iboss Enterprise Firewall Manual iboss Security


Copyright Phantom Technologies, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in chemical, manual or otherwise, without the prior written permission of Phantom Technologies, Inc. All brand and product names mentioned in this manual are trademarks and/or registered trademarks of their respective holders.

Rev 1 Version 1.1: January 2012

Table of Contents

TABLE OF FIGURES
IBOSS ENTERPRISE FIREWALL OVERVIEW
OVERVIEW
HARDWARE APPLIANCE
TYPICAL PACKAGE CONTENTS
  iboss Enterprise Firewall Appliance Description
  Front Panel
  Back Panel
  Serial Console
GENERAL NETWORKING CONCEPTS
PACKET TRANSMISSION ON TYPICAL IP NETWORKS
ETHERNET
INTERNET PROTOCOL (IP)
TCP AND UDP
PACKET TRANSMISSION OVER THE NETWORK
SWITCHES, ROUTERS/GATEWAYS, AND FIREWALLS
VIRTUAL AREA NETWORKS (VLANS)
DIRECTORY SERVICES
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP)
ACTIVE DIRECTORY
EDIRECTORY
OPEN LDAP
OPEN DIRECTORY
DEPLOYING AND INSTALLING THE IBOSS ENTERPRISE FIREWALL
ACCESSING THE FIREWALL INTERFACE FOR THE FIRST TIME
THE FIREWALL HOME PAGE
GENERAL LAYOUT OF FIREWALL SECTIONS
HOME
SYSTEM
NETWORK
FIREWALL
TOOLS
VPN
SECURITY
LOG
DETAILED SECTION DESCRIPTION
SYSTEM SECTION
  Status
  System Settings
  Ldap/Active Directory
  Creating And Managing Users
  Configuring the time
  Rebooting and Powering Off the system
  Managing the firewall firmware
  Managing Subscriptions
NETWORK SECTION DETAIL
  Configuring Interface IP Settings
  Configuring Routes
  ARP
  DHCP Server
  DNS Forwarding
  Dynamic DNS
FIREWALL SECTION DETAIL
  Port Forwarding
  Access Control List
  One to One Nat
  Connections Monitor
TOOLS
  Backup & Restore
  Backup To Network Share
  Diagnostics
VPN
  General VPN Settings
  Site To Site VPN
  Connecting Remote Users Via VPN
  VPN Status
SECURITY SECTION
  Gateway Antivirus
  Data Leakage Detection
  Virus Signatures
  Intrusion Prevention
LOGS
LOGGING OUT

Table of Figures

Figure 1 - Serial Console Settings
Figure 2 - Packet Capture Example
Figure 3 - Firewall Login Page
Figure 4 - Home Page
Figure 5 - Status Page
Figure 6 - System Settings
Figure 7 - System settings description
Figure 8 - SMTP Server settings description
Figure 9 - Log Settings
Figure 10 - Log settings description
Figure 11 - LDAP/Active Directory/eDirectory Settings
Figure 12 - LDAP settings description
Figure 13 - Sample Active Directory LDAP settings
Figure 14 - Sample eDirectory LDAP settings
Figure 15 - Managing Users
Figure 16 - Add/Edit User
Figure 17 - Firewall administrative user settings description
Figure 18 - System Time Settings
Figure 19 - Reboot and Power Off
Figure 20 - Managing Firmware
Figure 21 - Managing Subscription Keys
Figure 22 - Subscription keys description
Figure 23 - Configuring WAN IP Address
Figure 24 - Configuring LAN IP Address
Figure 25 - Routes
Figure 26 - Configuring RIP
Figure 27 - ARP
Figure 28 - DHCP Server
Figure 29 - DHCP Reservations
Figure 30 - DHCP reservation settings description
Figure 31 - Configuring DHCP Lease Pools
Figure 32 - DHCP Server IP lease pool description
Figure 33 - DNS Forwarding
Figure 34 - Dynamic DNS
Figure 35 - Port Forwarding
Figure 36 - Port forwarding example settings
Figure 37 - Creating a simple port forwarding rule
Figure 38 - Sample port forwarding rule added
Figure 39 - Port forwarding rule associated with new ACL. Note the ACL rule with ID 26 is associated with Port Forward rule ID 27 from the figure before. Also note that this figure is from the Access Control Lists page
Figure 40 - Port Forwarding rules in advanced mode
Figure 41 - Port forwarding settings description
Figure 42 - Access Control List
Figure 43 - Access control list settings description
Figure 44 - One to One NAT
Figure 45 - Active Firewall Connections
Figure 46 - Backup & Restore
Figure 47 - Automated Backups
Figure 48 - Backing up to network share
Figure 49 - Backup to network share settings description
Figure 50 - CPU Monitoring Tool
Figure 51 - Active connections monitoring tool
Figure 52 - DNS query lookup tool
Figure 53 - DNS lookup result
Figure 54 - Packet trace tool
Figure 55 - Ping tool
Figure 56 - Reverse name resolution tool
Figure 57 - Reverse name resolution result
Figure 58 - Trace route tool
Figure 59 - General VPN Settings
Figure 60 - General VPN settings description
Figure 61 - Site to Site VPN Server Entry
Figure 62 - Site to site VPN server settings description
Figure 63 - Site to Site VPN client entry
Figure 64 - Site to site VPN client settings description
Figure 65 - Site to site VPN Location 1 Sample
Figure 66 - Site to site VPN Location 2 Sample
Figure 67 - Creating site to site VPN. Adding the server entry to Location 1. Note we define where the client (Location 2) is connecting from
Figure 68 - Location 1 settings complete. Now download the server settings by clicking on the "Download Site To Site Server Settings" link highlighted above
Figure 69 - Saving the site to site VPN server settings on your computer
Figure 70 - Configuring Location 2. Simply import the server settings created on the firewall at Location
Figure 71 - Site to site VPN client settings complete
Figure 72 - Adding VPN Users
Figure 73 - VPN user settings description
Figure 74 - Example VPN user tim.smith is being added to the system. Tim will authenticate via LDAP. Note that the LDAP settings must first be configured under the LDAP settings section under the System menu option
Figure 75 - VPN users will only be allowed to log into the VPN if they are part of the VPNUsers group or OU in LDAP/Active Directory/eDirectory. This is specified in the VPN Settings section and highlighted above
Figure 76 - Tim is added as a VPN user to the system. You can Tim the VPN client and settings by clicking on the " VPN Settings" button above. You must specify an address when creating the user for this button to appear
Figure 77 - VPN Status
Figure 78 - Gateway Antivirus
Figure 79 - Gateway Antivirus settings description
Figure 80 - Gateway Antivirus DLP settings
Figure 81 - DLP settings description
Figure 82 - Additional gateway antivirus settings description
Figure 83 - Viewing Virus Signatures
Figure 84 - Intrusion Prevention settings
Figure 85 - Intrusion Prevention settings description
Figure 86 - System Logs
Figure 87 - Virus Logs
Figure 88 - Intrusion Prevention Logs

1 iboss Enterprise Firewall Overview

1.1 Overview

The iboss Enterprise Firewall is a high performance deep packet inspection security appliance. The firewall is typically installed on the outer edge of the network to prevent unauthorized access to the secure private network. In addition, the firewall provides services such as Network Address Translation (NAT), routing, DHCP services, Intrusion Prevention, VPN services for remote users and sites, Gateway Antivirus and more. Although very secure and complex at the core, the firewall is designed with the network administrator in mind to enable quick and easy configuration of typically difficult to accomplish tasks.

This manual provides in-depth coverage of the iboss Enterprise Firewall, including deployment, features and function. An understanding of networking concepts is highly recommended, although some networking concepts will be covered in this manual as well.

2 Hardware Appliance

The iboss is a self-contained hardware appliance. The appliance does not require external components or databases to function and handles all functionality internally.

2.1 Typical Package Contents

The following items are included with the iboss Enterprise Firewall:

- iboss Enterprise Firewall appliance
- Power cable
- RS-232 null terminated console cable
- Quick Install Reference Pamphlet

iboss Enterprise Firewall Appliance Description

The iboss Enterprise is a rack-mountable appliance. Typically, the iboss firewall will occupy 1U of rack-mount space.

Front Panel

The front panel consists of a power button and status LEDs. The power button provides soft power up and power down by pressing and releasing the button quickly. To perform a hard power down, press and hold the front panel power button while the appliance is powered on. It is recommended that you use the normal soft power down by quickly pressing and releasing the panel button and waiting approximately 1 minute for the appliance to shut down gracefully.

Back Panel

The back panel typically consists of two 10/100/1000 copper Ethernet network ports and a serial console port. Additional network interfaces can be present for functions such as additional WAN links or DMZ connections. The serial console port is accessible with the provided RS-232 null terminated console cable. The two network ports are labeled LAN and WAN, respectively. These are used to connect the iboss inline on your network.

NOTE: On certain models, there are additional interfaces. These interfaces can be either additional WAN links or DMZ links. They are labeled WAN2, WAN3, etc. or DMZ1, DMZ2, etc.

Serial Console

The firewall is equipped with a serial console. The serial console interface contains basic functionality such as configuring the IP Address of the firewall and restoring factory defaults. The figure below shows the serial console settings that can be used to access the serial interface via a null terminated RS-232 cable.

Figure 1 - Serial Console Settings

3 General Networking Concepts

This section describes fundamental networking concepts required for a good understanding of the firewall. The section covers Ethernet, IP, TCP/UDP as well as other aspects of networking.

NOTE: If you already have a good understanding of networking concepts, you can skip this section or skim through it.

3.1 Packet Transmission on typical IP networks

When a computer wishes to transmit information from one place to another, it does this by breaking that information down into small data packages called packets. For example, downloading a web page from a server requires your computer to connect to a web server on the Internet in order to retrieve the information. This transmission is broken into smaller packet sizes which are much more convenient than transferring the entire data payload at once.

Transmission of data on the Internet can be unreliable. Breaking the data into smaller data packets allows some of the packets to be lost and re-transmitted later. If the entire data payload was transferred at once and an error occurred during the transfer, the computer would have to retransmit the entire data payload again, which would be inefficient and time consuming.

The data packets are typically called Ethernet packets. Computers must use well defined protocols to transfer information so that both ends of the communication link (i.e. the computer and the web server) know how to transfer the data between each other and reassemble it. The Ethernet protocol is one of the lower level protocols used to transfer data packets from one computer to another.

NOTE: Although Ethernet is one of the most common transmission methods of packets, there are also other transmission methods that are used to move information in data packets from one point to another. These other protocols are typically used when moving packets that are larger in size than what Ethernet packets are capable of carrying. For example, one such transmission method is called Frame Relay.

A packet is just a sequence of bytes (or data chunks) that are transferred together. The typical size of an Ethernet packet is 1514 bytes. The packet is divided into sections, with some sections containing information about moving the packet from one place to another and other sections containing the actual data being transmitted. A typical packet used to transmit data in a reliable fashion using TCP (Transmission Control Protocol) is divided into sections like this:

Ethernet->IP->TCP->Data Being Transmitted

The figure below shows an actual packet capture from a computer going to This is a single packet (one of many) from the transmission and contains the portion requesting the Google home page:

Figure 2 - Packet Capture Example

Starting from the top, you'll notice the packet is 823 bytes in size. The first portion is the Ethernet section. This is followed by the IP (Internet Protocol) section (highlighted in red). The next section is the TCP (Transmission Control Protocol) section. Finally, the HTTP section is last and contains the first part of the data payload that is being transferred.

3.2 Ethernet

Ethernet is a point to point protocol and is used by computers to transfer information directly from one computer to another. The protocol consists of tagging a packet with a source MAC address and destination MAC address. Every network interface has a unique MAC address that is programmed into it by the manufacturer. For example, every network card must have a unique MAC address and this is guaranteed by the vendor who manufactures the card.

The source MAC address of a packet is the MAC address of the network interface of the transmitting computer. The destination MAC address is the MAC address of the network interface where this packet is destined to. In order to retrieve the destination MAC address, the computer wishing to transmit the packet will perform a network query called an ARP request. The ARP request provides the MAC address of the destination computer, which is then used by the sending computer to populate the destination MAC address portion of the packet.

Direct transmission of packets from one computer to another is only possible if the two computers are on the same local network. A local network is defined by a subnet. Two computers that are part of the same subnet are considered to be part of the same network. A computer uses its own IP Address and Subnet Mask to determine if the computer it is trying to communicate with is on the same subnet. If the destination computer is on the same subnet, the computer will populate the destination MAC address of that computer and send the packet directly. Otherwise, if the destination computer is not on the local subnet, the computer will populate the MAC address of the network gateway into the packet and transmit the packet to the gateway, which handles forwarding the packet to remote networks.

3.3 Internet Protocol (IP)

The IP protocol is used in conjunction with Ethernet to transmit packets from one computer to another. The IP protocol provides additional information that allows packets to not only be transmitted on local networks, but also to computers that are not on the same network as well. On the Internet, every computer that is visible to the outside world must have a unique IP Address. This allows the packets to be routed by network routers from one network to another.

There are a few IP ranges that are reserved for private use, which allows computers on a local network to have the same IP Address as computers on remote networks. However, before the packet is transmitted to the Internet, the source IP Address of that packet must be translated by a router or firewall into a unique address. This process is called Network Address Translation (or NAT). It is the process of converting one IP Address to another before transmission to the globally visible Internet. The common reserved private IP Addresses are , and These addresses can be used internally only by networks to create many more IP Addresses than the globally visible IP Address that is assigned to their network. Because the 10.x.x.x network range is the biggest, it is typically used on larger networks.

3.4 TCP and UDP

While IP is responsible for moving packets from one network to another, TCP and UDP are in charge of putting the packets in order and delivering them to the right program on the destination computer. TCP/UDP is the section of the packet that comes right after the IP section.

The main difference between the TCP and UDP protocol is that TCP will guarantee that every packet makes it to the destination while UDP will not. If a packet is lost during a TCP transmission, TCP uses sequence numbers to determine which packets were lost and requests them to be resent. On the other hand, UDP does not provide this ability but still has the necessary information in order to get the packet to the right application on the destination computer. UDP is much faster since it does not have these extra checks in place for lost packets.

TCP is an absolute requirement when transferring files and documents in which a single lost packet could cause the document or information to be corrupted. In cases that involve streaming, such as phone calls (VOIP) and streaming video, UDP is typically a better choice because it's faster and losing a packet is acceptable (you get a moment of silence on the phone or a small blip on the video you're watching).

3.5 Packet Transmission Over the Network

Typical data transmissions involve packets that contain all of the headers mentioned so far (Ethernet, IP, TCP or UDP). They are used together to get the packet from a source computer to a destination computer. When a data transmission is on the local network, the computer sends the data directly to the other computer. When the data transmission is not local, the computer sends the data to the network gateway, which is a specialized piece of equipment called a router. The network gateway is always a local destination and it has the information necessary to forward the packet to its ultimate destination outside of the network.

3.6 Switches, Routers/Gateways, and Firewalls

Switches, routers and firewalls are used to move packets around a network from one computer to another and also between one network and another network of computers.
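The packet layering of sections 3.1 to 3.4 and the local-versus-gateway delivery rule of sections 3.2 and 3.5, as an added Python example that is not part of the original manual. The host settings, MAC addresses, ARP cache and function names are constructed for illustration, and the TCP checksum is left at zero in this sketch.

```python
import ipaddress
import struct

# Constructed sample host settings and ARP cache (illustrative values only).
HOST = {"ip": "10.0.0.25", "mask": "255.255.255.0",
        "gateway": "10.0.0.1", "mac": "02:00:00:00:00:25"}
ARP_CACHE = {"10.0.0.1": "02:00:00:00:00:01",   # the gateway
             "10.0.0.40": "02:00:00:00:00:40"}  # a computer on the same subnet


def next_hop(host, dst_ip):
    """Return the IP whose MAC goes into the Ethernet header: the destination
    itself when it is on the local subnet, otherwise the gateway."""
    net = ipaddress.ip_network(f"{host['ip']}/{host['mask']}", strict=False)
    if ipaddress.ip_address(host["gateway"]) not in net:
        raise ValueError("gateway must be local to the computer's subnet")
    return dst_ip if ipaddress.ip_address(dst_ip) in net else host["gateway"]


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def checksum16(data):
    """Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(host, dst_ip, sport, dport, payload, arp=ARP_CACHE):
    """Stack the sections in order: Ethernet -> IP -> TCP -> data."""
    hop = next_hop(host, dst_ip)
    if hop not in arp:
        raise LookupError(f"no ARP entry for {hop}; an ARP request is needed")
    eth = (mac_to_bytes(arp[hop]) + mac_to_bytes(host["mac"])
           + struct.pack("!H", 0x0800))           # EtherType: IPv4
    # Ports, sequence, ack, 20-byte header, PSH+ACK, window, checksum 0, urgent 0.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    src = ipaddress.ip_address(host["ip"]).packed
    dst = ipaddress.ip_address(dst_ip).packed
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Split a frame back into its sections; reject truncated or damaged input."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ihl = (frame[14] & 0x0F) * 4
    if ethertype != 0x0800 or frame[14] >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    ip_hdr = frame[14:14 + ihl]
    if checksum16(ip_hdr) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    tcp_at, end = 14 + ihl, 14 + total_len
    if ip_hdr[9] != 6 or end > len(frame) or tcp_at + 20 > end:
        raise ValueError("not a complete TCP segment")
    sport, dport = struct.unpack("!HH", frame[tcp_at:tcp_at + 4])
    data_at = tcp_at + (frame[tcp_at + 12] >> 4) * 4
    if data_at < tcp_at + 20 or data_at > end:
        raise ValueError("bad TCP data offset")
    return {"dst_mac": bytes_to_mac(dst_mac), "src_mac": bytes_to_mac(src_mac),
            "src_ip": str(ipaddress.ip_address(ip_hdr[12:16])),
            "dst_ip": str(ipaddress.ip_address(ip_hdr[16:20])),
            "sport": sport, "dport": dport, "payload": frame[data_at:end]}


if __name__ == "__main__":
    for target in ("10.0.0.40", "203.0.113.80"):
        parsed = parse_frame(build_frame(HOST, target, 40000, 80, b"GET / HTTP/1.1\r\n\r\n"))
        print(target, "-> Ethernet destination", parsed["dst_mac"])
```

For the remote destination the IP section still carries the remote address while the Ethernet section carries the gateway's MAC address, which is why the gateway has to be on the sender's own subnet.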

The most basic piece of network equipment is a switch. A switch provides a physical way of connecting computers together. Switches contain multiple network ports, and computers are connected to these ports so that packets can flow between them. The main job of a switch is to take a packet that enters one of its ports and re-transmit that packet to the appropriate port that is connected to the path of the destination computer. This is called packet switching. The switch contains an internal mapping of IP Addresses and MAC addresses so that it can determine to which port a computer is connected. When the time comes to receive and transmit a packet, the switch uses this table to move the packet to the appropriate network port. Switches are typically only involved in switching packets on a local network, although some advanced switches also perform routing functions.

A router performs a higher function than a switch. A router is responsible for determining where a packet should be routed (i.e. which direction the packet should go). For example, if a packet is leaving the local network, it is sent to the router. The router uses an internal table to determine what is called the "next hop". The next hop is the next router in line to the destination computer. Routers are used to move packets from network to network until they reach the final local network they were intended for.

The router can also be called the network gateway. The gateway for a network must be local to the computers. Remember that computers can only send packets directly to one another via Ethernet if they are part of the same network. Since sending a packet to an outside network involves a computer sending the packet directly to the gateway, the gateway itself must also be local to the computer.

Firewalls are typically installed at the outer edge of the network. Their function is to provide security services determining which packets can get into the network and which ones can get out. Firewalls contain rules called ACL rules (Access Control List rules) that are checked whenever a packet is received to determine whether the packet will be forwarded, dropped, or rejected. The firewall is also typically involved in routing and is able to forward packets in and out of the network. It is important to note that a firewall does not necessarily have to provide routing capabilities. Its core function is to decide which packets are allowed to move in and out of a network.

3.7 Virtual Area Networks (VLANs)

The prior section mentioned switches, which are involved with moving packets around a local network. For each computer on the network, you typically need an available network port on the switch in order to connect it with other computers. Switches can be daisy chained together (by connecting a cable from one switch to the other) to expand the number of available network ports. Typical switch configurations range from as few as 4 network ports to as many as 48 ports or more on larger switches.

Computers connected to the same switch are typically considered part of the same network and can communicate with each other. Two separate networks typically require two separate switches so that packets from one network cannot physically be transmitted to the other network by any means.

There are cases where it is desirable to use a single physical switch that contains computers from more than one network. This is the case if you have a switch that has a lot of ports and would like to divide the ports as if they were on different switches. For example, suppose you had a 24 port switch and would like to divide ports 1-12 into their own logical switch and ports into the second switch. You can logically divide the ports by using VLANs. VLANs will divide a single switch to make it look like two physically different switches. This gives you the same effect as having two distinct switches in one package.

VLANs are very popular on large networks. Because many switches are used and installed in a "blade" environment, it makes sense to logically pick ports that belong to the same network and assign them to the same VLAN instead of managing many different switches. What is referred to as a blade environment is the physical configuration of the switches themselves. Blade switches are designed to be installed in a bigger chassis and allow larger networks to save rack space due to the size of the blade.

Large networks usually have what's called a "core" switch. This is the switch that knows about all of the VLANs configured throughout the environment and has rules about which VLANs can communicate with each other. When two VLANs communicate with each other, this is called InterVLAN routing. Typically the core switch is connected directly to the outside firewall and is responsible for all of the routing on the network. The outside firewall in this scenario is NOT used as the gateway for these different VLANs. In fact, the firewall in this scenario typically does not know how to route traffic from one VLAN to another VLAN. It only knows how to route traffic from the core switch out to the Internet.

Remember that in order for a computer to send a packet to the gateway, the gateway must be local to the computer. Since each VLAN is a different network, there must be a gateway for each of the VLANs. Typically core routers provide many gateways, one for each VLAN they are managing. Computers point to the gateway that is appropriate to the VLAN they are on.

4 Directory Services

NOTE: If you already have a good understanding of Directory Services and Directory Servers, you can skip this section or skim over it.

In very small networks, managing users and passwords for each computer may not be that difficult. However, when the number of computers and the number of people on the network grow, this task can quickly become cumbersome and error prone. This is where directory services come in. Directory services are run by directory servers such as Active Directory, eDirectory, Open LDAP, Open Directory and more.

In essence, directory services are provided by servers that have specialized software that is capable of storing information about the users on the network. The information these directory servers contain varies, but typically includes usernames, Full Names, addresses (including addresses and phone numbers) among other things. They are a central place to store information about all of the users on the network.

One of the most useful aspects of a directory server is its ability to centrally manage usernames and passwords. For example, suppose you had 1000 computers and one day one of the users left. If the username and password were stored locally on the computer you may have a hard time resetting it without having to reinstall the operating system. With a directory server you could easily reset the password at the server and regain access to the machine.

Today's servers go beyond storing traditional items such as names and phone numbers. They can be used to enforce computer policies on a network, make sure mandatory software is installed, and perform functions during user logon (like mapping shared folders on the network).

4.1 Lightweight Directory Access Protocol (LDAP)

LDAP is a generic communication protocol that is used to communicate with directory servers. Since each vendor that creates a directory server can implement their version differently, LDAP is a standard that allows applications such as the iboss to communicate in a generic fashion.

Without LDAP, each version of a directory server would have a different language. Products like the iboss would have to communicate with a different language every time a different directory server was used, which would not be ideal. In addition, if a new directory service product was introduced, there would be a delay before compatible solutions were available as vendors would have to implement the new communication language.

Fortunately, all major directory servers adhere to the LDAP protocol. This means that the iboss can communicate with a large variety of directory servers regardless of the vendor.

4.2 Active Directory

Active Directory is Microsoft's directory server product. It is a very advanced product which allows a lot of high end features. Some of these features include the ability to install programs, manage user accounts, manage user group memberships, and run scripts at user logon to perform an endless number of functions. The iboss fully integrates with Active Directory and Active Directory also exposes an LDAP interface.

One unique feature of Active Directory is single sign-on. This is a Microsoft technology developed to allow users to log into their computers once and transparently get signed into a variety of services on the network behind the scenes (so that they don't get prompted again for credentials).

4.3 eDirectory

eDirectory is Novell's directory server product. This is an advanced product similar to Active Directory that manages usernames and passwords and can run scripts at logon. In addition, eDirectory can enforce policy and push software to computers.

eDirectory has a unique feature that allows it to integrate natively with iboss. eDirectory has the ability to push an event whenever a user logs into or out of their computer. The iboss can capture this event and use it to associate the user with the computer. This feature is unique to eDirectory.

In addition, the iboss can integrate with eDirectory by monitoring the directory tree for recently logged in users. Whenever it sees a new user, it associates that user with the computer.

A third method of integration involves using logon scripts. This is similar to the Active Directory logon scripts but does not use single sign-on. The script runs when the user logs into their station, which triggers the iboss to check eDirectory for the user information.

4.4 Open LDAP

Open LDAP is an open source LDAP product typically used on Linux systems. It has all of the traditional features found in LDAP such as usernames and passwords.

4.5 Open Directory

Open Directory is Apple's version of LDAP. It provides similar services to Open LDAP. The same applies to Open Directory.

5 Deploying and Installing the iboss Enterprise Firewall

This section provides a step by step guide to deploying the firewall on your network. You may be asked to jump to step numbers depending on your specific configuration.

5.1 Accessing The Firewall Interface For The First Time

By default, the LAN IP Address of the iboss is with a subnet mask of The iboss will dynamically assign your computer an IP Address via the built in DHCP server. To access the firewall interface for the first time, connect your computer directly to the LAN port of the firewall and make sure your computer is configured to pick up an IP Address automatically via DHCP. Then open a browser and navigate to The default username is admin with no password.

Figure 3 - Firewall Login Page

5.2 The Firewall Home Page

Right after logging in, you will be taken to the home page of the firewall. The home page of the firewall should look similar to the figure below.

Figure 4 - Home Page

The firewall home page consists of real-time activity graphs displaying the bandwidth going across the firewall, the number of packets traversing the firewall and the real-time 1 minute CPU average. In addition, you can easily jump to different sections of the firewall using the menu options in the center of the screen as well as the menu that runs down the left hand side of the page.

5.3 General Layout Of Firewall Sections

The firewall functionality is broken down into a few general sections. The sections are Home, System, Network, Firewall, Tools, VPN, Security, and Log. Each of these sections can be quickly accessed via the left hand menu.

17 5.3.1 Home Clicking on the Home menu option will bring you back to the home page of the firewall appliance System The System section of the firewall contains functionality related to general system settings. These settings affect other aspects of the firewall and may be used across the different services the firewall provides. Functionality such as configuring the administrative password, integrating the firewall with LDAP or Active Directory, adding additional users, configuring the time, rebooting the appliance, updating the firmware and managing the subscription are handled through this section Network The Network section contains functionality related to configuring the fundamental networking aspects and functionality of the firewall. For example, configuring the WAN IP Address, LAN IP Address, adjusting the routing table, accessing the ARP cache, configuring the DHCP server, enabling DNS forwarding, and configuring dynamic DNS for the WAN link are performed in this section Firewall This section contains the firewalling aspects of the firewall. This core section of the firewall allows you to configure port forwarding rules, manage the access control list (ACL), configure one to one NAT, and monitor firewall connections in real time Tools This section contains tools to help you backup and restore the firewall as well as perform troubleshooting of the network VPN This section allows you to configure remote access into the network by remote users as well as link multiple locations together in a secure fashion via site to site VPN. The VPN provides the highest level of security available using strong SSL certificates and IPSec. NOTE The VPN requires a valid separate subscription in order to operate Security Rev 1 Version 1.1: January 2012 Page 17 of 80

The security section provides advanced protection for the network by allowing you to enable gateway antivirus and intrusion prevention, which stop threats before they enter the local network.

NOTE: The security section requires one or more additional subscriptions in order to operate, depending on whether gateway antivirus is used, intrusion prevention is used or both are used.

Log

The log section contains all of the logs for the firewall including the system log, the gateway antivirus log, and intrusion prevention log.

5.4 Detailed Section Description

This section contains a detailed description of the functionality of the sections described in the previous section.

System Section

The system section is shown below.

Figure 5 - Status Page

Status

The status page contains information about the IP Addresses on the network interfaces as well as other general information about the current system status. From the figure above, the WAN and LAN IP are displayed as well as the link speed. You'll also find information about the specific model number of the firewall, the current firmware version, CPU load and other general statistical information.

System Settings

The System Settings section contains general system settings that affect other aspects of the firewall.

Figure 6 - System Settings

The Device Settings subsection allows you to configure the DNS name of the firewall. The Device Hostname is the NetBIOS/hostname for the firewall. The Domain contains the base domain name of the firewall. This should be set to the same domain name as the base domain name on the network if one exists (for example if using Active Directory). The combination of the Device Hostname and Domain forms the fully qualified domain name (FQDN) of the firewall.

The Administrative Settings subsection contains settings related to administering the firewall. The table below describes each of the settings in this section and their function.

Setting: Description

Administrator Name: This is the primary username used to log into the firewall. The default is admin but this can be changed to any value.
Old Password/New Password/Confirm Password: This is used to set the administrator username's password. By default there is no password set (the password is blank). To set the initial password, leave the Old Password field blank and enter the new password in both the New Password field and Confirm Password field.
Interface User Activity Timeout: This is the amount of idle time while logged into the user interface before being automatically logged out.
Failed login attempts per minute before lockout: This allows you to prevent non-authorized users from using a dictionary attack on the firewall. After this number of failed attempts within a one minute period, the firewall will not accept any username or password combinations until the lockout period in minutes, which is set below, has elapsed.
Lockout Period: The amount of time in minutes after a lockout before the firewall will begin accepting username/password combinations again to log into the firewall.
Subscription Server: This is the URL of the firewall subscription server which authorizes subscription keys. The default value is This value should not be changed.
Enable Remote Diagnostics: This is enabled to allow remote iboss support access to the firewall.
Integrate With Enterprise Reporter: If an iboss Enterprise Reporter is present on the network, set this to yes to allow the firewall to link to the reporter.
iboss Enterprise Reporter IP Address: The IP Address of the iboss Enterprise Reporter.
iboss Enterprise Reporter URL: Enter the full URL to the login page of the iboss Enterprise Reporter. The format should look similar to (Replace with correct IP Address or domain name of reporter). This will cause a link to the Enterprise Reporter to appear on the home page of the firewall.
Integrate With iboss Web Filter: Set this to Yes if you have an iboss Enterprise Web Filter on the network.
iboss Web Filter IP Address: The IP Address of the iboss Enterprise Web Filter.

iboss Web Filter URL: Enter the full URL to the login page of the iboss Enterprise Web Filter. This will cause the link to the iboss Enterprise Web Filter to show up on the home page of the firewall.

Figure 7 - System settings description

The Settings subsection allows the firewall to send administrative emails and alerts. The table below describes these settings.

Setting: Description
SMTP Server: The IP Address or domain name of the SMTP relay that allows the firewall to forward emails through it. You may need to add the firewall IP Address to the allow list of the SMTP mail relay.
SMTP Port: The port through which to send emails. The default is 25.
SMTP Requires Login: If your SMTP mail relay requires login in order to send emails through it, set this to yes.
SMTP Username: If the SMTP Requires Login is set to Yes, enter the username for the SMTP mail relay, otherwise leave blank.
SMTP Password: The password to the username entered above or blank if no password is required to send through the SMTP mail relay.
Test Address: Enter any address to which you have access in order to test the settings above. When finished, click the Test Settings button and an email will be sent to this address confirming that the settings have been configured properly.

Figure 8 - SMTP Server settings description

The General Settings page also contains settings pertaining to log maintenance. The section is shown below.

Figure 9 - Log Settings

The table below describes the settings in this subsection.

Setting: Description
Max Log Partition Size: Internally, the logs are stored in partitions in order to efficiently display and perform maintenance on them. This setting defines how large each partition becomes before rolling into a new one.
Max System Log Size: The total amount of space in MB for the system log. This is the sum of the size of all system log partitions.
Max Virus Log Size: The total amount of space in MB for the virus log. This is the sum of the size of all virus log partitions.
Max IPS Log Size: The total amount of space in MB for the Intrusion Prevention log. This is the sum of the size of all IPS log partitions.
Backup To Share: When a partition is rolled into a new partition for any of the log types, this setting specifies whether the log should be stored onto a network share.
Share Path: The path to the network folder share. The share should be a CIFS share (Windows folder share, etc).
Share Username: The username to the network share.

Share Password: The password to the network share.
Share Domain: If a domain is required to access the network share for the username and password above, this setting specifies that domain.
Backup File Prefix: This prefix is appended to the backup file that is created on the network share. This can be useful if more than one firewall is creating backups to the same network share.
Backup Alert: If you would like an alert to be sent when a backup is created, enter the address here. You must have valid SMTP settings configured before any emails will be sent by the firewall.

Figure 10 - Log settings description

Ldap/Active Directory

The iboss firewall integrates with LDAP v3 servers and Active Directory in order to perform a variety of authentication functions. For example, when bound to an Active Directory server, the firewall can be accessed by a configured Active Directory username and password so that firewall administrators can use their directory credentials when logging into the firewall. In addition, VPN users can also connect to the network via the firewall VPN using their Active Directory/LDAP credentials.

These settings are used as the base for any of the LDAP based authentication services offered by the firewall. Any LDAP related features discussed throughout the manual rely on these settings being configured properly before they function correctly.

Figure 11 - LDAP/Active Directory/eDirectory Settings

The table below describes the LDAP settings.

Setting: Description
Enabled: This globally enables or disables LDAP integration. This must be set to Yes to enable LDAP integration.
Host/IP: The IP Address of the LDAP server (Active Directory, eDirectory, OpenDirectory, OpenLDAP).
Port: The LDAP port to connect to. Default: 389
Admin Username: The administrative username that can log into the LDAP server. This user must have the ability to search the LDAP tree.
Admin Password: The password for the user specified above.
Search Base: The LDAP search base from where to start when searching for a user in the LDAP tree.
Common Name Key: The LDAP attribute used to extract the user's common name.
Match Type: Determines whether group privilege based matching is done by LDAP group membership or OU or both.
Group Key: The LDAP attribute from which to extract the user's groups.
Group Match Sub Key: When searching for user's groups within the group attribute specified by the Group Key, this sub key is used as a delimiter.
DN Match Sub Key: When searching through a user's OUs, this sub key is used to parse the user's OUs.
User Search Filter: This is the filter used to extract a unique record matching the entered username during the login process. The filter should produce a unique result.

Figure 12 - LDAP settings description

Sample LDAP Server Settings

This section contains the common LDAP settings for reference. Note the full syntax and modify appropriately. Also, fields are case sensitive in most cases.

Active Directory Example

Domain Info:
IP Address:
Domain: phantomtech.local
Administrator Username: Administrator

Setting: Description
Enabled: Yes
Host/IP:
Port: 389
Admin Username: [email protected]
Admin Password: Password
Search Base: dc=phantomtech,dc=local
Common Name Key: cn
Match Type: Group Membership + OU
Group Key: memberof
Group Match Sub Key: CN
DN Match Sub Key: OU
User Search Filter: (samaccountname=%s)

Figure 13 - Sample Active Directory LDAP settings

eDirectory Example

eDirectory Server Info:
IP Address:
Tree: o=phantomtech
Administrator Username: admin

Setting: Description
Enabled: Yes

Host/IP:
Port: 389
Admin Username: cn=admin,o=phantomtech
Admin Password: Password
Search Base: o=phantomtech
Common Name Key: cn
Match Type: Group Membership + OU
Group Key: groupmembership
Group Match Sub Key: cn
DN Match Sub Key: ou
User Search Filter: (cn=%s)

Figure 14 - Sample eDirectory LDAP settings

Creating And Managing Users

The Users section allows the management and creation of additional firewall administrators. The primary administrative user (default username: admin) is managed under the general settings section. This master administrator has full firewall access. Additional firewall users can be added, deleted, and modified in the users section. The additional firewall users are listed in this section.

Figure 15 - Managing Users

In the figure above, bill.smith is an additional firewall user that is enabled and able to log into the firewall's administrative interface. To create a new user, click on the New User button. You can modify or delete the user bill.smith by clicking on the appropriate Edit or Delete button corresponding to the user's entry.
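Returning to the LDAP settings above (User Search Filter, Group Match Sub Key, DN Match Sub Key), the following is an added example, not code from the manual or from iboss. It shows one way a login component can substitute a username into the `%s` filter safely, enforce the "unique result" requirement, and pull group and OU names out of directory values. The function names, the sample DNs and the reading of the two sub keys as RDN attribute types are assumptions; the manual does not say how the firewall itself handles these steps.

```python
import re

# RFC 4515 escapes for characters that have meaning inside a search filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, username):
    """Fill the single %s in a User Search Filter with an escaped username."""
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    return template.replace("%s", escape_filter_value(username))


def select_unique(entries):
    """Enforce 'the filter should produce a unique result' before any bind."""
    if len(entries) != 1:
        raise LookupError("expected exactly 1 directory entry, got %d" % len(entries))
    return entries[0]


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_rdn(rdn):
    """Return (lower-cased attribute type, unescaped value) for one RDN."""
    attr, _, value = rdn.partition("=")
    value = re.sub(
        r"\\([0-9a-fA-F]{2}|.)",
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        value.strip(),
    )
    return attr.strip().lower(), value


def groups_from(member_of_values, group_sub_key):
    """Group name = leading RDN of each group DN, if its type is the sub key."""
    groups = []
    for dn in member_of_values:
        rdns = split_dn(dn)
        if rdns:
            attr, value = parse_rdn(rdns[0])
            if attr == group_sub_key.lower():
                groups.append(value)
    return groups


def ous_from(user_dn, dn_sub_key):
    """Every RDN in the user's DN whose type is the DN Match Sub Key."""
    return [v for a, v in map(parse_rdn, split_dn(user_dn)) if a == dn_sub_key.lower()]


# Constructed sample values (domain taken from the manual's Active Directory example).
SAMPLE_USER_DN = "CN=Bill Smith,OU=IT,OU=Staff,DC=phantomtech,DC=local"
SAMPLE_MEMBER_OF = [
    "CN=Firewall Admins,OU=Groups,DC=phantomtech,DC=local",
    "CN=Smith\\, Bill Team,OU=Groups,DC=phantomtech,DC=local",
]

if __name__ == "__main__":
    print(build_user_filter("(samaccountname=%s)", "bill.smith"))
    print(build_user_filter("(cn=%s)", "bill*"))
    print(groups_from(SAMPLE_MEMBER_OF, "CN"), ous_from(SAMPLE_USER_DN, "OU"))
```

Without the escaping step, a username containing `*` would turn the filter into a wildcard search and break the uniqueness the User Search Filter setting asks for.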

The figure below shows the settings available when adding or editing an administrative firewall user. This page is reached by clicking on the New User button or the Edit button next to a user in the users list.

Figure 16 - Add/Edit User

The table below describes the settings in the figure above.

Setting: Description
Username: This is the username for the user. This field is editable when adding a new user.
First Name: The first name of the user.
Last Name: The last name of the user.
Authenticate Via LDAP: If you would like to use an LDAP/Active Directory password when logging into the firewall, set this option to Yes. This setting is only available if you have configured LDAP settings in the LDAP section. When authenticating via LDAP, be sure to make the username match the username as it appears in the LDAP directory. When this is set to yes and LDAP is configured, a user will be able to log into the firewall using the same username and password as that in LDAP/Active Directory.
Password/Confirm Password: The password for the user. When Authenticate Via LDAP is set to yes, this option does not get configured and will not appear in the interface.
Enabled: Controls whether this user can log into the firewall. Set this option to No to disable the user.
Access System Settings: Indicates whether the user can access the System section of the firewall.
Access Network Settings: Indicates whether the user can access the Network section of the firewall.
Access Firewall Rules: Indicates whether the user can access the Firewall section of the firewall.
Access Users: Indicates whether the user can access the Users section of the firewall. Set to No if you would not like this user modifying or adding firewall users.
Access Tools: Indicates whether the user can access the Tools section of the firewall.
Access Security Settings: Indicates whether the user can access the Security section of the firewall.
Access Logs: Indicates whether the user can access the firewall logs.

Figure 17 - Firewall administrative user settings description

Configuring the time

This section allows you to configure settings related to the firewall time.

Figure 18 - System Time Settings

The settings subsection allows you to configure the timezone as well as the NTP server to use for syncing the system time. You can sync with the NTP server at any time by clicking on the Sync Time Now Via NTP button. The time is automatically synced with the NTP server. The date subsection indicates the current time as seen by the firewall.

Rebooting and Powering Off the system

The firewall can be rebooted or powered off from the Reboot/Poweroff subsection.

Figure 19 - Reboot and Power Off

The reboot process takes about 2-3 minutes. Because the firewall is an inline device, you will lose network connectivity out to the WAN of the firewall until the firewall reboot process is complete.

You can power off the firewall by clicking on the shutdown button. The firewall takes seconds to gracefully shut down. In addition, you can shut down the firewall by pressing and releasing the button on the front panel of the firewall. Once the button is pressed, the firewall will begin the shutdown process which will take about seconds to complete.

Managing the firewall firmware

Firmware is managed via the Firmware subsection. This section allows you to see the current firmware version of the firewall as well as perform firmware updates.

Figure 20 - Managing Firmware

From the figure above, the model number and device name are displayed as well as the current firmware version. To check for firmware updates, click on the Check For Update button. If firmware is available, a button will appear allowing you to download the update and install it. Note that while updating the firewall, you will lose connectivity to the WAN. The update process may take several minutes to complete.

Managing Subscriptions

The firewall requires one or more subscriptions to fully function depending on the available services enabled on the firewall. The Subscription subsection allows you to manage and update subscription keys.

Figure 21 - Managing Subscription Keys

The primary subscription key is displayed under the Subscription Key subsection. This primary subscription key is required and used to obtain firmware updates. In addition to the primary subscription key, the table below describes additional subscription keys that can be used with the firewall.

Subscription: Description
Support Contract: This key is required if the firewall has a support contract.
Hardware Warranty: This key is required if the firewall has a hardware warranty.
Intrusion Prevention: This key is required if you intend to use the intrusion prevention services of the firewall.
Gateway Antivirus: This key is required if you intend to use the gateway antivirus services of the firewall.
VPN Services: This key is required if you would like to use the VPN services of the firewall. VPN services provide both site to site VPN connectivity as well as road warriors local access to the network.

Figure 22 - Subscription keys description

To edit or add a key, click on the Edit button on the line item whose key you wish to modify. In addition, you can modify the main subscription key by clicking the Edit button to the right of the key. The Check All Subscriptions Now button will verify all entered keys and update their status. The firewall must be connected to the Internet when editing keys.

Network Section Detail

The network section contains settings related to managing network related tasks such as the IP Addresses of the LAN and WAN interface, managing routing, ARP, configuring the DHCP server, configuring DNS forwarding, and managing Dynamic DNS.

Configuring Interface IP Settings

The Interfaces subsection allows you to configure the IP address of the network interfaces on the firewall. Typical IP settings involve those on the LAN and WAN interface.

Figure 23 - Configuring WAN IP Address

The Interface Status section shows the active primary IP address of the LAN and WAN interface. In addition, the link status (speed and duplex) is displayed along with the interfaces' MAC addresses.

The Configure WAN Interface subsection allows you to configure the primary IP settings for the WAN network interface. You can configure the WAN interface with either a static or dynamic IP address, which is chosen by the Connection Type option. The WAN interface is typically configured with settings provided by your Internet Service Provider (ISP).

To configure the link speed, use the Auto Negotiate, Speed and Duplex options. If Auto Negotiate is set to On, the WAN link will attempt to negotiate the speed with the connected partner. If the firewall is connected to a fixed duplex appliance on the WAN port, set Auto Negotiate to Off and set the Speed and Duplex setting appropriately to match the attached partner.

The LAN IP settings are configured in the section below the WAN interface IP settings.

Figure 24 - Configuring LAN IP Address

The LAN can be configured with an IP Address and subnet mask. In addition, the link speed can be configured in a similar fashion to the WAN link.

At the bottom of each of the WAN and LAN subsections, you'll find a button labeled Additional IP Addresses. This allows you to configure additional IP Addresses for the WAN and LAN interfaces respectively. Once added, the IP can be accessed from the appropriate link.

Configuring Routes

The Routing section allows you to add static routes as well as view the current routing table. In addition, this section allows you to configure additional routing services such as RIP.

Figure 25 - Routes

To add a static route, use the Add Route subsection. You can add routes to any of the available interfaces which display in the Interface drop down menu. The Static Routes subsection displays all of the added static routes.

The Route Advertisement section allows you to configure RIP on the listed interfaces. In the figure above, the LAN interface has RIP disabled. Click on the Edit button to configure RIP settings for the associated interface line item. The figure below displays the RIP options when clicking the Edit button next to the associated interface.

Figure 26 - Configuring RIP

The Routing Table subsection displays the current active routes, which are used by the firewall to route packets appropriately.

ARP

The ARP subsection allows you to manage the ARP table of the firewall. Functions such as creating static ARP entries are performed here.

Figure 27 - ARP

To add a static ARP entry into the firewall's ARP table, use the Add Static Arp Entry subsection. Static ARP entries are displayed in the Static Arp Entries subsection. The active firewall ARP cache is displayed under the ARP cache subsection. An ARP entry can be deleted from the active ARP cache by clicking on the red X next to the ARP entry.

NOTE: When adding static ARP entries, they may take a while to appear in the firewall's active ARP cache.

DHCP Server

The DHCP Server section contains the settings for the firewall's built-in DHCP server which is used to dynamically assign IP Addresses to computers on the local network.

Figure 28 - DHCP Server

To enable the DHCP server, select Enabled in the DHCP Server Settings subsection which globally enables the DHCP server. Disabling the DHCP Server in this section disables all other functionality in this section. If you would like clients that are assigned IP Addresses via the DHCP server to dynamically update their DNS entries, enable this feature in this section as well.

The DHCP Server Lease Scopes section allows you to reserve DHCP IP Addresses for specific clients on the network or define an IP range that will be used by the DHCP server to dynamically assign IP Addresses to clients on the network.

To create a static IP assignment so that a client always receives a specific IP Address, click on the Add Static button which will display the page below.

Figure 29 DHCP Reservations

The table below describes the settings in this section.

Setting: Description
Enabled: Used to enable or disable an entry. This allows you to configure an entry and temporarily disable it without having to remove the settings from the firewall.
Network Subnet IP: The base IP for the subnet this entry belongs to. Should match the local subnet.
Network Subnet Mask: The subnet mask of the subnet this entry belongs to. Should match the local subnet.
Node Name: The name for this entry.
IP Address: The IP Address to reserve for this client.
MAC Address: The MAC address associated with the client to assign the IP.
Default Lease Time: The default DHCP lease time for the IP address.
Max Lease Time: The maximum DHCP lease time for the IP Address. The client should reobtain the lease from the firewall before this time expires.
Gateway IP Address: The gateway IP that will be assigned via DHCP to the client.
Subnet Mask: The subnet mask that will be assigned via DHCP to the client.
Domain Name: The DNS domain name that will be assigned via DHCP to the client.
NIS Name: The NIS name that will be assigned via DHCP to the client.
DNS Servers: The DNS servers that will be assigned via DHCP to the client.
NETBIOS Name Servers (WINS): The WINS servers that will be assigned via DHCP to the client.
Allow Assignment To BOOTP: Indicates whether this DHCP assignment can be applied to BOOTP devices.

Figure 30 - Dhcp reservation settings description

NOTE: DHCP reservations must fall outside of any Dynamic DHCP entries (DHCP IP ranges) which are described below.

Before the DHCP server can begin to assign IP Addresses to clients on the network, a range from which to assign addresses must be defined. This is done by clicking on the Add Dynamic button from the main DHCP Server page. The figure below displays the page shown when this button is clicked.

Figure 31 - Configuring DHCP Lease Pools

The settings on this page are similar to those for reserving an IP for a DHCP client. There are some small differences, particularly with the settings related to the DHCP IP range. The table below outlines the settings on this page which are used to create a pool of IP addresses from which the DHCP server can pull IP Addresses to assign to clients on the network.

Setting: Description
Enabled: Used to enable or disable an entry. This allows you to configure an entry and temporarily disable it without having to remove the settings from the firewall.
Network Subnet IP: The base IP for the subnet this range belongs to. Should match the local subnet.
Network Subnet Mask: The subnet mask of the subnet this range belongs to. Should match the local subnet.
DHCP Range Start IP: The beginning of the IP range from which IP Addresses are pulled.
DHCP Range End IP: The end of the IP range from which IP Addresses are pulled.
Default Lease Time: The default DHCP lease time for the IP addresses assigned from this range.
Max Lease Time: The maximum DHCP lease time for the IP Addresses assigned from this range. The client should reobtain the lease from the firewall before this time expires.
Gateway IP Address: The gateway IP that will be assigned via DHCP to the client.
Subnet Mask: The subnet mask that will be assigned via DHCP to the client.
Domain Name: The DNS domain name that will be assigned via DHCP to the client.
NIS Name: The NIS name that will be assigned via DHCP to the client.
DNS Servers: The DNS servers that will be assigned via DHCP to the client.
NETBIOS Name Servers (WINS): The WINS servers that will be assigned via DHCP to the client.
Allow Assignment To BOOTP: Indicates whether IPs in this range can be applied to BOOTP devices.

Figure 32 - DHCP Server IP lease pool description

NOTE: Each network interface must have at least one dynamic DHCP IP range defined for the DHCP server to function properly. Each interface can have only one DHCP range defined.

DNS Forwarding

The firewall can perform the function of DNS forwarding so that clients on the network can point their DNS server settings at the firewall. The firewall will forward DNS requests directed toward it to another DNS Server and forward the response from this server to the client.

Figure 33 - DNS Forwarding

To enable DNS forwarding, set the option Enable DNS Forwarding to Yes. In the DNS Servers option, configure a list of DNS servers which will be used to fulfill any DNS requests by clients directed to the firewall. Use a comma between server entries to specify multiple DNS servers.

NOTE: If DNS forwarding is not enabled in this section, DNS requests directed toward the firewall from the LAN will not receive a response.

Dynamic DNS

The firewall can be configured with a Dynamic DNS provider to assign a DNS name to the WAN IP Address of the firewall when the WAN IP Address is configured with a changing IP (DHCP).

Figure 34 - Dynamic DNS

The Dynamic DNS subsection allows you to specify the account information of the Dynamic DNS service provider. The firewall will work with this account to report the current WAN IP Address to the provider so that it can be accessed by the associated DNS name.

Firewall Section Detail

The firewall section detail contains settings related to firewalling. Functions like creating Access Control List rules (ACLs) and performing port forwarding are configured in this section.

Port Forwarding

Port forwarding is configured in the Port Forwarding section of the firewall. Typically, creating port forwarding rules that forward traffic from the WAN to a specific IP Address on the LAN can be a complex task as it also involves creating ACL rules to allow the access. To simplify the task of creating these rules, the iboss Firewall internally handles creating all of the configuration required to fulfill the ultimate end goal of the port forwarding rule.

By default, the Add Port Forwarding Rule section defaults to a Simple View mode in which additional complex settings for the port forwarding rule are hidden. The simple mode is shown in the figure below.

Figure 35 - Port Forwarding

An example of creating a port forwarding rule using the simple mode is described below. Suppose you are given the task to do the following:

Forward traffic coming from the WAN directed to firewall WAN IP on port 80 (web server port) to the local web server on the network at IP

In other words, allow the web server that is on the local network at IP Address to be accessible through the firewall from the Internet. To do this, use the following settings for simple mode:

Setting: Description
Name: Any name you would like to represent this entry, for example: webserver
WAN IP Address: Select
Local IP Address:
Protocol: TCP (the standard protocol for web servers)
Port: 80 (the standard port for web servers)

Figure 36 - Port forwarding example settings

The settings are shown in the figure below:

Figure 37 - Creating a simple port forwarding rule

After entering the settings, click the Add button. Doing this will create the port forwarding rule allowing access to the local web server from the Internet. The associated ACL (Access Control List) rule is also created for you automatically. The figure below shows the entry after adding it to the list.

Figure 38 - Sample port forwarding rule added

Notice the ACL ID shown highlighted in the figure above. This is the associated ACL rule that will allow access through the firewall and can also be seen from the Access Control Lists section described in the next section and shown in the figure below.

Figure 39 - Port forwarding rule associated with new ACL. Note the ACL rule with ID 26 is associated with Port Forward rule ID 27 from the figure before. Also note that this figure is from the Access Control Lists page.

Notice the highlighted entry corresponds to the port forwarding rule ID from the previous figure.

In addition to simple mode, the port forwarding section allows you to change the view into advanced mode, which exposes more settings to fine tune and further restrict a port forwarding rule entry. The figure below shows the port forwarding view when it is switched into Advanced Mode.

Figure 40 - Port Forwarding rules in advanced mode

You can switch back to Simple Mode by clicking on the Simple Mode button. The table below describes the settings available in advanced mode.

Setting: Description
Enabled: Used to quickly enable or disable a port forwarding rule without having to delete it when disabling the rule.
Name: Any name for the rule.
WAN IP Address: This list contains all of the available WAN IP Addresses. Select the WAN IP Address you want to forward from.
Src IP Address Start/End: This allows you to restrict a port forwarding rule to a particular source IP Address. If it is a single IP Address, enter the same value into the start and end boxes. Otherwise, to restrict the rule to a range of source IPs, enter the start and end IP Address of the range to restrict the IP Address to.
Local IP Address: The local IP address to which the traffic will be forwarded from the WAN IP Address.
Protocol: Which protocol to apply this rule to.
Src Port Start/End: The original destination port of the packet as it hits the WAN IP.
Local Port Start/End: The converted destination port after it crosses the firewall into the LAN.
Note: Allows you to add a note to the rule.

Auto Create ACL: Specifies whether the firewall should also create the appropriate firewall ACL rules automatically to allow the port forwarded traffic to traverse the firewall. If this is set to No, you must manually create the appropriate ACL rule that allows traffic to cross the firewall after it is port forwarded.

Figure 41 - Port forwarding settings description

The Port Forwarding Rules section toward the bottom of the list contains a list of all created port forwarding rules.

Access Control List

This section allows you to create and manage ACLs on the firewall. ACLs define which traffic can traverse across the different network interfaces on the firewall. Typically it controls which packets traverse between the LAN and WAN interfaces and vice versa. There are many options for controlling packet flows and preventing unauthorized access into the local network from the Internet. By default, the firewall is hardened and prevents unauthorized access from the Internet onto the local network. The ACL section allows you to create additional rules for preventing specific packet flows as well as allowing flows into the network.

Figure 42 - Access Control List

The table below describes the options for creating or editing an ACL rule shown in the figure above.

Setting: Description

Enabled: Enables or disables a rule without having to delete it when the rule should not be applied.
Priority #: The position in the ACL rule list. Rules are applied from top to bottom of the list. When a match is found, that rule is applied and no rule below it is evaluated. Lower priority numbers are evaluated first (for example rule 1 first, then rule 2, etc).
In Interface: The interface on which the packet came in. Leave this set to * if the interface is not relevant.
Out Interface: The interface the packet is going out of. Leave this set to * if the interface is not relevant.
Packet Direction: The direction of the packet. Determines whether the rule is applied to packets that are directed to the firewall itself or to packets going across the firewall.
Src IP Address Start/End: The source IP address of the packet. If it is a single IP, use the same start and end IP Address. If it is a range, enter the range here.
Dst IP Address Start/End: The destination IP address of the packet. If it is a single IP, use the same start and end IP Address.
Action: What action to take when the rule is matched. Options are Allow, Drop, or Reject. If Allow is selected, the packet is allowed to pass. If Drop is selected, the packet is dropped. If Reject is selected, the packet is dropped and an unreachable ICMP packet response is sent to the source of the packet.
Protocol: Which protocol to apply this rule to.
Src Port Start/End: The source port of the packet.
Dst Port Start/End: The destination port of the packet.
Rule Type: The type of rule. There are two options, Standard and Gateway Antivirus Bypass. Most ACL rules will be Standard. If this rule is specifically designed to bypass the Gateway Antivirus engine (if gateway antivirus is used), select Gateway Antivirus Bypass, which causes packets matching this rule to avoid the gateway antivirus scanning engine. There are cases where antivirus scanning is not desired on specific servers or IP ranges. Bypassing them from the antivirus engine offloads unnecessary scanning.
Note: A note to apply to the rule for reference.
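The first-match ordering described in the Priority # row means a broad rule placed above a narrow one silently disables the narrow one. The following is an added example, not iboss code: it models the rule fields from the table (source ports and Packet Direction are left out for brevity), evaluates packets in priority order, and reports shadowed rules. The interface names, addresses, rule names and the default Drop for unmatched packets are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY = "*"                                  # the manual's "interface not relevant" marker
ALL_IPS = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str                            # "Allow", "Drop" or "Reject"
    in_if: str = ANY
    out_if: str = ANY
    src: tuple = ALL_IPS                   # (start, end), same value twice for one IP
    dst: tuple = ALL_IPS
    protocol: str = ANY
    dst_ports: tuple = (0, 65535)
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    protocol: str
    dst_port: int


def _ip_in(addr, bounds):
    return ip_address(bounds[0]) <= ip_address(addr) <= ip_address(bounds[1])


def matches(rule, pkt):
    return (rule.enabled
            and rule.in_if in (ANY, pkt.in_if)
            and rule.out_if in (ANY, pkt.out_if)
            and rule.protocol in (ANY, pkt.protocol)
            and _ip_in(pkt.src, rule.src)
            and _ip_in(pkt.dst, rule.dst)
            and rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1])


def evaluate(rules, pkt, default="Drop"):
    """Return (action, rule name) of the first matching rule, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None                   # assumption: unmatched traffic is dropped


def _covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    def within(o, i, conv):
        return conv(o[0]) <= conv(i[0]) and conv(i[1]) <= conv(o[1])

    def wild(o, i):
        return o == ANY or o == i

    return (wild(outer.in_if, inner.in_if)
            and wild(outer.out_if, inner.out_if)
            and wild(outer.protocol, inner.protocol)
            and within(outer.src, inner.src, ip_address)
            and within(outer.dst, inner.dst, ip_address)
            and within(outer.dst_ports, inner.dst_ports, int))


def shadowed_rules(rules):
    """List (shadowed rule, shadowing rule) pairs: rules that can never be reached."""
    ordered = sorted((r for r in rules if r.enabled), key=lambda r: r.priority)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rule set (documentation address ranges, hypothetical names).
WEB = ("192.168.1.10", "192.168.1.10")
RULES = [
    Rule(1, "allow-web-to-dmz", "Allow", "WAN", "LAN", dst=WEB,
         protocol="TCP", dst_ports=(80, 443)),
    Rule(2, "drop-bad-range", "Drop", "WAN", src=("203.0.113.0", "203.0.113.255")),
    Rule(3, "reject-telnet", "Reject", protocol="TCP", dst_ports=(23, 23)),
    Rule(4, "block-scanner-web", "Drop", "WAN", "LAN", src=("203.0.113.7", "203.0.113.7"),
         dst=WEB, protocol="TCP", dst_ports=(443, 443)),
]

if __name__ == "__main__":
    probe = Packet("WAN", "LAN", "203.0.113.7", "192.168.1.10", "TCP", 443)
    print(evaluate(RULES, probe))          # the Allow at priority 1 wins
    print(shadowed_rules(RULES))           # rule 4 is unreachable
```

Running the shadow check after every ACL change catches block rules that were appended below a wider Allow and therefore never fire.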

Figure 43 - Access control list settings description

Toward the bottom of the page, the Access Control List section displays the list of configured Access Control List rules.

One to One NAT

One to One NAT allows you to forward all traffic that is directed to a specific firewall WAN IP to a specific LAN IP Address on the local network.

Figure 44 - One to One NAT

One to One NAT is configured via the One to One NAT section. Configuring a rule on the iboss firewall is very easy. Enter a name for the entry (any name can be used), select the WAN IP Address where the traffic will be directed to from the Internet, and then enter a local IP address where the traffic should be forwarded to. Once these settings are entered, click on the Add button, which will add the rule to the firewall. At this point, any traffic that is directed to the specific WAN IP Address of the firewall will be forwarded to the specified Local IP Address.

Connections Monitor

The connections monitor section allows you to view the currently active firewall connections being monitored by the firewall.

Figure 45 - Active Firewall Connections

You can filter this real-time list by using the Connection Monitor Filters. Filters include IP Address, Port, or Filter Pattern. Filter Patterns are applied as a wild card across the connection tracking entry, so no wild card characters need to be entered. The entered pattern is applied in a wild card fashion across the connection string under the Active Connections Monitor List.

Tools

The tools section contains functions to diagnose problems on the network as well as create restore points of the firewall, which can be used after a catastrophic loss to restore the firewall onto another hardware appliance with little effort.

Figure 46 - Backup & Restore

Backup & Restore

The backup & restore section allows restore points to be created either manually or automatically. A restore point can be used to restore a replacement hardware appliance to the exact configuration before the catastrophic loss occurred.

The first subsection titled Backup & Restore contains a list of restore points that are stored on the firewall. The list contains both restore points that were created automatically on a schedule as well as manually created restore points. Typically, automatic restore points are copied automatically to a network share. Manual restore points should be stored off of the firewall because if the firewall were to have a non-recoverable hardware failure, you would not be able to access the restore point in order to apply it to the replacement hardware appliance.

You can download both automatic and manual restore points by clicking on the green download icon next to the restore point under the column titled Download. To restore to any restore point, click on the Restore icon next to the restore point you wish to restore to. Performing a restore will cause all current settings to be lost and a reboot to occur. During the reboot, network access to the WAN will be lost. The entire restore process will take several minutes to complete.

WARNING: Performing a restore will cause all current settings to be lost and a reboot to occur. During the reboot, network access to the WAN will be lost. The entire restore process will take several minutes to complete.

The Create Restore Point subsection allows you to manually create a restore point. Simply enter a name for the restore point and click the Create button. Once created, the restore point will appear in the list above. It is a good idea to download the manually created restore point off of the firewall appliance for later use. In addition, give the restore point a friendly name that will remind you of when the restore point was created and why. The name given to the restore point will eventually become the filename for the restore point when it is downloaded from the firewall.

The Import Restore Point subsection allows you to import a restore point into the firewall appliance so that it appears in the restore point list. This is the first step for recovering settings into a replacement hardware appliance. Import the last restore point into the new appliance so that it appears in the restore points list, then click the restore button next to the entry in the list to perform the restore.

NOTE: Importing a restore point does not begin the restore process. It causes the restore point to appear in the restore points list. To perform the restore, click on the Restore button next to the restore point in the list after it is imported into the firewall.

Automated Backups

The firewall has the ability to create automated backups on a schedule. The Automated Backups section contains settings to create automated backups on a schedule.

Figure 47 - Automated Backups

Select a schedule that matches your network needs. Firewall backups can be performed daily, weekly, or on a specific day of the month.

The status subsection describes the next time an automated backup will occur and the last time a backup occurred.

Backup To Network Share

Backup/Restore points can be automatically copied to a network share. The Backup To Network Share subsection contains the settings required to copy a backup to a network share automatically whenever a backup is created automatically by the firewall.

Figure 48 - Backing up to network share

The table below describes the settings in this section.

Setting: Description
Backup To SMB Share: Defines whether automated backups should be backed up to a network share when created.
SMB Folder Name: The share path of the network folder (Windows share, etc).
SMB User Name: The username used to connect to the shared folder.
SMB Password: The password used to connect to the shared folder.
SMB User Domain: If a domain is required for the credentials provided above, enter it here.
Backup File Prefix: Allows a prefix to be applied to the backup file. This is useful for differentiating between the backups if more than one firewall is copying backups to the same folder.

Send Backup Alerts: Whether an alert indicating the backup was completed should be sent. SMTP settings must be specified in the general settings section for this to function properly.
Alert Address: The address to which alerts will be sent.

Figure 49 - Backup to network share settings description

Diagnostics

The diagnostics section contains many diagnostic tools which can be used to troubleshoot problems on the network. Diagnostic tools include the following:

CPU Monitor
Active Connections Monitor
DNS Name Lookup
Packet Trace
Ping
Reverse Name Resolution
Trace Route

To switch between tools, select a tool from the drop down menu and click on the Select button.

CPU Monitor Tool

Figure 50 - CPU Monitoring Tool

This tool displays the CPU load average for 1 minute, 5 minutes, and 15 minutes.

Active Connections Monitor Tool

Figure 51 - Active connections monitoring tool

The active connections monitor tool displays active connections being tracked by the firewall. You can filter this list based on IP Address by entering an IP Address and clicking the Apply button.

DNS Name Lookup Tool

Figure 52 - DNS query lookup tool

The DNS Name lookup tool allows you to perform a DNS lookup from the perspective of the firewall. Simply enter the domain name and click the Start button, which will produce a result similar to the one below.

Figure 53 - DNS lookup result

You can perform another DNS lookup by clicking on the Start Again button.

Packet Trace Tool

Figure 54 - Packet trace tool

The packet trace tool allows you to capture packets directly on the firewall interface and then download them for viewing. The capture is performed in a Wireshark format and can be opened with the Wireshark application. Wireshark is available at:

To perform a packet capture, select the interface from which to capture packets, then select the duration you would like to capture packets for and click the Start button. Depending on how much network traffic is flowing through the firewall, be cautious with the duration of the capture, or a very large capture will result.

Ping Tool

Figure 55 - Ping tool

The ping tool allows you to perform pings from the firewall. Enter a domain or IP Address and click the Start button to begin the ping. You will end up with results similar to those below.

Figure 56 - Reverse name resolution tool

To perform another ping, click on the Start Again button.

Reverse Name Resolution Tool

Figure 57 - Reverse name resolution result

This tool allows you to perform reverse name resolution. Enter an IP Address and click the Start button to begin the reverse name resolution process.

Trace Route Tool

Figure 58 - Trace route tool

The trace route tool allows you to perform trace routes directly from the firewall. Enter the domain to which you would like to perform a trace route and click the Start button.

VPN

The iboss firewall has a built-in VPN which allows remote users to connect to the local network while on the road. In addition, the iboss firewall contains advanced technology that allows you to easily and securely connect two or more remote locations so that each location has access to the other's local resources in a secure fashion.

The VPN uses very strong IPSec TLS certificate based encryption to ensure the highest level of security when connecting remote sites or users to the local network. This security is handled transparently for the network administrator, as the firewall hides the complexities of the configuration and performs the complex tasks internally and automatically.

The VPN is a routed VPN implementation (compared to a bridged configuration). A routed VPN allows the VPN to scale to a large user count without generating unnecessary broadcast traffic between remote users and the local network.

The VPN is a licensed feature which is only enabled if a valid subscription key is entered under the Subscription section of the firewall.

General VPN Settings

Figure 59 - General VPN Settings

The general VPN settings must be configured before any other VPN section is configured. This section is the base for all other VPN sections. The table below describes the settings in this section.

Setting: Description
VPN Enabled: Globally enables or disables VPN features. If disabled, no other settings in the VPN section have an effect.

VPN Name: A friendly name to give the VPN. The name should not contain spaces. This name is also used in emails related to VPN settings that can be sent to users for configuring VPN connections. For example, a valid VPN name for the primary office can be MainOffice.
VPN Base Subnet IP: In order for the VPN to operate, it must have a pool of IP Addresses from which to pull internal IP Addresses. The requirement for this setting is that it does not overlap with the local network subnet or any other remote local subnet that might be connected to this site via a site to site VPN. Any subnet is valid as long as this restriction is not violated.
VPN Base Subnet Mask: The subnet mask associated with the base subnet IP used above.
VPN DNS1/DNS2: The VPN will attempt to push these DNS settings to VPN users when connected to the VPN.
VPN Client Routes: When clients connect to the VPN, this setting allows you to push routes to the remote client so that traffic destined to these routes will be passed through the VPN instead of their local connection. When connecting to this VPN, the local subnet for the firewall is automatically passed to the client as a route so that traffic headed to the local subnet configured in the firewall is passed over the VPN. Additional routes can be specified here. Format is IPAddress/SubnetMask separated by semicolons, i.e / ; /
LDAP OU/Group: Allows VPN users to authenticate using their LDAP/Active Directory credentials. When a user connects to the VPN, they will be prompted for a username and password. If the user is configured to use LDAP/Active Directory, the VPN will query the LDAP server for the user, verify the username and password and then confirm that the user is part of the OU or LDAP Group named here. If the user is not part of this group, access is denied when authenticating via LDAP.

Figure 60 - General VPN settings description
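The two constraints in the table above (the VPN base subnet must not overlap any local or site to site subnet, and client routes use the IPAddress/SubnetMask format separated by semicolons) can be checked before the values are entered. This is an added example, not part of the manual or of iboss software; the function names, site names and all addresses are constructed for the illustration.

```python
from ipaddress import IPv4Network


def parse_network(ip, mask):
    """Build a network from a dotted IP and dotted mask; raises ValueError if host bits are set."""
    return IPv4Network(f"{ip.strip()}/{mask.strip()}", strict=True)


def parse_client_routes(text):
    """Parse 'IPAddress/SubnetMask;IPAddress/SubnetMask' into a list of networks."""
    routes = []
    for n, entry in enumerate(text.split(";"), start=1):
        entry = entry.strip()
        if not entry:
            continue                       # tolerate a trailing semicolon
        ip, sep, mask = entry.partition("/")
        if not sep:
            raise ValueError(f"route {n}: expected IPAddress/SubnetMask, got {entry!r}")
        try:
            routes.append(parse_network(ip, mask))
        except ValueError as exc:
            raise ValueError(f"route {n}: {exc}") from None
    return routes


def check_vpn_plan(base_ip, base_mask, site_subnets, client_routes=""):
    """Return a list of problems with a planned VPN configuration.

    site_subnets maps a site name to (subnet IP, subnet mask) and should hold the
    local LAN plus every remote LAN reachable through a site to site VPN.
    """
    problems = []
    pool = parse_network(base_ip, base_mask)
    for name, (ip, mask) in site_subnets.items():
        net = parse_network(ip, mask)
        if pool.overlaps(net):
            problems.append(f"VPN pool {pool} overlaps {name} subnet {net}")
    try:
        parse_client_routes(client_routes)
    except ValueError as exc:
        problems.append(f"client routes: {exc}")
    return problems


# Constructed sample plan: the branch LAN sits inside the VPN pool, and the
# second pushed route is a host address rather than a subnet base address.
SITES = {
    "main office": ("192.168.1.0", "255.255.255.0"),
    "branch": ("10.8.0.128", "255.255.255.128"),
}
ROUTES = "172.16.10.0/255.255.255.0; 172.16.20.1/255.255.255.0"

if __name__ == "__main__":
    for line in check_vpn_plan("10.8.0.0", "255.255.255.0", SITES, ROUTES):
        print(line)
```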

Site To Site VPN

The iboss firewall contains a very secure and easy to configure SSL based site to site VPN functionality which allows remote locations to be connected together in a secure fashion so that each site has access to the other's local resources. The site to site VPN makes connecting remote locations an easy task while maintaining a very high level of certificate based SSL encryption.

The site to site VPN functionality is configured in the site to site VPN section. The site to site VPN utilizes a client server model in which one site is considered the client and the other the server. The client site initiates the connection to the server and the server site listens for connections from the client. When a site to site connection is established, the client monitors the connection and re-establishes it if the connection is lost.

Sites can be connected in any configuration, with a single site behaving as a client to one remote site and as a server to another client site. This allows both hub and spoke configurations (where one central location is the server with one or more client sites) and mesh configurations where server and client connections are mixed.

The table below describes the fields of a site to site VPN entry.

Server Entry

Figure 61 - Site to Site VPN Server Entry

Setting: Description
Entry Type: This defines whether this entry will act as a server or a client. If the firewall will act as the server to other client sites, select Server and fill in the fields below.
Enabled: Enables this entry. If disabled, no clients can connect to the server.
Name: The name of this server. Any name can be chosen.
Client WAN IP: The WAN IP of the client that will be connecting to this server.
Client Local Subnet IP: The local base subnet IP of the client that will be connecting to this server.
Client Local Subnet Mask: The local base subnet mask of the client that will be connecting to this server.
Connect to other clients: Specifies whether this client will be allowed to communicate with other listed clients on this server.
Route Internet via VPN: Whether you want all traffic from this client routed through the VPN or you would like to use split tunnels and route non-local traffic through the client's own Internet connection.
Push Routes: The option Connect to other clients takes care of pushing routes to all clients connected to this server. However, if you would like to push additional routes, enter them here.
Note: A note for this entry.

Figure 62 - Site to site VPN server settings description

Client Entry

Figure 63 - Site to Site VPN client entry

Setting: Description
Entry Type: This defines whether this entry will act as a server or a client. For the client site, set this to client.
Enabled: Allows you to disable this connection.
Import Settings: When an entry is created on the server, it allows you to download settings that will be transferred to the client firewall. Import the downloaded settings from the server here. It will handle all the encryption and network configuration options.
Note: A note for this client connection.

Figure 64 - Site to site VPN client settings description

In the most basic configuration, two sites are connected together with one site being the server and the remote site being the client. An example of this configuration is described below.

In this scenario, we would like to connect two sites together so that they can communicate with each other's local subnets over a secure SSL connection. Here is the basic information for both locations.

Location 1 WAN IP Local Subnet /
Figure 65 - Site to site VPN Location 1 Sample

Location 2 WAN IP Local Subnet /
Figure 66 - Site to site VPN Location 2 Sample

When the configuration is done, computers on the network should be able to communicate and ping computers on the network and vice versa. We'll arbitrarily choose Location 1 ( ) to be the server site and Location 2 ( ) to be the client site. So Location 2 will initiate the connection to Location 1 (to end users, choosing Location 1 as the server and Location 2 as the client is arbitrary).

First, configure the server firewall to allow the client (Location 2) to connect:

Figure 67 - Creating site to site VPN. Adding the server entry to Location 1. Note we define where the client (Location 2) is connecting from.

From the settings above being added to the firewall at Location 1, you can see we set the entry to act as a server, the WAN IP of Location 2, the local subnet, as well as set the ability of Location 2 to connect to other clients (in case we add more sites in the future). After clicking the Add button you should see something similar to the figure below.

Figure 68 - Location 1 settings complete. Now download the server settings by clicking on the "Download Site To Site Server Settings" link highlighted above.

Now click on the Download Site to Site Server Settings link to download the settings for the client and move these settings so that you can import them into the firewall at Location 2.

Figure 69 - Saving the site to site VPN server settings on your computer.

The figure above shows the .psvpni settings file which will be saved to the local computer then transferred so it can be imported into the firewall at Location 2.

Now on the firewall at Location 2, add an entry that will act as a client to the server configured for Location 1 and import the settings.

Firewall at Location 2

Figure 70 - Configuring Location 2. Simply import the server settings created on the firewall at Location 1.

Once you click the Add button you should see something similar to the following:

Figure 71 - Site to site VPN client settings complete

The client is now configured with all the settings necessary to connect to the server site at Location 1. With this, the site to site VPN has been completed and both locations are now connected over a secure connection using strong SSL encryption.

Connecting Remote Users Via VPN

The VPN Users section allows you to connect remote users securely to the local network quickly and easily.

Figure 72 - Adding VPN Users

Adding VPN users is accomplished by filling out the settings under the Add VPN User subsection. The table below describes these settings:

Setting: Description
Enabled: Allows you to quickly disable a user.
Username: The username for the user. The user will be prompted for a username and password when connecting to the VPN.
Auth Via Ldap: Allows a user to use their Ldap/Active Directory credentials when connecting to the network. If set to yes, confirm that the username exists in Ldap/Active Directory and that the username selected is assigned to the LDAP OU/Group specified under the VPN Settings page. Removing a user from this LDAP group will also remove VPN privileges.
Password: The password for the username if Auth Via Ldap is not selected.
First Name: The first name of the user.
Last Name: The last name of the user.

The address of the user. VPN setup and configuration files can be sent directly to the user from the firewall if an address is specified.
Note: A note for the user.

Figure 73 - VPN user settings description

In the figure below, the Ldap user tim.smith is being configured to have access to the VPN:

Figure 74 - Example VPN user tim.smith is being added to the system. Tim will authenticate via LDAP. Note that the LDAP settings must first be configured under the LDAP settings section under the System menu option.

Notice Auth Via Ldap is set to Yes. In addition, tim.smith should be part of a group or OU called VPNUsers in the Ldap/Active Directory server (this is specified under the VPN Settings section shown below).

Figure 75 - VPN users will only be allowed to log into the VPN if they are part of the VPNUsers group or OU in LDAP/Active Directory/eDirectory. This is specified in the VPN Settings section and highlighted above.

Once the Add button is clicked, you should see something similar to the figure below.

Figure 76 - Tim is added as a VPN user to the system. You can email Tim the VPN client and settings by clicking on the "VPN Settings" button above. You must specify an address when creating the user for this button to appear.

Notice from the figure above that you can email VPN settings directly from the interface by clicking on the VPN Settings button. This will send an instructional email to the user Tim Smith with the VPN client and VPN settings which he can use to connect to the network. If you would like to send the VPN settings manually, click on the VPN Import Settings button and download the settings to your computer. You can then send the VPN client and settings to Tim at a later time.

The VPN client will automatically configure itself with the firewall VPN IP, certificates and all other aspects needed to connect based on the VPN Import Settings (whether they are emailed directly from the interface or downloaded). This makes it easy for the client to configure the VPN connection and minimizes the amount of communication needed between the network administrator and the user wishing to connect to the network, since the user will be able to use their network credentials to connect to the network.

VPN Status

The VPN status section displays the active VPN connections to this firewall.

Figure 77 - VPN Status

If there are users connected to the VPN, they are displayed here. For site to site VPN configurations, the server will display the connected client in the list once the client establishes the VPN connection.

Security Section

The security section of the firewall contains sophisticated gateway security services such as gateway antivirus and intrusion prevention. This prevents threats from entering and leaving the network at the network gateway, adding an additional layer of protection for the network.

Gateway Antivirus

The gateway antivirus section allows you to enable and configure the firewall to perform virus scanning of traffic entering the network.

Figure 78 - Gateway Antivirus

A valid gateway antivirus subscription key must be configured in the Subscription section in order for gateway antivirus to operate.

In the general gateway antivirus subsection above, you can enable and disable gateway antivirus scanning as well as indicate whether scanning should be applied to HTTP and/or FTP. Gateway antivirus operates on port 80 (HTTP) and 21 (FTP). If the option for enabling gateway antivirus is disabled, all other settings on this page have no effect.

The table below lists the options under the detailed settings section.

Setting: Description
Deep Executable Scan: Allows the scanning engine to perform a deep scan of executables for trojans and other viruses.
Advanced Algorithmic Virus Detection: Uses advanced algorithms in addition to signatures for detecting viruses using heuristics.
Scan Word Documents: Allows scanning of word documents.
Block Word Documents With Macros: Blocks word documents if the engine is able to detect that macros are on the document.
Scan Elf Files: Enables scanning of Elf files.
Scan PDF: Enables scanning of PDF documents.

Block Broken Executables: Indicates to the scanning engine that executables should be blocked if they are deemed to be broken and non-runnable.
Advanced HTML Analysis: Enables deep scanning of HTML web pages.
Scan Compressed Files: Enables scanning of compressed files.
Blocked Encrypted Compressed Files: Blocks compressed files if the engine determines the compressed file is encrypted.

Figure 79 - Gateway Antivirus settings description

Data Leakage Detection

The gateway antivirus engine will attempt to detect data leakage and block it.

Figure 80 - Gateway Antivirus DLP settings

Below are the options in this subsection.

Setting: Description
Data Leakage Protection: Enables detection of data leakage.
Credit Card # Threshold: The number of credit card numbers found in a document before triggering a data leakage block.
SSN # Threshold: The number of social security numbers found in a document before triggering a data leakage block.
Detect Structured SSN #s: Tells the engine to detect structured social security numbers, i.e. social security numbers in the format xxx-xx-xxxx.

Detect Unstructured SSN #s: Tells the engine to detect unstructured social security numbers, i.e. social security numbers in the format xxxxxxxxx.

Figure 81 - DLP settings description

The general settings subsection contains additional settings involved with the scanning engine. The table below describes these settings.

Setting: Description
Max scanned file size: The maximum file size that will be scanned. Files exceeding this size in MB will be passed without scanning.
Max scanning amount: The maximum amount of data within a file that will be scanned. Must be less than or equal to the value above.
Max archive scanning depth: How many levels deep the scanning engine should scan within an archive (how many archives within archives should be scanned).
Max archive files scanned: The maximum number of files within an archive that should be scanned.

Figure 82 - Additional gateway antivirus settings description

Virus Signatures

The virus signatures section contains a list of the virus signatures being used by the virus engine. Virus signatures are automatically updated by the firewall several times a day.

Figure 83 - Viewing Virus Signatures
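The interaction between the Data Leakage Detection thresholds and the structured/unstructured SSN options described earlier in this section is easiest to see on a sample document. The following is an added example and not the firewall's detection engine: the regular expressions, the Luhn checksum filter for card numbers, and treating a count at or above the threshold as a block are assumptions for the illustration, and the sample text uses constructed, non-issued numbers.

```python
import re

# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# xxx-xx-xxxx
SSN_STRUCTURED_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# xxxxxxxxx: exactly nine digits, not part of a longer number or dashed group.
SSN_UNSTRUCTURED_RE = re.compile(r"(?<![\d-])\d{9}(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum, used here to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_findings(text, structured=True, unstructured=False):
    """Count card numbers and SSN-shaped strings in a document."""
    cards = 0
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            cards += 1
    ssn = 0
    if structured:
        ssn += len(SSN_STRUCTURED_RE.findall(text))
    if unstructured:
        ssn += len(SSN_UNSTRUCTURED_RE.findall(text))
    return {"cards": cards, "ssn": ssn}


def dlp_blocks(text, cc_threshold, ssn_threshold, structured=True, unstructured=False):
    """True if either count reaches its threshold (assumed comparison: count >= threshold)."""
    found = count_findings(text, structured, unstructured)
    return found["cards"] >= cc_threshold or found["ssn"] >= ssn_threshold


# Constructed sample document. The card numbers are widely published test
# numbers; the SSN-shaped values use area 000, which is never issued.
SAMPLE = """Order 000123456 shipped.
Card on file: 4111 1111 1111 1111
Backup card: 5555555555554444
Mistyped card: 4111111111111112
Employee SSN: 000-12-3456
Legacy export: 000123457
"""

if __name__ == "__main__":
    print(count_findings(SAMPLE))                      # structured SSNs only
    print(count_findings(SAMPLE, unstructured=True))   # order and export ids now count
    print(dlp_blocks(SAMPLE, 3, 2), dlp_blocks(SAMPLE, 3, 2, unstructured=True))
```

With unstructured detection on, any nine-digit identifier counts toward the SSN threshold, so the threshold usually needs to be higher than with structured detection alone.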

Intrusion Prevention

The intrusion prevention section contains settings related to preventing intrusion on the network. The intrusion prevention engine is able to inject reset packets to terminate connections or streams it deems to be a risk to the network.

Figure 84 - Intrusion Prevention settings

The intrusion prevention engine is enabled with the first setting on the page above. If this setting is set to No, all other settings on the page have no effect and intrusion prevention scanning is disabled.

The intrusion prevention security service requires a subscription in order to operate. You can configure a valid subscription key under the Subscriptions page.

The table below describes the settings in the detailed settings subsection of the Intrusion Prevention settings.

Setting: Description
Protected Subnets: Enter which subnets you consider local and safe. These subnets are the subnets that will be protected by the IPS engine.
Detect Packets With Packet Size Greater Than Packet: Packets containing a packet size field with a value that is actually greater than the packet will trigger a violation.
TCP Ignore Ports: TCP ports which should not be scanned by the engine.
UDP Ignore Ports: UDP ports which should not be scanned by the engine.
Inspect TCP: Enable inspection of TCP.
Inspect UDP: Enable inspection of UDP.
Detect ARP Spoofing: Trigger a violation when ARP spoofing is detected.
Inspect SSH: Inspect SSH secure connections.
Inspect RPC: Detect remote procedure call.
Detect DNS Anomalies: Detect anomalies in the DNS protocol.
Detect SSL Anomalies: Detect anomalies in the SSL secure sockets layer protocol.
Sensitive Data Inspection: Detect data and trigger on possible sensitive data movement.
Inspect SIP/VOIP: Inspect the SIP/VOIP protocol used for internet phone calls.
Inspect IMAP: Detect the IMAP mail protocol.
Inspect POP: Detect the POP mail protocol.

Figure 85 - Intrusion Prevention settings description

Logs

The Logs section contains general system logs, logs originating from the gateway antivirus engine, and logs originating from the intrusion prevention engine.

Figure 86 - System Logs

The figure above shows the general system log. The figure below shows an example of the virus log.

Figure 87 - Virus Logs

The figure below shows an example of the Intrusion Prevention log.

Figure 88 - Intrusion Prevention Logs

Logging Out

Whenever administrative functions on the firewall are complete, you should log out of the iboss Firewall interface by clicking on the Logout menu option on the left, which will immediately end the session. Administrative sessions also time out automatically based on the values configured under the general system settings.


F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Multi-Homing Security Gateway

Multi-Homing Security Gateway Multi-Homing Security Gateway MH-5000 Quick Installation Guide 1 Before You Begin It s best to use a computer with an Ethernet adapter for configuring the MH-5000. The default IP address for the MH-5000

More information

Protecting the Home Network (Firewall)

Protecting the Home Network (Firewall) Protecting the Home Network (Firewall) Basic Tab Setup Tab DHCP Tab Advanced Tab Options Tab Port Forwarding Tab Port Triggers Tab DMZ Host Tab Firewall Tab Event Log Tab Status Tab Software Tab Connection

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev. Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of

More information

Chapter 6 Using Network Monitoring Tools

Chapter 6 Using Network Monitoring Tools Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your Wireless-G Router Model WGR614v9. You can access these features by selecting the items under

More information

SSL-VPN 200 Getting Started Guide

SSL-VPN 200 Getting Started Guide Secure Remote Access Solutions APPLIANCES SonicWALL SSL-VPN Series SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide Thank you for your purchase of the SonicWALL SSL-VPN

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Savvius Insight Initial Configuration

Savvius Insight Initial Configuration The configuration utility on Savvius Insight lets you configure device, network, and time settings. Additionally, if you are forwarding your data from Savvius Insight to a Splunk server, You can configure

More information

1 You will need the following items to get started:

1 You will need the following items to get started: QUICKSTART GUIDE 1 Getting Started You will need the following items to get started: A desktop or laptop computer Two ethernet cables (one ethernet cable is shipped with the _ Blocker, and you must provide

More information

6.0. Getting Started Guide

6.0. Getting Started Guide 6.0 Getting Started Guide Netmon Getting Started Guide 2 Contents Contents... 2 Appliance Installation... 3 IP Address Assignment (Optional)... 3 Logging In For the First Time... 5 Initial Setup... 6 License

More information

Getting Started with Clearlogin A Guide for Administrators V1.01

Getting Started with Clearlogin A Guide for Administrators V1.01 Getting Started with Clearlogin A Guide for Administrators V1.01 Clearlogin makes secure access to the cloud easy for users, administrators, and developers. The following guide explains the functionality

More information

3.1 RS-232/422/485 Pinout:PORT1-4(RJ-45) RJ-45 RS-232 RS-422 RS-485 PIN1 TXD PIN2 RXD PIN3 GND PIN4 PIN5 T+ 485+ PIN6 T- 485- PIN7 R+ PIN8 R-

3.1 RS-232/422/485 Pinout:PORT1-4(RJ-45) RJ-45 RS-232 RS-422 RS-485 PIN1 TXD PIN2 RXD PIN3 GND PIN4 PIN5 T+ 485+ PIN6 T- 485- PIN7 R+ PIN8 R- MODEL ATC-2004 TCP/IP TO RS-232/422/485 CONVERTER User s Manual 1.1 Introduction The ATC-2004 is a 4 Port RS232/RS485 to TCP/IP converter integrated with a robust system and network management features

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

Chapter 6 Using Network Monitoring Tools

Chapter 6 Using Network Monitoring Tools Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax Wireless-N Gigabit Router WNR3500. You can access these features by selecting the items

More information

User Guide. Cloud Gateway Software Device

User Guide. Cloud Gateway Software Device User Guide Cloud Gateway Software Device This document is designed to provide information about the first time configuration and administrator use of the Cloud Gateway (web filtering device software).

More information

Getting Started Guide

Getting Started Guide Getting Started Guide CensorNet Professional Copyright CensorNet Limited, 2007-2011 This document is designed to provide information about the first time configuration and testing of the CensorNet Professional

More information

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004 Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.2 November 2015 Last modified: November 3, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing

More information

ProSafe Plus Switch Utility

ProSafe Plus Switch Utility ProSafe Plus Switch Utility User Guide 350 East Plumeria Drive San Jose, CA 95134 USA September 2010 202-10524-03 v1.0 ProSafe Plus Switch Utility User Guide 2010 NETGEAR, Inc. All rights reserved. No

More information

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services DEPLOYMENT GUIDE Version 1.0 Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services Table of Contents Table of Contents Using the BIG-IP Edge Gateway for layered security and

More information

Websense Support Webinar: Questions and Answers

Websense Support Webinar: Questions and Answers Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user

More information

Multi-Homing Gateway. User s Manual

Multi-Homing Gateway. User s Manual Multi-Homing Gateway User s Manual Contents System 5 Admin Setting Date/Time Multiple Subnet Hack Alert Route Table DHCP DNS Proxy Dynamic DNS Language Permitted IPs Logout Software Update 8 12 21 22 33

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

NEFSIS DEDICATED SERVER

NEFSIS DEDICATED SERVER NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

More information

SOA Software API Gateway Appliance 7.1.x Administration Guide

SOA Software API Gateway Appliance 7.1.x Administration Guide SOA Software API Gateway Appliance 7.1.x Administration Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software, Inc. Other product names,

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK Barracuda Networks Technical Documentation Barracuda SSL VPN Administrator s Guide Version 2.x RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks, Inc. www.barracuda.com v20-110511w-02-110915jc

More information

User s Manual TCP/IP TO RS-232/422/485 CONVERTER. 1.1 Introduction. 1.2 Main features. Dynamic DNS

User s Manual TCP/IP TO RS-232/422/485 CONVERTER. 1.1 Introduction. 1.2 Main features. Dynamic DNS MODEL ATC-2000 TCP/IP TO RS-232/422/485 CONVERTER User s Manual 1.1 Introduction The ATC-2000 is a RS232/RS485 to TCP/IP converter integrated with a robust system and network management features designed

More information

User Manual. Page 2 of 38

User Manual. Page 2 of 38 DSL1215FUN(L) Page 2 of 38 Contents About the Device...4 Minimum System Requirements...5 Package Contents...5 Device Overview...6 Front Panel...6 Side Panel...6 Back Panel...7 Hardware Setup Diagram...8

More information

Innominate mguard Version 6

Innominate mguard Version 6 Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489

More information

Barracuda SSL VPN Administrator s Guide

Barracuda SSL VPN Administrator s Guide Barracuda SSL VPN Administrator s Guide Version 1.5.x Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2004-2009, Barracuda Networks,

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Overview of WebMux Load Balancer and Live Communications Server 2005

Overview of WebMux Load Balancer and Live Communications Server 2005 AVANU Load Balancing for Microsoft Office Live Communications Server 2005 WebMux Delivers Improved Reliability, Availability and Scalability Overview of WebMux Load Balancer and Live Communications Server

More information

Multifunctional Broadband Router User Guide. Copyright Statement

Multifunctional Broadband Router User Guide. Copyright Statement Copyright Statement is the registered trademark of Shenzhen Tenda Technology Co., Ltd. Other trademark or trade name mentioned herein are the trademark or registered trademark of above company. Copyright

More information

Chapter 10 Troubleshooting

Chapter 10 Troubleshooting Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. After each problem description, instructions are provided

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

Chapter 4 Managing Your Network

Chapter 4 Managing Your Network Chapter 4 Managing Your Network This chapter describes how to perform network management tasks with your ADSL2+ Modem Wireless Router. Backing Up, Restoring, or Erasing Your Settings The configuration

More information

MN-700 Base Station Configuration Guide

MN-700 Base Station Configuration Guide MN-700 Base Station Configuration Guide Contents pen the Base Station Management Tool...3 Log ff the Base Station Management Tool...3 Navigate the Base Station Management Tool...4 Current Base Station

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking

How To Check If Your Router Is Working Properly On A Nr854T Router (Wnr854) On A Pc Or Mac) On Your Computer Or Ipad (Netbook) On An Ipad Or Ipa (Networking Chapter 7 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax NEXT Wireless Router WNR854T. These features can be found by clicking on the Maintenance

More information

Unified Threat Management

Unified Threat Management Unified Threat Management QUICK START GUIDE CR35iNG Appliance Document Version: PL QSG 35iNG/96000-10.04.5.0.007/250121014 DEFAULTS Default IP addresses Ethernet Port IP Address Zone A 172.16.16.16/255.255.255.0

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.0 July 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing Disaster Recovery Version 7.0 July

More information

Barracuda IM Firewall Administrator s Guide

Barracuda IM Firewall Administrator s Guide Barracuda IM Firewall Administrator s Guide Version 3.0 Barracuda Networks Inc. 3175 S. Winchester Blvd Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2007, Barracuda Networks www.barracuda.com

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Networking Guide Redwood Manager 3.0 August 2013

Networking Guide Redwood Manager 3.0 August 2013 Networking Guide Redwood Manager 3.0 August 2013 Table of Contents 1 Introduction... 3 1.1 IP Addresses... 3 1.1.1 Static vs. DHCP... 3 1.2 Required Ports... 4 2 Adding the Redwood Engine to the Network...

More information

Quick Start Guide for VMware and Windows 7

Quick Start Guide for VMware and Windows 7 PROPALMS VDI Version 2.1 Quick Start Guide for VMware and Windows 7 Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the

More information

How To Check If Your Router Is Working Properly

How To Check If Your Router Is Working Properly Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your RangeMax Dual Band Wireless-N Router WNDR3300. You can access these features by selecting the

More information

Chapter 6 Virtual Private Networking Using SSL Connections

Chapter 6 Virtual Private Networking Using SSL Connections Chapter 6 Virtual Private Networking Using SSL Connections The FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides a hardwarebased SSL VPN solution designed specifically to provide

More information

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1 Virtual Appliances Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V Virtual Appliance Setup Guide for Umbrella Page 1 Table of Contents Overview... 3 Prerequisites... 4 Virtualized Server

More information

VMware vcloud Air Networking Guide

VMware vcloud Air Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Delegated Administration Quick Start

Delegated Administration Quick Start Delegated Administration Quick Start Topic 50200 Delegated Administration Quick Start Updated 22-Oct-2013 Applies to: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere,

More information

Setting Up Scan to SMB on TaskALFA series MFP s.

Setting Up Scan to SMB on TaskALFA series MFP s. Setting Up Scan to SMB on TaskALFA series MFP s. There are three steps necessary to set up a new Scan to SMB function button on the TaskALFA series color MFP. 1. A folder must be created on the PC and

More information

A Guide to New Features in Propalms OneGate 4.0

A Guide to New Features in Propalms OneGate 4.0 A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013 Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously

More information

Transparent Identification of Users

Transparent Identification of Users Transparent Identification of Users Websense Web Security Solutions v7.5, v7.6 Transparent Identification of Users 1996 2011, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA

More information

Barracuda Spam Firewall User s Guide

Barracuda Spam Firewall User s Guide Barracuda Spam Firewall User s Guide 1 Copyright Copyright 2004, Barracuda Networks www.barracudanetworks.com All rights reserved. Use of this product and this manual is subject to license. Information

More information

Chapter 15: Advanced Networks

Chapter 15: Advanced Networks Chapter 15: Advanced Networks IT Essentials: PC Hardware and Software v4.0 1 Determine a Network Topology A site survey is a physical inspection of the building that will help determine a basic logical

More information

Broadband Router ESG-103. User s Guide

Broadband Router ESG-103. User s Guide Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits

More information

Quick Start Guide for Parallels Virtuozzo

Quick Start Guide for Parallels Virtuozzo PROPALMS VDI Version 2.1 Quick Start Guide for Parallels Virtuozzo Rev. 1.1 Published: JULY-2011 1999-2011 Propalms Ltd. All rights reserved. The information contained in this document represents the current

More information

This chapter describes how to set up and manage VPN service in Mac OS X Server.

This chapter describes how to set up and manage VPN service in Mac OS X Server. 6 Working with VPN Service 6 This chapter describes how to set up and manage VPN service in Mac OS X Server. By configuring a Virtual Private Network (VPN) on your server you can give users a more secure

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0

Quick Start Guide. Sendio Email System Protection Appliance. Sendio 5.0 Sendio Email System Protection Appliance Quick Start Guide Sendio 0 Sendio, Inc. 4911 Birch St, Suite 150 Newport Beach, CA 92660 USA +949.274375 www.sendio.com QUICK START GUIDE SENDIO This Quick Start

More information

Barracuda Web Filter Administrator s Guide

Barracuda Web Filter Administrator s Guide Barracuda Web Filter Administrator s Guide Version 3.3 Barracuda Networks Inc. 3175 S. WInchester Blvd Campbell, CA 95008 http://www.barracuda.com 1 Copyright Notice Copyright 2004-2008, Barracuda Networks

More information

HP MediaSmart Server Software Upgrade from v.2 to v.3

HP MediaSmart Server Software Upgrade from v.2 to v.3 HP MediaSmart Server Software Upgrade from v.2 to v.3 Table of Contents Table of Contents Upgrade Your Server Software to HP MediaSmart Server v.3 2 Before You Begin 3 What's New 3 Features That Will

More information

eprism Email Security Suite

eprism Email Security Suite Guide eprism 2505 eprism Email Security Suite 800-782-3762 www.edgewave.com 2001 2012 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered

More information

WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES

WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES WEBTITAN CLOUD User Identification Guide This guide explains how to install and configure the WebTitan Cloud Active Directory components required

More information

F-SECURE MESSAGING SECURITY GATEWAY

F-SECURE MESSAGING SECURITY GATEWAY F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

GlobalSCAPE DMZ Gateway, v1. User Guide

GlobalSCAPE DMZ Gateway, v1. User Guide GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical

More information

Shield Pro. Quick Start Guide

Shield Pro. Quick Start Guide Shield Pro In the box: Power Adapter Shield Network Cables Let s get started! Before installing Shield you will first need to determine which operating mode best fits your needs. To help with this process,

More information

Meraki MX50 Hardware Installation Guide

Meraki MX50 Hardware Installation Guide Meraki MX50 Hardware Installation Guide January 2011 Copyright 2010, Meraki, Inc. www.meraki.com 660 Alabama St. San Francisco, California 94110 Phone: +1 415 632 5800 Fax: +1 415 632 5899 Copyright: 2010

More information

SSL VPN Portal Options

SSL VPN Portal Options 1. ProSecure UTM Quick Start Guide This quick start guide describes how to use the SSL VPN Wizard to configure SSL VPN portals on the ProSecure Unified Threat Management (UTM) Appliance. The Secure Sockets

More information

PHD Virtual Backup for Hyper-V

PHD Virtual Backup for Hyper-V PHD Virtual Backup for Hyper-V version 7.0 Installation & Getting Started Guide Document Release Date: December 18, 2013 www.phdvirtual.com PHDVB v7 for Hyper-V Legal Notices PHD Virtual Backup for Hyper-V

More information

Load Balancer LB-2. User s Guide

Load Balancer LB-2. User s Guide Load Balancer LB-2 User s Guide TABLE OF CONTENTS 1: INTRODUCTION...1 Internet Features...1 Other Features...3 Package Contents...4 Physical Details...4 2: BASIC SETUP...8 Overview...8 Procedure...8 3:

More information

Initial Access and Basic IPv4 Internet Configuration

Initial Access and Basic IPv4 Internet Configuration Initial Access and Basic IPv4 Internet Configuration This quick start guide provides initial and basic Internet (WAN) configuration information for the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Test Case 3 Active Directory Integration

Test Case 3 Active Directory Integration April 12, 2010 Author: Audience: Joe Lowry and SWAT Team Evaluator Test Case 3 Active Directory Integration The following steps will guide you through the process of directory integration. The goal of

More information

Multi-Homing Dual WAN Firewall Router

Multi-Homing Dual WAN Firewall Router Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies Kerio Technologies. All Rights Reserved. Printing Date: August 15, 2007 This guide provides detailed description on configuration of the local network which

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

Chapter 7 Troubleshooting

Chapter 7 Troubleshooting Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. After each problem description, instructions are provided to help you diagnose and

More information

Configuration Guide. How to Configure SSL VPN Features in DSR Series. Overview

Configuration Guide. How to Configure SSL VPN Features in DSR Series. Overview Configuration Guide How to Configure SSL VPN Features in DSR Series Overview This document describes how to configure D-Link DSR-500N to enable SSL VPN feature. An SSL VPN is a form of VPN that can be

More information

BR-6624. Load Balancing Router. Manual

BR-6624. Load Balancing Router. Manual BR-6624 Load Balancing Router Manual TABLE OF CONTENTS 1: INTRODUCTION...1 Internet Features...1 Other Features...3 Package Contents...4 Physical Details...4 2: BASIC SETUP...8 Overview...8 Procedure...8

More information

V310 Support Note Version 1.0 November, 2011

V310 Support Note Version 1.0 November, 2011 1 V310 Support Note Version 1.0 November, 2011 2 Index How to Register V310 to Your SIP server... 3 Register Your V310 through Auto-Provision... 4 Phone Book and Firmware Upgrade... 5 Auto Upgrade... 6

More information

PineApp Surf-SeCure Quick

PineApp Surf-SeCure Quick PineApp Surf-SeCure Quick Installation Guide September 2010 WEB BASED INSTALLATION SURF-SECURE AS PROXY 1. Once logged in, set the appliance s clock: a. Click on the Edit link under Time-Zone section.

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Copyright 2006 Comcast Communications, Inc. All Rights Reserved.

Copyright 2006 Comcast Communications, Inc. All Rights Reserved. ii Copyright 2006 Comcast Communications, Inc. All Rights Reserved. Comcast is a registered trademark of Comcast Corporation. Comcast Business IP Gateway is a trademark of Comcast Corporation. The Comcast

More information

NETASQ SSO Agent Installation and deployment

NETASQ SSO Agent Installation and deployment NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user

More information

Chapter 5 Customizing Your Network Settings

Chapter 5 Customizing Your Network Settings Chapter 5 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax NEXT Wireless Router WNR834B, including LAN, WAN, and routing settings.

More information