M86 security Swg User manual

Secure Web Gateway

SWG User Guide

Release 10.2.0 • Manual Version v 10.2.0.1

SWG User Guide

Copyright2

M86 SECURITY SECURE WEB GATEWAY

SWG USER GUIDE

©2012M86Security

Allrightsreserved.

828W.TaftAve.,Orange,CA92865,USA

Version10.2.0.1,publishedFebruary2012forSWGsoftwarerelease10.2.0.

Thisdocumentmaynot,inwholeorinpart,becopied,photocopied,reproduced,translated,or

reducedtoanyelectronicmediumormachinereadableformwithoutpriorwrittenconsentfrom

M86Security.

Everyefforthasbeenmadetoensuretheaccuracyofthisdocument.However,M86Securitymakes

nowarrantieswithrespecttothisdocumentationanddisclaimsanyimpliedwarrantiesof

merchantabilityandfitnessforaparticularpurpose.M86Securityshallnotbeliableforanyerror

orforincidentalorconsequentialdamagesinconnectionwiththefurnishing,performance,oruse

ofthismanualortheexamplesherein.Duetofutureenhancementsandmodificationsofthis

product,theinformationdescribedinthisdocumentationissubjecttochangewithoutnotice.

Trademarks

Otherproductnamesmentionedinthismanualmaybetrademarksorregisteredtrademarksof

theirrespectivecompaniesandarethesolepropertyoftheirrespectivemanufacturers.

SWG User Guide

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

PART 1: Initial Management Console Tasks . . . . . . . . . . . . . . . . . . . . . 9

Chapter 1. Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Performing Preliminary Tasks . . . . . . . . . . . . . . . . . . . . . . . 10

Performing First Time Login, Password Change, and License In-

stallation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

Configuring The Mail Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Performing Basic Tasks in the Management Console . . . . . 12

Logging In and Logging Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Committing Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Working in Multiple Windows . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Relocating an Item in a Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Customizing the Management Console Toolbar . . . . . . . . . . . . .13

Using Keyboard Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Chapter 2. Configuring / Adding Scanning Servers . . . . . . . . . . . . . . 15

Configuring Device General Settings . . . . . . . . . . . . . . . . . . 15

Adding Devices and Device Groups. . . . . . . . . . . . . . . . . . . 17

Moving Scanning Servers To a Different Group . . . . . . . . . 18

PART 2: Implementing User Security Policies. . . . . . . . . . . . . . . . . . . 19

Chapter 3. Defining and Customizing Security Policies. . . . . . . . . . . 20

Editing a Pre-supplied Security Policy in Simplified Mode. 21

Defining a Security Policy in Advanced Mode . . . . . . . . . . 22

Defining a Rule in a Security Policy . . . . . . . . . . . . . . . . . . 22

Defining Conditions in a Security Policy Rule. . . . . . . . . . . 24

Creating a Block/Warn Message . . . . . . . . . . . . . . . . . . . . . 25

SWG User Guide

Table of Contents4

Editing a Message Template. . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 4. Defining and Managing Users . . . . . . . . . . . . . . . . . . . . . . 27

Setting Default User Policy Assignments . . . . . . . . . . . . . . 28

Defining and Managing LDAP Users . . . . . . . . . . . . . . . . . 29

Adding and Configuring LDAP Directories . . . . . . . . . . . . . . . .29

Importing LDAP Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

Configuring LDAP Group Settings. . . . . . . . . . . . . . . . . . . . . . . .31

Importing LDAP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

Setting a Schedule For LDAP Directory Update. . . . . . . . . . . . .32

Assigning Policies to Unassigned LDAP Users . . . . . . . . . . . . . .33

Defining and Managing M86 (Non-LDAP) Users . . . . . . . . 33

Creating/Configuring User Groups . . . . . . . . . . . . . . . . . . . . . . .33

Adding and Defining Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

Moving Users To a Different Group . . . . . . . . . . . . . . . . . . . . . . .36

Defining User Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

PART 3: Configuring Advanced Network Settings . . . . . . . . . . . . . . . 38

Chapter 5. Implementing Identification Policy. . . . . . . . . . . . . . . . . . 39

Defining and Customizing Identification Policy . . . . . . . . . 39

Defining an Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

Chapter 6. Implementing Authentication . . . . . . . . . . . . . . . . . . . . . . 43

