Smoothwall Limited
1 John Charles Way
Leeds. LS12 6QA
United Kingdom
Email: info@smoothwall.net
Web: www.smoothwall.net
Contents
Chapter 1
Introduction .................................................... 1
Overview of Advanced Firewall ....................................................... 1
Who should read this guide? ........................................................... 1
Other User Information..................................................................... 1
Annual Renewal................................................................................. 2
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Configuring a Portal........................................................................ 83
Accessing Portals ........................................................................... 86
Editing Portals ................................................................................. 86
Deleting Portals............................................................................... 86
Managing the Web Proxy Service.................................................. 87
Configuring and Enabling the Web Proxy Service ....................... 88
About Web Proxy Methods ............................................................ 91
Configuring End-user Browsers .................................................... 92
Instant Messenger Proxying .......................................................... 93
Monitoring SSL-encrypted Chats .................................................. 96
SIP Proxying .................................................................................... 96
Types of SIP Proxy .......................................................................... 96
Choosing the Type of SIP Proxying............................................... 97
Configuring SIP ............................................................................... 97
FTP Proxying ................................................................................... 99
Configuring non-Transparent FTP Proxying ................................ 99
Configuring Transparent FTP Proxying ...................................... 100
Reverse Proxy Service.................................................................. 102
Configuring the Reverse Proxy Service ...................................... 103
SNMP.............................................................................................. 104
DNS................................................................................................. 105
Adding Static DNS Hosts ............................................................. 105
Enabling the DNS Proxy Service.................................................. 106
Managing Dynamic DNS............................................................... 107
Censoring Message Content ....................................................... 109
Configuration Overview................................................................ 109
Managing Custom Categories ..................................................... 109
Setting Time Periods .................................................................... 110
Creating Filters.............................................................................. 111
Creating and Applying Message Censor Policies...................... 113
Editing Polices............................................................................... 114
Deleting Policies ........................................................................... 114
Managing the Intrusion System................................................... 114
About the Default Policies............................................................ 114
Deploying Intrusion Detection Policies....................................... 114
Deploying Intrusion Prevention Policies ..................................... 115
Creating Custom Policies............................................................. 117
Uploading Custom Signatures..................................................... 118
DHCP.............................................................................................. 119
Enabling DHCP.............................................................................. 120
Creating a DHCP Subnet.............................................................. 120
Editing a DHCP subnet ................................................................. 123
Deleting a DHCP subnet............................................................... 123
Adding a Dynamic Range ............................................................. 123
Adding a Static Assignment......................................................... 123
Adding a Static Assignment from the ARP Table ...................... 124
Editing and Removing Assignments ........................................... 124
Viewing DHCP Leases .................................................................. 124
DHCP Relaying .............................................................................. 125
Creating Custom DHCP Options ................................................. 125
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Appendix A
Appendix B
Appendix C
Appendix D
Glossary ..................................................................... 341
Index ..................................................................... 349
Chapter 1
Introduction
In this chapter:
User information.
Perimeter firewall: multiple Internet connections with load sharing and automatic connection failover.
User authentication: policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers.
Load balancer: the ideal solution for the efficient and resilient use of multiple Internet connections.
Internal firewall: segregation of networks into physically separate zones with user-level access control of inter-zone traffic.
VPN gateway: site-to-site, secure remote access and secure wireless connections.
Other User Information
Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you
purchase annual renewal. For more information, contact your Smoothwall representative.
Chapter 2
Advanced Firewall Overview
In this chapter:
In a web browser, enter the address of your Advanced Firewall, for example:
https://192.168.72.141:441
Note: The example address above uses HTTPS, which encrypts the administrator login and everything that follows between your browser and Advanced Firewall. The interface is also reachable over plain HTTP on port 81, but that sends the admin password and session in cleartext to anyone who can observe the path to the firewall; use it only if you are satisfied with less security, and never across an untrusted network.
Note: The following sections assume that you have registered and configured Advanced Firewall as
described in the Advanced Firewall Installation and Setup Guide.
Username: Enter admin. This is the default Advanced Firewall administrator account.
Password: Enter the password you specified for the admin account when installing Advanced Firewall.
The following sections give an overview of Advanced Firewall's default sections and pages.
Dashboard
The dashboard is the default home page of your Advanced Firewall system. It displays service
information and customizable summary reports.
Reports
Summary: Displays a number of generated reports. For more information, see Chapter 11, About the Summary Page on page 219.
Reports: Where you generate and organize reports. For more information, see Chapter 11, Generating Reports on page 220.
Recent and saved: Lists recently-generated and previously saved reports. For more information, see Chapter 11, Saving Reports on page 220.
Scheduled: Sets which reports are automatically generated and delivered. For more information, see Chapter 11, Scheduling Reports on page 223.
Custom: Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 307.
Alerts
Alerts: Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 12, Alerts on page 227.
Alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 12, Configuring Alert Settings on page 230.
Realtime
System: A realtime view of the system log with some filtering options. For more information, see Chapter 12, Realtime System Information on page 233.
Firewall: A realtime view of the firewall log with some filtering options. For more information, see Chapter 12, Realtime Firewall Information on page 234.
IPSec: A realtime view of the IPSec log with some filtering options. For more information, see Chapter 12, Realtime IPsec Information on page 235.
Email: Displays the email log viewer running in realtime mode. For more information, see Chapter 12, Email Logs on page 245.
Portal: A realtime view of activity on user portals. For more information, see Chapter 12, Realtime Portal Information on page 236.
IM proxy: A realtime view of recent instant messaging conversations. For more information, see Chapter 12, Realtime Instant Messaging on page 237.
Traffic graphs: Displays a realtime bar graph of the bandwidth being used. For more information, see Chapter 12, Realtime Traffic Graphs on page 237.
Logs
System: Simple logging information for the internal system services. For more information, see Chapter 12, System Logs on page 239.
Firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 12, Firewall Logs on page 241.
IPSec: Displays diagnostic information for VPN tunnels. For more information, see Chapter 12, IPSec Logs on page 243.
Email: Displays sender, recipient, subject and other email message information. For more information, see Chapter 12, Email Logs on page 245.
IDS: Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 12, IDS Logs on page 246.
IPS: Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 12, IPS Logs on page 247.
IM proxy
Web proxy: Displays detailed analysis of web proxy usage. For more information, see Chapter 12, Web Proxy Logs on page 249.
Reverse proxy: Displays information on reverse proxy usage. For more information, see Chapter 12, Reverse Proxy Logs on page 249.
Log settings: Settings to configure which logs you want to keep, an external syslog server, and automated log deletion and rotation options. For more information, see Chapter 12, Configuring Log Settings on page 251.
Settings
Datastore settings: Contains settings to manage the storing of log files. For more information, see Chapter 11, Managing Log Retention on page 224.
Groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 12, Configuring Groups on page 254.
Output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 12, Configuring Output Settings on page 255.
Networking
The Networking section contains the following sub-sections and pages:
Filtering
Zone bridging
Group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 63.
IP block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 51.
Routing
Subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 39.
RIP: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 40.
Sources: Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 42.
Ports: Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 43.
Interfaces
Interfaces
Internal aliases
External aliases
Connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Connecting Using a Static Ethernet Connectivity Profile on page 20.
PPP: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 31.
Secondaries
Firewall
Port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards Inbound Security on page 67.
Source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 46.
Advanced: Used to enable or disable NAT helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 70.
Outgoing
Policies: Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Working with Outbound Access Policies on page 76.
Ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Managing Outbound Traffic and Services on page 72.
External services
Settings
Port groups: Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Chapter 5, Working with Port Groups on page 55.
Advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 52.
Services
The Services section contains the following sub-sections and pages:
Authentication
Settings: Used to set global login time settings. For more information, see Chapter 10, Configuring Global Authentication Settings on page 193.
Directories: Used to connect to directory servers in order to retrieve groups, apply network and web filtering permissions, and verify the identity of users trying to access network or Internet resources. For more information, see Chapter 10, About Directory Servers on page 194.
Groups: Used to customize group names. For more information, see Chapter 10, Managing Groups of Users on page 216.
Temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Chapter 10, Managing Temporarily Banned Users on page 206.
User activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 10, Managing User Activity on page 208.
SSL login: Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, see Chapter 10, About SSL Authentication on page 209.
Kerberos keytabs: This is where Kerberos keytabs are imported and managed. For more information, see Chapter 10, Managing Kerberos Keytabs on page 212.
WPA Enterprise: Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, see Chapter 10, Using WPA Enterprise on page 213.
User Portal
Portals: This page enables you to configure and manage user portals. For more information, see Chapter 8, Working with Portals on page 81.
Groups: This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 85.
User exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 85.
Proxies
Web proxy: Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Managing the Web Proxy Service on page 87.
Instant messenger: Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 93.
SIP: Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 96.
FTP: Used to configure and enable a proxy to manage FTP traffic. For more information, see Chapter 8, FTP Proxying on page 99.
Reverse proxy: The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Chapter 8, Reverse Proxy Service on page 102.
SNMP
SNMP
DNS
Static DNS: Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 105.
DNS proxy: Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 106.
Dynamic DNS: Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 107.
Message Censor
Policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Message Censor Policies on page 113.
Filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 111.
Time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 110.
Custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 109.
Intrusion System
Signatures: Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Chapter 8, Uploading Custom Signatures on page 118.
Policies
IDS: Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Chapter 8, Deploying Intrusion Detection Policies on page 114.
IPS: Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Chapter 8, Deploying Intrusion Prevention Policies on page 115.
DHCP
Global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 120.
DHCP server
DHCP leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 124.
DHCP relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see Chapter 8, DHCP Relaying on page 125.
Custom options: Used to create and edit custom DHCP options. For more information, see Chapter 8, Creating Custom DHCP Options on page 125.
System
The System section contains the following sub-sections and pages:
Maintenance
Updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 13, Installing Updates on page 259.
Modules: Used to upload, view, check, install and remove Advanced Firewall modules. For more information, see Chapter 13, Managing Modules on page 261.
Licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 13, Licenses on page 262.
Archives: Used to create and restore archives of system configuration information. For more information, see Chapter 13, Archives on page 262.
Scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 13, Scheduling on page 264.
Shutdown: Used to shut down or reboot the system. For more information, see Chapter 13, Shutting down and Rebooting on page 267.
Central Management
Overview: This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Chapter 14, Managing Nodes in a Smoothwall System on page 297.
Child nodes: This is where you add and configure nodes in a Smoothwall system. For more information, see Chapter 14, Configuring Child Nodes on page 293.
Local node settings: This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Chapter 14, Setting up a Centrally Managed Smoothwall System on page 292.
Preferences
User interface: Used to manage Advanced Firewall's dashboard settings. For more information, see Chapter 13, Configuring the User Interface on page 268.
Time: Used to manage Advanced Firewall's time zone, date and time settings. For more information, see Chapter 13, Setting Time on page 269.
Registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Chapter 13, Configuring Registration Options on page 270.
Hostname
Administration
Admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Chapter 13, Configuring Admin Access Options on page 272.
External access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Chapter 13, Configuring External Access on page 273.
Administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 13, Administrative User Settings on page 274.
Hardware
UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 13, Managing UPS Devices on page 277.
Failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Chapter 13, Managing Hardware Failover on page 279.
Modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 13, Configuring Modems on page 284.
Firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 13, Installing and Uploading Firmware on page 286.
Diagnostics
Configuration tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Chapter 13, Diagnostics on page 286.
Diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 13, Generating Diagnostics on page 287.
IP tools: Contains the ping and traceroute IP tools. For more information, see Chapter 13, IP Tools on page 288.
Whois
Traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 13, Analyzing Network Traffic on page 289.
Certificates
Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Chapter 13, Managing CA Certificates on page 290.
VPN
The VPN section contains the following pages:
Control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 175.
Certificate authorities: Used to create a local certificate authority (CA) for use in a VPN setup authenticated with X.509 certificates. It is also possible to import and export CA certificates on this page. For more information, see Chapter 9, Working with Certificate Authorities and Certificates on page 131.
Certificates: Used to create host certificates once a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 134.
Global: Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 137.
IPSec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs IPSec on page 138.
IPSec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see Chapter 9, IPSec Road Warriors on page 151.
L2TP roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 154.
SSL roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, see Chapter 9, Managing Custom Client Scripts for SSL VPNs on page 164.
Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required
configuration settings.
IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges
can span subnets. For example:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255
Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The
format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24
Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address.
Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0
Port Range
A port range can be entered into most user-defined port fields to describe a sequential range of communication ports from low to high. The following format is used:
137:139
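The four notations above (IP address range, subnet in dotted or prefix form, separate netmask, port range) are easy to get subtly wrong when scripting configuration or reviewing an exported rule set. The following validator is an added example written for this guide, not Smoothwall code: it parses each notation with Python's standard ipaddress module, rejects ranges that are not low-to-high and netmasks that are not contiguous, and reports how many addresses a cross-subnet range actually covers. The test values are the guide's own examples plus a few constructed bad inputs.

```python
"""Validate the IP range, subnet, netmask and port-range notations used in
Advanced Firewall configuration fields. Added example, not Smoothwall code."""
import ipaddress
from typing import Callable, Tuple


def parse_ip_range(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """'low-high', e.g. 192.168.10.1-192.168.12.255. Ranges may span subnets."""
    try:
        low_s, high_s = text.split("-")
    except ValueError:
        raise ValueError(f"IP range must be 'low-high': {text!r}") from None
    low = ipaddress.IPv4Address(low_s.strip())
    high = ipaddress.IPv4Address(high_s.strip())
    if low > high:
        raise ValueError(f"IP range is not low-to-high: {text!r}")
    return low, high


def range_size(text: str) -> int:
    """Number of addresses an IP range covers (useful when it spans subnets)."""
    low, high = parse_ip_range(text)
    return int(high) - int(low) + 1


def parse_subnet(text: str) -> ipaddress.IPv4Network:
    """'address/mask' with the mask either dotted (255.255.255.0) or a prefix (24).
    strict=False accepts an arbitrary address inside the network, as the guide
    allows, and normalises it to the network address."""
    if "/" not in text:
        raise ValueError(f"subnet must be 'address/mask': {text!r}")
    return ipaddress.IPv4Network(text.strip(), strict=False)


def parse_netmask(text: str) -> int:
    """Dotted netmask to prefix length. Non-contiguous masks such as
    255.0.255.0 raise NetmaskValueError (a ValueError)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{text.strip()}").prefixlen


def parse_port_range(text: str) -> Tuple[int, int]:
    """'low:high', e.g. 137:139, with both ports in 0-65535."""
    parts = text.split(":")
    if len(parts) != 2:
        raise ValueError(f"port range must be 'low:high': {text!r}")
    low, high = (int(p) for p in parts)
    for port in (low, high):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range 0-65535: {port}")
    if low > high:
        raise ValueError(f"port range is not low-to-high: {text!r}")
    return low, high


def is_valid(parser: Callable[[str], object], text: str) -> bool:
    """True if `text` is accepted by `parser`; False on any ValueError."""
    try:
        parser(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("192.168.10.1-192.168.10.20", "192.168.10.1-192.168.12.255"):
        print(sample, "->", range_size(sample), "addresses")
    print(parse_subnet("192.168.10.0/255.255.255.0"), parse_netmask("255.255.248.0"))
    print(parse_port_range("137:139"), is_valid(parse_ip_range, "192.168.10.20-192.168.10.1"))
```

Run it to see that the second example range covers 767 addresses, far more than a glance at the two endpoints suggests; that is the kind of over-broad rule an IP-block or source-mapping review should catch.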
Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment.
This feature is provided so that administrators can record human-friendly notes against configuration
settings they implement.
Comments are entered in the Comment fields and displayed alongside saved configuration
information.
Creating a Rule
To create a rule:
1 Click Add to create the rule and add it to the appropriate Current rules area.
Editing a Rule
To edit a rule:
1 Find the rule in the Current rules area and select its adjacent Mark option.
2 Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
3 Click Add to re-create the edited rule and add it to the Current rules area.
Removing a Rule
To remove one or more rules:
Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.
Check SSH access is enabled on Advanced Firewall. See Chapter 13, Configuring Admin Access Options on page 272 for more information.
In your SSH client, configure the following fields:
Port: Enter 222
Protocol: Select SSH.
Click Open. When prompted, enter root and the password associated with it. You are given access to the Advanced Firewall command line.
Note: This login is the root account of the firewall itself. Limit which interfaces, networks and hosts can reach port 222 using the rules on the System > Administration > External access page (see Chapter 13, Configuring External Access on page 273), and keep SSH disabled when you do not need it.
Secure Communication
When you connect your web browser to Advanced Firewall's web-based interface on an HTTPS port for the first time, your browser will display a warning that Advanced Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity (it was not issued by a certification authority your browser trusts) or that you may be connecting to a site pretending to be another site. The browser cannot tell these two cases apart, so before accepting the certificate confirm that it really belongs to your Advanced Firewall, for example by comparing its fingerprint with one you recorded over a trusted channel such as the console.
Chapter 3
Advanced Firewall supports the following connection methods:
Ethernet
Modem
Ethernet/modem hybrid
Up to five different connections to the Internet can be defined, each stored in its own connectivity
profile. Each profile defines the type of connection that should be used and appropriate settings.
The following sections explain how to connect using different connection methods.
On the Networking > Interfaces > Interfaces page, configure the following setting:
Default gateway
Point to the network interface card (NIC) you want to use and select Edit.
Name
Use as: Select External.
MTU
On the Networking > Interfaces > Connectivity page, configure the following settings:
Profiles
Profile name
Method
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP
Secondary failover ping IP
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign a weight to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update. In the Static Ethernet settings area, configure the following settings:
Interface: From the drop-down list, select the Ethernet interface for this connection.
Default gateway: Enter the default gateway IP address as provided by your ISP.
Address
Netmask
Primary DNS
Secondary DNS
Click Save and connect to save the profile and connect to the Internet immediately.
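The Automatic failover to profile, failover ping IP and Weighting settings described above (and repeated in the DHCP Ethernet procedure that follows) interact in ways worth reasoning through before you rely on them, in particular what happens when profiles are daisy-chained into a loop. The model below is an added example written for this guide, not Smoothwall's implementation: the Profile shape, the REBOOT sentinel standing for the guide's reboot option, the rule that a profile counts as up when either of its ping hosts answers, and the RFC 5737 documentation addresses in EXAMPLE_PROFILES are all assumptions.

```python
"""Model the failover chain and weighted load balancing of connectivity profiles.
Added example, not Smoothwall code; data shapes and tie-break rules are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

REBOOT = "reboot"   # assumed sentinel for "reboot if all of the connections fail"


@dataclass
class Profile:
    name: str
    ping_ips: List[str]                 # Primary and Secondary failover ping IP
    failover_to: Optional[str] = None   # Automatic failover to profile
    weight: int = 0                     # Weighting; 0 = not in the load balancing pool


def profile_is_up(profile: Profile, reachable: Set[str]) -> bool:
    """`reachable` is the set of ping hosts that answered (stands in for real
    ICMP probes). Assumed rule: up if either ping host answers."""
    return any(ip in reachable for ip in profile.ping_ips)


def resolve_active_profile(profiles: Dict[str, Profile], start: str,
                           reachable: Set[str]) -> str:
    """Walk the daisy chain from `start` until a profile whose ping hosts answer
    is found. A chain that loops (A -> B -> A) or dead-ends resolves to REBOOT
    instead of cycling forever."""
    visited: Set[str] = set()
    current: Optional[str] = start
    while current is not None and current not in visited:
        visited.add(current)
        profile = profiles.get(current)
        if profile is None:             # reference to a deleted profile
            break
        if profile_is_up(profile, reachable):
            return profile.name
        current = profile.failover_to
    return REBOOT


def traffic_shares(profiles: Dict[str, Profile]) -> Dict[str, float]:
    """Fraction of outbound traffic each pooled connection receives, by weight.
    With nothing pooled, everything leaves via the primary connection, which
    this model takes to be the first profile defined."""
    pooled = {p.name: p.weight for p in profiles.values() if p.weight > 0}
    if not pooled:
        return {next(iter(profiles)): 1.0}
    total = sum(pooled.values())
    return {name: weight / total for name, weight in pooled.items()}


# Constructed sample data (RFC 5737 addresses), chained fibre -> dsl -> lte -> fibre.
EXAMPLE_PROFILES: Dict[str, Profile] = {
    "fibre": Profile("fibre", ["198.51.100.1", "198.51.100.2"], failover_to="dsl", weight=3),
    "dsl":   Profile("dsl",   ["203.0.113.1"],                 failover_to="lte", weight=1),
    "lte":   Profile("lte",   ["192.0.2.1"],                   failover_to="fibre"),
}

if __name__ == "__main__":
    for answered in ({"198.51.100.2"}, {"203.0.113.1"}, {"192.0.2.1"}, set()):
        print(sorted(answered) or "nothing answers", "->",
              resolve_active_profile(EXAMPLE_PROFILES, "fibre", answered))
    print("shares:", traffic_shares(EXAMPLE_PROFILES))
```

Two points the table does not spell out follow from running it: a loop in the chain is harmless only because the walk remembers where it has been, and the Weighting values only matter for connections actually in the pool, so a profile that is a failover target but has no weight receives no traffic while the primary is healthy.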
On the Networking > Interfaces > Interfaces page, configure the following setting:
Setting
Description
Default gateway
Point to the network interface card (NIC) you want to use and select Edit.
Setting
Description
Name
Use as
Select External.
MTU
On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting
Description
Profiles
Profile name
Method
Auto connect on boot
By default, all connections automatically connect at boot time. To disable this behaviour, deselect this option.
Custom MTU
Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile
Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP
Secondary failover ping IP
Load balance outgoing traffic
Select to divide outbound NATed traffic among the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic
Select to divide web proxy traffic among the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting
From the drop-down list, select the weight to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update and in the DHCP Ethernet settings area, configure the following settings:
Setting
Description
Interface
From the drop-down list, select the Ethernet interface for this connection.
DHCP
Hostname
MAC spoof
Click Save and connect to save the profile and connect to the Internet immediately.
On the Networking > Interfaces > Interfaces page, configure the following setting:
Setting
Description
Default gateway
Point to the network interface card (NIC) you want to use and select Edit.
Setting
Description
Name
Use as
Select External.
MTU
On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting
Description
Profiles
Profile name
Method
Auto connect on boot
By default, all connections automatically connect at boot time. To disable this behaviour, deselect this option.
Custom MTU
Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile
Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP
Secondary failover ping IP
Load balance outgoing traffic
Select to divide outbound NATed traffic among the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic
Select to divide web proxy traffic among the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting
From the drop-down list, select the weight to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update. In the PPP over Ethernet settings area, configure the following settings:
Setting
Description
Service name If required, enter the service name as specified by your ISP.
Concentrator If required, enter the concentrator name as specified by your ISP.
Interface
From the drop-down list, select the Ethernet interface for this connection.
PPP Profile
From the drop-down list, select the PPP profile for this connection. Or, if no PPP
profile has been created, click Configure PPP to go to the Networking >
Interfaces > PPP page and create one.
Click Save and connect to save the profile and connect to the Internet immediately.
On the Networking > Interfaces > Interfaces page, configure the following setting:
Setting
Description
Default gateway
Point to the network interface card (NIC) you want to use and select Edit.
Setting
Description
Name
Use as
Select External.
MTU
On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting
Description
Profiles
Profile name
Method
Auto connect on boot
By default, all connections automatically connect at boot time. To disable this behaviour, deselect this option.
Custom MTU
Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile
Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP
Secondary failover ping IP
Load balance outgoing traffic
Select to divide outbound NATed traffic among the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic
Select to divide web proxy traffic among the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting
From the drop-down list, select the weight to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update. In the PPTP over Ethernet settings area, configure the following settings:
Setting
Description
Interface
From the drop-down list, select the Ethernet interface for this connection.
PPP Profile
From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
Address
Netmask
Gateway
Telephone
Click Save and connect to save the profile and connect to the Internet immediately.
On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting
Description
Profiles
Profile name
Method
Auto connect on boot
By default, all connections automatically connect at boot time. To disable this behaviour, deselect this option.
Custom MTU
Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile
Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP
Secondary failover ping IP
Load balance outgoing traffic
Select to divide outbound NATed traffic among the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic
Select to divide web proxy traffic among the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting
From the drop-down list, select the weight to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update. In the ADSL modem settings area, configure the following settings:
Setting
Description
Service name Leave this field blank. It is not required for this type of profile.
Concentrator Leave this field blank. It is not required for this type of profile.
PPP Profile
From the drop-down list, select the PPP profile for this connection.
Or, if no PPP profile has been created, click Configure PPP to go to Networking
> Interfaces > PPP page and create one. For more information, see Creating a PPP
Profile on page 31.
Click Save and connect to save the profile and connect to the Internet immediately.
On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting
Description
Profiles
Profile name
Method
Auto connect on boot
By default, all connections automatically connect at boot time. To disable this behaviour, deselect this option.
Custom MTU
Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile
Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP
Secondary failover ping IP
Load balance outgoing traffic
Select to divide outbound NATed traffic among the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic
Select to divide web proxy traffic among the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting
From the drop-down list, select the weight to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update. In the ISDN settings area, configure the following settings:
Setting
Description
PPP Profile
From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
Telephone
Channels
From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
Keep second channel up
Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.
Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall automatically closes it. Forcing the second channel to stay up prevents this from happening.
Minimum time to keep second channel up (sec)
Click Save to save the profile or Save and connect to save the profile and use it to connect to the
Internet immediately.
On the Networking > Interfaces > Connectivity page, configure the following settings:
Setting
Description
Profiles
Profile name
Method
Select Modem.
Auto connect on boot
By default, all connections automatically connect at boot time. To disable this behaviour, deselect this option.
Custom MTU
Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.
Automatic failover to profile
Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles for Advanced Firewall to try in turn if it cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP
Secondary failover ping IP
Load balance outgoing traffic
Select to divide outbound NATed traffic among the primary external connection and any secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic
Select to divide web proxy traffic among the primary external connection and any secondary connections that have been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic is sent out of the primary external connection.
Weighting
From the drop-down list, select the weight to assign to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.
Click Update. In the Modem settings area, configure the following settings:
Setting
Description
PPP Profile
From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the Networking > Interfaces > PPP page and create one. For more information, see Creating a PPP Profile on page 31.
Modem profile
From the drop-down list, select the modem profile to use. See Configuring Modems on page 284 for more information on modem profiles.
Telephone
Click Save and connect to save the profile and use it to connect to the Internet immediately.
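The Automatic failover to profile option and its reboot fallback, described in the connectivity profile tables above, behave like a chain walk: try the current profile, treat it as failed only when none of its ping targets answer, move on to the profile it names, and reboot (if that option is set) once the chain is exhausted. The following is an added worked example of that logic, not Smoothwall code; the Profile structure, the probe callback and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Profile:
    """Constructed stand-in for one connectivity profile's failover fields."""
    name: str
    primary_ping_ip: str
    secondary_ping_ip: Optional[str] = None
    failover_to: Optional[str] = None  # the 'Automatic failover to profile' choice


def connection_is_up(profile: Profile, probe: Callable[[str], bool]) -> bool:
    """A profile counts as failed only when none of its configured ping targets
    answer: with two targets configured, both must be unreachable."""
    targets = [ip for ip in (profile.primary_ping_ip, profile.secondary_ping_ip) if ip]
    return any(probe(ip) for ip in targets)


def select_profile(profiles: Dict[str, Profile], start: str,
                   probe: Callable[[str], bool],
                   reboot_if_all_fail: bool = False) -> Optional[str]:
    """Walk the failover chain from `start`.

    Returns the first profile whose targets answer, 'reboot' if every profile
    fails and the reboot option is set, or None when the chain is exhausted.
    Each profile is visited at most once, so a mis-configured chain that points
    back at an earlier profile cannot loop forever."""
    visited: Set[str] = set()
    current: Optional[str] = start
    while current and current not in visited:
        visited.add(current)
        profile = profiles[current]
        if connection_is_up(profile, probe):
            return profile.name
        current = profile.failover_to
    return "reboot" if reboot_if_all_fail else None


# Constructed chain: fibre -> dsl -> lte, each with its own probe targets
# (documentation addresses; nothing here is pinged for real).
CHAIN = {
    "fibre": Profile("fibre", "198.51.100.1", "198.51.100.2", failover_to="dsl"),
    "dsl": Profile("dsl", "203.0.113.1", None, failover_to="lte"),
    "lte": Profile("lte", "192.0.2.1"),
}


def probe_from(reachable: Set[str]) -> Callable[[str], bool]:
    """Stand-in for the ping check: a target answers iff it is in `reachable`."""
    return lambda ip: ip in reachable


if __name__ == "__main__":
    print(select_profile(CHAIN, "fibre", probe_from({"198.51.100.2"})))  # fibre
    print(select_profile(CHAIN, "fibre", probe_from({"192.0.2.1"})))     # lte
    print(select_profile(CHAIN, "fibre", probe_from(set()), True))        # reboot
```

Note that a profile stays selected while only one of its two targets still answers; choose two targets that fail independently of each other, or the second one adds nothing.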
Creating a PPP Profile
On the Networking > Interfaces > PPP page, configure the following settings:
Setting
Description
Profiles
Profile name
Dial on Demand
Select to ensure that the PPP connection is only established when an outbound request is made. This may help reduce costs if your ISP uses per unit time billing.
Dial on Demand for DNS
Select to ensure that the system dials for DNS requests; this is normally the desired behaviour.
Idle timeout
Enter the number of minutes that the connection must remain inactive before it is automatically closed by Advanced Firewall. Enter 0 to disable this setting.
Persistent connection
Select to ensure that once this PPP connection has been established, it remains connected regardless of the value entered in the Idle timeout field.
Maximum retries
Enter the maximum number of times that Advanced Firewall will try to connect following a failure to connect.
Username
Password
Method
Script name
Enter the name of a logon script here, if your ISP instructs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Type
Primary DNS
If Manual has been selected, enter the primary DNS server IP address.
Secondary DNS
If Manual has been selected, enter the secondary DNS server IP address.
Modifying Profiles
To modify a profile:
1. On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to modify and click Select.
2. Make the changes. See Connecting Using an Internet Connectivity Profile on page 20 for information on the settings.
Note: Any changes made to a profile used in a current connection will only be applied following reconnection.
Deleting Profiles
To delete a profile:
1. On the Networking > Interfaces > Connectivity page, from the Profiles drop-down list, select the profile you wish to delete and click Select.
Note: Deleting a profile used as part of a current connection will cause the current connection to close.
Creating Bridges
To create a bridge:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting
Description
Name
Type
Select Bridge.
Ports
From the ports listed as available, select the ports to be used as bridge members.
Use as
MAC
3. Click Add. Advanced Firewall adds the bridge to the list on the Networking > Interfaces > Interfaces page.
Editing Bridges
To edit a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bridges on page 33 for information on the settings available.
Deleting Bridges
To delete a bridge:
1. On the Networking > Interfaces > Interfaces page, point to the bridge and click Delete.
2. When prompted, click Delete to confirm you want to delete the bridge. Advanced Firewall deletes the bridge.
Creating Bonds
To create a bond:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting
Description
Name
Type
Select Bonding.
Ports
From the ports listed as available, select the ports to be used as bond members.
Use as
MAC
3. Click Add. Advanced Firewall adds the bond to the list on the Networking > Interfaces > Interfaces page.
Editing Bonds
To edit a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Edit.
2. In the Edit interface dialog box, make the changes needed. See Creating Bonds on page 34 for information on the settings available.
Deleting Bonds
To delete a bond:
1. On the Networking > Interfaces > Interfaces page, point to the bond and click Delete.
2. When prompted, click Delete to confirm you want to delete the bond. Advanced Firewall deletes the bond.
Configuring IP Addresses
The following sections explain how to add, edit and delete IP addresses used by interfaces.
Note: External aliases are configured on the Networking > Interfaces > External aliases page. See Chapter
4, Creating an External Alias Rule on page 45 for more information.
Adding an IP Address
To add an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface you want to add an IP address to.
2. In the IP addresses dialog box, click Add new address. In the Add new address dialog box, configure the following settings:
Setting
Description
Status
IP address
Enter an IP address.
Subnet mask
Gateway
Editing an IP Address
To edit an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to edit.
2. In the IP addresses dialog box, point to the address and click Edit.
3. In the Edit address dialog box, make the changes needed and click Save changes. Advanced Firewall applies the changes.
Deleting an IP Address
To delete an IP address:
1. On the Networking > Interfaces > Interfaces page, click on the interface whose IP address you want to delete.
2. In the IP addresses dialog box, point to the address and click Delete.
Virtual LANs
Advanced Firewall supports the creation of Virtual LANs (VLANs) by binding a virtual network interface, identified by an 802.1Q VLAN ID, to a regular NIC on the system.
Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC. That isolation holds only if the switch port the NIC connects to is configured to trunk exactly the tagged VLANs you intend to expose to the firewall.
Creating a VLAN
To create a VLAN:
1. On the Networking > Interfaces > Interfaces page, click Add new interface.
2. In the Add new interface dialog box, configure the following settings:
Setting
Description
Name
Type
Select VLAN.
Parent interface
From the drop-down list of NICs available, select the interface to use.
VLAN ID
Use as
3. Click Add. The VLAN is added to the list of interfaces below, where you can configure it.
Editing a VLAN
To edit a VLAN:
1. On the Networking > Interfaces > Interfaces page, point to the VLAN and click Edit.
2. In the Edit interface dialog box, make the changes needed and click Save changes. See Creating a VLAN on page 36 for information on the settings available.
Deleting a VLAN
To delete a VLAN:
1. On the Networking > Interfaces > Interfaces page, point to the VLAN and click Delete.
2. When prompted, click Delete to confirm. Advanced Firewall deletes the VLAN.
Chapter 4
Creating Subnets
Large organizations often find it advantageous to group computers from different departments, floors
and buildings into their own subnets, usually with network hubs and switches.
Note: This functionality only applies to subnets available via an internal gateway.
To create a subnet rule, configure the following settings:
Setting
Description
Network
Enter the IP address that specifies the network ID part of the subnet definition when
combined with a netmask value.
Netmask
Enter a network mask that specifies the size of the subnet when combined with the
network field.
Gateway
Enter the IP address of the gateway device through which the subnet is reached. This must be an address on a network zone that Advanced Firewall is directly attached to: Advanced Firewall has to be able to reach the gateway device itself before it can route to the subnet behind it.
Metric
Enter a router metric to set the order in which routes are evaluated, with 0 being the highest priority and the default for new routes.
Comment
Enabled
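Two checks from the table above are worth seeing in code: the gateway must lie on a directly attached network, and when more than one subnet rule covers a destination, the metric (0 = highest priority) decides among routes of the same size, while a more specific prefix wins outright, as on any IP router. The following is an added example, not Smoothwall code; the SubnetRule structure, the attached zones and the routes are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SubnetRule:
    """Constructed stand-in for one row of the subnet rule table."""
    network: str
    netmask: str
    gateway: str
    metric: int = 0       # 0 is the highest priority and the default for new routes
    enabled: bool = True

    @property
    def prefix(self) -> IPv4Network:
        # strict=True refuses a Network value with host bits set under the netmask,
        # the usual sign of a mistyped address or mask.
        return ip_network(f"{self.network}/{self.netmask}", strict=True)


def gateway_is_attached(rule: SubnetRule, attached_zones: List[str]) -> bool:
    """The gateway must sit on a network Advanced Firewall is directly attached
    to; otherwise the firewall could never deliver packets to it."""
    gateway = ip_address(rule.gateway)
    return any(gateway in ip_network(zone, strict=False) for zone in attached_zones)


def lookup(rules: List[SubnetRule], destination: str) -> Optional[SubnetRule]:
    """Pick the route for `destination`: the most specific prefix wins, and among
    routes of equal prefix length the lowest metric (highest priority) wins."""
    dst = ip_address(destination)
    candidates = [r for r in rules if r.enabled and dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


# Constructed example: two internal zones, a core router on each reaching the
# 10.1.0.0/16 campus (the second at a worse metric as a backup), and a more
# specific /24 handed off to a third router.
ATTACHED = ["192.168.1.0/24", "192.168.2.0/24"]
RULES = [
    SubnetRule("10.1.0.0", "255.255.0.0", "192.168.1.254", metric=0),
    SubnetRule("10.1.0.0", "255.255.0.0", "192.168.2.254", metric=10),
    SubnetRule("10.1.5.0", "255.255.255.0", "192.168.1.253", metric=20),
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule.prefix, "via", rule.gateway, "attached:", gateway_is_attached(rule, ATTACHED))
    print("10.1.5.7 ->", lookup(RULES, "10.1.5.7").gateway)   # the /24, despite its metric
    print("10.1.9.7 ->", lookup(RULES, "10.1.9.7").gateway)   # the metric-0 /16
```

The metric only breaks ties between routes of equal size; a rule for a larger subnet at metric 0 will not capture traffic that a more specific rule already covers.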
Using RIP
The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its neighbours, typically every 30 seconds.
To configure Advanced Firewall's RIP service, configure the following settings:
Setting
Description
Enabled
Scan interval
From the drop-down menu, select the time delay between routing table imports
and exports.
Select a frequent scan interval for networks with fewer hosts. For networks with
greater numbers of hosts, choose a less frequent scan interval.
Note: There is a performance trade-off between the number of RIP-enabled
devices, network hosts and the scan frequency of the RIP service. The
periodic exchange of routing information between RIP-enabled devices
increases the ambient level of traffic on the host network. Accordingly,
administrators responsible for larger networks should consider increasing
the RIP scan interval or the suitability of the RIP service for propagating
routing information.
Direction
From the drop-down menu, select how to manage routing information. The
following options are available:
Import and Export
The RIP service will add and update its routing table from information received
from other RIP enabled gateways. The RIP service will also broadcast its routing
tables for use by other RIP enabled gateways.
Import
The RIP service will add and update its routing table from information received
from other RIP enabled gateways.
Export
The RIP service will only broadcast its routing tables for use by other RIP enabled
gateways.
Logging level
RIP interfaces
Select each interface that the RIP service should import/export routing
information to/from.
Authentication
Enabling RIP authentication ensures that routing information is only imported and exported amongst RIP-enabled devices that share the configured secret. Without it, when importing is enabled, any host on a RIP-enabled interface can announce routes and have Advanced Firewall redirect traffic through it.
Select one of the following options to manage authentication:
None
In this mode, routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint.
Password
In this mode, a plain text password is specified which must match the other RIP devices. The password is carried unencrypted in every RIP packet, so anyone who can capture traffic on the interface can read it and then announce routes of their own.
MD5
In this mode, a shared secret is specified which must match the other RIP devices. The secret itself is never transmitted; each packet carries a keyed MD5 digest computed over the packet and the secret, so a capture does not reveal the secret and an altered packet fails verification. Use this option wherever all RIP devices support it.
Password
Again
Direct routing interfaces
Optionally, select interfaces whose information should also include routes to the RIP service's own interfaces when exporting RIP data.
This ensures that other RIP devices are able to route directly and efficiently to each exported interface.
Click Save.
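The difference between the Password and MD5 authentication modes above is easiest to see on the wire. The following added example, which is not Smoothwall code, builds a RIPv2 response two ways: with the plain password embedded in the authentication entry, and with a keyed MD5 digest over the packet plus a secret that is never sent. The packet layout is a simplified model of RFC 2082 (route entries are real RIPv2 entries, but the authentication trailer is a constructed stand-in), and the routes and keys are constructed for illustration.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

Route = Tuple[str, str, str, int]  # (network, netmask, next hop, metric)

RIP_HEADER = struct.pack("!BBH", 2, 2, 0)  # command=2 (response), version=2, pad


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def encode_routes(routes: List[Route]) -> bytes:
    """Pack routes as 20-byte RIPv2 entries (address family 2, route tag 0)."""
    return b"".join(struct.pack("!HH4s4s4sI", 2, 0, _ip(net), _ip(mask), _ip(hop), metric)
                    for net, mask, hop, metric in routes)


def build_plaintext(routes: List[Route], password: bytes) -> bytes:
    """'Password' mode: the first entry (0xFFFF, type 2) carries the password
    itself, so anyone capturing the segment reads it directly."""
    auth_entry = struct.pack("!HH16s", 0xFFFF, 2, password)
    return RIP_HEADER + auth_entry + encode_routes(routes)


def build_keyed_md5(routes: List[Route], key: bytes, seq: int) -> bytes:
    """'MD5' mode (simplified model): the packet carries a sequence number and a
    digest of packet + secret; the secret never leaves the device."""
    body = RIP_HEADER + encode_routes(routes) + struct.pack("!I", seq)
    digest = hashlib.md5(body + key.ljust(16, b"\0")).digest()
    return body + digest


def verify_keyed_md5(packet: bytes, key: bytes, last_seq: int = -1) -> bool:
    """Accept only if the digest matches our secret and the sequence number has
    moved forward, so a captured update cannot simply be replayed later."""
    body, digest = packet[:-16], packet[-16:]
    seq = struct.unpack("!I", body[-4:])[0]
    expected = hashlib.md5(body + key.ljust(16, b"\0")).digest()
    return hmac.compare_digest(expected, digest) and seq > last_seq


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one byte, as an on-path attacker rewriting a metric would."""
    altered = bytearray(packet)
    altered[offset] ^= 0xFF
    return bytes(altered)


# Constructed update: one route, as an Advanced Firewall export might carry.
ROUTES: List[Route] = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)]
METRIC_OFFSET = len(RIP_HEADER) + 16  # first byte of the first entry's metric

if __name__ == "__main__":
    plain = build_plaintext(ROUTES, b"letmein")
    print("password visible in capture:", b"letmein" in plain)       # True
    signed = build_keyed_md5(ROUTES, b"rip-shared-key", seq=7)
    print("secret visible in capture:", b"rip-shared-key" in signed)  # False
    print("genuine:", verify_keyed_md5(signed, b"rip-shared-key", last_seq=6))
    print("tampered:", verify_keyed_md5(tamper(signed, METRIC_OFFSET), b"rip-shared-key"))
    print("replayed:", verify_keyed_md5(signed, b"rip-shared-key", last_seq=7))
```

MD5 is no longer a recommended hash, but used as a keyed digest with a secret that never appears on the wire it still defeats the passive capture and route injection that defeat the Password mode; it is the strongest option RIP offers, and the shared secret should be treated like any other credential.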
Sources
The Sources page is used to configure source rules which determine which external network
interface will be used by internal network hosts for outbound communication when a secondary
external connection is active.
Source rules can be created for individual hosts, ranges of hosts or subnet ranges.
Setting
Description
Source IP or network
Enter the source IP or subnet range of internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 43.
Internal interface
From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.
External interface
From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication.
Alternatively, select Exception to create an exception rule that ensures all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface.
Note: If the external interface is set to Exception, any traffic specified here is not subject to load balancing.
Note: Using Exception always sends traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment
Enabled
Click Add.
Removing a Rule
To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.
Editing a Rule
To edit a rule:
1. Locate the rule in the Current rules area, select it and click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
Ports
The Ports page is where you route outbound traffic for selected ports through a particular external
interface. For example, you can create a rule to send all SMTP traffic down a specific external
interface.
Note: Source rules are always evaluated first. A packet is only matched against the port rules on this page if it does not match a source rule. For more information, see Sources on page 42.
Setting
Description
Protocol
From the drop-down menu, select the protocol the traffic uses.
Service
From the drop-down menu, select the service, port range or group of ports.
Port
External interface
Comment
Enabled
Click Add to create the rule. The rule is created and listed in the Current rules area.
Removing Rules
To remove one or more rules:
1. Select each rule in the Current rules area and click Remove.
Editing a Rule
To edit a rule:
1. Select the rule in the Current rules area and click Edit.
2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.
Creating an External Alias Rule
On the Networking > Interfaces > External aliases page, configure the following settings:
Setting
Description
External interface
From the drop-down list, select the external interface to which you want to bind an additional public IP address.
Select
Connectivity profile
Alias IP
Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
Netmask
Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value. This value should be provided by your ISP.
Comment
A field used to assign a helpful message describing the external alias rule.
Enabled
Click Add. The external alias rule is added to the Current rules table.
Setting
Description
Source IP
Alias IP
From the drop-down list, select the external alias that outbound communication is
mapped to.
Comment
Enabled
Click Add. The source mapping rule is added to the Current rules table.
Setting
Description
Interface
From the drop-down menu, select the internal interface on which to create the alias.
Netmask
Enter a network mask that specifies the size of the subnet accessible via the internal
alias (when combined with a network value).
Comment
Enabled
Click Add. The internal alias rule is added to the Current rules table.
Setting
Description
Secondary external interface
From the drop-down list, select the interface you want to use as the secondary external interface.
Select
Address
Netmask
Primary failover ping IP
Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly.
When enabled, the IP address is pinged every two minutes over the secondary connection to ensure that the connection is active.
If this IP address cannot be contacted, all outbound traffic is redirected to the primary connection. If a Secondary failover ping IP has also been entered, it must also fail before failover routing is activated.
Choose a target outside your own network that stays up independently of your infrastructure and does not rate-limit or drop ICMP; otherwise the probe fails for reasons unrelated to the link and traffic fails over needlessly.
Secondary failover ping IP
Load balance outgoing traffic
Optionally, select to add the currently selected secondary address to the load balancing pool of connections.
Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool.
Note: If no load balance options are enabled, all traffic is sent out of the primary external connection.
Load balance web proxy traffic
Optionally, select to add the currently selected secondary address to the proxy load balancing pool.
Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the proxy load balancing pool.
Note: If no load balance options are enabled, all traffic is sent out of the primary external connection.
Weighting
Optionally, select to set the weighting for load balancing on the currently selected secondary address.
A weighting is assigned to every external connection in the load balancing pool and load balancing is performed according to the respective weights of each connection. The weighting value is especially useful for load balancing external connections of differing speeds.
Click Save to save your settings and enable the secondary external interface.
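The Sources page (page 42), the Ports page and the secondary external interface settings above together define one decision per outbound flow: a matching source rule is honoured first (Exception pins the flow to the primary and skips load balancing), then a matching port rule, and only then the weighted pool, from which a secondary whose failover ping targets have all failed is withdrawn. The following added example models that decision; it is not Smoothwall code, the rule and flow structures and the interface names are constructed for illustration, and the weighted selection is one deterministic way of honouring the weights, not necessarily the scheduler the product uses.

```python
from bisect import bisect_right
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import accumulate
from typing import FrozenSet, List, Tuple

PRIMARY = "primary"
EXCEPTION = "exception"  # the 'Exception' choice in a source rule


@dataclass
class Flow:
    src_ip: str
    internal_iface: str
    proto: str
    dst_port: int


@dataclass
class SourceRule:
    source: str          # host ("192.168.1.10") or network ("192.168.2.0/24")
    internal_iface: str
    external_iface: str  # an external interface name, or EXCEPTION
    enabled: bool = True


@dataclass
class PortRule:
    proto: str
    ports: Tuple[int, int]  # inclusive port range
    external_iface: str
    enabled: bool = True


def weighted_pick(pool: List[Tuple[str, int]], counter: int) -> str:
    """Deterministic weighted round-robin: flow number `counter` lands in the
    cumulative-weight bucket containing counter mod total weight, so over
    `total` consecutive flows each connection gets exactly its weight's share."""
    edges = list(accumulate(weight for _, weight in pool))
    return pool[bisect_right(edges, counter % edges[-1])][0]


def choose_egress(flow: Flow, source_rules: List[SourceRule],
                  port_rules: List[PortRule], pool: List[Tuple[str, int]],
                  down: FrozenSet[str], counter: int) -> str:
    src = ip_address(flow.src_ip)
    # 1. Source rules are examined first; Exception pins to the primary and
    #    bypasses load balancing entirely.
    for rule in source_rules:
        if (rule.enabled and rule.internal_iface == flow.internal_iface
                and src in ip_network(rule.source, strict=False)):
            return PRIMARY if rule.external_iface == EXCEPTION else rule.external_iface
    # 2. Port rules only see traffic that no source rule claimed.
    for rule in port_rules:
        low, high = rule.ports
        if rule.enabled and rule.proto == flow.proto and low <= flow.dst_port <= high:
            return rule.external_iface
    # 3. Everything else goes to the pool. A member whose ping targets all
    #    failed is withdrawn so its share falls to the rest; an empty pool
    #    means primary only.
    active = [(name, weight) for name, weight in pool if name not in down and weight > 0]
    return weighted_pick(active, counter) if active else PRIMARY


def distribute(flows: List[Flow], source_rules: List[SourceRule],
               port_rules: List[PortRule], pool: List[Tuple[str, int]],
               down: FrozenSet[str] = frozenset()) -> Counter:
    """Count how many of `flows` each external connection would carry."""
    return Counter(choose_egress(f, source_rules, port_rules, pool, down, i)
                   for i, f in enumerate(flows))


# Constructed policy: the 192.168.2.0/24 zone is pinned to the primary by an
# Exception source rule, SMTP is forced down the secondary by a port rule, and
# everything else is balanced 2:1 between primary and secondary.
SOURCE_RULES = [SourceRule("192.168.2.0/24", "lan", EXCEPTION)]
PORT_RULES = [PortRule("tcp", (25, 25), "secondary")]
POOL = [(PRIMARY, 2), ("secondary", 1)]
WEB = [Flow("192.168.1.50", "lan", "tcp", 443) for _ in range(300)]

if __name__ == "__main__":
    print(distribute(WEB, SOURCE_RULES, PORT_RULES, POOL))                 # primary 200, secondary 100
    print(distribute(WEB, SOURCE_RULES, PORT_RULES, POOL, frozenset({"secondary"})))  # primary 300
    print(choose_egress(Flow("192.168.2.9", "lan", "tcp", 25), SOURCE_RULES, PORT_RULES, POOL, frozenset(), 0))
```

The last call shows the precedence the Ports page note describes: SMTP from the pinned zone still leaves via the primary, because the source rule is matched before the port rule is ever consulted.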
Chapter 5
Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network
addresses. IP block rules are primarily intended to block hostile hosts from the external network,
however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal
system has been infected by malware.
IP block rules can also operate in an exception mode allowing traffic from certain source IPs or
network addresses to always be allowed.
Source IP or network
Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
Drop packet: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.
Reject packet
Exception: Select to always allow the source IPs specified in the Source IP or Network field to communicate, regardless of all other IP block rules.
Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.
Log
Comment
Enabled
Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the
same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.
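The following Python is an added example of the precedence described above (exception rules win over drop and reject rules, and traffic that never crosses the firewall cannot be blocked); it is not Smoothwall code. The rule set and the addresses are constructed, and the rule model (single IP or CIDR subnet per field) is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IPBlockRule:
    source: str                        # IP or subnet, e.g. "203.0.113.0/24"
    action: str                        # "drop", "reject" or "exception"
    destination: Optional[str] = None  # None: any destination
    log: bool = False
    enabled: bool = True


def _in(spec, ip):
    return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _hits(rule, src, dst):
    return rule.enabled and _in(rule.source, src) and _in(rule.destination, dst)


def evaluate(rules, src, dst):
    """Decision for a packet from src to dst: 'allow', 'drop' or 'reject'.

    An exception rule that matches takes precedence over every drop/reject rule,
    as the Exception setting describes; with no matching block rule the traffic passes.
    """
    if any(r.action == "exception" and _hits(r, src, dst) for r in rules):
        return "allow"
    for r in rules:
        if r.action in ("drop", "reject") and _hits(r, src, dst):
            if r.log:
                print(f"IP block: {r.action} {src} -> {dst} (rule for {r.source})")
            return r.action
    return "allow"


def crosses_firewall(src, dst, local_subnets):
    """The note above: two hosts on one local subnet talk directly, so no rule applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in net and d in net for net in map(ipaddress.ip_network, local_subnets))


if __name__ == "__main__":
    # Constructed rule set: drop a hostile subnet, but exempt one address inside it.
    rules = [
        IPBlockRule("203.0.113.0/24", "drop", log=True),
        IPBlockRule("203.0.113.7", "exception"),
    ]
    for client in ("203.0.113.9", "203.0.113.7", "198.51.100.1"):
        print(client, "->", evaluate(rules, client, "192.168.100.10"))
    print(crosses_firewall("192.168.100.5", "192.168.100.9", ["192.168.100.0/24"]))
```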
Setting: Description
Enable SYN cookies: Select to defend the system against SYN flood attacks.
A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack, the aim being to avoid a DoS attack.
TCP timestamps: Select this option to enable TCP timestamps (RFC1323) to improve TCP performance on high speed links.
Selective ACKs: Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.
Window scaling: Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.
ECN: Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion.
While effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.
ARP filter: Select this option to enable the ARP filter. This option can be enabled if your network is experiencing ARP flux.
You should increase the ARP table size if the number of directly connected machines or IP addresses is more than the value shown in the drop-down box.
In normal situations, the default value of 2048 will be adequate, but in very big networks, select a bigger value.
Directly connected machines are those which are not behind an intermediate router but are instead directly attached to one of Advanced Firewall's network interfaces.
Connection tracking table size: Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall.
The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements.
Occasionally, the default size, which is set according to the amount of memory, is insufficient; use this field to configure a larger size.
SYN backlog queue size: Select this option to set the maximum number of requests which may be waiting in a queue to be answered.
The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.
Audit
Drop all direct traffic on internal interfaces: Select any internal interfaces which have hosts on them that do not require direct access to the system but do require access to other networks connected to Advanced Firewall.
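The SYN cookie, TCP option and table-size settings above are kernel parameters, so an administrator can also verify them from a shell. The following Python is added here as a check for that purpose and is not part of the guide: it parses constructed `sysctl -a` style output and reports settings that diverge from what the table recommends. The mapping from the table's names to Linux sysctl keys is an assumption, as the guide does not name the kernel parameters.

```python
# Assumed mapping from the table's settings to Linux sysctl keys and the value
# the table recommends; the guide itself does not name the kernel parameters.
RECOMMENDED = {
    "net.ipv4.tcp_syncookies":     ("SYN cookies", "1"),
    "net.ipv4.tcp_timestamps":     ("TCP timestamps", "1"),
    "net.ipv4.tcp_sack":           ("Selective ACKs", "1"),
    "net.ipv4.tcp_window_scaling": ("Window scaling", "1"),
}


def parse_sysctl(lines):
    """Parse 'key = value' lines as printed by `sysctl -a`; other lines are ignored."""
    settings = {}
    for line in lines:
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_tcp_settings(settings, min_conntrack=65536, min_arp_table=2048):
    """Return a list of findings; an empty list means everything matches the table."""
    findings = []
    for key, (label, want) in RECOMMENDED.items():
        if settings.get(key) != want:
            findings.append(f"{label} ({key}) is {settings.get(key)!r}, expected {want}")
    if settings.get("net.ipv4.tcp_ecn") == "1":
        findings.append("ECN is enabled; some routers drop ECN-marked packets, confirm the path supports it")
    conntrack = int(settings.get("net.netfilter.nf_conntrack_max", 0))
    if conntrack < min_conntrack:
        findings.append(f"connection tracking table size {conntrack} is below {min_conntrack}")
    arp_table = int(settings.get("net.ipv4.neigh.default.gc_thresh3", 0))
    if arp_table < min_arp_table:
        findings.append(f"ARP table size {arp_table} is below the default of {min_arp_table}")
    return findings


# Constructed sample output for a host whose SYN cookies are off, ECN is forced on
# and whose connection tracking table is small.
SAMPLE = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_ecn = 1
net.netfilter.nf_conntrack_max = 32768
net.ipv4.neigh.default.gc_thresh3 = 2048
""".splitlines()

if __name__ == "__main__":
    for finding in check_tcp_settings(parse_sysctl(SAMPLE)):
        print("finding:", finding)
```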
3 In the Port groups area, click New and configure the following settings:
Setting: Description
Group name
Name: Enter a name for the port or range of ports you want to add to the group.
Port
Comment
3 Click Add. The port, ports or port range is added to the group.
Setting: Description
Port groups: From the drop-down list, select the group you want to add a port to and click Select.
Name: Enter a name for the port or range of ports you want to add to the group.
Port
Comment
3 Click Add. The port, ports or range is added to the group.
From the Port groups drop-down list, select the group you want to edit and click Select.
In the Current ports area, select the port you want to change and click Edit.
In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.
From the Port groups drop-down list, select the group you want to delete and click Select.
Click Delete.
Chapter 6
Configuring Inter-Zone Security
In this chapter:
Zones: Defines the two network zones between which the bridge exists.
Direction
Source: Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.
Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a network or any hosts.
Service: Defines what ports and services can be used across the bridge.
Protocol
It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a
named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host
bridge, using any port and protocol.
In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.
Source interface
Destination interface
Bidirectional: Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface.
Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Source IP: Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
Any network host in the source network, leave the field blank.
Destination IP: Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
To create a bridge to any network host in the destination network, leave the field blank.
Service: From the drop-down list, select the services, port range or group of ports to which access is permitted.
Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol.
Note: This is only applicable to TCP and UDP.
Port: If User defined is selected as the destination port, specify the port number.
Or, leave the field blank to permit access to all ports for the relevant protocol.
Comment
Enabled
Protected network: 192.168.100.0/24
DMZ: 192.168.200.0/24
Note: The DMZ network zone is a DMZ in name alone; until appropriate bridging rules are created, neither zone can see or communicate with the other.
In this example, we will create a DMZ that:
Allows restricted external access to a web server in the DMZ, from the Internet.
Does not allow access to the protected network from the DMZ.
Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Setting: Description
Source interface: From the drop-down menu, select the protected network.
Destination interface
Protocol
Comment
Enabled
Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ,
but not vice versa.
Navigate to the Networking > Firewall > Port forwarding page and configure the following
settings:
Setting: Description
Protocol
Destination IP
Source: From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.
Comment
Enabled: Select to activate the port forward rule once it has been added.
Click Add.
Navigate to the Networking > Filtering > Zone bridging page and configure the following settings:
Setting: Description
Destination interface
Protocol
Source IP
Destination IP
Service
Port
Comment
Enabled: Select Enabled to activate the bridging rule once it has been added.
Click Add.
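To make the one-way bridge semantics concrete, the following Python is an added example (not Smoothwall's implementation) that evaluates zone bridging rules for the DMZ scenario above: the protected network 192.168.100.0/24 and the DMZ 192.168.200.0/24 come from the example, while the rule for external access to a web server at 192.168.200.5 on port 80 is constructed to stand in for the final bridging rule whose settings are not listed. Treating any address outside a defined zone as "external" is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones from the DMZ example above.
ZONES = {
    "protected": "192.168.100.0/24",
    "dmz": "192.168.200.0/24",
}


@dataclass
class BridgeRule:
    source_zone: str
    dest_zone: str
    protocol: str = "all"               # "all", "tcp", "udp", ...
    source_ip: Optional[str] = None     # None: any host in the source zone
    dest_ip: Optional[str] = None       # None: any host in the destination zone
    port: Optional[int] = None          # None: all ports for the protocol
    bidirectional: bool = False         # False: one-way, initiated from source_zone only
    enabled: bool = True


def zone_of(ip, zones=ZONES):
    """Name of the zone whose subnet contains ip; 'external' when none does (assumption)."""
    address = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if address in ipaddress.ip_network(net):
            return name
    return "external"


def _ip_ok(spec, ip):
    return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _one_way(rule, src_zone, dst_zone, src, dst, proto, port):
    """Does the rule permit a connection initiated from src (in src_zone) to dst?"""
    return (rule.source_zone == src_zone and rule.dest_zone == dst_zone
            and rule.protocol in ("all", proto)
            and _ip_ok(rule.source_ip, src) and _ip_ok(rule.dest_ip, dst)
            and (rule.port is None or proto not in ("tcp", "udp") or rule.port == port))


def bridged(rules, src, dst, proto="tcp", port=None):
    """True if a connection src -> dst may be initiated.

    Traffic inside one zone needs no bridge. Traffic between zones needs an enabled
    rule in that direction, or a bidirectional rule defined in either direction.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True
    for rule in rules:
        if not rule.enabled:
            continue
        if _one_way(rule, src_zone, dst_zone, src, dst, proto, port):
            return True
        if rule.bidirectional and _one_way(rule, dst_zone, src_zone, dst, src, proto, port):
            return True
    return False


if __name__ == "__main__":
    rules = [
        BridgeRule("protected", "dmz"),                                   # step 1 above
        BridgeRule("external", "dmz", "tcp", dest_ip="192.168.200.5", port=80),  # constructed
    ]
    print(bridged(rules, "192.168.100.10", "192.168.200.5"))             # True
    print(bridged(rules, "192.168.200.5", "192.168.100.10"))             # False: one-way
    print(bridged(rules, "203.0.113.9", "192.168.200.5", "tcp", 80))     # True
    print(bridged(rules, "203.0.113.9", "192.168.200.5", "tcp", 22))     # False
```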
Group Bridging
By default, authenticated users may only access network resources within their current network
zone, or that are allowed by any active zone bridging rules. Group bridging is the process of
modifying this default security policy, in order to allow authenticated users from any network zone to
access specific IP addresses, IP ranges, subnets and ports within a specified network zone.
Authenticated groups of users can be bridged to a particular network by creating group bridging
rules. A group bridging rule defines a bridge in the following terms:
Group The group of users from the authentication sub-system that may access the bridge.
Zone The destination network zone.
Destination Defines whether the bridge allows access to an individual host, a range of hosts, a
subnet of hosts or any hosts.
Service Defines what ports and services can be used across the bridge.
Protocol Defines what protocol can be used across the bridge.
Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named
port and protocol) or wide (e.g. allow access to any host, using any port and protocol).
In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable
use.
Groups: From the drop-down menu, select the group of users that this rule will apply to.
Select
Destination interface
Destination IP: Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
Any network host in the destination network, leave the field blank.
Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Service: From the drop-down list, select the service, port or port range to be used.
To restrict to a custom port, select User defined and enter a port number in the Port field.
To allow any service or port to be used, select User defined and leave the Port field empty.
Port: If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.
Comment
Enabled
Chapter 7
Application helpers which allow traffic passing through the firewall to work correctly
Description
External IP
Source IP
Port
Protocol
Destination IP
Destination port
For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server
listening on port 81 in a De-Militarized Zone (DMZ).
If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward
all port 80 TCP traffic to port 81 on 192.168.2.60.
Note: It is important to consider the security implications of each new port forward rule. Any network is only
as secure as the services exposed upon it.
Port forwards allow unknown hosts from the external network to access a particular internal host. If
a cracker manages to break into a host that they have been forwarded to, they may gain access to
other hosts in the network.
For this reason, we recommend that all port forwards are directed towards hosts in isolated network
zones, that preferably contain no confidential or security-sensitive network hosts. Use the
Networking > Filtering > Zone bridging page to ensure that the target host of the port forward is
contained within a suitably isolated network, i.e. a DMZ scenario.
External interface: From the drop-down menu, select the interface that the port forward will be bound to.
By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection you can assign a port forward explicitly to it.
Select
Protocol: From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.
External IP or network: Enter the IP address, address range or subnet range of the external hosts allowed to use this rule.
Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
Log
IPS
Source IP: Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
Source service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Note: Only applies to the protocols TCP and UDP.
User defined
Destination IP
Destination service: From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.
User defined
Comment
Enabled
Click Add. The port forward rule is added to the Current rules table.
On the Networking > Firewall > Port forwarding page, create a port forward rule to the first
network host. See Creating Port Forward Rules on page 68 for more information.
On the Networking > Firewall > Port forwarding page, create another port forward rule using
exactly the same settings except for the destination IP to the second network host.
Advanced Firewall automatically balances the traffic between the hosts.
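The following Python is an added model of a port forward table (not Smoothwall's code) covering the settings above: the external IP alias, the optional restriction to an external source network, and the two-identical-rules pattern used to balance across two hosts. The web server addresses 192.168.2.60 and port 81 are taken from the example above; the second host 192.168.2.61, the external alias 203.0.113.10 and the SSH forward are constructed, and round-robin selection between matching rules is an assumption, since the guide does not state the balancing algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortForward:
    protocol: str                              # "tcp" or "udp"
    source_port: int                           # port on the external IP
    dest_ip: str                               # internal host
    dest_port: int
    external_ip: str = "203.0.113.10"          # constructed external alias
    external_network: Optional[str] = None     # None: any external host may use the rule
    enabled: bool = True


class Forwarder:
    """Port forward table. When several enabled rules match the same external
    IP/port, they are used in turn (round-robin is an assumption of this model)."""

    def __init__(self, rules):
        self.rules = rules
        self._next = {}          # (protocol, external_ip, port) -> next rule index

    def lookup(self, protocol, external_ip, port, client_ip):
        """Return (dest_ip, dest_port) for a new connection, or None if nothing matches."""
        client = ipaddress.ip_address(client_ip)
        matches = [
            r for r in self.rules
            if r.enabled and r.protocol == protocol
            and r.external_ip == external_ip and r.source_port == port
            and (r.external_network is None
                 or client in ipaddress.ip_network(r.external_network, strict=False))
        ]
        if not matches:
            return None          # no rule: the connection is not forwarded
        key = (protocol, external_ip, port)
        index = self._next.get(key, 0)
        self._next[key] = index + 1
        chosen = matches[index % len(matches)]
        return (chosen.dest_ip, chosen.dest_port)


if __name__ == "__main__":
    fw = Forwarder([
        PortForward("tcp", 80, "192.168.2.60", 81),      # from the example above
        PortForward("tcp", 80, "192.168.2.61", 81),      # constructed second web server
        PortForward("tcp", 22, "192.168.2.70", 22, external_network="198.51.100.0/24"),
    ])
    for client in ("198.51.100.5", "198.51.100.6", "198.51.100.7"):
        print(client, fw.lookup("tcp", "203.0.113.10", 80, client))   # alternates .60/.61
    print(fw.lookup("tcp", "203.0.113.10", 22, "203.0.113.99"))       # None: not in 198.51.100.0/24
```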
IP information is embedded within FTP traffic; this helper application ensures that FTP active mode client connections are not adversely affected by the firewall.
IRC: IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
Advanced PPTP client support: When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing.
If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used.
Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
H323
In the Network application helpers area, select the application(s) you require.
Optionally, in the Advanced area, select Drop to drop traffic silently. This runs Advanced Firewall in
a stealth-like manner and makes things like port scans much harder to do.
From the Bad external traffic drop-down list, select Drop to silently discard the traffic and not send
a message to the sender, or Reject to reject the traffic and notify the sender.
On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
From the Connectivity failback profile drop-down menu, select the profile to use after reboot if
the primary connectivity profile has failed.
Click Save changes. Advanced Firewall applies and saves the changes.
On the Networking > Firewall > Advanced page, go to the Connectivity Failback area.
Enable Automatic failback and click Save changes. Advanced Firewall applies and saves the
changes.
Reject all: Reject all outbound access to the Internet except for listed ports.
Reject all peer to peer outbound access to the Internet on listed ports. For more information, see Managing Blocked Services on page 74.
Reject all with logging: Reject all outbound access to the Internet except for listed ports and log the rejections.
Reject known exploits: Reject outbound access on the listed ports which are associated with many common exploits against programs and services.
Reject MS ports: Reject outbound access on the listed ports which are associated with Microsoft Windows local area networking.
Click Add new port rule. The following dialog box opens.
Name: Enter a name for the port rule. This name will be displayed wherever the rule can be selected.
Action
Rejection logging
Stealth mode
4 Click Add. Advanced Firewall adds the port rule to the Port rules list. Click the rule's content arrow. The ports/services in the rule are displayed.
Note: Some services use unpredictable port numbers to evade port-based outbound access rules. To control access to these services, see Managing Blocked Services on page 74.
Status
Protocol: From the drop-down menu, select the network protocol to add to the port.
Destination port: From the drop-down menu, select the port, port range or group of ports you want to allow or deny access to.
Comment
On the Networking > Outgoing > Ports page, locate the port rule for which you want to configure
services.
Click the rule's content arrow. The ports/services contained in the rule are displayed.
Point to Blocked services and click Edit. The following dialog box opens.
Note: The types of services available depend on what Deep Packet Inspection licensing you have purchased. Contact your Smoothwall representative for more information.
5 Click Save to save the settings and close the dialog box. Advanced Firewall applies the settings and starts blocking the services selected.
On the Networking > Outgoing > Ports page, point to the port rule and select Edit.
In the Edit port rule dialog box, make any changes required. See Creating a Port Rule on page 73 for
information on the settings available.
Click Save changes to apply the changes and close the dialog box.
On the Networking > Outgoing > Ports page, point to the rule and select Delete. When prompted,
click Delete to confirm that you want to delete the rule and its contents.
On the Networking > Outgoing > Ports page, click the rule's content arrow. The ports/services contained in the rule are displayed.
Point to the port/service and click Edit. In the Edit port/service dialog box, make any changes
required. See Creating a Port Rule on page 73 for information on the settings available.
Click Save changes to apply the changes and close the dialog box.
Note: Once the network traffic matches a policy, Advanced Firewall does not apply any further policy
matching.
By default, Advanced Firewall contains a default outbound access policy which uses the Allow all port
rule and allows unrestricted outbound access to the Internet.
You can reorder outbound access policies to suit your requirements. If the outbound network traffic
or service does not match any policy, the Default policy is applied.
Status
Group: From the drop-down menu, select the group to which the outbound access policy applies.
Port rule: From the drop-down menu, select which port rule to use in the outbound access policy. For more information on port rules, see Working with Port Rules on page 72.
Comment
Place the policy where it is required by selecting it and using Up or Down, or by dragging it to the
correct position and clicking Save moves.
Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.
Note: Group policies cannot be enforced in all circumstances. If a user has not actively authenticated
themselves, using the SSL Login page or by some other authentication method, the user is unknown
to the system and a policy cannot be applied.
Group policies are often more suitable for allowing access to ports and services. In such situations,
users have a reason to pro-actively authenticate themselves so that they can gain access to an
outbound port or service.
Creating Outbound Access Policies for Traffic from Sources and/or Destinations
When the source and/or destination IP addresses of outbound traffic match a policy in the Sources
and Destination addresses, Advanced Firewall checks that the traffic does not break the port rule(s)
assigned to that source and/or destination.
To create a policy:
1 In the Add new policy dialog box, configure the following settings:
Setting: Description
Status
Name
Source
Destination
Port rule: From the drop-down list, select the port rule to apply. For more information, see Working with Port Rules on page 72.
Comment
Click Add. The policy is added to the list of sources and destinations.
Place the policy where it is required by selecting it and using Up or Down, or by dragging the rule to
the correct position and clicking Save moves.
Note: Once traffic matches a policy, Advanced Firewall does not apply any further policy matching.
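The following Python is an added example (not Smoothwall's implementation) of the first-match policy evaluation described in this chapter: an ordered list of group policies and source/destination policies, each carrying a port rule of the kinds listed under Working with Port Rules, with the Default policy applied when nothing matches. Group policies only match a user who has authenticated, as the note above explains. The policies, groups, subnets and port rules are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class PortRule:
    name: str
    mode: str                           # "allow_all", "reject_except" (allow only the listed
                                        # ports) or "reject_listed" (reject only the listed ports)
    ports: Set[int] = field(default_factory=set)

    def permits(self, port):
        if self.mode == "allow_all":
            return True
        if self.mode == "reject_except":
            return port in self.ports
        return port not in self.ports


@dataclass
class Policy:
    port_rule: PortRule
    group: Optional[str] = None         # set for a group policy
    source: Optional[str] = None        # IP or subnet for a source/destination policy
    destination: Optional[str] = None
    enabled: bool = True


def _in(spec, ip):
    return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def outbound_decision(policies, default_rule, src, dst, port, user_group=None):
    """Walk the ordered policy list; the first match decides and later policies are
    not consulted. user_group is the authenticated user's group at src, or None when
    the user is unknown to the system, in which case group policies cannot apply."""
    for policy in policies:
        if not policy.enabled:
            continue
        if policy.group is not None:
            if policy.group != user_group:
                continue
        elif not (_in(policy.source, src) and _in(policy.destination, dst)):
            continue
        verdict = "allow" if policy.port_rule.permits(port) else "reject"
        return (verdict, policy.port_rule.name)
    verdict = "allow" if default_rule.permits(port) else "reject"
    return (verdict, default_rule.name)


if __name__ == "__main__":
    # Constructed rule set: staff may use any port; everyone else on the LAN
    # is limited to web ports; anything unmatched falls through to Allow all.
    web_only = PortRule("Web only", "reject_except", {80, 443})
    policies = [
        Policy(PortRule("Allow all", "allow_all"), group="staff"),
        Policy(web_only, source="192.168.100.0/24"),
    ]
    default = PortRule("Allow all", "allow_all")
    print(outbound_decision(policies, default, "192.168.100.5", "198.51.100.1", 25))
    print(outbound_decision(policies, default, "192.168.100.5", "198.51.100.1", 25, "staff"))
```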
Editing a Policy
To edit a policy:
1 On the Networking > Outgoing > Policies page, point to the rule and select Edit.
In the Edit policy dialog box, make any changes required. See Creating Outbound Access Policies
for Traffic from Sources and/or Destinations on page 77 for information on the settings available.
Click Save changes to apply the changes and close the dialog box.
Deleting a Policy
To delete a policy:
1 On the Networking > Outgoing > Policies page, point to the rule and select Delete. When prompted, click Delete to confirm that you want to delete the policy.
Navigate to the Networking > Outgoing > External services page and configure the following
settings:
Setting: Description
Service
Protocol
Service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Port
Rejection logging
Stealth mode
Destination IP: Enter the IP address of the external service to which the rule applies.
Comment
Enabled
Click Add. The external service rule is added to the Current rules region:
Chapter 8
Advanced Firewall Services
In this chapter:
Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific
group.
In the Portals area, enter a name for the portal and click Save. Advanced Firewall creates the portal and makes it accessible on your Advanced Firewall system at, for example: http://192.168.72.141/portal/
Group: From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 10, Managing Groups of Users on page 216.
Portal: From the drop-down menu, select the portal you want the group to access.
Click Add. Advanced Firewall authorizes the group to use the portal.
The next step is to configure the portal to enable authorized users to use it to download files, manage
web access and display reports.
Configuring a Portal
The following sections explain how to configure an Advanced Firewall portal so that authorized users can view reports, enable the policy tester, block other users from accessing the web, download VPN client files and receive a custom welcome message.
Browse to the Logs and reports > Reports > Reports page and locate the report you want to publish on a portal.
On the Permissions tab, click Portal Access. A dialog box containing report details opens.
From the Add access drop-down list, select the portal where you want to publish the report and
click Add.
Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:
Setting: Description
Portals: From the drop-down list, select the portal on which you want to make reports available and click Select.
In the Portal published reports and templates area, configure the following settings:
Setting: Description
Enabled: Select Enabled.
From the drop-down list, select the number of reports you want to display on the portal's home page. Advanced Firewall will display the most often viewed reports.
Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.
Browse to the Services > User portal > Portals page and configure the following setting:
Setting: Description
Policy tester: Select Enabled.
Browse to the bottom of the page and click Save to save the settings.
Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:
Setting: Description
Portals: From the drop-down list, select the portal on which you want to authorize groups to block users.
In the Portal permissions for web access blocking area, configure the following settings:
Setting: Description
Enabled: Select Enabled.
Allow control of groups: Select this option and, in the list of groups displayed, select the group(s) containing the users that the group is authorized to block from accessing the web.
To select consecutively listed groups, hold down the Shift key while selecting. To select non-consecutively listed groups, hold down the Ctrl key while selecting.
Browse to the bottom of the page and click Save to save the settings.
Browse to the Services > User portal > Portals page and, in the Portals area, configure the following settings:
Setting: Description
Portals: From the drop-down list, select the portal on which you want to enable groups to block users.
In the Portal permissions for web access blocking area, configure the following settings:
Setting: Description
Enabled: Select Enabled.
Allow control of locations: Select this option and, in the list of locations displayed, select the location(s) that the group is authorized to block from accessing the web.
To select consecutively listed locations, hold down the Shift key while selecting. To select non-consecutively listed locations, hold down the Ctrl key while selecting.
Browse to the bottom of the page and click Save to save the settings.
In the VPN connection details area, select SSL VPN client archive download. See Chapter 9, Virtual
Private Networking on page 127 for information on how to create the archive.
Browse to the bottom of the page and click Save to save the settings.
Browse to the Services > User portal > Portals page and, in the Welcome message area, configure the following settings:
Setting: Description
Welcome message
Browse to the bottom of the page and click Save to save the settings.
Setting: Description
Group: From the drop-down menu, select the group you want to allow access to the portal. For more information on groups, see Chapter 10, Managing Groups of Users on page 216.
Portal: From the drop-down menu, select the portal you want the group to access.
Click Add. Advanced Firewall will allow members of the group to access the specified portal.
Browse to the Services > User portal > User exceptions page.
Setting: Description
Username: Enter the username of the user you want to access the portal.
Portal: From the drop-down list, select the portal you want the user to access.
Click Add. Advanced Firewall gives the user access to the portal.
Accessing Portals
The following section explains how to access a portal.
To access a portal:
1 In the browser of your choice, enter the URL to the portal on your Advanced Firewall system, for example: http://192.168.72.141/portal/
Accept any certificate and other security information. Advanced Firewall displays the login page for
the portal.
Enter a valid username and password and click Login. The portal is displayed.
For more information, see the Advanced Firewall Portal User Guide.
Editing Portals
The following section explains how to edit a portal.
To edit a portal:
1 From the Portals drop-down list, select the portal you want to edit.
Make the changes you require, see Configuring a Portal on page 83 for information on the settings
available.
Deleting Portals
The following section explains how to delete a portal.
From the Portals drop-down list, select the portal you want to delete.
Control: Description
Cache size: Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value.
Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached.
The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system's total storage capacity, up to a maximum of around 10 gigabytes (approximately 10000 megabytes) for a high performance system with storage capacity in excess of 25 gigabytes.
Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
Remote proxy: In most scenarios this field will be left blank and no remote proxy will be used.
Used to configure the web proxy to operate in conjunction with a remote web proxy. Larger organizations may wish to use a dedicated proxy, or sometimes ISPs offer remote proxy servers to their subscribers.
Remote proxy username: Enter the remote proxy username if using a remote proxy with user authentication.
Remote proxy password: Enter the remote proxy password when using a remote proxy with user authentication.
Max object size: Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache.
The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.
Min object size: Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. The default is no minimum; this should be suitable for most purposes.
This can be useful for preventing large numbers of tiny objects filling the cache.
Max outgoing size: Specify the maximum amount of outbound data that can be sent by a browser in any one request. The default is no limit.
This can be used to prevent large uploads or form submissions.
Max incoming size: Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. The default is no limit.
This can be used to prevent excessive and disruptive download activity.
Control: Description
Transparent
Disable proxy logging
Enabled
Allow admin port access: Select to permit access to other network hosts over ports 81 and 441.
This is useful for accessing a remote Smoothwall System, or other non-standard HTTP and HTTPS services, through the proxy. In normal circumstances such communication would be prevented.
Note: By selecting this option, it is possible to partially bypass the admin access rules on the System > Administration > Admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
Do not cache: Enter any domains that should not be web cached. Enter domain names without the www. prefix, one entry per line.
This can be used to ensure that old content of frequently updated web sites is not cached.
Exception local IP addresses: Enter any IP addresses on the local network that should be completely exempt from authentication restrictions.
Banned local IP addresses: Enter any IP addresses on the local network that are completely banned from using the web proxy service.
If any hosts contained in this list try to access the web they will receive an error page stating that they are banned.
No user authentication: Select to allow users to globally access the web proxy service without authentication.
Proxy authentication: Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser.
The username and password details are encoded in all future page requests made by the user's browser software.
Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
Core authentication: Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address.
If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as unauthenticated.
Groups allowed to use web proxy: Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership.
Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
Control
Description
Automatic configuration script custom direct hosts
Enter any additional hosts to add to the automatic configuration script's list of direct (non-proxy routing) hosts. This is useful for internal web servers such as a company intranet server. All hosts listed will be automatically added to a browser's Do not use proxy server for these addresses proxy setting if the browser accesses the automatic configuration script for its proxy settings.
Note: Browsers must be configured to access the automatic configuration script to receive this list of direct routing hosts.
Use automatic configuration script address
After enabling and restarting the service, the automatic configuration script location is displayed here.
Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser's implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
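The automatic configuration script that browsers fetch is a proxy auto-config (PAC) file: a JavaScript function named FindProxyForURL that returns DIRECT for hosts on the direct list and the proxy address for everything else. The block below is an added example written for this guide, not the script Advanced Firewall generates. It assumes a constructed proxy address of 192.168.0.1 port 800 and a constructed direct hosts list (the firewall's own address, so its admin ports are never routed back through the proxy, plus an intranet name and a wildcard domain). Browsers supply isPlainHostName, dnsDomainIs and shExpMatch to PAC scripts; minimal re-implementations are included so the script also runs under Node for testing.

```javascript
// Added example PAC script (not Smoothwall's generated script).
// Assumption (constructed): the web proxy listens on 192.168.0.1:800.

// Minimal stand-ins for the helper functions a browser provides to PAC scripts,
// so the script can be exercised outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? onto regex.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

const PROXY = "PROXY 192.168.0.1:800";

// Constructed "custom direct hosts" list: the firewall itself (admin ports 81/441
// must not be reached via the proxy), an intranet server, and a wildcard domain.
const DIRECT_HOSTS = ["192.168.0.1", "intranet.corp.example", "*.corp.example"];

function FindProxyForURL(url, host) {
  // Single-label names such as http://intranet/ are local and bypass the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  for (const entry of DIRECT_HOSTS) {
    if (entry.startsWith("*.")) {
      // "*.corp.example" covers any host under corp.example.
      if (dnsDomainIs(host, entry.substring(1))) return "DIRECT";
    } else if (shExpMatch(host, entry)) {
      return "DIRECT";
    }
  }
  // Everything else is routed through the firewall's web proxy.
  return PROXY;
}
```

Because a browser evaluates this function for every request, keeping the direct list short and avoiding DNS lookups (isResolvable, isInNet) inside it keeps page loads responsive.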
Manual web browser proxy settings
After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
Interfaces
3. Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache.
Note: Save and Restart with cleared cache is used to save configuration changes and empty the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information, typically from failed web browsing or poorly constructed web sites. The web proxy will be restarted with any configuration changes applied.
Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be suspended and any currently active downloads will fail. It is a good idea to restart when it is convenient for the proxy end-users.
Transparent Proxying
If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all
HTTP port 80 requests will be automatically redirected through the proxy cache.
If you are having problems with transparent proxying, check that the following settings are not
configured in end-user browsers:
Automatic configuration
Proxy server.
Non-Transparent Proxying
If Advanced Firewall's web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Advanced Firewall network zones must be configured.
Method: WPAD automatic script
Browsers are configured to automatically detect proxy settings, and a local DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.
Start Internet Explorer, and from the Tools menu, select Internet Options.
Method: Manual
To configure: In the Proxy server area, select Use a proxy server for your LAN. Enter your Advanced Firewall's IP address and port number 800. This information is displayed on the Services > Proxies > Web proxy page, in the Automatic configuration script area. In the Exceptions area, enter the IP address of your Advanced Firewall and any other IP addresses of content that you do not want filtered, for example, your intranet or local wiki.
Method: Automatic configuration script
Method: WPAD
To configure: On a local DNS server or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME substituting your domain name. The host must
Setting
Description
Enabled
Setting
Description
Enable Message Censor
Hide conversation text
MSN
Yahoo
GaduGadu
Jabber
Select to proxy and monitor conversations which use the Jabber protocol.
Intercept SSL
Blocked response
Select to inform IM users that their message or file transfer has been
blocked.
Currently, when enabled, this setting blocks files transferred using MSN,
ICQ, AIM and Yahoo IM protocols.
Blocked response message
Note: This option does not work with the ICQ/AIM protocol.
Automatic whitelisting
Settings here enable you to control who can instant message your local users.
Block unrecognized remote users: Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely. When this option is selected, any remote users who are not on the white-list are automatically blocked.
Number of current entries: Displays the number of entries currently in the whitelist user list.
Clear Automatic Whitelisted user list: Click to clear the white-list.
White-list users
Black-list users
Enabled on interfaces
Setting
Description
Exception local IP addresses
Browse to the Services > Proxies > Instant messenger page. Enable IM proxying and configure
the settings you require. For full information on the settings available, see Instant Messenger Proxying
on page 93.
Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
Click Export Certificate Authority certificate. Advanced Firewall generates an Advanced Firewall CA certificate.
Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients.
Advanced Firewall will now monitor and log the chats.
SIP Proxying
Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often
used to set up calls in Voice over Internet Protocol (VoIP) systems.
SIP normally operates on port 5060, and is used to set up sessions between two parties. In the case of VoIP, it is a Real-time Transport Protocol (RTP) session that is set up, and it is the RTP stream that carries voice data.
RTP operates on random unprivileged ports, and, as such, is not NAT friendly. For this reason, Advanced Firewall's SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly.
Advanced Firewall's SIP proxy is also able to proxy RTP traffic, solving some of the problems involved in setting up VoIP behind NAT.
Configuring SIP
To configure and enable the SIP proxy:
1
Description
Enabled
From the drop-down list, select the interface for the SIP proxy to listen for
connections on. This is the interface on which you will place your SIP clients.
Logging
Log calls
Maximum number
of clients
Select the maximum number of clients which can use the proxy.
Setting the maximum number of clients is a useful way to prevent malicious
internal users performing a DoS on your registering proxy.
Setting
Description
From the drop-down menu, select a Diffserv mark to apply to SIP RTP
packets. This traffic can be traffic shaped with SmoothTraffic, if it is installed.
The built-in RTP proxy is able to apply a diffserv mark to all RTP traffic for
which it proxies. This is useful because it is otherwise quite tricky to define
RTP traffic, as it may occur on a wide range of ports. Prioritizing SIP traffic
on port 5060 would not make any difference to VoIP calls.
The standard mark is BE, which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, Smoothwall's Quality of Service (QoS) module, if it is installed. In this way, traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP users.
Transparent
Exception IPs
Hosts which should not be forced to use the transparent SIP proxy must be
listed in the Exception IPs box below.
Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall's NAT.
FTP Proxying
Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent
proxying possible.
Description
Status
Anti-malware
scanning
Proxy port
From the drop-down list, select the port for FTP traffic.
Note: For performance reasons, files larger than 100 MB are not scanned
for malware.
Note: The port you select must be open for the FTP client. You configure
this on the System > Administration > External access page. See
Chapter 13, Configuring External Access on page 273 for more
information.
Setting
Description
Access control
Click Save changes to save the settings and enable non-transparent FTP proxying.
Description
Remote host
Remote port
Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121.
See Configuring non-Transparent FTP Proxying on page 99 for more
information.
Remote username
Description
Status
Anti-malware
scanning
Proxy port
From the drop-down list, select the port for FTP traffic.
Note: For performance reasons, files larger than 100 MB are not scanned
for malware.
Note: The port you select must be open for the FTP client. You configure
this on the System > Administration > External access page. See
Chapter 13, Configuring External Access on page 273 for more
information.
Access control
Description
Source IPs
Transparently proxy all IPs Select to transparently FTP proxy for all
source IPs.
Transparently proxy only the following IPs
Setting
Description
Destination IPs
Transparently proxy all IPs Select to transparently FTP proxy for all
destination IPs.
Transparently proxy only the following IPs
Transparent proxy interfaces
4. Click Save changes to save the settings and enable transparent FTP proxying.
When running Advanced Firewall's FTP proxy in transparent mode, you do not need to configure FTP client applications.
Provides the ability to route multiple HTTP and HTTPS sites to each of their own internal servers.
Provides the ability to publish Microsoft Exchange services such as Outlook Web Access (OWA) and
Outlook Anywhere (previously RPC over HTTPS)
Description
Reverse proxy
SSL certificate
The reverse proxy service caters for HTTPS sites using an SSL certificate. Select one of the following options to specify the SSL certificate to use:
Built-in: Select this option to use Advanced Firewall's built-in SSL certificate.
Custom certificate: Select this option to upload a custom certificate and key file.
Note: The certificate and key files must be distinct and separate and they must be in the unencrypted PEM format.
To upload a custom certificate and key:
1. Key: Click the Choose file/Browse button and browse to and select the key. Click Upload to upload the certificate.
Tip:
You can use the XCA certificate and key management client to import and
export your SSL certificates and key files in any standard format.
Description
Intrusion prevention
Advanced Firewall's intrusion prevention system (IPS) policies stop intrusions such as known and zero-day attacks, undesired access and denial of service. Select Enable apply to apply an enabled IPS policy. For more information, see Managing the Intrusion System on page 114.
Failback internal address
4. Click Save to save the global options. In the Manage rule area, configure the following settings:
Setting
Description
Name
External address
Enter the URL, domain or IP address of the site you want to publish in the following format: http://example.com, https://www.example.com/, http://.example.com or http://example.com/path/
You must include http or https in the address. You can also enter a path to the site you want to publish in the URL.
Note: When configuring www.example.com and example.com, they are treated as distinct and separate sites, unless you use a wildcard for the domain. To use a wildcard, specify it as: .example.com
Internal address
Enter the protocol with the IP address, or IP address and port, of the web server, e.g. http://192.168.1.1, https://192.168.1.1 or http://192.168.1.1:1234
A port number is optional on the internal address; this enables you to specify custom destination ports for various internal web servers. If no port is specified, Advanced Firewall will default to 80 for HTTP sites and 443 for HTTPS sites.
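The following block is an added example, not Advanced Firewall's implementation, showing how the external and internal address formats described above can be parsed into a rule and matched against an incoming request: a leading dot on the external host acts as a wildcard covering the bare domain and all subdomains, a path on the external address limits the rule to that path prefix, and the internal port defaults to 80 or 443 by scheme. The helper names and the sample rules are constructed for illustration.

```javascript
// Added example (not Advanced Firewall's own code): reverse proxy rule parsing and matching.

// Parse "scheme://host[:port][/path]" into its parts; returns null on a malformed value.
function parseAddress(addr) {
  const m = /^(https?):\/\/([^\/:]+)(?::(\d{1,5}))?(\/.*)?$/i.exec(addr.trim());
  if (!m) return null;
  return {
    scheme: m[1].toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : null,
    path: m[4] || "/",
  };
}

// Build a rule from the External address and Internal address fields.
function parseRule(external, internal) {
  const ext = parseAddress(external);
  const inner = parseAddress(internal);
  if (!ext || !inner) throw new Error("address must start with http:// or https://");
  return {
    scheme: ext.scheme,
    // A leading dot (".example.com") makes the host a wildcard for the domain and its subdomains.
    wildcard: ext.host.startsWith("."),
    host: ext.host.replace(/^\./, ""),
    path: ext.path,
    target: {
      scheme: inner.scheme,
      host: inner.host,
      // No port given: default to 80 for HTTP and 443 for HTTPS internal servers.
      port: inner.port !== null ? inner.port : (inner.scheme === "https" ? 443 : 80),
    },
  };
}

// Does an incoming request (scheme, Host header, request path) match the rule?
function ruleMatches(rule, scheme, host, path) {
  if (scheme.toLowerCase() !== rule.scheme) return false;
  const h = host.toLowerCase();
  // Without a wildcard, www.example.com and example.com are distinct sites.
  const hostOk = rule.wildcard
    ? (h === rule.host || h.endsWith("." + rule.host))
    : h === rule.host;
  if (!hostOk) return false;
  // A rule with a path publishes only that path prefix; "/" publishes the whole site.
  const prefix = rule.path.replace(/\/+$/, "");
  return prefix === "" || path === prefix || path.startsWith(prefix + "/");
}

// First matching rule wins; null means no rule publishes this request.
function selectTarget(rules, scheme, host, path) {
  for (const r of rules) {
    if (ruleMatches(r, scheme, host, path)) return r.target;
  }
  return null;
}
```

Rule order matters when a wildcard rule and a more specific rule overlap, so list the specific (path or exact host) rules first when building a rule set.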
Click Save. Advanced Firewall enables and deploys the reverse proxy service and lists it in the Rules
area.
Repeat the steps above to enable, configure and deploy more rules.
SNMP
Simple Network Management Protocol (SNMP) is part of the IETF's Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes.
Advanced Firewall's SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:
Select Enabled and enter the SNMP community password into the Community text field. The default value public is the standard SNMP community.
Click Save.
Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by Advanced Firewall's SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.
Note: To access the SNMP service, remote access permissions for the SNMP service must be configured.
For further information, see Chapter 13, Configuring Administration and Access Settings on
page 272.
DNS
The following sections discuss domain name system (DNS) services in Advanced Firewall.
Setting
Description
IP address
Hostname
Enter the hostname that you would like to resolve to the IP address.
Comment
Enabled
Click Add. The static host is added to the Current hosts table.
Setting
Description
Interfaces
Select each interface that should be able to use the DNS proxy.
Advanced
Forward SRV & SOA records Optionally, select this setting to stop the DNS proxy
from filtering out SRV & SOA records. Any such filtering would prevent SIP, Kerberos
and other services from functioning.
Click Save.
Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup
process of Advanced Firewall, the system will use the DNS proxy for name resolution.
hn.org
easydns.com
dyndns.org (Dynamic)
dyndns.org (Custom)
dyndns.org (Static)
dyns.cx
no-ip.com
ods.org
ez-ip.net
zoneedit.com
Description
Service
From the drop-down list, select your dynamic DNS service provider.
Behind a proxy Select if your service provider is no-ip.com and the system is behind a web
proxy.
Enable wildcards
Select to specify that sub-domains of the hostname should resolve to the same
IP address, for example domain.dyndns.org and
sub.domain.dyndns.org will both resolve to the same IP.
Note: This option cannot be used with no-ip.com, it must be selected from
their web site.
Hostname
Enter the hostname registered with the dynamic DNS service provider.
Note: This is not necessary when using dyndns.org as the service provider.
Domain
Enter the domain registered with the dynamic DNS service provider.
Username
Enter the username registered with the dynamic DNS service provider.
Password
Enter the password registered with the dynamic DNS service provider.
Comment
Enabled
Click Add. The dynamic host will be added to the Current hosts table.
Note: Dynamic DNS service providers do not like updating their records when an IP address has not
changed, and may suspend the user accounts of users they deem to be abusing their service.
Configuration Overview
Configuring a message censor policy entails:
Defining custom categories required to cater for situations not covered by the default Advanced
Firewall phrase lists, for more information, see Creating Custom Categories on page 109
Configuring time periods during which policies are applied, for more information, see Setting Time
Periods on page 110
Configuring filters which classify messages by their textual content, for more information, see
Creating Filters on page 111
Configuring and deploying a policy consisting of a filter, an action, a time period and level of severity,
see Creating and Applying Message Censor Policies on page 113.
Browse to the Services > Message censor > Custom categories page.
Description
Name
Comment
Phrases
Click Add. Advanced Firewall adds the custom category to the current categories list and makes it
available for selection on the Services > Message censor > Filters page.
Browse to the Services > Message censor > Custom categories page.
In the Current categories area, select the category and click Edit.
In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
Browse to the Services > Message censor > Custom categories page.
In the Current categories area, select the category or categories and click Remove.
Setting
Description
Active from / to
Name
Comment
Click Add. Advanced Firewall creates the time period and makes it available for selection on the
Services > Message censor > Policies page.
In the Current time periods area, select the time and click Edit.
In the Time period settings, edit the settings. When finished, click Add to save your changes.
In the Current time periods area, select the period(s) and click Remove.
Creating Filters
Advanced Firewall uses filters to classify messages according to their textual content. Advanced
Firewall supplies a default filter. You can create, edit and delete filters. You can also create custom
categories of phrases for use in filters, for more information, see Creating Custom Categories on
page 109.
Setting
Description
Name
Comment
Click Add. Advanced Firewall creates the filter and makes it available for selection on the Services >
Message censor > Policies page.
Editing Filters
You can add, change or delete categories in a filter.
To edit a filter:
1. In the Current filters area, select the filter and click Edit.
In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
Deleting Filters
You can delete filters which are no longer required.
To delete filters:
1. In the Current filters area, select the filter(s) and click Remove.
Description
Service
Filter
From the drop-down menu, select a filter to use. For more information on filters, see
Creating Filters on page 111.
Time period
From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 110.
Action
Log severity level
Based on the log severity level, you can configure Advanced Firewall to send an alert
if the policy is violated.
From the drop-down list, select a level to assign to the content if it violates the policy.
See Chapter 12, Configuring the Inappropriate Word in IM Monitor Alert on page 232
for more information.
Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies
the policy and adds it to the list of current policies.
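To make the relationship between custom categories, filters, time periods and policies concrete, here is an added example model of that pipeline. It is not Smoothwall's message censor code: the category names, phrases, time period and sample messages are all constructed, and phrase matching is a simple case-insensitive whole-word test standing in for whatever matching the product performs.

```javascript
// Added example (not Smoothwall's implementation): message censor policy model.

// Custom categories: a name mapped to the phrases that define it (constructed).
const categories = {
  "Confidential data": ["account number", "sort code", "password is"],
  "Abuse": ["idiot", "loser"],
};

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// A filter is a set of categories; classify() returns those whose phrases occur in the text.
function classify(text, filter) {
  const hits = [];
  for (const cat of filter.categories) {
    const phrases = categories[cat] || [];
    const matched = phrases.some(p =>
      new RegExp("\\b" + escapeRegex(p) + "\\b", "i").test(text));
    if (matched) hits.push(cat);
  }
  return hits;
}

// Time period as "HH:MM" from/to, checked against a Date in local time.
function inPeriod(period, date) {
  const mins = date.getHours() * 60 + date.getMinutes();
  const [fh, fm] = period.from.split(":").map(Number);
  const [th, tm] = period.to.split(":").map(Number);
  return mins >= fh * 60 + fm && mins < th * 60 + tm;
}

// A policy = filter + time period + action + log severity level.
// Returns the action to take and the categories hit when violated, else null.
function evaluatePolicy(policy, text, date) {
  if (!inPeriod(policy.period, date)) return null;
  const hits = classify(text, policy.filter);
  if (hits.length === 0) return null;
  return { action: policy.action, severity: policy.severity, categories: hits };
}

// Constructed sample configuration.
const workHours = { name: "Working hours", from: "09:00", to: "17:30" };
const dataLeakPolicy = {
  filter: { name: "Data leakage", categories: ["Confidential data"] },
  period: workHours,
  action: "block",
  severity: "high",
};
```

Because the result carries the severity level, an alerting layer can decide per policy whether a violation is merely logged or also raises an alert, which is the role the Log severity level setting plays above.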
Editing Policies
You can add, change or delete a policy.
To edit a policy:
1. In the Current policies area, select the policy and click Edit.
Edit the settings as required, see Creating and Applying Message Censor Policies on page 113 for
information on the settings available. When finished, click Add to save your changes.
Deleting Policies
You can delete policies which are no longer required.
To delete policies:
1. Browse to the Services > Message censor > Policies page.
In the Current policies area, select the policy or policies and click Remove.
Description
IDS Policy
From the drop-down list, select the policy you want to deploy. See About the Default
Policies on page 114 for more information on the policies available.
You can select from the default policies provided with Advanced Firewall or
customize a policy to suit your network, see Chapter 8, Creating Custom Policies
on page 117.
Interface
From the drop-down list, select the interface on which you want to deploy the
policy.
Comment
Enabled
Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.
In the Current IDS policies area, select the policy you want to remove.
Description
IPS Policy
From the drop-down list, select the policy you want to deploy. See About the Default
Policies on page 114 for more information on the policies available.
You can select from the default policies provided with Advanced Firewall or
customize a policy to suit your network, see Chapter 8, Creating Custom Policies
on page 117.
Comment
Enabled
Click Add. Advanced Firewall lists the policy in the Current IPS policies area.
In the Current IPS policies area, select the policy you want to remove.
Tip:
If the list of signatures takes some time to load, try upgrading to the latest version of your browser to
speed up the process.
Setting
Description
Name
Comment
Signatures
From the list, select the signatures you want to include in the policy. For information
on how to add custom signatures, see Uploading Custom Signatures on page 118.
Click Add. Advanced Firewall creates the policy and lists it in the Current policies area.
The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.
Description
Custom signatures
Click Browse to locate and select the signatures file you want to upload.
Click Upload to upload the file. Advanced Firewall uploads the file and
makes it available for inclusion in detection and prevention policies on the
Services > Intrusion system > Policies page.
Note: Use custom signatures with caution as Advanced Firewall cannot
verify custom signature integrity.
Setting
Description
Oink code
If you have signed up with Sourcefire to use their signatures, enter your Oink code here.
Click Update to update and apply the latest signature set. Advanced
Firewall downloads the signature set and makes it available for inclusion in
detection and prevention policies on the Services > Intrusion system >
Policies page.
Note: Updating the signatures can take several minutes.
Click Save. Any custom signatures you have uploaded to Advanced Firewall or Sourcefire VRT
signatures you have downloaded to Advanced Firewall will be listed on the Services > Intrusion
system > Policies page. For information on deploying intrusion policies, see Deploying Intrusion
Detection Policies on page 114 and Deploying Intrusion Prevention Policies on page 115.
On the Services > Intrusion system > Signatures page, click Delete.
Advanced Firewall prompts you to confirm the deletion. Click Confirm, Advanced Firewall deletes
the signatures.
DHCP
Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to
automatically obtain IP address and other network settings.
Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:
Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
Enabling DHCP
To enable DHCP:
1
Setting
Description
Enabled
Server
Relay (forwarding proxy)
Enable logging
Description
DHCP Subnet
Subnet name
Network
Enter the IP address that specifies the network ID of the subnet when
combined with the network mask value entered in the netmask field. For
example: 192.168.10.0.
Netmask
Primary DNS
Enter the value that a requesting network host will receive for the primary DNS
server it should use.
Secondary DNS
Optionally, enter the value that a requesting network host will receive for the
secondary DNS server it should use.
Setting
Description
Default gateway
Enter the value that a requesting network host will receive for the default
gateway it should use.
Primary WINS
Optionally, enter the value that a requesting network host will receive for the
primary WINS server it should use. This is often not required on very small
Microsoft Windows networks.
Secondary WINS
Optionally, enter the value that a requesting network host will receive for the
secondary WINS server it should use. This is often not required on very small
Microsoft Windows networks.
Primary NTP
Optionally, enter the IP address of the Network Time Protocol (NTP) server
that the clients will use if they support this feature.
Tip: Enter Advanced Firewall's IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 269 for more information.
Secondary NTP
Default lease time (mins)
Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
TFTP server
Enter which Trivial File Transfer Protocol (TFTP) server workstations will use
when booting from the network.
Network boot
filename
Specify to the network booting client which file to download when booting off
the above TFTP server.
Domain name
suffix
Enter the domain name suffix that will be appended to the requesting host's
hostname.
Automatic proxy
config URL
Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.
Custom DHCP
options
Any custom DHCP options created on the Services > DHCP > Custom
options page are listed for use on the subnet. For more information, see
Creating Custom DHCP Options on page 125.
Click Save.
Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.
From the DHCP Subnet drop-down list, select the subnet and click Select.
Click Save.
From the DHCP Subnet drop-down list, select the subnet and click Select.
Click Delete.
Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
Description
Start
address
Enter the start of an IP range over which the DHCP server should supply dynamic
addresses from.
This address range should not contain the IPs of other machines on your LAN with
static IP assignments.
End
address
Enter the end of an IP range over which the DHCP server should supply dynamic
addresses to. For example, enter 192.168.10.15.
This address range should not contain the IPs of other machines on your LAN with
static IP assignments.
Comment
Enabled
Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.
Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
Scroll to the Add a new static assignment area and configure the following settings:
Setting
Description
MAC address
Enter the MAC address of the network host's NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal numbers, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC
IP address
Comment
Enabled
Click Add static. The static assignment is added to the Current static assignments table.
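The dynamic range and static assignment inputs above carry two easily violated constraints: a MAC address must be six hexadecimal pairs with any single separator, and a dynamic range should lie inside the subnet and not contain any statically assigned IP. The block below is an added example, not Advanced Firewall's code, that validates both in the way an administrator might before entering the values; the subnet, static assignment and range values are constructed.

```javascript
// Added example (not Advanced Firewall's own code): validating DHCP subnet inputs.

// Convert a dotted IPv4 address to an unsigned integer; throws on malformed input.
function ipToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad IPv4 address: " + ip);
    return acc * 256 + Number(p);
  }, 0);
}

// Normalize "12 34 56 78 9A BC", "12:34:56:78:9a:bc" or "12-34-56-78-9A-BC" to
// lower-case colon form; returns null unless the value is exactly six hex pairs.
function normalizeMac(raw) {
  const pairs = raw.trim().split(/[^0-9a-fA-F]+/).filter(Boolean);
  if (pairs.length !== 6 || !pairs.every(p => /^[0-9a-fA-F]{2}$/.test(p))) return null;
  return pairs.map(p => p.toLowerCase()).join(":");
}

// Is ip inside the subnet given by its network address and netmask?
function inSubnet(ip, network, netmask) {
  const mask = ipToInt(netmask);
  // JS bitwise ops are 32-bit signed; ">>> 0" returns the unsigned result.
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

// Check a dynamic range against the subnet and the current static assignments.
// Returns a list of problems; an empty list means the range is acceptable.
function checkDynamicRange(subnet, start, end, statics) {
  const problems = [];
  const s = ipToInt(start);
  const e = ipToInt(end);
  if (s > e) problems.push("start address is after end address");
  if (!inSubnet(start, subnet.network, subnet.netmask)) problems.push("start address is outside the subnet");
  if (!inSubnet(end, subnet.network, subnet.netmask)) problems.push("end address is outside the subnet");
  const netInt = ipToInt(subnet.network);
  const bcast = (netInt | ~ipToInt(subnet.netmask)) >>> 0;
  if (s === netInt) problems.push("range starts at the network address");
  if (e === bcast) problems.push("range ends at the broadcast address");
  // Static assignments must not sit inside the dynamic range.
  for (const a of statics) {
    const v = ipToInt(a.ip);
    if (v >= s && v <= e) problems.push("static assignment " + a.ip + " (" + a.mac + ") lies inside the range");
  }
  return problems;
}

// Constructed sample subnet and static assignment.
const sampleSubnet = { network: "192.168.10.0", netmask: "255.255.255.0" };
const sampleStatics = [{ ip: "192.168.10.5", mac: normalizeMac("12 34 56 78 9A BC") }];
```

Running checkDynamicRange before saving a range catches the overlap the guide warns about; the same overlap on the live server would hand a static host's address to a dynamic client and produce an address conflict.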
Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
Scroll to the Add a new static assignment from ARP table area:
Select one or more MAC addresses from those listed and click Add static from ARP table.
Click Save.
Select Show free leases and click Update. The following information is displayed:
Field
Description
IP address
The IP address assigned to the network host which submitted a DHCP request.
Start time
The start time of the DHCP lease granted to the network host that submitted a DHCP
request.
End time
The end time of the DHCP lease granted to the network host that submitted a DHCP
request.
MAC
address
The MAC address of the network host that submitted a DHCP request.
Hostname
The hostname assigned to the network host that submitted a DHCP request.
State
DHCP Relaying
Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server
and re-route DHCP responses back to the requesting host.
To configure DHCP relaying:
1. Connect to Advanced Firewall and navigate to the Services > DHCP > DHCP relay page.
Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary
DHCP server and Secondary DHCP server fields. Click Save.
Note: DHCP relaying must be enabled on the Services > DHCP > Global page.
Description
Option code From the drop-down list, select the code to use.
The codes available are between the values of 128 and 254, with 252 excluded as
it is already allocated.
Option type
Description
Enter a description for the option. This description is displayed on the Services >
DHCP > DHCP server page.
Comment
Enabled
Click Add. Advanced Firewall creates the option and lists it in the Current custom options area. For
information on using custom options, see Creating a DHCP Subnet on page 120.
Chapter 9
Description
IPSec site-to-site
Mobile user VPN support using Microsoft Windows 2000 and XP, as well
as older versions of Windows. No client software required; the software is
part of the Windows operating system.
IPSec road warriors Mobile user VPN support using IPSec road warriors clients such as
SafeNet SoftRemote, as well as others.
SSL VPN
Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user's computer/laptop.
Authentication
Certificate
management
Full certificate management controls built into the interface, with import and
export capabilities in a number of formats. Self-signed certificates can be
generated.
Tunnel controls
Internal VPNs
Logging
What is a VPN?
A VPN, in the broadest sense, is a network route between computer networks, or individual
computers, across a public network. The public network, in most cases, is the Internet. Typically, a
VPN replaces a leased line or other circuit which is used to link networks together over some
geographic distance.
In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN
can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are
usually referred to as road warriors.
The P in VPN technologies refers to the encryption and authentication employed to maintain an
equivalent level of privacy that one would expect using a traditional circuit which a VPN typically
replaces.
There are several technologies which implement VPNs. Some are wholly proprietary, others are open
standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well
Authenticate the other end of a VPN connection, i.e. ensure it can be identified and trusted.
Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
Encrypt all data presented to the VPN tunnel into secure data packets.
Route all data received from the tunnel to the correct computer on the LAN.
Administrator Responsibilities
A network administrator has three responsibilities:
Configure authentication: define a secure means for each VPN gateway to identify the other.
Description
Usually referred to as PSK, this is a simplistic authentication method
based on a password challenge.
For more information, see PSK Authentication on page 129.
X509
Authentication
method
Description
Username/password: In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.
A more in depth examination of the PSK and X509 authentication methods can be found in the
following sections, including recommendations for the usage of each.
PSK Authentication
To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a
shared password that only they know. When initiating a VPN connection, each gateway requests the
other's password. If the password received by each gateway matches the password stored by each
gateway, both gateways know that the other must be genuine. Hence, each gateway is authentic
and a secure, trusted VPN tunnel can be established.
The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up,
there are human and technological reasons that make this method unsuitable for larger
organizations. Password protection is easily circumvented as passwords are frequently written
down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also
require multiple tunnels to use the same password, which is highly undesirable if your organization
intends to create multiple road warrior VPN connections.
PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required.
While it is possible to create large VPN networks based entirely on PSK authentication, such a
scheme is likely to prove unmanageable in the long run and liable to misuse.
X509 Authentication
In this model, each VPN gateway is given a digital certificate that it can present to prove its identity,
much like a traveler can present his or her passport. Digital certificates are created and issued by a
trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its
citizens with passports. In the world of digital certificates, a CA can be called upon to validate the
authenticity of a certificate, in the same way that a government can be asked to validate a citizen's
passport.
Field: Description
Subject: Information about who the certificate was issued to, their country, company name etc.
Issuer
Certificate ID
Validity period: The start and expiry dates, during which time the certificate is valid.
A certificate contains information about both its owner, i.e. the subject, and its issuer, i.e. the CA.
However, this information alone does not show whether the certificate is a forgery; to prove absolute
authenticity, X509 utilizes public-key cryptography.
Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.
Alternatively, digital certificates can be leased from companies like Verisign or Thawte and then
imported, or they can be created by a separate CA such as the one included in Microsoft Windows
2000. The use of a local Advanced Firewall CA is recommended as a more convenient and equally
secure approach.
It is usual for a single CA to provide certificates for an entire network of peer systems, but there are
alternative schemes that use multiple CAs which will be discussed later.
Configuration Overview
The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior
VPNs, internal VPNs and management in great depth.
As an overview to these sections, these are the steps required to create a typical site-to-site VPN
connection:
1. On the master Advanced Firewall system, create a local Certificate Authority. For details, see Creating a CA on page 131.
2. Create certificates for the master Advanced Firewall system and the remote Advanced Firewall system.
3. Install the master Advanced Firewall's certificate as its default local certificate.
4. Create a tunnel specification on the master Advanced Firewall system that points to the remote Advanced Firewall system.
5. Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced Firewall system.
6. Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
7. Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
8. Create a tunnel specification on the remote Advanced Firewall system that matches the one created by step 4.
10. Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 59.
Note: For VPN configuration tutorials, see VPN Tutorials on page 178.
Creating a CA
To create your own certificates for use in VPN tunnel authentication, you require access to at least
one CA. It is possible to purchase certificates from an externally managed CA, but this can be
inconvenient and costly. This section explains how to create a CA using Advanced Firewall.
If you already have a CA on your network, it may be useful to use that, in which case refer to Importing
Another CA's Certificate on page 133.
Setting: Description
Organization
Department
State or province
Country
Life time: From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days): If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.
Navigate to the VPN > VPN > Authorities page and configure the following settings:
Setting: Description
Name: In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format: From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available:
CA certificate in PEM - An ASCII (textual) certificate format commonly used by Microsoft operating systems. Select this format if the certificate is to be used on another Smoothwall System.
CA certificate in BIN - A binary certificate format; select this if the certificate is to be used on a system which requires this format. Consult the system's documentation for more information.
Click Export and choose to save the file to disk from the dialog box launched by your browser.
You can deliver the certificate to another system without any special security requirements since it
contains only public information.
Locate and open the CA's certificate that you wish to import.
Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority
certificates area.
Note: Deleting the local CA will invalidate all certificates that it has created.
Once the local CA has been deleted, the Create local Certificate Authority region will be displayed.
This change in layout occurs because a CA no longer exists on the Advanced Firewall system. The
Create local Certificate Authority region replaces the Delete local Certificate Authority region.
Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates
region and Advanced Firewall will not be able to authenticate any certificates created by it.
Managing Certificates
The following sections explain how to create, view, import, export and delete certificates in Advanced
Firewall.
Creating a Certificate
Once a local Certificate Authority (CA) has been created, you can generate certificates.
The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This
is because the Advanced Firewall VPN gateway is a separate entity to the CA, and therefore requires
its own certificate.
It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways,
i.e. all other Advanced Firewall systems.
To create a new signed certificate:
Scroll to the Create new signed certificate area and configure the following settings:
Setting: Description
ID type: From the drop-down menu, select the certificate's ID type. The options are:
No ID - Not recommended but available for inter-operability with other VPN gateways.
Host & Domain Name - Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name.
IP address - Recommended for site-to-site VPNs whose gateways use static IP addresses.
Email address - Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended.
ID value: Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. For a road warrior this is usually the user's email address.
Common name: Enter a common name for the certificate, for example Head Office.
Email: Enter an email address for the individual or host system that will own this certificate.
Organization
Department
State or province
Country
Life time: From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days): If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.
Click Create signed certificate. The certificate is listed in the Installed signed certificates area.
Reviewing a Certificate
You can review the content of a certificate. Reviewing certificates can be useful for checking
certificate content and validity.
To review a certificate:
1. Locate the certificate that you wish to view in the Installed signed certificates region.
2. Click the certificate name. The content is displayed in a new browser window.
Exporting Certificates
Any certificates you create for the purpose of identifying other network hosts must be exported so
that they can be distributed to their owner.
To export a certificate:
1. Navigate to the VPN > VPN > Certificates page and scroll to the Installed signed certificates area.
2. Select the certificate you want to export and configure the following settings:
Setting: Description
Export format: From the drop-down menu, select the format in which to export the certificate. The following formats are available:
Certificate in PEM - An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Advanced Firewall to Advanced Firewall VPN connections.
Certificate in DER - A binary certificate format for use with non-Advanced Firewall VPN gateways.
Private key in DER - Exports just the private key in binary for use with non-Advanced Firewall VPN gateways.
3. Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.
Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that
should only be known by the certificate owner.
Exporting in the PKCS#12 Format
In the Installed signed certificates region, locate and select the certificate that you wish to export.
Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your
browser software. The PKCS#12 file will be saved to the browser's local file system.
Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that
should only be known by the certificate owner.
Importing a Certificate
Advanced Firewall systems that do not have their own CA will be required to import and install a host
certificate to identify themselves. This is the normal process for secondary Advanced Firewall
systems, for example, branch office systems connecting to a head office that has an Advanced
Firewall system and CA.
To import a certificate:
1. Navigate to the VPN > VPN > Certificates page. In the Import certificates area, configure the following settings:
Setting: Description
Password: Enter the password that was specified when the certificate was created.
Import PKCS#12 filename
Import PEM filename
To import a certificate in PKCS#12 format:
2. Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.
Deleting a Certificate
To delete an installed certificate:
1. In the Installed signed certificates region, locate and select the certificate that you wish to delete.
2. Click Delete. The signed certificate will be removed from the Installed signed certificates region.
In the Default local certificate region, select the host's certificate from the Certificate drop-down list
and click Save. This certificate will now be used by default in all future tunnel specifications, unless
otherwise specified.
Recommended Settings
For Advanced Firewall to Advanced Firewall connections, the following settings are recommended
for maximum security and optimal performance:
Setting: Selection
Encryption: AES
Authentication type: ESP
Hashing algorithm: SHA
Compression: Enabled
On the Advanced Firewall at head office, browse to the VPN > VPN > IPSec subnets page.
Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to
Advanced Firewall connections, many settings can be left at their default values.
However, for maximum compatibility with other VPN gateways, some settings may require
adjustment. This section describes each parameter that can be configured when creating an IPSec
tunnel. For more VPN tutorials, see VPN Tutorials on page 178.
Setting: Description
Name: Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled
Local IP: Enter the IP address of the external interface used on the local Advanced Firewall host.
Note: This field should usually be left blank to automatically use the default external IP (recommended).
Local network: Specify the local subnet that the remote host will have access to.
Local ID type: From the drop-down list, select the type of the ID that will be presented to the remote system. The choices available are:
Default local Certificate Subject - Uses the subject field of the default local certificate as the local certificate ID.
Local IP - Uses the local IP address of the host as the local certificate ID.
User specified Host & Domain Name - Uses a user specified host and domain name as the local certificate ID.
User specified IP address - Uses a user specified IP address as the local certificate ID.
User specified Email address - Uses a user specified email address as the local certificate ID.
User specified Certificate Subject - Uses a user specified certificate subject as the local certificate ID.
Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Local ID value: This field is only used if the local ID type is a User specified type (this is typically used when connecting to non-Advanced Firewall VPN gateways). In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).
Remote IP or hostname: Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network: Specify the remote subnet that the local host will have access to.
Remote ID type: From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices are:
Remote IP (or ANY if blank Remote IP) - The remote ID is the remote IP address or, if the Remote IP field is blank, any form of presented ID.
User specified Host & Domain Name - Allows the user to specify a custom host and domain name that the remote gateway is expected to present as its ID.
User specified IP address - Allows the user to specify a custom IP address that the remote gateway is expected to present as its ID.
User specified Email address - Allows the user to specify a custom email address that the remote gateway is expected to present as its ID.
User specified Certificate Subject - Allows the user to specify a custom certificate subject string that the remote gateway is expected to present as its ID (typically used for non-Advanced Firewall VPN gateways).
Remote ID value: Enter the value of the ID used in the certificate that the remote peer is expected to present.
Authenticate by
Preshared key: Enter the preshared key when PSK is selected as the authentication method.
Preshared key again: Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Use compression
Initiate the connection: Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Comment: Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.
Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they
can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections.
Setting: Description
Local certificate
Interface: Select which interface will be used for this connection, either an external or an internal interface. PRIMARY means the connection will be on the external interface.
Perfect Forward Secrecy: Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
Authentication type: Select the authentication type used during the authentication process. This setting should be the same on both tunnel specifications of two connecting gateways.
ESP - Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
AH - IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Phase 1 cryptographic algo: Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES - A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
AES 128 - Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
AES 256 - Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
Phase 1 hash algo: Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5 - A cryptographic hash function with a 128-bit output. Recommended for faster performance and compatibility.
SHA - Secure Hash Algorithm produces a 160-bit output and is the US government's hashing standard. Recommended for maximum security.
Phase 2 cryptographic algo: Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.
Phase 2 hash algo: Selects the hashing algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.
Key life: Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
Key tries: Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
IKE lifetime: Set how frequently, in minutes, the Internet Key Exchange keys are re-exchanged.
Do not rekey: Select to disable re-keying. This can be useful when working with NAT-ed endpoints.
Local internal IP: This optional setting is used when Advanced Firewall itself sends traffic in the IPsec tunnel. Enter the IP of the network interface to use when Advanced Firewall itself sends traffic in the tunnel.
Note: If you do not use this setting, Advanced Firewall will not, itself, be able to send traffic in the IPsec tunnel.
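The recommended-settings table and the advanced settings above can be turned into a simple lint of a tunnel specification. This is an added example, not Advanced Firewall code; the field names are assumed equivalents of the settings in the tables.

```python
"""Lint an IPSec tunnel's advanced settings against the recommendations in the
tables above (ESP, AES, SHA, PFS, key life, key tries).  Added example, not
part of Advanced Firewall; the field names are assumed equivalents of the
settings listed in the tables."""
from dataclasses import dataclass
from typing import List

STRONG_CRYPTO = {"AES 128", "AES 256"}   # 3DES is kept only for compatibility
KEY_LIFE_MAX_MINUTES = 60                # the table's default and maximum value
# Settings the tables say must be the same on both tunnel specifications.
PEER_AGREED = ("authentication_type", "phase1_crypto", "phase2_crypto",
               "phase1_hash", "phase2_hash", "pfs")


@dataclass
class AdvancedSettings:
    name: str
    initiate_connection: bool         # the "Initiate the connection" tick box
    authentication_type: str = "ESP"  # ESP or AH
    phase1_crypto: str = "AES 256"    # 3DES, AES 128 or AES 256
    phase2_crypto: str = "AES 256"
    phase1_hash: str = "SHA"          # MD5 or SHA
    phase2_hash: str = "SHA"
    pfs: bool = True                  # Perfect Forward Secrecy
    compression: bool = True
    key_life_minutes: int = 60
    key_tries: int = 0                # 0 means retry for ever
    do_not_rekey: bool = False


def lint_tunnel(spec: AdvancedSettings) -> List[str]:
    """Return one finding per setting that departs from the recommended values.
    An empty list means the specification follows the recommendations."""
    findings: List[str] = []
    auth = spec.authentication_type.upper()
    if auth == "AH":
        findings.append("Authentication type AH: integrity only, no encryption; use ESP")
    elif auth != "ESP":
        findings.append(f"Authentication type {spec.authentication_type!r} not recognised; use ESP")
    for phase, algo in (("Phase 1", spec.phase1_crypto), ("Phase 2", spec.phase2_crypto)):
        if algo.upper() == "3DES":
            findings.append(f"{phase} cryptographic algo 3DES: compatibility only; use AES 256")
        elif algo not in STRONG_CRYPTO:
            findings.append(f"{phase} cryptographic algo {algo!r} not recognised; use AES 256")
    for phase, algo in (("Phase 1", spec.phase1_hash), ("Phase 2", spec.phase2_hash)):
        if algo.upper() == "MD5":
            findings.append(f"{phase} hash algo MD5: compatibility only; use SHA")
        elif algo.upper() != "SHA":
            findings.append(f"{phase} hash algo {algo!r} not recognised; use SHA")
    if not spec.pfs:
        findings.append("Perfect Forward Secrecy off: a compromised key exposes earlier traffic")
    if not spec.compression:
        findings.append("Compression off: the recommended settings enable it")
    if spec.key_life_minutes > KEY_LIFE_MAX_MINUTES:
        findings.append(f"Key life {spec.key_life_minutes} min exceeds the 60 minute maximum")
    # Edge case from the Key tries description: a gateway that does not initiate
    # must not retry for ever, or it re-keys a dropped tunnel it cannot bring up.
    if spec.key_tries == 0 and not spec.initiate_connection:
        findings.append("Key tries 0 on a non-initiating gateway: set a finite retry count")
    if spec.do_not_rekey:
        findings.append("Do not rekey set: keys are never refreshed, so Key life no longer limits exposure")
    return findings


def mismatched_settings(local: AdvancedSettings, remote: AdvancedSettings) -> List[str]:
    """Names of the settings that differ between two peers but must agree."""
    return [f for f in PEER_AGREED if getattr(local, f) != getattr(remote, f)]


if __name__ == "__main__":
    # Constructed sample: head office responds, branch initiates with legacy settings.
    hq = AdvancedSettings("hq-to-branch", initiate_connection=False, key_tries=3)
    branch = AdvancedSettings("branch-to-hq", initiate_connection=True,
                              phase1_crypto="3DES", phase1_hash="MD5", pfs=False)
    for spec in (hq, branch):
        print(spec.name, lint_tunnel(spec) or "OK")
    print("peers disagree on:", mismatched_settings(hq, branch))
```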
Prerequisite Overview
Before you start, you must do the following:
1. Create a CA on the local system. For information on how to do this, see Creating a CA on page 131.
2. Create certificates for the local and remote systems using Host and Domain Name as the ID type. For information on how to do this, see Creating a Certificate on page 134.
3. Install the local certificate as the default local certificate on the local system. For information on how to do this, see Importing a Certificate on page 136.
4. Export the CA certificate in PEM format. For information on how to do this, see Exporting Certificates on page 135.
5. Export the remote certificate in the PKCS#12 container format. For information on how to do this, see Exporting in the PKCS#12 Format on page 136.
6. Import and install the certificate as the default local certificate on the remote system. For information on how to do this, see Importing a Certificate on page 136.
Once the above steps have been completed, proceed with creating tunnel specifications on the
local and remote systems as detailed in the following sections.
On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting: Description
Name
Enabled
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access.
Remote ID type: From the drop-down list, select User specified Host & Domain Name.
Remote ID value: Enter the ID value (the hostname) of the secondary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression
Initiate the connection
Comment
Click Add to create the tunnel specification and list it in the Current tunnels area:
The advanced settings are left to their default values in this example. The next step is to create a
matching tunnel specification on the remote system.
On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting: Description
Name
Enabled
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Local ID type
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.
Remote network: Enter the network on the primary system that the secondary system will be able to access.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system's certificate type of Host and Domain Name, as listed in Prerequisite Overview on page 144.
Remote ID value: Enter the ID value (the hostname) of the primary system's default local certificate.
Authenticate by
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression
Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.
Comment
Click Add. All advanced settings can be safely left at their defaults.
On the primary system, navigate to the VPN > VPN > Control page.
In the Manual control region, identify the current status of the VPN system. If the status is Running,
you do not need to do anything. If the status is Stopped, click Restart.
On the secondary system, navigate to the VPN > VPN > Control page.
In the Manual control region, identify the current status of the VPN system. If the status is Running,
you do not need to do anything. If the status is Stopped, click Restart.
On the secondary system, navigate to the VPN > VPN > Control page.
In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate
the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure
that appropriate zone bridging rules are configured. For further information, see Chapter 6,
Configuring Inter-Zone Security on page 59.
On the primary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting: Description
Name
Enabled
Local IP
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the primary system's external IP address.
Local ID value
Remote IP or hostname
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.
Preshared Key: Enter a passphrase.
Preshared Key again
Use compression
Initiate the connection
Comment
Click Add. All advanced settings can be safely left at their defaults. Advanced Firewall lists it in the
Current tunnels area. The next step is to create a matching tunnel specification on the remote
system.
On the secondary system, navigate to the VPN > VPN > IPSec subnets page and configure the following settings:
Setting: Description
Name
Enabled
Local IP
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the primary system's external IP address.
Local ID value
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus it requires a destination IP address in order to make first contact.
Remote network: Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).
Remote ID value
Authenticate by: From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.
Preshared Key: Enter the same passphrase as was entered in the Preshared Key field on the primary system.
Use compression
Initiate the connection: Select this option as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.
Comment
Click Add. All advanced settings can be safely left at their defaults.
On the primary system, navigate to the VPN > VPN > Control page.
In the Manual control region, identify the current status of the VPN system. If the status is Running,
you do not need to do anything. If the status is Stopped, click Restart.
On the secondary system, navigate to the VPN > VPN > Control page.
In the Manual control region, identify the current status of the VPN system. If the status is Running,
you do not need to do anything. If the status is Stopped, click Restart.
On the secondary system, navigate to the VPN > VPN > Control page.
In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate
the connection and bring the tunnel up.
Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure
that appropriate zone bridging rules are configured. For further information, see Chapter 6,
Configuring Inter-Zone Security on page 59.
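Both tutorials above depend on the primary and secondary tunnel specifications mirroring each other (networks swapped, the same authentication method, the expected peer ID, and the right side initiating). The following added example, not Advanced Firewall code, checks a pair of specifications for those mismatches; the field names, the hostnames and the address 203.0.113.1 are constructed assumptions.

```python
"""Check that a primary and a secondary IPSec subnet specification mirror each
other as the two tutorials above require (networks, authentication, IDs and
the initiating side).  Added example, not Advanced Firewall code; the field
names, hostnames and the 203.0.113.1 address are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List

CERT_AUTH = "Certificate provided by peer"
PSK_AUTH = "Preshared Key"
ID_HOSTNAME = "User specified Host & Domain Name"
ID_REMOTE_IP = "Remote IP (or ANY if blank Remote IP)"


def parse_network(text: str) -> ipaddress.IPv4Network:
    """Accept the guide's address/netmask form (192.168.10.0/255.255.255.0) or CIDR."""
    return ipaddress.IPv4Network(text.strip(), strict=True)


@dataclass
class SubnetSpec:
    name: str
    local_network: str
    remote_network: str
    authenticate_by: str
    initiate_connection: bool
    remote_ip: str = ""        # blank when the peer has a dynamic address
    remote_id_type: str = ID_REMOTE_IP
    remote_id_value: str = ""
    cert_id_value: str = ""    # ID value in this gateway's default local certificate
    preshared_key: str = ""


def check_pair(primary: SubnetSpec, secondary: SubnetSpec) -> List[str]:
    """Return mismatches between the two specifications; entries starting with
    'note:' are caveats rather than errors.  An empty list means the pair is consistent."""
    problems: List[str] = []
    sides = ((primary, secondary, "primary"), (secondary, primary, "secondary"))
    # Each side's Local network must be the other side's Remote network.
    for me, peer, label in sides:
        try:
            if parse_network(me.local_network) != parse_network(peer.remote_network):
                problems.append(f"{label} local network {me.local_network} is not "
                                f"the peer's remote network {peer.remote_network}")
        except ValueError as err:
            problems.append(f"{label}: bad network format ({err})")
    # Both must authenticate the same way; with PSK the passphrases must match.
    if primary.authenticate_by != secondary.authenticate_by:
        problems.append("Authenticate by differs between the two specifications")
    elif primary.authenticate_by == PSK_AUTH:
        if not primary.preshared_key:
            problems.append("Preshared Key is empty")
        elif primary.preshared_key != secondary.preshared_key:
            problems.append("Preshared keys differ")
    elif primary.authenticate_by == CERT_AUTH:
        # Certificate tutorial: each side expects the hostname in the peer's certificate.
        for me, peer, label in sides:
            if me.remote_id_type == ID_HOSTNAME and me.remote_id_value != peer.cert_id_value:
                problems.append(f"{label} expects remote ID {me.remote_id_value!r} but the "
                                f"peer's certificate ID is {peer.cert_id_value!r}")
    # The initiating side needs the peer's address to make first contact.
    for me, _, label in sides:
        if me.initiate_connection and not me.remote_ip:
            problems.append(f"{label} initiates but Remote IP or hostname is blank")
    if not (primary.initiate_connection or secondary.initiate_connection):
        problems.append("neither side initiates the connection")
    # PSK tutorial caveat: with a blank Remote IP the ANY remote ID accepts any
    # presented ID, so the passphrase is the only thing identifying the peer.
    for me, _, label in sides:
        if (me.authenticate_by == PSK_AUTH and not me.remote_ip
                and me.remote_id_type == ID_REMOTE_IP):
            problems.append(f"note: {label} accepts ANY remote ID; the passphrase alone identifies the peer")
    return problems


# Constructed sample specifications following the two tutorials.
CERT_PRIMARY = SubnetSpec("hq-to-branch", "192.168.10.0/255.255.255.0", "192.168.20.0/255.255.255.0",
                          CERT_AUTH, initiate_connection=False, remote_id_type=ID_HOSTNAME,
                          remote_id_value="branch.example", cert_id_value="hq.example")
CERT_SECONDARY = SubnetSpec("branch-to-hq", "192.168.20.0/255.255.255.0", "192.168.10.0/255.255.255.0",
                            CERT_AUTH, initiate_connection=True, remote_ip="203.0.113.1",
                            remote_id_type=ID_HOSTNAME, remote_id_value="hq.example",
                            cert_id_value="branch.example")
PSK_PRIMARY = SubnetSpec("hq-to-branch", "192.168.10.0/255.255.255.0", "192.168.20.0/255.255.255.0",
                         PSK_AUTH, initiate_connection=False, preshared_key="sample-passphrase")
PSK_SECONDARY = SubnetSpec("branch-to-hq", "192.168.20.0/255.255.255.0", "192.168.10.0/255.255.255.0",
                           PSK_AUTH, initiate_connection=True, remote_ip="203.0.113.1",
                           preshared_key="sample-passphrase")

if __name__ == "__main__":
    print("certificate pair:", check_pair(CERT_PRIMARY, CERT_SECONDARY) or "consistent")
    print("PSK pair:", check_pair(PSK_PRIMARY, PSK_SECONDARY))
```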
L2TP - L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.
IPSec - IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. IPSec road warriors can be configured to connect to any internal network.
Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 178.
Configuration Overview
Typically, a road warrior connection is configured as follows:
1. Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2. Decide which VPN protocol best suits your road warriors' needs: L2TP for Win 2000/XP, IPSec for all others.
3. Decide which internal networks and what IP ranges to allocate to road warriors.
4. Install the certificate and any necessary client software on the road warrior system and configure it.
5. Connect.
6. Ensure that inbound and outbound access to the road warrior has been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 59.
When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. Once connected, the road warrior client machine is, to all intents and purposes, on that internal network: it can route to other subnets, including other VPN-connected ones, and other machines on the same internal network can reach the client just as if it were plugged into the network directly.
Each road warrior must use a unique, unused IP address. Typically, you would set aside a group of addresses that lies outside both the DHCP range and the addresses statically assigned to machines such as servers.
When configuring a tunnel, the Client IP setting assigns the road warrior's IP address on the local network. This address must lie on the network that the road warrior connects to (specified globally for L2TP connections, and individually for each IPSec road warrior).
Each user requires their own tunnel, so create as many tunnels as there are road warriors.
Each connection can use different cryptographic and authentication settings.
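The address rules above (one unique Client IP per road warrior, inside the tunnel's Local network, outside the DHCP range and away from statically assigned hosts) are easy to get wrong by hand once there are more than a handful of users. The script below is an added example, not part of the Smoothwall manual or product: it plans a block of client IPs for a list of road warriors and validates an individual tunnel's Client IP against the same rules. The network, DHCP range, static hosts and user names are constructed sample data.

```python
"""Plan and validate road-warrior Client IP settings (added example, not Smoothwall code)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Network = ipaddress.IPv4Network
Address = ipaddress.IPv4Address


def _free_pool(local_network: str, dhcp_range: Tuple[str, str],
               static_hosts: Iterable[str]) -> Tuple[Network, List[Address]]:
    """Return the Local network and every host address in it that is neither
    inside the DHCP range nor statically assigned."""
    net = ipaddress.ip_network(local_network, strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    reserved = {ipaddress.ip_address(h) for h in static_hosts}
    pool = [a for a in net.hosts() if not (lo <= a <= hi) and a not in reserved]
    return net, pool


def plan_client_ips(local_network: str, dhcp_range: Tuple[str, str],
                    static_hosts: Iterable[str], users: Iterable[str]) -> Dict[str, str]:
    """Give each road warrior its own free address, counting down from the top
    of the network so the block stays clear of low-numbered servers."""
    _, pool = _free_pool(local_network, dhcp_range, static_hosts)
    users = list(users)
    if len(pool) < len(users):
        raise ValueError(f"only {len(pool)} free addresses for {len(users)} road warriors")
    return {user: str(addr) for user, addr in zip(users, reversed(pool))}


def validate_client_ip(local_network: str, client_ip: str, dhcp_range: Tuple[str, str],
                       static_hosts: Iterable[str], other_client_ips: Iterable[str]) -> List[str]:
    """Check one tunnel's Client IP against the rules; an empty list means it is acceptable."""
    net, pool = _free_pool(local_network, dhcp_range, static_hosts)
    ip = ipaddress.ip_address(client_ip)
    problems = []
    if ip not in net:
        problems.append(f"client IP {ip} is not inside local network {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"client IP {ip} is the network or broadcast address of {net}")
    elif ip not in pool:
        problems.append(f"client IP {ip} collides with the DHCP range or a static host")
    if ip in {ipaddress.ip_address(o) for o in other_client_ips}:
        problems.append(f"client IP {ip} is already assigned to another tunnel")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a /24 with a DHCP pool in the middle and two static hosts.
    net = "192.168.2.0/24"
    dhcp = ("192.168.2.100", "192.168.2.199")
    static = ["192.168.2.1", "192.168.2.10"]
    plan = plan_client_ips(net, dhcp, static, ["alice", "bob", "carol"])
    print(plan)
    for ip in ("192.168.2.150", "192.168.3.5", "192.168.2.254"):
        print(ip, validate_client_ip(net, ip, dhcp, static, plan.values()))
```

Run the validator against every tunnel before enabling it; the "already assigned" check is the one that catches the copy-and-paste mistake of cloning a working tunnel specification for a second user without changing its Client IP.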
Name: Enter a descriptive name for the tunnel.
Enabled
Local network: Enter the IP address and network mask combination of the local network. For example, 192.168.10.0/255.255.255.0.
Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, to restrict the connected road warrior to the single host 192.168.2.10, set the local network to 192.168.2.10/32. Accordingly, enter 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field.
Local ID type: From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections.
Local ID value
Remote ID type: From the drop-down list, select Remote IP (which is treated as ANY when the Remote IP field is blank). This is recommended because it allows the road warrior to present any form of valid ID.
Remote ID value: Enter the value of the ID used in the certificate that the road warrior is expected to present.
Authenticate by
Use compression
Comment
Advanced settings:
Local certificate: Used in less standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 171.
Interface: Specifies whether the road warrior will connect via an external IP or an internal interface.
Perfect Forward Secrecy: Enables PFS, so that each set of Phase 2 keys is derived from a fresh Diffie-Hellman exchange rather than from the Phase 1 keying material; previously captured VPN traffic then cannot be decrypted should a key currently in use be compromised. PFS is recommended for maximum security. Both VPN gateways must agree on the use of PFS.
Authentication type
Phase 1 cryptographic algo: Selects the encryption algorithm used for the first phase of VPN tunnel establishment (the IKE security association). This setting must be the same in the tunnel specifications of both connecting gateways.
3DES: Triple DES, using a 168-bit key (112 bits of effective strength). 3DES is still widely supported and is the default on many VPN gateways, so it is the most compatible choice, but it has been superseded by AES.
AES 128: The Advanced Encryption Standard replaced DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
AES 256: AES with a 256-bit key. Recommended for maximum security and performance.
Phase 1 hash algo: Selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting must be the same on both connecting gateways.
MD5: A cryptographic hash function producing a 128-bit digest. The faster and most widely supported choice, but MD5 is no longer considered secure as a general-purpose hash; use it only where the peer cannot negotiate SHA.
SHA: The Secure Hash Algorithm (SHA-1), producing a 160-bit digest, and the US government's hashing standard when this guide was written. Recommended for maximum security.
Phase 2 cryptographic algo: Selects the encryption algorithm used for the second phase of VPN tunnel establishment (the IPSec security association that carries the traffic). This setting must be the same on both connecting gateways. See Phase 1 cryptographic algo for more information on the options.
Phase 2 hash algo: Selects the hashing algorithm used for the second phase of VPN tunnel establishment. This setting must be the same on both connecting gateways. See Phase 1 hash algo for more information on the options.
Key life: Sets the duration for which a set of keys can be used. When the key life expires, new encryption keys are generated, which limits how much traffic any one key protects and so reduces the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
Key tries: Sets the maximum number of times the host will attempt to retry the connection before failing. The default value of zero tells the host to retry the re-key endlessly. A non-initiating VPN gateway should not use zero, because if an active connection drops it will persistently try to re-key a connection that it cannot initiate.
IKE lifetime: Sets how frequently the Internet Key Exchange keys are re-exchanged.
Do not Rekey: Turns off re-keying, which can be useful for example when working with NAT-ed end-points.
Click Add at the bottom of the page to add the tunnel to the list of current tunnels.
Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those
for a site-to-site IPSec connection. For details on the operation of each advanced control, see
Section 5.1 Introduction to Site to Site VPNs.
SafeNet SoftRemote LT
SafeNet SoftRemote 10
SafeNet SoftRemote 9
Mostly supported by Microsoft operating systems with built-in support on Windows 2000 and XP.
Creating a Certificate
The first task when creating an L2TP road warrior connection is to create a certificate. For further
information, see Creating a Certificate on page 134.
A road warrior certificate is typically created using the user's email address as the certificate ID.
On the VPN > VPN > Global page, configure the following settings:
L2TP and SSL VPN client configuration settings (DNS): Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users.
L2TP and SSL VPN client configuration settings (WINS): If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.
L2TP settings: From the drop-down list, select the internal network that L2TP road warriors will be connected to.
Click Save.
Click Advanced to display all settings and configure the following settings:
Name: Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.
Enabled
Client IP: Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.
Username
Password
Again
Authenticate by: From the drop-down list, select one of the following options:
Certificate presented by peer: If the certificate was created by a different CA, choose this option. Authenticating by a named certificate is recommended for ease of management.
Common Name's organization certificate: The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer's public certificate.
L2TP client OS: From the drop-down list, select the L2TP client's operating system.
Comment
Advanced settings:
Local certificate: From the drop-down list, select the default local certificate to present Advanced Firewall's default local certificate as proof of authenticity to the connecting road warrior.
Interface: Select PRIMARY.
Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.
setting a preshared key and configuring DNS and interface settings on the VPN > VPN > Global page
creating the tunnel on the VPN > VPN > L2TP roadwarriors page.
Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK)
authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road
warriors, must use the same authentication method, and, in the case of PSK, the same secret.
In practice, this means that if you want to create a tunnel between an iPhone-compatible device and
Advanced Firewall, you must:
not have any L2TP or IPSec road warriors, as they use certificates for authentication
not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for
subnet tunnels to unknown, remote IPs but the IPSec subnets would have to use PSK
authentication with the same shared secret as the iPhone-compatible device.
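Two rules from this chapter are easy to break when tunnels are created one at a time: the Phase 1 and Phase 2 algorithms (and the use of PFS) must match on both gateways, and, because Advanced Firewall can offer only one authentication method to peers whose address it does not know in advance, every tunnel with a blank Remote IP must use the same method and, for PSK, the same secret. The checker below is an added example, not part of the Smoothwall product or manual. TunnelSpec and its field names are this example's own model of a tunnel specification, not Advanced Firewall's, and the sample tunnels are constructed from the tutorial values used later in this chapter (Tunnel 1, preshared key loudspeaker, peers 100.0.0.1 and 200.0.0.1).

```python
"""Lint IPSec tunnel specifications for mismatches, legacy algorithms and the
single-method rule for peers at unknown addresses (added example, not Smoothwall code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TunnelSpec:
    """The subset of a tunnel specification this example reasons about.
    Field names are this example's own, not Advanced Firewall's."""
    name: str
    remote_ip: Optional[str]      # None or "" = blank Remote IP (road warriors, unknown peers)
    authenticate_by: str          # "psk" or "certificate"
    preshared_key: Optional[str] = None
    initiator: bool = True
    phase1_crypto: str = "3DES"
    phase1_hash: str = "MD5"
    phase2_crypto: str = "3DES"
    phase2_hash: str = "MD5"
    pfs: bool = True
    key_tries: int = 0


PHASES = ("phase1_crypto", "phase1_hash", "phase2_crypto", "phase2_hash")
LEGACY = {"3DES", "MD5"}


def lint_pair(local: TunnelSpec, remote: TunnelSpec) -> List[str]:
    """Compare the two ends of one site-to-site tunnel."""
    findings = []
    for attr in PHASES:
        a, b = getattr(local, attr), getattr(remote, attr)
        if a != b:
            findings.append(f"{attr} mismatch: {local.name}={a}, {remote.name}={b}")
    if local.pfs != remote.pfs:
        findings.append(f"PFS mismatch: {local.name}={local.pfs}, {remote.name}={remote.pfs}")
    for spec in (local, remote):
        # Key tries 0 means "retry forever"; a responder cannot start a re-key, so it would spin.
        if not spec.initiator and spec.key_tries == 0:
            findings.append(f"{spec.name}: non-initiating gateway with Key tries 0 "
                            "would retry a re-key it cannot initiate forever")
    return findings


def lint_strength(spec: TunnelSpec) -> List[str]:
    """Flag 3DES and MD5; keep them only where the peer cannot do AES/SHA."""
    return [f"{spec.name}: {attr}={getattr(spec, attr)} is legacy, prefer AES/SHA"
            for attr in PHASES if getattr(spec, attr) in LEGACY]


def lint_unknown_peers(specs: List[TunnelSpec]) -> List[str]:
    """Tunnels whose Remote IP is blank all answer the same initial contact, so the
    gateway can offer only one authentication method (and one PSK) to them."""
    unknown = [s for s in specs if not s.remote_ip]
    findings = []
    methods = sorted({s.authenticate_by for s in unknown})
    if len(methods) > 1:
        findings.append("tunnels with a blank Remote IP mix authentication methods: " + ", ".join(methods))
    secrets = {s.preshared_key for s in unknown if s.authenticate_by == "psk"}
    if len(secrets) > 1:
        findings.append(f"{len(secrets)} different preshared keys among tunnels with a blank Remote IP; "
                        "only one can be used")
    return findings


if __name__ == "__main__":
    # Constructed sample tunnels based on the chapter's tutorial values.
    a = TunnelSpec("Tunnel 1 (A)", "200.0.0.1", "psk", "loudspeaker")
    b = TunnelSpec("Tunnel 1 (B)", "100.0.0.1", "psk", "loudspeaker", phase1_hash="SHA", initiator=False)
    iphone = TunnelSpec("CEO's iPhone", None, "psk", "s3cret")
    l2tp = TunnelSpec("Joe Blogg's L2TP", None, "certificate")
    for finding in lint_pair(a, b) + lint_strength(a) + lint_unknown_peers([a, iphone, l2tp]):
        print(finding)
```

Feed it the specifications from both gateways before restarting the VPN system; a Phase 1 mismatch produces nothing more helpful than a tunnel that never comes up, and the unknown-peer rule is the one that silently breaks an existing certificate-authenticated road warrior the day an iPhone-style PSK tunnel is added.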
To configure an iPhone-compatible tunnel:
1. On the VPN > VPN > Global page, configure the following settings:
L2TP and SSL VPN client configuration settings: Enter the primary and secondary DNS settings.
2. Click Save. Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Name: Enter a descriptive name for the tunnel. For example: CEO's iPhone.
Enabled
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username
Password
Again
Comment
Authenticate by
L2TP client OS
3. Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.
4. On the iPhone-compatible device, navigate to Settings > General > Network > VPN and configure the following settings:
Description
Server
Account
RSA SecurID: Set to OFF.
Password
Secret
Proxy: Set to OFF.
5. Select Save to save the tunnel configuration. The tunnel is now ready for use.
Using NAT-Traversal
Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems.
IPSec normally carries its traffic as IP protocol 50 (ESP). ESP has no port numbers for a NAT device to translate, and in transport mode, as used by L2TP/IPSec, the checksum of the encapsulated packet also covers the original IP addresses, which the NAT device cannot rewrite because they are encrypted. The recipient VPN gateway therefore sees packets whose inner addressing still refers to the client's private (non-routable) address, and the VPN cannot work.
However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T encapsulates the IKE and ESP traffic in UDP (port 4500) instead of sending bare protocol 50, and UDP is handled correctly by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.
Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than protocol 50, for the reasons stated above.
Note: NAT-T is a VPN gateway feature, not a NATing feature.
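To see why bare ESP does not survive NAT while NAT-T does, it helps to look at the packets themselves. The script below is an added example, not code from Smoothwall: it builds minimal IPv4 packets for the three kinds of traffic a road warrior legitimately sends (IKE on UDP 500, NAT-T on UDP 4500, and ESP as IP protocol 50) and classifies any IPv4 packet accordingly. The UDP 4500 rules follow RFC 3948: an IKE message carries a four-byte zero non-ESP marker after the UDP header, UDP-encapsulated ESP starts with its non-zero SPI, and a NAT keepalive is a single 0xFF byte. The sample packets, addresses and payloads are constructed; checksums are left at zero, which is legal for UDP over IPv4 and good enough for classification.

```python
"""Classify IPSec-related IPv4 packets as IKE, NAT-T, ESP or other (added example, not Smoothwall code)."""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum zero) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(proto: int, payload: bytes, src: str = "10.1.1.2", dst: str = "198.51.100.1") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum zero) in front of the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def classify_ipv4(packet: bytes) -> str:
    """Return a label for the packet; labels starting with 'other' are not VPN traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_ESP:
        return "ESP (IP protocol 50)"
    if proto != IPPROTO_UDP:
        return f"other (IP protocol {proto})"
    if len(packet) < ihl + 8:
        return "other (truncated UDP)"
    sport, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "IKE (UDP 500)"
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "NAT-T keepalive (UDP 4500)"
        if len(payload) >= 8 and payload[:4] == b"\x00\x00\x00\x00":
            return "IKE over NAT-T (UDP 4500)"        # four-byte zero non-ESP marker
        if len(payload) >= 8:
            return "ESP in UDP (NAT-T, UDP 4500)"     # first four bytes are the non-zero SPI
        return "other (malformed UDP 4500)"
    return f"other UDP {sport}->{dport}"


def survives_nat(packet: bytes) -> bool:
    """Only UDP-carried IPSec traffic has ports that a NAT device can translate."""
    return classify_ipv4(packet).startswith(("IKE", "ESP in UDP", "NAT-T keepalive"))


def expected_from_road_warrior(packet: bytes) -> bool:
    """What an L2TP/IPSec road warrior should be emitting: IKE, NAT-T or ESP, nothing else."""
    return not classify_ipv4(packet).startswith(("other", "not IPv4"))


if __name__ == "__main__":
    # Constructed samples: an IKE message, the same over NAT-T, ESP with SPI 0x12345678, a keepalive, DNS.
    ike_hdr = b"\x00" * 28                                        # placeholder for a 28-byte IKE header
    esp = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"A" * 16   # SPI, sequence number, ciphertext
    samples = {
        "ike": build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, ike_hdr)),
        "ike_natt": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + ike_hdr)),
        "esp": build_ipv4(IPPROTO_ESP, esp),
        "esp_natt": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, esp)),
        "keepalive": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, b"\xff")),
        "dns": build_ipv4(IPPROTO_UDP, build_udp(5353, 53, b"\x00" * 12)),
    }
    for name, pkt in samples.items():
        print(f"{name:10} {classify_ipv4(pkt):32} nat_ok={survives_nat(pkt)} "
              f"expected={expected_from_road_warrior(pkt)}")
```

The same classifier doubles as a sanity check on host-based alerts: anything a road warrior sends that does not classify as IKE, NAT-T or ESP is not part of the VPN and deserves a look.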
Windows road warriors behind a NAT device need the Q818043 L2TP/IPSec NAT-T update. Information about this patch can be found at http://support.microsoft.com/?kbid=818043
The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/
One further requirement is that the road warrior user must be a member of the Administrator group
in order to install the necessary certificates into the Local Computer certificate store.
View the license and click Next to agree to it. The following screen is displayed:
Click Browse and open the CA certificate file as exported during the certificate creation process.
Click Next. The following dialog opens:
Click Browse to locate and select the road warrior's host certificate file. This must be a PKCS#12
file, typically saved as *.p12, as exported during the certificate creation process. Enter the password
and click Next.
The following screen is displayed:
Ensure that the Launch New Connection Wizard option is selected and click Install.
The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
Select Virtual Private Network connection and click Next. The following screen is displayed:
Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is
enabled.
Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500, UDP port 4500 and/or ESP (IP protocol 50) should flow from the road warrior when using a Smoothwall L2TP over IPSec connection. Alerts concerning that traffic alone can be safely ignored and the communication permitted; alerts about any other traffic from the road warrior should be investigated rather than dismissed.
Prerequisites
An installed default local certificate, see Setting the Default Local Certificate on page 137 for more
information.
Browse to the VPN > VPN > Global page. In the SSL VPN settings area, configure the following settings:
Transport protocol
Force clients to use SSL VPN as gateway: Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route through it, which is generally better because the policy is then enforced at the server end rather than left to the client.
SSL VPN client gateway(s)
Enable TLS authentication
Choose random gateway
Click Save to save the settings, and, at the top of the page, click Restart to apply the settings.
From the Select group drop-down list, select the group you want to disable from using SSL VPN
and then click Select. Advanced Firewall displays SSL VPN group settings.
De-select the Enable option and click Save. Advanced Firewall disables access.
Repeat the steps above for any other groups you want to disable from using SSL VPN.
Uploading Scripts
To upload scripts:
1. In the Select group area, accept the default settings to apply any uploaded scripts to all groups, or, from the Select group drop-down list, select the group to which the script(s) will be specifically deployed. Click Select.
2. To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.
3. When prompted, browse to and select the script. Click Upload preconnect script. Advanced Firewall uploads the script, displays the size of the script and a message confirming a successful upload.
4. Repeat the steps above to upload connect and disconnect scripts as required.
Removing Scripts
To remove scripts:
1. In the Select group area, accept the default settings to remove any uploaded scripts from all groups, or, from the Select group drop-down list, select the group from which the script(s) will be specifically removed. Click Select.
2. To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script. Advanced Firewall removes the script and displays a message confirming a successful removal.
3. Repeat the steps above to remove connect and disconnect scripts as required.
To generate the client archive:
1. On the VPN > VPN > Global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 162.
2. If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive; Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. See step 4 for what to do next.
3. If you want to include scripts in the archive, browse to the VPN > VPN > SSL roadwarriors page and configure the scripts. For information on how, see Managing Custom Client Scripts for SSL VPNs on page 164. Then click Generate client archive; Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location.
4. Once saved, distribute the archive to those users who will be using SSL VPN. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Making the SSL VPN Client Archive Available on page 85.
5. See Configuring and Connecting Clients on page 166 for information on how to install the SSL VPN software on clients.
Note: An archive can be used for both internal and external use. See Configuring SSL VPN on Internal Networks on page 165 for more information on internal use.
To configure SSL VPN on an internal network:
1. On the VPN > VPN > Global page, configure the SSL VPN settings, see Configuring VPN with SSL on page 162.
2. Click Advanced and, in the Additional SSL VPN client internal interfaces area, select the interface on which to deploy the SSL VPN.
3. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.
Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 162 for more information on external use.
4. Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Making the SSL VPN Client Archive Available on page 85.
Extract the client archive (see Configuring VPN with SSL on page 162) to a suitable location and double-click Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:
Accept the default components and click Next to continue. The following screen opens:
Accept the default destination folder or click Browse to select a different destination. Click Install to continue. The following screen opens:
In the system tray, right-click OpenVPN GUI and select Connect. The following dialog box is displayed:
Username
Password
To disconnect, in the system tray, right-click OpenVPN GUI and select Disconnect.
Secure wireless access: Commonly used wireless access protocols offer relatively weak levels of security, allowing potential intruders to directly access and intercept confidential data on an organization's internal network. Advanced Firewall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource.
Hidden network access: It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.
There is no complicated configuration process for creating such internal VPNs: the facility is provided by globally nominating an internal VPN interface and creating tunnels that specify it as their interface.
In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface.
Enable NAT-Traversal: NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections, so NAT-T can be disabled.
Enable Dead Peer Detection
TOS bits: When selected, TOS bits are copied between the inner packets and the outer tunnel packets in both directions as VPN traffic is sent and received. This makes it possible for traffic shaping rules within Traffic to act on the TOS bits of traffic inside the tunnel, such as IP phone traffic, and shape it. If this option is not selected, the TOS bits stay hidden inside the encrypted tunnel and VPN traffic cannot be shaped by class.
Note: Copying TOS bits reveals the traffic class of each encrypted packet to anyone observing the tunnel, so in theory it leaks information about what the tunnel carries.
Click Save.
Note: We advise you to limit any zone bridging from the nominated interface to other interfaces. Tunnels connecting to the nominated additional interface are assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region. If a zone bridge is created between the additional nominated interface and the L2TP client interface, the VPN can be circumvented, which defeats its purpose.
Create a certificate for the L2TP client. See Creating a Certificate on page 134.
Browse to the VPN > VPN > L2TP roadwarriors page and configure the following settings:
Name
Enabled
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username
Password
Again
Authenticate by: To dedicate this connection to a specific user, choose the user's certificate from the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management.
L2TP client OS: From the drop-down list, select the L2TP client's OS.
Comment
Click Advanced and, from the Local certificate drop-down list, select Default.
Click Add. Advanced Firewall lists the tunnel in the Current tunnels area.
To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 158.
Country head office ID: This ID would be used by a head office to identify itself to head offices from other countries, to form the VPN tunnels that make up the international WAN.
Head office ID: This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.
The same concept can be applied to any situation where autonomous VPN management is required. To continue the above example, many of the offices within one particular country require a number of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway could utilize two local IDs (certificates):
Regional branch office ID: This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.
Branch office ID: This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.
On the master system, navigate to the VPN > VPN > Certificate authorities page.
Create signed certificates for the master and secondary Advanced Firewall systems, see Managing
Certificates on page 134.
Install the master signed certificate as the master Advanced Firewall's default local certificate, see
Setting the Default Local Certificate on page 137.
Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs
IPSec on page 138.
Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see
Exporting Certificates on page 135.
Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate
on page 132.
The remaining series of configuration steps are all carried out on the secondary Advanced Firewall
system, firstly to create the primary site-to-site link.
To create the primary site-to-site link:
On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate
on page 133.
Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate
on page 136.
Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on
page 137.
Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to
Default see Site-to-Site VPNs IPSec on page 138.
On the secondary system, navigate to the VPN > VPN > Certificate authorities page.
Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the
secondary Advanced Firewall's second local certificate, see Creating a Certificate on page 134.
Create a new signed certificate for any host whose VPN connectivity will be managed by the
secondary Advanced Firewall system.
Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate
(created by the previous step) as the Local certificate.
Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity will
be managed by the secondary Advanced Firewall system.
Create the remote tunnel specification (this could be a road warrior client or another site-to-site
gateway).
Tunnelling between two separate organizations using certificates created by different (possibly
external) CAs.
Alternative scheme to allow both ends of the tunnel to create their own CA and default local
certificates. This would enable each VPN gateway to manage their own site-to-site and road warrior
connections. This achieves the same result as the previous technique described in the Multiple local
certificates section.
Note: The use of public key authentication should not be considered as a direct replacement for a stringent
X509 based authentication setup. While public key authentication does use some of the same
technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As
such, appropriate precautions should be taken when considering implementing this alternative
authentication method.
Each CA has created a signed certificate for its own local Advanced Firewall system.
To create the tunnel specifications:
On both systems, navigate to the VPN > VPN > Certificates page.
Export the local certificates from both Advanced Firewall systems using the PEM format, see
Exporting Certificates on page 135.
Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate
on page 136.
Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the
second Advanced Firewall system's host certificate in the Authenticate by drop-down list.
Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select
the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.
The tunnel can now be established and authenticated between the two Advanced Firewall systems.
In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and
road warrior connections by using its own CA to create additional certificates.
Host certificate, Certificate A: created by the commercial CA for the Advanced Firewall system.
Host certificate, Certificate B: created by the commercial CA for the other organization's VPN gateway.
On the local system, navigate to the VPN > VPN > Certificates page.
On the system, navigate to the VPN > VPN > Certificates page.
Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's
Certificate on page 133.
Next, configure the local tunnel specification in co-operation with the other organization. This is most
likely to be an IPSec site-to-site connection, though it is possible that you could connect to their
network as a road warrior. In either case, full consultation between both organizations is required to
decide on the configuration options to be used on the respective VPN gateways.
Follow these steps to create a site-to-site connection:
Connect to Advanced Firewall on the Advanced Firewall system and navigate to the VPN > VPN >
IPSec subnets page.
In the local tunnel specification, choose Default local cert subject or Default local cert subject
alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified
values if the other VPN gateway is not directly compatible with Advanced Firewall's communication
of certificate subjects.
Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any
default local certificate that might be configured.
Choose Certificate provided by peer from the Authenticate by drop-down list. This ensures that Advanced Firewall will authenticate Certificate B when it is presented by the other organization's VPN gateway.
From the Remote ID type drop-down list, choose the remote ID type that was entered during the creation of Certificate B using the commercial CA.
Confer with the other organization regarding all other configuration settings and ensure that they authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall at connection time.
Control VPNs
Click Save.
View the current status from the Current status information field. There are two possible system statuses:
Stopped: The VPN system is not currently operational; no tunnels can be connected.
Running: The VPN system is operational and tunnels can be brought up.
Each tunnel, in turn, has one of two statuses:
Open: The tunnel is connected; communication across the tunnel can be made.
Closed: The tunnel is not connected; no communication across the tunnel can be made.
IPSec Subnets
Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the VPN > VPN > Control page. The information displayed is:
Control:
Up: Open the tunnel connection.
Down: Close the tunnel connection.
The same Up and Down controls are provided for each of the other tunnel types listed on the Control page.
VPN Logging
VPN log entries can be found in the Logs and reports > Logs > IPSec page.
VPN Tutorials
The following tutorials cover the creation of the main types of VPN tunnels. The examples build on
each other, i.e. the configuration settings in an example builds on that of the previous.
We will use Preshared Key authentication initially. This is the easiest to setup.
Configuring Network A
There is no need for a CA or any certificates.
On the IPSec subnets page, create a tunnel with the following characteristics. We call this tunnel Tunnel 1. Where a parameter is not listed, leave it at its default value:
Name: Tunnel 1
Local network: 192.168.0.0/24
Local ID type: Local IP
Remote IP or hostname: 200.0.0.1
Remote network: 192.168.12.0/24
Remote ID type
Authenticate by: Preshared Key
Preshared Key: loudspeaker (enter it in both boxes)
Configuring Network B
Here a single tunnel is created:
Name: Tunnel 1
Local network: 192.168.12.0/24
Local ID type: Local IP
Remote IP or hostname: 100.0.0.1
Remote network: 192.168.0.0/24
Remote ID type
Authenticate by: Preshared Key
Preshared Key: loudspeaker (enter it in both boxes)
On the Networking > Filtering > Zone bridging page, create a zone bridge between the local
network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional.
For more information, see Chapter 6, Configuring Inter-Zone Security on page 59.
Testing
Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should
come up immediately. If this does not happen please refer to Appendix C, Troubleshooting VPNs on
page 331.
To actually test that the VPN is routing, ping a host on the remote network from a machine on the
local one. You should also be able to connect to servers and desktops on the remote network using
your standard tools.
Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote
system ID type and the remote system external IP in the Remote system ID Value.
Configuring Network A
Network A will be configured to be the Certificate Authority in the system.
Begin by going to the Authorities page and setting up the CA. In this example, we will list only the
required fields. You should, of course, enter values appropriate to your organization:
Parameter      Description
Common Name
Organization   My Company Ltd
From now on, we will enter My Company Ltd in all Organization fields on the certificates we create.
Next you should export this certificate in PEM format. We will call this file ca.pem, and save it on the local workstation's hard disk. You will need this file later.
Switch to the certificates page, and create the local certificate (Network A Local Cert). It requires ID information:

Parameter      Description
ID Type
ID Value       tunnela.mycompany.com
Common Name

Then create the certificate for Network B (Network B Cert):

Parameter      Description
ID Type
ID Value       tunnelb.mycompany.com
Organization   My Company Ltd
Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will
need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this
file tunnelb.p12.
Now onto the tunnels page. Choose the Network A Local Cert certificate to be the Default local
certificate, and press Save. We will Restart the VPN shortly to make this change active.
Tunnel 1 is configured as follows:

Parameter                Description
Name                     Tunnel 1
Local network
Local ID type
Remote IP or hostname    200.0.0.1
Remote network           192.168.12.0/24
Remote ID type
Remote ID value          tunnelb.mycompany.com
Authenticate by
Configuring Network B
The first step is to import the certificates.
To import the certificates:
1 On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the passphrase used to create the export file in both boxes.
2 Choose the certificate Network B Cert as the Default local certificate and click Save. The tunnel configuration should look like this:

Parameter                Description
Name                     Tunnel 1
Local network
Local ID type
Remote IP or hostname    100.0.0.1
Remote network           192.168.0.0/24
Remote ID type
Remote ID value          tunnela.mycompany.com
Authenticate by
Testing
As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a
mismatch of IDs. Check the IDs in the certificates by clicking on them in the certificate page. The ID
is the same as the Certificate ID. Examine the log for telltale messages.
In Extended Site to Site Routing on page 174, we explained how to create centralized VPN hubs
using extended subnetting. We will use this technique to allow Network B to route to Network C, and
vice versa.
Network A Configuration
Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following
properties for this certificate:
Parameter      Description
ID Type
ID Value       tunnelc.mycompany.com
Common Name
Organization   My Company Ltd
Modify the existing tunnel to Network B. All settings are unchanged except:
Parameter      Description
Local subnet   192.168.0.0/16
Notice how this subnet mask now covers all subnets in the VPN.
Now we create a new tunnel to Advanced Firewall C:
Parameter                Description
Name                     Tunnel 2
Local subnet             192.168.0.0/16
Local ID type
Remote IP or hostname    250.0.0.1
Remote network           192.168.13.0/24
Remote ID type
Remote ID value          tunnelc.mycompany.com
Authenticate by
Network B Configuration
Modify the tunnel as follows:
Parameter       Description
Remote subnet   192.168.0.0/16
Network C Configuration
Import the certificate, and then create the tunnel to Network A:
Parameter                Description
Name                     Tunnel 2
Local ID type
Remote IP or hostname    100.0.0.1
Remote network           192.168.0.0/16
Remote ID type
Remote ID value          tunnela.mycompany.com
Authenticate by
Testing
Test in the same way as before. After bringing up both tunnels, you should test by pinging a machine
on the Network A end from both of the Network B and Network C networks. Then you should test
that you can route across Network A by pinging a host on the Network C network from the Network
B network.
Network A Configuration
Create a certificate with the following properties:
Parameter      Description
Organization   My Company Ltd

The tunnel has the following properties:

Parameter       Description
Name
Local network   192.168.0.0/16
Local ID type
Client IP       192.168.0.5
SoftRemote Configuration
This tutorial describes setting up the client using a policy template as a shortcut to getting the
connection up and running. Full details, including detailed screen shots, are given in Working with
SafeNet SoftRemote on page 187.
After installing the client, begin by going to the Certificate Manager and importing the ca.pem and
the computercert.p12 certificate.
In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the
installation CD. This policy file contains most of the input fields pre-filled with suitable defaults, and
will save a lot of time configuring the client. If you use different settings from those described in this
tutorial, compression for example, then you will have to modify those settings.
The following fields need to be filled in after importing the policy template.
In road warrior:
Parameter             Description
Gateway IP Address    100.0.0.1
Subnet                192.168.0.0
Mask                  255.255.0.0
In My Identity:
Parameter             Description
Internal network IP   192.168.0.5
Testing
To bring up the connection, the simplest way is to ping a host on the network behind the gateway.
After a few retries, you should see the task bar icon change to show a yellow key. This indicates that
the tunnel is up. Your client computer will then appear to be connected to the local network behind
the VPN gateway. This works both ways; a machine on the local network can connect to the road
warrior.
You should be able to browse web servers, and so on. Also, because the tunnel covers all three local
networks, you should be able to connect to all three.
Network A Configuration
Create a certificate with the following properties:
Parameter      Description
Organization   My Company Ltd

The tunnel has the following properties:

Parameter       Description
Name
Client IP       192.168.0.6
Username        road warrior
Password        microphone
Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need
the CA file, ca.pem.
Parameter    Description
Username     road warrior
Password     microphone
Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.
Working with SafeNet SoftRemote
After installation, open the Certificate Manager. In the Root CAs tab, import a CA .PEM from
Advanced Firewall.
In the My Certificates tab, import a .P12. Enter the export password, and a short time later the
certificate should appear in the list. Select the certificate, and click Verify (on the right). You should
get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL
(Certificate Revocation List). This indicates the certificate is valid.
Next, open the Security Policy Editor and create a connection. To make configuration of this client easier, you may use a Security Policy template, which pre-fills most of the settings with suitable values, saving you the chore of doing it yourself. For completeness, we will also describe how you would set up the client without the policy.
Import the Security Policy template, policytemplate.spd, which can be found in the extras
folder on the installation CD. After importing this policy, a single connection, named road warrior
will become available.
Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients, i.e. those described above, only a handful of settings must be entered. In the road warrior section, enter the Remote Subnet, Mask and the gateway's hostname (or IP address).
To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest
way to do this is by pinging a host on the remote network. After a series of Request timed out
messages you should start to get packets back, indicating that the VPN is up (you will also notice the
system tray icon change).
Select Global Policy Settings from the Options menu. A window will appear, and you should tick the
box marked Allow to specify internal network address.
Now go back to the tree control on the left and choose the New Connection node. You can rename
this to something more appropriate, like road warrior. In this node, configure the remote Subnet
address and Mask.
Choose Secure Gateway Tunnel from the Connect using drop-down list, and select an ID Type of
Any. You should then enter either a Gateway IP Address or Gateway Hostname.
Next, move to the My Identity node. Select the certificate you imported earlier. The ID type's default, Distinguished Name (another name for the subject of a certificate), will suffice. Virtual adapter should be disabled, and Internet Interface set to Any.
In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified
when the tunnel was created.
Create a new Phase 1 security policy: select 3DES encryption, and MD5 as the hashing algorithm. Set the key group to 5, and choose a SA Life of 3000 seconds. This time period has to be less than the equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds). This is
Finally, create a Phase 2 security policy, again with 3DES and MD5, in tunnel mode. Tick the ESP box. On this page you can also choose whether to use compression, and set the key life settings.
Test as before, by initiating a connection to a host on the Remote Network. Diagnostic logs are
available through the tool bar icon.
Advanced Configuration
Using the configuration previously described, the selected certificate will be required by the client in
order to obtain a connection. This method is usually desired, but in other cases an Authenticate by
setting of Certificate provided by peer can be more useful, especially if the client certificates are not
installed onto the VPN gateway server.
It is also possible to restrict (or extend) the hosts that the road warrior can access on the local
network zone. This is done by adjusting the Local network parameter in the tunnel configuration. For
example, if you wish to restrict the connected road warriors so that they can only contact a specific
IP address, for example 192.168.2.10, then you could set the Local network parameter to
192.168.2.10/32. Note that this setting is a network address, so you must always specify a network
mask, even if that network mask covers only a single host.
If the VPN server the road warrior connects to is routed onto other networks such as subnet VPNs
or other local network zones, the Local network setting can likewise be expanded to cover them.
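As an added example (not from the guide or from Smoothwall), the following Python models the tutorial tunnels as selector pairs and checks the two things this chapter relies on: that spoke-to-spoke traffic through the hub only matches a selector at every hop once the hub's Local subnet is widened to 192.168.0.0/16, and that a road warrior Local network of 192.168.2.10/32 admits only that host. The Tunnel class, the parse_network helper and the road warrior remote of 192.168.0.5/32 are assumptions of the model, not product behaviour.

```python
"""Check IPsec tunnel selectors for the hub layout and the road warrior restriction.

Added example, not Smoothwall's code. Tunnels are modelled as (local network,
remote network) selector pairs; the addresses are the ones used in the tutorials.
"""
from ipaddress import ip_address, ip_network


def parse_network(text):
    """Parse a 'Local network' / 'Remote network' value.

    The guide requires an explicit mask even for a single host (192.168.2.10/32)
    and a network address rather than a host address, so '192.168.2.10' and
    '192.168.2.10/24' are both rejected.
    """
    if "/" not in text:
        raise ValueError("network mask required: %r" % text)
    return ip_network(text, strict=True)  # strict: host bits must be zero


def network_error(text):
    """Error message for an invalid network value, or None if it is acceptable."""
    try:
        parse_network(text)
    except ValueError as exc:
        return str(exc)
    return None


class Tunnel:
    """One tunnel as configured on one gateway (assumed model)."""

    def __init__(self, name, local, remote):
        self.name = name
        self.local = parse_network(local)
        self.remote = parse_network(remote)

    def outbound(self, src, dst):
        """Packet leaving this gateway: local -> remote."""
        return ip_address(src) in self.local and ip_address(dst) in self.remote

    def inbound(self, src, dst):
        """Packet arriving on this tunnel: remote -> local."""
        return ip_address(src) in self.remote and ip_address(dst) in self.local


def match_tunnel(tunnels, src, dst, outbound=True):
    """Name of the first tunnel whose selectors cover src -> dst, or None."""
    for t in tunnels:
        if (t.outbound if outbound else t.inbound)(src, dst):
            return t.name
    return None


def spoke_to_spoke_path(spoke_tunnels, hub_tunnels, src, dst):
    """Trace a packet from one spoke, through the hub, towards another spoke.

    Three selectors must match: the spoke's outbound selector, the hub's inbound
    selector on the tunnel from that spoke, and the hub's outbound selector on the
    tunnel to the other spoke. Returns the three tunnel names, or None if any leg
    has no matching selector (the hub would not re-encapsulate the packet).
    """
    legs = (
        match_tunnel(spoke_tunnels, src, dst, outbound=True),
        match_tunnel(hub_tunnels, src, dst, outbound=False),
        match_tunnel(hub_tunnels, src, dst, outbound=True),
    )
    return None if None in legs else legs


def overlapping_remotes(tunnels):
    """Pairs of tunnel names on one gateway whose remote networks overlap."""
    pairs = []
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            if a.remote.overlaps(b.remote):
                pairs.append((a.name, b.name))
    return pairs


# Constructed from the tutorials' addresses: Network A (hub) is 192.168.0.0/24,
# Network B is 192.168.12.0/24 and Network C is 192.168.13.0/24.
HUB_BEFORE = [Tunnel("Tunnel 1", "192.168.0.0/24", "192.168.12.0/24")]
SPOKE_B_BEFORE = [Tunnel("Tunnel 1", "192.168.12.0/24", "192.168.0.0/24")]

# After extended subnetting: the hub's local selector covers every subnet in the VPN.
HUB_AFTER = [
    Tunnel("Tunnel 1", "192.168.0.0/16", "192.168.12.0/24"),
    Tunnel("Tunnel 2", "192.168.0.0/16", "192.168.13.0/24"),
]
SPOKE_B_AFTER = [Tunnel("Tunnel 1", "192.168.12.0/24", "192.168.0.0/16")]

# Road warrior restricted to a single host, as in Advanced Configuration; the
# client IP 192.168.0.5 is the one assigned in the road warrior tutorial.
ROAD_WARRIOR = [Tunnel("road warrior", "192.168.2.10/32", "192.168.0.5/32")]


if __name__ == "__main__":
    print(spoke_to_spoke_path(SPOKE_B_BEFORE, HUB_BEFORE, "192.168.12.10", "192.168.13.10"))
    print(spoke_to_spoke_path(SPOKE_B_AFTER, HUB_AFTER, "192.168.12.10", "192.168.13.10"))
    print(match_tunnel(ROAD_WARRIOR, "192.168.2.10", "192.168.0.5"))
    print(match_tunnel(ROAD_WARRIOR, "192.168.2.11", "192.168.0.5"))
    print(network_error("192.168.2.10"))
```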
Visit the support portal and knowledge base for information on setting up other clients.
Chapter 10
Login timeout (minutes)
    Determines the length of time of inactivity after which a user is logged out. Accept the default or enter the timeout period.
    Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out.
    The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out. For more information, see Appendix A, About the Login Time-out on page 302.
Concurrent login sessions (per user)
    Concurrent login settings determine how many logins are allowed per user. The following options are available:
    No limit: Select this option to allow an unlimited number of logins per user, or enter the number of logins you want to allow users.
Logging level
    Logging levels determine the type of authentication logging you want. The following options are available:
    Normal: Select this option to log user login and LDAP server information.
    Verbose: Select this option to log user login and LDAP server information, plus request, response and result information. This option is useful when troubleshooting possible authentication issues.
Tip:
Encourage users to proactively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login time-out is yet to occur.
Retrieve groups configured in directories and apply network and web filtering permissions to users based on group membership within directories.
Verify the identity of a user who is trying to access network or Internet resources.
Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of
the groups configured in the directory and maps them to the groups available in Advanced Firewall.
When the groups have been mapped, permissions and network access permissions in the filtering
and outgoing sections can be granted on the basis of group membership.
Directory
Novell eDirectory
Apple/Open LDAP
389 Directory
RADIUS
Local users
Configuring Directories
The following sections explain how to configure Advanced Firewall for use with supported directory
servers.
On the Networking > Interfaces > Interfaces page, check that the primary, and optionally the
secondary, DNS server containing the Active Directory information is specified correctly. This DNS
server is used by Advanced Firewall for name lookups. For more information, see Appendix A,
Advanced Firewall and DNS on page 302.
In Active Directory, choose or configure a non-privileged user account to use for joining the domain. Advanced Firewall stores this account's credentials, for instance, when backing up and replicating settings.
Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized
using NTP. See Chapter 13, Setting Time on page 269 for more information.
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select Active Directory and configure the following settings:
Status
Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Domain
    Enter the full DNS domain name of the domain. Other trusted domains will be accessible automatically.
Username
Password
Confirm
Cache timeout (minutes)
    Click Advanced. Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.
Comment
3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select one of the following: eDirectory, Apple/OpenLDAP Directory or 389 Directory, and configure the following settings:
Status
Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
LDAP server
Username
Password
Confirm
Bind method
    Accept the default bind method, or from the drop-down list, select one of the following options:
    TLS (with password): Select to use Transport Layer Security (TLS).
    Kerberos: Select to use Kerberos authentication.
    Simple bind: Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication.
Kerberos realm
User search root
    Enter where in the directory Advanced Firewall should start looking for user accounts. Usually, this is the top level of the directory. For example: ou=myusers,dc=mydomain,dc=local
    In LDAP form, this is seen in the directory as dc=mycompany,dc=local. OpenLDAP-based directories will often use the form o=myorganization. Apple Open Directory uses the form cn=users,dc=example,dc=org. A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories, o=myorganization.
    Note: In larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
    Note: When working with multi-domain environments, the user search root must be set to the top-level domain.
Group search roots
    Enter where in the directory Advanced Firewall should start looking for user groups. Usually this will be the same location as configured in the user search root field. For example: ou=mygroups,dc=mydomain,dc=local
    Apple Open Directory uses the form cn=groups,dc=example,dc=org
    Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
Cache timeout
    Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
LDAP port
Extra user search roots
    This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter one search root per line.
Extra group search roots
    Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter one search root per line. For more information, see Appendix A, Working with Large Directories on page 303.
Extra realms
    This setting enables you to configure subdomains manually using DNS. Use the following format: <realm><space><kdc server>
    For example: example.org kdc.example.org
    Enter one realm per line.
3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
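As an added example (not from the guide or from Smoothwall), the following Python checks whether directory entries fall under the configured user search root and extra search roots, showing what narrowing the root to an OU, or leaving it below the top-level domain in a multi-domain directory, changes for the users Advanced Firewall can find; the same check applies to the Active Directory search root settings later in this chapter. The split_rdns, is_under and out_of_scope helpers, the sample DNs and the case-insensitive comparison are assumptions of the example.

```python
"""Scope checks for LDAP user and group search roots.

Added example, not Smoothwall's code. It splits distinguished names in the
forms quoted in the settings table and reports whether an entry lies under a
search root. Assumes attribute types and values compare case-insensitively
(the usual caseIgnoreMatch rule for dc, ou, o and cn).
"""


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash.

    Returns a list of (type, value) tuples, lower-cased and stripped, from the
    leaf RDN to the root, e.g. 'uid=alice,ou=x,dc=a,dc=b' -> 4 tuples.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep an escaped pair such as '\,'
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    rdns = []
    for part in parts:
        part = part.strip()
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(entry_dn, search_root):
    """True if entry_dn is the search root itself or lies below it in the tree."""
    entry, root = split_rdns(entry_dn), split_rdns(search_root)
    return len(root) <= len(entry) and entry[len(entry) - len(root):] == root


def in_scope(entry_dn, search_root, extra_search_roots=()):
    """True if the user search root or any extra search root covers the entry."""
    roots = (search_root,) + tuple(extra_search_roots)
    return any(is_under(entry_dn, r) for r in roots)


def narrow_root(domain_base, ou):
    """Put an OU in front of the domain base, as the note on large directories suggests."""
    return "ou=%s,%s" % (ou, domain_base)


def out_of_scope(entry_dns, search_root, extra_search_roots=()):
    """Entries no configured search root reaches; these users would not be found."""
    return [dn for dn in entry_dns if not in_scope(dn, search_root, extra_search_roots)]


# Constructed sample entries in the DN forms quoted in the settings table.
SAMPLE_USERS = [
    "uid=alice,ou=userunit,dc=mycompany,dc=local",
    "uid=bob,ou=contractors,dc=mycompany,dc=local",
    "cn=Smith\\, John,ou=userunit,dc=mycompany,dc=local",    # escaped comma in the CN
    "uid=carol,ou=userunit,dc=branch,dc=mycompany,dc=local",  # user in a child domain
]


if __name__ == "__main__":
    narrowed = narrow_root("dc=mycompany,dc=local", "userunit")
    print(narrowed)
    print(out_of_scope(SAMPLE_USERS, narrowed))
    print(out_of_scope(SAMPLE_USERS, narrowed, ["ou=contractors,dc=mycompany,dc=local"]))
    print(out_of_scope(SAMPLE_USERS, "dc=mycompany,dc=local"))
```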
Prerequisites
Before you configure any settings:
Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server
documentation for more information.
1 On the Services > Authentication > Directories page, click Add new directory.
2 In the Add new directory dialog box, select RADIUS and configure the following settings:
Status
Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
RADIUS server
Secret
Confirm
Action on login failure
    Try next directory server: Select this option if users in RADIUS are unrelated to users in any other directory server.
    Deny access: Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.
Identifying IP address
    Enter the IP address to use to identify the caller connecting to the RADIUS server, if it must be different from the internal IP address of the system.
Obtain groups from RADIUS
    If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
Cache timeout (minutes)
    Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Port
    Accept the default port or specify a UDP port to use when communicating with the RADIUS server. The default is port 1812.
Comment
3 Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
Run the Advanced Firewall Setup program and check that the DNS server containing the Active
Directory information is specified correctly. This DNS server is used by Advanced Firewall for name
lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 302 and the
Advanced Firewall Installation and Setup Guide.
Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active
Directory servers.
Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.
Note: Do not use the administrator account as the lookup user. Often the administrator account will not
have a Windows 2000 username, preventing the account from being used by the authentication
service.
In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Advanced Firewall displays the settings for Active Directory.
Status
Tenants
    Optionally, select which tenant(s) use this directory. Specifying the tenant(s) enables Advanced Firewall to apply network permissions to users coming from different tenants with usernames which are the same.
    Note: Tenants are only available if you have the correct Advanced Firewall license type and they have been configured on the System > Administration > Tenants page. For more information on tenants, see Chapter 13, Managing Tenants on page 275. For more information on licensing, contact your Smoothwall representative.
Active Directory server
Username
Password
Confirm
Cache timeout (minutes)
    Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed.
Kerberos realm
User search root
    Optionally, to configure Advanced Firewall to start looking for user accounts at the top level of the directory, select Automatic. Or enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local
    Note: When working with multi-domain environments, the user search root must be set to the top-level domain.
Group search root
Comment
    Optionally, enter a comment about the directory server and the settings used.
Enabled
LDAP port
Discover Kerberos realms through DNS
    Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information.
Use sAMAccountName
    This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.
NetBIOS workgroup
Extra user search roots
    This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
Extra group search roots
    Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 303.
Extra realms
Click Add. Advanced Firewall adds the directory to its list of directories and establishes the connection.
On the Services > Authentication > Directories page, click Add new directory.
In the Add new directory dialog box, select Local users and configure the following settings:
Setting
Description
Status
Tenants
Optionally, select which tenant(s) use this directory. Specifying the tenant(s)
enables Advanced Firewall to apply network permissions to users coming from
different tenants with usernames which are the same.
Note: Tenants are only available if you have the correct Advanced Firewall
license type and they have been configured on the System >
Administration > Tenants page.
For more information on tenants, see Chapter 13, Managing Tenants on
page 275.
For more information on licensing, contact your Smoothwall
representative.
Name
Comment
Click Add. Advanced Firewall adds the directory to its list of directories. For information on adding
and managing local users, see Managing Local Users on page 204.
If most of your users are in one directory, list that directory first so as to reduce the number of queries
required. If user passwords are checked by a RADIUS server and group information is obtained from
LDAP, list the RADIUS server first.
To reorder directory servers:
On the Services > Authentication > Directories page, select the directory server you want to
move and click Up or Down until the server is where you want it.
Repeat the step above for any other directories you want to move.
Tip:
You can also drag and drop directories to where you want them. Just remember to click Save
moves.
On the Services > Authentication > Directories page, point to the directory server and click Edit.
The Edit directory dialog box opens.
Make the changes required, see Configuring Directories on page 195 for information on the settings
available.
On the Services > Authentication > Directories page, point to the directory server and click
Delete. When prompted, confirm that you want to delete the directory. Advanced Firewall deletes
the server.
Diagnosing Directories
It is possible to review a directory's status and run diagnostic tests on it.
To diagnose a directory:
1 On the Services > Authentication > Directories page, point to the directory server and click Diagnose. Advanced Firewall displays current directory connection, user account and status information.
Tip:
You can diagnose multiple directories at the same time. Select the directories and click Diagnose.
Adding Users
To add a user to a local user directory:
1 On the Services > Authentication > Directories page, click on the local user directory you want to add a user to. Advanced Firewall displays any current local users.
2 Click Add new user. In the Add new user dialog box, configure the following settings:
Setting            Description
Enabled
Username
Password           Enter the password associated with the user account. Passwords must be a minimum of six characters long.
Repeat password
Select group       From the drop-down menu, select a group to assign the user account to.
On the Services > Authentication > Directories page, click on the local user directory containing
the user account you want to edit. Advanced Firewall displays current local users.
Point to the user account and click Edit. In the Edit user dialog box, make the changes required. See
Adding Users on page 204 for more information on the settings available.
Deleting Users
To delete users:
1 On the Services > Authentication > Directories page, click on the local user directory containing the user account(s) you want to delete. Advanced Firewall displays current local users.
2 Point to the user account and click Delete. When prompted, confirm that you want to delete the account. Advanced Firewall deletes the account.
Mapping Groups
Once you have successfully configured a connection to a directory, you can map the groups
Advanced Firewall retrieves from the directory in order to apply permissions and restrictions to the
users in the groups.
To map directory groups to Advanced Firewall groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to map. Advanced Firewall displays any current group mappings.
2 Click Add new group mapping. In the Add new group mapping dialog box, configure the following settings:
Setting                   Description
Directory service group   From the drop-down list, select the directory group(s) you want to map.
                          Tip: You can filter the groups shown by entering parts of group names in this field.
Local group               From the drop-down list, select the Advanced Firewall group you want to map the directory service group(s) to.
Enabled
Remapping Groups
It is possible to change group mappings.
To remap groups:
1 On the Services > Authentication > Directories page, click on the directory that contains the group you want to remap. Advanced Firewall displays the current group mappings.
2 Point to the group and click Edit. In the Edit group mapping dialog box, remap the group(s) as required. See Mapping Groups on page 205 for more information on the settings available.
On the Services > Authentication > Directories page, click on the directory that contains the
mapping(s) you want to delete. Advanced Firewall displays the current group mappings.
Select the mapping(s) and click Delete. When prompted, confirm the deletion by clicking Delete
Advanced Firewall deletes the mapping(s).
Click Add new temporary ban. In the Add new temporary ban dialog box, configure the following
settings:
Setting     Description
Status
Username
Comment     Optionally, enter a comment explaining why the account has been banned.
Tip:
You can edit the block page displayed to banned users so that it gives them information on the ban
in force. See Chapter 7, Managing Block Pages on page 101 for more information.
Tip:
There is also a ban option on the Services > Authentication > User activity page, for more information,
see Managing User Activity on page 208.
In the Current rules area, select the ban and click Remove. Advanced Firewall removes the ban.
In the Current rules area, click Remove all expired. Advanced Firewall removes all bans which have
expired.
Advanced Firewall displays who is logged in, who recently logged out, the group(s) the user belongs to, their source IP and the method of user authentication.
Recently logged out users are listed for 15 minutes.
On the Services > Authentication > User activity page, point to the user you want to log out and
click Log user out. Advanced Firewall logs the user out immediately and lists them as logged out.
Note: Logging a user out is not the same as blocking a user from accessing web content. Connection-based authentication will automatically log the user back in. If the user is using SSL login, they will be prompted to authenticate again.
Banning Users
To ban a user:
1. On the Services > Authentication > User activity page, point to the user you want to ban and click Ban user. Advanced Firewall copies the user's information and displays it on the Services > Authentication > Temporary bans page, where you can configure the ban. For more information, see Creating a Temporary Ban on page 206.
Customizing the SSL Login Page
To upload a title image:
1. On the Services > Authentication > SSL login page, click the Title image Browse/Select file button. Using your browser's controls, locate and select the file.
2. Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page.
To upload a background image:
1. On the Services > Authentication > SSL login page, click the Background image Browse/Select file button. Using your browser's controls, locate and select the file.
2. Click Save changes. Advanced Firewall uploads the file and makes it available on the SSL login page.
To add a custom message:
1. In the Customize SSL Login area, enter your custom message in the SSL login page text box.
To view the SSL login page:
1. In the web browser of your choice, enter your Advanced Firewall system's IP address followed by /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login. Advanced Firewall displays the SSL login page.
Enabling SSL Login
To enable SSL login on an interface:
1. On the Services > Authentication > SSL login page, in the SSL login redirection area, select each interface on which you want to activate SSL Login.
2. Click Save changes. Advanced Firewall enables SSL Login on the selected interfaces.
To exempt addresses from SSL login redirection:
1. Locate the SSL login redirection area. In the Redirect exception addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.
2. Repeat the step above on a new line for each further exception you want to make.
Adding Keytabs
The following section explains how to add Kerberos keytabs to Advanced Firewall.
For information on generating keytabs, consult the documentation delivered with your directory server. Also, available at the time of writing, see http://technet.microsoft.com/en-us/library/cc753771%28v=WS.10%29.aspx, which discusses how to get a keytab from Active Directory.
To add a keytab:
1. Configure the following settings:
Setting: Description
Status
Name
File
Comment
2. Click Add. Advanced Firewall adds the keytab and lists it in the Kerberos keytabs area.
3. Repeat the steps above for any other keytabs you need to import.
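A keytab whose principal, realm or key version number (kvno) does not match the account in the directory is accepted on upload but fails at authentication time, and a keytab containing only RC4 or DES keys will not work against a directory that has had those encryption types disabled. It is therefore worth inspecting the file before uploading it. The following script is an added example and not part of Smoothwall's documentation or product: it parses the MIT keytab layout (magic 0x0502, the format written by ktpass and ktutil) and reports mismatches. The principal HTTP/proxy.example.com@EXAMPLE.COM, the kvno values and the sample keytab bytes are constructed for illustration; the key material is placeholder bytes, not real keys.

```python
"""Inspect a Kerberos keytab before uploading it (added example, not product code).

Parses the MIT keytab file layout (magic 0x0502, as written by ktpass/ktutil)
and reports entries whose principal, realm or kvno do not match what the
directory issued, or that use weak encryption types. The sample keytab is
constructed below; the key bytes are placeholders, not real keys.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"

# Encryption type numbers from RFC 3961 / RFC 4757 (subset).
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # des-cbc-crc, des-cbc-md5, arcfour-hmac (RC4)


@dataclass
class KeytabEntry:
    principal: str   # components joined with "/", e.g. HTTP/proxy.example.com
    realm: str
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _counted(data: bytes, pos: int):
    """Read a 16-bit length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 MIT keytab (bad magic)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:         # optional 32-bit kvno overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), kvno, enctype, key, timestamp))
    return entries


def build_keytab(entries) -> bytes:
    """Serialise entries in the same layout; used here only to construct sample input."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        comps = e.principal.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(e.realm)) + e.realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">H", e.enctype) + struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, principal: str, realm: str, kvno: int) -> list:
    """Return a list of problems; an empty list means the keytab is fit to upload."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, f"enctype {e.enctype}")
        if (e.principal, e.realm) != (principal, realm):
            problems.append(f"unexpected principal {e.principal}@{e.realm}")
        if e.kvno != kvno:
            problems.append(f"{name}: kvno {e.kvno} does not match directory kvno {kvno}")
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"{name}: weak encryption type")
    return problems


# Constructed sample: two keys for one service principal, one of them RC4.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/proxy.example.com", "EXAMPLE.COM", 3, 18, b"\x11" * 32, 1700000000),
    KeytabEntry("HTTP/proxy.example.com", "EXAMPLE.COM", 3, 23, b"\x22" * 16, 1700000000),
])

if __name__ == "__main__":
    for problem in check_keytab(SAMPLE_KEYTAB, "HTTP/proxy.example.com", "EXAMPLE.COM", 3):
        print(problem)
```

Run it against a real file with `check_keytab(open("proxy.keytab", "rb").read(), principal, realm, kvno)`, taking the expected kvno from the directory (for Active Directory, the msDS-KeyVersionNumber attribute of the service account). Resetting the account password in the directory increments the kvno, which is the usual reason an imported keytab silently stops working.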
Managing Keytabs
The following sections explain how to disable, view, edit and delete Kerberos keytabs.
Disabling Keytabs
Kerberos keytabs are enabled by default. It is possible to disable a Kerberos keytab when required, for example, when troubleshooting.
To disable a keytab:
1. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
2. In the Edit keytab dialog box, clear the Enabled option. Click Save changes to save the setting. Advanced Firewall disables the keytab.
Viewing Keytabs
To view the contents of a keytab:
1. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
2. In the Edit keytab dialog box, click the keytab's display arrow. Advanced Firewall displays the content.
Editing Keytabs
It is possible to change the name of the Kerberos keytab file.
To change the name of the Kerberos keytab file:
1. In the Installed Kerberos keytabs area, point to the keytab and select Edit.
2. In the Edit keytab dialog box, change the name as required and click Save changes. Advanced Firewall changes the name and lists the Kerberos keytab in the Installed Kerberos keytabs area.
Deleting Keytabs
It is possible to delete Kerberos keytabs that are no longer required.
To delete a Kerberos keytab:
1. In the Installed Kerberos keytabs area, point to the keytab and select Delete.
2. When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the keytab.
Setting up WPA Enterprise involves:
Checking that your network is configured as required. For more information, see Pre-requisites on page 214.
Setting up wireless access points to use Advanced Firewall as a RADIUS server. For more information, see Configuring Access Points on page 214.
Configuring Advanced Firewall to use WPA Enterprise. For more information, see Configuring WPA Enterprise on page 215.
In some cases, manually making the Advanced Firewall CA certificate available to devices which cannot accept it when users authenticate to the wireless network. For more information, see Provisioning the Advanced Firewall Certificate on page 215.
Pre-requisites
On Advanced Firewall, DHCP must be enabled and there must be a valid DHCP subnet configured. For more information on DHCP, see Chapter 8, DHCP on page 119.
Wireless access points must be on the same subnet as Advanced Firewall. Switches are allowed, but there must be no routers between them. Advanced Firewall must be the DHCP server for that subnet.
Users' wireless devices must support WPA Enterprise with PEAP and MSCHAPv2.
For users to whom a web filtering policy applies, Guardian must be configured to use core authentication. For more information, see Chapter 6, Creating Authentication Policies on page 67.
Advanced Firewall's Active Directory authentication method must be used to authenticate users. For more information, see Configuring a Microsoft Active Directory Connection on page x.
Note: Local users are not supported, nor is the legacy Active Directory authentication method.
Configuring Access Points
Note: On the access point, the wireless network type may be referred to as: WPA2-Enterprise, WPA2-RADIUS or WPA2 with a separate option for RADIUS. WPA2 is most secure. To support older hardware, WPA version 1 is also supported. Some wireless access points support WPA/WPA2 simultaneously.
When configuring each access point:
Make a note of the shared secret for the wireless network. You will need this when configuring WPA Enterprise on Advanced Firewall.
Set Advanced Firewall as the RADIUS server for both authentication and accounting. Some wireless access points require two separate settings for this.
Configuring WPA Enterprise
To configure WPA Enterprise:
1. On the Services > Authentication > WPA Enterprise page, click Add new access point. In the Add new access point dialog box, configure the following settings:
Setting: Description
Status
Name
IP address
Shared secret: Enter the secret that secures RADIUS communication between the access point and Advanced Firewall. It must match the secret configured on the access point. Use a long, random value: RADIUS protects the exchange only with MD5-based authenticators keyed by this secret.
Confirm
Comment
2. Click Add. Advanced Firewall applies the settings and lists the access point. Users who now try to access the wireless network will be prompted to authenticate.
Note: See Provisioning the Advanced Firewall Certificate on page 215 for devices which do not automatically accept the Advanced Firewall certificate.
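The shared secret is the only thing that binds an access point to Advanced Firewall's RADIUS service, so it helps to see exactly what it protects. The following script is an added example and not Smoothwall's code: it builds the two checks that RFC 2865 and RFC 2869 define for the Access-Request and Access-Accept of a WPA Enterprise exchange, the Message-Authenticator HMAC on the request (mandatory whenever EAP-Message is present) and the Response Authenticator on the reply, and shows that both fail when the two sides hold different secrets, which is why a mis-typed secret presents as every user being rejected. The access point address 192.168.72.10, the username, the packet identifier, the request authenticator and the EAP payload are constructed for illustration.

```python
"""RADIUS shared-secret checks for a WPA Enterprise exchange (added example, not product code).

  * Message-Authenticator (attribute 80) on the Access-Request: HMAC-MD5 keyed
    with the shared secret over the packet with the attribute value zeroed.
    Required when the request carries EAP-Message (attribute 79).
  * Response Authenticator on the Access-Accept: MD5 over the reply header and
    attributes with the request's authenticator and the secret appended.
Addresses, identifiers and the EAP payload below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack(">BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def iter_attrs(pkt: bytes):
    """Yield (type, offset, value) for each attribute in a RADIUS packet."""
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        yield attr_type, pos, pkt[pos + 2:pos + length]
        pos += length


def _message_authenticator(secret: bytes, pkt: bytes) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    for attr_type, pos, _ in iter_attrs(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.new(secret, zeroed, hashlib.md5).digest()
    raise ValueError("packet has no Message-Authenticator")


def build_access_request(secret: bytes, ident: int, request_authenticator: bytes,
                         username: bytes, nas_ip: bytes, eap: bytes) -> bytes:
    """What the access point sends; a real NAS picks a random 16-byte authenticator."""
    attrs = (_attr(USER_NAME, username) + _attr(NAS_IP_ADDRESS, nas_ip)
             + _attr(EAP_MESSAGE, eap) + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = _packet(ACCESS_REQUEST, ident, request_authenticator, attrs)
    return pkt[:-16] + _message_authenticator(secret, pkt)   # placeholder is the last attribute


def verify_access_request(secret: bytes, pkt: bytes) -> bool:
    """Server-side check: requests whose HMAC does not verify are silently discarded."""
    for attr_type, _, value in iter_attrs(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            return hmac.compare_digest(_message_authenticator(secret, pkt), value)
    return False                      # an EAP request without the attribute must be dropped


def _response_authenticator(secret: bytes, code: int, ident: int,
                            request_authenticator: bytes, attrs: bytes) -> bytes:
    header = struct.pack(">BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(secret: bytes, request: bytes, attrs: bytes = b"") -> bytes:
    ident, request_authenticator = request[1], request[4:20]
    auth = _response_authenticator(secret, ACCESS_ACCEPT, ident, request_authenticator, attrs)
    return _packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client-side check: the reply must match the outstanding request and the secret."""
    code, ident, length = struct.unpack_from(">BBH", response)
    if ident != request[1] or length != len(response):
        return False
    expected = _response_authenticator(secret, code, ident, request[4:20], response[HEADER_LEN:])
    return hmac.compare_digest(expected, response[4:20])


# Constructed exchange: EAP-Response/Identity for "alice" from an AP at 192.168.72.10.
SECRET = b"correct-horse-battery-staple"
REQUEST_AUTH = bytes(range(16))                     # fixed here so the example is deterministic
EAP_IDENTITY = b"\x02\x01\x00\x0a\x01" + b"alice"    # code 2 (Response), id 1, length 10, type 1 (Identity)
NAS_IP = bytes([192, 168, 72, 10])
REQUEST = build_access_request(SECRET, 7, REQUEST_AUTH, b"alice", NAS_IP, EAP_IDENTITY)
ACCEPT = build_access_accept(SECRET, REQUEST)
# The same request from a client that omits Message-Authenticator; a server must reject it.
REQUEST_NO_MAC = _packet(ACCESS_REQUEST, 7, REQUEST_AUTH,
                         _attr(USER_NAME, b"alice") + _attr(NAS_IP_ADDRESS, NAS_IP) + _attr(EAP_MESSAGE, EAP_IDENTITY))
```

Because both checks are keyed only by the secret, anyone on the access point's subnet who learns it can forge Access-Accept replies, so treat the secret like a password and give each access point its own.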
Provisioning the Advanced Firewall Certificate
To provision the certificate manually:
1. On the Services > Authentication > WPA Enterprise page, click Download CA certificate.
2. Save the certificate in a secure location and consult the documentation provided with the device(s) as to how best to install it on the device(s).
About Groups
Advanced Firewall uses the concept of groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions with each group of user accounts, thus enabling them to dynamically apply rules on a per-user account basis.
Local users can be added or imported to a particular group, with each group being organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain.
Currently, Advanced Firewall supports 1000 groups and by default, contains the following groups:
Group: Description
Unauthenticated IPs: The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.
Note: This group cannot be renamed or deleted.
Default Users: Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an Advanced Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Advanced Firewall authentication group.
Note: This group cannot be renamed or deleted.
Banned Users: The purpose of this group is to contain users who are banned from using an authentication-enabled service.
Note: This group cannot be renamed or deleted.
Network Administrators: This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.
Adding Groups
It is possible to add groups to Advanced Firewall. Currently, Advanced Firewall supports 1000 groups.
To add a group:
1. On the Services > Authentication > Groups page, click Add new group.
2. In the Add new group dialog box, enter the following information:
Field: Description
Name
Comment
3. Click Add. Advanced Firewall creates the group and lists it.
Editing Groups
Note: It is not possible to rename the Unauthenticated IPs, Default Users or Banned Users groups.
To edit a group:
1. On the Services > Authentication > Groups page, point to the group and click Edit.
2. Change the following information as required:
Field: Description
Name
Comment
Deleting Groups
Note: It is not possible to delete the Unauthenticated IPs, Default Users or Banned Users groups.
To delete a group or groups:
1. On the Services > Authentication > Groups page, select the group(s) and click Delete.
2. When prompted to confirm the deletion, click Delete. Advanced Firewall deletes the group(s).
Chapter 11
Reporting
To view the reports summary:
1. Navigate to the Logs and reports > Reports > Summary page.
Note: The information displayed depends on the product series you are using.
A list of the reports generated by default is displayed. For information on customizing the reports displayed, see Chapter 13, Configuring the User Interface on page 268.
Accessing Reporting
Advanced Firewall can produce many types of reports which provide information on almost every aspect of Advanced Firewall.
To access reporting:
1. Navigate to the Logs and reports > Reports > Reports page.
Generating Reports
Advanced Firewall contains a broad range of reports which can be generated immediately.
To generate a report:
1. Navigate to the Logs and reports > Reports > Reports page and click on a folder containing the report you want to generate.
2. Click on the report to access its options. Advanced Firewall displays the options available.
Tip:
Click Advanced to see a description of the report, access advanced options and portal publication permissions. For more information on publishing reports, see Chapter 8, Making Reports Available on page 83.
3. If applicable, set the time interval for the report and enter/select any option(s) you require.
4. Click Run report to generate the report. Advanced Firewall displays the report.
Canceling a Report
It is possible to cancel a report if it is taking a long time to generate.
To cancel a report:
1. When the report progress bar is displayed, click Cancel. Advanced Firewall cancels the report.
Saving Reports
If you want permanent access to a report, you must save it.
To save a report:
1. In the Save as field, enter a name for the report and click Save. You can access the report on the Logs and reports > Reports > Recent and saved page.
Changing the Format of a Saved Report
To change the format of a saved report:
1. Navigate to the Logs and reports > Reports > Recent and saved page.
2. Locate the report you want to change and click on the format you want to change the report to. The following formats are available:
Format: Description
csv: Comma-separated values.
excel: Microsoft Excel spreadsheet.
pdfbw: The report will be generated in black and white in Adobe's portable document format.
tsv: Tab-separated values.
Creating Folders
You can create a folder to contain reports on the Logs and reports > Reports > Reports page or in a folder or sub-folder contained on the page.
To create a folder:
1. On the Logs and reports > Reports > Reports page, determine where you want to create the folder, on the page or in an existing folder.
2. Click the Create a new folder button. Advanced Firewall creates the folder.
Deleting Folders
To delete a folder:
1. On the Logs and reports > Reports > Reports page, locate the folder.
Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete the folder.
Deleting Reports
To delete a report:
1. Navigate to the Logs and reports > Reports > Recent and saved page.
Report Permissions
Advanced Firewall enables you to publish reports on a portal. For more information, see Chapter 8, Making Reports Available on page 83.
To publish a report to a portal:
1. Navigate to the Logs and reports > Reports > Reports page and locate the report you want to publish to portals.
2. In the Automatic Access area, from the Add access drop-down list, select the portal you want to publish the generated report on and click Add.
3. Click Close to close the dialog box. Advanced Firewall publishes the report to the portal.
Scheduling Reports
Advanced Firewall can generate and deliver reports to specified user groups at specified intervals.
To schedule a report:
1. Navigate to the Logs and reports > Reports > Scheduled page.
2. Configure the following settings:
Setting: Description
Start date: Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.
Time
Repeat: Scheduled reports can be generated and delivered more than once. Select from the following options:
  No Repeat: The report will be generated and delivered once on the specified date at the specified time.
  Daily Repeat: The report will be generated and delivered once a day at the specified time, starting on the specified date.
  Weekday Repeat: The report will be generated and delivered at the specified time, Monday to Friday, starting on the specified date.
  Weekly Repeat: The report will be generated and delivered at the specified time, once a week, starting on the specified date.
  Monthly Repeat: The report will be generated and delivered at the specified time, once a month, starting on the specified date.
Enabled
Comment
Report
Report shows period: From the drop-down list, select how long to collate data for this report.
Save report: Select this option if you want to save the scheduled report after it has been generated. The report will be available on the Logs and reports > Reports > Recent and saved page.
Report name
Publish from portal: Optionally, from the drop-down menu, select a portal to publish the report from.
Email report: Select this option if you want to email the report to a group of users.
Group: From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 12, Configuring Groups on page 254.
3. Click Add. Advanced Firewall schedules the report and lists it in the Scheduled reports area.
Managing Log Retention
To configure log retention:
1. Navigate to the Logs and reports > Settings > Datastore settings page.
2. Configure the following settings:
Setting: Description
Retention settings: Use the slider's start and end points to specify the minimum and maximum number of months Advanced Firewall should retain log files.
  Minimum: The minimum number of months possible is 0. If a log file is older than the minimum retention period specified, it may be deleted if the available storage space starts to run out.
  Maximum: The maximum number of months possible is infinite. If a log file is older than the maximum retention period specified, it will be deleted.
  For example, if the minimum retention period is set to 3 months and the maximum retention period is set to 6 months, Advanced Firewall will always keep log files for 3 months and, if there is available storage space, will keep them for 6 months.
Note: If, because of a lack of storage space, the minimum log retention is not possible, Advanced Firewall will stop working and display a warning.
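The interaction between the two sliders and free disk space is easy to misjudge when sizing a datastore, so the policy described above is worked through here as an added example (not Smoothwall's code; the appliance's own implementation is not documented). Files older than the maximum are always deleted; files between the minimum and the maximum are deleted oldest-first only while free space is below a low-water mark; files inside the minimum are never deleted, and if space is still short after that the function reports the condition the note above describes as fatal. The log names, sizes, ages and the low-water mark are constructed.

```python
"""Log retention policy with minimum/maximum months (added example, not product code).

Files older than the maximum always go; files between the minimum and the
maximum are removed oldest-first only while free space is below the
low-water mark; files inside the minimum are never touched. If space is
still short once only those remain, the minimum retention cannot be met.
Sizes, ages and the low-water mark are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogFile:
    name: str
    age_months: int
    size_bytes: int


def plan_retention(logs, min_months, max_months, free_bytes, low_water_bytes):
    """Return (names_to_delete, minimum_retention_violated)."""
    if min_months > max_months:
        raise ValueError("minimum retention cannot exceed maximum retention")
    to_delete = []
    negotiable = []
    for log in logs:
        if log.age_months > max_months:           # past the maximum: always deleted
            to_delete.append(log.name)
            free_bytes += log.size_bytes
        elif log.age_months > min_months:         # may be sacrificed if space runs short
            negotiable.append(log)
    for log in sorted(negotiable, key=lambda l: l.age_months, reverse=True):
        if free_bytes >= low_water_bytes:
            break
        to_delete.append(log.name)
        free_bytes += log.size_bytes
    violated = free_bytes < low_water_bytes       # only files inside the minimum remain
    return to_delete, violated


# Constructed datastore: one 1 GiB file per month, oldest first.
GIB = 1024 ** 3
SAMPLE_LOGS = [LogFile(f"firewall-{m:02d}.log", age_months=m, size_bytes=GIB) for m in range(8, 0, -1)]

if __name__ == "__main__":
    names, violated = plan_retention(SAMPLE_LOGS, 3, 6, free_bytes=0, low_water_bytes=6 * GIB)
    print("delete:", names)
    print("minimum retention violated:", violated)
```

With 3 and 6 months and 1 GiB of logs a month, the datastore needs room for at least three months of logs plus the low-water mark before the appliance can guarantee the minimum; the third case in the test shows what happens when it does not.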
Chapter 12
Viewing, analyzing and configuring alerts, realtime information and log files.
To view the dashboard, browse to Dashboard.
To view the About page, browse to the bottom of the page you are on and click About.
Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
Overview
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period. Some alerts allow their trigger conditions to be edited to customize the alert sensitivity.
Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts.
It is possible to specify two trigger conditions for some alerts: the first acts as a warning alert and, in more critical circumstances, the second denotes the occurrence of an incident.
Available Alerts
You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.
Alert: Description
Hardware Failover Notification
SmoothTunnel VPN Certificate Monitor
SmoothRule Violations
System Resource Monitor
Firewall Notifications
System Service Monitoring
Reverse proxy violations: Monitors reverse proxy activity and generates warnings about connectivity issues. Constant monitoring.
Health Monitor
IM proxy monitored word alert: Monitors instant messaging chat activity and generates warnings based on excessive use of inappropriate language.
External Connection Failover
Traffic Statistics Monitor: These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds. Monitored once every five minutes.
Output System Test Messages
Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.
Intrusion System Monitor: These alerts are triggered by violations and notices that the intrusion system generates in response to suspicious network activity. Constant monitoring.
Update Monitoring
Enabling Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
To enable alerts:
1. Browse to the Logs and reports > Alerts > Alerts page.
2. Configure the following settings:
Setting: Description
Group name: From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 254.
Enable instantaneous alerts: By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.
3. For each alert you want to send, select the delivery method: SMS or Email.
4. Click Save.
To view a specific alert, enter the alert's unique ID into the Alert ID field and click Show. The content of the alert will be displayed on a new page.
Configuring Alert Settings
To configure alert thresholds:
1. Browse to the Logs and reports > Alerts > Alert settings page.
2. Configure the following settings:
Setting: Description
System load average: Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period. A system operating at normal performance should record a load average of between 0.0 and 1.0 per processor core. While higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0 on a single-core system) may merit attention.
Disk usage: Used to set a disk space usage percentage threshold that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance.
System memory usage: Used to set a system memory usage percentage threshold that generates an alert once exceeded. Advanced Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.
3. Click Save.
Setting: Description
Monitor Source (remote) IP addresses
Monitor Source (remote) Ports
Monitor Destination (local) IP Addresses: Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.
Monitor Destination (local) Ports: Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.
2. Click Save.
Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels at which alerts are generated for each type of activity.
Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the appropriate Ignore fields.
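The warning/incident pair and the Ignore fields above, together with the failed-login monitor listed under Available Alerts, describe one detection pattern: count events per source inside a sliding window, fire a warning at the first threshold and an incident at the second, and skip sources on an ignore list. The following script is an added example, not Smoothwall's alerting code: it applies that pattern to sshd syslog lines so the effect of the thresholds can be seen on real input. The log lines are constructed in OpenSSH's syslog format and are not from a real system; the thresholds and the window length are illustrative, and the Web Interface log format is not shown in this guide, so only SSH failures are parsed.

```python
"""Failed-login alerting with warning and incident thresholds (added example, not product code).

Counts failed sshd logins per source address in a sliding window. A warning
fires when the count reaches the warning threshold, an incident when it
reaches the incident threshold, and sources on the ignore list are skipped.
The log lines below are constructed in OpenSSH's syslog format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar 10 09:00:01 fw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51102 ssh2
Mar 10 09:00:03 fw sshd[2103]: Failed password for root from 203.0.113.7 port 51110 ssh2
Mar 10 09:00:04 fw sshd[2105]: Failed password for backup from 192.0.2.9 port 40211 ssh2
Mar 10 09:00:05 fw sshd[2107]: Failed password for root from 203.0.113.7 port 51118 ssh2
Mar 10 09:00:06 fw sshd[2109]: Failed password for alice from 198.51.100.4 port 60001 ssh2
Mar 10 09:00:08 fw sshd[2111]: Failed password for backup from 192.0.2.9 port 40213 ssh2
Mar 10 09:00:09 fw sshd[2113]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
Mar 10 09:00:10 fw sshd[2114]: Accepted publickey for alice from 198.51.100.4 port 60002 ssh2
Mar 10 09:00:11 fw sshd[2115]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 09:00:12 fw sshd[2117]: Failed password for backup from 192.0.2.9 port 40215 ssh2
Mar 10 09:00:14 fw sshd[2119]: Failed password for root from 203.0.113.7 port 51136 ssh2
Mar 10 09:00:20 fw sshd[2121]: Failed password for alice from 198.51.100.4 port 60003 ssh2
Mar 10 09:00:25 fw sshd[2123]: Failed password for backup from 192.0.2.9 port 40217 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def parse_failures(text: str, year: int = 2024):
    """Yield (timestamp, source_ip, username, source_port) for each failed login."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], int(m["port"])


def evaluate(events, warning=5, incident=10, window_s=60, ignore=frozenset()):
    """Return (level, ip, count, time) alerts; each threshold fires as the count reaches it."""
    recent = defaultdict(deque)          # ip -> timestamps of failures inside the window
    alerts = []
    for ts, ip, _user, _port in sorted(events):
        if ip in ignore:                 # the equivalent of the Ignore fields
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        count = len(window)
        if count == incident:
            alerts.append(("incident", ip, count, ts))
        elif count == warning:
            alerts.append(("warning", ip, count, ts))
    return alerts


if __name__ == "__main__":
    for level, ip, count, ts in evaluate(parse_failures(SAMPLE_LOG), warning=3, incident=6, ignore={"192.0.2.9"}):
        print(f"{ts:%H:%M:%S} {level.upper():8} {ip} ({count} failures in window)")
```

Firing only when the count equals a threshold, rather than whenever it exceeds one, is what keeps a sustained brute-force attempt from generating an alert per packet; the two-minute queuing described under Enabling Alerts then merges whatever still gets through.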
Select the components, modules and services that should generate alerts when they start or stop, then click Save.
Setting: Description
Request URL: Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm
Note: Omit http:// when entering the URL.
No of tries: Enter the number of times Advanced Firewall should try to retrieve the page.
Keywords
If the page has been retrieved and the keywords are missing, an alert is generated.
Other Services
Checks that the specified port is open and offering a service.
Setting: Description
IP Address
Port
Protocol: From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
No of tries: Enter the number of times Advanced Firewall should check the address and not receive a response before generating an alert.
Setting: Description
Name
Address
Setting: Description
Enabled on received text: Select to generate the alert when an inappropriate word is used in a message received from a remote user.
Enabled on sent text
Number of inappropriate messages in 15 mins: From the drop-down list, select the threshold above which an alert will be generated.
Threshold number of messages
Realtime
The realtime pages provide access to realtime information about your system.
By default, all information in the system log is displayed and updated automatically approximately every second.
To display information on specific components:
1. From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.
To filter by address or port, enter a complete or partial IP address and/or port number in the fields and click Update.
By default, all information in the log is displayed and updated automatically approximately every second.
To display information on a specific tunnel:
1. Configure the following setting:
Setting: Description
Connection
2. Click Update. If there is information available in the system log, it is displayed in the Details area.
For more information on portals, see Chapter 8, Working with Portals on page 81.
The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses.
Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice, as users are recognized as both local and remote.
Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font.
The local username is denoted in blue, the remote username is denoted in green.
You can use the following settings to manage how the conversation is displayed.
To view web filter activity for a user or address, in the Username or IP address field, enter the username or IP address. If there is information available in the web filter log, it is automatically displayed in the Details area.
To show lines containing specific text, in the Show only lines containing field, enter the text. If the text is found, it is automatically displayed in the Details area.
Browse to the Logs and reports > Realtime > Traffic graphs page.
The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an interface displays its current traffic.
Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth.
Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.
Logs
The log pages display system, firewall, IPsec, intrusion system, email and proxy information.
System Logs
The system logs contain simple logging and management information.
To access system logs:
1. Browse to the Logs and reports > Logs > System page.
2. Configure the following settings:
Setting: Description
Section: Used to select which system log is displayed. The following options are available:
  Authentication service: Log messages from the authentication system, including service status messages and the user authentication audit trail.
  IM Proxy: Log messages from the instant messaging proxy service.
  Kernel: Log messages from the core Advanced Firewall operating system.
  Message censor: Displays information from the message censor logs.
  NTP: Log messages from the network time system.
  SystemD: Log messages from the system super server.
  SSH: Log messages from the SSH system.
  System: Displays server log information.
  Monitor: Displays monitoring system information, including service status and the alert/report distribution audit trail.
  System: Simple system log messages, including startup, shutdown, reboot and service status messages.
  UPS: Log messages from the UPS system, including service status messages.
  Update transcript: Displays information on update history.
  VIPRE engine: Displays information on the anti-malware engine.
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.
Export format
Export all dates
3. Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.
Firewall Logs
The firewall logs contain information on network traffic.
To view the firewall logs:
1. Browse to the Logs and reports > Logs > Firewall page.
2. Configure the following settings:
Setting: Description
Section: Used to select which firewall log is displayed. The content of each section is discussed below.
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.
Compression: Used to ghost repeated sequential log entries for improved log viewing.
Control: Description
Source: Enter an IP address and click Update to display log entries for that source address.
Src port: This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Destination: Enter an IP address and click Update to display log entries for that destination address.
Dst port: This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Export format
Export all dates
Section: Description
Main
Incoming audit: All traffic to all interfaces that is destined for the firewall, if Direct incoming traffic is enabled on the Networking > Settings > Advanced page.
Forward audit: All traffic passing through one interface to another, if Forwarded traffic is enabled on the Networking > Settings > Advanced page.
Outgoing audit: All traffic leaving from any interface, if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.
Port forwards: All data packets from the external network that were forwarded by a port forward rule, if port forward logging is enabled on the Networking > Firewall > Port forwarding page.
Outgoing rejects: All data packets from the internal network zones that were rejected by an outbound access rule.
Outgoing stealth: All data packets from the internal network zones that were logged but not rejected by an outbound access rule.
The log entries display the following columns:
Column: Description
Time
In
Out
Protocol
Source
Src Port
Looking Up an Address
To look up the owner of a logged address:
1. Navigate to the Logs and reports > Logs > Firewall page.
2. Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics > whois page.
Blocking a Source IP
The firewall log viewer can be used to add a selected source or destination IP to the IP block list. Before adding an address, check that it is not a shared or spoofable source, for example a NAT gateway serving many users or the claimed source of unsolicited UDP packets, because the block applies to all traffic from that address.
To block a source IP:
1. Navigate to the Logs and reports > Logs > Firewall page.
IPSec Logs
IPSec logs show IPSec VPN information.
Choose the tunnel you are interested in by using the Tunnel name control. To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
Exporting Logs
To export and download all log entries generated by the current settings, click Export.
The log entries display the following columns:
Column: Description
Time
Name
Email Logs
Email logs provide detailed, configurable and searchable information on email activity: time, sender, recipient, subject and spam status.
Configuring Email Logs
To configure email logs:
1. Navigate to the Logs and reports > Logs > Email page. Advanced Firewall displays the currently configured log entries.
2. Select the options you want to display. Advanced Firewall updates what is displayed.
Option: Description
Sender
Recipient
Subject
Spam
To view email logs in realtime:
1. On the Logs and reports > Logs > Email page, click Realtime. Advanced Firewall displays the currently configured log options in realtime, in a table of log entries and in the email graph. The results are updated automatically.
Tip:
To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Advanced Firewall stops the realtime display and shows what has been logged at the time you clicked on.
2. To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.
Searching for/Filtering Email Log Information
To search for or filter email log information:
1. On the Logs and reports > Logs > Email page, use one or more of the following methods:
Method: Description
Graph: On the graph, locate and click on the time you are interested in. Advanced Firewall displays what was logged at the time you clicked on.
Time: Click in the date and time picker and specify when to search from. Click Apply. Advanced Firewall displays the results from the time specified and two hours forward.
Free search term: In the Sender, Recipient, Subject and/or Spam column(s), enter one or more search terms. Advanced Firewall displays the search results.
Exporting Email Logs
To export email log information:
1. On the Logs and reports > Logs > Email page, configure or search for the data you want to export. For more information, see Configuring Email Logs on page 245 and Searching for/Filtering Email Log Information on page 246.
2. Click Export. Follow your browser's prompts to save and export the data.
IDS Logs
The IDS logs contain details of suspicious network activity detected by Advanced Firewall's intrusion detection system (IDS).
To view the IDS logs:
1. Navigate to the Logs and reports > Logs > IDS page.
2. Select the filtering criteria:
Option: Select to:
Month
Day
Export format
Exporting Logs
To export logs:
1. Select the export format and whether you want to export all dates.
2. Click Export. To save the exported log, use the browser's File, Save As option.
IPS Logs
The IPS logs contain details of suspicious network activity prevented by Advanced Firewall's intrusion prevention system (IPS).
To view the IPS logs:
1. Navigate to the Logs and reports > Logs > IPS page.
2. Select the filtering criteria:
Option: Select to:
Month
Day
Export format
IM Proxy Logs
The IM proxy log page displays a searchable log of instant messaging conversations and file transfers.
To view the IM proxy logs:
1. Configure the following settings:
Setting: Description
Local user filter: Enter the name of a local user whose logged conversations you want to view.
Enable local user filter: Select to display conversations associated with the local user name entered.
Remote user filter: Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter: Select to display conversations associated with the remote user name entered.
Enable smilies
Enable links
Search: Enter a specific piece of text you want to search for.
Conversations
Web Proxy Logs
To view the web proxy logs, browse to the Logs and reports > Logs > Web proxy page.
Reverse Proxy Logs
To view the reverse proxy logs, browse to the Logs and reports > Logs > Reverse proxy page and configure the following settings:
Description
Month
Used to choose the month that proxy logs are displayed for.
Day
Used to choose the day that proxy logs are displayed for.
Year
Used to choose the year that proxy logs are displayed for.
Ignore filter
Enable ignore
filter
Domain filter
Enable domain
filter
Export format
Note: When running SSL VPNs in TCP mode, the reverse proxy access logs generated for HTTPS requests
will contain a source address of 127.0.0.1. This is because OpenVPN has to proxy the HTTPS
traffic. Therefore, from Advanced Firewall's point of view, the traffic is originating from localhost.
Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are
displayed in the Proxy log area. The following columns are displayed:
Column / Description
- Time
- Source IP
- Website
Browse to the Logs and reports > Logs > User portal page.
Browse to the Logs and reports > Logs > Log settings page.
Setting / Description
- Remote syslog
- Syslog server: If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
- Default retention: To set default log retention for all of the logs listed above, select one of the following settings:
  - 1 Day: Rotate the log file daily and keep the last day.
  - 2 Days: Rotate the log file daily and keep the last 2 days.
  - A week: Rotate the log file weekly and keep the last week.
  - 2 weeks: Rotate the log file weekly and keep the last 2 weeks.
  - A month: Rotate the log file monthly and keep the last month.
  - 2 months: Rotate the log file monthly and keep the last 2 months.
  - Three months: Rotate the log file monthly and keep the last 3 months.
  - Four months: Rotate the log file monthly and keep the last 4 months.
  - Five months: Rotate the log file monthly and keep the last 5 months.
  - Six months: Rotate the log file monthly and keep the last 6 months.
  - Seven months: Rotate the log file monthly and keep the last 7 months.
  - Eight months: Rotate the log file monthly and keep the last 8 months.
  - Nine months: Rotate the log file monthly and keep the last 9 months.
  - Ten months: Rotate the log file monthly and keep the last 10 months.
  - Eleven months: Rotate the log file monthly and keep the last 11 months.
  - A year: Rotate the log file monthly and keep the last 12 months.
Optionally, to set an individual retention period for specific logs, click Advanced and configure the
settings displayed.
Click Save. Advanced Firewall will log and retain the information you have specified and, if
configured, send logs to the remote syslog server.
Browse to the Logs and reports > Logs > Log settings page.
Setting / Description
- Default retention: To set default log retention for all of the logs listed in the table below, select one of the following settings:
  - 1 Day: Rotate the log file daily and keep the last day.
  - 2 Days: Rotate the log file daily and keep the last 2 days.
  - A week: Rotate the log file weekly and keep the last week.
  - 2 weeks: Rotate the log file weekly and keep the last 2 weeks.
  - A month: Rotate the log file monthly and keep the last month.
  - 2 months: Rotate the log file monthly and keep the last 2 months.
  - Three months: Rotate the log file monthly and keep the last 3 months.
  - Four months: Rotate the log file monthly and keep the last 4 months.
  - Five months: Rotate the log file monthly and keep the last 5 months.
  - Six months: Rotate the log file monthly and keep the last 6 months.
  - Seven months: Rotate the log file monthly and keep the last 7 months.
  - Eight months: Rotate the log file monthly and keep the last 8 months.
  - Nine months: Rotate the log file monthly and keep the last 9 months.
  - Ten months: Rotate the log file monthly and keep the last 10 months.
  - Eleven months: Rotate the log file monthly and keep the last 11 months.
  - A year: Rotate the log file monthly and keep the last 12 months.
Click Advanced to see what other logs are available and to determine if you want to set individual
log retention settings.
Setting / Description
- Default retention: From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
- Intrusion detection logs: From the drop-down menu, select how long you want to keep intrusion detection logs.
- Intrusion prevention logs: From the drop-down menu, select how long you want to keep intrusion prevention logs.
- IM logs: From the drop-down menu, select how long you want to keep instant messaging logs.
Click Save. Advanced Firewall will now retain the logs as you have specified.
Browse to the Logs and reports > Logs > Log settings page.
Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been
used.
Configuring Groups
The Groups page is used to create groups of users which can be configured to receive automated
alerts and reports.
Creating Groups
To create a group of users:
1. Browse to the Logs and reports > Settings > Groups page.
Setting / Description
- Group name: From the Group name drop-down list, select Empty and click Select.
- Name
Click Save. Advanced Firewall creates the group. In the Add user area, configure the following
settings:
Setting / Description
- Name
- SMS number
- Comment
- Email address
Select Enabled to ensure that the user will receive any reports or alerts that are sent to the group.
Click Add. The user's details will be added to the list of current users in the Current users region.
Editing a Group
To edit a group:
1. Browse to the Logs and reports > Settings > Groups page.
Choose the group that you wish to edit using the Group name drop-down list. Click Select to
display the group.
Make any changes to the group using the controls in the Add a user and Current users areas.
Deleting a Group
To delete a group:
1. Browse to the Logs and reports > Settings > Groups page.
Select the group to be deleted using the Group name drop-down list.
Click Delete.
Browse to the Logs and reports > Settings > Output settings page.
Placeholder / Description
- %%ALERT%%
- %%SMS%%
- %%EMAIL%%
- %%HOSTNAME%%: The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
- %%DESCRIPTION%%: The description of the Advanced Firewall system (useful when using multiple firewall systems).
- %%--%%
In the Email to SMS Output System area, configure the following settings:
Setting / Description
- SMTP server
- SMS to address
- Username
- Password
Enter the subject line of the SMS email in the SMS subject line field, as specified by your email-to-SMS service provider.
This will often contain the %%SMS%% placeholder, as many email-to-SMS gateways use the subject line for this purpose.
Click Save.
In the Send test to: field, enter the cell phone number of the person who is to receive the test.
Output to Email
To configure email settings:
1. In the SMTP (Email) Output System area, configure the following settings:
Setting / Description
- SMTP server
- Username
- Password
Click Save.
Chapter 13
Managing tenants
Managing certificates.
Installing Updates
Administrators should use Advanced Firewall's update facility whenever a new update is released.
Updates are typically released in response to evolving or theoretical security threats as they are
discovered. System updates may also include general product enhancements as part of
Smoothwall's commitment to continuous product improvement.
Advanced Firewall must be connected to the Internet in order to discover, download and install
system updates.
Smoothwall's support systems are directly integrated with Advanced Firewall's system update
procedure, allowing the Smoothwall support department to track the status of your system.
Installing Updates
The following section explains how to install updates.
Note: If Advanced Firewall is configured for failover, see Installing Updates on a Failover System on
page 260 for information on how to proceed.
Setting/button / Description
- Download updates
- Install updates
- Enter the time at which you want to install the updates if you do not want to install them immediately and click Install at this time.
If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown
page.
On the master's System > Maintenance > Updates page, download the updates.
Wait until the updates have been transferred to the failover unit. This should happen within 5 minutes.
Go to the failover unit's web interface and install the pending updates. Once they have been installed,
the failover unit displays information on the update and prompts for a reboot.
On the System > Maintenance > Shutdown page, reboot the failover unit.
When the failover unit is up and running again, install the updates on the master and reboot.
During master downtime, the failover unit is active and remains so until the master is live again.
Managing Modules
Advanced Firewall's major system components are separated into individually installed modules.
Modules can be added to extend Advanced Firewall's capabilities, or removed in order to simplify
administration and reduce the theoretical risk of as-yet-undiscovered security threats.
Note: Modules must be registered against your Advanced Firewall serial number before they can be
installed and used. For further information, please consult your Smoothwall partner or, if purchased
directly, Smoothwall.
Advanced Firewall must be connected to the Internet in order to install modules.
To install a module:
1.
Note: The information displayed depends on the product series you are using.
2. In the Available modules area, locate the module and click Install.
Note: Some module installations require a full reboot of Advanced Firewall. Please read the module
description carefully prior to installation.
Removing a Module
To remove a module:
1. In the Installed modules area, locate the module and click Remove.
Reboot Advanced Firewall on the System > Maintenance > Shutdown page.
Licenses
Advanced Firewall contains information on licenses and subscriptions.
To view license information:
Note: The information displayed depends on the Smoothwall product you are using.
Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License
installation and activation is an automated process, initiated via a secure request to Smoothwall's
licensing servers.
To install additional licenses:
1. Click Refresh license list. This will cause the available license information to be updated via the
Internet, and any new licenses will be installed.
Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information,
see the documentation delivered with your Smoothwall add-on module.
Archives
The Archives page is used to create and restore archives of system settings. Archives can be saved
on removable media and used when restoring an Advanced Firewall system. They can also be used
to create clones of existing systems.
Tip: Log on to our support portal and read how to set up a Windows SSH server with keys in order to
back up system settings.
Note: You can automatically schedule the creation of backup archives. For further information, see
Scheduling on page 264.
Creating an Archive
To create an archive:
Setting / Description
- Profile: To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.
- Profile name
- Comment
- Logs: Select the log files you want to archive or select All to select and archive all logs.
Downloading an Archive
To download an archive:
1. Click Download and save the archive to disk using the browser's Save as dialog box.
Restoring an Archive
To restore an archive:
1. Select the components in the archive that you want to restore and click Restore.
Deleting Archives
To delete an archive:
Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and
Smoothwall modules so that they can be re-used in the current version(s).
To upload an archive:
1. In the Upload area, enter the name of the archive and click Browse.
Scheduling
You can configure Advanced Firewall to automatically discover and download system updates,
modules and license upgrades using the scheduler.
You can also use the scheduler to create and remotely archive automatic backups. Other system
modules can integrate with the scheduler to provide additional automated maintenance tasks.
Setting / Description
- Day: From the drop-down list, select the day of the week that the tasks will be executed.
- Hour: From the drop-down list, select the time of day at which the tasks will be executed.
- Download updates
Setting / Description
- Prune archives: Options here enable you to schedule archive pruning if you require it. Select one of the following options:
  - Don't prune: This is the default option; archives are never pruned.
  - Over a month: Select this option to prune archives that are older than one month.
  - Over 2 months: Select this option to prune archives that are older than two months.
  - Over 3 months: Select this option to prune archives that are older than three months.
Click Save.
In the Remote archive destinations area, click Export Public Backup Key.
Install the public key on the remote SSH server. For details on how to do this, please consult the
administrator's guide of the SSH server in use.
Setting / Description
- Name
- Username: Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
- Remote path: Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/ If left blank, Advanced Firewall uses the default home directory of the specified remote user.
- Server
- Port Number: Set the port number used to access the SSH server (normally port 22).
- Transfer Speed Limit: Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system adversely affecting the performance of other network traffic.
- Comment
Click Add.
Setting / Description
- Day
- Hour
- Archive destination
- Archive profile
- Enabled
- Comment
Click Add.
Repeat the steps above to configure other archives for scheduled remote archive.
Editing Schedules
To edit a schedule:
1. In the appropriate area, select the destination or task and click Edit or Remove.
Setting / Description
- Immediately
- At the following time
Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.
Setting / Description
- Host information: In the description field, enter a description to identify Advanced Firewall. This will be displayed in the title bar of the browser window.
- System control page
- From the Report to show drop-down list, select the report you want displayed on the Dashboard.
- Dashboard sections
Click Save.
Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or automatically
retrieved from a local or external Network Time Protocol (NTP) server, typically located on the
Internet.
Advanced Firewall can also act as an NTP server itself, allowing network wide synchronization of
system clocks.
To set the time:
Setting / Description
- Timezone
- Time and date: Select Set and use the drop-down lists to set the time and date.
- Network time retrieval: To automatically retrieve time settings: Choose the time retrieval frequency by selecting an interval from the Interval drop-down list. Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
Setting / Description
- Network time service interfaces: Advanced Firewall can be used to synchronize the system clocks of local network hosts by providing a time service. To synchronize the network time service: Select each internal network interface that the network time service should be available from.
Click Save.
Setting / Description
- Extended registration information: When registering, updating and/or installing add-on modules, Advanced Firewall sends information about licences, subscription and add-on modules to Smoothwall. When this option is enabled and depending on which add-on modules are installed, the following information is also sent:
  - The number of configured interfaces and whether they are internal or external
  - Main board manufacturer and main board product name from dmidecode.
When enabled, Advanced Firewall will periodically send information about web
filtering accuracy and a list of the domains of any web sites which could not be
classified.
Smoothwall will take every available measure to ensure data cannot be associated
with your organization and no personal information is ever sent.
Click Save. Advanced Firewall starts to use the configured upstream proxy and, if enabled, sends
registration and/or filtering information.
Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in its
Common Name field.
Note: Terminal access to Advanced Firewall uses the non-standard port 222.
Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged in
administrator, and not some third party web page, you can enable remote access referral checking.
When enabled, administration requests are only processed if the referral URL contains the local IP
address, the local hostname, or the external IP address where applicable.
Select Allow admin access only from valid referral URLs in the Remote Access area.
Click Save.
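Added example (not Advanced Firewall's own code) of the kind of check the referral setting above performs: the Referer header's host must be one of the firewall's own identities. The identities are constructed values; the choices to reject a missing Referer and to compare the URL's host component rather than search the whole URL for the address are assumptions made here, the second being stricter than a plain "contains" test.

```python
from urllib.parse import urlsplit

# Constructed identities for the Advanced Firewall system being protected (assumed values).
LOCAL_IP = "192.168.10.1"
LOCAL_HOSTNAME = "firewall.example.internal"
EXTERNAL_IP = "203.0.113.5"   # None when the system has no external address


def allowed_referer_hosts(local_ip, local_hostname, external_ip=None):
    """Hosts a valid referral URL may name: the local IP address, the local
    hostname and, where applicable, the external IP address."""
    hosts = {local_ip.lower(), local_hostname.lower()}
    if external_ip:
        hosts.add(external_ip.lower())
    return hosts


def referer_is_valid(referer, local_ip=LOCAL_IP, local_hostname=LOCAL_HOSTNAME,
                     external_ip=EXTERNAL_IP):
    """True only when the Referer header's URL has one of the firewall's own
    identities as its host.

    Assumptions made in this example, not taken from the manual:
    * a missing or unparsable Referer is rejected: it cannot show that the
      request came from a page served by this firewall;
    * only the host component is compared, so a foreign page whose URL merely
      contains the local address in its path, query or userinfo does not pass.
    """
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname   # lower-cased; port and userinfo removed
    except ValueError:                      # e.g. a malformed IPv6 literal
        return False
    if not host:
        return False
    return host in allowed_referer_hosts(local_ip, local_hostname, external_ip)


def process_admin_request(headers, referral_checking_enabled=True, **identities):
    """Apply the 'Allow admin access only from valid referral URLs' setting to one
    request's headers. Returns True if the configuration request should be
    processed. Header names are matched case-insensitively, as HTTP requires."""
    if not referral_checking_enabled:
        return True
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    return referer_is_valid(referer, **identities)


if __name__ == "__main__":
    # Constructed sample requests: one from the firewall's own web interface,
    # one from a page on another host that names the firewall in its query string.
    own_ui = {"Host": "192.168.10.1", "Referer": "https://192.168.10.1/admin/save"}
    foreign = {"Host": "192.168.10.1", "Referer": "https://other.example/?r=192.168.10.1"}
    print("own UI:", process_admin_request(own_ui))                   # True
    print("foreign page:", process_admin_request(foreign))            # False
    print("checking disabled:", process_admin_request(foreign, False))  # True
```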
- SSH admin: Access to the system console using port 222. Requires SSH access to be enabled, see Configuring Admin Access Options on page 272.
Setting / Description
- Interface: From the drop-down list, select the interface that access is permitted from.
- Source IP, or network: Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access.
  For a range of hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.50.
  For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
  If no value is entered, any source IP can access the system.
- Service
- Comment
- Enabled
Click Add. The access rule is added to the Current rules table.
Note: Do not remove the default external access rule, it provides access to the default internal network.
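Added example, not the product's own code, showing how the three source notations accepted by the access rule table (a host, an address range, a subnet with netmask or prefix, and the empty value meaning any source) can be parsed and evaluated against a list of rules like the Current rules table. The rule set, interface names and the "HTTPS admin" service name are constructed; "SSH admin" is the service named above.

```python
import ipaddress

# "SSH admin" is the service named in the manual; "HTTPS admin" is a constructed
# name for web-interface access used only in this example.
SSH_ADMIN = "SSH admin"
HTTPS_ADMIN = "HTTPS admin"


def parse_source_spec(spec):
    """Turn one 'Source IP, or network' value into a predicate over source addresses.

    Accepted forms, as described in the manual:
      ''                              any source may access the system
      '192.168.10.7'                  a single host
      '192.168.10.1-192.168.10.50'    an inclusive range of hosts
      '192.168.10.0/255.255.255.0'    a subnet given with a dotted netmask
      '192.168.10.0/24'               a subnet given in prefix notation
    Malformed values raise ValueError so a rule is never silently widened.
    """
    spec = (spec or "").strip()
    if spec == "":
        return lambda addr: True
    if "-" in spec:
        lo_text, hi_text = (part.strip() for part in spec.split("-", 1))
        lo, hi = ipaddress.ip_address(lo_text), ipaddress.ip_address(hi_text)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {spec!r}")

        def in_range(addr):
            a = ipaddress.ip_address(addr)
            return a.version == lo.version and lo <= a <= hi
        return in_range
    if "/" in spec:
        # ip_network accepts both '/24' and '/255.255.255.0'; strict=False tolerates
        # a host address written with its mask, e.g. 192.168.10.7/24
        net = ipaddress.ip_network(spec, strict=False)
        return lambda addr: ipaddress.ip_address(addr) in net
    host = ipaddress.ip_address(spec)
    return lambda addr: ipaddress.ip_address(addr) == host


def compile_rules(rules):
    """Pre-parse the source field of every rule so that a bad value fails at
    configuration time rather than at the moment a request is evaluated."""
    return [dict(rule, matches_source=parse_source_spec(rule.get("source", "")))
            for rule in rules]


def admin_access_allowed(compiled_rules, interface, source_ip, service):
    """True if at least one enabled rule permits `service` from `source_ip` on
    `interface`. The table is an allow-list: no matching rule means denied."""
    for rule in compiled_rules:
        if not rule.get("enabled", True):
            continue
        if rule["interface"] != interface or rule["service"] != service:
            continue
        if rule["matches_source"](source_ip):
            return True
    return False


# Constructed example rule set (interface names and comments are assumptions).
EXAMPLE_RULES = compile_rules([
    {"interface": "Internal", "source": "192.168.10.1-192.168.10.50",
     "service": HTTPS_ADMIN, "comment": "IT staff workstations", "enabled": True},
    {"interface": "Internal", "source": "192.168.20.0/255.255.255.0",
     "service": SSH_ADMIN, "comment": "Server VLAN console access", "enabled": True},
    {"interface": "External", "source": "",
     "service": HTTPS_ADMIN, "comment": "Left disabled: empty source means any host",
     "enabled": False},
])

if __name__ == "__main__":
    for iface, src, svc in [("Internal", "192.168.10.25", HTTPS_ADMIN),
                            ("Internal", "192.168.10.51", HTTPS_ADMIN),
                            ("Internal", "192.168.20.77", SSH_ADMIN),
                            ("External", "203.0.113.9", HTTPS_ADMIN)]:
        print(iface, src, svc, "->", admin_access_allowed(EXAMPLE_RULES, iface, src, svc))
```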
Setting / Description
- Username
- Password: Enter a password. Passwords are case sensitive and must be at least six characters long.
- Again
- Permissions
In the Current users area, select the user and click Edit.
Enter and confirm the new password in the Password and Again fields.
Managing Tenants
Note: To add tenants, you must have the correct Advanced Firewall license type. Contact your Smoothwall
representative for more information.
Advanced Firewall's multi-tenancy functionality enables you to define client organizations, known
as tenants, which can access and use Advanced Firewall services. Each tenant has its own
directory server(s) and users.
Multi-tenancy enables Advanced Firewall to apply network permissions to users whose usernames
are not unique.
For information on tenants and directories, see Chapter 10, Configuring Directories on page 195.
Adding a Tenant
Note: When you add tenants to Advanced Firewall, connections coming from addresses not associated
with a tenant will be unable to authenticate.
In the Add new tenant dialog box, configure the following settings:
Setting / Description
- Name
- IP address range
Repeat the steps above for any other tenants you want to add.
Editing a Tenant
To edit a tenant:
1. On the System > Administration > Tenants page, point to the tenant and click Edit.
In the Edit tenant dialog box, make the changes you require. See Adding a Tenant on page 275 for
information on the settings available.
Deleting a Tenant
To delete a tenant:
1. On the System > Administration > Tenants page, point to the tenant and click Delete.
Hardware
The following sections discuss how to configure UPS devices, modems and firmware settings.
Follow the documentation delivered with your UPS device to prepare it for use.
On the System > Maintenance > Shutdown page, reboot immediately. Once rebooted, you are
ready to start configuring the UPS device.
Setting / Description
- Never
- When all remaining UPS are at low battery: Select to shut down Advanced Firewall when all currently connected UPS devices are at low battery levels.
- After a set time of being on battery: Select to specify how long to wait before shutting down Advanced Firewall when running on UPS battery.
- Delay before shut down: Enter how long in minutes to wait before shutting down Advanced Firewall.
3. Click Save changes. Advanced Firewall applies the shut down condition.
- USB connects to Advanced Firewall via a USB connection; for more information, see Configuring a UPS Device with a USB Connection on page 278.
- Serial connects to Advanced Firewall via a serial connection; for more information, see Configuring a UPS Device with a Serial Connection on page 278.
- SNMP connects to Advanced Firewall via an SNMP connection; for more information, see Configuring a UPS Device with an SNMP Connection on page 278.
- HTTP connects to Advanced Firewall via an HTTP connection; for more information, see Configuring a UPS Device with an HTTP Connection on page 279.
Advanced Firewall also makes information about UPS devices available on the System > Central
management > Overview page. For more information, see Chapter 14, Accessing the Node Details
Page on page 298.
It is also possible to configure an alert which is triggered when power switches to and from mains
supply. For more information, see Chapter 12, Enabling Alerts on page 229.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the
Add new UPS dialog box, configure the following settings:
Setting / Description
- Name
- UPS connection: Select USB.
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the
Add new UPS dialog box, configure the following settings:
Setting / Description
- Name
- UPS connection: Select Serial.
- Manufacturer: From the drop-down lists, select the UPS device's manufacturer and model.
- Port: From the drop-down list, select the port the UPS device uses.
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the
Add new UPS dialog box, configure the following settings:
Setting / Description
- Name
- UPS connection: Select SNMP.
- IP address
- SNMP community
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the
Add new UPS dialog box, configure the following settings:
Setting / Description
- Name
- UPS connection: Select HTTP.
- IP address
- Username
- Password
- Confirm
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
On the System > Hardware > UPS page, point to the device you want to edit and click Edit.
In the Edit UPS dialog box, make the changes required. See Configuring UPS Devices on page 277
for information on the settings available.
Click Save changes. Advanced Firewall changes the settings and lists the device in the Connected
UPS area.
On the System > Hardware > UPS page, point to the device you want to delete and click Delete.
When prompted, click Delete to confirm that you want to delete the device. Advanced Firewall
deletes the device and removes it from the list in the Connected UPS area.
Prerequisites
The following must be in place for hardware failover to work:
- A private network consisting of only two Advanced Firewall systems connected via their heartbeat interfaces, preferably using a crossover cable
- The master and failover unit should both use the same types of hard disk drives, RAM, and above all the same type and number of network interface cards
- The failover unit must be plugged into all the switches the master is plugged into
- SSH must be enabled on the master, see Configuring Admin Access Options on page 272 for more information.
- On the master, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit
- On the failover unit, installing Advanced Firewall and deploying the failover archive.
Point to the interface to be used by the hardware failover master and failover unit systems to
communicate with each other and click Edit.
Note: The master and failover unit systems are connected via their heartbeat interfaces on a private
network. It is critically important that this network is not congested and suffers as little latency as is
possible. For these reasons, we strongly recommend that this connection be a crossover cable.
Using a crossover cable also minimizes the risk of failure as it is possible that the switch the heartbeat
interface is on could fail.
Setting / Description
- Name
- Use as
- Spoof MAC
- MTU
Setting / Description
- Enabled
- Auto failback: Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
- Keep-alive interval: Set the interval after which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval which is undetectable in terms of system performance.
- Dead time: Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
- Master heartbeat IP: Note: We recommend that this network be private and only used by the master and failover units.
- Slave heartbeat IP: Note: We recommend that this network be private and only used by the master and failover units.
- Netmask: Enter a netmask. Note: We recommend that this network be private and only used by the master and failover units.
7. Click Save.
Browse to the System > Maintenance > Shutdown page, select Immediately and click Reboot.
Wait a couple of minutes for the system to reboot and then log in again.
The next step is to generate the failover archive to deploy on the failover unit.
Navigate to the System > Hardware > Failover page and configure and save the failover settings.
See Configuring the Master on page 281.
Click Generate slave setup archive. Advanced Firewall generates the archive and prompts you to
specify where to save it.
Save the archive on some suitable removable media accessible by the failover unit. The next step is
to use the archive to implement the failover settings on the failover unit.
Note: The size of the failover unit archive varies depending on the Smoothwall modules installed. 50 MB
is an average size.
Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation and
Setup Guide for more information. On the following screen:
Select the type of media the archive is stored on and press Enter. You are prompted to insert the
media.
Select the archive and press Enter. The failover settings are installed.
When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically
enter standby mode.
Note: For information on installing updates in failover units, see Installing Updates on a Failover System on
page 260.
Administering Failover
There are no noticeable differences between administering Advanced Firewall used as a master and
one which is not used as a master.
There should be little or no need to administer the failover unit on a day to day basis. However, from
time to time, you will need to install updates.
Testing Failover
In order to test failover, you can force the master to enter standby mode.
To test failover:
1. On the master, go to the System > Hardware > Failover page and click Enter standby mode.
After a short period of time the failover unit will take over from the master.
To restore operations to the master, on the active system, go to the System > Hardware >
Failover page and click Enter standby mode. Operations will be transferred to the master.
Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the
failover unit into standby mode.
Manual Failback
In configurations where Auto failback is not enabled, when the failover unit is in active operation, but
the master system has become available again after corrective action has been taken you can
manually failback to the master.
To manually failback:
1. On the failover unit, go to the System > Hardware > Failover page and click Enter standby mode
to restore the system to normal operation.
Configuring Modems
Advanced Firewall can store up to five modem profiles.
Setting / Description
- Profiles
- Profile name
- Interface
- Computer to modem rate: Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.
- Modem speaker on: Select to enable audio output during the modem dialing process, if the modem has a speaker.
- Dialing mode
- Init
- Hangup
- Speaker on
- Speaker off
- Tone dial
- Pulse dial
- Connect timeout
Use the browser's Open dialog to find and open the mgmt.o firmware update file.
Note: Once this process has been completed, the system must be rebooted before the new firmware is
activated.
Note: The 330 version of this modem also requires its own firmware update to function correctly.
Diagnostics
The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.
Configuration Tests
The Configuration tests page is used to ensure that your current Advanced Firewall settings are not
likely to cause problems.
Components installed on your Advanced Firewall add tests to this page which, when run, highlight
problem areas. For example, DNS resolution is checked, gateways are ping-ed and network routing
is tested to make sure your current settings are not likely to cause problems.
Click Perform tests. The results are displayed in the Details area.
Generating Diagnostics
Advanced Firewall provides diagnostics facilities, typically used to provide Smoothwall support
engineers with complete system configuration information to aid problem solving.
To generate a diagnostics file:
Setting / Description
- System: Select All to include all system components, or individually select the components you want to include in the diagnostics results.
- Modules: Select All to include all modules, or individually select the modules you want to include in the diagnostics results.
Click Generate. When prompted, save the results in a suitable location for review.
IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its
local networks and to hosts located externally on the Internet. There are two IP Tools:
Ping
Ping establishes that basic connectivity to a specified host can be made. Use it to prove that
Advanced Firewall can communicate with hosts on its local networks and external hosts on the Internet.
Traceroute
Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one
system to another. A greater number of hops indicates a longer (and therefore slower) connection.
The output of these commands is as it would be if the commands were run directly by the root user
from the console of the Advanced Firewall system. It is of course, more convenient to run them from
this page.
Using Ping
To use Ping:
1. Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.
Using Traceroute
To use Traceroute:
1. Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.
Whois
Whois is used to display ownership information for an IP address or domain name. A major use for
this is to determine the source of requests appearing in the firewall or Intrusion Detection System
logs. This can assist in the identification of malicious hosts.
288
Enter an IP address or domain name that you wish to lookup in the IP addresses or domain name
field.
Click Run. The output of Whois is as it would be if it were run directly by the root user from the
console of the Advanced Firewall system.
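As an added illustration (not part of the Smoothwall guide or its software), the following Python script shows the triage step that usually precedes a Whois lookup: it takes denied-connection lines from a firewall log, discards sources in internal address ranges that Whois cannot attribute to an outside owner, and ranks the remaining external sources by hit count so the most active ones are looked up first. The log lines are constructed in a generic netfilter-style syslog format and are not real Smoothwall output; the function and constant names are assumptions of this example, not names from the product.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, in a generic netfilter/syslog style (assumption:
# this is not real Smoothwall log output). Every FW-DENY line is a denied packet.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22
Mar  3 10:01:13 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=23
Mar  3 10:01:15 fw kernel: FW-DENY IN=eth1 OUT= SRC=192.168.1.44 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=445
Mar  3 10:02:01 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=3389
Mar  3 10:02:30 fw kernel: FW-DENY IN=eth0 OUT= SRC=2001:db8::9 DST=2001:db8::1 PROTO=TCP SPT=6000 DPT=80
Mar  3 10:03:00 fw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=53
Mar  3 10:03:02 fw sshd[412]: Accepted publickey for admin from 192.168.1.10
"""

LOG_RE = re.compile(r"SRC=(?P<src>[0-9A-Fa-f.:]+).*?DPT=(?P<dpt>\d+)")

# Ranges that Whois cannot attribute to an external owner: RFC 1918, loopback,
# link-local and their IPv6 counterparts. Requests from these come from inside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(addr) -> bool:
    """True if the address lies in one of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def whois_candidates(log_text: str):
    """Aggregate denied connections by external source address.

    Returns [(source, hit_count, sorted destination ports), ...] with the
    most active sources first, so they are the first ones to look up.
    """
    hits = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a firewall deny line
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue                      # malformed address field
        if is_internal(src):
            continue                      # internal source: Whois will not help
        hits[src] += 1
        ports[src].add(int(m.group("dpt")))
    return sorted(((str(s), hits[s], sorted(ports[s])) for s in hits),
                  key=lambda row: (-row[1], row[0]))


def whois_commands(candidates):
    """The lookups to type into the IP Tools page or a console, one per source."""
    return [f"whois {src}" for src, _, _ in candidates]


if __name__ == "__main__":
    for src, count, dpts in whois_candidates(SAMPLE_LOG):
        print(f"{src:<16} denied {count:>2} times, ports {dpts}")
```

The port set per source is kept because a single source hitting 22, 23 and 3389 in sequence is a different picture from one source hitting a single service repeatedly, and that context decides which Whois results deserve follow-up.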
From the Time to run for drop-down list, select how long to analyze the traffic.
Click Generate. After the specified time has elapsed, a breakdown of the ports and services that have
been used is presented, as well as specific information on the connections made. It is possible to
view a complete transcript of TCP and UDP sessions, including pictures sent or received in web
requests.
Managing CA Certificates
When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL
traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them
against the list of installed Certificate Authority (CA) certificates on the System > Certificates >
Certificate authorities page.
The following sections describe how you can import new CA certificates, export existing CA
certificates and edit the list to display a subset or all of the CA certificates available.
Reviewing CA Certificates
By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs.
To review the certificates:
1 Browse to the System > Certificates > Certificate authorities page. Advanced Firewall displays
the certificates available. It also displays which certificates are valid and which are built-in, i.e.
included in Advanced Firewall by default.
To review a specific certificate, click on its name. Advanced Firewall displays it.
Importing CA Certificates
To import CA certificates:
1 Navigate to the System > Certificates > Certificate authorities page and locate the Import
Certificate Authority certificate area.
Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of the
list.
Exporting CA Certificates
To export certificates:
1 On the System > Certificates > Certificate authorities page, select the certificate.
From the Export format drop-down list, select one of the following options:
Option                  Description
CA certificate in PEM   Export the certificate in an ASCII (textual) certificate format commonly
                        used by Microsoft operating systems.
CA certificate in BIN
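Added example, not from the guide or the product: standard-library Python that handles the two export formats above, PEM (text) and BIN (binary DER). It splits a PEM file that holds several CA certificates, converts each to DER, checks that the decoded DER envelope is intact (a truncated export is a common reason an import fails), and computes the SHA-256 fingerprint to compare against the value a CA publishes before you import it. The sample certificates are constructed DER envelopes around dummy payloads, not real certificates, and the check examines the outer structure only; it does not verify signatures, names or validity dates.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def split_pem_bundle(text: str):
    """Return each PEM certificate block found in text (a file may hold several CAs)."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_HEADER:
            current = [line]
        elif line == PEM_FOOTER and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def der_is_well_formed(der: bytes) -> bool:
    """Check the outer DER envelope of a certificate: one SEQUENCE (tag 0x30)
    whose encoded length covers exactly the remaining bytes. This detects a
    truncated or corrupted export; it does not verify the certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: the byte is the length
        header, length = 2, first
    else:                                  # long form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form CAs usually publish."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der(pem: str) -> bytes:
    """PEM (text export) to BIN/DER (binary export), using the standard library."""
    return ssl.PEM_cert_to_DER_cert(pem)


def der_to_pem(der: bytes) -> str:
    """BIN/DER back to PEM."""
    return ssl.DER_cert_to_PEM_cert(der)


def inspect_bundle(text: str):
    """For each certificate in a PEM file: (fingerprint, DER length, well_formed)."""
    result = []
    for block in split_pem_bundle(text):
        der = pem_to_der(block)
        result.append((fingerprint(der), len(der), der_is_well_formed(der)))
    return result


def pem_round_trip_ok(der: bytes) -> bool:
    """True if converting DER -> PEM -> DER reproduces the original bytes."""
    return pem_to_der(der_to_pem(der)) == der


def _constructed_der(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE envelope. Constructed for this example;
    a real certificate's payload would be tbsCertificate, algorithm, signature."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + payload


# Constructed sample certificates: an intact one and a cut-off export.
GOOD_DER = _constructed_der(b"\x02\x01\x01" + b"\x00" * 300)
TRUNCATED_DER = GOOD_DER[:-10]
SAMPLE_BUNDLE = der_to_pem(GOOD_DER) + der_to_pem(TRUNCATED_DER)

if __name__ == "__main__":
    for fp, size, ok in inspect_bundle(SAMPLE_BUNDLE):
        print(f"{fp[:23]}...  {size:4d} bytes  {'ok' if ok else 'TRUNCATED'}")
```

The fingerprint is taken over the DER bytes, which is what browsers and CA web pages display, so the same value is obtained whether the file was exported as PEM or as BIN.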
On the System > Certificates > Certificate authorities page, select the certificate(s) and click
Delete. Advanced Firewall removes the certificate(s).
Chapter 14
Centrally Managing
Smoothwall Systems
In this chapter:
Pre-requirements
Configuring a parent and the nodes in the system, for more information, see Setting up a Centrally
Managed Smoothwall System on page 292
Actively monitoring the nodes in the system, for more information, see Monitoring Node Status on
page 297
Applying updates, for more information, see Scheduling and Applying Updates to One or More
Nodes on page 299
Rebooting nodes as required, for more information, see Rebooting Nodes on page 299
Disabling nodes as required, for more information, see Disabling Nodes on page 299.
Pre-requirements
Before you start to set up a centrally managed Smoothwall system:
Check that all the Smoothwall machines you intend to include in the system have the latest updates
applied. For more information, see Chapter 13, Installing Updates on page 259
Check that you have administrator access to all of the computers you want to include in the system
Check that there is IP access from the computer that will be the parent node to the computers that
will be child nodes in the system.
Configuring child node settings, installing the central management key and enabling SSH on child
nodes
Log in to the instance of Advanced Firewall you want to function as the parent node.
Browse to the System > Central management > Local node settings page.
Setting              Description
Local node options   Parent node: Select this option to enable central management and
                     configure this instance of Advanced Firewall as the parent node in the
                     Smoothwall system.
Click Save. This instance of Advanced Firewall becomes the parent node and can be used to
centrally manage the Smoothwall system.
On the system's parent node, browse to the System > Central management > Local node
settings page.
Setting              Description
Local node options   Parent node: Check that this option is selected so that you can generate
                     a central management key for installation on child nodes.
Manage central management keys
On the Smoothwall system you want to add as a child node, browse to the System > Central
management > Local node settings page and configure the following settings:
Setting              Description
Local node options   Child node: Select this option to configure this machine as a child node
                     in the system. Click Save to save this setting.
Manage central management keys
On the System > Administration > Admin options page, select SSH and click Save.
Repeat step 3 and step 4 above on any other machines you want to use as child nodes. When
finished, you are ready to add them to the system. See Adding Child Nodes to the System on page 294
for more information.
Manually by adding each node separately, see Manually Adding Child Nodes on page 294
By importing node information from a CSV file, for more information, see Importing Nodes into the
System on page 295.
On the parent node, browse to the System > Central management > Child nodes page.
Setting                Description
Node details
Node name              Enter a unique name to identify the node. Node names may only consist of
                       letters, numbers, spaces, underscores and full stops. Unicode is not supported.
IP/hostname            Enter the IP address or hostname of the child node.
Comment                Optionally, enter a comment describing the child node.
Node settings
Replication profile    From the drop-down list, select the replication profile to be deployed on the
                       child node. The replication profile enables the sharing of system settings
                       between nodes. For information on configuring a replication profile, see
                       Chapter 13, Creating an Archive on page 263.
Central logging        Select to enable central logging for the child node.
                       Note: Do not select this option if you want to access the child node's logs
                       on the child node itself.
Allow parent to monitor status
                       Select to enable central monitoring for the child node.
Allow parent to manage resources
                       Select to enable the parent node in the group to manage child node resources
                       such as quotas which limit user access to web content.
                       Note: Currently, this option only applies to Advanced Firewall with
                       Guardian3 installed.
                       When enabled and quotas have been used in a web filtering policy, the parent
                       ensures that users cannot access content for longer than allowed by using
                       different child nodes.
Select Enable node and click Confirm. When prompted, review the node details and then click
Save to add the node.
Repeat step 2 and step 3 for each node you want to add to the system.
When you have added all of the nodes, browse to the System > Central management > Overview
page. The parent node lists the child nodes and displays their current status. For more information,
see Monitoring Node Status on page 297.
The CSV file contains the following fields:
Field                 Value
Name
IP/hostname
Central logging
Monitor status
Central resources
Replication profile   The name of the replication profile used on the node. This field is optional
                      and may be empty. For more information, see Chapter 13, About Archive Profiles
                      on page 263.
Enabled
Comment
For full information on what the settings do, see Manually Adding Child Nodes on page 294.
On the parent node, browse to the System > Central management > Child nodes page.
Click Import CSV, browse to the file and select it. Click Import to import the contents of the file.
The parent node displays the contents of the file and notifies you of any errors in the file.
Note: Importing settings from a CSV file will overwrite existing nodes with the same name.
Click Confirm to import the information in the file. The parent node imports the node information and
displays it.
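Added example, not Smoothwall's code: a Python pre-check to run over a node CSV file before it is imported on the parent node. It assumes the columns follow the field list above in that order, with an optional first line naming them; accepts yes/no (or true/false, 1/0) for the flag fields; enforces the node-name character rule; checks that the IP/hostname field is an address or a well-formed hostname; and flags duplicate names, because the import overwrites an existing node with the same name. The sample file, its node names and its addresses are constructed.

```python
import csv
import io
import ipaddress
import re

# Column order assumed to follow the field list above; an optional first line
# naming the columns is accepted. (Assumption: the guide lists the fields but
# not the exact file layout.)
FIELDS = ["Name", "IP/hostname", "Central logging", "Monitor status",
          "Central resources", "Replication profile", "Enabled", "Comment"]
FLAG_FIELDS = ["Central logging", "Monitor status", "Central resources", "Enabled"]

# Node names: letters, numbers, spaces, underscores and full stops only.
NAME_RE = re.compile(r"^[A-Za-z0-9 _.]+$")
# Hostname labels (RFC 1123 form) for entries that are not IP addresses.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_flag(value: str):
    """Map a flag cell to True/False; None means unrecognised (assumed spellings)."""
    v = value.strip().lower()
    if v in ("1", "yes", "true", "on"):
        return True
    if v in ("0", "no", "false", "off", ""):
        return False
    return None


def valid_host(value: str) -> bool:
    """Accept an IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def validate_nodes_csv(text: str):
    """Return (nodes, errors): nodes that passed every check, and
    'line N: ...' messages for the rest. Duplicate names are reported
    because the import overwrites an existing node with the same name."""
    nodes, errors, seen = [], [], {}
    for lineno, record in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in record]
        if not any(cells):
            continue                                   # blank line
        if lineno == 1 and cells == FIELDS:
            continue                                   # header line
        if len(cells) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(cells)}")
            continue
        node = dict(zip(FIELDS, cells))
        ok = True
        name = node["Name"]
        if not NAME_RE.match(name):
            errors.append(f"line {lineno}: invalid node name {name!r}")
            ok = False
        elif name in seen:
            errors.append(f"line {lineno}: duplicate name {name!r} (also line {seen[name]}); "
                          "import would overwrite it")
            ok = False
        else:
            seen[name] = lineno
        if not valid_host(node["IP/hostname"]):
            errors.append(f"line {lineno}: invalid IP/hostname {node['IP/hostname']!r}")
            ok = False
        for field in FLAG_FIELDS:
            flag = parse_flag(node[field])
            if flag is None:
                errors.append(f"line {lineno}: {field} must be yes or no, got {node[field]!r}")
                ok = False
            else:
                node[field] = flag
        if ok:
            nodes.append(node)
    return nodes, errors


# Constructed sample file: two good rows, then a bad name, a duplicate name,
# and a row with a malformed hostname and an unrecognised flag.
SAMPLE_CSV = """\
Name,IP/hostname,Central logging,Monitor status,Central resources,Replication profile,Enabled,Comment
branch office 1,10.1.0.1,yes,yes,no,standard,yes,Leeds site
branch office 2,fw2.example.internal,no,yes,no,,yes,
branch_office-3,10.1.0.3,yes,yes,no,standard,yes,hyphen not allowed in name
branch office 1,10.1.0.4,yes,yes,no,standard,yes,duplicate name
branch office 5,fw5.example..internal,yes,maybe,no,standard,yes,bad host and flag
"""

if __name__ == "__main__":
    good, problems = validate_nodes_csv(SAMPLE_CSV)
    print(f"{len(good)} node(s) ready to import")
    for p in problems:
        print(p)
```

Running the check before clicking Import CSV means a typo in a name or flag is caught in the file, rather than discovered after an existing node has been silently replaced.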
Browse to the System > Central management > Child nodes page, locate the node you want to
edit and click Edit node.
Make the changes required; see Manually Adding Child Nodes on page 294 for full information on
the settings.
Click Confirm, review the changes and then click Save to save and implement the changes.
On the System > Central management > Child nodes page, locate the node you want to delete and
click Delete node. When prompted, click Delete to confirm the deletion.
Repeat the step above for any other nodes you want to delete.
On the parent node, browse to the System > Central management > Overview page. The parent
node displays current node status, for example:
Field     Description
Name      The Name field displays the name of the node. Click on the name to log in to the node.
Status    The Status field displays the current state of the node. Click on the Status text to
          display detailed information on the node. For more information, see Accessing the
          Node Details Page on page 298.
          The following statuses are possible:
          OK: the node is functioning and does not require attention.
          Critical: the node requires immediate attention. Click on the node's status field for
          more information.
          Warning: the node does not require immediate attention but should be checked for
          problems. Click on the node's status field for more information.
Updates   The Updates field enables you to schedule the application of available updates. For
          more information, see Scheduling and Applying Updates to One or More Nodes on
          page 299.
          Click on the Updates text to display detailed information on the node.
On the parent node, browse to the System > Central management > Overview page.
Locate the node you want more information on and click on its Status text. Advanced Firewall
displays the node details page.
On the parent node, browse to the System > Central management > Overview page.
Click the Updates tab and then click the Status field of the node. The node details are displayed.
Click on the Updates line to review detailed information about the updates available. To apply the
updates to the node, click Schedule update. The Schedule node update page is displayed.
Option
Description
Now
Later
From the drop-down list, select when you want the updates applied to the node.
Click Schedule update. The updates are applied to the node as specified in the previous step and
the node is rebooted.
On the parent node, browse to the System > Central management > Overview page.
Locate and select the node(s) that require updates and click Schedule update. The Schedule node
update page is displayed.
Option
Description
Now
Later
From the drop-down list, select when you want the update(s) applied to the node(s).
Click Schedule update. The updates are applied to the node(s) as specified in the previous step
and the node(s) are rebooted.
On the System > Central management > Overview page or the node details page, under
Updates, click Clear schedule.
Advanced Firewall displays the updates that are currently scheduled. Click Clear schedule to clear
the updates.
Rebooting Nodes
When required, you can reboot a child node from the system's parent node.
To reboot a child node:
1 On the parent node, browse to the System > Central management > Overview page.
Locate the node you want to reboot and click on the Status text. The node details are displayed.
Click Reboot node. The Schedule node reboot page opens. In the Reboot node area, select one of
the following options:
Option
Description
Now
Later
From the drop-down list, select when you want to reboot the node.
Disabling Nodes
It is possible to disable nodes locally and system-wide.
On the node you want to disable, browse to the System > Central management > Local node
settings page.
In the Local node options area, select Disable and click Save.
Repeat the step above for any other nodes in the system that you want to disable.
Note: On the parent node, on the System > Central management > Overview page, nodes that have been
disabled locally will be listed as Node uncontactable.
On the parent node, browse to the System > Central management > Child nodes page.
Locate the node you want to disable, select Disable and click Save.
Repeat the steps above for any other nodes in the system that you want to disable system-wide.
Appendix A
Authentication
In this appendix:
Authentication methods
Overview
Advanced Firewall's authentication system enables the identity of internal network users to be
verified, such that service permissions and restrictions can be dynamically applied according to a
user's group membership.
Identity verification authenticates users by checking supplied identity credentials, e.g. usernames
and passwords, against known user profile information.
If a reply of host not found is received, the client will NOT ask other DNS servers
If the DNS is not answering, the client will try to ask another DNS server
Active Directory
The following sections describe usernames and group membership, which must be configured correctly
in order to successfully implement Active Directory-based authentication.
In order for Advanced Firewall authentication to be able to successfully look up and authenticate
Windows users, a Windows 2000+ username needs to be present.
About Kerberos
The following sections document Kerberos pre-requisites and list some points to try if
troubleshooting.
All clocks must be in sync. More than 5 minutes of clock drift will cause authentication to fail.
Troubleshooting
Check the following when troubleshooting a service that uses Kerberos:
Make sure all the prerequisites have been met, see Kerberos Pre-requisites and Limitations on
page 304
In Safari, try the fully qualified domain name (FQDN) if the short form does not work
Check whether the user logged on before the keytab was created. If so, try logging off and then on again.
Check whether the user logged on before Advanced Firewall joined the domain. If so, try logging off and
then on again.
Copy the certificate file onto a suitable medium for transfer to the device, e.g. a USB flash drive or CD-R media.
Import the CA certificate on the device:
Windows will present the certificate details for inspection. Click the Install Certificate... button.
When asked where to install the certificate, click Browse, and select Trusted Root Certificate
Authorities.
Create a wireless network profile:
It is not possible to join the wireless network from the notification area icon as Windows defaults to
incorrect settings for the network. A profile must be created manually.
Enter the network name (SSID) into the Network Name box.
Select Start this connection automatically to connect as the network becomes available.
Click Next.
Ensure Microsoft: Protected EAP (PEAP) is selected in the drop-down list, then click Settings.
Ensure the imported root CA is selected in the list under Trusted Root Certification Authorities.
Deselect Do not prompt user to authorize new servers or trusted certification authorities.
If your wireless network credentials do not match your Windows log on credentials, click Configure
and deselect Automatically use my Windows logon name and password, and click OK.
Click OK.
Ensure Specify authentication mode is selected, and change the drop-down option to User
authentication.
Click OK.
Click OK.
Connect to the wireless network
From the wireless network list, select the wireless network required and click Connect.
When prompted, enter your username and password. If you did not deselect Automatically use my
Windows logon name and password, you will not be prompted.
You should now be connected to the wireless network.
After following the above instructions on how to set up 802.1X on the first machine, log in to the
command prompt and export the wireless profile, using:
netsh wlan export profile name=SSID
This exports the details to an XML file.
Copy this XML file and the root certificate presented by Advanced Firewall to the target machine.
Open up the command prompt, navigate to the location of the XML file and enter:
Appendix B
Understanding Templates
and Reports
In this chapter:
Example Report
Place all the required pieces into a box along with its instructions.
When viewing a report, the date controls appear at the top right of the page next to the table of
contents view; the preview button here regenerates the report according to those date ranges.
Note again that both of these actions generate a new report, which may be saved accordingly.
Interpreted Results
Some results, such as URLs or IP addresses can present additional information which might not be
apparent from the result itself. For example IP addresses can contain whois information which would
allow for greater understanding of the IP address and why it might have appeared; URLs too can
contain more information than is immediately apparent from viewing the URL.
To activate Advanced Firewall's advanced interpreter, simply hover the mouse over the desired
result; this produces a tool-tip which contains more information about the result.
In this example, the user has used the advanced interpreter to show the result for a YouTube video.
The URL in question has been truncated to show only the immediately relevant information (the
protocol, domain and path) and hovering the mouse over the line in the results produces a tool-tip
which not only shows the full URL and any associated parameters, but has also retrieved the video
title, description and thumbnail from the YouTube server.
The advanced interpreter is capable of recognizing many different types of URL and will present them
in an appropriate manner.
Saving Reports
Reports can be saved for viewing later if desired. Saving a report stops it being subject to the
48-hour rolling deletion which tidies the reports list each day.
It is also important to note that a saved report is format-less and as such can be rendered to HTML,
PDF, CSV etc. as desired.
Saved reports are listed on the Recent and saved page under the reporting section, and can be
viewed, deleted and reused (by means of viewing the template used to generate them) in the same
manner as a recent report.
Note the list of related reports is determined by the report section and cannot be altered.
Report templates and customized sections are managed and manipulated from the Custom page
on your Advanced Firewall's interface.
Creating templates is a matter of choosing, grouping and refining a number of sections into the
correct set of instructions for Advanced Firewall's reporting engine to interpret and use to extract
and manipulate data from Advanced Firewall's logs.
A list of available sections is included on the Custom page under the heading Available sections.
Existing template reports are also included in this list so that, once created, they can be included in
new report templates without having to redefine them.
The available sections list is structured as a simple tree, with the sections belonging to each module
categorized accordingly; the templates folder at the bottom of this list includes any existing report
templates for inclusion, as mentioned above.
It should be noted that when a template report is included within another template report, its options
and sections are copied into the template at the time of its inclusion. Subsequent modifications to
the included template will not update any other templates that include it.
On the right of the available sections list is the included sections list, which shows a simplified form
of the sections currently included in the template report being edited. This list deliberately mirrors its
counterpart and denotes both the list of included sections and any groups that have been configured.
Groups are shown as folders in the included sections list.
To add or remove sections, highlight them by clicking on them in the appropriate list and use the add
or remove controls accordingly. Note that multiple sections can be added at once, and that sections
can appear more than once in a template report.
Ordering Sections
Apart from the caveats detailed under Grouping Sections, sections can be included anywhere in a
report and ordered to make logical sense to the reader. To reorder a section, simply select it from the
Included sections list and press either move up or move down, depending upon which direction you
wish to move it. Note that sections cannot be moved outside of their containing folders.
Grouped Sections
Many of the underlying concepts in Advanced Firewall's reporting system are based around the
notion of grouped sections. A section group is a logical construct which allows logically
connected sections to be collated together.
Grouping two sections together has a number of consequences and allows advanced
options such as iteration and feed-forwarding to be used.
Primarily, grouping is done to allow multiple, logically similar sections to share options. For
example, the Guardian web content filter module provides a number of reports which can show
aspects of web browsing activity as conducted by a particular user: a Domain activity
section could be configured to show the top 20 domains visited by a particular user, and a Browsing
times section could be configured to show the times of day that a particular user tends to browse
the internet.
Both of these sections have a username field; they could be grouped together and share
the username option, allowing it to be entered only once when the report is generated.
Groups also form the basis of both iterative reports and feed-forward reports, which are simply
special cases of section groups. For iterative groups, the variable to iterate over can be chosen from
the options common to the grouped sections. For feed-forward groups, a section which produces
results of a suitable type can be nominated, and the other sections in the group will iterate over the
results from that section.
Groups can contain other groups, which may of course be standard groups, iterative groups or
feed-forward groups. They may also contain single sections. By containing groups within groups,
complicated reporting structures can be developed which allow reports to automatically drill down
and produce fine-grained detail from a high-level overview.
Feed-Forward Reporting
Due to the jigsaw or building-block-like nature of reporting sections, a particular report section may
only provide part of the information which is desired, rather than the complete picture. To allow for
this, the reporting template system in Advanced Firewall allows a section's results to be used as
the source of options for subsequent sections.
To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The
first can be used to show a list of all network interfaces which are configured on Advanced Firewall,
or those which are configured for internal or external networking. This information provides limited
details for each network interface, such as its IP address; however, it does not show monthly usage
statistics.
The Individual Network Interfaces section can provide this information, but needs to be supplied with
the name of the interface for which to provide details.
These sections can be chained together using a mechanism known as feed-forward, where the
results from one section are used to define the behavior of another. In this example the Network
Interfaces report can produce one or more Interfaces, which is one of the options for the Individual
Network Interfaces section. By chaining these two report sections together it is possible to produce
a report template which will detail the configured external interface for Advanced Firewall, and then
display the advanced usage and bandwidth statistics for it.
Iterative Reporting
Some report sections only deal with a limited set of data: a single group, username or IP address, for
example. For this reason it may be desired to repeat a section using mostly the same options, but
with one particular option changed each time.
For example, it may be desired to see the Individual Network Interface section for several (but notably
not all) of the local network interfaces. In this case it would be possible to select the local network
interfaces that are desired and repeat the section once for each of them. Note that there is potential
overlap here: if the desired result is a list of all the local interfaces, then feed-forwarding could be used
instead. However, feed-forward would produce a list of all internal interfaces, as well as include the
Network Interfaces report itself.
Note that while it was covered first, feed-forward is actually a special case of iteration, where the list
of values to be iterated over is produced as the list of answers from a particular report section.
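To make the feed-forward and iterative mechanisms concrete, here is an added Python model; it is not the guide's or the product's code. Sections are functions from an options dictionary to result rows; an iterative group repeats its sections once per value of one option, and a feed-forward group obtains that value list from a named field of a feeder section's results, which is exactly the "special case of iteration" described above. The interface names, roles and usage figures are constructed, and the function names are this example's own.

```python
from typing import Callable, Dict, List, Optional

# A section maps an options dictionary to a list of result rows.
Section = Callable[[dict], List[dict]]

# Constructed interface configuration and monthly usage (assumption: stands
# in for what the real sections would read from the firewall).
INTERFACES = [
    {"name": "eth0", "role": "external", "ip": "203.0.113.5"},
    {"name": "eth1", "role": "internal", "ip": "192.168.1.1"},
    {"name": "eth2", "role": "internal", "ip": "192.168.2.1"},
]
USAGE_MB: Dict[str, int] = {"eth0": 48210, "eth1": 30110, "eth2": 2600}


def network_interfaces(options: dict) -> List[dict]:
    """'Network Interfaces' section: all interfaces, or those with a given role."""
    role = options.get("role")
    return [i for i in INTERFACES if role in (None, i["role"])]


def individual_network_interface(options: dict) -> List[dict]:
    """'Individual Network Interface' section: usage for one named interface."""
    name = options["interface"]
    return [{"interface": name, "usage_mb": USAGE_MB[name]}]


def run_iterative(sections: List[Section], base_options: dict,
                  option_name: str, values: list) -> List[dict]:
    """Iterative group: run every section once per value of one shared option."""
    rows = []
    for value in values:
        options = {**base_options, option_name: value}
        for section in sections:
            rows.extend(section(options))
    return rows


def run_feed_forward(feeder: Section, feeder_options: dict, result_field: str,
                     sections: List[Section], option_name: str,
                     base_options: Optional[dict] = None) -> List[dict]:
    """Feed-forward group: the feeder runs first and the named field of its
    results becomes the value list, so this is iteration with a computed list.
    The feeder's own rows are included, as its report section would be."""
    feeder_rows = feeder(feeder_options)
    values = [row[result_field] for row in feeder_rows]
    return feeder_rows + run_iterative(sections, base_options or {}, option_name, values)


if __name__ == "__main__":
    # External interface and its usage, driven entirely by the feeder's result.
    for row in run_feed_forward(network_interfaces, {"role": "external"}, "name",
                                [individual_network_interface], "interface"):
        print(row)
    # Hand-picked subset of internal interfaces: plain iteration instead.
    for row in run_iterative([individual_network_interface], {}, "interface", ["eth1", "eth2"]):
        print(row)
```

The two calls at the bottom reproduce the contrast drawn in the text: the feed-forward run includes the Network Interfaces rows and covers every interface the feeder returns, while the iterative run covers only the interfaces that were chosen by hand.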
Group Ordering
Sections within a group can be re-ordered; this notionally changes nothing other than the order in
which they are included in the final report once data has been acquired. There are exceptions to this
rule, however. Groups utilizing feed-forward require one of their sections to be promoted (denoted
as the feeder) to a state where it provides the answers for which the other sections within that
group are to be repeated. Naturally, a feeder must be included before the sections it is feeding, and
therefore it is removed from the normal section ordering and placed above the grouped options list
in the group's display.
Grouping Sections
To group a number of sections together they should be selected from the included sections list and
then grouped using the group button. Note that only sections at the same level in the included
sections tree can be grouped together, although a group can contain any number of items including
other groups.
Similarly the ungroup command should be used to either disband a group or to remove a single item
from an existing group. Ungrouping a group will disband that group, moving all its contained sections
to the same level on the included sections tree that the group previously occupied, the group folder
will then be removed.
Ungrouping a single section will move that section up the tree to the same depth as is occupied by
the group that it has just been removed from.
Note that ungrouping sections will remove any properties that the group contains, and so may affect
any feed-forward, iterative or grouped options.
Exporting Options
Each report section provides a list of options which define its behavior. This behavior may be defined
at a later stage to make the report template truly flexible. For example a domain activity section can
take a username value to show the domains requested for a particular user which were subsequently
banned. Creating a template for this information for each user within an organization is time
consuming and unwieldy to say the least. It is for this purpose that section options may be exported.
In this particular example a domain activity section could be included in a report template, and have
its Denied status checkbox enabled.
Swapping to the export tab shows a list of all the available options for this report. Choosing to
export the username field prior to creating the report template means that the username field
is present for this template report on the reports tab of the Advanced Firewall main interface (Logs
and reports > Reports > Reports).
Choosing the Denied option on the export tab would again make this setting available outside of the
report template (on the reports page); however, it would also have the added effect of allowing a user
to turn this option off when using the template. Similarly, typing a username into the section's
username option (on the options tab) gives the template report a default username, which
can be changed by the person using the report template.
Reporting Folders
Report templates can be arranged into a common hierarchy to allow for like purposed report
templates to be kept together and alleviate some of the confusion in finding the desired template.
Report templates are structured into one of the following folders on a standard Advanced Firewall
installation.
Email
Firewall and networking
System
Trends
Users
    IP address analysis
    IP address analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
    Top IP addresses
    Top users
    User analysis
    User analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
Web content
    Per category
        Blogs
            Blogger
            Blogs
            WordPress
        Category analysis
        Image and video sharing
            Dailymotion
            Flickr
            Fotolog
            ImageShack
            ImageVenue
            YouTube
        News
            BBC News
            CNet
            CNN
            News
            Slashdot
        Reference and educational
            IMDB
            Wikipedia
        Shopping and online auctions
            Amazon
            Craigslist
            eBay
            Shopping and online auctions
        Social bookmarking
            Delicious
            Digg
            Reddit
            StumbleUpon
        Social networking
            Bebo
            Facebook
            Friendster
            Hi5
            LinkedIn
            Myspace
            Orkut
            Social networking
            Twitter
        Sport
            BBC Sport
            ESPN
            Sport
        Web portals and search engines
            AOL
            Google
            Search engines
            Windows Live and MSN
            Yahoo
    Site analysis
        Top categories
        Top domains
        Top URLs
        Top web searches
The destination folder for a report template can be set when creating the report template itself by
means of the Location option. This option contains an indented drop-down list of available folders,
report templates can be placed in any folder as desired.
Folders can be created or deleted from the reports page, which is the main location to use to find
report templates and report folders. It also provides the ability to rename folders and edit and remove
report templates.
Folder navigation is achieved by clicking on the folder name. A location bar is also present along the
top of the Reports page which allows users to navigate the folder structure. Clicking on a folder
higher up in the hierarchy provides a list of alternative folders on the same level of the tree; this
provides a faster means to navigate the list of available folders.
Creating a Folder
To create a folder, simply navigate to the appropriate location in the hierarchy and click on the create
folder button next to the location bar. This creates a new folder called new folder, with the ability to
rename it. Entering the desired name into the text box that is present and clicking rename
changes the name of the report folder.
A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note
that report folder names must be unique at the same level.
Renaming Folders
Deleting Folders
Folders can be deleted from the Reports page by pressing the red cross icon immediately below the
folder image. Only empty folders can be deleted, so care should be taken to ensure that all report
templates and other folders have been removed before deleting a folder.
Note that this limitation is in place because folder and report template deletion cannot be undone;
therefore such potentially dangerous actions are deliberately long-winded.
Scheduling Reports
It is possible to schedule a report template to be executed at a particular time of day and repeated
at desired intervals. Reports generated in this way may be saved for use later via the recent and
saved reports section and/or emailed to a list of people as an HTML embedded email or plaintext
email.
Scheduled reports are deliberately flexible and present a full list of all report templates to be
scheduled. Options exported to the Reports page may also be set on a report by report basis so it
is possible to schedule a particular user (the sales manager for example) the web activity for the sales
group using a web activity report template and another user (the support manager) the web activity
report for the support group by means of the same report template.
Scheduled repeats allow for the automated generation of reports at specific intervals. The intervals
available are:
Weekly: every week at the allocated time, on the same day of the week as the first report.
Monthly: every month at the allocated time, on the same day of the month as the first report.
Repetition can also be disabled if a report is not wanted at regular intervals.
Portal Permissions
Reports can be made available to individuals who do not have access to the Advanced Firewall
administrative interface via the Advanced Firewall user portal. This is achieved via the portal
permissions of a report or report template.
There are two variations of portal permission, which dictate exactly how a report may be used.
Normal report permissions give a portal user access to either a particular report or a particular
report template. Access in this context means that they are able to generate and view the report
data.
Automatic access allows a user's reporting activity to be made available to other users via the portal.
To clarify: a report template generates a report when it is used. When it is generated via the portal,
this report is by default only available to the user who created it. Automatic access allows the report
to be made automatically available to the other users who share the author's portal, or to one or
more other portals as desired.
The Automatic access permission of portal is a special case which assigns a generated report to all
members of the portal of the person who generated it, whichever portal that happens to be.
Reporting Sections
Generators and Linkers
Reporting sections can be divided into two main types: generators and linkers.
While all report sections generate results and display them in the final rendered report, some
sections generate results which are intended for use in feed-forward reports and are only really useful
in that context.
For example, the Guardian module provides a report section entitled Per user Client IP addresses.
This section takes a Guardian username (whether derived from Active Directory or another
authentication mechanism) and shows the IP addresses associated with that user in the Guardian
web proxy access logs, together with the timestamps of those hits.
From this it is possible to deduce which IP address a user has been seen to use, and the time period
during which they were using it.
On its own this information is of limited interest. However, the results, Client IP address and
Time-Period, are both filters which can be applied to other reports, including reports which cannot
associate activity with a particular username.
For example, the IM module tracks Instant Message conversations, but users are unlikely to use (and
are usually forbidden from using) their work usernames as their screen names for such conversations.
The IM module does, however, record the IP address used in these conversations, so a linker section
such as the one described above can feed from a username to an IP address, and from the IP
address to an IM conversation.
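The feed-forward chain just described, worked through as an added example in Python. This is an illustration written for this page, not Smoothwall code: the two log formats, the usernames, IP addresses and IM handles are all constructed for the example, and the function names are this example's own. The point it shows that the text does not is why the time period matters as well as the IP address: a DHCP address reused by a second user later in the day must not have that user's chats attributed to the first.

```python
"""
Feed-forward (linker) example: username -> client IP + time window -> IM conversations.
Added illustration, not Smoothwall code. Both log formats below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample of a Guardian-style proxy access log: timestamp, client IP, username, URL.
PROXY_LOG = """\
2011-03-01T09:00:00 10.0.0.21 alice http://www.example.com/
2011-03-01T09:30:00 10.0.0.21 alice http://news.example.org/
2011-03-01T10:15:00 10.0.0.40 alice http://www.example.com/mail
2011-03-01T11:00:00 10.0.0.21 bob http://www.example.net/
2011-03-01T11:45:00 10.0.0.21 bob http://www.example.net/page2
"""

# Constructed IM proxy log: timestamp, client IP, protocol, local IM handle, remote handle.
# Note that the IM handles carry no relation to the proxy usernames.
IM_LOG = """\
2011-03-01T09:05:00 10.0.0.21 msn coolcat99 someone@example.com
2011-03-01T10:20:00 10.0.0.40 jabber coolcat99 friend@example.org
2011-03-01T11:10:00 10.0.0.21 msn bobby_b other@example.com
"""


def _parse(text, fields):
    """Split whitespace-separated log lines into dicts keyed by `fields`; 'ts' becomes a datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split(None, len(fields) - 1)))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def per_user_client_ips(proxy_log, username):
    """The linker section: for one username, return {client_ip: (first_seen, last_seen)}."""
    seen = {}
    for row in _parse(proxy_log, ("ts", "ip", "user", "url")):
        if row["user"] != username:
            continue
        first, last = seen.get(row["ip"], (row["ts"], row["ts"]))
        seen[row["ip"]] = (min(first, row["ts"]), max(last, row["ts"]))
    return seen


def im_conversations_for_user(proxy_log, im_log, username, slack=timedelta(minutes=5)):
    """Feed the linker's (IP, time period) results forward into the IM log.

    Both the IP and the time window are applied, so an IP later reused by another
    user (DHCP) does not attribute that user's chats to `username`. `slack` widens
    the window a little, since the proxy only sees the user when they browse.
    """
    windows = per_user_client_ips(proxy_log, username)
    hits = []
    for row in _parse(im_log, ("ts", "ip", "proto", "local", "remote")):
        if row["ip"] not in windows:
            continue
        first, last = windows[row["ip"]]
        if first - slack <= row["ts"] <= last + slack:
            hits.append((row["ts"].isoformat(), row["ip"], row["proto"], row["local"], row["remote"]))
    return hits


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for hit in im_conversations_for_user(PROXY_LOG, IM_LOG, user):
            print(user, *hit)
```

With the constructed data, alice is linked to the two coolcat99 conversations and bob only to the bobby_b one, even though alice and bob both used 10.0.0.21 during the day; without the time window the 11:10 conversation would wrongly be attributed to alice as well.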
General Sections
The bulk of Advanced Firewall's reporting sections are reasonably easy to describe and are covered
quite well by their own descriptions. There are, however, several large reports which defy such
description and require a more in-depth discussion; these are covered later.
Standard sections appear in the available sections list in a manner similar to the following.
This shows the section's description, title and any results that it returns for use in the system's
feed-forward ability.
Network Interfaces
A list of the configured internal and external network interfaces on the system. Includes details about
the hardware, configuration and recent network activity for each interface.
This report section lists the interfaces available on Advanced Firewall, including any internal NIC
interfaces, External NIC interfaces, modems, VLANs and VPN interfaces.
As can be seen, a URL entered into the Advanced Firewall reporting system is automatically
color-highlighted to show which parts of the URL are being extracted.
URLs entered in this fashion can be complete (as in the above example) or partial, consisting of a
combination of the protocol, the protocol and domain, the domain and parameters, or the
parameters alone.
To use a partial URL, the URL entered should be in the appropriate format for the combination of
parts required.
Separation is effectively done from the right-hand side backwards, so:
Any URL starting with / is treated as parameters only.
A URL which starts with a character other than / and does not end with :// is treated as the
domain.
A URL fragment starting with characters and ending with the string :// is interpreted as a
protocol.
Deciphering a URL can, however, be a non-trivial task, especially as some web sites, companies
and organizations use a variety of load balancing techniques, curious URLs, sub-domains and other
techniques which can only have seemed a good idea at the time.
For example, StumbleUpon, a social bookmarking site, exists not only at the domain
www.stumbleupon.com but also at stumbleupon.com (the absence of www being common enough).
However, it also serves some of its content from cdn.stumble-upon.com and
stumbleupon.stumble-upon.com.
For this reason the URL recognition options in the Advanced Firewall reporting system can be
switched to treat URLs as regular expression matches rather than strict matches.
These options can be turned on individually for the protocol, domain and parameter parts of a URL.
For speed and processing reasons it is advisable to enable regular expression matching only for
those parts that need it.
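The decomposition rules and the strict-versus-regular-expression matching described above, as an added Python example. This is an illustration written for this page, not Smoothwall code: the function names are this example's own, and the logged URLs used to exercise it are constructed. It shows the StumbleUpon case from the text, where a strict domain match misses the CDN and the toolbar hosts while an anchored regular expression on the domain part alone picks them up without also matching a look-alike domain.

```python
"""
URL decomposition and matching: split a full or partial URL into protocol, domain and
parameter parts, then match logged URLs against it either strictly or, part by part,
as regular expressions. Added illustration, not Smoothwall code.
"""
import re


def split_url(spec):
    """Split a (possibly partial) URL into its protocol, domain and parameter parts.

    Separation works from the right-hand side backwards:
      - anything up to and including "://" is the protocol,
      - a remainder starting with "/" is parameters only,
      - otherwise the text up to the first "/" is the domain and the rest parameters.
    Absent parts are returned as None.
    """
    protocol = domain = params = None
    rest = spec.strip()
    if "://" in rest:
        protocol, rest = rest.split("://", 1)
        protocol += "://"  # keep the separator so "https://" reads back as entered
    if rest.startswith("/"):
        params = rest
    elif rest:
        domain, slash, tail = rest.partition("/")
        if slash:
            params = slash + tail
    return {"protocol": protocol, "domain": domain, "params": params}


def make_matcher(spec, regex_parts=()):
    """Build a predicate over logged URLs from a (partial) URL spec.

    Parts named in regex_parts are matched with re.search; every other part present
    in the spec must match exactly (strict matching). Parts absent from the spec are
    left unconstrained, so a spec of just "https://" selects every HTTPS URL.
    """
    want = split_url(spec)
    compiled = {p: re.compile(want[p]) for p in regex_parts if want[p] is not None}

    def matches(url):
        got = split_url(url)
        for part, expected in want.items():
            if expected is None:
                continue
            actual = got[part] or ""
            if part in compiled:
                if not compiled[part].search(actual):
                    return False
            elif actual != expected:
                return False
        return True

    return matches


if __name__ == "__main__":
    # Constructed log lines, not real Smoothwall output.
    logged = [
        "http://www.stumbleupon.com/",
        "http://cdn.stumble-upon.com/script.js",
        "http://stumbleupon.stumble-upon.com/toolbar",
        "http://stumbleupon.com.evil.example/login",
    ]
    strict = make_matcher("www.stumbleupon.com")
    # Regular expression on the domain part only; anchored so the look-alike is excluded.
    loose = make_matcher(r"(^|\.)stumble-?upon\.com$", regex_parts=("domain",))
    for url in logged:
        print(f"{url:45} strict={strict(url)!s:5} regex={loose(url)}")
```

Only the domain part is compiled as a regular expression here, in line with the advice to enable regular expression matching for as few parts as possible; the protocol and parameter parts, when given, are still compared strictly.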
Searching for request methods other than CONNECT therefore returns results which may have been
subject to HTTPS interception: an HTTPS session that is not intercepted appears in the proxy log
only as a CONNECT to the host and port, whereas an intercepted session is logged request by request
with the full https:// URL. Additionally, setting the URL to include the string https:// returns only
those results which have been HTTPS intercepted, since it restricts the results to those using the
HTTPS protocol with a request method other than CONNECT.
Each URL which passes through Guardian is subjected to filtering; the resulting action is logged and
can be used to filter any results within the Guardian reports.
A URL may carry one or more of the following status messages: Almost blocked, Denied (or
blocked), Exception, Infected or Modified. Their meanings are covered below.
Almost blocked: any result whose phrase analysis score was between 90 and 100 (100 being the
default score above which a result is blocked). This shows content which contained a number of
phrases that elevated its score but did not quite cause the site to be blocked.
Denied: sites which were blocked by the phrase or URL filtering in the Guardian product. The reason
a page was banned can be determined by adding the include status option on those reports which
support it. Note, however, that this can change the ordering of the results.
Exception: the site in question was not filtered for one of several reasons: it may be whitelisted,
soft-blocked or temporarily bypassed, or the client IP/group may not be subject to filtering, etc.
Search terms are recorded both as individual words and as the entire phrase that was searched for.
For example, searching for "babylon 5" earth destroyer would be considered to be three search
words, babylon 5, earth and destroyer, and one search phrase. Note that search term reporting
treats any quoted string as a single search word.
Search words and phrases are assumed to be case insensitive, as the vast majority of searches are
made regardless of capitalization; however, search filtering can be made case sensitive using the
case sensitive search option under the report's advanced options.
Both search terms and phrases can optionally be treated as regular expression matches via the
appropriate option under the advanced options.
Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar or stop
words. Words such as and, of and the are usually ignored by search engines, and this can be taken
into account by selecting individual (uncommon) search terms in the search term matching
drop-down box.
The list of common search terms is taken from the words omitted by the Google search engine,
namely: i, a, about, an, are, as, at, be, by, com, de, en, for, from, how, in, is, it, la, of, on, or,
that, the, this, to, was, what, when, where, who, will, with, und and www.
Additional filtering options for username, group, client IP address and Guardian status are presented
for this report. Note that a list of blocked search phrases can be obtained by selecting the Guardian
status denied option under the Guardian status options.
This filtering is achieved using the individual report section's Search term matching options,
presented under that section's advanced options.
Note that all search term filters here operate over the search phrase rather than individual words,
and can optionally be changed to regular expression matches rather than the default mode of
operation, which is strings containing this phrase.
To find blocked search terms, this filter can be used in combination with the Guardian status
filters.
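The search term handling described in the two passages above (quoted strings as one word, the stop-word list, case handling, regular expression matching, and combining a term filter with the Guardian status filter to list blocked searches), as an added Python example. This is an illustration written for this page, not Smoothwall code: the search log rows are constructed, and the function names and mode names are this example's own.

```python
"""
Search-term extraction and matching: the searched phrase, its individual words
(quoted strings count as one word), the stop-word list, case handling and
regular-expression matching, applied to a constructed search log.
Added illustration, not Smoothwall code.
"""
import re

# Stop words as listed on the page (words the Google search engine omits).
STOP_WORDS = {
    "i", "a", "about", "an", "are", "as", "at", "be", "by", "com", "de", "en",
    "for", "from", "how", "in", "is", "it", "la", "of", "on", "or", "that", "the",
    "this", "to", "was", "what", "when", "where", "who", "will", "with", "und", "www",
}


def search_terms(query):
    """Return (phrase, words) for a search query.

    The phrase is the whole query with whitespace normalised; the words are the
    whitespace-separated terms, except that a double-quoted string is one word.
    An unbalanced quote is simply kept as part of an ordinary word.
    """
    phrase = " ".join(query.split())
    # Each match is either a quoted string (group 1) or a run of non-space (group 2).
    words = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', phrase)]
    return phrase, [w for w in words if w]


def term_matches(query, needle, mode="phrase", regex=False, case_sensitive=False):
    """Does `needle` match the query under the chosen search term matching mode?

    mode "phrase":   the whole search phrase contains the needle
    mode "words":    any individual search word contains it
    mode "uncommon": like "words", but stop words are dropped first
    """
    phrase, words = search_terms(query)
    if mode == "phrase":
        candidates = [phrase]
    elif mode == "words":
        candidates = words
    elif mode == "uncommon":
        candidates = [w for w in words if w.lower() not in STOP_WORDS]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if regex:
        pattern = re.compile(needle, 0 if case_sensitive else re.IGNORECASE)
        return any(pattern.search(c) for c in candidates)
    if not case_sensitive:
        needle, candidates = needle.lower(), [c.lower() for c in candidates]
    return any(needle in c for c in candidates)


# Constructed search log rows: (username, Guardian status, search phrase). Not real data.
SEARCH_LOG = [
    ("alice", "", '"babylon 5" earth destroyer'),
    ("bob", "Denied", "how to bypass the proxy"),
    ("carol", "Denied", "proxy bypass sites"),
    ("dave", "", "the matrix"),
]


def search_report(log, needle, mode="phrase", status=None, **opts):
    """Rows whose search phrase matches `needle`, optionally restricted to one Guardian
    status; status="Denied" is how a list of blocked searches is obtained."""
    return [(user, query) for user, st, query in log
            if (status is None or st == status) and term_matches(query, needle, mode, **opts)]


if __name__ == "__main__":
    print(search_terms('"babylon 5" earth destroyer'))
    print(search_report(SEARCH_LOG, "proxy", mode="uncommon", status="Denied"))
```

The "uncommon" mode is the one to use when the term of interest is itself a stop word or the query is short: searching the constructed log for "the" in "words" mode returns two rows, in "uncommon" mode none.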
This reporting section has a number of reasonably complicated options, but only a few of them are
relevant to a discussion of its operation. The options which are not relevant are grayed out in the
example above and will be omitted from further discussion, as they apply the expected limitations on
the search results: changing the number of results, or applying a username, client IP address or
group filter, etc.
The most important option for this report section is the URL, which in this example is a regular
expression URL referring to the BBC news web site. The protocol and domain fields in the URL
In the above example, %matchtitle% is used as the value, which presents the feed-forward result
matchtitle as the title for any feed-forward sections. In this case %matchtitle% is the <title>
extracted from the relevant HTML page. Alternatively, the values %domainmatch%,
%parametermatch% or %url% could be used.
In this manner, the URL extraction section provides one of the most flexible tools for extracting
information about particular web sites without any built-in understanding of the site. The section
can therefore easily be tailored to accommodate new web sites, or internal web sites which are
processed by Guardian but fall outside the scope of the standard templates.
In this example the URL extraction section is being used to display the top 50 video results from the
YouTube site.
The URL once again contains a series of regular expression matches; this time the domain also
includes wildcards (.*) to accommodate YouTube being hosted on multiple domains, sub-domains
and TLDs. Note that an unanchored wildcard in the domain part also matches any unrelated domain
that happens to contain the same string, so anchor the pattern where precision matters.
Origin Filtering
Advanced Firewall can aggregate reports from several different machines. Several Advanced
Firewalls can, for example, be used as a cluster of web content filters; alternatively the system
might be configured to receive browsing activity from several mobile users via the MobileGuardian
content filter.
When these results are aggregated onto a central reporting Advanced Firewall they each carry a
unique identifier stating where they came from. This identifier can be used to restrict results to those
originating from a particular machine or class of machine.
The origin filter on an Advanced Firewall report allows the class of machine, or in some cases the
individual machine, to be used to restrict the results.
Note: the list of originating systems does not include individual MobileGuardian installations, as
there may be several dozen or more of these.
Note: the recommended configuration for MobileGuardian installations is for MobileGuardian to derive
its configuration from a specific authentication group, and the default template reports have been
constructed with that in mind. By default, MobileGuardian filtering is achieved using a group filter
for the appropriate group; should more advanced processing be required, the Origin filter can be
used instead.
Appendix C
Troubleshooting VPNs
In this appendix:
Site-to-site Problems
All the PCs that are to participate in the VPN need to be fully operational and visible on the network
before attempting to install and configure VPN software.
Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall
systems. Failure to get a ping reply would indicate that:
You have the wrong IP address for the remote Advanced Firewall.
There is a network connection problem: check routers, hubs and cables, etc.
Bear in mind that ICMP echo may also simply be filtered somewhere on the path, so a failed ping is
not conclusive on its own.
Verify IP addresses by checking the Networking > Interfaces > Interfaces page for the appropriate
Ethernet card.
Check the routing information displayed on Advanced Firewall's status page; there must be a default
route (gateway).
Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP.
Specifically, ESP uses IP protocol 50 and AH uses IP protocol 51; IKE, which negotiates the tunnel,
uses UDP port 500 (and UDP port 4500 when NAT-T is in use). In particular, if the tunnel goes into
OPEN mode but no packets flow between the two networks, it is possible that one of the ISPs
involved is blocking the ESP or AH packets.
To simplify the problem, attempt to get a connection with shared secrets before moving on to
certificates.
Verify the symmetry of the tunnel specification, i.e. that the IDs, IP addresses and Remote network
addresses are mirrored at each end. This is where most people make mistakes.
Each node on the VPN must have its own unique certificate: at least one field in the subject must
differ. The subject is a composite of the information fields supplied when the certificate is created.
Likewise, the Alt (Alternative) Name field must be unique for each certificate. Fields such as
company name can, of course, be common to all certificates.
A different local network address must be configured at each end of the tunnel; they cannot both
use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address.
Be consistent with IDs. For example:
Hosts on static IPs should use the hostname of the gateway as the ID.
Clients should usually not use an ID, unless they are using an unusual client that requires one.
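The symmetry and local-network checks from the list above, written out as an added Python example so they can be run against the two ends of a tunnel before the tunnel is brought up. This is an illustration written for this page, not Smoothwall code: the two endpoint records, their field names and the addresses in them are constructed (documentation address ranges), and nothing here reads Advanced Firewall's own configuration.

```python
"""
Tunnel-specification symmetry check for a site-to-site IPSec VPN.
Added illustration, not Smoothwall code: the endpoint records and field names
are constructed for this example.
"""
import ipaddress

# Constructed example: the same tunnel as it would be entered at each end.
HQ = {
    "name": "hq",
    "local_ip": "203.0.113.10", "local_id": "hq.example.com", "local_net": "192.168.0.0/24",
    "remote_ip": "198.51.100.20", "remote_id": "branch.example.com", "remote_net": "192.168.10.0/24",
}
BRANCH = {
    "name": "branch",
    "local_ip": "198.51.100.20", "local_id": "branch.example.com", "local_net": "192.168.10.0/24",
    "remote_ip": "203.0.113.10", "remote_id": "hq.example.com", "remote_net": "192.168.0.0/24",
}

# Each "local" field at one end must equal the matching "remote" field at the other.
MIRRORED = (("local_ip", "remote_ip"), ("local_id", "remote_id"), ("local_net", "remote_net"))


def check_tunnel_pair(a, b):
    """Return a list of problems with the pair of tunnel specs; [] means they mirror correctly."""
    problems = []
    for local, remote in MIRRORED:
        for x, y in ((a, b), (b, a)):
            if x[local] != y[remote]:
                problems.append(
                    f"{x['name']}.{local}={x[local]!r} does not match {y['name']}.{remote}={y[remote]!r}")
    # The two protected networks must differ, and must not overlap either: an overlapping
    # or identical range at both ends leaves the routing ambiguous even if the tunnel opens.
    net_a = ipaddress.ip_network(a["local_net"], strict=False)
    net_b = ipaddress.ip_network(b["local_net"], strict=False)
    if net_a == net_b:
        problems.append(f"both ends use the same local network {net_a}")
    elif net_a.overlaps(net_b):
        problems.append(f"local networks {net_a} and {net_b} overlap")
    # Gateways on static IPs are expected to identify themselves by hostname.
    for end in (a, b):
        if not end["local_id"] or end["local_id"] == end["local_ip"]:
            problems.append(f"{end['name']} should use its gateway hostname as the local ID")
    return problems


if __name__ == "__main__":
    print(check_tunnel_pair(HQ, BRANCH) or "tunnel specs are symmetric")
    # A typical mistake: the branch end left on the default local network.
    print(check_tunnel_pair(HQ, dict(BRANCH, local_net="192.168.0.0/24")))
```

Running the check before attempting the connection catches the mirrored-field mistakes the text singles out as the most common, and the overlap test also flags the subtler case where the two sites use different but intersecting ranges.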
Appendix D
Hosting Tutorials
In this appendix:
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.4
Destination IP: 192.168.1.4
Source port: POP3 (110)
Destination port: POP3 (110)
Comment: Mail Server .4 POP3
Finally, add the source mappings:
Source IP: 192.168.1.2 | Alias IP: 216.1.1.2
Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3
Comment: Web Server .3
Source IP: 192.168.1.4 | Alias IP: 216.1.1.4
Comment: Mail Server .4
Protocol: TCP
External IP: <BLANK>
Source IP: 216.1.1.7
Destination IP: 192.168.1.7
Source port: POP3 (110)
Destination port: POP3 (110)
Comment: Mail Server .7 POP3
Next, add the zone bridges:
Zone bridging for example 3.
Source interface: Eth1
Destination interface: Eth2
Protocol: TCP
Source IP: 192.168.1.2
Destination IP: 192.168.10.2
Destination port: User defined, 3306
Comment: Web Server .2 to SQL Server .2
Glossary
Numeric
2-factor authentication Authentication using a password (or PIN) together with a token. In other
words: 2-factor authentication is something you know, used together with something you have.
Access is only granted when the two are used together.
3DES A triple strength version of the DES cryptographic standard, usually using a 168-bit key.
A
Acceptable Use Policy See AUP
Access control The process of preventing unauthorized access to computers, programs,
processes, or systems.
Active Directory
Microsoft directory service for organizations. It contains information about organizational units, users and
computers.
ActiveX A Microsoft reusable component technology used in many VPN solutions to provide VPN
client access in a road warrior's web browser.
AES (Advanced Encryption Standard) A method of encryption selected by NIST as a replacement for
DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with
fast performance across multiple platforms.
AH (Authentication Header) Forms part of the IPSec tunnelling protocol suite. AH sits between the IP
header and datagram payload to maintain information integrity, but not secrecy.
B
Bandwidth The rate at which data can be carried from one point to another, measured in bits per
second (bps).
BIN
Buffer Overflow An error caused when a program tries to store too much data in a temporary
storage area. This can be exploited by hackers to execute malicious code.
C
CA (Certificate Authority) A trusted network entity, responsible for issuing and managing x509 digital
certificates.
Certificate A digital certificate is a file that uniquely identifies its owner. A certificate contains owner
identity information and its owner's public key. Certificates are created by CAs.
Cipher A cryptographic algorithm.
Ciphertext Encrypted data which cannot be understood by unauthorized parties. Ciphertext is
created from plain text using a cryptographic algorithm.
Client Any computer or program connecting to, or requesting the services of, another computer or
program.
D
Default Gateway The gateway in a network that will be used to access another network if a gateway
is not specified for use.
Denial of Service An attack in which a network host is flooded with large numbers of automatically
generated packets or requests. The receiving host typically slows to a halt while it attempts to
respond to each request.
DER (Distinguished Encoding Rules) A certificate format typically used by Windows operating systems.
DES (Data Encryption Standard) A historical block cipher with a 64-bit block and a 56-bit key, now
considered insecure. NIST formally withdrew it as a standard in 2005.
DHCP (Dynamic Host Configuration Protocol) A protocol for automatically assigning IP addresses to
hosts joining a network.
Dial-Up A telephone based, non-permanent network connection, established using a modem.
DMZ (Demilitarized Zone) An additional separate subnet, isolated as much as possible from protected
networks.
DNS (Domain Name System) A name resolution service that translates a domain name to an IP address
and vice versa.
Domain Controller A server on a Microsoft Windows network that is responsible for allowing host
access to a Windows domain's resources.
Dynamic IP A non-permanent IP address automatically assigned to a host by a DHCP server.
E
Egress filtering The control of traffic leaving your network.
Encryption The transformation of plaintext into a less readable form (called ciphertext) through a
mathematical process. The ciphertext can be read by anyone who has the key to decrypt it (undo
the encryption).
ESP (Encapsulating Security Payload) A protocol within the IPSec protocol suite that provides
encryption services for tunnelled data.
Exchange Server A Microsoft messaging system including mail server, email client and groupware
applications (such as shared calendars).
Exploit Code or a technique that takes advantage of a hardware or software vulnerability to gain
access to a system or service.
F
Filter A filter is a collection of categories containing URLs, domains, phrases, lists of file types and
replacement rules. Filters are used in policies to determine if a user should be allowed access to information
or files he/she has requested using their web browser.
G
Gateway A network point that acts as an entrance to another network.
Green In Smoothwall terminology, green identifies the protected network.
H
Hacker A highly proficient computer programmer who seeks to gain unauthorized access to systems
without malicious intent.
Host A computer connected to a network.
Hostname A name used to identify a network host.
HTTP (Hypertext Transfer Protocol) The set of rules for transferring files on the World Wide Web.
HTTPS A secure version of HTTP using SSL.
Hub A simple network device for connecting networks and network hosts.
I
ICMP (Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. It is
chiefly used by networked computers' operating systems to send error messages indicating, for example,
that a requested service is not available or that a host or router could not be reached.
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
IP Address A 32-bit number that identifies each sender and receiver of network data.
IPtables The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.
IPSec (Internet Protocol Security) An internationally recognized VPN protocol suite developed by the
Internet Engineering Task Force (IETF).
IPSec Passthrough A 'helper' application on NAT devices that allows IPSec VPN traffic to pass
through.
K
Key A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key
determines the mapping of plaintext to ciphertext.
Kernel The core part of an operating system that provides services to all other parts the operating
system.
Key space The set of all possible values for a key. Its size is determined by the key length: each
extra bit of key doubles the number of distinct keys.
L
L2F (Layer 2 Forwarding) A tunnelling protocol developed by Cisco Systems.
L2TP (Layer 2 Tunneling Protocol) A tunnelling protocol which combines Microsoft's PPTP and Cisco
Systems' L2F. L2TP provides no encryption of its own and is commonly run over IPSec (L2TP/IPSec).
LAN (Local Area Network) is a network between hosts in a similar, localized geography.
Leased Lines (Or private circuits) A bespoke high-speed, high-capacity site-to-site network that is
installed, leased and managed by a telephone company.
Lockout A method to stop an unauthorized attempt to gain access to a computer. For example, a
three try limit when entering a password. After three attempts, the system locks out the user.
M
MAC Address (Media Access Control) An address which is the unique hardware identifier of a NIC.
MX Record (Mail eXchange) An entry in a domain name database that specifies an email server to
N
NAT-T (Network Address Translation Traversal) A VPN Gateway feature that circumvents IPSec NATing
problems. It is a more effective solution than IPSec Passthrough.
NIC Network Interface Card
NIST (National Institute of Standards and Technology) NIST produces security and cryptography related
standards and publishes them as FIPS documents.
NTP (Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP
Servers.
O
OU An organizational unit (OU) is an object used to distinguish different departments, sites or teams in
your organization.
P
Password A protected/private string of characters, known only to the authorized user(s) and the
system, used to authenticate a user as authorized to access a computer or data.
PEM (Privacy Enhanced Mail) A popular certificate format.
Perfect Forward Secrecy A property of a key-establishment protocol whereby compromise of a key
currently in use does not reveal the keys used for previous VPN communications.
PFS See Perfect Forward Secrecy
Phase 1 Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security
parameter agreement.
Phase 2 Phase 2 of 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters
from Phase 1 to bring the tunnel up.
Ping A program used to verify that a specific IP address can be seen from another.
PKCS#12 (Public Key Cryptography Standards # 12) A portable container file format for transporting
certificates and private keys.
PKI (Public Key Infrastructure) A framework that provides for trusted third party vetting of, and vouching
for, user identities; and binding of public keys to users. The public keys are typically in certificates.
Plaintext Data that has not been encrypted, or ciphertext that has been decrypted.
Policy Contains content filters and, optionally time settings and authentication requirements, to
determine how Advanced Firewall handles web content and downloads to best protect your users and your
organization.
Port A service connection point on a computer system, numerically identified between 0 and 65535.
Port 80 is the HTTP port.
Port Forward A firewall rule that routes traffic from a receiving interface and port combination to
another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of
forwarding a network port from one network node to another. This technique can allow an external user to
reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
PPP (Point-to-Point Protocol) Used to communicate between two computers via a serial interface.
PPTP (Point-to-Point Tunnelling Protocol) A widely used Microsoft tunnelling standard deemed to be
relatively insecure.
Private Circuits See Leased Lines.
Private Key A secret encryption key known only by its owner. Only the corresponding public key can
decrypt messages encrypted using the private key.
Protocol A formal specification of a means of computer communication.
Proxy An intermediary server that mediates access to a service.
PSK (Pre-Shared Key) An authentication mechanism that uses a password exchange and matching
process to determine authenticity.
Public Key A publicly available encryption key that can decrypt messages encrypted by its owner's
private key. A public key can be used to send a private message to the public key owner.
Q
QOS (Quality of Service) In relation to leased lines, QOS is a contractual guarantee of uptime and
bandwidth.
R
RAS (Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from
other LANs or individual users. RAS has been largely superseded by VPNs.
Red In Smoothwall, red is used to identify the Unprotected Network (typically the Internet).
RIP (Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes
in network connections by communicating information about which networks each router can reach and
how far away those networks are.
Road Warrior An individual remote network user, typically a travelling worker 'on the road' requiring
access to a organizations network via a laptop. Usually has a dynamic IP address.
Route A path from one network point to another.
Routing Table A table used to provide directions to other networks and hosts.
Rules In firewall terminology, rules are used to determine what traffic is allowed to move from one
network endpoint to another.
S
Security policy A security policy is a collection of procedures, standards and guidelines that state in
writing how an organization plans to protect its physical and information technology (IT) assets. It should
Single Sign-On (SSO) The ability to log-in to multiple computers or servers in a single action by
entering a single password.
Site-To-Site A network connection between two LANs, typically between two business sites. Usually
uses a static IP address.
Smart card A device which contains the credentials for authentication to any device that is smart
card-enabled.
Squid An open-source caching web proxy server.
SSH (Secure Shell) A protocol for securely accessing the command line of a remote computer.
SSL A cryptographic protocol which provides secure communications on the Internet.
SSL VPN A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client
configuration.
Strong encryption A term given to describe a cryptographic system that uses a key so long that, in
practice, it becomes impossible to break the system within a meaningful time frame.
Subnet An identifiably separate part of an organizations network.
Switch An intelligent cable junction device that links networks and network hosts together.
Syslog A server used by other hosts to remotely record logging information.
T
Triple DES (3-DES) Encryption A method of data encryption which runs DES three times with up to
three different keys. Triple-DES is substantially stronger than DES.
Tunneling The transmission of data intended for use only within a private network through a public
network in such a way that the routing nodes in the public network are unaware that the transmission is part
of a private network.
U
User name / user ID A unique name by which each user is known to the system.
V
VPN (Virtual Private Network) A network connected together via securely encrypted communication
tunnels over a public network, such as the global Internet.
VPN Gateway An endpoint used to establish, manage and control VPN connections.
X
X509 A standard for public key certificates. X.509 certificates issued by a CA are exchanged to prove
authenticity.
Index
accessing 4
active directory
cache timeout 196
domain 196
extra realm 203
password 196
status 196
tenants 196
username 196
active directory legacy
cache timeout 201
discover kerberos realms through dns 202
extra group search roots 202
extra realms 203
extra user search roots 202
kerberos realm 201
netbios domain name 202
password 201
port 202
sam account name 202
server 201
server username 201
status 201
tenants 201
user search root 202
admin 3
admin options 14
administration 14
administration login failures 228
administrative users 14
adsl modem
settings 28
advanced 8
AIM 95
aim 95
alert
im proxy monitored word 228
alerts 5, 228
administration login failures 228
email 257
email to sms 257
email virus monitor 228
external connection failover 228
firewall notifications 228
hardware failover notification 228
hardware failure alerts 228
health monitor 228
inappropriate words in im 228
B
banned users 216
black-list users 95
bond 34
bridge 33
bridging
groups 63
rules 59
zones 59
byod 213
C
ca 14, 15
censoring 95
central management 291
about 291
pre-requirements 291
central management key 293
centrally manage 291
database 224
settings 6
datastore 224
deep packet inspection 74
default
interface 20
users 216
denial of service 52
detection policies 114
dhcp 12
custom options 12
leases 12
relay 12
server 12
dhcp ethernet 22
settings 23
diagnostics 14, 193
dial-up modem 30
directories 9
directory settings 194
prerequisites 195, 199, 200
dns 11, 105
dynamic 11
proxy 11
proxy service 106
ECN 54
email 5, 6
email to sms 257
email virus monitor 228
enable arp filter 54
ethernet 20
External 228
external
access 14
aliases 7
external connection failover 228
external services 8, 78
editing 79
removing 79
certs 15
ca 14
child node 293
cluster 291
configuration tests 14
connection methods 20
dial-up modem 30
ethernet 20
ethernet/modem hybrid 20
isdn modem 28
modem 20
connection profiles 20
creating 20
deleting 33
modifying 33
connection tracking 54
connections 19
connectivity 7
console
connecting via 17
control 15
control page 4
create 5
csv 295
importing nodes 295
csv files 295
custom categories 11
custom signatures 118
G
gadugadu 95
global 12, 15
group bridging 7, 63
groups 6, 9, 216
banned users 216
default users 216
mapping 205
network administrators 216
renaming 216, 217
unauthenticated ips 216
H
h323 passthrough support 70
hardware 14
failover 280
hardware Failover 279
hardware failover notification 228
hardware failure alerts 228
health monitor 228
heartbeat 279
hide conversation text 95
hostname 13
https 4
hybrid 20
J
jabber 95
K
kerberos keytabs 9
l2tp roadwarriors 15
l2tp vpn tunnel status 228
layer 7 application control 74
ldap directory
bind method 197
cache timeout 198
discover kerberos realms through dns 199
extra group search root 198
extra realms 199
extra user search roots 198
group search roots 198
kerberos realm 197
password 197
port 198
server 197
status 196
tenants 197
user search root 198
username 197
license expiry status 228
licenses 13
local users 203
activity 208
adding 204
configuring 203
deleting 205
editing 205
managing 204
status 203
tenants 203
log retention 224
log settings 6
logs 6
email 245
enable remote syslog 252
remote syslog server 252
it
Ed
icmp 53
ICMP ping 53
ICMP ping broadcast 53
ICQ 95
ids 6, 11
igmp 53
IGMP packets 53
im 93
hide conversation text 95
proxy 5
im proxy 6
inappropriate words in im 228
information 4
instant messenger 9, 93
block file transfers 95
blocked response 95
blocked response message 95
censor 95
intercept ssl 95
logging warning 95
logging warning message 95
protocols
aim 95
gadugadu 95
icq 95
jabber 95
msn 95
proxy 93, 94
instant messenger proxy
enable 94
enabled on interfaces 95
exception local IP addresses 96
interface
bond 34
bridge 33
interfaces 7
internal aliases 7
inter-zone security 59
intrusion detection 11
intrusion detection system 11
intrusion system 114
custom policies 117
detection policies 114
policies 114
prevention policies 115
intrusion system monitor 229
ip
address
351
Index
retention 252
io
mac spoof 23
maintenance 13
master 281
message censor 11
custom categories 11
filters 11
time 11
Microsoft Messenger 95
modem 14, 20
settings 31
modules 13
MSN 95
multicast traffic 53
1s
Ed
it
N
network
administrators 216
interface 19
networking 6, 8
source mapping 46
node 297
add 294
child 293
child delete 297
child edit 296
configure child 13
csv 295
delete 297
disable 299
edit 296
import 295
local settings 13
manage 297
monitor 297
parent 292
reboot 299
review 297
update 299
O
OpenVPN 162
outbound access
port rules 72
source rules 76
outgoing 8
output settings 6
output system test messages 228
P
pages
central management 13
info
352
alerts 5
alerts 5
custom 5
logs 6
firewall 6
ids 6
im proxy 5, 6
ips 6
ipsec 6
system 6
web proxy 6
realtime 5
firewall 5
ipsec 5
portal 5
system 5
traffic graphs 5
reports
reports 5
saved 5
scheduled reports 5
settings
alert settings 5
database settings 6
groups 6
log settings 6
output settings 6
information 4
logs and reports
settings
datastore 224
main 4
networking 6, 8
filtering 7
group bridging 7
ip block 7
zone bridging 7
firewall 8
advanced 8
port forwarding 8
source mapping 8
interfaces 7
connectivity 7
external aliases 7
interfaces 7
internal aliases 7
ppp 8
secondaries 8
outgoing 8
external services 8
policies 8
ports 8
routing 7
ports 7
rip 7
1s
io
whois 14
hardware 14
failover 14
firmware upload 14
modem 14
ups 14
maintenance 13
archives 13
licenses 13
modules 13
scheduler 13
shutdown 13
updates 13
preferences 13
hostname 13
registration options 13
time 13
vpn 15
ca 15
certs 15
control 15
global 15
ipsec roadwarriors 15
ipsec subnets 15
l2tp roadwarriors 15
ssl roadwarriors 15
parent node 292
passwords 3
policies 11, 114
intrusion 114
outgoing 8
port forwarding 8
port forwards 67
comment 69
creating 68
criteria 67
destination address 69
destination port 69
editing 69
enabled 69
external ip 68
ips 69
logging 69
protocol 68
removing 69
source IP 69
source port 69
user defined 69
port groups 8
port rules 72
creating 73
deleting 75, 78
editing 75, 78
modes 72
preset 72
it
Ed
sources 7
subnets 7
settings
advanced 8
port groups 8
services 8
authentication 9
directories 9
groups 9
kerberos keytabs 9
settings 9
ssl login 9
temporary bans 9
user activity 9
wpa enterprise 9
dhcp
dhcp custom options 12
dhcp leases 12
dhcp relay 12
dhcp server 12
global 12
dns 11
dns proxy 11
dynamic dns 11
static dns 11
ids 11
intrusion system
detection 11
policies 11
signatures 11
message censor 11
proxies 9
ftp 10
im proxy 9
sip 10
web proxy 9
snmp 11
user portal 9
groups 9
portals 9
user exceptions 9
system
administration 14
admin options 14
administrative users 14
external access 14
central management
child nodes 13
local node settings 13
overview 13
diagnostics 14
configuration tests 14
diagnostics 14
ip tools 14
traffic analysis 14
353
Index
io
1s
radius
action on login failure 200
cache timeout 200
identifying IP address 200
obtain groups from radius 200
port 200
secret 199
server 199
status 199
tenants 199
realtime 5
email 5, 6
reboot 299
registration options 13
reports 5, 127, 219
custom 5
database 224
reports 5
scheduled 5
reverse proxy 6, 10
violations alert 228
rip 7
routing 7
rules
dynamic host 107
354
scheduled reports 5
scheduler 13
secondaries 8
secondary dns 20
selective ACK 54
services
authentication 9, 193
dhcp 12, 119
dns 11, 105
dns proxy 106
dynamic dns 107
ids 11
intrusion system 114
message censor 11
portal 9
rip 40
sip 96
snmp 11, 104
settings 6, 9
shutdown 13
signatures 11
sip 10, 96
types 96
site address 18
smoothrule violations 228
smoothtunnel vpn certificate monitor 228
snmp 11, 104
snmp 11
source mapping 8, 46
source rules 76
sources 7
ssh 17
client 17
SSL 162
ssl login 9
accessing the page 210
customizing 209
exceptions 211
ssl roadwarriors 15
static ethernet
settings 22
subnets 7
it
Ed
viewing 75
portal 5, 9, 236
access 86
configure 81
delete 86
edit 86
groups 85
policy tester 83
user except 85
portals 9
ports 7, 8
ppp 8
ppp over ethernet
settings 25
ppp profile
creating 31
pptp client
support 70
pptp over ethernet
settings 26
preferences 13
prevention policies 115
primary dns 20
proxies 9
dns 106
sip 96
proxy
ftp 99
W
web proxy 6, 9
white-list users 95
whois 14
window scaling 54
wpa enterprise 9, 213
T
Y
yahoo 95
it
io
zone bridge
narrow 59
rule
create 59
settings 60
tutorial 61
wide 59
zone bridging 7, 59
Ed
TCP timestamps 54
telephony
settings 32
temporary ban 206
temporary bans 9
tenants 275
time 13
time out 193
time slots 11
time-out 302
traffic
analysis 14
graphs 5
traffic statistics monitor 228
training 1
tutorial
vpn 178
zone bridging 61
1s
V
virtual lans 36
vlan 36
voip 96
vpn 15, 127
authentication 128
psk 129
x509 129
355
1s
t
Ed
it
io
Index
356
357