Stonesoft stonegate 5.2 User manual

STONEGATE 5.2
INSTALLATION GUIDE
INTRUSION PREVENTION SYSTEM

Legal Information
End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at
the Stonesoft website:
www.stonesoft.com/en/support/eula.html
Third Party Licenses
The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for
those products can be found at the Stonesoft website:
www.stonesoft.com/en/support/third_party_licenses.html
U.S. Government Acquisitions
If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions
apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is
defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is
supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as
defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the
Government is subject to such restrictions or successor provisions.
Product Export Restrictions
The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC)
N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as
amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.
General Terms and Conditions of Support and Maintenance Services
The support and maintenance services for the products described in these materials are provided pursuant to the general terms for
support and maintenance services and the related service description, which can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/terms/
Replacement Service
The instructions for replacement service can be found at the Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/return_material_authorization/
Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the
Stonesoft website:
www.stonesoft.com/en/support/view_support_offering/warranty_service/
Trademarks and Patents
The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos.
1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095,
131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6 856 621; 6,885,633; 6,912,200; 6,996,573; 7,099,284;
7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534;
7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the
Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered
trademarks are property of their respective owners.
Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes
no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of
the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.
Copyright © 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Revision: SGIIG_20110816

Table of Contents

INTRODUCTION

CHAPTER 1 Using StoneGate Documentation
How to Use This Guide
Documentation Available
Product Documentation
Support Documentation
System Requirements
Supported Features
Contact Information
Licensing Issues
Technical Support
Your Comments
Other Queries

PREPARING FOR INSTALLATION

CHAPTER 2 Planning the IPS Installation
Introduction to StoneGate IPS
Example Network Scenario
Overview to the Installation Procedure
Important to Know Before Installation
Supported Platforms
Date and Time Settings
Capture Interfaces
Switch SPAN Ports
Network TAPs
Cabling Guidelines
Speed And Duplex

CHAPTER 3 Installing IPS Licenses
Getting Started with IPS Licenses
Configuration Overview
Generating New Licenses
Installing Licenses

CHAPTER 4 Configuring NAT Addresses
Getting Started with NAT Addresses
Configuration Overview
Defining Locations
Adding SMC Server Contact Addresses

CONFIGURING SENSORS AND ANALYZERS

CHAPTER 5 Defining Sensors and Analyzers
Getting Started with Defining Sensors and Analyzers
Creating Engine Elements
Defining System Communication Interfaces for IPS Engines
Defining Physical Interfaces
Defining VLAN Interfaces
Defining IP Addresses
Setting Interface Options for IPS Engines
Defining Traffic Inspection Interfaces for Sensors
Defining Logical Interfaces
Defining Reset Interfaces
Defining Capture Interfaces
Defining Inline Interfaces
Bypassing Traffic on Overload
Finishing the Engine Configuration

CHAPTER 6 Saving the Initial Configuration
Configuration Overview
Saving the Initial Configuration for Sensors and Analyzers
Transferring the Initial Configuration to Sensors and Analyzers

CHAPTER 7 Configuring Routing and Installing Policies
Configuring Routing
Adding Next-hop Routers
Adding the Default Route
Adding Other Routes
Installing the Initial Policy
Commanding IPS Engines

INSTALLING SENSORS AND ANALYZERS

CHAPTER 8 Installing the Engine on Intel-Compatible Platforms
Installing the Sensor or Analyzer Engine
Configuration Overview
Obtaining Installation Files
Downloading the Installation Files
Checking File Integrity
Creating the Installation CD-ROM
Starting the Installation
Configuring the Engine
Configuring the Engine Automatically with a USB Stick
Configuring the Engine in the Engine Configuration Wizard
Configuring the Operating System Settings
Configuring the Network Interfaces
Contacting the Management Server
Activating the Initial Configuration
Filling in the Management Server Information
Selecting the Engine Type
After Successful Management Server Contact
Installing the Engine in Expert Mode
Partitioning the Hard Disk Manually
Allocating Partitions

UPGRADING

CHAPTER 9 Upgrading
Getting Started with Upgrading
Configuration Overview
Obtaining Installation Files
Upgrading or Generating Licenses
Upgrading Licenses Under One Proof Code
Upgrading Licenses Under Multiple Proof Codes
Installing Licenses
Checking the Licenses
Upgrading Engines Remotely
Upgrading Engines Locally
Upgrading from an Engine Installation CD-ROM
Upgrading from a ZIP Archive File

APPENDICES

APPENDIX A Command Line Tools
StoneGate-Specific Commands
General Tools

APPENDIX B Default Communication Ports
Management Center Ports
IPS Engine Ports

APPENDIX C Example Network Scenario
Overview of the Example Network
Example Headquarters Intranet Network
HQ Sensor Cluster
Example Headquarters Management Network
HQ Analyzer
HQ Firewall
Management Center Servers
Example Headquarters DMZ Network
DMZ Sensor
Example Branch Office Network
Branch Office Sensor-Analyzer
Branch Office Firewall
Branch Office Log Server

Index

CHAPTER 1
USING STONEGATE DOCUMENTATION
Welcome to Stonesoft’s StoneGate™ IPS. This chapter describes how to use the StoneGate
IPS Installation Guide and lists other available documentation. It also provides directions for
obtaining technical support and giving feedback.
The following sections are included:
How to Use This Guide (page 8)
Documentation Available (page 9)
Contact Information (page 10)

How to Use This Guide
This IPS Installation Guide is intended for administrators who install the StoneGate IPS system.
It describes the IPS Sensor and Analyzer engine installation step by step. The chapters in this
guide are organized in the general order you should follow when installing the system.
Most tasks are explained using illustrations that include explanations on the steps you need to
complete in each corresponding view in your own environment. The explanations that
accompany the illustrations are numbered when the illustration contains more than one step for
you to perform.
Typographical Conventions
The following conventions are used throughout the documentation:
Table 1.1 Typographical Conventions
Formatting | Informative Uses
User Interface text | Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms | Cross-references and first use of acronyms and terms are in italics.
Command line | File names, directories, and text displayed on the screen are monospaced.
User input | User input on screen is in monospaced bold-face.
Command parameters | Command parameter names are in monospaced italics.
We use the following ways to indicate important or additional information:
Note – Notes prevent commonly-made mistakes by pointing out important points.
Caution – Cautions prevent breaches of security, information loss, or system downtime.
Cautions always contain critical information that you must observe.
Tip – Tips provide additional helpful information, such as alternative ways to complete steps.
Example – Examples present a concrete scenario that clarifies the points made in the adjacent text.

Documentation Available
StoneGate documentation is divided into two main categories: Product Documentation and
Support Documentation. Each StoneGate product has a separate set of manuals.
Product Documentation
The table below lists the available product documentation. PDF guides are available on the
Management Center CD-ROM and at http://www.stonesoft.com/support/.
Table 1.2 Product Documentation
Guide | Description
Reference Guide | Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Management Center, Firewall/VPN, and StoneGate IPS.
Installation Guide | Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Management Center, Firewall/VPN, and IPS.
Online Help | Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Web Portal. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.
Administrator’s Guide | Describes how to configure and manage the system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client.
User’s Guide | Instructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Web Portal.
Appliance Installation Guide | Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling, etc.). Available for all StoneGate hardware appliances.
Support Documentation
The StoneGate support documentation provides additional and late-breaking technical
information. These technical documents support the StoneGate Guide books, for example, by
giving further examples on specific configuration scenarios.
The latest StoneGate technical documentation is available at the Stonesoft website at
http://www.stonesoft.com/support/.

System Requirements
The certified platforms for running StoneGate engine software can be found at the product
pages at http://www.stonesoft.com/en/products/ips/Software_Solutions/.
The hardware and software requirements for the version of StoneGate you are running can also
be found in the Release Notes available at the StoneGate Support Documentation pages.
Supported Features
Not all StoneGate features are supported on all platforms. See the Appliance Software Support
Table at the Stonesoft Support Documentation pages for more information.
Contact Information
For street addresses, phone numbers, and general information about StoneGate and Stonesoft
Corporation, visit our website at http://www.stonesoft.com/.
Licensing Issues
You can view your current licenses at the License Center section of the Stonesoft website at
https://my.stonesoft.com/managelicense.do.
Technical Support
Stonesoft offers global technical support services for Stonesoft’s product families. For more
information on technical support, visit the Support section at the Stonesoft website at
http://www.stonesoft.com/support/.
Your Comments
We want to make our products fulfill your needs as well as possible. We are always pleased to
receive any suggestions you may have for improvements.
• To comment on software and hardware products, e-mail [email protected].
• To comment on the documentation, e-mail [email protected].
Other Queries

CHAPTER 2
PLANNING THE IPS INSTALLATION
This chapter provides important information to take into account before the installation can
begin. The chapter also includes an overview of the installation process.
The following sections are included:
Introduction to StoneGate IPS (page 14)
Example Network Scenario (page 14)
Overview to the Installation Procedure (page 15)
Important to Know Before Installation (page 15)
Capture Interfaces (page 16)

Introduction to StoneGate IPS
A StoneGate IPS system consists of Sensors, Analyzers, and the StoneGate Management
Center. Sensors pick up network traffic, inspect it, and create event data for further processing
by the Analyzers.
StoneGate Sensors and Analyzers can be distributed as follows:
• A combined Sensor-Analyzer with these two components on a single machine.
• A single node Sensor.
• A Sensor cluster, which consists of 2 to 16 machines with Sensors called cluster nodes or
  nodes for short.
• An Analyzer, which is required when a single node Sensor or a Sensor cluster is used.
You can install sensors in two basic ways:
• IDS (intrusion detection system) installation: Sensors capture and inspect all traffic in the
  connected network segment, but do not, by default, interrupt the flow of traffic in any way.
• IPS (intrusion prevention system) installation: Sensors are installed inline, so that all traffic
  that is to be inspected flows through the Sensor. In this setup, the Sensor itself can also be
  used to automatically block selected traffic according to how you configure it. Inline sensors
  in transparent access control mode (requires a separate license) provide transparent access
  control and logging for Ethernet (layer 2) traffic.
The main features of StoneGate IPS include:
• Multiple detection methods: Misuse detection uses fingerprints to detect known attacks.
  Anomaly detection uses traffic statistics to detect unusual network behavior. Protocol
  validation identifies violations of the defined protocol for a particular type of traffic. Event
  correlation in the Analyzer processes event information received from the Sensors to detect a
  pattern of events that might indicate an intrusion attempt.
• Response mechanisms: There are several response mechanisms to anomalous traffic. These
  include different alerting channels, traffic recording, TCP connection termination, traffic
  blacklisting, and traffic blocking with inline IPS.
The sensors and analyzers are always managed centrally through the StoneGate Management
Center (SMC). You must have an SMC configured before you can proceed with installing the
sensors and analyzers. The SMC can be used to manage a large number of different StoneGate
products. The SMC installation is covered in a separate guide. See the SMC Reference Guide for
more background information on the SMC, and the IPS Reference Guide for more background
information on the StoneGate sensors and analyzers.
Example Network Scenario
To get a better understanding of how StoneGate fits into a network, you can consult the Example
Network Scenario that shows you one way to deploy StoneGate. See Example Network Scenario
(page 101).

Overview to the Installation Procedure
1. Check the surrounding network environment as explained in Capture Interfaces (page 16).
2. Install licenses for the IPS engines. See Installing IPS Licenses (page 19).
3. If network address translation (NAT) is applied to communications between system
components and the IPS engines, define Contact Addresses. See Configuring NAT
Addresses (page 23).
4. Define the Sensor and Analyzer element(s) in the Management Client. See Defining
Sensors and Analyzers (page 31).
5. Generate the initial configuration for the sensor and analyzer engine(s). See Saving the
Initial Configuration (page 45).
6. Install and configure the sensors and analyzers.
   • For hardware installation and initial configuration of StoneGate appliances, see the
     Appliance Installation Guide that is delivered with each appliance.
   • For software installations, see Installing the Engine on Intel-Compatible Platforms
     (page 61).
7. Configure routing and install a policy on the sensor(s). See Configuring Routing and
Installing Policies (page 51).
The chapters and sections of this guide proceed in the order outlined above.
Important to Know Before Installation
Before you start the installation, you need to carefully plan the site that you are going to install.
Consult the Reference Guide if you need more detailed background information on the operation
of StoneGate than what is offered in this chapter.
Supported Platforms
Sensors and analyzers can be run on the following general types of platforms:
• Purpose-built StoneGate IPS appliances.
• Standard Intel-compatible servers. Search for the version-specific Hardware Requirements in
  the technical documentation search at http://www.stonesoft.com/en/support/.
• As a VMware virtual host. There are some additional requirements and limitations when
  StoneGate IPS is run as a virtual host. See the Release Notes for more information. Detailed
  instructions can be found in Installing and Activating StoneGate IPS in VMWare ESX Server in
  the StoneGate Technical Documentation database.
The sensors and analyzers have an integrated, hardened Linux operating system that is always
a part of the StoneGate engine software, eliminating the need for separate operating system
installation, configuration, and patching.
Date and Time Settings
The time settings of the engines do not need to be adjusted, as they are automatically
synchronized to the Management Server’s time setting. For this operation, the time is converted
to UTC time according to the Management Server’s time zone setting.

Capture Interfaces
Sensors can be connected to a switch SPAN port or a network TAP to capture network traffic.
Hubs can be used, but are not recommended. The considerations for these connection methods
are explained below. Additionally, the IPS Sensor can be installed in-line, so that the network
traffic is routed through the Sensor, allowing active blocking of any connection.
For more specific information on compatibility of different network devices and StoneGate IPS,
refer to the Stonesoft website at http://www.stonesoft.com/support/.
Switch SPAN Ports
A Switched Port Analyzer (SPAN) port is used for capturing network traffic to a defined port on a
switch. This is also known as port mirroring. The capturing is done passively, so it does not
interfere with the traffic.
A Sensor’s capture interface can be connected directly to a SPAN port of a switch. All the traffic
to be monitored must be copied to this SPAN port.
Network TAPs
A Test Access Port (TAP) is a passive device located at the network wire between network
devices. The capturing is done passively, so it does not interfere with the traffic. With a network
TAP, the two directions of the network traffic are divided onto separate wires. For this reason, the
Sensor needs two Capture interfaces for a network TAP; one capture interface for each direction
of the traffic. The two related Capture interfaces must have the same Logical interface that
combines the traffic of these two interfaces for inspection. You could also use the pair of
Capture interfaces to monitor traffic in two separate network devices.
Cabling Guidelines
Follow standard cabling with inline IPS: use straight cables to connect the sensor to
switches/hubs and crossover cables to connect the sensor to hosts. Both crossover and straight cables
may work when the sensors are operating normally due to software-level correction, but only the
correct type of cable allows traffic to flow when fail-open network cards must pass traffic without
the help of higher-level features.
Also, make sure the cables are correctly rated (CAT 5e or CAT 6 in gigabit networks).
Illustration 2.1 Correct Cable Types [diagram labels: Switch/firewall, Host, Switch; Straight cable, Crossover cable]

Speed And Duplex
Mismatched speed and duplex settings are a frequent source of networking problems. The
basic principle for speed and duplex is simply that network cards at both ends of each cable
must have identical settings. This principle also applies to the automatic negotiation setting: if
one end of the cable is set to autonegotiate, the other end must also be set to autonegotiate
and not to any fixed setting. Gigabit standards require interfaces to use autonegotiation—fixed
settings are not allowed at gigabit speeds.
Inline interfaces of sensors require additional consideration: since the sensor is a “smart
cable”, the settings must be matched on both links within each inline interface pair (identical
settings on all four interfaces) instead of just matching settings at both ends of each cable (two
+ two interfaces). If one of the links has a lower maximum speed than the other link, the higher-
speed link must be set to use the lower speed.
Illustration 2.2 Speed/Duplex Settings [diagram labels: Correct: 100/Full and 100/Full; Incorrect: 100/Full and 1000/Full]
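The speed and duplex rules above can be checked before cabling an inline interface pair. The following is an added example, not part of the Stonesoft guide; the Port/Cable model, the port names, and the sample settings are constructed, and it assumes that for an autonegotiating port the speed and duplex fields hold the highest mode it advertises.

```python
"""Pre-cabling check of the speed/duplex rules for an inline sensor interface pair.

Added example: the data model and all sample values are constructed.
Assumption: for an autonegotiating port, `speed`/`duplex` hold the highest
advertised mode; for a fixed port they hold the forced setting.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    autoneg: bool
    speed: int   # Mbit/s
    duplex: str  # "full" or "half"

    def setting(self) -> Tuple[bool, int, str]:
        return (self.autoneg, self.speed, self.duplex)


@dataclass(frozen=True)
class Cable:
    a: Port
    b: Port


def check_cable(cable: Cable) -> List[str]:
    """Per-cable rules: both ends identical, and no fixed setting at gigabit."""
    a, b = cable.a, cable.b
    problems = []
    if a.autoneg != b.autoneg:
        problems.append(f"{a.name}<->{b.name}: autonegotiation on one end only")
    elif (a.speed, a.duplex) != (b.speed, b.duplex):
        problems.append(
            f"{a.name}<->{b.name}: {a.speed}/{a.duplex} vs {b.speed}/{b.duplex}")
    for p in (a, b):
        if p.speed >= 1000 and not p.autoneg:
            problems.append(f"{p.name}: fixed setting used at gigabit speed")
    return problems


def required_speed(link1: Cable, link2: Cable) -> int:
    """The higher-speed link must be set to the speed of the slower link."""
    return min(p.speed for p in (link1.a, link1.b, link2.a, link2.b))


def check_inline_pair(link1: Cable, link2: Cable) -> List[str]:
    """Inline pair rule: identical settings on all four interfaces."""
    problems = check_cable(link1) + check_cable(link2)
    ports = (link1.a, link1.b, link2.a, link2.b)
    if len({p.setting() for p in ports}) > 1:
        problems.append(
            "inline pair: settings differ across the four interfaces; "
            f"use one common setting at {required_speed(link1, link2)} Mbit/s")
    return problems


# Constructed sample: 100/Full on both links of the inline pair.
OK_PAIR = (
    Cable(Port("switch-port", False, 100, "full"),
          Port("sensor-eth1", False, 100, "full")),
    Cable(Port("sensor-eth2", False, 100, "full"),
          Port("host-nic", False, 100, "full")),
)

# Constructed sample: each cable matches end to end, but one link runs
# 100/Full and the other autonegotiates 1000/Full.
BAD_PAIR = (
    Cable(Port("switch-port", False, 100, "full"),
          Port("sensor-eth1", False, 100, "full")),
    Cable(Port("sensor-eth2", True, 1000, "full"),
          Port("host-nic", True, 1000, "full")),
)

if __name__ == "__main__":
    for label, pair in (("OK_PAIR", OK_PAIR), ("BAD_PAIR", BAD_PAIR)):
        print(label, check_inline_pair(*pair) or "no problems")
```

In the second sample both cables pass the per-cable check on their own; only the inline pair check reports the mismatch.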

CHAPTER 3
INSTALLING IPS LICENSES
Getting Started with IPS Licenses
Each analyzer and sensor engine must have its own license. You must generate the license files
and install them on the Management Server using the Management Client before your system can
become fully operational. The Management Server’s license may also be limited to
managing only a certain number of engines.
Your system may be able to automatically generate licenses for new StoneGate appliances. For
automatic licensing to work, ensure that automatic updates are working in the Management
Center. A factory-installed temporary license is automatically replaced with a permanent license
bound to the serial code (POS) of the appliance after the appliance is configured for use.
If you do not need to install licenses for the IPS engines at this time, proceed to one of the
following:
• If NAT is applied to communications between any system components, proceed to Configuring
  NAT Addresses (page 23).
• If NAT is not applied to the communications, you are ready to define the Sensor and Analyzer
  element(s). Proceed to Defining Sensors and Analyzers (page 31).
Configuration Overview
The following steps are needed for installing licenses for sensors and analyzers.
1. Generate the licenses at the Stonesoft website. See Generating New Licenses (page 20).
2. Install the licenses in the Management Client. See Installing Licenses (page 21).
Generating New Licenses
You generate the licenses at the Stonesoft website based on your proof-of-license (POL),
included in the order confirmation message sent by Stonesoft, or the proof-of-serial-number
(POS) printed on the side of StoneGate appliances. Evaluation licenses are also available at the
website. If you are licensing several components of the same type, remember to generate one
license for each.
To generate a new license
1. Browse to the Stonesoft License Center at my.stonesoft.com/managelicense.do.
2. Enter the POL code in the License Identification field and click Submit. The license page
opens.
3. Click Register. The license generation page opens.
4. Enter the Management Server’s proof-of-license code or the engine’s primary control IP
address for the engines you want to license.
   • The Management Server’s proof-of-license can be found in the e-mail you received
     detailing your licenses or in the Management Client for all licenses imported into the
     system.
5. Click Submit Request. The license file is sent to you in a moment. It also becomes
available for download at the license page.
Note – Evaluation license requests may need manual processing. See the license page for
current delivery times and details.