Configuring Default and Scanning Server Authentication. . 43

Chapter 7. Defining and Customizing Upstream Proxy Policy . . . . . 46

Defining an Upstream Proxy Policy. . . . . . . . . . . . . . . . . . . 46

Defining a Rule in an Upstream Proxy Policy . . . . . . . . . . . 48

Defining Conditions in an Upstream Proxy Rule. . . . . . . . . 49

Chapter 8. Enabling and Customizing Caching . . . . . . . . . . . . . . . . . 50

Enabling Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

SWG User Guide

Table of Contents

Defining a Caching Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Defining a Rule in a Caching Policy . . . . . . . . . . . . . . . . . . 52

Defining Conditions in a Caching Rule . . . . . . . . . . . . . . . . 53

Chapter 9. Assigning Policies To Devices . . . . . . . . . . . . . . . . . . . . . . 54

Setting Device Policy Defaults . . . . . . . . . . . . . . . . . . . . . . . 54

Assigning Policies to Specific Devices . . . . . . . . . . . . . . . . 55

PART 4: Configuring Logging and Alert Settings . . . . . . . . . . . . . . . . 56

Chapter 10.Defining and Customizing Logging Policy . . . . . . . . . . . . 57

Defining a Logging Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Defining a Rule in a Logging Policy . . . . . . . . . . . . . . . . . . 58

Defining Conditions in a Logging Rule . . . . . . . . . . . . . . . . 59

Chapter 11.Configuring the Log Server . . . . . . . . . . . . . . . . . . . . . . . . 61

Configuring Log Server Settings . . . . . . . . . . . . . . . . . . . . . 61

Chapter 12.Configuring Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Assigning Alert Channels to Event Types . . . . . . . . . . . . . . 66

Configuring SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . 67

Setting Thresholds For Security Alert Notification . . . . . . . 69

PART 5: Performing Monitoring And Maintenance . . . . . . . . . . . . . . 70

Chapter 13.Viewing Security and Component Statuses at a Glance . 71

Viewing Security Status Information (Dashboard) . . . . . . . 71

Viewing Dynamic Component Information . . . . . . . . . . . . . 72

Chapter 14.Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Creating, Editing, and Managing Log Profiles . . . . . . . . . . . 74

SWG User Guide

Table of Contents6

Viewing Transaction Details (Web Log only) . . . . . . . . . . . 76

Chapter 15.Implementing ICAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Configuring SWG To Provide ICAP Services . . . . . . . . . . . 77

Configuring SWG To Use External ICAP Services. . . . . . . 78

Configuring the ICAP Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

Defining ICAP Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Defining an ICAP Forward Policy . . . . . . . . . . . . . . . . . . . . . . . .81

Chapter 16.Viewing and Working With Reports . . . . . . . . . . . . . . . . 84

Running and Viewing Reports . . . . . . . . . . . . . . . . . . . . . . . 84

Creating or Modifying Report Definitions . . . . . . . . . . . . . . 85

Managing Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Defining Report Schedules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86

Adding Report Shortcuts to the Favorites Folder . . . . . . . . . . . .88

Viewing a Report’s History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88

Exporting Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88

Chapter 17.Maintaining Your System . . . . . . . . . . . . . . . . . . . . . . . . . 91

Performing Manual Backup and Restore . . . . . . . . . . . . . . . 91

Viewing and Installing Updates . . . . . . . . . . . . . . . . . . . . . . 92

Importing From and Exporting Policy Databases . . . . . . . . 94

PART 6: Performing Advanced Configuration . . . . . . . . . . . . . . . . . . 96

Chapter 18.Defining Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Creating/Editing an Administrator Group . . . . . . . . . . . . . . 98

Creating/Editing an Administrator . . . . . . . . . . . . . . . . . . . . 99

Setting Access Permissions . . . . . . . . . . . . . . . . . . . . . . . . 100

Configuring RADIUS Server Authentication. . . . . . . . . . . 101

Chapter 19.Performing Additional Configuration Tasks . . . . . . . . . 103

Adjusting Network Settings For a Device . . . . . . . . . . . . . 103

SWG User Guide

Table of Contents

Configuring A Device To Use An NTP Server . . . . . . . . . 105

Configuring Administrative Settings . . . . . . . . . . . . . . . . . 106

Importing Digital Certificates. . . . . . . . . . . . . . . . . . . . . . . 107

Configuring Backup Settings . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring Automatic Update Handling. . . . . . . . . . . . . . 109

