Stonesoft StoneGate User manual

STONEGATE 5.2

FIREWALL/VPN REFERENCE GUIDE

FIREWALL

VIRTUAL PRIVATE NETWORKS

Legal Information

End-User License Agreement

The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at

the Stonesoft website:

www.stonesoft.com/en/support/eula.html

Third Party Licenses

The StoneGate software includes several open source or third-party software packages. The appropriate software licensing information for

those products at the Stonesoft website:

www.stonesoft.com/en/support/third_party_licenses.html

U.S. Government Acquisitions

If Licensee is acquiring the Software, including accompanying documentation on behalf of the U.S. Government, the following provisions

apply. If the Software is supplied to the Department of Defense (“DoD”), the Software is subject to “Restricted Rights”, as that term is

defined in the DOD Supplement to the Federal Acquisition Regulations (“DFAR”) in paragraph 252.227-7013(c) (1). If the Software is

supplied to any unit or agency of the United States Government other than DOD, the Government’s rights in the Software will be as

defined in paragraph 52.227-19(c) (2) of the Federal Acquisition Regulations (“FAR”). Use, duplication, reproduction or disclosure by the

Government is subject to such restrictions or successor provisions.

Product Export Restrictions

The products described in this document are subject to export control under the laws of Finland and the European Council Regulation (EC)

N:o 1334/2000 of 22 June 2000 setting up a Community regime for the control of exports of dual-use items and technology (as

amended). Thus, the export of this Stonesoft software in any manner is restricted and requires a license by the relevant authorities.

General Terms and Conditions of Support and Maintenance Services

The support and maintenance services for the products described in these materials are provided pursuant to the general terms for

support and maintenance services and the related service description, which can be found at the Stonesoft website:

www.stonesoft.com/en/support/view_support_offering/terms/

Replacement Service

The instructions for replacement service can be found at the Stonesoft website:

www.stonesoft.com/en/support/view_support_offering/return_material_authorization/

Hardware Warranty

The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the

Stonesoft website:

www.stonesoft.com/en/support/view_support_offering/warranty_service/

Trademarks and Patents

The products described in these materials are protected by one or more of the following European and US patents: European Patent Nos.

1065844, 1189410, 1231538, 1259028, 1271283, 1289183, 1289202, 1304849, 1313290, 1326393, 1379046, 1330095,

131711, 1317937 and 1443729 and US Patent Nos. 6,650,621; 6 856 621; 6,885,633; 6,912,200; 6,996,573; 7,099,284;

7,127,739; 7,130,266; 7,130,305; 7,146,421; 7,162,737; 7,234,166; 7,260,843; 7,280,540; 7,302,480; 7,386,525; 7,406,534;

7,461,401; 7,721,084; and 7,739,727 and may be protected by other EU, US, or other patents, or pending applications. Stonesoft, the

Stonesoft logo and StoneGate, are all trademarks or registered trademarks of Stonesoft Corporation. All other trademarks or registered

trademarks are property of their respective owners.

Disclaimer

Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes

no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of

the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only.

Revision: SGFRG_20101015

Table of Contents

TABLE OF CONTENTS

INTRODUCTION

CHAPTER 1

Using StoneGate Documentation . . . . . . . . . . . 13

How to Use This Guide . . . . . . . . . . . . . . . . . . 14

Typographical Conventions . . . . . . . . . . . . . . 14

Documentation Available . . . . . . . . . . . . . . . . . 15

Product Documentation. . . . . . . . . . . . . . . . . 15

Support Documentation . . . . . . . . . . . . . . . . 15

System Requirements. . . . . . . . . . . . . . . . . . 16

Contact Information . . . . . . . . . . . . . . . . . . . . 16

Licensing Issues . . . . . . . . . . . . . . . . . . . . . 16

Technical Support. . . . . . . . . . . . . . . . . . . . . 16

Your Comments . . . . . . . . . . . . . . . . . . . . . . 16

Other Queries. . . . . . . . . . . . . . . . . . . . . . . . 16

CHAPTER 2

Introduction to Firewalls . . . . . . . . . . . . . . . . . 17

The Role of the Firewall. . . . . . . . . . . . . . . . . . 18

Firewall Technologies . . . . . . . . . . . . . . . . . . . 18

Packet Filtering. . . . . . . . . . . . . . . . . . . . . . . 18

Proxy Firewalls . . . . . . . . . . . . . . . . . . . . . . . 19

Stateful Inspection . . . . . . . . . . . . . . . . . . . . 19

StoneGate Multi-Layer Inspection. . . . . . . . . . 19

Additional Firewall Features . . . . . . . . . . . . . . . 21

Authentication . . . . . . . . . . . . . . . . . . . . . . . 21

Deep Packet Inspection and Unified Threat

Management . . . . . . . . . . . . . . . . . . . . . . . . 21

Integration With External Content Inspection. . 21

Load Balancing and Traffic Management. . . . . 22

Logging and Reporting . . . . . . . . . . . . . . . . . 22

Network Address Translation (NAT). . . . . . . . . 23

VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Firewall Weaknesses. . . . . . . . . . . . . . . . . . . . 23

