Secure Web Gateway Network Guardian Administration Guide

Transcription

1 Secure Web Gateway Network Guardian Administration Guide For future reference Network Guardian serial number: Date installed: Smoothwall contact:

2 Smoothwall Network Guardian, Administration Guide, March 2015 Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Network Guardian. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall. For more information, contact: Smoothwall Ltd. All rights reserved. Trademark notice Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Window 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries. Acknowledgements Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor. Network Guardian contains graphics taken from the Open Icon Library project Address Web Telephone Fax Smoothwall Limited 1 John Charles Way Leeds. LS12 6QA United Kingdom info@smoothwall.net USA and Canada: United Kingdom: All other countries: USA and Canada: United Kingdom: All other countries:

3 Contents About This Guide... 1 Audience and Scope... 1 Organization and Use... 1 Conventions... 2 Related Documentation... 2 Chapter 1 Network Guardian Overview... 3 Overview of Network Guardian... 4 Annual Renewal... 4 Accessing Network Guardian... 4 Dashboard... 5 Logs and Reports... 6 Reports... 6 Alerts... 6 Realtime... 6 Logs... 7 Settings... 8 Networking... 8 Configuration... 8 Filtering... 9 Routing... 9 Settings... 9 Services Authentication User Portal Proxies SNMP Message Censor System Maintenance Central Management Preferences Administration iii

4 Contents Hardware Diagnostics Certificates Guardian Quick Links Web Filter Policies HTTPS Inspection Policies Content Modification Policies Anti-malware Policies Block Page Policies Policy Objects Swurl Web Proxy Web Proxy Upstream Proxy Authentication MobileProxy Global Proxy Configuration Guidelines Specifying Networks, Hosts and Ports Using Comments Connecting via SSH Connecting Using a Client Secure Communication Unknown Entity Warning Inconsistent Site Address Chapter 2 Working with Interfaces About Network Interfaces and Roles Creating an External Connection About Load Balancing Traffic over External Connections 26 Editing an External Connection Deleting an External Connection Monitoring External Connections Status Adding a New Interface Allocating IP Addresses to Interfaces Adding an IP Address Editing Allocated IP Addresses Deleting Allocated IP Addresses Configuring Bonded Interfaces Creating Bonds Editing Bonds Deleting a Bond Interface Using Virtual Local Area Networks Creating a VLAN Configuring Transparent Bridges Creating Bridges Editing Bridges Deleting Bridge Interfaces iv Smoothwall Ltd

5 Contents Using a Point-to-Point Protocol over Ethernet Interface Editing a PPPoE Interface Deleting Parent PPPoE Interfaces Adding Alias IP Addresses Using Domain Name System Services Configuring Global DNS Settings Configuring the DNS Servers Using Conditional DNS Forwarders Mapping Static DNS Hosts Chapter 3 Deploying Web Filtering Getting Up and Running Blocking and Allowing Content Immediately Blocking Locations Excepting Computers from Web Filtering About Shortcuts About Network Guardian s Default Policies About the Default Web Filter Policies About the Default Authentication Policies Chapter 4 Working with Policies An Overview of Policies Types of Policies How Policies are Applied Guardian Getting Started Working with Category Group Objects Creating Category Group Objects Creating Custom Categories Editing Category Group Objects Deleting Category Group Objects Working with Time Slot Objects Creating a Time Slot Editing a Time Slot Deleting a Time Slot Working with Location Objects Creating a Location Object Editing Location Objects Deleting Location Objects Working with Quota Objects About the Default Quota Object Creating Quota Objects Editing Quota Objects Deleting Quota Objects Managing Web Filter Policies Creating Web Filter Policies Editing Web Filter Policies Deleting Web Filter Policies Managing HTTPS Inspection Policies Enabling HTTPS Inspection Policies Creating an HTTPS Inspection Policy v