Defining and Customizing Device Logging Policy . . . . . . 110

Defining a Device Logging Policy . . . . . . . . . . . . . . . . . . . . . . . .110

Defining a Rule in a Device Logging Policy . . . . . . . . . . . . . . . .110

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

Configuring Default and Device-Specific Access Lists . . . 112

Configuring Transparent Proxy Mode . . . . . . . . . . . . . . . . 113

Scheduling Configuration And Security Updates for Scanning

Server Device Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Implementing High Availability. . . . . . . . . . . . . . . . . . . . . 114

Modifying LDAP Directory Advanced Settings . . . . . . . . 115

Chapter 20.Enabling HTTPS Scanning . . . . . . . . . . . . . . . . . . . . . . . 117

Defining an HTTPS Policy . . . . . . . . . . . . . . . . . . . . . . . . . 117

Defining a Rule in an HTTPS Policy. . . . . . . . . . . . . . . . . . . . . .118

Defining Conditions in an HTTPS Rule . . . . . . . . . . . . . . . . . . .119

Configuring and Certifying HTTPS . . . . . . . . . . . . . . . . . . 120

Chapter 21.Implementing Cloud Security . . . . . . . . . . . . . . . . . . . . . 122

Configuring Cloud Settings in Internal Mode . . . . . . . . . . 124

Configuring Cloud Settings in PKI Mode . . . . . . . . . . . . . 127

Certifying and Managing Cloud Users . . . . . . . . . . . . . . . . 131

Defining a Private Cloud Scanner . . . . . . . . . . . . . . . . . . . 134

SWG User Guide

About This Guide8

BOUT

HIS

UIDE

TheSWGUserGuideprovidestheproceduresthatyouperformontheManagementConsoleto

implement,use,andmaintainSecureWebGateway(SWG)inyourorganization.TheManagement

ConsoleisyourinterfacetoSWG.

Itisimportanttonotethatthisguideisnotareferenceguide.Itdoesnotprovideadetailed

descriptionofallscreensandfields.Nordoesitprovideadetaileddescriptionofconceptsthat

applytoSWGandtheManagementConsole.Forthatinformation,youshouldseetheManagement

ConsoleReferenceGuide.

Thisguideassumesthat:

• youhavealreadyinstalledtheSecureWebGatewayinyourorganization.Forinstallationinstruc‐

tions,seetheSecureWebGatewayInstallationGuide.

• youhavesetuptheSWGusingtheLimitedShell,Forsetupinstructions,seetheSecureWeb

GatewaySetupGuide.

• youhavealreadyplannedoutyoursecurityneeds.

ThisguideisdividedintoPartsandChapters.Thesepartsandchaptersareorganizedinthe

sequenceinwhichyouarelikelytousethemwhenfirstimplementingSWG.Youcan,ofcourse,use

anyprocedureatanytimethatyouneed.

SWG Documentation Set

TheSWGdocumentationsetincludesthefollowingguides:

•SecureWebGatewayInstallationGuide

•SecureWebGatewaySetupGuide

•ManagementConsoleReferenceGuide

•ManagementConsoleUserGuide

•SecureWebGatewayUserSecurityPoliciesInDepthGuide

•SecureWebGatewayUserIdentificationGuide

SWG User Guide

PART 1: Initial Management Console Tasks

PART 1: I

NITIAL

ANAGEMENT

ONSOLE

ASKS

Thispartcontainsthefollowingchaptersandprocedures:

•Chapter1:GettingStarted

•PerformingPreliminaryTasks

•PerformingFirstTimeLogin,PasswordChange,andLicenseInstallation

•ConfiguringTheMailServer

•PerformingBasicTasksintheManagementConsole

•LoggingInandLoggingOut

•ChangingYourPassword

•CommittingChanges

•WorkinginMultipleWindows

•RelocatinganIteminaTree

•CustomizingtheManagementConsoleToolbar

•UsingKeyboardShortcuts

•Chapter2:Configuring/AddingScanningServers

•ConfiguringDeviceGeneralSettings

•AddingDevicesandDeviceGroups

•MovingScanningServersToaDifferentGroup

Chapter 1: Getting Started 10

HAPTER

1:

ETTING

TARTED

Thischaptercontainsthefollowingtopics:

•PerformingPreliminaryTasks

•PerformingBasicTasksintheManagementConsole

Performing Preliminary Tasks

NOTES:ThisguideinstructionsforproceduresthatyouperformontheManagement

Console.ItdoesnotprovidedetaileddescriptionsofManagementConsoleconcepts,screens,

orfields.Forthatinformation,refertotheManagementConsoleReferenceGuide.