Complexity of Administration . . . . . . . . . . . . . 23

Single Point of Failure . . . . . . . . . . . . . . . . . . 24

Worms, Viruses, and Targeted Attacks . . . . . . 24

CHAPTER 3

Introduction to StoneGate 

Firewall/VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 25

The StoneGate Security Platform . . . . . . . . . . . 26

StoneGate Firewall/VPN System Components. . 27

Firewall/VPN Engines . . . . . . . . . . . . . . . . . . 28

Main Benefits of StoneGate Firewall/VPN . . . . . 28

Advanced Traffic Inspection. . . . . . . . . . . . . . 28

Built-in Clustering for Load Balancing and

High Availability . . . . . . . . . . . . . . . . . . . . . . 29

Multi-Link Technology . . . . . . . . . . . . . . . . . . 29

Built-in Inbound Traffic Management . . . . . . . 30

QoS and Bandwidth Management . . . . . . . . . 30

Integration with StoneGate IPS . . . . . . . . . . . 31

Clustered Multi-Link VPNs. . . . . . . . . . . . . . . 31

CHAPTER 4

StoneGate Firewall/VPN Deployment . . . . . . . . 33

Deployment Overview . . . . . . . . . . . . . . . . . . . 34

Supported Platforms . . . . . . . . . . . . . . . . . . 34

General Deployment Guidelines . . . . . . . . . . 34

Positioning Firewalls. . . . . . . . . . . . . . . . . . . . 35

External to Internal Network Boundary . . . . . . 35

Internal Network Boundaries. . . . . . . . . . . . . 36

DMZ Network Boundaries . . . . . . . . . . . . . . . 37

Positioning Management Center Components . 38

INTERFACES AND ROUTING

CHAPTER 5

Single Firewall Configuration. . . . . . . . . . . . . . 41

Overview to Single Firewall Configuration . . . . . 42

Configuration of Single Firewalls . . . . . . . . . . . 42

Dynamic Firewall Interface Addresses . . . . . . 42

Internal DHCP Server . . . . . . . . . . . . . . . . . . 43

Configuration Workflow . . . . . . . . . . . . . . . . . 43

Task 1: Create a Single Firewall

Element . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Task 2: Define Physical Interfaces . . . . . . . 43

Task 3: Define VLAN Interfaces. . . . . . . . . . 43

Task 4: Define an ADSL Interface . . . . . . . . 44

Task 5: Define IP Addresses. . . . . . . . . . . . 44

Task 6: Define Modem Interfaces . . . . . . . . 44

Task 7: Install the Firewall Engine . . . . . . . . 44

Task 8: Install a Firewall Policy . . . . . . . . . . 45

Example of a Single Firewall Deployment . . . . . 45

Setting up a Single Firewall. . . . . . . . . . . . . . 45

Adding a New Interface to an Existing

Configuration. . . . . . . . . . . . . . . . . . . . . . . . 46

4Table of Contents

CHAPTER 6

Firewall Cluster Configuration . . . . . . . . . . . . . 47

Overview to Firewall Cluster Configuration. . . . . 48

Benefits of Clustering . . . . . . . . . . . . . . . . . . 48

Communication Between the Nodes. . . . . . . . 48

Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuration of Firewall Clusters. . . . . . . . . . . 49

Load Balancing. . . . . . . . . . . . . . . . . . . . . . . 49

Standby Operation . . . . . . . . . . . . . . . . . . . . 49

Network Interfaces and IP Addresses. . . . . . . 50

Clustering Modes . . . . . . . . . . . . . . . . . . . . . 51

How Packet Dispatch Works . . . . . . . . . . . . . 51

Configuration Workflow . . . . . . . . . . . . . . . . . 53

Task 1: Create a Firewall Cluster

Element. . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Task 2: Create Physical Interfaces. . . . . . . . 53