6 Contents Editing HTTPS Inspection Policies Deleting HTTPS Inspection Policies Configuring HTTPS Inspection Policy Settings Clearing the Generated Certificate Cache Managing Content Modification Policies Creating a Content Modification Policy Editing Content Modification Policies Deleting Content Modification Policies Creating Custom Content Modification Policies Managing Anti-malware Policies Creating an Anti-malware Policy Configuring Anti-malware Protection Configuring Anti-malware Status Information Editing Anti-malware Policies Deleting Anti-malware Policies Using the Policy Tester Other Ways of Accessing the Policy Tester Working with Policy Folders Creating a Policy Folder Editing Policy Folders Deleting Policy Folders Censoring Web Form Content Configuring Organization Accounts Chapter 5 Managing Authentication Policies About Authentication Policies Creating Authentication Policies Creating Non-transparent Authentication Policies Creating Transparent Authentication Policies Managing Authentication Policies Editing Authentication Policies Deleting Policies Managing Authentication Exceptions Identification by Location Using Global Proxy Certificates Using Multiple, Distinct Proxies Using an Unsecured Proxy Viewing the Global Proxy Logs Connecting to Network Guardian About Non-transparent Connections About Transparent Connections Authentication Scenarios New Content Filtering Changing the Listening Port Providing Filtered Web Access to the Public Requiring Authentication to Browse the Web Using Multiple Authentication Methods Controlling an Unruly Class vi Smoothwall Ltd

7 Contents Chapter 6 Managing Web Security Overview of the Web Proxy Global Options Advanced Web Proxy Settings Using PAC Scripts Using a Built-in Script Using a Custom Script Managing the Configuration Script Limiting Bandwidth Use Ordering Bandwidth Limiting Policies Editing Bandwidth Limiting Policies Deleting Bandwidth Limiting Policies Configuring WCCP Managing Upstream Proxies Overview Configuring an Upstream Proxy Configuring Source and Destination Filters Using a Single Upstream Proxy Working with Multiple Upstream Proxies Managing Blocklists Viewing Blocklist Information Manually Updating Blocklists Managing Block Pages About the Default Block Page Customizing the Default Block Page Using a Custom HTML Template Using an External Block Page Configuring a Block Page Policy Managing Block Page Policies Working with Block Pages Chapter 7 Managing Your Network Infrastructure Creating Subnets Editing and Removing Subnet Rules Using the Routing Information Protocol Service Load Balancing Traffic Creating Load Balancing Pools Reordering Load Balancing Pools Example Configuration Using Source NATs and LLB Policies Using LLB Pools for Local Traffic Creating a NAT Policy Reordering NAT Policies Chapter 8 Managing Network Security Blocking by IP Creating IP Blocking Rules Editing and Removing IP Block Rules vii

8 Contents Blocking Services on the Ethernet Bridge Managing Exceptions to Blocked Services Working with Port Groups Creating a Port Group Adding Ports to Existing Port Groups Editing Port Groups Deleting a Port Group Working with Address Objects Creating an Address Object Creating Nested Address Objects Editing Address Objects Deleting Address Objects Configuring Advanced Networking Features Blocking and Ignoring Traffic Enabling Advanced Networking Features Configuring ARP Table Size Configuring Connection Tracking Table Size Configuring SYN Backlog Queue Size Configuring Traffic Audits Dropping Direct Traffic Enabling Network Application Helpers Managing Bad External Traffic Chapter 9 Using Zone Bridging Rules About Zone Bridging Rules Creating Zone Bridging Rules Editing and Removing Zone Bridge Rules Example Zone Bridging Rules About Group Bridging Rules Group Bridging and Authentication Creating Group Bridging Rules Editing and Removing Group Bridges Chapter 10 Managing Inbound Traffic Managing Inbound Traffic with Port Forwards About Port Forward Rules Creating Port Forward Rules Chapter 11 Authentication and User Management About User Authentication Configuring Global Authentication Settings About Directory Services Configuring a Microsoft Active Directory Connection Configuring an LDAP Connection Configuring a RADIUS Connection Configuring an Active Directory Connection Legacy Method Configuring a Local Users Directory Reordering Directory Servers viii Smoothwall Ltd