Thissectioncontainsthefollowingtopics:

•PerformingFirstTimeLogin,PasswordChange,andLicenseInstallation

•ConfiguringTheMailServer

Performing First Time Login, Password Change, and

License Installation

WhenloggingontotheManagementConsoleforthefirsttime:

1. Inyourwebbrowser,enterhttps://<applianceIPaddress>.

2. Ifanalertmessageidentifiesaproblemwiththewebsite(forexample,itssecuritycertificate),

continuetothewebsite,eveniftheoptionsaysthatthisisnotrecommended.

TheLoginwindowisdisplayed.

Beforeperformingthepreliminarytaskslistedhere,ensurethat:

•SWGhasbeeninstalled.Forinstallationinstructions,seetheSecureWebGateway

InstallationGuide.

• Limitedshellsetuphasbeenperformed.Forsetupinstructions,seetheSecureWeb

GatewaySetupGuide.

•YouhavetheLicensekeyforSWG.

•YouhaveaddedthePolicyServerIPtotheProxyServerExceptionsinyourinternet

settings.AddingthePolicyServerIPisoptionalbutitwillensureoptimumperformance.

SWG User Guide

Chapter 1: Getting Started

3. Entertheadministratorusername(default:admin)andpassword(default:finjan).

4. InthedisplayedChangePasswordwindow,dothefollowing:

a. Enterthecurrentpasswordforthisadministratoruser.

b. Enteranewpassword.ThenreenterthenewpasswordintheConfirmPasswordfield.

c. ClickChangePassword.

5. InthedisplayedLicensewindowentertheLicensekey,andthenclickContinue.

TheManagementConsoleGUIisdisplayed.

Configuring The Mail Server

TheMailServercontrolsthesendingofemailsforsystemevents,applicationevents,andsoftware

updates.TheserverusesSimpleMailTransferProtocol(SMTP).

YouneedtodefinethesettingsfortheMailServer.YoudothisintheMailServerSettingScreen.

To configure the Mail Server

1. SelectAdministration

SystemSettings

MailServer.

2. Atthebottomofthewindow,clickEdit.

3. Toenablethesendingofemail,ensurethattheEnableSendingEmailcheckboxisselected.

4. IntheHostname/IPfield,specifytheIPaddress,orhostname,oftheSMTPServeryouareusing

(forexample,mail.M86.com).

5. InthePortfield,specifythenumberoftheportthattheSMTPServeruses,usually25isspecified.

6. IntheUsernameandPasswordfields,specifytheUsernameandPasswordusedforSMTP

Authentication.Thisisoptional,dependingonyourSMTPrequirements.

7. IntheOriginatingDomainfield,specifythedomainfromwhichemailswillbesent.

8. IntheTestRecipientfield,specifytheemailaddresstowhichthetestemailwillbesent,tovali‐

datethatthemessagesarebeingreceived(forexample,sarah@M86.com).

9. TotesttheMailServerconfiguration,clickTest.Asampleemailalertwillbesenttothetest

recipientemailaddress.

10. ClickSave.

11. Ifyouarereadytodistributeandimplementthechangesinyoursystemdevices,click .

NOTE:WhenlogontoSWGisperformedforthefirsttime,theChangePasswordwindowis

displayed;thepasswordmustbechanged.

SWG User Guide

Chapter 1: Getting Started12

Performing Basic Tasks in the Management Console

Thissectiondescribesthefollowingtasks:

•LoggingInandLoggingOut

•ChangingYourPassword

•CommittingChanges

•WorkinginMultipleWindows

•RelocatinganIteminaTree

•CustomizingtheManagementConsoleToolbar

•UsingKeyboardShortcuts

Logging In and Logging Out

To log into the Management Console

1. Inyourwebbrowser,enter

https://<

appliance IP address>

.

2. Ifanalertmessageidentifiesaproblemwiththewebsite(forexample,itssecuritycertificate),

continuetothewebsite,eveniftheoptionsaysthatthisisnotrecommended.

3. InthedisplayedLoginwindow,entertheusernameandpassword,andclickLogin.

To log out of the Management Console

1. ClicktheLogoutmainmenuoption.

2. Attheconfirmationprompt,clickOK.

Changing Your Password

Alluserscanusethisproceduretochangetheirownpasswords.

