Corporate Firewall

Administrators Guide

SmoothWall Corporate Firewall, 2008 FP2, Administrators Guide, Version 1, March 2009

SmoothWall Ltd. publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Corporate Firewall. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of SmoothWall Ltd. For more information, contact: docs@smoothwall.net

This document was created and published in the United Kingdom.

Copyright 2001-2009 SmoothWall Ltd. All rights reserved.

Trademark notice

SmoothWall and the SmoothWall logo are registered trademarks of SmoothWall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in SmoothWall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

End user notice

During their development, all SmoothWall products are subjected to exhaustive penetration testing. There are no insecurities in a standard SmoothWall system or SmoothWall add-on module. All files that implement SmoothWall security policies are part of the system configuration and must only be altered using the recommended configuration procedures outlined in this documentation. SmoothWall Ltd. disclaims all responsibility for any configuration and/or installation changes that may compromise network security.

Acknowledgements

SmoothWall acknowledges the work, effort and talent of the SmoothWall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Address:    SmoothWall Limited, 1 John Charles Way, Leeds LS12 6QA, United Kingdom
Email:      info@smoothwall.net
Web:        www.smoothwall.net
Telephone:  USA and Canada: 1 800 959 3760
            United Kingdom: 0870 1 999 500
            All other countries: +44 870 1 999 500
Fax:        USA and Canada: 1 888 899 9164
            United Kingdom: 0870 1 991 399
            All other countries: +44 870 1 991 399

Contents

Chapter 1  Introduction ... 1
  Overview of Corporate Firewall ... 1
    Corporate Firewall Add-on Modules ... 1
  Who should read this guide? ... 2
  Other Documentation and User Information ... 2
  Support ... 2

Chapter 2  Corporate Firewall Overview ... 3
  Accessing Corporate Firewall ... 3
  Corporate Firewall Sections and Pages ... 5
    Main ... 5
    Information ... 5
      Reports ... 5
      Alerts ... 5
      Realtime ... 6
      Logs ... 6
      Settings ... 7
    Networking ... 7
      Filtering ... 7
      Routing ... 7
      Interfaces ... 7
      Firewall ... 8
      Outgoing ... 8
      Settings ... 8
    Services ... 8
      Authentication ... 9
      User Portal ... 9
      Proxies ... 9
      DNS ... 10
      Message Censor ... 10
      IDS ... 10
      DHCP ... 10
    System ... 11
      Maintenance ... 11
      Preferences ... 11
      Administration ... 12
      Hardware ... 12
      Diagnostics ... 12
    Certs ... 12
    VPN ... 13
  Configuration Conventions ... 13
    Specifying Networks, Hosts and Ports ... 13
      IP Address ... 13
      IP Address Range ... 13
      Subnet Addresses ... 13
      Netmasks ... 14
      Service and Ports ... 14
      Port Range ... 14
    Using Comments ... 14
    Creating, Editing and Removing Rules ... 14
      Creating a Rule ... 14
      Editing a Rule ... 14
      Removing a Rule ... 15
  Connecting via the Console ... 15
    Connecting Using a Client ... 15
    Connecting Using Web-based SSH ... 16
  Corporate Firewall Secure Communication ... 16
    Unknown Entity Warning ... 16
    Inconsistent Site Address ... 16

Chapter 3  Working with Connections ... 19
  Managing Network Interfaces ... 19
    Interfaces ... 20
    Restarting Networking ... 20
  About Connection Methods and Profiles ... 21
    About Connection Profiles for Modems ... 21
      PPP Profiles ... 21
      Modem Profiles ... 21
  Creating a Connection Profile ... 22
    Configuring Global Settings ... 22
    Configuring a Static Ethernet Connection ... 24
    Configuring a DHCP Ethernet Connection ... 24
    Configuring a PPP over Ethernet Connection ... 25
    Configuring a PPTP over Ethernet Connection ... 25
    Configuring an ADSL/DSL Modem Connection ... 26
    Configuring an ISDN Modem Connection ... 27
    Configuring a Dial-up Modem Connection ... 27
  Creating a PPP Profile ... 28
  Modifying Profiles ... 29
  Deleting Profiles ... 30

Chapter 4  Managing Your Network Infrastructure ... 31
  Creating Subnets ... 31
    Editing and Removing Subnet Rules ... 32
  Managing Internal Aliases ... 32
    Creating an Internal Alias Rule ... 33
    Editing and Removing Internal Alias Rules ... 33

Chapter 5  General Network Security Settings ... 35
  Blocking by IP ... 35
    Creating an IP Blocking Rule ... 35
    Editing and Removing IP Block Rules ... 36
  Configuring Advanced Networking Features ... 37
  Enabling Traffic Auditing ... 38
  Dropping Traffic on a Per-interface Basis ... 39
  Working with Port Groups ... 39
    Creating a Port Group ... 40
    Adding Ports to Existing Port Groups ... 40
    Editing Port Groups ... 41
    Deleting a Port Group ... 41

Chapter 6  Configuring Inter-Zone Security ... 43
  About Zone Bridging Rules ... 43
  Creating a Zone Bridging Rule ... 44
  Editing and Removing Zone Bridge Rules ... 45
  A Zone Bridging Tutorial ... 45
    Creating the Zone Bridging Rule ... 46
    Allowing Access to the Web Server ... 46
    Accessing a Database on the Protected Network ... 46

Chapter 7  Managing Inbound and Outbound Traffic ... 49
  Introduction to Port Forwards Inbound Security ... 49
    Port Forward Rules Criteria ... 49
    Creating Port Forward Rules ... 50
    Editing and Removing Port Forward Rules ... 51
  Advanced Network and Firewall Settings ... 52
    Network Application Helpers ... 52
    Managing Bad External Traffic ... 53
    Configuring Reflective Port Forwards ... 53
  Outbound Access ... 54
    Port Rule Modes ... 54
    Preset Port Rules ... 54
    Creating a Port Rule ... 55
    Editing a Port Rule ... 56
      Editing and Removing Protocols and Ports ... 56
      Deleting a Port Rule ... 56
    Viewing a Port Rule ... 56
    Source Rules ... 57
    Configuring the Default Source Rule Settings ... 57
      Editing and Removing Source Rules ... 58
  Managing External Services ... 58
      Editing and Removing External Service Rules ... 59
  Assigning Rules to Groups ... 60

Chapter 8  Corporate Firewall Services ... 61
  Working with User Portals ... 61
    Configuring a Portal ... 62
    Accessing Portals ... 63
    Editing Portals ... 64
    Deleting Portals ... 64
    Assigning Groups to Portals ... 64
    Making User Exceptions ... 65
  Web Proxy ... 65
    Configuring and Enabling the Web Proxy Service ... 66
    About Web Proxy Methods ... 69
      Transparent Proxying ... 69
      Non-Transparent Proxying ... 70
    Configuring End-user Browsers ... 70
  Instant Messenger Proxying ... 71
  Monitoring SSL-encrypted Chats ... 74
  SIP Proxying ... 75
    Types of SIP Proxy ... 75
    Choosing the Type of SIP Proxying ... 75
    Configuring SIP ... 76
  DNS ... 77
    Adding Static DNS Hosts ... 77
      Editing and Removing Static Hosts ... 78
    Enabling the DNS Proxy Service ... 78
    Managing Dynamic DNS ... 79
      Editing and Removing Dynamic Hosts ... 80
      Forcing a Dynamic DNS Update ... 80
  Censoring Instant Message Content ... 80
    Configuration Overview ... 80
    Managing Custom Categories ... 81
      Creating Custom Categories ... 81
      Editing Custom Categories ... 82
      Deleting Custom Categories ... 82
    Setting Time Periods ... 82
      Editing Time Periods ... 83
      Deleting Time Periods ... 83
    Creating Filters ... 83
      Editing Filters ... 84
      Deleting Filters ... 84
    Creating and Applying Messaging Policies ... 84
      Editing Policies ... 85
      Deleting Policies ... 85
  Intrusion Detection System (IDS) ... 86
    Configuring the IDS Service ... 86
    Deleting Custom Rules ... 87
  DHCP ... 87
    Enabling DHCP ... 87
    Creating a DHCP Subnet ... 88
    Editing a DHCP Subnet ... 90
    Deleting a DHCP Subnet ... 90
    Adding a Dynamic Range ... 90
    Adding a Static Assignment ... 91
    Adding a Static Assignment from the ARP Table ... 91
    Editing and Removing Assignments ... 92
    Viewing DHCP Leases ... 92
    Creating Custom DHCP Options ... 92

Chapter 9  Virtual Private Networking ... 95
  Corporate Firewall VPN Features ... 95
    What is a VPN? ... 95
    VPN Tunnel Types ... 96
    About VPN Gateways ... 96
    Administrator Responsibilities ... 96
  About VPN Authentication ... 96
    PSK Authentication ... 97
    X509 Authentication ... 97
      About Digital Certificates ... 98
      Corporate Firewall and Digital Certificates ... 98
  Configuration Overview ... 99
  Working with CAs and Certificates ... 99
    Creating a CA ... 100
    Exporting the CA Certificate ... 101
    Importing Another CA's Certificate ... 102
    Deleting the Local Certificate Authority and its Certificate ... 102
    Deleting an Imported CA Certificate ... 102
  Managing Certificates ... 103
    Creating a Certificate ... 103
    Reviewing a Certificate ... 104
    Exporting Certificates ... 105
    Exporting in the PKCS#12 Format ... 105
    Importing a Certificate ... 106
    Deleting a Certificate ... 106
  Setting the Default Local Certificate ... 107
  Site-to-Site VPNs IPSec ... 107
    Recommended Settings ... 107
    Creating an IPsec Tunnel ... 108
  IPSec Site to Site and X509 Authentication Example ... 112
    Prerequisite Overview ... 112
    Creating the Tunnel Specification on the Primary System ... 112
    Creating the Tunnel Specification on the Secondary System ... 113
    Checking the System is Active ... 114
    Activating the IPSec Tunnel ... 115
  IPSec Site to Site and PSK Authentication ... 115
    Creating the Tunnel Specification on the Primary System ... 115
    Creating the Tunnel Specification on the Secondary System ... 116
    Checking the System is Active ... 117
    Activating the PSK Tunnel ... 117
  About Road Warrior VPNs ... 117
    Configuration Overview ... 118
  IPSec Road Warriors ... 118
    Creating an IPSec Road Warrior ... 119
  Supported IPSec Clients ... 122
  Creating L2TP Road Warrior Connections ... 122
    Creating a Certificate ... 122
    Configuring L2TP and SSL VPN Global Settings ... 123
    Creating an L2TP Tunnel ... 124
    Using NAT-Traversal ... 125
  VPNing Using L2TP Clients ... 125
    L2TP Client Prerequisites ... 125
    Connecting Using Windows XP/2000 ... 126
    Installing an L2TP Client ... 126
    Connecting Using Legacy Operating Systems ... 130
  VPNing with SSL ... 130
    Prerequisites ... 130
    Configuring VPN with SSL ... 130
    Configuring SSL VPN on Internal Networks ... 131
    Configuring and Connecting Clients ... 132
      Installing the Software ... 132
      Opening an SSL VPN Connection ... 134
      Closing an SSL VPN Connection ... 135
  VPN Zone Bridging ... 135
  Secure Internal Networking ... 135
    Creating an Internal L2TP VPN ... 136
    Creating Internal IPSec VPNs ... 137
    Internal VPN Clients ... 138
  Advanced VPN Configuration ... 138
    Multiple Local Certificates ... 139
    Creating Multiple Local Certificates ... 139
    Public Key Authentication ... 140
    Configuring Both Ends of a Tunnel as CAs ... 141
    VPNs between Business Partners ... 141
    Extended Site to Site Routing ... 142
      Site A Tunnel Definition ... 143
      Site B Tunnel Definitions ... 143
      Site C Tunnel Definition ... 143
  Managing VPN Systems ... 144
    Automatically Starting the VPN System ... 144
    Manually Controlling the VPN System ... 145
      Starting/Restarting the VPN System ... 145
      Stopping the VPN System ... 145
      Viewing the VPN System Status ... 145
    Viewing and Controlling Tunnels ... 145
      IPSec Subnets ... 145
      IPSec Road Warriors ... 145
      L2TP Road Warriors ... 146
      SSL Road Warriors ... 146
  VPN Logging ... 146
  VPN Tutorials ... 146
    Example 1: Preshared Key Authentication ... 147
Configuring Corporate Firewall A ..........................................................................................147 Configuring Corporate Firewall B ..........................................................................................147 Creating a Zone Bridge .........................................................................................................148 Testing...................................................................................................................................148

io

SmoothWall Corporate Firewall Administrators Guide

Example 2: X509 Authentication.................................................................. 148


Configuring Corporate Firewall A ..........................................................................................148 Configuring Corporate Firewall B ..........................................................................................149 Creating a Zone Bridge .........................................................................................................150 Testing...................................................................................................................................150 Corporate Firewall A Configuration .......................................................................................151 Corporate Firewall B Configuration .......................................................................................151 Corporate Firewall C Configuration .......................................................................................151 Creating a Zone Bridge .........................................................................................................152 Testing...................................................................................................................................152 Corporate Firewall A Configuration .......................................................................................153 SoftRemote Configuration ..................................................................................................153 Creating a Zone Bridge .........................................................................................................154 Testing...................................................................................................................................154 Corporate Firewall A Configuration .......................................................................................154 L2TP Client Configuration .....................................................................................................155 Creating a Zone Bridge 
.........................................................................................................155

Example 3: An Additional System................................................................ 150

Example 4: IPSec Road Warrior Connection ............................................... 152

Chapter 10

Ve

rs

SafeNet SoftRemote................................................................................... 155 Configuring IPSec Road Warriors................................................................ 155 Using the Security Policy Template SoftRemote ......................................... 156 Creating a Connection without the Policy File.............................................. 158 Advanced Configuration............................................................................... 160 Configuring Global Settings ..................................................................... 161 Configuring Authentication Time-out............................................................ 161 Limiting Concurrent User Logins.................................................................. 162 Working with Groups................................................................................. 162 About Groups............................................................................................... 162 Configuring the Number of Groups .............................................................. 163 Renaming a Group....................................................................................... 164 Managing Temporarily Banned Users...................................................... 164 Creating a Temporary Ban........................................................................... 164 Removing Temporary Bans ......................................................................... 165 Removing Expired Bans............................................................................... 165 Managing Local Users............................................................................... 165 Adding Users................................................................................................ 166 Viewing Local Users..................................................................................... 
167 Editing Local Users ...................................................................................... 167 Importing New Users.................................................................................... 167 Exporting Local Users.................................................................................. 168 Deleting Users.............................................................................................. 168 Moving Users between Groups.................................................................... 168 Viewing User Activity and Cache Statistics.................................................. 168
Viewing User Activity .............................................................................................................169 Viewing User Cache Statistics...............................................................................................169

Authentication and User Management ..................... 161

Authenticating Using SSL Login .............................................................. 170

io

Example 5: L2TP Road Warrior ................................................................... 154

vii

Contents

Enabling SSL Login...................................................................................... 170 Accessing the SSL Login Page.................................................................... 170 Creating SSL Login Exceptions ................................................................... 171 Customizing the SSL Login Page ................................................................ 171
Uploading a Title JPEG .........................................................................................................171 Uploading a Background JPEG.............................................................................................172 Removing an Uploaded JPEG...............................................................................................172 Customizing Messages .........................................................................................................172

Managing the Authentication System ...................................................... 172 Restarting the Authentication System .......................................................... 173 Stopping the Authentication System ............................................................ 173 Viewing System Status ................................................................................ 173 Running Diagnostics .................................................................................... 173

Chapter 11

Reporting ..................................................................... 175


Accessing Reporting ................................................................................. 175 Generating Reports...................................................................................... 176 Saving Reports............................................................................................. 176 About Recent and Saved Reports................................................................ 176 Changing Report Formats............................................................................ 177 Publishing Reports on Portals...................................................................... 177 Managing Reports and Folders.................................................................... 178

Chapter 12

viii

Ve

rs

Creating Folders ....................................................................................................................178 Deleting Folders ....................................................................................................................178 Navigating between Folders ..................................................................................................178 Deleting Reports....................................................................................................................179

Publishing Reports on a Portal..................................................................... 179 Making Reports Available to Other Portals .................................................. 180 Scheduling Reports ................................................................................... 181 Managing Report Data ............................................................................... 182 Managing a Database.................................................................................. 182 Backing-up Databases.......................................................................... 183 Restoring Data ............................................................................................. 183 Working with Crystal Reports................................................................... 183 Installing the Crystal Reports Client ............................................................. 184 Overview of the Crystal Reports Client ........................................................ 184 Using Custom Templates............................................................................. 185 Retrieving Logs ............................................................................................ 185 Opening Crystal Reports-compatible Reports.............................................. 186 Retrieving Information and Opening Reports............................................... 186 Uninstalling the Crystal Reports Client......................................................... 187 About the Control Page ............................................................................. 189 About the Summary Page ......................................................................... 189 About the About Page ............................................................................... 191 Alerts........................................................................................................... 
192 Overview ...................................................................................................... 192 Available Alerts ............................................................................................ 192

Information, Alerts and Logging ............................... 189

io

SmoothWall Corporate Firewall Administrators Guide

Enabling Alerts............................................................................................. 194 Looking up an Alert by Its Reference........................................................... 194 Configuring Alert Settings ............................................................................ 195
Configuring the SmoothTunnel VPN Certificate Alert............................................................195 Configuring the SmoothRule Violations Alert ........................................................................196 Configuring the System Resource Alert ................................................................................196 Configuring the Firewall Notifications Alert............................................................................197 Configuring the System Service Alert....................................................................................197 Configuring the Health Monitor..............................................................................................197 Configuring the Traffic Statistics Alert ...................................................................................198 Configuring the Inappropriate Word Alert ..............................................................................199 Configuring the Intrusion Detection System Alert..................................................................200

Ve

rs

Realtime ...................................................................................................... 200 System Information ...................................................................................... 200 Firewall Information...................................................................................... 201 IPsec Information ......................................................................................... 202 Portal Information......................................................................................... 203 Instant Messaging........................................................................................ 203 Traffic Graphs............................................................................................. 204 Logging....................................................................................................... 205 Accessing Logs............................................................................................ 205 Navigating Logs ........................................................................................... 205 Log Filtering ................................................................................................. 206 Exporting...................................................................................................... 206
Export Formats ......................................................................................................................206

Sorting Log Information................................................................................ 206 System Logs ................................................................................................ 207 Firewall Logs................................................................................................ 209
Filtering Firewall Logs............................................................................................................209 Viewing Firewall Logs............................................................................................................210 Looking up a Source IP whois ............................................................................................210 Blocking a Source IP .............................................................................................................211

IPsec Logs ................................................................................................... 212


Exporting Logs.......................................................................................................................212 Exporting all dates .................................................................................................................212 Viewing and Sorting Log Entries ...........................................................................................212

Log Filtering ................................................................................................. 213 Exporting Logs ............................................................................................. 213 IDS Logs ...................................................................................................... 213
Filtering IDS logs ...................................................................................................................214 Viewing IDS logs ...................................................................................................................214

IM Proxy Logs .............................................................................................. 214 Web Proxy Logs........................................................................................... 216


Filtering Proxy Logs...............................................................................................................216 Viewing Proxy Logs ...............................................................................................................217

User Portal Logs ........................................................................................ 217 Settings....................................................................................................... 217 Configuring Logging Options........................................................................ 217
Configuring the Log Retention Period ...................................................................................218 Automatically Deleting Logs ..................................................................................................219

Configuring Groups...................................................................................... 219


ix

io

Contents

Creating Groups ....................................................................................................................219 Editing a Group......................................................................................................................220 Deleting a Group ...................................................................................................................220

Configuring Output Settings..................................................................... 220 About Email to SMS Output ......................................................................... 221 About Placeholder Tags............................................................................... 221 Configuring Email to SMS Output ................................................................ 222 Testing Email to SMS Output....................................................................... 223 Output to Email ............................................................................................ 223 Generating a Test Alert................................................................................ 224

Chapter 13

Managing Your System .............................................. 225


Managing Updates ..................................................................................... 225 Installing Updates Manually ......................................................................... 227 Managing Modules..................................................................................... 227 Installing Modules Manually......................................................................... 228 Removing a Module ..................................................................................... 229 Licenses...................................................................................................... 229 Installing Licenses........................................................................................ 229 Archives...................................................................................................... 230 About Profiles............................................................................................... 230 Creating an Archive...................................................................................... 231 Downloading an Archive .............................................................................. 231 Restoring an Archive.................................................................................... 231 Deleting Archives ......................................................................................... 232 Uploading an Archive................................................................................... 232 Scheduling.................................................................................................. 232 Scheduling Remote Archiving...................................................................... 233 Editing Schedules ........................................................................................ 234 Replication.................................................................................................. 235
Configuring the Replication Master .......................................................................................235 Configuring the Replication Slave .........................................................................................236

Ve

rs

Shutting down and Rebooting .................................................................. 236 Shell Access............................................................................................... 237 Setting System Preferences...................................................................... 237 Configuring the User Interface ..................................................................... 238 Setting Time................................................................................................. 239 Configuring Registration Options ................................................................. 240 Configuring the Hostname ........................................................................... 241 Configuring Administration and Access Settings .................................. 242 Configuring Admin Access Options.............................................................. 242 Referral Checking ........................................................................................ 243 Configuring External Access........................................................................ 243 Editing and Removing External Access Rules............................................. 244 Administrative User Settings........................................................................ 244
Changing a User's Password ................................................................................................245

About Extended Registration Information..............................................................................241

Hardware..................................................................................................... 246

io

SmoothWall Corporate Firewall Administrators Guide

UPS Settings................................................................................................ 246 Enabling UPS Monitoring............................................................................. 246


Configuring a Local UPS Connection ....................................................................................247 Connecting to a Network UPS...............................................................................................247 Customizing UPS Behavior ...................................................................................................248 Viewing UPS Device Status ..................................................................................................248 Acting as a UPS Master Device ............................................................................................249

Configuring Modems ................................................................................ 249 Installing and Uploading Firmware .......................................................... 251 Diagnostics................................................................................................. 251 Configuration Tests...................................................................................... 251 Generating Diagnostics................................................................................ 252 IP Tools........................................................................................................ 252
Using Ping .............................................................................................................................253 Using Traceroute ...................................................................................................................253

Appendix A

Troubleshooting VPNs ............................................... 257


Site-to-site Problems ................................................................................. 257 L2TP Road Warrior Problems ................................................................... 258 Enabling L2TP Debugging ........................................................................... 258 Windows Networking Issues..................................................................... 258

Appendix B

Ve

rs

Understanding Templates and Reports.................... 261


Programmable Drill-Down Looping Engine (PuDDLE) ........................... 261 Example Report Template ........................................................................... 262 Example Report .......................................................................................... 262 Report Templates, Creation and Editing...................................................... 262 Viewing Reports, Exporting and Drill Down Reporting................................. 262 Changing Report Formats............................................................................ 263 Changing Report Date Ranges.................................................................... 264 Navigating HTML Reports............................................................................ 264 Interpreted Results....................................................................................... 265 Saving Reports............................................................................................. 265 Changing the Report.................................................................................... 265 Investigating Further (Drill down) ................................................................. 266 Creating Template Reports and Customizing Sections ............................... 267 Ordering Sections ........................................................................................ 268 Grouped Sections ........................................................................................ 268 Understanding Groups and Grouped Options.............................................. 268 Feed-Forward Reporting.............................................................................. 269 Iterative Reporting........................................................................................ 269 Group Ordering ............................................................................................ 
270 Grouping Sections........................................................................................ 270
xi

io

WhoIs........................................................................................................... 253 Analyzing Network Traffic ............................................................................ 254 Managing CA Certificates.......................................................................... 255 Reviewing CA Certificates............................................................................ 255 Importing CA Certificates ............................................................................. 255 Exporting CA Certificates............................................................................. 255 Deleting and Restoring Certificates.............................................................. 256

Contents

xii

Ve

rs

Glossary Index

Feature Pack 1............................................................................................ 285 Feature Pack 2............................................................................................ 285

Creating Feed-forward and Iterative Groups ........ 270
Exporting Options ........ 271
Reporting Folders ........ 272
Creating a Folder ........ 275
Renaming Folders ........ 275
Deleting Folders ........ 275
Scheduling Reports ........ 275
Portal Permissions ........ 276
Reporting Sections ........ 276
Generators and Linkers ........ 276
General Sections ........ 277
Network Interfaces ........ 277
The Anatomy of a URL ........ 277
HTTP Request Methods, HTTPS Interception and Man in the Middle ........ 278
Guardian Status Filtering ........ 279
Search Terms and Search Phrases ........ 279
Filtering by Search Terms ........ 280
URL Extraction and Manipulation ........ 281
Origin Filtering ........ 283

Appendix C

Annual Renewal ........ 285

Chapter 1

Introduction
In this chapter:
- An overview of Corporate Firewall's capabilities
- About this documentation and who should read it
- Support information.

Overview of Corporate Firewall

Welcome to Corporate Firewall, SmoothWall's modular firewall. Corporate Firewall is designed to fulfill the network security needs of growing companies and corporate branch offices.

Built on a modular architecture, Corporate Firewall can grow with your organization's requirements, enabling you to add SmoothWall security modules that provide web security/content filtering, bandwidth management and email anti-virus.

Corporate Firewall Add-on Modules

Corporate Firewall has the following add-on modules:

- SmoothGuardian protects against web threats by blocking spyware and browser exploits, controlling the use of active code such as ActiveX and JavaScript, and by anti-virus scanning web pages and file downloads. Pornography and all objectionable content is blocked, access to non work-related content can be controlled and limited to specific times, as can the download of executable and potentially copyrighted files.
- SmoothHost enables you to configure multiple public IP addresses on the external network interface.

Chapter 1 Introduction Support

- SmoothTraffic enables you to prioritize interactive traffic such as VoIP and web browsing for consistent performance and quality whilst maximizing the use of Internet connections.
- SmoothZap enforces email security at the network perimeter before threats reach their intended mail server or client target.

Contact your SmoothWall representative, or visit http://www.smoothwall.net/ for more information.

Who should read this guide?

System administrators maintaining and deploying Corporate Firewall should read this guide.

Note: We strongly recommend that everyone working with SmoothWall products attend SmoothWall training. For information on our current training courses, see http://www.smoothwall.net/support/training/

Other Documentation and User Information

Apart from this guide, the following documentation and online help is available:

- SmoothWall Corporate Firewall Installation and Setup Guide contains complete information on installing and configuring Corporate Firewall initially.
- Corporate Firewall Upgrade Guide explains how to upgrade a compatible SmoothWall system to the latest version of Corporate Firewall.
- SmoothWall add-on module guides explain how to use SmoothWall add-on modules with Corporate Firewall.
- http://www.smoothwall.net/support/ contains support, self-help and training information as well as product updates and the latest product manuals.

Support

All SmoothWall products include unlimited email and telephone support for 30 days from the date of purchase of the software licence. For more information, visit: http://www.smoothwall.net/support/

Chapter 2

Corporate Firewall Overview

In this chapter:
- How to access Corporate Firewall
- An overview of the pages used to configure and manage Corporate Firewall.

Accessing Corporate Firewall

Note: The following sections assume that you have registered and configured Corporate Firewall as described in the Corporate Firewall Installation and Setup Guide.

To access Corporate Firewall:

In the browser of your choice, enter the address of your Corporate Firewall, for example:

https://192.168.72.141:441

Note: The example address above uses HTTPS to ensure secure communication with your Corporate Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security. For more information, see Corporate Firewall Secure Communication on page 16.

Accept Corporate Firewall's certificate. The following screen is displayed:

Enter the following information:

Username: Enter admin. This is the default Corporate Firewall administrator account.
Password: Enter the password you specified for the admin account when installing Corporate Firewall.

Click Login.

The control page opens.

The following sections describe Corporate Firewall's sections and pages.

SmoothWall Corporate Firewall Administrators Guide

Corporate Firewall Sections and Pages

A navigation bar is displayed at the top of every page and contains links to Corporate Firewall's sections and pages.

The following sections give an overview of Corporate Firewall's default sections and pages.

Main
The main section contains the following pages:

control: The control page is the default home page of your Corporate Firewall system. It displays a to-do list for getting started, service information, external connectivity controls and a customizable number of summary reports. For more information, see Chapter 12, About the Control Page on page 189.
summary: Displays a number of generated reports. For more information, see Chapter 12, About the Summary Page on page 189.
about: The about page is where Corporate Firewall product, registration and trademark information as well as acknowledgements are displayed. For more information, see Chapter 12, About the About Page on page 191.

Information
The information section contains the following sub-sections and pages:

Reports
reports: Where you generate and organize reports. For more information, see Chapter 11, Generating Reports on page 176.
recent and saved: Lists recently-generated and previously saved reports. For more information, see Chapter 11, Saving Reports on page 176.
scheduled: Sets which reports are automatically generated and delivered. For more information, see Chapter 11, Scheduling Reports on page 181.
custom: Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 261.

Alerts
alerts: Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 12, Alerts on page 192.
alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 12, Configuring Alert Settings on page 195.

Realtime
system: A realtime view of the system log with some filtering options. For more information, see Chapter 12, System Information on page 200.
firewall: A realtime view of the firewall log with some filtering options. For more information, see Chapter 12, Firewall Information on page 201.
ipsec: A realtime view of the IPSec log with some filtering options. For more information, see Chapter 12, IPsec Information on page 202.
portal: A realtime view of activity on user portals. For more information, see Chapter 12, Portal Information on page 203.
im proxy: A realtime view of recent instant messaging conversations. For more information, see Chapter 12, Instant Messaging on page 203.
traffic graphs: Displays a realtime bar graph of the bandwidth being used by each interface, including IPsec interfaces, with traffic passing down it. For more information, see Chapter 12, Traffic Graphs on page 204.

Logs
system: Simple logging information for the internal system services. For more information, see Chapter 12, System Logs on page 207.
firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 12, Firewall Logs on page 209.
ipsec: Displays diagnostic information for VPN tunnels. For more information, see Chapter 12, IPsec Logs on page 212.
ids: Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 12, IDS Logs on page 213.
im proxy: Displays information on instant messaging conversations. For more information, see Chapter 12, IM Proxy Logs on page 214.
web proxy: Displays detailed analysis of web proxy usage. For more information, see Chapter 12, Web Proxy Logs on page 216.
user portal: Displays information on access by users to portals. For more information, see Chapter 12, User Portal Logs on page 217.
log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, see Chapter 12, Configuring Logging Options on page 217.

Settings
database settings: Settings to manage the database storing Corporate Firewall report data. For more information, see Chapter 11, Managing Report Data on page 182.
database backup: Enables you to back up and restore data stored by SmoothWall add-on modules in the logging and reporting database. For more information, see Chapter 11, Backing-up Databases on page 183 and the applicable add-on module administrator guides.
groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 12, Configuring Groups on page 219.
output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 12, Configuring Output Settings on page 220.

Networking
The networking section contains the following sub-sections and pages:

Filtering
zone bridging: Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 43.
ip block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating an IP Blocking Rule on page 35.

Routing
subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 31.

Interfaces
interfaces: Configure and display information on your Corporate Firewall's internal and external interfaces. For more information, see Chapter 3, Managing Network Interfaces on page 19.
internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 32.
connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Creating a Connection Profile on page 22.
ppp: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 28.

Firewall
port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards Inbound Security on page 49.
advanced: Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 52.

Outgoing
sources: Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Source Rules on page 57.
groups: Used to assign outbound access controls to authenticated groups of users. For more information, see Chapter 7, Assigning Rules to Groups on page 60.
ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Outbound Access on page 54.
external services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 58.

Settings
The settings section contains the following pages:
port groups: Create and edit groups of ports for use throughout Corporate Firewall. For more information, see Chapter 5, Working with Port Groups on page 39.
advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 37.

Services
The services section contains the following sub-sections and pages:

Authentication
control: Used to view the current status of the authentication system, and to restart and stop the service. It also allows diagnostic tests to be performed against different areas of the authentication service. For more information, see Chapter 10, Authentication and User Management on page 161.
settings: Used to set global authentication settings. For more information, see Chapter 10, Configuring Global Settings on page 161.
groups: Used to customize group names. For more information, see Chapter 10, Working with Groups on page 162.
temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Chapter 10, Managing Temporarily Banned Users on page 164.
local users: Used to add, import and export user profiles, for example usernames and passwords, to and from the system's own local user database. For more information, see Chapter 10, Managing Local Users on page 165.
user activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 10, Viewing User Activity and Cache Statistics on page 168.
ssl login: Used to customize the end-user login page. For more information, see Chapter 10, Enabling SSL Login on page 170.

User Portal
portals: This page enables you to configure and manage user portals. For more information, see Chapter 8, Configuring a Portal on page 62.
groups: This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 64.
user exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 65.

Proxies
web proxy: Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Web Proxy on page 65.
instant messenger: Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 71.
sip: Used to configure a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 75.

DNS
static dns: Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 77.
dns proxy: Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 78.
dynamic dns: Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 79.

Message Censor
policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Messaging Policies on page 84.
filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 83.
time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 82.
custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 81.

IDS
intrusion detection system: Used to enable and configure network activity monitoring using the Intrusion Detection System (IDS). For more information, see Chapter 8, Intrusion Detection System (IDS) on page 86.

DHCP
global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 87.
dhcp server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Chapter 8, Creating a DHCP Subnet on page 88.
dhcp leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 92.
dhcp custom options: Used to create and edit custom DHCP options. For more information, see Chapter 8, Creating Custom DHCP Options on page 92.

System
The system section contains the following sub-sections and pages:

Maintenance
updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 13, Managing Updates on page 225.
modules: Used to upload, view, check, install and remove Corporate Firewall modules. For more information, see Chapter 13, Managing Modules on page 227.
licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 13, Licenses on page 229.
archives: Used to create and restore archives of system configuration information. For more information, see Chapter 13, Archives on page 230.
scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 13, Scheduling on page 232.
replication: Used to configure your Corporate Firewall as a replication master or a replication slave. For more information, see Chapter 13, Replication on page 235.
shutdown: Used to shut down or reboot the system. For more information, see Chapter 13, Shutting down and Rebooting on page 236.
shell: Used to access the Corporate Firewall's system console via a Java-based SSH shell. For more information, see Chapter 13, Shell Access on page 237.

Preferences
user interface: Used to set the host description of the system, select the behavior of the web interface and specify reports to display. For more information, see Chapter 13, Configuring the User Interface on page 238.
time: Used to set Corporate Firewall's time zone, date and time settings. For more information, see Chapter 13, Setting Time on page 239.
registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to SmoothWall. For more information, see Chapter 13, Configuring Registration Options on page 240.
hostname: Used to configure Corporate Firewall's hostname. For more information, see Chapter 13, Configuring the Hostname on page 241.

Administration
admin options: Used to enable secure access to Corporate Firewall using SSH, and to enable referral checking. For more information, see Chapter 13, Configuring Admin Access Options on page 242.
external access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Corporate Firewall. For more information, see Chapter 13, Configuring External Access on page 243.
administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 13, Administrative User Settings on page 244.

Hardware
ups: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 13, UPS Settings on page 246.
modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 13, Configuring Modems on page 249.
firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 13, Installing and Uploading Firmware on page 251.

Diagnostics
configuration tests: Used to ensure that your current Corporate Firewall settings are not likely to cause problems. For more information, see Chapter 13, Diagnostics on page 251.
diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 13, Generating Diagnostics on page 252.
ip tools: Contains the ping and traceroute IP tools. For more information, see Chapter 13, IP Tools on page 252.
whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 13, WhoIs on page 253.
traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 13, Analyzing Network Traffic on page 254.

Certs
ca: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Chapter 13, Managing CA Certificates on page 255.

VPN
The vpn section contains the following pages:

control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 144.
ca: Used to create a local certificate authority (CA) for use in an X.509 authentication-based VPN setup. It is also possible to import and export CA certificates on this page. For more information, see Chapter 9, Working with CAs and Certificates on page 99.
certs: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 103.
global: Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 107.
ipsec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs IPSec on page 107.
ipsec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see Chapter 9, IPSec Road Warriors on page 118.
l2tp roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 122.

Configuration Conventions

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address
An IP address defines the network location of a single network host. The following format is used:
192.168.10.1

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. Examples:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255

Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:

192.168.10.0/255.255.255.0
192.168.10.0/24

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0

Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
21
7070

Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:
137:139

Using Comments

Almost every configurable aspect of Corporate Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement.

Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules

Much of Corporate Firewall is configured by creating rules, for example, IP block rules and administration access rules.

Creating a Rule
To create a rule:
1 Enter configuration details in the Add a new rule area.
2 Click Add to create the rule and add it to the appropriate Current rules area.

Editing a Rule
To edit a rule:
1 Find the rule in the Current rules area and select its adjacent Mark option.
2 Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
3 Change the configuration values as necessary.
4 Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule
To remove one or more rules:
1 Select the rule(s) to be removed in the Current rules area.
2 Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users, etc.
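The address and port notations described under Configuration Conventions above, parsed and validated in code. This is an added example and not SmoothWall code (the appliance checks these fields in its own web interface); it uses only the guide's own sample values, and goes slightly beyond them by rejecting reversed ranges and non-contiguous netmasks, the two mistakes that would otherwise produce a rule matching nothing.

```python
"""Parser for the address and port notations used in Corporate Firewall
configuration fields. Added illustration, not SmoothWall code."""
import ipaddress
import re

# 'low:high' as accepted by User defined port fields, e.g. 137:139
PORT_RANGE_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def parse_host(text):
    """A single host written as a dotted IPv4 address, e.g. 192.168.10.1."""
    return ipaddress.IPv4Address(text.strip())


def parse_range(text):
    """A 'low-high' host range, which the guide allows to span subnets
    (192.168.10.1-192.168.12.255). Returns (low, high) and rejects a
    reversed range rather than silently matching nothing."""
    low_s, sep, high_s = text.partition("-")
    if not sep:
        raise ValueError("range must be written as low-high")
    low, high = parse_host(low_s), parse_host(high_s)
    if high < low:
        raise ValueError(f"range end {high} is below range start {low}")
    return low, high


def parse_subnet(text):
    """'address/mask' in dotted-mask or prefix-length form. The address may be
    any address inside the network (the guide calls it arbitrary), so
    strict=False normalises 192.168.10.7/24 to 192.168.10.0/24."""
    if "/" not in text:
        raise ValueError("subnet must be written as address/mask or address/prefix")
    return ipaddress.IPv4Network(text.strip(), strict=False)


def parse_netmask(text):
    """A netmask entered on its own (255.255.248.0). Returns the prefix length
    and rejects masks whose set bits are not contiguous."""
    bits = int(parse_host(text))
    prefix = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if bits != contiguous:
        raise ValueError(f"{text.strip()} is not a contiguous netmask")
    return prefix


def parse_port(text):
    """A single numeric port, e.g. 21 or 7070."""
    port = int(text.strip())
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    return port


def parse_port_range(text):
    """'low:high' port range, e.g. 137:139. Returns (low, high)."""
    match = PORT_RANGE_RE.match(text.strip())
    if not match:
        raise ValueError("port range must be written as low:high")
    low, high = parse_port(match.group(1)), parse_port(match.group(2))
    if high < low:
        raise ValueError(f"port range end {high} is below start {low}")
    return low, high


def classify(text):
    """Work out which notation a field value uses and parse it accordingly.
    Returns (kind, value). A bare netmask is indistinguishable from a host
    address here; the guide keeps those in separate fields for that reason."""
    text = text.strip()
    if ":" in text:
        return "port_range", parse_port_range(text)
    if "/" in text:
        return "subnet", parse_subnet(text)
    if "-" in text:
        return "range", parse_range(text)
    if text.isdigit():
        return "port", parse_port(text)
    return "host", parse_host(text)


if __name__ == "__main__":
    # The guide's own examples, run through the parser.
    for sample in ("192.168.10.1", "192.168.10.1-192.168.12.255",
                   "192.168.10.0/255.255.255.0", "192.168.10.0/24",
                   "7070", "137:139"):
        print(sample, "->", classify(sample))
```

Both forms of a subnet normalise to the same IPv4Network, so a rule written as 192.168.10.0/255.255.255.0 and one written as 192.168.10.0/24 compare equal, which is useful when auditing rule lists for duplicates.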

Connecting via the Console

You can access Corporate Firewall via a console using the Secure Shell (SSH) protocol.

Note: By default, Corporate Firewall only allows SSH access if it has been specifically configured. See Chapter 13, Configuring Admin Access Options on page 242 for more information.

Connecting Using a Client

When SSH access is enabled, you can connect to Corporate Firewall via a secure shell application, such as PuTTY, or from the system > maintenance > shell page.

To connect using an SSH client:
1 Check SSH access is enabled on Corporate Firewall. See Chapter 13, Configuring Admin Access Options on page 242 for more information.
2 Start PuTTY or an equivalent client.
3 Enter the following information:

Host Name (or IP address): Enter Corporate Firewall's host name or IP address.
Port: Enter 222.
Protocol: Select SSH.

4 Click Open. When prompted, enter root, and the password associated with it. You are given access to the Corporate Firewall command line.

Connecting Using Web-based SSH

To connect via the web-based SSH:
1 Navigate to the system > maintenance > shell page.
2 Enter the username root, and the password associated with it. As a root user, you will access the Corporate Firewall command line.

Corporate Firewall Secure Communication

When you connect your web browser to Corporate Firewall's web-based interface on a HTTPS port for the first time, your browser will display a warning that Corporate Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.

Unknown Entity Warning

This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Corporate Firewall's certificate is a self-signed certificate.

Note: The data traveling between your browser and Corporate Firewall is secure and encrypted.

To remove this warning, your web browser needs to be told to trust certificates generated by Corporate Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.

Inconsistent Site Address

Your browser will generate a warning if Corporate Firewall's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Corporate Firewall's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.

To remove this warning, access Corporate Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.

Note: Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
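The two identity checks described in this section, written out explicitly. This is an added example and not part of the guide or of SmoothWall's software: the hostname firewall.example.local is assumed, the HTTPS port 441 is the one used in Chapter 2, and the certificate is a constructed placeholder so the example runs offline. Its point is the step the browser dialog skips: before importing a self-signed certificate, compare its fingerprint with one obtained through a channel you already trust, so that you import the firewall's certificate and not one presented by something sitting between you and it.

```python
"""Explicit versions of the two checks a browser makes before it trusts
Corporate Firewall's self-signed HTTPS certificate. Added illustration, not
SmoothWall code: the hostname and the placeholder certificate are constructed."""
import base64
import hashlib
import ipaddress
import ssl

# Constructed placeholder standing in for the appliance's certificate so the
# example runs offline. It is not real DER; only the fingerprint path is exercised.
CONSTRUCTED_DER = b"constructed placeholder, not a real certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def fetch_server_certificate(host, port=441):
    """Retrieve the PEM certificate the appliance presents on its HTTPS port
    (441 is the port used in Chapter 2). No chain validation happens here, as a
    self-signed certificate cannot pass it; that is the warning the guide describes."""
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem_cert):
    """SHA-256 fingerprint of the certificate's DER encoding, in the
    colon-separated upper-case form browsers show in their certificate viewer."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fingerprint):
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(pem_cert, expected_fingerprint):
    """True when the presented certificate has the fingerprint obtained through a
    channel already trusted. Separator and case differences are ignored so a
    hand-copied value still compares; the hex digits themselves must match."""
    return _normalise(sha256_fingerprint(pem_cert)) == _normalise(expected_fingerprint)


def address_matches_certificate(cert_hostname, address_used):
    """The 'Inconsistent Site Address' check. The certificate carries exactly one
    name, the appliance hostname, so only that name matches (case-insensitively,
    as DNS names are). An IP address never matches, which is why the guide says
    to browse to the firewall by hostname."""
    address_used = address_used.strip()
    try:
        ipaddress.ip_address(address_used)
        return False          # a literal IP can never equal the certificate's name
    except ValueError:
        pass                  # not an IP literal, so compare as a hostname
    return cert_hostname.strip().lower() == address_used.lower()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate and the assumed hostname.
    print(sha256_fingerprint(CONSTRUCTED_PEM))
    print(address_matches_certificate("firewall.example.local", "firewall.example.local"))
    print(address_matches_certificate("firewall.example.local", "192.168.72.141"))
```

Only fetch_server_certificate touches the network; pass its result to fingerprint_matches together with the fingerprint you recorded elsewhere, and import the certificate into the browser only when that returns True. A 2008-era appliance may offer only TLS versions a current Python refuses to negotiate; if the fetch fails for that reason, export the certificate from the browser's certificate viewer and feed the PEM file to the same functions.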

Chapter 3

Working with Connections

In this chapter:
- How to manage network interfaces
- The different ways that Corporate Firewall can be connected to the Internet.

Managing Network Interfaces

You can configure and review information on Corporate Firewall's internal and external interfaces.

To access interface settings: Browse to the networking > interfaces > interfaces page.

Interfaces

Here you can review all the settings for your Corporate Firewall interfaces.

Text in blue denotes that the current IP address and other information is different to the entered values. This is useful for showing IPs of external interfaces so they are not accidentally reconfigured to be internal ones.

Tip: Clicking the graph takes you to the relevant interface report.

The following settings for your Corporate Firewall's internal interface are available:

Default interface: A drop-down list of the current interfaces available.
Primary DNS: If Corporate Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. If in doubt, leave this setting at the default value of 127.0.0.1, i.e. localhost. For more information, see Appendix A, Advanced Firewall and DNS on page 295.
Secondary DNS: Enter the IP address of the secondary DNS server, if one is available. If the primary DNS server setting is set to 127.0.0.1, i.e. localhost, leave this setting empty.
Default gateway: If Corporate Firewall is not going to become your network's gateway, enter the gateway here. Note: In nearly all setups, Corporate Firewall will be connected to an external connection such as an ADSL router, leased line, or ISDN line. In this case, leave this field blank.

Restarting Networking
Several key changes may have an effect on the connectivity of Corporate Firewall. For this reason, most changes are only applied when networking is restarted.

To restart networking:
1 Click Restart.

Note: Restarting networking can take some time and may interrupt some services.

SmoothWall Corporate Firewall Administrators Guide

About Connection Methods and Profiles

Corporate Firewall supports the following connection methods:

Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by Corporate Firewall.
Modem: An internal or external modem connected to the Internet via an ISP, controlled by Corporate Firewall.
Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by Corporate Firewall.

Up to five different connections to the Internet can be defined, each stored in its own connection profile. Each connection profile defines the type of connection that should be used and the appropriate settings.

About Connection Profiles for Modems

PPP Profiles

Connection profiles for modems, including ISDN, and Ethernet/modem hybrid devices use an additional profile: a Point-To-Point (PPP) profile. A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles to ISPs that support a range of access technologies that are authenticated via the same user account.

Modem Profiles

A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.

Creating a Connection Profile


The following sections explain how to create a connection profile. When creating a connection profile, you configure the global settings, including the connection method, and then configure the method-specific settings.

Configuring Global Settings

To configure global settings:
1 Navigate to the networking > interfaces > connectivity page.
2 Configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.

Profile name: Enter a name for the connection profile.

Method: Choose the connection method from the drop-down list. Options include:
  Static Ethernet: for more information, see Configuring a Static Ethernet Connection on page 24.
  DHCP Ethernet: for more information, see Configuring a DHCP Ethernet Connection on page 24.
  PPP over Ethernet: for more information, see Configuring a PPP over Ethernet Connection on page 25.
  PPTP over Ethernet: for more information, see Configuring a PPTP over Ethernet Connection on page 25.
  ADSL Modem: for more information, see Configuring an ADSL/DSL Modem Connection on page 26.
  ISDN TA: for more information, see Configuring an ISDN Modem Connection on page 27.
  Modem: for more information, see Configuring a Dial-up Modem Connection on page 27.

Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.

Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Automatic failover to profile: Optionally, select to specify a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Corporate Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.

Primary failover ping IP: Enter an IP address that is known to be contactable if the external connection is operating correctly. If neither the primary nor the secondary IP address can be contacted, the connection will fail over to the profile chosen in the Automatic failover to profile drop-down menu, if one has been chosen.

Secondary failover ping IP: Optionally, enter a secondary IP address that is known to be contactable if the external connection is operating correctly.

Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.

Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.

Weighting: Select from the drop-down list to assign a weighting to an external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

3 Click Update to display further method-specific settings in the settings area.
4 At this point, click Save, as configuration using other pages may be necessary for some connection methods, for example PPP and modem profiles.
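The failover chain and weighting behaviour described under Configuring Global Settings can be modelled as follows. This is an added example, not code from SmoothWall or from this guide: the profile names, ping IPs and the smooth weighted round-robin scheme are assumptions, and reachability is supplied as a constructed set of answering addresses rather than real pings.

```python
# Added example (not SmoothWall code): models the "Automatic failover to
# profile" chain and the load-balancing "Weighting" setting. Reachability is
# injected as a set of answering IPs (constructed) so the logic runs offline;
# a real probe would ping the failover ping IPs.

class Profile:
    """One connection profile with its failover ping IPs and chain target."""

    def __init__(self, name, ping_ips, failover_to=None, weight=1):
        self.name = name
        self.ping_ips = list(ping_ips)   # primary and optional secondary ping IP
        self.failover_to = failover_to   # another profile name, "reboot", or None
        self.weight = weight


def profile_is_up(profile, reachable):
    """The guide fails over only when neither ping IP answers, so one answering
    ping IP is enough to keep the profile in use."""
    return any(ip in reachable for ip in profile.ping_ips)


def chain_is_sound(profiles, start):
    """True if the chain from `start` ends (no successor, or the reboot option)
    without revisiting a profile; a revisit would make failover loop forever."""
    seen = set()
    current = start
    while current not in (None, "reboot"):
        if current in seen:
            return False
        seen.add(current)
        current = profiles[current].failover_to
    return True


def resolve_connection(profiles, start, reachable):
    """Walk the daisy chain from `start` and return (chosen, path): a profile
    name, "reboot" when the chain ends in the reboot option, or None when it
    simply runs out of profiles."""
    if not chain_is_sound(profiles, start):
        raise ValueError("failover chain starting at %s loops" % start)
    path = []
    current = start
    while current not in (None, "reboot"):
        path.append(current)
        if profile_is_up(profiles[current], reachable):
            return current, path
        current = profiles[current].failover_to
    return current, path


def weighted_schedule(pool, count):
    """Smooth weighted round-robin over [(name, weight), ...]: each step adds
    every weight to a running score, picks the highest score and subtracts the
    total. Over one cycle each connection is picked in proportion to its
    weight. This is one common scheme; the guide does not say which one the
    product uses, so it is an assumption here."""
    total = sum(weight for _, weight in pool)
    score = {name: 0 for name, _ in pool}
    picks = []
    for _ in range(count):
        for name, weight in pool:
            score[name] += weight
        best = max(pool, key=lambda item: score[item[0]])[0]  # first wins ties
        score[best] -= total
        picks.append(best)
    return picks


# Constructed sample: an ADSL primary chained to ISDN, then the reboot option.
PROFILES = {
    "adsl": Profile("adsl", ["198.51.100.1", "198.51.100.2"], failover_to="isdn", weight=3),
    "isdn": Profile("isdn", ["203.0.113.1"], failover_to="reboot", weight=1),
}

if __name__ == "__main__":
    print(resolve_connection(PROFILES, "adsl", {"198.51.100.2"}))
    print(resolve_connection(PROFILES, "adsl", set()))
    print(weighted_schedule([("adsl", 3), ("isdn", 1)], 8))
```

The loop check matters because the guide lets any profile name be chosen as the failover target, so two profiles pointing at each other would never reach the reboot option.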

To complete the connection profile, refer to the method-specific sections in the remainder of this chapter.

Configuring a Static Ethernet Connection

A static Ethernet connection enables Corporate Firewall to use a static IP address, as assigned by your ISP.

To create a static Ethernet connection:
1 Configure the global settings and select Static Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22.
2 Click Update. In the Static Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.
Address: Enter the static IP address provided by your ISP.
Netmask: Enter the subnet mask as provided by your ISP.
Default gateway: Enter the default gateway IP address as provided by your ISP.
Primary DNS: Enter the primary DNS server details as provided by your ISP.
Secondary DNS: Enter the secondary DNS server details as provided by your ISP.

3 Click Save.

Configuring a DHCP Ethernet Connection

A DHCP Ethernet connection enables Corporate Firewall to be allocated a dynamic IP address, as assigned by the ISP.

To create a DHCP Ethernet connection:
1 Configure the global settings and select DHCP Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22.
2 Click Update. In the DHCP Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.
DHCP Hostname: Optionally enter a DHCP hostname, if provided by your ISP.
MAC spoof: Enter a MAC spoof value if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.

3 Click Save.

Configuring a PPP over Ethernet Connection

This section explains how to configure Corporate Firewall to use a PPPoE modem for Internet connectivity.

To create a PPP over Ethernet connection:
1 Configure the global settings and select PPP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22.
2 Click Update. In the PPP over Ethernet settings area, configure the following settings:

Service name: If required, enter the service name as specified by your ISP.
Concentrator: If required, enter the concentrator name as specified by your ISP.
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one.

3 Click Save.

Configuring a PPTP over Ethernet Connection

This section explains how to configure Corporate Firewall to use a PPTP modem for Internet connectivity.

To create a PPTP over Ethernet connection:
1 Configure the global settings and select PPTP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 22.
2 Click Update. In the PPTP over Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 28.
Address: Enter the IP address assigned by your ISP.
Netmask: Enter the netmask assigned by your ISP.
Gateway: Enter the gateway assigned by your ISP.
Telephone: Enter the dial telephone number as provided by your ISP.

3 Click Save.

Configuring an ADSL/DSL Modem Connection

Corporate Firewall can connect to the Internet using an ADSL modem. If your ADSL connection uses a PPPoE connection, see Configuring a PPP over Ethernet Connection on page 25 for more information.

Note: To connect using an ADSL modem, the ADSL device must have been configured either during the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Corporate Firewall Installation and Setup Guide.

To complete the connection profile:
1 Configure the global settings and select ADSL Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 22.
2 Click Update. In the ADSL Modem settings area, configure the following settings:

Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 28.

3 Click Save.

Configuring an ISDN Modem Connection

This section explains how to configure Corporate Firewall to use an ISDN modem for Internet connectivity.

Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Corporate Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Corporate Firewall Installation and Setup Guide.

To complete the connection profile:
1 Configure the global settings and select ISDN TA as the connection method. For more information on global settings, see Configuring Global Settings on page 22.
2 Click Update. In the ISDN settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 28.

Telephone: Enter the telephone number for the ISDN connection.

Channels: From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.

Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.
Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data rate of the second channel decreases below a threshold where it is of no benefit, Corporate Firewall will automatically close it. Forcing the second channel to stay up will help prevent this from happening.

Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data rate falls below the threshold for short periods of time.

3 Click Save.

Configuring a Dial-up Modem Connection

This section explains how to configure Corporate Firewall to use a dial-up modem for Internet connectivity.

To complete the profile:
1 Configure the global settings and select Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 22.
2 Click Update. In the Modem settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 28.
Modem profile: From the drop-down list, select the modem profile to use. See Configuring Modems on page 249 for more information on modem profiles.
Telephone: Enter the telephone number for the connection.

3 Click Save.

Creating a PPP Profile

Up to five PPP profiles can be created to store username, password and connection-specific details for connections where Corporate Firewall controls the connecting device, e.g. an ADSL modem attached to Corporate Firewall.

To create a PPP profile:
1 Navigate to the networking > interfaces > ppp page.
2 Configure the following settings:

Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Dial on Demand: Select to ensure that the PPP connection is only established if an outward-bound request is made. This may help reduce costs if your ISP uses per unit time billing.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests. This is normally the desired behavior.
Idle timeout: Enter the number of minutes that the connection must remain inactive for before it is automatically closed by Corporate Firewall. Enter 0 to disable this setting.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Maximum retries: Enter the maximum number of times that Corporate Firewall will try to connect following failure to connect.
Username: Enter your ISP assigned username.
Password: Enter your ISP assigned password.
Method: Choose the authentication method as specified by your ISP in this field.
Script name: Enter the name of a logon script here, if your ISP informs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Type: Specifies the DNS type used by your ISP.
  Manual: select if your ISP has provided you with DNS server addresses to enter.
  Automatic: select if your ISP automatically allocates DNS settings upon connection.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.
Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.

3 Click Save to save your settings and create a PPP profile.

Modifying Profiles

To modify an existing connection, PPP or modem profile:
1 Navigate to the appropriate profile page.
2 Choose the profile from the Profiles drop-down list that you wish to modify and click Select. The profile details will now be displayed.
3 Make changes to any of the fields, review the changes and click Save.

Note: Any changes made to a profile that is used as part of a current connection will only be applied following re-connection. The connection can be manually restarted on the main > control page.

Deleting Profiles

To delete an existing connection, PPP or modem profile:
1 Navigate to the appropriate profile page.
2 Choose the profile from the Profiles drop-down list that you wish to delete and click Select. The profile details will now be displayed.
3 If you are certain that you wish to delete the selected profile, click Delete.

Note: Deleting a profile that is used as part of a current connection will cause the current connection to close.

Chapter 4

Managing Your Network Infrastructure


In this chapter: Creating subnets and internal subnet aliases.

Creating Subnets

Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.

Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:
1 Navigate to the networking > routing > subnets page.
2 Configure the following settings:

Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with a netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the network field.
Gateway: Enter the IP address of the gateway device by which the subnet can be reached. This will be an address on a locally recognized network zone. It is necessary for Corporate Firewall to be able to route to the gateway device in order for the subnet to be successfully configured. The gateway address must be on a network that Corporate Firewall is directly attached to.
Metric: Enter a route metric to set the order in which the route is evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules

To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Managing Internal Aliases

Corporate Firewall can be configured to create internal aliases for each installed NIC. Internal aliases can be used to create logical subnets amongst hosts within the same physical network zone. Internal alias rules are used to create such bindings on an internal network interface, thus enabling it to route packets to and from IP addresses on a virtual subnet without the need for physical switches.

Note: No services will run on the alias IP.

Note: This function is recommended only for experienced network administrators, as there are a number of security implications and limitations that using this feature will impose on the rest of your network.

Note: Use of this feature is not normally recommended for the following reasons:
  No physical separation: Internal aliases should not be considered as a substitute for physically separating multiple networks. Network users can join a logical subnet by changing their IP address.
  No DHCP service: DHCP servers cannot serve a logical subnet, as it is impossible for them to know which subnet (physical or logical) the client should be on.
  No direct DNS or proxy access: The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface, which is not the case when an alias is in use.
Generally, internal aliases should only be created in special circumstances.
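Returning to the subnet rules above: the checks the Gateway and Metric descriptions imply (the Network field must be a network ID, the gateway must sit on a directly attached zone, and 0 is the highest priority) can be applied before a rule is saved. This is an added example, not SmoothWall code; the interface names, zone networks and rules are constructed sample values.

```python
import ipaddress

# Added example (not SmoothWall code): validates a subnet rule as the table
# above describes it and picks the route for a destination. The attached
# zones are constructed sample values standing in for the firewall's NICs.
ATTACHED_ZONES = {
    "eth0": ipaddress.ip_network("192.168.10.0/24"),   # hypothetical internal zone
    "eth1": ipaddress.ip_network("10.0.5.0/24"),       # hypothetical DMZ zone
}


def validate_subnet_rule(network, netmask, gateway, metric=0, zones=ATTACHED_ZONES):
    """Return (ok, detail). Checks that Network is a network ID (no host bits
    set), that the gateway is a host address on a directly attached zone, and
    that the metric is a non-negative integer. `detail` is the interface the
    route would leave by, or the reason the rule was refused."""
    try:
        # strict=True (the default) refuses "172.16.0.1/255.255.0.0": host bits set
        ipaddress.ip_network("%s/%s" % (network, netmask))
    except ValueError as exc:
        return False, "bad network/netmask: %s" % exc
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return False, "bad gateway: %s" % exc
    if not isinstance(metric, int) or metric < 0:
        return False, "metric must be a non-negative integer"
    for iface, zone in zones.items():
        if gw in zone:
            if gw in (zone.network_address, zone.broadcast_address):
                return False, "gateway %s is not a host address on %s" % (gw, iface)
            return True, iface
    return False, "gateway %s is not on a directly attached network" % gw


def select_route(rules, destination):
    """Pick the gateway for `destination` among enabled rules: the most specific
    subnet wins, then the lowest metric (0 is the highest priority)."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        subnet = ipaddress.ip_network("%s/%s" % (rule["network"], rule["netmask"]))
        if dst in subnet:
            candidates.append((-subnet.prefixlen, rule["metric"], rule["gateway"]))
    return min(candidates)[2] if candidates else None


# Constructed sample rules: a /16 via the LAN router and a more specific /24
# via a DMZ router, plus a disabled rule that must be ignored.
RULES = [
    {"network": "172.16.0.0", "netmask": "255.255.0.0", "gateway": "192.168.10.254", "metric": 0, "enabled": True},
    {"network": "172.16.5.0", "netmask": "255.255.255.0", "gateway": "10.0.5.1", "metric": 5, "enabled": True},
    {"network": "172.16.5.0", "netmask": "255.255.255.0", "gateway": "10.0.5.2", "metric": 1, "enabled": False},
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule["gateway"], validate_subnet_rule(rule["network"], rule["netmask"], rule["gateway"], rule["metric"]))
    print(select_route(RULES, "172.16.5.9"), select_route(RULES, "172.16.9.9"))
```

A gateway outside every attached zone is the most common reason such a rule silently does nothing, which is why the check names the interface it resolved to.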


Creating an Internal Alias Rule

To create an internal alias rule:
1 Navigate to the networking > interfaces > internal aliases page.
2 Configure the following settings:

Interface: From the drop-down menu, select the internal interface on which to create the alias.
IP address: Enter an IP address for the internal alias.
Netmask: Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

3 Click Add. The internal alias rule is added to the Current rules table.

Editing and Removing Internal Alias Rules

To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.

Chapter 5

General Network Security Settings


In this chapter:
  Using IP blocking to block source IPs and networks
  Reviewing network interface information
  Fine-tuning network communications using the advanced networking features
  Creating groups of ports for use throughout Corporate Firewall.

Blocking by IP

IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts on the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by a virus.

IP block rules can also operate in an exception mode, allowing traffic from certain source IPs or network addresses to always be allowed.

Creating an IP Blocking Rule

To create an IP block rule:
1 Navigate to the networking > filtering > ip block page.
2 Configure the following settings:

Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
  An individual network host, enter its IP address, for example: 192.168.10.1.
  A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
  A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
  An individual network host, enter its IP address, for example: 192.168.10.1.
  A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
  A subnet range of network hosts, enter an appropriate subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

Drop packet: Select to ignore any request from the source IP or network. The effect is similar to disconnecting the appropriate interface from the network.

Reject packet: Select to cause an ICMP Connection Refused message to be sent back to the originating IP, and no communication will be possible.

Exception: Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception block rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.

Log: Select to log all activity from this IP.

Comment: Optionally, describe the IP block rule.

Enabled: Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.

Editing and Removing IP Block Rules

To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.
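The three address forms accepted by the Source and Destination fields, the precedence of Exception rules over Drop and Reject rules, and the same-subnet limitation in the note above can all be exercised offline. This is an added example, not SmoothWall code; the rule list, the addresses and the local zone are constructed sample values, and the precedence order between plain drop and reject rules that both match is an assumption (first match wins).

```python
import ipaddress

# Added example (not SmoothWall code): parses the address forms the IP block
# table accepts, evaluates a rule list with Exception precedence, and applies
# the same-subnet caveat from the note. All rules and addresses are constructed.


def parse_spec(spec):
    """Return a matcher for one IP, an 'a-b' range, or a CIDR/dotted-mask subnet."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError("range end precedes start: %s" % spec)
        return lambda ip: first <= ip <= last
    # ip_network accepts "192.168.10.0/24", "192.168.10.0/255.255.255.0" and a
    # bare host address (treated as a /32).
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ip in net


def compile_rules(rules):
    """Attach matchers to the rule dicts; disabled rules are skipped entirely."""
    compiled = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        compiled.append({
            "src": parse_spec(rule["source"]),
            "dst": parse_spec(rule["destination"]) if rule.get("destination") else (lambda ip: True),
            "action": rule["action"],          # "drop", "reject" or "exception"
            "log": rule.get("log", False),
            "comment": rule.get("comment", ""),
        })
    return compiled


def evaluate(compiled, src, dst):
    """Return (verdict, logged). A matching Exception rule wins over every drop
    or reject rule regardless of order, as the table states; otherwise the first
    matching rule decides (an assumption); with no match the traffic is left to
    the rest of the firewall policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in compiled if r["src"](src) and r["dst"](dst)]
    for rule in hits:
        if rule["action"] == "exception":
            return "accept", rule["log"]
    if hits:
        return hits[0]["action"], hits[0]["log"]
    return "accept", False


def enforceable(src, dst, local_zones):
    """The note above: two hosts on the same subnet talk to each other directly,
    not via the firewall, so a block rule between them cannot take effect."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(src in zone and dst in zone for zone in local_zones)


# Constructed sample rules: quarantine a lab subnet, exempt its servers, and
# reject one external range from reaching one internal host.
RULES = [
    {"source": "192.168.10.0/255.255.255.0", "action": "drop", "log": True, "comment": "quarantine lab"},
    {"source": "192.168.10.1-192.168.10.15", "action": "exception", "comment": "lab servers"},
    {"source": "203.0.113.0/24", "destination": "192.168.10.80", "action": "reject", "log": True},
    {"source": "198.51.100.0/24", "action": "drop", "enabled": False},
]
COMPILED = compile_rules(RULES)
LOCAL_ZONES = [ipaddress.ip_network("192.168.10.0/24")]

if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "10.0.0.1"), ("192.168.10.40", "10.0.0.1"), ("203.0.113.9", "192.168.10.80")]:
        print(src, "->", dst, evaluate(COMPILED, src, dst), "enforceable:", enforceable(src, dst, LOCAL_ZONES))
```

The enforceable() check is worth running when a rule is added to block an infected internal host: a drop rule against its neighbours on the same zone gives a false sense of containment, because that traffic never crosses the firewall.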

Configuring Advanced Networking Features

Corporate Firewall's advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.

To configure advanced networking features:
1 Navigate to the networking > settings > advanced page.
2 Configure the following settings:

Block ICMP ping broadcasts: Select to prevent the system responding to broadcast ping messages from all network zones (including external). This can prevent the effects of a broadcast ping-based DoS attack.

Block ICMP ping: Select to prevent the system responding to normal ping messages from all network zones (including external). This will effectively hide the machine from Internet Control Message Protocol (ICMP) pings, but this can also make connectivity problems more difficult to diagnose.

Enable SYN cookies: Select to defend the system against SYN flood attacks. A SYN flood attack is where a huge number of connection requests, SYN packets, are sent to a machine in the hope that it will be overwhelmed. The use of SYN cookies is a standard defence mechanism against this type of attack, the aim being to avoid a DoS attack.

Block and ignore IGMP packets: Select this option to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.

Block and ignore multicast traffic: Select this option to block multicast messages on network address 224.0.0.0 from ISPs and prevent them generating large volumes of spurious log entries.

Connection tracking table size: Select to store information about all connections known to the system. This includes NATed sessions, and traffic passing through the firewall. The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient; use this field to configure a larger size.

SYN backlog queue size: Select this option to set the maximum number of requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.

3 Click Advanced to access the following settings:

Block SYN+FIN packets: Select to automatically discard the packets used in SYN+FIN scans, which are used to passively scan systems. Generally, SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.

Enable TCP timestamps: Select this option to enable TCP timestamps (RFC1323) to improve TCP performance on high speed links.

Enable selective ACKs: Select this option to enable selective ACKs (RFC2018) to improve TCP performance when packet loss is high.

Enable window scaling: Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.

Enable ECN: Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. Whilst effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bit. For this reason, this feature is disabled by default.

4 Click Save to enable the settings you have selected.
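On a Linux-based firewall such as this one, the checkbox settings above correspond to well-known kernel tunables and packet-filter rules, and an administrator can verify from a sysctl dump that the running system still matches what was saved. The following is an added example, not SmoothWall code: the guide does not say how Corporate Firewall applies these options internally, so the mapping to standard sysctl keys and iptables rules is an assumption, the 224.0.0.0/4 multicast range generalises the single address the guide names, and the settings and sysctl output are constructed samples.

```python
# Added example (not SmoothWall code): renders the advanced networking
# settings as standard Linux sysctl keys and netfilter rules, then checks a
# `sysctl -a` style dump for drift. The mapping is the general Linux one and
# is an assumption; the guide does not describe the product's internals.

SYSCTL_FLAGS = {
    # GUI setting                     (sysctl key, value when ticked)
    "block_icmp_ping_broadcasts":   ("net.ipv4.icmp_echo_ignore_broadcasts", 1),
    "block_icmp_ping":              ("net.ipv4.icmp_echo_ignore_all", 1),
    "enable_syn_cookies":           ("net.ipv4.tcp_syncookies", 1),
    "enable_tcp_timestamps":        ("net.ipv4.tcp_timestamps", 1),
    "enable_selective_acks":        ("net.ipv4.tcp_sack", 1),
    "enable_window_scaling":        ("net.ipv4.tcp_window_scaling", 1),
    "enable_ecn":                   ("net.ipv4.tcp_ecn", 1),
}
SYSCTL_SIZES = {
    "syn_backlog_queue_size":         "net.ipv4.tcp_max_syn_backlog",
    "connection_tracking_table_size": "net.netfilter.nf_conntrack_max",
}
# IGMP, multicast and SYN+FIN blocking are packet filters rather than kernel
# tunables; these iptables rules express them (224.0.0.0/4 is the whole IPv4
# multicast range, an assumption beyond the single address the guide gives).
FILTER_RULES = {
    "block_igmp":      "iptables -A INPUT -p igmp -j DROP",
    "block_multicast": "iptables -A INPUT -d 224.0.0.0/4 -j DROP",
    "block_syn_fin":   "iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",
}


def desired_sysctls(settings):
    """Map GUI choices ({name: bool or int}) to {sysctl key: value}. An unticked
    flag is rendered explicitly as 0 so the drift check also notices a
    protection that was switched off, or a feature switched on, outside the GUI."""
    wanted = {}
    for name, (key, on_value) in SYSCTL_FLAGS.items():
        wanted[key] = on_value if settings.get(name, False) else 0
    for name, key in SYSCTL_SIZES.items():
        if name in settings:
            size = int(settings[name])
            if size <= 0:
                raise ValueError("%s must be a positive integer" % name)
            wanted[key] = size
    return wanted


def filter_rules(settings):
    """The iptables rules implied by the ticked packet-filter options."""
    return [rule for name, rule in FILTER_RULES.items() if settings.get(name, False)]


def parse_sysctl_dump(text):
    """Parse 'key = value' lines in the format printed by `sysctl -a`."""
    current = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return current


def drift(wanted, current):
    """{key: (wanted, actual)} for every key that differs or is missing from the dump."""
    return {k: (v, current.get(k)) for k, v in wanted.items() if current.get(k) != str(v)}


# Constructed sample: what the administrator ticked, and a dump from a box
# where SYN cookies were turned off and the backlog was never raised.
SETTINGS = {
    "block_icmp_ping_broadcasts": True, "enable_syn_cookies": True,
    "enable_tcp_timestamps": True, "enable_selective_acks": True,
    "enable_window_scaling": True, "block_syn_fin": True,
    "syn_backlog_queue_size": 2048,
}
SAMPLE_DUMP = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_max_syn_backlog = 1024
"""

if __name__ == "__main__":
    print(drift(desired_sysctls(SETTINGS), parse_sysctl_dump(SAMPLE_DUMP)))
    print(filter_rules(SETTINGS))
```

Comparing the saved intent against the live kernel state is the check that catches a hardening option silently lost after an upgrade or a console-level change.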

Enabling Traffic Auditing

Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic.

To activate a particular traffic auditing feature:
1 Navigate to the networking > settings > advanced page.
2 Click Advanced to access the Traffic auditing area and configure the following settings:

Direct incoming traffic: Select to log all new connections to all interfaces that are destined for the firewall.
Direct outgoing traffic: Select to log all new connections from any interface.
Forwarded traffic: Select to log all new connections passing through one interface to another.

3 Click Save.

Note: Traffic auditing can potentially generate vast amounts of logging data. Ensure that the quantity of logs generated is acceptable.

Note: Traffic auditing logs are viewable on the information > logs > firewall page. For further information, see Chapter 12, Firewall Logs on page 209.

Dropping Traffic on a Per-interface Basis

All internal traffic destined for Corporate Firewall can be dropped on a per-interface basis. This feature is useful for preventing non-trusted hosts, such as servers in a DMZ, from having direct connectivity to Corporate Firewall.

To drop all direct traffic on a particular internal interface:
1 Navigate to the networking > settings > advanced page and click Advanced.
2 Select the interface in the Drop all traffic on internal interfaces area.
3 Click Save.

Note: Take care not to drop traffic from the interface that is used to administer Corporate Firewall.

Working with Port Groups

You can create and edit named groups of TCP/UDP ports for use throughout Corporate Firewall. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.

Creating a Port Group

To create a port group:
1 Navigate to the networking > settings > port groups page.
2 In the Port groups area, click New and configure the following settings:

Group name: Enter a name for the port group and click Save.
Name: Enter a name for the port or range of ports you want to add to the group.
Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon (:), for example: 1024:65535. To enter non-consecutive numbers, enter the numbers separated by commas (,), for example: 99,200,650
Comment: Optionally, add a descriptive comment for the port or port range.

3 Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups

To add a new port:
1 Navigate to the networking > settings > port groups page.
2 Configure the following settings:

Port groups: From the drop-down list, select the group you want to add a port to and click Select.
Name: Enter a name for the port or range of ports you want to add to the group.
Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon (:), for example: 1024:65535. To enter non-consecutive numbers, enter the numbers separated by commas (,), for example: 99,200,650
Comment: Optionally, add a descriptive comment for the port or port range.

3 Click Add. The port, ports or range are added to the group.

Editing Port Groups


1 2 3 4 To edit a port group: Navigate to the networking > settings > port groups page. From the Port groups drop-down list, select the group you want to edit and click Select. In the Current ports area, select the port you want to change and click Edit.

Deleting a Port Group


1 2 3

To delete a Port group: Navigate to the networking > settings > port groups page. Click Delete.

Note: Deleting a port group cannot be undone.

Ve

From the Port groups drop-down list, select the group you want to delete and click Select.

rs

io

In the Add a new port, edit the port and click Add. The edited port, ports or range is updated.

41

Chapter 5 General Network Security Settings Working with Port Groups

42

Ve

rs

io
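The port syntax above (a single port, a start:end range, or a comma-separated list) is easy to get wrong in a way that no rule ever matches. The following added example, which is not SmoothWall code and assumes a hypothetical group name and rule layout, validates entries in that syntax before they are stored and shows why rules should hold only the group name: one edit to the group changes every rule that uses it.

```python
import re
from typing import Dict, Set

# Matches one entry of the port syntax used on the port groups page: "80"
# or "1024:65535".  Comma-separated lists are split before this is applied.
_ENTRY_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_port_spec(spec: str) -> Set[int]:
    """Expand a port specification into the set of ports it covers.

    Accepts a single port ("80"), a start:end range ("1024:65535") or a
    comma-separated list of either ("99,200,650").  Anything else, such as a
    dash-separated range or a port outside 1-65535, raises ValueError so the
    mistake is caught when the entry is added rather than silently matching
    nothing in every rule that uses the group.
    """
    ports: Set[int] = set()
    for entry in spec.replace(" ", "").split(","):
        match = _ENTRY_RE.match(entry)
        if not match:
            raise ValueError(f"malformed port entry: {entry!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port outside 1-65535: {entry!r}")
        if low > high:
            raise ValueError(f"range start after end: {entry!r}")
        ports.update(range(low, high + 1))
    return ports


class PortGroups:
    """Named port groups holding named entries, as on the port groups page."""

    def __init__(self) -> None:
        self._groups: Dict[str, Dict[str, Set[int]]] = {}

    def new_group(self, group: str) -> None:
        self._groups[group] = {}

    def add_port(self, group: str, name: str, spec: str) -> None:
        # Validate before storing so a bad entry never reaches the rule set.
        self._groups[group][name] = parse_port_spec(spec)

    def remove_port(self, group: str, name: str) -> None:
        del self._groups[group][name]

    def ports(self, group: str) -> Set[int]:
        """All ports currently covered by the group."""
        return set().union(*self._groups[group].values())


def rule_matches(rule: dict, groups: PortGroups, protocol: str, port: int) -> bool:
    """A rule stores only the group *name*, so an edit to the group is picked
    up by every rule that references it without the rules being recreated."""
    return protocol in rule["protocols"] and port in groups.ports(rule["port_group"])


def demo() -> dict:
    """Constructed walk-through: one DMZ service group used by one rule."""
    groups = PortGroups()
    groups.new_group("dmz-services")          # hypothetical group name
    groups.add_port("dmz-services", "http", "80")
    groups.add_port("dmz-services", "https", "443")
    rule = {"protocols": {"tcp"}, "port_group": "dmz-services"}

    before = rule_matches(rule, groups, "tcp", 8443)
    # Adding a service to the group rolls it out to every rule using the group.
    groups.add_port("dmz-services", "alt-https", "8443")
    after = rule_matches(rule, groups, "tcp", 8443)

    try:
        parse_port_spec("1024-65535")          # dash instead of colon
        rejected = False
    except ValueError:
        rejected = True

    return {"before": before, "after": after,
            "udp_80": rule_matches(rule, groups, "udp", 80),
            "bad_entry_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The parser rejects rather than ignores a malformed entry; on a firewall, an entry that parses to nothing widens or narrows a rule silently, which is the failure mode worth guarding against.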

Chapter 6

Configuring Inter-Zone Security

In this chapter: How bridging rules allow access between internal network zones.

About Zone Bridging Rules

By default, all internal network zones are isolated by Corporate Firewall. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.

A zone bridging rule defines a bridge in the following terms:

Term | Description
Zones | Defines the two network zones between which the bridge exists.
Direction | Defines whether the bridge is accessible one-way or bi-directionally.
Source | Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.
Destination | Defines whether the bridge allows access to an individual host, a range of hosts, a network or any hosts.
Service | Defines what ports and services can be used across the bridge.
Protocol | Defines what protocol can be used across the bridge.

It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge, using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge, using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule

To create a zone bridging rule:

1 Navigate to the networking > filtering > zone bridging page.

2 Configure the following settings:

Setting | Description
Source interface | From the drop-down menu, select the source network zone.
Destination interface | From the drop-down menu, select the destination network zone.
Bi-directional | Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface. Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.
Protocol | From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.
Source IP | Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from: a single network host, enter its IP address, for example: 192.168.10.1; a range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15; a subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24; any network host in the source network, leave the field blank.
Destination IP | Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to: a single network host, enter its IP address, for example: 192.168.10.1; a range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15; a subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24; any network host in the destination network, leave the field blank.
Service | From the drop-down list, select the services, port range or group of ports to which access is permitted. Or, leave the field blank to permit access to all ports for the relevant protocol. Note: This is only applicable to TCP and UDP.
Port | If User defined is selected as the destination port, specify the port number. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol.
Comment | Enter a description of the bridging rule.
Enabled | Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules

To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial

In this tutorial, we will use the following two local network zones:

Network zone | IP address | Description
Protected network | 192.168.100.1/24 | Contains local user workstations and confidential business data.
DMZ | 192.168.200.1/24 | Contains a web server.

Note: The DMZ network zone is a DMZ in name alone until appropriate bridging rules are created; neither zone can see or communicate with the other.

In this example, we will create a DMZ that:

- Allows restricted external access to a web server in the DMZ, from the Internet.
- Does not allow access to the protected network from the DMZ.
- Allows unrestricted access to the DMZ from the protected network.

A single zone bridging rule will satisfy the bridging requirements, whilst a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule

To create the rule:

1 Navigate to the networking > filtering > zone bridging page and configure the following settings:

Setting | Description
Source interface | From the drop-down menu, select the protected network.
Destination interface | From the drop-down menu, select the DMZ.
Protocol | From the drop-down list, select All.
Comment | Enter a description of the rule.
Enabled | Select to activate the bridging rule once it has been added.

2 Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server

To allow access to a web server in the DMZ from the Internet:

1 Navigate to the networking > firewall > port forwarding page and configure the following settings:

Setting | Description
Protocol | From the drop-down list, select TCP.
Source | From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.
Destination IP | Enter the IP address of the web server 192.168.200.10.
Comment | Enter a description, such as Port forward to DMZ web server.
Enabled | Select to activate the port forward rule once it has been added.

2 Click Add.

Accessing a Database on the Protected Network

Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network.

To create the rule:

1 Navigate to the networking > filtering > zone bridging page and configure the following settings:

Setting | Description
Source interface | From the drop-down menu, select DMZ.
Destination interface | From the drop-down menu, select Protected Network.
Protocol | From the drop-down menu, select TCP.
Source IP | Enter the web server's IP address: 192.168.200.10
Destination IP | Enter the database's IP address: 192.168.100.50
Service | Select User defined.
Port | The database service is accessed on port 3306. Enter 3306.
Comment | Enter a comment: DMZ web server to Protected Network DB.
Enabled | Select Enabled to activate the bridging rule once the bridging rule has been added.

2 Click Add.
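To make the one-way and narrow-versus-wide semantics of this chapter concrete, here is an added model of how the two tutorial rules decide which connections may be initiated between the zones. It is example code, not SmoothWall's implementation; the zone names, addresses and port are the tutorial's, and the evaluation order and field handling are assumptions about a rule evaluator of this kind.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class BridgeRule:
    """One row of the zone bridging page, with the same field meanings."""
    source_zone: str
    dest_zone: str
    bidirectional: bool = False
    protocol: str = "all"             # "all", "tcp", "udp", "icmp", ...
    source_ip: str = ""               # blank = any host in the source zone
    dest_ip: str = ""                 # blank = any host in the destination zone
    ports: Optional[Set[int]] = None  # None = all ports; only meaningful for TCP/UDP
    enabled: bool = True


def ip_in_spec(spec: str, ip: str) -> bool:
    """Match the address forms the page accepts: blank (any host), a single
    address, an a-b range, or a subnet with a dotted mask or prefix length."""
    if not spec:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return low <= addr <= high
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def _matches_one_way(rule: BridgeRule, from_zone: str, from_ip: str,
                     to_zone: str, to_ip: str, protocol: str, port: Optional[int]) -> bool:
    if (rule.source_zone, rule.dest_zone) != (from_zone, to_zone):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if not (ip_in_spec(rule.source_ip, from_ip) and ip_in_spec(rule.dest_ip, to_ip)):
        return False
    # The service/port restriction applies to TCP and UDP only.
    if protocol in ("tcp", "udp") and rule.ports is not None and port not in rule.ports:
        return False
    return True


def bridge_allows(rules: List[BridgeRule], from_zone: str, from_ip: str,
                  to_zone: str, to_ip: str, protocol: str, port: Optional[int] = None) -> bool:
    """Zones are isolated by default, so a connection may be initiated only if
    an enabled rule matches it in the rule's own direction, or in reverse when
    the rule is bi-directional."""
    for rule in rules:
        if not rule.enabled:
            continue
        if _matches_one_way(rule, from_zone, from_ip, to_zone, to_ip, protocol, port):
            return True
        if rule.bidirectional and _matches_one_way(
                rule, to_zone, to_ip, from_zone, from_ip, protocol, port):
            return True
    return False


# The two rules built in the tutorial: a wide one-way bridge from the
# protected network into the DMZ, and a narrow one from the DMZ web server
# to the database on TCP port 3306 only.
TUTORIAL_RULES = [
    BridgeRule("Protected network", "DMZ", protocol="all"),
    BridgeRule("DMZ", "Protected network", protocol="tcp",
               source_ip="192.168.200.10", dest_ip="192.168.100.50", ports={3306}),
]


if __name__ == "__main__":
    # A workstation reaching the DMZ web server, then the DMZ trying to come back.
    print(bridge_allows(TUTORIAL_RULES, "Protected network", "192.168.100.20",
                        "DMZ", "192.168.200.10", "tcp", 80))
    print(bridge_allows(TUTORIAL_RULES, "DMZ", "192.168.200.10",
                        "Protected network", "192.168.100.20", "tcp", 445))
```

Note what the second rule does not permit: another DMZ host, another protected-network host, another port, or UDP to 3306 are all refused, which is exactly the point of keeping a bridge narrow.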

Chapter 7

Managing Inbound and Outbound Traffic

In this chapter:

- How port forward rules work
- Application helpers which allow traffic passing through the firewall to work correctly
- How to manage outbound access to IP addresses and networks.

Introduction to Port Forwards Inbound Security

Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone.

It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.

Port Forward Rules Criteria

Port forward rules can be configured to forward traffic based on the following criteria:

Criterion | Description
External IP | Forward traffic if it arrived at a particular external interface or external alias.
Source IP | Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Port | Forward traffic if it was destined for a particular port or range of ports.
Protocol | Forward traffic if it uses a particular protocol.
Destination IP | A port forward will send traffic to a specific destination IP.
Destination port | A port forward will send traffic to a specific destination port.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.

Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it. Port forwards allow unknown hosts from the external network to access a particular internal host. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, that preferably contain no confidential or security-sensitive network hosts. Use the networking > filtering > zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, i.e. a DMZ scenario.

Creating Port Forward Rules

To create a port forward rule:

1 Navigate to the networking > firewall > port forwarding page.

2 Configure the following settings:

Control | Description
Protocol | From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward a HTTP request, which is a TCP-based protocol, choose the TCP option.
External IP or network | Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
Connection logging | Select to log all port forwarded traffic.
Source IP | Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
Source service | From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined. Note: Only applies to the protocols TCP and UDP.
User defined | If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Destination IP | Enter the IP address of the network host to which traffic should be forwarded.
Destination service | From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined. Leave this field empty to create a port forward that uses the source port as the destination port.
User defined | If User defined is selected as the destination service, enter a destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.
Comment | Enter a description of the port forward rule.
Enabled | Select to enable the rule.

3 Click Add. The port forward rule is added to the Current rules table.

Editing and Removing Port Forward Rules

To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.
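The destination-port defaulting described under User defined above (blank destination port: a single source port is reused as the target, a range keeps the incoming port) is the part of a port forward most often misread. The following added example, which is not SmoothWall code, models how a rule list resolves an inbound connection to an internal target under those rules; the external alias 198.51.100.1 and client addresses are constructed, and the first rule is the guide's port 80 to port 81 on 192.168.2.60 example. Only the single-address and subnet forms of External IP or network are handled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortForward:
    """One port forward rule with the fields from the page above."""
    protocol: str                        # "tcp" or "udp"
    source_ip: str                       # the external alias the rule applies to
    source_ports: Tuple[int, int]        # Source service as an inclusive A:B range
    dest_ip: str                         # Destination IP
    dest_port: Optional[int] = None      # None = destination port field left blank
    external_net: str = ""               # External IP or network; blank = any host
    enabled: bool = True
    log: bool = False                    # Connection logging


def external_host_allowed(spec: str, ip: str) -> bool:
    """External IP or network: blank allows any host; otherwise a single
    address or a subnet (dotted mask or prefix).  The a-b range form the
    page also accepts is left out of this example."""
    if not spec:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def resolve_forward(rules: List[PortForward], external_ip: str, client_ip: str,
                    protocol: str, port: int) -> Optional[Tuple[str, int]]:
    """Return (destination IP, destination port) for the first enabled rule
    that matches, or None when nothing is forwarded and the connection falls
    to the bad external traffic action."""
    for rule in rules:
        low, high = rule.source_ports
        if not rule.enabled or rule.protocol != protocol or rule.source_ip != external_ip:
            continue
        if not (low <= port <= high) or not external_host_allowed(rule.external_net, client_ip):
            continue
        if rule.dest_port is not None:
            target = rule.dest_port      # explicit User defined destination port
        elif low == high:
            target = low                 # single source port: it is also the target
        else:
            target = port                # range: keep the port the connection came in on
        return rule.dest_ip, target
    return None


# Constructed rule set.  198.51.100.1 stands in for the default external
# alias; the first rule is the guide's port 80 -> 81 on 192.168.2.60 example.
EXAMPLE_RULES = [
    PortForward("tcp", "198.51.100.1", (80, 80), "192.168.2.60", dest_port=81, log=True),
    PortForward("tcp", "198.51.100.1", (1000, 1028), "192.168.2.61"),
    PortForward("udp", "198.51.100.1", (53, 53), "192.168.2.62", external_net="203.0.113.0/24"),
]


if __name__ == "__main__":
    print(resolve_forward(EXAMPLE_RULES, "198.51.100.1", "203.0.113.7", "tcp", 80))
```

The third rule shows the External IP or network field doing its job: the same UDP/53 request from a client outside 203.0.113.0/24 is not forwarded at all.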

Advanced Network and Firewall Settings

The following sections explain network application helpers, how you can manage bad traffic actions and reflective port forwarding.

Network Application Helpers

Corporate Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly.

To activate helper applications:

1 Navigate to the networking > firewall > advanced page. The following helper applications are available:

Application | Description
FTP | IP information is embedded within FTP traffic; this helper application ensures that FTP communication is not adversely affected by the firewall.
IRC | IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
Advanced PPTP client support | When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used. Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
H323 | When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality. See also, Chapter 8, SIP Proxying on page 75.

2 In the Network application helpers area, select the application(s) you require. Optionally, in the Advanced area, select Drop to drop traffic silently. This runs Corporate Firewall in a stealth-like manner and makes things like port scans much harder to do.

3 Click Save.

Managing Bad External Traffic

Using the Bad external traffic action option, you can drop traffic silently which enables you to stealth your firewall and make things like port scans much harder to do. By default, bad traffic is rejected and a No one here ICMP message is bounced back to the sender. This is what Internet hosts are meant to do.

To manage bad external traffic:

1 Navigate to the networking > firewall > advanced page.

2 From the Bad external traffic action drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to keep the default behavior, that is, reject the traffic and notify the sender.

3 Click Save to implement your selection.

Configuring Reflective Port Forwards

By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network. This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would.

To configure reflective port forwards:

1 Navigate to the networking > firewall > advanced page.

2 Select Reflective port forwards and click Save.

Outbound Access

The following sections discuss outbound port and source rules. Port rules are used to create lists of outbound communication rules that can be subsequently applied to individual hosts and networks using source rules.

Port Rule Modes

Port rules can operate in one of two modes:

Mode | Description
Permissive | Reject only outbound requests to the named ports.
Restrictive | Allow only outbound requests to the named ports.

Preset Port Rules

Corporate Firewall supports a maximum of 20 port rule sets, of which the following preset rules are installed by default and can be customized:

Preset port rules | Description
MS ports | Ports commonly associated with Microsoft Windows such as SMB (NetBIOS), Active Directory etc.
Known exploits | Ports associated with many common exploits against a variety of programs and services, including many ports associated with virus attacks.
Basic services | Services common to most user computers, including web browsing (HTTP and HTTPS), email (POP3), DNS etc.
DMZ | Basic ports necessary for hosting servers in a DMZ network.

In addition, the following preset rules are included and cannot be customized:

Preset port rules | Description
Allow all | This port rule allows unrestricted access to the Internet.
Reject all | This port rule denies all outbound access to the Internet.

Creating a Port Rule

To create a port rule:

1 Navigate to the networking > outgoing > ports page.

2 Configure the following settings:

Setting | Description
Port rules | From the drop-down menu, select Empty and click Select.
Port rule name | Enter a name for the port rule. This name will be displayed in the Port rules drop-down list and wherever the rule can be selected.
Reject only listed ports | Select to reject listed ports.
Allow only listed ports | Select to allow listed ports.
Rejection logging | Select if you want to log outbound requests rejected by this rule. Note: This generates a lot of data and should be used with care.
Stealth mode | Select if you want to log but not reject outbound requests.
Block eDonkey | Select to block access to eDonkey and eMule P2P variants.
Block KaZaA | Select to block access to the KaZaA P2P network.
Block Gnutella | Select to block access to the Gnutella and GnutellaNet P2P networks.
Block DirectConnect | Select to block access to the DirectConnect file sharing network.
Block BitTorrent | Select to block the use of the BitTorrent protocol for P2P file transfers.

Note: The dedicated P2P blocking options are provided due to the nature of certain P2P software. Various P2P applications are port-aware and use a number of evasive techniques to circumvent regular outbound access controls. Corporate Firewall is able to detect such activity when these options are activated, and ensure that P2P communication is completely blocked.

3 Click Save. The port rule is added to the Port rules drop-down list.

4 In the Add a new rule area, configure the following settings:

Setting | Description
Protocol | From the drop-down menu, select a network protocol to add to the port rule.
Service | From the drop-down menu, select the service, port, port range or group of ports you want to allow or deny, depending on the rule you are creating. Select User defined to be able to specify a specific port number in the User defined port or range field.
Port | Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
Comment | Enter a description of the rule.
Enabled | Select to enable the rule.

5 Click Add. The rule is added to the Current rules region.

Editing a Port Rule

To edit an existing port rule:

1 Navigate to the networking > outgoing > ports page.

2 Choose the port rule that you wish to edit from the Port rules drop-down list.

3 Click Select to display the port rule and make any changes to the port rule settings using the controls in the Port rules region.

4 Click Save in the Port rules region.

Editing and Removing Protocols and Ports

To edit or remove existing protocols and ports for a port rule, use Edit and Remove in the Current rules region.

Deleting a Port Rule

To delete an existing port rule:

1 Navigate to the networking > outgoing > ports page.

2 Select the port rule that should be deleted using the Port rules drop-down list from the Port rules region. Click Delete.

Viewing a Port Rule

To display the contents of preset or custom port rules:

1 Navigate to the networking > outgoing > ports page.

2 In the Port rules region, choose a set of port rules using the Port rules drop-down list. Click Select. The set of port rules and associated configuration are displayed in the Port rules and Current rules regions.

Source Rules

Source rules are used to assign outbound access controls to IP addresses and networks. Each source rule associates a particular host or network with a preset or customized port rule. When the source IP of an outbound packet originates from a host that is defined in a source rule, Corporate Firewall checks that the packet does not break the port rules assigned to the host. If the packet is destined for a banned port, the packet is rejected. If the packet is destined for an allowed port, the packet is allowed.

Note: Once a packet matches a source rule, it will not be subjected to further rule matching. Source rules cannot be stacked.

Configuring the Default Source Rule Settings

To create a source rule:

1 Navigate to the networking > outgoing > sources page.

2 Configure the following settings:

Setting | Description
Default port rule | From the drop-down list, select the port rule to be applied to outbound packets originating from a source IP that has no matching source rule configured. This value is usually set to one of the preset catch-all port rules, either Allow all or Reject all. Selecting Allow all enables all hosts that are not matched by a source rule to initiate any kind of outbound communication. Selecting Reject all prevents all outbound communication from all non-matching hosts. Best practice is to select Reject all.
Rejection logging | Select to log all traffic rejected by the default or current list of source rules.
Stealth mode | Select to allow all traffic that would normally be rejected by the default port rule and log all traffic information in the firewall logs.

3 Click Save. In the Add a new rule area, configure the following settings:

Setting | Description
Source IP or network | Enter the source IP or network that the selected port rule will affect. To apply the port rule to: a specific host, enter its IP address; a range of network hosts, enter an IP address range, for example, entering the value 192.168.10.10:50 will encompass the range of addresses from 192.168.10.10 to 192.168.10.50; a subnet, enter a source IP and network mask, for example, 192.168.10.0/255.255.255.0 will encompass the range of addresses from 192.168.10.0 to 192.168.10.255.
Port rule | From the drop-down list, select the port rule to apply.
Comment | Enter a description of the rule.
Enabled | Select to enable the rule.

4 Click Add. The source rule is added to the Current rules table.

Editing and Removing Source Rules

To edit or remove existing source rules, use Edit and Remove in the Current rules region.

Managing External Services

You can prevent local network hosts from using external services by creating appropriate source and port rules to stop outbound traffic.

To create an external service rule:

1 Navigate to the networking > outgoing > external services page.

2 Configure the following settings:

Setting | Description
Service | Select Empty from the drop-down list.
Service rule name | Enter a name for the rule.
Protocol | Select the protocol used by the service.
Service | From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Port | If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Rejection logging | Select to log all traffic rejected by the external services rule.
Stealth mode | Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.

3 Click Save. In the Add a new rule area:

Setting | Description
Destination IP | Enter the IP address of the external service to which the rule applies.
Comment | Enter a description of the rule.
Enabled | Select to enable the rule.

4 Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules

To edit or remove existing external service rules, use Edit and Remove in the Current rules area.
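The interaction between port rule modes, source rules and the default port rule is where outbound policy mistakes usually hide: a host matched by an early source rule never reaches a later one, and a restrictive rule with nothing listed allows nothing. The added example below, which is not SmoothWall code, models that decision for the port rule and source rule sections above. The source-address notation (192.168.10.10:50 and net/mask) is the sources page's own; the listed ports in the two custom rule sets are constructed for illustration and are not the contents of the product's presets.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class PortRule:
    """A port rule set: 'permissive' rejects only the listed ports,
    'restrictive' allows only the listed ports."""
    name: str
    mode: str
    entries: Set[Tuple[str, int]] = field(default_factory=set)  # (protocol, port)


# The two presets that cannot be customized: with nothing listed, a
# permissive rule rejects nothing and a restrictive rule allows nothing.
ALLOW_ALL = PortRule("Allow all", "permissive")
REJECT_ALL = PortRule("Reject all", "restrictive")


def port_rule_allows(rule: PortRule, protocol: str, port: int) -> bool:
    listed = (protocol, port) in rule.entries
    return (not listed) if rule.mode == "permissive" else listed


@dataclass
class SourceRule:
    source: str          # "a.b.c.d", "a.b.c.d:N" (range ending at .N) or "net/mask"
    port_rule: PortRule
    enabled: bool = True


def source_matches(spec: str, ip: str) -> bool:
    """The sources page notation: 192.168.10.10:50 covers 192.168.10.10 to
    192.168.10.50; net/mask or net/prefix covers a subnet; otherwise one host."""
    addr = ipaddress.IPv4Address(ip)
    if ":" in spec:
        start, last_octet = spec.split(":", 1)
        low = ipaddress.IPv4Address(start)
        high = ipaddress.IPv4Address(start.rsplit(".", 1)[0] + "." + last_octet)
        return low <= addr <= high
    return addr in ipaddress.ip_network(spec, strict=False)


def outbound_decision(source_rules: List[SourceRule], default_rule: PortRule,
                      src_ip: str, protocol: str, port: int) -> Tuple[str, str]:
    """Pick the port rule for an outbound packet and apply it.  The first
    matching source rule wins and later ones are never consulted (source
    rules cannot be stacked); a host with no match gets the default rule."""
    chosen = default_rule
    for rule in source_rules:
        if rule.enabled and source_matches(rule.source, src_ip):
            chosen = rule.port_rule
            break
    verdict = "allow" if port_rule_allows(chosen, protocol, port) else "reject"
    return verdict, chosen.name


# Constructed rule sets: the listed ports are illustrative only.
BASIC_SERVICES = PortRule("Basic services", "restrictive",
                          {("tcp", 80), ("tcp", 443), ("tcp", 110), ("udp", 53)})
BLOCK_SMB = PortRule("Block SMB (constructed)", "permissive",
                     {("tcp", 139), ("tcp", 445)})
EXAMPLE_SOURCE_RULES = [
    SourceRule("192.168.10.10:50", BASIC_SERVICES),       # workstations
    SourceRule("192.168.10.0/255.255.255.0", BLOCK_SMB),  # rest of the subnet
]


if __name__ == "__main__":
    for host, proto, port in [("192.168.10.20", "tcp", 443), ("192.168.10.20", "tcp", 22),
                              ("192.168.10.200", "tcp", 22), ("192.168.10.200", "tcp", 445),
                              ("192.168.20.5", "tcp", 80)]:
        print(host, proto, port, outbound_decision(EXAMPLE_SOURCE_RULES, REJECT_ALL, host, proto, port))
```

Running it shows the no-stacking rule in action: 192.168.10.20 falls under the first source rule, so the subnet-wide rule that follows is never applied to it, and an unlisted host such as 192.168.20.5 is governed entirely by the default port rule, which is why the guide recommends Reject all there.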

Assigning Rules to Groups

The groups page is used to assign outbound access controls to authenticated groups of users. Each group rule associates a particular authenticated group of users with a preset or customized port rule.

To assign rules to groups:

1 Navigate to the networking > outgoing > groups page.

2 Select Enable authenticated groups.

3 Locate the authentication group in the Group rules region and choose its port rule from the adjacent Port rule drop-down list.

4 Click Save.

Note: Group rules cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and group rules cannot be applied. In this case, only source rules will be applied. Group rules are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.

Chapter 8

Corporate Firewall Services

In this chapter:

- User portals
- Web proxying
- IM proxying
- SIP proxying
- SNMP
- Censoring messages
- IDS
- DNS
- DHCP.

For information on authentication services, see Chapter 10, Authentication and User Management on page 161.

Working with User Portals

Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.

Corporate Firewall enables you to create user portals which can be configured to display reports and software downloads depending on the account used to access the portal. For information on using a portal, see the Corporate Firewall Portal User Guide.

Configuring a Portal

The following section explains how to create a portal and make it accessible to users.

To create a user portal and make it available to users:

1 Browse to the services > user portal > portals page.

2 Configure the following settings:

Setting | Description
Name | Enter a name for the portal and click New.
Enabled | Select to enable the portal.
Top reports displayed on portal home page | From the drop-down list, select the number of reports you want to display on the portal's home page. Corporate Firewall will display the most often viewed reports. For more information, see Chapter 11, Publishing Reports on Portals on page 177.
SSL VPN client archive download | Select this option to make an archive of SSL VPN settings available for download on the portal home page. See Chapter 9, VPNing with SSL on page 130 for information on how to create the archive.
Welcome message | Select to display a welcome message on the portal's home page. You can accept the default welcome message or enter a custom message.

3 Click Save. Corporate Firewall creates the portal.

4 Browse to the services > user portal > groups page.

5 Configure the following settings:

Setting | Description
Group | From the drop-down menu, select the group you want to allow access to the portal. For more information on groups, see Chapter 10, Working with Groups on page 162.
Portal | From the drop-down menu, select the portal you want the group to access.

6 Click Add. Corporate Firewall gives the group access to the portal. See Accessing Portals on page 63 for information on reviewing the portal.

Accessing Portals

The following section explains how to access a portal.

To access a portal:

1 In the browser of your choice, enter the URL to the portal on your Corporate Firewall system, for example: http://192.168.72.141/portal/ Accept any certificate and other security information. Corporate Firewall displays the login page for the portal.

2 Enter a valid username and password and click Login. The portal is displayed.

For more information, see the Corporate Firewall Portal User Guide.

Editing Portals

The following section explains how to edit a portal.

To edit a portal:

1 Browse to the services > user portal > portals page.

2 From the Portals drop-down list, select the portal you want to edit.

3 Make the changes you require, see Configuring a Portal on page 62 for information on the settings available.

4 Click Save to save the changes.

Deleting Portals

The following section explains how to delete a portal.

To delete a portal:

1 Browse to the services > user portal > portals page.

2 From the Portals drop-down list, select the portal you want to delete.

3 Click Delete. Corporate Firewall deletes the portal.

Assigning Groups to Portals

The following section explains how to assign a group to a portal.

To assign a group to a portal:

1 Browse to the services > user portal > groups page.

2 Configure the following settings:

Setting | Description
Group | From the drop-down menu, select the group you want to allow access to the portal. For more information on groups, see Chapter 10, Working with Groups on page 162.
Portal | From the drop-down menu, select the portal you want the group to access.

3 Click Add.

Making User Exceptions


You can configure Corporate Firewall so that a user uses a specific portal. This setting overrides group settings. 1 To make user exceptions on a portal: Browse to the services > user portal > user exceptions page.

Configure the following settings: Setting Username Portal Description

Web Proxy

Corporate Firewalls web proxy service provides local network hosts with controlled access to the Internet with the following features: Transparent or non-transparent operation Caching controls for improved resource access times Support for automatic configuration scripts Support for remote proxy servers.

Ve

Click Add. Corporate Firewall gives the user access to the portal.

rs

Enter the username of the user you want to access the portal. From the drop-down list, select the portal you want the user to access.

io

65

Chapter 8 Corporate Firewall Services Web Proxy

Configuring and Enabling the Web Proxy Service

To configure and enable the web proxy service:
1 Navigate to the services > proxies > web proxy page.
2 Configure the following settings:
Cache size - Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system's total storage capacity, up to a maximum of around 10 gigabytes (approximately 10000 megabytes) for a high performance system with storage capacity in excess of 25 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
Remote proxy - Used to configure the web proxy to operate in conjunction with a remote web proxy. Larger organizations may wish to use a dedicated proxy, or sometimes ISPs offer remote proxy servers to their subscribers. Optionally, enter the address of a remote proxy in the following format: hostname:port. In most scenarios this field will be left blank and no remote proxy will be used.
Remote proxy username - Enter the remote proxy username if using a remote proxy with user authentication.
Remote proxy password - Enter the remote proxy password when using a remote proxy with user authentication.
Max object size - Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.
Min object size - Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. The default is no minimum; this should be suitable for most purposes. This can be useful for preventing large numbers of tiny objects filling the cache.
Max outgoing size - Specify the maximum amount of outbound data that can be sent by a browser in any one request. The default is no limit. This can be used to prevent large uploads or form submissions.
Max incoming size - Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. The default is no limit. This can be used to prevent excessive and disruptive download activity.
Transparent - Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy. All requests are automatically redirected through the cache. This can be used to prevent network hosts from browsing without using the proxy server. In non-transparent mode, proxy server settings (IP address and port settings) must be configured in all browsers. For more information, see About Web Proxy Methods on page 69.
Disable proxy logging - Select to disable the proxy logging.
Enabled - Select to enable the web proxy service.
Allow admin port access - Select to permit access to other network hosts over ports 81 and 441. This is useful for accessing a remote SmoothWall system, or other non-standard HTTP and HTTPS services, through the proxy. In normal circumstances such communication would be prevented.
Note: By selecting this option, it is possible to partially bypass the admin access rules on the system > administration > admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
Do not cache - Enter any domains that should not be web cached. Enter domain names without the www. prefix, one entry per line. This can be used to ensure that old content of frequently updated web sites is not cached.
Exception local IP addresses - Enter any IP addresses on the local network that should be completely exempt from authentication restrictions. Exception local IP addresses are typically used to grant administrator workstations completely unrestricted Internet access.
Banned local IP addresses - Enter any IP addresses on the local network that are completely banned from using the web proxy service. If any hosts contained in this list try to access the web, they will receive an error page stating that they are banned.
No user authentication - Select to allow users to globally access the web proxy service without authentication.
Proxy authentication - Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser. The username and password details are encoded in all future page requests made by the user's browser software.
Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
Core authentication - Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as unauthenticated.
Groups allowed to use web proxy - Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership. Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
Automatic configuration script custom direct hosts - Enter any additional hosts required in the automatic configuration script's list of direct (non-proxy routing) hosts. This is useful for internal web servers such as a company intranet server. All hosts listed will be automatically added to a browser's Do not use proxy server for these addresses proxy settings if the browser accesses the automatic configuration script for its proxy settings.
Note: Browsers must be configured to access the automatic configuration script to receive this list of direct routing hosts.
Use automatic configuration script address - After enabling and restarting the service, the automatic configuration script location is displayed here.
Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by SmoothWall indicate a number of intermittent issues regarding the browser's implementation of this feature. SmoothWall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
Manual web browser proxy settings - After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
Interfaces - Select the interface for the web proxy traffic.
3 Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache.
Note: Save and Restart with cleared cache is used to save configuration changes and empty the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information, typically from failed web-browsing or poorly constructed web sites. The web proxy will be restarted with any configuration changes applied.
Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be suspended and any currently active downloads will fail. It is a good idea to restart when it is convenient for the proxy end-users.
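The following proxy auto-configuration (PAC) script is an added illustration of how the custom direct hosts list behaves from the browser's side; it is not the proxy.pac that Corporate Firewall generates, whose contents this guide does not show. The proxy address and port (192.168.72.141:800) are the guide's own examples; the direct hosts intranet.example.local and *.wiki.example.local are constructed, and the standard PAC helpers isPlainHostName and shExpMatch are re-implemented minimally so the script can be exercised under node.

```javascript
// Added example: a PAC script of the kind served as proxy.pac, showing the
// "custom direct hosts" behaviour. NOT Corporate Firewall's generated script.
// Proxy address and port are the guide's examples; the two intranet hosts
// below are constructed values.

var PROXY = "PROXY 192.168.72.141:800";

// Hosts the browser reaches without the proxy: the firewall itself plus the
// "Automatic configuration script custom direct hosts" entries. Patterns use
// shell-style globs, so "*.wiki.example.local" needs at least one label
// before ".wiki" and does not match the bare "wiki.example.local".
var DIRECT_HOSTS = [
  "192.168.72.141",          // the firewall's own address
  "intranet.example.local",  // assumed company intranet server
  "*.wiki.example.local"     // assumed local wiki, any host in the subdomain
];

// Browsers provide these helpers to PAC scripts; minimal versions are defined
// here so the script also runs outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function shExpMatch(str, shexp) {
  // Escape regex metacharacters, then turn '*' into '.*' and '?' into '.'.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names (e.g. http://intranet/) are local and never proxied,
  // mirroring the "Bypass proxy server for local addresses" browser setting.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }

  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (shExpMatch(host, DIRECT_HOSTS[i])) {
      return "DIRECT";
    }
  }

  // Everything else goes through the web proxy. No "; DIRECT" fallback is
  // appended: if the proxy is down, browsing fails rather than silently
  // bypassing the proxy's authentication, logging and caching controls.
  return PROXY;
}
```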

About Web Proxy Methods

The following sections discuss the types of web proxy methods supported by Corporate Firewall.

Transparent Proxying

If Corporate Firewall's web proxy service has been configured to operate in transparent mode, all HTTP port 80 requests will be automatically redirected through the proxy cache.

If you are having problems with transparent proxying, check that the following settings are not configured in end-user browsers:
Automatic configuration
Proxy server.

Non-Transparent Proxying

If Corporate Firewall's web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Corporate Firewall network zones must be configured. You can configure browser settings:
Manually - Browsers are manually configured to enable Internet access.
Automatically using a configuration script - Browsers are configured to receive proxy configuration settings from an automatic configuration script, proxy.pac. The configuration script is automatically generated by Corporate Firewall and is accessible to all network zones that the web proxy service is enabled on.
WPAD automatic script - Browsers are configured to automatically detect proxy settings, and a local DNS server or Corporate Firewall static DNS has a host wpad.YOURDOMAINNAME added.

Configuring End-user Browsers

The following steps explain how to configure web proxy settings in the latest version of Internet Explorer available at the time of writing.

To configure Internet Explorer:
1 Start Internet Explorer, and from the Tools menu, select Internet Options.
2 On the Connections tab, click LAN settings.
3 Configure the following settings:

Method: Manual
To configure:
1 In the Proxy server area, select Use a proxy server for your LAN.
2 Enter your Corporate Firewall's IP address and port number 800. This information is displayed on the services > proxies > web proxy page, in the Automatic configuration script area.
3 Click Advanced to access more settings.
4 In the Exceptions area, enter the IP address of your Corporate Firewall and any other IP addresses for content that you do not want filtered, for example, your intranet or local wiki.
5 Click OK and OK to save the settings.

Method: Automatic configuration script
To configure:
1 In the Automatic configuration area, select Use automatic configuration script.
2 Enter the location of the script, for example: http://192.168.72.141/proxy.pac. The location is displayed on the services > proxies > web proxy page, in the Automatic configuration script area.
3 Ensure that no other proxy settings are enabled or have entries.
4 Click OK and OK to save the settings.

Method: WPAD
Note: This method is only recommended for administrators familiar with configuring web and DNS servers.
To configure:
1 In the Automatic configuration area, select Automatically detect settings.
2 Click OK and OK to save the settings.
3 On a local DNS server or using Corporate Firewall static DNS, add the host wpad.YOURDOMAINNAME, substituting your domain name. The host must resolve to the Corporate Firewall IP.

When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the front of its fully qualified domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use.
Note: PCs will have had to be configured with the same domain name as the A record for it to work. However, Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on Windows 2000. They suggest that you should use a DHCP auto-discovery method using a PAC file. See the article for more information. This is contrary to some of our testing.

Instant Messenger Proxying

Corporate Firewall's Instant Messenger (IM) proxy service can log the majority of IM traffic. Corporate Firewall can also censor instant messaging content; for more information, see Censoring Instant Message Content on page 80.
Note: Corporate Firewall cannot monitor IM sessions within HTTP requests, such as when Microsoft MSN connects through an HTTP proxy. Neither can Corporate Firewall intercept conversations which are secured by end-to-end encryption, such as provided by Off-the-Record Messaging (http://www.cypherpunks.ca/otr/). However, using SSL Intercept, see below, Corporate Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL.

To configure the instant messaging proxy service:
1 Browse to the services > proxies > instant messenger page.
2 Configure the following settings:
Enabled - Select to enable the instant messaging proxy service.
Enable Message Censor - Select to enable censoring of words usually considered unsuitable. Corporate Firewall censors unsuitable words by replacing them with *s. For more information, see Censoring Instant Message Content on page 80.
Block all file-transfers - Select this setting to block file transfers using certain IM protocols. Currently, when enabled, this setting blocks files transferred using the MSN, ICQ, AIM and Yahoo IM protocols.
Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.
MSN - Select to proxy and monitor Microsoft Messenger conversations.
AIM and ICQ - Select to proxy and monitor ICQ and AIM conversations.
Yahoo - Select to proxy and monitor Yahoo conversations.
Gadu Gadu - Select to proxy and monitor Gadu Gadu conversations.
Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.
Jabber - Select to proxy and monitor conversations which use the Jabber protocol.
Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.
Intercept SSL - Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 74.
Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.
Blocked response - Select to inform IM users that their message or file transfer has been blocked.
Note: This option does not work with the ICQ/AIM protocol.
Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.
Logging warning response - Select to inform IM users that their conversation is being logged.
Note: This option does not work with the ICQ/AIM protocol.
Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.
Blocked response message - Optionally, enter a message to display when a message or file is blocked, or accept the default message. If multiple messages or files are blocked, this message is displayed at 15 minute intervals.
Logging warning response message - Optionally, enter a message to display informing users that their conversations are being logged. This message is displayed once a week.
Automatic whitelisting - Settings here enable you to control who can instant message your local users. Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely.
Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.
Block unrecognized remote users - When this option is selected, any remote users who are not on the white-list are automatically blocked.
Number of current entries - Displays the number of entries currently in the whitelist user list.
Clear Automatic Whitelisted user list - Click to clear the white-list.
White-list users - To whitelist a user, enter their instant messaging ID, for example JohnDoe@hotmail.com.
Black-list users - To blacklist a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.
Enabled on interfaces - Select the interfaces on which to enable IM proxying.
Exception local IP addresses - To exclude specific IP addresses, enter them here.
3 Click Save to save and implement your settings. See Chapter 12, Instant Messaging on page 203 for information on viewing conversations in real time, and Chapter 12, IM Proxy Logs on page 214 for information on instant messaging logging.

Monitoring SSL-encrypted Chats

Corporate Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for encryption.
Note: Using Corporate Firewall to monitor SSL-encrypted IM chats reduces security on IM clients, as the clients are unable to validate the real IM server certificate.

To monitor SSL-encrypted conversations:
1 Browse to the services > proxies > instant messenger page. Enable IM proxying and configure the settings you require. For full information on the settings available, see Instant Messenger Proxying on page 71.
2 Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
3 Click Export Certificate Authority certificate. Corporate Firewall generates a Corporate Firewall CA certificate.
4 Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients. Corporate Firewall will now monitor and log the chats.

SIP Proxying

Corporate Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. SIP normally operates on port 5060, and is used to set up sessions between two parties. In the case of VoIP, it is a Real-time Transport Protocol (RTP) session that is set up, and it is the RTP stream that carries voice data. RTP operates on random unprivileged ports and, as such, is not NAT friendly. For this reason, Corporate Firewall's SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly.

Types of SIP Proxy

There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering proxy, or registrar, allows SIP clients to register so that they may be looked up and contacted by external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened.

Some clients will allow users to configure one SIP proxy (this is invariably the registering proxy); others will allow for two proxies, one to which the client will register, and one which the client uses for access, a pass-through.

Corporate Firewall's SIP proxy is also able to proxy RTP traffic, solving some of the problems involved in setting up VoIP behind NAT.

Choosing the Type of SIP Proxying

As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode, the proxy is only useful as a pass-through. This mode is useful for those clients which do not support a second proxy within their configuration. If all your clients can be properly configured with a second proxy, transparent mode is not required. If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture of operation is possible.

Configuring SIP

To configure and enable the SIP proxy:
1 Browse to the services > proxies > sip page.
2 Configure the following settings:
Enabled - Select to enable the SIP proxy service.
SIP client internal interface - From the drop-down list, select the interface for the SIP proxy to listen for connections on. This is the interface on which you will place your SIP clients.
Logging - Select the logging level required. Select from:
Normal: Just warnings and errors
Detailed: Warnings, errors and informational messages
Very detailed: Everything, including debugging messages.
Log calls - Select if you require individual call logging.
Maximum number of clients - Select the maximum number of clients which can use the proxy. Setting the maximum number of clients is a useful way to prevent malicious internal users performing a DoS on your registering proxy.
Diffserv mark for RTP packets - From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. This traffic can be traffic shaped with SmoothTraffic, if it is installed. The built-in RTP proxy is able to apply a Diffserv mark to all RTP traffic which it proxies. This is useful because it is otherwise quite tricky to define RTP traffic, as it may occur on a wide range of ports. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls. The standard mark is BE, which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, SmoothWall's Quality of Service (QoS) module, if it is installed. In this way, traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP users.
Transparent - The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if a transparent SIP proxy is required. When operating transparently, the SIP proxy is not used as a registrar, but will allow internal SIP devices to communicate properly with an external registrar such as an ITSP.
Exception IPs - Hosts which should not be forced to use the transparent SIP proxy must be listed here.
Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall's NAT.
3 Click Save to enable and implement SIP proxying.

DNS

The following sections discuss domain name system (DNS) services in Corporate Firewall.

Adding Static DNS Hosts

Corporate Firewall can use a local hostname table to resolve internal hostnames. This allows the IP address of a named host to be resolved by its hostname.
Note: Corporate Firewall itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.

To add a static DNS host:
1 Navigate to the services > dns > static dns page.
2 Configure the following settings:
IP address - Enter the IP address of the host you want to be resolved.
Hostname - Enter the hostname that you would like to resolve to the IP address.
Comment - Enter a description of the host.
Enabled - Select to enable the new host being resolved.
3 Click Add. The static host is added to the Current hosts table.

Editing and Removing Static Hosts

To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.

Enabling the DNS Proxy Service

The DNS proxy service is used to provide internal and external name resolution services for local network hosts. In this mode, local network hosts use Corporate Firewall as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names that have been defined in Corporate Firewall's static DNS hosts table.

To enable the DNS proxy service on a per-interface basis:
1 Navigate to the services > dns > dns proxy page.
2 Select each interface that should be able to use the DNS proxy and click Save.
Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup process of Corporate Firewall, the system will use the DNS proxy for name resolution.

Managing Dynamic DNS

Corporate Firewall's dynamic DNS service is useful when using an external connection that does not have a static IP. The dynamic DNS service can operate with a number of third-party dynamic DNS service providers, in order to enable consistent routing to Corporate Firewall from the Internet. Dynamic host rules are used to automatically update leased DNS records by contacting the service provider whenever the system's IP address is changed by the ISP. The following dynamic DNS service providers are supported:
dhs.org
dyndns.org (Dynamic)
dyndns.org (Static)
dyndns.org (Custom)
dyns.cx
easydns.com
ez-ip.net
hn.org
no-ip.com
ods.org
zoneedit.com

Many of these service providers offer a free of charge, basic service.

To create a dynamic host:
1 Navigate to the services > dns > dynamic dns page.
2 Configure the following settings:
Service - From the drop-down list, select your dynamic DNS service provider.
Behind a proxy - Select if your service provider is no-ip.com and the system is behind a web proxy.
Enable wildcards - Select to specify that sub-domains of the hostname should resolve to the same IP address; for example, domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP.
Note: This option cannot be used with no-ip.com; it must be selected from their web site.
Hostname - Enter the hostname registered with the dynamic DNS service provider.
Note: This is not necessary when using dyndns.org as the service provider.
Domain - Enter the domain registered with the dynamic DNS service provider.
Username - Enter the username registered with the dynamic DNS service provider.
Password - Enter the password registered with the dynamic DNS service provider.
Comment - Enter a description of the dynamic DNS host.
Enabled - Select to enable the service.
3 Click Add. The dynamic host will be added to the Current hosts table.

Editing and Removing Dynamic Hosts

To edit or remove existing dynamic hosts, use Edit and Remove in the Current hosts area.

Forcing a Dynamic DNS Update

The dynamic DNS service will update the DNS records for the host whenever the host's IP address changes. However, it may be necessary on some occasions to forcibly update the service provider's records.

To force an update: Click Force update.
Note: Dynamic DNS service providers do not like updating their records when an IP has not changed, and may suspend the user accounts of users they deem to be abusing their service.

Censoring Instant Message Content

Corporate Firewall enables you to create and deploy policies which accept, modify, block and/or log content in instant messages.

Configuration Overview

Configuring a censor policy entails:
Defining custom categories required to cater for situations not covered by the default Corporate Firewall phrase lists; for more information, see Managing Custom Categories on page 81
Configuring time periods during which policies are applied; for more information, see Setting Time Periods on page 82
Configuring filters which classify messages by their textual content; for more information, see Creating Filters on page 83
Configuring and deploying a censor policy consisting of a filter, an action, a time period and a level of severity; see Creating and Applying Messaging Policies on page 84.

Managing Custom Categories

Custom categories enable you to add phrases which are not covered by the default Corporate Firewall phrase lists. The following sections explain how to create, edit and delete custom categories.

Creating Custom Categories

The following section explains how to create a custom category.

To create a custom category:
1 Browse to the services > message censor > custom categories page.
2 Configure the following settings:
Name - Enter a name for the custom category.
Comment - Optionally, enter a description of the category.
Phrases - Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:
(example-exact-phrase) - Corporate Firewall matches exact phrases without taking into account possible spelling errors.
(example-approximate-phrase)(2) - For the number specified, Corporate Firewall uses fuzzy matching to take into account that number of spelling mistakes or typographical errors when searching for a match.
3 Click Add. Corporate Firewall adds the custom category to the current categories list and makes it available for selection on the services > message censor > filters page.
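To make the phrase format above concrete, the following added example (not Corporate Firewall's own code) parses a phrase list in the (phrase) and (phrase)(N) forms, classifies messages against it, and replaces matched text with asterisks as the Enable Message Censor option describes. The three phrases and the test messages are constructed, and "N spelling mistakes" is modelled as Levenshtein edit distance, which is an assumption since the guide does not state how the product counts them.

```javascript
// Added example (not Corporate Firewall code): parser and matcher for the
// custom-category phrase format:
//   (exact phrase)           match only the exact text
//   (approximate phrase)(N)  tolerate up to N spelling mistakes
// "N spelling mistakes" is modelled as Levenshtein edit distance (assumption).

// Constructed sample category, one phrase per line as on the settings page.
const PHRASE_LIST_LINES = `
(buy cheap meds)
(free gift card)(1)
(wire transfer)(2)
`;

function parsePhraseList(text) {
  const phrases = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    const m = /^\(([^()]+)\)(?:\((\d+)\))?$/.exec(line);
    if (m === null) throw new Error("malformed phrase line: " + line);
    phrases.push({ phrase: m[1].toLowerCase(), tolerance: m[2] ? Number(m[2]) : 0 });
  }
  return phrases;
}

// Levenshtein distance: insertions, deletions and substitutions cost 1 each.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Find the span of `text` closest to `phrase`. Tolerance 0 is a plain
// substring search; otherwise every window whose length is within
// `tolerance` of the phrase length is scored and the lowest distance wins.
// Returns {start, end, distance}, or null when nothing is within tolerance.
function findBestMatch(text, phrase, tolerance) {
  if (tolerance === 0) {
    const at = text.indexOf(phrase);
    return at === -1 ? null : { start: at, end: at + phrase.length, distance: 0 };
  }
  let best = null;
  const n = phrase.length;
  for (let start = 0; start < text.length; start++) {
    for (let len = Math.max(1, n - tolerance); len <= n + tolerance; len++) {
      if (start + len > text.length) break;
      const d = editDistance(text.slice(start, start + len), phrase);
      if (d <= tolerance && (best === null || d < best.distance)) {
        best = { start: start, end: start + len, distance: d };
      }
    }
  }
  return best;
}

// The phrases a message matches (what a filter built from this category
// would report).
function classify(message, phrases) {
  const text = message.toLowerCase();
  return phrases
    .filter((p) => findBestMatch(text, p.phrase, p.tolerance) !== null)
    .map((p) => p.phrase);
}

// Replace each matched span with asterisks, as Enable Message Censor does.
// Lower-casing is only used for matching; the indices are applied to the
// original text (ASCII input assumed, so lengths are unchanged).
function censor(message, phrases) {
  let out = message;
  for (const p of phrases) {
    const m = findBestMatch(out.toLowerCase(), p.phrase, p.tolerance);
    if (m !== null) {
      out = out.slice(0, m.start) + "*".repeat(m.end - m.start) + out.slice(m.end);
    }
  }
  return out;
}
```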

Editing Custom Categories

The following section explains how to edit a custom category.

To edit a custom category:
1 Browse to the services > message censor > custom categories page.
2 In the Current categories area, select the category and click Edit.
3 In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Custom Categories

The following section explains how to delete custom categories.

To delete custom categories:
1 Browse to the services > message censor > custom categories page.
2 In the Current categories area, select the category or categories and click Remove.
3 At the top of the page, click Restart to apply the changes.

Setting Time Periods

You can configure Corporate Firewall to apply policies at certain times of the day and/or days of the week.

To set a time period:
1 Browse to the services > message censor > time page.
2 Configure the following settings:
Active from / to - From the drop-down lists, set the time period. Select the weekdays when the time period applies.
Name - Enter a name for the time period.
Comment - Optionally, enter a description of the time period.
3 Click Add. Corporate Firewall creates the time period and makes it available for selection on the services > message censor > policies page.

Editing Time Periods

The following section explains how to edit a time period.

To edit a time period:
1 Browse to the services > message censor > time page.
2 In the Current time periods area, select the time period and click Edit.
3 In the Time period settings, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Time Periods

The following section explains how to delete time periods.

To delete time periods:
1 Browse to the services > message censor > time page.
2 In the Current time periods area, select the period(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.

Creating Filters

Corporate Firewall uses filters to classify messages according to their textual content. SmoothWall supplies a default filter. You can create, edit and delete filters. You can also create custom categories of phrases for use in filters; for more information, see Creating Custom Categories on page 81.

To create a filter:
1 Browse to the services > message censor > filters page.
2 Configure the following settings:
Name - Enter a name for the filter.
Comment - Optionally, enter a description of the filter.
Custom phrase list - Select the categories you want to include in the filter.
3 Click Add. Corporate Firewall creates the filter and makes it available for selection on the services > message censor > policies page.

Editing Filters

You can add, change or delete categories in a filter.

To edit a filter:
1 Browse to the services > message censor > filters page.
2 In the Current filters area, select the filter and click Edit.
3 In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Filters

You can delete filters which are no longer required.

To delete filters:
1 Browse to the services > message censor > filters page.
2 In the Current filters area, select the filter(s) and click Remove.
3 At the top of the page, click Restart to apply the changes.

Creating and Applying Messaging Policies

A message censoring policy consists of a filter, an action, a time period and a level of severity.

To create and apply a message censoring policy:
1 Browse to the services > message censor > policies page.

2 Configure the following settings:

Setting             Description
Service             From the drop-down menu, select one of the following options, then click Select:
                    IM proxy incoming - Select to apply the policy to incoming instant messages.
                    IM proxy outgoing - Select to apply the policy to outgoing instant messages.
Filter              From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 83.
Time period         From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 82.
Action              From the drop-down menu, select one of the following actions:
                    Block - Content which is matched by the filter is discarded.
                    Censor - Content which is matched by the filter is masked but the message is delivered to its destination.
                    Categorize - Content which is matched by the filter is allowed and logged.
                    Allow - Content which is matched by the filter is allowed and is not processed by any other filters.
Log severity level  From the drop-down list, select a level at which to log violations of the policy. You can configure Corporate Firewall to use this information to alert administrators of severe violations of the policy. For more information, see Chapter 12, Alerts on page 192.
Comment             Optionally, enter a description of the policy.
Enabled             Select to enable the policy.

3 Click Add and, at the top of the page, click Restart to apply the policy. Corporate Firewall applies the policy and adds it to the list of current policies.

Editing Policies

You can change the filter, action, time period or severity of an existing policy.

To edit a policy:
1 Browse to the services > message censor > policies page.
2 In the Current policies area, select the policy and click Edit.
3 Edit the settings as required; see Creating and Applying Messaging Policies on page 84 for information on the settings available. When finished, click Add to save your changes.
4 At the top of the page, click Restart to apply the changes.

Deleting Policies

You can delete policies which are no longer required.

To delete policies:
1 Browse to the services > message censor > policies page.
2 In the Current policies area, select the policy or policies and click Remove.
3 At the top of the page, click Restart to apply the changes.

Intrusion Detection System (IDS)

The Intrusion Detection System (IDS) service performs real-time packet analysis on all network traffic in order to detect malicious network activity. IDS can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks. All violations are logged and the resultant data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.

By registering for an Oink code, you can simplify the process of downloading and updating IDS rules. For more information, visit http://smoothwall.net/support/oinkcode/

Configuring the IDS Service

To configure the IDS service:
1 Navigate to the services > ids > intrusion detection system page.
2 Configure the following settings:

Setting                     Description
Custom rules file           Enables you to install customized IDS rules. Click Browse to locate and select the file. Click Upload custom rules to upload and install the rules.
Enable IDS                  Select to enable the IDS service.
Automatic rules             Select to use automatic rules.
                            Note: You will need an Oink code. See below for more information. Updating automatic rules can take several minutes.
Custom rules                Select to use any custom rules uploaded to Corporate Firewall.
                            Note: Custom rules that are not obtained from a reputable source should be used with caution, as the integrity of the source can not be verified. Where the rule author publishes a checksum or signature, compare it against the file you are about to upload.
Use syslog for IDS logging  Select to send IDS logs to a remote syslog server.
                            Note: Do not select this option if you want to send IDS logs to the IDS log viewer. For more information, see Chapter 12, IDS Logs on page 213.
Oink code                   If you are using automatic rules, enter the Oink code associated with them here. For more information, visit http://smoothwall.net/support/oinkcode/ Click Update automatic rules to download and apply the latest rules. Treat the Oink code as a credential: it identifies your registration to the rule download service.

3 Click Save.

Deleting Custom Rules

To delete custom rules:
1 Click Delete custom rules.
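Before uploading a custom rules file from a third party, it is worth checking that it parses and that it does not silently collide with rules you already run. The following is an added example, not part of the SmoothWall guide and not the appliance's own upload code; it assumes the rules are written in Snort rule syntax (the Oink code is a Snort rule-download credential), and the sample rules file embedded in it is constructed for this example. It reports malformed rule headers, rules without a sid, and duplicate sids, and prints the SHA-256 of the file so it can be compared against a digest published by the rule author.

```python
"""Added example (not part of the SmoothWall guide): sanity-check a custom
IDS rules file before uploading it.  Assumes Snort rule syntax.  The
sample file below is constructed for this example."""
import hashlib
import re

# Constructed sample: two well-formed rules, one duplicate sid, one rule
# with no sid option and one line that is not a rule at all.
SAMPLE_RULES = """\
# local rules - constructed sample
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cgi-bin probe"; content:"/cgi-bin/"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; sid:1000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"DNS large query"; dsize:>512; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 8080 (msg:"no sid"; content:"foo";)
this is not a rule
"""

HEADER_RE = re.compile(
    r'^(alert|log|pass|drop|reject|sdrop)\s+'     # action
    r'(tcp|udp|icmp|ip)\s+'                        # protocol
    r'(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*'  # src, sport, direction, dst, dport
    r'\((.*)\)\s*$'                                # option body
)

def parse_rules(text):
    """Return (rules, problems): rules maps sid -> msg for usable rules,
    problems is a list of findings, each tagged with its line number."""
    rules, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: malformed rule header")
            continue
        options = m.group(8)
        sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', options)
        msg = re.search(r'\bmsg\s*:\s*"([^"]*)"\s*;', options)
        if not sid:
            problems.append(f"line {lineno}: rule has no sid")
            continue
        sid = int(sid.group(1))
        if sid in rules:
            problems.append(f"line {lineno}: duplicate sid {sid}")
            continue
        rules[sid] = msg.group(1) if msg else ""
    return rules, problems

def sha256_hex(text):
    """Digest of the file exactly as it will be uploaded, for comparison
    with a digest published by the rule author."""
    return hashlib.sha256(text.encode()).hexdigest()

if __name__ == '__main__':
    rules, problems = parse_rules(SAMPLE_RULES)
    print(f"{len(rules)} usable rules, {len(problems)} problems")
    for p in problems:
        print(" ", p)
    print("sha256:", sha256_hex(SAMPLE_RULES))
```

Run it against the file you intend to upload instead of SAMPLE_RULES; a duplicate sid is worth fixing before upload because the engine will otherwise report both rules under one identifier in the IDS log viewer.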

DHCP

Corporate Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain an IP address and other network settings.

Corporate Firewall DHCP provides a fully featured DHCP server, with the following capabilities:
  Support for 2 DHCP subnets
  Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
  Automate the creation of static assignments using the ARP cache

Enabling DHCP

To enable DHCP:
1 Navigate to the services > dhcp > global page.
2 Configure the following settings:

Setting         Description
Enabled         Select to enable the DHCP service.
Enable logging  Select to enable logging.

3 Click Save to enable the service.

Creating a DHCP Subnet

The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.

To create a DHCP subnet:
1 Navigate to the services > dhcp > dhcp server page.
2 Configure the following settings:

Setting          Description
DHCP Subnet      From the drop-down menu, select Empty and click Select.
Subnet name      Enter a name for the subnet.
Network          Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the Netmask field. For example: 192.168.10.0.
Netmask          Define the subnet range by entering a network mask, for example 255.255.255.0.
Primary DNS      Enter the value that a requesting network host will receive for the primary DNS server it should use.
Secondary DNS    Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.
Default gateway  Enter the value that a requesting network host will receive for the default gateway it should use.
Enabled          Determines whether the DHCP subnet is currently active.

Click Advanced to access the following settings:

Setting                     Description
Primary WINS                Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Secondary WINS              Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
Primary NTP                 Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature.
                            Tip: Enter Corporate Firewall's IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 239 for more information.
Secondary NTP               Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature.
                            Tip: Enter Corporate Firewall's IP address and clients can use its time services if enabled. See Chapter 13, Setting Time on page 239 for more information.
Default lease time (mins)   Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
Max lease time (mins)       Enter the lease time limit in minutes to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
TFTP server                 Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.
Network boot filename       Specify to the network booting client which file to download when booting off the above TFTP server.
Domain name suffix          Enter the domain name suffix that will be appended to the requesting host's hostname.
Automatic proxy config URL  Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature. Because clients will send their web traffic through whatever proxy the PAC file names, host the file on a server under your control.

3 Click Save.

Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.

Editing a DHCP subnet

To edit a DHCP subnet:
1 Navigate to the services > dhcp > dhcp server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Edit the settings displayed in the Settings area.
4 Click Save.

Deleting a DHCP subnet

To delete a DHCP subnet:
1 Navigate to the services > dhcp > dhcp server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Click Delete.

Adding a Dynamic Range

Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can dynamically allocate to requesting hosts.

To add a dynamic range to an existing DHCP subnet:
1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
3 In the Add a new dynamic range area, configure the following settings:

Setting        Description
Start address  Enter the start of the IP range from which the DHCP server should supply dynamic addresses. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
End address    Enter the end of the IP range from which the DHCP server should supply dynamic addresses. For example, enter 192.168.10.15. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
Comment        Enter a description of the dynamic range.
Enabled        Select to enable the dynamic range.

4 Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.

Adding a Static Assignment

Static assignments are used to allocate fixed IP addresses to nominated hosts. This is done by referencing the unique MAC address of the requesting host's network interface card. This ensures that certain hosts are always leased the same IP address, as if they were configured with a static IP address. Note that a MAC address is an identifier, not a credential: any host that presents the same MAC address will receive the same lease, so a static assignment is not a substitute for authentication.

To add a static assignment to an existing DHCP subnet:
1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment area and configure the following settings:

Setting      Description
MAC address  Enter the MAC address of the network host's NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal digits, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
IP address   Enter the IP address that the host should be assigned.
Comment      Enter a description of the static assignment.
Enabled      Select to enable the assignment.

4 Click Add static. The static assignment is added to the Current static assignments table.

Adding a Static Assignment from the ARP Table

In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table. The ARP table lists whatever hosts have recently spoken on the network, so check each entry against your inventory before turning it into an assignment.

To add a static assignment from the ARP cache to an existing DHCP subnet:
1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment from ARP table area.
4 Select one or more MAC addresses from those listed and click Add static from ARP table.
5 Click Save.

Editing and Removing Assignments

To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.
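The subnet, dynamic range and static assignment pages above each warn about a different consistency condition (addresses must fall inside the subnet, and a statically assigned address must not sit inside a dynamic range). The following is an added example, not from the SmoothWall guide and not the appliance's own validation, that checks a planned subnet for those conditions before you type it in. It also normalises MAC addresses written in the separator styles the MAC address setting accepts. The plan it checks is constructed sample data built around the guide's 192.168.10.0 / 255.255.255.0 example.

```python
"""Added example (not from the SmoothWall guide): check a planned DHCP
subnet for the consistency rules the guide states.  PLAN is constructed
sample data; nothing here reads the appliance's real configuration."""
import ipaddress
import re

PLAN = {
    "network": "192.168.10.0",
    "netmask": "255.255.255.0",
    "dynamic_ranges": [("192.168.10.100", "192.168.10.199")],
    "static": [
        ("12:34:56:78:9A:BC", "192.168.10.20"),   # consistent
        ("12 34 56 78 9a bd", "192.168.10.150"),  # inside the dynamic range
        ("12-34-56-78-9A-BE", "192.168.11.5"),    # outside the subnet
        ("12:34:56:78:9A:BC", "192.168.10.21"),   # MAC already assigned
        ("12:34:56:78:9A", "192.168.10.22"),      # malformed MAC
    ],
}

def normalise_mac(text):
    """Accept six hex pairs separated by spaces, colons, dashes or dots and
    return the canonical lower-case colon form, or None if malformed."""
    pairs = re.split(r'[\s:.-]+', text.strip())
    if len(pairs) != 6 or not all(re.fullmatch(r'[0-9A-Fa-f]{2}', p) for p in pairs):
        return None
    return ':'.join(p.lower() for p in pairs)

def check_plan(plan):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    problems = []
    subnet = ipaddress.ip_network(f"{plan['network']}/{plan['netmask']}", strict=True)
    ranges = []
    for start, end in plan["dynamic_ranges"]:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s not in subnet or e not in subnet:
            problems.append(f"dynamic range {start}-{end} is outside {subnet}")
            continue
        if e < s:
            problems.append(f"dynamic range {start}-{end} ends before it starts")
            continue
        ranges.append((s, e))
    seen = {}
    for mac_text, ip_text in plan["static"]:
        mac = normalise_mac(mac_text)
        if mac is None:
            problems.append(f"malformed MAC address {mac_text!r}")
            continue
        if mac in seen:
            problems.append(f"MAC {mac} already assigned {seen[mac]}")
            continue
        ip = ipaddress.ip_address(ip_text)
        if ip not in subnet:
            problems.append(f"static {ip} for {mac} is outside {subnet}")
        elif any(s <= ip <= e for s, e in ranges):
            problems.append(f"static {ip} for {mac} lies inside a dynamic range")
        seen[mac] = ip

    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

The strict=True on ip_network makes the check fail loudly if the Network field has host bits set (for example 192.168.10.1 with a /24 mask), which is the same mistake the server page's Network setting warns about.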

Viewing DHCP Leases

To view DHCP leases:
1 Navigate to the services > dhcp > dhcp leases page.
2 To include expired (free) leases as well as active ones, select Show free leases. Click Update. The following information is displayed:

Field        Description
IP address   The IP address assigned to the network host which submitted a DHCP request.
Start time   The start time of the DHCP lease granted to the network host that submitted a DHCP request.
End time     The end time of the DHCP lease granted to the network host that submitted a DHCP request.
MAC address  The MAC address of the network host that submitted a DHCP request.
Hostname     The hostname assigned to the network host that submitted a DHCP request.
State        The current state of the DHCP lease. The state can be either Active, that is, currently leased; or Free, that is, expired but still reserved for the same MAC address, and re-used for other hosts only if not enough free addresses are available.

Creating Custom DHCP Options

Corporate Firewall enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:
1 Browse to the services > dhcp > dhcp custom options page.
2 Configure the following settings:

Setting      Description
Option code  From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated (it is the de facto option for the proxy auto-config URL).
Option type  From the drop-down list, select the option type:
             IP address - Select when creating an option which uses an IP address.
             Text - Select when creating an option which uses text.
Description  Enter a description for the option. This description is displayed on the services > dhcp > dhcp server page.
Comment      Optionally, enter any comments relevant to the option.
Enabled      Select to enable the option.

3 Click Add. Corporate Firewall creates the option and lists it in the Current custom options area. For information on using custom options, see Creating a DHCP Subnet on page 88.
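To see what a client actually receives when a custom option of either type is configured, it helps to look at the bytes on the wire. DHCP options are carried as code, length, value (RFC 2132), and the page's two option types map onto a 4-byte address payload and an ASCII payload respectively. The following is an added example, not from the SmoothWall guide and not the appliance's DHCP server: it builds the option bytes for a custom option, enforcing the 128 to 254 range and the 252 exclusion stated above, and parses them back as a client would. The option code 150 for a SIP directory server and the values used are assumptions for illustration, not SmoothWall defaults.

```python
"""Added example (not from the SmoothWall guide): encode and decode the raw
bytes of a custom DHCP option.  Codes and values are illustrative."""
import ipaddress

SITE_SPECIFIC = range(128, 255)  # codes the custom options page offers
RESERVED = {252}                  # excluded by the page (proxy auto-config URL)

def encode_option(code, opt_type, value):
    """Return the code/length/value bytes for a custom option, or raise ValueError."""
    if code not in SITE_SPECIFIC or code in RESERVED:
        raise ValueError(f"option code {code} is not available for custom options")
    if opt_type == "ip":
        payload = ipaddress.IPv4Address(value).packed      # 4 bytes, network order
    elif opt_type == "text":
        payload = value.encode("ascii")
    else:
        raise ValueError(f"unknown option type {opt_type!r}")
    if not 1 <= len(payload) <= 255:                        # length field is one byte
        raise ValueError("option value must be 1-255 bytes")
    return bytes([code, len(payload)]) + payload

def decode_options(data):
    """Parse a run of options (pad bytes allowed, 0xFF terminates) into {code: bytes}."""
    out, i = {}, 0
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:            # pad byte, no length field
            i += 1
            continue
        code, length = data[i], data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

if __name__ == "__main__":
    # Assumed: code 150 carries a SIP directory server address, 160 a text value.
    blob = (encode_option(150, "ip", "192.168.10.5")
            + encode_option(160, "text", "sip.example.invalid")
            + b"\xff")
    print(blob.hex())
    print(decode_options(blob))
```

The decoder is deliberately minimal; a real client also has to cope with truncated options, which a DHCP server under an attacker's control can send, so production parsers bounds-check the length byte against the remaining buffer.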


Chapter 9

Virtual Private Networking

In this chapter: All about VPN and tunnels.

Corporate Firewall VPN Features

Corporate Firewall contains a rich set of Virtual Private Network (VPN) features:

Feature                 Description
IPSec site-to-site      Industry-standard IPSec site-to-site VPN tunneling.
L2TP road warriors      Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows. No client software required; the software is part of the Windows operating system.
IPSec road warriors     Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
SSL VPN                 Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user's computer/laptop.
Authentication          Industry-standard X509 certificates or Pre-Shared Keys (subnet VPN tunnels).
Certificate management  Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
Tunnel controls         Individual controls for all VPN tunnels.
Internal VPNs           Support for VPNs routed over internal networks.
Logging                 Comprehensive logging of individual VPN tunnels.

What is a VPN?

A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance. In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors. The P in VPN refers to the encryption and authentication employed to maintain a level of privacy equivalent to that one would expect from the traditional circuit which a VPN typically replaces.

There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well established and open Internet standard. Many implementations of this standard exist, and generally all vendors of network security products will have an offering in their product portfolio. VPNs are mostly used to link multiple branch office networks together (site-to-site VPNs), or to connect mobile and home users (road warriors) to their office network. The network route between the ends of a site-to-site or road warrior VPN is provided by a VPN tunnel. Tunnels can be formed between two VPN gateways. All data traversing the tunnel is encrypted, thus making the content of the tunnel unintelligible and therefore private to the outside world. Note that the outer packet headers, that is, the addresses of the two gateways and the volume and timing of traffic between them, remain visible to anyone on the path.

VPN Tunnel Types

You can create the following types of VPN tunnel using Corporate Firewall:

Tunnel type   Description
Site-to-site  Links networks to each other using an external medium (typically the Internet).
Road warrior  Links individual mobile or home-based clients to a host network, using an external medium (typically the Internet).

About VPN Gateways

A VPN gateway is a network device responsible for managing incoming and outgoing VPN connections. A VPN gateway must perform a number of specific tasks:
  Allow VPN tunnels to be configured.
  Authenticate the other end of a VPN connection, i.e. ensure it can be identified and trusted.
  Encrypt all data presented to the VPN tunnel into secure data packets.
  Decrypt secure data received from the VPN tunnel.
  Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
  Route all data received from the tunnel to the correct computer on the LAN.
  Allow VPN tunnels to be managed.

Administrator Responsibilities

A network administrator has three responsibilities:
  Specify the tunnel: define the tunnel on each VPN gateway.
  Configure authentication: define a secure means for each VPN gateway to identify the other.
  Manage tunnels: control the opening and closing of tunnels.

About VPN Authentication

Authentication is the process of validating that a given entity, that is a person, system or device, is actually who or what it identifies itself to be. Since VPN gateways are not usually in the same physical location, it is not readily determinable that either gateway is genuine.

A gateway that initiates a VPN connection must be assured that the remote gateway is the right one. Conversely, the remote gateway must be assured that the initiating gateway is not an impostor. Corporate Firewall supports several authentication methods that can be used to validate a VPN gateway's identity:

Authentication method  Description
Pre-Shared Key         Usually referred to as PSK, this is a simple authentication method based on a secret that both gateways are configured with in advance. For more information, see PSK Authentication on page 97.
X509                   An industry-strength and internationally recognized authentication method using a system of digital certificates, as published by the ITU-T and ISO standardization bodies. For more information, see X509 Authentication on page 97.
Username/password      In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.

A more in-depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.

PSK Authentication

To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared secret that only they know. When initiating a VPN connection, neither gateway sends the secret itself. Instead, each gateway proves that it knows the secret by computing a keyed hash over the values exchanged during the negotiation and sending that hash; the other gateway recomputes it with its own copy of the secret. If the values match, each gateway knows that the other holds the same secret and must be genuine, and a secure, trusted VPN tunnel can be established.

The simplicity of PSK is both its strength and its weakness. Whilst PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also require multiple tunnels to use the same password, highly undesirable if your organization intends to create multiple road warrior VPN connections. PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required. Whilst it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse.
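The exchange described above, reduced to its essentials, as an added example that is not part of the SmoothWall guide and is not the appliance's IKE implementation: each gateway sends a random nonce and an HMAC, keyed with the pre-shared key, over both nonces and its own identity; the peer recomputes the HMAC with its copy of the key. The key itself never crosses the network. Gateway names and keys are constructed sample values.

```python
"""Added example (not from the SmoothWall guide): mutual proof of a
pre-shared key without transmitting it.  Identities, keys and nonces are
constructed sample values."""
import hashlib
import hmac
import os

def prove(psk, my_id, my_nonce, peer_nonce):
    """Value a gateway sends to prove it holds psk.  Binding the sender's
    identity into the hash stops a peer from simply echoing it back."""
    msg = my_id.encode() + my_nonce + peer_nonce
    return hmac.new(psk, msg, hashlib.sha256).digest()

def verify(psk, peer_id, peer_nonce, my_nonce, proof):
    """Recompute the peer's proof with our copy of the key; constant-time compare."""
    expected = prove(psk, peer_id, peer_nonce, my_nonce)
    return hmac.compare_digest(expected, proof)

def handshake(key_a, key_b, id_a="gw-london", id_b="gw-leeds", rng=os.urandom):
    """Run the exchange between gateway A (holding key_a) and gateway B
    (holding key_b).  Returns (A accepts B, B accepts A); both are True
    only when the two keys are identical."""
    nonce_a, nonce_b = rng(32), rng(32)              # exchanged in the clear
    proof_a = prove(key_a, id_a, nonce_a, nonce_b)   # A -> B
    proof_b = prove(key_b, id_b, nonce_b, nonce_a)   # B -> A
    return (verify(key_a, id_b, nonce_b, nonce_a, proof_b),
            verify(key_b, id_a, nonce_a, nonce_b, proof_a))

if __name__ == "__main__":
    good = b"correct horse battery staple"          # constructed sample key
    print("matching keys   :", handshake(good, good))
    print("mismatched keys :", handshake(good, b"wrong key"))
```

The weakness the guide describes is visible here: an eavesdropper who records one nonce pair and the accompanying proof can test candidate keys offline at leisure, so a PSK that is a memorable phrase shared among colleagues is only as strong as that phrase.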

X509 Authentication

In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.

About Digital Certificates

A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies its owner, and contains the following information:

Information      Description
Subject          Information about who the certificate was issued to, their country, company name etc.
Issuer           Information about the CA that created and signed the certificate.
Certificate ID   An alternative identifier for the certificate owner in abbreviated form.
Validity period  The start and expiry dates, during which time the certificate is valid.

Certificates contain information about both the owner, i.e. the subject, and the issuer, i.e. the CA. However, this alone does not show whether the certificate is a forgery. To prove authenticity, X509 utilizes public-key cryptography.

Public-key cryptography is a mechanism that involves the use of a mathematically related pair of keys, one called a private key and the other called a public key. The mathematical relationship allows a signature made with the private key to be verified with the public key, and data encrypted with the public key to be decrypted only with the private key. It is computationally infeasible to derive the private key from the public key. If the private key is kept secret by its owner, and the public key is freely accessible to all, any signature that verifies under the public key can only have been made by the private key owner. This concept is exploited by CAs to sign all certificates they create, thus proving that the certificate is genuine.

To sign a certificate, the CA computes a signature over the content of the certificate using its private key. The signature is inserted into the certificate, much like a watermark or other security feature is added to a passport by a government. Anybody wishing to determine the authenticity of the certificate can verify the CA's signature using the public key obtainable from the issuing CA. If the signature verifies and the issuer details declared in the certificate match that CA, the certificate is proven to have been issued by it.

However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further step. The certificate itself is public, but only its rightful owner holds the matching private key, so during the VPN negotiation the presenting gateway must sign data from that exchange with its private key. The other gateway verifies this signature using the public key contained in the certificate. It is then established both that the certificate was issued by the specified CA (the CA's signature verifies with the CA's public key) and that the presenter holds the private key belonging to the certificate (the negotiation signature verifies with the certificate's public key).

Corporate Firewall and Digital Certificates

Corporate Firewall is equipped to handle all aspects of setting up a self-contained X509 authentication system. Corporate Firewall enables you to:
  Create a trusted CA.
  Create signed digital certificates.
  Manage exporting and installing certificates on other Corporate Firewall / VPN gateway systems.

Alternatively, digital certificates can be leased from companies like Verisign or Thawte and then imported, or they can be created by a separate CA such as the one included in Microsoft Windows 2000. The use of a local Corporate Firewall CA is recommended as a more convenient and equally secure approach. It is usual for a single CA to provide certificates for an entire network of peer systems, but there are alternative schemes that use multiple CAs which will be discussed later.

Configuration Overview

The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior VPNs, internal VPNs and management in great depth. As an overview to these sections, it is worthwhile outlining the steps required to create a typical site-to-site VPN connection:
1 On the master Corporate Firewall system, create a local Certificate Authority. For details, see Creating a CA on page 100.
2 Create certificates for the master Corporate Firewall system and the remote Corporate Firewall system.
3 Install the master Corporate Firewall's certificate as its default local certificate.
4 Create a tunnel specification on the master Corporate Firewall system that points to the remote Corporate Firewall system.
5 Export the CA certificate and the remote Corporate Firewall certificate from the master Corporate Firewall system.
6 Import the CA certificate on the remote Corporate Firewall system, as exported by step 5.
7 Import and install the remote Corporate Firewall system's certificate, as exported by step 5.
8 Create a tunnel specification on the remote Corporate Firewall system that matches the one created by step 4.
9 Bring the connection up.
10 Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 43.

Note: Unlike the CA certificate, the remote system's certificate exported in step 5 must carry that system's private key for step 7 to work. Transfer it over a secure channel and delete any intermediate copies once it has been installed.

Please follow the relevant sections below for details on how to complete the steps outlined above.

Note: For VPN configuration tutorials, see VPN Tutorials on page 146.

Working with CAs and Certificates

A Certificate Authority (CA) is an implicitly trusted system that is responsible for issuing and managing digital certificates. A certificate created by a known CA can be authenticated as genuine. The following sections explain how to create a local CA using Corporate Firewall, for the purpose of creating certificates for VPN tunnel authentication. They also explain how to export and import CA certificates so that a remote Corporate Firewall has knowledge of the CA. Maintenance tasks such as how to delete CAs are also discussed.

Creating a CA

To create your own certificates for use in VPN tunnel authentication, you require access to at least one CA. It is possible to purchase certificates from an externally managed CA, but this can be inconvenient and costly. This section explains how to create a CA using Corporate Firewall. If you already have a CA on your network, it may be useful to use that, in which case refer to Importing Another CA's Certificate on page 102.

To create a CA:
1 Navigate to the vpn > ca page.
2 Configure the following settings:

Setting              Description
Common name          Enter an easily identifiable name.
Email                Enter an administrative email address.
Organization         Enter an organizational identifier.
Department           Enter a departmental identifier.
Locality or town     Enter a locality or town.
State or province    Enter a state or province.
Country              Enter a two letter country code.
Life time            From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days)  If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.

3 Click Create Certificate Authority. The local CA is created and displayed.

Exporting the CA Certificate

Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems, which can use it to authenticate digital certificates issued by the CA. There are two different export formats.

To export the CA certificate:
1 Navigate to the vpn > ca page and configure the following settings:

Setting        Description
Name           In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format  From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available:
               CA certificate in PEM - A Base64-encoded ASCII (textual) certificate format. Select this format if the certificate is to be used on another SmoothWall system.
               CA certificate in BIN - A binary (DER) certificate format. Select this format if the certificate is to be used on a system which requires it. Consult the system's documentation for more information.

2 Click Export and choose to save the file to disk from the dialog box launched by your browser. You can deliver the certificate to another system without any special confidentiality requirements since it contains only public information. Its integrity does matter, however: whoever can substitute a different CA certificate on the receiving system can issue certificates that system will trust, so confirm the certificate's fingerprint with the receiving administrator over a channel you trust before it is imported.

Chapter 9 Virtual Private Networking Working with CAs and Certificates

Importing Another CA's Certificate
To authenticate a signed certificate produced by a non-local CA, you must import the non-local CA's certificate into Corporate Firewall. This is usually done on secondary Corporate Firewall systems so that they can authenticate certificates created by a master Corporate Firewall system's CA.

Note: The certificate must be in PEM format to be imported.

To import the CA's certificate:
1 Navigate to the vpn > ca page.
2 In the Import Certificate Authority certificate area, click Browse.
3 Locate and open the CA's certificate that you wish to import.
4 Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority certificates area.

Deleting the Local Certificate Authority and its Certificate
To delete the local CA and its certificate:
1 Navigate to the vpn > ca page.
2 In the Delete local Certificate Authority region, select Confirm delete.
3 Click Delete Certificate Authority.

Note: Deleting the local CA will invalidate all certificates that it has created.

Once the local CA has been deleted, the Create local Certificate Authority region will be displayed. This change in layout occurs because a CA no longer exists on the Corporate Firewall system. The Create local Certificate Authority region replaces the Delete local Certificate Authority region.

Deleting an Imported CA Certificate
To delete an imported CA's certificate:
1 Navigate to the vpn > ca page.
2 Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
3 Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates region and Corporate Firewall will not be able to authenticate any certificates created by it.

Managing Certificates
The following sections explain how to create, view, import, export and delete certificates in Corporate Firewall.

Creating a Certificate
Once a local Certificate Authority (CA) has been created, you can generate certificates. The first certificate created is usually for the Corporate Firewall system that the CA is installed on. This is because the Corporate Firewall VPN gateway is a separate entity to the CA, and therefore requires its own certificate. It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways, i.e. all other Corporate Firewall systems.

To create a new signed certificate:
1 Navigate to the vpn > certs page.
2 Scroll to the Create new signed certificate area and configure the following settings:

Setting                Description
Common name            Enter a common name for the certificate, for example Head Office.
ID type                From the drop-down menu, select the certificate's ID type. The options are:
                       No ID: Not recommended but available for inter-operability with other VPN gateways.
                       Host & Domain Name: Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name.
                       IP address: Recommended for site-to-site VPNs whose gateways use static IP addresses.
                       Email address: Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended.
ID value               Enter an ID value. For a site-to-site Corporate Firewall VPN this is typically a hostname. For a road warrior this is usually the user's email address.
Email                  Enter an email address for the individual or host system that will own this certificate.
Organization           Enter an organizational identifier for the certificate owner.
Department             Enter a departmental identifier for the certificate owner.
Locality or town       Enter a locality or town for the certificate owner.
State or province      Enter a state or province for the certificate owner.
Country                Enter a two letter country code.
Life time              From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days)    If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.

3 Click Create signed certificate. The certificate is listed in the Installed signed certificates area.

Reviewing a Certificate
You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.

To review a certificate:
1 Navigate to the vpn > certs page.
2 Locate the certificate that you wish to view in the Installed signed certificates region.
3 Click the certificate name. The content is displayed in a new browser window. Close the browser window to return to Corporate Firewall.

Exporting Certificates
Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.

To export a certificate:
1 Navigate to the vpn > certs page and scroll to the Installed signed certificates area.
2 Select the certificate you want to export and configure the following settings:

Setting          Description
Export format    From the drop-down menu, select the format in which to export the certificate. The following formats are available:
                 Certificate in PEM: An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Corporate Firewall to Corporate Firewall VPN connections.
                 Certificate in DER: A binary certificate format for use with non-Corporate Firewall VPN gateways.
                 Private key in DER: Exports just the private key in binary for use with non-Corporate Firewall VPN gateways.

3 Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Exporting in the PKCS#12 Format
PKCS#12 is a container format used to transport a certificate and its private key. It is recommended for use in all Corporate Firewall to Corporate Firewall VPNs and L2TP road warriors.

To export a certificate in the PKCS#12 container format:
1 Navigate to the vpn > certs page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to export.
3 Enter and confirm a password in the Password and Again fields.
4 Click Export certificate and key as PKCS#12.
5 Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software. The PKCS#12 file will be saved to the browser's local file system.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Importing a Certificate
Corporate Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Corporate Firewall systems, for example, branch office systems connecting to a head office that has a Corporate Firewall system and CA.

To import a certificate:
1 Navigate to the vpn > certs page.
2 In the Import certificates area, configure the following settings:

Setting                   Description
Password                  Enter the password that was specified when the certificate was created.
Import PKCS#12 filename   To import a certificate in PKCS#12 format:
                          1 Click Browse and navigate to and select the certificate file.
                          2 Click Import certificate and key from PKCS#12.
Import PEM filename       To import a certificate in PEM format:
                          1 Click Browse and navigate to and select the certificate file.
                          2 Click Import certificate from PEM.

Corporate Firewall imports the signed certificate and lists it in the Installed signed certificates area.

Deleting a Certificate
To delete an installed certificate:
1 Navigate to the vpn > certs page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3 Click Delete. The signed certificate will be removed from the Installed signed certificates region.
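The PEM and binary (DER) formats used by the CA import (which accepts PEM only) and the certificate export procedures above, as an added example that is not Corporate Firewall code: it classifies a certificate file by format and converts between the two by base64-wrapping or unwrapping the DER bytes, checking the ASN.1 length header each way. The sample DER objects it uses are constructed stand-ins, not real certificates.

```python
"""PEM and DER handling for certificate files exchanged between systems.

Added example, not Corporate Firewall code. PEM is the ASCII (textual) form:
the DER bytes, base64-encoded in 64-character lines between BEGIN/END lines.
The binary export formats are the raw DER bytes. The samples below are
constructed minimal ASN.1 SEQUENCEs, not real certificates, so the example
runs offline.
"""
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(der: bytes) -> int:
    """Return the total length encoded by the outer ASN.1 SEQUENCE header.

    A certificate is always a SEQUENCE (tag 0x30). Short-form lengths (< 128)
    occupy one byte; long-form lengths have a count byte followed by that many
    big-endian length bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER object must start with a SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first
    count = first & 0x7F
    if count == 0 or count > 4 or len(der) < 2 + count:
        raise ValueError("malformed DER length")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def sniff_format(data: bytes) -> str:
    """Classify a certificate file as 'PEM' or 'DER'; raise if it is neither."""
    if data.lstrip().startswith(b"-----BEGIN "):
        if not PEM_RE.search(data):
            raise ValueError("PEM header without a matching END line")
        return "PEM"
    if der_outer_length(data) != len(data):
        raise ValueError("DER length header does not match the file size")
    return "DER"


def pem_to_der(pem: bytes) -> bytes:
    """Decode a single PEM block to its DER bytes, checking the ASN.1 framing."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("not a PEM block")
    der = base64.b64decode(b"".join(match.group(2).split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("PEM body is not a single well-formed DER object")
    return der


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    if der_outer_length(der) != len(der):
        raise ValueError("input is not a single well-formed DER object")
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    head = f"-----BEGIN {label}-----\n".encode()
    tail = f"-----END {label}-----\n".encode()
    return head + b"".join(line + b"\n" for line in lines) + tail


def ensure_pem_for_import(data: bytes) -> bytes:
    """The CA import accepts PEM only: pass PEM through, convert a binary export."""
    return data if sniff_format(data) == "PEM" else der_to_pem(data)


# Constructed sample: SEQUENCE { INTEGER 5, PrintableString "ca" } (9 bytes).
SAMPLE_DER = bytes.fromhex("300702010513026361")
# Constructed long-form sample: SEQUENCE of 64 NULLs, length bytes 0x81 0x80.
SAMPLE_LONG_DER = b"\x30\x81\x80" + b"\x05\x00" * 64


if __name__ == "__main__":
    pem = ensure_pem_for_import(SAMPLE_DER)
    print(pem.decode())
    print(sniff_format(pem), pem_to_der(pem) == SAMPLE_DER)
```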

Setting the Default Local Certificate
One of the most important configuration tasks is to set the default local certificate on each Corporate Firewall host. The default local certificate should be the certificate that identifies its host.

To set the default local certificate:
1 Navigate to the vpn > global page.
2 In the Default local certificate region, select the host's certificate from the Certificate drop-down list and click Save. This certificate will now be used by default in all future tunnel specifications, unless otherwise specified.
3 When prompted by Corporate Firewall, click Restart to deploy the certificate.

Site-to-Site VPNs IPSec
The following sections explain how to create a site-to-site VPN tunnel between two Corporate Firewall systems. The tunnel will use the IPSec protocol to create a secure, encrypted tunnel between head office and a branch office.

Recommended Settings
For Corporate Firewall to Corporate Firewall connections, the following settings are recommended for maximum security and optimal performance:
Encryption: AES
Authentication type: ESP
Hashing algorithm: SHA
Perfect Forward Secrecy: enabled
Compression: enabled (unless predominant VPN traffic is already encrypted or compressed).

Creating an IPsec Tunnel
To create a site-to-site tunnel:
1 On the Corporate Firewall at head office, browse to the vpn > ipsec subnets page.

Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Corporate Firewall to Corporate Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 146.

2 Configure the following settings:

Setting                  Description
Name                     Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled                  Select to enable the connection.
Local IP                 Enter the IP address of the external interface used on the local Corporate Firewall host.
                         Note: This field should usually be left blank to automatically use the default external IP (recommended).
Local network            Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.

Local ID type            From the drop-down list, select the type of the ID that will be presented to the remote system. The choices available are:
                         Default local Certificate Subject: Uses the subject field of the default local certificate as the local certificate ID.
                         Local IP: Uses the local IP address of the host as the local certificate ID.
                         User specified Host & Domain Name: Uses a user specified host and domain name as the local certificate ID.
                         User specified IP address: Uses a user specified IP address as the local certificate ID.
                         User specified Email address: Uses a user specified email address as the local certificate ID.
                         User specified Certificate Subject: Uses a user specified certificate subject as the local certificate ID.
                         Note: User specified types are mostly used when connecting to non-Corporate Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Local ID value           In most cases, you can leave this field blank because its value will be automatically retrieved by Corporate Firewall during the connection process (according to the chosen ID type). This field is only used if the local ID type is a User specified type (this is typically used when connecting to non-Corporate Firewall VPN gateways).
Remote IP or hostname    Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network           This should specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
Remote ID type           From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices are:
                         Remote IP (or ANY if blank Remote IP): The remote ID is the remote IP address, or any other form of presented ID.
                         User specified Host & Domain Name: Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID.
                         User specified IP address: Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
                         User specified Email address: Allows the user to specify a custom email address that it should expect the remote gateway to present as ID.
                         User specified Certificate Subject: Allows the user to specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non-Corporate Firewall VPN gateways).
Remote ID value          Enter the value of the ID used in the certificate that the remote peer is expected to present.

Authenticate by          From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 96.
Preshared key            Enter the preshared key when PSK is selected as the authentication method.
Preshared key again      Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Use compression          Select to compress tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For non-encrypted, uncompressed traffic, compression is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.
Initiate the connection  Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Comment                  Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.

3 Optionally, click Advanced.

Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Corporate Firewall to Corporate Firewall VPN connections.

4 Enter the following information:

Setting                  Description
Local certificate        This is used in non-standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 138.
Interface                Select which interface will be used for this connection, either on external or internal interfaces. PRIMARY means the connection will be on the external interface.
Perfect Forward Secrecy  Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.

Authentication type      Select the authentication type used during the authentication process. This setting should be the same on both tunnel specifications of two connecting gateways.
                         ESP: Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
                         AH: IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Phase 1 cryptographic algo   Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
                         3DES: A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
                         AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
                         AES 256: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
                         Blowfish: This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.
                         CAST: This algorithm uses a DES-like crypto system with a 128 bit key (also known as CAST-128 or CAST5).
                         Twofish: This algorithm is based on Blowfish, and is a former NIST AES finalist designed to replace the DES algorithm. Although NIST selected the Rijndael algorithm, Twofish is as strong as AES and can outperform it in some scenarios.
Phase 1 hash algo        Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
                         MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
                         SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.
Phase 2 cryptographic algo   Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.

Phase 2 hash algo        Selects the hashing algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.
Key life                 Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
Key tries                Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
IKE lifetime             Set how frequently the Internet Key Exchange keys are re-exchanged.
Do not rekey             Select to disable re-keying. This can be useful when working with NAT-ed endpoints.

5 Click Add to create the tunnel.

IPSec Site to Site and X509 Authentication Example
This example explains how to create a site-to-site IPSec tunnel using X509 authentication between two Corporate Firewall systems.

Prerequisite Overview
For details on how to complete each of these pre-requisite steps, refer to the previous sections.
1 Create a CA on the local system.
2 Create certificates for the local and remote systems using Host and Domain Name as the ID type.
3 Install the local certificate as the default local certificate on the local system.
4 Export the CA certificate in PEM format.
5 Export the remote certificate in the PKCS#12 container format.
6 Import the certificate on the remote system.
7 Install the imported certificate as the default local certificate on the remote system.
Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.

Creating the Tunnel specification on the Primary System
To create the tunnel specification on the primary system:
1 On the primary system, navigate to the vpn > ipsec subnets page.
2 Enter a descriptive name for the tunnel into the Name field.

3 Select the Enabled option to ensure that the tunnel can be activated once configuration is completed.
4 Leave the Local IP field blank so that it is automatically generated as the default external IP address at connection time.
5 Specify the local network that the secondary system will be able to access in the Local network field. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
6 Choose Default local Certificate Subject from the Local ID type drop-down list. This will identify the primary system to the secondary system by using the subject field of the certificate installed as the primary system's default local certificate. For a reminder of ID types and values, see Creating an IPsec Tunnel.
7 Leave the Local ID value field blank as its value will be automatically retrieved by Corporate Firewall during the connection process (this will be the value of the default local certificate's Certificate ID field, as chosen in the previous step).
8 If the secondary system has a static IP address or hostname, enter it into the Remote IP or hostname field. If the secondary system has a dynamic IP address, leave the Remote IP or hostname field blank.
9 Specify the network on the secondary system that the primary system will be able to access in the Remote network field. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
10 Choose the User specified Host & Domain Name option from the Remote ID type menu in order to match the ID type of the secondary system's default local certificate.
11 Enter the ID value (the hostname) of the secondary system's default local certificate into the Remote ID value field.
12 Choose the Certificate provided by peer option from the Authenticate by drop-down list. This will instruct Corporate Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
13 Leave the Preshared key fields blank; they are irrelevant when authenticating using certificates.
14 Select the Use compression option to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.
15 Leave the Initiate the connection option un-ticked. It will be the responsibility of all secondary systems to initiate their own connection to the primary Corporate Firewall system.
16 Enter a descriptive comment into the Comment field. For example, Tunnel to Branch Office.
17 Click Add to create the tunnel specification and add it to the Current tunnels region.

Note: The advanced settings are left to their default values in this example. The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel Specification on the Secondary System
To create the tunnel specification on the secondary system:
1 On the secondary system, navigate to the vpn > ipsec subnets page.
2 Enter a descriptive name for the tunnel into the Name field.
3 Select the Enabled option to ensure that the tunnel can be activated once configuration is completed.

4 Leave the Local IP field blank so that it is automatically generated as the default external IP address at connection time.
5 Specify the local network that the primary system will be able to access in the Local network field. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
6 Choose Default local Certificate Subject from the Local ID type drop-down list. This will identify the secondary system to the primary system by using the subject field of the certificate installed as the secondary system's default local certificate.
7 Leave the Local ID value field blank as its value will be automatically retrieved by Corporate Firewall during the connection process (this will be the value of the default local certificate's subject alt. name field, as chosen in the previous step).
8 Enter the external IP address of the primary system into the Remote IP or hostname field. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus it requires a destination IP address in order to make first contact.
9 Specify the network on the primary system that the secondary system will be able to access in the Remote network field. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
10 Choose User specified Host & Domain Name from the Remote ID type menu. This matches the primary system's certificate type of Host and Domain Name (as listed in the previous Prerequisite configuration overview section).
11 Enter the ID value (the hostname) of the primary system's default local certificate into the Remote ID value field.
12 Choose the Certificate provided by peer option from the Authenticate by drop-down list. This will instruct Corporate Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.
13 Leave the Preshared key fields blank; they are irrelevant when authenticating using certificates.
14 Select Use compression if it was selected on the primary system.
15 Select the Initiate the connection option, as the secondary system is responsible for its connection to the primary Corporate Firewall system.
16 Enter a descriptive comment into the Comment field. For example, Tunnel to Head Office.
17 Click Add. All advanced settings can be safely left at their defaults.

Checking the System is Active
Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To ensure the VPN subsystem is active on both systems:
1 On the primary system, navigate to the vpn > control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the vpn > control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the IPSec tunnel
Next, the secondary system should initiate the VPN connection.

To initiate the VPN connection:
1 On the secondary system, navigate to the vpn > control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 43.
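The tunnel parameter rules above (settings that must match on both gateways, Key tries on a non-initiating gateway, Remote IP on the initiating side, ID values, preshared key fields) and the Recommended Settings list, as an added consistency check that is not Corporate Firewall code: it reviews a primary/secondary pair of tunnel specifications before they are entered and reports mismatches and non-recommended choices. The pair it builds follows the X509 example; the field names, addresses and hostnames are assumptions.

```python
"""Consistency check for a primary/secondary pair of IPsec tunnel specifications.

Added example, not Corporate Firewall code. It encodes the rules from the tunnel
parameter table and the Recommended Settings list and applies them to a
constructed pair modelled on the X509 example; field names, addresses and
hostnames are assumptions.
"""
from dataclasses import dataclass


@dataclass
class TunnelSpec:
    name: str
    local_network: str
    remote_network: str
    local_id_type: str = "Default local Certificate Subject"
    local_id_value: str = ""           # only used for User specified types
    remote_ip: str = ""                # may be blank if the peer is dynamic
    remote_id_type: str = "User specified Host & Domain Name"
    remote_id_value: str = ""
    authenticate_by: str = "Certificate provided by peer"
    preshared_key: str = ""
    preshared_key_again: str = ""
    use_compression: bool = False
    initiate: bool = False
    # Advanced settings; defaults follow the Recommended Settings list.
    pfs: bool = True
    auth_type: str = "ESP"
    phase1_crypto: str = "AES 256"
    phase1_hash: str = "SHA"
    phase2_crypto: str = "AES 256"
    phase2_hash: str = "SHA"
    key_tries: int = 0                 # 0: retry endlessly


# Settings the parameter table says must be the same on both gateways.
MUST_MATCH = ("authenticate_by", "use_compression", "pfs", "auth_type",
              "phase1_crypto", "phase1_hash", "phase2_crypto", "phase2_hash")


def check_single(s):
    """Rules that apply to one specification on its own."""
    out = []
    if s.initiate and not s.remote_ip:
        out.append(f"error {s.name}: initiating side needs a Remote IP or hostname")
    if not s.initiate and s.key_tries == 0:
        out.append(f"warn {s.name}: non-initiating gateway should not use Key tries 0")
    if s.local_id_type.startswith("User specified") and not s.local_id_value:
        out.append(f"error {s.name}: User specified Local ID type needs a Local ID value")
    if s.remote_id_type.startswith("User specified") and not s.remote_id_value:
        out.append(f"error {s.name}: User specified Remote ID type needs a Remote ID value")
    if s.authenticate_by == "Preshared Key":
        if not s.preshared_key:
            out.append(f"error {s.name}: PSK authentication needs a Preshared key")
        elif s.preshared_key != s.preshared_key_again:
            out.append(f"error {s.name}: Preshared key fields do not match")
    elif s.preshared_key or s.preshared_key_again:
        out.append(f"warn {s.name}: Preshared key is irrelevant with certificates")
    # Recommended Settings: AES, ESP, SHA and PFS enabled.
    if s.auth_type == "AH":
        out.append(f"warn {s.name}: AH authenticates but does not encrypt; use ESP")
    if not s.pfs:
        out.append(f"warn {s.name}: Perfect Forward Secrecy is disabled")
    for attr in ("phase1_hash", "phase2_hash", "phase1_crypto", "phase2_crypto"):
        value = getattr(s, attr)
        if value == "MD5" or (attr.endswith("crypto") and not value.startswith("AES")):
            out.append(f"warn {s.name}: {attr} is {value}; SHA/AES recommended")
    return out


def check_pair(a, b):
    """Rules that span both ends of the tunnel; returns all findings for the pair."""
    out = check_single(a) + check_single(b)
    for attr in MUST_MATCH:
        if getattr(a, attr) != getattr(b, attr):
            out.append(f"error {attr} differs: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    if a.authenticate_by == b.authenticate_by == "Preshared Key":
        if a.preshared_key != b.preshared_key:
            out.append("error preshared keys differ between the two gateways")
    if a.local_network != b.remote_network or a.remote_network != b.local_network:
        out.append("error Local network and Remote network do not mirror each other")
    if not (a.initiate or b.initiate):
        out.append("error neither gateway initiates the connection")
    return out


def x509_example_pair():
    """Constructed head office / branch pair following the X509 example."""
    head = TunnelSpec("Tunnel to Branch Office", "192.168.10.0/255.255.255.0",
                      "192.168.20.0/255.255.255.0", key_tries=3,
                      remote_id_value="branch.example.invalid")
    branch = TunnelSpec("Tunnel to Head Office", "192.168.20.0/255.255.255.0",
                        "192.168.10.0/255.255.255.0", remote_ip="203.0.113.1",
                        initiate=True, remote_id_value="headoffice.example.invalid")
    return head, branch
```

Changing one advanced setting on a single side (for example Use compression or the Phase 1 hash) is reported as a mismatch by check_pair, which is the error class the table's "must be the same on both gateways" notes warn about.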

IPSec Site to Site and PSK Authentication
Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls.

Creating the Tunnel Specification on Primary System
To create the local (primary) tunnel specification:
1 On the primary system, navigate to the vpn > ipsec subnets page.
2 Enter a descriptive name for the tunnel into the Name field.
3 Select the Enabled option to ensure that the tunnel can be activated once configuration is completed.
4 Leave the Local IP field blank so that it is automatically generated as the default external IP address at connection time.
5 Specify the local network that the secondary system will be able to access in the Local network field. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
6 Choose Local IP from the Local ID type drop-down list. This will identify the primary system to the secondary system by using the local IP address of the primary system's external IP address.
7 Leave the Local ID value field blank as it will be automatically generated since Local IP was chosen in the previous step.
8 If the secondary system has a static IP address or hostname, enter it into the Remote IP or hostname field. If the secondary system has a dynamic IP address, leave the Remote IP or hostname field blank.
9 Specify the network on the secondary system that the primary system will be able to access in the Remote network field. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
10 Choose Remote IP (or ANY if blank Remote IP) from the Remote ID type menu. This will allow the primary system to use the secondary's IP address (if one was specified).
11 Enter the ID value (the local IP address) of the secondary system into the Remote ID value field.
12 Choose the Preshared Key option from the Authenticate by drop-down list. This will instruct Corporate Firewall to authenticate the secondary system by validating a shared pass phrase.

14 15 16 17 18 19

Enter a passphrase into the Preshared Key password field. Repeat the pass phrase entered in the Preshared Key password field in the Preshared Key again password field. Select the Use compression option if you wish to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power. Leave the Initiate the connection option un-ticked. It will be the responsibility of all secondary systems to initiate their own connection to the primary Corporate Firewall system. Enter a descriptive comment into the Comment field. For example, Tunnel to Birmingham Branch. Click Add. All advanced settings can be safely left at their defaults. The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel Specification on the Secondary System

To create the secondary tunnel specification:

1 On the secondary system, navigate to the vpn > ipsec subnets page.
2 Enter a descriptive name for the tunnel into the Name field.
3 Select the Enabled option to ensure that the tunnel can be activated once configuration is completed.
4 Leave the Local IP field blank so that it is automatically generated as the default external IP address at connection time.
5 Choose Local IP from the Local ID type drop-down list. This will identify the primary system to the secondary system by using the local IP address of the primary system's external IP address.
6 Leave the Local ID value field blank as it will be automatically generated since Local IP was chosen in the previous step.
7 Enter the external IP address of the primary system into the Remote IP or hostname field. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus it requires a destination IP address in order to make first contact.
8 Specify the network on the primary system that the secondary system will be able to access in the Remote network field. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
9 Specify the local network that the primary system will be able to access in the Local network field. This should be given in the IP address / network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
10 Choose Remote IP (or ANY if blank Remote IP) from the Remote ID type menu. This will allow the primary system to use the secondary's IP address (if one was specified).
11 Enter the ID value (the local IP address) of the secondary system into the Remote ID value field.
12 Choose the Preshared Key option from the Authenticate by drop-down list. This will instruct Corporate Firewall to authenticate the secondary system by validating a shared pass phrase.
13 Enter the same passphrase that was entered in the Preshared Key password fields on the primary system.
14 Select the Use compression option if compression was enabled on the primary system.
15 Select the Initiate the connection option as it is the responsibility of the secondary system to initiate its connection to the primary Corporate Firewall system.
16 Enter a descriptive comment into the Comment field. For example, Tunnel to Head Office.

SmoothWall Corporate Firewall Administrators Guide

17 Click Add. All advanced settings can be safely left at their defaults.
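As an added example (not part of the guide and not SmoothWall code), the following Python check compares a primary and a secondary tunnel specification for the mismatches the steps above warn about: mirrored Local/Remote networks, the same pre-shared key, Initiate the connection ticked only on the secondary, a non-blank Remote IP on the secondary, and identical compression and advanced settings. The dict field names, the addresses and the passphrase are constructed assumptions.

```python
"""Consistency check for a primary/secondary pair of IPSec site-to-site
tunnel specifications. Added example, not SmoothWall code: the keys mirror
the vpn > ipsec subnets form fields, but the dict layout and every sample
value below are constructed."""
import ipaddress

ADVANCED = {"authentication_type": "ESP", "pfs": True,
            "phase1_crypto": "AES 256", "phase1_hash": "SHA",
            "phase2_crypto": "AES 256", "phase2_hash": "SHA"}

PRIMARY_SPEC = {                  # entered on the head office system
    "enabled": True,
    "local_ip": "",               # blank: default external IP at connect time
    "remote_ip": "",              # may be blank: the secondary initiates
    "local_network": "192.168.10.0/255.255.255.0",
    "remote_network": "192.168.20.0/255.255.255.0",
    "authenticate_by": "Preshared Key",
    "preshared_key": "constructed-example-passphrase",
    "use_compression": True,
    "initiate": False,
    "advanced": dict(ADVANCED),
}

SECONDARY_SPEC = {                # entered on the branch system
    "enabled": True,
    "local_ip": "",
    "remote_ip": "203.0.113.10",  # primary's external address (constructed)
    "local_network": "192.168.20.0/255.255.255.0",
    "remote_network": "192.168.10.0/255.255.255.0",
    "authenticate_by": "Preshared Key",
    "preshared_key": "constructed-example-passphrase",
    "use_compression": True,
    "initiate": True,
    "advanced": dict(ADVANCED),
}


def network(text):
    """Parse the guide's 'address/netmask' (or CIDR) form; None if invalid."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def check_pair(primary, secondary):
    """Return a list of mismatches; an empty list means the two specs agree."""
    problems = []
    for role, spec in (("primary", primary), ("secondary", secondary)):
        if not spec["enabled"]:
            problems.append(f"{role}: tunnel is not enabled")
        if spec["authenticate_by"] != "Preshared Key":
            problems.append(f"{role}: not authenticating by Preshared Key")
        for field in ("local_network", "remote_network"):
            if network(spec[field]) is None:
                problems.append(f"{role}: {field} is not address/netmask")
    # Each side's Remote network must be the other side's Local network.
    if network(primary["remote_network"]) != network(secondary["local_network"]):
        problems.append("primary Remote network != secondary Local network")
    if network(secondary["remote_network"]) != network(primary["local_network"]):
        problems.append("secondary Remote network != primary Local network")
    # Both ends must validate the same pass phrase, and it must not be empty.
    if not primary["preshared_key"]:
        problems.append("pre-shared key is empty")
    elif primary["preshared_key"] != secondary["preshared_key"]:
        problems.append("pre-shared keys differ")
    # Only the secondary initiates, so only it needs the peer's address.
    if primary["initiate"]:
        problems.append("primary should not initiate")
    if not secondary["initiate"]:
        problems.append("secondary must initiate")
    if not secondary["remote_ip"]:
        problems.append("secondary Remote IP or hostname cannot be blank")
    # Compression and all advanced settings must agree on both gateways.
    if primary["use_compression"] != secondary["use_compression"]:
        problems.append("Use compression differs")
    for key in sorted(set(primary["advanced"]) | set(secondary["advanced"])):
        if primary["advanced"].get(key) != secondary["advanced"].get(key):
            problems.append(f"advanced setting {key} differs")
    return problems


if __name__ == "__main__":
    print("matching pair:", check_pair(PRIMARY_SPEC, SECONDARY_SPEC) or "OK")
    # A branch that forgot to tick Initiate and left Remote IP blank.
    broken = {**SECONDARY_SPEC, "initiate": False, "remote_ip": ""}
    for problem in check_pair(PRIMARY_SPEC, broken):
        print("broken pair:", problem)
```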

Checking the System is Active

Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To check the system is active:

1 On the primary system, navigate to the vpn > control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the vpn > control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the PSK tunnel

Next, the secondary system should initiate the VPN connection.

To activate the tunnel:

1 On the secondary system, navigate to the vpn > control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 43.

About Road Warrior VPNs

This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network. Corporate Firewall supports two different VPN protocols for creating road warrior connections:

L2TP: L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems (especially Windows XP and Windows 2000, which feature built-in support). There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.

IPSec: IPSec road warrior connections use the same technology that Corporate Firewall uses to create site-to-site VPNs. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec road warriors must have IPSec client software installed and configured to connect to Corporate Firewall. IPSec road warriors can be configured to connect to any internal network.

Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 146.

Configuration Overview

Typically, a road warrior connection is configured as follows:

1 Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2 Decide which VPN protocol best suits your road warrior's needs: L2TP for Win 2000/XP, IPSec for all others.
3 Decide which internal networks and what IP ranges to allocate to road warriors.
4 Create the tunnel specification on the Corporate Firewall system.
5 Install the certificate and any necessary client software on the road warrior system and configure.
6 Connect.
7 Ensure that inbound and outbound access to the road warrior has been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 43.

When a road warrior connects to Corporate Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network. You can route to other subnets, including other VPN-connected ones. Other machines on the same internal network can see the client, just as if it was plugged into the network directly.

Each user requires their own tunnel, so create as many tunnels as there are road warriors.

When configuring a tunnel, the Client IP setting is used to assign the road warrior's IP address on the local network. This IP address must match the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior).

Each road warrior must use a unique, unused IP address. Typically, you would choose a group of IP addresses outside of either the DHCP range, or statically assigned machines such as servers.

IPSec Road Warriors

Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:

Each connection can be routed to a different internal network.
Each connection can use different types of cryptographic and authentication settings.
Client software will need to be installed on road warrior systems.

Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate.

Creating an IPSec Road Warrior

To create an IPSec road warrior connection:

1 Navigate to the vpn > ipsec roadwarriors page.
2 Configure the following settings:

Setting: Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to activate the tunnel once it has been added.
Local network: Enter the IP address and network mask combination of the local network. For example, 192.168.10.0/255.255.255.0.
Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/3 Accordingly, enter the value 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field.
Local ID type: From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections.
Local ID value: If you chose a User Specified ID type, enter a local ID value.
Remote ID type: From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID.
Remote ID value: Enter the value of the ID used in the certificate that the road warrior is expected to present.

Authenticate by: From the drop-down list, if the road warrior's certificate is installed, select it. If the certificate was created by a different CA, choose Certificate presented by peer. Authenticating by a named certificate is recommended for ease of management.
Use compression: Select to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.
Comment: Enter a descriptive comment, for example, IPSec connection to Joe Blogg's on .240.

3 Click Advanced and enter the following information:

Setting: Description
Local certificate: This is used in less standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 138.
Interface: Used to specify whether the road warrior will connect via an external IP or an internal interface.
Perfect Forward Secrecy: This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
Authentication type: Provides a choice of ESP or AH security during the authentication process. For further details, see below. This setting should be the same on both tunnel specifications of two connecting gateways.
ESP: Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
AH: IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.

Setting: Description
Phase 1 cryptographic algo: This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES: A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
AES 256: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
Blowfish: This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.
Twofish: This algorithm is based on Blowfish, and is a former NIST AES finalist designed to replace the DES algorithm. Although NIST selected the Rijndael algorithm, Twofish is as strong as AES and can outperform it in some scenarios.
CAST: This algorithm uses a DES-like crypto system with a 128 bit key (also known as CAST-128 or CAST5).
Phase 1 hash algo: This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.
Phase 2 cryptographic algo: This selects the encryption algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.
Phase 2 hash algo: This selects the hashing algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.
Key life: This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.

Key tries: This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
IKE lifetime: Sets how frequently the Internet Key Exchange keys are re-exchanged.
Do not Rekey: Turns off re-keying, which can be useful for example when working with NATed end-points.

4 Click Add at the bottom of the page to add the tunnel to the list of current tunnels.

Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection. For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs.

Supported IPSec Clients

SmoothWall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems:

SafeNet SoftRemote 10
SafeNet SoftRemote 9
SafeNet SoftRemote LT

Creating L2TP Road Warrior Connections

This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features:

All connections share the same, globally specified subnet.
Mostly supported by Microsoft operating systems (built-in support on Windows 2000 and XP).
Very easy to configure.

Creating a Certificate

The first task when creating an L2TP road warrior connection is to create a certificate. For further information, see Creating a Certificate on page 103. A road warrior certificate is typically created using the user's email address as the certificate ID.

Configuring L2TP and SSL VPN Global Settings

To configure L2TP and SSL VPN global settings:

1 Navigate to the vpn > global page.
2 Configure the following settings:

Setting: Description
L2TP and SSL VPN client configuration settings: Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.
L2TP settings: From the drop-down list, select the internal network that L2TP road warriors will be connected to.
SSL VPN groups: Optionally, click Advanced to display the SSL VPN groups area. By default, all authentication groups are allowed VPN access via SSL VPN. From the list displayed, de-select any authentication groups which should not be allowed VPN access via SSL VPN.

3 Click Save.

Creating an L2TP Tunnel

To create an external L2TP road warrior connection:

1 Navigate to the vpn > l2tp roadwarriors page.
2 Click Advanced to display all settings and configure the following settings:

Setting: Description
Name: Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.
Enabled: Select to activate the tunnel once it has been added.
Client IP: Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.
Username: Enter a username for this connection.
Password: Enter a password for the tunnel.
Again: Re-enter the password to confirm it.
Authenticate by: From the drop down list, select one of the following options:
Certificate presented by peer: If the certificate was created by a different CA, choose this option. Authenticating by a named certificate is recommended for ease of management.
Common Name's organization certificate: The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer's public certificate.
Comment: Enter a descriptive comment.
Local certificate: Click Advanced. From the drop-down list, select the default local certificate to provide Corporate Firewall's default local certificate as proof of authenticity to the connecting road warrior.
Interface: Select PRIMARY.

3 Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.

Using NAT-Traversal

Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems. IPSec normally uses Protocol 50, which embeds IP addresses within the data packets; standard NATing will not change these addresses, and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this situation, the VPN cannot work. However, Corporate Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T uses the UDP Protocol instead of Protocol 50 for IPSec VPN traffic; UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.

Note: NAT-T is a VPN gateway feature, not a NATing feature.

Note: Any IPSec VPN client connections from a local network behind Corporate Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons stated above.

VPNing Using L2TP Clients

This section explains the configuration process for supported Microsoft operating systems.

L2TP Client Prerequisites

To connect to an L2TP tunnel, a road warrior must be using one of the following operating systems:

Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT 4.0
Microsoft Windows 98
Microsoft Windows ME

Windows XP and Windows 2000 both feature built-in support for L2TP connections, greatly simplifying the configuration process. L2TP has been successfully tested using Windows ME, Windows 98 and Windows NT 4.0; however, these platforms are no longer supported.

Note: Certain anti-virus and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from the road warrior when using a SmoothWall L2TP over IPSEC connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.
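An added example, not SmoothWall code, that applies the note above to firewall log lines: for each client address reaching the VPN gateway it reports whether the client used NAT-T (UDP 4500) or plain ESP, and lists any other flows so they can be investigated rather than dismissed. The log line format and all addresses are constructed assumptions and do not follow the Corporate Firewall log format.

```python
"""Classify traffic from L2TP/IPSec road warriors against the note above:
only IKE (UDP 500), NAT-T (UDP 4500) and ESP should flow from the client.
Added example, not SmoothWall code; the log line format and all addresses
are constructed and do not follow the Corporate Firewall log format."""
import ipaddress

# Constructed log lines: "<time> <proto> <src>[:sport] -> <dst>[:dport]".
SAMPLE_LOG = """\
10:00:01 udp 198.51.100.7:500 -> 203.0.113.10:500
10:00:01 udp 198.51.100.7:4500 -> 203.0.113.10:4500
10:00:02 udp 198.51.100.7:4500 -> 203.0.113.10:4500
10:00:05 tcp 198.51.100.7:51234 -> 203.0.113.10:445
10:00:06 esp 198.51.100.9 -> 203.0.113.10
10:00:07 tcp 192.0.2.44:40000 -> 203.0.113.10:80
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    time, proto, src, _, dst = line.split()

    def endpoint(text):
        host, _, port = text.partition(":")
        return ipaddress.ip_address(host), (int(port) if port else None)

    src_ip, src_port = endpoint(src)
    dst_ip, dst_port = endpoint(dst)
    return {"time": time, "proto": proto.lower(), "src": src_ip,
            "sport": src_port, "dst": dst_ip, "dport": dst_port}


def classify(log, gateway):
    """Per source address sending to the VPN gateway: whether it used NAT-T
    (UDP 4500) or raw ESP, and any flows outside the expected set."""
    gateway = ipaddress.ip_address(gateway)
    report = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] != gateway:
            continue
        entry = report.setdefault(str(rec["src"]),
                                  {"nat_t": False, "esp": False, "unexpected": []})
        flow = (rec["proto"], rec["dport"])
        if flow == ("udp", 4500):          # NAT-T: ESP carried inside UDP
            entry["nat_t"] = True
        elif flow == ("esp", None):        # IP protocol 50, no NAT in the path
            entry["esp"] = True
        elif flow != ("udp", 500):         # IKE is expected; anything else is not
            entry["unexpected"].append(f"{rec['time']} {rec['proto']}/{rec['dport']}")
    return report


if __name__ == "__main__":
    for src, info in classify(SAMPLE_LOG, "203.0.113.10").items():
        mode = "NAT-T" if info["nat_t"] else ("ESP" if info["esp"] else "none")
        print(f"{src}: mode={mode} unexpected={info['unexpected']}")
```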

Connecting Using Windows XP/2000

Users of Windows XP or Windows 2000 should first ensure that they are running the latest service release of their operating system. Specifically, one particular Windows update is required for L2TP connections to function: Q818043 L2TP/IPSec NAT-T update. Information about this patch can be found at http://support.microsoft.com/?kbid=818043

The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/

One further requirement is that the road warrior user must be a member of the Administrator group in order to install the necessary certificates into the Local Computer certificate store.

Note: There is an alternative configuration method that uses a command line tool, thus enabling an L2TP connection to be configured as part of a logon script. For details, see Advanced VPN Configuration on page 138.

Installing an L2TP Client

The first step in the connection process is to run the SmoothL2TPWizard application. You can find this in the extras folder on the Corporate Firewall installation CD. It is a freely distributable application that automates much of the configuration process.

When started, the SmoothL2TPWizard program first ensures that the Q818043 hotfix is installed. If it is not, the program issues a warning. Assuming the hotfix is installed, it will then guide the user through the steps of configuring the connection to the Corporate Firewall system.

To install the L2TP client:

1 Run the SmoothTunnel L2TP Client Wizard application on the road warrior system.
2 View the license and click Next to agree to it.

The following screen is displayed:

3 Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next. The following dialog opens:
4 Click Browse and locate the road warrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next. The following screen is displayed:
5 Ensure that the Launch New Connection Wizard option is selected and click Install.

The certificates are installed and the Microsoft New Connection Wizard is launched.

6 Click Next.
7 Select Connect to the network at my workplace and click Next.
8 Select Virtual Private Network connection and click Next.

The following screen is displayed:

10 Enter a name for the connection and click Next.
11 Enter Corporate Firewall's host name or IP address and click Next.
12 Click Finish.

The Connect dialog box is displayed:

13 Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled.

Connecting Using Legacy Operating Systems

It is possible to create L2TP connections from a number of legacy operating systems. You can find more information in the support area of SmoothWall's web site: http://www.smoothwall.net/support/

VPNing with SSL

Corporate Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be easily configured and distributed, any user account able to authenticate to the directory service configured, plus the list of local users, gain easy and secure VPN access to your network. All your users need to know is their Corporate Firewall user account name and password.

Prerequisites

An installed default local certificate, see Setting the Default Local Certificate on page 107 for more information.

Configuring VPN with SSL

The following section explains how to configure Corporate Firewall for VPNing with SSL.

To configure SSL VPN settings:

1 Browse to the vpn > global page.
2 Configure the following settings:

Setting: Description
Enable SSL VPN: Select to enable SSL VPN on Corporate Firewall.

Transport protocol: Select the network protocol. The following options are available:
TCP (HTTPS): Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for compatibility with filters between the client and the server.
UDP (1194): Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.
SSL VPN network address: Accept the default network address or enter a new one. SSL VPN users, when they connect, get an IP address on a virtual interface within Corporate Firewall. The IP range must not be one used for any physical network. If the default subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken on the network.
Note: Because connected clients are placed on a virtual network, all machines they access must also have a route to this network.
SSL VPN netmask: Accept the default network netmask or enter a new one.
SSL VPN client gateway: Select to override the default IP or hostname that the client will be configured to use as its gateway. Usually, the client is configured to use Corporate Firewall's primary external IP address as its gateway. However, if dynamic DNS is used this will not work. Therefore, you have the option to set a different gateway.
Force clients to use SSL VPN as gateway: Select to configure Corporate Firewall to force the client to send all its traffic through the SSL VPN connection. Corporate Firewall can force all connected clients to route through it, which is generally better as it enforces the policy on the server end.

3 Click Generate client archive. Corporate Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.

Note: The same archive can be used for both internal and external use. See Configuring SSL VPN on Internal Networks on page 131 for more information on internal use.

Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Corporate Firewall portal to distribute the archive. For more information, see Chapter 8, Working with User Portals on page 61. See Configuring and Connecting Clients on page 132 for information on how to install the SSL VPN software on clients.

Configuring SSL VPN on Internal Networks

Corporate Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.

To configure SSL VPN on an internal network:

1 On the vpn > global page, configure the SSL VPN settings, see Configuring VPN with SSL on page 130.

2 Click Advanced and, in the SSL VPN internal interfaces area, select the interface on which to deploy the SSL VPN.
3 Click Generate client archive. Corporate Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.

Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 130 for more information on external use.

Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Corporate Firewall portal to distribute the archive. For more information, see Chapter 8, Working with User Portals on page 61.
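The Client IP rules from the road warrior Configuration Overview (each address unique, on the tunnel's Local network, and outside the DHCP range) and the SSL VPN network address rule above (the virtual subnet must not overlap any physical network) can both be checked before saving, as in this added Python example. It is not SmoothWall code; the tunnel spec layout and every network and address in it are constructed assumptions.

```python
"""Address-plan checks for the road warrior Client IP and SSL VPN network
address settings described above. Added example, not SmoothWall code; the
spec layout and all networks and addresses below are constructed."""
import ipaddress

# Physical internal networks in the guide's address/netmask form, and the
# DHCP pool served on the first of them. Constructed values.
PHYSICAL_NETWORKS = [
    ipaddress.ip_network("192.168.2.0/255.255.255.0"),
    ipaddress.ip_network("192.168.10.0/255.255.255.0"),
]
DHCP_POOL = (ipaddress.ip_address("192.168.2.100"),
             ipaddress.ip_address("192.168.2.199"))

# Constructed IPSec road warrior specs: Local network plus Client IP.
ROAD_WARRIORS = [
    {"name": "alice", "local_network": "192.168.2.0/255.255.255.0",
     "client_ip": "192.168.2.240"},
    {"name": "bob", "local_network": "192.168.10.0/255.255.255.0",
     "client_ip": "192.168.10.240"},
    {"name": "carol", "local_network": "192.168.2.0/255.255.255.0",
     "client_ip": "192.168.2.150"},     # inside the DHCP pool: collision risk
    {"name": "dave", "local_network": "192.168.2.0/255.255.255.0",
     "client_ip": "192.168.2.240"},     # duplicates alice's address
]


def reachable_hosts(local_network):
    """Number of addresses a road warrior can reach with this Local network:
    192.168.2.0/24 gives 256, while a /32 restricts the user to one host, as
    the note on the Local network setting describes."""
    return ipaddress.ip_network(local_network, strict=True).num_addresses


def check_road_warriors(specs, dhcp_pool=DHCP_POOL):
    """Return problems with the Client IP assignments (empty list = OK)."""
    problems, used = [], {}
    for spec in specs:
        name = spec["name"]
        try:
            net = ipaddress.ip_network(spec["local_network"], strict=True)
            client = ipaddress.ip_address(spec["client_ip"])
        except ValueError as exc:
            problems.append(f"{name}: unparseable setting ({exc})")
            continue
        # The Client IP must be a valid address on the Local network.
        if client not in net:
            problems.append(f"{name}: client IP {client} not on {net}")
        # Each road warrior needs a unique, unused address.
        if client in used:
            problems.append(f"{name}: client IP {client} already used by {used[client]}")
        used.setdefault(client, name)
        # Keep static client addresses out of the DHCP range.
        if dhcp_pool[0] <= client <= dhcp_pool[1]:
            problems.append(f"{name}: client IP {client} lies inside the DHCP pool")
    return problems


def check_ssl_vpn_subnet(address, netmask, physical=PHYSICAL_NETWORKS):
    """Return the physical networks that the SSL VPN virtual subnet overlaps."""
    virtual = ipaddress.ip_network(f"{address}/{netmask}", strict=True)
    return [str(net) for net in physical if virtual.overlaps(net)]


if __name__ == "__main__":
    for problem in check_road_warriors(ROAD_WARRIORS):
        print("road warrior:", problem)
    print("10.110.0.0/24 overlaps:", check_ssl_vpn_subnet("10.110.0.0", "255.255.255.0"))
    print("192.168.2.0/24 overlaps:", check_ssl_vpn_subnet("192.168.2.0", "255.255.255.0"))
```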

Configuring and Connecting Clients

The following sections explain how to install the SSL VPN client software and connect using an SSL VPN connection.

Installing the Software

To install the SSL VPN client software:

1 Extract the client archive, see Configuring VPN with SSL on page 130, to a suitable location and double-click on SmoothWall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:
2 Click Next to continue. The following screen opens:
3 Read the license and click I agree to continue.

The following screen opens:

4 Accept the default components and click Next to continue. The following screen opens:
5 Accept the default destination folder or click Browse to select a different destination. Click Install to continue. The following screen opens:
6 Click Continue Anyway.

The following screen opens:

7 Click Next to continue. The following screen opens:
8 Click Finish to complete the installation.

Opening an SSL VPN Connection

To open an SSL VPN connection:

1 In the system tray, right click on OpenVPN GUI and select Connect. The following dialog box is displayed:
2 Configure the following settings:

Setting: Description
Username: Enter the name of the user account to be used.

Password: Enter the password belonging to the account.

3 Click OK. The SSL VPN connection is opened.

Closing an SSL VPN Connection

To close an SSL VPN connection:

1 In the system tray, right click on OpenVPN GUI and select Disconnect.

VPN Zone Bridging

In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel, ensure that appropriate zone bridging rules are configured. L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road warriors also require zone bridging rules, and share their zone bridging configuration with IPSec subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 43.

Secure Internal Networking

This part of the manual explains how Corporate Firewall can be used to provide secure internal networking using VPN technology.

An internal VPN capability can be useful in many situations; a few examples of typical scenarios are given below:

Secure wireless access: Commonly used wireless access protocols offer relatively weak levels of security, thus allowing potential intruders to directly access and intercept confidential data on an organization's internal network. Corporate Firewall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource.

Hidden network access: It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.

There is no complicated configuration process for creating such internal VPNs; the facility is provided by globally nominating an internal VPN interface and creating tunnels specifying it as its interface.

Creating an Internal L2TP VPN

To create an internal L2TP VPN connection:

1 Navigate to the vpn > global page.
2 In the L2TP settings area, choose an internal network interface from the L2TP client internal interface drop-down list.
3 Optionally, click Advanced and configure the following settings:

Setting: Description
Enable NAT-Traversal: NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections; therefore, NAT-T can be disabled.
Enable Dead Peer Detection: Used to activate a keep-alive mechanism on tunnels that support it. This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page. If this feature is not used, it can take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of Corporate Firewall VPN gateways, it is recommended that this feature is enabled.

Setting

Description

Copy TOS (Type Of When selected, TOS bits are copied into the tunnel from the outside as VPN Service) bits in and traffic is received, and conversely in the other direction. This makes it out of tunnels possible to treat the TOS bits of traffic inside the network (such as IP phones)

in traffic shaping rules within SmoothTraffic and traffic shape them. If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: There is a theoretical possibility that enabling this setting can be used

to spy on traffic 4 Click Save.

Note: We advise you to limit any zone bridging from the nominated interface to other interfaces.

If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness. 5 6 7 8 9 10 11 Create a certificate for the L2TP client. See Creating a Certificate on page 103. On the vpn > l2tp roadwarriors page, enter a descriptive name for the tunnel into the Name field. To activate the tunnel once it has been added, ensure that the Enabled option is selected. Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network, see the vpn > global page. Enter a username for this connection into the Username field. To dedicate this connection to a specific user, choose their certificate from the Authenticate by drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management. Enter a descriptive comment into the Comment field. Choose the Default local certificate from the Local certificate drop-down list. Click Add. To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 126. Enter and repeat a password for this connection in the Password and Again fields.

12 13 14

Creating Internal IPSec VPNs

To create an internal IPSec VPN connection, first nominate an additional internal VPN interface.

To nominate an additional VPN interface:

1 Navigate to the vpn > global page.
2 In the Advanced region, choose an internal network interface from the Additional internal VPN interface drop-down list. This is the interface that internal VPN connections can be made to.
3 Click Save.

Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region.

Note: IPSec tunnels connecting to the nominated additional interface will be assigned an IP address on the IPSec tunnel's local network. It is advisable to limit any zone bridging from the IPSec tunnel's local network to other interfaces, as this may create a route that allows the VPN to be circumvented, thus limiting its usefulness.

4 Create a certificate for the IPSec client. See Creating a Certificate on page 122 for more information.
5 Navigate to the vpn > ipsec roadwarriors page to create a tunnel specification using the nominated interface.
6 Enter a descriptive name for the tunnel into the Name field. For example, Joe Blogg's IPSec.
7 To activate the tunnel once it has been added, ensure that the Enabled option is selected.
8 Specify the local network the tunnel will connect to by entering an IP address and network mask combination into the Local network field. For example, 192.168.10.0/255.255.255.0.
9 Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the network specified in the Local network field.
10 Choose the local ID type from the Local ID type drop-down list. Default local Certificate Subject is recommended for road warrior connections.
11 Enter a local ID value into the Local ID value field if you chose a User Specified ID type in the Local ID type field. Otherwise, the field can be left blank.
12 Choose the Remote IP (or ANY if blank Remote IP) option from the Remote ID drop-down list. This is recommended as it allows the client to present any form of valid ID.
13 If the client's certificate is installed on the Corporate Firewall system, choose it from the Authenticate by drop-down list. If the certificate was created by a different CA (on another Corporate Firewall or a non-Corporate Firewall CA), choose Certificate provided by peer. Authenticating by a named certificate is recommended for ease of management.
14 Select the Use compression option to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.
15 Enter a descriptive comment into the Comment field. For example, IPSec connection to Joe Blogg's on .240.
16 Click Add at the bottom of the page. All advanced settings can be safely left at their defaults.

Internal VPN Clients

The configuration process for client access to an internal IPSec or L2TP tunnel is exactly the same as for a regular VPN client connection, except that the VPN gateway address must be set to the IP address of the nominated internal VPN interface.

Advanced VPN Configuration

The following sections explain how and when you might want to use non-standard configurations of CAs, certificates and tunnel definitions to:
- Allow sites to autonomously manage their own road warriors
- Create VPN links between co-operating organizations
- Create VPN hubs that link networks of networks.

Multiple Local Certificates

In some instances, it may be desirable to install multiple local certificates that are used to identify the same host. There are a number of situations where this might be desirable:
- Autonomous management of road warrior tunnels from multiple sites.
- Autonomous management of site-to-site tunnels from multiple sites.

Multiple local certificates are typically used to de-centralize VPN management in larger networks. For instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of a multinational company. Each head office must be responsible for its own VPN links that connect its regional branches to its head office, as otherwise there would be a reliance on a single set of administrators in one country / time zone preparing certificates for the entire organization. Using the above example, each head office VPN gateway could utilize two local IDs (certificates):

Country head office ID
    This ID would be used by a head office to identify itself to head offices in other countries, to form the VPN tunnels that make up the international WAN.

Head office ID
    This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.

The same concept can be applied to any situation where autonomous VPN management is required. To continue the above example, many of the offices within one particular country require a number of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway could utilize two local IDs (certificates):

Regional branch office ID
    This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.

Branch office ID
    This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.

Creating Multiple Local Certificates

This example demonstrates how to delegate VPN management from an unconfigured master Corporate Firewall system to an unconfigured secondary Corporate Firewall system. The secondary Corporate Firewall system will be responsible for managing site-to-site and road warrior connections within its own geography. Firstly, we must create a tunnel to link the master Corporate Firewall to the secondary Corporate Firewall. Since this example covers configuration from scratch, follow the instructions from the step most appropriate to your current level of VPN connectivity.

1 On the master system, navigate to the vpn > ca page.
2 Create a local Certificate Authority, see Creating a CA on page 100.
3 Create signed certificates for the master and secondary Corporate Firewall systems, see Managing Certificates on page 103.
4 Install the master signed certificate as the master Corporate Firewall's default local certificate, see Setting the Default Local Certificate on page 107.
5 Create the tunnel specification to the secondary Corporate Firewall system, see Site-to-Site VPNs IPSec on page 107.
6 Export the secondary Corporate Firewall's signed certificate using the PKCS#12 format, see Exporting Certificates on page 105.
7 Export the master Corporate Firewall's CA certificate in PEM format, see Exporting the CA Certificate on page 101.

The remaining series of configuration steps are all carried out on the secondary Corporate Firewall system, firstly to create the primary site-to-site link.

To create the primary site-to-site link:

1 On the secondary system, navigate to the vpn > ca page.
2 Import the CA certificate on the secondary Corporate Firewall, see Importing Another CA's Certificate on page 102.
3 Import the signed certificate on the secondary Corporate Firewall system, see Importing a Certificate on page 106.
4 Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on page 107.
5 Create the tunnel specification to the master Corporate Firewall system, with Local certificate set to Default, see Site-to-Site VPNs IPSec on page 107.
6 Test the VPN connection.

The next step is to create an additional CA on the secondary Corporate Firewall system. This additional CA will be used to create another local certificate for the secondary Corporate Firewall system, as well as certificates for any further site-to-site or road warrior connections that it will be responsible for managing.

To create an additional CA on the secondary Corporate Firewall system:

1 On the secondary system, navigate to the vpn > ca page.
2 Create a new local Certificate Authority, see Creating a CA on page 100.
3 Create a new signed certificate for the secondary Corporate Firewall system (this will be used as the secondary Corporate Firewall's second local certificate), see Creating a Certificate on page 103.
4 Create a new signed certificate for any host whose VPN connectivity will be managed by the secondary Corporate Firewall system.
5 Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate (created by the previous step) as the Local certificate.
6 Export the local CA and the signed certificate created by step 4 to any host whose VPN connectivity will be managed by the secondary Corporate Firewall system.
7 Create the remote tunnel specification (this could be a road warrior client or another site-to-site gateway).

Public Key Authentication

It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other. During authentication, each host uses the other host's public key to decrypt the (private key encrypted) certificate it will be passed as identity credentials. This configuration does not require the CA that created either host's certificate to be known to either VPN gateway. This can be useful in many ways:
- Simplified internal management, using certificates created by an external Certificate Authority.
- Tunnelling between two separate organizations using certificates created by different (possibly external) CAs.
- An alternative scheme to allow both ends of the tunnel to create their own CA and default local certificates. This would enable each VPN gateway to manage its own site-to-site and road warrior connections. This achieves the same result as the technique described in the Multiple Local Certificates section.

Note: The use of public key authentication should not be considered as a direct replacement for a stringent X509 based authentication setup. Whilst public key authentication does use some of the same technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As such, appropriate precautions should be taken when considering implementing this alternative authentication method.

Configuring Both Ends of a Tunnel as CAs

This configuration example uses public key authentication to connect two Corporate Firewall systems, each with its own CA so that they can manage their own site-to-site and road warrior connections. The following assumptions have been made:
- Two Corporate Firewall systems.
- Each Corporate Firewall has its own CA.
- Each CA has created a signed certificate for its own local Corporate Firewall system.

To create the tunnel specifications:

1 On both systems, navigate to the vpn > certs page.
2 Export the local certificates from both Corporate Firewall systems using the PEM format, see Exporting Certificates on page 105.
3 Import each PEM certificate on the opposite Corporate Firewall system, see Importing a Certificate on page 106.
4 Create an IPSec site-to-site tunnel specification on the first Corporate Firewall system, and select the second Corporate Firewall system's host certificate in the Authenticate by drop-down list.
5 Create an IPSec site-to-site tunnel specification on the second Corporate Firewall system, and select the first Corporate Firewall system's host certificate in the Authenticate by drop-down list.

The tunnel can now be established and authenticated between the two Corporate Firewall systems. In addition, each Corporate Firewall system is able to autonomously manage its own site-to-site and road warrior connections by using its own CA to create additional certificates.

VPNs between Business Partners

To create a VPN between two separate organizations (such as two firms working together as partners), it is most likely that an IPSec tunnel will be required. This may be to a non-Corporate Firewall system, so a degree of co-ordination will be required to decide upon a compatible tunnel specification. This example uses certificates created by an external, commercial CA so that each organization can authenticate certificates presented by the other using a CA that is independent of both organizations. This configuration example assumes the following:
- Local Corporate Firewall system.
- Host certificates created by the same commercial CA.
- Host certificate, Certificate A, created by the commercial CA for the Corporate Firewall system.
- Host certificate, Certificate B, created by the commercial CA for the other organization's VPN gateway.

Firstly, import the certificate created for the local Corporate Firewall system (Certificate A).

To import the certificate:

1 On the local system, navigate to the vpn > certs page.
2 Import Certificate A, see Importing a Certificate on page 106.

Next, import the commercial CA's certificate:

1 On the system, navigate to the vpn > certs page.
2 Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's Certificate on page 102.

Next, configure the local tunnel specification in co-operation with the other organization. This is most likely to be an IPSec site-to-site connection, though it is possible that you could connect to their network as a road warrior. In either case, full consultation between both organizations is required to decide on the configuration options to be used on the respective VPN gateways.

Follow these steps to create a site-to-site connection:

1 Connect to Corporate Firewall on the Corporate Firewall system and navigate to the vpn > ipsec subnets page.
2 In the local tunnel specification, choose Default local cert subject or Default local cert subject alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified values if the other VPN gateway is not directly compatible with Corporate Firewall's communication of certificate subjects.
3 Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any default local certificate that might be configured.
4 Choose Certificate provided by peer from the Authenticate by drop-down list. This will ensure that Corporate Firewall authenticates Certificate B when it is presented by the other organization's VPN gateway.
5 Choose the remote ID type from the Remote ID type drop-down list that was entered during the creation of Certificate B using the commercial CA.
6 Confer with the other organization regarding all other configuration settings and ensure that they authenticate the tunnel using the CA's certificate and Certificate A as provided by Corporate Firewall at connection time.

Extended Site to Site Routing

A useful feature of Corporate Firewall is its ability to use the VPN as a means of linking multiple networks together by creating a centralized VPN hub. The hub is used to route traffic between different networks and subnets by manipulation of the local and remote network settings in each tunnel specification. This potentially allows every network to be linked to every other network without the need for a fully routed network of VPN tunnels, i.e. a tunnel from every site to every other site. A fully routed network can be awkward to configure and maintain. This configuration example assumes the following:

Site A  Local network: 192.168.10.0/255.255.255.0. Tunnel A connects to Site B.
Site B  Local network: 192.168.20.0/255.255.255.0. Tunnel A connects to Site A, Tunnel C connects to Site C.
Site C  Local network: 192.168.30.0/255.255.255.0. Tunnel C connects to Site B.

The advantage of this approach is that only one tunnel is required for each remote network. The disadvantage is that the central VPN gateway is now routing traffic not destined for it, so it requires additional resources for its bandwidth. Also, the central VPN creates a single point of failure in the network. An improved approach would incorporate backup tunnel definitions that could be used to create a fail-over VPN hub elsewhere on the network.

Site A Tunnel Definition

A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote network settings:

Local network   192.168.10.0/255.255.255.0
Remote network  192.168.0.0/255.255.0.0

With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the definition of the remote end of Tunnel A. Any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its destination; Tunnel C from Site B will ensure this.

Site B Tunnel Definitions

First, a definition for Tunnel A (connecting Site B to Site A) is required. Use the following local and remote network settings:

Local network   192.168.0.0/255.255.0.0
Remote network  192.168.10.0/255.255.255.0

With this configuration, any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) will be routed to Site A, as this range falls within the definition of the remote end of Tunnel A.

Next, a definition for Tunnel C (connecting Site B to Site C) is required. Use the following local and remote network settings:

Local network   192.168.0.0/255.255.0.0
Remote network  192.168.30.0/255.255.255.0

With this configuration, any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the definition of the remote end of Tunnel C.

Site C Tunnel Definition

A definition for Tunnel C (connecting Site C to Site B) is required. Use the following local and remote network settings:

Local network   192.168.30.0/255.255.255.0
Remote network  192.168.0.0/255.255.0.0

With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the definition of the remote end of Tunnel C. Any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) will also be routed to Site B, as this range also falls within the definition of the remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its destination; Tunnel A from Site B will ensure this.

Managing VPN Systems

The following sections document how to:
- Control VPNs
- Open and close tunnels
- Monitor and report tunnel activity
- Display tunnel logging information
- Update tunnel licensing.

Automatically Starting the VPN System

Corporate Firewall's VPN system can be set to automatically start when the system is booted. This allows road warriors to tunnel in without having to wait for the system to be started. It also allows site-to-site tunnels that are initiated on the Corporate Firewall system to automatically negotiate a site-to-site connection.

To configure automatic start up:

1 Navigate to the vpn > control page.
2 In the Automatic control region, select Start VPN sub-system automatically.
3 Click Save.

Manually Controlling the VPN System

The following sections explain how to start, restart, stop and view the status of the VPN system.

Starting/Restarting the VPN System

To start or restart the VPN system:

1 Navigate to the vpn > control page.
2 Click Restart in the Manual control region.

Stopping the VPN System

To stop the VPN system:

1 Navigate to the vpn > control page.
2 Click Stop in the Manual control region.

Viewing the VPN System Status

To view the VPN system status:

1 Navigate to the vpn > control page.
2 Click Refresh in the Manual control region.
3 View the current status from the Current status information field. There are two possible system statuses:

Running  The VPN system is currently operational; tunnels can be connected.
Stopped  The VPN system is not currently operational; no tunnels can be connected.

Viewing and Controlling Tunnels

All configured tunnels can be viewed and controlled from the vpn > control page. There are two possible tunnel statuses:

Open    The tunnel is connected; communication across the tunnel can be made.
Closed  The tunnel is not connected; no communication across the tunnel can be made.

IPSec Subnets

Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the vpn > control page. The information displayed is:

Name       The name given to the tunnel.
Control    Up opens the tunnel connection; Down closes the tunnel connection.
Remote IP  The IP address of the other end of the tunnel.

IPSec Road Warriors

IPSec road warrior connections are shown in the IPSec road warriors region of the vpn > control page. The information displayed is:

Name         The name given to the tunnel.
Control      Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP  The IP address of the local tunnel end.
Remote IP    The IP address of the other end of the tunnel.

L2TP Road Warriors

L2TP road warrior connections are shown in the L2TP Road Warriors region of the vpn > control page. The information displayed is:

Name         The name given to the tunnel.
Username     The username given to the connection.
Control      Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP  The IP address of the local tunnel end.
External IP  The IP address of the other end of the tunnel.

SSL Road Warriors

SSL road warrior connections are shown in the SSL Road Warriors region of the vpn > control page. The information displayed is:

Control      Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP  The IP address of the local tunnel end.

VPN Logging

VPN log entries can be found in the information > logs > ipsec page and the information > logs > system page. For more information, see Chapter 12, Information, Alerts and Logging on page 189.

VPN Tutorials

The following tutorials cover the creation of the main types of VPN tunnels, including: IPSec site-to-site using PSK; IPSec site-to-site using X509; IPSec road warriors; and L2TP road warriors. The examples build on each other, i.e. the configuration settings in each example build on those of the previous one.

Example 1: Preshared Key Authentication

This first example begins with a simple two network VPN using shared secrets. The following networks are to be routed together via a VPN tunnel:

We will use Preshared Key authentication initially. This is the easiest to set up.

Configuring Corporate Firewall A

There is no need for a CA or any certificates. Create a tunnel with the following characteristics; we call this tunnel Tunnel 1. Where a parameter is not listed, leave it at its default value:

Parameter              Description
Name                   Tunnel 1
Local network          Set to the opposite end's remote network value.
Local ID type          Local IP
Remote IP or hostname  200.0.0.1
Remote network         192.168.12.0/24
Remote ID type         Remote IP (or ANY if blank Remote IP)
Authenticate by        Preshared Key
Preshared Key          loudspeaker
Preshared Key again    loudspeaker

All other settings can be left at their defaults.

Configuring Corporate Firewall B

Here a single tunnel is created:

Parameter              Description
Name                   Tunnel 1
Local network          Set to the opposite end's remote network value.
Local ID type          Local IP
Remote IP or hostname  100.0.0.1
Remote network         192.168.0.0/24
Remote ID type         Remote IP (or ANY if blank Remote IP)
Authenticate by        Preshared Key
Preshared Key          loudspeaker
Preshared Key again    loudspeaker

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 43.

Testing

Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come up immediately. If this does not happen, refer to Appendix A, Troubleshooting VPNs on page 257. To actually test that the VPN is routing, ping a host on the remote network from a machine on the local one. You should also be able to connect to servers and desktops on the remote network using your standard tools.

Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote system ID type and the remote system external IP in the Remote system ID Value.

Example 2: X509 Authentication

In this example, the same network as used in Example 1 will be used, see Example 1: Preshared Key Authentication on page 147. This time we will improve the setup by using X509 authentication instead of Preshared Key.

Configuring Corporate Firewall A

Corporate Firewall A will be configured to be the CA in the system. Begin by going to the ca page and setting up your Certificate Authority. In this example, we list only the required fields. You should, of course, enter values appropriate to your organization:

Parameter     Description
Common Name   Corporate Firewall A Cert Auth
Organization  My Company Ltd

From now on, we will enter My Company Ltd in all Organization fields on the certificates we create. Next, export this certificate in PEM format. We will call this file ca.pem and save it on the local workstation's hard disk. You will need this file later.

Switch to the certificates page and create the local certificate. It requires ID information:

Parameter    Description
ID Type      Host & Domain name
ID Value     tunnela.mycompany.com
Common Name  Corporate Firewall A Local Cert

The peer (the Corporate Firewall B machine) needs a certificate too:

Parameter     Description
ID Type       Host & Domain name
ID Value      tunnelb.mycompany.com
Common Name   Corporate Firewall B Cert
Organization  My Company Ltd

Create both certificates, and then export the Corporate Firewall B Cert certificate in PKCS#12 format. You will need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this file tunnelb.p12.

Now onto the tunnels page. Choose the Corporate Firewall A Local Cert certificate to be the Default local certificate, and press Save. We will restart the VPN shortly to make this change active.

The tunnel specification is a little more complex. Here it is:

Parameter              Description
Name                   Tunnel 1
Local network          Set to the opposite end's remote network value.
Local ID type          Default local cert subject alt. name
Remote IP or hostname  200.0.0.1
Remote network         192.168.12.0/24
Remote ID type         Host & Domain name
Remote ID value        tunnelb.mycompany.com
Authenticate by        Certificate presented by peer

Add the tunnel.

Configuring Corporate Firewall B

The first step is to import the certificates. On the ca page, import the ca.pem file. Then go to the certificates page, and import the tunnelb.p12 file you created earlier. Remember to input the passphrase used to create the export file in both boxes. Finally, onto the tunnels. Choose the certificate Corporate Firewall B Cert as the Default local certificate and press Save. The tunnel configuration should look like this:

Parameter              Description
Name                   Tunnel 1
Local network          Set to the opposite end's remote network value.
Local ID type          Default local cert subject alt. name
Remote IP or hostname  100.0.0.1
Remote network         192.168.0.0/24
Remote ID type         Host & Domain name
Remote ID value        tunnela.mycompany.com
Authenticate by        Certificate presented by peer

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 43.

Testing

As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch of IDs. Check the IDs in the certificates by clicking on them in the certificate page. The ID is the same as the Certificate ID. Examine the log for telltale messages.

Example 3: An Additional System

We will now add an additional system, Corporate Firewall C, to the VPN network. We want Corporate Firewall C to be able to access both the Corporate Firewall A subnet and Corporate Firewall B.

In Extended Site to Site Routing on page 142, we explained how to create centralized VPN hubs using extended subnetting. We will use this technique to allow Corporate Firewall B to route to Corporate Firewall C, and vice versa.

SmoothWall Corporate Firewall Administrators Guide

Corporate Firewall A Configuration

Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following properties for this certificate:

Parameter        Description
ID Type          Host & Domain name
ID Value         tunnelc.mycompany.com
Common Name      Corporate Firewall C Cert
Organization     My Company Ltd

Modify the existing tunnel to Corporate Firewall B. All settings are unchanged except:

Parameter        Description
Local subnet     192.168.0.0/16

Notice how this subnet mask now covers all subnets in the VPN. Now we create a new tunnel to Corporate Firewall C:

Parameter                 Description
Name                      Tunnel 2
Local subnet              192.168.0.0/16
Local ID type             Default local cert subject alt. name
Remote IP or hostname     250.0.0.1
Remote network            192.168.13.0/24
Remote ID type            Host & Domain name
Remote ID value           tunnelc.mycompany.com
Authenticate by           Certificate presented by peer

Corporate Firewall B Configuration

Modify the tunnel as follows:

Parameter        Description
Remote subnet    192.168.0.0/16

Corporate Firewall C Configuration

Import the certificate, and then create the tunnel to Corporate Firewall A:

Parameter                 Description
Name                      Tunnel 2
Local ID type             Default local cert subject alt. name
Remote IP or hostname     100.0.0.1
Remote network            192.168.0.0/16
Remote ID type            Host & Domain name
Remote ID value           tunnela.mycompany.com
Authenticate by           Certificate presented by peer

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 43.

Testing

Test in the same way as before. After bringing up both tunnels, you should test by pinging a machine on the Corporate Firewall A end from both the Corporate Firewall B and Corporate Firewall C networks. Then you should test that you can route across Corporate Firewall A by pinging a host on the Corporate Firewall C network from the Corporate Firewall B network.

Example 4: IPSec Road Warrior Connection

Now we will add a road warrior (running SafeNet SoftRemote) into the mix. This road warrior will connect to the Corporate Firewall A gateway. In addition to being able to access the Corporate Firewall A local network (192.168.0.0/24), the road warrior will be able to access the Corporate Firewall B and Corporate Firewall C networks as well. The road warrior is required to assume an internal IP on Corporate Firewall A's local network, in this case 192.168.0.5.

Corporate Firewall A Configuration

Create a certificate with the following properties:

Parameter      Description
Common Name    IPSec road warrior
Organization   My Company Ltd

Note: No ID is required on this certificate.

Now create the IPSec road warrior tunnel:

Parameter         Description
Name              IPSec road warrior
Local network     192.168.0.0/16
Local ID type     Default local cert subject
Client IP         192.168.0.5
Remote ID type    Remote IP (or ANY if blank Remote IP)
Authenticate by   Certificate provided by peer

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.

SoftRemote Configuration

After installing the client, begin by going to the Certificate Manager and importing the ca.pem and the computercert.p12 certificate. In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the installation CD. This policy file contains most of the input fields pre-filled with suitable defaults, and will save a lot of time configuring the client. If you use different settings to those described in this tutorial, compression for example, then you will have to modify those settings. The following fields need to be filled in after importing the policy template.

In road warrior:

Parameter             Description
Gateway IP Address    100.0.0.1
Subnet                192.168.0.0
Mask                  255.255.0.0

In My Identity:

Parameter                      Description
Internal Network IP Address    192.168.0.5

After making the changes, remember to save the Security Policy.

This tutorial describes setting up the client using a policy template as a shortcut to getting the connection up and running. Full details, including detailed screen shots, are given in Appendix B SafeNet SoftRemote.

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 43.

Testing

To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After a few retries, you should see the task bar icon change to show a yellow key. This indicates that the tunnel is up. Your client computer will then appear to be connected to the local network behind the VPN gateway. This works both ways; a machine on the local network can connect to the road warrior.

You should be able to browse web servers, and so on. Also, because the tunnel covers all three local networks, you should be able to connect to all three.

Example 5: L2TP Road Warrior

This example consists of an additional road warrior client, this time running Microsoft Windows XP and using Microsoft's L2TP road warrior client.

Corporate Firewall A Configuration

Create a certificate with the following properties:

Parameter      Description
Common Name    L2TP road warrior
Organization   My Company Ltd

Note: No ID is required on this certificate.

Now create the L2TP road warrior tunnel:

Parameter         Description
Name              L2TP road warrior
Authenticate by   Certificate provided by peer
Client IP         192.168.0.6
Username          road warrior
Password          microphone

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.

L2TP Client Configuration

Begin by using the SmoothL2TPWizard program to import the two certificates.

After bringing up the New Connection wizard, the only detail that must be configured is the VPN gateway external address, 100.0.0.1 in this example.

In TCP/IP properties; Advanced settings, you can choose to use the remote network as the default gateway for the L2TP client. This option, enabled by default, is required if the client needs to be able to route to the Corporate Firewall B and Corporate Firewall C networks. This is because the L2TP client does not provide any facilities for setting up remote network masks. In the Connection dialog, enter the username and password as configured on the Corporate Firewall A gateway:

Parameter    Description
Username     road warrior
Password     microphone

Finally, press the Connect button to initiate a connection to the Corporate Firewall A VPN gateway.

This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see Section 6.3 L2TP Clients.

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the L2TP interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 43.

SafeNet SoftRemote

The following sections are a configuration guide for connecting to the Corporate Firewall VPN gateway using SafeNet SoftRemote.

This documentation covers both version 9 and version 10 of this client. Older versions which support Virtual IP addresses should also inter-operate. Specifically, version 8 is known to work as well as version 9. However, you should consider upgrading to at least version 9 because of known security-related problems with version 8.

We also recommend that the LT versions of this software be used, which do not incorporate Zone Alarm. Configuration of Zone Alarm will not be covered in this manual.

Configuring IPSec Road Warriors

Configuring an IPSec road warrior is a straightforward process.
First create a signed certificate for the road warriors. An ID type is not normally required, although it does no harm to include one when creating the certificate.

When connected, each road warrior gets an IP address in a specified local network zone. The IP address should be a previously unused address and unique to the road warrior. Typically, you would choose a group of IP addresses outside of either the DHCP range or statically assigned machines such as servers. Each road warrior user will need their own IP address.

On the vpn > IPSec roadwarrior page, the Client IP field is used to input the particular local network IP address. Such an IP address must be in a local network zone and currently unused. Set the Local ID type to Default local cert Subject, and set the Authenticate by setting to the certificate for this road warrior connection. Then add the tunnel. Each road warrior requires their own tunnel, so create as many tunnels as there are road warriors.

When connected, each road warrior client will, to all intents and purposes, be on the local network zone. It will be possible to route to other subnets, including VPN-connected ones. This also means that other machines in the network can see the client, just as if it was plugged in directly.

Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This includes the encryption settings, and overriding the default local certificate.

Using the Security Policy Template

NAT-T is handled automatically by this client. No extra configuration is required. Check the log messages in the client to see if NAT-T mode is being used as expected.

1 After installation, open the Certificate Manager.
2 In the Root CAs tab, import a CA .PEM from Corporate Firewall.
3 In the My Certificates tab, import a .P12. Enter the export password, and a short time later the certificate should appear in the list.
4 Select the certificate, and click Verify (on the right). You should get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL (Certificate Revocation List). This indicates the certificate is valid.
5 Next, create a connection in the Security Policy Editor. Open it. To make configuration of this client easier, you may use a Security Policy template that will pre-fill most of the settings to suitable values, saving you from the chore of doing it yourself. For completeness, we will also describe how you would set up the client without the policy.
6 Import the Security Policy template, policytemplate.spd, which can be found in the extras folder on the installation CD. After importing this policy, a single connection, named road warrior, will become available. Assuming the Corporate Firewall gateway is using the standard settings for its road warrior clients, i.e. those described above, only a handful of settings must be entered.
7 In the road warrior section, enter the Remote Subnet, Mask and the gateway's hostname (or IP address).
8 In the My Identity section, enter the Internal Network IP Address. All other fields will be pre-filled. Obviously, if you are not using standard settings, as described in D.1, then you will have to modify those particular settings. For instance, if you are using compression, then you will have to enable it in the client.
9 Save the settings, and close the Security Policy Editor.
10 To bring up the connection to the Corporate Firewall gateway, you must send it a packet. The easiest way to do this is by pinging a host on the remote network. After a series of Request timed out messages you should start to get packets back, indicating that the VPN is up (you will also notice the system tray icon change).

Creating a Connection without the Policy File

We will now describe how to set up the client without using the security policy template. Before creating the connection, you must activate a special feature within the client which allows you to specify a local network zone IP address for the client to take when it connects to the VPN gateway.

1 Select Global Policy Settings from the Options menu. A window will appear, and you should tick the box marked Allow to specify internal network address.
2 Now go back to the tree control on the left and choose the New Connection node. You can rename this to something more appropriate, like road warrior. In this node, configure the remote Subnet address and Mask.
3 Choose Secure Gateway Tunnel from the Connect using drop-down list, and select an ID Type of Any. You should then enter either a Gateway IP Address or Gateway Hostname.
4 Next, move to the My Identity node. Select the certificate you imported earlier. The ID type's default, Distinguished Name (another word for the subject of a certificate), will suffice. Virtual adapter should be disabled, and Internet Interface set to Any.
5 In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified when the tunnel was created.
6 Create a new Phase 1 security policy: select 3DES encryption, and MD5 as the hashing algorithm. Set the key group to 5, and choose a SA Life of 3000 seconds. This time period has to be less than the equivalent setting in the Corporate Firewall, which defaults to 60 minutes (3600 seconds). This is necessary to ensure the tunnel is always re-keyed.
7 Finally create a Phase 2 security policy, again with 3DES and MD5, in a tunnel. Tick the ESP box. In this page you can select compression or not, as well as key life settings. Once again, set the SA Life to 3000 seconds.
8 Test as before, by initiating a connection to a host on the Remote Network. Diagnostic logs are available through the tool bar icon.

Advanced Configuration

Using the configuration previously described, the selected certificate will be required by the client in order to obtain a connection. This method is usually desired, but in other cases an Authenticate by setting of Certificate provided by peer can be more useful, especially if the client certificates are not installed onto the VPN gateway server.

It is also possible to restrict (or extend) the hosts that the road warrior can access on the local network zone. This is done by adjusting the Local network parameter in the tunnel configuration. For example, if you wish to restrict the connected road warriors so that they can only contact a specific IP address, for example 192.168.2.10, then you could set the Local network parameter to 192.168.2.10/32. Note that this setting is a network address, so you must always specify a network mask, even if that network mask covers only a single host.

If the VPN server the road warrior connects to is routed onto other networks such as subnet VPNs or other local network zones, the Local network setting can likewise be expanded to cover them. Visit https://support.smoothwall.net/ for information on setting up other clients.


Chapter 10

Authentication and User Management

In this chapter: How authentication is managed.

Configuring Global Settings

You can configure global time and user limits:

Configuring Authentication Time-out

You can set the time interval during which users are authenticated.

To configure the authentication time-out:

1 Navigate to the services > authentication > settings page.
2 Choose the number of minutes for the time out period from the Authentication timeout in minutes drop-down list.
Note: When using NTLM identification or authentication, set the time out to longer than 1 minute.
3 Click Save.
4 Navigate to the services > authentication > control page and restart the authentication system.

Chapter 10 Authentication and User Management Working with Groups

Note: The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time-out.

Note: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if authentication time-out is yet to occur. This also prevents users having to wait for time-out to occur before they can log in to another workstation, if concurrent login limits are in use.

Limiting Concurrent User Logins

The concurrent user login value determines the number of systems that a user can simultaneously be authenticated from. The default value of 1 means that each user can only be authenticated on a single system at any one moment.

To set the limit for concurrent user logins:

1 Navigate to the services > authentication > settings page.
2 To set a user defined number of concurrent logins, choose the User defined option and enter a numeric value into the User defined field.
3 Click Save.
4 Navigate to the services > authentication > control page and restart the authentication system.

Working with Groups

The following sections discuss user groups and how to manage them.

About Groups

Corporate Firewall uses the concept of user groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions to each group of user accounts, thus enabling them to dynamically apply rules on a per-user account basis. Local users can be added or imported to a particular group, with each group being organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain. Currently, Corporate Firewall supports up to 100 groups and by default contains the following groups:

Unauthenticated IPs

Users can be mapped to Unauthenticated IPs. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.

Note: This group cannot be renamed.

Default Users

Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to a Corporate Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Corporate Firewall authentication group.

Note: This group cannot be renamed.

Banned Users

This group is a normal user group, pre-configured with a preset name, and set up for the purpose of banning users from an authentication-enabled service. Because Banned Users is actually a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.
Network Administrators

This group is a normal user group, pre-configured with a preset name, and setup for the purpose of granting network administrators access to an authentication-enabled service. Because 'Network Administrators' is actually a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Configuring the Number of Groups

Corporate Firewall enables you to set the number of groups available.

To configure the number of groups available:

1 Navigate to the services > authentication > groups page.
2 From the Number of groups drop-down list, select the number you require.
3 Click Save and Restart to save the change.


Renaming a Group

All normal groups can be renamed.

To rename a group:

1 Navigate to the services > authentication > groups page.
2 Configure the following settings:

Setting        Description
Select group   From the drop-down menu, select the group you want to rename and click Select.
Group name     Enter the new group name.

3 Click Save. The group is renamed.

Managing Temporarily Banned Users

Corporate Firewall enables you to temporarily ban specific user accounts. The accounts are banned irrespective of the directory server group they are in, and the ban overrides everything else.

Note: Only available if you have purchased Corporate Firewall annual renewal support. For more information, see Appendix C, Annual Renewal on page 285.

Creating a Temporary Ban

Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, see Chapter 13, Administrative User Settings on page 244.

To ban an account temporarily:

1 Navigate to the services > authentication > temporary bans page.
2 Configure the following settings:

Setting    Description
Username   Enter the user name of the account you want to ban.
Expiry     From the drop-down lists, select when the ban expires.
Comment    Optionally, enter a comment explaining why the account has been banned.
Enabled    Click to enable the ban.

3 Click Add. Corporate Firewall lists the ban in the Current rules area and enforces the ban immediately.

Removing Temporary Bans

To remove a ban:

1 Navigate to the services > authentication > temporary bans page.
2 In the Current rules area, select the ban and click Remove. Corporate Firewall removes the ban.

Removing Expired Bans

To remove bans which have expired:

1 Navigate to the services > authentication > temporary bans page.
2 In the Current rules area, click Remove all expired. Corporate Firewall removes all bans which have expired.

Managing Local Users

Corporate Firewall stores user profiles, e.g. usernames and passwords, in its own local user database, thus providing a standalone authentication service for network users. There are no special configuration steps required to set up the local user database. Administrators can quickly add, view, edit, import, export and delete users to or from the local user database and map local users to a local authentication group.


Adding Users

To add a user to the local user database:

1 Navigate to the services > authentication > local users page.
2 Configure the following settings:

Setting        Description
Username       Enter the user account name.
Password       Enter the password associated with the user account. Passwords must be a minimum of six characters long.
Again          Re-enter the password to confirm it.
Select group   From the drop-down menu, select a group to assign the user account to.

3 Click Add.


Viewing Local Users

To view existing users from the local user database:

1 Navigate to the services > authentication > local users page.
2 Review the Current users area of the page. Users are listed according to their group membership, then alphabetically by username. A Mark option is listed alongside every user, allowing users to be selected for the edit, delete and move operations.

Editing Local Users

To edit an existing user's details:

1 Navigate to the services > authentication > local users page.
2 Locate and select the user you wish to edit in the Current users area of the page.
3 Click Edit user at the bottom of the Current users area. Once this button has been clicked, the user will be suspended, and physically removed from the user list. The user's details will be populated in the Add a user area at the top of the page.
4 Edit the user's username and group membership using the Username and Select group controls. The password must be re-entered in both the Password and Again fields.
5 Click Add to add the user with the edited details.

Note: Once the edit button has been clicked, the user is effectively removed from the user list. Failure to re-add the user will result in the permanent loss of the edited user's account.

Importing New Users

New users can be imported into the local user database using a comma-separated text file in the following format:

Username1,Password1
Username2,Password2
...

Note: The username and password must be lower case, and have no special characters or spaces. You must include the comma to separate the columns. If the password is in clear text, i.e. not encrypted, it will automatically be encrypted when the user is added. It is advisable to test importing a few users to confirm that you are getting the results you expect.

To import users to the local user database:

1 Navigate to the services > authentication > local users page.
2 Choose a group to assign the imported users to from the Select group drop-down list in the Import and export users area.
3 Click Browse in the Import and export users area.
4 In the file upload dialog box, locate the text file and click Open. The path and filename will be added to the Import users field when the focus returns to the browser window.
5 Click Upload and import users to group to import the users contained in the text file.

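Because a bad line in the import file is only discovered after the upload, it is worth checking the file first. The following script is an added example, not part of Corporate Firewall: it applies the rules stated in the note above (lower-case alphanumeric names and clear-text passwords, a comma separator, no duplicates), recognises lines that already carry an $apr1$ hash as produced by Export group users, and borrows the six-character minimum from the Add a user form as an assumption. The sample file and its $apr1$ value are constructed.

```python
"""Pre-flight check for a local-user import file (illustrative, not product code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Rule from the note: usernames and clear-text passwords are lower case,
# with no spaces or special characters.
PLAIN_RE = re.compile(r"^[a-z0-9]+$")
# Password already encrypted, in the form the export page writes: $apr1$<salt>$<22 chars>.
APR1_RE = re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# Minimum the Add a user form enforces; assumed here to apply to imported users too.
MIN_PASSWORD_LEN = 6


@dataclass
class UserRecord:
    line: int
    username: str
    password: str
    encrypted: bool   # True when the password is already an $apr1$ hash


def parse_user_file(text: str) -> Tuple[List[UserRecord], List[str]]:
    """Return the importable records and a list of human-readable problems.

    Import files use 'user,password'; a users.txt written by Export group users
    uses 'user:$apr1$...'. Both separators are accepted so an export can be
    checked and re-imported.
    """
    records: List[UserRecord] = []
    errors: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        sep = "," if "," in line else (":" if ":" in line else None)
        if sep is None:
            errors.append(f"line {lineno}: no comma separating username and password")
            continue
        username, _, password = line.partition(sep)
        if not PLAIN_RE.match(username):
            errors.append(f"line {lineno}: username {username!r} must be lower case "
                          "with no spaces or special characters")
            continue
        if username in seen:
            errors.append(f"line {lineno}: duplicate username {username!r}")
            continue
        encrypted = bool(APR1_RE.match(password))
        if not encrypted and not PLAIN_RE.match(password):
            errors.append(f"line {lineno}: clear-text password for {username!r} must be "
                          "lower case with no spaces or special characters")
            continue
        if not encrypted and len(password) < MIN_PASSWORD_LEN:
            errors.append(f"line {lineno}: password for {username!r} is shorter than "
                          f"{MIN_PASSWORD_LEN} characters")
            continue
        seen.add(username)
        records.append(UserRecord(lineno, username, password, encrypted))
    return records, errors


def to_import_format(records: List[UserRecord]) -> str:
    """Rewrite the accepted records as the comma-separated import format."""
    return "".join(f"{r.username},{r.password}\n" for r in records)


# Constructed sample file; the $apr1$ value is a placeholder, not a real hash.
SAMPLE_FILE = """\
alice,secret99
bob,Passw0rd
carol:$apr1$s4lt0000$AbCdEfGhIjKlMnOpQrStU0
dave smith,letmein
eve;topsecret
alice,again1234
frank,abc
"""

if __name__ == "__main__":
    accepted, problems = parse_user_file(SAMPLE_FILE)
    for problem in problems:
        print("REJECTED", problem)
    print(to_import_format(accepted), end="")
```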

Exporting Local Users

Existing groups of users can be exported from the local user database to a comma-separated file in the following format:

Username1:ENCRYPTED_PASSWORD
Username2:ENCRYPTED_PASSWORD
...

An example line in the export file might resemble something like the following:

testuser:$apr1$Np4hD...$2eNu.nSQuj8b2apdZufcz0e

To export a group of users:

1 Navigate to the services > authentication > local users page.
2 Choose the group of users to export from the Select group drop-down list in the Import and export users area.
3 Click Export group users.
4 Select the Save to disk or equivalent option from the dialog box displayed by your browser software and click its OK, Save or equivalent button.

The exported users will be saved to a text file called users.txt. Files exported in this format can be imported back into the local user database using the import facility.

Deleting Users

To delete users:

1 Navigate to the services > authentication > local users page.
2 Locate and select the user or users you wish to delete in the Current users area of the page.
3 Click Delete user(s) at the bottom of the Current users area.

Moving Users between Groups

To change the group mapping:

1 Navigate to the services > authentication > local users page.
2 Locate and select the user or users you wish to move in the Current users area of the page.
3 Choose the group to move the user or users to from the Group to move users to drop-down list.
4 Click Move user(s) at the bottom of the Current users area.

Viewing User Activity and Cache Statistics

The authentication system uses a caching mechanism to store a list of all currently authenticated users. The cache improves the performance of the authentication system by providing a faster means of user login state discovery.

To view activity and statistics: Navigate to the services > authentication > user activity page.

Viewing User Activity

To display recent user activity:

1 Navigate to the services > authentication > user activity page.
2 Choose the number of most recent authentication system users to view from the Most recent users to show drop-down list control in the Settings area.
3 If you wish to view only those users that are currently logged in, select Logged in users.
4 Click Update. User activity is displayed in the User activity area; details of the table columns can be found below.

The User activity area displays recent usage information in table format, with the following user activity columns:

Column      Description
Time        The time that the user was authenticated.
User        The username of the user.
Group       The name of the group that the user belongs to, or Default users if unknown.
Source IP   The source IP of the system that the user logged in on.
Logout      Select to invalidate that user in the cache so that they have to re-authenticate.

Viewing User Cache Statistics

To display the number of users stored in the cache:

1 Navigate to the services > authentication > user activity page.
2 View the Users in cache field in the User statistics area of the page.

Note: The number of users stored in the cache cannot exceed the number of licensed users. Once the cache is full, additional users cannot be authenticated until another user logs out.

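The settings in this chapter interact: the time-out, the concurrent login limit, the licensed-user cap on the cache and the Logout action all decide whether a login is accepted. The following model is an added example written for this guide, not Corporate Firewall's implementation; it keys cache entries by source IP, and the licence size and the timeline in demo() are constructed.

```python
"""Model of the authentication cache's admission rules (illustrative, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Session:
    user: str
    source_ip: str
    authenticated_at: float   # seconds on a monotonic clock


@dataclass
class AuthCache:
    timeout_minutes: int = 60       # Authentication timeout in minutes (settings page)
    concurrent_logins: int = 1      # default: one system per user at any one moment
    licensed_users: int = 3         # constructed licence size for the example
    sessions: Dict[str, Session] = field(default_factory=dict)   # keyed by source IP

    def expire(self, now: float) -> List[str]:
        """Drop entries older than the time-out; returns the source IPs removed."""
        limit = self.timeout_minutes * 60
        stale = [ip for ip, s in self.sessions.items() if now - s.authenticated_at >= limit]
        for ip in stale:
            del self.sessions[ip]
        return stale

    def login(self, user: str, source_ip: str, now: float) -> Tuple[bool, str]:
        self.expire(now)
        current = self.sessions.get(source_ip)
        if current is not None and current.user == user:
            current.authenticated_at = now      # re-authentication from the same system
            return True, "refreshed"
        # Sessions for this user on other systems count against the concurrent limit.
        elsewhere = [ip for ip, s in self.sessions.items() if s.user == user and ip != source_ip]
        if len(elsewhere) >= self.concurrent_logins:
            return False, "concurrent login limit reached"
        # Only a system not yet in the cache needs a free licensed slot.
        if current is None and len(self.sessions) >= self.licensed_users:
            return False, "cache full: no licensed user slot free"
        self.sessions[source_ip] = Session(user, source_ip, now)
        return True, "authenticated"

    def logout(self, source_ip: str) -> bool:
        """User log-out or the Logout column: invalidate the entry immediately."""
        return self.sessions.pop(source_ip, None) is not None

    def logged_in_users(self, now: float) -> List[Tuple[str, str]]:
        """What the Logged in users view would show after expiry has run."""
        self.expire(now)
        return sorted((s.user, s.source_ip) for s in self.sessions.values())


def demo() -> List[Tuple[str, str]]:
    """Constructed timeline covering the notes above; returns the final logged-in list."""
    cache = AuthCache()
    assert cache.login("alice", "10.0.0.1", now=0) == (True, "authenticated")
    # Second workstation without logging out of the first: blocked until time-out.
    assert cache.login("alice", "10.0.0.2", now=60) == (False, "concurrent login limit reached")
    assert cache.logout("10.0.0.1")
    assert cache.login("alice", "10.0.0.2", now=61) == (True, "authenticated")
    cache.login("bob", "10.0.0.3", now=100)
    cache.login("carol", "10.0.0.4", now=100)
    assert cache.login("dave", "10.0.0.5", now=100)[0] is False   # licence exhausted
    # One hour later alice's entry has timed out, which frees a slot for dave.
    assert cache.login("dave", "10.0.0.5", now=61 + 3600) == (True, "authenticated")
    return cache.logged_in_users(now=61 + 3600)


if __name__ == "__main__":
    print(demo())
```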

Authenticating Using SSL Login

The authentication system provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis. When SSL Login is enabled, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user identity credentials. The SSL Login page can also be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service, for example group bridging. The SSL Login authentication mechanism works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again invoke automatic redirection to the SSL Login.

Enabling SSL Login

The SSL Login authentication mechanism can be enabled on a per-interface basis.

To enable SSL Login:

1 Navigate to the services > authentication > settings page.
2 Select each interface that the SSL Login should be active on in the SSL Login redirect interfaces area.
3 Click Save.

Accessing the SSL Login Page

You can access and review the SSL Login page.

To access and review the SSL Login page:

1 In the web browser of your choice, enter your Corporate Firewall system's IP address and /login. For example: http://192.168.72.141/login

Corporate Firewall displays the SSL Login page.


Creating SSL Login Exceptions

SSL Login exceptions can be created to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page. This is mostly useful to avoid the need for servers to authenticate.

To create an SSL Login exception:
1 Navigate to the services > authentication > settings page.
2 Enter each IP address, IP range or subnet that should not be redirected to the SSL Login, one per line, in the Exception local IP addresses field.
3 Click Save.

Customizing the SSL Login Page

Users can be authenticated using a secure, customized web browser login.

To customize the SSL Login page:
1 Navigate to the services > authentication > ssl login page.

It is possible to customize the following aspects of the login page:

Background image: The background of the login page. This must be 500 x 471 pixels.
Title image: The title area of the login page. This must be 500 x 69 pixels.
Message lines: The messages containing instructions for login users.

See the sections below for more information on uploading images and customizing messages.

Uploading a Title JPEG

To upload a title JPEG image for the login page:
1 Navigate to the services > authentication > login page.
2 Click Browse adjacent to Custom title jpeg.
3 Locate the image file using the browser's Open file dialog box and click OK, Open or the equivalent button.
4 Click Upload custom jpeg.


Chapter 10 Authentication and User Management Managing the Authentication System
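The redirect, bypass and exception behaviour described in the SSL Login sections above, as an added example that is not SmoothWall code. It models the decision the text describes for each outbound request: port 80 from an unauthenticated, non-excepted address is redirected to the login page; a successful login adds a per-address bypass entry (the dynamically added rule); logging out or exceeding the time-out removes it again. The class and method names are this example's own, and two points the text leaves open are assumptions: the exception list accepts an address, a start-end range or a CIDR subnet per line, and the time-out is treated as an idle time-out refreshed by each allowed request.

```python
"""Model of the SSL Login redirect and bypass decision.

Added example, not SmoothWall code.  Assumptions: the exception list takes
one entry per line as an address, a start-end range or a CIDR subnet, and
the time-out is an idle time-out refreshed by each allowed request."""
import ipaddress
from dataclasses import dataclass


def parse_exception(text):
    """Parse one exception line into ("net", network) or ("range", (first, last))."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError("bad address range: %r" % text)
        return ("range", (first, last))
    # A bare address becomes a single-host network (/32 or /128).
    return ("net", ipaddress.ip_network(text, strict=False))


@dataclass
class Session:
    user: str
    last_seen: float   # seconds on the caller's clock


class SslLoginGate:
    LOGIN_PORT = 80    # only outbound port 80 is subject to redirection

    def __init__(self, exception_text, timeout_s=600):
        self.timeout_s = timeout_s
        self.exceptions = [parse_exception(line)
                           for line in exception_text.splitlines() if line.strip()]
        self.sessions = {}   # client ip -> Session: the per-IP bypass rule

    def is_excepted(self, ip):
        """True when ip matches an entry of the exception list."""
        addr = ipaddress.ip_address(ip)
        for kind, value in self.exceptions:
            if kind == "net" and addr.version == value.version and addr in value:
                return True
            if kind == "range" and addr.version == value[0].version \
                    and value[0] <= addr <= value[1]:
                return True
        return False

    def login(self, ip, user, now):
        """Successful SSL Login: add the bypass rule for this address."""
        self.sessions[ip] = Session(user, now)

    def logout(self, ip):
        """Explicit logout: remove the bypass rule."""
        self.sessions.pop(ip, None)

    def whoami(self, ip):
        """User currently authenticated from this address, if any."""
        s = self.sessions.get(ip)
        return s.user if s else None

    def should_redirect(self, ip, dport, now):
        """Decide whether a request from ip to dport goes to the login page."""
        if dport != self.LOGIN_PORT or self.is_excepted(ip):
            return False
        s = self.sessions.get(ip)
        if s is None:
            return True
        if now - s.last_seen > self.timeout_s:
            del self.sessions[ip]          # time-out exceeded: rule removed
            return True
        s.last_seen = now                  # activity keeps the session alive
        return False
```

The exception check runs before the session lookup, so a server listed in Exception local IP addresses is never redirected even if nobody has authenticated from it; the session table is the only state that changes over time, which is what makes the per-user permissions of other services possible through whoami().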

Uploading a Background JPEG

To upload a background JPEG image for the login page:
1 Navigate to the services > authentication > login page.
2 Click Browse adjacent to Custom background jpeg.
3 Locate the image file using the browser's Open file dialog box and click its OK, Open or equivalent button.
4 Click Upload custom jpeg.

Removing an Uploaded JPEG

To remove uploaded login page images:
1 Navigate to the services > authentication > login page.
2 To remove the title JPEG image, click Remove title jpeg.
3 To remove the background JPEG image, click Remove background jpeg.

Customizing Messages

To customize the login messages:
1 Navigate to the services > authentication > login page.
2 To alter the line one login message, alter the text in the Message line 1 field.
3 To alter the line two login message, alter the text in the Message line 2 field.
4 Enable the SSL Login authentication mechanism. For more information, see Enabling SSL Login on page 170.
5 Click Save.

Managing the Authentication System

The authentication system can be stopped, started and monitored.

To access the authentication system controls:
1 Navigate to the services > authentication > control page.

See the sections below for information on restarting, stopping and reviewing the service.


Restarting the Authentication System

It may be necessary to restart the authentication system if unapplied configuration changes have been made. In this situation, a warning is displayed at the top of all authentication pages as a reminder that a restart is required. A full restart normally takes a few seconds to complete, after which users will be required to re-authenticate. A restart also terminates all active downloads.

To restart the authentication system:
1 Navigate to the services > authentication > control page.
2 Click Restart in the Manual control area.

Note: It is a good idea to only restart the authentication system at a time convenient for network users.

Stopping the Authentication System

There is no reason to stop the authentication system in normal operation. This procedure should only be carried out if instructed by the SmoothWall support team.

To stop the authentication system:
1 Navigate to the services > authentication > control page.
2 Click Stop in the Manual control area.

Viewing System Status

To display the current status of the authentication system:
1 Navigate to the services > authentication > control page.
2 Click Refresh in the Manual control area. The current status is displayed in the Current status field and can be either 'Running' or 'Stopped'.

Running Diagnostics

To check that the authentication system is operating correctly, diagnostic tests can be run.

To run authentication diagnostics:
1 On the services > authentication > control page, click Run diagnostics. Corporate Firewall runs the tests and displays the results:

Authentication service running: Indicates whether the authentication service is activated.
Authentication service local connection: Tests that local groups and users can be authenticated.


Chapter 11

Reporting

In this chapter:
Working with Corporate Firewall reports
Managing report data databases
How to install and work with SmoothWall's Crystal Reports client.

Accessing Reporting

Corporate Firewall can produce many types of reports which provide information on almost every aspect of Corporate Firewall.

To access reporting:
1 Navigate to the information > reports > reports page.

Chapter 11 Reporting Accessing Reporting

Generating Reports

Corporate Firewall contains a broad range of reports which can be generated immediately.

To generate a report:
1 Navigate to the information > reports > reports page.
2 Click on a folder containing the report you want to generate.
3 Click on the report to access its options. Corporate Firewall displays the options available.
Tip: Click Advanced to see a description of the report, access advanced options and portal publication permissions. For more information on portal publication, see Publishing Reports on Portals on page 177.
4 If applicable, set the time interval for the report and enter or select any options you require.
5 Click on the report's title or icon to generate the report. Corporate Firewall displays the report.

Saving Reports

If you want permanent access to a report, you must save it.

To save a report:
1 Generate the report, see Generating Reports on page 176.
2 In the Save as field, enter a name for the report and click Save. You can access the report on the information > reports > recent and saved page.

About Recent and Saved Reports

You can access all reports generated on-the-fly for 48 hours on the information > reports > recent and saved page. You can also save recently generated reports and change report formats on this page.

Changing Report Formats

Corporate Firewall enables you to change reports viewed and/or saved in one format to another.

To change a report format:
1 Navigate to the information > reports > recent and saved page.
2 Locate the report you want to change and click on the format you want to change the report to. The following formats are available:

csv: The report is generated in comma separated text format.
excel: The report is generated in Microsoft Excel format.
pdf: The report is generated in Adobe's portable document format.
pdfbw: The report is generated in black and white in Adobe's portable document format.
tsv: The report is generated in tab separated text format.

Publishing Reports on Portals

Corporate Firewall enables you to publish reports to user portals where they can be reviewed by users. For more information on portals, see Chapter 8, Working with User Portals on page 61.

To publish a report:
1 Generate the report, see Generating Reports on page 176.
2 Save the report, see Saving Reports on page 176.
3 Browse to the information > reports > recent and saved page, locate the report and click Permissions. A dialog box opens.
4 From the Add access drop-down list, select the portal where you want to publish the report and click Add.
5 Click Close to close the dialog box. Corporate Firewall publishes the report to the portal.

Managing Reports and Folders

The following sections explain how to create, delete and navigate reports and folders in Corporate Firewall.

Creating Folders

You can create a folder to contain reports on the information > reports > reports page or in a folder or sub-folder contained on the page.

To create a folder:
1 On the information > reports > reports page, determine where you want to create the folder: on the page or in an existing folder.
2 Click the Create a new folder button. Corporate Firewall creates the folder. Enter a name for the folder and click Rename.

Deleting Folders

To delete a folder:
1 On the information > reports > reports page, locate the folder.
2 Click the Delete button. Corporate Firewall deletes the folder.

Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete the folder.

Navigating between Folders

You can navigate between folders using the Location bar.

To navigate between folders on the location bar:
1 On the information > reports > reports page, click on a folder in the Location bar.
2 From the drop-down list, click on the folder you want to go to. Corporate Firewall takes you to the folder.

Tip: To go up a level, click the Go up a folder level button.

Deleting Reports

To delete a report:
1 Navigate to the information > reports > recent and saved page.
2 Locate the report and click the Delete button.

Publishing Reports on a Portal

You can publish reports on a portal.

To publish a report to a portal:
1 Navigate to the information > reports > reports page.
2 Locate the report you want to publish and click Advanced. On the Permissions tab, click Portal Access. A dialog box opens.
3 In the Available to area, from the Add access drop-down list, select the portal you want to publish the report on and click Add.
4 Click Close to close the dialog box. Corporate Firewall publishes the report to the portal. For more information on portals, see Chapter 8, Working with User Portals on page 61.

Making Reports Available to Other Portals

You can make reports generated on one portal available to other portals.

To make the report available:
1 Navigate to the information > reports > reports page.
2 Locate the report you want to publish to other portals and click Automatic Access. A dialog box opens.
3 In the Automatic Access area, from the Add access drop-down list, select the portal you want to publish the generated report on and click Add.
4 Click Close to close the dialog box. Corporate Firewall publishes the report to the portal.

Scheduling Reports

Corporate Firewall can generate and deliver reports to specified user groups at specified intervals.

To schedule a report:
1 Navigate to the information > reports > scheduled page.
2 Configure the following settings:

Start date: Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.
Time: Select the hour and minute at which to deliver the report.
Repeat: Scheduled reports can be generated and delivered more than once. Select from the following options:
  No Repeat: The report is generated and delivered once, on the specified date at the specified time.
  Daily Repeat: The report is generated and delivered once a day at the specified time, starting on the specified date.
  Weekday Repeat: The report is generated and delivered at the specified time, Monday to Friday, starting on the specified date.
  Weekly Repeat: The report is generated and delivered at the specified time, once a week, starting on the specified date.
  Monthly Repeat: The report is generated and delivered at the specified time, once a month, starting on the specified date.
Enabled: Select to enable the scheduled report.
Comment: Optionally, enter a description of the scheduled report.
Report: From the drop-down list, select the report.
Save report: Select this option if you want to save the scheduled report after it has been generated. The report will be available on the information > reports > recent and saved page.
Report name: Enter a name for the scheduled report.
Publish from portal: Optionally, from the drop-down menu, select a portal to publish the report from.
Email report: Select this option if you want to email the report to a group of users.
Group: From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 12, Configuring Groups on page 219.
Report shows period: From the drop-down list, select how long to collate data for this report.

3 Click Add. Corporate Firewall schedules the report and lists it in the Scheduled reports area.

Chapter 11 Reporting Managing Report Data

Managing Report Data

Corporate Firewall stores report data locally in its own database.

Managing a Database

To manage a database:
1 Navigate to the information > settings > database settings page.
2 Configure the following settings:

Database: Enter the following information:
  Username: Accept the default user name or enter a new user name.
  Password: Enter a password for the database.
Pruning: Select if you want to prune entries in the database at specified intervals to save storage space or potentially speed up information processing.
  Don't prune: Select to not remove any entries from the database.
  Over a month: Select to remove entries that are more than one month old and repeat every month.
  Over three months: Select to remove entries that are more than three months old and repeat every month.
  Over six months: Select to remove entries that are more than six months old and repeat every month.

3 Click Save to save the database management settings.

Backing-up Databases

Depending on the SmoothWall add-on modules installed, Corporate Firewall can back up your report data in an archive, enabling you to restore your database, for example, when recovering from hardware failure. For more information, see the SmoothZap Administrator's Guide and the SmoothGuardian Administrator's Guide.

To back up data:
1 Browse to the information > settings > database backup page.
2 Click Backup. Corporate Firewall backs up the data in an archive and lists it in the Backup area.
3 In the Backup area, select the archive and click Download. When prompted, save the archive in a secure location for use if you need to restore data.

Restoring Data

The following section explains how to restore data.

To restore data:
1 Browse to the information > settings > database backup page.
2 In the Upload area, click Browse.
3 In the File Upload dialog box, navigate to where the backup archive is stored, select it and click Open.
4 Click Upload. Corporate Firewall uploads the file and lists it in the Backup area. Select the file and click Restore. Corporate Firewall restores the data.

Working with Crystal Reports

With the SmoothWall Crystal Reports Client, you can design and integrate reports in your Crystal Reports system.

Note: You can use the SmoothWall Crystal Reports Client to import data from log files and store it in comma-separated (csv) format without having access to Crystal Reports.

Chapter 11 Reporting Working with Crystal Reports

Installing the Crystal Reports Client

Note: The Crystal Reports Client only runs on Microsoft Windows systems.

To install the Crystal Reports Client:
1 Insert your Corporate Firewall CD into your CD drive and, in Windows Explorer, browse to the Extras directory on the CD.
2 Locate and double-click on SmoothWall Crystal Reports Client Setup.exe. The installation wizard starts.
3 Accept all the default options and complete the wizard.
4 Click Windows Start and, from the Programs group, select Crystal Reports Client. The Crystal Reports Client starts.

For information on working in the Crystal Reports Client, see the following sections.

Note: When you install the Crystal Reports Client, ODBC Data Sources for the proxy and filter logs are created using the Microsoft Text Driver. These are named SW_CR_ProxyDataSource and SW_CR_FilterDataSource respectively.

Overview of the Crystal Reports Client

The Crystal Reports Client contains the following settings and options:

Guardian IP/Hostname: The IP address or hostname of the Corporate Firewall containing the log files you want to use.
Username: The name of a user account authorized to access your Corporate Firewall.
Password: The password associated with the account.
Previous: A drop-down list of time intervals you want the logs to cover. You can select logs for the last day, week, month or year.
Proxy logs: Specifies that you want to access the information contained in the proxy logs on your Corporate Firewall. If you select this option, Crystal Reports-compatible reports to manage bandwidth usage and basic log information become available below.


Filter logs: Specifies that you want to access the information contained in the filter logs on your Corporate Firewall. If you select this option, Crystal Reports-compatible reports to manage denied pages and virus information become available below.
Retrieve Log: Retrieves and saves the information as a csv file in your local Documents and Settings folder. If you have selected Proxy logs, the file is stored under Application Data\SmoothWall Crystal Reports Client\Log Files\Proxy. If you have selected Filter logs, the file is stored under Application Data\SmoothWall Crystal Reports Client\Log Files\Filter. csv files can be opened in most text editors and spreadsheet applications.
Open Report: Opens the currently selected Crystal Reports-compatible report in Crystal Reports.
Note: You must have Crystal Reports installed and accessible for this to work.
Retrieve and Open: Retrieves information from the selected log and displays it in the currently selected Crystal Reports-compatible report.
Note: You must have Crystal Reports installed and accessible for this to work.

Using Custom Templates

You can install custom templates in the Crystal Reports Client's data directory. These templates become available after restarting the Crystal Reports Client.

To manually manage log files and templates:
1 From the File menu, select Open. The default directory structure is as follows:
  The Log files directory, which contains the sub-directories Filter and Proxy
  The Templates directory, which contains the sub-directories Filter and Proxy.
2 Place Crystal Reports templates for working with web filter logs in the Templates\Filter folder.
3 Place Crystal Reports templates for working with proxy logs in the Templates\Proxy folder.

Retrieving Logs

Note: On a busy network, log files will be large and may take some time to retrieve and process.

To retrieve logs:
1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Enter the IP address or hostname of the Corporate Firewall and the user name and password of an authorized account.
3 Select the time period for the logs.
4 Select the type of logs you want to retrieve.
5 Click Retrieve Logs. The Crystal Reports Client retrieves and saves the information as a csv file in your local Documents and Settings folder. If you have selected Proxy logs, the file is stored under Application Data\Crystal Reports Client\Log Files\Proxy. If you have selected Filter logs, the file is stored under Application Data\Crystal Reports Client\Log Files\Filter.

Opening Crystal Reports-compatible Reports

The Crystal Reports Client contains a number of predefined Crystal Reports-compatible reports which you can review in Crystal Reports. See Overview of the Crystal Reports Client on page 184 for information on the options available.

Note: Crystal Reports must be installed and accessible for this function to work.

To open a report:
1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Select proxy log or filter log.
3 Depending on the type of log you selected, choose one of the following: Bandwidth usage per user, Basic log view, Denied pages per user or Virus occurrences.
4 Click Open Report. The report is opened in Crystal Reports. For information on working in Crystal Reports, see your Crystal Reports documentation.

Retrieving Information and Opening Reports

The Crystal Reports Client contains a number of predefined Crystal Reports-compatible reports which you can use to display Corporate Firewall proxy and filter log information in Crystal Reports. See Overview of the Crystal Reports Client on page 184 for information on the options available.

Note: Crystal Reports must be installed and accessible for this function to work.
Note: On a busy network, log files will be large and may take some time to retrieve and process.

To retrieve information and display it in Crystal Reports:
1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Enter the IP address or hostname of the Corporate Firewall and the user name and password of an authorized account.
3 Select the time period for the logs.
4 Select the type of logs you want to retrieve.
5 Click Retrieve & Open. The Crystal Reports Client retrieves the information, starts Crystal Reports and displays the information. For information on working in Crystal Reports, see your Crystal Reports documentation.

Uninstalling the Crystal Reports Client

To uninstall the Crystal Reports Client:
1 Click Windows Start and, in the Programs group, select Crystal Reports Client and Uninstall. A dialog opens.
2 Click Uninstall and, when the process is complete, click Close. The Crystal Reports Client is removed from your workstation and is no longer available.

Note: Uninstalling the Crystal Reports Client does not remove the ODBC Data Sources or the data directory. They must be removed manually.

Chapter 12

Information, Alerts and Logging

In this chapter:
About the control, summary and about pages
Viewing, analyzing and configuring alerts, real-time information and log files.

About the Control Page

The control page is the default home page of your Corporate Firewall system. It displays a to-do list for getting started, service information, external connectivity controls and a customizable number of summary reports.

To access the control page:
1 Browse to the main > main > control page.

For information on customizing the information displayed, see Chapter 13, Configuring the User Interface on page 238.

About the Summary Page

The summary page displays a customizable list of Corporate Firewall reports.

To access the summary page:
1 Navigate to the main > main > summary page.

A list of reports which are generated by default is displayed. For information on customizing the reports displayed, see Chapter 13, Configuring the User Interface on page 238.

Chapter 12 Information, Alerts and Logging About the Summary Page


About the About Page

The about page displays product, registration, copyright and trademark information. It also displays acknowledgements.

To access the about page:
1 Browse to the main > main > about page.

Chapter 12 Information, Alerts and Logging Alerts

Alerts

Corporate Firewall contains a comprehensive set of incident alerting controls.

Overview

Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five-minute period. Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts. It is possible to specify two trigger conditions for some alerts: the first acts as a warning alert and, in more critical circumstances, the second denotes the occurrence of an incident. In normal operation, the alert system queues alerts in two-minute intervals and then distributes a merged notification of all alerts. For more critical systems, the alert system can be configured to operate in instantaneous mode, whereby alerts are sent out individually, at the moment they are triggered.

You access the alerts and their settings on the information > alerts > alerts page.

Note: The range of available alerts depends on which modules are currently installed on your Corporate Firewall system. For this reason, only some of the following alerts may be available.

Available Alerts

VPN Tunnel Status: VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected or disconnected. Monitored once every five minutes.
Hardware failure alerts, harddisk failure: Generates messages when hardware problems are detected.
License expiry status warnings: Generates messages when the license is due for renewal or has expired. Monitored once an hour.
SmoothTunnel VPN Certificate Monitor: Validates Corporate Firewall VPN certificates and issues warnings about potential problems or impending expiration dates. Monitored once an hour.
SmoothRule Violations: Monitors outbound access activity and generates warnings about suspicious behavior. Constant monitoring.
Firewall Notifications: Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Constant monitoring.
L2TP VPN Tunnel Status: L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected or disconnected. Monitored once every five minutes.

System Resource Monitor: These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.
System Service Monitoring: This alert is triggered whenever a critical system service changes status, i.e. starts or stops. Monitored once every five minutes.
Health Monitor: Checks on remote services for activity.
Traffic Statistics Monitor: These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds. Monitored once every five minutes.
Output System Test Messages: Catches test alerts generated for the purposes of testing the Corporate Firewall output systems. Constant monitoring.
Inappropriate word in IM Monitor: Generates an alert whenever a user uses an inappropriate word or phrase in an IM chat conversation.
Administration Login Failures: Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.
Intrusion Detection System Monitor: These alerts are triggered by violations and notices generated by the Intrusion Detection System (IDS) in response to suspicious network activity. Constant monitoring.
Update Monitoring: Monitors the system for new updates once an hour.
System Boot (Restart) Notification: This alert is generated whenever the system is booted, i.e. is turned on or restarted. Monitored once every five minutes.

Enabling Alerts

Corporate Firewall contains a comprehensive set of incident alerting controls.

To enable alerts:
1 Browse to the information > alerts > alerts page.
2 Choose a recipient group from the Group name drop-down list and click Select. For information on creating a group, see Creating Groups on page 219.
3 For each alert you want to send, select the delivery method: SMS or Email.
4 Click Save.

Looking up an Alert by Its Reference

To view the content of an alert that has already been sent:
1 Enter the alert's unique ID into the Alert ID field and click Show. The content of the alert is displayed on a new page.

Configuring Alert Settings

The following sections explain how to configure Corporate Firewall alert settings.

To access the alert settings:
1 Browse to the information > settings > alert settings page.

Configuring the SmoothTunnel VPN Certificate Alert

This alert validates VPN certificates and issues warnings about potential problems or impending expiration dates.

To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:

Notification of expired certificates: Used to generate alerts when certificates have expired.
Number of days left (Warning): Used to specify the number of days before a certificate expires that a warning alert is sent.
Number of days left (Critical): Used to specify the number of days before a certificate expires that a critical alert is sent.

2 Click Save.

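How the three settings of the SmoothTunnel VPN Certificate Alert map a certificate's remaining lifetime to no alert, a warning, a critical alert or an expired notification, as an added example that is not SmoothWall code. It reads the expiry date in the form that `openssl x509 -noout -enddate` prints ("notAfter=Mar  9 12:00:00 2010 GMT"), which is an assumption about the input rather than anything the page states; the function names, the default thresholds and the certificate names and dates are constructed for the example.

```python
"""Classify VPN certificate lifetime against warning and critical thresholds.

Added example, not SmoothWall code.  Input dates use the OpenSSL
`-enddate` format; names, dates and default thresholds are constructed."""
from datetime import datetime, timezone


def parse_end_date(line):
    """Parse an OpenSSL notAfter line into an aware UTC datetime."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    # OpenSSL pads single-digit days with a second space; collapse it.
    value = " ".join(value.split())
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_left(not_after, now):
    """Fractional days until expiry; negative once expired."""
    return (not_after - now).total_seconds() / 86400.0


def classify(not_after, now, warning_days=30, critical_days=7, notify_expired=True):
    """Return None, "warning", "critical" or "expired" for one certificate.
    warning_days and critical_days are the two 'Number of days left' settings;
    notify_expired is the 'Notification of expired certificates' setting."""
    if critical_days > warning_days:
        raise ValueError("critical threshold must not exceed the warning threshold")
    left = days_left(not_after, now)
    if left < 0:
        return "expired" if notify_expired else None
    if left <= critical_days:
        return "critical"
    if left <= warning_days:
        return "warning"
    return None


def evaluate(end_dates, now, **settings):
    """end_dates maps a certificate name to its notAfter line.  Returns
    (name, level, whole days left) for every certificate that needs an alert."""
    alerts = []
    for name, line in end_dates.items():
        not_after = parse_end_date(line)
        level = classify(not_after, now, **settings)
        if level:
            alerts.append((name, level, int(days_left(not_after, now))))
    return alerts
```

The check that the critical threshold does not exceed the warning threshold matters in practice: with the two reversed, the "critical" branch would swallow every case and no warning would ever be sent ahead of it.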

Configuring the SmoothRule Violations Alert

This alert monitors outbound activity and generates warnings about suspicious behavior.

To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:

Monitor ports for accesses: Enables outbound port access monitoring. Use the adjacent Warning threshold text field to enter the number of port accesses that would generate an alert. Use the Destination port list to specify a comma separated list of outbound ports that this alert applies to.
Monitor Destination IP addresses: Enables outbound IP address monitoring. Alerts are generated if a rapid series of outbound requests is made to the same destination IP address. Use the Warning threshold and Incident threshold fields to set the respective levels at which alerts are generated for this kind of activity.
Monitor Destination Ports: Enables outbound port monitoring. Alerts are generated if a rapid series of outbound requests is made to the same destination port. Use the Warning threshold and Incident threshold fields to set the respective levels at which alerts are generated for this kind of activity.

2 Click Save.

Configuring the System Resource Alert

This alert is triggered whenever particular system resources exceed some predefined limitations.

To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:

System load average: Used to set a threshold for the average number of processes waiting to use the processor(s) over a five-minute period. A system operating at normal performance should record a load average of between 0.0 and 1.0. Whilst higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention.
Disk usage: Used to set a disk space usage percentage threshold that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance.
System memory usage: Used to set a system memory usage percentage threshold that generates an alert once exceeded. Corporate Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.

2 Click Save.

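The threshold logic of the SmoothRule Violations alert above, as an added example that is not SmoothWall code: a warning and an incident threshold for a rapid series of outbound requests to the same destination IP address and to the same destination port, a watched list of destination ports with its own warning threshold, and a port Ignore list. The same sliding-window counter keyed by source address or port is what the Firewall Notifications alert, described next, applies to inbound traffic. The record format, the window length, the threshold values and the sample connection records are all constructed for this example; the page does not state how long the product's own "rapid series" window is.

```python
"""Sliding-window burst detection over outbound connection records.

Added example, not SmoothWall code.  The record format, window length,
thresholds and sample records are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
EPOCH = datetime(1970, 1, 1)
RANK = {None: 0, "warning": 1, "incident": 2}

# Constructed sample: one host sweeps ten ports on one server, then a
# second host contacts three servers on port 445 within a minute.
SAMPLE_LOG = """\
2009-03-09 10:00:00 src=192.168.72.50 dst=203.0.113.7 dport=21
2009-03-09 10:00:01 src=192.168.72.50 dst=203.0.113.7 dport=22
2009-03-09 10:00:02 src=192.168.72.50 dst=203.0.113.7 dport=23
2009-03-09 10:00:03 src=192.168.72.50 dst=203.0.113.7 dport=25
2009-03-09 10:00:04 src=192.168.72.50 dst=203.0.113.7 dport=80
2009-03-09 10:00:05 src=192.168.72.50 dst=203.0.113.7 dport=110
2009-03-09 10:00:06 src=192.168.72.50 dst=203.0.113.7 dport=135
2009-03-09 10:00:07 src=192.168.72.50 dst=203.0.113.7 dport=139
2009-03-09 10:00:08 src=192.168.72.50 dst=203.0.113.7 dport=443
2009-03-09 10:00:09 src=192.168.72.50 dst=203.0.113.7 dport=445
2009-03-09 10:01:00 src=192.168.72.60 dst=203.0.113.8 dport=445
2009-03-09 10:01:01 src=192.168.72.60 dst=203.0.113.9 dport=445
2009-03-09 10:01:02 src=192.168.72.60 dst=203.0.113.10 dport=445
"""


def parse_line(line):
    """Return (seconds, src, dst, dport), or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    seconds = (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S") - EPOCH).total_seconds()
    return seconds, m["src"], m["dst"], int(m["dport"])


class BurstMonitor:
    """Counts events per key inside a sliding window and reports the first
    time the count reaches the warning or the incident threshold."""

    def __init__(self, name, window_s, warning, incident=None):
        self.name, self.window_s = name, window_s
        self.warning, self.incident = warning, incident
        self.recent = defaultdict(deque)   # key -> timestamps inside the window
        self.level = {}                     # key -> level already reported

    def observe(self, key, ts):
        q = self.recent[key]
        q.append(ts)
        while ts - q[0] > self.window_s:    # drop events older than the window
            q.popleft()
        n = len(q)
        level = None
        if self.incident is not None and n >= self.incident:
            level = "incident"
        elif n >= self.warning:
            level = "warning"
        if level is None:
            self.level.pop(key, None)       # quiet again: re-arm the alert
            return None
        if RANK[level] > RANK[self.level.get(key)]:
            self.level[key] = level
            return (level, self.name, key, n)
        return None


def scan(lines, window_s=60, ip_thresholds=(5, 10), port_thresholds=(3, 6),
         watched_ports=frozenset(), watched_warning=3, ignore_ports=frozenset()):
    """Run the three monitors over the records; return alerts in order raised."""
    by_dst_ip = BurstMonitor("destination-ip", window_s, *ip_thresholds)
    by_dst_port = BurstMonitor("destination-port", window_s, *port_thresholds)
    by_src_watched = BurstMonitor("watched-port-access", window_s, watched_warning)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        hits = [by_dst_ip.observe(dst, ts)]
        if dport not in ignore_ports:                 # the Ignore list
            hits.append(by_dst_port.observe(dport, ts))
        if dport in watched_ports:                    # the Destination port list
            hits.append(by_src_watched.observe(src, ts))
        alerts.extend(h for h in hits if h)
    return alerts


def demo():
    """Run the constructed sample with constructed thresholds."""
    return scan(SAMPLE_LOG.splitlines(), window_s=60, ip_thresholds=(5, 10),
                port_thresholds=(3, 6), watched_ports={135, 139, 445},
                watched_warning=3, ignore_ports={80, 443})
```

Each key reports once per level and re-arms only after its window empties, so a sustained burst produces one warning and at most one incident rather than a message per packet; that is the property a two-level threshold needs when, as the Overview describes, notifications are merged every two minutes.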

Configuring the Firewall Notifications Alert

This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.

To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:

Setting  Description
Monitor Source (remote) IP addresses: Detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same remote IP address is detected.
Monitor Source (remote) Ports: Detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.
Monitor Destination (local) IP Addresses: Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.
Monitor Destination (local) Ports: Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.

Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels at which alerts are generated for each type of activity.

Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the appropriate Ignore fields.

2 Click Save.
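The detection logic behind the four monitors above, written out as an added example (not Corporate Firewall code): each monitor counts inbound requests that share one field inside a sliding window, raises warning and incident levels from its two thresholds, and exempts the ports in its Ignore list. The log line format, window length, thresholds and sample lines are constructed for the example.

```python
"""Rate-based alerting modelled on the Firewall Notifications alert.

Added example, not Corporate Firewall code. Each RateMonitor counts inbound
requests sharing one field (remote IP, remote port, local IP, local port)
inside a sliding time window, compares the count with its Warning and
Incident thresholds, and skips events involving ports in its Ignore list."""
import re
from collections import defaultdict, deque

# Constructed log line format (not the product's firewall log format):
#   "<epoch seconds> <remote ip>:<remote port> -> <local ip>:<local port>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Field names follow the four monitors on the alert page.
FIELD_INDEX = {"src_ip": 1, "src_port": 2, "dst_ip": 3, "dst_port": 4}


def parse_line(line):
    """Return (ts, src_ip, src_port, dst_ip, dst_port), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, src_port, dst_ip, dst_port = m.groups()
    return int(ts), src_ip, int(src_port), dst_ip, int(dst_port)


class RateMonitor:
    """One monitor (e.g. Monitor Source (remote) IP addresses) with its thresholds."""

    def __init__(self, field, warning, incident, window_seconds=60, ignore_ports=()):
        if not 0 < warning <= incident:
            raise ValueError("need 0 < warning <= incident")
        self.field = field
        self.idx = FIELD_INDEX[field]
        self.warning = warning
        self.incident = incident
        self.window = window_seconds
        self.ignore_ports = frozenset(ignore_ports)
        self._hits = defaultdict(deque)  # field value -> timestamps inside the window
        self._level = {}                 # field value -> level already reported

    def feed(self, event):
        """Record one event; return (level, value, count) whenever the level for that value changes."""
        ts, _, src_port, _, dst_port = event
        if src_port in self.ignore_ports or dst_port in self.ignore_ports:
            return None  # ports in the Ignore field are exempt from monitoring
        value = event[self.idx]
        hits = self._hits[value]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()  # forget requests older than the window
        count = len(hits)
        if count >= self.incident:
            level = "incident"
        elif count >= self.warning:
            level = "warning"
        else:
            self._level.pop(value, None)  # rate is back to normal; allow a fresh alert later
            return None
        if self._level.get(value) == level:
            return None  # already reported at this level; do not flood
        self._level[value] = level
        return level, value, count


def run(lines, monitors):
    """Feed every parsable line to every monitor; return alerts as (field, level, value, count)."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip malformed lines rather than stop the alerter
        for mon in monitors:
            alert = mon.feed(event)
            if alert:
                alerts.append((mon.field,) + alert)
    return alerts


# Constructed sample: one remote host probes several services on 10.0.0.5
# within a few seconds; port 80 is exempted as if listed in the Ignore field.
SAMPLE_LINES = [
    "1000 203.0.113.7:40001 -> 10.0.0.5:22",
    "1001 203.0.113.7:40002 -> 10.0.0.5:23",
    "1002 203.0.113.7:40003 -> 10.0.0.5:25",
    "1003 203.0.113.7:40004 -> 10.0.0.5:80",
    "1004 203.0.113.7:40005 -> 10.0.0.5:110",
    "1005 203.0.113.7:40006 -> 10.0.0.5:143",
    "this line is not a firewall event",
    "1006 198.51.100.9:51000 -> 10.0.0.5:80",
    "1200 203.0.113.7:40007 -> 10.0.0.5:443",
]


def demo():
    """Remote-IP monitor (warning 3, incident 5) and local-IP monitor (warning 4, incident 6)."""
    monitors = [RateMonitor("src_ip", 3, 5, ignore_ports={80}),
                RateMonitor("dst_ip", 4, 6, ignore_ports={80})]
    return run(SAMPLE_LINES, monitors)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```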

Configuring the System Service Alert

This alert is triggered whenever a critical system service changes state, i.e. starts or stops.

To adjust the settings for this alert:
1 Select the components, modules and services that should generate alerts when they start or stop.
2 Click Save.

Configuring the Health Monitor

This alert is triggered whenever a remote service fails to report activity. Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of Corporate Firewall. The health monitor provides the following checks and alerts:

Chapter 12 Information, Alerts and Logging Alerts

Web Servers (HTTP): When enabled, tries to retrieve the specified web page and checks that it contains specific keywords. This is for detecting defacement.

Setting  Description
Request URL: Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm
Note: Omit http:// when entering the URL.
No of tries: Enter the number of times Corporate Firewall should try to retrieve the page.
Keywords: Enter the keywords to be checked in the page. Assuming the page has been retrieved and the keywords are missing, an alert is generated.

Other Services: Checks that the specified port is open and offering a service.

Setting  Description
IP Address: Enter the IP address.
Port: Enter the port number.
Protocol: From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
No of tries: Enter the number of times Corporate Firewall should check the address and not receive a response before generating an alert.

DNS Name Resolution: Checks that a domain has not expired or been hijacked.

Setting  Description
Name: Enter the domain name.
Address: Enter the domain address.

To configure the alert:
1 For the services, enter the URL, IP address or name.
2 Enter keywords, port numbers and number of tries, if applicable.
3 Select the protocol.
4 Click Add for each service.
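The Web Servers (HTTP) check above, as an added example that is not Corporate Firewall code: retrieve the page up to "No of tries" times and alert only when the page was retrieved but the keywords are missing, reporting an unreachable page as a separate condition. The fetch function is injected so the logic runs offline; the sample pages and fetchers are constructed.

```python
"""Keyword-based defacement check modelled on the Health Monitor's Web Servers (HTTP) alert.

Added example, not Corporate Firewall code. check_page() retries retrieval up
to 'tries' times, decides as soon as one retrieval succeeds, and distinguishes
"defaced" (page retrieved, keywords missing) from "unreachable" (no retrieval
succeeded), since only the former is the alert the page describes."""
import urllib.request
from dataclasses import dataclass
from typing import Tuple


class FetchError(Exception):
    """Raised by a fetcher when the page could not be retrieved."""


@dataclass(frozen=True)
class CheckResult:
    status: str                     # "ok", "defaced" or "unreachable"
    tries_used: int                 # attempts made before a decision was reached
    missing: Tuple[str, ...] = ()   # keywords not found (status "defaced" only)

    @property
    def alert(self) -> bool:
        """The Web Servers alert fires only when the page was retrieved and keywords are missing."""
        return self.status == "defaced"


def full_url(request_url: str) -> str:
    """The Request URL field is entered without http://; add it for the fetcher."""
    if request_url.startswith(("http://", "https://")):
        return request_url
    return "http://" + request_url


def check_page(request_url, keywords, tries, fetch) -> CheckResult:
    """Try up to 'tries' times; keyword matching is case-insensitive (an assumption of this example)."""
    if tries < 1:
        raise ValueError("tries must be at least 1")
    target = full_url(request_url)
    for attempt in range(1, tries + 1):
        try:
            body = fetch(target)
        except FetchError:
            continue  # retrieval failed; use another try
        text = body.casefold()
        missing = tuple(k for k in keywords if k.casefold() not in text)
        return CheckResult("defaced" if missing else "ok", attempt, missing)
    return CheckResult("unreachable", tries)


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Real fetcher using the standard library; any network error becomes a FetchError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception as exc:  # URLError, HTTPError, socket timeout, ...
        raise FetchError(str(exc)) from exc


# Constructed pages and fetchers standing in for the monitored web server.
INTACT_PAGE = "<html><title>Example Ltd</title><body>Welcome to Example Ltd</body></html>"
DEFACED_PAGE = "<html><body>page replaced</body></html>"
KEYWORDS = ["Example Ltd", "Welcome"]


def static_fetcher(body: str):
    """Fetcher that always serves the same page."""
    return lambda url: body


def down_fetcher(url: str) -> str:
    """Fetcher for a server that never answers."""
    raise FetchError("connection refused")


def flaky_fetcher(failures: int, body: str):
    """Fetcher that fails the first 'failures' attempts, then serves 'body'."""
    state = {"calls": 0}

    def fetch(url):
        state["calls"] += 1
        if state["calls"] <= failures:
            raise FetchError("timed out")
        return body
    return fetch


if __name__ == "__main__":
    print(check_page("example.com/index.htm", KEYWORDS, 3, static_fetcher(DEFACED_PAGE)))
```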

Configuring the Traffic Statistics Alert

This alert is triggered whenever the traffic flow for the external interface exceeds certain thresholds.

To adjust the settings: Enter or choose appropriate settings for each of the following controls:

Setting  Description
Incoming bandwidth: Used to set an average incoming data rate limit in Kbps. If this is exceeded over a five minute period, an alert is triggered.
Outgoing bandwidth: Used to set an average outgoing data rate limit in Kbps. If this is exceeded over a five minute period, an alert is triggered.
Data transfer for the previous: Used to specify whether alerts should be generated for a daily, weekly or monthly data limit.
Total data exceeds: Used to set a total data threshold (in KB). An alert is generated if the specified amount of incoming and outgoing traffic is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).
Outgoing data exceeds: Used to set an outgoing data threshold (in KB). An alert is generated if the specified amount is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).
Incoming data exceeds: Used to set an incoming data threshold (in KB). An alert is generated if the specified amount is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).

Click Save.

Configuring the Inappropriate Word Alert

These alerts are generated whenever a user uses an inappropriate word or phrase in instant messaging chat conversations.

To configure the alert:
1 Configure the following settings:

Setting  Description
Enabled on received text: Select to generate the alert when an inappropriate word is used in a message received from a remote user.
Enabled on sent text: Select to generate the alert when an inappropriate word is used in a message sent by a local user.
Generate alert for each message which exceeds the Message Censor severity threshold: Select to generate an alert when the Message Censor threshold is exceeded. For information on the Message Censor threshold, see Chapter 8, Censoring Instant Message Content on page 80. From the drop-down list, select the threshold above which an alert will be generated.
Generate alert when users exceed the rate of inappropriate messages: Select to generate an alert when users exceed the specified number of inappropriate messages within a 15 minute period.
Number of inappropriate messages in 15 mins: Specify how many inappropriate messages to allow in a 15 minute period before generating an alert.

2 Click Save to save the settings.

Configuring the Intrusion Detection System Alert

This alert is triggered by violations and notices generated by the Intrusion Detection System (IDS) in response to suspicious network activity.

To adjust the settings:
1 Enter or choose appropriate settings for each of the following controls:

Setting  Description
Priority: Used to set the priority level threshold for IDS detected warnings that, once exceeded, generates an alert.

2 Click Save.

Realtime

The realtime pages provide access to realtime information about your system, IPsec tunnels, the firewall and traffic.

System Information

The system page is a realtime version of the system log viewer with some filtering options.

To access the system page:
1 Browse to information > realtime > system page.

By default, all information in the system log is displayed and updated automatically approximately every second.

To display information on specific components:
1 From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.

Firewall Information

The firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by Corporate Firewall.

To access the page:
1 Browse to information > realtime > firewall page.

By default, information is displayed and updated automatically approximately every second.

To display information on specific sources and destinations:
1 Enter a complete or partial IP address and/or port number in the fields and click Update.

IPsec Information

The ipsec page is a realtime version of the IPsec log viewer with some filtering options.

To access the ipsec page:
1 Browse to information > realtime > ipsec page.

By default, all information in the log is displayed and updated automatically approximately every second.

To display information on a specific tunnel:
1 Configure the following settings:

Setting  Description
Connection: From the drop-down list, select the tunnel.
Show only lines containing: Enter the text you are looking for.

2 Click Update. If there is information available in the system log, it is displayed in the Details area.

Portal Information

The portal page displays realtime information on users accessing Corporate Firewall portals.

To access the portal page:
1 Browse to information > realtime > portal page.

For more information on portals, see Chapter 8, Working with User Portals on page 61.

Instant Messaging

The im proxy page is a realtime version of the im proxy log viewer with some filtering options.

To view IM conversations:
1 Browse to information > realtime > im proxy page.

The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses.

Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice as users are recognized as both local and remote.

Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font. The local username is denoted in blue, the remote username is denoted in green. You can use the following settings to manage how the conversation is displayed.

Setting  Description
<html>: Click to remove any html tags at the start or end of a conversation.
ScrLk: Click to lock the conversation pane to the bottom of the conversation, i.e. when someone says something new the text will scroll off the top of the screen.

Traffic Graphs

The traffic graphs page displays a realtime graph of the bandwidth being used by the currently selected interface.

To access the traffic graphs page:
1 Browse to information > realtime > traffic graphs page.

The Interfaces area displays a list of the active interfaces on Corporate Firewall. Clicking on an interface displays its current traffic. Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth.

Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.

Logging

Corporate Firewall generates and records activity data in the form of log files. Each log file describes a sequential history of related events, for example, packets being dropped or denied by the firewall, or users being authenticated or logged out of the system. Regular analysis of the log files helps to maintain an effective and secure network policy, because the log files can be used to recognize and remedy potential security or network problems. For example, frequently blocked packets from an unknown external IP address can be readily identified in the firewall log, allowing administrators to take action by adding the hostile source to the IP block list.

Accessing Logs

To access Corporate Firewall logs:
1 Browse to the information > logs > system page.

Each log file is generated by a different component of Corporate Firewall. Certain log files will not be available if the module that creates them is not installed or activated.

Navigating Logs

Log files are viewed in the following display areas:

Area  Description
Settings: Used to specify filtering criteria that determine which log entries are displayed.
Log: Used to display matching log entries.

Each area may provide additional custom controls that are relevant to the log that is being viewed. Log files are divided into manageable pages to avoid the need for excessive scrolling.

Each page number can be clicked to view the corresponding page of log entries, or the following page controls can be used:

Control  Description
<<: Move to the first log page.
<: Move to the previous log page.
>: Move to the next log page.
>>: Move to the last log page.

Log Filtering

Log files are automatically displayed using the default or existing filter criteria in the Settings area. To alter the log entries that are displayed, adjust the filter criteria in the Settings area and click Update.

Exporting

The contents of a log file can be exported using the Export and Export all dates options.

Option  Description
Export: Exports all pages of the currently displayed log.
Export all dates: Exports the currently displayed log for all available dates.

To save the exported log, use the browser's File, Save As option.

Export Formats

Logs can be exported in the following formats:

Format  Description
Comma Separated Values: The information is exported in comma separated text format.
Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible application to view these reports.
Portable Document Format (.pdf): The information is exported in portable document format. You will need an Adobe Acrobat compatible application to view these reports.
Raw Format: The information is exported without formatting.
Tab Separated Value: The information is exported separated by tabs.

Sorting Log Information

Log entries can be sorted in ascending or descending order using the column controls in the Log area:

A sort icon is displayed in the title area of the column that is currently being sorted. The icon denotes an ascending or descending sort by displaying an appropriate 'up' or 'down' arrow image. To sort by a particular column, click its title. The log entries will be re-ordered, and the sort icon will be displayed in the selected column's title area. To reverse the direction of the sort, click the title a second time.

System Logs

The system logs contain simple logging and management information.

To access system logs:
1 Browse to information > logs > system.

The following filter criteria controls are available in the Settings area:

Control  Description
Section: Used to select which system log is displayed. The following options are available:
  Authentication service: Log messages from the SmoothAuth system, including service status messages and user authentication audit trail.
  DHCP server: Log messages from the SmoothDHCP system.
  DNS Proxy: Log messages from the DNS proxy service.
  IM Proxy: Log messages from the instant messaging proxy service.
  IPSec: Logs the VPN system including service status changes.
  ISDN: Log messages from external connections using a local ISDN device.
  Kernel: Log messages from the core Corporate Firewall operating system.
  L2TP: Logs L2TP service status messages.
  L2TP PPP: Logs L2TP PPP transport negotiation messages.
  LCD panel: Not applicable.
  Message censor: Displays information from the message censor logs.
  NTP: Log messages from the network time system, including service status and internal and external synchronization requests.
  PPP: Log messages from the SmoothFirewall system, for external modem or dial-up connections.
  SIP service: Logs SIP-based VoIP service information.
  SmoothD: Log messages from the SmoothD super server.
  SSH: Log messages from the SSH system, including service status and successful/failed login attempts.
  SSL VPN: Log messages from the SSL VPN system.
  SmoothD: Displays server log information.
  SmoothMonitor: Displays monitoring system information including service status and alert/report distribution audit trail.
  SmoothWall: Simple system log messages, including startup, shutdown, reboot and service status messages.
  UPS: Log messages from the UPS system, including service status messages.
  Update transcript: Displays information on update history.
  Web proxy: Displays web proxy activity.
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.

To view specific information:
1 Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.

Firewall Logs

The firewall logs contain details about all data packets rejected by Corporate Firewall. In addition, the firewall logs can display port forwards, and all incoming, outgoing and forwarded data packets, if traffic auditing has been configured on the networking > firewall > advanced page.

To view the firewall logs:
1 Browse to the information > logs > firewall page.

Filtering Firewall Logs

The following filter criteria controls are available in the Settings area:

Control  Description
Section: Used to select which firewall log is displayed. The content of each section is discussed below.
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.
Source: This drop-down list is populated with a list of all source IP addresses contained in the firewall log. Choose a particular IP address and click Update to display log entries originating from just one address.
Src port: This drop-down list is populated with a list of all source ports contained in the firewall log. Choose a particular port and click Update to display log entries originating from just one port.
Destination: This drop-down list is populated with a list of all destination IP addresses contained in the firewall log. Choose a particular IP address and click Update to display log entries destined for just one address.
Dst port: This drop-down list is populated with a list of all destination ports contained in the firewall log. Choose a particular port and click Update to display log entries destined for just one port.
Compression: Used to ghost repeated sequential log entries for improved log viewing.

The list of possible sections that can be viewed is as follows:

Section  Description
Main: All rejected data packets.
Incoming audit: All traffic to all interfaces that is destined for the firewall if Direct incoming traffic is enabled on the networking > advanced page.
Forward audit: All traffic passing through one interface to another if Forwarded traffic is enabled on the networking > settings > advanced page.
Outgoing audit: All traffic leaving from any interface if Direct outgoing traffic is enabled on the networking > settings > advanced page.
Port forwards: All data packets from the external network that were forwarded by a port forward rule if port forward logging is enabled on the networking > firewall > port forwarding page.
SmoothRule - stealth: All data packets from the internal network zones that were logged but not rejected by an outbound access rule.
SmoothRule - rejects: All data packets from the internal network zones that were rejected by an outbound access rule.

Viewing Firewall Logs

To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:

Column  Description
Time: The time that the firewall event occurred.
In: The interface at which the data packet arrived.
Out: The interface at which the data packet left.
Protocol: The network protocol used by the data packet.
Source: The IP address of the data packet's sender.
Src Port: The outbound port number used by the data packet.
Destination: The IP address of the data packet's intended destination.
Dst port: The inbound port number used by the data packet.

Looking up a Source IP whois

The firewall log viewer can be used to find out more information about a selected source or destination IP by using the whois tool.

To use whois:
1 Navigate to the information > logs > firewall page.
2 Select a particular source or destination IP in the Source and Destination columns.
3 Click Lookup.

A lookup is performed and the result displayed on the system > diagnostics > whois page.

Blocking a Source IP

The firewall log viewer can be used to add a selected source or destination IP to the IP block list.

To block a source IP:
1 Navigate to the information > logs > firewall page.
2 Select one or more source or destination IPs.
3 Click Add to IP block list.

The selected source and destination IPs will be automatically added to the IP block list, which you can review on the networking > filtering > ip block page. See Chapter 5, Blocking by IP on page 35 for more information.

IPsec Logs

The ipsec logs page displays information on VPN tunnels.

To access IPsec logs:
1 Browse to information > logs > ipsec.
2 Choose the tunnel you are interested in by using the Tunnel name control.
3 To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
4 After making a change, click Update.

Exporting Logs

To export and download all log entries generated by the current settings, click Export.

Exporting all dates

To export and download all log entries generated by the current settings, for all dates available, select Export all dates, and click Export.

Viewing and Sorting Log Entries

The following columns are displayed in the Web log region:

Column  Description
Time: The time the tunnel activity occurred.
Name: The name of the tunnel concerned.
Description: Log entries generated by the VPN system.

Log entries are displayed over a manageable number of pages. To view a particular page, click its Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages. To sort the log entries in ascending or descending order on a particular column, click its Column title hyperlink. Clicking the currently selected column reverses the sort direction.

Corporate Firewall provides logs on SMTP relaying and POP3 proxying.

To access email logs:
1 Navigate to the information > logs > email page. In the Settings area, you choose whether you want to view logs on relay email or POP3 proxy email.

Option  Select to:
Section: Choose the type of logs to view: SMTP relay logs or POP3 logs.
Month: Specify which month you wish to view logs for.
Day: Specify which day you wish to view logs for.
From address: Choose to show only mails from a particular address.
To address: Show only email to a particular address.
Show only infected mail: Show only email that is infected with a virus.
Export format: Logs can be exported in the following formats:
  Comma Separated Values: The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Portable Document Format (.pdf): The information is exported in PDF. You will need a PDF reader to view these reports.
  Raw Format: The information is exported without formatting.
  Tab Separated Value: The information is exported separated by tabs.
Export all dates: Exports the currently displayed log for all available dates.

Log Filtering

Log files are automatically displayed using the default or existing filter criteria in the Settings area.

To filter log entries:
1 Adjust the filter criteria in the Settings area and click Update.

Exporting Logs

To export logs:
1 Filter the logs to show the information you want to export.
2 Select the export format and whether you want to export all dates.
3 Click Export. To save the exported log, use the browser's File, Save As option.

IDS Logs

The IDS logs contain details of suspicious network activity detected by the Corporate Firewall's Intrusion Detection System (IDS).

To view the IDS logs:
1 Navigate to the information > logs > ids page.

Filtering IDS logs

The following filter criteria controls are available in the Settings area:

Control  Description
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.

Viewing IDS logs

To view IDS logs, select the appropriate filtering criteria using the Settings area and click Update. IDS logs are displayed in the IDS logs area. The following columns are displayed:

Column  Description
Time: Displays the time at which the IDS incident was detected.
Name: Displays the recognized name of the IDS incident.
Priority: Displays the severity of the IDS incident (1 is high).
Type: Displays the general type of the IDS incident.
IP info: Displays the source and destination IP addresses of the IDS incident.
References: Provides external links to independent web sites containing information about the nature of this IDS event.

Note: SmoothWall is not responsible for the content of the references. All links are provided for general guidance only.

IM Proxy Logs

The IM proxy log page displays a searchable log of instant messaging conversations and file transfers.

To view the IM proxy logs:
1 Browse to information > logs > im proxy page.

The following settings are available:

Setting  Description
Local user filter: Enter the name of a local user whose logged conversations you want to view.
Enable local user filter: Select to display conversations associated with the local user name entered.
Remote user filter: Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter: Select to display conversations associated with the remote user name entered.
Enable smilies: Select to display smilies in the conversation.
Enable links: Select to make links in the conversation clickable.
Search: Here you can enter a specific piece of text you want to search for.
Conversations: Enables you to browse conversations by instant messaging protocol, user ID and date.

Web Proxy Logs

The proxy logs contain detailed information about all Internet access made via the web proxy service. It is possible to filter the proxy logs using any combination of requesting source IP, and requested resource type and domain.

To view the web proxy logs:
1 Browse to information > logs > web proxy page.

Filtering Proxy Logs

The following filter criteria controls are available in the Settings area:

Control  Description
Month: Used to choose the month that proxy logs are displayed for.
Day: Used to choose the day that proxy logs are displayed for.
Year: Used to choose the year that proxy logs are displayed for.
Source IP: Used to display proxy logs from a specific source IP.
Ignore filter: Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests. To enable the ignore filter, Enable ignore filter must be selected.
Enable ignore filter: Used to activate the ignore filter.
Domain filter: Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not match abc.net. It is possible to include regular expressions within the filter, for example (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter: Used to activate the domain filter.

Note: To restore the default filter criteria, click Restore defaults.
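The Source IP, Ignore filter and Domain filter semantics described above, as an added example that is not Corporate Firewall code: the ignore pattern drops matching entries, and the domain pattern is matched against the start of the URL's domain part, which reproduces the www.abc and (www.)?abc.com cases from the table. The log line format and the stand-in default ignore pattern are constructed for the example.

```python
"""Proxy log filtering modelled on the Filtering Proxy Logs settings.

Added example, not Corporate Firewall code. filter_entries() applies a Source IP
filter, an Ignore filter (regex; matching entries are excluded when enabled) and
a Domain filter (regex anchored at the start of the URL's domain part when enabled)."""
import re
from urllib.parse import urlsplit

# Constructed log format: "<time> <source ip> <url>" (not the product's log format).
SAMPLE_LOG = """\
09:00:01 192.168.1.20 http://www.abc.com/index.html
09:00:02 192.168.1.20 http://www.abc.com/css/site.css
09:00:03 192.168.1.21 http://abc.net/login
09:00:04 192.168.1.22 http://www.abc.net/images/logo.png
09:00:05 192.168.1.20 http://abc.com/download.exe
09:00:06 192.168.1.23 http://www.xyz.org/app.js
"""

# Stand-in for the product's default Ignore filter value, which excludes
# image, JavaScript, CSS and similar file requests.
DEFAULT_IGNORE = r"\.(gif|jpe?g|png|ico|css|js)(\?|$)"


def parse_log(text):
    """Parse the constructed log format into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        time, source_ip, url = parts
        entries.append({"time": time, "source_ip": source_ip, "url": url})
    return entries


def domain_of(url):
    """Domain part of the URL, accepting URLs written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def compile_filter(pattern, enabled, name):
    """Compile a filter only when its Enable box is ticked; report a bad regex clearly."""
    if not enabled or not pattern:
        return None
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"{name}: invalid regular expression {pattern!r}: {exc}") from exc


def filter_entries(entries, source_ip=None, ignore_filter=None, enable_ignore=False,
                   domain_filter=None, enable_domain=False):
    """Return the entries that survive the Source IP, Ignore and Domain filters."""
    ignore_re = compile_filter(ignore_filter, enable_ignore, "Ignore filter")
    domain_re = compile_filter(domain_filter, enable_domain, "Domain filter")
    kept = []
    for entry in entries:
        if source_ip and entry["source_ip"] != source_ip:
            continue
        if ignore_re and ignore_re.search(entry["url"]):
            continue  # the Ignore filter excludes matching entries
        # re.match anchors at the start of the domain, as the Domain filter description says
        if domain_re and not domain_re.match(domain_of(entry["url"])):
            continue
        kept.append(entry)
    return kept


def urls(entries):
    """Convenience view of a result set: just the URLs, in log order."""
    return [entry["url"] for entry in entries]


if __name__ == "__main__":
    shown = filter_entries(parse_log(SAMPLE_LOG), ignore_filter=DEFAULT_IGNORE, enable_ignore=True,
                           domain_filter="(www.)?abc.com", enable_domain=True)
    for url in urls(shown):
        print(url)
```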

Viewing Proxy Logs

To view proxy logs:
1 Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Log area. The following columns are displayed:

Column  Description
Time: The time the web request was made.
Source IP: The source IP address the web request originated from.
Website: The URL of the requested web resource.

User Portal Logs

The user portal log page displays information on users who have accessed user portals.

To view user portal log activity:
1 Browse to the information > logs > user portal page. Corporate Firewall displays the information.

Settings

The following sections cover alert and logging settings.

Configuring Logging Options

Corporate Firewall can send logs to an external syslog server, automatically delete log files when disk space is low, and set the maximum log file retention settings.

To configure logging options:
1 Browse to information > logs > log settings.
2 Select the logging options you require and how you want to retain each log.
3 To enable remote system logging, select remote syslog and enter the IP address of a remote syslog server into the Syslog server field.
4 Click Save. Corporate Firewall will now log the information you have specified and send logs to the remote syslog server.

Configuring the Log Retention Period

Corporate Firewall enables you to set retention periods for the different log files.

To configure the log retention period:
1 Browse to the information > settings > logging options page.
2 In the Log file retention area, locate the log type you want to configure retention for.
3 From the drop-down list, select the retention period. The following periods are available:

Time Period  Description
1 Day: Rotate the log file daily and keep the last day.
2 Days: Rotate the log file daily and keep the last 2 days.
A week: Rotate the log file weekly and keep the last week.
A fortnight: Rotate the log file weekly and keep the last 2 weeks.
A month: Rotate the log file monthly and keep the last month.
Two months: Rotate the log file monthly and keep the last 2 months.
Three months: Rotate the log file monthly and keep the last 3 months.
Four months: Rotate the log file monthly and keep the last 4 months.
Five months: Rotate the log file monthly and keep the last 5 months.
Six months: Rotate the log file monthly and keep the last 6 months.
Seven months: Rotate the log file monthly and keep the last 7 months.

Eight months: Rotate the log file monthly and keep the last 8 months.
Nine months: Rotate the log file monthly and keep the last 9 months.
Ten months: Rotate the log file monthly and keep the last 10 months.
Eleven months: Rotate the log file monthly and keep the last 11 months.
A year: Rotate the log file monthly and keep the last 12 months.
A week (large): Rotate the log file daily and keep the last 7 days.
A month (Large): Rotate the log file daily and keep the last 31 days.
A year (large): Rotate the log file daily and keep the last 365 days.

4 Click Save.

Automatically Deleting Logs

Corporate Firewall can be set to automatically delete log files if there is a limited amount of free disk space available.

To configure automatic log deletion:
1 Browse to the information > settings > logging options page.
2 In the Automatic log deletion area, select Delete old logs when free space is low.
3 Choose a level at which log deletion will be activated using the Amount of disk space to use for logging drop-down list.
4 Click Save.

Configuring Groups

The groups page is used to create groups of users which can be configured to receive automated alerts and reports.

Creating Groups

To create a group of users:
1 Browse to the information > settings > groups page.

2 Choose a group profile from the Group name drop-down list with a value of Empty and click Select.
3 Enter a descriptive name for the group into the Name field and click Save.
4 In the Add user area, enter a user's name into the Name field.
5 Enter the user's email address and/or SMS number details (where applicable) into the Email address and SMS number fields.
6 Assign a descriptive comment to the user by entering text into the Comment field.
7 Select the Enable HTML Email option if you want emailed reports to be sent in HTML format.
8 Select Enabled to ensure that the user will receive any reports or alerts that are sent to the group.
9 Click Add. The user's details will be added to the list of current users in the Current users region.

Editing a Group

To edit a group:
1 Browse to the information > settings > groups page.
2 Choose the group that you wish to edit using the Group name drop-down list.
3 Click Select to display the group. Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group

To delete a group:
1 Browse to the information > settings > groups page.
2 Select the group to be deleted using the Group name drop-down list.
3 Click Delete.

Configuring Output Settings

Reports and alerts are distributed according to Corporate Firewall's output settings. In order to send reports and alerts, Corporate Firewall must be configured to operate with mail servers and email-to-SMS gateway systems.

To access output settings:
1 Browse to the information > settings > output settings page.

About Email to SMS Output

Corporate Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs, composes an SMS message and sends it. A wide variety of email-to-SMS gateway services are available. Unfortunately, each has its own definition of the format in which an email should arrive. Although there are a few conventions (usually the destination SMS number is placed in the email's subject line), Corporate Firewall must be configured to format email messages as specified by your email-to-SMS gateway service provider.

About Placeholder Tags

To allow easy configuration of message formats for different service providers, Corporate Firewall uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:

Placeholder       Description
%%ALERT%%         The content of the alert message.
%%SMS%%           The recipient's SMS number.
%%EMAIL%%         The recipient's email address.
%%HOSTNAME%%      The hostname of the Corporate Firewall system (useful when using multiple firewall systems).
%%DESCRIPTION%%   The description of the Corporate Firewall system (useful when using multiple firewall systems).
%%--%%            A special placeholder indicating that all text following it should be truncated to 160 characters. This requires truncation to be enabled (the Truncate SMS messages to 160 characters option).

For example, if an email-to-SMS gateway requires emails to be sent to <telephone number>@sampleSMS.com, the following configuration provides this:
%%SMS%%@sampleSMS.com

A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. Where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To compensate for this, insert the special %%--%% placeholder at the start of the actual message content, so that any truncation is only applied to the alert content.
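The effect of a template, and of where %%--%% is placed in it, can be checked offline before the template is saved. The following Python script is an added example, not SmoothWall code: it reimplements placeholder substitution and the truncation behaviour as this guide describes it (once a body exceeds 160 characters, everything past position 155 is dropped and the text .. + is appended; when %%--%% is present, only the text after the tag is limited). The exact marker spacing, the tag handling, the sample alert text and the gateway parameter line are assumptions made for the example.

```python
"""Render an email-to-SMS template with placeholder tags and truncation.

Added example, not SmoothWall code.  It follows the behaviour the guide
describes; the exact marker text and the sample values are assumptions.
"""

SMS_LIMIT = 160        # gateways' message limit
KEEP = 155             # characters kept when truncating (per the guide)
MARKER = ".. +"        # appended to show truncation happened (as printed in the guide)
SPLIT_TAG = "%%--%%"   # everything after this tag is subject to truncation


def expand(template, values):
    """Replace each %%NAME%% tag with its value; unknown tags are left as-is."""
    out = template
    for name, value in values.items():
        out = out.replace(f"%%{name}%%", value)
    return out


def truncate_sms(text):
    """Truncate text longer than SMS_LIMIT: keep KEEP characters, append MARKER."""
    if len(text) <= SMS_LIMIT:
        return text
    return text[:KEEP] + MARKER


def render(template, values, truncate):
    """Render a subject line or message body from a template.

    With truncation enabled, text before %%--%% (gateway parameters such as
    account names) is never cut; only the part after the tag is limited.
    Without the tag, the whole rendered text is limited.
    """
    if SPLIT_TAG in template:
        head, tail = template.split(SPLIT_TAG, 1)
    else:
        head, tail = "", template
    head, tail = expand(head, values), expand(tail, values)
    if truncate:
        tail = truncate_sms(tail)
    return head + tail


# Constructed sample alert and system details (not from a real system).
SAMPLE = {
    "ALERT": "Disk space on /var/log below 5%: " + "automatic log deletion triggered. " * 5,
    "SMS": "07700900123",
    "HOSTNAME": "fw-branch-01",
    "DESCRIPTION": "Branch office firewall",
}

if __name__ == "__main__":
    print(render("%%SMS%%@sampleSMS.com", SAMPLE, False))
    print(render("%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)", SAMPLE, True))
    # Parameters before %%--%% survive; only the alert text is cut.
    print(render("ACCOUNT=EXAMPLE-GATEWAY-ID\n%%--%%%%ALERT%%", SAMPLE, True))
```

Running the last call with and without the %%--%% tag shows the difference the guide warns about: without the tag the account line consumes part of the 155-character budget and the alert text is cut short; with it, the account line is delivered whole and the alert gets the full budget.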

Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. Corporate Firewall can be configured to truncate messages; in this mode, all characters past position 155 are removed and the text .. + is appended to the message to indicate that truncation has occurred.

If the content of the message should be entered in the email message body, the following configuration provides this:
%%ALERT%%

Networks with multiple Corporate Firewall systems may wish to include details of the system that generated the alert. The following examples provide this:
%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% -%%HOSTNAME%%
%%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)

Configuring Email to SMS Output

To configure Corporate Firewall's SMS settings:
1 Browse to the information > settings > output settings page.
2 In the Email to SMS Output System area, configure the following settings:
Setting                                  Description
SMTP server                              Enter the hostname or IP address of the SMTP server to be used by Corporate Firewall.
Sender's email address                   Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. It might also be an email address that is registered with your email-to-SMS gateway provider.
SMS to address                           Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
Truncate SMS messages to 160 characters  Select if you want the content of the SMS message body to be truncated to 160 characters, or if your email-to-SMS gateway service provider instructs you to do so. If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.
Enable SMTP auth                         Select to use SMTP auth if required.
Username                                 If using SMTP auth, enter the username.
Password                                 If using SMTP auth, enter the password.
SMS subject line                         Enter the subject line of the SMS email as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder, as many email-to-SMS gateways use the subject line for this purpose.
SMS message body                         Enter additional parameters and the content of the alert message.
3 Click Save.

Testing Email to SMS Output

To test the output system:
1 In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2 Click Send test.

Output to Email

To configure email settings:
1 Browse to the information > settings > output settings page.
2 In the SMTP (Email) Output System area, configure the following settings:
Setting                 Description
SMTP server             Enter the hostname or IP address of the SMTP server to be used by Corporate Firewall.
Sender's email address  Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. It might also be an email address that is registered with your email-to-SMS gateway provider.
Enable SMTP auth        Select to use SMTP auth if required.
Username                If using SMTP auth, enter the username.
Password                If using SMTP auth, enter the password.
3 Click Save.

Generating a Test Alert

To generate a test alert:
1 Configure Email to SMS output and/or SMTP (Email) output.
2 Click Generate test alert.

Chapter 13

Managing Your System

In this chapter:
Managing system and security updates
Managing module installations and product licensing
Managing certificates
Creating and restoring backup archives
Scheduling automatic maintenance
Producing diagnostic support files
Shutting down and restarting Corporate Firewall
Uploading firmware updates to Alcatel hardware
How to use Corporate Firewall's network tools to perform a variety of everyday network maintenance tasks.

Managing Updates

Corporate Firewall must be connected to the Internet in order to discover, download and install system updates. SmoothWall's support systems are directly integrated with Corporate Firewall's system update procedure, allowing the SmoothWall support department to readily track the status of your system.

Administrators should use Corporate Firewall's update facility whenever a new system update is released by SmoothWall. Updates are typically released in response to evolving or theoretical security threats, as and when they are discovered. System updates may also include general product enhancements, as part of SmoothWall's commitment to continuous product improvement.
Chapter 13 Managing Your System Managing Updates

To manage updates:
1 Navigate to the system > maintenance > updates page.
2 Configure the following settings:
Setting/button        Description
Refresh update list   Click to get a list of available updates. Any available updates are listed in the Available updates area.
Download updates      Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.
Clear download cache  Click to clear any downloaded updates stored in the cache.
Install updates       Click to install all updates in the Pending updates area immediately.
Install at this time  If you do not want to install the updates immediately, enter the time at which you want to install them and click Install at this time.
3 If the update requires a reboot, reboot the system on the system > maintenance > shutdown page.

Installing Updates Manually

The Install new update area enables you to install system updates manually.

To manually install an update:
1 Navigate to the system > maintenance > updates page and click Refresh update list.
2 In the Available updates list, locate the update and click Info. The SmoothWall updates web page opens.
3 Download the update to a suitable location.
4 On the system > maintenance > updates page, click Advanced.
5 In the Install new update area, click Browse to find and open the update.
6 Click Upload to upload and install the update file.

Managing Modules

Corporate Firewall's major system components are separated into individually installed modules. Modules can be added to extend Corporate Firewall's capabilities, or removed in order to simplify administration and reduce the theoretical risk of as yet undiscovered security threats.

Note: Modules must be registered against your Corporate Firewall serial number before they can be installed and used. For further information, please consult your SmoothWall partner or, if purchased directly, SmoothWall. Corporate Firewall must be connected to the Internet in order to install modules.

To install a module:
1 Navigate to the system > maintenance > modules page.
2 In the Available modules area, locate the module and click Install.

Note: Some module installations require a full reboot of Corporate Firewall. Please read the module description carefully prior to installation.
Installing Modules Manually


To install a module manually:
1 Navigate to the system > maintenance > modules page and click Advanced.
2 In the Upload module file area, browse to and select the module.
3 Click Upload. The module is uploaded and installed.

Removing a Module

To remove a module:
1 Navigate to the system > maintenance > modules page.
2 In the Installed modules area, locate the module and click Remove.
3 Reboot Corporate Firewall on the system > maintenance > shutdown page.

Licenses

Corporate Firewall contains information on licenses and subscriptions. For information on anti-virus update settings and your anti-spam subscription, see Chapter 12, Administering Email on page 195. For information on blocklist subscriptions, see Chapter 10, Managing Blocklists on page 134.

To view license information:
1 Navigate to the system > maintenance > licenses page.

Installing Licenses

You can buy additional licenses from SmoothWall or an approved SmoothWall partner. License installation and activation is an automated process, initiated via a secure request to SmoothWall licensing servers.

To install additional licenses:
1 Navigate to the system > maintenance > licenses page.
2 Click Refresh license list. This causes the available license information to be updated via the Internet, and any new licenses are installed.

Note: The Subscriptions area is used to manage anti-virus signatures and blocklists used by add-on modules. For more information, see the documentation delivered with your SmoothWall add-on module.
Archives
The archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring a Corporate Firewall system. They can also be used to create clones of existing systems.

Note: It is possible to automatically schedule the creation of backup archives. For further information, see Scheduling on page 232.

About Profiles

You can assign a profile to an archive, enabling you to specify which components you want backed up in a particular archive. This enables you, for example with SmoothWall's email and anti-virus add-on module, SmoothZap, installed, to generate and store a complete backup of SmoothZap settings in one archive.

You can create and assign up to 20 profiles and generate their archives automatically. Profiles are also used to store settings for SmoothWall replication systems. For more information, see Replication on page 235.
Creating an Archive
To create an archive:
1 Navigate to the system > maintenance > archives page.
2 Configure the following settings:
Setting           Description
Profile           From the drop-down list, select Empty and click Select.
Profile name      Enter a name for the profile.
Comment           Enter a description for the archive.
Automatic backup  Select if you want to archive settings automatically. For more information, see Scheduling on page 232.
Settings          Select the components you want to archive, or select All to archive all settings.
Logs              Select the log files you want to archive, or select All to archive all logs.
3 Click Save and backup to create the archive.

Downloading an Archive

To download an archive:
1 In the Archives area, select the archive.
2 Click Download and save the archive to disk using the browser's Save as dialog box.

Restoring an Archive

To restore an archive:
1 In the Archives area, select the archive.
2 Click Restore. The archive contents are displayed.
3 Select the components in the archive that you want to restore and click Restore.

Deleting Archives

To delete an archive:
1 In the Archives area, select the archive and click Delete.

Uploading an Archive

This is where you upload archived settings from previous versions of Corporate Firewall and SmoothWall modules so that they can be re-used in the current version(s).

To upload an archive:
1 In the Upload area, enter the name of the archive and click Browse.
2 Navigate to and select the archive.
3 Click Upload to upload the archive.

Scheduling

You can configure Corporate Firewall to automatically discover and download system updates, modules and license upgrades using the scheduler. You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.
To create a schedule of tasks:
1 Navigate to the system > maintenance > scheduler page.
2 Configure the following settings:
Setting                     Description
Day                         From the drop-down list, select the day of the week on which the tasks will be executed.
Hour                        From the drop-down list, select the time of day at which the tasks will be executed.
Check for new updates       Select to check for new system updates.
Download updates            Select to download available updates.
Check for new modules       Select to check for new modules.
Check for license upgrades  Select to discover and install license upgrades.
3 Click Save.
Scheduling Remote Archiving


Scheduled remote archiving uses SSH keys to allow it to securely copy files to a remote SSH server without the need for passwords. The use of SSH keys requires Corporate Firewall to generate a key pair which it uses to encrypt all file transfers sent to the SSH server. The SSH server must be configured to accept connections from Corporate Firewall in this manner; it requires the public half of the key pair to be installed.

To schedule remote archiving:
1 Navigate to the system > maintenance > scheduler page.
2 In the Remote archive destinations area, click Export Public Backup Key.
3 Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.
4 In the Remote archive destinations area, enter the following information:
Setting               Description
Name                  Enter a name to identify this destination.
Username              Specify the user name of the account on the SSH server that will be used. For additional security, it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
Remote path           Set the path where archives will be placed on the remote SSH server.
Server                Set the IP address of the SSH server.
Port Number           Set the port number used to access the SSH server (normally port 22).
Transfer Speed Limit  Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system from adversely affecting the performance of other network traffic.
Comment               Enter a description of the destination.
5 Click Add.
6 Repeat the steps above to make other destinations available.
7 In the Remote archival area, enter the following information:
Setting              Description
Day                  The day of the week on which to carry out the archive.
Hour                 The hour of the day at which to carry out the archive.
Archive destination  From the drop-down list, select a destination as configured in the Remote archive destinations area.
Archive profile      From the drop-down list, select an archive profile as configured on the archives page.
Enabled              Select to enable the archive.
Comment              Enter a description of the archive.
8 Click Add.
9 Repeat the steps above to configure other archives for scheduled remote archiving.

Note: A local copy of the archive is also created and stored.

Editing Schedules

To edit a schedule:
1 In the appropriate area, select the destination or task and click Edit or Remove.
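For step 3 of the remote archiving procedure above (installing the exported public backup key on the SSH server), the guide recommends an account with no privileges beyond writing to the Remote path. The following Python script is an added example, not SmoothWall code and not the SSH server's own tooling: it builds the authorized_keys entry for the backup account using the standard OpenSSH options restrict and from= (restrict disables port, agent and X11 forwarding and pty allocation; from= makes the key usable only from the firewall's address), and audits an existing authorized_keys file for entries that lack them. The key material, the firewall address 192.0.2.1 and the file contents are constructed. Confining the account to the Remote path itself is done in the server's sshd configuration and is not covered here.

```python
"""Build and audit authorized_keys entries for a remote archive account.

Added example, not SmoothWall code or an SSH server's tooling.  Key
material, addresses and file contents are constructed.  The options used
(restrict, from=) are standard OpenSSH authorized_keys options.
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def split_entry(line):
    """Split one authorized_keys line into (options, key_type, key_data, comment).

    Options, when present, come first and run up to the first whitespace that
    is not inside double quotes (from="a b" style values may contain spaces).
    """
    line = line.strip()
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = "", line
    else:
        i, in_quotes = 0, False
        while i < len(line) and (in_quotes or not line[i].isspace()):
            if line[i] == '"':
                in_quotes = not in_quotes
            i += 1
        options, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"not an authorized_keys entry: {line!r}")
    comment = parts[2] if len(parts) > 2 else ""
    return options, parts[0], parts[1], comment


def split_options(options):
    """Split the options field on commas that are outside double quotes."""
    out, current, in_quotes = [], "", False
    for ch in options:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            out.append(current)
            current = ""
        else:
            current += ch
    if current:
        out.append(current)
    return out


def build_entry(pubkey_line, firewall_ip, comment):
    """Return the exported backup key prefixed with hardening options.

    restrict  - no port/agent/X11 forwarding, no pty, no ~/.ssh/rc
    from=     - the key is only accepted from the firewall's address
    """
    _, key_type, key_data, _ = split_entry(pubkey_line)
    return f'restrict,from="{firewall_ip}" {key_type} {key_data} {comment}'


def audit(authorized_keys_text):
    """Return (line_number, problem) pairs for entries lacking the options above."""
    findings = []
    for number, raw in enumerate(authorized_keys_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        options, _, _, _ = split_entry(raw)
        names = {opt.split("=", 1)[0] for opt in split_options(options)}
        if "restrict" not in names:
            findings.append((number, "missing restrict: forwarding and pty allowed"))
        if "from" not in names:
            findings.append((number, "missing from=: key accepted from any address"))
    return findings


# Constructed key as exported by the firewall (not a real key).
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotARealKey00000000000"
                 " exported-backup-key")

# Constructed authorized_keys file for the backup account on the SSH server.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup account: one entry per firewall allowed to drop archives here",
    build_entry(SAMPLE_PUBKEY, "192.0.2.1", "fw-branch-01"),   # hardened
    SAMPLE_PUBKEY,                                             # pasted as exported
    'from="192.0.2.1",no-pty ' + SAMPLE_PUBKEY,                # partial hardening
])

if __name__ == "__main__":
    for number, problem in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {number}: {problem}")
```

The parser handles the two things that trip up naive line splitting: an options field containing quoted commas or spaces, and a key comment containing spaces. It does not handle backslash-escaped quotes inside option values, which OpenSSH permits but which the backup use case does not need.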

Replication
Using replication, you can configure Corporate Firewall as a replication master or a replication slave.

Configuring the Replication Master

To configure the replication master:
1 Navigate to the system > maintenance > replication page.
2 In the Master settings area, click Export Public Backup Key to generate a public key.
3 In the Master settings area, enter the following information:
Setting                   Description
Enabled                   Select to enable replication.
Master                    Select to set this Corporate Firewall as the master. Click Save.
Export public backup key  Click to generate the backup key.
Slave IP                  Enter the slave's IP address.
Profile                   From the drop-down list, select the profile containing the replication settings you want to implement on the slave. See the archives page for a list of which settings can be replicated.
Comment                   Enter a description for the slave.
Enabled                   Select to enable the settings.
4 Click Add to add the replication slave to the list of current slaves.
5 Install the key on any systems you want to configure as this master's replication slaves.
6 Ensure that SSH is enabled and can be contacted on the replication slave.

Note: If you reinstall your replication master using a backup image, you must create a new replication slave archive when you install the replication slave. The old replication slave archive will not work.

Configuring the Replication Slave

To configure the replication slave:
1 On your Corporate Firewall master system, on the maintenance > system > archives page, create an archive containing the replication settings you want to implement.
2 On your Corporate Firewall slave system, on the maintenance > system > replication page, in the Settings area, select Enabled and Slave. Click Save.
3 In the Slave settings area, click Browse and navigate to and select the archive containing the replication slave settings.
4 Click Upload and On to implement the replication slave settings.

Note: Settings are not implemented immediately. There will be a delay depending on the network load and other timing constraints.
Shutting down and Rebooting

Corporate Firewall can be shut down or restarted immediately, after a specified delay or at a predetermined time.

To shut down or reboot:
1 Browse to the system > maintenance > shutdown page.
2 Configure the following settings:
Setting                Description
Immediately            Select to shut down or reboot immediately.
Delay action for       Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.
At the following time  Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.
3 Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Shell Access
The web-based secure shell (SSH) remote access tool enables command line administration of the Corporate Firewall system through a web browser.

Note: In order to use this feature, SSH access must be enabled. See Chapter 13, Configuring Admin Access Options on page 242.

The browser that is connected to the Corporate Firewall system must have a Java Virtual Machine installed. For details on setting your browser up in this way, consult your browser help system.

To use the shell tool:
1 Navigate to the system > maintenance > shell page.
2 Click on the shell window once the Java applet has loaded.
3 Enter the following information:
Information  Description
User name    Enter root.
Password     Enter the root account's password.
4 Click Login. You gain access to the shell.

Setting System Preferences


The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you to use one.

Configuring the User Interface


Corporate Firewall can be customized in different ways, dependent on how you prefer working. The main changes that can be made are the method of displaying errors and the drop-down list navigation system. It is also possible to alter the system's description.

To configure the user interface:
1 Browse to the system > preferences > user interface page.
2 Configure the following settings:
Setting              Description
Host information     In the Description field, enter a description to identify Corporate Firewall. This is displayed in the title bar of the browser window.
Web interface        Enable dropdown menus: select to enable drop-down menus in Corporate Firewall.
                     Always show second tier menus: select to always show second tier menus.
                     Show information bar: select to show information on the trail to the page you are on.
                     Show the to-do list: select to show the to-do list on the main > main > control page.
                     Popup error box: select to display error messages in a popup window.
                     In-page error report: select to display error messages on the web page.
System Control page  From the Report to show drop-down list, select the report you want displayed on the main > main > control page.
Dashboard sections   Determines what, if any, information is displayed in the System Services area on the main > main > control page.
System Summary page  From the Report to show drop-down list, select the report you want displayed on the information > reports > summary page.
3 Click Save.

Setting Time
Corporate Firewall's time zone, date and time settings can be specified manually or automatically retrieved from a local or external Network Time Protocol (NTP) server, typically located on the Internet. Corporate Firewall can also act as an NTP server itself, allowing network-wide synchronization of system clocks.

To set the time:
1 Navigate to the system > preferences > time page.
2 Configure the following settings:
Setting                          Description
Timezone                         From the drop-down list, select the appropriate time zone.
Time and date                    To manually set the time and date:
                                 1 Select Set and use the drop-down lists to set the time and date.
Network time retrieval           To automatically retrieve time settings:
                                 1 Select Enabled in the Network time retrieval area.
                                 2 Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.
                                 3 Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
                                 4 Choose one of the following network retrieval methods:
                                   Multiple random public servers: select to set the time as the average of the times retrieved from five random time servers.
                                   Selected single public server: select from the drop-down list a public time server to use to set the time.
                                   User defined single public or local server: enter the address of a specific local or external time server.
Network time service interfaces  Corporate Firewall can be used to synchronize the system clocks of local network hosts by providing a time service.
                                 To synchronize the network time service:
                                 1 Enable network time retrieval.
                                 2 Select each internal network interface that the network time service should be available from.
3 Click Save.

Configuring Registration Options

You can configure Corporate Firewall to use an upstream registration proxy if your ISP requires you to use one.

To configure an upstream registration proxy:
1 Navigate to the system > preferences > registration options page.
2 Configure the following settings:
Setting   Description
Server    Enter the hostname or IP address of the proxy server.
Port      Enter the port number to use.
Username  Enter the user name provided by your ISP.
Password  Enter the password provided by your ISP.
3 Click Save.

Note: The upstream proxy has no bearing on Corporate Firewall proxy services.

About Extended Registration Information


By default, Corporate Firewall sends information about your system to SmoothWall when registering and updating update, licence, subscription and add-on module information. It also sends information when installing SmoothWall add-on modules. The following information is sent:
Enabled status for optional services
Guardian transparent mode and authentication service settings mode
The number of configured interfaces and whether they are internal or external
Authentication service settings and the LDAP server type
Manufacturer name and product name from dmidecode
Main board manufacturer and main board product name from dmidecode.

Note: No sensitive authentication information or passwords are sent.

To disable sending extended registration information:
1 Navigate to the system > preferences > registration options page.
2 Deselect the Provide extended usage information option and click Save.

Configuring the Hostname

You can configure Corporate Firewall's hostname. A hostname should usually include the name of the domain that it is within.

To change the hostname:
1 Browse to the system > preferences > hostname page.
2 Enter a new value in the Hostname field and click Save.

Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in its Common Name field.

Configuring Administration and Access Settings


The following sections discuss administration, external access and account settings.

Configuring Admin Access Options

You can enable and disable remote access to Corporate Firewall's console via Secure Shell (SSH) and configure remote access referral checking. To access Corporate Firewall via remote SSH, the following criteria must be met:
The host must be from a valid network zone
The host must be from a valid source IP
The SSH service must be enabled
Admin access must be set to enabled
The setup or root username and password must be known.
To use Corporate Firewall's web-based SSH shell, the host browser must also have a Java Virtual Machine installed.

To permit access to the console via SSH:
1 Navigate to the system > administration > admin options page.
2 Select SSH and click Save.

Note: Terminal access to Corporate Firewall uses the non-standard port 222.

Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged-in administrator, and not from some third-party web page, you can enable remote access referral checking. When enabled, administration requests are only processed if the referral URL contains the local IP address, the local hostname or, where applicable, the external IP address. If the referral is not from a Corporate Firewall page, the request is ignored and reported in the general SmoothWall log file.

Note: This function prevents Corporate Firewall from being accessed remotely via a DNS or a Dynamic DNS address. To remotely manage a Corporate Firewall system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.

To enable referral checking:
1 Navigate to the system > administration > admin access page.
2 Select Allow admin access only from valid referral URLs in the Remote Access area.
3 Click Save.
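A referral check of this kind is a cross-site request forgery defence: a third-party page cannot make the administrator's browser send a configuration request that carries a Corporate Firewall page as its referral URL. The following Python script is an added example, not SmoothWall's implementation: it decides whether an administration request is processed from the request's Referer header and a set of the firewall's own names (local IP, local hostname, external IP), and records rejected requests as log lines. It compares the parsed host component rather than searching the URL for the address as a substring, which is stricter than the wording above; the host names and sample requests are constructed.

```python
"""Referral (Referer) URL checking for administration requests.

Added example, not SmoothWall's implementation.  Host names and sample
requests are constructed.
"""
from urllib.parse import urlsplit


def referral_allowed(referer, local_hosts):
    """True only if the Referer's host is one of this firewall's own names.

    Parsing the URL and comparing the host component (not searching the
    whole URL for the address as a substring) means that a third-party page
    such as http://attacker.example/?next=192.168.1.1, or a host named
    192.168.1.1.attacker.example, does not pass the check.
    """
    if not referer:
        return False                      # header absent: cannot be one of our pages
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False                      # malformed URL, e.g. a bad IPv6 literal
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    # .hostname is already lower-cased with the port and brackets removed
    return parts.hostname in {h.lower() for h in local_hosts}


def process(requests, local_hosts):
    """Apply the check to (request, referer) pairs.

    Returns the accepted requests and the log lines for the ignored ones,
    mirroring the guide's "ignored and reported in the log" behaviour.
    """
    accepted, log = [], []
    for request, referer in requests:
        if referral_allowed(referer, local_hosts):
            accepted.append(request)
        else:
            log.append(f"admin request ignored: referral {referer!r} is not from this system ({request})")
    return accepted, log


# Constructed names for this firewall: local IP, local hostname, external IP.
LOCAL_HOSTS = {"192.168.1.1", "fw.example.internal", "198.51.100.10"}

# Constructed admin requests with the Referer header each arrived with.
SAMPLE_REQUESTS = [
    ("POST /admin/rules", "https://192.168.1.1:441/admin/rules"),
    ("POST /admin/rules", "http://FW.example.internal:81/admin/rules"),
    ("POST /admin/users", "https://198.51.100.10:441/admin/users"),
    ("POST /admin/rules", None),
    ("POST /admin/rules", "http://attacker.example/page?next=192.168.1.1"),
    ("POST /admin/rules", "https://192.168.1.1.attacker.example/"),
    ("POST /admin/rules", "https://fw.dyn.example.net:441/admin/rules"),  # Dynamic DNS name, see the note above
]

if __name__ == "__main__":
    accepted, log = process(SAMPLE_REQUESTS, LOCAL_HOSTS)
    print(f"{len(accepted)} accepted, {len(log)} ignored")
    for line in log:
        print(line)
```

The last sample request shows the side effect the note above describes: a request referred from a Dynamic DNS name is rejected even though it came from a genuine administrator, because that name is not among the system's own addresses.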

Configuring External Access

External access rules are used to determine which interfaces, services, networks and host systems can be used to administer Corporate Firewall.

The default external access rule allows administrators to access and configure Corporate Firewall from any source IP that can route to the system's first (default) network interface. This default rule allows administrators to access any of the following admin services:
SSH admin    Access to the system console using port 222. Requires SSH access to be enabled; see Configuring Admin Access Options on page 242.
HTTP admin   Access to the web-based interface on port 81.
HTTPS admin  Access to the web-based interface on port 441.

To enable external access:
1 Browse to the system > administration > external access page.
2 Configure the following settings:
Setting                Description
Interface              From the drop-down list, select the interface that access is permitted from. If this is set to External, the currently active external interface will be accessible for administration purposes.
Source IP, or network  Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access. For a range of hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.50. For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24. If no value is entered, any source IP can access the system.
Service                Select the permitted access method.
Comment                Enter a description for the access rule.
Enabled                Select to activate access.
3 Click Add. The access rule is added to the Current rules table.

Note: Do not remove the default external access rule; it provides access to the default internal network.
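To see how the source specifications in the table above select hosts, the following Python script is an added example, not SmoothWall code: it evaluates a constructed external access rule list against a connecting source address, interface and service, and accepts the three source formats the guide lists (a single IP, a range written first-last, and a subnet written with either a dotted mask or a prefix length), with an empty value meaning any source. The interface name Internal (standing for the first, default interface), the rule entries and the test addresses are assumptions made for the example; the service ports are those stated above.

```python
"""Evaluate external access rules against a connecting source address.

Added example, not SmoothWall code.  Rule entries, interface names and
addresses are constructed; the service ports come from the guide.
"""
import ipaddress
from dataclasses import dataclass

# Admin services and ports as listed in the guide.
SERVICE_PORTS = {"SSH admin": 222, "HTTP admin": 81, "HTTPS admin": 441}


@dataclass
class Rule:
    interface: str      # interface the access is permitted from
    source: str         # "", single IP, "first-last" range, or network
    service: str        # key of SERVICE_PORTS
    enabled: bool = True
    comment: str = ""


def source_matches(spec, addr):
    """True if addr is covered by the Source IP, or network field value."""
    spec = spec.strip()
    ip = ipaddress.ip_address(addr)
    if spec == "":
        return True                        # empty field: any source IP
    if "-" in spec:                        # range such as 192.168.10.1-192.168.10.50
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if ip.version != first.version or first.version != last.version:
            return False
        return first <= ip <= last
    # ipaddress accepts both 192.168.10.0/24 and 192.168.10.0/255.255.255.0;
    # strict=False tolerates host bits set in the address part.  Membership
    # of an address of the other IP version is simply False.
    return ip in ipaddress.ip_network(spec, strict=False)


def admin_permitted(rules, interface, addr, service):
    """True if any enabled rule for this interface and service covers addr."""
    return any(
        r.enabled and r.interface == interface and r.service == service
        and source_matches(r.source, addr)
        for r in rules
    )


# Constructed rule set.  "Internal" stands for the first (default) interface.
RULES = [
    Rule("Internal", "", "HTTPS admin", comment="default rule, do not remove"),
    Rule("Internal", "", "SSH admin", comment="default rule, do not remove"),
    Rule("Internal", "192.168.10.1-192.168.10.50", "HTTP admin", comment="helpdesk range"),
    Rule("External", "203.0.113.10", "HTTPS admin", comment="single NOC workstation"),
    Rule("External", "198.51.100.0/255.255.255.0", "SSH admin", comment="ops subnet"),
    Rule("External", "", "HTTP admin", enabled=False, comment="kept for reference, disabled"),
]

if __name__ == "__main__":
    for iface, addr, service in [
        ("Internal", "10.0.0.5", "HTTPS admin"),
        ("Internal", "192.168.10.51", "HTTP admin"),
        ("External", "203.0.113.11", "HTTPS admin"),
        ("External", "198.51.100.77", "SSH admin"),
    ]:
        verdict = "permitted" if admin_permitted(RULES, iface, addr, service) else "denied"
        print(f"{service} (port {SERVICE_PORTS[service]}) from {addr} on {iface}: {verdict}")
```

Two points worth noting from the sample rule set: a disabled rule contributes nothing even when its source would match, and an entry that allows any source on the External interface is what the guide's default internal rule would look like if it were copied to the outside, which is why the source field should never be left empty there.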

Editing and Removing External Access Rules

To edit or remove access rules, use Edit and Remove in the Current rules area. For further information about editing and removing rules, see Chapter 2, Configuration Conventions on page 13.

Administrative User Settings

Corporate Firewall supports different types of administrative accounts.

To manage accounts:
1 Navigate to the system > administration > administrative users page.
2 Configure the following settings:

Username: Enter a name for the user account.
Password: Enter a password. Passwords are case sensitive and must be at least six characters long. Six characters is only the minimum the interface enforces; use a long passphrase for any account with administrative rights.
Again: Re-enter the password to confirm it.
Permissions: Select the account permissions you want to apply to the account:
  Administrator: Full permission to access and configure Corporate Firewall.
  Log: Permission to view the system log files.
  Operator: Permission to shut down or reboot the system.
  Portal User: Permission to access the user portal pages.
  Realtime logs: Permission to view realtime logs.
  Reporting system: Permission to access the reporting system.
  Rule editor user: Permission to edit rules.
  Temp ban: Permission to access and change temporary ban status.
  VPN: Permission to access VPN settings.
Grant the narrowest permission that covers the person's job; someone who only reviews logs needs Log and Reporting system, not Administrator.

3 Click Add to add the account.

Changing a User's Password

To set or edit a user's password:
1 Browse to the system > administration > passwords page.
2 In the Current users area, select the user and click Edit.
3 Enter and confirm the new password in the Password and Again fields.
4 Click Add to activate the changes.

Hardware
The following sections discuss UPS, modem and firmware settings.

UPS Settings
Corporate Firewall can be connected to a local UPS (Uninterruptible Power Supply) device to protect the system against power cuts. With this arrangement, local UPS status monitoring can be configured, and the system can be configured to react automatically when it detects that it is using UPS battery power. In this mode, it is also possible for Corporate Firewall to act as a UPS 'master', and broadcast power status messages to other appropriately configured 'slave' systems or devices so that they too can react to power changes. Alternatively, Corporate Firewall can be configured as a 'slave' to an appropriately configured 'master' UPS system or device. In this mode, the status of the UPS service is updated over the network whenever the UPS 'master' device alerts the Corporate Firewall system. This mode also allows Corporate Firewall to react when it is informed that UPS battery power is being used.

Enabling UPS Monitoring

To enable UPS monitoring:
1 Navigate to the system > hardware > ups page.
2 Configure the following settings:

Enable UPS monitor support: Select to enable support.
UPS connection type: Select one of the following options:
  Local connection: select to monitor a UPS device which is directly connected to the Corporate Firewall system. For more information, see Configuring a Local UPS Connection on page 247.
  Network connection: select to monitor a UPS device that is connected to the network. For more information, see Connecting to a Network UPS on page 247.

3 Click Save.

Configuring a Local UPS Connection

Once UPS monitoring is enabled and operating in Local connection mode, the local UPS settings are configured using the Local UPS Configuration area. The following controls are used to configure a local UPS connection:

Select UPS type: Used to set the manufacturer, model or compatible setting for the local UPS device (refer to the UPS device's technical documentation if this is not readily known).
Select UPS COM port: Used to set the serial or USB port that the UPS device is attached to.
Select UPS cable type: Used to set the type of cable that connects to the UPS device (refer to the UPS device's technical documentation if this is not readily known).

To configure a local UPS connection:
1 Navigate to the system > hardware > ups page.
2 Choose the manufacturer, model or compatible setting for the UPS device from the Select UPS type drop-down list.
3 Choose the serial or USB port that the UPS device is attached to from the Select UPS COM port drop-down list.
4 Choose the cable type that the UPS device is attached by from the Select UPS cable type drop-down list.
5 Click Save.

Connecting to a Network UPS

Once UPS monitoring is enabled and operating in Network connection mode, the network UPS settings are configured using the Network UPS Configuration area. The following controls are used to configure a network UPS connection:

Master IP Address: The IP address of the 'master' UPS device.
Port: The numeric port number of the master UPS device's network service.

To configure a network UPS connection (with Corporate Firewall acting as a UPS 'slave'):
1 Navigate to the system > hardware > ups page.
2 Enter the IP address of the master UPS device into the Master IP Address field.
3 Enter the port number that the master UPS device uses into the Port field.
4 Click Save.

Customizing UPS Behavior

Once UPS monitoring is enabled and an appropriate connection to a remote or local UPS device has been configured, UPS behavior can be customized in the Action to take when UPS on battery area. The following controls are used to customize UPS behavior:

Action to take...: Provides a combination of choices that configure different logging, shutdown and continue options in the event of a switch to battery power.
Force shutdown...: Used to forcibly shut down the system once battery power falls below a set level (between 5% and 30%). This feature only works with UPS devices that support UPS 'Smart' mode (refer to the UPS device's technical documentation to determine whether this functionality is supported).

To customize UPS behavior:
1 Navigate to the system > hardware > ups page.
2 Choose what action should be taken when using battery power from the Action to take drop-down list.
3 If the UPS device operates in Smart mode, use the Force shutdown drop-down list to choose the battery power level that will trigger a forced shutdown of the Corporate Firewall system.
4 Click Save.

Viewing UPS Device Status

If UPS monitoring is enabled and all UPS configuration is correct, the UPS area can be used to view a variety of UPS status information. The following information fields are displayed:

Status: The current status of the UPS device.
UPS monitor daemon: The current status of the system's UPS monitoring service.
Time and date of listed status information: The time of the last update.
Model: The model description of the UPS device.
Serial number: The serial number of the UPS device.
Cable type: The UPS device's cable connection type.
Load percentage: The current load required from the UPS as a percentage of the total UPS output capacity.
Battery charge: The amount of charge currently stored in the UPS device's battery.
Estimated battery run time: The estimated duration that battery power can be sustained whilst being used.
Time been on battery: The amount of time that the UPS device has used battery power for (if currently running on battery).
Line supply voltage: The mains voltage.
Line supply frequency: The mains frequency.
UPS internal temperature: The internal temperature of the UPS device.
Last time was on battery: The last date and time that the UPS device's battery was used.
Last time came off battery: The last date and time that the UPS device switched from battery to mains.
Last reason for switching to battery: The last reason for switching to battery power.

Acting as a UPS Master Device

The system can be configured to operate as a UPS 'master' device, allowing it to connect to appropriately configured 'slave' devices and send them UPS status updates.

UPS devices can be daisy-chained to propagate UPS status updates. This means that the system can operate as both a slave and a master, i.e. the system connects as a slave to a UPS system or device over a network and receives UPS status updates. Following each update, the system acts as a master by sending status information to its slaves.

To act as a UPS master device, UPS monitoring must be enabled and a local or network UPS connection must be configured and working correctly. The Local UPS configuration area is then used to enter the appropriate settings.

To act as a UPS master:
1 Navigate to the system > hardware > ups page.
2 Enter the port number that UPS slaves can connect to into the Port field.
3 Enter up to five IP addresses into the Slave IP Address fields. Each IP address should belong to a UPS 'slave' device.
4 Click Save.

Because slaves act on what the master tells them, up to and including shutting down, keep the master's port reachable only from the listed slave addresses on an internal network, and list only hosts you control.

Configuring Modems
Corporate Firewall can store up to five modem profiles.

249

To configure a modem profile:
1 Browse to the system > hardware > modem page.
2 Configure the following settings:

Profiles: From the drop-down list, select Empty to create a modem profile.
Profile name: Enter a name for the modem profile.
Interface: Select the serial port that the modem is connected to.
Computer to modem rate: Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.
Modem speaker on: Select to enable audio output during the modem dialing process, if the modem has a speaker.
Dialing mode: Select the dialing mode. Tone: select if your telephone company supports tone dialing. Pulse: select if your telephone company supports pulse dialing.
Init: Enter the commands required to initialize the modem.
Hangup: Enter the commands required to end a connection.
Speaker on: Enter the commands required to turn the speaker on.
Speaker off: Enter the commands required to turn the speaker off.
Tone dial: Enter the commands required to turn tone dialing on.
Pulse dial: Enter the commands required to turn pulse dialing on.
Connect timeout: Enter the amount of time in seconds to allow the modem to attempt to connect.

3 Click Save to save your settings and create the profile.

SmoothWall Corporate Firewall Administrators Guide

Installing and Uploading Firmware

Alcatel SpeedTouch USB ADSL modems do not work without the third-party mgmt.o firmware file, which you upload to Corporate Firewall on this page. Obtain the file from the modem vendor and verify its integrity before uploading it.

To upload and install the Alcatel firmware:
1 Navigate to the system > hardware > firmware upload page.
2 Click Browse adjacent to the Upload file field.
3 Use the browser's Open dialog to find and open the mgmt.o firmware update file.
4 Click Upload to upload the firmware update.

Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.

Note: The 330 version of this modem also requires its own firmware update to function correctly.

Diagnostics

The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.

Configuration Tests
The configuration tests page is used to ensure that your current Corporate Firewall settings are not likely to cause problems. Components installed on your Corporate Firewall add tests to this page which, when run, highlight problem areas. For example, DNS resolution is checked, gateways are pinged and network routing is tested.

To test your configuration:
1 Navigate to the system > diagnostics > configuration tests page.
2 Click Perform tests. The results are displayed in the Details area.

Note: TCP port forwards are tested by attempting to connect to the destination IP address and port. If a port forward is to a port range, the first and last ports in the range are tested. If a test fails, it is classified as a timeout if the destination takes longer than 1 second to respond, or as unreachable if the test receives an error condition as a response. If a test is successful, the time taken for the destination to respond is displayed (or the average time in the case of a port range). If one or more port forwards in a range are successful and one or more others in the same range are unsuccessful, this is displayed as a warning. The test is made from the firewall itself, so a successful result shows that the forward's destination accepts connections, not that the forward is reachable from the Internet.

Generating Diagnostics
Corporate Firewall provides diagnostics facilities, typically used to provide SmoothWall support engineers with complete system configuration information to aid problem solving.

To generate a diagnostics file:
1 Navigate to the system > diagnostics > diagnostics page.
2 Configure the following settings:

System: Select All to include all system components, or individually select the components you want to include in the diagnostics results.
Modules: Select All to include all modules, or individually select the modules you want to include in the diagnostics results.

3 Click Generate. When prompted, save the results in a suitable location for review.

The file contains the complete configuration of the components you selected, so treat it as confidential: review it before sending it to support and transfer it over an encrypted channel.

IP Tools
The IP tools page is used to check connectivity, both from Corporate Firewall to computers on its local networks and to hosts located externally on the Internet. There are two IP tools:

Ping
Ping establishes that basic connectivity to a specified host can be made. Use it to prove that Corporate Firewall can communicate with hosts on its local networks and with external hosts on the Internet.

Traceroute
Traceroute reveals the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and usually slower) path.

The output of these commands is as it would be if the commands were run directly by the root user from the console of the Corporate Firewall system; it is simply more convenient to run them from this page.

To use Ping:
1 Navigate to the system > diagnostics > ip tools page.
2 Select the Ping option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4 Click Run. The result of the ping command is displayed.

To use Traceroute:
1 Navigate to the system > diagnostics > ip tools page.
2 Select the Traceroute option from the Tool drop-down list.
3 Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4 Click Run. The result of the traceroute command is displayed.

WhoIs
Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Intrusion Detection System logs, which can assist in identifying malicious hosts.

To use Whois:
1 Navigate to the system > diagnostics > whois page.
2 Enter an IP address or domain name that you wish to look up in the IP addresses or domain name field.
3 Click Run. The output of the whois command is as it would be if the command were run directly by the root user from the console of the Corporate Firewall system; it is simply more convenient to run it from this page.

Analyzing Network Traffic

The traffic analysis page displays detailed information on what traffic is currently on the network.

To analyze traffic:
1 Navigate to the system > diagnostics > traffic analysis page.
2 From the Interface drop-down list, select the interface.
3 From the Time to run for drop-down list, select how long to analyze the traffic.
4 Click Generate. After the time specified has elapsed, a breakdown of what ports and services have been used is presented, as well as specific information on connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received on web requests.

Because the transcript contains the payload of users' sessions, including any unencrypted credentials and personal content, run the capture only for as long as the diagnosis needs and limit who holds the administrative access required to view it.

Managing CA Certificates
When Corporate Firewall's instant messenger proxy and/or the add-on module SmoothGuardian are configured to intercept SSL traffic, the certificates presented by the intercepted servers must be validated. Corporate Firewall validates them by checking them against the list of installed Certificate Authority (CA) certificates on the system > certs > ca page. Any CA in this list can vouch for any server the proxies connect to on your users' behalf, so import only CAs you have verified and remove those you do not need. The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available. For information on certificates used in VPNs, see Chapter 9, Virtual Private Networking on page 95.

Reviewing CA Certificates
By default, Corporate Firewall comes with certificates issued by well-known and trusted CAs.

To review the certificates:
1 Browse to the system > certs > ca page. Corporate Firewall displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Corporate Firewall by default.
2 To review a specific certificate, click on its name. Corporate Firewall displays it.
3 Click your browser's Back button to return to Corporate Firewall.

Importing CA Certificates
To import CA certificates:
1 Navigate to the system > certs > ca page and locate the Import Certificate Authority certificate area.
2 Click Browse, navigate to the certificate and select it.
3 Click the import option. Corporate Firewall imports the certificate and displays it at the bottom of the list.

Exporting CA Certificates
To export certificates:
1 On the system > certs > ca page, select the certificate.
2 From the Export format drop-down list, select one of the following options:

CA certificate in PEM: Export the certificate in the Base64-encoded ASCII (textual) format, which most operating systems, including Microsoft Windows, can import.
CA certificate in BIN: Export the certificate in the binary (DER) format.

3 Click Export and save the certificate on suitable medium.

Deleting and Restoring Certificates

You can remove built-in certificates from the list on the system > certs > ca page. You can also restore them to the list if required.

To delete certificates: On the system > certs > ca page, select the certificate(s) and click Delete. Corporate Firewall removes the certificate(s).

To restore the built-in list: On the system > certs > ca page, click Clear built-in deleted list. Corporate Firewall restores any built-in certificates which have been deleted from the list.
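Before importing a CA, a practitioner checks that the file is intact and that its fingerprint matches the one the CA publishes, whichever of the two export formats it arrived in. The following is an added example and not part of the product: it converts between the PEM and BIN (DER) forms described above, checks that the outer DER framing accounts for every byte (a truncated upload fails this), and prints a SHA-256 fingerprint for comparison. The sample input is a constructed DER SEQUENCE, not a real certificate; the code makes no attempt to parse the certificate's contents.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(blob):
    """Normalise either export format to DER bytes.  PEM is the Base64 text
    between the BEGIN/END CERTIFICATE lines; BIN is raw DER, which always
    starts with the SEQUENCE tag 0x30."""
    match = PEM_BLOCK.search(blob)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if blob[:1] == b"\x30":
        return blob
    raise ValueError("input is neither PEM armor nor a DER SEQUENCE")


def to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character lines."""
    text = base64.b64encode(der)
    lines = [text[i:i + 64] for i in range(0, len(text), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def der_is_complete(der):
    """Check that the outer SEQUENCE header's length equals the bytes present,
    which catches a truncated or padded file before it is imported."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: (first & 0x7F) length bytes follow
        count = first & 0x7F
        if count == 0 or count > 4 or len(der) < 2 + count:
            return False
        length, header = int.from_bytes(der[2:2 + count], "big"), 2 + count
    return header + length == len(der)


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form CAs publish."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: a DER SEQUENCE holding a 126-byte OCTET STRING, chosen so
# the outer length uses the long form (0x81 0x80).  It is not a certificate; a
# real CA certificate is a SEQUENCE with the same outer framing.
SAMPLE_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 126
SAMPLE_PEM = to_pem(SAMPLE_DER)


if __name__ == "__main__":
    der = to_der(SAMPLE_PEM)
    print(der_is_complete(der), fingerprint(der))
```

Fingerprints are always computed over the DER bytes, which is why the PEM and BIN exports of one certificate give the same value; compare that value with the fingerprint on the CA's own site, not with one sent in the same message as the certificate.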

Appendix A

Troubleshooting VPNs
In this appendix: Solutions to problems with VPNs.

Site-to-site Problems
All the PCs that are to participate in the VPN need to be fully operational and visible on the network before attempting to install and configure VPN software.

Check that it is possible to ping the IP address of the RED (Internet) NIC on both Corporate Firewall systems. Failure to get a ping echo would indicate one of the following:

You have the wrong IP address for the remote Corporate Firewall.
The remote Corporate Firewall is not running.
There is a network connection problem; check routers, hubs and cables etc.
There is a problem at your Internet Service Provider.
Corporate Firewall has ping disabled via the admin interface.

Other points to check:

Verify IP addresses by checking the networking > interfaces > interfaces page for the appropriate Ethernet card.
Check the routing information displayed in Corporate Firewall's status page; there must be a default route (gateway).
Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. Specifically, ESP uses IP protocol 50 and AH uses IP protocol 51; neither is TCP or UDP, so a filter that only passes those two drops them. IKE negotiation uses UDP port 500. In particular, if the tunnel goes into OPEN mode but no packets flow between the two networks, it is possible that one of the ISPs involved is blocking the ESP or AH packets.
To simplify the problem, attempt to get a connection with shared secrets before moving on to certificates.
Verify the symmetry in the tunnel specification, i.e. that the IDs, IP addresses and Remote network addresses are mirrored. This is where most people make mistakes.
Each node on the VPN network must have its own unique certificate. At least one field in the subject must be different. The subject is a composite of the information fields supplied when the certificate is created. Likewise the Alt (Alternative) Name field must be unique for each certificate. Obviously fields like company name can be common to all certificates.
A different local network address must be configured at both ends of the tunnel; they cannot both use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address.
Be consistent with IDs. For example: hosts on static IPs should use the hostname of the gateway as the ID; hosts on dynamic IPs should use the administrator's email address; road warriors should usually not use an ID, unless they are using an unusual client that requires one.
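The two checks above that catch most site-to-site failures, mirrored tunnel specifications and distinct local networks, can be done mechanically before touching the firewalls. The following is an added example, not part of the product or this guide: it takes the tunnel as described from each gateway, using field names chosen here for illustration (local_ip, remote_ip, local_id, remote_id, local_net, remote_net), reports every field that is not mirrored, and reports local networks that are identical or overlapping. The gateways and addresses are constructed placeholders.

```python
import ipaddress

# Constructed tunnel specifications as seen from each gateway, using the fields
# the troubleshooting list says must mirror each other.  Addresses are from the
# documentation ranges and the hostnames are placeholders.
GOOD_A = {"local_ip": "203.0.113.1", "remote_ip": "198.51.100.1",
          "local_id": "fw-a.example.com", "remote_id": "fw-b.example.com",
          "local_net": "192.168.10.0/24", "remote_net": "192.168.20.0/24"}
GOOD_B = {"local_ip": "198.51.100.1", "remote_ip": "203.0.113.1",
          "local_id": "fw-b.example.com", "remote_id": "fw-a.example.com",
          "local_net": "192.168.20.0/24", "remote_net": "192.168.10.0/24"}

# The same pair with two common mistakes: a mistyped remote ID on B, and both
# sides left on the same local network.
BAD_B = dict(GOOD_B, remote_id="fw-a",
             local_net="192.168.10.0/24", remote_net="192.168.10.0/24")


def check_tunnel_pair(left, right):
    """Return a list of findings for a site-to-site tunnel described from both
    ends.  An empty list means the specification is symmetric and the local
    networks are distinct."""
    findings = []
    for mine, theirs in (("local_ip", "remote_ip"),
                         ("local_id", "remote_id"),
                         ("local_net", "remote_net")):
        # Each end's "local" value must appear as the other end's "remote" value.
        if left[mine] != right[theirs]:
            findings.append("left %s %r is not right %s %r"
                            % (mine, left[mine], theirs, right[theirs]))
        if right[mine] != left[theirs]:
            findings.append("right %s %r is not left %s %r"
                            % (mine, right[mine], theirs, left[theirs]))

    left_net = ipaddress.ip_network(left["local_net"], strict=False)
    right_net = ipaddress.ip_network(right["local_net"], strict=False)
    if left_net == right_net:
        findings.append("both ends use local network %s; they must differ" % left_net)
    elif left_net.overlaps(right_net):
        findings.append("local networks %s and %s overlap" % (left_net, right_net))
    return findings


if __name__ == "__main__":
    print(check_tunnel_pair(GOOD_A, GOOD_B))      # []
    for finding in check_tunnel_pair(GOOD_A, BAD_B):
        print("-", finding)
```

Fill the two dictionaries from each firewall's tunnel page and run the check; an ID that differs only by a trailing domain or a single character is exactly the mismatch this finds and the eye misses.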

L2TP Road Warrior Problems

The most likely problem with L2TP road warriors is establishing the initial IPSec transport connection, and the most likely reason for a failure at this stage is an incorrect or invalid certificate. The same problems that can occur with any other type of IPSec connection can also occur with an L2TP road warrior. However, because the vast majority of parameter values are predefined, it is generally unlikely for an IPSec protocol error other than a certificate problem to occur. First of all, verify the correct certificate is installed using the Microsoft MMC tool. There must be a CA certificate, as well as a host certificate, present in the system. Also verify the certificate is within its valid time window. If the certificate is newly created, and the time is set incorrectly by only an hour or so, the connection will be refused because the certificate is not yet valid. MMC has facilities for verifying that a host certificate is recognized as being valid. Note that the error messages produced by the L2TP client can be somewhat strange: Modem not responding can mean that there was an IPSec certificate error, for instance. Check the IPSec logs first when looking for causes of problems. As a last resort, you can also enable debug logging on the Windows client.

Enabling L2TP Debugging

In a default configuration, Microsoft's L2TP client does not produce any log files. This can make diagnosing problems difficult if the logs on the Corporate Firewall gateway are not sufficient for finding the cause or causes of connection issues.

To enable IPSec-level logging if you are using Windows 2000 or XP, you must create a registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

Add a REG_DWORD value named 'EnableLogging'. Set the value to 1 to enable logging, or 0 to disable it. After changing this value, the VPN service must be restarted. From the command line:

net stop policyagent
net start policyagent

The log file will be in the Windows system directory:

\debug\oakley.log

The log records the IKE negotiation in detail; set EnableLogging back to 0 and remove the file once the problem is found.

The following URL is Microsoft's own guide to debugging L2TP connection problems:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325034

Note: SmoothWall does not endorse manually editing the registry. Incorrectly altering registry values may result in registry corruption and render the computer unusable.

Windows Networking Issues

In order to facilitate network browsing under Microsoft Windows across the VPN, it is necessary to make sure both ends of the tunnel are properly configured.

In small, single subnet Windows networks, network browsing is facilitated via network broadcasts. In these small networks, network neighborhood will just work without any configuration required. If a road warrior were to connect in, though, it would be unable to browse the network unless the administrator has configured the network to enable it. This is because network broadcasts do not normally cross network boundaries, such as routers and VPNs. This problem is exactly what Windows network administrators experience when connecting two or more subnets via a router. If you are familiar with setting up multiple subnets of Windows machines, then the problem to be solved is the same.

In the case of road warrior connections, the details depend on the client in use. The built-in L2TP client for Windows can be configured to accept WINS and DNS server settings from the server. These parameters are configured in the Global Settings page.

For inexperienced Windows administrators, the following notes are provided to assist with configuring your network to enable network browsing across the VPN. For NT networks, you will require a WINS server, normally running on your PDC. This WINS server is analogous to a DNS server for the Windows machines. Each of your desktop machines and servers should be configured to use the central WINS server in its network properties box. Any road warriors connecting in should also be set to use this WINS server. If this is done then when they are connected to the office network via the VPN, they should be able to browse the office network, attach to printers and shares, etc.

In more complex arrangements, such as two subnets of Windows machines with a VPN between the two, it is necessary to set up either one WINS server and share it between the subnets, or have one on each and configure a replicating system between the two. Again, the problem to be resolved is identical to that which the administrator would face with two normally routed networks.


Appendix B

Understanding Templates and Reports

In this appendix: How to use custom reporting.
Note: Various SmoothWall add-on modules are referred to in the following sections. For more information on the add-on modules available for Corporate Firewall, see Chapter 1, Corporate Firewall Add-on Modules on page 1.

Programmable Drill-Down Looping Engine (PuDDLE)

The Corporate Firewall reporting system is divided into two conceptually different ideas, those of templates and reports. A template is a series of report sections and their configuration which contains instructions for extracting and manipulating data from Corporate Firewall and producing a report by filling in the template's sections.

A template is, as described above, nothing more than a structured series of sections. A report section can be considered to be similar to a building block from a construction kit or a piece from a jigsaw puzzle. It has shape and color and provides some information; however, its power is better expressed when used in combination with other blocks to build more complicated and more interesting shapes.

To this extent a section has a variety of inputs and a number of outputs. These can be connected to each other where the input and output types are equivalent, in the way that jigsaw pieces can be connected if their input and output facets match.

A template in that metaphor is analogous to the instruction sheet for the building blocks: it shows how to assemble the blocks together to produce the report, which is analogous to the finished model. The act of building it takes the template and finds each of the individual blocks, retrieving data as appropriate and assembling it as the template dictates.

Example Report Template

Example Report

Report Templates, Creation and Editing

Creating report templates is done via the Corporate Firewall custom page, which gives rise to the ability to add, remove and manipulate the sections which it contains. The description of how to do this is covered elsewhere; however, there are a few details which allow for some level of flexibility.

Each report template can be assigned an icon, name and description. The name is clearly the name of the report template as it appears in the reports section, and the description and icon options are equally obvious as to their use. The description field is actually unlimited in length and reasonably permissive in the characters it may contain. Long descriptions will be truncated in the interface for brevity; however, the full version of the description will appear under the report template's advanced options.

Once a report template has been created it may be edited (including changing its name) via the edit this report link under the report icon on the reports page. Whilst editing a report template is a useful feature, there are occasions when it would be better to simply alter or manipulate an exact copy of a report template; for this purpose the edit a copy of this report option should be used. This will take a copy of all the report's options and sections whilst leaving the original report template unchanged. When editing a report template, or a copy of a report template, the preview button may be used without making changes to the existing template. Changes will only be saved to the desired report template when the create report option is used. Note again that the edit report option on the report display page (seen whilst viewing a rendered report) is analogous to the edit a copy of this report option seen from the reports page.

Viewing Reports, Exporting and Drill Down Reporting

The term reports has been made deliberately ambiguous and is now used to describe both a report and what was formerly known as a template, with the terms report and report template used in this appendix where the distinction between the two is deemed important. For the bulk of users, the distinction between what is a report and what is a report template is unimportant; each will eventually show them a set of details about what their system is doing, what it has been doing historically and where their users may have been attempting things with nefarious ends. The difference between the two is perhaps moot for the most part; however, the key difference is that a report is a combination of several things: the report template used to create it and the data which was extracted and interpreted, along with its interpretation.

In the building block metaphor a report template is the instructions alone, Corporate Firewall is the warehouse full of bins of pieces and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with. This should leave the question "so when does the model actually get built?", the answer to which is reasonably simple: the construction of a rendered report requires the following steps to be undertaken, again using the building-block metaphor.

1 Retrieve assembly instructions.
2 Collect necessary parts from the warehouse.
3 Place all the required pieces into a box along with its instructions.
4 Assemble the model and present it to the awaiting small child.

A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model; executing it, i.e. generating a report, will conduct steps 2 and 3. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. this renders the report out into HTML, PDF, Excel, CSV or other formats. These stages are always transparent to the user, but do deserve some explanation. The reports page lists the report templates or instruction sheets. The recent and saved page shows the list of boxed models ready for assembly; clicking on a report template link or a report itself from either the reports or recent and saved pages will complete the missing steps and show the requesting user the final model.

Changing Report Formats

The reporting system provides multiple output formats. Whilst HTML output is the most commonly used, there are additional formats which might allow for further analysis or interpretation of data. The formats available are:

Adobe PDF Format
Adobe PDF Format (suitable for black and white printers)
Microsoft Excel format
Comma Separated Value (csv format)
Tab Separated Value (tsv format)

Due to the nature of a report and the rendering options, changing the rendering method does not regenerate the report, only the way it is presented. Thus any saved reports can be exported exactly as is without the need to regenerate them, making the export process relatively quick in comparison to the generation process.

Changing Report Date Ranges

From the reports page, and whilst viewing a rendered report, it is possible to change the date range over which the report data is accrued. Note that this requires the report data to be regenerated afterwards.

From the reports page, clicking on either the report template name, its icon or one of the output formats shown at the bottom right will use the date range specified at the top of the page.

When viewing a report, the date controls appear at the top right of the page next to the table of contents view; the preview button here will generate a new report according to those date ranges. Note again that both of these actions generate a new report, which may be saved accordingly.

Navigating HTML Reports

The HTML rendered version of a report contains a table of contents for quick and easy navigation within the report. This table is accessed by clicking on the contents button in the top left hand corner of the report when it is being viewed. The table of contents is generated automatically and is based upon the sections contained within the report itself. Features such as feed-forward and iterative reporting are reflected as titles within the report and consequently as a level of indentation in the table of contents. At the bottom right hand side of each section is a link to the top of the page (labelled top); this can (obviously) be used to skip back to the top of the page, where both the table of contents and the rendering format options are presented.


Interpreted Results

Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself. For example, IP addresses can carry whois information which allows for a greater understanding of the IP address and why it might have appeared; URLs too can contain more information than is immediately apparent from viewing the URL. To activate the Corporate Firewall's advanced interpreter, simply hover the mouse over the desired result; this produces a tool-tip which contains more information about the result. For example:

In this example, the user has used the advanced interpreter to show the result for a YouTube video. The URL in question has been truncated to show only the immediately relevant information (the protocol, domain and path), and hovering the mouse over the line in the results produces a tool-tip which not only shows the full URL and any associated parameters but has also retrieved the video title, description and thumbnail from the YouTube server.

The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner.

Saving Reports

Reports can be saved for viewing later if desired. Saving a report stops it being subject to the 48 hour rolling deletion which tidies the reports list each day. It is also important to note that a saved report is format-less and as such can be rendered to HTML, PDF, CSV etc. as desired. Saved reports are listed on the recent and saved page under the reporting section, and can be viewed, deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report.

Changing the Report

Once a report has been generated, the report template used to create it is stored alongside the report data itself, and can therefore be used to produce a new report with refined options or alternative date ranges, or saved to appear on the reports page.

This is achieved in numerous ways depending upon location. When viewing the recent and saved page, underneath the report's icon is an Edit report link. This option presents the custom page with the report template used to generate the report already loaded. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself. Whilst viewing a report, there is an edit report button underneath the table of contents which leads to the custom page with the report template used to generate the viewed report already loaded. Note again that this is a copy of the report template and so may be manipulated as desired.

Investigating Further (Drill down)

Each report section, when it is generated, can present a series of related or drill down reports; these are pre-determined report templates which allow further investigation relevant to the item in the section in question. To illustrate this behavior, imagine a report taken from Guardian which lists the top users who have requested internet sites via the Guardian content filter. This list would present a series of usernames; suggested drill down reports might provide a report on the actual sites visited by an individual user, the full web activity for that user, and so on. This is in a way analogous to the feed-forward reporting which is discussed later; however, drill down is a manual process which allows a particular result to be investigated further. Drill down reports are stored notionally underneath the parent report in the recent and saved section. Related reports are presented in a variety of ways depending upon the number of options available and the section being used. When a particular result has only one related report available, clicking on the result itself leads to the related report for that result. When a result has more than one related report associated with it, clicking on the result produces a menu of the available related reports; clicking on the relevant option generates the corresponding related report.

Note that the list of related reports is determined by the report section and cannot be altered.


Creating Template Reports and Customizing Sections

Report templates and customized sections are managed and manipulated from the custom page on your Corporate Firewall's interface.

Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for the Corporate Firewall's reporting engine to interpret and use to extract and manipulate data from the Corporate Firewall's logs.

A list of available sections is included on the custom page under the heading Available sections. Existing template reports are also included in this list so that, once created, they can be included in new report templates without having to be redefined. The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly; the templates folder at the bottom of this list includes any existing report templates for inclusion as mentioned above. It should be noted that when a template report is included within another template report, its options and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it. On the right of the available sections list is the included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list. To add and remove sections from the included sections list, highlight the sections by clicking on them and use the add or remove controls accordingly. Note that multiple sections can be added at once, and that a section can appear more than once in a template report.

Ordering Sections

Save for the caveats detailed under Grouping Sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section, simply select it from the Included sections list and press either move up or move down depending upon the direction in which you wish to move it. Note that sections cannot be moved outside of their containing folders.

Grouped Sections

Many of the underlying concepts in the Corporate Firewall's reporting system are based around the notion of grouped sections. A section group is a logical construct which allows logically connected sections to be collated together. Grouping two sections together has a number of consequences and allows advanced options such as iteration and feed-forwarding to be used.

Primarily, grouping is done to allow multiple, logically similar sections to share options. For example, the Guardian web content filter module provides a number of reports which can show aspects of the web browsing activity of a particular user: a Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day at which a particular user tends to browse the internet. Both of these sections have a username field; the sections can be grouped together and share the username option, so that it needs to be entered only once when the report is generated.

Groups also form the basis of both iterative reports and feed-forward reports, which are simply special cases of section groups. For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated, and the other sections in the group will iterate over the results from that section.

Groups can contain other groups, which may of course be standard groups, iterative groups or feed-forward groups. They may also contain single sections. By nesting groups within groups, complicated reporting structures can be developed which allow reports to drill down automatically and produce fine grained detail from a high level overview.

Understanding Groups and Grouped Options

The first details shown in a group are a text entry field allowing the group name to be changed; this name allows a group to be given a title which helps with understanding the template structure, and has no influence on the report creation. The second option is a drop down list of repeat options; this is used for controlling iterative and feed-forward reporting and is discussed in the appropriate sections below.

When options are grouped together they are presented as an option in the group under a section called grouped options. They may also have a small visual indicator shown next to them, both in the grouped options section and in the regular options panel for each section. This indicator shows which options are grouped together and allows them to be quickly collated, for example when two options are given slightly different names but require the same value. The list of sections contained within the group is shown below the grouped options, each in its own collapsible section. Grouped options are included for each section here alongside the regular per-section options, with a visual indicator allowing them to be related to their grouped counterparts.

Each option may be overridden by ticking the corresponding checkbox. An option with an override uses the value given to it rather than the value it receives from its grouped parent; thus a group containing two sections which both possess a limit field (the number of items to show) can have different limits applied to them. Next to the override option is a small description denoting why the option is inherently disabled and where its value comes from. This may be grouped, feed-forward or repeating, meaning that the value will be assigned by the parent group, by the results of a feed-forward section, or from the list provided in an iterating group. Options which are not grouped, fed-forward or iterated over are displayed using a format appropriate to the type of value expected. This may be any number of common user interface elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features to assist in finding an appropriate value. Any overridden options are also displayed and entered in this manner and, when provided, replace the inherited values as would be expected.

Feed-Forward Reporting

Due to the jigsaw or building block like nature of reporting sections, a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this, the reporting template system in Corporate Firewall allows a section's results to be used as the source of options for subsequent sections.

To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The Network Interfaces section can be used to show a list of all network interfaces which are configured on Corporate Firewall, or those which are configured for internal or external networking. This information provides limited details for each network interface, such as its IP address; however, it does not show monthly usage statistics.

The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details.

These sections can be chained together using a mechanism known as feed-forward, where the results from one section are used to define the behavior of another. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section. By chaining these two report sections together it is possible to produce a report template which details the configured external interface for Corporate Firewall, and then displays the advanced usage and bandwidth statistics for it.

Iterative Reporting

Some report sections only deal with a limited set of data: a single group, username or IP address, for example. For this reason it may be desirable to repeat a section using mostly the same options, but with one particular option changed each time. For example, it may be desired to see the Individual Network Interfaces section for several (but notably not all) of the local network interfaces. In this case it is possible to select the desired local network interfaces and repeat the section once for each of them. Note that there is potential overlap here; if the desired result is a list of all the local interfaces then feed-forwarding could be used instead. However, feed-forward would produce a list of all internal interfaces, as well as including the Network Interfaces report itself. Note that, whilst it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.
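As an added illustration, not SmoothWall's code and not a description of how PuDDLE is implemented internally, the following Python model executes a template made of sections and groups the way the preceding sections describe: grouped options are inherited by a group's members, a ticked override replaces the inherited value, an iterative group repeats its members once per value of the chosen option, and a feed-forward group runs its feeder section first and then repeats its members once per result row. The log rows, the section names (Group activity, User activity, URL activity) and the result keys are all constructed for the example. The worst_case_runs helper goes one step further than the text and quantifies the fan-out that nesting feed-forward groups produces.

```python
"""Toy model of a PuDDLE-style template: grouped options, overrides, iterative
groups and feed-forward groups.  Assumed data model, not SmoothWall's code."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional
# Constructed Guardian-style access log rows: (group, username, url, denied)
LOG = [
    ("sales",   "alice", "http://example.com/a", True),
    ("sales",   "alice", "http://example.com/b", True),
    ("sales",   "bob",   "http://example.org/c", True),
    ("sales",   "bob",   "http://example.com/a", False),
    ("support", "carol", "http://example.net/d", True),
    ("support", "carol", "http://example.net/e", False),
    ("support", "dave",  "http://example.com/a", True),
    ("admin",   "erin",  "http://example.org/f", False),
]

def top_counts(keys: List[str], limit: int) -> List[str]:
    """Most frequent keys; ties broken by name so results are deterministic."""
    counts = Counter(keys)
    return [k for k, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]]

# Sections take their resolved options and return result rows.  The row keys
# ("Group", "Username", "URL") are the results a feed-forward group can forward.
def group_activity(opts):
    return [{"Group": g} for g in top_counts([r[0] for r in LOG], opts["limit"])]
def user_activity(opts):
    users = [r[1] for r in LOG if r[0] == opts["Group"]]
    return [{"Username": u} for u in top_counts(users, opts["limit"])]
def url_activity(opts):  # only denied requests count, like a ticked "Denied" option
    urls = [r[2] for r in LOG if r[1] == opts["Username"] and r[3]]
    return [{"URL": u} for u in top_counts(urls, opts["limit"])]

@dataclass
class Section:
    name: str
    run: Callable[[Dict[str, Any]], List[Dict[str, Any]]]
    overrides: Dict[str, Any] = field(default_factory=dict)   # ticked override boxes
@dataclass
class Group:
    name: str
    members: list                                             # Sections and/or Groups
    options: Dict[str, Any] = field(default_factory=dict)     # grouped options
    iterate: Optional[str] = None           # repeat "based upon grouped option"
    feeder: Optional[Section] = None        # repeat "using results from a section"
    feed_map: Dict[str, str] = field(default_factory=dict)    # result key -> option name

def execute(node, inherited, report, stats):
    """Walk the template, appending (section, options, rows) and counting runs."""
    if isinstance(node, Section):
        opts = {**inherited, **node.overrides}   # an override beats the inherited value
        rows = node.run(opts)
        report.append((node.name, opts, rows))
        stats[node.name] = stats.get(node.name, 0) + 1
        return rows
    opts = {**inherited, **node.options}
    if node.feeder is not None:
        # The feeder runs first, once; each of its rows becomes one pass over the members.
        passes = []
        for row in execute(node.feeder, opts, report, stats):
            fed = {node.feed_map[k]: v for k, v in row.items() if k in node.feed_map}
            passes.append({**opts, **fed})
    elif node.iterate is not None:
        values = opts.pop(node.iterate)          # the iterated option leaves the group
        passes = [{**opts, node.iterate: v} for v in values]
    else:
        passes = [opts]
    for p in passes:
        for member in node.members:
            execute(member, p, report, stats)
    return []

def run_template(template):
    report, stats = [], {}
    execute(template, {}, report, stats)
    return report, stats

def build_feed_forward():
    """Top groups -> top users in each group -> denied URLs per user (the guide's chain)."""
    per_user = Group("per user",
                     members=[Section("URL activity", url_activity, overrides={"limit": 3})],
                     feeder=Section("User activity", user_activity),
                     feed_map={"Username": "Username"})
    return Group("per group", members=[per_user], options={"limit": 2},
                 feeder=Section("Group activity", group_activity), feed_map={"Group": "Group"})

def build_iterative(usernames):
    """The same URL section repeated for a hand-picked list of users, no feeder."""
    return Group("chosen users", members=[Section("URL activity", url_activity)],
                 options={"limit": 3, "Username": usernames}, iterate="Username")

def worst_case_runs(limits):
    """Section runs per nesting level, and leaf rows, for a feed-forward chain capped at `limits`."""
    runs, fanout = [], 1
    for lim in limits:
        runs.append(fanout)
        fanout *= lim
    return runs, fanout
```

Running build_feed_forward() on the constructed log executes Group activity once, User activity twice (once per top group) and URL activity four times (once per fed user), with the URL section's override limit of 3 replacing the group's limit of 2; build_iterative(["alice", "carol"]) runs the URL section exactly twice, with no feeder section in the output. worst_case_runs([20, 50, 100]) reproduces the guide's estimate of a thousand URL section executions and a hundred thousand URL rows.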

Group Ordering

Sections within a group can be re-ordered; this changes nothing other than the order in which they are included in the final report once the data has been acquired. There are exceptions to this rule, however. Groups utilizing feed-forward require one of their sections to be promoted (denoted as the feeder) to a state where it provides the answers for which the other sections within that group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group's display.

Grouping Sections

To group a number of sections together, select them from the included sections list and then group them using the group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items, including other groups. Similarly, the ungroup command is used either to disband a group or to remove a single item from an existing group. Ungrouping a group disbands that group, moving all its contained sections to the same level of the included sections tree that the group previously occupied; the group folder is then removed.

Ungrouping a single section moves that section up the tree to the same depth as is occupied by the group that it has just been removed from.

Note that ungrouping sections removes any properties that the group contains, and so may affect any feed-forward, iterative or grouped options.

Creating Feed-forward and Iterative Groups

Creating a group construct for use with feed-forward or iterative operations is done in the same way as creating a normal group. It should be noted that when feed-forward is desired, the section producing the results should be included in the group when it is first created, as this forms the basis of the feed-forward.

To create an iterative group, group the desired sections and select the option which will form the basis of the iteration from the Repeat drop-down, which can be found immediately above the grouped options section for that group. Options which may be used in this way are included in the drop-down menu under the heading based upon grouped option, and the list contains most of the options that the grouped options section contains. When iterating over a grouped option, that option is no longer available in the group.

Creating a feed-forward enabled group is done in a similar manner; however, this time the Repeat drop-down includes a list of sections under the title using results from a section. The results returned by each section are visible under the results tab on the section in question, as well as at the bottom right hand side of the section's description in the available sections list. By choosing a section to feed-forward the results from, that section is removed from the normal flow within the group and is instead included as a feeder section. This is due to the nature of feed-forward reports: they must produce the list of results to iterate over prior to iterating over them.

Feed-forward results pass from one variable into another; however, the variables are named in a way which makes them human readable, but not always identically, for the sake of clarity. For example, the Network ARP Table section produces a list of the interfaces on which each connection was seen. The result is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section. Some care should be taken when choosing sections to flow into each other; however, generally a result such as username can be taken to be suitable for feeding a username field.

Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the work load that this would require on Corporate Firewall. For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible. However, this would result in the following execution tree:

Group Activity Section
  20 x User Activity Section
    50 x URL Activity Section
      100 URLs

Hence 20 x 50 x 100 URLs, or potentially the results for a thousand users and a hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times; assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it.

Exporting Options

Each report section provides a list of options which define its behavior. This behavior may be defined at a later stage to make the report template truly flexible. For example, a domain activity section can take a username value to show the domains requested by a particular user which were subsequently banned. Creating a template for this information for each user within an organization is time consuming and unwieldy, to say the least. It is for this purpose that section options may be exported. In this particular example, a domain activity section could be included in a report template and have its Denied status checkbox enabled. Swapping to the export tab shows a list of all the available options for this section; choosing to export the username field prior to creating the report template means that the username field is present for this template report on the reports tab of the Corporate Firewall main interface (information > reports > reports).

Choosing the Denied option on the export tab would again make this setting available outside of the report template (on the reports page); however, it would also have the added effect of allowing a user to turn this option off when using the template. Similarly, typing a username into the section's username option (on the options tab) allows the template report to provide a default username, which can be changed by the person using the report template.

Reporting Folders

Report templates can be arranged into a common hierarchy to allow like-purposed report templates to be kept together and alleviate some of the confusion in finding the desired template. Report templates are structured into one of the following folders on a standard Corporate Firewall installation, assuming that the installation has the SmoothZap and Guardian modules installed.

Email
Firewall and networking
System
Trends

Users
Web content
  IP address analysis
    IP address analysis per web content category
      Blogs
      Image and video sharing
      News
      Reference and educational
      Shopping and online auctions
      Social bookmarking
      Social networking
      Sport
      Web portals and search engines
    Top IP addresses
  User analysis
    User analysis per web content category
      Blogs
      Image and video sharing
      News
      Reference and educational
      Shopping and online auctions
      Social bookmarking
      Social networking
      Sport
      Web portals and search engines
    Top users
  Per category
    Blogs
      Blogger
      Blogs
      WordPress
    Category analysis
    Image and video sharing
      Dailymotion
      Flickr
      Fotolog
      ImageShack
      ImageVenue
      YouTube
    News
      BBC News
      CNet
      CNN
      News
      Slashdot
    Reference and educational
      IMDB
      Wikipedia
    Shopping and online auctions
      Amazon
      Craiglists
      Ebay
      Shopping and online auctions
    Social bookmarking
      Delicious
      Digg
      Reddit
      Stumbleupon
    Social networking
      Bebo
      Facebook
      Friendster
      Hi5
      Linkedin
      Myspace
      Orkut
      Social networking
      Twitter
    Sport
      BBC Sport
      ESPN Sport
    Web portals and search engines
      AOL
      Google
      Search engines
      Windows Live and MSN
      Yahoo
  Site analysis
    Top categories
    Top domains
    Top URLs
    Top web searches

The destination folder for a report template is set when creating the report template itself, by means of the Location option. This option contains an indented drop-down list of the available folders; report templates can be placed in any folder as desired. Folders can be created or deleted from the reports page, which is the main place to find report templates and report folders. It also provides the ability to rename folders and to edit and remove report templates.

Folder navigation is achieved by clicking on the folder name. A location bar is also present along the top of the reports page which allows users to navigate the folder structure. Clicking on a folder higher up in the hierarchy provides a list of the alternative folders on the same level of the tree; this provides a faster means of navigating the list of available folders.

Creating a Folder

To create a folder, simply navigate to the appropriate location in the hierarchy and click on the create folder button next to the location bar; this creates a new folder called new folder with the ability to rename it.

Renaming Folders

Entering the desired name into the text box that is present and clicking rename changes the name of the report folder. A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.

Deleting Folders

Folders can be deleted from the reports page by pressing the red cross icon immediately below the folder image. Only empty folders can be deleted, so care should be taken to ensure that all report templates and other folders have been removed before deleting a folder.

Note that this limitation is in place because folder and report template deletion cannot be undone; therefore such potentially dangerous actions are deliberately long winded.

Scheduling Reports

It is possible to schedule a report template to be executed at a particular time of day and repeated at the desired interval. Reports generated in this way may be saved for later use via the recent and saved reports section and/or emailed to a list of people as an HTML embedded email or a plain text email. Scheduled reports are deliberately flexible and present a full list of all report templates to be scheduled. Options exported to the reports page may also be set on a report by report basis, so it is possible to schedule for one user (the sales manager, for example) the web activity for the sales group using a web activity report template, and for another user (the support manager) the web activity report for the support group by means of the same report template.

Scheduled repeats allow for the automated generation of reports at specific intervals. The intervals available are:

Daily: each day at the allocated time
Weekday: each working day (Monday to Friday) at the allocated time
Weekly: every week at the allocated time, on the same day of the week as the first report
Monthly: every month at the allocated time, on the same day of the month as the first report

Repetition can also be disabled if it is not desirable to receive a report at regular intervals.


Scheduled reports can also be made available to particular portals using the report template's portal permissions. Since portal permissions can be configured to behave differently depending upon the portal the generating user is assigned to, it is possible to assign a specific portal for the scheduled report to be generated by.

Portal Permissions

Reports can be made available to individuals who do not have access to the Corporate Firewall administrative interface via the Corporate Firewall user portal. This is achieved via a report's, or report template's, portal permissions. There are two variations of portal permissions which dictate exactly how a report might be used. Normal report permissions allow a user, via the portal, access to either a particular report or a particular report template. Access in this context means that they are able to generate and view the report data. Automatic access allows a user's reporting activity to be made available to other users via the portal. To clarify this, a report template generates a report when it is used. When it is generated via the portal, this report is by default only available to the user who created it. Automatic access allows this report to be made automatically available to other users who share the author's portal, or to one or more other portals as desired.

The Automatic access permission of portal is a special permission which allows a generated report to be assigned to all members of the portal belonging to the person who generated the report, regardless of which portal that user was in.

Reporting Sections

Generators and Linkers

Reporting sections can be divided into principally two types: generators and linkers. Whilst all report sections generate results, and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context. For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section takes a Guardian username (be it derived from Active Directory or another such authentication mechanism) and shows the IP addresses that are associated with this user in the Guardian web proxy access logs. It also shows the timestamps at which these hits occurred. By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time period during which they were using it. This information is perhaps informative, but not particularly so on its own. However, the results, Client IP address and Time-Period, are both filters which can be applied to other reports, reports which might not be able to associate activity with a particular username. For example, the SmoothIM module provides tracking of Instant Message conversations; however, users are unlikely to (not to mention forbidden from) use their work usernames as their local usernames for such conversations. The SmoothIM module does, however, record the IP address used in these conversations, so using a linker section such as the one described above it is possible to feed from a username, to an IP address, to an IM conversation.

General Sections

The bulk of the Corporate Firewall's reporting sections are reasonably easy to describe and are detailed quite well by their descriptions; there are, however, several big reports which defy such description and require a more in depth discussion, and these are covered later. Standard sections appear in the available sections list in a manner similar to the following. This shows the section's description, title and any results that are returned for use in the system's feed-forward ability.

Network Interfaces

A list of the configured internal and external network interfaces on the system. Includes details about the hardware, configuration and recent network activity for each interface.

This report section lists the interfaces available on Corporate Firewall, including any internal NIC interfaces, external NIC interfaces, modems, VLANs and VPN interfaces.

The options available to this section allow you to discriminate between Internal, External and VPN interfaces, as well as to show or hide any disconnected interfaces.

This section returns an interface which may be passed into a report section such as the Individual network interface report section.

The Anatomy of a URL

URL processing in the Corporate Firewall reporting system is achieved via a series of mechanisms which automatically split a URL into a number of internal parameters; these are used to speed up data processing and achieve the desired results efficiently, with minimal need to understand the dynamics of how an individual web site is constructed. However, some explanation is required, as several of the more advanced features of the Guardian reports require some manipulation of the URL. A Corporate Firewall reporting URL is extracted into three distinct components: the protocol, domain and parameters.

As can be seen, a URL entered into the Corporate Firewall reporting system is automatically highlighted in color to denote where the appropriate parts of the URL are being extracted from.

Appendix B Understanding Templates and Reports Reporting Sections

URLs entered in this fashion can be complete (as in the above example) or can alternatively be partial including a combination of protocol, protocol and domain, domain, domain and parameters or the parameters themselves.

To use a partial URL the URL entered should be of an appropriate format depending upon the combination of parameters which is desired. Separation is effectively done from the right hand side backwards, so any URL starting with / would be viewed as simply the parameters.

A URL fragment starting with characters and ending with the string :// will be interpreted as a protocol.

These options can be turned on individually for the protocol, domain and parameter parts of a URL and for speed / processing reasons it is advised that they be turned on for the minimum of the parts which are possible.

HTTP Request Methods, HTTPS Interception and Man in the Middle


The nature of HTTPS interception means that in essence a HTTPS intercepted site should be treated no differently to a none HTTPS site in terms of its logging, indeed, other than the protocol there is nothing to distinguish HTTP and HTTPS methodology. Guardian however also logs connections made to HTTPS servers where the content of that communication has not been intercepted. To differentiate between the two it is possible to set the HTTP request method (optionally along with the protocol from the domain) to catch HTTPS content which has been intercepted and that which has not.

278

Ve

For this reason it is possible to switch the URL recognition options in the Corporate Firewall reporting system into dealing with URLs as regular expression matches rather than strict matching.

rs

For example, StumbleUpon a Social bookmarking site exists not only at the domain www.stumbleupon.com but also stumbleupon.com a common enough concept with regards to the absence of www. However it also receives some of its content from cdn.stumble-upon.com and stumbleupon.stumble-upon.com.

io

Deciphering a URL can however be a none trivial task, especially due to some web sites, companies and organizations using a variety of load balancing techniques, curious URLs, subdomains and a variety of techniques which can only have been considered a good idea at the time.

A URL which starts with a character other than / and does not end with :// is viewed as being the domain.

SmoothWall Corporate Firewall Administrators Guide

HTTPS connections start with a HTTP CONNECT request, if the connection is not being intercepted this is the only part of the communication which is logged. If the connection is being subjected to HTTPS interception then the requests within the connection are additionally logged.

Hence, searching for options other than CONNECT will provide results which may have been subjected to HTTPS interception. Additionally setting the URL to include the string https:// will return only those results which have been HTTPS intercepted as it restricts the results to those which are via the HTTPS protocol and using a connection method other than CONNECT.
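To make the URL splitting rules and the CONNECT distinction concrete, here is an added example in Python; it is not part of the original guide or the product's code. It splits complete and partial URLs by the rules above, compares a logged URL against a partial or regular expression URL filter (strict mode is assumed to compare each present part exactly, and a regex filter is assumed to contain no / other than at the start of its parameters part), and picks out HTTPS-intercepted hits from a constructed list of (method, URL) pairs.

```python
import re
from typing import NamedTuple, Optional


class UrlParts(NamedTuple):
    protocol: Optional[str]
    domain: Optional[str]
    parameters: Optional[str]


def split_url(text: str) -> UrlParts:
    """Split a complete or partial URL into protocol, domain and parameters
    using the rules the guide gives: a fragment ending in '://' is the
    protocol, anything from the first '/' onwards is the parameters, and what
    remains (not starting with '/' and not ending in '://') is the domain.
    Parts absent from the input come back as None."""
    protocol = domain = parameters = None
    rest = text.strip()
    scheme_end = rest.find("://")
    # Look for the parameters after any protocol prefix so that the '//' of
    # 'http://' is not mistaken for the start of the parameters.
    slash = rest.find("/", scheme_end + 3 if scheme_end != -1 else 0)
    if slash != -1:
        parameters = rest[slash:]
        rest = rest[:slash]
    if rest.endswith("://"):
        protocol = rest[:-3]
        rest = ""
    elif "://" in rest:
        protocol, rest = rest.split("://", 1)
    if rest:
        domain = rest
    return UrlParts(protocol, domain, parameters)


def url_matches(url: str, url_filter: str, regex: bool = False) -> bool:
    """Compare a logged URL against a (possibly partial) URL filter. Only the
    parts present in the filter are compared. Strict mode (an assumption about
    the product) requires each present part to be identical; regex mode treats
    each part of the filter as a regular expression searched within the
    corresponding part of the logged URL."""
    wanted = split_url(url_filter)
    actual = split_url(url)
    for want, have in zip(wanted, actual):
        if want is None:
            continue          # this part of the URL is not filtered on
        if have is None:
            return False      # the filter needs a part the logged URL lacks
        if regex:
            if re.search(want, have) is None:
                return False
        elif want != have:
            return False
    return True


# Constructed sample of Guardian hits as (HTTP request method, URL) pairs; an
# illustrative shape only, not the product's real log format.
SAMPLE_HITS = [
    ("CONNECT", "https://mail.example.com:443"),        # tunnel setup only
    ("GET", "https://mail.example.com/inbox"),          # request seen inside the tunnel
    ("GET", "http://news.bbc.co.uk/1/hi/technology/7878769.stm"),
    ("POST", "https://webmail.example.org/login"),      # request seen inside the tunnel
]


def https_intercepted(hits):
    """Return the hits that can only have been logged through HTTPS
    interception: the URL filter 'https://' restricts to the HTTPS protocol and
    the request method is anything other than CONNECT."""
    return [(method, url) for method, url in hits
            if method.upper() != "CONNECT" and url_matches(url, "https://")]


if __name__ == "__main__":
    for sample in ("http://news.bbc.co.uk/1/hi/technology/7878769.stm",
                   "https://", "stumbleupon.com", "/get_video?video_id=6rNgCnY1lPg"):
        print(sample, "->", split_url(sample))
    print(https_intercepted(SAMPLE_HITS))
```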

Guardian Status Filtering

Each URL which passes through Guardian is subjected to a level of filtering; the resulting action of that filtering is logged and can be used to filter any results within the Guardian reports.

A URL may carry one or more of the following status messages: Almost blocked, Denied (or blocked), Exception, Infected or Modified. Their meanings are as follows.

Almost blocked: denotes any result whose score for phrase analysis was between 90 and 100 (the default score over which a result is blocked). This shows content which contained a number of phrases which elevated its score, but did not quite cause the site to be blocked.

Denied: denotes sites which were blocked by the phrase or URL filtering in the Guardian product. The reason why the page was banned can be determined by adding the include status option on those reports which support it. Note, however, that this can change the ordering of the results.

Exception: the site in question was not filtered for one of several reasons; it may be whitelisted, soft-blocked or temporarily bypassed, or the client IP/group may not be subject to filtering.

Infected: shows content which was marked as viral/malware by the Guardian antivirus system.

Modified: denotes content which was modified as it passed through the Guardian filter. This might be due to a security rule (such as removing JavaScript) or to enforce AUP concepts such as safe search.

Search Terms and Search Phrases

There are three facets to search term reporting on a Guardian system: searching for search terms, filtering by search term and selecting banned search terms.

Discovering search terms and showing them is achieved with the search engine search strings and terms report section. This section has a few peculiarities in its options, which are covered below; however, the section is essentially designed to show the top search terms, or phrases, that have been encountered within the Guardian filtered URLs.

Search terms are denoted as being either an individual word or the entire phrase which was searched for. For example, searching for "babylon 5" earth destroyer would be considered to be three search words, babylon 5, earth and destroyer, and one search phrase. Note that the search term reporting treats any quoted string as a single search word.

Both search terms and phrases can optionally be considered as regular expression matches via the appropriate option under the advanced options. Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar, or stop words. Words such as and, of and the are usually omitted by most search engines, and this can be taken into consideration by using the option individual (uncommon) search terms in the search term matching drop-down box. The list of common search terms is taken to be the list of words omitted by the Google search engine, which is as follows: i, a, about, an, are, as, at, be, by, com, de, en, for, from, how, in, is, it, la, of, on, or, that, the, this, to, was, what, when, where, who, will, with, und, the and www. Additional filtering options for username, group, client IP address and Guardian status are presented for this report. Note that a list of blocked search phrases can be obtained by using the Guardian status denied option under the Guardian status options.

Search words and phrases are assumed to be case insensitive, as the vast majority of searches are done regardless of capitalization; however, search filtering can be made case sensitive by using the case sensitive search option under the advanced options for this report.

Filtering by Search Terms

As explained earlier, individual Guardian reports can be filtered by the search terminology they contain. For example, it is possible to show the top ten domains which contained a search request for the word badger.

This filtering is achieved by using the individual report section's Search term matching options, presented under that section's advanced options. Note that all search term filters operate over the search phrase rather than individual words, and can optionally be changed to use regular expression matches rather than the default mode of operation, which is strings containing this phrase. To search for blocked search terms, this filter can be used in combination with the Guardian status filters.
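As an added example, not from the guide or the product, the Python below splits a search string into search words (quoted strings kept whole), applies the stop-word list above for the uncommon terms mode, ranks terms over a constructed set of searches, and filters phrases by contained string or regular expression, optionally combined with a Guardian status; the (phrase, status) shape of the sample data is assumed.

```python
import re
from collections import Counter

# The common search terms the guide lists as the words omitted by the Google
# search engine ('und' and 'www' included as given).
COMMON_TERMS = frozenset(
    "i a about an are as at be by com de en for from how in is it la of on or "
    "that the this to was what when where who will with und www".split())

# A quoted string is one word; otherwise words are separated by whitespace.
_WORD_RE = re.compile(r'"([^"]*)"|(\S+)')


def search_words(phrase, case_sensitive=False):
    """Split a search phrase into individual search words, so that
    '"babylon 5" earth destroyer' gives 'babylon 5', 'earth' and 'destroyer'.
    Words are lower-cased unless case_sensitive is set, mirroring the case
    sensitive search option."""
    words = [quoted or bare for quoted, bare in _WORD_RE.findall(phrase)]
    return words if case_sensitive else [w.lower() for w in words]


def uncommon_search_words(phrase, case_sensitive=False):
    """The 'individual (uncommon) search terms' mode: the same split with the
    common stop words removed."""
    return [w for w in search_words(phrase, case_sensitive)
            if w.lower() not in COMMON_TERMS]


def top_search_terms(searches, mode="uncommon", top=10):
    """Rank search words ('individual' or 'uncommon') or whole phrases
    ('phrase') across a list of search strings, most frequent first."""
    counter = Counter()
    for phrase in searches:
        if mode == "phrase":
            counter[phrase.lower()] += 1
        elif mode == "uncommon":
            counter.update(uncommon_search_words(phrase))
        else:
            counter.update(search_words(phrase))
    return counter.most_common(top)


def filter_by_search_phrase(entries, needle, regex=False,
                            case_sensitive=False, status=None):
    """Search term matching as the report sections apply it: the filter is
    compared against the whole search phrase, by default as 'strings containing
    this phrase', optionally as a regular expression, and optionally combined
    with a Guardian status such as 'Denied' to list blocked searches."""
    flags = 0 if case_sensitive else re.IGNORECASE
    kept = []
    for phrase, guardian_status in entries:
        if status is not None and guardian_status != status:
            continue
        if regex:
            hit = re.search(needle, phrase, flags) is not None
        elif case_sensitive:
            hit = needle in phrase
        else:
            hit = needle.lower() in phrase.lower()
        if hit:
            kept.append((phrase, guardian_status))
    return kept


# Constructed sample of (search phrase, Guardian status) pairs as the reporting
# system might derive them from filtered URLs; not the product's log format.
SAMPLE_SEARCHES = [
    ('"babylon 5" earth destroyer', "Exception"),
    ("Babylon 5 episode guide", "Exception"),
    ("how to find a badger", "Exception"),
    ("badger cull", "Denied"),
    ("the best of the badger", "Denied"),
]

if __name__ == "__main__":
    print(search_words('"babylon 5" earth destroyer'))
    print(top_search_terms([p for p, _ in SAMPLE_SEARCHES]))
    print(filter_by_search_phrase(SAMPLE_SEARCHES, "badger", status="Denied"))
```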

URL Extraction and Manipulation

The Corporate Firewall reporting system for Guardian contains an advanced reporting section called URL interpretation and reporting, which allows a sophisticated set of URL manipulations to be conducted to extract information from the Guardian logs.

This reporting section has a lot of reasonably complicated options; however, only a few of them are relevant to the discussion of its operation. Those which are not are grayed out in the example above and are omitted from further discussion, as they apply the expected limitations on the search results: changing the number of results, or any username, client IP address or group filter. The most important option for this report section is the URL, which in this example is a regular expression URL referring to the BBC News web site. The protocol and domain fields of the URL in this example are reasonably straightforward: they do not contain any regular expression matches (anything in brackets) and as such are not used for anything further in this report section. The parameters field, however, contains two regular expression matches, the parts between the opening and closing brackets ( ). The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively, and the appropriately labelled term is used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL. In this example there are two matches which are extracted from the URL; consider the BBC News article URL: http://news.bbc.co.uk/1/hi/technology/7878769.stm

The two matches would provide technology and 7878769. Of these two parameters, one is the section of the BBC News site the article is from, the other is the article name. The Match to extract from domain and Match to extract from parameters options select which regular expression match ($1, $2, $3 etc.) to extract from the URL for the purposes of identifying unique content. In this example parameter match 2 would be used to uniquely identify this URL, being the value 7878769, or the article number. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches, in this case the top news articles.

Rebuild and include example URL: As part of its drill-down and feed-forward abilities the URL extraction report section reconstitutes a probable URL for the linked material. When this option is ticked, this reconstructed URL is included in the report alongside the match.

Note: some sites, YouTube for example, can host several different URLs for the same video ID. In these cases the reconstructed URL is a potential URL that might have been used, even if it is not the actual URL that was encountered. To elaborate, both of the following URLs:

http://www.youtube.com/get_video?video_id=6rNgCnY1lPg
http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg

are for the same video and could be matched accordingly (giving two hits for this video); however, the system would then have to construct a probable URL for the content, which in this example would reference either the .com or the .co.uk address.

Recognise common URLs: This option allows the reporting system to recognise common URLs for known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or to extract a page title from an HTML page's header.

In this example we can see that the option is enabled; thus for each of the reconstituted URLs the system would retrieve the HTML (.stm) page from the BBC News web site, extract the <title> section from the page header and include it in the report.

Domain match and Parameter match: These options allow additional information to be fed into the search and replace particular matches in the URL with the appropriate values. The Match to compare domain to and Match to compare parameters to options allow values to be substituted into the appropriate URL regular expression match to further filter the URL. In the above example the Match to compare parameters to value is 1, which means that the value entered into the Parameter match box is substituted into $1 in the URL. Entering technology into the Parameter match field would therefore produce the top 50 news articles from the technology section of the BBC News web site.

Results title: This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content. However, the URL is rarely of interest to anyone viewing the resultant report, although by default it would be included as the section title for the feed-forwarded results. For this purpose it is possible to override the title used for the feed-forward sections by entering a value into the results title box. This can be straight text, or can reference one of the results' feed-forward values by means of a wildcard. In the above example, %matchtitle% is used as the value, which presents the feed-forward result of matchtitle as the title for any feed-forward sections. In this case, %matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively the values %domainmatch%, %parametermatch% or %url% could be used. In this manner, the URL extraction section provides one of the most flexible tools for extrapolating information about particular web sites with no inbuilt understanding of the site. This means that the section can easily be tailored to accommodate new web sites, or internal web sites which may be processed by Guardian but fall outside the scope of the standard templates.
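The BBC News walkthrough above, as an added example in Python that is not the product's own code: bracketed groups of a regular expression URL are numbered across the whole URL (so this simplification assumes the domain part has no brackets), a Parameter match value can be substituted into $1, results are keyed on the extract match, and %wildcard% results titles are expanded. The example URL returned for each match is the first logged URL seen, not a reconstructed one, and article numbers other than 7878769 are constructed.

```python
import re
from collections import Counter


def substitute_group(pattern, n, value):
    """Return the regular expression URL with the contents of its n-th
    top-level bracketed match ($n) replaced by the literal value, keeping the
    brackets so that the numbering of the other matches does not change.
    Assumes every unescaped '(' in the pattern opens a match group."""
    depth = index = start = 0
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # skip escaped characters such as '\.'
            i += 2
            continue
        if ch == "(":
            if depth == 0:
                index += 1
                if index == n:
                    start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and index == n:
                return pattern[:start] + "(" + re.escape(value) + ")" + pattern[i + 1:]
        i += 1
    raise ValueError(f"pattern has no match ${n}")


def url_extraction(urls, pattern, extract_from, compare_to=None,
                   parameter_match=None, top=50):
    """The core of the URL interpretation and reporting section applied to a
    list of logged URLs:
      pattern       the regular expression URL (bracketed parts are $1, $2, ...)
      extract_from  the match that identifies unique content
                    (Match to extract from parameters)
      compare_to    the match into which parameter_match is substituted
                    (Match to compare parameters to / Parameter match)
    Returns (value, hits, example URL) tuples, most hits first."""
    if compare_to is not None and parameter_match is not None:
        pattern = substitute_group(pattern, compare_to, parameter_match)
    matcher = re.compile(pattern)
    hits, example = Counter(), {}
    for url in urls:
        m = matcher.match(url)
        if m is None:
            continue
        key = m.group(extract_from)
        hits[key] += 1
        example.setdefault(key, url)   # first URL seen stands in as the example
    return [(key, count, example[key]) for key, count in hits.most_common(top)]


def results_title(template, **values):
    """Expand %wildcard% references such as %parametermatch% in a results
    title; wildcards without a value are left untouched."""
    return re.sub(r"%(\w+)%",
                  lambda m: values.get(m.group(1), m.group(0)), template)


# Regular expression URL for BBC News articles: $1 is the section, $2 the
# article number (the guide's example with the parameter part written out).
BBC_NEWS = r"http://news\.bbc\.co\.uk/1/hi/([^/]+)/(\d+)\.stm"

# Constructed sample of logged URLs; only 7878769 is taken from the guide.
SAMPLE_URLS = [
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7878769.stm",
    "http://news.bbc.co.uk/1/hi/technology/7881234.stm",
    "http://news.bbc.co.uk/1/hi/business/7880001.stm",
    "http://news.bbc.co.uk/1/hi/business/7880001.stm",
    "http://news.bbc.co.uk/1/hi/business/7880001.stm",
    "http://www.example.com/not-a-news-article",
]

if __name__ == "__main__":
    print(url_extraction(SAMPLE_URLS, BBC_NEWS, extract_from=2))
    print(url_extraction(SAMPLE_URLS, BBC_NEWS, extract_from=2,
                         compare_to=1, parameter_match="technology"))
    print(results_title("%parametermatch% articles", parametermatch="technology"))
```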

In this example the URL extraction section is being used to display the top 50 video results from the YouTube site.

The URL once again contains a series of regular expression matches; this time the domain also includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains, sub-domains and TLDs.

Origin Filtering

Corporate Firewall contains the ability to aggregate reports over several different machines. Several Corporate Firewalls, for example, can be used as a cluster of web content filters, or alternatively the system might be configured to receive the browsing activity of several mobile users via the MobileGuardian content filter. When these results are aggregated onto a central reporting Corporate Firewall system they each contain a unique identifier stating where they came from. This identifier can be used to filter for results which originated from a particular machine, or class of machines.

The origin filter on a Corporate Firewall report allows the class of machine, or in some cases the individual machine, to be used to restrict the results.

Note: The list of originating systems does not include a list of individual MobileGuardian installations, as there may be several dozen or more of these.

Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive its configuration from a specific authentication group, and the default template reports have been constructed with that in mind. By default MobileGuardian filtering would be achieved using a group filter for the appropriate group; however, should more advanced processing be required, the Origin filter could be used instead.

Appendix C

Annual Renewal

In this appendix: Functionality available based on annual renewal subscriptions. See also: http://smoothwall.net/products/annualrenewal/

Feature Pack 1

In Feature Pack 1, the following became available to Corporate Firewall users with annual renewal subscriptions:

Temporary bans: enables you to manage temporarily banned user accounts. For more information, see Chapter 10, Managing Temporarily Banned Users on page 164.

User portals: enables you to create user portals which can be configured to display reports and software downloads depending on the account used to access the portal. For more information, see Chapter 8, Working with User Portals on page 61.

Instant messaging functions: block all file-transfers for certain IM protocols; proxy and monitor Gadu Gadu conversations; automatic whitelisting to control who can instant message your local users. See Chapter 8, Instant Messenger Proxying on page 71 for more information.

Feature Pack 2

In Feature Pack 2, the following became available to Corporate Firewall users with annual renewal subscriptions:

Jabber monitoring: monitor conversations which use the Jabber protocol. For more information, see Chapter 8, Instant Messenger Proxying on page 71.

SSL interception: monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Chapter 8, Instant Messenger Proxying on page 71.

Automated responses: inform users that their conversations are being monitored and that file transfers have been blocked. For more information, see Chapter 8, Instant Messenger Proxying on page 71.
Glossary
Numeric
2-factor authentication The password to a token used with the token. In other words: 2factor authentication is something you know, used together with something you have. Access is only be granted when you use the two together. 3DES A triple strength version of the DES cryptographic standard, usually using a 168bit key. to maintain information integrity, but not secrecy. Algorithm In SmoothWall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it. Alias or External Alias In SmoothWall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface. ARP (Address Resolution Protocol) A protocol that maps IP addresses to NIC MAC addresses. ARP Cache Used by ARP to maintain the correlation between IP addresses and MAC addresses. AUP (Acceptable Use Policy) An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organizations email and Internet systems. The policy explains the organizations position on how its users should conduct communication within and outside of the organization both for business and personal use. Authentication The process of verifying identity or authorization.

A
Acceptable Use Policy

Active Directory A Microsoft directory service for organizations. It contains information about organizational units, users and computers. ActiveX* A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser. AES (Advanced Encryption Standard) A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms. AH (Authentication Header) Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload

Ve

Access control The process of preventing unauthorized access to computers, programs, processes, or systems.

rs
See AUP

io

n
B

Bandwidth Bandwidth is the rate that data can be carried from one point to another. Measured in Bps (Bytes per second) or Kbps. BIN A binary certificate format, 8-bit compatible version of PEM.

287

Glossary

Buffer Overflow An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.

DER (Distinguished Encoding Rules) A certificate format typically used by Windows operating systems. DES (Data Encryption Standard) A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST. DHCP (Dynamic Host Control Protocol) A protocol for automatically assigning IP addresses to hosts joining a network. Dial-Up A telephone based, non-permanent network connection, established using a modem. DMZ (Demilitarized Zone) An additional separate subnet, isolated as much as possible from protected networks. DNS (Domain Name Service) A name resolution service that translates a domain name to an IP address and vice versa. Domain Controller A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources. Dynamic IP A non-permanent IP address automatically assigned to a host by a DHCP server. Dynamic token A device which generates one-time passwords based on a challenge/response procedure.

C
CA (Certificate Authority) A trusted network entity, responsible for issuing and managing x509 digital certificates. Certificate A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs. Cipher A cryptographic algorithm. Ciphertext Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plain text using a cryptographic algorithm. Client Any computer or program connecting to, or requesting the services of, another computer or program. Cracker Cross-Over Cable A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection. Cryptography The study and use of methods designed to make information unintelligible.

Ve

A malicious hacker.

rs

io

D
Default Gateway The gateway in a network that will be used to access another network if a gateway is not specified for use. Denial of Service Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt whilst it attempts to respond to each request.
288

n
E

Egress filtering The control of traffic leaving your network. Encryption The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt (undoes the encryption) it. ESP (Encapsulating Security Payload) A protocol within the IPSec protocol suite that

SmoothWall Corporate Firewall Administrators Guide

provides encryption services for tunnelled data. Exchange Server A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars). Exploit A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.

HTTP (Hypertext Transfer Protocol) The set of rules for transferring files on the World Wide Web. HTTPS A secure version of HTTP using SSL. Hub A simple network device for connecting networks and network hosts.

I
ICMP (Internet Control Message Protocol) One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. IDS (Intrusion Detection System) SmoothWall IDS monitors and logs network traffic and prioritizes detected intrusions giving a good indication towards the severity of intrusions. IP Internet Protocol IPS Intrusion Prevention System IP Address A 32-bit number that identifies each sender and receiver of network data. IPtables The Linux packet filtering tool used by SmoothWall to provide firewalling capabilities. IPSec (Internet Protocol Security) An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF). IPSec Passthrough A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through. IPS Intrusion Prevention System ISP An Internet Service Provider provides Internet connectivity.

F
Filter A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/ she has requested using their web browser.

FIPS Federal Information Processing Standards. See NIST. Firewall A combination of hardware and software used to prevent access to private network resources.

Gateway A network point that acts as an entrance to another network. Green In SmoothWall terminology, green identifies the protected network.

H
Hacker A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent. Host A computer connected to a network. Hostname A name used to identify a network host.

Ve

rs

io

289

Glossary

K
Key A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext. Kernel The core part of an operating system that provides services to all other parts the operating system. Key space The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.

domain name database that specifies an email server to handle a domain name's email.

N
NAT-T (Network Address Translation Traversal) A VPN Gateway feature that circumvents IPSec NATing problems. It is a more effective solution than IPSec Passthrough. NIC Network Interface Card NIST (National Institute of Standards and Technology) NIST produces security and cryptography related standards and publishes them as FIPS documents. NTP (Network Time Protocol) A protocol for synchronizing a computer's system clock by querying NTP Servers.

L2F (Layer 2 Forwarding) A VPN system, developed by Cisco Systems.

LAN (Local Area Network) is a network between hosts in a similar, localized geography. Leased Lines (Or private circuits) A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company. Lockout A method to stop an unauthorized attempt to gain access to a computer. For example, a three try limit when entering a password. After three attempts, the system locks out the user.

Ve

L2TP (Layer 2 Transport Protocol) A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.

io

rs

M
MAC Address (Media Access Control) An address which is the unique hardware identifier of a NIC. MX Record
290

(Mail eXchange) An entry in a

n
O P

OU An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.

Password A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data. PEM (Privacy Enhanced Mail) A popular certificate format. Perfect Forward Secrecy A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised. PFS See Perfect Forward Secrecy Phase 1 Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates

SmoothWall Corporate Firewall Administrators Guide

the security parameter agreement. Phase 2 Phase 2 of 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up. Ping A program used to verify that a specific IP address can be seen from another. PKCS#12 (Public Key Cryptography Standards # 12) A portable container file format for transporting certificates and private keys. PKI (Public Key Infrastructure) A framework that provides for trusted third party vetting of, and vouching for, user identities; and binding of public keys to users. The public keys are typically in certificates. Plaintext Data that has not been encrypted, or ciphertext that has been decrypted.

Private Key A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key. Protocol A formal specification of a means of computer communication. Proxy An intermediary server that mediates access to a service. PSK (Pre-Shared Key) An authentication mechanism that uses a password exchange and matching process to determine authenticity. Public Key A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner. PuTTY A free Windows / SSH client.

rs

Policy Contains content filters and, optionally time settings and authentication requirements, to determine how Corporate Firewall handles web content and downloads to best protect your users and your organization.

io

Port Forward A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router. PPP (Point-to-Point Protocol) Used to communicate between two computers via a serial interface. PPTP (Peer-to-Peer Tunnelling Protocol) A widely used Microsoft tunnelling standard deemed to be relatively insecure. Private Circuits See Leased Lines.

Ve

Port A service connection point on a computer system numerically identified between 0 and 65536. Port 80 is the HTTP port.

n
Q R

QOS (Quality of Service) In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.

RAS (Remote Access Server) A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs. Red In SmoothWall, red is used to identify the Unprotected Network (typically the Internet). RIP (Routing Information Protocol) A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.

291

Glossary

Road Warrior An individual remote network user, typically a travelling worker 'on the road' requiring access to a organizations network via a laptop. Usually has a dynamic IP address. Route A path from one network point to another. Routing Table A table used to provide directions to other networks and hosts. Rules In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.

S
Security policy A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights and define what behavior is and is not permitted, by whom and under what circumstances.

Server In general, a computer that provides shared resources to network users.

SIP (Session Initiation Protocol) A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.

Single Sign-On (SSO) The ability to log in to multiple computers or servers in a single action by entering a single password.

Site-To-Site A network connection between two LANs, typically between two business sites. Usually uses a static IP address.

Smart card A device which contains the credentials for authentication to any device that is smart card-enabled.

SmoothHost A SmoothWall add-on module to provide support for multiple web, email and other servers via red aliasing.

Spam Junk email, usually unsolicited.

SQL Injection A type of exploit whereby hackers are able to execute SQL statements via an Internet browser.

Squid A high performance proxy caching server for web clients.

SSH (Secure Shell) A command line interface used to securely access a remote computer.

SSL A cryptographic protocol which provides secure communications on the Internet.

SSL VPN A VPN accessed via HTTPS from any browser (theoretically). SSL VPNs require minimal client configuration.

Strong encryption A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.

Subnet An identifiably separate part of an organization's network.

Switch An intelligent cable junction device that links networks and network hosts together.

Syslog A server used by other hosts to remotely record logging information.

T
Triple DES (3-DES) Encryption A method of data encryption which uses three encryption keys and runs DES three times. Triple DES is substantially stronger than DES.

Tunneling The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

SmoothWall Corporate Firewall Administrators Guide

U
User name / user ID A unique name by which each user is known to the system.

V
VPN (Virtual Private Network) A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.

VPN Gateway An endpoint used to establish, manage and control VPN connections.

X
X509 An authentication method that uses the exchange of CA issued certificates to guarantee authenticity.

Index
A
accessing 3 admin 3 admin options 12 administration 12 administration login failures 193 administrative users 12 adsl modem settings 26 advanced 8 AIM 73 aim 73 alerts 5, 192 administration login failures 192 email 223 email to sms 222 firewall notifications 192 hardware failure alerts 192 health monitor 193 inappropriate words in im 193 intrusion detection system monitor 193 l2tp vpn tunnel status 192 license expiry status 192 output system test messages 193 settings 6 smoothrule violations 192 smoothtunnel vpn certificate monitor 192 system boot (restart) notification 193 system resource monitor 193 system service monitoring 193 traffic statistics monitor 193 update monitoring 193 vpn tunnel status 192 application helper 52 ftp 52 h323 passthrough support 53 irc 52 pptp client support 52 archives 11 authentication 9, 161 global settings 161 SSL login 170 time-out 161 authentication system diagnostics 173 managing 172 restarting 173 settings 161 status 173 stopping 173 automatic whitelisting 74 av 9

B
ban 164 banned users 163 BitTorrent 55 black-list users 74 bridging rules 43 zones 43

C
ca 12, 13 censoring 73 certs 13 ca 12 concurrent user logins 162 configuration tests 12 connection methods 21 dial-up modem 27 ethernet 21, 24 ethernet/modem hybrid 21 isdn modem 27 modem 21 connection profiles 21 creating 22 deleting 30 modem 21 modifying 29 connection tracking 38 connections 19 connectivity 8 console connecting via 15 control 5, 9, 13 control page 3 create 5 custom categories 10

D
database 182 backup 7 local 182 password 182 pruning 183 settings 7 username 182 default gateway 20 interface 20 users 162 denial of service 37 dhcp 10 custom options 11 leases 10 server 10 dhcp ethernet 24 settings 25 diagnostics 12 dial-up modem 27 DirectConnect 55 dns 10, 77 dynamic 10 proxy 10 proxy service 78 static 10, 77 documentation 2 DoS 37

E
ECN 38 eDonkey 55 email to sms 222 ethernet 21 external access 12 external services 8, 58 editing 59 removing 59

F
filtering 7 filters 10 firewall 6 accessing browser 3 console 16 connecting 15 notifications 192 firmware upload 12 ftp 52

G
gadu gadu 73 global 10, 13 global settings 22 configuring 22 Gnutella 55 groups 7, 8, 9, 162 banned users 163 default users 162 network administrators 163 renaming 164 unauthenticated ips 162 guardian 13

H
h323 passthrough support 53 hardware 12 hardware failure alerts 192 health monitor 193 hostname 11 https 3 hybrid 21

I
icmp 37 ICMP ping 37 ICMP ping broadcast 37 ICQ 73 ids 6, 10 igmp 37 IGMP packets 37 im 71 proxy 6 im proxy 6 inappropriate words in im 193 information 5 instant messenger 9, 71 block file transfers 73 blocked response 73 blocked response message 74 censor 73 intercept ssl 73 logging warning 73 logging warning message 74 protocols aim 73 gadu gadu 73 icq 73 jabber 73 msn 73 proxy 71, 72 instant messenger proxy enable 72 enabled on interfaces 74 exception local IP addresses 74 interfaces 7 internal aliases 7 inter-zone security 43 intrusion detection system 10 intrusion detection system monitor 193 ip block 7 tools 12 ipsec 6 roadwarriors 13 subnets 13 irc 52 isdn modem 27 settings 27 isp 24

J
jabber 73

K
KaZaA 55

L
l2tp roadwarriors 13 l2tp vpn tunnel status 192 license expiry status 192 licenses 11 local users 9 activity 168 adding 166 deleting 168 editing 167 exporting 168 importing 167 managing 165 moving 168 viewing 167 log settings 6 logs 6

M
mac spoof 25 main about 5 control 5 maintenance 11 message censor 10 custom categories 10 filters 10 time 10 Microsoft Messenger 73 modem 12, 21 settings 28 modem profile 21 modules 11 MSN 73 multicast traffic 37

N
network administrators 163 interface 19 networking 7 restart 20

O
OpenVPN 130 outbound access port rules 54 source rules 57 outgoing 8 output settings 7 output system test messages 193


P
pages 5 information 5 alerts 5 alerts 5 custom 5 logs 6 firewall 6 ids 6 im proxy 6 ipsec 6 system 6 web proxy 6 realtime 6 firewall 6 ipsec 6 portal 6 system 6 traffic graphs 6 reports reports 5 saved 5 scheduled reports 5 summary 5 settings alert settings 6 database backup 7 database settings 7 groups 7 log settings 6 output settings 7 user portal 6 main 5 networking 7 filtering 7 ip block 7 zone bridging 7 firewall 8 advanced 8 port forwarding 8 interfaces 7 connectivity 8 interfaces 7 internal aliases 7 ppp 8 outgoing 8 external services 8 groups 8 ports 8 sources 8 routing 7 subnets 7 settings advanced 8 port groups 8 services 8 authentication 9 control 9 groups 9 local users 9 settings 9 ssl login 9 temporary bans 9 user activity 9 dhcp dhcp custom options 11 dhcp leases 10 dhcp server 10 global 10 dns 10 dns proxy 10 dynamic dns 10 static dns 10 ids 10 intrusion detection system 10 message censor 10 proxies 9 im proxy 9 sip 9 web proxy 9 user portal 9 groups 9 portals 9 user exceptions 9 system 11 administration 12 admin options 12 administrative users 12 external access 12 diagnostics 12 configuration tests 12 diagnostics 12 ip tools 12 traffic analysis 12 whois 12 hardware 12 firmware upload 12 modem 12 ups 12 maintenance 11 archives 11 licenses 11 modules 11 replication 11 scheduler 11 shell 11 shutdown 11 updates 11 preferences 11 hostname 11 registration options 11 time 11 user interface 11 vpn 13 ca 13 certs 13 control 13 global 13 ipsec roadwarriors 13 ipsec subnets 13 l2tp roadwarriors 13 passwords 3 permissive 54 policies 10 port forwarding 8 port forwards 49 comment 51 connection logging 50 creating 50 criteria 49 destination address 51 destination port 51 editing 51 enabled 51 external ip 50 protocol 50 removing 51 source IP 50 source port 51 user defined 51 port groups 8 port rules 54 creating 55 deleting 56 editing 56 modes 54 permissive 54 preset 54 restrictive 54 stealth 55, 57 viewing 56 portal 6, 9, 61, 203 access 63 configure 62 delete 64 edit 64 groups 64 user except 65 portals 9 ports 8 ppp 8 ppp over ethernet settings 25 ppp profile 21 creating 28 pptp client support 52 pptp over ethernet settings 26 preferences 11 primary dns 20 proxies 9 dns 78 sip 75 pruning 183

R
realtime 6 registration options 11 replication 11 reports 5, 95, 175 custom 5 database 182 reports 5 scheduled 5 restrictive 54 routing 7 rules assigning 60 dynamic host 79 external access 243 external service 58 ids 86 internal alias 32 ip blocking 35 port forward 49 source 57 subnet 31 zone bridging 44


S
scheduled reports 5 scheduler 11 secondary dns 20 selective ACK 38 services authentication 9 dhcp 10, 87 dns 10, 77 dns proxy 78 dynamic dns 79 ids 10, 86 message censor 10 portal 9 sip 75 settings 7, 9 shell 11 shutdown 11 sip 9, 75 types 75 site address 16 SmoothGuardian 1 SmoothHost 1 smoothrule violations 192 SmoothTraffic 2 smoothtunnel vpn certificate monitor 192 SmoothZap 2 source rules 57 creating 58 editing 58 rejection logging 57 removing 58 settings 57 sources 8 ssh 15 client 15 web-based 16 SSL 130 ssl login 9, 170 customizing 171 enabling 170 exceptions 171 static ethernet settings 24 stealth 55 subnets 7 summary 5 support 2 SYN backlog queue 38 SYN cookies 37 SYN+FIN packets 38 system 6 system boot (restart) notification 193 system resource monitor 193 system service monitoring 193

T
TCP timestamps 38 telephony settings 29 temporary bans 9 time 11 time slots 10 traffic analysis 12 graphs 6 traffic audit 38 traffic statistics monitor 193 training 2 tutorial vpn 146 zone bridging 45

U
unauthenticated ips 162 unknown entity 16 update monitoring 193 updates 11 ups 12 user activity 9, 168 interface 11 user exceptions 9 user portal 6 users ban 164 banned 163 default 162 local 165 network administrators 163 unauthenticated IPs 162

V
voip 75 vpn 13 vpn tunnel status 192


W
web proxy 6, 9 white-list users 74 whois 12 window scaling 38

Y
yahoo 73

Z
zone bridge narrow 43 rule create 44 settings 44 tutorial 45 wide 43 zone bridging 7, 43

Copyright 2001-2009 SmoothWall All rights reserved.