9 Contents Editing a Directory Server Deleting a Directory Server Diagnosing Directories Managing Local Users Adding Users Editing Local Users Deleting Users Managing Groups of Users About Groups Adding Groups Editing Groups Deleting Groups Mapping Groups Remapping Groups Deleting Group Mappings Managing Temporarily Banned Users Creating a Temporary Ban Removing Temporary Bans Removing Expired Bans Managing User Activity Viewing User Activity Logging Users Out Banning Users About SSL Authentication Customizing the SSL Login Page Reviewing SSL Login Pages Managing Kerberos Keytabs Prerequisites Adding Keytabs Managing Keytabs Troubleshooting a Kerberos Service Authenticating Chromebook Users Creating a Google Client ID and Client Secret (Web Application) Restricting Accepted Google Accounts by Domain Customizing the Client Login Page Managing Chromebooks Chapter 12 Centrally Managing Smoothwall Systems About Centrally Managing Smoothwall Systems Pre-requirements Setting up a Centrally Managed Smoothwall System Configuring the Parent Node Configuring Child Nodes Adding Child Nodes to the System Editing Child Node Settings Deleting Nodes in the System Managing Nodes in a Smoothwall System Monitoring Node Status Accessing the Node Details Page ix

10 Contents Working with Updates Rebooting Nodes Disabling Nodes Using BYOD in a Centrally Managed System Glossary Index x Smoothwall Ltd

11 About This Guide Smoothwall s Network Guardian is a licenced feature of your Smoothwall System. This supplement provides guidance for configuring Network Guardian. Audience and Scope This guide is aimed at system administrators maintaining and deploying Network Guardian. This guide assumes the following prerequisite knowledge: An overall understanding of the functionality of the Smoothwall System An overall understanding of networking concepts Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative. Organization and Use This guide is made up of the following chapters and appendices: Chapter 1, Network Guardian Overview on page 3 Chapter 2, Working with Interfaces on page 23 Chapter 3, Deploying Web Filtering on page 45 Chapter 4, Working with Policies on page 51 Chapter 5, Managing Authentication Policies on page 91 Chapter 6, Managing Web Security on page 111 Chapter 7, Managing Your Network Infrastructure on page 139 Chapter 8, Managing Network Security on page 151 1

12 About This Guide Chapter 9, Using Zone Bridging Rules on page 165 Chapter 10, Managing Inbound Traffic on page 173 Chapter 11, Authentication and User Management on page 177 Chapter 12, Centrally Managing Smoothwall Systems on page 209 Glossary on page 221 Index on page 231 Conventions The following typographical conventions are used in this guide: Item Convention Example Key product terms Initial Capitals Network Guardian Smoothwall System Menu flow, and screen objects Bold System > Maintenance > Shutdown Click Save Cross-references Blue text See Chapter 1, Network Guardian Overview on page 3 References to other guides Italics Refer to the Network Guardian Administration Guide Filenames and paths Courier The portal.xml file Variables that users replace Courier Italics Links to external websites Blue text, underlined Refer to This guide is written in such a way as to be printed on both sides of the paper. Related Documentation The following guides provide additional information relating to Network Guardian: Network Guardian Installation Guide, which describes how to install Network Guardian Network Guardian Operations Guide, which describes how to maintain Network Guardian Network Guardian Upgrade Guide, which describes how to upgrade Network Guardian Network Guardian User Portal Guide, which describes how to use the Network Guardian user portal contains the Smoothwall support portal, knowledge base and the latest product manuals. 2 Smoothwall Ltd

13 1 Network Guardian Overview This chapter introduces Network Guardian, including: Overview of Network Guardian on page 4 Annual Renewal on page 4 Accessing Network Guardian on page 4 Dashboard on page 5 Logs and Reports on page 6 Networking on page 8 Services on page 10 System on page 12 Guardian on page 14 Swurl on page 17 Web Proxy on page 17 Configuration Guidelines on page 19 Connecting via SSH on page 20 Secure Communication on page 21 3

14 Network Guardian Overview Overview of Network Guardian Welcome to Network Guardian, the intelligent web content filter that dynamically analyses, understands and categorizes all web content requested by your users. Network Guardian provides: Protection from pornography and objectionable content Controlled access to non work-related sites, such as news, sport, travel and auctions. Protection from web-borne spyware, malware and browser exploits Reporting on Internet behavior and resource utilization security: anti-spam, anti-malware, mail relay and control. Annual Renewal To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative. Accessing Network Guardian To access Network Guardian, do the following: 1. In a web browser, enter the address of your Network Guardian, for example: Note: The example address above uses HTTPS to ensure secure communication with your Network Guardian. It is possible to use HTTP on port 81 if you are satisfied with less security. Note: The following sections assume that you have registered and configured Network Guardian as described in the Network Guardian Installation and Setup Guide. 2. Accept Network Guardian s certificate.the login screen is displayed. 4 Smoothwall Ltd