To change your password

1. SelectAdministration

ChangePassword.

2. Enteryouroldpassword.

3. Enteryournewpassword.ThenreenterthenewpasswordintheConfirmPasswordfield.

4. ClickChangePassword.

Committing Changes

Todistributeandimplementchangesthatyouhavesaved,youmustclickthe icon.Dependingon

howyouprefertowork,youcanclicktheiconaftereachSave,ortoavoidinterruptingyourwork,

NOTE:Administratorscanchangethepasswordsoftheadministratorsunderthem,inthe

AdministratordefinitionscreenaccessedviaAdministration

Administrators.

SWG User Guide

Chapter 1: Getting Started

youcanwaitandthenclicktheicononlywhenitisconvenienttodistributeandimplementthe

changes.

Working in Multiple Windows

Ifyouareworkinginawindowandneedtoaccessanotherwindow,youdonotneedtocloseyour

currentwindow.Youcanopenmultipletabs,eachactingasaself‐containedwindow.

To open and work in multiple windows

1. Toopenatabthatcontainsawindow,clickthe icon.

Anothertabcontainingawindowopens.Bydefault,itsaysManagementWizard.

2. Navigatetothedesiredlocationinthenewwindow.

3. Tomovetoadifferentwindow,clickthetabofthatwindow.

4. Tocloseatab,click intherightcornerofthetab.

Relocating an Item in a Tree

Dependingontheitemandtree,youcansometimesmoveanitemtoadifferentlocationinatree.

To move an item to a different location in a tree

1. Right‐clicktheitemandselectMoveorMoveto.

2. Selecttheitemaboveorbelowthelocationwhereyouwanttoplacetheitembeingmoved.

3. SelecteitherMoveBeloworMoveAbove,dependingonyourselection.

Customizing the Management Console Toolbar

To display/hide Toolbar icon shortcuts

1. Inthemainmenu,selectAdministration

SystemSettings

AdministrativeSettings.

2. Inthemainwindow,selecttheToolbartab.

3. ClickEdit.

4. Ensurethatonlytheiconsthatshouldbedisplayedareselected.

5. ClickSave.

NOTE:Alternatively,youcanclicktheiconand,inthedropdownlist,checkthoseitems

whichshouldbedisplayed,andthenclickUpdate.

SWG User Guide

Chapter 1: Getting Started14

Using Keyboard Shortcuts

Table1indicatesthekeyboardshortcutsthatyoucanusetoperformvariousactionsinthe

ManagementConsole.

Table1:KeyboardShortcuts

KeyboardShortcut Whatitdo e s

F2 Activates(sameasclicking)Edit

ESC Activates(sameasclicking)Cancel

Alt+u OpenstheUsersmenu

Alt+p OpensthePoliciesmenu

Alt+s OpenstheLogsandReportsmenu

Alt+n OpenstheAdministrationmenu

Alt+l OpenstheHelpmenu

Keyboardarrows • Whenusedinamenu,navigatesinsidethemenu

• Whenusedinatree,navigatesinsidethetree

Chapter 2: Configuring / Adding Scanning Servers 15

HAPTER

2:

ONFIGURING

/ A

DDING

CANNING

ERVERS

SWGcomeswithdefaultdevicesettings.Youcanmodifythesedefaults.Defaultsettingsare

automaticallyappliedtoallnewdevicesthatyouadd.Youcanthenmodifythevaluesforspecific

devices.

SWGalsocomeswithadefaultScanningServerdevicegroup,DefaultDevicesGroup.Youcan

createotherdevicegroups,andaddscanningserverstoanyscanningserverdevicegroup.Foreach

ScanningServerdevicegroup,youcandefineschedulesforautomaticconfigurationandupdateof

thedevicesinthegroup.

Youcanalsomovedevicesfromonegrouptoanother.

Thischaptercontainsthefollowingprocedures:

•ConfiguringDeviceGeneralSettings

•AddingDevicesandDeviceGroups

•MovingScanningServersToaDifferentGroup

Configuring Device General Settings

Usetheproceduretomodifydefaultsettings,andlaterafteryouhaveaddeddevices,toconfigure

settingsforspecificdevices.

To configure Device General settings

1. SelectAdministration

SystemSettings

M86Devices.

