longer required.

To delete filters:

1  Browse to the Services > Message censor > Filters page.

2  In the Current filters area, select the filter(s) and click Remove.

3  At the top of the page, click Restart to apply the changes.

Creating and Applying Message Censor Policies

The following section explains how to create and apply a censor policy for message content. A policy consists of a filter, an action, a time period and a level of severity.

To create and apply a censor policy:

1  Browse to the Services > Message censor > Policies page.

2  Configure the following settings:

   Service
      From the drop-down menu, select one of the following options:
      IM proxy incoming: Select to apply the policy to incoming instant message content.
      IM proxy outgoing: Select to apply the policy to outgoing instant message content.
      Click Select to update the policy settings available.

   Filter
      From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 111.

   Time period
      From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 110.

   Action
      From the drop-down menu, select one of the following actions:
      Block: Content which is matched by the filter is discarded.
      Censor: Content which is matched by the filter is masked but the message is delivered to its destination.
      Categorize: Content which is matched by the filter is allowed and logged.
      Allow: Content which is matched by the filter is allowed and is not processed by any other filters.

   Log severity level
      Based on the log severity level, you can configure Advanced Firewall to send an alert if the policy is violated. From the drop-down list, select a level to assign to the content if it violates the policy. See Chapter 12, Configuring the Inappropriate Word in IM Monitor Alert on page 232 for more information.

   Comment
      Optionally, enter a description of the policy.

   Enabled
      Select to enable the policy.

3  Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies the policy and adds it to the list of current policies.
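
The following is an added example, not Smoothwall's implementation, that ties together the pieces described in this chapter: the bracketed phrase format with its optional error count from Creating Custom Categories, a weekday/time-of-day period from Setting Time Periods, and the Block, Censor, Categorize and Allow actions and severity level from the policy settings above. The names parse_phrases, TimePeriod, Policy and apply_policies, the sample message and the sample filter are constructed for this illustration. Three details the guide does not specify are assumptions here: matching is case-insensitive over windows of whole words, the error count is Levenshtein edit distance, and policies are evaluated in list order.

```python
"""Message censor policy evaluation, modelled on the custom-category phrase
format, time periods, filters and policy actions described above. Added
example; not Smoothwall's implementation. parse_phrases, TimePeriod, Policy
and apply_policies are constructed here.

Taken from the guide:
  - a category line is "(phrase)" for an exact match or "(phrase)(N)" where N
    spelling or typing errors are tolerated
  - a policy is a filter (set of phrases), an action, a time period and a
    severity; Block discards, Censor masks, Categorize allows and logs,
    Allow stops any further filtering
Assumptions: matching is case-insensitive over windows of whole words, the
error budget is Levenshtein edit distance, and policies apply in list order.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Tuple

PHRASE_RE = re.compile(r"^\((?P<phrase>[^()]+)\)(?:\((?P<errors>\d+)\))?$")


def parse_phrases(text: str) -> List[Tuple[str, int]]:
    """Return [(phrase, max_errors)] from one-phrase-per-line category text."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHRASE_RE.match(line)
        if not m:
            raise ValueError(f"phrase must be written in brackets: {line!r}")
        out.append((m["phrase"].strip().lower(), int(m["errors"] or 0)))
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_matches(message: str, phrases) -> List[Tuple[int, int, str]]:
    """Return (start, end, phrase) for every word window within a phrase's error budget."""
    words = [(m.start(), m.end()) for m in re.finditer(r"\S+", message)]
    hits = []
    for phrase, max_err in phrases:
        n = len(phrase.split())
        for k in range(len(words) - n + 1):
            start, end = words[k][0], words[k + n - 1][1]
            window = message[start:end].lower()
            ok = window == phrase if max_err == 0 else edit_distance(window, phrase) <= max_err
            if ok:
                hits.append((start, end, phrase))
    return hits


@dataclass(frozen=True)
class TimePeriod:
    start: time
    end: time
    weekdays: FrozenSet[int]          # 0 = Monday ... 6 = Sunday

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() <= self.end


@dataclass(frozen=True)
class Policy:
    phrases: tuple                    # the filter: output of parse_phrases, as a tuple
    action: str                       # "block", "censor", "categorize" or "allow"
    period: TimePeriod
    severity: str = "info"


def apply_policies(message: str, policies, at: datetime):
    """Return (text to deliver, or None if blocked; log entries of (action, severity, phrases))."""
    log, text = [], message
    for p in policies:
        if not p.period.active(at):
            continue
        hits = find_matches(text, p.phrases)
        if not hits:
            continue
        log.append((p.action, p.severity, sorted({h[2] for h in hits})))
        if p.action == "block":
            return None, log
        if p.action == "censor":                      # mask matched words, keep spacing
            chars = list(text)
            for s, e, _ in hits:
                for i in range(s, e):
                    if not chars[i].isspace():
                        chars[i] = "*"
            text = "".join(chars)
        elif p.action == "allow":                     # not processed by any other filter
            break
        # "categorize": allowed and logged; the remaining policies still apply
    return text, log


# Constructed sample: a spam-like instant message and a weekday office-hours period.
OFFICE_HOURS = TimePeriod(time(9, 0), time(17, 0), frozenset(range(5)))
SAMPLE_FILTER = tuple(parse_phrases("(free money)\n(pharmacy)(2)\n"))
SAMPLE_MESSAGE = "Get FREE money at the farmacy now"

if __name__ == "__main__":
    policy = Policy(SAMPLE_FILTER, "censor", OFFICE_HOURS, severity="warning")
    print(apply_policies(SAMPLE_MESSAGE, [policy], datetime(2013, 12, 2, 10, 30)))
```

The ordering matters in practice: an Allow policy listed before a Block policy for the same phrase lets the message through unblocked, which is the behaviour the Allow description above promises, so put narrow Allow exceptions after the broad rules they are meant to override only if that is really the intent.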

Editing Policies

You can add, change or delete a policy.

To edit a policy:

1  Browse to the Services > Message censor > Policies page.

2  In the Current policies area, select the policy and click Edit.

3  Edit the settings as required; see Creating and Applying Message Censor Policies on page 113 for information on the settings available. When finished, click Add to save your changes.

4  At the top of the page, click Restart to apply the changes.

Deleting Policies

You can delete policies which are no longer required.

To delete policies:

1  Browse to the Services > Message censor > Policies page.

2  In the Current policies area, select the policy or policies and click Remove.

3  At the top of the page, click Restart to apply the changes.

Managing the Intrusion System

Advanced Firewall's intrusion system performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. Advanced Firewall can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks.

All violations are logged and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.

Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.

About the Default Policies

By default, Advanced Firewall comes with a number of intrusion policies which you can deploy immediately. The default policies will change as emerging threats change and will be updated regularly.

Deploying Intrusion Detection Policies

Advanced Firewall's default policies enable you to deploy intrusion detection immediately to identify threats on your network.

To deploy an intrusion detection policy:

1  Browse to the Services > Intrusion system > IDS page.

2  Configure the following settings:

   IDS Policy
      From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 114 for more information on the policies available. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network; see Chapter 8, Creating Custom Policies on page 117.

   Interface
      From the drop-down list, select the interface on which you want to deploy the policy.

   Comment
      Enter a description for the policy.

   Enabled
      Select this option to enable the policy.

3  Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.

Removing Intrusion Detection Policies

To remove an intrusion detection policy from deployment:

1  Browse to the Services > Intrusion system > IDS page.

2  In the Current IDS policies area, select the policy you want to remove.

3  Click Remove. Advanced Firewall removes the policy.

Deploying Intrusion Prevention Policies

Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.

Advanced Firewall enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.

To deploy an intrusion prevention policy:

1  Browse to the Services > Intrusion system > IPS page.

2  Configure the following settings:

   IPS Policy
      From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 114 for more information on the policies available. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network; see Chapter 8, Creating Custom Policies on page 117.

   Comment
      Enter a description for the policy.

   Enabled
      Select this option to enable the policy.

3  Click Add. Advanced Firewall lists the policy in the Current IPS policies area.

Removing Intrusion Prevention Policies

To remove an intrusion prevention policy from deployment:

1  Browse to the Services > Intrusion system > IPS page.

2  In the Current IPS policies area, select the policy you want to remove.

3  Click Remove. Advanced Firewall removes the policy.

Creating Custom Policies

By default, Advanced Firewall contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.

To create a custom policy:

1  Browse to the Services > Intrusion system > Policies page.

   Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed up the process.

2  Configure the following settings:

   Name
      Enter a name for the policy you are creating.

   Comment
      Enter a description for the custom policy.

   Signatures
      From the list, select the signatures you want to include in the policy. For information on how to add custom signatures, see Uploading Custom Signatures on page 118.

3  Click Add. Advanced Firewall creates the policy and lists it in the Current policies area.

The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.

Uploading Custom Signatures

Advanced Firewall enables you to upload custom signatures and/or Sourcefire Vulnerability Research Team (VRT) signatures and make them available for use in intrusion detection and prevention policies.

To upload custom signatures:

1  Navigate to the Services > Intrusion system > Signatures page.

2  Configure the following settings:

   Custom signatures
      Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.
      Note: Use custom signatures with caution as Advanced Firewall cannot verify custom signature integrity.

   Use syslog for Intrusion logging
      Select this option to enable logging intrusion events in the syslog.

   Oink code
      If you have signed up with Sourcefire to use their signatures, enter your Oink code here. Click Update to update and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.
      Note: Updating the signatures can take several minutes.

3  Click Save. Any custom signatures you have uploaded to Advanced Firewall or Sourcefire VRT signatures you have downloaded to Advanced Firewall will be listed on the Services > Intrusion system > Policies page. For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.
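
Because Advanced Firewall cannot verify the integrity of an uploaded signature file (see the note above), the checking has to happen before the upload. The following is an added example, not Smoothwall code, of a pre-upload check: it compares the file's SHA-256 digest with one obtained out of band and then parses each rule for the defects that most often break a policy. The check_rules and verify_signature_file names and the sample rules are constructed for this illustration; the sample file is not VRT content. It assumes the rule syntax used by Sourcefire VRT rule sets (action, protocol, addresses and ports, then options in brackets) and that option values contain no escaped semicolons.

```python
"""Pre-upload sanity checks for a custom intrusion-signature file. Added example;
not Smoothwall code. check_rules and verify_signature_file are constructed here.

The guide warns that uploaded custom signatures are not integrity-checked, so
this compares the file's SHA-256 digest with one obtained out of band, then
parses each rule for the defects that most often break a policy: malformed
headers, unknown actions or protocols, missing msg/sid, duplicate sids.
Assumption: rules use the syntax of Sourcefire VRT rule sets,
  action proto src sport direction dst dport (option:value; ...)
with no escaped semicolons inside option values.
"""
import hashlib
import hmac
import re
from typing import List, Tuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_options(body: str) -> dict:
    """'msg:"x"; sid:1; rev:1;' -> {'msg': 'x', 'sid': '1', 'rev': '1'}"""
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def check_rules(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, problem) pairs; an empty list means the file parsed cleanly."""
    problems, seen_sids = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append((no, "unparseable rule header"))
            continue
        action, proto, *_, body = m.groups()
        if action not in ACTIONS:
            problems.append((no, f"unknown action {action!r}"))
        if proto not in PROTOCOLS:
            problems.append((no, f"unknown protocol {proto!r}"))
        opts = parse_options(body)
        for required in ("msg", "sid"):
            if required not in opts:
                problems.append((no, f"missing {required}"))
        sid = opts.get("sid")
        if sid is not None:
            if not sid.isdigit():
                problems.append((no, f"non-numeric sid {sid!r}"))
            elif sid in seen_sids:
                problems.append((no, f"duplicate sid {sid} (first seen on line {seen_sids[sid]})"))
            else:
                seen_sids[sid] = no
    return problems


def verify_signature_file(data: bytes, expected_sha256: str):
    """Return (digest_matches, problems)."""
    digest_ok = hmac.compare_digest(sha256_hex(data), expected_sha256.lower())
    return digest_ok, check_rules(data.decode("utf-8", errors="replace"))


# Constructed sample file with deliberate defects; not real VRT content.
SAMPLE_RULES = b"""\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp login"; flow:to_server; content:"USER"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE cgi probe"; content:"/cgi-bin/"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"EXAMPLE snmp default community"; content:"public"; sid:1000001; rev:1;)
blort tcp any any -> any any (msg:"EXAMPLE bad action"; sid:1000003;)
alert tcp any any -> any 22 (content:"SSH"; rev:1;)
"""

if __name__ == "__main__":
    ok, problems = verify_signature_file(SAMPLE_RULES, sha256_hex(SAMPLE_RULES))
    print("digest ok:", ok)
    for line_no, problem in problems:
        print(f"line {line_no}: {problem}")
```

The digest only tells you that the file you are about to upload is the one you reviewed; it says nothing about whether the rules are good. The parse step catches the mechanical mistakes, and the rules themselves still need a human review before they are placed in a prevention policy that can drop traffic.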

Deleting Custom Signatures

It is possible to delete custom signatures that have been made available on the Services > Intrusion system > Policies page.

Note: If you choose to delete custom signatures, Advanced Firewall will delete all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies.

To delete custom signatures:

1  On the Services > Intrusion system > Signatures page, click Delete.

2  Advanced Firewall prompts you to confirm the deletion. Click Confirm; Advanced Firewall deletes the signatures.

DHCP
Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to
automatically obtain IP address and other network settings.
Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:

Support for 2 DHCP subnets

Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet

Automate the creation of static assignments using the ARP cache.

119

Advanced Firewall Services


DHCP

Enabling DHCP
To enable DHCP:
1

Navigate to the Services > DHCP > Global page.

Configure the following settings:

Setting

Description

Enabled

Select to enable the DHCP service.

Server

Select to set the DHCP service to operate as a DHCP server in standalone


mode for network hosts.

Relay (forwarding
proxy)

Select to set the DHCP service to operate as a relay, forwarding DHCP


requests to another DHCP server.

Enable logging

Select to enable logging.

Click Save to enable the service.

Creating a DHCP Subnet


The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic
and static IP ranges defined.

120

Smoothwall Advanced Firewall


Administrators Guide
To create a DHCP subnet:
1

Navigate to the Services > DHCP > DHCP server page.

Configure the following settings:


Setting

Description

DHCP Subnet

From the drop-down menu, select Empty and click Select.

Subnet name

Enter a name for the subnet.

Network

Enter the IP address that specifies the network ID of the subnet when
combined with the network mask value entered in the netmask field. For
example: 192.168.10.0.

Netmask

Define the subnet range by entering a network mask, for example


255.255.255.0.

Primary DNS

Enter the value that a requesting network host will receive for the primary DNS
server it should use.

Secondary DNS

Optionally, enter the value that a requesting network host will receive for the
secondary DNS server it should use.

121

Advanced Firewall Services


DHCP

Setting

Description

Default gateway

Enter the value that a requesting network host will receive for the default
gateway it should use.

Enabled

Determines whether the DHCP subnet is currently active.

Click Advanced to access the following settings:


Primary WINS

Optionally, enter the value that a requesting network host will receive for the
primary WINS server it should use. This is often not required on very small
Microsoft Windows networks.

Secondary WINS

Optionally, enter the value that a requesting network host will receive for the
secondary WINS server it should use. This is often not required on very small
Microsoft Windows networks.

Primary NTP

Optionally, enter the IP address of the Network Time Protocol (NTP) server
that the clients will use if they support this feature.
Tip:

Secondary NTP

Enter Advanced Firewalls IP address and clients can use its time
services if enabled. See Chapter 13, Setting Time on page 269 for
more information.

Optionally, enter the IP address of a secondary Network Time Protocol (NTP)


server that the clients will use if they support this feature.
Tip:

Enter Advanced Firewalls IP address and clients can use its time
services if enabled. See Chapter 13, Setting Time on page 269 for
more information.

Default lease time Enter the lease time in minutes assigned to network hosts that do not request
(mins)
a specific lease time. The default value is usually sufficient.

Max lease time


(mins)

Enter the lease time limit in minutes to prevent network hosts requesting, and
being granted, impractically long DHCP leases. The default value is usually
sufficient.

TFTP server

Enter which Trivial File Transfer Protocol (TFTP) server workstations will use
when booting from the network.

Network boot
filename

Specify to the network booting client which file to download when booting off
the above TFTP server.

Domain name
suffix

Enter the domain name suffix that will be appended to the requesting host's
hostname.

Automatic proxy
config URL

Specify a URL which clients will use for determining proxy settings. Note that
it should reference an proxy auto-config (PAC) file and only some systems and
web browsers support this feature.

Custom DHCP
options

Any custom DHCP options created on the Services > DHCP > Custom
options page are listed for use on the subnet. For more information, see
Creating Custom DHCP Options on page 125.

Click Save.

Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is
required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the
server knows which addresses it should allocated to the various network hosts.

122

Smoothwall Advanced Firewall


Administrators Guide

Editing a DHCP subnet

To edit a DHCP subnet:
1  Navigate to the Services > DHCP > DHCP server page.
2  From the DHCP Subnet drop-down list, select the subnet and click Select.
3  Edit the settings displayed in the Settings area.
4  Click Save.

Deleting a DHCP subnet

To delete a DHCP subnet:
1  Navigate to the Services > DHCP > DHCP server page.
2  From the DHCP Subnet drop-down list, select the subnet and click Select.
3  Click Delete.

Adding a Dynamic Range

Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP
subnet that it can dynamically allocate to requesting hosts.
To add a dynamic range to an existing DHCP subnet:
1  Navigate to the Services > DHCP > DHCP server page.
2  Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
3  In the Add a new dynamic range area, configure the following settings:

   Setting          Description
   Start address    Enter the start of an IP range over which the DHCP server should supply dynamic
                    addresses from.
                    This address range should not contain the IPs of other machines on your LAN with
                    static IP assignments.
   End address      Enter the end of an IP range over which the DHCP server should supply dynamic
                    addresses to. For example, enter 192.168.10.15.
                    This address range should not contain the IPs of other machines on your LAN with
                    static IP assignments.
   Comment          Enter a description of the dynamic range.
   Enabled          Select to enable the dynamic range.

4  Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.

Adding a Static Assignment

Static assignments are used to allocate fixed IP addresses to nominated hosts. This is done by
referencing the unique MAC address of the requesting host's network interface card. This is used to
ensure that certain hosts are always leased the same IP address, as if they were configured with a
static IP address.
To add a static assignment to an existing DHCP subnet:
1  Navigate to the Services > DHCP > DHCP server page.
2  Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3  Scroll to the Add a new static assignment area and configure the following settings:

   Setting          Description
   MAC address      Enter the MAC address of the network host's NIC as reported by an appropriate
                    network utility on the host system.
                    This is entered as six pairs of hexadecimal numbers, with a space, colon or other
                    separator character between each pair, e.g. 12 34 56 78 9A BC or
                    12:34:56:78:9A:BC
   IP address       Enter the IP address that the host should be assigned.
   Comment          Enter a description of the static assignment.
   Enabled          Select to enable the assignment.

4  Click Add static. The static assignment is added to the Current static assignments table.
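
The two rules above (a dynamic range must not contain statically assigned addresses, and a MAC address may be typed with spaces, colons or other separators) can be checked before the settings are saved. The following POSIX sh script is an added example and not Smoothwall code: the function names and the sample range, MAC addresses and assignments are constructed for illustration. It normalizes MAC addresses to one form and reports every static assignment that falls inside the dynamic range.

```shell
#!/bin/sh
# Added example (not Smoothwall code): sanity checks for a DHCP subnet's
# dynamic range and static assignments. All addresses below are constructed.

# Normalize a MAC such as "12 34 56 78 9A BC" or "12:34:56:78:9A:BC" to
# lowercase colon-separated form. Returns 1 unless it is exactly 12 hex digits.
normalize_mac() {
  hex=$(printf '%s' "$1" | tr -d ' :.-' | tr 'A-F' 'a-f')
  case "$hex" in
    ''|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#hex}" -eq 12 ] || return 1
  printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Convert a dotted-quad IPv4 address to an integer for range comparisons.
# Returns 1 on anything that is not four octets in the range 0..255.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_range START END ASSIGNMENTS
# ASSIGNMENTS holds one "mac,ip" pair per line. Prints one line per static
# assignment that lies inside START..END and returns 1 if any was found.
check_range() {
  start=$(ip_to_int "$1") || { echo "bad start address: $1" >&2; return 1; }
  end=$(ip_to_int "$2") || { echo "bad end address: $2" >&2; return 1; }
  [ "$start" -le "$end" ] || { echo "start address is after end address" >&2; return 1; }
  rc=0
  while IFS=, read -r mac ip; do
    [ -n "$mac" ] || continue
    norm=$(normalize_mac "$mac") || { echo "bad MAC address: $mac" >&2; rc=1; continue; }
    n=$(ip_to_int "$ip") || { echo "bad IP address for $norm: $ip" >&2; rc=1; continue; }
    if [ "$n" -ge "$start" ] && [ "$n" -le "$end" ]; then
      echo "conflict: static assignment $norm -> $ip lies inside dynamic range $1-$2"
      rc=1
    fi
  done <<EOF
$3
EOF
  return $rc
}

# Constructed sample subnet: a small dynamic range ending at the guide's
# example address, plus two static assignments, one of which collides.
DYNAMIC_START=192.168.10.10
DYNAMIC_END=192.168.10.15
STATIC_ASSIGNMENTS='12 34 56 78 9A BC,192.168.10.50
AA:BB:CC:DD:EE:01,192.168.10.12'

if check_range "$DYNAMIC_START" "$DYNAMIC_END" "$STATIC_ASSIGNMENTS"; then
  echo "no conflicts between the dynamic range and static assignments"
else
  echo "fix the dynamic range or the static assignments before saving"
fi
```

Run with `sh` on any Linux host; the sample data produces one conflict line for the assignment at 192.168.10.12.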

Adding a Static Assignment from the ARP Table

In addition to the previously described means of adding static DHCP assignments, it is possible to
add static assignments automatically from MAC addresses detected in the ARP table.
To add a static assignment from the ARP cache to an existing DHCP subnet:
1  Navigate to the Services > DHCP > DHCP server page.
2  Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3  Scroll to the Add a new static assignment from ARP table area.
4  Select one or more MAC addresses from those listed and click Add static from ARP table.
5  Click Save.

Editing and Removing Assignments

To edit or remove existing dynamic ranges and static assignments, use the options available in the
Current dynamic ranges and Current static hosts areas.

Viewing DHCP Leases

To view free leases:
1  Navigate to the Services > DHCP > DHCP leases page.
2  Select Show free leases and click Update. The following information is displayed:

   Field          Description
   IP address     The IP address assigned to the network host which submitted a DHCP request.
   Start time     The start time of the DHCP lease granted to the network host that submitted a DHCP
                  request.
   End time       The end time of the DHCP lease granted to the network host that submitted a DHCP
                  request.
   MAC address    The MAC address of the network host that submitted a DHCP request.
   Hostname       The hostname assigned to the network host that submitted a DHCP request.
   State          The current state of the DHCP lease.
                  The state can be either Active, that is, currently leased; or Free, the IP address is
                  reserved for the same MAC address or re-used if not enough slots are available.

DHCP Relaying

Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server
and re-route DHCP responses back to the requesting host.
To configure DHCP relaying:
1  Connect to Advanced Firewall and navigate to the Services > DHCP > DHCP relay page.
2  Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary
   DHCP server and Secondary DHCP server fields. Click Save.

Note: DHCP relaying must be enabled on the Services > DHCP > Global page.

Creating Custom DHCP Options

Advanced Firewall enables you to create and edit custom DHCP options for use on subnets.
For example, to configure and use SIP phones you may need to create a custom option which
specifies a specific option code and SIP directory server.
To create a custom option:
1  Browse to the Services > DHCP > Custom options page.
2  Configure the following settings:

   Setting        Description
   Option code    From the drop-down list, select the code to use.
                  The codes available are between the values of 128 and 254, with 252 excluded as
                  it is already allocated.
   Option type    From the drop-down list, select the option type.
                  IP address: Select when creating an option which uses an IP address.
                  Text: Select when creating an option which uses text.
   Description    Enter a description for the option. This description is displayed on the Services >
                  DHCP > DHCP server page.
   Comment        Optionally, enter any comments relevant to the option.
   Enabled        Select to enable the option.

3  Click Add. Advanced Firewall creates the option and lists it in the Current custom options area. For
   information on using custom options, see Creating a DHCP Subnet on page 120.
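
A custom option defined by code and type ends up in the server's replies as a code byte, a length byte and the value (the DHCP option encoding of RFC 2132). The POSIX sh functions below are an added example, not Smoothwall code, and show what the Option code and Option type selections become on the wire: they reject codes outside 128 to 254 and code 252 (which conventionally carries the WPAD proxy auto-configuration URL, so its exclusion is consistent with the subnet's Automatic proxy config URL field), encode an IP address or text value, and decode such a sequence again. The option codes and values used are constructed for the example.

```shell
#!/bin/sh
# Added example (not Smoothwall code): encoding a custom DHCP option as the
# code/length/value byte sequence of RFC 2132, printed as hex. Sample codes
# and values are constructed.

# Dotted-quad IPv4 address to 8 hex digits; returns 1 if malformed.
ip_to_hex() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

# 8 hex digits back to a dotted quad; returns 1 if malformed.
hex_to_ip() {
  h=$1
  [ "${#h}" -eq 8 ] || return 1
  case "$h" in *[!0-9a-fA-F]*) return 1 ;; esac
  out=
  for i in 1 3 5 7; do
    pair=$(printf '%s' "$h" | cut -c"$i"-"$((i + 1))")
    out="$out${out:+.}$((0x$pair))"
  done
  echo "$out"
}

# encode_option CODE TYPE VALUE  (TYPE is "ip" or "text")
# Prints the option as hex: one byte of code, one byte of length, the value.
encode_option() {
  code=$1; type=$2; value=$3
  case "$code" in ''|*[!0-9]*) echo "option code must be numeric" >&2; return 1 ;; esac
  if [ "$code" -lt 128 ] || [ "$code" -gt 254 ] || [ "$code" -eq 252 ]; then
    echo "option code $code is not available for custom options" >&2; return 1
  fi
  case "$type" in
    ip)   payload=$(ip_to_hex "$value") || { echo "bad IP address: $value" >&2; return 1; } ;;
    text) payload=$(printf '%s' "$value" | od -An -v -tx1 | tr -d ' \n') ;;
    *)    echo "unknown option type: $type" >&2; return 1 ;;
  esac
  len=$(( ${#payload} / 2 ))
  [ "$len" -le 255 ] || { echo "value longer than 255 bytes" >&2; return 1; }
  printf '%02x%02x%s\n' "$code" "$len" "$payload"
}

# decode_option HEX: prints "code length valuehex", checking the length byte.
decode_option() {
  h=$1
  [ "${#h}" -ge 4 ] || return 1
  code=$(( 0x$(printf '%s' "$h" | cut -c1-2) ))
  len=$(( 0x$(printf '%s' "$h" | cut -c3-4) ))
  payload=$(printf '%s' "$h" | cut -c5-)
  [ "${#payload}" -eq $(( len * 2 )) ] || { echo "length byte does not match value" >&2; return 1; }
  echo "$code $len $payload"
}

# Constructed examples: a SIP directory server carried as an IP address
# (code 150) and as text (code 160); code 252 is rejected.
encode_option 150 ip 192.168.10.5                              # 9604c0a80a05
encode_option 160 text sip.example.net                         # a00f7369702e6578616d706c652e6e6574
encode_option 252 text http://proxy/wpad.dat || echo "code 252 rejected"
decode_option 9604c0a80a05                                     # 150 4 c0a80a05
hex_to_ip c0a80a05                                             # 192.168.10.5
```

The length byte limits a custom text value to 255 bytes, which is the check a DHCP server performs before sending the option.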

Chapter 9

Virtual Private Networking

In this chapter:

All about Advanced Firewall, VPNs and tunnels.

Advanced Firewall VPN Features

Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:

Feature                  Description
IPSec site-to-site       Industry-standard IPSec site-to-site VPN tunneling.
L2TP road warriors       Mobile user VPN support using Microsoft Windows 2000 and XP, as well
                         as older versions of Windows. No client software required; the software is
                         part of the Windows operating system.
IPSec road warriors      Mobile user VPN support using IPSec road warrior clients such as
                         SafeNet SoftRemote, as well as others.
SSL VPN                  Mobile user VPN support using OpenVPN SSL and a light-weight client
                         installed on the user's computer/laptop.
Authentication           Industry-standard X509 certificates or PreShared Keys (subnet VPN
                         tunnels).
Certificate management   Full certificate management controls built into the interface, with import and
                         export capabilities in a number of formats. Self-signed certificates can be
                         generated.
Tunnel controls          Individual controls for all VPN tunnels.
Internal VPNs            Support for VPNs routed over internal networks.
Logging                  Comprehensive logging of individual VPN tunnels.

What is a VPN?

A VPN, in the broadest sense, is a network route between computer networks, or individual
computers, across a public network. The public network, in most cases, is the Internet. Typically, a
VPN replaces a leased line or other circuit which is used to link networks together over some
geographic distance.
In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN
can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are
usually referred to as road warriors.
The P in VPN technologies refers to the encryption and authentication employed to maintain an
equivalent level of privacy that one would expect using a traditional circuit which a VPN typically
replaces.
There are several technologies which implement VPNs. Some are wholly proprietary, others are open
standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well
established and open Internet standard. Many implementations of this standard exist, and generally
all vendors of network security products will have an offering in their product portfolio.
VPNs are mostly used to link multiple branch office networks together, site-to-site VPNs, or to
connect mobile and home users, road warriors, to their office network.
The network route between a site-to-site or road warrior VPN is provided by a VPN tunnel. Tunnels
can be formed between two VPN gateways. All data traversing the tunnel is encrypted, thus making
the tunnel and its content unintelligible and therefore private to the outside world.

About VPN Gateways

A VPN gateway is a network device responsible for managing incoming and outgoing VPN
connections. A VPN gateway must perform a number of specific tasks:
• Allow VPN tunnels to be configured.
• Authenticate the other end of a VPN connection, i.e. ensure it can be identified and trusted.
• Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
• Encrypt all data presented to the VPN tunnel into secure data packets.
• Decrypt secure data received from the VPN tunnel.
• Route all data received from the tunnel to the correct computer on the LAN.
• Allow VPN tunnels to be managed.

Administrator Responsibilities

A network administrator has three responsibilities:
• Specify the tunnel: define the tunnel on each VPN gateway.
• Configure authentication: define a secure means for each VPN gateway to identify the other.
• Manage tunnels: control the opening and closing of tunnels.

About VPN Authentication

Authentication is the process of validating that a given entity, that is a person, system or device, is
actually who or what it identifies itself to be. Since VPN gateways are not usually in the same physical
location, it is not readily determinable that either gateway is genuine.
A gateway that initiates a VPN connection must be assured that the remote gateway is the right one.
Conversely, the remote gateway must be assured that the initiating gateway is not an imposter.
Advanced Firewall supports several authentication methods that can be used to validate a VPN
gateway's identity:

Authentication method   Description
Pre-Shared Key          Usually referred to as PSK, this is a simplistic authentication method
                        based on a password challenge.
                        For more information, see PSK Authentication on page 129.
X509                    An industry strength and internationally recognized authentication method
                        using a system of digital certificates, as published by the ITU-T and ISO
                        standardization bodies.
                        For more information, see X509 Authentication on page 129.
Username/password       In addition to using X509, all users of L2TP road warrior connections must
                        enter a valid username and password, as specified when the L2TP tunnel
                        definition is created.
                        This ensures that both the user and the VPN gateway (the L2TP client) are
                        authenticated.

A more in depth examination of the PSK and X509 authentication methods can be found in the
following sections, including recommendations for the usage of each.

PSK Authentication

To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a
shared password that only they know. When initiating a VPN connection, each gateway requests the
other's password. If the password received by each gateway matches the password stored by each
gateway, both gateways know that the other must be genuine. Hence, each gateway is authentic
and a secure, trusted VPN tunnel can be established.
The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up,
there are human and technological reasons that make this method unsuitable for larger
organizations. Password protection is easily circumvented as passwords are frequently written
down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also
require multiple tunnels to use the same password, which is highly undesirable if your organization intends
to create multiple road warrior VPN connections.
PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required.
While it is possible to create large VPN networks based entirely on PSK authentication, such a
scheme is likely to prove unmanageable in the long run and liable to misuse.

X509 Authentication
In this model, each VPN gateway is given a digital certificate that it can present to prove its identity,
much like a traveler can present his or her passport. Digital certificates are created and issued by a
trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its
citizens with passports. In the world of digital certificates, a CA can be called upon to validate the
authenticity of a certificate, in the same way that a government can be asked to validate a citizen's
passport.

About Digital Certificates

A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies
its owner, and contains the following information:

Information        Description
Subject            Information about who the certificate was issued to, their country, company name
                   etc.
Issuer             Information about the CA that created and signed the certificate.
Certificate ID     An alternative identifier for the certificate owner in abbreviated form.
Validity period    The start and expiry dates, during which time the certificate is valid.

Certificates contain information about both its owner, i.e. the subject, and its issuer, i.e. the CA.
However, it is not yet clear whether the certificate is a forgery. To prove absolute authenticity, X509
utilizes public-key cryptography.
Public-key cryptography is an encryption mechanism that involves the use of a mathematically
related pair of encryption keys, one called a private key and the other called a public key. The
mathematical relationship allows messages encrypted with the private key to be decrypted by the
public key and vice versa.
It is computationally infeasible to derive either key from the other. It is also impossible for any other
key to decrypt a message apart from the encrypting key's counterpart. If the private key is kept secret
by its owner, and the public key is freely accessible to all, any message successfully decrypted using
the public key can only have originated from the private key owner. This concept is exploited by CAs
to sign all certificates they create, thus proving that the certificate is genuine.
To sign a certificate, the CA takes the content of the certificate and encrypts it using its private key.
The encrypted content is inserted into the certificate, much like a watermark or other security feature
is added to a passport by a government. Anybody wishing to determine the authenticity of the
certificate can therefore attempt to decrypt the CA signature using the public key attainable from the
issuing CA. If the signature can be successfully decrypted and matches the issuer details declared
in the certificate, the certificate is proven to be authentic.
However, this only proves that the CA genuinely issued the certificate. Just because a passport was
validly issued by a government does not mean that the person presenting it is its rightful owner. This
is solved by one further stage of encryption, this time the certificate owner uses its private key to
encrypt the entire certificate (including the CA's signature) before presenting the certificate. It can
now be proven beyond all doubt that the certificate is the property of its rightful owner (by decrypting
it using the owner's public key) and that the certificate was issued by the specified CA (by decrypting
the CA's signature from the certificate using the CA's public key).

Advanced Firewall and Digital Certificates


Advanced Firewall is equipped to handle all aspects of setting up a self-contained X509
authentication system. Advanced Firewall enables you to:
• Create a trusted CA.
• Create signed, digital certificates.
• Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.

Alternatively, digital certificates can be leased from companies like Verisign or Thawte and then
imported, or they can be created by a separate CA such as the one included in Microsoft Windows
2000. The use of a local Advanced Firewall CA is recommended as a more convenient and equally
secure approach.
It is usual for a single CA to provide certificates for an entire network of peer systems, but there are
alternative schemes that use multiple CAs which will be discussed later.

Configuration Overview

The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior
VPNs, internal VPNs and management in great depth.
As an overview to these sections, these are the steps required to create a typical site-to-site VPN
connection:
1   On the master Advanced Firewall system, create a local Certificate Authority. For details, see
    Creating a CA on page 131.
2   Create certificates for the master Advanced Firewall system and the remote Advanced Firewall
    system.
3   Install the master Advanced Firewall's certificate as its default local certificate.
4   Create a tunnel specification on the master Advanced Firewall system that points to the remote
    Advanced Firewall system.
5   Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced
    Firewall system.
6   Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
7   Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
8   Create a tunnel specification on the remote Advanced Firewall system that matches the one created
    by step 4.
9   Bring the connection up.
10  Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and
    from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on
    page 59.

Note: For VPN configuration tutorials, see VPN Tutorials on page 178.

Working with Certificate Authorities and Certificates

A Certificate Authority (CA) is an implicitly trusted system that is responsible for issuing and managing
digital certificates. A certificate created by a known CA can be authenticated as genuine.
The following sections explain how to create a local CA using Advanced Firewall, for the purpose of
creating certificates for VPN tunnel authentication. They also explain how to export and import CA
certificates so that a remote Advanced Firewall has knowledge of the CA. Maintenance tasks such
as how to delete CAs are also discussed.

Creating a CA
To create your own certificates for use in VPN tunnel authentication, you require access to at least
one CA. It is possible to purchase certificates from an externally managed CA, but this can be
inconvenient and costly. This section explains how to create a CA using Advanced Firewall.
If you already have a CA on your network, it may be useful to use that, in which case refer to Importing
Another CA's Certificate on page 133.

To create a CA:
1  Navigate to the VPN > VPN > Certificate authorities page.
2  Configure the following settings:

   Setting             Description
   Common name         Enter an easily identifiable name.
   Email               Enter an administrative email address.
   Organization        Enter an organizational identifier.
   Department          Enter a departmental identifier.
   Locality or town    Enter a locality or town.
   State or province   Enter a state or province.
   Country             Enter a two letter country code.
   Life time           From the drop-down menu, select the length of time that the CA will remain valid
                       for.
   User defined        If User defined is selected as the life time value of the CA, enter the number of
   (days)              days the CA will be valid.

3  Click Create Certificate Authority. The local CA is created and displayed.

Once a CA has been created, you can use it to create digital certificates for network hosts. You can
also export the CA's own certificate to other systems which can use it to authenticate digital
certificates issued by the CA.

Exporting the CA Certificate

Once a CA has been created, you need to export its certificate so that other systems can recognize
and authenticate any signed certificates it creates. There are two different export formats:
To export the CA certificate:
1  Navigate to the VPN > VPN > Authorities page and configure the following settings:

   Setting          Description
   Name             In the Installed Certificate Authority certificates area, locate and select the local
                    CA certificate.
   Export format    From the drop-down list, select the format in which to export the certificate
                    authority's certificate. The following formats are available:
                    CA certificate in PEM: An ASCII (textual) certificate format commonly used
                    by Microsoft operating systems. Select this format if the certificate is to be used
                    on another Smoothwall System.
                    CA certificate in BIN: A binary certificate format, select if the certificate is to
                    be used on a system which requires this format. Consult the system's
                    documentation for more information.

2  Click Export and choose to save the file to disk from the dialog box launched by your browser.
   You can deliver the certificate to another system without any special security requirements since it
   contains only public information.

Importing Another CA's Certificate

To authenticate a signed certificate produced by a non-local CA, you must import the non-local CA's
certificate into Advanced Firewall.
This is usually done on secondary Advanced Firewall systems so that they can authenticate
certificates created by a master Advanced Firewall system's CA.
Note: The certificate must be in PEM format to be imported.
To import the CA's certificate:
1  Navigate to the VPN > VPN > Authorities page.
2  In the Import Certificate Authority certificate area, click Browse.
3  Locate and open the CA's certificate that you wish to import.
4  Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority
   certificates list of certificates area.

Deleting the Local Certificate Authority and its Certificate

To delete the local CA and its certificate:
1  Navigate to the VPN > VPN > Authorities page.
2  In the Delete local Certificate Authority region, select Confirm delete.
3  Click Delete Certificate Authority.

Note: Deleting the local CA will invalidate all certificates that it has created.
Once the local CA has been deleted, the Create local Certificate Authority region will be displayed.
This change in layout occurs because a CA no longer exists on the Advanced Firewall system. The
Create local Certificate Authority region replaces the Delete local Certificate Authority region.


Deleting an Imported CA Certificate

To delete an imported CA's certificate:
1  Navigate to the VPN > VPN > Authorities page.
2  Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
3  Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates
   region and Advanced Firewall will not be able to authenticate any certificates created by it.

Managing Certificates

The following sections explain how to create, view, import, export and delete certificates in Advanced
Firewall.

Creating a Certificate

Once a local Certificate Authority (CA) has been created, you can generate certificates.
The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This
is because the Advanced Firewall VPN gateway is a separate entity to the CA, and therefore requires
its own certificate.
It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways,
i.e. all other Advanced Firewall systems.
To create a new signed certificate:
1  Navigate to the VPN > VPN > Certificates page.
2  Scroll to the Create new signed certificate area and configure the following settings:

   Setting             Description
   ID type             From the drop-down menu, select the certificate's ID type. The options are:
                       No ID: Not recommended but available for inter-operability with other VPN
                       gateways.
                       Host & Domain Name: Recommended for most site-to-site VPN
                       connections. This does not need to be a registered DNS name.
                       IP address: Recommended for site-to-site VPNs whose gateways use static
                       IP addresses.
                       Email address: Recommended for road warrior or internal VPN connections.
                       This does not need to be a real email address, although the use of a real email
                       address is recommended.
   ID value            Enter an ID value.
                       For a site-to-site Advanced Firewall VPN this is typically a hostname. For a road
                       warrior this is usually the user's email address.
   Common name         Enter a common name for the certificate, for example Head Office.
   Email               Enter an email address for the individual or host system that will own this
                       certificate.
   Organization        Enter an organizational identifier for the certificate owner.
   Department          Enter a departmental identifier for the certificate owner.
   Locality or town    Enter a locality or town for the certificate owner.
   State or province   Enter a state or province for the certificate owner.
   Country             Enter a two letter country code.
   Life time           From the drop-down menu, select the length of time that the certificate will
                       remain valid for.
   User defined        If User defined is selected as the life time value of the certificate, enter the
   (days)              number of days the certificate will be valid for.

3  Click Create signed certificate. The certificate is listed in the Installed signed certificates area.

Reviewing a Certificate

You can review the content of a certificate. Reviewing certificates can be useful for checking
certificate content and validity.
To review a certificate:
1  Navigate to the VPN > VPN > Certificates page.
2  Locate the certificate that you wish to view in the Installed signed certificates region.
3  Click the certificate name. The content is displayed in a new browser window.
4  Close the browser window to return to Advanced Firewall.

Exporting Certificates

Any certificates you create for the purpose of identifying other network hosts must be exported so
that they can be distributed to their owner.
To export a certificate:
1  Navigate to the VPN > VPN > Certificates page and scroll to the Installed signed certificates area.
2  Select the certificate you want to export and configure the following settings:

   Setting          Description
   Export format    From the drop-down menu, select the format in which to export the
                    certificate. The following formats are available:
                    Certificate in PEM: An ASCII (textual) certificate format commonly used by
                    Microsoft operating systems. Recommended for all Advanced Firewall to
                    Advanced Firewall VPN connections.
                    Certificate in DER: A binary certificate format for use with non-Advanced
                    Firewall VPN gateways.
                    Private key in DER: Exports just the private key in binary for use with
                    non-Advanced Firewall VPN gateways.

3  Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched
   by your browser software. The certificate will be saved to the browser's local file system in the
   specified format.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that
should only be known by the certificate owner.

Exporting in the PKCS#12 Format

PKCS#12 is a container format used to transport a certificate and its private key. It is recommended
for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.
To export a certificate in the PKCS#12 container format:
1  Navigate to the VPN > VPN > Certificates page.
2  In the Installed signed certificates region, locate and select the certificate that you wish to export.
3  Enter and confirm a password in the Password and Again fields.
4  Click Export certificate and key as PKCS#12.
5  Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your
   browser software. The PKCS#12 file will be saved to the browser's local file system.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that
should only be known by the certificate owner.
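
The X509 workflow described in this chapter (the public-key signing explained under X509 Authentication, creating a CA and signed certificates with an ID type, exporting the CA certificate so a remote gateway can import it, and the PEM, DER and PKCS#12 certificate exports above) can be reproduced step by step with the openssl command line. The script below is an added example and not Smoothwall code; it does not show how Advanced Firewall stores or encodes anything. The CA and gateway names, subjects, lifetimes and the export password are constructed, and placing the ID value in a subjectAltName extension is this example's choice. Its last lines show the check that makes importing the CA certificate necessary: a gateway certificate verifies only against the certificate of the CA that issued it.

```shell
#!/bin/sh
# Added example (not Smoothwall code): a self-contained X509 setup with
# openssl mirroring the guide's workflow. Names and passwords are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a CA: a self-signed certificate ($1.pem) and its private key ($1.key)
# with common name $2. The CA signs with its private key; anyone holding
# $1.pem (public information) can check that signature.
create_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2/O=Example Org/C=GB" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a certificate signed by CA $1 for gateway $2 with common name $3 and
# ID value $4 (for example DNS:host.example.net or email:user@example.net).
issue_cert() {
  ca=$1; prefix=$2; cn=$3; san=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn/O=Example Org/C=GB" -keyout "$prefix.key" -out "$prefix.csr" 2>/dev/null
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$san" > "$prefix.ext"
  openssl x509 -req -in "$prefix.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$prefix.ext" -out "$prefix.pem" 2>/dev/null
}

# Export gateway $1 as DER (binary, certificate only) and as a PKCS#12
# container protected by password $2 that holds the certificate, its private
# key and the CA certificate. The .p12 must be delivered securely.
export_formats() {
  openssl x509 -in "$1.pem" -outform DER -out "$1.der"
  openssl pkcs12 -export -in "$1.pem" -inkey "$1.key" -certfile ca.pem \
    -passout "pass:$2" -out "$1.p12"
}

# The remote side's check: does certificate $2 chain to CA certificate $1?
# Prints "ok" or "untrusted".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# Print the subjectAltName, i.e. the ID the peer will see in certificate $1.
cert_id() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Head office creates the CA and certificates for both gateways (steps 1-2
# of the Configuration Overview), then exports the branch certificate.
create_ca ca "Head Office CA"
issue_cert ca headoffice "Head Office" "DNS:headoffice.example.net"
issue_cert ca branch "Branch Office" "DNS:branch.example.net"
export_formats branch "secret-export-password"

# A second, unrelated CA whose certificate the branch never imported.
create_ca other-ca "Some Other CA"

echo "branch certificate ID: $(cert_id branch.pem)"
echo "branch cert against the head office CA: $(verify_against ca.pem branch.pem)"   # ok
echo "branch cert against an unrelated CA:   $(verify_against other-ca.pem branch.pem)"   # untrusted
echo "DER export: $(wc -c < branch.der) bytes; PKCS#12 export: branch.p12"
```

The PEM files written here are the same format the guide's "CA certificate in PEM" and "Certificate in PEM" exports produce, and the `.p12` file corresponds to the "Export certificate and key as PKCS#12" action; `openssl verify` is the equivalent of the trust decision a remote gateway makes once the CA certificate has been imported.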

Importing a Certificate

Advanced Firewall systems that do not have their own CA will be required to import and install a host
certificate to identify themselves. This is the normal process for secondary Advanced Firewall
systems, for example, branch office systems connecting to a head office that has an Advanced
Firewall system and CA.
To import a certificate:
1  Navigate to the VPN > VPN > Certificates page. In the Import certificates area, configure the
   following settings:

   Setting                   Description
   Password                  Enter the password that was specified when the certificate was created.
   Import PKCS#12 filename   To import a certificate in PKCS#12 format:
                             1  Click Browse and navigate to and select the certificate file.
                             2  Click Import certificate and key from PKCS#12.
   Import PEM filename       To import a certificate in PEM format:
                             1  Click Browse and navigate to and select the certificate file.
                             2  Click Import certificate from PEM.

   Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.

Deleting a Certificate

To delete an installed certificate:
1  Navigate to the VPN > VPN > Certificates page.
2  In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3  Click Delete. The signed certificate will be removed from the Installed signed certificates region.

Setting the Default Local Certificate

One of the most important configuration tasks is to set the default local certificate on each Advanced
Firewall host. The default local certificate should be the certificate that identifies its host.
To set the default local certificate:
1  Navigate to the VPN > VPN > Global page.
2  In the Default local certificate region, select the host's certificate from the Certificate drop-down list
   and click Save. This certificate will now be used by default in all future tunnel specifications, unless
   otherwise specified.
3  When prompted by Advanced Firewall, click Restart to deploy the certificate.

Site-to-Site VPNs: IPSec

The following sections explain how to create a site-to-site VPN tunnel between two Advanced
Firewall systems.
The tunnel will use the IPSec protocol to create a secure, encrypted tunnel between head office and
a branch office.

Recommended Settings

For Advanced Firewall to Advanced Firewall connections, the following settings are recommended
for maximum security and optimal performance:

Setting                   Selection
Encryption                AES
Authentication type       ESP
Hashing algorithm         SHA
Perfect Forward Secrecy   Enabled
Compression               Enabled unless predominant VPN traffic is already encrypted or
                          compressed.

Creating an IPsec Tunnel

To create a site-to-site tunnel:

1. On the Advanced Firewall at head office, browse to the VPN > VPN > IPSec subnets page.

Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 178.

2. Configure the following settings:


Name
    Enter a descriptive name for the tunnel connection, for example: New York to London.

Enabled
    Select to enable the connection.

Local IP
    Enter the IP address of the external interface used on the local Advanced Firewall host.
    Note: This field should usually be left blank to automatically use the default external IP (recommended).

Local network
    Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, for example 192.168.10.0/255.255.255.0.

Local ID type
    From the drop-down list, select the type of ID that will be presented to the remote system. The choices available are:
    - Default local Certificate Subject: uses the subject field of the default local certificate as the local ID.
    - Local IP: uses the local (external) IP address of the host as the local ID.
    - User specified Host & Domain Name: uses a user specified host and domain name as the local ID.
    - User specified IP address: uses a user specified IP address as the local ID.
    - User specified Email address: uses a user specified email address as the local ID.
    - User specified Certificate Subject: uses a user specified certificate subject as the local ID.
    Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting. Whatever type you choose, the value presented must be exactly what the remote gateway is configured to expect as its Remote ID; a mismatch fails authentication even when the certificate or preshared key itself is correct.

Local ID value
    This field is only used if the local ID type is a User specified type (typically when connecting to non-Advanced Firewall VPN gateways). In most cases, you can leave this field blank because its value is derived automatically by Advanced Firewall during the connection process, according to the chosen ID type.

Remote IP or hostname
    Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address; a tunnel with a blank remote IP can only be brought up by the remote peer.

Remote network
    Specify the remote subnet that the local host will have access to, in the IP address/network mask format, for example 192.168.20.0/255.255.255.0.

Remote ID type
    From the drop-down list, select the type of ID that the remote gateway is expected to present. The choices are:
    - Remote IP (or ANY if blank Remote IP): the remote ID is the remote IP address or, if Remote IP is blank, any form of presented ID. Combined with a preshared key, ANY means that any peer that knows the key is accepted, so protect the key accordingly.
    - User specified Host & Domain Name: the host and domain name the remote gateway is expected to present as its ID.
    - User specified IP address: the IP address the remote gateway is expected to present as its ID.
    - User specified Email address: the email address the remote gateway is expected to present as its ID.
    - User specified Certificate Subject: the certificate subject string the remote gateway is expected to present as its ID (typically used for non-Advanced Firewall VPN gateways).

Remote ID value
    Enter the value of the ID used in the certificate that the remote peer is expected to present.

Authenticate by
    From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 128.

Preshared key
    Enter the preshared key when PSK is selected as the authentication method.

Preshared key again
    Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.

Use compression
    Select to compress tunnel communication. This is useful for low bandwidth connections, but it increases CPU utilization on both host systems. The benefit of compression also varies with the type of traffic that flows through the tunnel: compressing data that is already encrypted, such as HTTPS or VPN tunnels within tunnels, or already compressed, such as streaming video, can decrease performance. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended; for non-encrypted, uncompressed traffic it is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.

Initiate the connection
    Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.

Comment
    Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.

3. Optionally, click Advanced.

Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections.

4. Enter the following information:


Local certificate
    This is used in non-standard X509 authentication arrangements, for example to present a certificate other than the default local certificate. For more information, see Advanced VPN Configuration on page 171.

Interface
    Select which interface will be used for this connection, either an external or an internal interface. PRIMARY means the connection will be on the external interface.

Perfect Forward Secrecy
    Select to enable Perfect Forward Secrecy (PFS). With PFS, each Phase 2 (IPsec SA) key is derived from a fresh Diffie-Hellman exchange rather than from the Phase 1 keying material alone, so previous VPN communications cannot be decrypted should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.

Authentication type
    Select the IPsec protocol used to protect tunnel traffic. This setting should be the same on both tunnel specifications of two connecting gateways.
    - ESP: Encapsulating Security Payload uses IP protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended.
    - AH: IP Authentication Header uses IP protocol 51 and ensures authentication and integrity of messages but provides no encryption. Because AH also authenticates the outer IP header, it does not work through NAT. It exists for compatibility with older VPN gateways and is not recommended.

Phase 1 cryptographic algo
    Select the encryption algorithm to use for the first phase of VPN tunnel establishment (the IKE exchange). This setting should be the same on both tunnel specifications of two connecting gateways.
    - 3DES: triple DES with a 168-bit key (112-bit effective strength). It is slower than AES and uses a 64-bit block, but it is the default on many VPN gateways and is therefore offered for maximum compatibility.
    - AES 128: the Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard and offers faster and stronger encryption than 3DES.
    - AES 256: AES with a 256-bit key. Recommended for maximum security and performance.

Phase 1 hash algo
    Select the hash algorithm (used in HMAC form) for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
    - MD5: produces a 128-bit digest. Offered for speed and for compatibility with older peers; MD5 is deprecated, so prefer SHA unless a peer cannot negotiate it.
    - SHA: SHA-1, which produces a 160-bit digest and is the US government's hashing standard. Recommended for maximum security.

Phase 2 cryptographic algo
    Select the encryption algorithm to use for the second phase of VPN tunnel establishment (the IPsec SA that carries traffic). This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.

Phase 2 hash algo
    Select the hash algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.

Key life
    Set the length of time that a set of keys can be used for. After the key life has expired, new encryption keys are generated, which limits how much traffic is ever protected under any one key. The default and maximum value of 60 minutes is recommended.

Key tries
    Set the maximum number of times the host will attempt to re-key the connection before giving up. The default value of zero tells the host to try endlessly. A non-initiating VPN gateway should not use a zero value: if an active connection drops, it would persistently try to re-key a connection that it cannot initiate.

IKE lifetime
    Set how frequently, in minutes, the Internet Key Exchange (Phase 1) keys are re-exchanged.

Do not rekey
    Select to disable re-keying. This can be useful when working with NAT-ed endpoints.

Local internal IP
    This optional setting is used when Advanced Firewall itself sends traffic in the IPsec tunnel, for example to reach a host on the remote network from the firewall. Enter the IP address of the network interface to use when Advanced Firewall itself sends traffic in the tunnel.
    Note: If you do not use this setting, Advanced Firewall will not, itself, be able to send traffic in the IPsec tunnel.

5. Click Add to create the tunnel.
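The Perfect Forward Secrecy setting above is easier to reason about when you can watch it work. The following Python script is an added illustration, not part of this guide and not Advanced Firewall or IKE code. It models Phase 1 as a single Diffie-Hellman exchange that yields the IKE SA secret (named SKEYID here, after IKEv1), then performs several Phase 2 rekeys with and without a fresh exchange, and finally plays an attacker who recorded all the traffic and later obtains the Phase 1 secret. The tiny Diffie-Hellman group and the use of HMAC-SHA256 as a stand-in for the IKE PRF are assumptions made to keep the script fast; nothing here is a real key size.

```python
"""Why Perfect Forward Secrecy matters for IPsec rekeying: a toy model.

Added illustration, not Smoothwall code and not IKE itself. The DH group is
deliberately tiny (assumption: demo only; real IKE uses 2048-bit or larger
MODP groups or elliptic curves) and HMAC-SHA256 stands in for the IKE PRF.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # a Mersenne prime; far too small for real use, fine for a demo
G = 5


def dh_keypair():
    """Fresh private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def prf(key, data):
    """Stand-in for the IKE PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n):
    return n.to_bytes(16, "big")


def phase1():
    """Phase 1: one DH exchange gives both gateways SKEYID, the IKE SA secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    shared = dh_shared(a_priv, b_pub)
    assert shared == dh_shared(b_priv, a_pub)
    return prf(to_bytes(shared), b"SKEYID")


def phase2(skeyid, pfs):
    """Phase 2: derive one IPsec SA key. Returns (key, wire_transcript).

    Without PFS the key depends only on SKEYID and on nonces that travel in
    the clear. With PFS a fresh DH exchange is mixed in, and its private
    exponents are discarded as soon as the key has been derived."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = {"ni": ni, "nr": nr}
    if pfs:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        transcript.update(pub_i=a_pub, pub_r=b_pub)  # what an eavesdropper sees
        material = to_bytes(dh_shared(a_priv, b_pub)) + ni + nr
        del a_priv, b_priv  # the gateways keep nothing that could rebuild g^xy
    else:
        material = ni + nr
    return prf(skeyid, b"KEYMAT" + material), transcript


def attacker_recovers(skeyid, transcript):
    """An attacker who recorded the transcript and later obtained SKEYID.

    Returns the reconstructed key, or None when the derivation needs a DH
    secret that only ever existed in the gateways' memory (recovering it from
    the public values alone is the discrete logarithm problem)."""
    if "pub_i" in transcript:
        return None
    return prf(skeyid, b"KEYMAT" + transcript["ni"] + transcript["nr"])


def simulate(pfs, rekeys=3):
    """One Phase 1, several Phase 2 rekeys; True where the attacker gets the key."""
    skeyid = phase1()
    outcome = []
    for _ in range(rekeys):
        key, transcript = phase2(skeyid, pfs)
        outcome.append(attacker_recovers(skeyid, transcript) == key)
    return outcome


if __name__ == "__main__":
    print("PFS off:", simulate(False))  # every past key falls
    print("PFS on: ", simulate(True))   # none do
```

Run it and the two lines show the whole point: without PFS every past IPsec SA key is recomputed from the recorded nonces once the Phase 1 secret leaks, while with PFS each key additionally depends on an ephemeral Diffie-Hellman secret that both gateways threw away. The same reasoning is why Key life and IKE lifetime should stay short: rekeying limits how much traffic one key protects, but only PFS makes the earlier keys independent of the later compromise.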

IPSec Site to Site and X509 Authentication Example

This example explains how to create a site-to-site IPSec tunnel using X509 authentication between two Advanced Firewall systems.

Prerequisite Overview

Before you start, you must do the following:

1. Create a CA on the local system. For information on how to do this, see Creating a CA on page 131.
2. Create certificates for the local and remote systems using Host and Domain Name as the ID type. For information on how to do this, see Creating a Certificate on page 134.
3. Install the local certificate as the default local certificate on the local system. For information on how to do this, see Importing a Certificate on page 136.
4. Export the CA certificate in PEM format. For information on how to do this, see Exporting Certificates on page 135.
5. Export the remote certificate in the PKCS#12 container format. For information on how to do this, see Exporting in the PKCS#12 Format on page 136.
6. Import the PKCS#12 file on the remote system and install that certificate as its default local certificate. For information on how to do this, see Importing a Certificate on page 136. The PKCS#12 file contains the remote system's private key, so transfer it over a trusted channel and delete the copy on the local system once the import has succeeded.

Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.

Creating the Tunnel on the Primary System

To create the tunnel on the primary system:

1. On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name
    Enter a descriptive name for the tunnel.

Enabled
    Select to ensure that the tunnel can be activated once configuration is completed.

Local IP
    Leave empty. It is set automatically to the default external IP address at connection time.

Local network
    Specify the local network that the secondary system will be able to access, in the IP address/network mask format; it should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Local ID type
    From the drop-down list, select Default local Certificate ID. This identifies the primary system to the secondary system by the host and domain name ID value in the primary system's default local certificate.

Local ID value
    Leave empty. Its value is retrieved automatically by Advanced Firewall during the connection process.

Remote IP or hostname
    If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.

Remote network
    Specify the network on the secondary system that the primary system will be able to access, in the IP address/network mask format; it should correspond to an existing network at the secondary site. For example, 192.168.20.0/255.255.255.0.

Remote ID type
    From the drop-down list, select User specified Host & Domain Name.

Remote ID value
    Enter the ID value (the host and domain name) of the secondary system's default local certificate.

Authenticate by
    From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.

Preshared Key
    Leave empty.

Preshared Key again
    Leave empty.

Use compression
    Select to reduce bandwidth consumption. This is useful for low bandwidth connections; however, it requires more processing power.

Initiate the connection
    Do not select. It is the responsibility of each secondary system to initiate its own connection to the primary Advanced Firewall system.

Comment
    Enter a descriptive comment. For example, Tunnel to Branch Office.

2. Click Add to create the tunnel specification and list it in the Current tunnels area.

The advanced settings are left at their default values in this example. The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel on the Secondary System

To create the tunnel on the secondary system:

1. On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name
    Enter a descriptive name for the tunnel.

Enabled
    Select to ensure that the tunnel can be activated once configuration is completed.

Local IP
    Leave empty. It is set automatically to the default external IP address at connection time.

Local network
    Specify the local network that the primary system will be able to access, in the IP address/network mask format; it should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Local ID type
    From the drop-down list, select Default local Certificate ID. This identifies the secondary system to the primary system by the host and domain name ID value in the secondary system's default local certificate.

Local ID value
    Leave empty. Its value is retrieved automatically by Advanced Firewall during the connection process.

Remote IP or hostname
    Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank: the secondary system acts as the initiator of the connection and requires a destination IP address in order to make first contact.

Remote network
    Enter the network on the primary system that the secondary system will be able to access, in the IP address/network mask format; it should correspond to an existing network at the primary site. For example, 192.168.10.0/255.255.255.0.

Remote ID type
    From the drop-down list, select User specified Host & Domain Name. This matches the primary system's certificate ID type of Host and Domain Name, as listed in Prerequisite Overview on page 144.

Remote ID value
    Enter the ID value (the host and domain name) of the primary system's default local certificate.

Authenticate by
    From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.

Preshared Key
    Leave empty.

Preshared Key again
    Leave empty.

Use compression
    Select if you selected it on the primary system.

Initiate the connection
    Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.

Comment
    Enter a descriptive comment, for example, Tunnel to Head Office.

2. Click Add. All advanced settings can be safely left at their defaults.

Checking the System is Active

Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To ensure the VPN subsystem is active on both systems:

1. On the primary system, navigate to the VPN > VPN > Control page.
2. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3. On the secondary system, navigate to the VPN > VPN > Control page.
4. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the IPSec tunnel

Next, the secondary system should initiate the VPN connection.

To initiate the VPN connection:

1. On the secondary system, navigate to the VPN > VPN > Control page.
2. In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

IPSec Site to Site and PSK Authentication

Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls. Both gateways must hold the same secret, so use a long random value rather than a memorable passphrase, and bear in mind that anyone who obtains the key can authenticate as either gateway. Certificate authentication is preferable once more than a few tunnels have to be managed or revoked individually.

Creating the Tunnel Specification on Primary System

To create the primary tunnel specification:

1. On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name
    Enter a descriptive name for the tunnel.

Enabled
    Select to ensure that the tunnel can be activated once configuration is completed.

Local IP
    Leave blank so that it is set automatically to the default external IP address at connection time.

Local network
    Specify the local network that the secondary system will be able to access, in the IP address/network mask format; it should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Local ID type
    From the drop-down list, select Local IP. This identifies the primary system to the secondary system by the primary system's external IP address.

Local ID value
    Leave empty. It is derived automatically because Local IP was chosen as the local ID type.

Remote IP or hostname
    If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.

Remote network
    Specify the network on the secondary system that the primary system will be able to access, in the IP address/network mask format; it should correspond to an existing network at the secondary site. For example, 192.168.20.0/255.255.255.0.

Remote ID type
    From the drop-down list, select Remote IP (or ANY if blank Remote IP). This makes the primary system expect the secondary's IP address as its ID (if one was specified), or accept any presented ID if Remote IP was left blank.

Remote ID value
    Enter the external IP address of the secondary system, which is the value its Local IP ID type presents.

Authenticate by
    From the drop-down list, select Preshared Key. This instructs Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.

Preshared Key
    Enter a passphrase. Use a long, random value; the same value must be entered on the secondary system.

Preshared Key again
    Re-enter the passphrase to confirm it.

Use compression
    Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.

Initiate the connection
    Do not select this option. It is the responsibility of each secondary system to initiate its own connection to the primary Advanced Firewall system.

Comment
    Enter a description, for example: Tunnel to Birmingham Branch.

2. Click Add. All advanced settings can be safely left at their defaults. Advanced Firewall lists the tunnel in the Current tunnels area. The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel Specification on the Secondary System

To create the secondary tunnel specification:

1. On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:

Name
    Enter a descriptive name for the tunnel.

Enabled
    Select to ensure that the tunnel can be activated once configuration is completed.

Local IP
    Leave blank so that it is set automatically to the default external IP address at connection time.

Local network
    Specify the local network that the primary system will be able to access, in the IP address/network mask format; it should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0 (the network entered as Remote network on the primary system).

Local ID type
    From the drop-down list, select Local IP. This identifies the secondary system to the primary system by the secondary system's external IP address.

Local ID value
    Leave empty. It is derived automatically because Local IP was chosen as the local ID type.

Remote IP or hostname
    Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank: the secondary system acts as the initiator of the connection and requires a destination IP address in order to make first contact.

Remote network
    Specify the network on the primary system that the secondary system will be able to access, in the IP address/network mask format; it should correspond to an existing network at the primary site. For example, 192.168.10.0/255.255.255.0.

Remote ID type
    From the drop-down list, select Remote IP (or ANY if blank Remote IP). Because Remote IP is filled in here, the secondary system expects the primary system's external IP address as its ID.

Remote ID value
    Enter the external IP address of the primary system, which is the value its Local IP ID type presents.

Authenticate by
    From the drop-down list, select Preshared Key. This instructs Advanced Firewall to authenticate the primary system by validating a shared pass phrase.

Preshared Key
    Enter the same passphrase as was entered in the Preshared Key field on the primary system.

Preshared Key again
    Re-enter the passphrase to confirm it.

Use compression
    Select this option if compression was enabled on the primary system.

Initiate the connection
    Select this option, as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.

Comment
    Enter a descriptive comment, for example, Tunnel to Head Office.

2. Click Add. All advanced settings can be safely left at their defaults.
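The settings table for IPSec subnets and the X509 and PSK walkthroughs above all build the same thing: a pair of tunnel specifications that mirror each other. The following Python script is an added example, not Smoothwall code, that turns the mirroring rules stated in this chapter into a check over two dicts whose keys follow the settings names: the cryptographic settings that must be the same on both sides, local and remote networks swapped, exactly one initiator that knows the peer's address, each side's Remote ID matching what the other side's Local ID type actually presents, and an identical, reasonably long preshared key. The dict layout, the sample external addresses (documentation ranges) and the key value are constructed for the example; they do not come from an Advanced Firewall export.

```python
"""Cross-check two IPSec subnets tunnel specifications for mirror consistency.

Added example, not Smoothwall code. The keys follow the settings names in this
guide; the dict layout, the check list and the sample addresses (documentation
ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example.
"""
import ipaddress

# Settings the guide says must be the same on both tunnel specifications.
MUST_MATCH = ("authenticate_by", "use_compression", "pfs", "auth_type",
              "phase1_crypto", "phase1_hash", "phase2_crypto", "phase2_hash")


def network(text):
    """Accept the guide's address/netmask form as well as prefix notation."""
    return ipaddress.ip_network(text, strict=True)


def presented_id(spec):
    """The ID this gateway sends, according to its Local ID type."""
    kind = spec["local_id_type"]
    if kind == "Local IP":
        return spec["external_ip"]
    if kind.startswith("Default local Certificate"):
        return spec["cert_id"]
    return spec["local_id_value"]  # User specified types


def expected_id(spec):
    """The ID this gateway requires from its peer; None means ANY."""
    if spec["remote_id_type"].startswith("Remote IP"):
        return spec.get("remote_id_value") or spec.get("remote_ip") or None
    return spec["remote_id_value"]


def check_pair(primary, secondary):
    """Return a list of problems; an empty list means the two specs mirror."""
    problems = []
    for key in MUST_MATCH:
        if primary.get(key) != secondary.get(key):
            problems.append(f"{key} differs between the two specifications")

    p_local, p_remote = network(primary["local_network"]), network(primary["remote_network"])
    s_local, s_remote = network(secondary["local_network"]), network(secondary["remote_network"])
    if p_local != s_remote or p_remote != s_local:
        problems.append("local and remote networks are not swapped between the sides")
    if p_local.overlaps(p_remote) or s_local.overlaps(s_remote):
        problems.append("local and remote networks overlap")

    if primary["initiate"] == secondary["initiate"]:
        problems.append("exactly one side should select Initiate the connection")
    for name, spec in (("primary", primary), ("secondary", secondary)):
        if spec["initiate"] and not spec.get("remote_ip"):
            problems.append(f"{name} initiates but has no Remote IP or hostname")

    for name, me, peer in (("primary", primary, secondary), ("secondary", secondary, primary)):
        want = expected_id(me)
        if want is not None and want != presented_id(peer):
            problems.append(f"{name} expects remote ID {want!r} but the peer presents {presented_id(peer)!r}")

    if primary["authenticate_by"] == "Preshared Key":
        if primary.get("psk") != secondary.get("psk"):
            problems.append("preshared keys differ")
        elif len(primary.get("psk", "")) < 32:
            problems.append("preshared key is short; use a long random value")
    return problems


def base(**override):
    """Settings shared by both sides of the PSK example (constructed values)."""
    spec = dict(authenticate_by="Preshared Key", use_compression=False, pfs=True,
                auth_type="ESP", phase1_crypto="AES 256", phase1_hash="SHA",
                phase2_crypto="AES 256", phase2_hash="SHA", local_id_type="Local IP",
                remote_id_type="Remote IP (or ANY if blank Remote IP)",
                psk="4f1c9b2e7a0d3c8f5b6e1a2d9c0f7e3b")
    spec.update(override)
    return spec


HEAD_OFFICE = base(external_ip="203.0.113.10", local_network="192.168.10.0/255.255.255.0",
                   remote_ip="198.51.100.20", remote_network="192.168.20.0/255.255.255.0",
                   remote_id_value="198.51.100.20", initiate=False)
BRANCH = base(external_ip="198.51.100.20", local_network="192.168.20.0/255.255.255.0",
              remote_ip="203.0.113.10", remote_network="192.168.10.0/255.255.255.0",
              remote_id_value="203.0.113.10", initiate=True)

# A branch spec with two common mistakes: its own network typed as Remote
# network, and Initiate the connection left unselected on both sides.
BROKEN_BRANCH = dict(BRANCH, remote_network="192.168.20.0/255.255.255.0", initiate=False)

if __name__ == "__main__":
    print(check_pair(HEAD_OFFICE, BRANCH) or "specifications mirror correctly")
    for problem in check_pair(HEAD_OFFICE, BROKEN_BRANCH):
        print("problem:", problem)
```

For certificate tunnels set local_id_type to Default local Certificate ID and cert_id to the host and domain name in each system's default local certificate, and the same identity check applies: the value in one side's Remote ID value must equal what the other side presents. The check is deliberately conservative about Key tries and the other advanced settings, which the walkthroughs leave at their defaults.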

Checking the System is Active

Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To check the system is active:

1. On the primary system, navigate to the VPN > VPN > Control page.
2. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3. On the secondary system, navigate to the VPN > VPN > Control page.
4. In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the PSK tunnel

Next, the secondary system should initiate the VPN connection.

To activate the tunnel:

1. On the secondary system, navigate to the VPN > VPN > Control page.
2. In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

About Road Warrior VPNs

This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network.

Advanced Firewall supports two different VPN protocols for creating road warrior connections:

- L2TP: L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.
- IPSec: IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. IPSec road warriors can be configured to connect to any internal network.

Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 178.

Configuration Overview

Typically, a road warrior connection is configured as follows:

1. Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2. Decide which VPN protocol best suits your road warrior's needs: L2TP for Windows 2000/XP, IPSec for all others.
3. Decide which internal networks and which IP ranges to allocate to road warriors.
4. Create the tunnel specification on the Advanced Firewall system.
5. Install the certificate and any necessary client software on the road warrior system and configure it.
6. Connect.
7. Ensure that inbound and outbound access for the road warrior has been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.

When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine is, to all intents and purposes, on the configured internal network. It can route to other subnets, including other VPN-connected ones, and other machines on the same internal network can see the client, just as if it were plugged into the network directly. Treat a road warrior tunnel as a full member of that network for this reason: the zone bridging rules, not the tunnel itself, decide what it may reach.

Each road warrior must use a unique, unused IP address. Typically, you would choose a group of IP addresses outside both the DHCP range and any statically assigned machines such as servers. When configuring a tunnel, the Client IP setting assigns the road warrior's IP address on the local network. This IP address must belong to the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior). Each user requires their own tunnel, so create as many tunnels as there are road warriors.
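Planning those client addresses by hand gets error-prone past a handful of users, so here is an added Python example, not Smoothwall code, that applies the rules just stated: it hands each road warrior a unique address on the internal network that lies outside the DHCP range and away from statically assigned hosts, renders the Local network value in the address/netmask form the IPSec roadwarriors page uses, and refuses a Client IP that is not a usable host address on that network. The internal network, DHCP range, reserved hosts and user names are constructed for the demonstration, and allocating from the top of the subnet downward is this example's policy rather than a Smoothwall rule.

```python
"""Plan road warrior client addresses on an internal network.

Added example, not Smoothwall code. The network, DHCP range, reserved hosts
and user names are constructed; allocating from the top of the subnet
downward is this example's choice, not a Smoothwall rule.
"""
import ipaddress


def netmask_form(net):
    """Render a network the way the guide's Local network field expects it."""
    return f"{net.network_address}/{net.netmask}"


def free_hosts(network, dhcp_range, reserved):
    """Usable addresses outside the DHCP range and not reserved, highest first."""
    net = ipaddress.ip_network(network, strict=True)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    taken = {ipaddress.ip_address(a) for a in reserved}
    for host in reversed(list(net.hosts())):
        if lo <= host <= hi or host in taken:
            continue
        yield host


def plan_road_warriors(users, network, dhcp_range, reserved):
    """One unique client IP per road warrior; each of them needs its own tunnel."""
    pool = free_hosts(network, dhcp_range, reserved)
    plan = {}
    for user in users:
        try:
            plan[user] = str(next(pool))
        except StopIteration:
            raise RuntimeError(f"no free address left for {user}") from None
    return plan


def tunnel_fields(user, client_ip, network, single_host=None):
    """The Name, Local network, Client IP and Comment values for one tunnel.

    single_host restricts what the road warrior can reach to one address by
    using the /32 form of the Local network setting described in the guide."""
    net = ipaddress.ip_network(network, strict=True)
    ip = ipaddress.ip_address(client_ip)
    if ip not in net or ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{client_ip} is not a usable host address on {net}")
    local = ipaddress.ip_network(f"{single_host}/32") if single_host else net
    last_octet = str(ip).rsplit(".", 1)[1]
    return {"name": f"rw-{user}", "local_network": netmask_form(local),
            "client_ip": str(ip), "comment": f"IPSec connection for {user} on .{last_octet}"}


# Constructed site data: gateway, file server and a spare address are reserved.
NETWORK = "192.168.2.0/255.255.255.0"
DHCP = ("192.168.2.100", "192.168.2.199")
RESERVED = ["192.168.2.1", "192.168.2.10", "192.168.2.254"]
USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for user, ip in plan_road_warriors(USERS, NETWORK, DHCP, RESERVED).items():
        print(tunnel_fields(user, ip, NETWORK))
```

Keep the output of the plan with the rest of the site documentation: because every road warrior has its own tunnel, the only record of which address belongs to whom is the set of tunnel specifications, and a duplicate Client IP shows up as two users intermittently failing rather than as a configuration error.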


IPSec Road Warriors

Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:

- Each connection can be routed to a different internal network.
- Each connection can use different types of cryptographic and authentication settings.
- Client software will need to be installed on road warrior systems.

Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate.

Creating an IPSec Road Warrior


To create an IPSec road warrior connection:
1

Navigate to the VPN > VPN > IPSec roadwarriors page.

Configure the following settings:


Setting

Description

Name

Enter a descriptive name for the tunnel.

Enabled

Select to activate the tunnel once it has been added.

Local network Enter the IP address and network mask combination of the local network. For
example, 192.168.10.0/255.255.255.0.
Note: It is possible to restrict (or extend) the hosts that a road warrior can see on
its assigned internal network by changing this setting.
For example, if you wish to restrict the connected road warrior to a specific
IP address such as 192.168.2.10, set the local network to
192.168.2.10/3
Accordingly, enter the value 192.168.2.0/24 or 192.168.2.0/
255.255.255.0 to allow the road warrior to access all addresses in the
range 192.168.2.0 to 192.168.2.255.
Client IP

Enter a client IP address for this connection. The IP address must be a valid and
available address on the network specified in the Local network field.

151

Virtual Private Networking


IPSec Road Warriors

Setting

Description

Local ID type

From the drop-down list, select the local ID type. Default local Certificate Subject
is recommended for road warrior connections.

Local ID value

If you chose a User Specified ID type, enter a local ID value.

Remote ID
type

From the drop-down list, select Remote IP (or ANY if blank Remote IP). This
is recommended as it allows the road warrior to present any form of valid ID.

Remote ID
value

Enter the value of the ID used in the certificate that the road warrior is expected
to present.

Authenticate
by

From the drop-down list, select one of the following options:


To use the road warrior's certificate, select it.
To use a certificate created by a different CA, choose Certificate presented by
peer. Authenticating by a named certificate is recommended for ease of
management.
Preshared Key, select to use the global preshared key as defined on the VPN >
VPN > Global.

Use
compression

Select to reduce bandwidth consumption (useful for low bandwidth connections).


This will require more processing power.

Comment

Enter a descriptive comment, for example: IPSec connection to Joe Blogg's on


.240.

Click Advanced and enter the following information:

Local certificate
This is used in less standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 171.

Interface
Used to specify whether the road warrior will connect via an external IP or an internal interface.

Perfect Forward Secrecy
This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.

Authentication type
Provides a choice of ESP or AH security during the authentication process. For further details, see below. This setting should be the same on both tunnel specifications of two connecting gateways.
ESP: Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
AH: IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.

152

Smoothwall Advanced Firewall


Administrators Guide

Phase 1 cryptographic algo
This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES: A triple-strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been superseded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
AES 256: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.

Phase 1 hash algo
This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5: A cryptographic hash function producing a 128-bit digest. Recommended for faster performance and compatibility.
SHA: Secure Hashing Algorithm produces a 160-bit digest and is the US government's hashing standard. Recommended for maximum security.

Phase 2 cryptographic algo
This selects the encryption algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
See Phase 1 cryptographic algo for more information on the options.

Phase 2 hash algo
This selects the hashing algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
See Phase 1 hash algo for more information on the options.

Key life
This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.

Key tries
This sets the maximum number of times the host will attempt to retry the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because, if an active connection drops, it will persistently try to re-key a connection that it cannot initiate.

IKE lifetime
Sets how frequently the Internet Key Exchange keys are re-exchanged.

Do not Rekey
Turns off re-keying, which can be useful, for example, when working with NAT-ed end-points.

Click Add at the bottom of the page to add the tunnel to the list of current tunnels.

Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those
for a site-to-site IPSec connection. For details on the operation of each advanced control, see
Section 5.1 Introduction to Site to Site VPNs.
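The advanced settings above carry several "must match on both sides" and "recommended for maximum security" rules. The following Python script, an added example and not part of Smoothwall's product or documentation, checks a tunnel specification against those rules; TunnelSpec, check() and peers_agree() are hypothetical names, while the option values are the ones the table lists.

```python
"""Sanity-check an IPSec road warrior tunnel specification against the
recommendations in the Advanced settings table.

Added example, not Smoothwall code: TunnelSpec, check() and peers_agree()
are hypothetical names. The option values are the ones the guide lists.
"""
from dataclasses import dataclass
from typing import List

CRYPTO_ALGOS = {"3DES", "AES 128", "AES 256"}   # Phase 1 / Phase 2 cryptographic algo
HASH_ALGOS = {"MD5", "SHA"}                      # Phase 1 / Phase 2 hash algo
AUTH_TYPES = {"ESP", "AH"}                       # Authentication type
MAX_KEY_LIFE_MINUTES = 60                        # guide: default and maximum


@dataclass
class TunnelSpec:
    name: str
    authentication_type: str   # "ESP" or "AH"
    phase1_crypto: str
    phase1_hash: str
    phase2_crypto: str
    phase2_hash: str
    perfect_forward_secrecy: bool
    key_life_minutes: int
    key_tries: int             # 0 means retry forever
    initiator: bool            # does this gateway initiate the tunnel?


def check(spec: TunnelSpec) -> List[str]:
    """Return findings; an empty list means the spec has no invalid values
    and follows the guide's 'maximum security' recommendations."""
    findings = []
    if spec.authentication_type not in AUTH_TYPES:
        findings.append(f"invalid authentication type {spec.authentication_type!r}")
    elif spec.authentication_type == "AH":
        # AH (protocol 51) authenticates but does not encrypt.
        findings.append("AH gives integrity only, no confidentiality; use ESP")
    for phase, algo in (("Phase 1", spec.phase1_crypto), ("Phase 2", spec.phase2_crypto)):
        if algo not in CRYPTO_ALGOS:
            findings.append(f"{phase}: invalid cryptographic algo {algo!r}")
        elif algo == "3DES":
            findings.append(f"{phase}: 3DES is for compatibility; AES 256 is recommended")
    for phase, algo in (("Phase 1", spec.phase1_hash), ("Phase 2", spec.phase2_hash)):
        if algo not in HASH_ALGOS:
            findings.append(f"{phase}: invalid hash algo {algo!r}")
        elif algo == "MD5":
            findings.append(f"{phase}: MD5 is for compatibility; SHA is recommended")
    if not spec.perfect_forward_secrecy:
        findings.append("PFS disabled: a compromised current key exposes past traffic")
    if not 1 <= spec.key_life_minutes <= MAX_KEY_LIFE_MINUTES:
        findings.append(f"key life {spec.key_life_minutes} min is outside 1..{MAX_KEY_LIFE_MINUTES}")
    if spec.key_tries == 0 and not spec.initiator:
        # A responder cannot initiate, so it would re-key forever after a drop.
        findings.append("key tries 0 on a non-initiating gateway: endless re-key attempts")
    return findings


def peers_agree(a: TunnelSpec, b: TunnelSpec) -> List[str]:
    """Settings the guide says must match on both tunnel specifications."""
    mismatches = []
    for attr in ("authentication_type", "phase1_crypto", "phase1_hash",
                 "phase2_crypto", "phase2_hash", "perfect_forward_secrecy"):
        if getattr(a, attr) != getattr(b, attr):
            mismatches.append(f"{attr}: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    return mismatches


if __name__ == "__main__":
    # Constructed specs: one following the recommendations, one legacy-compatible.
    hq = TunnelSpec("hq-gateway", "ESP", "AES 256", "SHA", "AES 256", "SHA",
                    perfect_forward_secrecy=True, key_life_minutes=60,
                    key_tries=3, initiator=True)
    legacy = TunnelSpec("legacy-rw", "AH", "3DES", "MD5", "3DES", "MD5",
                        perfect_forward_secrecy=False, key_life_minutes=120,
                        key_tries=0, initiator=False)
    for spec in (hq, legacy):
        print(spec.name, check(spec) or ["ok"])
    print("peer mismatches:", peers_agree(hq, legacy))
```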

Supported IPSec Clients


Smoothwall currently recommends the use of the following third-party IPSec client applications for
IPSec road warriors with Microsoft Operating Systems:

SafeNet SoftRemote LT

SafeNet SoftRemote 10

SafeNet SoftRemote 9

Creating L2TP Road Warrior Connections


This section covers the steps required to create an external road warrior connection using L2TP.
Such connections have the following features:

All connections share the same, globally specified subnet.

Mostly supported by Microsoft operating systems with built-in support on Windows 2000 and XP.

Very easy to configure.

Creating a Certificate
The first task when creating an L2TP road warrior connection is to create a certificate. For further
information, see Creating a Certificate on page 134.
A road warrior certificate is typically created using the user's email address as the certificate ID.

Configuring L2TP and SSL VPN Global Settings


To configure L2TP and SSL VPN global settings:
1. On the VPN > VPN > Global page, configure the following settings:

L2TP and SSL VPN client configuration settings
Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users.
If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.

L2TP settings
From the drop-down list, select the internal network that L2TP road warriors will be connected to.

2. Click Save.

Creating an L2TP Tunnel


To create an external L2TP road warrior connection:
1. Navigate to the VPN > VPN > L2TP roadwarriors page.
2. Click Advanced to display all settings and configure the following settings:

Name
Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.

Enabled
Select to activate the tunnel once it has been added.

Client IP
Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.

Username
Enter a username for this connection.

Password
Enter a password for the tunnel.

Again
Re-enter the password to confirm it.

Authenticate by
From the drop-down list, select one of the following options:
Certificate presented by peer: If the certificate was created by a different CA, choose this option. Authenticating by a named certificate is recommended for ease of management.
Common Name's organization certificate: The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer's public certificate.

L2TP client OS
From the drop-down list, select the L2TP client's operating system.

Comment
Enter a descriptive comment.

Advanced
Click Advanced to access more options.

Local certificate
From the drop-down list, select the default local certificate to provide Advanced Firewall's default local certificate as proof of authenticity to the connecting road warrior.

Interface
Select PRIMARY.

3. Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.
Configuring an iPhone-compatible Tunnel


Advanced Firewall enables you to configure iPhone-compatible tunnels. Configuring an iPhone-compatible tunnel entails:
setting a preshared key and configuring DNS and interface settings on the VPN > VPN > Global page
creating the tunnel on the VPN > VPN > L2TP roadwarriors page.

Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road warriors, must use the same authentication method and, in the case of PSK, the same secret.
In practice, this means that if you want to create a tunnel between an iPhone-compatible device and Advanced Firewall, you must:
not have any L2TP or IPSec road warriors, as they use certificates for authentication
not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet tunnels to unknown remote IPs, but the IPSec subnets would have to use PSK authentication with the same shared secret as the iPhone-compatible device.
To configure an iPhone-compatible tunnel:
1. On the VPN > VPN > Global page, configure the following settings:

IPSec Road Warrior (and L2TP) Preshared Key
Preshared key: Enter a strong password which contains more than 6 characters.
Again: Re-enter the password to confirm it.

L2TP and SSL VPN client configuration settings
Enter the primary and secondary DNS settings.
2. Click Save. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:

Name
Enter a descriptive name for the tunnel. For example: CEO's iPhone.

Enabled
Select to activate the tunnel once it has been added.

Client IP
Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.

Username
Enter a username for this connection.

Password
Enter a password for the tunnel.

Again
Re-enter the password to confirm it.

Comment
Optionally, enter a description of the tunnel.

Authenticate by
Preshared key (iPhone compatible): Select this option to use the preshared key entered in step 1.

L2TP client OS
From the drop-down list, select Apple (iPhone compatible).

3. Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.
4. On the iPhone-compatible device, navigate to Settings > General > Network > VPN.
5. Select Add VPN Configuration and configure the following settings:

Description
Enter a description for the tunnel.

Server
Enter Advanced Firewall's external IP address.

Account
Enter the username as entered in step 2.

RSA SecurID
Set to OFF.

Password
Enter the password as entered in step 2.

Secret
Enter the PSK as configured in step 1.

Send All Traffic
Set to ON for routing to other VPNs.

Proxy
Set to OFF.

6. Select Save to save the tunnel configuration. The tunnel is now ready for use.

Using NAT-Traversal
Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems.
IPSec normally uses Protocol 50, which embeds IP addresses within the data packets. Standard NATing will not change these addresses, and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this situation, the VPN cannot work.
However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T uses the UDP protocol instead of Protocol 50 for IPSec VPN traffic; UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.
Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50, for the reasons stated above.
Note: NAT-T is a VPN gateway feature, not a NATing feature.

VPNing Using L2TP Clients


This section explains the configuration process for supported Microsoft operating systems.

L2TP Client Prerequisites


To connect to an L2TP tunnel, a road warrior must be using a Microsoft operating system which is
covered by the Microsoft support lifecycle.

Connecting Using Windows XP/2000


Users of Windows XP or Windows 2000 should first ensure that they are running the latest service release of their operating system. Specifically, one particular Windows update is required for L2TP connections to function:
Q818043 L2TP/IPSec NAT-T update. Information about this patch can be found at http://support.microsoft.com/?kbid=818043
The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/
One further requirement is that the road warrior user must be a member of the Administrator group
in order to install the necessary certificates into the Local Computer certificate store.

Installing an L2TP Client


The first step in the connection process is to run the L2TP Client Wizard. You can download it from
here. It is a freely distributable application that automates much of the configuration process.
Note: There is an alternative configuration method that uses a command line tool, thus enabling an L2TP
connection to be configured as part of a logon script. For details, see Advanced VPN Configuration
on page 171.
When started, the L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the
program issues a warning. Assuming the hotfix is installed, it will then guide the user through the
steps of configuring the connection to the Advanced Firewall system.
To install the L2TP client:
1. Run the L2TP Client Wizard on the road warrior system.
2. View the license and click Next to agree to it. The following screen is displayed:
3. Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next. The following dialog opens:
4. Click Browse to locate and select the road warrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next. The following screen is displayed:
5. Ensure that the Launch New Connection Wizard option is selected and click Install.
6. The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
7. Click Next. The following screen is displayed:
8. Select Connect to the network at my workplace and click Next.
9. Select Virtual Private Network connection and click Next. The following screen is displayed:
10. Enter a name for the connection and click Next. The following screen is displayed:
11. Enter Advanced Firewall's host name or IP address and click Next.
12. Click Finish. The Connect dialog box is displayed.
13. Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled.

Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from the road warrior when using a Smoothwall L2TP over IPSec connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.
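The note above and the NAT-Traversal section give a defender a concrete expectation: a road warrior using L2TP over IPSec should only send IKE (UDP 500), NAT-T (UDP 4500) and/or ESP (protocol 50), and plain ESP cannot traverse NAT while NAT-T can. The following Python script, an added example that is not Smoothwall code, applies that expectation to firewall log records; the key=value log format and the addresses are constructed for the example, not a real product format.

```python
"""Classify traffic seen from an IPSec/L2TP road warrior.

Added example, not Smoothwall code. It applies two statements from the text:
only IKE (UDP 500), NAT-T (UDP 4500) and/or ESP (IP protocol 50) should flow
from a road warrior using L2TP over IPSec, and plain ESP does not survive NAT
while UDP-encapsulated NAT-T does. The key=value log format and the addresses
(RFC 5737 documentation ranges) are constructed for this example.
"""
from collections import Counter
from typing import Dict, List, Tuple

UDP, ESP, AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500

# Constructed log: road warrior 203.0.113.10 talking to the gateway 198.51.100.1.
SAMPLE_LOG = """\
proto=17 src=203.0.113.10 dst=198.51.100.1 spt=500 dpt=500
proto=17 src=203.0.113.10 dst=198.51.100.1 spt=4500 dpt=4500
proto=50 src=203.0.113.10 dst=198.51.100.1
proto=17 src=203.0.113.10 dst=198.51.100.1 spt=4500 dpt=4500
proto=17 src=203.0.113.10 dst=198.51.100.1 spt=1701 dpt=1701
proto=51 src=203.0.113.10 dst=198.51.100.1
proto=6 src=192.0.2.7 dst=198.51.100.1 spt=40000 dpt=443
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(fields: Dict[str, str]) -> str:
    """Name the IPSec component a record belongs to, or UNEXPECTED."""
    proto = int(fields["proto"])
    if proto == ESP:
        return "ESP"
    if proto == AH:
        return "AH"
    if proto == UDP:
        ports = {int(fields.get("spt", 0)), int(fields.get("dpt", 0))}
        if IKE_PORT in ports:
            return "IKE"
        if NAT_T_PORT in ports:      # UDP-encapsulated ESP: what a NAT-ed client sends
            return "NAT-T"
    # Anything else from the client, e.g. bare L2TP on UDP 1701, is outside the
    # IPSec protection the guide expects and deserves a look.
    return "UNEXPECTED"


def audit(log_text: str, road_warrior_ip: str) -> Tuple[Counter, List[str]]:
    """Count traffic classes from one road warrior and return the odd lines."""
    counts: Counter = Counter()
    unexpected: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields.get("src") != road_warrior_ip:
            continue
        cls = classify(fields)
        counts[cls] += 1
        if cls == "UNEXPECTED":
            unexpected.append(line)
    return counts, unexpected


def nat_t_required(counts: Counter) -> bool:
    """True when the client sent plain ESP but never NAT-T: if it sits behind a
    NATing device, the text explains why that tunnel cannot work."""
    return counts["ESP"] > 0 and counts["NAT-T"] == 0


if __name__ == "__main__":
    counts, odd = audit(SAMPLE_LOG, "203.0.113.10")
    print(dict(counts))
    for line in odd:
        print("review:", line)
    print("plain ESP only:", nat_t_required(counts))
```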

VPNing with SSL


Advanced Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be easily configured and distributed, any user account able to authenticate to the configured directory service, plus any user in the list of local users, gains easy and secure VPN access to your network. All your users need to know is their Advanced Firewall user account name and password.

Prerequisites

An installed default local certificate, see Setting the Default Local Certificate on page 137 for more
information.

Configuring VPN with SSL


The following section explains how to configure Advanced Firewall for VPNing with SSL.
To configure SSL VPN settings:
1. Browse to the VPN > VPN > Global page. In the SSL VPN settings area, configure the following settings:

Enable SSL VPN
Select to enable SSL VPN on Advanced Firewall.

Transport protocol
Select the network protocol. The following options are available:
TCP (HTTPS): Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for compatibility with filters between the client and the server.
UDP (1194): Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.
SSL VPN network address
Accept the default network address or enter a new one.
SSL VPN users, when they connect, get an IP address on a virtual interface within Advanced Firewall. The IP range must not be one used for any physical network. If the default subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken on the network.
Note: Because connected clients are placed on a virtual network, all machines they access must also have a route to this network.

SSL VPN netmask
Accept the default network netmask or enter a new one.

Force clients to use SSL VPN as gateway
Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route through it, which is generally better as it enforces the policy on the server end.

SSL VPN client gateway(s)
Usually, a client is configured to use Advanced Firewall's primary external IP address as its gateway. However, if dynamic DNS is used, this will not work. Therefore, you have the option to set one or more different gateways.
Enter one IP address or hostname per line. If set, the gateway(s) will be used by the SSL VPN clients as the connecting gateway host. If blank, the primary external IP address of the gateway will be used.

Enable TLS authentication
Select this setting to apply Transport Layer Security (TLS) authentication. TLS authentication can mitigate a denial of service condition.
Note: For systems which have never had VPN configured, this setting is on by default. For systems which have had VPN configured, this setting is off by default.

Choose random gateway
Select this setting to enable clients to connect on a random address when multiple gateways are defined. This is good for load balancing over multiple links.

2. Click Save to save the settings, and, at the top of the page, click Restart to apply the settings.
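Several of the SSL VPN settings above interact: the virtual network must not collide with a physical one, gateways are listed one per line, a random gateway needs more than one entry, and TLS authentication mitigates denial of service. The following Python script, an added example and not Smoothwall code, reviews a proposed set of values against those rules; the networks and hostnames are constructed, and the default subnet printed as 10.110.0/24 is read as 10.110.0.0/24.

```python
"""Review proposed SSL VPN global settings before saving them.

Added example, not Smoothwall code. It checks the rules the settings table
states: the SSL VPN network must not be one used by any physical network,
client gateways are one IP address or hostname per line (blank means the
primary external IP), random gateway only makes sense with several gateways,
and TLS authentication mitigates denial of service. All networks and names
are constructed; the default subnet is read as 10.110.0.0/24.
"""
import ipaddress
import re
from typing import List

HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def ssl_vpn_network(address: str, netmask: str) -> ipaddress.IPv4Network:
    """Combine the 'SSL VPN network address' and 'SSL VPN netmask' fields.
    strict=False lets a host address stand for the network it belongs to."""
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def overlapping(vpn_net: ipaddress.IPv4Network, physical: List[str]) -> List[str]:
    """Physical networks the virtual SSL VPN range would collide with."""
    return [p for p in physical if vpn_net.overlaps(ipaddress.IPv4Network(p))]


def parse_gateways(text: str) -> List[str]:
    """One IP address or hostname per line; blank lines are ignored."""
    gateways = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            # Not an IP address: accept it only if it looks like a hostname.
            if not all(HOSTNAME_LABEL.match(label) for label in entry.split(".")):
                raise ValueError(f"invalid gateway entry: {entry!r}") from None
        gateways.append(entry)
    return gateways


def review(address: str, netmask: str, physical: List[str], gateway_text: str,
           tls_auth: bool, random_gateway: bool) -> List[str]:
    """Return findings; an empty list means the settings look consistent."""
    findings = []
    net = ssl_vpn_network(address, netmask)
    for p in overlapping(net, physical):
        findings.append(f"SSL VPN range {net} overlaps physical network {p}; choose an unused range")
    gateways = parse_gateways(gateway_text)
    if not gateways:
        findings.append("no client gateway set: clients use the primary external IP, "
                        "which the guide notes does not work with dynamic DNS")
    if random_gateway and len(gateways) < 2:
        findings.append("random gateway selected but fewer than two gateways are listed")
    if not tls_auth:
        findings.append("TLS authentication is off; enabling it mitigates denial of service")
    return findings


if __name__ == "__main__":
    # Constructed site: two physical networks plus two proposed VPN ranges.
    lans = ["192.168.1.0/24", "10.110.0.0/16"]
    print(review("10.110.0.0", "255.255.255.0", lans,
                 "vpn.example.net\n", tls_auth=True, random_gateway=True))
    print(review("10.200.0.0", "255.255.255.0", lans,
                 "vpn1.example.net\nvpn2.example.net\n", tls_auth=True, random_gateway=True))
```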

Managing SSL Road Warriors


Managing SSL road warriors entails managing group access to SSL VPNs and managing custom
scripts for SSL VPNs. See the sections that follow for more information.
Note: On Windows Vista, to ensure that a user gets full VPN connectivity, add the user to the built-in
network configuration operator group.

Managing Group Access to SSL VPNs


By default all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or
more groups from using SSL VPNs by disabling access.

To disable a group from using SSL VPN:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. From the Select group drop-down list, select the group you want to disable from using SSL VPN and then click Select. Advanced Firewall displays SSL VPN group settings.
3. De-select the Enable option and click Save. Advanced Firewall disables access.
4. Repeat the steps above for any other groups you want to disable from using SSL VPN.

Managing Custom Client Scripts for SSL VPNs


Advanced Firewall enables you to upload or remove preconnect, connect and disconnect scripts
which can carry out custom commands before or after a VPN comes up or goes down. You can also
deploy scripts based on groups.

Uploading Scripts
To upload scripts:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. In the Select group area, accept the default settings to apply any uploaded scripts to all groups, or, from the Select group drop-down list, select the group to which the script(s) will be specifically deployed. Click Select.
3. To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.
4. When prompted, browse to and select the script. Click Upload preconnect script. Advanced Firewall uploads the script, displays the size of the script and a message confirming a successful upload.
5. Repeat the steps above to upload connect and disconnect scripts as required.

Removing Scripts
To remove scripts:
1. Browse to the VPN > VPN > SSL roadwarriors page.
2. In the Select group area, accept the default settings to remove any uploaded scripts from all groups, or, from the Select group drop-down list, select the group from which the script(s) will be specifically removed. Click Select.
3. To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script. Advanced Firewall removes the script and displays a message confirming a successful removal.
4. Repeat the steps above to remove connect and disconnect scripts as required.

Generating SSL VPN Archives


You can generate an archive of the SSL VPN settings which can be distributed to users. Archives
can contain SSL VPN settings and, optionally, custom client scripts.
To generate an SSL client archive:
1. On the VPN > VPN > Global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 162.
2. If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. See step 4 for what to do next.
3. If you want to include scripts in the archive, browse to the VPN > VPN > SSL roadwarriors page and configure the scripts. For information on how, see Managing Custom Client Scripts for SSL VPNs on page 164. Then click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
4. Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Making the SSL VPN Client Archive Available on page 85.
See Configuring and Connecting Clients on page 166 for information on how to install the SSL VPN software on clients.

Note: An archive can be used for both internal and external use. See Configuring SSL VPN on Internal
Networks on page 165 for more information on internal use.

Configuring SSL VPN on Internal Networks


Advanced Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.
To configure SSL VPN on an internal network:
1. On the VPN > VPN > Global page, configure the SSL VPN settings, see Configuring VPN with SSL on page 162.
2. Click Advanced and, in the Additional SSL VPN client internal interfaces area, select the interface on which to deploy the SSL VPN.
3. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.
Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 162 for more information on external use.
4. Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Making the SSL VPN Client Archive Available on page 85.


Configuring and Connecting Clients


The following sections explain how to install the SSL VPN client software and connect using an SSL VPN connection.

Installing the Software


To install the SSL VPN client software:
1. Extract the client archive, see Configuring VPN with SSL on page 162, to a suitable location and double-click on Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:
2. Click Next to continue. The following screen opens:
3. Read the license and click I agree to continue. The following screen opens:
4. Accept the default components and click Next to continue. The following screen opens:
5. Accept the default destination folder or click Browse to select a different destination. Click Install to continue. The following screen opens:
6. Click Continue Anyway. The following screen opens:
7. Click Next to continue. The following screen opens:
8. Click Finish to complete the installation.

Opening an SSL VPN Connection


To open an SSL VPN connection:
1. In the system tray, right click on OpenVPN GUI and select Connect. The following dialog box is displayed:
2. Configure the following settings:

Username
Enter the name of the user account to be used.

Password
Enter the password belonging to the account.

3. Click OK. The SSL VPN connection is opened.

Closing an SSL VPN Connection

To close an SSL VPN connection:
1. In the system tray, right click on OpenVPN GUI and select Disconnect.

VPN Zone Bridging


In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel,
ensure that appropriate zone bridging rules are configured.
L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road
warriors also require zone bridging rules, and share their zone bridging configuration with IPSec
subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Secure Internal Networking


This part of the manual explains how Advanced Firewall can be used to provide secure internal networking using VPN technology.
An internal VPN capability can be useful in many situations; a few examples of typical scenarios are given below:

Secure wireless access: Commonly used wireless access protocols offer relatively weak levels of security, thus allowing potential intruders to directly access and intercept confidential data on an organization's internal network. Advanced Firewall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource.

Hidden network access: It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.
There is no complicated configuration process for creating such internal VPNs; the facility is provided by globally nominating an internal VPN interface and creating tunnels specifying it as their interface.

Creating an Internal L2TP VPN


To create an internal L2TP VPN connection:
1. Navigate to the VPN > VPN > Global page.
2. In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface.
3. Optionally, click Advanced and configure the following settings:

Enable NAT-Traversal
NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections; therefore, NAT-T can be disabled.
Enable Dead Peer Detection
Used to activate a keep-alive mechanism on tunnels that support it. This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page.
If this feature is not used, it can take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is enabled.

Copy TOS (Type Of Service) bits in and out of tunnels
When selected, TOS bits are copied into the tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it possible for traffic shaping rules within Traffic to act on the TOS bits set by devices inside the network (such as IP phones) and shape that traffic.
If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: There is a theoretical possibility that enabling this setting can be used to spy on traffic.

4. Click Save.

Note: We advise you to limit any zone bridging from the nominated interface to other interfaces. Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region. If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness.
5. Create a certificate for the L2TP client. See Creating a Certificate on page 134.
6. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:

Name
Enter a descriptive name for the tunnel.

Enabled
Select to activate the tunnel once it has been added.

Client IP
Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.

Username
Enter a username for this connection.

Password
Enter a password for the connection.

Again
Re-enter the password to confirm it.

Authenticate by
To dedicate this connection to a specific user, choose the user's certificate from the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management.

L2TP client OS
From the drop-down list, select the L2TP client's OS.

Comment
Enter a descriptive comment.

7. Click Advanced and, from the Local certificate drop-down list, select Default.
8. Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.
To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 158.

Advanced VPN Configuration


The following sections explain how and when you might want to use non-standard configurations of
CAs, certificates and tunnel definitions to:

Allow sites to autonomously manage their own road warriors

Create VPN links between co-operating organizations

Create VPN hubs that link networks of networks.

Multiple Local Certificates


In some instances, it may be desirable to install multiple local certificates that are used to identify the same host. There are a number of situations where this might be desirable:

Autonomous management of road warrior tunnels from multiple sites.

Autonomous management of site-to-site tunnels from multiple sites.

Multiple local certificates are typically used to de-centralize VPN management in larger networks. For instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of a multinational company. Each head office must be responsible for its own VPN links that connect its regional branches to its head office, as otherwise there would be a reliance on a single set of administrators in one country / time zone preparing certificates for the entire organization.
Using the above example, each head office VPN gateway could utilize two local IDs (certificates):

Country head office ID: This ID would be used by a head office to identify itself to head offices from other countries, to form VPN tunnels that make up the international WAN.

Head office ID: This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.
The same concept can be applied to any situation where autonomous VPN management is required. To continue the above example, many of the offices within one particular country require a number of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway could utilize two local IDs (certificates):

Regional branch office ID: This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.

Branch office ID: This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.

Creating Multiple Local Certificates


This example will demonstrate how to delegate VPN management from an unconfigured master
Advanced Firewall system to an unconfigured secondary Advanced Firewall system. The secondary
Advanced Firewall system will be responsible for managing site-to-site and road warrior connections
within its own geography.
Firstly, we must create a tunnel to link the master Advanced Firewall to the secondary Advanced
Firewall.
Since this example covers configuration from scratch, you must follow the instructions from the step
most appropriate to your current level of VPN connectivity.
1. On the master system, navigate to the VPN > VPN > Certificate authorities page.
2. Create a local Certificate Authority, see Creating a CA on page 131.
3. Create signed certificates for the master and secondary Advanced Firewall systems, see Managing
   Certificates on page 134.
4. Install the master signed certificate as the master Advanced Firewall's default local certificate, see
   Setting the Default Local Certificate on page 137.
5. Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs
   IPSec on page 138.
6. Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see
   Exporting Certificates on page 135.
7. Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate
   on page 132.

The remaining series of configuration steps are all carried out on the secondary Advanced Firewall
system, firstly to create the primary site-to-site link.
To create the primary site-to-site link:

1. On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2. Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate
   on page 133.
3. Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate
   on page 136.
4. Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on
   page 137.
5. Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to
   Default, see Site-to-Site VPNs IPSec on page 138.
6. Test the VPN connection.


The next step is to create an additional CA on the secondary Advanced Firewall system. This
additional CA will be used to create another local certificate for the secondary Advanced Firewall
system, as well as certificates for any further site-to-site or road warrior connections that it will be
responsible for managing.
To create an additional CA on the secondary Advanced Firewall system:

1. On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
2. Create a new local Certificate Authority, see Creating a CA on page 131.
3. Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the
   secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 134.
4. Create a new signed certificate for any host whose VPN connectivity will be managed by the
   secondary Advanced Firewall system.
5. Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate
   (created by the previous step) as the Local certificate.
6. Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity will
   be managed by the secondary Advanced Firewall system.
7. Create the remote tunnel specification (this could be a road warrior client or another site-to-site
   gateway).

Public Key Authentication


It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other.
During authentication, each host uses the other host's public key to decrypt the (private key
encrypted) certificate it will be passed as identity credentials.
This configuration does not require the CA that created either host's certificate to be known to either
VPN gateway. This can be useful in many ways:

Simplified internal management, using certificates created by an external Certificate Authority.

Tunnelling between two separate organizations using certificates created by different (possibly
external) CAs.

Alternative scheme to allow both ends of the tunnel to create their own CA and default local
certificates. This would enable each VPN gateway to manage its own site-to-site and road warrior
connections. This achieves the same result as the previous technique described in the Multiple Local
Certificates section.

Note: The use of public key authentication should not be considered as a direct replacement for a stringent
X509 based authentication setup. While public key authentication does use some of the same
technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As
such, appropriate precautions should be taken when considering implementing this alternative
authentication method.

Configuring Both Ends of a Tunnel as CAs


This configuration example uses public key authentication to connect two Advanced Firewall
systems, each with their own CA so that they can manage their own site-to-site and road warrior
connections.
The following assumptions have been made:

Two Advanced Firewall systems.

Each Advanced Firewall has its own CA.

Each CA has created a signed certificate for its own local Advanced Firewall system.
To create the tunnel specifications:

1. On both systems, navigate to the VPN > VPN > Certificates page.
2. Export the local certificates from both Advanced Firewall systems using the PEM format, see
   Exporting Certificates on page 135.
3. Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate
   on page 136.
4. Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the
   second Advanced Firewall system's host certificate in the Authenticate by drop-down list.
5. Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select
   the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.
The tunnel can now be established and authenticated between the two Advanced Firewall systems.
In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and
road warrior connections by using its own CA to create additional certificates.

VPNs between Business Partners


To create a VPN between two separate organizations (such as two firms working together as
partners), it is most likely that an IPSec tunnel will be required. This may be to a non-Advanced
Firewall system, so a degree of co-ordination will be required to decide upon a compatible tunnel
specification.
This example uses certificates created by an external, commercial CA so that each organization can
authenticate certificates presented by the other using a CA that is independent of both organizations.
This configuration example assumes the following:

Local Advanced Firewall system.

Host certificates created by the same commercial CA.

Host certificate, Certificate A, created by the commercial CA for the Advanced Firewall system.

Host certificate, Certificate B, created by the commercial CA for the other organization's VPN gateway.

Firstly, import the certificate created for the local Advanced Firewall system (Certificate A).
To import the certificate:

1. On the local system, navigate to the VPN > VPN > Certificates page.
2. Import Certificate A, see Importing a Certificate on page 136.

Next, import the commercial CA's certificate:

1. On the system, navigate to the VPN > VPN > Certificates page.
2. Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's
   Certificate on page 133.
Next, configure the local tunnel specification in co-operation with the other organization. This is most
likely to be an IPSec site-to-site connection, though it is possible that you could connect to their
network as a road warrior. In either case, full consultation between both organizations is required to
decide on the configuration options to be used on the respective VPN gateways.
Follow these steps to create a site-to-site connection:

1. Connect to Advanced Firewall on the Advanced Firewall system and navigate to the VPN > VPN >
   IPSec subnets page.
2. In the local tunnel specification, choose Default local cert subject or Default local cert subject
   alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified
   values if the other VPN gateway is not directly compatible with Advanced Firewall's communication
   of certificate subjects.
3. Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any
   default local certificate that might be configured.
4. Choose Certificate provided by peer from the Authenticate by drop-down list. This will ensure that
   Advanced Firewall authenticates Certificate B when it is presented by the other organization's VPN
   gateway.
5. From the Remote ID type drop-down list, choose the remote ID type that was entered during the
   creation of Certificate B using the commercial CA.
6. Confer with the other organization regarding all other configuration settings and ensure that they
   authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall
   at connection time.

Extended Site to Site Routing


A useful feature of Advanced Firewall is its ability to use the VPN as a means of linking multiple
networks together by creating a centralized VPN hub. The hub is used to route traffic between
different networks and subnets by manipulation of the local and remote network settings in each
tunnel specification.
This potentially allows every network to be linked to every other network without the need for a fully
routed network of VPN tunnels, i.e. a tunnel from every site to every other site. A fully routed network
can be awkward to configure and maintain.
This configuration example assumes the following:

Site A: Local network 192.168.10.0/255.255.255.0. Tunnel A connects to Site B.

Site B: Local network 192.168.20.0/255.255.255.0. Tunnel A connects to Site A, Tunnel C connects to
Site C.

Site C: Local network 192.168.30.0/255.255.255.0. Tunnel C connects to Site B.

The advantage of this approach is that only one tunnel is required for each remote network. The
disadvantage is that the central VPN gateway is now routing traffic not destined for it, thus it requires
additional resources for its bandwidth. Also, the central VPN gateway creates a single point of failure in
the network. An improved approach would incorporate backup tunnel definitions that could be used to
create a fail-over VPN hub elsewhere on the network.


Site A Tunnel Definition


A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote
network settings:

Local network 192.168.10.0/255.255.255.0

Remote network 192.168.0.0/255.255.0.0


With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel A.
Any traffic destined for the Site C network (any address in the range 192.168.30.0 to
192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its
destination; Tunnel C from Site B will ensure this.

Site B Tunnel Definitions


First, a definition for Tunnel A (connecting Site B to Site A) is required. Use the following local and
remote network settings:

Local network 192.168.0.0/255.255.0.0

Remote network 192.168.10.0/255.255.255.0


With this configuration, any traffic destined for the Site A network (any address in the range
192.168.10.0 to 192.168.10.255) will be routed to Site A, as this range falls within the
definition of the remote end of Tunnel A.
Next, a definition for Tunnel C (connecting Site B to Site C) is required. Use the following local and
remote network settings:

Local network 192.168.0.0/255.255.0.0

Remote network 192.168.30.0/255.255.255.0


With this configuration, any traffic destined for the Site C network (any address in the range
192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the
definition of the remote end of Tunnel C.

Site C tunnel definition


A definition for Tunnel C (connecting Site C to Site B) is required. Use the following local and remote
network settings:

Local network 192.168.30.0/255.255.255.0

Remote network 192.168.0.0/255.255.0.0


With this configuration, any traffic destined for the Site B network (any address in the range
192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the
definition of the remote end of Tunnel C.
Any traffic destined for the Site A network (any address in the range 192.168.10.0 to
192.168.10.255) will also be routed to Site B, as this range also falls within the definition of the
remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its
destination; Tunnel A from Site B will ensure this.

Managing VPN Systems


The following sections document how to:

Control VPNs

Open and close tunnels

Monitor and report tunnel activity

Display tunnel logging information

Update tunnel licensing.

Automatically Starting the VPN System


Advanced Firewall's VPN system can be set to automatically start when the system is booted. This
allows road warriors to tunnel in without having to wait for the system to be started. It also allows
site-to-site tunnels that are initiated on the Advanced Firewall system to automatically negotiate a
site-to-site connection.
To configure automatic start up:

1. Navigate to the VPN > VPN > Control page.
2. In the Automatic control area, select Start VPN sub-system automatically.
3. Click Save.

Manually Controlling the VPN System


The following sections explain how to start, restart, stop and view the status of the VPN system.

Starting/Restarting the VPN system


To start or restart the VPN system:

1. Navigate to the VPN > VPN > Control page.
2. Click Restart in the Manual control region.

Stopping the VPN system


To stop the VPN system:

1. Navigate to the VPN > VPN > Control page.
2. Click Stop in the Manual control region.

Viewing the VPN system status


To view the VPN system status:

1. Navigate to the VPN > VPN > Control page.
2. Click Refresh in the Manual control region.
3. View the current status from the Current status information field.

There are two possible system statuses:

Running: The VPN system is currently operational; tunnels can be connected.

Stopped: The VPN system is not currently operational; no tunnels can be connected.

Viewing and Controlling Tunnels


All configured tunnels can be viewed and controlled from the VPN > VPN > Control page.
There are two possible tunnel statuses:

Open: The tunnel is connected; communication across the tunnel can be made.

Closed: The tunnel is not connected; no communication across the tunnel can be made.

IPSec Subnets


Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the VPN > VPN >
Control page. The information displayed is:

Name: The name given to the tunnel.

Control:
Up: Open the tunnel connection
Down: Close the tunnel connection.

Remote IP: The IP address of the other end of the tunnel.

IPSec Road Warriors


IPSec road warrior connections are shown in the IPSec road warriors region of the VPN > VPN >
Control page. The information displayed is:

Name: The name given to the tunnel.

Control:
Up: Open the tunnel connection
Down: Close the tunnel connection.

Internal IP: The IP address of the local tunnel end.

Remote IP: The IP address of the other end of the tunnel.

L2TP Road Warriors


L2TP road warrior connections are shown in the L2TP Road Warriors region of the VPN > VPN >
Control page. The information displayed is:

Name: The name given to the tunnel.

Control:
Up: Open the tunnel connection
Down: Close the tunnel connection.

Internal IP: The IP address of the local tunnel end.

SSL Road Warriors


SSL road warrior connections are shown in the SSL Road Warriors region of the VPN > VPN >
Control page. The information displayed is:

Username: The name given to the tunnel.

Control:
Up: Open the tunnel connection
Down: Close the tunnel connection.

Internal IP: The IP address of the local tunnel end.

External IP: The IP address of the other end of the tunnel.

VPN Logging
VPN log entries can be found in the Logs and reports > Logs > IPSec page.

VPN Tutorials
The following tutorials cover the creation of the main types of VPN tunnels. The examples build on
each other, i.e. the configuration settings in each example build on those of the previous one.

Example 1: Preshared Key Authentication


This first example begins with a simple two network VPN using shared secrets. The following
networks are to be routed together via a VPN tunnel:

We will use Preshared Key authentication initially. This is the easiest to set up.

Configuring Network A
There is no need for a CA or any certificates.
Create a tunnel with the following characteristics. We call this tunnel Tunnel 1. Where a
parameter is not listed, leave it at its default value:

Parameter                Description
Name                     Tunnel 1
Local network            Set to the opposite end's remote network value.
Local ID type            Local IP
Remote IP or hostname    200.0.0.1
Remote network           192.168.12.0/24
Remote ID type           Remote IP (or ANY if blank Remote IP)
Authenticate by          Preshared Key
Preshared Key            loudspeaker
Preshared Key again      loudspeaker

All other settings can be left at their defaults.

Configuring Network B
Here a single tunnel is created:

Parameter                Description
Name                     Tunnel 1
Local network            Set to the opposite end's remote network value.
Local ID type            Local IP
Remote IP or hostname    100.0.0.1
Remote network           192.168.0.0/24
Remote ID type           Remote IP (or ANY if blank Remote IP)
Authenticate by          Preshared Key
Preshared Key            loudspeaker
Preshared Key again      loudspeaker

Creating a Zone Bridge


In order for traffic to flow down the tunnel, you must create a zone bridge.
To create the zone bridge:

1. On the Networking > Filtering > Zone bridging page, create a zone bridge between the local
   network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional.
   For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Testing
Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should
come up immediately. If this does not happen please refer to Appendix C, Troubleshooting VPNs on
page 331.
To actually test that the VPN is routing, ping a host on the remote network from a machine on the
local one. You should also be able to connect to servers and desktops on the remote network using
your standard tools.
Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote
system ID type and the remote system external IP in the Remote system ID Value.

Example 2: X509 Authentication


In this example, the same network as used in Example 1 will be used, see Example 1: Preshared Key
Authentication on page 178. This time we will improve the setup by using x509 authentication instead
of PSK.

Configuring Network A
Network A will be configured to be the Certificate Authority in the system.
Begin by going to the Authorities page and setting up the CA. In this example, we will list only the
required fields. You should, of course, enter values appropriate to your organization:

Parameter        Description
Common Name      Network A Cert Auth
Organization     My Company Ltd

From now on, we will enter My Company Ltd in all Organization fields on the certificates we create.
Next you should export this certificate in PEM format. We will call this file ca.pem, and save it on the
local workstation's hard disk. You will need this file later.
Switch to the certificates page, and create the local certificate. It requires ID information:

Parameter        Description
ID Type          Host & Domain name
ID Value         tunnela.mycompany.com
Common Name      Network A Local Cert

The peer (the Network B machine) needs a certificate too:

Parameter        Description
ID Type          Host & Domain name
ID Value         tunnelb.mycompany.com
Common Name      Network B Cert
Organization     My Company Ltd

Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will
need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this
file tunnelb.p12.
Now onto the tunnels page. Choose the Network A Local Cert certificate to be the Default local
certificate, and press Save. We will Restart the VPN shortly to make this change active.

The tunnel specification is a little more complex. Here it is:

Parameter                Description
Name                     Tunnel 1
Local network            Set to the opposite end's remote network value.
Local ID type            Default local cert subject alt. name
Remote IP or hostname    200.0.0.1
Remote network           192.168.12.0/24
Remote ID type           Host & Domain name
Remote ID value          tunnelb.mycompany.com
Authenticate by          Certificate presented by peer

Add the tunnel.

Configuring Network B
The first step is to import the certificates.
To import the certificates:

1. On the Certificate authorities page, import the ca.pem file.
2. On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the
   passphrase used to create the export file in both boxes.
3. Choose the certificate Network B Cert as the Default local certificate and click Save. The tunnel
   configuration should look like this:

Parameter                Description
Name                     Tunnel 1
Local network            Set to the opposite end's remote network value.
Local ID type            Default local cert subject alt. name
Remote IP or hostname    100.0.0.1
Remote network           192.168.0.0/24
Remote ID type           Host & Domain name
Remote ID value          tunnel.mycompany.com
Authenticate by          Certificate presented by peer

Creating a Zone Bridge


In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network
and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Testing
As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a
mismatch of IDs. Check the IDs in the certificates by clicking on them in the certificate page. The ID
is the same as the Certificate ID. Examine the log for telltale messages.

Example 3: Two Tunnels and Certificate Authentication


We will now add an additional system, Network C to the VPN network. We want Network C to be
able to access both the Network A subnet and Network B.

In Extended Site to Site Routing on page 174, we explained how to create centralized VPN hubs
using extended subnetting. We will use this technique to allow Network B to route to Network C, and
vice versa.

Network A Configuration
Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following
properties for this certificate:

Parameter        Description
ID Type          Host & Domain name
ID Value         tunnelc.mycompany.com
Common Name      Advanced Firewall C Cert
Organization     My Company Ltd

Modify the existing tunnel to Network B. All settings are unchanged except:

Parameter        Description
Local subnet     192.168.0.0/16

Notice how this subnet mask now covers all subnets in the VPN.
Now we create a new tunnel to Advanced Firewall C:

Parameter                Description
Name                     Tunnel 2
Local subnet             192.168.0.0/16
Local ID type            Default local cert subject alt. name
Remote IP or hostname    250.0.0.1
Remote network           192.168.13.0/24
Remote ID type           Host & Domain name
Remote ID value          tunnelc.mycompany.com
Authenticate by          Certificate presented by peer

Network B Configuration
Modify the tunnel as follows:

Parameter        Description
Remote subnet    192.168.0.0/16

Network C Configuration
Import the certificate, and then create the tunnel to Network A:

Parameter                Description
Name                     Tunnel 2
Local ID type            Default local cert subject alt. name
Remote IP or hostname    100.0.0.1
Remote network           192.168.0.0/16
Remote ID type           Host & Domain name
Remote ID value          tunnela.mycompany.com
Authenticate by          Certificate presented by peer

Creating a Zone Bridge


In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network
and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Testing
Test in the same way as before. After bringing up both tunnels, you should test by pinging a machine
on the Network A end from both of the Network B and Network C networks. Then you should test
that you can route across Network A by pinging a host on the Network C network from the Network
B network.
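As an added illustration that is not part of this guide, the following Python models how a packet is steered across the two hub-and-spoke layouts described in Extended Site to Site Routing (Site B as the hub) and in this Example 3 (Network A as the hub), and shows why the hub's local network has to be widened to 192.168.0.0/16. The Tunnel and Site classes, the trace function and the sample addresses are constructed for this example; Network C's own local network is not listed in Example 3 and is assumed here to be 192.168.13.0/24.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Tunnel:
    """One IPsec site-to-site tunnel definition, as entered on the IPSec subnets page."""
    name: str
    local: IPv4Network    # "Local network" field
    remote: IPv4Network   # "Remote network" field
    peer: str             # site at the other end of the tunnel


@dataclass(frozen=True)
class Site:
    lan: IPv4Network      # the site's own directly connected network
    tunnels: tuple        # Tunnel definitions configured on this site's gateway


def select_tunnel(site: Site, src: IPv4Address, dst: IPv4Address) -> Optional[Tunnel]:
    """Pick the tunnel whose local network contains src and whose remote network contains dst.

    When several match, the most specific remote network wins (longest prefix), which is how
    overlapping definitions such as 192.168.0.0/16 and 192.168.30.0/24 resolve on a hub.
    """
    matches = [t for t in site.tunnels if src in t.local and dst in t.remote]
    if not matches:
        return None
    return max(matches, key=lambda t: t.remote.prefixlen)


def trace(sites: dict, start: str, src: str, dst: str, max_hops: int = 8) -> Optional[list]:
    """Follow a packet from site `start`; return the list of sites it passes through, or None
    when some gateway has no tunnel definition covering the flow (the packet is dropped)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    path, here = [start], start
    for _ in range(max_hops):
        if dst_ip in sites[here].lan:
            return path                      # delivered on this site's own LAN
        tunnel = select_tunnel(sites[here], src_ip, dst_ip)
        if tunnel is None:
            return None
        here = tunnel.peer
        path.append(here)
    raise RuntimeError("routing loop: more than %d hops" % max_hops)


def net(s: str) -> IPv4Network:
    return ip_network(s)


def extended_routing_topology() -> dict:
    """Layout from Extended Site to Site Routing: Site B is the hub."""
    return {
        "Site A": Site(net("192.168.10.0/24"), (
            Tunnel("Tunnel A", net("192.168.10.0/24"), net("192.168.0.0/16"), "Site B"),)),
        "Site B": Site(net("192.168.20.0/24"), (
            Tunnel("Tunnel A", net("192.168.0.0/16"), net("192.168.10.0/24"), "Site A"),
            Tunnel("Tunnel C", net("192.168.0.0/16"), net("192.168.30.0/24"), "Site C"))),
        "Site C": Site(net("192.168.30.0/24"), (
            Tunnel("Tunnel C", net("192.168.30.0/24"), net("192.168.0.0/16"), "Site B"),)),
    }


def example3_topology(hub_local_widened: bool = True) -> dict:
    """Layout from Example 3: Network A is the hub. With hub_local_widened=False the hub keeps
    the Example 2 local network (192.168.0.0/24) instead of the /16 Example 3 changes it to.
    Network C's local network is assumed to be 192.168.13.0/24 (not listed in Example 3)."""
    hub_local = net("192.168.0.0/16") if hub_local_widened else net("192.168.0.0/24")
    return {
        "Network A": Site(net("192.168.0.0/24"), (
            Tunnel("Tunnel 1", hub_local, net("192.168.12.0/24"), "Network B"),
            Tunnel("Tunnel 2", hub_local, net("192.168.13.0/24"), "Network C"))),
        "Network B": Site(net("192.168.12.0/24"), (
            Tunnel("Tunnel 1", net("192.168.12.0/24"), net("192.168.0.0/16"), "Network A"),)),
        "Network C": Site(net("192.168.13.0/24"), (
            Tunnel("Tunnel 2", net("192.168.13.0/24"), net("192.168.0.0/16"), "Network A"),)),
    }


if __name__ == "__main__":
    ext = extended_routing_topology()
    print(trace(ext, "Site A", "192.168.10.5", "192.168.30.7"))    # via Site B to Site C
    print(trace(ext, "Site A", "192.168.10.5", "192.168.99.1"))    # None: hub has no tunnel
    ex3 = example3_topology()
    print(trace(ex3, "Network B", "192.168.12.10", "192.168.13.20"))  # via Network A
    # Without the /16 on the hub, Network A has no definition matching a Network B source.
    print(trace(example3_topology(False), "Network B", "192.168.12.10", "192.168.13.20"))
```

Note that the spoke's /16 remote network also sends traffic for addresses no other site owns (such as 192.168.99.1) up to the hub, where it is dropped; the hub's tunnel definitions are what actually bound where traffic can go.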

Example 4: IPSec Road Warrior Connection


Now we will add a road warrior, running SafeNet SoftRemote. This road warrior will connect to the
Network A gateway.
In addition to being able to access the Network A local network (192.168.0.0/24), the road warrior
will be able to access Network B and Network C as well.

The road warrior is required to assume an internal IP on Network A's local network, in this case:
192.168.0.5:

Network A Configuration
Create a certificate with the following properties:

Parameter        Description
Common Name      IPSec road warrior
Organization     My Company Ltd

Note: No ID is required on this certificate.


Now create the IPSec road warrior tunnel:

Parameter          Description
Name               IPSec road warrior
Local network      192.168.0.0/16
Local ID type      Default local cert subject
Client IP          192.168.0.5
Remote ID type     Remote IP (or ANY if blank Remote IP)
Authenticate by    Certificate provided by peer

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need
the CA file, ca.pem.

SoftRemote Configuration
This tutorial describes setting up the client using a policy template as a shortcut to getting the
connection up and running. Full details, including detailed screen shots, are given in Working with
SafeNet SoftRemote on page 187.
After installing the client, begin by going to the Certificate Manager and importing the ca.pem and
the computercert.p12 certificate.
In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the
installation CD. This policy file contains most of the input fields pre-filled with suitable defaults, and
will save a lot of time configuring the client. If you use different settings to those described in this
tutorial, compression for example, then you will have to modify those settings.
The following fields need to be filled in after importing the policy template.
In road warrior:

Parameter              Description
Gateway IP Address     100.0.0.1
Subnet                 192.168.0.0
Mask                   255.255.0.0

In My Identity:

Parameter                      Description
Internal Network IP Address    192.168.0.5

After making the changes, remember to save the Security Policy.

Creating a Zone Bridge


In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local
network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Testing
To bring up the connection, the simplest way is to ping a host on the network behind the gateway.
After a few retries, you should see the task bar icon change to show a yellow key. This indicates that
the tunnel is up. Your client computer will then appear to be connected to the local network behind
the VPN gateway. This works both ways; a machine on the local network can connect to the road
warrior.
You should be able to browse web servers, and so on. Also, because the tunnel covers all three local
networks, you should be able to connect to all three.

Example 5: L2TP Road Warrior


This example consists of an additional road warrior client, this time running Microsoft Windows XP
and using Microsoft's L2TP road warrior client.

Network A Configuration
Create a certificate with the following properties:

Parameter        Description
Common Name      L2TP road warrior
Organization     My Company Ltd

Note: No ID is required on this certificate.

Now create the L2TP road warrior tunnel:

Parameter          Description
Name               L2TP road warrior
Authenticate by    Certificate provided by peer
Client IP          192.168.0.6
Username           road warrior
Password           microphone

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need
the CA file, ca.pem.

L2TP Client Configuration


This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see
Installing an L2TP Client on page 158.
Begin by using the L2TPWizard to import the two certificates.
After bringing up the New Connection wizard, the only detail that must be configured is the VPN
gateway external address, 100.0.0.1 in this example.
In TCP/IP properties, Advanced settings, you can choose to use the remote network as the default
gateway for the L2TP client. This option, enabled by default, is required if the client needs to be able
to route to the Advanced Firewall B and Advanced Firewall C networks. This is because the L2TP
client does not provide any facilities for setting up remote network masks. In the Connection dialog,
enter the username and password as configured on the Advanced Firewall A gateway:

Parameter    Description
Username     road warrior
Password     microphone

Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.

Creating a Zone Bridge


In order for traffic to flow down the tunnel, you must create a zone bridge.
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local network
and the L2TP interface. If you want traffic to flow in both directions, make the rule bi-directional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.

Working with SafeNet SoftRemote


The following sections are a configuration guide for connecting to the Advanced Firewall VPN
gateway using SafeNet SoftRemote.

Configuring IPSec Road Warriors


First, create a signed certificate for the road warriors. An ID type is not normally required, although it
does no harm to include one when creating the certificate.
When connected, each road warrior gets an IP address in a specified local network zone. The IP
address should be a previously unused address and unique to the road warrior.
Typically, you would choose a group of IP addresses outside of both the DHCP range and the
statically assigned machines such as servers.
Each road warrior user will need their own IP address. On the VPN > VPN > IPSec roadwarrior page,
the Client IP field is used to input the particular local network IP address. Such an IP address must
be in a local network zone and currently unused.
Set the Local ID type to Default local cert Subject, and set the Authenticate by setting to the certificate
for this road warrior connection. Then add the tunnel.
Each road warrior requires their own tunnel, so create as many tunnels as there are road warriors.
When connected, each road warrior client will, to all intents and purposes, be on the local network
zone. It will be possible to route to other subnets, including VPN-connected ones. This also means
that other machines in the network can see the client, just as if it was plugged in directly, so treat a
road warrior host as a full member of that zone when deciding what it may reach (the Advanced
Configuration section below explains how to restrict it to specific hosts).
Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This
includes the encryption settings, and overriding the default local certificate.


Using the SoftRemote Security Policy Template


This documentation covers both version 9 and version 10 of this client. Older versions which support
Virtual IP addresses should also inter-operate. Specifically, version 8 is known to work as well as
version 9. However, you should consider upgrading to at least version 9 because of known
security-related problems with version 8.
We also recommend that the LT versions of this software be used, which do not incorporate Zone
Alarm. Configuration of Zone Alarm will not be covered in this manual.
NAT-T is handled automatically by this client. No extra configuration is required. Check the log
messages in the client to see if NAT-T mode is being used as expected.
1 After installation, open the Certificate Manager. In the Root CAs tab, import the CA .pem file from
Advanced Firewall.

2 In the My Certificates tab, import the .p12 file. Enter the export password, and a short time later the
certificate should appear in the list. Select the certificate, and click Verify (on the right). You should
get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL
(Certificate Revocation List). This indicates the certificate is valid. Note that without a CRL the client
will not notice if the gateway's certificate is later revoked.

3 Next, create a connection in the Security Policy Editor. Open it. To make configuration of this client
easier, you may use a Security Policy template, which will pre-fill most of the settings to suitable values,
saving you from the chore of doing it yourself. For completeness, we will also describe how you
would set up the client without the policy.

4 Import the Security Policy template, policytemplate.spd, which can be found in the extras
folder on the installation CD. After importing this policy, a single connection, named road warrior,
will become available.

5 Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients,
i.e. those described above, only a handful of settings must be entered.

6 In the road warrior section, enter the Remote Subnet, Mask and the gateway's hostname (or IP
address).
7 In the My Identity section, enter the Internal Network IP Address (the Client IP configured for this
road warrior on the gateway).

8 All other fields will be pre-filled. Obviously, if you are not using standard settings, as described in
D.1, then you will have to modify those particular settings. For instance, if you are using
compression, then you will have to enable it in the client.

9 Save the settings, and close the Security Policy Editor.

10 To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest
way to do this is by pinging a host on the remote network. After a series of Request timed out
messages you should start to get packets back, indicating that the VPN is up (you will also notice the
system tray icon change).

Creating a Connection without the Policy File


We will now describe how to set up the client without using the security policy template.
Before creating the connection, you must activate a special feature within the client which allows you
to specify a local network zone IP address for the client to take when it connects to the VPN gateway.

1 Select Global Policy Settings from the Options menu. A window will appear, and you should tick the
box marked Allow to specify internal network address.

2 Now go back to the tree control on the left and choose the New Connection node. You can rename
this to something more appropriate, like road warrior. In this node, configure the remote Subnet
address and Mask.

3 Choose Secure Gateway Tunnel from the Connect using drop-down list, and select an ID Type of
Any. You should then enter either a Gateway IP Address or Gateway Hostname.

4 Next, move to the My Identity node. Select the certificate you imported earlier. The ID type's default,
the Distinguished Name (another name for the subject of a certificate), will suffice. Virtual adapter
should be disabled, and Internet Interface set to Any.

5 In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified
when the tunnel was created.

6 Create a new Phase 1 security policy: Select 3DES encryption, and MD5 as the hashing algorithm.
Set the key group to 5, and choose a SA Life of 3000 seconds. This time period has to be less than
the equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds). This is
necessary to ensure the tunnel is always re-keyed by the client before the gateway's lifetime expires.

7 Finally create a Phase 2 security policy, again with 3DES and MD5, in tunnel mode. Tick the ESP box.
In this page you can select compression or not, as well as key life settings. Once again, set the SA
Life to 3000 seconds.
3DES and MD5 are the algorithms this guide configures on the gateway; both are weak by current
standards, so if you change the gateway's encryption settings (see the note on advanced options
above), select the matching stronger algorithms in both phases here.

8 Test as before, by initiating a connection to a host on the Remote Network. Diagnostic logs are
available through the tool bar icon.

Advanced Configuration
Using the configuration previously described, the selected certificate will be required by the client in
order to obtain a connection. This method is usually desired, but in other cases an Authenticate by
setting of Certificate provided by peer can be more useful, especially if the client certificates are not
installed onto the VPN gateway server.
It is also possible to restrict (or extend) the hosts that the road warrior can access on the local
network zone. This is done by adjusting the Local network parameter in the tunnel configuration. For
example, if you wish to restrict the connected road warriors so that they can only contact a specific
IP address, for example 192.168.2.10, then you could set the Local network parameter to
192.168.2.10/32. Note that this setting is a network address, so you must always specify a network
mask, even if that network mask covers only a single host.
If the VPN server the road warrior connects to is routed onto other networks such as subnet VPNs
or other local network zones, the Local network setting can likewise be expanded to cover them.
Visit the support portal and knowledge base for information on setting up other clients.
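The two rules above, one unused local-zone address per road warrior (Configuring IPSec Road Warriors) and a Local network restriction that must always carry a mask (Advanced Configuration), are easy to get wrong when there are many tunnels. The following is an added example, not code from the Smoothwall guide or product: it models a local network zone with its DHCP range and static hosts, checks a proposed set of road warrior tunnels against those rules, and picks the next free Client IP. The Zone class, function names, zone, DHCP range, hosts and tunnels are all this example's own constructed data.

```python
"""Road warrior address planning (added example; constructed sample data).

Rules modelled from the text: each road warrior gets one unused address in a
local network zone, outside the DHCP range and away from statically assigned
hosts; no two tunnels share a Client IP; the 'Local network' parameter must
carry an explicit mask (192.168.2.10/32, never a bare address).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Zone:
    """A local network zone: its subnet, DHCP range and statically assigned hosts."""
    name: str
    network: ipaddress.IPv4Network
    dhcp_range: Optional[tuple[IPv4, IPv4]] = None
    static_hosts: set = field(default_factory=set)

    def is_free(self, addr: IPv4) -> bool:
        """True if addr is a usable host address in this zone that nothing else claims."""
        if addr not in self.network:
            return False
        if addr in (self.network.network_address, self.network.broadcast_address):
            return False
        if self.dhcp_range and self.dhcp_range[0] <= addr <= self.dhcp_range[1]:
            return False
        return addr not in self.static_hosts


def normalize_local_network(text: str) -> ipaddress.IPv4Network:
    """Parse the tunnel's 'Local network' parameter.

    A bare address is rejected rather than guessed at, because the guide
    requires a mask even for one host. strict=True also rejects values such as
    192.168.2.10/24 (host bits set under the mask), which usually means /32 was meant.
    """
    if "/" not in text:
        raise ValueError(f"Local network {text!r} needs a network mask, e.g. {text}/32")
    return ipaddress.IPv4Network(text, strict=True)


def check_tunnels(zone: Zone, tunnels: list[dict]) -> dict[str, list[str]]:
    """Check each tunnel's Client IP and Local network against the zone.

    Returns {tunnel name: [problems]} for tunnels needing attention; an empty
    dict means the set of tunnels is consistent with the rules above.
    """
    problems: dict[str, list[str]] = {}
    seen: dict[IPv4, str] = {}
    for t in tunnels:
        issues = []
        ip = IPv4(t["client_ip"])
        if ip in seen:
            issues.append(f"client IP {ip} already used by tunnel {seen[ip]!r}")
        else:
            seen[ip] = t["name"]
            if ip not in zone.network:
                issues.append(f"client IP {ip} is not in zone {zone.name} ({zone.network})")
            elif not zone.is_free(ip):
                issues.append(f"client IP {ip} is taken (DHCP range, static host or network/broadcast)")
        try:
            normalize_local_network(t.get("local_network", str(zone.network)))
        except ValueError as exc:
            issues.append(str(exc))
        if issues:
            problems[t["name"]] = issues
    return problems


def next_free_client_ip(zone: Zone, in_use) -> IPv4:
    """Lowest zone address outside the DHCP range, static hosts and in_use."""
    taken = {IPv4(a) for a in in_use}
    for host in zone.network.hosts():
        if zone.is_free(host) and host not in taken:
            return host
    raise RuntimeError(f"no free address left in zone {zone.name}")


# Constructed sample data: a /24 zone with DHCP on .100-.199 and two static hosts.
SAMPLE_ZONE = Zone(
    name="local",
    network=ipaddress.IPv4Network("192.168.2.0/24"),
    dhcp_range=(IPv4("192.168.2.100"), IPv4("192.168.2.199")),
    static_hosts={IPv4("192.168.2.1"), IPv4("192.168.2.10")},
)
SAMPLE_TUNNELS = [
    {"name": "alice", "client_ip": "192.168.2.50", "local_network": "192.168.2.10/32"},
    {"name": "bob", "client_ip": "192.168.2.150"},                 # inside the DHCP range
    {"name": "carol", "client_ip": "192.168.2.50"},                # same Client IP as alice
    {"name": "dave", "client_ip": "192.168.2.10"},                 # a statically assigned server
    {"name": "erin", "client_ip": "192.168.3.5"},                  # not in the zone at all
    {"name": "frank", "client_ip": "192.168.2.51", "local_network": "192.168.2.10"},  # mask missing
]

if __name__ == "__main__":
    for name, issues in check_tunnels(SAMPLE_ZONE, SAMPLE_TUNNELS).items():
        print(f"{name}: " + "; ".join(issues))
    used = [t["client_ip"] for t in SAMPLE_TUNNELS]
    print("next free Client IP:", next_free_client_ip(SAMPLE_ZONE, used))
```

Run against your own zone definition before adding tunnels on the VPN > VPN > IPSec roadwarrior page; the duplicate and DHCP-range checks are the ones that otherwise surface only as an address conflict once the road warrior connects.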

Chapter 10

Authentication and User Management
In this chapter:

Configuring global authentication settings

Working with directory servers

Managing groups of users

Managing temporarily banned users

Viewing user activity

About SSL login

Managing Kerberos keytabs

Using WPA Enterprise

Configuring Global Authentication Settings


Configuring global authentication settings entails setting login timeout, the number of concurrent
login sessions allowed and the type of authentication logging you require.
To configure log-in and logging settings:

1 Navigate to the Services > Authentication > Settings page.
2 Configure the following settings:

Login timeout (minutes)
    Determines the length of time of inactivity after which a user is logged out.
    Accept the default or enter the time out period.
    Note: Setting a short login timeout increases the load on the machine,
    particularly when using transparent NTLM or SSL Login. It also increases
    the rate of re-authentication requests.
    Setting a long login timeout may enable unauthorized users to access
    the network if users leave computers without actively logging out.
    The behavior of some authentication mechanisms is automatically
    adjusted by the time-out period. For example, the SSL Login refresh
    rate will update to ensure that authenticated users do not time-out.
    For more information, see Appendix A, About the Login Time-out on
    page 302.

Concurrent login sessions (per user)
    Determines how many logins are allowed per user. The following options are
    available:
    No limit - Select this option to allow an unlimited number of logins per user,
    or enter the number of logins you want to allow users.

Logging level
    Determines the type of authentication logging you want. The following
    options are available:
    Normal - Select this option to log user login and LDAP server information.
    Verbose - Select this option to log user login and LDAP server information,
    request, response and result information. This option is useful when
    troubleshooting possible authentication issues.

3 Click Save changes. Advanced Firewall applies the changes.

Tip:

Encourage users to pro-actively log-out of the system to ensure that other users of their workstation
cannot assume their privileges if login time-out is yet to occur.

About Directory Servers


The Advanced Firewall authentication service is designed to enable Advanced Firewall to connect to
multiple directory servers in order to:

Retrieve groups configured in directories and apply network and web filtering permissions to users
based on group membership within directories

Verify the identity of a user who is trying to access network or Internet resources.
Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of
the groups configured in the directory and maps them to the groups available in Advanced Firewall.
When the groups have been mapped, permissions and network access permissions in the filtering
and outgoing sections can be granted on the basis of group membership.

For information on how authentication works and interacts with other systems, see Appendix A,
Authentication on page 301.
Currently, Advanced Firewall supports the following directory servers:

Microsoft Active Directory
    Microsoft's Active Directory. For more information, see Configuring
    a Microsoft Active Directory Connection on page 195.
    For information on using the legacy method to connect to Active
    Directory, see Configuring an Active Directory Connection
    Legacy Method on page 200.

Novell eDirectory, Apple/Open LDAP, 389 Directory
    Various directories which support the LDAP protocol. For more
    information, see Configuring an LDAP Connection on page 196.

RADIUS
    Remote Authentication Dial In User Service. For more information,
    see Configuring a RADIUS Connection on page 199.

Local users
    A directory of Advanced Firewall local users. For more information,
    see Configuring a Local Users Directory on page 203.

Configuring Directories
The following sections explain how to configure Advanced Firewall for use with supported directory
servers.

Configuring a Microsoft Active Directory Connection


The following sections explain the prerequisites for Microsoft Active Directory and how to configure
Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory


Before you configure any settings for use with Active Directory:

On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the
secondary, DNS server containing the Active Directory information is specified correctly. This DNS
server is used by Advanced Firewall for name lookups. For more information, see Appendix A,
Advanced Firewall and DNS on page 302.

In Active Directory, choose or configure a non-privileged user account to use for joining the domain.
Advanced Firewall stores this account's credentials, for instance, when backing-up and replicating
settings, so the account should hold no rights beyond those listed below.

Note: We strongly recommend that you do not use an administrator account.


The account that you use needs permission to modify the Computers container. To delegate these
permissions to a non-privileged user account, choose Delegate Control on the Computers container,
create a custom task to delegate and, for Computer objects, grant the full control, create and delete
privileges.

Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized
using NTP. See Chapter 13, Setting Time on page 269 for more information.


Configuring an Active Directory Connection


The following section explains what is required to configure a connection to Active Directory.
To configure the connection:

1 On the Services > Authentication > Directories page, click Add new directory.

2 In the Add new directory dialog box, select Active Directory and configure the following settings:

Status
    Select Enabled to enable the connection.

Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s)
    enables Advanced Firewall to apply network permissions to users coming from
    different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall
    license type and they have been configured on the System >
    Administration > Tenants page.
    For more information on tenants, see Chapter 13, Managing Tenants on
    page 275.
    For more information on licensing, contact your Smoothwall
    representative.

Domain
    Enter the full DNS domain name of the domain. Other trusted domains will be
    accessible automatically.

Username
    Enter the username of the user account.

Password
    Enter the password for the user account.

Confirm
    Re-enter the password to confirm it.

Cache timeout (minutes)
    Click Advanced. Accept the default or specify the length of time Advanced
    Firewall keeps a record of directory-authenticated users in its cache.
    Advanced Firewall will not need to query the directory server for users who log
    out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server.
    Setting a long cache timeout means that old passwords are valid for
    longer, i.e. until the cache timeout has been passed.

Comment
    Optionally, enter a comment about the directory.

3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the
connection.

Configuring an LDAP Connection


The following section explains what is required to configure a connection to an eDirectory, Apple/
OpenLDAP or 389 directory server.
To configure an LDAP connection:

1 On the Services > Authentication > Directories page, click Add new directory.

2 In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP
Directory or 389 Directory and configure the following settings:

Status
    Select Enabled to enable the connection.

Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s)
    enables Advanced Firewall to apply network permissions to users coming from
    different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall
    license type and they have been configured on the System >
    Administration > Tenants page.
    For more information on tenants, see Chapter 13, Managing Tenants on
    page 275.
    For more information on licensing, contact your Smoothwall
    representative.

LDAP server
    Enter the directory's IP address or hostname.
    Note: If using Kerberos as the bind method, you must enter the hostname.

Username
    Enter the username of a valid account in LDAP notation, that is, as a
    distinguished name.
    The format depends on the configuration of the LDAP directory. Normally it
    should look something like this:
    cn=user,ou=container,o=organization
    This is what is referred to in Novell eDirectory as tree and context. A user
    in the tree Organization and in the context Sales would have the
    LDAP notation:
    cn=user,ou=sales,o=organization
    For Apple Open Directory, when not using Kerberos, the LDAP username can
    be written as: uid=user,cn=users,dc=example,dc=org
    Consult your directory documentation for more information.

Password
    Enter the password of a valid account.
    Note: A password is not required if using simple bind as the bind method.

Confirm
    Re-enter the password to confirm it.

Bind method
    Accept the default bind method, or from the drop-down list, select one of the
    following options:
    TLS (with password) - Select to use Transport Layer Security (TLS).
    Kerberos - Select to use Kerberos authentication.
    Simple bind - Select to bind without encryption. This is frequently used by
    directory servers that do not require a password for authentication. If you do
    supply a password with a simple bind, it crosses the network in clear text
    unless the connection itself is protected, for example by LDAPS on port 636
    (see LDAP port below).

Kerberos realm
    If using Kerberos, enter the Kerberos realm. Use capital letters.


User search root
    Enter where in the directory Advanced Firewall should start looking for user
    accounts. Usually, this is the top level of the directory, which for a
    domain-style directory is seen as dc=mycompany,dc=local.
    For example: ou=myusers,dc=mydomain,dc=local
    OpenLDAP based directories will often use the form o=myorganization
    Apple Open Directory uses the form: cn=users,dc=example,dc=org
    A Novell eDirectory will refer to this as the tree, taking the same form as the
    OpenLDAP-based directories o=myorganization.
    Note: In larger directories, it may be a good idea to narrow down the user
    search root so Advanced Firewall does not have to look through the
    entire directory. For example, if all users that need to be authenticated
    have been placed in an organizational unit, the user search root can be
    narrowed down by adding ou=userunit in front of the domain base.
    Note: When working with multi domain environments, the user search root
    must be set to the top level domain.

Group search roots
    Enter where in the directory Advanced Firewall should start looking for user
    groups. Usually this will be the same location as configured in the user search
    root field.
    For example: ou=mygroups,dc=mydomain,dc=local
    Apple Open Directory uses the form: cn=groups,dc=example,dc=org
    Note: With larger directories, it may be necessary to narrow down the group
    search root. Some directories will not return more than 1000 results for
    a search, so if there are more than 1000 groups in the directory, a more
    specific group search root needs to be configured. The principle is the
    same as with the user search root setting.
    If there are multiple OUs containing groups that need to be mapped, add the
    other locations in the advanced section.

Cache timeout
    Accept the default or specify the length of time Advanced Firewall keeps a
    record of directory-authenticated users in its cache.
    Advanced Firewall does not query the directory server for users who log out
    and log back in as long as their records are still in the cache.

LDAP port
    Accept the default or enter the LDAP port to use.
    Note: LDAPS (SSL) will be automatically used if you enter port number 636.

Extra user search roots
    This option enables you to enter directory-specific user search paths when
    working with a large directory structure which contains multiple OUs and many
    users.
    Enter one search root per line.

Extra group search roots
    Optionally, enter where in the directory Advanced Firewall should start looking
    for more user groups.
    Enter one search root per line.
    For more information, see Appendix A, Working with Large Directories on
    page 303.



Extra realms
    This setting enables you to configure subdomains manually, instead of
    discovering them through DNS. Use the following format:
    <realm><space><kdc server>
    For example:
    example.org kdc.example.org
    Enter one realm per line.

Discover Kerberos realms through DNS
    Only available if you have selected Kerberos as the bind method. Select this
    advanced option to use DNS to discover Kerberos realms.
    Using DNS to discover realms configures Advanced Firewall to try to find all
    the domains in the directory server by querying the DNS server that holds the
    directory information.

Comment
    Optionally, enter a comment about the directory.

3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the
connection.
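The settings table above states several constraints that the form itself does not check for you: the bind username must be a distinguished name, a narrowed search root must still lie under the domain base it narrows, Kerberos needs a hostname and an upper-case realm, a simple bind is unencrypted unless the port is 636, and Extra realms lines are "<realm> <kdc server>". The following is an added example, not code from the Smoothwall guide or product, that applies those checks to a settings dict before you type the values into the dialog. The dict keys, the directory_base key (standing in for the domain base the table refers to), the DN parser and the function names are this example's own, and the sample settings are constructed.

```python
"""Pre-flight checks for LDAP directory settings (added example; constructed data)."""
import re

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas.
    Attribute types are lower-cased so CN=... and cn=... compare equal."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep the escape and the escaped char
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"{dn!r} is not an LDAP DN: RDN {rdn!r} has no '='")
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def is_under(dn, base):
    """True if dn equals base or lies beneath it (base is a suffix of dn's RDNs)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def parse_extra_realms(text):
    """Parse the 'Extra realms' field: one '<realm> <kdc server>' pair per line."""
    realms = {}
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"Extra realms line {n}: expected '<realm> <kdc server>', got {line!r}")
        realms[parts[0]] = parts[1]
    return realms


def check_ldap_settings(s):
    """Return a list of warnings; an empty list means the form is consistent."""
    warnings = []
    parse_dn(s["username"])        # raises on a bare login name such as 'admin'
    base = s["directory_base"]
    for key in ("user_search_root", "group_search_root"):
        if not is_under(s[key], base):
            warnings.append(f"{key} {s[key]!r} is not under the directory base {base!r}")
    port = int(s.get("ldap_port", 389))
    bind = s["bind_method"]
    if bind == "Kerberos":
        if _IPV4.fullmatch(s["ldap_server"]):
            warnings.append("Kerberos bind needs the LDAP server's hostname, not an IP address")
        realm = s.get("kerberos_realm", "")
        if not realm or realm != realm.upper():
            warnings.append(f"Kerberos realm {realm!r} must be written in capital letters")
        parse_extra_realms(s.get("extra_realms", ""))   # malformed lines raise
    elif bind == "Simple bind" and port != 636:
        warnings.append(f"simple bind on port {port} sends any bind password in clear text; "
                        "use port 636 (LDAPS) or the TLS bind method")
    elif bind == "TLS (with password)" and not s.get("password"):
        warnings.append("TLS (with password) selected but no password given")
    return warnings


# Constructed sample settings for an OpenLDAP-style directory bound with Kerberos.
SAMPLE_OK = {
    "ldap_server": "ldap.example.org",
    "username": "cn=smoothwall,ou=service,dc=example,dc=org",
    "password": "s3cret",
    "bind_method": "Kerberos",
    "kerberos_realm": "EXAMPLE.ORG",
    "directory_base": "dc=example,dc=org",
    "user_search_root": "ou=people,dc=example,dc=org",
    "group_search_root": "ou=groups,dc=example,dc=org",
    "extra_realms": "sub.example.org kdc.sub.example.org\n",
}
# Three mistakes in one form: IP instead of hostname, lower-case realm, search root outside the base.
SAMPLE_BAD = dict(SAMPLE_OK, ldap_server="192.0.2.10", kerberos_realm="example.org",
                  user_search_root="ou=people,dc=other,dc=org")

if __name__ == "__main__":
    for label, settings in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_ldap_settings(settings) or "no warnings")
```

The search-root check is the one worth keeping: when you narrow a root by prepending an OU, a typo in the domain part silently yields a root that matches nothing, and the symptom on the firewall is simply an empty group list.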

Configuring a RADIUS Connection


You can configure Advanced Firewall to use a Remote Authentication Dial In User Service (RADIUS)
as an authentication service.

Prerequisites
Before you configure any settings:

Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server
documentation for more information.

Configuring the Connection


To configure the connection:

1 On the Services > Authentication > Directories page, click Add new directory.

2 In the Add new directory dialog box, select RADIUS and configure the following settings:

Status
    Select Enabled to enable the connection.

Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s)
    enables Advanced Firewall to apply network permissions to users coming from
    different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall
    license type and they have been configured on the System >
    Administration > Tenants page.
    For more information on tenants, see Chapter 13, Managing Tenants on
    page 275.
    For more information on licensing, contact your Smoothwall
    representative.

RADIUS server
    Enter the hostname or IP address of the RADIUS server.

Secret
    Enter the secret shared with the server.

Confirm
    Re-enter the secret to confirm it.



Action on login failure
    Try next directory server - Select this option if users in RADIUS are
    unrelated to users in any other directory server.
    Deny access - Select this option if the RADIUS password should override the
    password set in another directory server, for example when using an
    authentication token. With this option a user whose RADIUS check fails is
    denied even if a later directory in the list would accept the password.

Identifying IP address
    Enter the IP address to use to identify the caller connecting to the RADIUS
    server, if it must be different to the internal IP address of the system.

Obtain groups from RADIUS
    If the RADIUS server can provide group information, select this option to
    enable Advanced Firewall to use the group information in the RADIUS Filter-Id
    attribute.
    When not enabled, Advanced Firewall will use group information from the next
    directory server in the list. If there are no other directories in the list, Advanced
    Firewall will place all users in the Default Users group.

Cache timeout (minutes)
    Accept the default or specify the length of time Advanced Firewall keeps a
    record of directory-authenticated users in its cache.
    Advanced Firewall does not query the directory server for users who log out
    and log back in as long as their records are still in the cache.

Port
    Accept the default port or specify a UDP port to use when communicating with
    the RADIUS server. The default is port 1812.

Comment
    Optionally, enter a comment about the directory.

3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the
connection.

Configuring an Active Directory Connection - Legacy Method


Note: This is the legacy method of configuring an Active Directory connection. For a simpler method, we
recommend that you use the latest method, see Configuring a Microsoft Active Directory Connection
on page 195 for more information.
The following sections explain the prerequisites for Microsoft Active Directory and how to use the
legacy method to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory


Before you configure any settings for use with Active Directory:

Run the Advanced Firewall Setup program and check that the DNS server containing the Active
Directory information is specified correctly. This DNS server is used by Advanced Firewall for name
lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302 and the
Advanced Firewall Installation and Setup Guide.

Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active
Directory servers.

Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.

Note: Do not use the administrator account as the lookup user. Often the administrator account will not
have a Windows 2000 username, preventing the account from being used by the authentication
service.


Configuring an Active Directory Connection


Configuring an Active Directory connection entails specifying server details and optionally the
Kerberos realm to use, search roots and any advanced settings required.
To configure the connection:

1 Navigate to the Services > Authentication > Directories page.

2 In the Add directory server area, from the Directory server drop-down list, select Active Directory
and click Next. Advanced Firewall displays the settings for Active Directory.

3 Configure the following settings:

Status
    Select Enabled to enable the connection.

Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s)
    enables Advanced Firewall to apply network permissions to users coming from
    different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall
    license type and they have been configured on the System >
    Administration > Tenants page.
    For more information on tenants, see Chapter 13, Managing Tenants on
    page 275.
    For more information on licensing, contact your Smoothwall
    representative.

Active Directory server
    Enter the directory server's full hostname.
    Note: For Microsoft Active Directory, Advanced Firewall requires DNS servers
    that can resolve the Active Directory server hostnames. Often, these will
    be the same servers that hold the Active Directory. The Active Directory
    DNS servers will need a reverse lookup zone with pointer (PTR) records
    for the Active Directory servers for a successful lookup to be able to take
    place.
    Refer to the Microsoft DNS server help if you need assistance in setting
    up a reverse lookup zone. See also, Appendix A, Advanced Firewall and
    DNS on page 302 for more information.

Username
    Enter the username of a valid account.
    Enter the username without the domain. The domain will be added
    automatically by Advanced Firewall.
    In a multi domain environment, the username must be a user in the top level
    domain. For more information, see Appendix A, Active Directory on page 303.

Password
    Enter the password of a valid account.

Confirm
    Re-enter the password to confirm it.

Cache timeout (minutes)
    Accept the default or specify the length of time Advanced Firewall keeps a
    record of directory-authenticated users in its cache.
    Advanced Firewall will not need to query the directory server for users who log
    out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server.
    Setting a long cache timeout means that old passwords are valid for
    longer, i.e. until the cache timeout has been passed.

Kerberos realm
    Optionally, select Automatic or enter the Kerberos realm.


User search root
    Optionally, to configure Advanced Firewall to start looking for user accounts at
    the top level of the directory, select Automatic.
    Or enter the user search root to start looking in, for example:
    ou=myusers,dc=mydomain,dc=local
    Note: When working with multi-domain environments, the user search root
    must be set to the top level domain.

Group search root
    Optionally, to configure Advanced Firewall to start looking for user groups at
    the top level of the directory, select Automatic.
    Or enter the group search root to start looking in, for example:
    ou=mygroups,dc=mydomain,dc=local
    Note: Some directories will not return more than 1 000 results for a search, so
    if there are more than 1 000 groups in the directory, a more specific
    group search root needs to be configured.

Comment
    Optionally, enter a comment about the directory server and the settings used.

Enabled
    Select this option to enable the connection to the directory server.

4 Optionally, click Advanced to access and configure the following settings:

LDAP port
    Accept the default, or enter the LDAP port to use.

Discover Kerberos realms through DNS
    Select this option to use DNS to discover Kerberos realms.
    Using DNS to discover realms configures Advanced Firewall to try to find all
    the domains in the directory server by querying the DNS server that holds the
    directory information.

Use sAMAccountName
    This setting applies when using Microsoft Windows NT4 or older
    installations.
    Select this option to identify users by their sAMAccountName instead of
    their userPrincipalName.

NetBIOS workgroup
    This setting applies when using NTLM authentication with Guardian.
    Advanced Firewall cannot join domains required for NTLM authentication
    where the workgroup, also known as NetBIOS domain name or pre-Windows
    2000 domain name, is not the same as the Active Directory domain.
    Select Automatic or enter the NetBIOS domain name to use when joining
    the workgroup.

Extra user search roots
    This option enables you to enter directory-specific user search paths when
    working with a large directory structure which contains multiple OUs and
    many users.
    Enter search roots one per line.

Extra group search roots
    Optionally, enter where in the directory Advanced Firewall should start
    looking for more user groups.
    Enter search roots one per line.
    For more information, see Appendix A, Working with Large Directories on
    page 303.

Extra realms
    This setting enables you to configure subdomains manually, as opposed to
    automatically, using DNS. Use the following format:
    <realm><space><kdc server>
    For example:
    example.org kdc.example.org
    Enter one realm per line.

5 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the
connection.

Configuring a Local Users Directory


Advanced Firewall stores user account information comprised of usernames, passwords and group
membership in local user directories so as to provide a standalone authentication service for network
users.
To configure a local users directory:

1 On the Services > Authentication > Directories page, click Add new directory.

2 In the Add new directory dialog box, select Local users and configure the following settings:

Status
    Select Enabled to enable the connection.

Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s)
    enables Advanced Firewall to apply network permissions to users coming from
    different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall
    license type and they have been configured on the System >
    Administration > Tenants page.
    For more information on tenants, see Chapter 13, Managing Tenants on
    page 275.
    For more information on licensing, contact your Smoothwall
    representative.

Name
    Accept the default name or enter a new name.

Comment
    Optionally, enter a comment about the directory.

3 Click Add. Advanced Firewall adds the directory to its list of directories. For information on adding
and managing local users, see Managing Local Users on page 204.

Reordering Directory Servers

Tip: If most of your users are in one directory, list that directory first so as to reduce the number of queries
required. If user passwords are checked by a RADIUS server and group information is obtained from
LDAP, list the RADIUS server first.
To reorder directory servers:
1. On the Services > Authentication > Directories page, select the directory server you want to
   move and click Up or Down until the server is where you want it.
2. Repeat the step above for any other directories you want to move.
3. Click Save moves. Advanced Firewall applies the changes.



Tip: You can also drag and drop directories to where you want them. Just remember to click Save
moves.

Editing a Directory Server

To edit a directory server:
1. On the Services > Authentication > Directories page, point to the directory server and click Edit.
   The Edit directory dialog box opens.
2. Make the changes required; see Configuring Directories on page 195 for information on the settings
   available.
3. Click Save changes. Advanced Firewall applies the changes.

Deleting a Directory Server

To delete a directory server:
1. On the Services > Authentication > Directories page, point to the directory server and click
   Delete. When prompted, confirm that you want to delete the directory. Advanced Firewall deletes
   the server.

Diagnosing Directories
It is possible to review a directory's status and run diagnostic tests on it.
To diagnose a directory:
1. On the Services > Authentication > Directories page, point to the directory server and click
   Diagnose. Advanced Firewall displays current directory connection, user account and status
   information.

Tip: You can diagnose multiple directories at the same time. Select the directories and click Diagnose.

Managing Local Users


Advanced Firewall stores user account information comprised of usernames, passwords and group
membership in local user directories so as to provide a standalone authentication service for network
users.

Adding Users
To add a user to a local user directory:
1. On the Services > Authentication > Directories page, click on the local user directory you want
   to add a user to. Advanced Firewall displays any current local users.
2. Click Add new user. In the Add new user dialog box, configure the following settings:

Setting             Description
Enabled             Select to enable the user account.
Username            Enter the user account name.
Password            Enter the password associated with the user account. Passwords must be a
                    minimum of six characters long.
Repeat password     Re-enter the password to confirm it.
Select group        From the drop-down menu, select a group to assign the user account to.

3. Click Add. Advanced Firewall saves the information.
4. Repeat the steps above to add more users.

Editing Local Users

To edit an existing user's details:
1. On the Services > Authentication > Directories page, click on the local user directory containing
   the user account you want to edit. Advanced Firewall displays current local users.
2. Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See
   Adding Users on page 204 for more information on the settings available.
3. Click Save changes. Advanced Firewall applies the changes.

Deleting Users
To delete users:
1. On the Services > Authentication > Directories page, click on the local user directory containing
   the user account(s) you want to delete. Advanced Firewall displays current local users.
2. Point to the user account and click Delete. When prompted, confirm that you want to delete the
   account. Advanced Firewall deletes the account.
3. Repeat the steps above to delete other accounts.

Mapping Groups
Once you have successfully configured a connection to a directory, you can map the groups
Advanced Firewall retrieves from the directory in order to apply permissions and restrictions to the
users in the groups.
To map directory groups to Advanced Firewall groups:
1. On the Services > Authentication > Directories page, click on the directory that contains the
   group you want to map. Advanced Firewall displays any current group mappings.
2. Click Add new group mapping. In the Add new group mapping dialog box, configure the following
   settings:

Setting             Description
Directory service   From the drop-down list, select the directory group(s) you want to map.
group               Tip: You can filter the groups shown by entering parts of group names in this
                    field.
Local group         From the drop-down list, select the Advanced Firewall group you want to map
                    the directory service group(s) to.
Enabled             Select to enable the mapping.

3. Click Add. Advanced Firewall creates the mapping.


Remapping Groups
It is possible to change group mappings.
To remap groups:
1. On the Services > Authentication > Directories page, click on the directory that contains the
   group you want to remap. Advanced Firewall displays the current group mappings.
2. Point to the group and click Edit. In the Edit group mapping dialog box, remap the group(s) as
   required. See Mapping Groups on page 205 for more information on the settings available.
3. Click Save changes. Advanced Firewall remaps the group(s).

Deleting Group Mappings

It is possible to delete group mappings.
To delete one or more group mappings:
1. On the Services > Authentication > Directories page, click on the directory that contains the
   mapping(s) you want to delete. Advanced Firewall displays the current group mappings.
2. Select the mapping(s) and click Delete. When prompted, confirm the deletion by clicking Delete.
   Advanced Firewall deletes the mapping(s).

Managing Temporarily Banned Users


Advanced Firewall enables you to temporarily ban specific user accounts. When temporarily banned,
the user is added to the Banned users group.
Note: You can apply any web filtering policy to the Banned users group.

Creating a Temporary Ban

Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more
information, see Chapter 13, Administrative User Settings on page 274.
To ban an account temporarily:
1. Navigate to the Services > Authentication > Temporary bans page.
2. Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following
   settings:

Setting             Description
Status              Select Enabled to enable the ban immediately.
Username            Enter the user name of the account you want to ban.
Ban expires         Click and select when the ban expires.
Comment             Optionally, enter a comment explaining why the account has been banned.

3. Click Add. Advanced Firewall enforces the ban immediately.

Tip: You can edit the block page displayed to banned users so that it gives them information on the ban
in force. See Chapter 7, Managing Block Pages on page 101 for more information.

Tip: There is also a ban option on the Services > Authentication > User activity page. For more
information, see Managing User Activity on page 208.

Removing Temporary Bans

To remove a ban:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, select the ban and click Remove. Advanced Firewall removes the ban.

Removing Expired Bans

To remove bans which have expired:
1. Navigate to the Services > Authentication > Temporary bans page.
2. In the Current rules area, click Remove all expired. Advanced Firewall removes all bans which have
   expired.


Managing User Activity


Advanced Firewall enables you to see who is logged in and who has recently logged out. You can
also log users out and/or ban them.

Viewing User Activity

To view activity:
1. Navigate to the Services > Authentication > User activity page.
   Advanced Firewall displays who is logged in, who recently logged out, the group(s) the user belongs
   to, their source IP and the method of user authentication.
   Recently logged out users are listed for 15 minutes.

Logging Users Out

To log a user out:
1. On the Services > Authentication > User activity page, point to the user you want to log out and
   click Log user out. Advanced Firewall logs the user out immediately and lists them as logged out.

Note: Logging a user out is not the same as blocking a user from accessing web content. Connection-based
authentication will automatically log the user back in. If the user is using SSL login, they will be
prompted to authenticate again.

Banning Users
To ban a user:
1. On the Services > Authentication > User activity page, point to the user you want to ban and
   click Ban user. Advanced Firewall copies the user's information and displays it on the Services >
   Authentication > Temporary bans page where you can configure the ban. For more information, see
   Creating a Temporary Ban on page 206.

About SSL Authentication


Advanced Firewall provides SSL Login as a built-in authentication mechanism which can be used by
authentication-enabled services to apply permissions and restrictions on a customized, per-user
basis.
When SSL Login is configured, network users requesting port 80 for outbound web access will be
automatically redirected to a secure login page, the SSL Login page, and prompted for their user
credentials.
The SSL Login page can be manually accessed by users wishing to pro-actively authenticate
themselves, typically where they need to use a non-web authentication-enabled service, for example,
group bridging, or where only a small subset of users require authentication.
SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated
user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an
authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound
requests on port 80 will again cause automatic redirection to the SSL Login.

Customizing the SSL Login Page


When using SSL as an authentication method, it is possible to customize the title image, background
image and message displayed on an SSL login page.

Customizing the Title Image

It is possible to customize the title image displayed on the SSL login page.
To upload a custom title image:
1. Browse to the Services > Authentication > SSL login page.
2. Click the Title image Browse/Select file button. Using your browser's controls, locate and select
   the file.
3. Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login
   page.

Customizing the Background Image

It is possible to customize the background image used on an SSL login page.
To upload a background image:
1. On the Services > Authentication > SSL login page, click the Background image Browse/Select
   file button. Using your browser's controls, locate and select the file.
2. Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login
   page.

Removing Custom Files

To remove a custom file:
1. Browse to the Services > Authentication > SSL login page.
2. To remove the title image, adjacent to Title image, click Delete.
3. To remove the background image, adjacent to Background image, click Delete.

Customizing the Message

It is possible to provide users with a customized message.
To customize the login message:
1. Navigate to the Services > Authentication > SSL login page.
2. In the Customize SSL Login area, enter your custom message in the SSL login page text box.
3. Click Save changes to apply the new message.

Reviewing SSL Login Pages

You can review SSL Login pages.
To review the SSL Login page:
1. In the web browser of your choice, enter your Advanced Firewall system's IP address and /login.
   For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login.
   Advanced Firewall displays the SSL login page.

Configuring SSL Login

Note: If you add Guardian3 to an Advanced Firewall installation which does not have SSL login configured,
the SSL login redirection section will not be available.
If you add Guardian3 to an Advanced Firewall installation which already has SSL login configured,
ensure that SSL Login redirection is not enabled both on interface(s) on this page and in a web proxy
authentication policy. For more information on web proxy authentication policies, see the Guardian3
Administrators Guide.
SSL Login authentication is configured on a per-interface basis.
To configure SSL Login:
1. Navigate to the Services > Authentication > SSL login page.
2. In the SSL login redirection area, select each interface on which you want to activate SSL Login.
3. Click Save changes. Advanced Firewall enables SSL Login on the selected interfaces.

Creating SSL Login Exceptions

SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets
from being automatically redirected to the SSL Login page.
Tip: This option is useful when you want to avoid requiring servers to authenticate.

To create an SSL login exception:
1. Browse to the Services > Authentication > SSL login page.
2. Locate the SSL login redirection area. In the Redirect exception addresses field, enter an IP
   address, IP range or subnet that should not be redirected to the SSL Login.
3. Repeat the step above on a new line for each further exception you want to make.
4. Click Save changes.
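The redirect mechanism described under About SSL Authentication (a per-IP bypass rule added at login and removed at logout or time-out) together with the exception list above, modelled as an added example. This is not Smoothwall's code: the in-memory session table, the treatment of the time-out as an idle time-out, and the three accepted exception syntaxes (single host, CIDR subnet, first-last range) are assumptions made for illustration, and the addresses used are constructed.

```python
"""Model of the SSL Login redirect decision (added example, not Smoothwall's code).

Assumptions: authenticated users are held in a table keyed by source IP with an
idle time-out, and the exception field accepts a host, a CIDR subnet or an
inclusive first-last range, one per line.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPRange = Tuple[int, int]          # (first, last) as integers, inclusive


def parse_exceptions(text: str) -> List[Union[IPNet, IPRange]]:
    """Parse the Redirect exception addresses field, one entry per line.

    Blank lines are ignored; anything unparseable raises ValueError naming the
    line, so a typo cannot silently exempt the wrong hosts from the login page.
    """
    entries: List[Union[IPNet, IPRange]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            if "-" in line:                      # first-last range
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                if lo.version != hi.version or int(lo) > int(hi):
                    raise ValueError("invalid range")
                entries.append((int(lo), int(hi)))
            else:                                # single host or CIDR subnet
                entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"exception line {lineno} ({line!r}): {exc}") from None
    return entries


def is_excepted(ip: str, entries: List[Union[IPNet, IPRange]]) -> bool:
    """True if ip falls inside any configured exception."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if isinstance(entry, tuple):
            if entry[0] <= int(addr) <= entry[1]:
                return True
        elif addr.version == entry.version and addr in entry:
            return True
    return False


@dataclass
class SSLLoginState:
    """The dynamic per-IP bypass rules the text describes."""
    timeout: float                                   # idle seconds before a rule is removed
    exceptions: List[Union[IPNet, IPRange]] = field(default_factory=list)
    sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)   # ip -> (user, last_seen)

    def login(self, ip: str, user: str, now: float) -> None:
        """A successful SSL Login adds the bypass rule for the client's IP."""
        self.sessions[ip] = (user, now)

    def logout(self, ip: str) -> None:
        """Explicit logout removes the rule at once."""
        self.sessions.pop(ip, None)

    def expire(self, now: float) -> List[str]:
        """Drop rules idle longer than the time-out; return the IPs removed."""
        gone = [ip for ip, (_, seen) in self.sessions.items() if now - seen > self.timeout]
        for ip in gone:
            del self.sessions[ip]
        return gone

    def decide(self, src_ip: str, dst_port: int, now: float) -> str:
        """Return 'pass', 'allow' or 'redirect' for one outbound request."""
        if dst_port != 80:
            return "pass"                            # only plain HTTP is redirected
        if is_excepted(src_ip, self.exceptions):
            return "allow"                           # excepted servers never see the login page
        if src_ip in self.sessions:
            user, _ = self.sessions[src_ip]
            self.sessions[src_ip] = (user, now)      # activity refreshes the idle timer
            return "allow"
        return "redirect"                            # send the client to the SSL Login page


if __name__ == "__main__":
    # Constructed configuration: one server, one subnet and one range are exempt.
    state = SSLLoginState(timeout=600, exceptions=parse_exceptions(
        "192.168.72.10\n10.0.0.0/24\n172.16.1.5-172.16.1.9\n"))
    print(state.decide("192.168.72.50", 80, 0.0))     # redirect: unknown client
    state.login("192.168.72.50", "alice", 0.0)
    print(state.decide("192.168.72.50", 80, 100.0))   # allow: rule added at login
    print(state.expire(701.0))                        # the idle rule is removed
```

The exception parser rejects rather than skips a malformed line: an exception list is an allow-list that bypasses authentication, so an entry that parses to nothing is safer than one that parses to something unintended.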


Managing Kerberos Keytabs


Note: When using Microsoft Active Directory for authentication, Kerberos keys are managed automatically.
For other directory servers, it is necessary to import keytabs manually, see the following section for
information on how to do this.
A Kerberos keytab is a file which contains pairs of Kerberos principals and encrypted keys. By
importing and using Kerberos keytabs, Advanced Firewall services, such as authentication, can use
the interoperability features provided by Kerberos.
For information on using Kerberos as the authentication method in authentication policies, see
Chapter 6, Creating Authentication Policies on page 67.

Adding Keytabs
The following section explains how to add Kerberos keytabs into Advanced Firewall.
For information on generating keytabs, consult the documentation delivered with your directory
server. Also, available at the time of writing, see
http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx which discusses how to
get a keytab from Active Directory.
To add a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. Click Add new keytab and configure the following settings:

Setting             Description
Status              Accept the default setting to enable the keytab.
Name                Enter a descriptive name for the keytab.
File                Using your browser, locate and select the keytab.
Comment             Optionally, enter a comment to describe the keytab.

3. Click Add. Advanced Firewall adds the keytab and lists it in the Kerberos keytabs area.
4. Repeat the steps above for any other keytabs you need to import.


Managing Keytabs
The following sections explain how to enable, view, edit and delete Kerberos keytabs.

Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required,
for example, when troubleshooting.
To disable a keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting.
   Advanced Firewall disables the keytab.

Viewing Keytab Content

It is possible to view the contents of a Kerberos keytab.
To view a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, click the keytab's display arrow. Advanced Firewall displays the
   content.
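The keytab structure described at the start of Managing Kerberos Keytabs (pairs of principals and keys), and the kind of review the Viewing Keytab Content step supports, as an added example that is not Smoothwall's code: a parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, key version number and encryption type without keeping the key bytes, and flags entries whose type is deprecated single DES or RC4. The build_keytab() encoder and the SAMPLE_KEYTAB it produces are constructed here only so the parser runs offline; the principals, realm and key bytes are made up.

```python
"""Parse and audit a Kerberos keytab (added example, not Smoothwall's code).

Implements the MIT keytab file format, version 0x0502. The parser lists each
entry's principal, key version number (kvno) and encryption type and never
keeps the key bytes, which is all a review of an imported keytab needs.
build_keytab() exists only to construct sample input so this runs offline.
"""
import struct
from typing import Dict, List

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}      # single DES (RFC 6649) and RC4 (RFC 8429) are deprecated


def _cstr(b: bytes) -> bytes:
    """Counted octet string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Dict]) -> bytes:
    """Encode dicts with principal ('svc/host'), realm, kvno, enctype and key."""
    out = b"\x05\x02"
    for e in entries:
        comps = e["principal"].split("/")
        body = struct.pack(">H", len(comps)) + _cstr(e["realm"].encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", 1, e.get("timestamp", 0), e["kvno"] & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">H", e["enctype"]) + _cstr(e["key"])
        body += struct.pack(">I", e["kvno"])                                     # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[Dict]:
    """Return one dict per live entry: principal, kvno, enctype, weak, timestamp, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # negative size marks a deleted (free) slot
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        p = pos

        def take(n: int) -> bytes:
            nonlocal p
            if p + n > end:
                raise ValueError("malformed keytab entry")
            p += n
            return data[p - n:p]

        def cstr() -> bytes:
            return take(struct.unpack(">H", take(2))[0])

        ncomp = struct.unpack(">H", take(2))[0]
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        take(4)                                         # principal name type
        timestamp = struct.unpack(">I", take(4))[0]
        vno = take(1)[0]                                # 8-bit vno
        enctype, keylen = struct.unpack(">HH", take(4))
        take(keylen)                                    # key bytes: read past, never stored
        if end - p >= 4:                                # optional 32-bit vno, used when non-zero
            vno32 = struct.unpack(">I", take(4))[0]
            vno = vno32 or vno
        entries.append({
            "principal": "/".join(comps) + "@" + realm, "kvno": vno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "weak": enctype in WEAK_ENCTYPES, "timestamp": timestamp, "key_len": keylen,
        })
        pos = end
    return entries


def weak_principals(data: bytes) -> List[str]:
    """Principals holding at least one key of a deprecated encryption type."""
    return sorted({e["principal"] for e in parse_keytab(data) if e["weak"]})


# Constructed sample (made-up principals and key bytes), not a real keytab.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "HTTP/proxy.example.org", "realm": "EXAMPLE.ORG", "kvno": 3, "enctype": 18, "key": b"\x11" * 32},
    {"principal": "HTTP/proxy.example.org", "realm": "EXAMPLE.ORG", "kvno": 3, "enctype": 23, "key": b"\x22" * 16},
    {"principal": "host/fw.example.org", "realm": "EXAMPLE.ORG", "kvno": 7, "enctype": 17, "key": b"\x33" * 16},
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%-3d %s%s" % (e["principal"], e["kvno"], e["enctype"],
                                       "  [WEAK]" if e["weak"] else ""))
```

Run it on a real keytab with parse_keytab(open("file.keytab", "rb").read()). A keytab is credential material: the parser reads past the key bytes without storing or printing them, so its output can be pasted into a ticket or a change record without leaking keys, and weak_principals() gives the list of service principals whose keys should be rolled to an AES type.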

Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
3. In the Edit keytab dialog box, change the name as required and click Save changes. Advanced
   Firewall changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.

Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1. Browse to the Services > Authentication > Kerberos keytabs page.
2. In the Installed Kerberos keytabs area, point to the keytab and select Delete.
3. When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the keytab.

Using WPA Enterprise

Advanced Firewall's use of WPA Enterprise enables users to connect their own wireless devices to
the network (known as bring your own device or BYOD) and run applications with authentication
that is unobtrusive.
Advanced Firewall links your organization's Active Directory domain to a RADIUS server. As a
network administrator, you can configure your wireless network infrastructure to authenticate users
using the RADIUS server so that users can use their Active Directory accounts as wireless client login
details.
Configuring WPA Enterprise comprises:
- Checking that your network is configured as required. For more information, see Pre-requisites on
  page 214.
- Setting up wireless access points to use Advanced Firewall as a RADIUS server. For more
  information, see Configuring Access Points on page 214.
- Configuring Advanced Firewall to use WPA Enterprise. For more information, see Configuring WPA
  Enterprise on page 215.
- In some cases, manually making the Advanced Firewall CA certificate available to devices which
  cannot accept it when users authenticate to the wireless network. For more information, see
  Provisioning the Advanced Firewall Certificate on page 215.

Pre-requisites
- On Advanced Firewall, DHCP must be enabled and there must be a valid DHCP subnet configured.
  For more information on DHCP, see Chapter 8, DHCP on page 119.
- Wireless access points must be on the same subnet as Advanced Firewall. Switches are allowed,
  but there must be no routers between them. Advanced Firewall must be the DHCP server for that
  subnet.
- Users' wireless devices must support WPA Enterprise with PEAP and MSCHAPv2.
- For users to whom a web filtering policy applies, Guardian must be configured to use core
  authentication. For more information, see Chapter 6, Creating Authentication Policies on page 67.
- Advanced Firewall's Active Directory authentication method must be used to authenticate users. For
  more information, see Configuring a Microsoft Active Directory Connection on page x.

Note: Local users are not supported, nor is the legacy Active Directory authentication method.

Configuring Access Points

Note: Consult the documentation delivered with your wireless access point for complete information on
how to configure it in detail.
To configure a wireless access point:
1. Log on to the wireless access point.
2. Create or modify a wireless network to use WPA2 with 802.1X.
   Note: On the access point, the wireless network type may be referred to as: WPA2-Enterprise,
   WPA2-RADIUS or WPA2 with a separate option for RADIUS. WPA2 is most secure. To support older
   hardware, WPA version 1 is also supported. Some wireless access points support WPA/WPA2
   simultaneously.
3. Make a note of the shared secret for the wireless network. You will need this when configuring WPA
   Enterprise on Advanced Firewall.
4. Set Advanced Firewall as the RADIUS server for both authentication and accounting. Some wireless
   access points require two separate settings for this.


Configuring WPA Enterprise

To configure WPA Enterprise:
1. Browse to the Services > Authentication > WPA Enterprise page.
2. Click Add new access point. In the Add new access point dialog box, configure the following
   settings:

Setting             Description
Status              Select Enabled to enable the access point.
Name                Enter a name for the access point.
IP address          Enter the IP address of the access point.
Shared secret       Enter the secret that secures RADIUS communication between the access
                    point and Advanced Firewall.
Confirm             Re-enter the shared secret to confirm it.
Comment             Optionally, enter a comment to describe the access point.

3. Click Add. Advanced Firewall applies the settings and lists the access point. Users who now try to
   access the wireless network will be prompted to authenticate.

Note: See Provisioning the Advanced Firewall Certificate on page 215, for devices which do not
automatically accept the Advanced Firewall certificate.
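What the shared secret in the table above does on the wire, as an added example that is not Smoothwall's code: a model of the RFC 2865 Access-Request/Access-Accept exchange between the access point and the RADIUS server, in which the reply's Response Authenticator is an MD5 digest over the reply and the secret, so the access point rejects a reply produced with a different secret or altered in transit. The packet identifier, the attribute values and the secrets are constructed for illustration, and the server's password check against the directory is left out; only the sealing of the reply is shown.

```python
"""Model of the RFC 2865 Access-Request/Access-Accept exchange (added example).

Not Smoothwall's code: it shows what the shared secret configured above does.
The access point (NAS) sends a request carrying a random 16-byte Request
Authenticator; the RADIUS server's reply carries a Response Authenticator,
MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which the access
point recomputes with its own copy of the secret before trusting the reply.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_REPLY_MESSAGE = 1, 18


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """RADIUS attributes are Type, Length (including the 2 header bytes), Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack(">BB", attr_type, len(value) + 2) + value
    return out


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: the reply is sealed with the shared secret."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """What the RADIUS server sends back."""
    raw = encode_attrs(attrs)
    return build_packet(code, ident,
                        response_authenticator(code, ident, raw, request_auth, secret), raw)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the access point checks before acting on an Access-Accept or Access-Reject."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)     # constant-time comparison


def exchange(ap_secret: bytes, server_secret: bytes, user: str, ident: int = 7) -> bool:
    """One round trip; True only if the access point accepts the server's reply.

    The server's credential check against the directory is out of scope here:
    the model always answers Access-Accept, because the point is the seal.
    """
    request_auth = os.urandom(16)                           # fresh per request (replay defence)
    request = build_packet(ACCESS_REQUEST, ident, request_auth,
                           encode_attrs([(ATTR_USER_NAME, user.encode())]))
    req_code, req_ident = request[0], request[1]
    reply = build_response(ACCESS_ACCEPT, req_ident, request[4:20],
                           [(ATTR_REPLY_MESSAGE, b"Welcome")], server_secret)
    return req_code == ACCESS_REQUEST and verify_response(reply, request_auth, ap_secret)


if __name__ == "__main__":
    print("same secret:", exchange(b"constructed-secret", b"constructed-secret", "alice"))
    print("mismatched secret:", exchange(b"constructed-secret", b"typo-secret", "alice"))
```

A mistyped shared secret therefore does not fail loudly on the firewall: the server still answers, and it is the access point that silently discards the reply, which is why a client that never gets past the authentication prompt is worth checking against the Shared secret and Confirm fields first. The seal is an MD5 digest rather than a keyed MAC, so the strength of the exchange rests entirely on the secret being long, random and private to the two parties.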

Provisioning the Advanced Firewall Certificate

Some devices may not automatically accept the Advanced Firewall certificate when users try to
authenticate themselves to the wireless network. For those devices, you can download the
Advanced Firewall certificate to make it available in a way supported by the devices.
To provision the certificate:
1. On the Services > Authentication > WPA Enterprise page, click Download CA certificate.
2. Save the certificate in a secure location and consult the documentation provided with the device(s)
   as to how best to install it on the device(s).


Managing Groups of Users


The following sections discuss groups of users and how to manage them.

About Groups
Advanced Firewall uses the concept of groups to provide a means of organizing and managing
similar user accounts. Authentication-enabled services can associate permissions and restrictions to
each group of user accounts, thus enabling them to dynamically apply rules on a per-user account
basis.
Local users can be added or imported to a particular group, with each group being organized to
mirror an organization's structure. Groups can be renamed by administrators to describe the users
that they contain.
Currently, Advanced Firewall supports 1000 groups and by default, contains the following groups:

Group               Description
Unauthenticated IPs The main purpose of this group is to allow certain authentication-enabled
                    services to define permissions and restrictions for unauthenticated users, i.e.
                    users that are not logged in, currently unauthenticated or cannot be
                    authenticated.
                    Note: This group cannot be renamed or deleted.
Default Users       Users can be mapped to Default Users. The main purpose of this group is to
                    allow certain authentication-enabled services to define permissions and
                    restrictions for users that are not specifically mapped to an Advanced Firewall
                    group, i.e. users that can be authenticated, but who are not mapped to a
                    specific Advanced Firewall authentication group.
                    Note: This group cannot be renamed or deleted.
Banned Users        The purpose of this group is to contain users who are banned from using an
                    authentication-enabled service.
                    Note: This group cannot be renamed or deleted.
Network             This group is a normal user group, configured with a preset name, and set up
Administrators      for the purpose of granting network administrators access to an
                    authentication-enabled service.
                    Because the Network Administrators group is a normal group with a preset
                    configuration, it can be both renamed and used by authentication-enabled
                    services to enforce any kind of permissions or restrictions.

Adding Groups
It is possible to add groups to Advanced Firewall. Currently, Advanced Firewall supports 1000
groups.
To add a group:
1. On the Services > Authentication > Groups page, click Add new group.
2. In the Add new group dialog box, enter the following information:

Field               Description
Name                Enter a name for the group.
Comment             Optionally, enter a comment.

3. Click Add. Advanced Firewall creates the group and lists it.

Editing Groups
Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.
To edit a group:
1. On the Services > Authentication > Groups page, point to the group and click Edit.
2. In the Edit group dialog box, enter the following information:

Field               Description
Name                When renaming a group, enter a new name.
Comment             Edit or enter a new comment.

3. Click Save changes. Advanced Firewall applies the changes.

Deleting Groups
Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.
To delete a group or groups:
1. On the Services > Authentication > Groups page, select the group(s) and click Delete.
2. When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the group(s).


Chapter 11

Reporting
In this chapter:

About the Summary page

Working with Advanced Firewall reports

Managing datastore/log retention settings.

About the Summary Page

The summary page displays a customizable list of reports.
To access the summary page:
1. Navigate to the Logs and reports > Reports > Summary page.

Note: The information displayed depends on the product series you are using.
A list of the reports generated by default is displayed. For information on customizing the reports
displayed, see Chapter 13, Configuring the User Interface on page 268.

Accessing Reporting
Advanced Firewall can produce many types of reports which provide information on almost every
aspect of Advanced Firewall.
To access reporting:
1. Navigate to the Logs and reports > Reports > Reports page.


Generating Reports
Advanced Firewall contains a broad range of reports which can be generated immediately.
To generate a report:
1. Navigate to the Logs and reports > Reports > Reports page and click on a folder containing the
   report you want to generate.
2. Click on the report to access its options. Advanced Firewall displays the options available.
   Tip: Click Advanced to see a description of the report, access advanced options and portal publication
   permissions. For more information on publishing reports, see Chapter 8, Making Reports Available
   on page 83.
3. If applicable, set the time interval for the report and enter/select any option(s) you require.
4. Click Run report to generate the report. Advanced Firewall displays the report.

Canceling a Report
It is possible to cancel a report if it is taking a long time to generate.
To cancel a report:
1. Generate the report, see Generating Reports on page 220.
2. When the report progress bar is displayed, click Cancel. Advanced Firewall cancels the report.

Saving Reports
If you want permanent access to a report, you must save it.
To save a report:
1. Generate the report, see Generating Reports on page 220.
2. In the Save as field, enter a name for the report and click Save. You can access the report on the
   Logs and reports > Reports > Recent and saved page.

About Recent and Saved Reports


You can access all reports generated in the last three days on the Logs and reports > Reports >
Recent and saved page.
You can also save recently generated reports and change report formats on this page.

Changing Report Formats

Advanced Firewall enables you to change reports viewed and/or saved in one format to another.
To change a report format:
1. Navigate to the Logs and reports > Reports > Recent and saved page.
2. Locate the report you want to change and click on the format you want to change the report to. The
   following formats are available:

Format              Description
csv                 The report will be generated in comma separated text format.
excel               The report will be generated in Microsoft Excel format.
pdf                 The report will be generated in Adobe's portable document format.
pdfbw               The report will be generated in black and white in Adobe's portable document
                    format.
tsv                 The report will be generated in tab separated text (tsv) format.

Managing Reports and Folders

The following sections explain how to create, delete and navigate reports and folders in Advanced
Firewall.

Creating Folders
You can create a folder to contain reports on the Logs and reports > Reports > Reports page or in
a folder or sub-folder contained on the page.
To create a folder:
1. On the Logs and reports > Reports > Reports page, determine where you want to create the
   folder, on the page or in an existing folder.
2. Click the Create a new folder button. Advanced Firewall creates the folder.
3. Enter a name for the folder and click Rename.

Deleting Folders
To delete a folder:
1. On the Logs and reports > Reports > Reports page, locate the folder.
2. Click the Delete button. Advanced Firewall deletes the folder.

Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete
the folder.


Deleting Reports
To delete a report:
1. Navigate to the Logs and reports > Reports > Recent and saved page.
2. Locate the report and click the Delete button.

Report Permissions
Advanced Firewall enables you to publish reports on a portal. For more information, see Chapter 8,
Making Reports Available on page 83.

Making Reports Available on Portals

You can make reports generated on one portal available on other portals.
To make the report available:
1. Navigate to the Logs and reports > Reports > Reports page and locate the report you want to
   publish to portals.
2. On the Permissions tab, click Automatic Access.
3. In the Automatic Access area, from the Add access drop-down list, select the portal you want to
   publish the generated report on and click Add.
4. Click Close to close the dialog box. Advanced Firewall publishes the report to the portal.


Scheduling Reports
Advanced Firewall can generate and deliver reports to specified user groups at specified intervals.
To schedule a report:
1. Navigate to the Logs and reports > Reports > Scheduled page.
2. Configure the following settings:

Setting             Description
Start date          Select the month and day on which to create and deliver the report.
                    If the report is to be repeated, enter the date on which the first report should
                    be created and delivered.
Time                Select the hour and minute at which to deliver the report.
Repeat              Scheduled reports can be generated and delivered more than once. Select
                    from the following options:
                    No Repeat: The report will be generated and delivered once on the
                    specified date at the specified time.
                    Daily Repeat: The report will be generated and delivered once a day at
                    the specified time starting on the specified date.
                    Weekday Repeat: The report will be generated and delivered at the
                    specified time, Monday to Friday, starting on the specified date.
                    Weekly Repeat: The report will be generated and delivered at the
                    specified time, once a week, starting on the specified date.
                    Monthly Repeat: The report will be generated and delivered at the
                    specified time, once a month, starting on the specified date.
Enabled             Select to enable the scheduled report.
Comment             Optionally, enter a description of the scheduled report.
Report              From the drop-down list, select the report.
Report shows period From the drop-down list, select how long to collate data for this report.
Save report         Select this option if you want to save the scheduled report after it has been
                    generated. The report will be available on the Logs and reports > Reports >
                    Recent and saved page.
Report name         Enter a name for the scheduled report.
Publish from portal Optionally, from the drop-down menu, select a portal to publish the report
                    from.
Email report        Select this option if you want to email the report to a group of users.
Group               From the drop-down list, select the group you want to deliver the report to.
                    For more information, see Chapter 12, Configuring Groups on page 254.

3. Click Add. Advanced Firewall schedules the report and lists it in the Scheduled reports area.

Managing Log Retention
You can configure Advanced Firewall to retain logs for use in reporting and network troubleshooting.
To manage log retention:
1. Navigate to the Logs and reports > Settings > Datastore settings page.
2. Configure the following settings:

Retention settings
    Use the slider's start and end points to specify the minimum and maximum number of months
    Advanced Firewall should retain log files.
    Minimum: The minimum number of months possible is 0. If a log file is older than the minimum
    retention period specified, it may be deleted if the available storage space starts to run out.
    Maximum: The maximum number of months possible is infinite. If a log file is older than the
    maximum retention period specified, it will be deleted.
    For example, if the minimum retention period is set to 3 months and the maximum retention
    period is set to 6 months, Advanced Firewall will always keep log files for 3 months and, if there
    is available storage space, will keep them for 6 months.
    Note: If, because of a lack of storage space, the minimum log retention is not possible,
    Advanced Firewall will stop working and display a warning.

3. Click Save changes to save the datastore settings.
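
As an added example (not Smoothwall code), the retention rule above expressed as a function: files
older than the maximum are always deleted, files older than the minimum only while free space is
below a low-space mark, files inside the minimum never, and any shortfall that remains is reported as
the condition the warning describes. The file names, sizes, dates and the low-space mark are
constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LogFile:
    """One archived log file (constructed data, not the appliance's layout)."""
    name: str
    logged: date      # date the entries in the file were written
    size_mb: int


def age_in_months(logged: date, today: date) -> int:
    """Whole calendar months elapsed between the log date and today."""
    months = (today.year - logged.year) * 12 + (today.month - logged.month)
    if today.day < logged.day:
        months -= 1
    return max(months, 0)


def apply_retention(
    files: List[LogFile],
    today: date,
    min_months: int,
    max_months: Optional[int],
    free_mb: int,
    low_space_mb: int,
) -> Tuple[List[str], bool]:
    """Decide which files to delete under the minimum/maximum retention rule.

    Returns (names_to_delete, minimum_at_risk).

    - Files older than max_months are always deleted.  None models the
      "infinite" maximum, i.e. never delete on age alone.
    - Files older than min_months are deleted, oldest first, only while free
      space is below low_space_mb (storage "starts to run out").
    - Files inside the minimum period are never deleted.  If space is still
      short after that, minimum_at_risk is True: the case in which the guide
      says the appliance stops working and displays a warning.
    """
    if min_months < 0:
        raise ValueError("minimum retention cannot be below 0 months")
    if max_months is not None and max_months < min_months:
        raise ValueError("maximum retention cannot be below the minimum")

    to_delete: List[str] = []
    survivors: List[LogFile] = []
    for f in files:
        if max_months is not None and age_in_months(f.logged, today) > max_months:
            to_delete.append(f.name)          # past the hard maximum
            free_mb += f.size_mb
        else:
            survivors.append(f)

    # Only files past the minimum may be reclaimed, and only under pressure.
    reclaimable = sorted(
        (f for f in survivors if age_in_months(f.logged, today) > min_months),
        key=lambda f: f.logged,               # oldest first
    )
    for f in reclaimable:
        if free_mb >= low_space_mb:
            break
        to_delete.append(f.name)
        free_mb += f.size_mb

    return to_delete, free_mb < low_space_mb


# Constructed sample: one file per month of entries, 100 MB each, as seen
# on 1 December 2013.
TODAY = date(2013, 12, 1)
SAMPLE_FILES = [
    LogFile("firewall-2013-03", date(2013, 3, 15), 100),
    LogFile("firewall-2013-06", date(2013, 6, 15), 100),
    LogFile("firewall-2013-08", date(2013, 8, 15), 100),
    LogFile("firewall-2013-10", date(2013, 10, 15), 100),
]


if __name__ == "__main__":
    # The guide's own example: minimum 3 months, maximum 6 months.
    for free in (1000, 50):
        doomed, at_risk = apply_retention(SAMPLE_FILES, TODAY, 3, 6, free, 200)
        print(f"free={free} MB -> delete {doomed}, minimum at risk: {at_risk}")
```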

Chapter 12
Information, Alerts and Logging
In this chapter:
    About the dashboard, registration and initial setup pages
    Viewing, analyzing and configuring alerts, realtime information and log files.

About the Dashboard
The dashboard is the default home page of your Advanced Firewall system. The dashboard displays
service information, external connectivity controls and a number of summary reports.
To access the dashboard:
1. Browse to Dashboard.

About the About Page
The About page displays product, registration, copyright and trademark information. It also displays
acknowledgements.
To access the About page:
1. Browse to the bottom of the page you are on and click About.

Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.

Overview
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual
events, for example, an administrator login failure, or a series of events occurring over a particular
time period, for example, a sustained high level of traffic over a five minute period. Some alerts allow
their trigger conditions to be edited to customize the alert sensitivity.
Some situations are constantly monitored, particularly those relating to critical failures, for example,
UPS and power supply alerts.
It is possible to specify two trigger conditions for some alerts: the first acts as a warning alert, and,
in more critical circumstances, the second denotes the occurrence of an incident.

Available Alerts
You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.

VPN Tunnel Status
    VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected, or disconnected.
    Monitored once every five minutes.
Hardware failure alerts, harddisk failure
    Generates messages when hardware problems are detected.
License expiry status warnings
    Generates messages when the license is due for renewal or has expired. Monitored once an hour.
Hardware Failover Notification
    Generates messages when a hardware failover occurs, or when failover machines are forced on
    and offline.
SmoothTunnel VPN Certificate Monitor
    Validates Advanced Firewall VPN certificates and issues warnings about potential problems, or
    impending expiration dates. Monitored once an hour.
UPS, Power Supply status warnings
    Generates messages when server power switches to and from mains supply. Constant monitoring.
SmoothRule Violations
    Monitors outbound access activity and generates warnings about suspicious behavior. Constant
    monitoring.
System Resource Monitor
    These alerts are triggered whenever the system resources exceed predefined limitations.
    Monitored once every five minutes.
Firewall Notifications
    Monitors firewall activity and generates warnings based on suspicious activities to or from certain
    IP addresses involving particular ports. Constant monitoring.
L2TP VPN Tunnel Status
    L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is
    either connected, or disconnected. Monitored once every five minutes.
System Service Monitoring
    This alert is triggered whenever a critical system service changes status, i.e. starts or stops.
    Monitored once every five minutes.
Reverse proxy violations
    Monitors reverse proxy activity and generates warnings about connectivity issues. Constant
    monitoring.
Health Monitor
    Checks on remote services for activity.
Email Virus Monitor
    These alerts are triggered by detection of malware being relayed via SMTP or downloaded via
    POP3. Monitoring is constant.
IM proxy monitored word alert
    Monitors instant messaging chat activity and generates warnings based on excessive use of
    inappropriate language.
External Connection Failover
    Monitors the external connection(s) and alerts in the case of failover. Monitoring is constant.
Traffic Statistics Monitor
    These alerts are triggered whenever the traffic flow for the external interface exceeds certain
    thresholds. Monitored once every five minutes.
Output System Test Messages
    Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems.
    Constant monitoring.
Inappropriate word in IM Monitor
    Generates an alert whenever a user uses an inappropriate word or phrase in an IM chat
    conversation.
Administration Login Failures
    Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts.
    Constant monitoring.
Intrusion System Monitor
    These alerts are triggered by violations and notices generated by the intrusion system by
    suspicious network activity. Constant monitoring.
Update Monitoring
    Monitors the system for new updates once an hour.
Mail Queue Monitor
    Watches the email queue and informs if the number of messages therein exceeds a certain
    threshold. Monitored once an hour.
System Boot (Restart) Notification
    This alert is generated whenever the system is booted, i.e. is turned on or restarted. Monitored
    once every five minutes.

Enabling Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
To enable alerts:
1. Browse to the Logs and reports > Alerts > Alerts page.
2. Configure the following settings:

Group name
    From the drop-down list, select a group of recipients and click Select. For information on
    creating a group, see Configuring Groups on page 254.
Enable instantaneous alerts
    By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a
    merged notification of all alerts. Select this option to send the alert(s) individually as soon as
    they are triggered.

3. For each alert you want to send, select the delivery method: SMS or Email.
4. Click Save.

Looking up an Alert by Its Reference
To view the content of an alert that has already been sent:
1. Enter the alert's unique ID into the Alert ID field and click Show. The content of the alert will be
   displayed on a new page.

Configuring Alert Settings
The following sections explain how to configure Advanced Firewall alert settings.
To access the alert settings:
1. Browse to the Logs and reports > Alerts > Alert settings page.

Configuring the System Resource Alert
This alert is triggered whenever particular system resources exceed some predefined limitations.
To adjust the settings:
1. Enter or choose appropriate settings for each of the following controls:

System load average
    Used to set a threshold for the average number of processes waiting to use the processor(s)
    over a five minute period.
    A system operating at normal performance should record a load average of between 0.0 and
    1.0. While higher values are not uncommon, prolonged periods of high load (for example,
    averages greater than 3.0) may merit attention.
Disk usage
    Used to set a disk space usage percentage threshold that generates an alert once exceeded.
    Low amounts of free disk space can adversely affect system performance.
System memory usage
    Used to set a system memory usage percentage threshold that generates an alert once
    exceeded. Advanced Firewall uses system memory aggressively to improve system performance,
    so higher than expected memory usage may not be a concern. However, prolonged periods of
    high memory usage may indicate that the system could benefit from additional memory.

2. Click Save.

Configuring the Firewall Notifications Alert
This alert monitors firewall activity and generates warnings based on suspicious activities to or from
certain IP addresses involving particular ports.
To adjust the settings:
1. Enter or choose appropriate settings for each of the following controls:

Monitor Source (remote) IP addresses
    Detects suspicious inbound communication from remote IP addresses. Alerts will be generated
    if a rapid series of inbound requests from the same remote IP address is detected.
Monitor Source (remote) Ports
    Detects suspicious inbound communication from remote ports. Alerts will be generated if a
    rapid series of inbound requests from the same remote port is detected.
Monitor Destination (local) IP Addresses
    Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a
    rapid series of inbound requests to the same local IP address is detected.
Monitor Destination (local) Ports
    Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid
    series of inbound requests to the same local port is detected.

2. Click Save.

Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels
at which alerts are generated for each type of activity.
Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the
appropriate Ignore fields.
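
The four monitors above count a rapid series of inbound requests keyed on one log field each and
compare the count with the Warning and Incident thresholds. The following is an added example, not
Smoothwall code: it runs that check over constructed firewall log lines, with the 60 second window,
the log line format and the treatment of the Ignore fields as assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple, Optional


class Entry(NamedTuple):
    time: datetime
    src: str
    sport: int
    dst: str
    dport: int


class Thresholds(NamedTuple):
    """The Warning threshold, Incident threshold and Ignore fields of one monitor."""
    warning: int
    incident: int
    ignore_ports: FrozenSet[int] = frozenset()


# Constructed log lines in the firewall log viewer's column order:
# Time, In, Out, Protocol, Source, Src Port, Destination, Dst port.
SAMPLE_LOG = """\
2013-12-04 10:00:01 eth0 - TCP 203.0.113.7 51000 192.0.2.10 22
2013-12-04 10:00:02 eth0 - TCP 203.0.113.7 51001 192.0.2.10 23
2013-12-04 10:00:03 eth0 - TCP 203.0.113.7 51002 192.0.2.10 25
2013-12-04 10:00:04 eth0 - TCP 203.0.113.7 51003 192.0.2.10 80
2013-12-04 10:00:05 eth0 - TCP 203.0.113.7 51004 192.0.2.10 443
2013-12-04 10:00:06 eth0 - TCP 203.0.113.7 51005 192.0.2.10 3389
2013-12-04 10:00:30 eth0 - UDP 198.51.100.9 40000 192.0.2.10 53
2013-12-04 10:00:31 eth0 - UDP 198.51.100.9 40000 192.0.2.10 53
2013-12-04 10:00:32 eth0 - UDP 198.51.100.9 40000 192.0.2.10 53
2013-12-04 10:09:00 eth0 - TCP 203.0.113.7 51006 192.0.2.10 8080
"""

# "Rapid series" is not quantified in the guide; a 60 second window is assumed.
WINDOW = timedelta(seconds=60)

# Log field that each monitor in the alert settings keys on.
MONITOR_FIELD = {
    "Monitor Source (remote) IP addresses": "src",
    "Monitor Source (remote) Ports": "sport",
    "Monitor Destination (local) IP Addresses": "dst",
    "Monitor Destination (local) Ports": "dport",
}


def parse_log(text: str) -> List[Entry]:
    """Parse the constructed log format above into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, _in, _out, _proto, src, sport, dst, dport = line.split()
        entries.append(Entry(datetime.fromisoformat(f"{day} {clock}"),
                             src, int(sport), dst, int(dport)))
    return entries


def peak_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps falling inside any span of `window` length."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def grade(count: int, th: Thresholds) -> Optional[str]:
    """Map a request count to None, "warning" or "incident"."""
    if count >= th.incident:
        return "incident"
    if count >= th.warning:
        return "warning"
    return None


def evaluate(entries: List[Entry], window: timedelta,
             monitors: Dict[str, Thresholds]) -> Dict[str, Dict[object, str]]:
    """Return {monitor: {key: level}} for every key that crossed a threshold.

    A monitor absent from `monitors` is treated as unticked.  For the two
    port monitors, keys listed in ignore_ports are never counted; that is
    how this example models the Ignore fields (an assumption).
    """
    findings: Dict[str, Dict[object, str]] = {}
    for monitor, th in monitors.items():
        field = MONITOR_FIELD[monitor]
        seen: Dict[object, List[datetime]] = defaultdict(list)
        for e in entries:
            key = getattr(e, field)
            if field in ("sport", "dport") and key in th.ignore_ports:
                continue
            seen[key].append(e.time)
        hits = {}
        for key, times in seen.items():
            level = grade(peak_in_window(times, window), th)
            if level:
                hits[key] = level
        findings[monitor] = hits
    return findings
```

With the sample, 203.0.113.7 sends six requests inside one minute and crosses a warning threshold of 5, while the local address 192.0.2.10 receives nine and crosses an incident threshold of 8; port 53 on the ignore list produces nothing.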

Configuring the System Service Alert
This alert is triggered whenever a critical system service changes states, i.e. starts or stops.
To adjust the settings for this alert:
1. Select the components, modules and services that should generate alerts when they start or stop.
2. Click Save.

Configuring the Health Monitor
This alert is triggered whenever a remote service fails to report activity.
Health monitor alerts are intended to enable you to keep an eye on various aspects of your network
which are usually outside of the remit of Advanced Firewall.
The health monitor provides the following checks and alerts:

Web Servers (HTTP)
When enabled, tries to retrieve the specified web page and check that it contains specific keywords.
This is for detecting defacement.

Request URL
    Enter the URL of the web page you want retrieved and checked for keywords, for example:
    example.com/index.htm
    Note: Omit http:// when entering the URL.
No of tries
    Enter the number of times Advanced Firewall should try to retrieve the page.
Keywords
    Enter the keywords to be checked in the page.

Assuming the page has been retrieved and the keywords are missing, an alert is generated.

Other Services
Checks that the specified port is open and offering a service.

IP Address
    Enter the IP address.
Port
    Enter the port number.
Protocol
    From the drop-down list, select the protocol of the service you want to check for a response.
    Select Other to check that there is any response to connections on the associated port.
No of tries
    Enter the number of times Advanced Firewall should check the address and not receive a
    response before generating an alert.

DNS Name Resolution
Checks that a domain has not expired or been hijacked.

Name
    Enter the domain name.
Address
    Enter the domain address.

To configure the alert:
1. For the services, enter the URL, IP address or name.
2. Enter keywords, port numbers and number of tries, if applicable.
3. Select the protocol.
4. Click Add for each service.
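
The Web Servers (HTTP) check above retrieves a page up to the configured number of tries and alerts
only when the page was retrieved but the keywords are absent. This added example (not Smoothwall
code) shows that logic offline: the fetcher is injected so constructed pages stand in for the web server,
and the http:// prefix the guide says to omit from the Request URL is added by the check itself.

```python
from typing import Callable, Dict, Iterable, List, Optional


class FetchError(Exception):
    """Raised by a fetcher when the page cannot be retrieved at all."""


# A fetcher takes a full URL and returns the page body as text.
Fetcher = Callable[[str], str]


def normalise_url(request_url: str) -> str:
    """The Request URL field is entered without http://; add it here."""
    if request_url.startswith(("http://", "https://")):
        return request_url
    return "http://" + request_url


def check_web_page(request_url: str, keywords: Iterable[str], tries: int,
                   fetch: Fetcher) -> Dict[str, object]:
    """Retrieve the page up to `tries` times and look for every keyword.

    Returns a dict with:
      status    "ok", "keywords_missing" (the alert condition) or "unreachable"
      missing   keywords not found in the retrieved page (case-insensitive)
      attempts  number of fetches actually made
    "unreachable" is kept separate from "keywords_missing" because the guide
    raises the defacement alert only once the page has been retrieved.
    """
    if tries < 1:
        raise ValueError("No of tries must be at least 1")
    url = normalise_url(request_url)
    attempts = 0
    body: Optional[str] = None
    while attempts < tries:
        attempts += 1
        try:
            body = fetch(url)
            break
        except FetchError:
            continue                      # retry until tries are exhausted
    if body is None:
        return {"status": "unreachable", "missing": [], "attempts": attempts}
    haystack = body.lower()
    missing: List[str] = [k for k in keywords if k.lower() not in haystack]
    status = "keywords_missing" if missing else "ok"
    return {"status": status, "missing": missing, "attempts": attempts}


def make_fetcher(pages: Dict[str, str], fail_first: int = 0) -> Fetcher:
    """Build an offline fetcher over constructed pages.

    The first `fail_first` calls raise FetchError to model a server that is
    briefly unreachable, which is what the No of tries setting is for.
    """
    calls = {"n": 0}

    def fetch(url: str) -> str:
        calls["n"] += 1
        if calls["n"] <= fail_first or url not in pages:
            raise FetchError(url)
        return pages[url]

    return fetch


# Constructed pages: the genuine site and a copy whose content was replaced.
PAGES = {
    "http://example.com/index.htm":
        "<html><title>Example Ltd</title><h1>Welcome to Example Ltd</h1></html>",
    "http://example.com/replaced.htm":
        "<html><h1>This page has been replaced</h1></html>",
}
KEYWORDS = ["Example Ltd", "Welcome"]


if __name__ == "__main__":
    for page in ("example.com/index.htm", "example.com/replaced.htm"):
        print(page, check_web_page(page, KEYWORDS, 3, make_fetcher(PAGES)))
```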

Configuring the Inappropriate Word in IM Monitor Alert
These alerts are generated whenever a user uses an inappropriate word or phrase in instant
messaging chat conversations.
To configure the alert:
1. Configure the following settings:

Enabled on received text
    Select to generate the alert when an inappropriate word is used in a message received from a
    remote user.
Enabled on sent text
    Select to generate the alert when an inappropriate word is used in a message sent by a local
    user.
Generate alert for each message which exceeds the Message Censor severity threshold
    Select to generate an alert when the Message Censor threshold is exceeded. For information on
    the Message censor threshold, see Chapter 8, Censoring Message Content on page 109.
Generate alert when users exceed the rate of inappropriate messages
    Select to generate an alert when users exceed the specified number of inappropriate messages
    within a 15 minute period.
Number of inappropriate messages in 15 mins
    Specify how many inappropriate messages to allow in a 15 minute period before generating an
    alert.

From the drop-down list, select the threshold above which an alert will be generated.

2. Click Save to save the settings.

Configuring the Email Virus Monitor Alert
When configured, these alerts are triggered when malware being relayed via SMTP or downloaded
via POP3 is detected.
To configure the alert(s):
1. Enable the following setting(s):

Monitor POP3 proxy for viruses
    Select to alert when malware is detected when downloading via POP3.
Monitor SMTP relay for viruses
    Select to alert when malware is detected when relaying via SMTP.

2. Click Save to enable the alerts.

Configuring the Mail Queue Monitor Alert
This alert is triggered when the number of messages in the email queue exceeds the specified
threshold.
To configure and enable the alert:
1. Configure the following settings:

Threshold number of messages
    Enter the number of messages above which the alert is triggered.

2. Click Save to save the settings and enable the alert.

Realtime
The realtime pages provide access to realtime information about your system.

Realtime System Information
The System page is a realtime version of the system log viewer with some filtering options.

To access the System page:
1. Browse to the Logs and reports > Realtime > System page.

By default, all information in the system log is displayed and updated automatically approximately
every second.
To display information on specific components:
1. From the Section drop-down list, select the component and click Update. If there is information on
   the component available in the system log, it is displayed in the Details area.

Realtime Firewall Information
The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries
in the firewall log are from packets that have been blocked by Advanced Firewall.

To access the page:
1. Browse to the Logs and reports > Realtime > Firewall page.

By default, information is displayed and updated automatically approximately every second.
To display information on specific sources and destinations:
1. Enter a complete or partial IP address and/or port number in the fields and click Update.

Realtime IPsec Information
The IPSec page is a realtime version of the IPSec log viewer with some filtering options.

To access the IPSec page:
1. Browse to the Logs and reports > Realtime > IPSec page.

By default, all information in the log is displayed and updated automatically approximately every
second.
To display information on a specific tunnel:
1. Configure the following settings:

Connection
    From the drop-down list, select the tunnel.
Show only lines containing
    Enter the text you are looking for.

2. Click Update. If there is information available in the system log, it is displayed in the Details area.

Realtime Portal Information
The Portal page displays realtime information on users accessing Advanced Firewall portals.
To access the portal page:
1. Browse to the Logs and reports > Realtime > Portal page.

For more information on portals, see Chapter 8, Working with Portals on page 81.

Realtime Instant Messaging
The IM proxy page is a realtime version of the IM proxy log viewer with some filtering options.
To view IM conversations:
1. Browse to the Logs and reports > Realtime > IM proxy page.

The page displays a view of ongoing conversations for each of the monitored protocols and displays
a selected conversation as it progresses.
Note: As most IM clients communicate with a central server, local conversations are likely to be displayed
twice as users are recognized as both local and remote.
Active conversations which have had content added to them within the last minute are displayed in
bold text in the left pane. If nothing has been said for more than a minute, the remote username will
be displayed in the normal style font.
The local username is denoted in blue, the remote username is denoted in green.
You can use the following settings to manage how the conversation is displayed.
2. In the Username or IP address field, enter the username or IP address. If there is information available
   in the web filter log, it is automatically displayed in the Details area.
3. To show lines containing specific text, in the Show only lines containing field, enter the text. If the text
   is found, it is automatically displayed in the Details area.

Realtime Traffic Graphs
The Traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by
the currently selected interface.

To access the traffic graphs page:
1. Browse to the Logs and reports > Realtime > Traffic graphs page.

The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an
interface displays its current traffic.
Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming
bandwidth.
Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing
bandwidth.

Logs
The log pages display system, firewall, IPsec, intrusion system, email and proxy information.

System Logs
The system logs contain simple logging and management information.
To access system logs:
1. Browse to the Logs and reports > Logs > System page.

The following filter criteria controls are available in the Settings area:

Section
    Used to select which system log is displayed. The following options are available:
    Authentication service: Log messages from the authentication system, including service status
    messages and user authentication audit trail.
    IM Proxy: Log messages from the instant messaging proxy service.
    Kernel: Log messages from the core Advanced Firewall operating system.
    Message censor: Displays information from the message censor logs.
    NTP: Log messages from the network time system.
    SystemD: Log messages from the system super server.
    SSH: Log messages from the SSH system.
    System: Displays server log information.
    Monitor: Displays monitoring system information including service status and alert/report
    distribution audit trail.
    System: Simple system log messages, including startup, shutdown, reboot and service status
    messages.
    UPS: Log messages from the UPS system, including service status messages.
    Update transcript: Displays information on update history.
    VIPRE engine: Displays information on the anti-malware engine.
Month
    Used to select the month that log entries are displayed for.
Day
    Used to select the day that log entries are displayed for.
Export format
    Logs can be exported in the following formats:
    Comma Separated Values: The information is exported in comma separated text format.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need
    an Excel-compatible spreadsheet application to view these reports.
    Raw Format: The information is exported without formatting.
    Tab Separated Value: The information is exported separated by tabs.
Export all dates
    Exports the currently displayed log for all available dates.

To view specific information:
1. Select the filtering criteria using the Settings area and click Update.
   A single column is displayed containing the time of the event(s) and descriptive messages.

Firewall Logs
The firewall logs contain information on network traffic.
To view the firewall logs:
1. Browse to the Logs and reports > Logs > Firewall page.

Filtering Firewall Logs
The following filter criteria controls are available in the Settings area:

Section
    Used to select which firewall log is displayed. The content of each section is discussed below.
Month
    Used to select the month that log entries are displayed for.
Day
    Used to select the day that log entries are displayed for.
Compression
    Used to ghost repeated sequential log entries for improved log viewing.
Source
    Enter an IP address and click Update to display log entries for that source address.
Src port
    This drop-down list is populated with a list of all source ports contained in the firewall log. Select
    a port and click Update to display log entries for that port.
Destination
    Enter an IP address and click Update to display log entries for that destination address.
Dst port
    This drop-down list is populated with a list of all destination ports contained in the firewall log.
    Select a port and click Update to display log entries for that port.
Export format
    Logs can be exported in the following formats:
    Comma Separated Values: The information is exported in comma separated text format.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need
    an Excel-compatible spreadsheet application to view these reports.
    Raw Format: The information is exported without formatting.
    Tab Separated Value: The information is exported separated by tabs.
Export all dates
    Exports the currently displayed log for all available dates.

The list of possible sections that can be viewed is as follows:

Main
    All rejected data packets.
Incoming audit
    All traffic to all interfaces that is destined for the firewall if Direct incoming traffic is enabled on
    the Networking > advanced page.
Forward audit
    All traffic passing through one interface to another if Forwarded traffic is enabled on the
    Networking > Settings > Advanced page.
Outgoing audit
    All traffic leaving from any interface if Direct outgoing traffic is enabled on the Networking >
    Settings > Advanced page.
Port forwards
    All data packets from the external network that were forwarded by a port forward rule if port
    forward logging is enabled on the Networking > Firewall > Port forwarding page.
Outgoing rejects
    All data packets from the internal network zones that were rejected by an outbound access rule.
Outgoing stealth
    All data packets from the internal network zones that were logged but not rejected by an
    outbound access rule.

Viewing Firewall Logs
To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update.
The following columns are displayed:

Time
    The time that the firewall event occurred.
In
    The interface at which the data packet arrived.
Out
    The interface at which the data packet left.
Protocol
    The network protocol used by the data packet.
Source
    The IP address of the data packet's sender.
Src Port
    The outbound port number used by the data packet.
Destination
    The IP address of the data packet's intended destination.
Dst port
    The inbound port number used by the data packet.

Looking up a Source IP whois
The firewall log viewer can be used to find out more information about a selected source or
destination IP by using the whois tool.
To use whois:
1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select a particular source or destination IP in the Source and Destination columns.
3. Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics >
   whois page.

Blocking a Source IP
The firewall log viewer can be used to add a selected source or destination IP to the IP block list.
To block a source IP:
1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select one or more source or destination IPs.
3. Click Add to IP block list.

The selected source and destination IPs will be automatically added to the IP block list which you
can review on the Networking > Filtering > IP block page. See Chapter 5, Blocking by IP on page 51
for more information.

IPSec Logs
IPSec logs show IPSec VPN information.

To access the logs:
1. Browse to the Logs and reports > Logs > IPSec page.
2. Choose the tunnel you are interested in by using the Tunnel name control.
3. To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
4. After making a change, click Update.

Exporting Logs
To export and download all log entries generated by the current settings, click Export.

Exporting all dates
To export and download all log entries generated by the current settings, for all dates available, select
Export all dates, and click Export.

Viewing and Sorting Log Entries
The following columns are displayed in the Web log region:

Time
    The time the tunnel activity occurred.
Name
    The name of the tunnel concerned.
Description
    Log entries generated by the VPN system.

Log entries are displayed over a manageable number of pages. To view a particular page, click its
Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous),
> (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages.
To sort the log entries in ascending or descending order on a particular column, click its Column title
hyperlink. Clicking the currently selected column reverses the sort direction.

Email Logs
Email logs provide detailed, configurable and searchable information on email activity regarding time,
sender, recipient, subject and spam status.

Configuring Email Logs
To access and configure email logs:
1. Navigate to the Logs and reports > Logs > Email page. Advanced Firewall displays the currently
   configured log entries.
2. Click Advanced. The following options are displayed:

Sender
    Select to display who sent the email message(s).
Recipient
    Select to display who the email message(s) are for.
Subject
    Select to display the subject line of the email message(s).
Spam
    Select to display information on message(s) that have been classified as spam.

3. Select the options you want to display. Advanced Firewall updates what is displayed.

Monitoring Email Log Activity in Realtime
It is possible to monitor email log activity in realtime.
To monitor email log activity in realtime:
1. On the Logs and reports > Logs > Email page, click Realtime. Advanced Firewall displays the
   currently configured log options in realtime in a table of log entries and in the email graph. The
   results are updated automatically.
   Tip: To get a closer look at what is happening at a specific time, locate and click on that time in
   the graph. Advanced Firewall stops the realtime display and shows what has been logged at the
   time you clicked on.
2. To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.

Searching for/Filtering Email Log Information
Advanced Firewall enables you to search for/filter information in a number of ways.
To search for/filter information:
1. On the Logs and reports > Logs > Email page, use one or more of the following methods:

Graph
    On the graph, locate and click on the time you are interested in. Advanced Firewall displays
    what was logged at the time you clicked on.
Time
    Click in the date and time picker and specify when to search from. Click Apply. Advanced
    Firewall displays the results from the time specified and two hours forward.
Free search term
    In the Sender, Recipient, Subject and/or Spam column(s), enter one or more search terms.
    Advanced Firewall displays the search results.

Exporting Email Data
It is possible to export logged data in comma-separated (CSV) format.
To export data:
1. On the Logs and reports > Logs > Email page, configure or search for the data you want to export.
   For more information, see Configuring Email Logs on page 245 and Searching for/Filtering Email Log
   Information on page 246.
2. Click Export. Follow your browser's prompts to save and export the data.

IDS Logs
The IDS logs contain details of suspicious network activity detected by Advanced Firewall's intrusion
detection system (IDS).
To view the IDS logs:
1. Navigate to the Logs and reports > Logs > IDS page.
   Advanced Firewall displays the results.

The following options are available:

Month
    Select to specify which month you wish to view logs for.
Day
    Select to specify which day you wish to view logs for.
Export format
    Logs can be exported in the following formats:
    Comma Separated Values: The information is exported in comma separated text format.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need
    an Excel-compatible spreadsheet application to view these reports.
    Raw Format: The information is exported without formatting.
    Tab Separated Value: The information is exported separated by tabs.
Export all dates
    Exports the currently displayed log for all available dates.

Exporting Logs
To export logs:
1. Filter the logs to show the information you want to export.
2. Select the export format and whether you want to export all dates.
3. Click Export. To save the exported log, use the browser's File, Save As option.

IPS Logs
The IPS logs contain details of suspicious network activity prevented by Advanced Firewall's intrusion prevention system (IPS).
To view the IPS logs:
1. Navigate to the Logs and reports > Logs > IPS page. Advanced Firewall displays the results.

The following options are available:

Option: Select to:
Month: Specify which month you wish to view logs for.
Day: Specify which day you wish to view logs for.

Information, Alerts and Logging


Export format: Logs can be exported in the following formats:
  Comma Separated Values: The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Raw Format: The information is exported without formatting.
  Tab Separated Value: The information is exported separated by tabs.
Export all dates: Exports the currently displayed log for all available dates.

IM Proxy Logs
The IM proxy log page displays a searchable log of instant messaging conversations and file transfers.
To view the IM proxy logs:
1. Browse to the Logs and reports > Logs > IM proxy page.

The following settings are available:

Setting: Description
Local user filter: Enter the name of a local user whose logged conversations you want to view.


Enable local user filter: Select to display conversations associated with the local user name entered.
Remote user filter: Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter: Select to display conversations associated with the remote user name entered.
Enable smilies: Select to display smilies in the conversation.
Enable links: Select to make links in the conversation clickable.
Search: Enter a specific piece of text you want to search for.
Conversations: Enables you to browse conversations by instant messaging protocol, user ID and date.

Web Proxy Logs

The proxy logs contain detailed information on all Internet access made via the web proxy service. It is possible to filter the proxy logs using any combination of requesting source IP, requested resource type and domain.
To view the web proxy logs:
1. Browse to the Logs and reports > Logs > Web proxy page.

Reverse Proxy Logs

The reverse proxy logs contain time, source IP and web site information about requests made using the reverse proxy service.
To view reverse proxy logs:
1. Browse to the Logs and reports > Logs > Reverse proxy page.


Filtering Reverse Proxy Logs

The following filter criteria controls are available in the Settings area:

Control: Description
Month: Used to choose the month that proxy logs are displayed for.
Day: Used to choose the day that proxy logs are displayed for.
Year: Used to choose the year that proxy logs are displayed for.
Ignore filter: Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests.
Enable ignore filter: Select to enable the filter.
Domain filter: Used to display log entries recorded against a particular domain. Matching occurs on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not abc.net. It is possible to include regular expressions within the filter; for example, (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter: Select to enable the filter.
Export format: Logs can be exported in the following formats:
  Comma Separated Values: The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Raw Format: The information is exported without formatting.
  Tab Separated Value: The information is exported separated by tabs.
Export all dates: Exports the currently displayed log for all available dates.
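As an added worked example (Python written for this guide's description, not Smoothwall's own code), the following models how the Domain filter and Ignore filter above combine on a handful of constructed log entries: the domain filter is matched at the start of the host name and may be a regular expression, while the ignore expression drops any request it matches. The sample entries and the ignore pattern are constructed here; the pattern only mirrors what the guide says the product default does.

```python
"""Reverse proxy log filtering as described in the Smoothwall guide.

Illustrative re-implementation, not Smoothwall's code: the Domain filter is
matched against the START of the URL's domain part (and may be a regular
expression); the Ignore filter is a regular expression that excludes any
matching entry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProxyLogEntry:
    """One row of the Proxy log area: Time, Source IP, Website."""
    time: str
    source_ip: str
    website: str


# Constructed sample entries (not real product output); the source IPs are
# taken from the RFC 5737 documentation range.
SAMPLE_LOG: List[ProxyLogEntry] = [
    ProxyLogEntry("10:00:01", "192.0.2.10", "http://www.abc.com/index.html"),
    ProxyLogEntry("10:00:02", "192.0.2.10", "http://www.abc.com/logo.png"),
    ProxyLogEntry("10:00:03", "192.0.2.11", "http://abc.com/login"),
    ProxyLogEntry("10:00:04", "192.0.2.12", "http://www.abc.net/main.js"),
    ProxyLogEntry("10:00:05", "192.0.2.13", "https://abc.net/"),
    ProxyLogEntry("10:00:06", "192.0.2.14", "http://www.example.org/style.css"),
]

# Constructed ignore expression in the spirit of the guide's default, which
# drops image, JavaScript and CSS requests. The product's real default value
# is not reproduced here.
IGNORE_FILTER = r"\.(gif|jpe?g|png|js|css)$"


def domain_matches(domain_filter: str, url: str) -> bool:
    """True if the filter matches at the start of the URL's host part.

    re.match anchors at position 0 only, which is exactly the behaviour the
    guide describes: 'www.abc' matches www.abc.com and www.abc.net but not
    abc.net, and '(www.)?abc.com' matches both abc.com and www.abc.com.
    """
    host = urlparse(url).hostname or ""
    return re.match(domain_filter, host) is not None


def entry_ignored(ignore_filter: str, url: str) -> bool:
    """True if the ignore expression matches anywhere in the requested URL."""
    return re.search(ignore_filter, url) is not None


def filter_log(entries: Iterable[ProxyLogEntry],
               domain_filter: Optional[str] = None,
               ignore_filter: Optional[str] = None) -> List[ProxyLogEntry]:
    """Combine the two filters the way the Settings area does: an entry is
    shown only if it matches the domain filter (when one is enabled) and is
    not excluded by the ignore filter (when one is enabled)."""
    shown = []
    for entry in entries:
        if domain_filter and not domain_matches(domain_filter, entry.website):
            continue
        if ignore_filter and entry_ignored(ignore_filter, entry.website):
            continue
        shown.append(entry)
    return shown


def shown_websites(domain_filter: Optional[str] = None,
                   ignore_filter: Optional[str] = None) -> List[str]:
    """The Website column of the filtered sample log, for quick inspection."""
    return [e.website for e in filter_log(SAMPLE_LOG, domain_filter, ignore_filter)]


if __name__ == "__main__":
    for flt in ("www.abc", "(www.)?abc.com", "abc"):
        print(f"Domain filter {flt!r}: {shown_websites(flt)}")
    print("www.abc plus ignore filter:", shown_websites("www.abc", IGNORE_FILTER))
```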

Note: When running SSL VPNs in TCP mode, the reverse proxy access logs generated for HTTPS requests will contain a source address of 127.0.0.1. This is because OpenVPN has to proxy the HTTPS traffic. Therefore, from Advanced Firewall's point of view, the traffic originates from localhost.

Viewing Reverse Proxy Logs

To view proxy logs:
1. Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Proxy log area. The following columns are displayed:

Column: Description
Time: The time the web request was made.
Source IP: The source IP address the web request originated from.
Website: The URL of the requested web resource.


User Portal Logs

The User portal log page displays information on users who have accessed user portals.
To view user portal log activity:
1. Browse to the Logs and reports > Logs > User portal page. Advanced Firewall displays the information.

Configuring Log Settings

Advanced Firewall can send syslogs to an external syslog server, automatically delete log files when disk space is low and set the maximum log file retention settings.
To configure logging settings:
1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Syslog logging area, select the logging you require.

3. To enable and configure remote logging, configure the following settings:

Setting: Description
Remote syslog: To send logs to an external syslog server, select this setting.
Syslog server: If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
Default retention: To set default log retention for all of the logs listed above, select one of the following settings:
  1 Day: Rotate the log file daily and keep the last day.
  2 Days: Rotate the log file daily and keep the last 2 days.
  A week: Rotate the log file weekly and keep the last week.
  2 weeks: Rotate the log file weekly and keep the last 2 weeks.
  A month: Rotate the log file monthly and keep the last month.
  2 months: Rotate the log file monthly and keep the last 2 months.
  Three months: Rotate the log file monthly and keep the last 3 months.
  Four months: Rotate the log file monthly and keep the last 4 months.
  Five months: Rotate the log file monthly and keep the last 5 months.
  Six months: Rotate the log file monthly and keep the last 6 months.
  Seven months: Rotate the log file monthly and keep the last 7 months.
  Eight months: Rotate the log file monthly and keep the last 8 months.
  Nine months: Rotate the log file monthly and keep the last 9 months.
  Ten months: Rotate the log file monthly and keep the last 10 months.
  Eleven months: Rotate the log file monthly and keep the last 11 months.
  A year: Rotate the log file monthly and keep the last 12 months.

4. Optionally, to set an individual retention period for specific logs, click Advanced and configure the settings displayed.
5. Click Save. Advanced Firewall will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings

Advanced Firewall enables you to configure retention settings for other logs.
To configure other logs:
1. Browse to the Logs and reports > Logs > Log settings page.

2. In the Other logging area, configure the following settings:

Setting: Description
Default retention: To set default log retention for all of the logs listed in the table below, select one of the following settings:
  1 Day: Rotate the log file daily and keep the last day.
  2 Days: Rotate the log file daily and keep the last 2 days.
  A week: Rotate the log file weekly and keep the last week.
  2 weeks: Rotate the log file weekly and keep the last 2 weeks.
  A month: Rotate the log file monthly and keep the last month.
  2 months: Rotate the log file monthly and keep the last 2 months.
  Three months: Rotate the log file monthly and keep the last 3 months.
  Four months: Rotate the log file monthly and keep the last 4 months.
  Five months: Rotate the log file monthly and keep the last 5 months.
  Six months: Rotate the log file monthly and keep the last 6 months.
  Seven months: Rotate the log file monthly and keep the last 7 months.
  Eight months: Rotate the log file monthly and keep the last 8 months.
  Nine months: Rotate the log file monthly and keep the last 9 months.
  Ten months: Rotate the log file monthly and keep the last 10 months.
  Eleven months: Rotate the log file monthly and keep the last 11 months.
  A year: Rotate the log file monthly and keep the last 12 months.

3. Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.

Setting: Description
Default retention: From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
Intrusion detection logs: From the drop-down menu, select how long you want to keep intrusion detection logs.
Intrusion prevention logs: From the drop-down menu, select how long you want to keep intrusion prevention logs.
IM logs: From the drop-down menu, select how long you want to keep instant messaging logs.

4. Click Save. Advanced Firewall will now retain the logs as you have specified.

Managing Automatic Deletion of Logs

Advanced Firewall can be set to automatically delete log files if there is a limited amount of free disk space available.
To configure automatic log deletion:
1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Automatic log deletion area, configure the settings:

Setting: Description
Delete old logs when free space is low: Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging: From the drop-down list, select the level at which Advanced Firewall will delete logs.

3. Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been used.

Configuring Groups
The Groups page is used to create groups of users which can be configured to receive automated alerts and reports.

Creating Groups
To create a group of users:
1. Browse to the Logs and reports > Settings > Groups page.
2. Configure the following settings:

Setting: Description
Group name: From the Group name drop-down list, select Empty and click Select.
Name: Enter a name for the group.

3. Click Save. Advanced Firewall creates the group.
4. In the Add user area, configure the following settings:

Setting: Description
Name: Enter a user's name.
SMS number: If required, enter the user's SMS number details.
Comment: Optionally, enter a description or comment.
Email address: If required, enter the user's email address.
Enable HTML Email: Select if you want emailed reports to be sent in HTML format.

Select Enabled to ensure that the user will receive any reports or alerts that are sent to the group.

5. Click Add. The user's details will be added to the list of current users in the Current users region.

Editing a Group
To edit a group:
1. Browse to the Logs and reports > Settings > Groups page.
2. Choose the group that you wish to edit using the Group name drop-down list. Click Select to display the group.
3. Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group
To delete a group:
1. Browse to the Logs and reports > Settings > Groups page.
2. Select the group to be deleted using the Group name drop-down list.
3. Click Delete.

Configuring Output Settings

Reports and alerts are distributed according to Advanced Firewall's output settings. In order to send reports and alerts, Advanced Firewall must be configured to operate with mail servers and email-to-SMS gateway systems.
To access output settings:
1. Browse to the Logs and reports > Settings > Output settings page.


About Email to SMS Output

Advanced Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs and composes an SMS message, which is then sent.
A wide variety of email-to-SMS gateway services are available. Unfortunately, each has its own definition of the format that an email should arrive in. While there are a few conventions (usually the destination SMS number is placed in the email's subject line), it is necessary to configure Advanced Firewall so that it can format email messages in the format specified by your email-to-SMS gateway service provider.

About Placeholder Tags

To allow easy configuration of message formats for different service providers, Advanced Firewall uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:

Placeholder: Description
%%ALERT%%: The content of the alert message.
%%SMS%%: The recipient SMS number.
%%EMAIL%%: The recipient's email address.
%%HOSTNAME%%: The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
%%DESCRIPTION%%: The description of the Advanced Firewall system (useful when using multiple firewall systems).
%%--%%: A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).

For example, if an email-to-SMS gateway requires emails to be sent to <telephone number>@sampleSMS.com, the following configuration would provide this:
%%SMS%%@sampleSMS.com
If the content of the message should be entered in the email message body, the following configuration would provide this:
%%ALERT%%
Networks with multiple Advanced Firewall systems may wish to include details of the system that generated the alert; any of the following examples would provide this:
%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% -%%HOSTNAME%%
%%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)
Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. Advanced Firewall can be configured to truncate messages; in this mode, all characters past position 155 are removed and the text .. + is appended to the message to indicate that truncation has occurred.
A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. Where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To compensate for this, insert the special %%--%% placeholder at the start of the actual message content, so that any truncation is only applied to the actual alert content.
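As an added worked example (not Smoothwall's code), the following Python models the placeholder and truncation rules just described together with the SMS to address, SMS subject line and SMS message body fields configured in the next section. The gateway credentials, hostname, description and recipient number are constructed placeholders, and the truncation marker is taken as printed in this guide.

```python
"""Model of the email-to-SMS template rules described in the Smoothwall guide.

Illustrative re-implementation written for this guide, not Smoothwall's
code: %%NAME%% placeholders are expanded, optional truncation keeps the
first 155 characters and appends a marker, and %%--%% confines truncation
to the text that follows it.
"""
from typing import Dict

SMS_LIMIT = 160               # limit imposed by some email-to-SMS gateways
KEEP_CHARS = 155              # characters kept when a message is truncated
TRUNCATION_MARKER = ".. +"    # marker as printed in the guide
TRUNCATE_FROM_TAG = "%%--%%"  # only text after this tag is truncated

PLACEHOLDER_NAMES = ("ALERT", "SMS", "EMAIL", "HOSTNAME", "DESCRIPTION")


def expand_placeholders(template: str, values: Dict[str, str]) -> str:
    """Replace each %%NAME%% tag in the template with its value."""
    for name in PLACEHOLDER_NAMES:
        template = template.replace(f"%%{name}%%", values.get(name, ""))
    return template


def truncate_sms(text: str) -> str:
    """Guide's rule: text longer than 160 characters is cut after position
    155 and the marker is appended to show that truncation occurred."""
    if len(text) <= SMS_LIMIT:
        return text
    return text[:KEEP_CHARS] + TRUNCATION_MARKER


def render_body(body_template: str, values: Dict[str, str],
                truncate: bool) -> str:
    """Render the SMS message body.

    Gateway parameters (credentials and the like) placed before %%--%% are
    never cut; only the part after the tag is subject to truncation. Without
    the tag the whole body is truncated, so required parameters eat into the
    space left for the alert itself.
    """
    if TRUNCATE_FROM_TAG in body_template:
        fixed_part, _, alert_part = body_template.partition(TRUNCATE_FROM_TAG)
    else:
        fixed_part, alert_part = "", body_template
    fixed_part = expand_placeholders(fixed_part, values)
    alert_part = expand_placeholders(alert_part, values)
    if truncate:
        alert_part = truncate_sms(alert_part)
    return fixed_part + alert_part


def render_sms_email(settings: dict, recipient: Dict[str, str],
                     alert: str) -> Dict[str, str]:
    """Build the To address, subject and body of the email carrying one alert
    to one group member, from the Email to SMS Output System fields."""
    values = {
        "ALERT": alert,
        "SMS": recipient["sms"],
        "EMAIL": recipient["email"],
        "HOSTNAME": settings["hostname"],
        "DESCRIPTION": settings["description"],
    }
    return {
        "to": expand_placeholders(settings["sms_to_address"], values),
        "subject": expand_placeholders(settings["sms_subject_line"], values),
        "body": render_body(settings["sms_message_body"], values,
                            settings["truncate"]),
    }


# Constructed settings mirroring the Output settings fields. sampleSMS.com is
# the guide's own example gateway; credentials, hostname, description and the
# recipient details are placeholders (07700 900xxx is a reserved UK range).
EXAMPLE_SETTINGS = {
    "hostname": "fw-1",
    "description": "Head office firewall",
    "sms_to_address": "%%SMS%%@sampleSMS.com",
    "sms_subject_line": "%%SMS%%",
    "sms_message_body": ("user=GATEWAY_USER pass=GATEWAY_PASSWORD "
                         "%%--%%%%ALERT%% - From: %%HOSTNAME%%"),
    "truncate": True,
}
EXAMPLE_RECIPIENT = {"sms": "07700900123", "email": "oncall@example.net"}


if __name__ == "__main__":
    for alert in ("Disk space low", "X" * 200):
        message = render_sms_email(EXAMPLE_SETTINGS, EXAMPLE_RECIPIENT, alert)
        print(f"To: {message['to']}\nSubject: {message['subject']}\n"
              f"{message['body']}\n")
```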


Configuring Email to SMS Output

To configure Advanced Firewall's SMS settings:
1. Browse to Logs and reports > Settings > Output settings.
2. In the Email to SMS Output System area, configure the following settings:

Setting: Description
SMTP server: Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Sender's email address field: Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
SMS to address: Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
Truncate SMS messages to 160 characters: Select if you want the content of the SMS message body to be truncated to 160 characters or if your email-to-SMS gateway service provider instructs you to do so.
Enable SMTP auth: Select to use SMTP auth if required.
Username: If using SMTP auth, enter the username.
Password: If using SMTP auth, enter the password.
SMS subject line: Enter the subject line of the SMS email in the SMS subject line field as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder, as many email-to-SMS gateways use the subject line for this purpose.
SMS message body: Enter additional parameters and the content of the alert message. If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.

3. Click Save.

Testing Email to SMS Output

To test the output system:
1. In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2. Click Send test.

Output to Email
To configure email settings:
1. Browse to Logs and reports > Settings > Output settings.
2. In the SMTP (Email) Output System area, configure the following settings:

Setting: Description
SMTP server: Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.

Sender's email address: Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
Enable SMTP auth: Select to use SMTP auth if required.
Username: If using SMTP auth, enter the username.
Password: If using SMTP auth, enter the password.

3. Click Save.

Generating a Test Alert

To generate a test alert:
1. Configure Email to SMS output and/or SMTP (Email) output.
2. Click Generate test alert.


Chapter 13

Managing Your Advanced Firewall
In this chapter:
Installing system and security updates
Managing module installations and product licensing
Creating and restoring archives
Scheduling automatic maintenance
Shutting down and restarting
Setting system preferences
Configuring administration and access settings
Managing tenants
Configuring UPS devices, modems, hardware failover and firmware settings
Producing diagnostic files
Managing certificates.

Installing Updates
Administrators should use Advanced Firewall's update facility whenever a new update is released. Updates are typically released in response to evolving or theoretical security threats as they are discovered. System updates may also include general product enhancements as part of Smoothwall's commitment to continuous product improvement.
Advanced Firewall must be connected to the Internet in order to discover, download and install system updates.
Smoothwall's support systems are directly integrated with Advanced Firewall's system update procedure, allowing the Smoothwall support department to track the status of your system.

Installing Updates
The following section explains how to install updates.
Note: If Advanced Firewall is configured for failover, see Installing Updates on a Failover System on
page 260 for information on how to proceed.

To install updates:
1. Navigate to the System > Maintenance > Updates page.
2. Configure the following settings:

Setting/button: Description
Refresh update list: Click to get a list of available updates. Any updates available will be listed in the Available updates area.
Download updates: Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.
Clear download cache: Click to clear any downloaded updates stored in the cache.
Install updates: Click to install all updates in the Pending updates area immediately.
Install at this time: Enter the time at which you want to install the updates if you do not want to install them immediately and click Install at this time.

3. If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown page.

Installing Updates on a Failover System

The following section explains how to install updates on a failover system. Following these steps ensures the correct application of all pending updates and also performs a failover test between the master and the failover unit.
To install updates on a failover system:
1. On the master's System > Maintenance > Updates page, download the updates.
2. Wait until the updates have been transferred to the failover unit. This should happen within 5 minutes.
3. Go to the failover unit's web interface and install the pending updates. Once they have been installed, the failover unit displays information on the update and prompts for a reboot.
4. On the System > Maintenance > Shutdown page, reboot the failover unit.
5. When the failover unit is up and running again, install the updates on the master and reboot. During master downtime, the failover unit is active and remains so until the master is live again.


Managing Modules
Advanced Firewall's major system components are separated into individually installed modules. Modules can be added to extend Advanced Firewall's capabilities, or removed in order to simplify administration and reduce the theoretical risk of as yet undiscovered security threats.
Note: Modules must be registered against your Advanced Firewall serial number before they can be installed and used. For further information, please consult your Smoothwall partner or, if purchased directly, Smoothwall.
Advanced Firewall must be connected to the Internet in order to install modules.
To install a module:
1. Navigate to the System > Maintenance > Modules page.
Note: The information displayed depends on the product series you are using.
2. In the Available modules area, locate the module and click Install.
Note: Some module installations require a full reboot of Advanced Firewall. Please read the module description carefully prior to installation.

Removing a Module
To remove a module:
1. Navigate to the System > Maintenance > Modules page.
2. In the Installed modules area, locate the module and click Remove.
3. Reboot Advanced Firewall on the System > Maintenance > Shutdown page.

Licenses
Advanced Firewall contains information on licenses and subscriptions.
To view license information:
1. Navigate to the System > Maintenance > Licenses page.
Note: The information displayed depends on the Smoothwall product you are using.

Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License installation and activation is an automated process, initiated via a secure request to Smoothwall's licensing servers.
To install additional licenses:
1. Navigate to the System > Maintenance > Licenses page.
2. Click Refresh license list. This will cause the available license information to be updated via the Internet, and any new licenses will be installed.
Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information, see the documentation delivered with your Smoothwall add-on module.

Archives
The Archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring an Advanced Firewall system. They can also be used to create clones of existing systems.


Tip: Log on to our support portal and read how to set up a Windows SSH server with keys in order to back up system settings.
Note: You can automatically schedule the creation of backup archives. For further information, see Scheduling on page 264.

About Archive Profiles

You can assign a profile to an archive, enabling you to specify which components you want backed up in a particular archive.
You can create and assign up to 20 profiles and generate their archives automatically.
Profiles are also used to store settings for Smoothwall replication systems. For more information, see Chapter 14, Centrally Managing Smoothwall Systems on page 291.

Creating an Archive
To create an archive:
1. Navigate to the System > Maintenance > Archives page.
2. Configure the following settings:

Setting: Description
Profile: To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.
Profile name: Enter a name for the profile.
Comment: Enter a description for the archive.
Automatic backup: Select if you want to archive settings automatically.
Settings: Settings available include general settings for Advanced Firewall and replicable settings which can be used in a Smoothwall system. Indicates that the setting can be replicated. Select the components you want to archive or select All to select and archive all settings. For more information on replication in Smoothwall systems, see Chapter 14, Centrally Managing Smoothwall Systems on page 291.
Logs: Select the log files you want to archive or select All to select and archive all logs.

3. Click Save and backup to create the archive.

Downloading an Archive
To download an archive:
1. In the Archives area, select the archive.
2. Click Download and save the archive to disk using the browser's Save as dialog box.


Restoring an Archive
To restore an archive:
1. In the Archives area, select the archive.
2. Click Restore. The archive contents are displayed.
3. Select the components in the archive that you want to restore and click Restore.

Deleting Archives
To delete an archive:
1. In the Archives area, select the archive and click Delete.

Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and Smoothwall modules so that they can be re-used in the current version(s).
To upload an archive:
1. In the Upload area, enter the name of the archive and click Browse.
2. Navigate to and select the archive.
3. Click Upload to upload the archive.

Scheduling
You can configure Advanced Firewall to automatically discover and download system updates, modules and license upgrades using the scheduler.
You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.

To create a schedule of tasks:
1. Navigate to the System > Maintenance > Scheduler page.
2. Configure the following settings:

Setting: Description
Day: From the drop-down list, select the day of the week that the tasks will be executed.
Hour: From the drop-down list, select the time of day at which the tasks will be executed.
Check for new updates: Select to check for new system updates.
Download updates: Select to download available updates.
Check for new modules: Select to check for new modules.
Check for license upgrades: Select to discover and install license upgrades.


Prune archives: Options here enable you to schedule archive pruning if you require it. Select one of the following options:
  Don't prune: This is the default option; archives are never pruned.
  Over a month: Select this option to prune archives that are older than one month.
  Over 2 months: Select this option to prune archives that are older than two months.
  Over 3 months: Select this option to prune archives that are older than three months.

3. Click Save.

Scheduling Remote Archiving

Scheduled remote archiving uses SSH keys to allow Advanced Firewall to securely copy files to a remote SSH server without the need for passwords.
The use of SSH keys requires Advanced Firewall to generate a key pair which it will use to encrypt all file transfers sent to the SSH server.
The SSH server must be configured to accept connections from Advanced Firewall in this manner; it requires the public half of the key pair to be installed.
To schedule remote archiving:
1. Navigate to the System > Maintenance > Scheduler page.
2. In the Remote archive destinations area, click Export Public Backup Key.
3. Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.
4. In the Remote archive destinations area, enter the following information:

Setting: Description
Name: Enter a name to identify this destination.
Username: Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
Remote path: Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/. If left blank, Advanced Firewall uses the default home directory of the specified remote user.
Server: Set the IP address of the SSH server.
Port Number: Set the port number used to access the SSH server (normally port 22).
Transfer Speed Limit: Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system adversely affecting the performance of other network traffic.
Comment: Enter a description of the destination.

5. Click Add.
6. Repeat the steps above to make other destinations available.

7. In the Remote archival area, enter the following information:

Setting: Description
Day: The day of the week to carry out the archive.
Hour: The hour of the day to carry out the archive.
Archive destination: From the drop-down list, select a destination as configured in the Remote archive destinations area.
Archive profile: From the drop-down list, select an archive profile as configured on the Archives page.
Enabled: Select to enable the archive.
Comment: Enter a description of the archive.

8. Click Add.
9. Repeat the steps above to configure other archives for scheduled remote archiving.
Note: A local copy of the archive is also created and stored.

Editing Schedules
To edit a schedule:
1. In the appropriate area, select the destination or task and click Edit or Remove.

Shutting down and Rebooting

Advanced Firewall can be shut down or restarted immediately, after a specified delay or at a predetermined time.
To shut down or reboot:
1. Browse to the System > Maintenance > Shutdown page.
2. Configure the following settings:

Setting: Description
Immediately: Select to shut down or reboot immediately.
Delay action for: Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.


At the following time: Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.

3. Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Setting System Preferences

The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you to use one.

Configuring the User Interface

Advanced Firewall can be customized in different ways, depending on how you prefer working. The main changes that can be made are the method of displaying errors and the drop-down list navigation system. It is also possible to alter the system's description.
To configure the user interface:
1. Browse to the System > Preferences > User interface page.
2. Configure the following settings:

Setting: Description
Host information: In the description field, enter a description to identify Advanced Firewall. This will be displayed in the title bar of the browser window.

268

System control
page

From the Report to show drop-down list, select the report you want
displayed on the Dashboard.

Dashboard
sections

Determines what, if any, information is displayed in the System Services area


on the Dashboard.

Click Save.

Smoothwall Advanced Firewall


Administrators Guide

Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or retrieved automatically from a local or external Network Time Protocol (NTP) server, typically located on the Internet.
Advanced Firewall can also act as an NTP server itself, allowing network-wide synchronization of system clocks.
Note: Standard NTP exchanges are unauthenticated, so a host able to spoof or intercept the time source can move the firewall's clock. Accurate time matters for certificate validity checks, scheduled tasks and the log timestamps you may later need to correlate, so prefer a trusted local time source where one exists.
To set the time:

1. Navigate to the System > Preferences > Time page.

2. Configure the following settings:

Timezone: From the drop-down list, select the appropriate time zone.
Time and date: To set the time and date manually, select Set and use the drop-down lists to set the time and date.
Network time retrieval: To retrieve time settings automatically:
  a. Select Enabled in the Network time retrieval area.
  b. Choose the retrieval frequency by selecting an interval from the Interval drop-down list.
  c. Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
  d. Choose one of the following retrieval methods:
     Multiple random public servers: sets the time to the average of the times retrieved from five random public time servers.
     Selected single public server: select a public time server from the drop-down list.
     User defined single public or local server: enter the address of a specific local or external time server.
Network time service interfaces: Advanced Firewall can synchronize the system clocks of local network hosts by providing a time service. To provide the network time service, enable network time retrieval and then select each internal network interface on which the service should be available.

3. Click Save.

Configuring Registration Options


Advanced Firewall enables you to use an upstream registration proxy if your ISP requires you to use one and, optionally, to supply information about the status of your system and web filtering statistics to Smoothwall.
To configure registration options:

1. Navigate to the System > Preferences > Registration options page.

2. Configure the following settings:

Upstream registration proxy:
  Server: Enter the hostname or IP address of the proxy server.
  Port: Enter the port number to use.
  Username: Enter the username provided by your ISP.
  Password: Enter the password provided by your ISP.
Note: The upstream proxy has no bearing on Advanced Firewall's own proxy services.

Extended registration information: When registering, updating and/or installing add-on modules, Advanced Firewall sends information about licences, subscriptions and add-on modules to Smoothwall. When this option is enabled, and depending on which add-on modules are installed, the following information is also sent:
  Enabled status for optional services
  The number of configured interfaces and whether they are internal or external
  Authentication service settings and the LDAP server type
  Guardian transparent mode and authentication service settings mode
  Manufacturer name and product name from dmidecode
  Main board manufacturer and main board product name from dmidecode.
Note: No usernames, passwords or sensitive information are sent, and any potentially identifying data is summarized before sending.

Provide filtering feedback information: When enabled, Advanced Firewall periodically sends information about web filtering accuracy and a list of the domains of any web sites which could not be classified. Smoothwall will take every available measure to ensure data cannot be associated with your organization, and no personal information is ever sent.
Note: The unclassified-domain list is derived from sites your users requested, so review both options against your organization's data-handling policy before enabling them.

3. Click Save. Advanced Firewall starts to use the configured upstream proxy and, if enabled, sends registration and/or filtering information.

Configuring the Hostname


You can configure Advanced Firewall's hostname. A hostname should usually include the name of the domain that it is within.
To change the hostname:

1. Browse to the System > Preferences > Hostname page.

2. Enter a new value in the Hostname field and click Save.

Note: After setting the hostname, a reboot is required before the HTTPS server uses the new hostname in the Common Name field of its certificate.

Configuring Administration and Access Settings


The following sections discuss administration, external access and account settings.

Configuring Admin Access Options


You can enable and disable remote access to Advanced Firewall's console via Secure Shell (SSH) and configure remote access referral checking.
To access Advanced Firewall via remote SSH, the following criteria must be met:

  The host must be in a valid network zone
  The host must have a valid source IP
  The SSH service must be enabled
  Admin access must be set to enabled
  The setup or root username and password must be known.

Note: SSH access gives the root user a shell on the firewall itself. Leave it disabled when it is not needed and, when it is enabled, restrict the permitted source addresses with an external access rule (see Configuring External Access on page 273) rather than relying on the password alone.

To permit access to the console via SSH:

1. Navigate to the System > Administration > Admin options page.

2. Select SSH and click Save.

Note: Terminal access to Advanced Firewall uses the non-standard port 222.

Referral Checking
In order to ensure that configuration requests to the web interface originate from a logged-in administrator's own session, and not from a third-party web page that the administrator's browser has been lured into loading, you can enable remote access referral checking.
When enabled, administration requests are only processed if the referral URL (the HTTP Referer header sent by the browser) contains the local IP address, the local hostname, or the external IP address where applicable.
If the referral is not from an Advanced Firewall page, the request is ignored and reported in the general Smoothwall log file.
Note: This check is a defence against cross-site request forgery, but it depends on the browser supplying a Referer header. Browsers and proxies can be configured to strip that header, which causes legitimate requests to be ignored, and a client that is not a browser can set it to any value, so treat the check as one layer of protection rather than a guarantee.
Note: This function prevents Advanced Firewall from being accessed remotely via a DNS or a Dynamic DNS address, because the referral URL then contains that name rather than the local IP, the local hostname or the external IP. To remotely manage an Advanced Firewall system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.
To enable referral checking:

1. Navigate to the System > Administration > Admin access page.

2. Select Allow admin access only from valid referral URLs in the Remote Access area.

3. Click Save.
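The following Python script is an added example, not code from the guide or from Smoothwall, of the referral check described above. It assumes constructed addresses (LOCAL_IP, LOCAL_HOSTNAME and EXTERNAL_IP) and compares the host component of the Referer URL rather than searching for the address as a substring, which is the safer reading of "contains"; it also shows why a request made through a Dynamic DNS name is ignored.

```python
"""Referer-based check for admin requests: added example, not the guide's code."""
from urllib.parse import urlsplit

# Constructed addresses for the example (assumptions, not from the guide).
LOCAL_IP = "192.168.72.142"
LOCAL_HOSTNAME = "smoothwall"
EXTERNAL_IP = "203.0.113.10"


def allowed_referrer_hosts(local_ip, local_hostname, external_ip=None):
    """The hosts a valid referral URL may carry: local IP, local hostname
    and, where the system has one, the external IP."""
    hosts = {local_ip.lower(), local_hostname.lower()}
    if external_ip:
        hosts.add(external_ip.lower())
    return hosts


def referral_ok(referer, allowed_hosts):
    """True if the Referer URL's host is one of the firewall's own addresses.

    The comparison is made on the parsed host component, not by substring
    search, so http://attacker.example/192.168.72.142/ and
    http://192.168.72.142.attacker.example/ are both rejected.
    A missing or unparsable Referer is rejected: there is nothing to verify.
    """
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname  # lower-cased, port removed
    except ValueError:
        return False
    return host is not None and host in allowed_hosts


def handle_admin_request(headers, allowed_hosts, log):
    """Process a configuration request only when the referral is valid;
    otherwise ignore it and record the fact, as the guide describes."""
    referer = headers.get("Referer")
    if referral_ok(referer, allowed_hosts):
        return "processed"
    log.append("admin request ignored: referral %r not from this system" % (referer,))
    return "ignored"


if __name__ == "__main__":
    hosts = allowed_referrer_hosts(LOCAL_IP, LOCAL_HOSTNAME, EXTERNAL_IP)
    log = []
    for ref in ("https://192.168.72.142:441/cgi-bin/admin/updates.cgi",
                "https://fw.dyndns.example:441/cgi-bin/admin/updates.cgi",  # DNS name: ignored
                "http://attacker.example/192.168.72.142/",
                None):
        print("%-60s %s" % (ref, handle_admin_request({"Referer": ref}, hosts, log)))
    print("\n".join(log))
```

The Dynamic DNS case in the sample run is the situation the note above describes: the request is well formed and comes from a real administrator, but the check cannot tell it apart from a forged one and ignores it.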

Configuring External Access


External access rules determine which interfaces, services, networks and host systems can be used to administer Advanced Firewall.
The default external access rule allows administrators to access and configure Advanced Firewall from any source IP that can route to the system's first (default) network interface.
This default rule allows administrators to access any of the following admin services:

  SSH admin: Access to the system console on port 222. Requires SSH access to be enabled, see Configuring Admin Access Options on page 272.
  HTTP admin: Access to the web-based interface on port 81. This is unencrypted, so credentials and configuration travel in clear text; prefer HTTPS admin and do not permit HTTP admin from untrusted networks.
  HTTPS admin: Access to the web-based interface on port 441.

To enable external access:

1. Browse to the System > Administration > External access page.

2. Configure the following settings:

Interface: From the drop-down list, select the interface from which access is permitted.
Source IP, or network: Specify the individual hosts, ranges of hosts or subnets that are permitted to use admin access.
  For a range of hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.50.
  For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
  If no value is entered, any source IP can access the system. Leave this field empty only on interfaces that are themselves trusted; a rule with an empty source on an external interface exposes the admin services to the whole Internet, so on such interfaces always list the specific management hosts.
Service: Select the permitted access method.
Comment: Enter a description for the access rule.
Enabled: Select to activate access.

3. Click Add. The access rule is added to the Current rules table.

Note: Do not remove the default external access rule, it provides access to the default internal network.
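The following Python script is an added example, not part of the guide or of Advanced Firewall, of evaluating external access rules as the table above defines them. The rule list, interface names, addresses and comments are constructed for the example; the script parses the three source formats, treats an empty source as any address, checks whether a given source and service are admitted by an enabled rule, and flags enabled rules whose source is unrestricted.

```python
"""External access rule evaluation: added example, not part of Advanced Firewall."""
import ipaddress

# Admin services and the ports the guide gives for them.
ADMIN_SERVICE_PORTS = {"SSH admin": 222, "HTTP admin": 81, "HTTPS admin": 441}

# Constructed rule table for the example; interfaces and comments are assumptions.
RULES = [
    {"interface": "eth0", "source": "192.168.10.0/255.255.255.0",
     "service": "HTTPS admin", "enabled": True, "comment": "LAN admins, web interface"},
    {"interface": "eth0", "source": "192.168.10.1-192.168.10.50",
     "service": "SSH admin", "enabled": True, "comment": "Jump hosts only"},
    {"interface": "eth1", "source": "",
     "service": "HTTPS admin", "enabled": False, "comment": "Any source on the external interface"},
]


def parse_source(spec):
    """Turn a 'Source IP, or network' field into a list of networks.

    Forms accepted, as in the guide: a single host, an inclusive dashed range
    such as 192.168.10.1-192.168.10.50, and a subnet written either as
    192.168.10.0/255.255.255.0 or 192.168.10.0/24. An empty field means any
    source and is represented as 0.0.0.0/0.
    """
    spec = spec.strip()
    if not spec:
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError("range end precedes start: %s" % spec)
        return list(ipaddress.summarize_address_range(start, end))
    # ip_network accepts both prefix-length and dotted-netmask notation; a bare
    # host becomes a /32, and strict=False tolerates host bits being set.
    return [ipaddress.ip_network(spec, strict=False)]


def source_allowed(spec, source_ip):
    """True if source_ip falls inside the rule's source specification."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in parse_source(spec))


def admin_access_permitted(rules, source_ip, service):
    """True if an enabled rule for `service` admits `source_ip`.
    Disabled rules never match, whatever their source."""
    return any(rule["enabled"] and rule["service"] == service
               and source_allowed(rule["source"], source_ip)
               for rule in rules)


def overbroad_rules(rules):
    """Enabled rules whose source admits every address (empty field or /0):
    on an external interface these expose the admin service to the Internet."""
    return [rule for rule in rules if rule["enabled"]
            and any(net.prefixlen == 0 for net in parse_source(rule["source"]))]


if __name__ == "__main__":
    for ip, svc in (("192.168.10.200", "HTTPS admin"), ("192.168.10.200", "SSH admin"),
                    ("192.168.10.20", "SSH admin"), ("203.0.113.5", "HTTPS admin")):
        print("%-16s %-11s port %3d permitted: %s" % (
            ip, svc, ADMIN_SERVICE_PORTS[svc], admin_access_permitted(RULES, ip, svc)))
    for rule in overbroad_rules([dict(r, enabled=True) for r in RULES]):
        print("WARNING: unrestricted source on", rule["interface"], "-", rule["comment"])
```

The last loop enables every rule before auditing, which is how the third rule, harmless while disabled, becomes a finding: an empty source on the external interface admits any address on the Internet.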

Editing and Removing External Access Rules


To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings


Advanced Firewall supports different types of administrative accounts.
To manage accounts:

1. Navigate to the System > Administration > Administrative users page.

2. Configure the following settings:

Username: Enter a name for the user account.
Password: Enter a password. Passwords are case sensitive and must be at least six characters long. Six characters is only the minimum the interface enforces; for accounts with Administrator permission, use a considerably longer passphrase, as these accounts can change every setting described in this guide.
Again: Re-enter the password to confirm it.
Permissions: Select the permissions you want to apply to the account. Grant only those the user needs:
  Administrator: Full permission to access and configure Advanced Firewall.
  Log: Permission to view the system log files.
  Operator: Permission to shut down or reboot the system.
  Portal User: Permission to access the user portal pages.
  SMTP quarantine: Permission to access and manage the SMTP quarantine pages.
  Realtime logs: Permission to view realtime logs.
  Reporting system: Permission to access the reporting system.
  Rule editor user: Permission to edit networking outgoing policies, ports and external services. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
  Temp ban: Permission to access and change temporary ban status.

3. Click Add to add the account.

Changing a User's Password

To set or edit a user's password:

1. Browse to the System > Administration > Administrative users page.

2. In the Current users area, select the user and click Edit.

3. Enter and confirm the new password in the Password and Again fields.

4. Click Add to activate the changes.

Managing Tenants
Note: To add tenants, you must have the correct Advanced Firewall license type. Contact your Smoothwall
representative for more information.
Advanced Firewall's multi-tenancy functionality enables you to define client organizations, known as tenants, which can access and use Advanced Firewall services. Each tenant has its own directory server(s) and users.
Multi-tenancy enables Advanced Firewall to apply network permissions to users whose usernames are not unique across tenants.
For information on tenants and directories, see Chapter 10, Configuring Directories on page 195.

Adding a Tenant
Note: When you add tenants to Advanced Firewall, connections coming from addresses not associated with a tenant will be unable to authenticate.

To add a tenant:

1. Browse to the System > Administration > Tenants page.

2. Click Add new tenant.

3. In the Add new tenant dialog box, configure the following settings:

Name: Enter a name to identify the tenant.
IP address range: Enter the tenant's IP address, subnet or range.
Note: An address can only be used by a single tenant. Tenant addresses cannot overlap, because the source address is what selects the tenant and therefore the directory a user is authenticated against.

4. Click Add. Advanced Firewall adds the tenant.

5. Repeat the steps above for any other tenants you want to add.

Editing a Tenant
To edit a tenant:

1. On the System > Administration > Tenants page, point to the tenant and click Edit.

2. In the Edit tenant dialog box, make the changes you require. See Adding a Tenant on page 275 for information on the settings available.

3. Click Save changes. Advanced Firewall applies the changes.

Deleting a Tenant
To delete a tenant:

1. On the System > Administration > Tenants page, point to the tenant and click Delete.

2. When prompted, click Delete. Advanced Firewall deletes the tenant.

Hardware
The following sections discuss how to configure UPS devices, modems and firmware settings.

Managing UPS Devices

Uninterruptible Power Supply (UPS) devices physically connected to Advanced Firewall provide emergency power to Advanced Firewall if the mains power supply fails.

UPS Connection Prerequisites

Before you start configuring Advanced Firewall to use a UPS device:

1. Follow the documentation delivered with your UPS device to prepare it for use.

2. Connect the UPS device to Advanced Firewall.

3. On the System > Maintenance > Shutdown page, reboot immediately. Once rebooted, you are ready to start configuring the UPS device.

Configuring the Global Shut Down Condition

The global shut down condition determines when, if ever, an Advanced Firewall connected to a UPS device should shut down.
To configure the global shut down condition:

1. Browse to the System > Hardware > UPS page.

2. Select when Advanced Firewall should shut down:

Never: Select to never shut down Advanced Firewall.
When all remaining UPS are at low battery: Select to shut down Advanced Firewall when all currently connected UPS devices are at low battery levels.
After a set time of being on battery: Select to specify how long to wait before shutting down Advanced Firewall when running on UPS battery. In Delay before shut down, enter how long, in minutes, to wait before shutting down Advanced Firewall.

3. Click Save changes. Advanced Firewall applies the shut down condition.

Configuring UPS Devices


UPS devices can be configured to use the following types of connection:

  USB: connects to Advanced Firewall via a USB connection. For more information, see Configuring a UPS Device with a USB Connection on page 278.
  Serial: connects to Advanced Firewall via a serial connection. For more information, see Configuring a UPS Device with a Serial Connection on page 278.
  SNMP: connects to Advanced Firewall over the network via SNMP. For more information, see Configuring a UPS Device with an SNMP Connection on page 278.
  HTTP: connects to Advanced Firewall over the network via HTTP. For more information, see Configuring a UPS Device with an HTTP Connection on page 279.

Advanced Firewall also makes information about UPS devices available on the System > Central management > Overview page. For more information, see Chapter 14, Accessing the Node Details Page on page 298.
It is also possible to configure an alert which is triggered when power switches to and from mains supply. For more information, see Chapter 12, Enabling Alerts on page 229.

Configuring a UPS Device with a USB Connection


To configure a USB connection:

1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:

Name: Enter a name for the UPS device.
UPS connection: Select USB.

2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with a Serial Connection

To configure a serial connection:

1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:

Name: Enter a name for the UPS device.
UPS connection: Select Serial.
Manufacturer: From the drop-down lists, select the UPS device's manufacturer and model.
Port: From the drop-down list, select the serial port the UPS device uses.

2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an SNMP Connection

To configure an SNMP connection:

1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:

Name: Enter a name for the UPS device.
UPS connection: Select SNMP.
IP address: Enter the IP address of the UPS device.
SNMP community: Enter the UPS device's SNMP community string.

Note: An SNMP community string is the only credential protecting the UPS's management interface, and with SNMP v1 and v2c it crosses the network unencrypted in every request. Change the device's default community, and keep the UPS and the firewall interface that polls it on a management network that untrusted hosts cannot reach.

2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an HTTP Connection

To configure an HTTP connection:

1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:

Name: Enter a name for the UPS device.
UPS connection: Select HTTP.
IP address: Enter the IP address of the UPS device.
Username: If required, enter the username Advanced Firewall should use to connect to the device.
Password: If required, enter the password Advanced Firewall should use to connect to the device.
Confirm: If required, re-enter the password.

Note: Where the device is reached over plain HTTP, the username and password travel unencrypted; the same network placement advice as for SNMP applies.

2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Editing UPS Devices

To edit a UPS device's settings:

1. On the System > Hardware > UPS page, point to the device you want to edit and click Edit.

2. In the Edit UPS dialog box, make the changes required. See Configuring UPS Devices on page 277 for information on the settings available.

3. Click Save changes. Advanced Firewall changes the settings and lists the device in the Connected UPS area.

Deleting UPS Devices

To delete a UPS device:

1. On the System > Hardware > UPS page, point to the device you want to delete and click Delete.

2. When prompted, click Delete to confirm that you want to delete the device. Advanced Firewall deletes the device and removes it from the list in the Connected UPS area.

Managing Hardware Failover


Advanced Firewall's hardware failover enables you to configure a failover Advanced Firewall system which, in the event of hardware failure, provides all the protection and services your master Advanced Firewall usually provides.
Note: Hardware failover is not included as standard with Advanced Firewall; it must be licensed separately. Contact an authorized Smoothwall partner or visit www.smoothwall.net for more information.

How does it work?

When configured and enabled, the failover Advanced Firewall runs in a standby mode, monitoring the master Advanced Firewall for a heartbeat communication. Heartbeat is the name of a suite of services and configuration options that enable two identical Advanced Firewall systems to be configured to provide hardware failover.
The master periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the master fails.
Note: Settings are copied intermittently, so the failover unit may be a few minutes behind configuration changes made to the master. A firewall rule or access restriction added on the master is therefore not guaranteed to be in force on the failover unit until the next copy has completed.
If the master fails, it stops responding to the failover unit's heartbeat and the failover unit therefore determines that the primary system is no longer available. This is detected somewhere between 0 seconds and the keep-alive interval specified when configuring failover.
The failover unit then enters a more responsive mode in which it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master.
Once the dead time has expired, the failover unit leaves standby mode and begins reinstating the settings and services which allow it to take over operations from the master. Since part of this information includes the IP addresses of each of the master's interfaces, the failover unit essentially provides a drop-in replacement and the transition will generally go unnoticed.
When the master starts to respond again, be it minutes, days or weeks later, and assuming that auto failback is enabled, the failover unit hands control back to the master, deactivates its configuration and services and returns to standby mode.
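The following Python model is an added illustration, not Smoothwall's heartbeat implementation, of the state changes described above. The heartbeat times, keep-alive interval and dead time are constructed values; the model shows a clean failure, an intermittent failure that the dead time absorbs, and the difference between auto failback and manual failback.

```python
"""Failover unit state machine: added illustration, not the Heartbeat code."""


class FailoverUnit:
    STANDBY, SUSPECT, ACTIVE = "standby", "suspect", "active"

    def __init__(self, keepalive, dead_time, auto_failback):
        self.keepalive = keepalive        # seconds between expected heartbeats
        self.dead_time = dead_time        # seconds to wait in SUSPECT before taking over
        self.auto_failback = auto_failback
        self.state = self.STANDBY
        self.last_heartbeat = 0.0
        self.suspect_since = None
        self.transitions = []             # (time, new_state) log

    def _set(self, state, now):
        self.state = state
        self.transitions.append((now, state))

    def heartbeat(self, now):
        """The master answered the heartbeat at time `now`."""
        self.last_heartbeat = now
        if self.state == self.SUSPECT:
            # Master came back within dead time: treat it as an intermittent failure.
            self._set(self.STANDBY, now)
        elif self.state == self.ACTIVE and self.auto_failback:
            # Master revived while we are serving: hand control back.
            self._set(self.STANDBY, now)

    def tick(self, now):
        """Periodic check run by the failover unit."""
        if self.state == self.STANDBY and now - self.last_heartbeat > self.keepalive:
            self.suspect_since = now      # master missed a heartbeat: watch closely
            self._set(self.SUSPECT, now)
        elif self.state == self.SUSPECT and now - self.suspect_since >= self.dead_time:
            self._set(self.ACTIVE, now)   # dead time elapsed: take over

    def enter_standby(self, now):
        """Manual failback (the 'Enter standby mode' button on the failover unit)."""
        self.last_heartbeat = now
        self._set(self.STANDBY, now)


def simulate(heartbeats, until, keepalive, dead_time, auto_failback, step=0.5):
    """Replay a timeline. `heartbeats` is the set of times at which the master
    answered; the unit polls every `step` seconds up to `until`.
    Returns the list of (time, state) transitions."""
    unit = FailoverUnit(keepalive, dead_time, auto_failback)
    for i in range(int(until / step) + 1):
        now = i * step
        if now in heartbeats:
            unit.heartbeat(now)
        unit.tick(now)
    return unit.transitions


if __name__ == "__main__":
    # Master answers for 3 s, dies, and returns at t=15 s (constructed timeline).
    master_dies_then_returns = {0, 1, 2, 3, 15, 16, 17, 18, 19, 20}
    for t, s in simulate(master_dies_then_returns, 20, 1.0, 5.0, True):
        print("t=%5.1fs  failover unit -> %s" % (t, s))
```

With a 1 second keep-alive and a 5 second dead time, the unit notices the missed heartbeat at 4.5 s, takes over at 9.5 s and, because auto failback is on, returns to standby the moment the master answers again at 15 s; with auto failback off it stays active until enter_standby is called.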

Prerequisites
The following must be in place for hardware failover to work:

  A private network consisting of only the two Advanced Firewall systems, connected via their heartbeat interfaces, preferably using a crossover cable
  The master and failover unit should both use the same types of hard disk drives and RAM, and above all the same type and number of network interface cards
  The failover unit must be plugged into all the switches the master is plugged into
  SSH must be enabled on the master, see Configuring Admin Access Options on page 272 for more information.

Note: Because the master's configuration is copied across the heartbeat link, any host able to join that link can observe it; keeping the link a dedicated, physically separate network is a security requirement as well as a latency one.

Configuring Hardware Failover


Configuring hardware failover entails:

On the master, specifying a network interface for the heartbeat and configuring and generating a
failover archive to deploy on the failover unit

On the failover unit, installing Advanced Firewall and deploying the failover archive.


Configuring the Master


To configure the master Advanced Firewall:

1. Navigate to the Networking > Interfaces > Interfaces page.

2. Point to the interface to be used by the master and failover unit to communicate with each other and click Edit.

Note: The master and failover unit are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as possible. For these reasons, we strongly recommend that this connection be a crossover cable. Using a crossover cable also minimizes the risk of failure, as a switch carrying the heartbeat interface could itself fail.

3. In the Edit interface dialog box, configure the following settings:

Name: Accept the default name or enter a custom name.
Use as: Select Heartbeat interface.
Spoof MAC: Optionally, enter a spoof MAC if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier. A heartbeat interface on a dedicated crossover link does not normally need this.
MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

4. Click Save changes.

5. Navigate to the System > Hardware > Failover page.

6. Configure the following settings:

Enabled: Select to enable failover.
Auto failback: Select if you want the failover unit to automatically hand control back to the master when the master starts to respond again after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
Keep-alive interval: Set the interval at which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval, which is undetectable in terms of system performance.
Dead time: Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
Master heartbeat IP: Enter an IP address for the master on the heartbeat network.
Slave heartbeat IP: Enter an IP address for the failover unit on the heartbeat network.
Netmask: Enter a netmask for the heartbeat network.
Note: We recommend that this network be private and only used by the master and failover units.

7. Click Save.

8. Browse to the System > Maintenance > Shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.
The next step is to generate the failover archive to deploy on the failover unit.

Generating a Failover Archive


A failover archive contains the settings required to configure the failover unit to provide hardware failover for Advanced Firewall.
To generate a failover archive:

1. Navigate to the System > Hardware > Failover page and configure and save the failover settings. See Configuring the Master on page 281.

2. Click Generate slave setup archive. Advanced Firewall generates the archive and prompts you to specify where to save it.

3. Save the archive on suitable removable media accessible by the failover unit. The next step is to use the archive to implement the failover settings on the failover unit.

Note: The size of the failover archive varies depending on the Smoothwall modules installed; 50 MB is an average size.
Note: The archive is a copy of the master's configuration and should be handled with the same care as a system backup: keep the removable media under control while it is in transit and erase it once the failover unit has been set up.

Implementing Failover Settings on the Failover Unit


Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings.
To implement failover on the failover unit:

1. Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation and Setup Guide for more information. On the following screen:

2. Select Yes and press Enter.

3. Select the type of media the archive is stored on and press Enter. You are prompted to insert the media.

4. Insert the media and press Enter.

5. Select the archive and press Enter. The failover settings are installed.

6. When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Note: For information on installing updates on failover units, see Installing Updates on a Failover System on page 260.

Administering Failover
There are no noticeable differences between administering an Advanced Firewall used as a master and one which is not.
There should be little or no need to administer the failover unit on a day-to-day basis. However, from time to time, you will need to install updates.
Updates are not applied to the failover unit automatically, so that it remains a known good system to fail over to should an update cause problems on the master. This also means that security updates applied to the master are absent from the failover unit until you install them there, so include the failover unit in your patching schedule.

Accessing the Failover Unit


With failover implemented, the active Advanced Firewall system is always accessed via the usual address, whether services and protection are being supplied by the master or the failover unit.
When you need to access the failover unit directly, you can do so using a variation of the address for the master. For example, to access the master's Update page the address would usually look as follows:
https://192.168.72.142:441/cgi-bin/admin/updates.cgi
To access the settings on the failover unit, the address would be:
https://192.168.72.142:440/cgi-bin/admin/updates.cgi
All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441.
The address used in the example above, 192.168.72.142, is the address of the master, because in standby mode the failover unit has no effective presence on any of the local or remote networks.

Testing Failover
In order to test failover, you can force the master to enter standby mode.
To test failover:

1. On the master, go to the System > Hardware > Failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master.

2. To restore operations to the master, on the active system, go to the System > Hardware > Failover page and click Enter standby mode. Operations will be transferred to the master.

Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode.

Manual Failback
In configurations where Auto failback is not enabled, when the failover unit is in active operation but the master system has become available again after corrective action has been taken, you can manually fail back to the master.
To manually fail back:

1. On the failover unit, go to the System > Hardware > Failover page and click Enter standby mode to restore the system to normal operation.

Configuring Modems
Advanced Firewall can store up to five modem profiles.
To configure a modem profile:

1. Browse to the System > Hardware > Modem page.

2. Configure the following settings:

Profiles: From the drop-down list, select Empty to create a new modem profile.
Profile name: Enter a name for the modem profile.
Interface: Select the serial port that the modem is connected to.
Computer to modem rate: Select the connection speed of the modem. A standard 56K modem is usually connected at the default rate of 115200.
Modem speaker on: Select to enable audio output during the modem dialing process, if the modem has a speaker.
Dialing mode: Select the dialing mode. Tone: select if your telephone company supports tone dialing. Pulse: select if your telephone company supports pulse dialing.
Init: Enter the commands required to initialize the modem.
Hangup: Enter the commands required to end a connection.
Speaker on: Enter the commands required to turn the speaker on.
Speaker off: Enter the commands required to turn the speaker off.
Tone dial: Enter the commands required to turn tone dialing on.
Pulse dial: Enter the commands required to turn pulse dialing on.
Connect timeout: Enter the amount of time, in seconds, to allow the modem to attempt to connect.

3. Click Save to save your settings and create the profile.


Installing and Uploading Firmware


Advanced Firewall can upload the third-party mgmt.o file to the system. Without this file, Alcatel SpeedTouch USB ADSL modems will not work.
To upload and install the Alcatel firmware:

1. Navigate to the System > Hardware > Firmware upload page.

2. Click Browse adjacent to the Upload file field.

3. Use the browser's Open dialog to find and open the mgmt.o firmware update file.

4. Click Upload to upload the firmware update.

Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.
Note: The 330 version of this modem also requires its own firmware update to function correctly.
Note: The firmware is third-party code loaded onto the firewall itself, so obtain it only from the modem vendor's official distribution and verify the download against the vendor's published checksum before uploading it.

Diagnostics
The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.

Configuration Tests
The Configuration tests page is used to ensure that your current Advanced Firewall settings are not likely to cause problems.
Components installed on your Advanced Firewall add tests to this page which, when run, highlight problem areas. For example, DNS resolution is checked, gateways are pinged and network routing is tested to make sure your current settings are not likely to cause problems.
To test your configuration:

1. Navigate to the System > Diagnostics > Configuration tests page.

2. Click Perform tests. The results are displayed in the Details area.

Generating Diagnostics
Advanced Firewall provides diagnostics facilities, typically used to provide Smoothwall support
engineers with complete system configuration information to aid problem solving. Because the
generated file contains the complete configuration of the system, treat it as sensitive: store it
securely and send it to support only over a channel you trust.
To generate a diagnostics file:
1. Navigate to the System > Diagnostics > Diagnostics page.
2. Configure the following settings:
   System: Select All to include all system components, or individually select the components
   you want to include in the diagnostics results.
   Modules: Select All to include all modules, or individually select the modules you want to
   include in the diagnostics results.
3. Click Generate. When prompted, save the results in a suitable location for review.

IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its
local networks and to hosts located externally on the Internet. There are two IP tools:

Ping
Ping establishes that basic connectivity to a specified host can be made. Use it to prove that
Advanced Firewall can communicate with hosts on its local networks and with external hosts on the
Internet. Note that a host which does not reply to ICMP echo requests (for example, one behind a
firewall that drops them) will appear unreachable even though other traffic to it may work.

Traceroute
Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one
system to another. More hops usually indicates a longer path, but round-trip time, not hop count,
determines how fast the connection is; use the per-hop timings to locate where delay is introduced.
The output of these commands is as it would be if the commands were run directly by the root user
from the console of the Advanced Firewall system. It is, of course, more convenient to run them from
this page.

Using Ping
To use Ping:
1. Navigate to the System > Diagnostics > IP tools page.
2. Select the Ping option from the Tool drop-down list.
3. Enter the IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4. Click Run. The result of the ping command is displayed.

Using Traceroute
To use Traceroute:
1. Navigate to the System > Diagnostics > IP tools page.
2. Select the Traceroute option from the Tool drop-down list.
3. Enter the IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4. Click Run. The result of the traceroute command is displayed.

Whois
Whois is used to display ownership information for an IP address or domain name. A major use for
this is to determine the source of requests appearing in the firewall or Intrusion Detection System
logs, which can assist in identifying malicious hosts. Bear in mind that the query is sent from
Advanced Firewall to a public whois server, so the address you look up is disclosed to that server,
and that registry contact data may be out of date or deliberately misleading.

To use Whois:
1. Navigate to the System > Diagnostics > Whois page.
2. Enter the IP address or domain name that you wish to look up in the IP addresses or domain name
field.
3. Click Run. The output of Whois is as it would be if it were run directly by the root user from the
console of the Advanced Firewall system.

Analyzing Network Traffic
The Traffic analysis page displays detailed information on what traffic is currently on the network.
To analyze traffic:
1. Navigate to the System > Diagnostics > Traffic analysis page.
2. From the Interface drop-down list, select the interface.
3. From the Time to run for drop-down list, select how long to analyze the traffic.
4. Click Generate. After the time specified has elapsed, a breakdown of the ports and services that
have been used is presented, as well as specific information on the connections made. It is possible
to view a complete transcript of TCP and UDP sessions, including pictures sent or received in web
requests.
Note: The transcript contains the full content of unencrypted sessions, including any credentials
or personal data sent in clear text. Run the analysis for no longer than needed, restrict access to
the results and dispose of them when the investigation is finished.

Managing CA Certificates
When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL
traffic, the certificates presented by remote servers must be validated. Advanced Firewall validates
them by checking them against the list of installed Certificate Authority (CA) certificates on the
System > Certificates > Certificate authorities page. Every CA in this list is trusted to vouch for
any server, so the list should contain only CAs you actually rely on.
The following sections describe how you can import new CA certificates, export existing CA
certificates and edit the list to display a subset or all of the CA certificates available.

Reviewing CA Certificates
By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs.
To review the certificates:
1. Browse to the System > Certificates > Certificate authorities page. Advanced Firewall displays
the certificates available. It also displays which certificates are valid and which are built-in, i.e.
included in Advanced Firewall by default.
2. To review a specific certificate, click on its name. Advanced Firewall displays it.
3. Click your browser's Back button to return to Advanced Firewall.

Importing CA Certificates
Importing a CA certificate makes every certificate issued by that CA acceptable to the SSL
interception components, so import only CAs you have verified, for example by comparing the
certificate's fingerprint with one published by the CA through a separate channel.
To import CA certificates:
1. Navigate to the System > Certificates > Certificate authorities page and locate the Import
Certificate Authority certificate area.
2. Click Browse, navigate to the certificate and select it.
3. Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of
the list.

Exporting CA Certificates
To export certificates:
1. On the System > Certificates > Certificate authorities page, select the certificate.
2. From the Export format drop-down list, select one of the following options:
   CA certificate in PEM: Export the certificate in PEM, the Base64-encoded ASCII (textual) format
   used by OpenSSL and most Unix tooling; Windows imports it as "Base-64 encoded X.509".
   CA certificate in BIN: Export the certificate in binary DER format, the form Windows uses for
   .cer files.
3. Click Export and save the certificate on a suitable medium.

Deleting and Restoring Certificates
You can remove built-in certificates from the list on the System > Certificates > Certificate authorities
page. You can also restore them to the list if required.
To delete certificates:
1. On the System > Certificates > Certificate authorities page, select the certificate(s) and click
Delete. Advanced Firewall removes the certificate(s). Certificates issued by a removed CA will no
longer validate when SSL traffic is intercepted.

Chapter 14

Centrally Managing
Smoothwall Systems
In this chapter:

About centrally managing Smoothwall systems

Pre-requirements

Setting up a Smoothwall system

Managing nodes in a system.

About Centrally Managing Smoothwall Systems


Advanced Firewall's central management enables you to monitor and manage nodes in a
Smoothwall system.
A Smoothwall system consists of an instance of a Smoothwall product running as a parent node
and one or more compatible Smoothwall products running as child nodes managed by the
parent node.
Configuring and managing a Smoothwall system entails:

Configuring a parent and the nodes in the system, for more information, see Setting up a Centrally
Managed Smoothwall System on page 292

Actively monitoring the nodes in the system, for more information, see Monitoring Node Status on
page 297

Applying updates, for more information, see Scheduling and Applying Updates to One or More
Nodes on page 299

Rebooting nodes as required, for more information, see Rebooting Nodes on page 299

Disabling nodes as required, for more information, see Disabling Nodes on page 299.

Pre-requirements
Before you start to set up a centrally managed Smoothwall system:

Check that all the Smoothwall machines you intend to include in the system have the latest updates
applied. For more information, see Chapter 13, Installing Updates on page 259

Check that you have administrator access to all of the computers you want to include in the system

Check that there is IP access from the computer that will be the parent node to the computers that
will be child nodes in the system. Central management connects to child nodes over SSH, so any
firewall between the parent and a child must allow that connection.

Setting up a Centrally Managed Smoothwall System
Setting up a centrally managed Smoothwall system entails:

Configuring the parent node in the system

Configuring child nodes settings, installing the central management key and enabling SSH on child
nodes

Adding child nodes to the system.

Configuring the Parent Node


The first step when configuring a Smoothwall system is to configure the parent node in the system.
To configure the parent node:
1. Log in to the instance of Advanced Firewall you want to function as the parent node.
2. Browse to the System > Central management > Local node settings page.
3. Configure the following setting:
   Local node options, Parent node: Select this option to enable central management and
   configure this instance of Advanced Firewall as the parent node in the Smoothwall system.
4. Click Save. This instance of Advanced Firewall becomes the parent node and can be used to
centrally manage the Smoothwall system.

Configuring Child Nodes


Every child node in a Smoothwall system must have a central management key installed and SSH
enabled. The key establishes the trust that lets the parent log in to the child over SSH: upload it
only on nodes you intend this parent to control, and transfer it over a trusted channel so that it
cannot be substituted in transit.
To configure a child node:
1. On the system's parent node, browse to the System > Central management > Local node
settings page.
2. Configure the following settings:
   Local node options, Parent node: Check that this option is selected so that you can generate
   a central management key for installation on child nodes.
   Manage central management keys, Central management key: Click Download to download and
   save the central management key in a secure, accessible location for distribution to the child
   nodes in the system.
3. On the Smoothwall system you want to add as a child node, browse to the System > Central
management > Local node settings page and configure the following settings:
   Local node options, Child node: Select this option to configure this machine as a child node
   in the system. Click Save to save this setting.
   Manage central management keys, Upload central management key: Using your browser's
   controls, browse to and select the key. Click Save to upload the key to the child node.
   Note: If you are reconfiguring a child node to be the child of a new parent, reboot the child
   node to apply the changes.
4. On the System > Administration > Admin options page, select SSH and click Save.
5. Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When
finished, you are ready to add them to the system. See Adding Child Nodes to the System on page
294 for more information.


Adding Child Nodes to the System


When you have installed the central management key and enabled SSH on all child nodes, you are
ready to add them to the system.
You can add nodes:

Manually by adding each node separately, see Manually Adding Child Nodes on page 294

By importing node information from a CSV file, for more information, see Importing Nodes into the
System on page 295.

Manually Adding Child Nodes


Adding child nodes manually entails entering the information for each node separately.
To add child nodes manually:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Add node and configure the following settings:
   Node details
   Node name: Enter a unique name to identify the node. Node names may only consist of letters,
   numbers, spaces, underscores and full stops. Unicode is not supported.
   IP/hostname: Enter the IP address or hostname of the child node.
   Comment: Optionally, enter a comment describing the child node.
   Node settings
   Replication profile: From the drop-down list, select the replication profile to be deployed on
   the child node. The replication profile enables the sharing of system settings between nodes.
   For information on configuring a replication profile, see Chapter 13, Creating an Archive on
   page 263.
   Central logging: Select to enable central logging for the child node.
   Note: Do not select this option if you want to access the child node's logs on the child node
   itself.
   Allow parent to monitor status: Select to enable central monitoring for the child node.
   Allow parent to manage resources: Select to enable the parent node in the group to manage
   child node resources such as quotas which limit user access to web content.
   Note: Currently, this option only applies to Advanced Firewall with Guardian3 installed.
   When enabled and quotas have been used in a web filtering policy, the parent ensures that
   users cannot exceed their allowance by spreading their browsing across different child nodes.
3. Select Enable node and click Confirm. When prompted, review the node details and then click
Save to add the node.
4. Repeat step 2 and step 3 for each node you want to add to the system.
5. When you have added all of the nodes, browse to the System > Central management > Overview
page. The parent node lists the child nodes and displays their current status. For more information,
see Monitoring Node Status on page 297.

Importing Nodes into the System


If child node information is available in a comma separated values (CSV) file, you can import it directly
into the parent node.

About the CSV File
Each line in the CSV file must contain 8 fields. The fields must be separated by commas and ordered
as follows:
Name,IP/hostname,Central logging,Monitor status,Central resources,Replication profile,Enabled,Comment
The possible values for the fields are as follows:
Name: The node name. This field is required. A node name may consist of letters, numbers, spaces,
underscores and full stops. Unicode is not supported.
Note: If the name is the same as that of a child node already in the system, the child node in the
system will be overwritten.
IP/hostname: The IP address or hostname of the node. This field is required.
Central logging: Determines if central logging is enabled or disabled. This field is required.
Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Note: Do not enable this option if you want to access the child node's logs on the child node itself.
Monitor status: Determines if central monitoring is enabled or disabled. This field is required.
Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Central resources: Determines if resources are managed by the parent. This field is required.
Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Note: Currently, this option only applies to Advanced Firewall with Guardian3 installed.
Replication profile: The name of the replication profile used on the node. This field is optional
and may be empty. For more information, see Chapter 13, About Archive Profiles on page 263.
Enabled: Determines if the node is enabled or disabled. This field is required.
Enabled: enter yes, on, or 1. Disabled: enter no, off, or 0.
Comment: A comment. This field is optional. It may consist of letters, numbers, spaces, underscores
and full stops. Unicode is not supported.

For full information on what the settings do, see Manually Adding Child Nodes on page 294.
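The field rules above, applied by a small validator you can run over a CSV file before handing it to the parent node. This is an added example, not Smoothwall's own importer: the sample file, the node names and the profile name "Standard profile" are constructed, and it assumes (the page does not say) that the flag words are matched case-insensitively, that surrounding whitespace is ignored and that blank lines are skipped.

```python
"""Validate a child-node CSV file before importing it on the parent node.

Added example, not Smoothwall's own importer. It applies the field rules from
the table above: eight comma-separated fields, required Name and IP/hostname,
yes/on/1 or no/off/0 for the four flags, the restricted character set for Name
and Comment, and a later line overwriting an earlier one with the same name.
Assumptions (not stated on the page): flag words are matched case-insensitively,
surrounding whitespace is ignored and blank lines are skipped.
"""
import csv
import io
import re

FIELDS = ("name", "ip_hostname", "central_logging", "monitor_status",
          "central_resources", "replication_profile", "enabled", "comment")
FLAG_FIELDS = ("central_logging", "monitor_status", "central_resources", "enabled")
TRUE_WORDS = {"yes", "on", "1"}
FALSE_WORDS = {"no", "off", "0"}
# Letters, numbers, spaces, underscores and full stops only; Unicode is not supported.
TEXT_RE = re.compile(r"^[A-Za-z0-9_. ]+$")

# Constructed sample: two good nodes, one bad line, one overwrite of branch_fw1.
SAMPLE_CSV = """\
branch_fw1,10.0.1.1,yes,on,0,Standard profile,1,Branch office firewall
branch_fw2,10.0.2.1,no,1,no,,yes,
bad node!,10.0.3.1,maybe,1,0,,1,
branch_fw1,10.0.9.1,0,0,0,,0,Replaces the first entry
"""


def parse_flag(value):
    """Map yes/on/1 to True and no/off/0 to False; anything else is None."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return None


def validate_nodes_csv(text):
    """Return (nodes, problems).

    nodes maps node name -> record dict with the flags as booleans; as in the
    importer, a later line with the same name replaces the earlier one.
    problems is a list of (line number, "error" | "warning", message).
    """
    nodes, problems = {}, []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) != len(FIELDS):
            problems.append((lineno, "error", "expected 8 fields, got %d" % len(row)))
            continue
        rec = dict(zip(FIELDS, (field.strip() for field in row)))
        errors = []
        for name in ("name", "ip_hostname"):
            if not rec[name]:
                errors.append("%s is required" % name)
        for name in ("name", "comment"):
            if rec[name] and not TEXT_RE.match(rec[name]):
                errors.append("%s contains unsupported characters" % name)
        for name in FLAG_FIELDS:
            rec[name] = parse_flag(rec[name])
            if rec[name] is None:
                errors.append("%s must be yes/on/1 or no/off/0" % name)
        if errors:
            problems.extend((lineno, "error", msg) for msg in errors)
            continue
        if rec["name"] in nodes:
            problems.append((lineno, "warning", "overwrites node %r" % rec["name"]))
        nodes[rec["name"]] = rec
    return nodes, problems


if __name__ == "__main__":
    found, issues = validate_nodes_csv(SAMPLE_CSV)
    for lineno, level, msg in issues:
        print("line %d: %s: %s" % (lineno, level, msg))
    print("importable nodes:", sorted(found))
```

Run it over your own file with `validate_nodes_csv(open(path).read())`; the warning on the overwrite case is worth acting on, because the parent silently replaces the existing node rather than rejecting the line.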

Importing Node Information


The following steps explain how to import node information from a CSV file. For more information on
CSV files, see About the CSV File on page 295.
To import node information from a CSV file:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
3. The parent node displays the contents of the file and notifies you of any errors in the file.
Note: Importing settings from a CSV file will overwrite existing nodes with the same name.
4. Click Confirm to import the information in the file. The parent node imports the node information and
displays it.

Editing Child Node Settings


When required, it is possible to edit child node settings.
To edit a child node's settings:
1. Browse to the System > Central management > Child nodes page, locate the node you want to
edit and click Edit node.
2. Make the changes required, see Manually Adding Child Nodes on page 294 for full information on
the settings.
3. Click Confirm, review the changes and then click Save to save and implement the changes.


Deleting Nodes in the System


It is possible to delete nodes that are no longer required in the system.
To delete a node:
1. On the System > Central management > Child nodes page, locate the node you want to delete and
click Delete node. When prompted, click Delete to confirm the deletion.
2. Repeat the step above for any other nodes you want to delete.

Managing Nodes in a Smoothwall System


Managing nodes in a Smoothwall system entails:

Monitoring node status

Applying updates to nodes

Scheduling updates for application at a specific time

Rebooting nodes when necessary

Disabling nodes when necessary

Monitoring Node Status


The central management node overview on the parent node displays a list of all of the nodes in the
Smoothwall system. It also displays each node's current status and whether updates for the node are
available.
To monitor node status:
1. On the parent node, browse to the System > Central management > Overview page. The parent
node displays the current status of each node.
2. Node information is contained in the following fields:
   Name: The Name field displays the name of the node. Click on the name to log in to the node.
   Status: The Status field displays the current state of the node. Click on the Status text to
   display detailed information on the node. For more information, see Accessing the Node Details
   Page on page 298. The following statuses are possible:
   OK: the node is functioning and does not require attention.
   Critical: the node requires immediate attention. Click on the node's status field for more
   information.
   Warning: the node does not require immediate attention but should be checked for problems.
   Click on the node's status field for more information.
   Updates: The Updates field enables you to schedule the application of available updates. For
   more information, see Scheduling and Applying Updates to One or More Nodes on page 299. Click
   on the Updates text to display detailed information on the node.

Accessing the Node Details Page


It is possible to view detailed information on a node by accessing the node details page.
To access a node details page:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want more information on and click on its Status text. Advanced Firewall
displays the node details page.
3. Click on the displayed headings for more information.
4. Click Refresh node to refresh the information displayed.
5. Click Reboot node to reboot the node.

Working with Updates


You can review and apply updates to a node as they become available. You can also apply updates
to one or more nodes immediately or at a later date. Applying updates reboots the node, so schedule
them for a time when the loss of connectivity through that node is acceptable.

Reviewing and Applying Available Updates to a Node
You can review and apply updates to a node as they become available.
To review and apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Click the Updates tab and then click the Status field of the node. The node details are displayed.
3. Click on the Updates line to review detailed information about the updates available. To apply the
updates to the node, click Schedule update. The Schedule node update page is displayed.
4. In the Install updates area, select one of the following options:
   Now: Select to apply the updates to the node immediately.
   Later: From the drop-down list, select when you want the updates applied to the node.
5. Click Schedule update. The updates are applied to the node as specified in the previous step and
the node is rebooted.

Scheduling and Applying Updates to One or More Nodes


You can apply updates to one or more nodes immediately or schedule them for application later.
To apply updates:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate and select the node(s) that require updates and click Schedule update. The Schedule node
update page is displayed.
3. In the Install updates area, select one of the following options:
   Now: Select to apply the update(s) to the node(s) immediately.
   Later: From the drop-down list, select when you want the update(s) applied to the node(s).
4. Click Schedule update. The updates are applied to the node(s) as specified in the previous step
and the node(s) are rebooted.

Clearing Scheduled Updates
It is possible to clear any scheduled updates.
To clear scheduled updates:
1. On the System > Central management > Overview page or the node details page, under
Updates, click Clear schedule.
2. Advanced Firewall displays the updates that are currently scheduled. Click Clear schedule to clear
the updates.

Rebooting Nodes
When required, you can reboot a child node from the system's parent node.
To reboot a child node:
1. On the parent node, browse to the System > Central management > Overview page.
2. Locate the node you want to reboot and click on the Status text. The node details are displayed.
3. Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of
the following options:
   Now: Select to reboot the node immediately.
   Later: From the drop-down list, select when you want to reboot the node.
4. Click Schedule reboot. The node is rebooted at the time selected.

Disabling Nodes
It is possible to disable nodes locally and system-wide.

Disabling Nodes Locally
You may need to work on a child node in a system and, for example, want to stop replication settings
from being applied by the parent. You can do this by disabling the child node locally.
To disable a node locally:
1. On the node you want to disable, browse to the System > Central management > Local node
settings page.
2. In the Local node options area, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable.
Note: On the parent node, on the System > Central management > Overview page, nodes that have been
disabled locally will be listed as Node uncontactable, the same status shown for a node that is down
or unreachable. Record which nodes you have disabled so that the status is not mistaken for a fault.

Disabling Nodes System-wide


You may need to disable a child node in a system, for example in the case of hardware failure. You can
do this by disabling the child node system-wide.
To disable a node system-wide:
1. On the parent node, browse to the System > Central management > Child nodes page.
2. Locate the node you want to disable, select Disable and click Save.
3. Repeat the steps above for any other nodes in the system that you want to disable system-wide.

Appendix A

Authentication
In this appendix:

Authentication methods

WPA enterprise and Windows 8.

Overview
Advanced Firewall's authentication system enables the identity of internal network users to be
verified, such that service permissions and restrictions can be dynamically applied according to a
user's group membership. It provides two functions:

Identity verification: authenticates users by checking supplied identity credentials, e.g. usernames
and passwords, against known user profile information.

Identity confirmation: provides details of the known authenticated user at a particular IP address.

Verifying User Identity Credentials


In order to authenticate users, Advanced Firewall must be able to verify the identity credentials,
usernames and passwords, supplied by network users. Credentials are verified against the
authentication system's local user database.
Network users must provide their identity credentials when using an authentication-enabled service
for the first time. If the credentials cannot be verified by the authentication system, i.e. a matching
username and password cannot be found in the local user database, the user's identity status will
be set to 'Unauthenticated'. Unauthenticated users are usually granted limited, or sometimes no,
access to authentication-enabled services.
A user that is authenticated can be described as being logged in.

About Authentication Mechanisms


All authentication-enabled services use the authentication system to discover what users are
accessing them. Once a particular user is known, an authentication-enabled service can enforce
customized permissions and restrictions. Authentication-enabled services can interact with the
authentication system in the following ways:

Passive interrogation of whether there is an already-authenticated user at a particular IP address, and
if so their details

Active provision of user-supplied identity credentials, for onward authentication.

The means by which these two types of interactions are combined and implemented defines a
particular named authentication mechanism.

The Core Authentication Mechanism


This is a special type of authentication mechanism that uses the first interaction method exclusively,
i.e. it only ever asks the authentication system whether there is a known user at a particular IP
address. If the user has not been authenticated by any other authentication mechanism, the user's
status is returned by the authentication system as 'Unauthenticated'.

Other Authentication Mechanisms


All other authentication mechanisms use a combination of the previously discussed interactions.
Such mechanisms usually interrogate the authentication system to determine if the user at the
requesting IP has already been authenticated. If the user has been authenticated, appropriate
permissions and restrictions can be enforced by the requesting service.
However, if the user is currently unauthenticated, the second type of interaction occurs i.e. the
requesting service pro-actively provides end-user identity credentials to the authentication system,
for onward authentication. Thus, it follows that such authentication mechanisms must also provide
an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism


As discussed in the preceding sections, all authentication-enabled services must use some kind of
authentication mechanism to interact with the authentication system. Some authentication-enabled
services offer no choice of mechanism; in such cases, the authentication mechanism will always be
'Core authentication'.

About the Login Time-out


The login time-out is the length of time that a user's authenticated status will last once they are
authenticated. Time-out does not occur if Advanced Firewall can determine that the same user is still
active, for example, by seeing continued web browsing from the same user. However, if Advanced
Firewall sees no activity from a particular user for the length of time specified by the time-out period,
the user's authenticated status will be invalidated.
The login time-out affects the load on the local system. Lower time-out values increase the frequency
of re-authentication requests. A value of 10 minutes is effective for most networks. Time-out values
that are too low may adversely affect system performance, resulting in failed login attempts.
However, because authenticated status is tied to the IP address, longer time-outs increase the risk of
a new user at the same IP address being granted inappropriate rights if the original user fails to
pro-actively log out. On networks with short DHCP leases or shared devices, err on the shorter side.
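A model of the idle time-out and its IP-reuse consequence, as an added example that is not Smoothwall's implementation. It keeps one authenticated user per IP address, refreshes the entry on activity and drops it after the time-out, which is enough to reproduce both effects described above: continuous browsing keeps a user logged in indefinitely, and a new device handed the same address is identified as the previous user until the entry expires or that user logs out. The address and user names are constructed; times are plain epoch seconds.

```python
"""Idle time-out model for an IP-keyed authentication table.

Added example, not Smoothwall's own code. Demonstrates the time-out rules
described above: activity refreshes the timer, silence for longer than the
time-out invalidates the login, and the login is bound to the IP address.
"""

UNAUTHENTICATED = "Unauthenticated"


class AuthTable:
    def __init__(self, timeout=600):  # 10 minutes, the value recommended above
        self.timeout = timeout
        self._by_ip = {}  # ip -> (username, last_seen_epoch)

    def login(self, ip, username, now):
        """Active provision of credentials succeeded: record the user at this IP."""
        self._by_ip[ip] = (username, now)

    def logout(self, ip):
        """Explicit log-out removes the entry immediately, regardless of timer."""
        self._by_ip.pop(ip, None)

    def lookup(self, ip, now):
        """Passive interrogation: who is at this IP? Expired entries are dropped."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return UNAUTHENTICATED
        user, last_seen = entry
        if now - last_seen > self.timeout:
            del self._by_ip[ip]
            return UNAUTHENTICATED
        return user

    def activity(self, ip, now):
        """Traffic seen from ip: refresh the timer if the login is still valid."""
        user = self.lookup(ip, now)
        if user != UNAUTHENTICATED:
            self._by_ip[ip] = (user, now)
        return user


def ip_reuse_window(timeout, last_activity, handover):
    """Seconds during which a new device given the same IP inherits the old
    user's rights: from the handover until the old entry would expire."""
    return max(0, last_activity + timeout - handover)


if __name__ == "__main__":
    table = AuthTable(timeout=600)
    table.login("10.0.0.7", "alice", now=0)      # constructed address and user
    for t in range(300, 3000, 300):              # a page load every five minutes
        table.activity("10.0.0.7", t)
    print(table.lookup("10.0.0.7", now=3100))    # alice: never idle long enough
    print(table.lookup("10.0.0.7", now=3301))    # Unauthenticated: 601 s of silence
    print(ip_reuse_window(600, 4000, 4500))      # 100 s exposure if the IP moves
```

The `ip_reuse_window` figure is the quantity to weigh against the re-authentication load when choosing the time-out: it is the time-out minus however long the previous user had already been idle when the address changed hands.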

Advanced Firewall and DNS


Advanced Firewall's authentication service uses internal DNS servers for name lookups. Internal DNS
servers are specified using Advanced Firewall's setup program.
Advanced Firewall's DNS proxy server uses external DNS servers for name lookups. External DNS
servers are specified when setting up an Advanced Firewall connectivity profile.
In this way, Advanced Firewall can be configured to use an internal DNS server and the internal DNS
server can, in turn, be configured to use Advanced Firewall as its DNS forwarder.

A Common DNS Pitfall


Often Advanced Firewall is configured so that an internal DNS server is configured as the primary
DNS server and an external DNS server is configured as the secondary DNS server.
This is not the correct way to configure DNS servers on any client. DNS was designed so that any
server can answer any request by referring questions to the DNS servers responsible for the various
registered domains on the public Internet. The client therefore assumes that it does not matter which
DNS server it uses, as all DNS servers will have access to the same information. With the proliferation
of private networks and internal DNS zones, this is no longer the case.
A DNS client will behave in the following way when looking up a host:

If a reply of host not found (NXDOMAIN) is received, the client will NOT ask other DNS servers; the
negative answer is final

If the DNS server is not answering, the client will try to ask another DNS server

The client does not reliably prefer the first server: many resolvers pick randomly or rotate between
the configured servers, and after one server has timed out they often keep using the other.

Taking the above conditions into account, it is clear that a DNS configuration that has an internal DNS
server and an external DNS server in the same list will not work, or at least will not work reliably:
whenever the external server is asked for an internal name it answers host not found, and the internal
zone is invisible to that client until a later lookup happens to go to the internal server.
The internal DNS server that holds the Active Directory information needs to be configured so it can
resolve external hostnames. The easiest way to do this is to configure the DNS server to use a
forwarder, like Advanced Firewall's DNS proxy server. If you need redundancy, list a second internal
DNS server that holds the same zones, not an external one.
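The three resolver rules above, run as a simulation so the failure rate of the mixed configuration can be seen rather than argued. This is an added example and not part of the guide: the servers, zones and addresses are constructed, and the client model implements exactly the rules the text lists (a host not found reply is final, only a silent server makes the client move on, and the client chooses among its servers at random).

```python
"""Simulation of the stub-resolver rules listed above, to show why an internal
and an external DNS server must not share a client's server list.

Added example, not part of the guide. Servers, zones and addresses are
constructed. Modelled rules: a host not found (NXDOMAIN) reply is final and no
other server is asked; only a server that does not answer makes the client try
the next one; the client picks among its configured servers at random.
"""
import random

NXDOMAIN = "NXDOMAIN"


class DnsServer:
    """Answers from its own zones, else via its forwarder, else NXDOMAIN."""

    def __init__(self, name, zones, forwarder=None, up=True):
        self.name = name
        self.zones = zones          # zone name -> {fqdn: address}
        self.forwarder = forwarder  # another DnsServer, or None
        self.up = up

    def query(self, qname):
        """Return an address, NXDOMAIN, or None when the server does not answer."""
        if not self.up:
            return None
        for zone, records in self.zones.items():
            if qname == zone or qname.endswith("." + zone):
                return records.get(qname, NXDOMAIN)  # our zone: no record means not found
        if self.forwarder is not None:
            return self.forwarder.query(qname)
        return NXDOMAIN  # no forwarder: cannot resolve names outside its zones


def resolve(qname, servers, rng):
    """Stub resolver: ask servers in random order; move on only when one is silent."""
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        answer = server.query(qname)
        if answer is not None:
            return answer  # including NXDOMAIN: the client does NOT ask anyone else
    return None  # every configured server was silent


def failure_rate(qname, servers, trials=1000, seed=1):
    """Fraction of lookups that do not yield an address (seeded for repeatability)."""
    rng = random.Random(seed)
    failures = sum(resolve(qname, servers, rng) in (NXDOMAIN, None) for _ in range(trials))
    return failures / trials


# Constructed topology: ISP resolver for public names, Advanced Firewall's DNS
# proxy forwarding to it, and an internal AD DNS server holding domain.local.
ISP_DNS = DnsServer("isp", {"example.com": {"www.example.com": "198.51.100.10"}})
FIREWALL_PROXY = DnsServer("firewall-proxy", {}, forwarder=ISP_DNS)
AD_DNS = DnsServer("ad-dns", {"domain.local": {"dc1.domain.local": "10.0.0.5"}},
                   forwarder=FIREWALL_PROXY)
AD_DNS_NO_FORWARDER = DnsServer("ad-dns", {"domain.local": {"dc1.domain.local": "10.0.0.5"}})

# The pitfall: internal primary, external secondary, on the same client.
MIXED = [AD_DNS_NO_FORWARDER, ISP_DNS]
# The recommended layout: clients use only the internal server, which forwards.
CORRECT = [AD_DNS]

if __name__ == "__main__":
    for label, servers in (("mixed", MIXED), ("correct", CORRECT)):
        for qname in ("dc1.domain.local", "www.example.com"):
            print("%-8s %-18s failure rate %.2f" % (label, qname, failure_rate(qname, servers)))
```

In the mixed layout roughly half of all lookups fail, for internal and external names alike, because whichever server is asked first and does not hold the name answers host not found and the client stops there. Giving the internal server a forwarder does not rescue the mixed list: internal names still fail every time the external server is chosen first. A second internal server holding the same zones, or a dead server that simply does not answer, costs nothing, because silence is the one condition under which the client tries the next entry.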

Working with Large Directories


The Additional group search roots option enables you to specify several OUs in which to search for
groups.
When dealing with large directories, a search through the entire directory can take a long time and
make the Advanced Firewall Include groups page unwieldy to manage.
Normally, a specified group search root helps to narrow the scope of where to search for
groups, but if groups are distributed in multiple OUs, one group search root may not be enough.
Consider, for example, a directory with 5000 users and 2500 groups.
Setting the group search root to the top level of the directory would result in an Include groups page
with 2500 entries. This would probably take a long time to load and be hard to get an overview of.
The administrator of the Active Directory domain has 2 OUs where the groups to be mapped are
located. In the group search root, the administrator enters the path for the primary OU and in the
additional group search root, the second OU is entered:
User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,dc=domain,dc=local
Additional group search root: ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local
The above example is for a multi-domain Active Directory installation, where the second OU is in the
sub-domain sub1. Remember that multiple groups can be mapped to the same Advanced Firewall
permissions group.

Active Directory
The following sections describe the username formats and group membership that must be configured
correctly in order to successfully implement Active Directory-based authentication.

Active Directory Username Types


A user account on a Windows 2000+ server has 2 types of usernames:

A Windows 2000+ username (the user principal name, UPN), which takes the form of user@domain.local

An old style Windows NT 4 username (the sAMAccountName), which has no domain attached to it.

When a Windows 2000+ domain has been migrated from a legacy Windows NT4 domain, the
Windows NT 4 style usernames are not automatically duplicated to Windows 2000+ usernames.
In order for Advanced Firewall authentication to be able to successfully look up and authenticate
Windows users, a Windows 2000+ username needs to be present.

Accounts and NTLM Identification


When using NTLM identification on an Active Directory server that has been set up with no pre-Windows
2000 access permissions, the server lookup user account needs to be a member of the
Pre-Windows 2000 Compatible Access group. This group is normally found in the Builtin container in
the Active Directory Users and Computers snap-in. Membership widens what the lookup account can
read from the directory, so use a dedicated account with no other privileges for lookups rather than
an administrator.

About Kerberos
The following sections document Kerberos pre-requisites and list some points to try if
troubleshooting.

Kerberos Pre-requisites and Limitations


The following are pre-requisites and known limitations when using Kerberos as an authentication
method:

Forward and reverse DNS must be working for the Advanced Firewall host, because clients build the
service principal name from the name they resolve

All clocks must be in sync. More than 5 minutes of clock drift between client, Advanced Firewall and
the domain controller will cause authentication to fail

Internet Explorer 6 will not work in non-transparent mode.

Troubleshooting
Check the following when troubleshooting a service that uses Kerberos:

Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations on
page 304

Try another browser for fault-finding

In Safari, try the fully qualified domain name (FQDN) if the short form does not work

Did the user log on before the keytab was created? Try logging off then on again.

Did the user log on before Advanced Firewall joined the domain? Try logging off then on again.

Double check you are logged on with a domain account

When exporting your own keytabs:

Make sure the keytab contains keys with the same type of cryptography as that used by the client
The HTTP in the service principal name (SPN) must be in uppercase
The keytab should contain SPNs containing the short and fully qualified forms of each hostname.
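The three keytab points above, together with the clock-drift limit, can be checked mechanically before a keytab is deployed. The following Python script is an added example, not part of the guide or of Advanced Firewall: it parses the output of `klist -kte` (the MIT Kerberos keytab listing, with encryption types) and reports any SPN that is not uppercase HTTP, any missing short or fully qualified hostname form, and any SPN without a key of a type the client negotiates. The listing embedded below is constructed; the hostnames, realm and key types are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kte` output (hostnames, realm and key types are
# assumptions for illustration, not taken from a real system).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 12/01/2013 10:15:02 HTTP/proxy@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 12/01/2013 10:15:02 HTTP/proxy.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   3 12/01/2013 10:15:02 HTTP/proxy@DOMAIN.LOCAL (arcfour-hmac)
   3 12/01/2013 10:15:02 HTTP/proxy.domain.local@DOMAIN.LOCAL (arcfour-hmac)
"""

# One keytab entry: "<kvno> <date> <time> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

MAX_CLOCK_SKEW = 300  # seconds: the usual 5-minute Kerberos tolerance


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2), match.group(3)))
    return entries


def clock_drift_ok(local_epoch, kdc_epoch, max_skew=MAX_CLOCK_SKEW):
    """True when the two clocks are within the allowed skew."""
    return abs(local_epoch - kdc_epoch) <= max_skew


def check_keytab(entries, short_host, fqdn, realm, client_enctypes):
    """Return a list of problems (empty when the keytab satisfies the checks above)."""
    problems = []
    keys_by_principal = defaultdict(set)
    for _kvno, principal, enctype in entries:
        keys_by_principal[principal].add(enctype)

    # 1. The service class must be uppercase HTTP; a lowercase http/ entry
    #    does not match the service ticket the browser requests.
    for principal in keys_by_principal:
        service = principal.split("/", 1)[0]
        if service != "HTTP" and service.lower() == "http":
            problems.append(f"service class not uppercase: {principal}")

    # 2. Both the short and the fully qualified hostname need an SPN, and
    # 3. each SPN needs a key of a type the client actually uses.
    for host in (short_host, fqdn):
        spn = f"HTTP/{host}@{realm}"
        if spn not in keys_by_principal:
            problems.append(f"missing SPN: {spn}")
        elif not keys_by_principal[spn] & set(client_enctypes):
            problems.append(
                f"no client-compatible key for {spn}: {sorted(keys_by_principal[spn])}")
    return problems


if __name__ == "__main__":
    found = check_keytab(parse_klist(SAMPLE_KLIST), "proxy", "proxy.domain.local",
                         "DOMAIN.LOCAL", ["aes256-cts-hmac-sha1-96"])
    print("keytab OK" if not found else "\n".join(found))
```

On a live system, feed the script the real listing (`klist -kte /path/to/keytab`) and the encryption types the client browsers are configured for; an empty problem list means the keytab satisfies the three export rules for that host.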

Smoothwall Advanced Firewall


Administrators Guide

Connecting a Windows 7 System to a WPA-Enterprise/802.1X Wireless Network

Microsoft's Windows 7 operating system is very strict about how 802.1X/EAP wireless networks are
connected. Without the use of registry hacks, it is not possible to connect a Windows 7 system to a
WPA-Enterprise/802.1X wireless network without certificate validation.
The following describes a process for setting up an 802.1X authenticated wireless network under
Windows 7 without the use of registry hacks.
Prepare the CA certificate:
1. On the Advanced Firewall WPA Enterprise page, download the certificate file.
2. Copy the certificate file onto a suitable medium for transfer to the device, e.g. a USB flash drive or CD-R media.
Import the CA certificate on the device:
1. Double-click on the certificate file.
2. Windows will present the certificate details for inspection. Click the Install Certificate... button.
3. When asked where to install the certificate, click Browse, and select Trusted Root Certificate
Authorities.
Create a wireless network profile:
It is not possible to join the wireless network from the notification area icon, as Windows defaults to
incorrect settings for the network. A profile must be created manually.
1. Access Network and Sharing Center via Control Panel.
2. Click Set up a new connection or network.
3. In the window that appears, select Manually connect to a wireless network.
4. Enter the network name (SSID) into the Network Name box.
5. Select WPA2-Enterprise as the security type.
6. Select AES as the encryption type.
7. Leave Security Key blank.
8. Select Start this connection automatically to connect as the network becomes available.
9. Click Next.
10. Click Change Connecting Settings.


Modify security settings of network profile:
1. Select the Security tab.
2. Ensure Microsoft: Protected EAP (PEAP) is selected in the drop-down list, then click Settings.
3. Ensure Validate server certificate is selected.
4. Ensure Connect to these servers is not selected.
5. Ensure the imported root CA is selected in the list under Trusted Root Certification Authorities.
6. Deselect Do not prompt user to authorize new servers or trusted certification authorities.
7. Ensure Secured password (EAP-MSCHAPv2) is selected under Select Authentication Method.
8. If your wireless network credentials do not match your Windows log on credentials, click Configure
and deselect Automatically use my Windows logon name and password, and click OK.
9. Click OK.
10. Click on Advanced settings.
11. Ensure Specify authentication mode is selected, and change the drop-down option to User
authentication.
12. Click OK.
13. Click OK.
Connect to the wireless network:
1. Click on the wireless network icon in the notification area.
2. From the wireless network list, select the wireless network required and click Connect.
3. When prompted, enter your username and password. If you did not deselect Automatically use my
Windows logon name and password you will not be prompted.
You should now be connected to the wireless network.

Windows 7 802.1X Profile Migration

1. After following the above instructions on how to set up 802.1X on the first machine, open a
command prompt and export the wireless profile, using:
netsh wlan export profile name=SSID
This exports the details to an XML file.
2. Copy this XML file and the root certificate presented by Advanced Firewall to the target machine.
3. Install the certificate to the Trusted Root Certificate Authorities.
4. Open up the command prompt, navigate to the location of the XML file and enter:
netsh wlan add profile filename=wirelessprofilename.xml
5. Log in with your user credentials.
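The settings chosen in the security dialogs above end up as elements in the XML file that `netsh wlan export profile` writes, so an exported profile can be audited before it is copied to the target machines. The following Python script is an added example, not part of the guide or of Advanced Firewall. The profile embedded in it is a constructed sample trimmed to the elements inspected; the element names are those assumed from netsh-exported PEAP profiles, and the SSID and CA thumbprint are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a profile as written by `netsh wlan export profile`,
# trimmed to the elements inspected below. Element names are assumed from
# netsh-exported PEAP profiles; the SSID and the thumbprint are placeholders.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>EXAMPLE-SSID</name>
  <SSIDConfig><SSID><name>EXAMPLE-SSID</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                  <ServerNames></ServerNames>
                  <TrustedRootCA>00 11 22 33 PLACEHOLDER-THUMBPRINT</TrustedRootCA>
                </ServerValidation>
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                </Eap>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def _texts(root, local_name):
    """All text values of elements with this local name, ignoring XML namespaces."""
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == local_name]


def audit_profile(xml_text):
    """Return the settings that deviate from the procedure above (empty list = OK)."""
    root = ET.fromstring(xml_text)
    findings = []

    def expect(local_name, wanted, step):
        values = _texts(root, local_name)
        if not values:
            findings.append(f"{local_name} missing ({step})")
        elif values[0] != wanted:
            findings.append(f"{local_name}={values[0]!r}, expected {wanted!r} ({step})")

    expect("authentication", "WPA2", "security type WPA2-Enterprise")
    expect("encryption", "AES", "encryption type AES")
    expect("useOneX", "true", "802.1X enabled")
    expect("authMode", "user", "authentication mode: User authentication")
    expect("PerformServerValidation", "true", "Validate server certificate")
    expect("DisableUserPromptForServerValidation", "false",
           "Do not prompt user to authorize new servers deselected")
    expect("ServerNames", "", "Connect to these servers not selected")

    # A root CA must be pinned (the Trusted Root Certification Authorities list).
    if not any(_texts(root, "TrustedRootCA")):
        findings.append("TrustedRootCA empty (no trusted root CA selected)")

    # Outer EAP method 25 is PEAP; inner method 26 is EAP-MSCHAPv2.
    types = set(_texts(root, "Type"))
    if "25" not in types:
        findings.append("outer EAP method is not PEAP (type 25)")
    if "26" not in types:
        findings.append("inner EAP method is not EAP-MSCHAPv2 (type 26)")
    return findings


if __name__ == "__main__":
    issues = audit_profile(SAMPLE_PROFILE)
    print("profile matches the procedure" if not issues else "\n".join(issues))
```

The check is deliberately namespace-agnostic so that it works on the nested provisioning namespaces netsh emits; the one setting it does not judge is the Windows logon credential option, because the procedure leaves that choice to the deployment.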

Appendix B

Understanding Templates
and Reports
In this chapter:

How to use custom reporting

Programmable Drill-Down Looping Engine


The Advanced Firewall reporting system is divided into two conceptually different ideas, those of
templates and reports. A template is a series of report sections and their configuration, which
contains instructions for extracting and manipulating data from Advanced Firewall and producing a
report by filling in the template's sections.
A template, as described above, is nothing more than a structured series of sections. A report
section can be considered similar to a building block from a construction kit or a piece from a
jigsaw puzzle. It has shape and color and provides some information; however, its power is better
expressed when used in combination with other blocks to build more complicated and more
interesting shapes.
A template in that metaphor is analogous to the instruction sheet for the building blocks: it shows
how to assemble the blocks together to produce the report, which is analogous to the finished
model. The act of building takes the template and finds each of the individual blocks, retrieving
data as appropriate and assembling it as the template dictates.
To this extent a section has a variety of inputs and a number of outputs. These can be connected to
each other where the input and output types are equivalent, in the way that jigsaw pieces can be
connected if their input and output facets match.

Programmable Drill-Down Looping Engine

Example Report Template

Example Report

Report Templates, Creation and Editing

Report templates are created via the Advanced Firewall Custom page, which provides the ability
to add, remove and manipulate the sections a template contains. How to do this is covered
elsewhere; however, there are a few details which allow for some level of flexibility.
Each report template can be assigned an icon, name and description. The name is clearly the name
of the report template as it appears in the reports section; the description and icon options are
equally obvious as to their use. The description field is unlimited in length and reasonably
permissive in the characters it may contain. Long descriptions are truncated in the interface for
brevity; however, the full description appears under the report template's advanced
options.
Once a report template has been created it may be edited (including changing its name) via the edit
this report link under the report icon on the reports page.
While editing a report template is a useful feature, there are occasions when it would be better to
alter or manipulate an exact copy of a report template; for this purpose the edit a copy of this
report option should be used. This takes a copy of all the report's options and sections while
leaving the original report template unchanged.
When editing a report template, or a copy of a report template, the preview button may be used
without making changes to the existing template. Changes are only saved to the desired report
template when the create report option is used.
Note again that the Edit report option on the Report display page (seen while viewing a rendered
report) is analogous to the edit a copy of this report option seen from the reports page.

Viewing Reports, Exporting and Drill Down Reporting

The term reports has been made deliberately ambiguous and is now used to describe both a report
and what was formerly known as a template; the terms report and report template are used in
this appendix where the distinction between the two is deemed important.
For the bulk of users, the distinction between what is a report and what is a report template is
unimportant; each will eventually show them a set of details about what their system is doing, what
it has been doing historically and where their users may have been attempting things to nefarious
ends.
The difference between the two is perhaps moot for the most part; however, the key difference is that
a report is a combination of several things: the report template used to create it and the data which
was extracted, along with its interpretation.
In the building block metaphor a report template is the instructions alone, Advanced Firewall is the
warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the
instructions and the pieces but is still not quite ready for a user to play with.

This leaves the question of when the model actually gets built. The answer is reasonably
simple: the construction of a rendered report requires the following steps to be
undertaken, again using the building-block metaphor.
1. Retrieve assembly instructions.
2. Collect necessary parts from the warehouse.
3. Place all the required pieces into a box along with its instructions.
4. Assemble the model and present it to the awaiting small child.
A report template provides the first stage of this process, i.e. it is the instruction sheet for building the
model; executing it, i.e. generating a report, conducts steps 2 and 3. Viewing a report is the final
step in this process and renders the report data (assembles the model) according to one of the
output methods, i.e. it renders the report out into HTML, PDF, Excel, CSV or other formats.
These stages are always transparent to the user, but do deserve some explanation. The Reports
page lists the report templates or instruction sheets. The Recent and saved page shows the list of
boxed models ready for assembly; clicking on a report template link or a report itself from either the
Reports or Recent and saved pages completes the missing steps and shows the requesting user the
final model.

Changing Report Formats

The reporting system provides multiple output formats. While HTML output is the most commonly
used, there are additional formats which might allow for further analysis or interpretation of data.
The formats available are:

Adobe PDF format

Adobe PDF format (suitable for black and white printers)

Microsoft Excel format

Comma Separated Value (CSV format)

Tab Separated Value (TSV format)

Due to the nature of a report and the rendering options, changing the rendering method does not
regenerate the report, only the way it is presented. Thus any saved report can be exported exactly
as is without the need to regenerate it, making the export process relatively quick in comparison
to the generation process.

Changing Report Date Ranges

From the reports page, and while viewing a rendered report, it is possible to change the date range
over which the report data is accrued. Note that this requires the regeneration of the report data
afterwards.

From the reports page, clicking on either the report template name, its icon or one of the output
formats shown in the bottom right will use the date range specified at the top of the page.

While viewing a report, the date controls appear at the top right of the page next to the table of
contents view; the preview button here regenerates a new report according to those date ranges.
Note again that both these actions generate a new report, which may be saved accordingly.

Navigating HTML Reports

The HTML rendered version of a report contains a table of contents for quick and easy navigation
within the report. This table is accessed by clicking on the contents button in the top left hand corner
of the report when it is being viewed.
The table of contents is automatically generated and is based upon the sections contained within the
report itself. Features such as feed-forward and iterative reporting are reflected as titles within the
report and consequently as a level of indentation in the table of contents.
At the bottom right hand of each section is a link to the top of the page (labeled top); this can
(obviously) be used to skip back to the top of the page where both the table of contents and
rendering format options are presented.

Interpreted Results
Some results, such as URLs or IP addresses, can present additional information which might not be
apparent from the result itself. For example, IP addresses can carry whois information which would
allow for greater understanding of the IP address and why it might have appeared; URLs too can
contain more information than is immediately apparent from viewing the URL.
To activate Advanced Firewall's advanced interpreter simply hover the mouse over the desired
result; this produces a tool-tip which contains more information about the result.

For example:

In this example, the user has used the advanced interpreter to show the result for a YouTube video.
The URL in question has been truncated to show only the immediately relevant information (the
protocol, domain and path), and hovering the mouse over the line in the results produces a tool-tip
which not only shows the full URL and any associated parameters but has also retrieved the video title,
description and thumbnail from the YouTube server.
The advanced interpreter is capable of recognizing many different types of URL and presents them
in an appropriate manner.

Saving Reports
Reports can be saved for viewing later if desired. Saving a report stops it being subject to
the 48 hour rolling deletion which tidies the reports list each day.
It is also important to note that a saved report is format-less and as such can be rendered to HTML,
PDF, CSV, etc. as desired.
Saved reports are listed on the Recent and saved page under the reporting section, and can be
viewed, deleted and reused (by means of viewing the template used to generate them) in the same
manner as a recent report.

Changing the Report

Once a report has been generated, the report template used to create it is stored alongside the report
data itself, and can therefore be used to produce a new report with refined options or alternative date
ranges, or saved to appear on the reports page.
This is achieved in different ways depending upon location. When viewing the Recent and saved
page, underneath the report's icon is a link to Edit report. This option presents the Custom page
with the report template used to generate this report already loaded. This report template is a copy
of the actual report template used to generate the report and may be edited as desired without
altering the version stored within the report itself.
While viewing a report there is an edit report button presented underneath the table of contents
which leads to the Custom page with the report template used to generate the viewed report already
loaded. Note again that this is a copy of the report template and so may be manipulated as desired.

Investigating Further (Drill down)

Each report section, when it is generated, can present a series of related or drill down reports; these
are pre-determined report templates which allow further investigation relevant to the item in the
section in question.
To better illustrate this behavior, imagine a report taken from Guardian which lists the top users who
have requested internet sites via the Guardian content filter. This list would present a series of
usernames; suggested drill down reports might allow for a report on the actual sites visited by an
individual user, the full web activity for that user and so on. This is in a way analogous to the
feed-forward reporting which will be discussed later; however, this is a manual process which allows a
particular result to be investigated further.
Drill down reports are stored notionally underneath the report in the recent and saved section.
Related reports are presented in a variety of ways depending upon the number of options available
and the section which is being used. When a particular result has only one related report available,
clicking on the result itself leads to the related report for that result. When a result has more than
one related report associated with it, clicking on the result produces a menu of the available
related reports; clicking on the relevant option generates the relevant related report.

Note the list of related reports is determined by the report section and cannot be altered.


Creating Template Reports and Customizing Sections

Report templates and customized sections are managed and manipulated from the Custom page
on your Advanced Firewall's interface.
Creating templates is a matter of choosing, grouping and refining a number of sections into the
correct set of instructions for the Advanced Firewall's reporting engine to interpret and use to extract
and manipulate data from the Advanced Firewall's logs.
A list of available sections is included on the Custom page under the heading Available sections;
existing template reports are also included in this list so that, once created, they can be included in
new report templates without having to redefine them.
The available sections list is structured as a simple tree, with the sections belonging to each module
categorized accordingly; the templates folder at the bottom of this list includes any existing report
templates for inclusion as mentioned above.
It should be noted that when a template report is included within another template report its options
and sections are copied into the template at the time of its inclusion. Subsequent modifications to
the template will not update any other templates that include it.
On the right of the available sections list is the included sections list, which shows a simplified form
of the sections currently included in the template report being edited. This list deliberately mirrors its
counterpart and denotes both the list of included sections and any groups that have been configured.
Groups are shown as folders in the included sections list.
To add and remove sections from the included sections list, sections can be highlighted by clicking
on them and the add or remove controls used accordingly. Note that multiple sections can be added at
once, and that sections can appear more than once in a template report.

Ordering Sections
Save for the caveats detailed under grouping sections, sections can be included anywhere in a report
and ordered to make logical sense to the reader. To reorder a section simply select it from the
Included sections list and press either move up or move down depending upon which direction you
wish to move it. Note that sections cannot be moved outside of their containing folders.

Grouped Sections
Many of the underlying concepts in Advanced Firewall's reporting system are based around the
notion of grouped sections. A section group is a logical construct which allows logically
connected sections to be collated together.
Grouping two sections together has a number of consequences and allows advanced
options such as iteration and feed-forwarding to be used.
Grouping is primarily done to allow multiple, logically similar sections to share options. For
example, the Guardian web content filter module provides a number of reports which can show
aspects of web browsing activity as conducted by a particular user. A Domain activity
section could be configured to show the top 20 domains visited by a particular user, and a Browsing
times section could be configured to show the times of day that a particular user tends to browse
the internet.
Both of these sections have a username field; these sections could be grouped together and share
the username option, allowing it to be entered only once when the report is generated.
Groups also form the basis of both iterative reports and feed-forward reports, which are simply
special cases of section groups. For iterative groups, the variable to iterate over can be chosen from
the options common to the grouped sections. For feed-forward groups, a section which produces
results of a suitable type can be nominated, and the other sections in the group will iterate over the
results from that section.
Groups can contain other groups, which may of course be standard groups, iterative or feed-forward
groups. They may also contain single sections. By containing groups within groups, complicated
reporting structures can be developed which allow reports to automatically drill down and produce
fine grained detail from a high level overview.

Understanding Groups and Grouped Options

The first detail shown in a group is a text entry field allowing the group name to be changed;
this name gives the group a title which helps with understanding the template
structure, and does not bear any influence on the report creation.
The second option is a drop down list of repeat options; this is used for controlling iterative and
feed-forward reporting and will be discussed in the appropriate sections.
When options are grouped together they are presented as an option in the group under a section
called grouped options. They may also have a small visual indicator shown next to them in both the
grouped options section and the regular options panel for each section. This indicator shows
which options are grouped together and allows them to be quickly collated together, for example
if two options are given slightly different names but require the same value.
The sections contained within the group are listed below the grouped options, each in its own
collapsible section.
Grouped options are included for each section here alongside regular per-section options, with a
visual indicator allowing them to be related to their grouped counterparts.
Each option may be overridden by ticking the corresponding checkbox. An option with an
override uses the value given to that option rather than the value it receives from its grouped
parent; thus a group containing two sections, both of which possess a limit field (the number of items
to show), can have different limits applied to them.
Next to the override option is a small description denoting why the option is inherently disabled, and
where the value comes from. This may be grouped, feed-forward or repeating, meaning that the
value will be assigned by the parent group, by the results of a feed-forward section or from the
list provided in an iterating group.
Options which are not grouped, fed-forward or iterated over are displayed using a format which
is appropriate to the type of value expected. This may be any number of common user interface
elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features
to assist in finding an appropriate value.
Any overridden options are also displayed and entered in this manner and, when provided, will
replace values as would be expected.

Feed-Forward Reporting
Due to the jigsaw or building block like nature of reporting sections, a particular report section may
only provide part of the information which is desired, rather than the complete picture. To allow for
this, the reporting template system in Advanced Firewall allows a section's results to be used as
the source of options for subsequent sections.
To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The
first can be used to show a list of all network interfaces which are configured on Advanced Firewall,
or those which are configured for internal or external networking. This provides limited
details for each network interface, such as its IP address; however, it does not show
monthly usage statistics.
The Individual Network Interfaces section can provide this information, but needs to be supplied with
the name of the interface for which to provide details.
These sections can be chained together using a mechanism known as feed-forward, where the
results from one section are used to define the behavior of another. In this example the Network
Interfaces report can produce one or more Interfaces, which is one of the options for the Individual
Network Interfaces section. By chaining these two report sections together it is possible to produce
a report template which details the configured external interface for Advanced Firewall, and then
displays the advanced usage and bandwidth statistics for it.

Iterative Reporting
Some report sections only deal with a limited set of data: a single group, username or IP address, for
example. For this reason it may be desired to repeat a section using mostly the same options, but
with one particular option changed each time.
For example, it may be desired to see the Individual Network Interface section for several (but notably
not all) of the local network interfaces. In this case it would be possible to select the local network
interfaces that are desired and repeat the section once for each of them. Note that
there is potential overlap here, and if the desired result is a list of all the local interfaces then
feed-forwarding could be used instead. However, feed-forward would produce a list of all internal
interfaces, as well as include the Network Interfaces report.
Note that while it was covered first, feed-forward is actually a special case of iteration, where the list
of values to be iterated over is produced as the list of answers from a particular report section.

Group Ordering
Sections within a group can be re-ordered; this notionally changes nothing other than the order in
which they are included in the final report once data has been acquired. There are exceptions to this
rule, however. Groups utilizing feed-forward require one of their sections to be promoted (denoted
as the feeder) to a state where it provides the answers for which the other sections within that
group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and
therefore it is removed from the normal section ordering and placed above the grouped options list
in the group's display.

Grouping Sections
To group a number of sections together they should be selected from the included sections list and
then grouped using the group button. Note that only sections at the same level in the included
sections tree can be grouped together, although a group can contain any number of items including
other groups.
Similarly, the ungroup command should be used either to disband a group or to remove a single item
from an existing group. Ungrouping a group disbands that group, moving all its contained sections
to the same level of the included sections tree that the group previously occupied; the group folder
is then removed.
Ungrouping a single section moves that section up the tree to the same depth as is occupied by
the group that it has just been removed from.
Note that ungrouping sections removes any properties that the group contains, and so may affect any
feed-forward, iterative or grouped options.

Creating Feed-forward and Iterative Groups

Creating a group construct for use with feed-forward or iterative operations is done in the same way
as creating a normal group. It should be noted that when feed-forward is desired, the section
producing results should be included in the group when it is first created; this forms the basis of
the feed-forward.
To create an iterative group, the desired sections should be grouped and the option which will form
the basis of the iteration selected from the Repeat drop-down, which can be found immediately above
the grouped options section for that group.
Options which may be used in this way are included under a heading (in the drop down menu) of
based upon grouped option, and the list contains most of the options that the grouped options
section contains. When iterating over a grouped option, that option is no longer available in the
group.
Creating a feed-forward enabled group is done in a similar manner; however, this time under the
Repeat drop down a list of sections is included under the title using results from a section. The results
returned by each section are visible under the results tab on the section in question, as well as at the
bottom right hand side of the section's description in the available sections list.
By choosing a section to feed-forward the results from, this section is removed from the normal flow
within the group and is instead included as a feeder section. This is due to the nature of
feed-forwarding reports: they must produce the list of results to iterate over prior to iterating over
them.
Feed-forward results pass from one variable into another; however, the variables are named in a way
which makes them human readable, but not always identically, for the sake of clarity. For example,
the Network ARP Table section produces a list of interfaces which the connection is on. The result
is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network
Interface section. Some care should be taken when choosing sections to flow into each other;
however, generally results such as username should be taken to be suitable for feeding a username
field.
Additional caution should be taken when considering feed-forward reports as to the volume of data
produced, along with the potential work load that this would require on Advanced Firewall.
For example, a report which shows the top 20 groups within an organization, the top 50 users within
each of those groups and the top 100 banned URLs each of those users attempted to request is
entirely possible. However, this would result in the following execution tree.
Group Activity Section
    20 x User Activity Section
        50 x URL Activity Section
            100 URLs
Hence 20 x 50 x 100 URLs, or potentially the results for a thousand users and a hundred thousand
URLs. It would also require the execution and calculation of the top URLs section up to a thousand
times; assuming a reasonable time period for the calculation of each, such a report would potentially
take several hours to compile and be bewilderingly detailed for any person who chooses to read it.
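The grouping, iteration and feed-forward behaviour described in the preceding sections, and the fan-out of the execution tree just shown, can be made concrete with a small model of the template engine. The following Python code is an added example, not the guide's or Advanced Firewall's own implementation: sections here return synthetic results instead of reading logs, and the section names and option names are assumptions chosen to match the text. It builds the 20 x 50 x 100 template, counts how many times each section executes, and also shows an iterative group in which the one shared option is varied over a chosen list of interfaces.

```python
from collections import Counter


class Section:
    """A report section: consumes options and emits up to `limit` results of one type."""

    def __init__(self, name, produces=None, limit=0, options=None):
        self.name = name
        self.produces = produces            # result type, e.g. "username" (None: no results)
        self.limit = limit                  # the section's own "top N"
        self.options = dict(options or {})  # per-section overrides (the ticked override box)

    def run(self, inherited, plan, depth):
        # An overridden option wins over the value handed down by the group.
        options = {**inherited, **self.options}
        plan.append((depth, self.name, options))
        # Constructed stand-in for log extraction: synthetic result values.
        if self.produces is None:
            return []
        return [f"{self.produces}{i}" for i in range(self.limit)]


class Group:
    """A section group: plain (shared options), iterative (repeat over values of one
    grouped option) or feed-forward (repeat over the results of a feeder section)."""

    def __init__(self, name, members, options=None,
                 repeat_option=None, repeat_values=(), feeder=None):
        self.name = name
        self.members = list(members)
        self.options = dict(options or {})  # the grouped options
        self.repeat_option = repeat_option  # Repeat: "based upon grouped option"
        self.repeat_values = list(repeat_values)
        self.feeder = feeder                # Repeat: "using results from a section"

    def run(self, inherited, plan, depth):
        options = {**inherited, **self.options}
        if self.feeder is not None:
            # The feeder runs first, above everything it feeds; its result type
            # names the option it fills in for the other members.
            values, key = self.feeder.run(options, plan, depth), self.feeder.produces
        elif self.repeat_option is not None:
            values, key = self.repeat_values, self.repeat_option
        else:
            values, key = [None], None      # plain group: members run once
        results = []
        for value in values:
            child_options = dict(options)
            if key is not None:
                child_options[key] = value
            for member in self.members:
                results.extend(member.run(child_options, plan, depth + 1))
        return results


def execute(template):
    """Run a template; return (execution plan, results of the innermost sections)."""
    plan = []
    results = template.run({}, plan, 0)
    return plan, results


def section_counts(plan):
    """How many times each section was executed."""
    return Counter(name for _depth, name, _options in plan)


def org_report_template():
    """The 20 groups x 50 users x 100 banned URLs template discussed above."""
    urls = Section("URL Activity", produces="url", limit=100, options={"denied": True})
    per_user = Group("per user", [urls],
                     feeder=Section("User Activity", produces="username", limit=50))
    return Group("per group", [per_user],
                 feeder=Section("Group Activity", produces="group", limit=20))


def interface_template():
    """An iterative group: one section repeated for a chosen list of interfaces."""
    return Group("chosen interfaces", [Section("Individual Network Interfaces")],
                 options={"period": "month"},
                 repeat_option="interface", repeat_values=["eth1", "eth2"])


if __name__ == "__main__":
    plan, results = execute(org_report_template())
    for name, count in section_counts(plan).items():
        print(f"{name}: executed {count} times")
    print(f"{len(results)} URL results in total")
```

The two repeat modes share one loop, which is the sense in which feed-forward is a special case of iteration: the only difference is where the list of values comes from. Running the organization template gives 1 + 20 + 1000 section executions and 100,000 URL results, the figures the text arrives at by hand.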

Exporting Options

Each report section provides a list of options which define its behavior. This behavior may be defined
at a later stage to make the report template truly flexible. For example, a domain activity section can
take a username value to show the domains requested for a particular user which were subsequently
banned. Creating a template for this information for each user within an organization is time
consuming and unwieldy to say the least. It is for this purpose that section options may be exported.
In this particular example a domain activity section could be included in a report template, and have
its Denied status checkbox enabled.
Swapping to the export tab shows a list of all the available options for this report; choosing to
export the username field prior to creating the report template means that the username field
is present for this template report on the reports tab of the Advanced Firewall main interface (Logs
and reports > Reports > Reports).

Choosing the Denied option on the export tab would again make this setting available outside of the
report template (on the reports page); however, it would also have the added effect of allowing a user
to turn this option off when using the template. Similarly, typing a username into the section's
username option (on the options tab) allows the template report to define a default username, which
can be changed by the person using the report template.

Reporting Folders
Report templates can be arranged into a common hierarchy so that like-purposed report templates
are kept together, alleviating some of the confusion in finding the desired template.
On a standard Advanced Firewall installation report templates are structured into the following
folders:
Email
Firewall and networking
System
Trends
Users
    IP address analysis
    IP address analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
    Top IP addresses
    Top users
    User analysis
    User analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
Web content
    Category analysis
    Per category
        Blogs
            Blogger
            Blogs
            WordPress
        Image and video sharing
            Dailymotion
            Flickr
            Fotolog
            ImageShack
            ImageVenue
            YouTube
        News
            BBC News
            CNet
            CNN
            News
            Slashdot
        Reference and educational
            IMDB
            Wikipedia
        Shopping and online auctions
            Amazon
            Craiglists
            Ebay
            Shopping and online auctions
        Social bookmarking
            Delicious
            Digg
            Reddit
            Stumbleupon
        Social networking
            Bebo
            Facebook
            Friendster
            Hi5
            Linkedin
            Myspace
            Orkut
            Social networking
            Twitter
        Sport
            BBC Sport
            ESPN
            Sport
        Web portals and search engines
            AOL
            Google
            Search engines
            Windows Live and MSN
            Yahoo
    Site analysis
    Top categories
    Top domains
    Top URLs
    Top web searches
The destination folder for a report template can be set when creating the report template itself by
means of the Location option. This option presents an indented drop-down list of the available folders;
a report template can be placed in any folder as desired.
Folders can be created or deleted from the reports page, which is the main location to use to find
report templates and report folders. It also provides the ability to rename folders and edit and remove
report templates.
Folder navigation is achieved by clicking on the folder name. A location bar along the top of the
Reports page also allows users to navigate the folder structure: clicking on a folder higher up in the
hierarchy provides a list of alternative folders on the same level of the tree, which is a faster means
of navigating the list of available folders.

Creating a Folder
To create a folder, navigate to the appropriate location in the hierarchy and click on the create folder
button next to the location bar. This creates a new folder called "new folder", with the ability to
rename it. Entering the desired name into the text box that is presented and clicking rename changes
the name of the report folder.
A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note
that report folder names must be unique at the same level.

Renaming Folders

Deleting Folders
Folders can be deleted from the Reports page by pressing the red cross icon immediately below the
folder image. Only empty folders can be deleted, so ensure that all report templates and other folders
have been removed before deleting a folder.
Note: this limitation is in place because folder and report template deletion cannot be undone; such
potentially dangerous actions are therefore deliberately long-winded.

Scheduling Reports
It is possible to schedule a report template to be executed at a particular time of day and repeated
at desired intervals. Reports generated in this way may be saved for later use via the recent and
saved reports section and/or emailed to a list of people as an HTML-embedded email or plaintext
email.
Scheduled reports are deliberately flexible and present a full list of all report templates that can be
scheduled. Options exported to the Reports page may also be set on a report-by-report basis, so it
is possible to schedule for one user (the sales manager, for example) the web activity report for the
sales group, and for another user (the support manager) the web activity report for the support
group, by means of the same report template.
Scheduled repeats allow for the automated generation of reports at specific intervals. The intervals
available are:

Daily: each day at the allocated time

Weekday: each working day (Monday to Friday) at the allocated time

Weekly: every week at the allocated time, on the same day of the week as the first report

Monthly: every month at the allocated time, on the same day of the month as the first report

Repetition can also be disabled if it is not desirable to receive a report at regular intervals.

Scheduled reports can also be made available to particular portals using the report template's portal
permissions. Since portal permissions can be configured to behave differently depending upon the
portal the generating user is assigned to, it is possible to assign a specific portal for the scheduled
report to be generated by.

Portal Permissions

Reports can be made available to individuals who do not have access to the Advanced Firewall
administrative interface via the Advanced Firewall user portal. This is achieved via a report's, or report
template's, portal permissions.
There are two variations of portal permissions which dictate exactly how a report might be used.
Normal report permissions allow a user, via the portal, access to either a particular report or a
particular report template. Access in this context means that they are able to generate and view the
report data.
Automatic access allows a user's reporting activity to be made available to other users via the portal.
To clarify this: a report template will generate a report when it is used. When it is generated via the
portal this report will by default only be available to the user who created it. Automatic access allows
this report to be made automatically available to other users who share the author's portal, or to one
or more other portals as desired.
The Automatic access permission of "portal" is a special permission which allows a generated report
to be assigned to all members of the portal belonging to the person who generated the report,
regardless of which portal that user was in.

Reporting Sections
Generators and Linkers
Reporting sections can be divided into principally two types, generators and linkers.
While all report sections generate results, and display those results in the final rendered report, some
sections generate results which are intended for use in feed-forward reports and are only really useful
in that context.

For example, the Guardian module provides a report section entitled Per user Client IP addresses.
This section will take a Guardian username (be it derived from Active Directory or other such
authentication mechanism) and show the IP addresses that are associated with this user in the
Guardian web proxy access logs. It will also show the timestamps that these hits occurred at.
By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time
period during which they were using it.
This information is perhaps informative, but not particularly. However the results, Client IP address
and Time-Period are both filters which can be applied to other reports, reports which might not be
able to associate activity with a particular username.
For example, the IM module provides tracking of Instant Message conversations; however, users are
unlikely to use (not to mention forbidden from using) their work usernames as their local usernames
for such conversations. The IM module does, however, record the IP address used in these
conversations, so a linker section such as the one described above is able to feed from a username
to an IP address, and from there to an IM conversation.
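The linker pivot just described, as an added example that is not code from Advanced Firewall or its Guardian and IM modules: the first function is the "Per user Client IP addresses" idea, the second feeds its IP and time-period results forward into an IM log. The log records are constructed, their layout and the 15-minute slack are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of web proxy hits: (timestamp, username, client IP).
# Note the address 10.0.5.21 is re-issued to a second user in the afternoon.
GUARDIAN_ACCESS = [
    ("2013-12-02 08:55:10", "jsmith", "10.0.5.21"),
    ("2013-12-02 09:40:02", "jsmith", "10.0.5.21"),
    ("2013-12-02 11:12:44", "jsmith", "10.0.5.21"),
    ("2013-12-02 13:05:00", "ajones", "10.0.5.21"),   # DHCP re-issued the address
    ("2013-12-02 14:30:17", "ajones", "10.0.5.21"),
    ("2013-12-02 10:02:30", "jsmith", "10.0.7.9"),    # second device
]

# Constructed sample of IM module records: (timestamp, client IP, local nick, remote party).
# The local nicknames deliberately bear no relation to the work usernames.
IM_CONVERSATIONS = [
    ("2013-12-02 09:15:00", "10.0.5.21", "coolguy77", "vendor_rep"),
    ("2013-12-02 13:45:00", "10.0.5.21", "aj_home", "friend42"),
    ("2013-12-02 10:10:00", "10.0.7.9", "coolguy77", "vendor_rep"),
    ("2013-12-02 12:30:00", "10.0.5.21", "unknown", "someone"),   # between both users' sessions
]


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def client_ip_periods(access_log, username: str) -> Dict[str, Tuple[datetime, datetime]]:
    """The linker section: for one username, every client IP it was seen from
    in the proxy log, with the first and last timestamp of that use."""
    periods: Dict[str, Tuple[datetime, datetime]] = {}
    for stamp, user, ip in access_log:
        if user != username:
            continue
        t = parse_ts(stamp)
        first, last = periods.get(ip, (t, t))
        periods[ip] = (min(first, t), max(last, t))
    return periods


def im_conversations_for_user(access_log, im_log, username: str,
                              slack: timedelta = timedelta(minutes=15)) -> List[tuple]:
    """Feed the linker's (IP, time period) results forward into the IM log.

    A conversation is attributed to the user only if it came from an IP the user
    was seen on AND falls inside that IP's time period, widened by `slack` to
    cover idle time between web hits. Requiring the time window as well as the
    address is what stops a re-issued DHCP lease attributing another person's
    conversation to this user.
    """
    periods = client_ip_periods(access_log, username)
    hits = []
    for stamp, ip, nick, remote in im_log:
        if ip not in periods:
            continue
        first, last = periods[ip]
        t = parse_ts(stamp)
        if first - slack <= t <= last + slack:
            hits.append((stamp, ip, nick, remote))
    return hits


if __name__ == "__main__":
    for user in ("jsmith", "ajones"):
        print(user, client_ip_periods(GUARDIAN_ACCESS, user))
        for hit in im_conversations_for_user(GUARDIAN_ACCESS, IM_CONVERSATIONS, user):
            print("   ", hit)
```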

General Sections
The bulk of Advanced Firewall's reporting sections are reasonably easy to describe and are detailed
quite well by their descriptions. There are, however, several big reports which defy such description
and require a more in-depth discussion; these are covered later.
Standard sections will show up in the available sections list in a manner similar to the following.

This shows the section's description, title and any results that are returned for use in the system's
feed-forward ability.

Network Interfaces

A list of the configured internal and external network interfaces on the system. Includes details about
the hardware, configuration and recent network activity for each interface.
This report section lists the interfaces available on Advanced Firewall, including any internal NIC
interfaces, External NIC interfaces, modems, VLANs and VPN interfaces.

The options available to this interface allow you to discriminate between Internal, External and VPN
interfaces as well as the ability to show or hide any disconnected interfaces.
This section returns an interface which may be passed into a report section such as the Individual
network interface report section.

The Anatomy of a URL


URL processing in the Advanced Firewall reporting system is achieved via a series of mechanisms
which automatically split a URL into a number of internal parameters. These are used to speed up
data processing and achieve the desired results efficiently, with minimal need to understand how an
individual web site is constructed. However, some explanation is required, as several of the more
advanced features of the Guardian reports require some manipulation of the URL.
An Advanced Firewall reporting URL is extracted into three distinct components: the protocol, domain
and parameters.

As can be seen, a URL entered into the Advanced Firewall reporting system will be automatically
highlighted in color to denote where the appropriate parts of the URL are being extracted from.
URLs entered in this fashion can be complete (as in the above example) or can alternatively be partial
including a combination of protocol, protocol and domain, domain and parameters or the parameters
themselves.

To use a partial URL, the URL entered should be of an appropriate format depending upon the
combination of parts which is desired. Separation is effectively done from the right-hand side
backwards:
A URL starting with / is viewed as simply the parameters.
A URL which starts with a character other than / and does not end with :// is viewed as being the
domain.
A URL fragment starting with characters and ending with the string :// is interpreted as a protocol.
Deciphering a URL can, however, be a non-trivial task, especially as some web sites, companies and
organizations use a variety of load balancing techniques, curious URLs, sub-domains and a variety
of techniques which can only have been considered a good idea at the time.
For example, StumbleUpon, a Social bookmarking site, exists not only at the domain
www.stumbleupon.com but also at stumbleupon.com, a common enough concept with regards to the
absence of www. However, it also receives some of its content from cdn.stumble-upon.com and
stumbleupon.stumble-upon.com.
For this reason it is possible to switch the URL recognition options in the Advanced Firewall reporting
system into treating URLs as regular expression matches rather than strict matches.

These options can be turned on individually for the protocol, domain and parameter parts of a URL;
for speed and processing reasons it is advised that they be turned on for the minimum number of
parts possible.
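The splitting rules and the strict-versus-regex option above, as an added example that is not Smoothwall's code: "strict" is assumed to mean exact equality (the guide only contrasts it with regular expression matching), and the StumbleUpon expression is my own, covering the four hosts named in the text with regex enabled for the domain part only.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReportUrl:
    protocol: Optional[str] = None    # "http" (the trailing "://" is dropped)
    domain: Optional[str] = None      # "news.bbc.co.uk"
    parameters: Optional[str] = None  # "/1/hi/technology/7878769.stm"


def split_url(text: str) -> ReportUrl:
    """Split a complete or partial URL into protocol, domain and parameters.

    The guide's rules: a fragment beginning with "/" is parameters only; a
    fragment ending in "://" is a protocol only; anything else beginning with a
    character other than "/" is a domain, optionally preceded by a protocol
    and/or followed by parameters.
    """
    text = text.strip()
    if text.startswith("/"):
        return ReportUrl(parameters=text)
    protocol: Optional[str] = None
    if "://" in text:
        protocol, text = text.split("://", 1)
        if text == "":                         # e.g. "https://" on its own
            return ReportUrl(protocol=protocol)
    domain, slash, rest = text.partition("/")
    return ReportUrl(protocol=protocol,
                     domain=domain or None,
                     parameters=slash + rest if slash else None)


def url_matches(pattern: ReportUrl, logged_url: str,
                regex_protocol: bool = False, regex_domain: bool = False,
                regex_parameters: bool = False) -> bool:
    """Does a logged URL satisfy every part that the pattern specifies?

    Parts left unset in the pattern impose no constraint. Strict matching is
    taken here to mean exact string equality (an assumption). Regex mode
    anchors the expression to the whole part, so a loose expression such as
    "stumble" cannot silently match every domain containing that text.
    """
    entry = split_url(logged_url)
    for wanted, actual, use_regex in (
        (pattern.protocol, entry.protocol, regex_protocol),
        (pattern.domain, entry.domain, regex_domain),
        (pattern.parameters, entry.parameters, regex_parameters),
    ):
        if wanted is None:
            continue                       # part not specified: no constraint
        if actual is None:
            return False                   # logged URL lacks a required part
        if use_regex:
            if re.fullmatch(wanted, actual) is None:
                return False
        elif wanted != actual:
            return False
    return True


# The StumbleUpon case from the text: one expression for the bare domain, the
# www. form and the stumble-upon.com content hosts. Only the domain part uses
# regex matching, as the guide advises.
STUMBLEUPON = ReportUrl(domain=r"(www\.)?stumbleupon\.com|[a-z0-9.-]+\.stumble-upon\.com")


def is_stumbleupon(logged_url: str) -> bool:
    return url_matches(STUMBLEUPON, logged_url, regex_domain=True)
```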

HTTP Request Methods and HTTPS Interception


The nature of HTTPS interception means that, in essence, an HTTPS-intercepted site should be treated
no differently to a non-HTTPS site in terms of its logging; indeed, other than the protocol there is
nothing to distinguish HTTP and HTTPS methodology.
Guardian, however, also logs connections made to HTTPS servers where the content of that
communication has not been intercepted. To differentiate between the two it is possible to set the
HTTP request method (optionally along with the protocol from the domain) to catch HTTPS content
which has been intercepted and that which has not.
HTTPS connections start with an HTTP CONNECT request; if the connection is not being intercepted
this is the only part of the communication which is logged. If the connection is being subjected to
HTTPS interception then the requests within the connection are additionally logged.

Hence, searching for methods other than CONNECT will provide results which may have been
subjected to HTTPS interception. Additionally, setting the URL to include the string https:// will return
only those results which have been HTTPS intercepted, as it restricts the results to those which are
via the HTTPS protocol and use a connection method other than CONNECT.

Guardian Status Filtering

Each URL which passes through Guardian is subjected to a level of filtering; the resulting action of
that filtering is logged and can be used to filter any results within the Guardian reports.
A URL may carry one or more of the following status messages: Almost blocked, Denied (or blocked),
Exception, Infected or Modified. The meaning of these is covered below.
Almost blocked: denotes any result whose score for phrase analysis was between 90 and 100 (the
default score over which a result is blocked). This shows content which contained a number of
phrases which elevated its score, but did not quite cause the site to be blocked.
Denied: denotes sites which were blocked by the phrase or URL filtering in the Guardian product. The
reason why the page was banned can be determined by adding the include status option on those
reports which support it. Note, however, that this can change the ordering of the results.
Exception: the site in question was not filtered for one of several reasons; it may be that it is
whitelisted, soft-blocked, temporarily bypassed, the client IP/group is not subject to filtering, etc.
Modified: denotes content which was modified as it passed through the Guardian filter. This might
be due to a security rule (such as removing JavaScript), or to enforce AUP concepts such as safe
search.
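The CONNECT rule from the HTTPS interception section and the status filtering above, as one added example run over constructed records; this is not Guardian's code, the record layout is an assumption and not Guardian's log format, and the "Almost blocked" band is assumed to be a score of 90 to 99.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

BLOCK_SCORE = 100      # default phrase-analysis score over which a page is blocked
ALMOST_BLOCKED = 90    # lower bound of the "Almost blocked" band (assumed inclusive)


@dataclass
class GuardianRecord:
    method: str                  # HTTP request method: CONNECT, GET, POST ...
    url: str                     # URL as logged, including the protocol
    status: Set[str] = field(default_factory=set)   # DENIED, EXCEPTION, INFECTED, MODIFIED
    score: int = 0               # phrase-analysis score


# Constructed sample entries, not real log output.
LOG: List[GuardianRecord] = [
    GuardianRecord("CONNECT", "https://bank.example:443", set(), 0),      # tunnel only
    GuardianRecord("GET", "https://mail.example/inbox", set(), 12),       # inside an intercepted session
    GuardianRecord("GET", "http://news.example/story/1", set(), 45),
    GuardianRecord("GET", "http://forum.example/thread/9", set(), 94),    # nearly blocked
    GuardianRecord("GET", "http://gamble.example/", {"DENIED"}, 140),
    GuardianRecord("GET", "https://search.example/?q=badger&safe=on", {"MODIFIED"}, 3),
    GuardianRecord("GET", "http://intranet.example/", {"EXCEPTION"}, 0),
]


def interception_state(rec: GuardianRecord) -> str:
    """Classify a record by the CONNECT rule described in the guide."""
    if rec.method == "CONNECT":
        return "https-not-intercepted"      # only the tunnel set-up was logged
    if rec.url.lower().startswith("https://"):
        return "https-intercepted"          # a request seen *inside* an HTTPS session
    return "http"


def guardian_statuses(rec: GuardianRecord) -> Set[str]:
    """Status messages a report can filter on. 'Almost blocked' is derived from
    the score band; the others come straight from the logged status field."""
    out = {s.capitalize() for s in rec.status}          # Denied, Exception, Infected, Modified
    if ALMOST_BLOCKED <= rec.score < BLOCK_SCORE and "DENIED" not in rec.status:
        out.add("Almost blocked")
    return out


def filter_records(records, *, statuses: Set[str] = frozenset(),
                   intercepted_only: bool = False,
                   method_not: Optional[str] = None) -> List[GuardianRecord]:
    """Apply the report options: a Guardian status filter (any of the given
    statuses), the 'https:// plus a method other than CONNECT' combination
    that isolates intercepted traffic, and a plain method exclusion."""
    out = []
    for rec in records:
        if statuses and not (statuses & guardian_statuses(rec)):
            continue
        if intercepted_only and interception_state(rec) != "https-intercepted":
            continue
        if method_not is not None and rec.method == method_not:
            continue
        out.append(rec)
    return out
```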

Search Terms and Search Phrases


There are three facets to search term reporting on a Guardian system: searching for search terms,
filtering by search term and selecting banned search terms.
Discovering search terms and showing them is achieved with the search engine search strings and
terms report section.
This section has a few peculiarities to its options which will be covered below; however, the section
is essentially designed to show the top search terms, or phrases, that have been encountered within
the Guardian filtered URLs.

Search terms are denoted as being either an individual word, or the entire phrase which was
searched for. For example:
Searching for "babylon 5" earth destroyer would be considered to be three search words, babylon
5, earth and destroyer, and one search phrase. Note that the search term reporting treats any
quoted string as a single search word.
Search words and phrases are assumed to be case insensitive, as the vast majority of searches are
done regardless of capitalization; however, search filtering can be made case sensitive by use of
the case sensitive search option under the advanced options for this report.
Both search terms and phrases can optionally be treated as regular expression matches via the
appropriate option under the advanced options.
Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar or stop
words. Words such as and, of and the are usually omitted by most search engines, and this can
be taken into consideration by using the option individual (uncommon) search terms on the search
term matching drop-down box.
The list of common search terms is taken to be the list of words omitted by the Google search engine.
This list is as follows: i, a, about, an, are, as, at, be, by, com, de, en, for, from, how,
in, is, it, la, of, on, or, that, the, this, to, was, what, when, where, who, will,
with, und, the and www.
Additional filtering options for username, group, client IP address and Guardian status are presented
for this report. Note that a list of blocked search phrases can be obtained by use of the Guardian
status denied option under the Guardian status options.


Filtering by Search Terms


As explained earlier, individual Guardian reports can be filtered by the search terminology they
contain. For example, it is possible to show the top ten domains which contained a search request
for the word badger.

This filtering is achieved by using the individual report section's Search term matching options,
presented under the section's advanced options.
Note that all search term filters operate over the search phrase rather than individual words, and can
optionally be changed to use regular expression matches rather than the default mode of operation,
which is strings containing this phrase.
To search for blocked search terms this filter can be used in combination with the Guardian status
filters.
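The search word and phrase rules from the previous section and the "Search term matching" filter above, as one added example that is not Smoothwall's code, run over constructed search-engine URLs; which query parameter carries the search string varies by engine, so the names q and p are assumptions.

```python
import re
from collections import Counter
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# The common-word list quoted in the guide (the words Google omits).
COMMON_WORDS = frozenset("""
i a about an are as at be by com de en for from how in is it la of on or
that the this to was what when where who will with und www
""".split())

SEARCH_PARAMS = ("q", "p")   # assumption: query-string names carrying the search phrase

# Constructed sample of logged URLs, not real proxy output.
SAMPLE_URLS = [
    "http://www.google.com/search?q=%22babylon+5%22+earth+destroyer",
    "http://www.google.com/search?q=how+to+feed+a+badger",
    "http://search.yahoo.com/search?p=Badger+habitat+map",
    "http://www.google.com/search?q=the+best+of+the+week",
    "http://news.example/story/1",                     # not a search at all
]


def search_phrase_from_url(url: str) -> Optional[str]:
    """Pull the phrase the user searched for out of a logged search-engine URL."""
    query = parse_qs(urlsplit(url).query)
    for name in SEARCH_PARAMS:
        if name in query and query[name][0].strip():
            return query[name][0].strip()
    return None


def search_words(phrase: str, uncommon_only: bool = False,
                 case_sensitive: bool = False) -> List[str]:
    """Split a phrase into search words. A quoted string counts as one word;
    the 'individual (uncommon) search terms' option drops the common words."""
    words = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', phrase)]
    words = [w for w in words if w]          # an empty "" quote yields nothing
    if not case_sensitive:
        words = [w.lower() for w in words]
    if uncommon_only:
        words = [w for w in words if w.lower() not in COMMON_WORDS]
    return words


def phrase_matches(phrase: str, wanted: str, regex: bool = False,
                   case_sensitive: bool = False) -> bool:
    """The 'Search term matching' filter: by default a row is kept when its
    search phrase *contains* the wanted string; optionally a regex search."""
    if regex:
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(wanted, phrase, flags=flags) is not None
    if not case_sensitive:
        phrase, wanted = phrase.lower(), wanted.lower()
    return wanted in phrase


def top_search_words(urls, uncommon_only: bool = True, limit: int = 5) -> List[tuple]:
    """The 'search engine search strings and terms' section: count individual
    search words over a set of logged URLs and return the most frequent."""
    counts: Counter = Counter()
    for url in urls:
        phrase = search_phrase_from_url(url)
        if phrase:
            counts.update(search_words(phrase, uncommon_only=uncommon_only))
    return counts.most_common(limit)


if __name__ == "__main__":
    print(top_search_words(SAMPLE_URLS))
    print([u for u in SAMPLE_URLS
           if (p := search_phrase_from_url(u)) and phrase_matches(p, "badger")])
```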

URL Extraction and Manipulation


The Advanced Firewall reporting system for Guardian contains an advanced reporting section called
URL interpretation and reporting which allows for a sophisticated set of URL manipulations to be
conducted to extract information from the Guardian logs.

This reporting section has a lot of reasonably complicated options; however, only a few of them are
relevant to the discussion of its operation. Those options which are not are grayed out in the example
above and will be omitted from any further discussion, as they apply the expected limitations on the
search results: changing the number of results, or any username, client IP address or group filter, etc.
The most important option for this report section is the URL, which in this example is a regular
expression URL referring to the BBC News web site. The protocol and domain fields in the URL in this
example are reasonably straightforward: they do not contain any regular expression matches
(anything in brackets) and as such are not used for anything further in this report section.
The parameters field, however, does contain two regular expression matches, the parts between the
opening and closing brackets, ( ). The parts of the URL extracted by these matching parts of the
URL regular expression are labelled 1 and 2 respectively, and the appropriately labelled term is
used by the Match to extract from parameters and Match to compare parameters to fields to further
analyze the URL.
In this example there are two matches which are extracted from the URL. If a BBC News article URL
is considered: http://news.bbc.co.uk/1/hi/technology/7878769.stm
the two matches would provide technology and 7878769.
Of these two parameters one is the section of the BBC News site this article is from, the other is
the article name.
The Match to extract from domain and Match to extract from parameters options specify which
regular expression match ($1, $2, $3 etc.) to extract from the URL for the purposes of identifying
unique content. In this example we can see that parameter match 2 would be used to uniquely
identify this URL, being the value 7878769, or the article number. This value is subsequently used
to uniquely identify the relevant URLs before producing a list of the top matches, in this case the top
news articles.
Rebuild and include example URL: as part of its drill-down and feed-forward abilities the URL
extraction report section reconstitutes a probable URL for the linked material. When this option is
ticked, this reconstructed URL is included in the report alongside the match.
Note: some sites, YouTube for example, can host several different URLs for the same video ID. In
these cases the reconstructed URL is a potential URL that might have been used, even if it is not the
actual URL that was encountered. To elaborate, both of the following URLs:
http://www.youtube.com/get_video?video_id=6rNgCnY1lPg
http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg
are for the same video and could be matched accordingly (giving two hits for this video); however,
the system would then have to construct a probable URL for the content, which in this example would
reference either the .com or the .co.uk address.
Recognise common URLs: this option allows the reporting system to recognise common URLs for
known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or
to extract a page title from an HTML page's header.
In this example we can see that the option is enabled; thus for each of the reconstituted URLs the
system would retrieve the HTML (.stm) page from the BBC News web site, extract the <title>
section from the page header and include it in the report.
Domain match and Parameter match: these options allow additional information to be fed into the
search and will replace particular matches in the URL with the appropriate values. The options
Match to compare domain to and Match to compare parameters to allow values to be substituted
into the appropriate URL regular expression match to further filter the URL.
In the above example the Match to compare parameters to value is 1, which means that the value
entered into the Parameter match box would be substituted into $1 in the URL.
This means that entering technology into the Parameter match field would produce the top 50 news
articles from the technology section of the BBC News web site.
Results title: this report section is feed-forward enabled and can produce a list of regular
expression URLs to identify and extract matching content. However, the URL is rarely of interest to
anyone viewing the resultant report, although by default it would be included as the section title for
the feed-forwarded results.
For this purpose it is possible to override the title used for the feed-forward sections by entering a
value into the results title box. This can be straight text, or can reference one of the result's
feed-forward values by means of a wildcard.

In the above example we can see that %matchtitle% is used as the value, which would present
the feed-forward result matchtitle as the title for any feed-forward sections. In this case,
%matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively, values of
%domainmatch%, %parametermatch% or %url% could be used.
In this manner the URL extraction section provides one of the most flexible tools for extracting
information about particular web sites with no in-built understanding of the site. This means that the
section can easily be tailored to accommodate new web sites, or internal web sites which may be
processed by Guardian but are outside the scope of the standard templates.

In this example the URL extraction section is being used to display the top 50 video results from the
YouTube site.
The URL once again contains a series of regular expression matches; this time the domain also
includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains,
sub-domains and TLDs.
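The BBC News walkthrough above as an added example that is not the product's code: a regex URL with two parameter groups, match 2 as the unique key, technology substituted into $1, the rebuilt example URL and the %parametermatch% and %url% title wildcards, all run over constructed log entries whose (time, user, url) layout is assumed. Page-title retrieval (Recognise common URLs) and %matchtitle% are left out, since they need network access.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of proxy hits, not real log output.
ACCESS_LOG = [
    ("2013-12-02 09:01:00", "alice", "http://news.bbc.co.uk/1/hi/technology/7878769.stm"),
    ("2013-12-02 09:03:10", "bob", "http://news.bbc.co.uk/1/hi/technology/7878769.stm"),
    ("2013-12-02 09:04:30", "carol", "http://news.bbc.co.uk/1/hi/technology/7881002.stm"),
    ("2013-12-02 09:05:00", "alice", "http://news.bbc.co.uk/1/hi/business/7880001.stm"),
    ("2013-12-02 09:06:00", "dave", "http://www.bbc.co.uk/sport/0/football/12345"),
]

GROUP = re.compile(r"\([^()]*\)")        # one non-nested regex group "( ... )"


def split_url(url: str) -> Tuple[str, str, str]:
    """Protocol, domain and parameters, as the reporting system separates them."""
    protocol, _, rest = url.partition("://")
    domain, slash, params = rest.partition("/")
    return protocol, domain, slash + params


def substitute_group(pattern: str, number: int, value: str) -> str:
    """'Match to compare parameters to' = number, 'Parameter match' = value:
    the N-th group of the regex is replaced by the literal value."""
    group = list(GROUP.finditer(pattern))[number - 1]
    return pattern[:group.start()] + "(" + re.escape(value) + ")" + pattern[group.end():]


def rebuild(pattern: str, captured: Tuple[str, ...]) -> str:
    """'Rebuild and include example URL': put the captured values back into the
    regex groups. Handles the simple patterns used here (non-nested groups,
    escaped dots); the result is a probable URL, not necessarily the one seen."""
    out = pattern
    for value in captured:
        out = GROUP.sub(lambda _m, v=value: v, out, count=1)
    return out.replace(r"\.", ".")


def url_extraction(log, protocol: str, domain_re: str, params_re: str,
                   extract_from_params: int, compare_params_to: Optional[int] = None,
                   parameter_match: Optional[str] = None, limit: int = 50,
                   results_title: str = "%url%") -> List[Dict[str, object]]:
    """Top `limit` pieces of unique content, keyed by the chosen parameter match."""
    pattern = params_re
    if compare_params_to is not None and parameter_match is not None:
        pattern = substitute_group(params_re, compare_params_to, parameter_match)
    hits: Counter = Counter()
    example: Dict[str, str] = {}
    for _stamp, _user, url in log:
        proto, domain, params = split_url(url)
        if proto != protocol or re.fullmatch(domain_re, domain) is None:
            continue                         # protocol/domain are plain matches here
        m = re.fullmatch(pattern, params)
        if m is None:
            continue
        key = m.group(extract_from_params)   # e.g. the article number
        hits[key] += 1
        example.setdefault(key, f"{proto}://{domain}{rebuild(pattern, m.groups())}")
    report = []
    for key, count in hits.most_common(limit):
        # 'Results title': the wildcards a feed-forward section title may use
        title = results_title.replace("%parametermatch%", key).replace("%url%", example[key])
        report.append({"match": key, "hits": count,
                       "example_url": example[key], "title": title})
    return report


if __name__ == "__main__":
    for row in url_extraction(ACCESS_LOG, "http", r"news\.bbc\.co\.uk",
                              r"/1/hi/([a-z]+)/(\d+)\.stm", 2,
                              compare_params_to=1, parameter_match="technology",
                              results_title="Article %parametermatch%"):
        print(row["hits"], row["title"], row["example_url"])
```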

Origin Filtering
Advanced Firewall contains the ability to aggregate reports over several different machines. Several
Advanced Firewalls, for example, can be used as a cluster of web content filters; alternatively the
system might be configured to receive the browsing activity of several mobile users via the
MobileGuardian content filter.
When these results are aggregated onto a central reporting Advanced Firewall system they each
contain a unique identifier stating where they came from. This identifier can be used to restrict results
to those which originated from a particular machine, or class of machines.

The origin filter on an Advanced Firewall report allows the class of machine, or in some cases the
individual machine, to be used to restrict the results.
Note: The list of originating systems does not include a list of individual MobileGuardian installations,
as there may be several dozen or more of these.

Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive
its configuration from a specific authentication group, and so the default template reports have been
constructed with that in mind. By default MobileGuardian filtering would be achieved using a group
filter for the appropriate group; however, should more advanced processing be required, the Origin
filter could be used instead.

Appendix C

Troubleshooting VPNs
In this appendix:

Solutions to problems with VPNs.

Site-to-site Problems
All the PCs that are to participate in the VPN need to be fully operational and visible on the network
before attempting to install and configure VPN software.
Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall
systems. Failure to get a ping echo would indicate that:
- The remote Advanced Firewall is not running
- You have the wrong IP address for the remote Advanced Firewall
- There is a network connection problem: check routers, hubs and cables etc.
- There is a problem at your Internet Service Provider
- Advanced Firewall has ping disabled via the admin interface

Verify IP addresses by checking the Networking > Interfaces > Interfaces page for the appropriate
Ethernet card.

Check the routing information displayed in Advanced Firewall's status page; there must be a default
route (gateway).

Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP.
Specifically, ESP mode uses IP protocol 50. AH mode uses IP protocol 50. In particular, if the tunnel
goes into OPEN mode but no packets will flow between the two networks, it is possible that one of
the ISPs involved is blocking the ESP or AH packets.

To simplify the problem, attempt to get a connection with shared secrets before moving on to
certificates.

Verify the symmetry in the tunnel specification, i.e. that the IDs, IP addresses and Remote network
addresses are mirrored. This is where most people make mistakes.

Each node on the VPN network must have its own unique certificate. At least one field in the subject
must be different. The subject is a composite of the information fields supplied when the certificate
is created. Likewise the Alt (Alternative) Name field must be unique for each certificate. Obviously
fields like company name can be common to all certificates.

A different local network address must be configured at both ends of the tunnel; they cannot both
use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address.
Be consistent with IDs. For example:
- Hosts on static IPs should use the hostname for the gateway as the ID.
- Hosts on dynamic IPs should use the administrator's email address.
- Clients should usually not use an ID, unless they are using an unusual client that requires one.

L2TP Road Warrior Problems


The most likely problem with L2TP road warriors is establishing the initial IPSec transport connection,
and the most likely reason for a failure at this stage is an incorrect or invalid certificate. The same
problems that can occur with any other type of IPSec connection can also occur with an L2TP road
warrior. However, because the vast majority of parameter values are predefined, it is generally not
likely for an IPSec protocol error other than a certificate problem to occur.
First of all, verify the correct certificate is installed using the Microsoft MMC tool. There must be a CA
certificate, as well as a host certificate, present in the system. Also verify the certificate is within its
valid time window. If the certificate is newly created, and the time is set incorrectly by only an hour or
so, the connection will be refused because the certificate is not valid. MMC has facilities for verifying
that a host certificate is recognized as being valid.
Note that the error messages produced by the L2TP client can be somewhat strange. Modem not
responding can mean that there was an IPSec certificate error, for instance. Check the IPSec logs
first when looking for causes of problems. As a last resort, you can also enable debug logging on the
Windows client.

Enabling L2TP Debugging


In a default configuration, Microsoft's L2TP client does not produce any log files. This can make
diagnosing problems difficult if the logs on the Advanced Firewall gateway are not sufficient for finding
the cause or causes of connection issues.
To enable IPSec-level logging on Windows 2000 or XP, you must create a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named 'EnableLogging'. Set the value to 1 to enable logging, or 0 to
disable it. After changing this value the VPN service must be restarted. From the command line:
net stop policyagent
followed by:
net start policyagent
The log file will be in the Windows system directory:
\debug\oakley.log
The following URL is Microsoft's own guide to debugging L2TP connection problems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325034
Note: Smoothwall does not endorse manually editing the registry. Incorrectly altering registry values may
result in registry corruption and render the computer unusable.

Windows Networking Issues


In order to facilitate network browsing under Microsoft Windows across the VPN, it is necessary to
make sure both ends of the tunnel are properly configured.
In small, single subnet Windows networks, network browsing is facilitated via network broadcasts.
In these small networks, network neighborhood will just work without any configuration required. If a
road warrior were to connect in, though, it would be unable to browse the network unless the
administrator has configured the network to enable it. This is because network broadcasts do not
normally cross network boundaries, such as routers and VPNs.
This problem is exactly what Windows network administrators experience when connecting two or
more subnets via a router. If you are familiar with setting up multiple subnets of Windows machines,
then the problem to be solved is the same.
In the case of road warrior connections, the details depend on the client in use. The built-in L2TP
client for Windows can be configured to accept WINS and DNS server settings from the server.
These parameters are configured in the Global Settings page.
For inexperienced Windows administrators, the following notes are provided to assist with
configuring your network to enable network browsing across the VPN.
For NT networks, you will require a WINS server, normally running on your PDC. This WINS server is
analogous to a DNS server for the Windows machines. Each of your desktop machines and servers
should be configured to use the central WINS server in its network properties box. Any road warriors
connecting in should also be set to use this WINS server. If this is done, then when they are connected
to the office network via the VPN, they should be able to browse the office network, attach to printers
and shares, etc.
In more complex arrangements, such as two subnets of Windows machines with a VPN between the
two, it is necessary to set up either one WINS server and share it between the subnets, or have one
on each and configure a replicating system between the two. Again, the problem to be resolved is
identical to that which the administrator would face with two normally routed networks.


Appendix D

Hosting Tutorials
In this appendix:

Examples of hosting using Advanced Firewall.

Basic Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it
can support host IP addresses of 192.168.1.1 through to 192.168.1.254.
Within the DMZ there are two servers:
  Web server .2: This server will have an internal IP address of 192.168.1.2 and present an
  external IP address of 216.1.1.2.
  Mail server .3: This server will have an internal IP address of 192.168.1.3 and present an
  external IP address of 216.1.1.3.
To configure this scenario:
1 First create the external aliases:
    Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
    Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
2 Next, add the port forwards:
    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3
    Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .3 SMTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3
    Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .3 POP3
3 Finally, add the source mappings:
    Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
    Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Mail Server .3

Extended Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can
support host IP addresses of 192.168.1.1 through to 192.168.1.254.
Within the DMZ are three servers:
  Web server .2: This server will have an internal IP address of 192.168.1.2 and present an
  external IP address of 216.1.1.2. It supports both HTTP and HTTPS.
  Web server .3: This server will have an internal IP address of 192.168.1.3 and present an
  external IP address of 216.1.1.3. It should only be accessible to external hosts in the ranges
  100.100.100.0/24 and 100.100.101.0/24.
  Mail server .4: This server will have an internal IP address of 192.168.1.4 and present an
  external IP address of 216.1.1.4.
To configure this scenario:
1 First create the external aliases:
    Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
    Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
    Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
2 Next, add the port forwards:
    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2
    Source port: HTTPS (443) | Destination port: HTTPS (443) | Comment: Web Server .2 HTTPS

    Protocol: TCP | External IP: 100.100.100.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP

    Protocol: TCP | External IP: 100.100.101.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4
    Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .4 SMTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4
    Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .4 POP3
3 Finally, add the source mappings:
    Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
    Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
    Source IP: 192.168.1.4 | Alias IP: 216.1.1.4 | Comment: Mail Server .4

More Advanced Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can
support host IP addresses of 192.168.1.1 through to 192.168.1.254.
A local private network, 192.168.10.0/24, contains 3 servers:
  SQL Server .2: Internal IP: 192.168.10.2.
  Mail Server [int] .3: Internal IP: 192.168.10.3.
  Intranet Web Server .4: External IP: 216.1.1.4, Internal IP: 192.168.10.4, restricted users.
A DMZ network, 192.168.1.0/24, contains 5 servers:
  Web Server .2: External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2.
  Web Server .3: External IP: 216.1.1.3, Internal IP: 192.168.1.3.
  Virtual Web Server .5: External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as
  Virtual Web Server .6.
  Virtual Web Server .6: External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as
  Virtual Web Server .5.
  Mail Server [ext. out]: External IP: 216.1.1.7, Internal IP: 192.168.1.6, for outgoing mail.
  Mail Server [ext. in]: External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to
  Mail Server [int] .3.
To configure this scenario:
1 First create the external aliases:
    Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
    Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
    Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
    Alias IP: 216.1.1.5 | Netmask: 255.255.255.0 | Comment: External Alias .5
    Alias IP: 216.1.1.6 | Netmask: 255.255.255.0 | Comment: External Alias .6
    Alias IP: 216.1.1.7 | Netmask: 255.255.255.0 | Comment: External Alias .7
2 Next, add the port forwards (port forwards for example 3):
    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.10.4
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Intranet Web Server .4 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.5 | Destination IP: 192.168.1.5
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .5 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.6 | Destination IP: 192.168.1.5
    Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .6 HTTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7
    Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .7 SMTP

    Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7
    Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .7 POP3
3 Next, add the zone bridges (zone bridging for example 3):
    Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP
    Source IP: 192.168.1.2 | Destination IP: 192.168.10.2 | Destination port: User defined, 3306
    Comment: Web Server .2 to SQL Server .2

    Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP
    Source IP: 192.168.1.7 | Destination IP: 192.168.10.3 | Destination port: SMTP (25)
    Comment: Mail Server [ext. in] .7 to Mail Server [int.] .3
4 Finally, add the source mappings (source mapping for example 3):
    Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
    Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
    Source IP: 192.168.10.4 | Alias IP: 216.1.1.4 | Comment: Intranet Web Server .4
    Source IP: 192.168.1.5 | Alias IP: 216.1.1.5 | Comment: Virtual Web Server .5 & .6
    Source IP: 192.168.1.6 | Alias IP: 216.1.1.6 | Comment: Mail Server [ext. out] .6
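All three hosting arrangements in this appendix follow the same steps: define external aliases, add port forwards, add source mappings (and, in the third, zone bridges). The following script is an added example, not code from this guide or from Smoothwall. It holds the Extended Hosting Arrangement as data, checks that the steps agree with one another (every forwarded public address is a defined alias, every restricted External IP is a well-formed network, every forwarded DMZ host has a source mapping back to the alias it is reached on) and renders the equivalent iptables rules for review. The dictionary field names, the red interface name eth0 and the chain layout are assumptions made for the illustration; they are not Smoothwall's configuration format or its real rule set.

```python
"""Consistency check and iptables rendering for a DMZ hosting arrangement.

Added example, not Smoothwall's own code. The data reproduces the Extended
Hosting Arrangement from this appendix; field names mirror the UI labels.
"""
import ipaddress
from typing import Dict, List

# Step 1: external aliases on the red interface (from the Extended arrangement).
ALIASES = [
    {"alias_ip": "216.1.1.2", "netmask": "255.255.255.0", "comment": "External Alias .2"},
    {"alias_ip": "216.1.1.3", "netmask": "255.255.255.0", "comment": "External Alias .3"},
    {"alias_ip": "216.1.1.4", "netmask": "255.255.255.0", "comment": "External Alias .4"},
]

# Step 2: port forwards. "external_ip" is the permitted external source network
# ("" is the guide's <BLANK>, meaning any host), "source_ip" the public alias
# being forwarded and "dest_ip" the DMZ host that really serves the port.
PORT_FORWARDS = [
    {"proto": "tcp", "external_ip": "", "source_ip": "216.1.1.2",
     "dest_ip": "192.168.1.2", "sport": 80, "dport": 80, "comment": "Web Server .2 HTTP"},
    {"proto": "tcp", "external_ip": "", "source_ip": "216.1.1.2",
     "dest_ip": "192.168.1.2", "sport": 443, "dport": 443, "comment": "Web Server .2 HTTPS"},
    {"proto": "tcp", "external_ip": "100.100.100.0/24", "source_ip": "216.1.1.3",
     "dest_ip": "192.168.1.3", "sport": 80, "dport": 80, "comment": "Web Server .3 HTTP"},
    {"proto": "tcp", "external_ip": "100.100.101.0/24", "source_ip": "216.1.1.3",
     "dest_ip": "192.168.1.3", "sport": 80, "dport": 80, "comment": "Web Server .3 HTTP"},
    {"proto": "tcp", "external_ip": "", "source_ip": "216.1.1.4",
     "dest_ip": "192.168.1.4", "sport": 25, "dport": 25, "comment": "Mail Server .4 SMTP"},
    {"proto": "tcp", "external_ip": "", "source_ip": "216.1.1.4",
     "dest_ip": "192.168.1.4", "sport": 110, "dport": 110, "comment": "Mail Server .4 POP3"},
]

# Step 3: source mappings, so each DMZ host leaves through its own alias.
SOURCE_MAPPINGS = [
    {"source_ip": "192.168.1.2", "alias_ip": "216.1.1.2", "comment": "Web Server .2"},
    {"source_ip": "192.168.1.3", "alias_ip": "216.1.1.3", "comment": "Web Server .3"},
    {"source_ip": "192.168.1.4", "alias_ip": "216.1.1.4", "comment": "Mail Server .4"},
]


def check_hosting(aliases: List[Dict], forwards: List[Dict], mappings: List[Dict]) -> List[str]:
    """Return findings about the arrangement; an empty list means it is consistent."""
    findings = []
    alias_set = {a["alias_ip"] for a in aliases}
    outbound = {m["source_ip"]: m["alias_ip"] for m in mappings}
    for f in forwards:
        tag = f["comment"]
        if f["source_ip"] not in alias_set:
            findings.append(f"{tag}: public IP {f['source_ip']} is not an external alias")
        if f["external_ip"]:
            try:
                # strict=True rejects a range with host bits set, e.g. 100.100.100.1/24
                ipaddress.ip_network(f["external_ip"], strict=True)
            except ValueError:
                findings.append(f"{tag}: External IP {f['external_ip']!r} is not a valid network")
        mapped = outbound.get(f["dest_ip"])
        if mapped is None:
            findings.append(f"{tag}: {f['dest_ip']} has no source mapping, outbound traffic "
                            "will use the main red IP")
        elif mapped != f["source_ip"]:
            findings.append(f"{tag}: {f['dest_ip']} is reached via {f['source_ip']} "
                            f"but sources out as {mapped}")
    for m in mappings:
        if m["alias_ip"] not in alias_set:
            findings.append(f"{m['comment']}: mapping uses {m['alias_ip']}, not an external alias")
    return findings


def render_iptables(forwards: List[Dict], mappings: List[Dict], red: str = "eth0") -> List[str]:
    """Render equivalent netfilter rules. The glossary says Smoothwall uses iptables;
    the interface name and chain layout here are assumptions, not its real rule set."""
    rules = []
    for f in forwards:
        src = f" -s {f['external_ip']}" if f["external_ip"] else ""
        rules.append(f"iptables -t nat -A PREROUTING -i {red} -p {f['proto']}{src} "
                     f"-d {f['source_ip']} --dport {f['sport']} "
                     f"-j DNAT --to-destination {f['dest_ip']}:{f['dport']}")
        rules.append(f"iptables -A FORWARD -i {red} -p {f['proto']}{src} "
                     f"-d {f['dest_ip']} --dport {f['dport']} -j ACCEPT")
    for m in mappings:
        rules.append(f"iptables -t nat -A POSTROUTING -o {red} -s {m['source_ip']} "
                     f"-j SNAT --to-source {m['alias_ip']}")
    return rules


if __name__ == "__main__":
    for line in check_hosting(ALIASES, PORT_FORWARDS, SOURCE_MAPPINGS) or ["arrangement is consistent"]:
        print(line)
    print("\n".join(render_iptables(PORT_FORWARDS, SOURCE_MAPPINGS)))
```

A host that is reached on one alias but sources out through another is reported rather than rejected, because it can be intended: in the More Advanced Hosting Arrangement above, Virtual Web Server .6 is reached on 216.1.1.6 but shares 192.168.1.5 with Virtual Web Server .5 and therefore sources out as 216.1.1.5. A restricted External IP is validated with strict=True so that a range typed with host bits set, such as 100.100.100.1/24, is caught before it reaches the firewall.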


Glossary
Numeric
2-factor authentication The password to a token, used together with the token. In other words: 2-factor
authentication is something you know, used together with something you have. Access is only granted
when you use the two together.
3DES A triple strength version of the DES cryptographic standard, usually using a 168-bit key.

A
Acceptable Use Policy See AUP.
Access control The process of preventing unauthorized access to computers, programs,
processes, or systems.
Active Directory Microsoft directory service for organizations. It contains information about
organizational units, users and computers.
ActiveX A Microsoft reusable component technology used in many VPN solutions to provide VPN
client access in a road warrior's web browser.
AES (Advanced Encryption Standard) A method of encryption selected by NIST as a replacement for
DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with
fast performance across multiple platforms.
AH (Authentication Header) Forms part of the IPSec tunnelling protocol suite. AH sits between the IP
header and datagram payload to maintain information integrity, but not secrecy.
Algorithm In Smoothwall products, an algorithm is a mathematical procedure that manipulates data
to encrypt and decrypt it.
Alias or External Alias In Smoothwall terminology, an alias is an additional public IP that operates as
an alternative identifier of the red interface.
ARP (Address Resolution Protocol) A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP (Acceptable Use Policy) An AUP is an official statement on how an organization expects its
employees to conduct messaging and Internet access on the organization's email and Internet systems.
The policy explains the organization's position on how its users should conduct communication within and
outside of the organization, both for business and personal use.
Authentication The process of verifying identity or authorization.

B
Bandwidth Bandwidth is the rate that data can be carried from one point to another. Measured in Bps
(Bytes per second) or Kbps.
BIN A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow An error caused when a program tries to store too much data in a temporary
storage area. This can be exploited by hackers to execute malicious code.

C
CA (Certificate Authority) A trusted network entity, responsible for issuing and managing x509 digital
certificates.

Certificate A digital certificate is a file that uniquely identifies its owner. A certificate contains owner
identity information and its owner's public key. Certificates are created by CAs.
Cipher A cryptographic algorithm.
Ciphertext Encrypted data which cannot be understood by unauthorized parties. Ciphertext is
created from plain text using a cryptographic algorithm.
Client Any computer or program connecting to, or requesting the services of, another computer or
program.

Cracker A malicious hacker.


Cross-Over Cable A network cable with TX and RX (transmit and receive) reversed at either end to
provide a direct peer-to-peer network connection.
Cryptography The study and use of methods designed to make information unintelligible.

D
Default Gateway The gateway in a network that will be used to access another network if a gateway
is not specified for use.
Denial of Service Occurs when a network host is flooded with large numbers of automatically
generated data packets. The receiving host typically slows to a halt while it attempts to respond to each
request.
DER (Distinguished Encoding Rules) A certificate format typically used by Windows operating systems.
DES (Data Encryption Standard) A historical 64-bit encryption algorithm still widely used today. DES is
scheduled for official obsolescence by the US government agency NIST.
DHCP (Dynamic Host Control Protocol) A protocol for automatically assigning IP addresses to hosts
joining a network.
Dial-Up A telephone based, non-permanent network connection, established using a modem.
DMZ (Demilitarized Zone) An additional separate subnet, isolated as much as possible from protected
networks.
DNS (Domain Name Service) A name resolution service that translates a domain name to an IP address
and vice versa.
Domain Controller A server on a Microsoft Windows network that is responsible for allowing host
access to a Windows domain's resources.
Dynamic IP A non-permanent IP address automatically assigned to a host by a DHCP server.
Dynamic token A device which generates one-time passwords based on a challenge/response
procedure.

E
Egress filtering The control of traffic leaving your network.
Encryption The transformation of plaintext into a less readable form (called ciphertext) through a
mathematical process. A ciphertext may be read by anyone who has the key to decrypt it (undo the
encryption).
ESP (Encapsulating Security Payload) A protocol within the IPSec protocol suite that provides
encryption services for tunnelled data.
Exchange Server A Microsoft messaging system including mail server, email client and groupware
applications (such as shared calendars).
Exploit A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a
system or service.

F
Filter A filter is a collection of categories containing URLs, domains, phrases, lists of file types and
replacement rules. Filters are used in policies to determine if a user should be allowed access to information
or files they have requested using their web browser.
FIPS Federal Information Processing Standards. See NIST.
Firewall A combination of hardware and software used to prevent access to private network resources.

G
Gateway A network point that acts as an entrance to another network.
Green In Smoothwall terminology, green identifies the protected network.

H
Hacker A highly proficient computer programmer who seeks to gain unauthorized access to systems
without malicious intent.
Host A computer connected to a network.
Hostname A name used to identify a network host.
HTTP (Hypertext Transfer Protocol) The set of rules for transferring files on the World Wide Web.
HTTPS A secure version of HTTP using SSL.
Hub A simple network device for connecting networks and network hosts.


I
ICMP (Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. It is
chiefly used by networked computers' operating systems to send error messages indicating, for example,
that a requested service is not available or that a host or router could not be reached.
IDS Intrusion Detection System.
IP Internet Protocol.
IPS Intrusion Prevention System.
IP Address A 32-bit number that identifies each sender and receiver of network data.
IPtables The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.
IPSec (Internet Protocol Security) An internationally recognized VPN protocol suite developed by the
Internet Engineering Task Force (IETF).
IPSec Passthrough A 'helper' application on NAT devices that allows IPSec VPN traffic to pass
through.
ISP An Internet Service Provider provides Internet connectivity.

K
Kernel The core part of an operating system that provides services to all other parts of the operating
system.
Key A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key
determines the mapping of plaintext to ciphertext.
Key space The name given to the range of possible values for a key. The key space is the number of
bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.

L
L2F (Layer 2 Forwarding) A VPN system, developed by Cisco Systems.
L2TP (Layer 2 Transport Protocol) A protocol based on IPSec which combines Microsoft PPTP and
Cisco Systems L2F tunnelling protocols.
LAN (Local Area Network) A network between hosts in a similar, localized geography.
Leased Lines (Or private circuits) A bespoke high-speed, high-capacity site-to-site network that is
installed, leased and managed by a telephone company.
Lockout A method to stop an unauthorized attempt to gain access to a computer. For example, a
three try limit when entering a password. After three attempts, the system locks out the user.

M
MAC Address (Media Access Control) An address which is the unique hardware identifier of a NIC.
MX Record (Mail eXchange) An entry in a domain name database that specifies an email server to
handle a domain name's email.

N
NAT-T (Network Address Translation Traversal) A VPN Gateway feature that circumvents IPSec NATing
problems. It is a more effective solution than IPSec Passthrough.
NIC Network Interface Card
NIST (National Institute of Standards and Technology) NIST produces security and cryptography related
standards and publishes them as FIPS documents.

NTP (Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP
Servers.

O
OU An organizational unit (OU) is an object used to distinguish different departments, sites or teams in
your organization.

P
Password A protected/private string of characters, known only to the authorized user(s) and the
system, used to authenticate a user as authorized to access a computer or data.
PEM (Privacy Enhanced Mail) A popular certificate format.
Perfect Forward Secrecy A key-establishment protocol, used to secure previous VPN
communications, should a key currently in use be compromised.
PFS See Perfect Forward Secrecy.
Phase 1 Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security
parameter agreement.
Phase 2 Phase 2 of a 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters
from Phase 1 to bring the tunnel up.
Ping A program used to verify that a specific IP address can be seen from another.
PKCS#12 (Public Key Cryptography Standards #12) A portable container file format for transporting
certificates and private keys.
PKI (Public Key Infrastructure) A framework that provides for trusted third party vetting of, and vouching
for, user identities; and binding of public keys to users. The public keys are typically in certificates.
Plaintext Data that has not been encrypted, or ciphertext that has been decrypted.
Policy Contains content filters and, optionally, time settings and authentication requirements, to
determine how Advanced Firewall handles web content and downloads to best protect your users and your
organization.
Port A service connection point on a computer system numerically identified between 0 and 65536. Port
80 is the HTTP port.
Port Forward A firewall rule that routes traffic from a receiving interface and port combination to
another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of
forwarding a network port from one network node to another. This technique can allow an external user to
reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
PPP (Point-to-Point Protocol) Used to communicate between two computers via a serial interface.
PPTP (Peer-to-Peer Tunnelling Protocol) A widely used Microsoft tunnelling standard deemed to be
relatively insecure.
Private Circuits See Leased Lines.
Private Key A secret encryption key known only by its owner. Only the corresponding public key can
decrypt messages encrypted using the private key.
Protocol A formal specification of a means of computer communication.
Proxy An intermediary server that mediates access to a service.
PSK (Pre-Shared Key) An authentication mechanism that uses a password exchange and matching
process to determine authenticity.
Public Key A publicly available encryption key that can decrypt messages encrypted by its owner's
private key. A public key can be used to send a private message to the public key owner.
PuTTY A free SSH client for Windows.

Q
QOS (Quality of Service) In relation to leased lines, QOS is a contractual guarantee of uptime and
bandwidth.

R
RAS (Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from
other LANs or individual users. RAS has been largely superseded by VPNs.
Red In Smoothwall, red is used to identify the Unprotected Network (typically the Internet).
RIP (Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes
in network connections by communicating information about which networks each router can reach and
how far away those networks are.
Road Warrior An individual remote network user, typically a travelling worker 'on the road' requiring
access to an organization's network via a laptop. Usually has a dynamic IP address.
Route A path from one network point to another.
Routing Table A table used to provide directions to other networks and hosts.
Rules In firewall terminology, rules are used to determine what traffic is allowed to move from one
network endpoint to another.

S
Security policy A security policy is a collection of procedures, standards and guidelines that state in
writing how an organization plans to protect its physical and information technology (IT) assets. It should
include password, account and logging policies, administrator and user rights and define what behavior is
and is not permitted, by whom and under what circumstances.
Server In general, a computer that provides shared resources to network users.
SIP (Session Initiation Protocol) A protocol for initiating, modifying, and terminating an interactive user
session that involves multimedia elements such as video, voice, instant messaging, online games, and
virtual reality. Commonly used in VOIP applications.
Single Sign-On (SSO) The ability to log in to multiple computers or servers in a single action by
entering a single password.
Site-To-Site A network connection between two LANs, typically between two business sites. Usually
uses a static IP address.
Smart card A device which contains the credentials for authentication to any device that is smart
card-enabled.
Spam Junk email, usually unsolicited.
SQL Injection A type of exploit whereby hackers are able to execute SQL statements via an Internet
browser.
Squid A high performance proxy caching server for web clients.
SSH (Secure Shell) A command line interface used to securely access a remote computer.
SSL A cryptographic protocol which provides secure communications on the Internet.
SSL VPN A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client
configuration.
Strong encryption A term given to describe a cryptographic system that uses a key so long that, in
practice, it becomes impossible to break the system within a meaningful time frame.
Subnet An identifiably separate part of an organization's network.
Switch An intelligent cable junction device that links networks and network hosts together.
Syslog A server used by other hosts to remotely record logging information.

T
Triple DES (3-DES) Encryption A method of data encryption which uses three encryption keys
and runs DES three times. Triple-DES is substantially stronger than DES.
Tunneling The transmission of data intended for use only within a private network through a public
network in such a way that the routing nodes in the public network are unaware that the transmission is part
of a private network.

U
User name / user ID A unique name by which each user is known to the system.


V
VPN (Virtual Private Network) A network connected together via securely encrypted communication
tunnels over a public network, such as the global Internet.
VPN Gateway An endpoint used to establish, manage and control VPN connections.

X
X509 An authentication method that uses the exchange of CA issued certificates to guarantee
authenticity.


Index

accessing 4
active directory
cache timeout 196
domain 196
extra realm 203
password 196
status 196
tenants 196
username 196
active directory legacy
cache timeout 201
discover kerberos realms through dns 202
extra group search roots 202
extra realms 203
extra user search roots 202
kerberos realm 201
netbios domain name 202
password 201
port 202
sam account name 202
server 201
server username 201
status 201
tenants 201
user search root 202
admin 3
admin options 14
administration 14
administration login failures 228
administrative users 14
adsl modem
settings 28
advanced 8
AIM 95
aim 95
alert
im proxy monitored word 228
alerts 5, 228
administration login failures 228
email 257
email to sms 257
email virus monitor 228
external connection failover 228
firewall notifications 228
hardware failover notification 228
hardware failure alerts 228
health monitor 228
inappropriate words in im 228

intrusion detection system monitor 229


l2tp vpn tunnel status 228
license expiry status 228
output system test messages 228
settings 5
smoothrule violations 228
smoothtunnel vpn certificate monitor 228
system boot (restart) notification 229
system resource monitor 228
system service monitoring 228
traffic statistics monitor 228
update monitoring 229
ups, power supply status warning 228
vpn tunnel status 228
application helper 70
ftp 70
h323 passthrough support 70
irc 70
pptp client support 70
archives 13
arp filter 54
arp table size 54
audit 55
authentication 9, 128, 193
choosing 302
diagnostics 193
mechanisms 301
time-out 193
automatic whitelisting 95


B
banned users 216
black-list users 95
bond 34
bridge 33
bridging
groups 63
rules 59
zones 59
byod 213

C
ca 14, 15
censoring 95
central management 291
about 291
pre-requirements 291
central management key 293
centrally manage 291

database 224
settings 6
datastore 224
deep packet inspection 74
default
interface 20
users 216
denial of service 52
detection policies 114
dhcp 12
custom options 12
leases 12
relay 12
server 12
dhcp ethernet 22
settings 23
diagnostics 14, 193
dial-up modem 30
directories 9
directory settings 194
prerequisites 195, 199, 200
dns 11, 105
dynamic 11
proxy 11
proxy service 106

static 11, 105


documentation 1
DoS 53
dpi 74


ECN 54
email 5, 6
email to sms 257
email virus monitor 228
enable arp filter 54
ethernet 20
External 228
external
access 14
aliases 7
external connection failover 228
external services 8, 78
editing 79
removing 79


certs 15
ca 14
child node 293
cluster 291
configuration tests 14
connection methods 20
dial-up modem 30
ethernet 20
ethernet/modem hybrid 20
isdn modem 28
modem 20
connection profiles 20
creating 20
deleting 33
modifying 33
connection tracking 54
connections 19
connectivity 7
console
connecting via 17
control 15
control page 4
create 5
csv 295
importing nodes 295
csv files 295
custom categories 11
custom signatures 118

failover 14, 279, 280


failover unit 283
master 281
filtering 7
filters 11
firewall 5, 6
accessing
browser 4
connecting 17
notifications 228
firmware upload 14
ftp 10, 70, 99

G
gadugadu 95
global 12, 15
group bridging 7, 63
groups 6, 9, 216
banned users 216
default users 216
mapping 205
network administrators 216
renaming 216, 217
unauthenticated ips 216

H
h323 passthrough support 70
hardware 14
failover 280
hardware Failover 279
hardware failover notification 228
hardware failure alerts 228
health monitor 228

defining 43
block 7
tools 14
ips 6, 69
ipsec 5, 6
roadwarriors 15
subnets 15
irc 70
isdn modem 28
settings 29
isp 20

heartbeat 279
hide conversation text 95
hostname 13
https 4
hybrid 20

J
jabber 95

K
kerberos keytabs 9

l2tp roadwarriors 15
l2tp vpn tunnel status 228
layer 7 application control 74
ldap directory
bind method 197
cache timeout 198
discover kerberos realms through dns 199
extra group search root 198
extra realms 199
extra user search roots 198
group search roots 198
kerberos realm 197
password 197
port 198
server 197
status 196
tenants 197
user search root 198
username 197
license expiry status 228
licenses 13
local users 203
activity 208
adding 204
configuring 203
deleting 205
editing 205
managing 204
status 203
tenants 203
log retention 224
log settings 6
logs 6
email 245
enable remote syslog 252
remote syslog server 252


icmp 53
ICMP ping 53
ICMP ping broadcast 53
ICQ 95
ids 6, 11
igmp 53
IGMP packets 53
im 93
hide conversation text 95
proxy 5
im proxy 6
inappropriate words in im 228
information 4
instant messenger 9, 93
block file transfers 95
blocked response 95
blocked response message 95
censor 95
intercept ssl 95
logging warning 95
logging warning message 95
protocols
aim 95
gadugadu 95
icq 95
jabber 95
msn 95
proxy 93, 94
instant messenger proxy
enable 94
enabled on interfaces 95
exception local IP addresses 96
interface
bond 34
bridge 33
interfaces 7
internal aliases 7
inter-zone security 59
intrusion detection 11
intrusion detection system 11
intrusion system 114
custom policies 117
detection policies 114
policies 114
prevention policies 115
intrusion system monitor 229
ip
address


retention 252


mac spoof 23
maintenance 13
master 281
message censor 11
custom categories 11
filters 11
time 11
Microsoft Messenger 95
modem 14, 20
settings 31
modules 13
MSN 95
multicast traffic 53

N
network
administrators 216
interface 19
networking 6, 8
source mapping 46
node 297
add 294
child 293
child delete 297
child edit 296
configure child 13
csv 295
delete 297
disable 299
edit 296
import 295
local settings 13
manage 297
monitor 297
parent 292
reboot 299
review 297
update 299

O
OpenVPN 162
outbound access
port rules 72
source rules 76
outgoing 8
output settings 6
output system test messages 228

P
pages
central management 13
info

alerts 5
alerts 5
custom 5
logs 6
firewall 6
ids 6
im proxy 5, 6
ips 6
ipsec 6
system 6
web proxy 6
realtime 5
firewall 5
ipsec 5
portal 5
system 5
traffic graphs 5
reports
reports 5
saved 5
scheduled reports 5
settings
alert settings 5
database settings 6
groups 6
log settings 6
output settings 6
information 4
logs and reports
settings
datastore 224
main 4
networking 6, 8
filtering 7
group bridging 7
ip block 7
zone bridging 7
firewall 8
advanced 8
port forwarding 8
source mapping 8
interfaces 7
connectivity 7
external aliases 7
interfaces 7
internal aliases 7
ppp 8
secondaries 8
outgoing 8
external services 8
policies 8
ports 8
routing 7
ports 7
rip 7

whois 14
hardware 14
failover 14
firmware upload 14
modem 14
ups 14
maintenance 13
archives 13
licenses 13
modules 13
scheduler 13
shutdown 13
updates 13
preferences 13
hostname 13
registration options 13
time 13
vpn 15
ca 15
certs 15
control 15
global 15
ipsec roadwarriors 15
ipsec subnets 15
l2tp roadwarriors 15
ssl roadwarriors 15
parent node 292
passwords 3
policies 11, 114
intrusion 114
outgoing 8
port forwarding 8
port forwards 67
comment 69
creating 68
criteria 67
destination address 69
destination port 69
editing 69
enabled 69
external ip 68
ips 69
logging 69
protocol 68
removing 69
source IP 69
source port 69
user defined 69
port groups 8
port rules 72
creating 73
deleting 75, 78
editing 75, 78
modes 72
preset 72


sources 7
subnets 7
settings
advanced 8
port groups 8
services 8
authentication 9
directories 9
groups 9
kerberos keytabs 9
settings 9
ssl login 9
temporary bans 9
user activity 9
wpa enterprise 9
dhcp
dhcp custom options 12
dhcp leases 12
dhcp relay 12
dhcp server 12
global 12
dns 11
dns proxy 11
dynamic dns 11
static dns 11
ids 11
intrusion system
detection 11
policies 11
signatures 11
message censor 11
proxies 9
ftp 10
im proxy 9
sip 10
web proxy 9
snmp 11
user portal 9
groups 9
portals 9
user exceptions 9
system
administration 14
admin options 14
administrative users 14
external access 14
central management
child nodes 13
local node settings 13
overview 13
diagnostics 14
configuration tests 14
diagnostics 14
ip tools 14
traffic analysis 14


Index

external access 273


external service 78
group bridging 63
internal alias 47
ip blocking 51
port 43
port forward 67
source 76
source mapping 46
subnet 39
zone bridging 59


radius
action on login failure 200
cache timeout 200
identifying IP address 200
obtain groups from radius 200
port 200
secret 199
server 199
status 199
tenants 199
realtime 5
email 5, 6
reboot 299
registration options 13
reports 5, 127, 219
custom 5
database 224
reports 5
scheduled 5
reverse proxy 6, 10
violations alert 228
rip 7
routing 7
rules
dynamic host 107

scheduled reports 5
scheduler 13
secondaries 8
secondary dns 20
selective ACK 54
services
authentication 9, 193
dhcp 12, 119
dns 11, 105
dns proxy 106
dynamic dns 107
ids 11
intrusion system 114
message censor 11
portal 9
rip 40
sip 96
snmp 11, 104
settings 6, 9
shutdown 13
signatures 11
sip 10, 96
types 96
site address 18
smoothrule violations 228
smoothtunnel vpn certificate monitor 228
snmp 11, 104
snmp 11
source mapping 8, 46
source rules 76
sources 7
ssh 17
client 17
SSL 162
ssl login 9
accessing the page 210
customizing 209
exceptions 211
ssl roadwarriors 15
static ethernet
settings 22
subnets 7


viewing 75
portal 5, 9, 236
access 86
configure 81
delete 86
edit 86
groups 85
policy tester 83
user except 85
portals 9
ports 7, 8
ppp 8
ppp over ethernet
settings 25
ppp profile
creating 31
pptp client
support 70
pptp over ethernet
settings 26
preferences 13
prevention policies 115
primary dns 20
proxies 9
dns 106
sip 96
proxy
ftp 99

vpn tunnel status 228

SYN backlog queue 54


SYN cookies 54
SYN+FIN packets 53
system 5, 6
system boot (restart) notification 229
system resource monitor 228
system service monitoring 228

W
web proxy 6, 9
white-list users 95
whois 14
window scaling 54
wpa enterprise 9, 213

T
Y
yahoo 95


zone bridge
narrow 59
rule
create 59
settings 60
tutorial 61
wide 59
zone bridging 7, 59


TCP timestamps 54
telephony
settings 32
temporary ban 206
temporary bans 9
tenants 275
time 13
time out 193
time slots 11
time-out 302
traffic
analysis 14
graphs 5
traffic statistics monitor 228
training 1
tutorial
vpn 178
zone bridging 61


unauthenticated ips 216


unknown entity 18
updates 13
ups 14, 277
ups, power supply status warning 228
url test tool 83
user
activity 9, 208
identity 301
user exceptions 9
users
banned 216
default 216
local 204
network administrators 216
temporary ban 206
unauthenticated IPs 216

V
virtual lans 36
vlan 36
voip 96
vpn 15, 127
authentication 128
psk 129
x509 129