15 Network Guardian Overview 3. Enter the following information: Field Username Password Information Enter admin This is the default Network Guardian administrator account. Enter the password you specified for the admin account when installing Network Guardian. 4. Click Login. The Dashboard opens. The following describe Network Guardian s user interface. Dashboard The Dashboard is the default home page of your Network Guardian system. It displays the status of external interfaces, service information and customizable summary reports. 5

16 Network Guardian Overview Logs and Reports The Logs and reports section contains the following menu items and pages: Reports All report functionality, including customizing and scheduling, are found here: Pages Summary Reports Recent and saved Scheduled Custom Displays a number of generated reports. For more information, refer to the Network Guardian Operations Guide. Where you generate and organize reports. For more information, refer to the Network Guardian Operations Guide. Lists recently-generated and previously saved reports. For more information, refer to the Network Guardian Operations Guide. Sets which reports are automatically generated and delivered. For more information, refer to the Network Guardian Operations Guide. Enables you to create and view custom reports. For more information, refer to the Network Guardian Operations Guide. Alerts You can enable alerts and monitors from here: Pages Alerts Alert settings Determine which alerts are sent to which groups of users and in what format. For more information, refer to the Network Guardian Operations Guide. Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, refer to the Network Guardian Operations Guide. Realtime You can watch Network Guardian s log files populate in realtime from here: Pages System Firewall A real time view of the system log with some filtering options. For more information, refer to the Network Guardian Operations Guide. A real time view of the firewall log with some filtering options. For more information, refer to the Network Guardian Operations Guide. 6 Smoothwall Ltd

17 Network Guardian Overview Pages Portal IM proxy Web filter Traffic graphs Displays the log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti- Spam Installation and Administration Guide. A real time view of activity on user portals. For more information, refer to the Network Guardian Operations Guide. A real time view of recent instant messaging conversations. For more information, refer to the Network Guardian Operations Guide. Displays the web filter log viewer running in real time mode. For more information, refer to the Network Guardian Operations Guide. Displays a real time bar graph of the bandwidth being used. For more information, refer to the Network Guardian Operations Guide. Logs You can view and download Network Guardian s log files from here: Pages System Firewall IM proxy Web filter User portal Log settings Simple logging information for the internal system services. For more information, refer to the Network Guardian Operations Guide. Displays all data packets that have been dropped or rejected by the firewall. For more information, refer to the Network Guardian Operations Guide. Displays sender, recipient, subject and other message information. For more information, refer to the Network Guardian Operations Guide. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide. Displays information about instant messaging conversations. For more information, refer to the Network Guardian Operations Guide. Displays time, username, source IP and other web filtering information. For more information, refer to the Network Guardian Operations Guide Web Filter Logs on page 107. Displays information about access by users to portals. For more information, refer to the Network Guardian Operations Guide. Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, refer to the Network Guardian Operations Guide. 7

18 Network Guardian Overview Settings You set global settings for reports, alerts, and log files from here: Pages Datastore settings Groups Output settings Contains settings to manage the storing of log files. For more information, refer to the Network Guardian Operations Guide. Where you create groups of users which can be configured to receive automated alerts and reports. For more information, refer to the Network Guardian Operations Guide Settings to configure the to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, refer to the Network Guardian Operations Guide. Networking The Networking section contains the following sub-sections and pages: Configuration You configure all interfaces, whether they are NICs or software interfaces, here: Pages Interfaces DNS Link Load Balancing Source NAT & LLB policies Port forwards Configure and display information for your Network Guardian s interfaces, including VLANs and bridges. For more information, see Configuring Global Settings for Interfaces on page 26. Configure static DNS settings, and DNS proxy service settings. For more information, see Using Domain Name System Services on page 40. Configure load balancing pools for network interfaces. For more information, see Load Balancing Traffic on page 143. Configure any source NAT-ing, source mapping policies, and load balancing policies. For more information, see Using Source NATs and LLB Policies on page 147. Configure any port forwarding policies to internal network services. For more information, see Managing Inbound Traffic with Port Forwards on page Smoothwall Ltd