Task 3: Define VLAN Interfaces . . . . . . . . . . 53

Task 4: Configure Physical or VLAN

Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 54

Task 5: Install the Firewall Engines . . . . . . . 55

Task 6: Install a Firewall Policy . . . . . . . . . . 55

Using a Firewall Cluster. . . . . . . . . . . . . . . . . . 55

Internal DHCP Server . . . . . . . . . . . . . . . . . . 55

Node State Synchronization. . . . . . . . . . . . . . 56

Security Level for State Synchronization . . . . . 56

Manual Load Balancing. . . . . . . . . . . . . . . . . 56

Examples of Firewall Cluster Deployment . . . . . 57

Setting up a Firewall Cluster . . . . . . . . . . . . . 57

Adding a Node to a Firewall Cluster . . . . . . . . 58

CHAPTER 7

Routing and Antispoofing. . . . . . . . . . . . . . . . . 59

Overview to Routing and Antispoofing. . . . . . . . 60

Configuration of Routing and Antispoofing . . . . 60

Reading the Routing and Antispoofing Trees . . 60

Multi-Link Routing for Single and Clustered

Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Default Elements . . . . . . . . . . . . . . . . . . . . . 62

Configuration Workflow . . . . . . . . . . . . . . . . . 63

Task 1: Add Router or NetLink. . . . . . . . . . . 63

Task 2: Add Network(s). . . . . . . . . . . . . . . . 63

Task 3: Refresh Firewall Policy . . . . . . . . . . 63

Using Routing and Antispoofing . . . . . . . . . . . . 63

Policy Routing. . . . . . . . . . . . . . . . . . . . . . . . 63

Multicast Routing . . . . . . . . . . . . . . . . . . . . . 63

Modifying Antispoofing . . . . . . . . . . . . . . . . . 64

Examples of Routing . . . . . . . . . . . . . . . . . . . . 64

Routing Traffic with Two Interfaces . . . . . . . . . 64

Routing Internet Traffic with Multi-Link . . . . . . 64

Routing Traffic to Networks That Use Same

Address Space . . . . . . . . . . . . . . . . . . . . . . 65

ACCESS CONTROL POLICIES

CHAPTER 8

Firewall Policies . . . . . . . . . . . . . . . . . . . . . . . 69

Overview to Firewall Policies . . . . . . . . . . . . . . 70

Policy Hierarchy . . . . . . . . . . . . . . . . . . . . . . 70

How StoneGate Examines the Packets. . . . . . 70

Configuration of Policy Elements . . . . . . . . . . . 72

Default Elements . . . . . . . . . . . . . . . . . . . . . 74

Configuration Workflow . . . . . . . . . . . . . . . . . 74

Task 1: Create a Firewall Template

Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Task 2: Create a Firewall Policy. . . . . . . . . . 75

Task 3: Create a Firewall Sub-Policy . . . . . . 75

Task 4: Install the Policy . . . . . . . . . . . . . . 76

Using Policy Elements and Rules. . . . . . . . . . . 77

Validating Policies . . . . . . . . . . . . . . . . . . . . 77

Connection Tracking vs. Connectionless Packet

Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Policy Snapshots . . . . . . . . . . . . . . . . . . . . . 80

Continue Rules . . . . . . . . . . . . . . . . . . . . . . 80

Adding Comments to Rules. . . . . . . . . . . . . . 80

Examples of Policy Element Use . . . . . . . . . . . 81

Protecting Essential Communications . . . . . . 81

Improving Readability and Performance . . . . . 81

Restricting Administrator Editing Rights . . . . . 82

CHAPTER 9

Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Overview to Access Rules. . . . . . . . . . . . . . . . 84

Configuration of Access Rules. . . . . . . . . . . . . 85

Considerations for Designing Access Rules . . 87

Default Elements . . . . . . . . . . . . . . . . . . . . . 87

Configuration Workflow . . . . . . . . . . . . . . . . . 89

Task 1: Define the Source and

Destination . . . . . . . . . . . . . . . . . . . . . . . . 89

Task 2: Define the Service . . . . . . . . . . . . . 89

Task 3: Select the Action and Action

Options. . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Task 4: Select Logging Options. . . . . . . . . . 92

Task 5: Add User Authentication . . . . . . . . . 92

Task 6: Restrict the Time When the

Rule Is Enforced . . . . . . . . . . . . . . . . . . . . 92

Task 7: Restrict the Rule Match Based

on Source VPN . . . . . . . . . . . . . . . . . . . . . 93

Table of Contents

Using Access Rules . . . . . . . . . . . . . . . . . . . . 93

Allowing System Communications . . . . . . . . . 93

Configuring Default Settings for Several Rules 94

Using Continue Rules to Set Logging

Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Using Continue Rules to set the

Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Using Aliases in Access Rules. . . . . . . . . . . . 95

Examples of Access Rules. . . . . . . . . . . . . . . . 96

Example of Rule Order . . . . . . . . . . . . . . . . . 96

Example of Continue Rules . . . . . . . . . . . . . . 98

CHAPTER 10

Inspection Rules . . . . . . . . . . . . . . . . . . . . . . . 99

Overview to Inspection Rules. . . . . . . . . . . . . . 100

Configuration of Inspection Rules. . . . . . . . . . . 101

Considerations for Designing Inspection Rules 102

Exception Rule Cells . . . . . . . . . . . . . . . . . . . 103

Default Elements . . . . . . . . . . . . . . . . . . . . . 104

Configuration Workflow . . . . . . . . . . . . . . . . . 104

Task 1: Activate Deep Inspection in

Access Rules . . . . . . . . . . . . . . . . . . . . . . . 105

Task 2: Activate the Relevant Inspection

Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Task 3: Define the Exceptions . . . . . . . . . . . 105