2. IntheDeviceconfigurationtree,doeitherofthefollowingundertheDevices(root)node:

• ToconfigureDefaultsettings,selectDefaultValues

DeviceSettings

General.Values

youdefineherewillapplytoallnewdevicesthatyoucreate.

IMPORTANT:Toensurethatoptimaldefaultsvalueswillbeappliedtonewdevices,youshould

modifythedefaultvaluesbeforeaddingnewdevices.

Youc

NOTE:Youcanalso:

•configuredefaultanddevicespecificaccesslists,whichcanlimitaccesstospecificIPsorIP

ranges.Forinstructions,seeConfiguringDefaultandDevice‐SpecificAccessLists.

•selectScanningServersforautomaticupdate.Forinstructions,seeIfyouarereadyto

distributeandimplementthechangesinyoursystemdevices,click..

SWG User Guide

Chapter 2: Configuring / Adding Scanning Servers16

• ToconfigurethesettingsforaspecificScanningServer,select<device_group>



<device_ip>

ScanningServer

General.

Themainwindowdisplaystabsforconfiguringthefollowing:Downloads,Timeout,Trans

parentProxyMode,andDevicePolicy.

3. ClickEdit.

4. IntheDownloadstab,specifyinmegabytesthemaximumscannablesizesforfilesdownloador

uploadviatheproxy.

5. IntheTimeouttab,youcanspecifythefollowingtimeoutvalues:

•ClientSideTimeout—maximumlapsetimebetweenconsecutiverequestswithintheclient‐

proxyconnectionbeforeatimeoutisdeclared.

•ServerSideTimeout—maximumlapsetimebetweenreceptionofconsecutivepiecesof

datafromtheserverbeforeatimeoutisdeclared.

6. ToenableandconfigureTransparentProxyMode,followtheinstructionsinConfiguringTrans‐

parentProxyMode.

7. IntheDevicePoliciestab,youcanassignexistingpoliciesIdentification,DeviceLogging,

UpstreamProxy,andCachingpolicies,asdefaultsortothespecificdevice.Iftheneededpolicies

arenotyetdefined,youcanperformthepolicyassignmentslater.Forinstructions,seeChapter9:

AssigningPoliciesToDevices.

8. Ifyouwanttoapplyalldefaultsettingstoexistingdevices,right‐clickDefaultValuesandthen

clickResetwithallDefaultValues.

9. ClickSave.

10. Ifyouarereadytodistributeandimplementthechangesinyoursystemdevices,click .

11. Testthatyourscannerisperformingsecuritychecksduringbrowsing,asfollows:

a. Browsetoanadultsite(forexample,www.playboy.com).

b. Browsetoanddownloadatestvirus,asfollows:

i. Browsetohttp://www.m86security.com/EVG/eicar.com.txt

ii. ConnecttothesitebyenteringtheusernamegetevgandpasswordHurNoc45,and

clickingOK.

EachofthesetestsshouldresultinanappropriatePageBlockedmessagefromthescanner.

IMPORTANT:ItishighlyrecommendedthatyouNOTmodifythedefaulttimeoutvaluesin

theTimeouttab.

NOTE:InadditiontotheGeneralparameters,youcanalsodefineotherScanningserver

relatedoptions,dependingonparticularfeaturesthatyouuse.Instructionsforconfiguring

AuthenticationandCaching,andICAPimplementation,andforenablingHTTPSscanning,

aredescribedinthisguide.

ForinformationonconfiguringHTTP,WCCP,andFTPsettings,seetheManagementCon

soleReferenceGuide.

SWG User Guide

Chapter 2: Configuring / Adding Scanning Servers

Adding Devices and Device Groups

SWGcomeswithadefaultgroup,DefaultDevicesGroup,foraddingScanningServers,butyoucan

addadditionalgroupsforholdingscanningservers.

Thissectioncontainsthefollowingprocedures:

•ToaddaScanningServerDeviceGroup

•ToaddaScanningServerDevice

To add a Scanning Server Device Group

1. SelectAdministration

SystemSettings

M86Devices.

2. IntheDevicetreethatisdisplayedintheleftpane,right‐clicktheDevicesrootandclickAdd

Group.

TheNewGroupwindowdisplaystwotabsfordefiningthegroup.

3. Specifyamandatorygroupnameandoptionallyaddadescription.

4. IntheCommitSchedulingtab,definetheschedulebywhichconfigurationchangeswillbe

committedandappliedtothedevicesinthegroup.