19 Network Guardian Overview Filtering You can setup filtering rules here for network traffic: Pages Zone bridging Group bridging IP block Ethernet bridging Used to define permissible communication between pairs of network zones. For more information, see About Zone Bridging Rules on page 165. Used to define the network zones that are accessible to authenticated groups of users. For more information, see About Group Bridging Rules on page 169. Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Creating IP Blocking Rules on page 151. Used to block peer to peer traffic across the bridge interface. For more information, see Blocking Services on the Ethernet Bridge on page 153. Routing You can configure routing rules here for network traffic: Pages Subnets RIP Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Creating Subnets on page 139. Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Using the Routing Information Protocol Service on page 141. Settings You set global settings for all networking aspects from here: Pages Port groups Address object manager Advanced Create and edit groups of ports for use throughout Network Guardian. For more information, see Working with Port Groups on page 155. Create and edit IP address objects for use in networking configuration. For more information, see Working with Address Objects on page 157. Used to configure advanced network and traffic auditing parameters. For more information, see Configuring Advanced Networking Features on page

20 Network Guardian Overview Services The Services section contains the following sub-sections and pages: Authentication You configure user authentication policies here: Pages Settings Directories Groups Temporary bans User activity SSL login Kerberos keytabs BYOD Chromebook Used to set global login time settings. For more information, see Configuring Global Authentication Settings on page 178. Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, see About Directory Services on page 179. Used to customize group names. For more information, see Managing Groups of Users on page 190. Enables you to manage temporarily banned user accounts. For more information, see Managing Temporarily Banned Users on page 193. Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Managing User Activity on page 195. Used to customize the end-user SSL login page. For more information, see About SSL Authentication on page 196. This is where Kerberos keytabs are imported and managed. For more information, see Managing Kerberos Keytabs on page 198. Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, refer to the Network Guardian Operations Guide. Used to configure Google credentials for Chromebook authentication. For more information, see Authenticating Chromebook Users on page 201. User Portal You configure and manage user portals here: Pages Portals Group access User access This page enables you to configure and manage user portals. For more information, refer to the Network Guardian Operations Guide. This page enables you to assign groups of users to portals. For more information, refer to the Network Guardian Operations Guide. This page enables you to override group settings and assign a user directly to a portal. For more information, refer to the Network Guardian Operations Guide. 10 Smoothwall Ltd

21 Network Guardian Overview Proxies You configure the proxy service for Network Guardian s individual modules, including: Pages Instant messenger FTP Configure the instant messenger proxy service. For more information, refer to the Network Guardian Operations Guide. Configure the FTP proxy service. For more information, refer to the Network Guardian Operations Guide. SNMP You enable and configure the SNMP service here: Pages SNMP Used to activate Network Guardian s Simple Network Management Protocol (SNMP) agent. For more information, refer to the Network Guardian Operations Guide. Message Censor You can configure filtering policies for message content here: Pages Policies Filters Time Custom categories Enables you to create and manage filtering policies by assigning actions to matched content. For more information, refer to the Network Guardian Operations Guide. This is where you create and manage filters for matching particular types of message content. For more information, refer to the Network Guardian Operations Guide. This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, refer to the Network Guardian Operations Guide. Enables you to create and manage custom content categories for inclusion in filters. For more information, refer to the Network Guardian Operations Guide. 11

22 Network Guardian Overview System The System section contains the following sub-sections and pages: Maintenance You use the following sections to manage and maintain various aspects of Network Guardian, including: Pages Updates Modules Licenses Archives Scheduler Shutdown Used to display and install available product updates, in addition to listing currently installed updates. For more information, refer to the Network Guardian Operations Guide. Used to upload, view, check, install and remove Network Guardian modules. For more information, refer to the Network Guardian Operations Guide. Used to display and update license information for the licensable components of the system. For more information, refer to the Network Guardian Operations Guide. Used to create and restore archives of system configuration information. For more information, refer to the Network Guardian Operations Guide. Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, refer to the Network Guardian Operations Guide. Used to shutdown or reboot the system. For more information, refer to the Network Guardian Operations Guide. Central Management You can setup a centrally managed Network Guardian system here: Pages Overview Child nodes Local node settings This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, see Managing Nodes in a Smoothwall System on page 215. This is where you add and configure nodes in a Smoothwall system. For more information, see Configuring Child Nodes on page 211. This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, see Setting up a Centrally Managed Smoothwall System on page Smoothwall Ltd