Task 4: Eliminate False Positives. . . . . . . . . 106

Task 5: Add Custom Inspection Checks . . . . 106

Using Inspection Rules . . . . . . . . . . . . . . . . . . 106

Setting Default Options for Several Inspection

Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Example of Inspection Rules . . . . . . . . . . . . . . 107

Eliminating a False Positive . . . . . . . . . . . . . . 107

CHAPTER 11

Network Address Translation (NAT) Rules . . . . 109

Overview to NAT . . . . . . . . . . . . . . . . . . . . . . . 110

Static Source Translation . . . . . . . . . . . . . . . 110

Dynamic Source Translation . . . . . . . . . . . . . 111

Static Destination Translation . . . . . . . . . . . . 112

Destination Port Translation . . . . . . . . . . . . . 112

Configuration of NAT . . . . . . . . . . . . . . . . . . . . 113

Considerations for Designing NAT Rules . . . . . 115

Default Elements . . . . . . . . . . . . . . . . . . . . . 115

Configuration Workflow . . . . . . . . . . . . . . . . . 115

Task 1: Define Source, Destination, and

Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Task 2: Define Address Translation . . . . . . . 115

Task 3: Define the Firewall(s) that Apply

the Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Task 4: Check Other Configurations. . . . . . . 116

Using NAT and NAT Rules . . . . . . . . . . . . . . . . 116

NAT and System Communications . . . . . . . . . 116

Example of a Situation Where a

Contact Address is Needed . . . . . . . . . . . . 117

Contact Addresses and Locations . . . . . . . . 118

Outbound Load Balancing NAT . . . . . . . . . . . 118

Proxy ARP and NAT. . . . . . . . . . . . . . . . . . . . 119

Protocols and NAT . . . . . . . . . . . . . . . . . . . . 119

Examples of NAT . . . . . . . . . . . . . . . . . . . . . . 119

Dynamic Source Address Translation . . . . . . . 119

Static Address Translation . . . . . . . . . . . . . . 120

NAT with Hosts in the Same Network. . . . . . . 120

CHAPTER 12

Protocol Agents . . . . . . . . . . . . . . . . . . . . . . . 123

Overview to Protocol Agents . . . . . . . . . . . . . . 124

Connection Handling . . . . . . . . . . . . . . . . . . 124

Protocol Validation . . . . . . . . . . . . . . . . . . . . 124

NAT in Application Data . . . . . . . . . . . . . . . . 125

Configuration of Protocol Agents . . . . . . . . . . . 125

Configuration Workflow . . . . . . . . . . . . . . . . . 125

Task 1: Create a Custom Service with

a Protocol Agent . . . . . . . . . . . . . . . . . . . . 125

Task 2: Set Parameters for the Protocol

Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Task 3: Insert the Service in Access

Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Using Protocol Agents . . . . . . . . . . . . . . . . . . 126