Youcanchoosebetween:

• immediatelyuponcommit

• specificintervalinnumberofdays,ataspecifiedtime

• specificdaysoftheweekataspecifiedtime

• specificdayofthemonthataspecifiedtime

5. IntheUpdateSchedulingtab,definetheschedulebywhichsecurityupdateswillbecommitted

andappliedtothedevicesinthegroup.

Youcanchoosebetween:

• immediately

• ataspecifiedtime.Inthiscase,youalsospecifythewindowofopportunityinminutesby

whichtheupdatemustbegin;iftheupdatedoesnotbeginwithinthattime,itwillbe

attemptedagainthenextday.

6. ClickSave.

7. Ifyouarereadytodistributeandimplementthechangesinyoursystemdevices,click .

NOTE:TheschedulethatyoudefinegoesaccordingtothetimeofthePolicyServer,notthe

localclienttime.

NOTE:TheschedulethatyoudefinegoesaccordingtothetimeofthePolicyServer,notthe

localclienttime.

SWG User Guide

Chapter 2: Configuring / Adding Scanning Servers18

To add a Scanning Server Device

YoushouldperformthisprocedurewhenyouadddevicesforeitherlocalScanningServersorcloud

ScanningServers.YoucanidentifythedevicebyaspecificIPorarangeofIPs.

1. SelectAdministration

SystemSettings

M86Devices.

2. IntheDevicetree,right‐clicktheScanningServerDeviceGrouptowhichthedeviceshouldbe

added,andchooseeitherofthefollowing:

a. IfyouwillassociatethedevicewithaspecificIP,chooseAddDevice.

b. IfyouaddmultipledeviceswithinaspecificIPrange,chooseAddDeviceByRange.

TheNewDevicescreenisdisplayedinthemainwindow.Itcontainsseveralfieldsandtabsfor

configuringthedevice.TheStatustabisinformational;youdonotdefineanyvaluesinthistab.

3. SpecifythedeviceIP,ordeviceIPrangeafterspecifyingtheinitialIPintherange,specifythelast

3‐digitsetintherangeinthefieldontheright.

4. SelecttheDevicetype.YoucanchoosebetweenScanningServer(local)orCloudScanning

Server.TheAllinOneoptionisnotavailablebecausethePolicyserverisonadifferentdevice.

5. Optionally,addadescriptionoftheserver.

6. Optionally,intheAccessListtab,defineanAccessListtolimitaccesstospecificIPs.Formore

informationandinstructions,seeConfiguringDefaultandDevice‐SpecificAccessLists.

7. ClickSave.

8. Configurethedevice’sGeneralsettings.Forinstructions,seeConfiguringDeviceGeneralSettings.

9. Ifyouarereadytodistributeandimplementthechangesinyoursystemdevices,click .

Moving Scanning Servers To a Different Group

To move scanning server devices from one group to another

1. SelectAdministration

SystemSettings

M86Devices.

2. IntheDevicetree,right‐clickthesourceScanningserverdevicegroup,andchooseMove

Devices.

3. Inthedisplayedwindow,selectthecheckboxesofthedevicestobemoved.

4. IntheTodrop‐downlist,selectthetargetgroup.

5. ClickOK.

6. Ifyouarereadytodistributeandimplementthechangesinyoursystemdevices,click .

NOTE:Beforeyoucanaddascanner,youmustensurethatthedeviceisaccessibleandthat

youhaveitsIPaddress.

NOTE:Ifyouaredefiningthedeviceasacloudscanner,whenyouaredonewiththedevice

configuration,youmustperformcloudimplementationifyouhavenotpreviouslyperformed

it.Forinstructions,seeChapter21:ImplementingCloudSecurity.

SWG User Guide

PART 2: Implementing User Security Policies

PART 2: I

MPLEMENTING

SER

ECURITY

OLICIES

Thispartcontainsthefollowingchaptersandprocedures:

•Chapter3:DefiningandCustomizingSecurityPolicies

•EditingaPre‐suppliedSecurityPolicyinSimplifiedMode

•DefiningaSecurityPolicyinAdvancedMode

•DefiningaRuleinaSecurityPolicy

•DefiningConditionsinaSecurityPolicyRule

•CreatingaBlock/WarnMessage

•EditingaMessageTemplate.