23 Network Guardian Overview Preferences You can customize your installation of Network Guardian here: Pages User interface Time Registration options Hostname Used to manage Network Guardian s dashboard settings. For more information, refer to the Network Guardian Operations Guide. Used to manage Network Guardian s time zone, date and time settings. For more information, refer to the Network Guardian Operations Guide. Used to configure a web proxy if your ISP requires you use one. Also, enables you configure sending extended registration information to Smoothwall. For more information, refer to the Network Guardian Operations Guide. Used to configure Network Guardian s hostname. For more information, refer to the Network Guardian Operations Guide. Administration You can enable administration access to Network Guardian here: Pages Admin options External access Administrative users Tenants Used to enable secure access to Network Guardian using SSH, and to enable referral checking. For more information, refer to the Network Guardian Operations Guide. Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Network Guardian. For more information, refer to the Network Guardian Operations Guide. Used to manage user accounts and set or edit user passwords on the system. For more information, refer to the Network Guardian Operations Guide. Used to manage tenants. For more information, refer to the Multi-Tenant Installation and Administration Guide. Note you may not see this option if you have not purchased a Multi-Tenant licence. Hardware You can configure additional hardware aspects here: Pages UPS Console Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, refer to the Network Guardian Operations Guide. Configure the system console. For more information, refer to the Network Guardian Operations Guide. 13

24 Network Guardian Overview Diagnostics You can perform diagnostics tests here: Pages Functionality tests Configuration report IP tools Whois Used to ensure that your current Network Guardian settings are not likely to cause problems. For more information, refer to the Network Guardian Operations Guide. Used to create diagnostic files for support purposes. For more information, refer to the Network Guardian Operations Guide. Contains the ping and trace route IP tools. For more information, refer to the Network Guardian Operations Guide. Used to find and display ownership information for a specified IP address or domain name. For more information, refer to the Network Guardian Operations Guide. Certificates You can configure Network Guardian as a Certificate Authority: Page Certificate authorities Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, refer to the Network Guardian Operations Guide. Guardian The Guardian section contains the following sub-sections and pages: Quick Links The most commonly used Guardian functions are found here: Page Getting started Shortcuts Quick block/allow Policy tester This page provides an overview of what comprises a web filter policy, a link to the default policies and an introduction to policy wizards. For more information, see Guardian Getting Started on page 54. This page provides direct links to tasks you might do on a daily basis, such as blocking and allowing sites and running reports. For more information, see About Shortcuts on page 49. This page enables you to block or allow content immediately. For more information, see Blocking and Allowing Content Immediately on page 46. The policy tester enables you to test whether a URL is available to a specific person at a specific location and time. For more information, see Using the Policy Tester on page Smoothwall Ltd

25 Network Guardian Overview Web Filter Policies You configure web filter policies here: Pages Manage policies Policy wizard Location blocking Exceptions Outgoing This is where you manage how web filtering policies are applied. For more information, see Managing Web Filter Policies on page 64. This is where you can configure a custom web filtering policy. For more information, see Creating Web Filter Policies on page 65. Enables you to block computers at a specific location from accessing web content. For more information, see Blocking Locations on page 47. Here you can exempt computers from any web filtering. For more information, see Excepting Computers from Web Filtering on page 47. This is where you configure outgoing settings for a censor policy for content and/or files posted using web forms. For more information, see Censoring Web Form Content on page 87. HTTPS Inspection Policies You can configure HTTPS inspection policies here: Pages Manage policies Policy wizard Settings This is where you manage HTTPS inspection policies that decrypt and inspect encrypted communications. For more information, see Managing HTTPS Inspection Policies on page 68. This is where you create custom policies for managing encrypted communications. For more information, see Creating an HTTPS Inspection Policy on page 69. This is where you manage CA security certificates and configure HTTPS interception messages. For more information, see Configuring HTTPS Inspection Policy Settings on page 72. Content Modification Policies You can configure content modification policies here: Pages Manage policies Policy wizard Content modifications This is where you manage content modification policies that apply recommended security rules and enforce SafeSearch in browsers. For more information, see Managing Content Modification Policies on page 74. Enables you to create custom policies for applying security rules and enforcing SafeSearch in browsers. For more information, see Creating a Content Modification Policy on page 75. Create and manage content modification policies. For more information, see Managing Content Modification Policies on page