FTP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . 126

H.323 Agent . . . . . . . . . . . . . . . . . . . . . . . . 127

HTTP Agents . . . . . . . . . . . . . . . . . . . . . . . . 127

HTTPS Agent . . . . . . . . . . . . . . . . . . . . . . . . 127

ICMP Agent . . . . . . . . . . . . . . . . . . . . . . . . . 128

MSRPC Agent . . . . . . . . . . . . . . . . . . . . . . . 128

NetBIOS Agent. . . . . . . . . . . . . . . . . . . . . . . 128

Oracle Agent . . . . . . . . . . . . . . . . . . . . . . . . 128

Remote Shell (RSH) Agent . . . . . . . . . . . . . . 128

Services in Firewall Agent . . . . . . . . . . . . . . . 129

SIP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . 129

SMTP Agent. . . . . . . . . . . . . . . . . . . . . . . . . 129

SSH Agent. . . . . . . . . . . . . . . . . . . . . . . . . . 129

SunRPC Agent . . . . . . . . . . . . . . . . . . . . . . . 129

TCP Proxy Agent. . . . . . . . . . . . . . . . . . . . . . 130

TFTP Agent . . . . . . . . . . . . . . . . . . . . . . . . . 130

Examples of Protocol Agent Use . . . . . . . . . . . 130

Preventing Active Mode FTP . . . . . . . . . . . . . 130

Logging URLs Accessed by Internal Users . . . 131

6Table of Contents

CHAPTER 13

User Authentication . . . . . . . . . . . . . . . . . . . . . 133

Overview to User Authentication . . . . . . . . . . . 134

Configuration of User Authentication . . . . . . . . 135

The Internal User Database. . . . . . . . . . . . . . 136

External User Database Integration . . . . . . . . 137

External User Database Without Integration . . 137

User Management . . . . . . . . . . . . . . . . . . . . 137

Authentication Services . . . . . . . . . . . . . . . . 138

RADIUS Authentication . . . . . . . . . . . . . . . . 138

TACACS+ Authentication . . . . . . . . . . . . . . . 138

Default Elements . . . . . . . . . . . . . . . . . . . . . 138

Configuration Workflow . . . . . . . . . . . . . . . . . 139

Task 1: Create an External Authentication

Server Element. . . . . . . . . . . . . . . . . . . . . . 139

Task 2: Create an LDAP Server Element . . . . 139

Task 3: Create an Authentication Service

Element. . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Task 4: Add an LDAP Domain . . . . . . . . . . . 140

Task 5: Add Users and User Groups . . . . . . 140

Task 6: Define User Authentication in

IPv4 Access Rules . . . . . . . . . . . . . . . . . . . 141

Examples of User Authentication . . . . . . . . . . . 143

Using the Internal Database for Authenticating

Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

Using StoneGate with a Microsoft Active

Directory Server . . . . . . . . . . . . . . . . . . . . . . 143

Using SecurID Authentication with StoneGate

VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . 144

CHAPTER 14

HTTPS Inspection . . . . . . . . . . . . . . . . . . . . . . 147

Overview to HTTPS Inspection . . . . . . . . . . . . . 148

Configuration of HTTPS Inspection . . . . . . . . . . 149

Default Elements . . . . . . . . . . . . . . . . . . . . . 149

Configuration Workflow . . . . . . . . . . . . . . . . . 149

Task 1: Create Server Protection

Credentials Elements . . . . . . . . . . . . . . . . . 149

Task 2: Create Client Protection

Certificate Authority Elements . . . . . . . . . . . 150

Task 3: Specify HTTPS Inspection

Options in the Firewall Properties. . . . . . . . . 150

Task 4: Create an HTTPS Inspection

Exceptions Element . . . . . . . . . . . . . . . . . . 150

Task 5: Create a Custom HTTPS

Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Task 6: Create an IPv4 Access Rule. . . . . . . 150

Using HTTPS Inspection . . . . . . . . . . . . . . . . . 151

Security Considerations . . . . . . . . . . . . . . . . 151

Virus Scanning of Decrypted HTTPS Traffic . . . 151

Examples of HTTPS Inspection. . . . . . . . . . . . . 151

Server Protection . . . . . . . . . . . . . . . . . . . . . 151

Client Protection . . . . . . . . . . . . . . . . . . . . . 152

CHAPTER 15

Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 153

Overview to Web Filtering . . . . . . . . . . . . . . . . 154

Configuration of Web Filtering . . . . . . . . . . . . . 154

Default Elements . . . . . . . . . . . . . . . . . . . . . 155

Configuration Workflow . . . . . . . . . . . . . . . . . 155

Task 1: Prepare the Firewall . . . . . . . . . . . . 155

Task 2: Create User Response Messages . . 155

Task 3: Blacklist/Whitelist Individual URLs . 155

Task 4: Configure Web Filtering Rules

in the Policy. . . . . . . . . . . . . . . . . . . . . . . . 155

Examples of Web Filtering. . . . . . . . . . . . . . . . 156

Allowing a Blocked URL . . . . . . . . . . . . . . . . 156

CHAPTER 16

Virus Scanning . . . . . . . . . . . . . . . . . . . . . . . . 157

Overview to Virus Scanning. . . . . . . . . . . . . . . 158

Configuration of Virus Scanning . . . . . . . . . . . 158

Configuration Workflow . . . . . . . . . . . . . . . . . 158

Task 1: Activate the Anti-Virus Feature

for a Firewall . . . . . . . . . . . . . . . . . . . . . . . 158

Task 2: Select Traffic for Inspection

with Access Rules . . . . . . . . . . . . . . . . . . . 158

Task 3: Define the Content Not to Be

Scanned . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Using Virus Scanning . . . . . . . . . . . . . . . . . . . 159

Integrated Scanning vs. Content Inspection

Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Limitations of Virus Scanning on Clusters . . . 159