•Chapter4:DefiningandManagingUsers

•SettingDefaultUserPolicyAssignments

•DefiningandManagingLDAPUsers

•AddingandConfiguringLDAPDirectories

•ImportingLDAPGroups

•ConfiguringLDAPGroupSettings

•ImportingLDAPUsers

•SettingaScheduleForLDAPDirectoryUpdate

•AssigningPoliciestoUnassignedLDAPUsers

•DefiningandManagingM86(Non‐LDAP)Users

•Creating/ConfiguringUserGroups

•AddingandDefiningUsers

•MovingUsersToaDifferentGroup

Chapter 3: Defining and Customizing Security Policies 20

HAPTER

3:

EFINING

AND

USTOMIZING

ECURITY

OLICIES

NOTE:Theprocessofimplementingsecurityforusersatyoursiteinvolvesperformingthe

followingtasks:

SWGprovidesanumberofpre‐definedpoliciesfordifferentpurposes.Amainpurposeissetting

security‐‐determininghowcontentishandled.Policiesconsistofthreebasiccomponents:the

Policyitself,ruleswhichdeterminehowtohandlethecontent(forexample,blockorallow),and

conditionswhichdeterminewhetheraparticularruleisactivated(forexample,ifaparticulartype

ofcontentisdetected).

SWGprovidestwomodesfordefiningandcustomizingSecurityPolicy:

•Simplified—inSimplifiedmode,youcancheckoruncheckpre‐supplied,customizablecontent

itemsappearinginlists,tosetwhetherthoseitems,ifdetected,shouldactivatethepolicyrule.

•Advanced—inAdvancedmode,youeditactualpolicies,rulesandconditions.Notethatyou

cannotdirectlyeditpre‐suppliedpolicies,butyoucanduplicatepoliciesandedittheduplicates,or

youcancreatepoliciesfromscratch.

Pre‐suppliedsecuritypoliciescomeinthreesecuritylevels—Basic,Medium,andStrict.

M86alsoprovidesspecialpurposeadvancedSecuritypoliciesfordifferentusersandsituations.

Theseinclude:

•Xraypolicy—allowsthepotentialeffectofthepolicyonthesystemtobeevaluatedwithout

implementingitssecurityactions.Fornon‐X‐raypolicies,youcandefinerulesasX‐rayrules,

alsoforpurposesofevaluation.YoucanmakeapolicyanX‐raypolicybyselectingtheXray

checkboxinthepolicydefinition.

•FullBypassPolicy—permitsuserstosurfthroughtheM86SWGAppliancewithoutany

scanning.

•CloudUserPolicies—M86BlockedCloudUsersPolicyandM86RevokedCloudUsers

Policyfortemporarilyblockingorrevokingthepermissionsofspecificcloudusers.

• DefiningSecurityPolicy,asdescribedinthischapter.

• DefiningUserGroupsandUsers,andassigningthemsecuritypolicies.Forinstructions,

seeChapter4:DefiningandManagingUsers.

• DefiningIdentificationpolicy.Forinstructions,seeChapter5:Implementing

IdentificationPolicy.

NOTE:Becauseoftheorderinwhichsecuritypoliciesareimplemented,somepoliciesmightnotbe

implementedduethenatureofaprecedingpolicy,whichcaneffectsubsequentpolicies.

Other manuals for SWG

Table of contents

Other M86 Security Gateway manuals

M86 Security

M86 Security SWG User manual

Popular Gateway manuals by other brands

IME

IME Milesight UG63 user guide

Handlink Technologies

Handlink Technologies WG-500P M user manual

IntesisBox

IntesisBox PA-AC-MBS-16 Installation sheet

Zenitel

Zenitel ICX 500 Installation and operation manual

SELECTRONIX

SELECTRONIX SUPERSTEP SERIES 4000 Installation & operating manual

AT&T

AT&T U-verse TV Self-installation guide

Arris

Arris Touchstone DG3260 user guide

ZyXEL Communications

ZyXEL Communications P-661HNU-FX Quick start quide

ETC

ETC Response Mk2 One-Port Setup guide

H3C

H3C SecPath M9000 Series Compliance and Safety Manual

ABB

ABB 83342 operating instructions

IBM

IBM N7 50T Series Installation and setup instructions

Digicom

Digicom 8D5824 user guide

GivEnergy

GivEnergy GIV-AIO-13.5 installation guide

RTA

RTA 460MSDFM-NNA1 Product user guide

Xantrex

Xantrex Communications gateway installation guide

Hobo

Hobo MXGTW1 quick start

Burkert

Burkert ME43 quick start