26 Network Guardian Overview Anti-malware Policies You can configure anti-malware policies here: Pages Manage policies Policy wizard Status page Settings This is where you manage policies that protect against malware. For more information, see Managing Anti-malware Policies on page 79. This is where you can create custom policies to protect against malware. For more information, see Creating an Anti-malware Policy on page 79. Enables you to customize anti-malware information shown when downloading files. For more information, see Configuring Anti-malware Status Information on page 82. This is where you enable malware protection. For more information, see Creating an Anti-malware Policy on page 79. Block Page Policies You can configure block page policies here: Pages Manage policies Policy wizard Block pages This is where you manage block page policies. For more information, see Managing Block Page Policies on page 137. This is where you create and edit block page policies. For more information, see Configuring a Block Page Policy on page 136. This is where you create and edit block pages. For more information, see Managing Block Pages on page 132. Policy Objects You can configure global policy objects to be used in any Guardian policy: Pages Category groups User defined Time slots Locations Quotas This is where you manage content categories used when applying a web filtering policy. For more information, see Working with Category Group Objects on page 55. This is where you manage custom content categories. For more information, see Creating Custom Categories on page 56. This is where you create and manage time slot policy objects for use in content filtering policies. For more information, see Working with Time Slot Objects on page 59. This is where you create and manage location policy objects for use in content filtering policies. For more information, see Working with Location Objects on page 60. This is where you create and manage quota policy objects for use in content filtering policies. For more information, see Working with Quota Objects on page Smoothwall Ltd

27 Network Guardian Overview Swurl The Swurl section contains the following sub-sections and pages: Pages Settings This is where you configure your organization s Swurl account. For more information, see Configuring Organization Accounts on page 89. Web Proxy The Web proxy section contains the following sub-sections and pages: Web Proxy You can manage the web proxy service here: Pages Settings Automatic configuration Bandwidth limiting WCCP This is where you configure and manage web proxy settings. For more information, see Overview of the Web Proxy on page 112. This is where you create and make available proxy auto-configuration (PAC) scripts. For more information, see Using PAC Scripts on page 116. This is where you can manage how much bandwidth is made available to clients. For more information, see Limiting Bandwidth Use on page 118. This is where you can configure Network Guardian to join a Web Cache Coordination Protocol (WCCP) cache engine cluster. For more information, see Configuring WCCP on page 120. Upstream Proxy You can managed the upstream proxy service here: Pages Manage policies Proxies Filters This is where you manage upstream proxy policies. For more information, see Working with Multiple Upstream Proxies on page 128. This is where you configure upstream proxy settings. For more information, see Configuring an Upstream Proxy on page 123. This is where you manage upstream proxy source and destination filters. For more information, see Configuring Source and Destination Filters on page

28 Network Guardian Overview Authentication You can manage web proxy authentications here: Pages Manage polices Policy wizard Exceptions Ident by location This is where you manage authentication policies which determine which web filter policies are applied. For more information, see Chapter 5, Managing Authentication Policies on page 91. This is where you create and edit authentication policies. For more information, see Creating Authentication Policies on page 92. This is where you can exempt content from authentication. For more information, see Managing Authentication Exceptions on page 103. This is where you configure identification of groups and/or users by their location. For more information, see Identification by Location on page 103. MobileProxy You can manage the MobileProxy service here: Pages Settings Proxies Exceptions On this page, you configure global MobileProxy server settings. For more information, refer to the Network Guardian Operations Guide. On this page, you manage MobileProxyservers for use with mobile devices. For more information, refer to the Network Guardian Operations Guide. On this page, you specify proxy exceptions. For more information, refer to the Network Guardian Operations Guide. Global Proxy The Global Proxy section contains the following sub-sections and pages: Pages Settings Certificate activity Used to configured Secure Global Proxy. For more information, For more information, see Using Global Proxy Certificates on page 104. Used to view the Secure Global Proxy logs. For more information, For more information, see Viewing the Global Proxy Logs on page Smoothwall Ltd

29 Network Guardian Overview Configuration Guidelines This section provides guidance about how to enter suitable values for frequently required configuration settings. Specifying Networks, Hosts and Ports IP Address An IP address defines the network location of a single network host. The following format is used: IP Address Range An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example: Subnet Addresses A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways: / /24 Netmasks A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples: Service and Ports A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:

30 Network Guardian Overview Port Range A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used: 137:139 Using Comments Almost every configurable aspect of Network Guardian can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information. Connecting via SSH You can access Network Guardian via a console using the Secure Shell (SSH) protocol. Connecting Using a Client When SSH access is enabled, you can connect to Network Guardian via a secure shell application, such as PuTTY. To connect using an SSH client: 1. Check SSH access is enabled on Network Guardian. See Configuring Administration Access Options on page 139 for more information. 2. Start PuTTY or an equivalent client. 20 Smoothwall Ltd

31 Network Guardian Overview 3. Enter the following information: Field Host Name (or IP address) Enter Network Guardian s host name or IP address. Port Enter 222 Protocol Select SSH. 4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Network Guardian command line. Secure Communication When you connect your web browser to Network Guardian s web-based interface on a HTTPS port for the first time, your browser will display a warning that Network Guardian s certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site. Unknown Entity Warning This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Network Guardian s certificate is a self-signed certificate. Note: The data traveling between your browser and Network Guardian is secure and encrypted. To remove this warning, your web browser needs to be told to trust certificates generated by Network Guardian. To do this, import the certificate into your web browser. The details of how this are done vary between browsers and operating systems. See your browser s documentation for information about how to import the certificate. Inconsistent Site Address Your browser will generate a warning if Network Guardian s certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Network Guardian s case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Network Guardian using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future. 21

32 Network Guardian Overview Neither of the above issues compromise the security of HTTPS access. They simply serve to illustrate that HTTPS is also about identity as well encryption. 22 Smoothwall Ltd

33 2 Working with Interfaces This chapter describes how to configure the network cards and interfaces on your Network Guardian, including: About Network Interfaces and Roles on page 23 Creating an External Connection on page 25 Adding a New Interface on page 27 Allocating IP Addresses to Interfaces on page 28 Configuring Bonded Interfaces on page 30 Using Virtual Local Area Networks on page 33 Configuring Transparent Bridges on page 34 Using a Point-to-Point Protocol over Ethernet Interface on page 37 Using Domain Name System Services on page 40 About Network Interfaces and Roles Note: Support for Internet connections using dial-up modems has been withdrawn. For more information, contact your Smoothwall representative. Interface can refer to both a software interface, such as a virtual LAN, and a physical network interface card (NIC). Within Network Guardian, interface typically refers to a software interface, whereas NICs have roles. The following NIC roles are supported: NIC Role External External interfaces connect your network to the Internet. For a detailed description of how to configure an external role, see Creating an External Connection on page

34 Working with Interfaces NIC Role Basic interface Bond member Bridge member Typically, basic interfaces deal with internal network traffic. During installation, a basic interface is reserved, and configured to provide a direct link to Network Guardian, either through the administration user interface, or through secure shell (SSH). For a detailed description of how to add an IP address to a basic interface, see Allocating IP Addresses to Interfaces on page 28. A bond member is one of two or more NICs combined together to provide high availability. A Bonding interface acts as the combination. For a detailed description of how to configure a bond member, see Configuring Bonded Interfaces on page 30. A bridge member is one of two or more NICs that bridge separate network zones together. A Bridge interface acts as the connection between NICs. For a detailed description of how to configure a bridge member, see Configuring Transparent Bridges on page 34. The following interfaces are supported: Interface Bonding VLAN Bridge PPPoE A Bonding interface is a software interface that combines NICs to provide high availability. For a detailed description of how to configure a bonded interface, see Configuring Bonded Interfaces on page 30. A virtual local area network (VLAN) is a virtual network zone. VLAN interfaces are software interfaces, associated with a NIC. For a detailed description of how to configure a VLAN interface, see Using Virtual Local Area Networks on page 33. A Bridge interface is a software interface that links network zones, that is, NICs, together. For a detailed description of how to configure a bridge interface, see Configuring Transparent Bridges on page 34. A Point-to-Point Protocol over Ethernet (PPPoE) interface connects network zones using modems, or similar devices. For a detailed description of how to configure a PPPoE interface, see Using a Point-to-Point Protocol over Ethernet Interface on page 37. New NICs added to your appliance are automatically added to the configuration as a BASIC interface. You must configure additional interfaces for Internet connections, connections from internal clients for web filtering purposes, and so on. Note: The configuration entered for the NIC during the installation is to allow access to Network Guardian from the administration user interface. For more information, refer to the Network Guardian Installation Guide. 24 Smoothwall Ltd