CHAPTER 17

External Content Inspection . . . . . . . . . . . . . . 161

Overview to Content Inspection . . . . . . . . . . . . 162

Configuration of Content Inspection. . . . . . . . . 163

Default Elements . . . . . . . . . . . . . . . . . . . . . 163

Configuration Workflow . . . . . . . . . . . . . . . . . 164

Task 1: Create a CIS Server Element. . . . . . 164

Task 2: Create a Custom Service for

Content Inspection Server Redirection. . . . . 164

Task 3: Define Access Rules for

Redirection . . . . . . . . . . . . . . . . . . . . . . . . 164

Task 4: Configure NAT Rules for

Content Inspection Server Redirection. . . . . 164

Using Content Inspection . . . . . . . . . . . . . . . . 165

Example of Content Inspection . . . . . . . . . . . . 166

Inspecting Internal User’s Web Browsing and

File Transfers. . . . . . . . . . . . . . . . . . . . . . . . 166

Table of Contents

CHAPTER 18

Situations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Overview to Situations . . . . . . . . . . . . . . . . . . 170

Configuration of Situations . . . . . . . . . . . . . . . 170

Situation Contexts . . . . . . . . . . . . . . . . . . . . 171

Anti-Virus Contexts . . . . . . . . . . . . . . . . . . . 171

Protocol-Specific Contexts. . . . . . . . . . . . . . 171

System Contexts . . . . . . . . . . . . . . . . . . . . 171

Default Elements . . . . . . . . . . . . . . . . . . . . . 172

Configuration Workflow . . . . . . . . . . . . . . . . . 172

Task 1: Create a Situation Element . . . . . . . 172

Task 2: Add a Context for the

Situation . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Task 3: Associate Tags and/or Situation

Types with the Situation . . . . . . . . . . . . . . . 173

Task 4: Associate the Situation with a

Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . 173

Using Situations . . . . . . . . . . . . . . . . . . . . . . . 173

Example of Custom Situations. . . . . . . . . . . . . 174

Detecting the Use of Forbidden Software . . . . 174

CHAPTER 19

Blacklisting . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Overview to Blacklisting . . . . . . . . . . . . . . . . . 176

Risks of Blacklisting . . . . . . . . . . . . . . . . . . . 176

Whitelisting . . . . . . . . . . . . . . . . . . . . . . . . . 176

Configuration of Blacklisting . . . . . . . . . . . . . . 177

Configuration Workflow . . . . . . . . . . . . . . . . . 177

Task 1: Define Blacklisting in Access

Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Task 2: Define Analyzer-to-Firewall or

Analyzer-to-Sensor Connections . . . . . . . . . . 178

Task 3: Define Inspection Rules in the

IPS Policy. . . . . . . . . . . . . . . . . . . . . . . . . . 178

Using Blacklisting . . . . . . . . . . . . . . . . . . . . . . 178

Automatic Blacklisting. . . . . . . . . . . . . . . . . . 178

Monitoring Blacklisting . . . . . . . . . . . . . . . . . 179

Examples of Blacklisting . . . . . . . . . . . . . . . . . 179

Blacklisting Traffic from a Specific IP Address

Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Automatic Blacklisting with IPS . . . . . . . . . . . 179

TRAFFIC MANAGEMENT

CHAPTER 20

Outbound Traffic Management . . . . . . . . . . . . . 183

Overview to Outbound Traffic Management . . . . 184

Configuration of Multi-Link. . . . . . . . . . . . . . . . 184

Load Balancing Methods. . . . . . . . . . . . . . . . 185

Standby NetLinks for High Availability . . . . . . 185

Link Status Probing . . . . . . . . . . . . . . . . . . . 185

Configuration Workflow . . . . . . . . . . . . . . . . . 186

Task 1: Create NetLink Elements . . . . . . . . 186

Task 2: Configure Routing for NetLinks . . . . 186

Task 3: Combine NetLinks into Outbound

Multi-Link Elements . . . . . . . . . . . . . . . . . . 186

Task 4: Create NAT Rules for Outbound

Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Using Multi-Link . . . . . . . . . . . . . . . . . . . . . . . 187

Multi-Link with a Single Firewall. . . . . . . . . . . 187

Multi-Link with a Firewall Cluster . . . . . . . . . . 188

Using Multiple Outbound Multi-Link elements . 189

Examples of Multi-Link . . . . . . . . . . . . . . . . . . 189

Preparing for ISP Breakdown. . . . . . . . . . . . . 189

Excluding a NetLink from Handling a QoS

Class of Traffic. . . . . . . . . . . . . . . . . . . . . . . 189

Balancing Traffic According to Link Capacity . . 190

Balancing Traffic between Internet Connections 190

CHAPTER 21

Inbound Traffic Management. . . . . . . . . . . . . . 191

Overview to Server Pool Configuration . . . . . . . 192

Configuration of Server Pools . . . . . . . . . . . . . 192

Multi-Link for Server Pools . . . . . . . . . . . . . . 193

Default Elements . . . . . . . . . . . . . . . . . . . . . 193

Configuration Workflow . . . . . . . . . . . . . . . . . 194

Task 1: Define Hosts . . . . . . . . . . . . . . . . . 194

Task 2: Combine Hosts into a Server

Pool Element . . . . . . . . . . . . . . . . . . . . . . . 194

Task 3: Configure the External DNS

Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Task 4: Create an Inbound Load

Balancing Rule . . . . . . . . . . . . . . . . . . . . . 194

Task 5: Set up Server Pool Monitoring

Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Using Server Pools. . . . . . . . . . . . . . . . . . . . . 195

Dynamic DNS (DDNS) Updates . . . . . . . . . . . 195

Using Server Pool Monitoring Agents . . . . . . . 195

Examples of Server Pools . . . . . . . . . . . . . . . . 197

Load Balancing for Web Servers . . . . . . . . . . 197

Setting up Multi-Link and Dynamic DNS

Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

CHAPTER 22

Bandwidth Management And Traffic Prioritization 199

Overview to Bandwidth Management and Traffic

Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . 200

Bandwidth Management . . . . . . . . . . . . . . . . 200

Traffic Prioritization. . . . . . . . . . . . . . . . . . . . 200

8Table of Contents

Effects of Bandwidth Management and

Prioritization. . . . . . . . . . . . . . . . . . . . . . . . . 200

Configuration of Limits, Guarantees, and Priorities

for Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Default Elements . . . . . . . . . . . . . . . . . . . . . 202

Configuration Workflow . . . . . . . . . . . . . . . . . 202

Task 1: Define QoS Classes . . . . . . . . . . . . 202

Task 2: Define QoS Policies . . . . . . . . . . . . 203

Task 3: Assign QoS Classes to Traffic . . . . . 204

Task 4: Define QoS for Physical or

VLAN Interfaces . . . . . . . . . . . . . . . . . . . . . 204

Using Bandwidth Management and Traffic

Prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . 205

Implementation Options . . . . . . . . . . . . . . . . 205

Designing QoS Policies . . . . . . . . . . . . . . . . . 205

Communicating Priorities with DSCP Codes . . 206

Managing Bandwidth of Incoming Traffic . . . . . 207

Examples of Bandwidth Management and Traffic

Prioritization. . . . . . . . . . . . . . . . . . . . . . . . . . 208

Ensuring Quality of Important Communications 208

Preparing for ISP Breakdown . . . . . . . . . . . . . 209

Limiting the Total Bandwidth Required . . . . . . 210

VIRTUAL PRIVATE NETWORKS

CHAPTER 23

Overview to VPNs . . . . . . . . . . . . . . . . . . . . . . 213

Introduction to VPNs . . . . . . . . . . . . . . . . . . . . 214

IPsec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Security Associations (SA). . . . . . . . . . . . . . . 215

Internet Key Exchange (IKE). . . . . . . . . . . . . . 215

Perfect Forward Secrecy (PFS) . . . . . . . . . . . . 216

AH and ESP . . . . . . . . . . . . . . . . . . . . . . . . . 216

Authentication . . . . . . . . . . . . . . . . . . . . . . . 217

Tunnel and Transport Modes . . . . . . . . . . . . . 217

VPN Topologies. . . . . . . . . . . . . . . . . . . . . . . . 217

CHAPTER 24

VPN Configuration . . . . . . . . . . . . . . . . . . . . . 221

Overview to VPN Configuration. . . . . . . . . . . . . 222

Configuration of VPNs . . . . . . . . . . . . . . . . . . . 222

Default Elements . . . . . . . . . . . . . . . . . . . . . 224

Configuration Workflow . . . . . . . . . . . . . . . . . 224

Task 1: Define the Gateway Settings. . . . . . 224

Task 2: Define the Gateway Profile . . . . . . . 224

Task 3: Define the Gateways . . . . . . . . . . . 225

Task 4: Define the Sites. . . . . . . . . . . . . . . 225

Task 5: Create Certificates . . . . . . . . . . . . . 226

Task 6: Define the VPN Profile . . . . . . . . . . 226

Task 7: Define the VPN Element . . . . . . . . . 226

Task 8: Modify the Firewall Policy . . . . . . . . 227

Task 9: Configure VPN Clients and

External Gateway Devices. . . . . . . . . . . . . . 228

Using VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . 228

VPN Logging . . . . . . . . . . . . . . . . . . . . . . . . 229

Using a Dynamic IP Address for a VPN

End-Point. . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Using a NAT Address for a VPN End-Point. . . . 229

Supported Authentication and Encryption

Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

FIPS Mode. . . . . . . . . . . . . . . . . . . . . . . . . 230

GOST-Compliant Systems . . . . . . . . . . . . . . 230

Message Digest Algorithms . . . . . . . . . . . . 230

Authentication Methods . . . . . . . . . . . . . . . 231

Encryption Algorithms. . . . . . . . . . . . . . . . . 232

Using Pre-Shared Key Authentication . . . . . . . 233

Using Certificate Authentication . . . . . . . . . . 233

Validity of Certificates . . . . . . . . . . . . . . . . 234

Internal VPN Certificate Authority. . . . . . . . . 234

External Certificate Authorities . . . . . . . . . . 235

Configuring VPNs with External Gateway

Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

Clustering and VPNs. . . . . . . . . . . . . . . . . . . 236

Multi-Link VPN . . . . . . . . . . . . . . . . . . . . . . . 237

Examples of VPN Configurations . . . . . . . . . . . 238

Creating a VPN Between Three Offices. . . . . . 238

Creating a VPN for Mobile Users . . . . . . . . . . 239

Creating a VPN That Requires NAT. . . . . . . . . 240

APPENDICES

APPENDIX A

Command Line Tools . . . . . . . . . . . . . . . . . . . . 245

Management Center Commands . . . . . . . . . . . 246

Engine Commands . . . . . . . . . . . . . . . . . . . . . 254

Server Pool Monitoring Agent Commands. . . . . 259

APPENDIX B

Default Communication Ports . . . . . . . . . . . . . 261

Management Center Ports . . . . . . . . . . . . . . . 262

Firewall/VPN Engine Ports . . . . . . . . . . . . . . . 264

Table of Contents

APPENDIX C

Predefined Aliases . . . . . . . . . . . . . . . . . . . . . . 269

Pre-Defined User Aliases. . . . . . . . . . . . . . . . . 270

System Aliases. . . . . . . . . . . . . . . . . . . . . . . . 270

APPENDIX D

Regular Expression Syntax . . . . . . . . . . . . . . . . 273

Syntax for StoneGate Regular Expressions . . . . 274

Special Character Sequences . . . . . . . . . . . . . 276

Pattern-Matching Modifiers . . . . . . . . . . . . . . . 277

Bit Variable Extensions . . . . . . . . . . . . . . . . . . 278

Variable Expression Evaluation . . . . . . . . . . . . 280

Stream Operations . . . . . . . . . . . . . . . . . . . . 282

Other Expressions . . . . . . . . . . . . . . . . . . . . 283

System Variables . . . . . . . . . . . . . . . . . . . . . . 284

Independent Subexpressions. . . . . . . . . . . . . . 285

Parallel Matching Groups. . . . . . . . . . . . . . . . . 286

APPENDIX E

Schema Updates for External LDAP Servers . . . 287

APPENDIX F

SNMP Traps and MIBs . . . . . . . . . . . . . . . . . . . 289

APPENDIX G

Multicasting . . . . . . . . . . . . . . . . . . . . . . . . . . 301

The General Features of Multicasting . . . . . . . . 302

Multicasting vs. Unicasting . . . . . . . . . . . . . . 302

Multicasting vs. Broadcasting . . . . . . . . . . . . 302

IP Multicasting Overview . . . . . . . . . . . . . . . . . 302

Multicasting Applications . . . . . . . . . . . . . . . 303

Internet Group Management Protocol . . . . . . . . 303

Membership Messages. . . . . . . . . . . . . . . . . 303

Ethernet Multicasting . . . . . . . . . . . . . . . . . . . 304

Multicasting and StoneGate . . . . . . . . . . . . . . 304

Unicast MAC . . . . . . . . . . . . . . . . . . . . . . . . 305

Multicast MAC . . . . . . . . . . . . . . . . . . . . . . . 306

Multicast MAC with IGMP . . . . . . . . . . . . . . . 307

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

10 Table of Contents

This manual suits for next models

Table of contents

Popular Software manuals by other brands

COMPRO

COMPRO COMPROFM manual

Muratec

Muratec OFFICEBRIDGE ONLINE user guide

Oracle

Oracle Contact Center Anywhere 8.1 installation guide

Adobe

Adobe 65007312 - Photoshop Lightroom Programmer's guide

Avaya

Avaya NULL One-X for RIM Blackberry user guide

HP ProLiant BL420c user guide

PS Audio

PS Audio PowerPlay Programming manual

Brady

Brady LOCKOUT PRO 3.0 Administrator's guide

Avaya

Avaya Interaction Center user guide

Texas Instruments

Texas Instruments TI-83 Plus Silver Edition Guide book

Novell

Novell GROUPWISE 8 - INTERNET AGENT manual

Oracle

Oracle Application 9i Configuration guide

Acer

Acer RDM user guide

Canon

Canon Vixia HF21 instruction manual

Canon

Canon ZR950 instruction manual

Samsung

Samsung Auto Backup user manual

Polycom

Polycom Vortex EF2201 Application note

Brocade Communications Systems

Brocade Communications Systems Brocade 8/12c user manual