GB-OS Firewall Software, Version 3.7, User's Guide (GBUG)
GB-OS 3.7 User's Guide

Copyright Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support
GTA includes 30 days of "up and running" installation support from the date of purchase. See GTA's web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone number and email address below. International customers should contact a local GTA authorized channel partner.
Email: [email protected]

Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation the condition of the software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by the licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and the contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights
GNAT Box, GB Commander and Surf Sentinel 2.0 are registered trademarks of Global Technology Associates, Incorporated. GB-OS, RoBoX, GB-Ware and Firewall Control Center are trademarks of Global Technology Associates, Incorporated. Global Technology Associates and GTA are registered service marks of Global Technology Associates, Incorporated. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and the University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM. SurfControl is a registered trademark of SurfControl plc; some products contain technology licensed from SurfControl plc. Some products include software developed by the OpenSSL Project. Kaspersky Lab and Kaspersky Anti-Virus are licensed from Kaspersky Lab Int.; some products contain technology licensed from Kaspersky Lab Int. Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated; some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.

Global Technology Associates, Inc., Lake Lynda Drive, Suite 109, Orlando, FL, USA. Email: [email protected]
Contents

Chapter 1: Introduction
  About GTA Firewalls; About GB-OS (Standard Features; Options; What's New); GB-OS Roles; Support (Support Options; Updates); About This Guide (Organization of Chapters and Appendices; Documentation Conventions; Additional Documentation; Mailing List)

Chapter 2: Installation and Setup
  Registration (Getting Your Activation Code); Connecting Your Computer to the Firewall (Requirements; Installing Utilities & Documentation; Setup by Temporary Peer Network; Alternate Method: Setup by LAN Using the Firewall's Default Network); Powering On the Firewall; Network Configuration; Configuration Using a Web Browser (Browser Compatibility; Connecting to the Web Interface; Setting Your Time; Entering Your Network Information; Re-configuring Your Computer; Accessing the Firewall); Configuration Using GBAdmin (Entering Your Network Information; Re-configuring Your Computer; Accessing the Firewall)

Chapter 3: Basic Configuration
  DNS (DNS Proxy); Features; Serial Number; Activation Codes; Network Information (Logical Interfaces; Interface Object Names; Host Name; Default Gateway; Bridged Interfaces; Bridging Mode; Network Interface Cards (NICs) or Physical Interfaces; PPP; PPPoE; Enabling PPP/PPPoE in Network Information; PPTP); Preferences (Basic Configuration)

Chapter 4: Services
  DHCP Server; DNS Server (DNS Domains); Dynamic DNS; GB-Commander Server; High Availability; Mail Sentinel (Email Proxy) (Defining an Email White List or Black List; RDNS; Defining a Mail Abuse Prevention System (MAPS)); Network Time Service (Finding NTP Servers; Designating the Firewall as an NTP Server); Remote Logging (WELF (WebTrends Enhanced Log Format); GTAsyslog; Unix Facilities; Filter; NAT (Network Address Translation); WWW); SNMP

Chapter 5: Authorization
  Admin Accounts; Authentication (RADIUS; LDAP; Defining a User Authentication Remote Access Filter; GTA Authentication; LDAP: Using LDAP on a GTA Firewall; RADIUS: Using RADIUS on a GTA Firewall); Remote Admin (Changing the Remote Administration Port; WWW; RMC (GBAdmin); SSL Encryption; Browser Compatibility; Generating and Installing SSL Certificate); Users; VPNs (Security Associations; Multiple Networks; Mobile Protocol; Encryption Key Length; Hash Key Length; Security Parameter Index (SPI); Creating a VPN)

Chapter 6: Content Filtering
  Access Control Lists (Local Allow and Deny Lists); Content Blocking (Local Content Lists; Adding Domain Names to LCLs); Preferences (Content Filtering); Traditional Proxy (Creating an RAF for a Traditional Proxy); Transparent Proxy; Block Action

Chapter 7: Routing
  Gateway Policies (Selecting Useful Beacons; Gateway Policies and Bridging Mode); RIP; Static Routes

Chapter 8: Objects
  Addresses (Using Regular Expressions; Default Address Objects); Traffic Shaping (Bandwidth Limiting) (Weight vs. Priority; Using Traffic Shaping); VPN Objects (Default VPN Objects; Which VPN Object Is Used?; Configuring a VPN Object)

Chapter 9: Filters
  Managing Filters (Filter Sets; Tips for Using Filters); Outbound Filters (IP Protocols); Preferences (Filters) (General; Address Spoof; Doorknob Twist; Fragmented Packets; Invalid Packets; Unexpected Packets; Stealth Mode; Alarms; Coalesce; Server; SNMP Traps; Pager); Remote Access Filters (Muffling Benign Protocols; Access a Protected Network from a PSN); Time Groups

Chapter 10: Pass Through
  Pass Through (No NAT); Filters (Creating Passthrough Filter Pairs); Hosts/Networks (Creating a New Host or Network); Bridged Protocols; Protocol Definitions

Chapter 11: NAT
  Aliases; Inbound Tunnels (Creating Inbound Tunnels); Static Address Mapping (Allowing Static Address Mapping); Timeouts

Chapter 12: Administration
  Download Configuration; Resetting the Firewall or Defaulting Sections (Retaining Filters After Defaulting); Flush ARP Table; Halt; Interfaces; Ping (Using Ping); Reboot; Set Date/Time (UTC and Logging); Set Timezone; Trace Route; Upload Configuration; Upload Runtime

Chapter 13: Reports
  Configuration; Hardware; Configuration; Verify Configuration

Chapter 14: System Activity
  Active ARP Table; Active Connections; Active Filters; Active Routes; Active Hosts; Active VPNs; Authenticated Users; Current Statistics; DHCP Leases; Locked Out; Mail Sentinel (Email Proxy); View Log Messages

Chapter 15: Utility Software
  DBmanager (Database Maintenance; Utilities; GTAsyslog Settings; Help; Verify Installation); LogView; GBAuth User Authentication (Using GBAuth for GTA Authentication; Using GBAuth for LDAP Authentication; Using GBAuth for RADIUS Authentication)

Chapter 16: Troubleshooting
  Troubleshooting Basics; Frequently Asked Questions (FAQ)

Appendix A: Ports and Services
  GTA Ports & Services; Well-known Ports and Services; Registered Port Numbers

Appendix B: Log Messages
  Default Logging (Interface Errors; Bridged Interfaces and Protocols; Gateway Policies; Filtered Packet Types); Log Messages (Permitted Inbound Connection; Permitted Outbound Connection; Remote Access Filters; Outbound Filters; Network Address Translation (NAT); HTML Sessions; Outbound ICMP; Outbound UDP; Outbound TCP; Pass Through (No NAT); Inbound Pass Through Filter Block; Outbound Pass Through Filter Block; Inbound/Outbound Security Policy Violation; Unauthorized Firewall Access Attempts; GBAdmin (RMC); Web Interface; Console; Attempts to Compromise Remote Admin Ports; Ping Flood/DoS Attack; Content Filtering (HTTP Proxy); Transparent Proxy; Traditional Proxy; Surf Sentinel; Mail Sentinel (Email Proxy); Headers; Virtual Private Network (VPN); Authentication; Automatic Filters; Saving GB-Commander on Firewall; Exceeding the Count of Licensed Users)

Appendix C: User Interfaces
  Web Interface (Features; Web Interface Access; Characteristics; How to Access the Web Interface; Navigation and Data Entry); GBAdmin (Features; GBAdmin Access; Characteristics; How to Access GBAdmin; Navigation and Data Entry)

Appendix D: GB-OS Terms
  IP Packet; Stateful Packet Inspection; Tunnels; Network Transparency; Virtual Cracks; IP Aliases; Network Types (External Network; Protected Network; Private Service Network); Network Interface Cards (NICs) (External Network Interface; Protected Network Interface; Private Service Network Interface); Network Address Translation (NAT) (Default NAT (Dynamic NAT); Static Address Mapping (Static NAT); IP Pass Through (No NAT)); Objects (Address Objects; Interface Objects; VPN Objects); Filters (Filter Defaults; Filter Types; Automatic Filters; Stealth Mode); VPN; DNS (DNS Server)

Appendix E: Default Settings
  Outbound Security Policies (Outbound Filters); Remote Access Security Policies (Remote Access Filters)

Index
Chapter 1: Introduction

About GTA Firewalls
Global Technology Associates, Inc. (GTA) designs and builds Internet firewalls. In 1996, GTA developed the first truly affordable commercial-grade firewall, the GNAT Box. Since then, ICSA-certified GB-OS, formerly GNAT Box System Software, has become the engine that drives all GTA hardware appliance and software firewall systems.

About GB-OS

Standard Features
GTA's NAT (Network Address Translation) and Stateful Packet Inspection engine are at the heart of all GB-OS firewalls. These facilities, tightly integrated with the network layer, are designed to provide high data throughput, reliable NAT and strong security. Passthrough filters allow the use of the firewall without NAT. GB-OS features also include:
- Email proxy with spam and virus prevention tools
- Gateway-to-gateway IPSec VPN (Virtual Private Networking)
- Encryption methods including DES, 3DES, AES and Blowfish (DES has only a 56-bit key and is no longer considered secure; prefer AES for new security associations)
- User authentication for any platform via the Java GBAuth utility
- DHCP and DNS services via built-in DHCP and DNS servers*
- Transparent network access for standard TCP and UDP applications
- Protocols including FTP, PASV FTP, CU-SeeMe, RealAudio/Video, ICQ, AIM, online gaming, Net2Phone, PPP, PPPoE and PPTP
- Bridging for user-identified Ethernet protocols
- Safer external access to internal networks using the PSN, GTA's improved DMZ network
- Secure remote logging using the GTAsyslog utility or a third-party syslog
- Default stealth mode

GB-OS administrators have a choice of three user interfaces:
- Web interface: a secure cross-platform remote management interface providing comprehensive access to configuration options via a frames-enabled, SSL-compatible web browser
- GBAdmin: a secure Windows-compatible remote management interface
- Console interface: on-site serial or video fail-safe and firewall recovery access

Options
- Secure access to internal networks with the mobile VPN client
- Email filtering with Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus
- Web content filtering with Surf Sentinel 2.0
- Firewall failover with H2A High Availability*
- VPN hardware acceleration*
- Variable support contracts
*Available on select GTA firewalls.

What's New
GB-OS version 3.7 offers new features for VPN users, users with multiple Internet gateways, and users who want policy-based gateway assignment. New features include:
- NAT-T (NAT traversal) for IPSec VPNs
- Dead peer detection for IPSec VPNs
- Additional Diffie-Hellman groups, allowing larger moduli for IPSec VPN key exchange
- Multiple gateway (multi-WAN) support
- Policy-based gateways
- Bandwidth sharing (load balancing) over multiple gateways

GB-OS Roles
As firewalls, GB-OS systems are dedicated to network security. Unlike servers and workstations, whose many running applications may inadvertently expose your network, GTA firewalls run only the necessary security software: no unrelated applications run on them, you cannot telnet to them, and you cannot use them as a web server. An authorized user can log on only to configure and administer a GTA firewall's security functions.

By definition, the effectiveness of a firewall is determined by the traffic it denies. GB-OS systems are based on this principle: that which is not explicitly allowed is denied. If all filters were deleted and nothing was explicitly allowed, a GB-OS firewall would deny all traffic, and there would be no inbound or outbound packet flow.

GB-OS software is:
- A firewall that prevents unauthorized access to internal networks, while allowing authorized connections to operate normally
- A virtual private network (VPN) gateway between two networks, or between a network and a VPN client, using the IPSec VPN standards and supporting many third-party VPN products
- A network address translation (NAT) engine that allows unregistered IP addresses to be used on the protected and PSN networks, so that those addresses are hidden from external networks and translated to the primary external network interface IP address
- A network gateway that links network topologies (e.g. 10 Mbps to gigabit) and replaces a router in a PPP configuration
- A bridging firewall that links Ethernet networks together transparently like a bridge, while filtering IP packets as a firewall
- An email proxy that restricts access to your email server
- A DNS proxy or server that makes DNS requests or maintains a database of domain names (host names) and their corresponding IP addresses
- A DHCP server that automates the assignment of IP addresses to host systems on locally attached networks

Support
Installation ("up and running") support is available to registered users. If you have registered your product and need installation assistance during the first 30 days, contact the GTA Support team by email at [email protected]. Include your product name, serial number, activation code, feature activation code numbers for your optional/subscription features, and a Configuration Report (available in Reports under Configuration in the web user interface), if possible. Installation support only covers installation and default configuration of the firewall. For further assistance, contact an authorized GTA Channel Partner or GTA Sales staff for information about support offerings.

Support Options
If you need support after installation and default configuration, a variety of support contracts are available. Contact an authorized GTA Channel Partner or GTA Sales staff for more information. Support ranges from per-incident support to annual contract coverage. Other avenues for assistance are available through authorized GTA Channel Partners, the GNAT Box Mailing List, or the GTA web site.

Updates
Once registered, you can view available updates in the GTA online support center section of the GTA web site. Click on the serial number of your registered product to see if an update is available for that specific model. Click on the DOWNLOADS link to view all available software versions.
Caution: Back up your configuration before upgrading!

About This Guide
This guide follows the GNAT Box System Software User's Guide Version 3.6. It includes a description of major changes to the software since version 3.6, additional information about pre-existing features, and information unchanged from version 3.6 to 3.7. It also includes directions for initial network configuration of a GTA firewall appliance from its factory default state.

Organization of Chapters and Appendices
The organization of the chapters in this guide generally reflects the subject listings in the menu of the GB-OS web interface for this software release. For the location of specific topics, please see the table of contents or index. Special chapters may provide information on features not directly present in the GB-OS web interface. For example, the chapter about utility software contains information on GBAuth, DBmanager, LogView and GTAsyslog. These utilities are used by GB-OS, GB-Commander and the GTA Reporting Suite. The troubleshooting chapter presents answers to some of the common questions users have when configuring and using a GTA firewall. The appendices contain lists of ports and services, log messages, user interfaces, GB-OS terms and default settings.

Documentation Conventions
A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this in PDF format, color variations may also be used to emphasize notes, warnings and new sections.
  Bold Italics       emphasis
  Italics            publications
  SMALL CAPS         field names
  Monospace Font     screen text
  Condensed Bold     menus, menu items
  BOLD SMALL CAPS    buttons, links

Additional Documentation
For additional instructions on installation, registration and setup of a GTA product, see the applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate option guide. Documentation is included with new GTA products and is available for download from the GTA web site. Check the GTA web site for the latest PDFs and other documentation. Documents on the web site are either in plain text (*.txt) or portable document format (*.pdf), which requires Adobe Acrobat Reader version 5.0, Apple Preview or ghostview. A free copy of Adobe Acrobat Reader can be obtained from Adobe.

  Document                                        Topics
  GB-OS Firewall Software User's Guide            GB-OS firewall software features; web user interface, GBAdmin
  Console Interface User's Guide                  console interface
  GB-Commander Product Guide                      GB-Commander for GTA firewalls
  GTA Reporting Suite Product Guide               stand-alone reporting software
  Mail Sentinel Feature Guide                     anti-spam and anti-virus filtering optional feature
  Surf Sentinel Content Filtering Feature Guide   content filtering optional feature
  H2A High Availability Feature Guide             high availability optional feature
  VPN Option Guide                                VPN (virtual private networks) optional feature
  FAQs on Topics                                  frequently asked questions (FAQs), hardware specifications, current documentation, examples

Mailing List
To learn more about GB-OS, join the GTA staff-monitored GB-OS mailing list at [email protected].
Chapter 2: Installation and Setup

This chapter describes setup and installation of your new GTA firewall appliance, including how to add network settings. Steps include registration, initial physical connection, entering network settings through the firewall's web interface or GBAdmin, and installation on your network. This chapter's subject reflects the Quick Guide included with firewall appliances, but provides alternative methods and more detailed instructions.

These instructions are for GTA firewall appliances only and do not apply to software firewalls such as GB-Ware. See the GB-Ware Product Guide for installation and setup of GB-Ware firewalls. Any firewall use or administration described in later chapters assumes that you have completed this chapter's instructions or the equivalent instructions in the GB-Ware Product Guide, as appropriate to your firewall model.

Registration
To get technical support and software updates, you must register your GTA firewall.
1. To register, go to the GTA web site. Click on SUPPORT and then the SUPPORT CENTER link.
2. If you do not have a GTA online support center account, click on the CREATE AN ACCOUNT NOW link and enter your information. Once you have completed the form, click the SUBMIT button to save the profile.
3. Enter your user ID and password on the login page. Click on the REGISTER A PRODUCT link. Enter your serial number and activation code, then click the SUBMIT button. To view your registered products, click the VIEW YOUR REGISTERED PRODUCTS link.

In addition to qualifying you for installation support, your product registration allows GTA to inform you about updates and special offers. If you cannot retrieve your activation code, or a code does not appear under VIEW YOUR REGISTERED PRODUCTS, please email support with a brief description of your problem in the body of the email. Include the product serial number and your online support account's user ID in the message subject.

Getting Your Activation Code
All commercial GTA firewalls use an activation code to protect the system software. This code is pre-installed in all firewall appliance models. Optional features require separate feature activation codes. Serial numbers and activation codes are included with the packaging and are also available under VIEW REGISTERED PRODUCTS on the GTA support site. GB-OS firewall software may be copied for backup purposes.

Connecting Your Computer to the Firewall
First install any necessary console software or documentation. Then physically connect the firewall to your computer or network using the provided cables. If your LAN's network configuration is different from the default firewall network, temporarily connect a computer to the firewall's default network, or use the console interface to configure the firewall for integration with your LAN.

Requirements
To connect the firewall, you will need the following hardware:
- 1 crossover Ethernet cable to connect to a host or router, or a straight-through cable to connect to a hub or switch (a yellow crossover cable may be included; consult your package contents list)
- 1 null-modem serial cable for the console (may be included; consult your package contents list)
- 1 external power supply or cable (may be included; consult your package contents list)
- 1 computer

In addition, you will need:
- an understanding of TCP/IP networking
- network IP addresses for all firewall network ports used
- subnet masks for each attached network
- the default route to the external network (gateway)
- a list of services/ports to allow inbound (if any)
- a list of services/ports to restrict outbound (if any)

Installing Utilities & Documentation
Prior to setup of the firewall, install any desired utility software (such as GBAdmin) and documentation on your computer. If the computer is running a non-Windows operating system (e.g. Apple Macintosh or Unix) or an older version of Microsoft Windows incapable of using the automated installer, locate the directory on the CD appropriate for your operating system (OS) and use the Read Me document to install documentation and utility programs. Note that some software may only run on a Windows operating system.

Setup by Temporary Peer Network
The factory network settings on the firewall are unlikely to match your existing network. In this case, you must first temporarily join a computer to the firewall's default network. This allows you to connect and configure the firewall's network settings to match your network IP address scheme. Doing this over a direct cable, or an otherwise isolated hub or switch, also ensures that no other host can observe the default credentials and the unverified SSL certificate used during the first login.
1. Use a crossover Ethernet cable to connect a computer to the firewall's network port (NIC) 0. Alternately, use straight-through cables to connect your computer and the firewall's NIC 0 to a hub or switch. NIC 0 is the Ethernet network port/connector labelled with a zero (0).
2. Back up your computer's network configuration. Temporarily change your computer's network configuration to join the firewall's default network:
   IP ADDRESS: any unused address on the firewall's default network
   GATEWAY: the firewall's default IP address
   NET MASK: the default network's subnet mask
   DNS: none (or the firewall's IP, if this field is required)

[Figure: Temporary Network Configuration for Connection with Firewall Defaults - Windows]
[Figure: Temporary Network Configuration for Connection with Firewall Defaults - Mac OS X]

3. Reboot your computer if necessary to apply the network configuration.

Alternate Method: Setup by LAN Using the Firewall's Default Network
1. If your LAN currently matches the firewall's default network (which is unlikely), you can configure the firewall over the LAN without making a temporary network. Just make sure that the firewall's default IP address is not currently assigned to any other device on your network, then connect your firewall.
2. If another device does have this IP address assigned, do not connect the firewall to the LAN. Instead, use a crossover Ethernet cable and connect your computer directly to the firewall's NIC 0, as in the first method. The yellow crossover cable included with the firewall appliance can be used for this.
The next step is to enter your network information over the firewall's default configuration.

Powering On the Firewall
Connect the power supply or cable to a power outlet, then insert the power connector tip into the firewall. If there is a power switch, turn the firewall on; if there is no power switch, applying the power cable should cause the boot process to begin. The system should be operational in about one minute. Check that the power indicator LED on the front panel is lit. Verify your ability to connect to the firewall by pinging its default IP address. Preparation is now complete. Next, replace the firewall's default configuration with your own network's configuration.

Network Configuration
The following sections describe how to replace the firewall's default configuration with your own network settings. Use either the web user interface or the GBAdmin user interface.

Configuration Using a Web Browser

Browser Compatibility
GTA recommends using Apple Safari, Mozilla, Netscape Navigator, Opera, Microsoft Internet Explorer for Windows, or another SSL-compatible and frames-enabled browser to administer your firewall. On Macintosh computers, GTA does not recommend using Microsoft Internet Explorer for Macintosh (Mac IE 5). OpenSSL encryption, used by the firewall, is known to be incompatible with Mac IE 5, and that browser will not allow you to continue past the security alert screen. If you must use Mac IE 5, install the firewall using a compatible browser, GBAdmin or the console, and disable SSL before using Mac IE 5. Mac IE 5 can only be used with SSL encryption disabled.

Caution: Administration of the firewall without SSL is insecure. The administrator password and the configuration itself cross the wire in clear text, where any host on a shared hub, a mirrored switch port or an intermediate device can capture them. Do not disable SSL unless your computer is connected directly to the firewall appliance, and re-enable it afterwards.

Connecting to the Web Interface
1. Start a web browser on your computer and enter the firewall's default IP address into the browser's location/address field.
2. If your network and cables are set up correctly, you will be prompted with a security alert dialog indicating that the certificate authority is not one you have chosen to trust; that the security (SSL) certificate date is valid; and that the name on the security certificate does not match the name of the site. This is expected: the factory certificate is self-signed and carries the firewall's default name rather than the address you typed.

[Figure: Accepting the Firewall's SSL Certificate]

Select YES, or, if your alert differs, choose the selection that allows you to proceed. Because the browser cannot verify this certificate, accept it only over the isolated temporary peer network, where no other device can be placed between your computer and the firewall. (You may establish your own firewall SSL certificate once you have logged on to the firewall.)
3. Next, in the login screen, enter the default user ID, "gnatbox" (all lower case). Then enter the default password, also "gnatbox" (all lower case). Select OK or press the RETURN key when finished.

[Figure: Entering the Default User ID and Password]

Caution: GTA recommends changing the default user ID and password to prevent unauthorized access. The defaults are printed in this guide and are therefore known to anyone who reads it.

Setting Your Time
Firewall logs record events, and time-based filters are scheduled, according to the current time. To ensure that the correct time is used, your GTA firewall should poll a network time (NTP) server. To specify which network time servers to use, click Services to expand the menu, then Network Time Service. Check the ENABLE box, enter the domain name of a network time server (e.g. time.apple.com), then click the SAVE and OK buttons.

Entering Your Network Information
The firewall has default settings which need to be changed to match your network settings. Click on Basic Configuration to expand the menu, then select Network Information. Only one external and one protected network interface are required to initially configure and test the firewall. Any other interface can be defined as any of the three network types: protected, external or PSN (Private Service Network, GTA's enhanced DMZ).
1. In the Network Information section:
   - Enter IP addresses and subnet masks (in either dotted decimal or CIDR notation) for your external and protected networks on each network interface.
   - Disable the DHCP option on the external network interface if necessary.
   - Enter the default route to your Internet router's IP address.
   - Enter the firewall's domain name according to your DNS server. This automatically generates a new SSL certificate for the firewall using its domain name, so your browser will show the certificate alert again on the next connection.

Caution: Closing the browser without clicking SAVE will cause the entered data to be lost, and your firewall will remain in default configuration. You will need to re-connect to the firewall and re-enter the network information.

2. Once you have completed the network configuration, apply the changes by clicking SAVE. The firewall will then join the assigned network. Close your browser.

Caution: Failure to close the browser may allow unauthorized access to the firewall, because the browser retains the authenticated administration session until it is closed, and anyone who can use your computer inherits it. To prevent this, always log out and close your browser after a firewall administration session.

If you changed the IP of NIC 0's protected network, the firewall is now on a different logical network than your computer, and you will not be able to access the firewall from your computer. You must restore your computer's original network settings to access the firewall again.
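The certificate alert in Connecting to the Web Interface has to be clicked through because the factory certificate is self-signed, and entering the firewall's domain name replaces that certificate again. The check a practitioner wants is to compare the fingerprint the browser shows with one obtained over a channel you already trust, instead of trusting whatever answers on the address. The script below is an added example, not GB-OS code or a GTA tool; it assumes the web interface speaks HTTPS on port 443 and that you hold the trusted SHA-256 fingerprint. The host and fingerprint it takes on the command line are placeholders, and the bytes used in its self-check are constructed, not a real certificate.

```python
"""Pin the firewall web interface's certificate by SHA-256 fingerprint.

Added example, not part of the GB-OS guide. Assumptions: HTTPS on port 443;
the expected fingerprint was obtained out of band. Standard library only.
"""
import hashlib
import hmac
import socket
import ssl

HEX_DIGITS = set("0123456789abcdef")


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or bare hex; return 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch.isalnum()).lower()
    if len(cleaned) != 64 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError("expected a SHA-256 fingerprint: 64 hex digits")
    return cleaned


def colon_format(fingerprint_hex: str) -> str:
    """Render a fingerprint the way 'openssl x509 -fingerprint -sha256' prints it."""
    fp = normalize_fingerprint(fingerprint_hex)
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()


def fingerprint_der(der: bytes) -> str:
    """SHA-256 over the DER encoding is what browsers and openssl display."""
    return hashlib.sha256(der).hexdigest()


def pem_from_der(der: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint_pem(pem: str) -> str:
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def pin_matches(der: bytes, expected: str) -> bool:
    """Constant-time comparison so a mismatch does not leak how many digits agreed."""
    return hmac.compare_digest(fingerprint_der(der), normalize_fingerprint(expected))


def fetch_certificate_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate WITHOUT CA validation (the factory cert has no CA).

    Nothing is sent on this connection; trust is decided afterwards by pin_matches().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_firewall_pin(host: str, expected: str, port: int = 443) -> bool:
    return pin_matches(fetch_certificate_der(host, port), expected)


if __name__ == "__main__":
    import sys
    # usage: python pin_check.py <firewall-address> <trusted-sha256-fingerprint>
    host, expected = sys.argv[1], sys.argv[2]
    ok = verify_firewall_pin(host, expected)
    print("fingerprint matches; safe to log in" if ok else "MISMATCH: do not log in")
    sys.exit(0 if ok else 1)
```

Run it before every administration session from a new machine, and again after the domain name change regenerates the certificate; a mismatch means either the certificate was legitimately regenerated or something else is answering on the firewall's address, and the login should wait until you know which.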
Entering a Network Configuration Using a Browser

Using CIDR-based or Slash (/) Notation
CIDR (Classless Inter-Domain Routing) notation writes a subnet mask as a prefix length, the number of leading one bits in the mask, after a forward slash. It allows routes to be aggregated, so that one prefix can represent thousands of addresses served by a backbone provider. GB-OS uses CIDR notation as the default for subnet masks, instead of dotted decimal notation (e.g. 255.255.255.0). Instead of the fixed 8, 16 and 24 bits of the classful A, B and C masks, CIDR allows any prefix length from 1 to 32 bits (/32 representing a single IP address), so a network can be subdivided at any boundary. For example, an address written with /24 indicates that the first 24 bits are the network ID. A /24 mask includes 254 usable host addresses and is equivalent to 255.255.255.0 in dotted decimal notation.

Calculate a CIDR prefix by converting the dotted decimal subnet mask to binary and counting the ones. For a Class C network, the dotted decimal subnet mask is 255.255.255.0; in binary that is 11111111.11111111.11111111.00000000. There are 24 ones, so the CIDR notation is /24. For a 255.255.255.240 subnet mask, the binary representation is 11111111.11111111.11111111.11110000; there are 28 ones, so the notation is /28. Counting ones only works for a valid mask, that is, a run of ones followed by a run of zeros; a value such as 255.0.255.0 has sixteen ones but is not a subnet mask.

You may also enter a host address without a subnet mask; this is equivalent to a /32 mask. To enter a range of addresses, use a hyphen (-) between the two extremes of the range. Dotted decimal notation may still be used by entering the dotted decimal subnet mask after the forward slash (e.g. /255.255.255.0 instead of /24).
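As an added example (not GB-OS code; the firewall's own parser may accept other forms), the following Python routines implement the four notations just described: bare host (/32), slash prefix, slash dotted-decimal mask, and hyphenated range. They also enforce the rule the text leaves implicit, that a dotted-decimal mask must be a contiguous run of ones, and expand a hyphenated range into the CIDR blocks it spans, which is how a range has to be represented once it reaches a routing or filtering engine. The addresses in the demonstration are documentation addresses (RFC 5737), not GB-OS defaults.

```python
"""Parse GB-OS style address entries into CIDR blocks.

Added example, not the firewall's own parser. Standard library only.
Accepted forms: a.b.c.d, a.b.c.d/NN, a.b.c.d/m.m.m.m, a.b.c.d-e.f.g.h
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import List

ALL_ONES = 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """Dotted-decimal mask -> prefix length. Rejects non-contiguous masks
    such as 255.0.255.0, which the 'count the ones' rule alone would accept."""
    bits = int(IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"not a contiguous subnet mask: {mask}")
    return ones


def mask_from_prefix(prefix: int) -> str:
    """Prefix length -> dotted-decimal mask (the reverse conversion)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def parse_address_entry(entry: str) -> List[IPv4Network]:
    """Return the CIDR blocks an address entry covers, smallest count possible."""
    text = entry.strip()
    if "-" in text:
        lo_text, hi_text = text.split("-", 1)
        lo, hi = IPv4Address(lo_text.strip()), IPv4Address(hi_text.strip())
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        # A range need not align to a power of two, so it may need several blocks.
        return list(summarize_address_range(lo, hi))
    if "/" in text:
        addr, mask = text.split("/", 1)
        prefix = int(mask) if mask.isdigit() else prefix_from_mask(mask)
        # strict=False: a host address inside the block is accepted and the
        # network address is derived from it, as when an interface is entered.
        return [IPv4Network((addr.strip(), prefix), strict=False)]
    # No mask at all: a single host, i.e. /32.
    return [IPv4Network((text, 32))]


def usable_hosts(net: IPv4Network) -> int:
    """Host addresses excluding network and broadcast (/31 and /32 have none to exclude)."""
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def entry_contains(entry: str, host: str) -> bool:
    """Would a filter using this address entry match traffic from/to `host`?"""
    ip = IPv4Address(host)
    return any(ip in net for net in parse_address_entry(entry))


if __name__ == "__main__":
    for sample in ("192.0.2.10", "192.0.2.77/24", "192.0.2.77/255.255.255.0",
                   "192.0.2.7-192.0.2.15", "192.0.2.0/28"):
        blocks = parse_address_entry(sample)
        print(f"{sample:28} -> {[str(b) for b in blocks]} "
              f"usable={[usable_hosts(b) for b in blocks]}")
```

Two points worth noticing when running it: the entry 192.0.2.7-192.0.2.15 does not collapse to one block, so a range that looks like "nine addresses" becomes a /32 plus a /29 in any CIDR-based filter; and 192.0.2.77/24 is silently widened to 192.0.2.0/24, which is convenient for interfaces but a source of over-broad filters if an operator intended a single host.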
Re-configuring Your Computer
If you temporarily changed your computer's network configuration to connect to the firewall, restore the original configuration now. If you formed a temporary peer network during network configuration, disassemble it now; reconnect your computer and the firewall to your network. Now your computer and firewall should both be members of your network. Reboot your computer if necessary to effect the network configuration change.

Accessing the Firewall
Access the firewall using the IP address you assigned to the protected network. The firewall should now be active and functioning in default security mode (all internal users are allowed outbound and no unsolicited inbound connections are allowed). You can now perform any additional configuration tasks, including changing the administrative password.

Caution: Failure to change the default password is a serious security vulnerability. GTA recommends changing the default user ID and password to prevent unauthorized access.

Configuration Using GBAdmin
If your computer's operating system is Microsoft Windows, you can choose to configure your firewall by using the GBAdmin software you installed earlier instead of using the web interface. GBAdmin can only be installed on a local computer that uses Windows 98, NT 4.0, XP, Me, 2000 or later supported versions.

1. Select GBAdmin from the Windows Start menu to start GBAdmin.
2. Select File from the tool bar, then select Open. In the dialog box's SOURCE area, select NETWORK. In the SERVER field, enter the firewall's default IP address. Make sure that there is a check in the box next to CONFIGURATION in the INFORMATION TO LOAD section. Once this is complete, press the RETURN key or click OK.

Opening a GBAdmin Firewall Connection

3. GBAdmin will prompt you for a user ID and password to the firewall.
Enter the default USER ID, which is "gnatbox" (all lower case), and the default PASSWORD, which is also "gnatbox" (all lower case), then press the RETURN key or select OK when finished.

Caution: Entering the Default User ID and Password. GTA recommends changing the default user ID and password to prevent unauthorized access.
GBAdmin Network Information Window

Entering Your Network Information
The firewall has default settings which need to be changed to match your network settings. Click Basic Configuration to expand the menu, then select Network Information. Only one external and one protected network are required to initially configure and test the firewall. The other network interface can be defined as any of the three network types: protected, external or PSN (Private Service Network, GTA's DMZ).

1. On the Network Information section:
   - Enter IP addresses and subnet masks (in either dotted decimal or CIDR notation, as described in the web setup method) for your external and protected networks on each port.
   - Disable the DHCP option on the external network if necessary.
   - Enter the default route to your Internet router's IP address.
   - Enter the firewall's domain name according to your DNS server. This will automatically generate a new SSL certificate for the firewall using its domain name.

Caution: Closing GBAdmin without clicking SAVE will cause the entered data to be lost, and your firewall will remain in default configuration. You will need to re-connect to the firewall and re-enter the network information.

2. Once you have completed the Network Information form, apply the changes by clicking SAVE. The firewall will then join the assigned network. Close GBAdmin.

If you changed the IP address of network interface 0's protected network, the firewall will now be on a different logical network than your computer, and you will not be able to access the firewall from your computer. You must restore your computer's original network settings to access the firewall again.

Re-configuring Your Computer
If you temporarily changed your computer's network configuration to connect to the firewall, restore the original configuration now.
If you formed a temporary peer network during network configuration, disassemble it now; reconnect your computer and the firewall to your network. Now your computer and firewall should both be members of your network. Reboot your computer if necessary to effect the network configuration change.

Accessing the Firewall
Access the firewall using the IP address you assigned to the protected network interface. The firewall should now be active and functioning in default security mode (all internal users are allowed outbound and no unsolicited inbound connections are allowed). You can now perform any additional configuration tasks.
3 Basic Configuration

Basic Configuration contains functions for firewall setup and configuration, organized in order of the function's appearance on the menu in the web interface: DNS, Features, Network Information, PPP and Preferences.

DNS (DNS Proxy)
DNS can enable the DNS proxy, establishing the firewall as a proxy for translating host (domain) names into IP addresses. The DNS proxy requires a remote access filter to allow DNS proxy replies and to specify which hosts may use the DNS proxy. The hosts are represented either by an IP address or by an address object. The DNS proxy sends a request to all available DNS resolvers (those listed and those acquired dynamically) to resolve a host name; the first reply is sent to the requestor.

A DNS proxy is unnecessary when a local DNS server is configured, so enabling the DNS Server disables the DNS Proxy feature. DNS services are optional on certain GTA firewalls. Use an internal network DNS server if one is available; see the Services chapter to configure the firewall as a DNS server. Use a DNS server from outside your network (e.g. a name server accessed through your ISP) as your external network DNS server.

Field: Description

Primary Domain Name: Primary domain name used for the network (e.g. gta.com).

Enable External Name Server: Use the name servers listed in this section. Disabled by default.

External Name Server IP Address: IP address of an external DNS server that will provide records for your internal DNS server/proxy.

Enable Internal Name Server: Use the name servers listed in this section. Disabled by default.

Internal Name Server IP Address: IP address of an internal DNS server.

Enable (DNS Proxy): Enable the DNS proxy. Disabled by default. Enabling the DNS Server under Services overrides the DNS Proxy.

DNS (DNS Proxy)

Features
Enter the system serial number and firewall activation codes in Features.
The RESET button reverts to the previously saved information if you have not yet saved the section.
Serial Number
Features

The firewall serial number can be found on the card shipped with the firewall (along with the activation code), and on GTA firewall appliances. After registration, the serial number can also be retrieved from the GTA online support center.

Activation Codes
Activation code entry is necessary to use GB-Ware, feature updates or subscription services. Enter activation codes (hexadecimal characters only: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F) in the ACTIVATION CODE fields and select SAVE. The firewall will display a description of what has been activated. If this description is garbled or does not appear, the code has been entered incorrectly or is not correct for the current system or version. Activation codes are available on the card shipped with your product or on the GTA Support web site after registration.

Additional entry spaces will be added as codes are entered and saved. Up to twenty (20) activation codes may be entered in the Features section. It is not necessary to delete old activation codes. However, if you would like to delete an entry, remove all of the code characters and select SAVE. To add entries in GBAdmin, click the ADD (+) button and then select SAVE. To delete a saved code, click the DELETE button, then click SAVE. The RELOAD button reverts to the previously saved information if you have not yet saved the section.

Activation codes will not function without the firewall serial number. Hardware appliances have this number pre-installed.

Network Information
Much of the Network Information data will have been entered during installation, including the required protected and external networks.
Field: Description

Logical Name: Interface object name for this logical network interface.

Type: Interface type: protected, external or PSN.

IP Address: IP address/subnet mask assigned to this logical interface. PPP or DHCP connections do not require an IP address.

NIC (& PPP): Network interface card (network port or NIC) to associate with the network. The drop-down menu lists all physical devices on the firewall, including PPP connections. For PPP, configure a PPP/PPPoE/PPTP connection (PPP0, 1, 2, 3 or 4), then select it here.

DHCP: Dynamic Host Configuration Protocol. When checked, DHCP is used to obtain an IP address for the specified interface. DHCP is typically required for cable modem connections, but may be used on any network interface.

Gateway: (Web only.) When checked, makes the interface an Internet gateway (default route).

Host Name: Identifying host name for the firewall. GTA recommends using a fully qualified domain name.

Default Gateway: Selected default route. Additional gateways can be defined in Gateway Policies. GBAdmin: when the gateway is dynamic, select the gateway's logical interface or interface object.

Network Information: Logical Interfaces, Host Name and Default Gateway

Logical Interfaces
A GTA firewall requires two logical networks, a protected and an external network, except when in bridging mode. Additional external and protected logical networks can be added, as well as one or more Private Service Networks (PSN). A logical interface:
   - assigns a network (represented by an IP address and subnet mask) to a physical NIC
   - designates a network type
   - identifies a gateway (default route)

The logical interface name serves as an interface object, allowing the administrator to reference the interface quickly when configuring the firewall. Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask.
If a subnet mask is not entered, the system will attempt to create one based on the network class: in CIDR notation, Class C = /24, Class B = /16, Class A = /8. This helps to prevent misconfiguration.
Interface Object Names
Interface object names may not use a number as the first character.

Caution: If a logical name is changed, but a filter that references it is not updated to refer to the new name, you will lose all connections maintained by the filter. To change any object name without losing connectivity, copy the object, change the name in the copy, enable it, then update the configuration references with the new name. After saving the new object, you may delete the original. Alternatively, to change interface logical names, first set filters to accept an IP address and/or interface of Any, then change the interface name and restore the filters to accept the new logical name.

Host Name
The host name is the system name assigned to the GTA firewall and used to tag log messages. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, consisting of a host, domain, and top-level domain (e.g. gtafirewall.example.com). Host names must be unique. If your network DHCP servers make IP address assignments based on the system name, enter the host name, often assigned by your ISP. Changing the host (domain) name of your firewall will cause it to automatically generate a new SSL certificate using the new host name.

Default Gateway
On a static interface, enter the IP address of the selected default route in the DEFAULT GATEWAY field. This value is usually the IP address of the router connecting the network to the Internet, and it must be on the same logical network as the associated external interface except when using PPP. The gateway value will be set automatically on a dynamically negotiated interface (DHCP or PPP). On the web interface, select the GATEWAY check box for the DHCP or PPP network in the LOGICAL INTERFACES section to make the network the default gateway (default route) to the Internet.
In GBAdmin, select the interface object of the DHCP or PPP connection from the Default Gateway drop-down menu.

Gateway Policies will initially take the first gateway from the default route listed in Network Information. Further modifications to Gateway Policies cause it to override the default route listed in Network Information: GATEWAY 1 in Gateway Policies becomes the default route, regardless of the default route listed in Network Information.

Bridged Interfaces
In BRIDGED INTERFACES, additional interfaces can be configured to share the IP address of one of the primary logical interfaces. TCP/IP packets pass between these bridged interfaces according to normal firewall rules on specified ports if allowed by a passthrough filter.

Caution: Packets with non-TCP/IP Ethernet protocols that have been allowed in Bridged Protocols can bypass all filtering between the bridged interfaces. Allowing unnecessary protocols, or protocols that may contain untrusted traffic, can pose a serious security vulnerability to your network, and is not recommended by GTA.

Field: Description

Logical Name: Interface object name for this bridged logical network interface.

Type: Interface type: protected, external or PSN.

Interface: Logical interface to which to bridge the network interface card/physical interface in the NIC field.

NIC: Network interface card ("port"; see NICs or physical interfaces) to associate with the bridged network. The drop-down menu lists all physical devices on the firewall.
Network Information: Bridged Interfaces

Bridging Mode
By default, a GTA firewall acts as a firewall router, so that systems on the internal network see it as a gateway to the external network, and systems on the external network see it as the gateway to the internal network. In bridging mode, the GTA firewall connects networks transparently like a bridge for specified Ethernet protocol types, while continuing to filter other IP packets as a firewall.

Caution: There is no firewall filtering of the protocol types that have been allowed in Bridged Protocols. Allowing unnecessary protocols, or protocols that may contain untrusted traffic, can pose a serious security threat to your network, and is not recommended by GTA.

A GTA firewall in bridging mode can be inserted behind a router to the Internet, between the router and the internal networks, without changing IP addresses, gateways or any other network addresses for the rest of your network hosts. A GTA firewall in bridging mode can also be inserted in an internal network to separate networks that are at a peer level, or to further segregate Private Service Networks (a.k.a. DMZ). This configuration allows two internal networks to communicate as one, while filtering non-bridged IP traffic between them and preventing the passage of non-IP protocols (except ARP, which operates at both the data link layer 2 and the network layer 3). In bridging mode, a GTA firewall can be connected directly to a host, a switch, a router or a non-bridged firewall. Bridging can only be configured in GBAdmin or the web interface.

Gateway Policies
In order for gateway selection (see Routing's Gateway Policies) to function correctly in bridging mode, the host must use the IP address of a logical interface on the firewall as its gateway.

Services
The H2A High Availability service is not supported in bridging mode. PPP, PPPoE and PPTP are not supported on a bridged interface.
If a host points to a router or gateway on a bridged interface as its default route to the Internet, the firewall will override that preference, routing the packet through its logical external network interface. Also, in bridging mode (as in unbridged firewall operation) any packet that goes through the firewall will use the firewall's routing tables. This means that even though a host may have indicated a particular route, the firewall will instead use the routes set up in Static Routing and RIP to route the traffic.

Network Interface Cards (NICs) or Physical Interfaces
Physical interfaces are supported and configured network interface devices detected by the system, including configured Ethernet NIC and PPP connections.

Field: Description

NIC (& PPP): Network interface (Ethernet) cards detected, including configured PPP (modem) connections.

MAC Address: If the physical interface device is an Ethernet card, the card's MAC address will be displayed. Record MAC addresses before installing system software.

Connection Option: AUTO is generally recommended. Selections are: AUTO: auto-select the active network connection. UTP_10: unshielded twisted pair interface at 10 Mbps. TX_100: unshielded twisted pair interface at 100 Mbps. Duplex: Default (full- or half-duplex) or full duplex.

MTU: Maximum Transmission Unit. Incorrect MTUs can cause poor performance, but it may be beneficial to increase the MTU on a gigabit Ethernet interface when jumbo packets are to be used.
Network Information: Network Interface Cards (NICs)

PPP
PPP connections are frequently used in conjunction with dial-up modems or DSL ISPs. PPP configures a PPP (Point-to-Point Protocol), PPPoE (PPP over Ethernet) or PPTP (Point-to-Point Tunneling Protocol) connection for the firewall. After creating the configuration in the PPP section, enable the connection in the Network Information section by associating the configuration with the chosen logical interface.

PPP
Insert PPP - Select Transport Protocol

In GBAdmin, create a new PPP configuration by selecting the ADD (+) button from the tool bar, creating a blank PPP tab with three sub-tabs. Create a PPPoE or PPTP configuration by selecting the PPPOE or PPTP check box, which changes the selections on each sub-tab.

PPPoE
PPPoE is commonly used to assign IP addresses for DSL service providers. GB-OS automatically detects connection preferences, so that the user is no longer required to enter chat or dial scripts, select CHAP or PAP, or set parity and flow control.

Enabling PPP/PPPoE in Network Information
1. After completing the PPP or PPPoE configuration in the PPP section, go to the Network Information section and select the NIC number (e.g. PPP0) on the logical interface for the external network interface you have selected for the PPP connection.
2. Select the logical interface as the gateway. Once these have been selected, the system will dynamically negotiate the IP address of the gateway. The DHCP selection will be unavailable.

Caution: PPP connections are automatically named PPP0, 1, 2, 3 or 4, in order of creation. When an entry in the PPP section is deleted, the remaining entries will be renamed according to the new order. Interfaces which use PPP connections must be changed to the revised designations.

PPTP
PPTP (Point-to-Point Tunneling Protocol) is typically used on GTA firewalls as an alternative to DHCP when allocating subnet IP addresses.
It encapsulates and uses weak encryption on packets so that data or internal network IPs cannot be seen during transit over phone lines or the Internet. It does this by creating a link from an unroutable internal IP address to an external IP address through the use of an internal PPTP server with a routable IP address.

To use PPTP:
1. Create the settings for a PPTP connection. Click Basic Configuration, then PPP, then the ADD (+) button to add a connection. Select the PPTP transport method. Enter your PPTP configuration options on the next screen, including a dial-up number if using a dial-up modem connection. Click the OK button when you are finished, then click the SAVE button.
2. Define a logical interface (usually your external network) as PPP type. In Network Information, select your PPTP object as the NIC for an external network, e.g. NIC: PPP0; click the SAVE button, then the OK button.
3. Enable use of PPTP over your chosen external network interface. Return to the PPP section and edit your PPTP object to enable PPTP over the interface object from Network Information that you just defined as PPP, e.g. Interface: <EXTERNAL>. Click the OK button, then the SAVE button.
4. Create a remote access filter (RAF) that allows generic routing encapsulation (GRE), as used by PPTP, to be accepted and routed to your internal network. Click Filters, then Remote Access. Click the (check) button next to the ALLOW GRE FROM PPTP SERVER field. You may edit the default filter, or you may click the COPY button at the bottom of the page to make a separate filter templated on that default filter. Click the OK button, then the SAVE button.

Once the settings have been saved, the PPTP connection will dynamically negotiate the gateway IP address.

Caution: Default RAFs are broad in scope. Modification may be required to meet the standards of your security policy.

Field: Description (default filter "Allow GRE from PPTP server")

Type: Accept

Interface: ANY

Authentication Required: Select

Protocol: GRE (IP Protocol 47)

Source: <Use IP address>

Destination: <Use IP address>

Settings: Fields not illustrated above can use the defaults or custom settings.
Field: Description

Name: PPP0, 1, 2, 3 or 4. The name is automatically assigned, and will be the same for a PPPoE connection. The name will appear as a tab in GBAdmin.

Description: A user-defined description of the connection.

Connection Type:
   - Dedicated: Establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted. Select for PPTP. The logical choice for PPPoE, as DSL is an always-on connection. Select to test a configuration.
   - On-demand: Initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired.
   - On-enabled: Requires manually enabling the external interface to initiate a session and establish a link with the remote site. The link will stay established until disabled. Interfaces may easily be enabled/disabled in Interfaces under Administration.

Transport: Select in the INSERT PPP dialog box. GBAdmin: enable by selecting the check box.

NIC**: Network interface on which PPPoE will run.

Interface***: Select the interface defined in Network Information.

PPTP Server***: Enter the IP address of the internal PPTP server.

Primary COM Port*: COM port used for the PPP interface. COM 1-4 are allowed, except for GB-1000: COM 2, and RoBoX: COM 1.

Phone Number*: Number used to dial the remote site. This field should contain any required access codes, e.g. 9 to dial out. Characters used for pauses and secondary dial tones can be used. Consult your modem or ISDN TA manual for dialing codes.

User Name: User ID for remote access; password and user ID are generally issued by the remote site.

Password: Password for remote access, obscured in the data field.

Local IP Address / Remote IP Address: A PPP-type link uses a local and a remote IP address. If the remote site supports dynamic IP address assignment (as for most ISPs and remote sites), leave the local address set to the default. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address; PPP will use that address to dynamically negotiate the actual value. If the remote IP address is static (dedicated), enter the address and leave the local IP address set to the default. If both addresses are static, set both fields to the appropriate IP address.

Connection Time-out: Number of seconds during which a connection will stay connected when inactive. To prevent timing out, enter 0. Default is 600 (10 minutes).

* PPP screens only. ** PPPoE screens only. *** PPTP screens only.
Field: Description

PPPoE Provider**: Designation for the PPPoE provider. Leave blank if you do not know the exact designation; the value is not required for the connection, and an incorrect setting can prevent the connection.

MTU**: Maximum Transmission Unit. GTA recommends setting the field to 0, which allows the system to negotiate the MTU value for each PPPoE connection. Incorrect values can cause the system to perform poorly, or not at all.

Login User Name: For cases in which CHAP or PAP is negotiated and a separate name and password are required to log in.

Login Password: For cases in which CHAP or PAP is negotiated and a separate name and password are required to log in.

Speed: DTE (Data Terminating Equipment) speed is the speed at which the firewall communicates with the modem. Options: 1200, 2400, 4800, 9600, 19200, 38400, 57600, 76800 and higher.

Number of Retries*: Number of attempts the system will make to establish a connection. After failure, any new packets arriving for the external network will start a new dialing attempt. Dedicated connections do not use retries; they continue to try to connect. Default is 3.

Time before retry*: The amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds.

Address/Field Compression: Options: Enable (local) or Accept (remote).

Line Quality Report: Options: Enable (local) or Accept (remote).

Protocol Field Compression: Options: Enable (local) or Accept (remote).

Van Jacobson Compression: Options: Enable (local) or Accept (remote).

Don't Bond Channels*: Use to configure ISDN connections. Check with your provider for required settings. Off by default. Options: Yes/No.

Switch Type*: Use to configure ISDN connections. Check with your provider for required settings. Options: Default; NI-1; DMS-100; 5ESS P2P; 5ESS MP.

Debug: These options provide helpful information when creating a PPP configuration. Chat records dialing and login chat script conversations. LCP records LCP conversations; use it to set non-default Link Control Protocol options. Phase records network phase conversations; use it to determine the LOCAL and REMOTE IP address specifications. Options: CHAT, LCP, and/or PHASE.

* PPP screens only. ** PPPoE screens only. *** PPTP screens only.

Each Link Control Protocol (LCP) option has a pair of settings, one for each side of the link: Enable for local and Accept for remote. If Local is enabled, the firewall will request that the remote side use that LCP option. If Local is disabled, the firewall will not send a request for that option. If Remote is set to Accept (enabled), and the remote side of the connection offers to use the option, the firewall will accept it. If it is set to Deny (disabled), the firewall will not accept the option if the remote side offers it.

Default LCP settings are correct for most cases. If you are unsure which options to select, use the default settings and enable the LCP debug option. Then, when a session is attempted, use the debug data in the logs to determine which options have been requested and rejected, and match your LCP settings to the desired requests.
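The Enable/Accept rules above can be checked against a small model. The following is an added example, not GB-OS code: it applies the four rules to each LCP option for both directions of a link, and derives settings from LCP debug output. The log line format read by `settings_from_debug` ("LCP: peer requested ..." / "LCP: peer rejected ...") is constructed for the example and is not the firewall's actual log format.

```python
"""Added example (not GB-OS code): model the per-option Enable/Accept LCP rules."""
from dataclasses import dataclass

LCP_OPTIONS = (
    "Address/Field Compression",
    "Line Quality Report",
    "Protocol Field Compression",
    "Van Jacobson Compression",
)


@dataclass(frozen=True)
class LcpSetting:
    enable_local: bool    # Enable: this side asks the peer to use the option
    accept_remote: bool   # Accept: this side agrees if the peer offers the option


def default_settings():
    """The default for every option: request it and accept it."""
    return {opt: LcpSetting(True, True) for opt in LCP_OPTIONS}


def requests_from(settings):
    """Options a side will ask for: exactly those with Enable (local) set."""
    return [opt for opt in LCP_OPTIONS if settings[opt].enable_local]


def answer(settings, offered):
    """Split a peer's offer into (accepted, rejected) by this side's Accept/Deny setting."""
    accepted = [opt for opt in offered if settings[opt].accept_remote]
    rejected = [opt for opt in offered if not settings[opt].accept_remote]
    return accepted, rejected


def negotiate(firewall, peer):
    """Run both directions of the exchange.

    Returns {option: (firewall_to_peer, peer_to_firewall)}; an option is in use in
    a direction only when the requesting side enabled it and the other side accepts it.
    """
    fw_accepted, _ = answer(peer, requests_from(firewall))      # peer judges our requests
    peer_accepted, _ = answer(firewall, requests_from(peer))    # we judge the peer's requests
    return {opt: (opt in fw_accepted, opt in peer_accepted) for opt in LCP_OPTIONS}


def settings_from_debug(log_lines):
    """Derive settings that match the peer's behaviour from constructed LCP debug lines.

    A rejected request turns Enable off for that option (stop asking); a request
    from the peer turns Accept on; other options keep the default.
    """
    settings = default_settings()
    for line in log_lines:
        if not line.startswith("LCP: peer "):
            continue                                   # CHAT/PHASE lines are ignored
        verb, _, opt = line[len("LCP: peer "):].partition(" ")
        if opt not in settings:
            continue
        if verb == "rejected":
            settings[opt] = LcpSetting(False, settings[opt].accept_remote)
        elif verb == "requested":
            settings[opt] = LcpSetting(settings[opt].enable_local, True)
    return settings


if __name__ == "__main__":
    # Constructed peer that neither requests nor accepts Line Quality Reports.
    peer = default_settings()
    peer["Line Quality Report"] = LcpSetting(False, False)
    for opt, (out, back) in negotiate(default_settings(), peer).items():
        print(f"{opt:28s} firewall->peer={out!s:5} peer->firewall={back}")
```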
Insert PPP - Serial PPP

Insert PPP - PPPoE
Insert PPP - PPTP

Preferences (Basic Configuration)
Preferences stores an administrator's contact information used by the e-mail, report and list functions.

Field: Description

Name: Primary contact name of the administrator.

Company: Company or organization name of the owner.

Address: E-mail address of the administrator.

Phone Number: Phone number of the administrator.

Support: Support e-mail address, supplied by GTA or your GTA Channel Partner; used if you send a configuration report to GTA Support.

Character Set: (Web only.) Select the appropriate character set for your language.

Preferences (Basic Configuration)
4 Services

Services configures the built-in services or proxies that may exist on a GTA firewall: DHCP Server and DNS Server; Dynamic DNS; Mail Sentinel; GB-Commander Server; H2A High Availability; Network Time Service; Remote Logging; and SNMP. None of these services are required for the firewall, but many of them can increase network functionality and security. Some services are optional. See the documentation for your particular firewall model to ascertain the available services. GTA suggests routing all incoming e-mail through the Mail Sentinel proxy to increase network security.

DHCP Server
DHCP Server automates assignment of IP addresses and configures the DNS server and gateway for computers on local networks using DHCP (Dynamic Host Configuration Protocol). The DHCP Server manages a range of IP addresses (a pool) which can be assigned to hosts. Non-contiguous sets of IP addresses can be defined using exclusion ranges. Exclusion ranges indicate which IP addresses within the previously defined address range must not be assigned to hosts.

When the DHCP Server receives an initial request from a client host, it assigns an available IP address from its pool. Upon subsequent requests by the same client, the DHCP Server will attempt to reassign the same IP address. The only case in which it will not reassign the same IP address is when the number of DHCP clients exceeds the number of IP addresses available in the pool, and the IP address has been assigned to a different host. Changes to DHCP Server are applied when you click SAVE.

The default gateway is usually either the firewall's protected/PSN network card or the Internet router's IP address, as specified in Network Information or Gateway Policies.

Field: Description

Disable: Disable this DHCP IP address pool.

Description: User-defined description of the IP address pool.

Beginning Address: First IP address of the pool's range.

Ending Address: Last IP address of the pool's range.

Net Mask: Subnet mask used to divide hosts into network groups.

Lease Duration: Maximum length of time the assigned IP address may be used before renewal. A client must negotiate IP address renewal before the expiration of the lease, or quit using the IP address.

Exclusion Ranges: Define up to five address ranges to exclude from each DHCP range. To exclude a single IP address, enter it in both the beginning and ending address fields.

Domain Name: DNS domain name, typically that of the local network.

Name Server IP Address: IP address of a DNS server that will be issued to the requesting client. This can be any valid server: a local server, such as the built-in DNS Server, or a remote server, such as one located at an ISP. Up to three name servers can be defined.

Default Gateway: Gateway (default route) given to DHCP clients. For hosts located behind a firewall (on protected or PSN networks) this will be the IP address of the firewall's internal network card.
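The following is an added example, not GB-OS code, of a DHCP pool that behaves as the text above describes: a beginning and ending address, up to five exclusion ranges, and the rule that a returning client gets its previous address back unless that address has meanwhile been handed to a different host. It additionally refuses a pool that does not lie inside the network the firewall is attached to. Client identifiers, addresses and the attached network are constructed sample values.

```python
"""Added example (not GB-OS code): DHCP address pool with exclusions and sticky reassignment."""
import ipaddress

MAX_EXCLUSION_RANGES = 5   # limit stated for each DHCP range


def pool_fits_network(begin: str, end: str, network: str) -> bool:
    """True when both ends of the pool lie inside the attached network."""
    net = ipaddress.IPv4Network(network, strict=False)
    return ipaddress.IPv4Address(begin) in net and ipaddress.IPv4Address(end) in net


class DhcpPool:
    def __init__(self, begin, end, attached_network, exclusions=()):
        if not pool_fits_network(begin, end, attached_network):
            raise ValueError("pool addresses must belong to an attached network")
        if len(exclusions) > MAX_EXCLUSION_RANGES:
            raise ValueError(f"at most {MAX_EXCLUSION_RANGES} exclusion ranges per pool")
        self.begin = ipaddress.IPv4Address(begin)
        self.end = ipaddress.IPv4Address(end)
        if self.begin > self.end:
            raise ValueError("beginning address is after ending address")
        # A single excluded address is entered as both ends of a range.
        self.exclusions = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in exclusions]
        self.leases = {}      # client_id -> address currently held
        self.last_seen = {}   # client_id -> address held most recently (for reassignment)

    def _excluded(self, addr) -> bool:
        return any(a <= addr <= b for a, b in self.exclusions)

    def candidates(self):
        """Every assignable address in the pool, in ascending order."""
        addr = self.begin
        while addr <= self.end:
            if not self._excluded(addr):
                yield addr
            addr += 1

    def free_count(self) -> int:
        in_use = set(self.leases.values())
        return sum(1 for a in self.candidates() if a not in in_use)

    def request(self, client_id):
        """Assign an address: the client's previous one if still free, otherwise the
        first free address; None when the pool is exhausted."""
        if client_id in self.leases:
            return self.leases[client_id]
        in_use = set(self.leases.values())
        previous = self.last_seen.get(client_id)
        if previous is not None and previous not in in_use:
            chosen = previous
        else:
            chosen = next((a for a in self.candidates() if a not in in_use), None)
            if chosen is None:
                return None
        self.leases[client_id] = chosen
        self.last_seen[client_id] = chosen
        return chosen

    def release(self, client_id):
        """Lease expired or released: the address returns to the pool, the client is remembered."""
        self.leases.pop(client_id, None)


if __name__ == "__main__":
    pool = DhcpPool("192.0.2.10", "192.0.2.14", "192.0.2.0/24",
                    exclusions=[("192.0.2.12", "192.0.2.12")])
    print("assignable:", [str(a) for a in pool.candidates()])
    print("client-a gets", pool.request("client-a"))
```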
DHCP Server: Insert DHCP Address Range

The DHCP IP address range must consist of subnetwork IP addresses for one of the firewall's attached networks. The DHCP Server cannot allot IP addresses that are not part of its attached networks.

In GBAdmin, first click the ENABLE check box to allow DHCP to be edited, then click ADD (+) to add a DHCP service. Select the inserted line. Once the fields have been saved, the basic information will appear in the DHCP service line below. To add an exclusion range, click ADD (+) next to the EXCLUSION fields. This will create a blank IP address for both the beginning and the ending of the range. Double-click within the field to edit the BEGINNING IP address. Delete any extra characters, then edit the ENDING field.

DNS Server
DNS (Domain Name System) Server allows the firewall to be configured to function as a primary domain name server, maintaining a database of domain names and the IP addresses of hosts where those domains reside. Enabling the DNS Server section overrides the DNS Proxy in the DNS section of Basic Configuration. On some firewall products, DNS Server is optional and requires an activation code. See your product specifications for more information.

GTA recommends a thorough knowledge of the domain name system before configuring any DNS server. One reference is DNS and BIND, 3rd Edition, by Paul Albitz & Cricket Liu, published by O'Reilly and Associates. The built-in DNS Server is functional and flexible enough for most firewall users, but cannot be configured to support all possible DNS options. If your network requires a more complex configuration, or hosts secondary name services, GTA suggests using a non-firewall DNS server.
Chapter 4 Services

Enable: Enable the DNS Server. Disabled by default.
Primary Server: Host name of your DNS Server. This may be the host name assigned to your firewall. When configuring an external DNS server, this will be the Internet-apparent host name. The host name should be listed as a host in the DNS Domain screen or tab.
Secondary Server: Host names of DNS servers acting as alternate name servers for the domain.
Forwarders: DNS servers that will be utilized as DNS forwarders.
Contact: E-mail address of the primary contact for the domain (e.g. [email protected]).
Network IP Address: Network address/subnet mask of the desired subnet. Class C: /24 and Class B: /16 are commonly used networks.
Reverse Zone Name: Optional name used by reverse DNS, which looks up an IP address to obtain a domain name and confirm a DNS record. The firewall can determine the zone name automatically if the subnet uses a Class A, B or C subnet mask. Reverse zone names are typically assigned by your ISP.

Subnets make a large network more manageable by splitting it into a series of contiguous address ranges.

Figure: DNS Server

DNS Domains

The DNS Domain screen allows the user to define host names and associated IP addresses (A records), aliases (CNAME records) and exchangers (MX records) for the selected domain. To create DNS domains, click the ADD (+) button and continue configuration of the DNS Server.
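The DNS Domains screen just described produces A, CNAME and MX records, and the subnet table's Reverse Zone Name is derived automatically only for class A, B or C masks. The following is an added example, not GB-OS code, that builds those records from a domain definition and derives the in-addr.arpa zone name. It assumes the MX priorities 5, 10 and 15 the field table gives for the first, second and third exchanger, and treats the aliases on a host row as CNAMEs pointing at the row's primary name; the argument layout and sample values are assumptions made for this example.

```python
"""Added example (not GB-OS code): build the records implied by a DNS Domain
definition as the manual describes it, plus the reverse zone name the
firewall derives for a class A, B or C subnet.

The argument layout (domain, domain_ip, exchangers, hosts) is an assumption
made for this example, not GB-OS's storage format.
"""
import ipaddress

MX_PRIORITIES = (5, 10, 15)  # first, second and third exchanger, per the manual


def reverse_zone_name(network):
    """Return the in-addr.arpa zone for a /8, /16 or /24 network, else None.

    The manual says the firewall derives the name automatically only for
    class A, B or C masks; other prefix lengths need an ISP-assigned name.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        return None
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def zone_records(domain, domain_ip=None, exchangers=(), hosts=()):
    """Return (name, type, data) tuples for the zone.

    hosts is an iterable of (ip, [name, alias, ...]); the first name on a
    row gets an A record and each further name a CNAME to it. A row that
    repeats an earlier IP adds aliases only, as the Host Names field says.
    """
    records = []
    if domain_ip:
        # A host may have the same name as the zone (e.g. the web server).
        records.append((domain, "A", domain_ip))
    if len(exchangers) > len(MX_PRIORITIES):
        raise ValueError("at most three mail exchangers")
    for prio, mx in zip(MX_PRIORITIES, exchangers):
        records.append((domain, "MX", f"{prio} {mx}"))
    primary_by_ip = {}
    for ip, names in hosts:
        names = list(names)
        if ip in primary_by_ip:
            aliases, primary = names, primary_by_ip[ip]
        else:
            primary, aliases = names[0], names[1:]
            primary_by_ip[ip] = primary
            records.append((f"{primary}.{domain}", "A", ip))
        for alias in aliases:
            records.append((f"{alias}.{domain}", "CNAME", f"{primary}.{domain}"))
    return records


if __name__ == "__main__":
    # Constructed sample domain with two exchangers and one host row plus
    # a repeated-IP row that only adds an alias.
    for rec in zone_records("example.com", "192.0.2.10", ["mail1", "mail2"],
                            [("192.0.2.10", ["www", "web"]), ("192.0.2.10", ["intranet"])]):
        print("%-24s %-6s %s" % rec)
    print(reverse_zone_name("192.0.2.0/24"))
```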
Disable: Disable the domain definition so the zone will not be served by the DNS Server.
Description: Description of the domain for reference.
Domain Name: Domain name for the defined zone (e.g. gta.com).
Domain IP Address: IP address of a host to respond to the zone name. A host can have the same name as the zone, e.g. gta.com, meaning that if you have a web server, a visitor can use the zone name rather than the web server's host name.
Exchangers: When a remote system sends mail to a domain, it will query a DNS server to determine which IP addresses are designated to accept e-mail for the zone. The Mail Exchanger (MX) fields define the mail servers for the domain. When there is more than one exchanger, the order of preference is specified by entering the preferred server in the first field, followed by a second and third entry. The first mail exchanger will be priority 5, the second priority 10, and the third priority 15.
Disable (Host): Disable this host entry.
RDNS: Optional name used by reverse DNS, which looks up an IP address to obtain a domain name and confirm a DNS record. The firewall can determine the zone name automatically if the subnet uses a Class A, B or C subnet mask. Reverse zone names are typically assigned by your ISP.
IP Address: IP address of the host.
Host Names: Primary host name in the first field and aliases in succeeding fields. The domain portion of the host name should not be entered. To define more than two aliases on the web interface, repeat the IP address in the next row. These names will also be used as aliases.

Insert DNS Domains

In GBAdmin, to add a secondary name server, forwarder or subnet, click the ADD (+) button next to these fields. To add a DNS Domain, add a tab to the screen below the SUBNET field by clicking the ADD (+) button on the tool bar. To edit a specific DNS Domain, click on the domain name tab.
To add a mail exchanger or a host to the DNS Domain, click the ADD (+) button next to these fields. To enter more than one alias, separate aliases with a space.

Dynamic DNS

Dynamic DNS (DDNS) automates the process of advising DNS servers when the automatically assigned IP address for a network device is changed, ensuring that a specific domain name always points to the correct IP address. The domain name tracks the dynamic address so that other users on the Internet can easily reach the domain, allowing you to host a web site, FTP server or e-mail server, even when your IP address is dynamic.

Dynamic DNS allows you to publish your new dynamic IP address by selecting one of these services from the drop down menu: DynDNS or ChangeIP. The current external IP address on the firewall will update the selected service each time the IP address changes, or once every month, whichever comes first. To sign up for DDNS services from one of these providers, and for more information about using dynamic DNS, see the provider's web site.
Enable: Enable Dynamic DNS service. Disabled by default.
Service: Select a Dynamic DNS service provider. Requires a dynamic DNS account with that service provider.
Login User Name: A user name registered with your DDNS service provider.
Password: A password for your DDNS service provider account.
Host Name: Host name of the service that will use dynamic DNS.

Figure: Dynamic DNS

GB-Commander Server

GB-Commander, GTA's Windows-compatible software for firewall management, allows an administrator to monitor multiple firewalls from a central location, increasing efficiency and reducing monitoring costs. GTA Reporting Suite, included with GB-Commander, provides summary charts and reports for quick analysis of network usage and trends to identify potential connectivity or security issues.

GB-Commander features include:
  monitoring and configuring multiple GTA firewalls from one user interface
  defining hierarchies for monitoring and configuration
  displaying status, statistics and alarms for each monitored firewall
  processing alarm events
  sending notifications
  launching GTA Reporting Suite to chart collected data
  availability for all GTA firewall products

GB-Commander must be separately purchased and activated before these features will function. See the GB-Commander Product Guide and GTA Reporting Suite Product Guide for more information.

For the GB-Commander Server application to receive information from a GTA firewall, the GB-Commander service on the firewall must be enabled. Log in to the firewall using the web interface or GBAdmin. Select the GB-Commander Server menu item under Services and click ENABLE. Leave the BINDING INTERFACE field set to <Auto>; the firewall will detect the correct IP address. (The binding interface is used by the firewall to communicate with GB-Commander Server when using H2A High Availability or accessing through a VPN.)
Enter the Server IP address or host name of the GB-Commander Server application and define a port number, if desired. The firewall should now send information to the GB-Commander database and appear in the GB-Commander Client hierarchy. Once GB-Commander is activated and GB-Commander Server is configured, logs are sent to GB-Commander Server with bandwidth and alarm data. Firewalls that have been configured and not yet defined in the hierarchy will appear in the NOT MONITORED group, from which they can be moved into a named firewall group. Firewalls cannot be manually added to the NOT MONITORED group. Because GB-Commander can monitor multiple firewalls, it is activated separately, and does not require an activation code on each individual firewall.
Enable: Enable communication from the firewall to GB-Commander software. GB-Commander must be activated to use this option.
Binding Interface: Address from which GB-Commander Server is sourced. <Auto> indicates that the firewall should use its usual source IP address. To force data packets to have another source IP address, choose the desired interface object from the drop down list. <Auto> by default.
Server: IP address or host name of the computer where GB-Commander is installed. To use a different port, enter the IP address and port number in the standard format, e.g. :76 or example.gta.com:76. TCP port 76 by default.
Preshared Secret: ASCII or HEX value. The preshared secret as defined in GB-Commander. This field is case-sensitive.

Figure: GB-Commander Server

High Availability

H2A High Availability is a GTA firewall failover option, allowing multiple GTA firewalls to operate as a virtual single firewall, ensuring that network access and security are maintained with minimum downtime. This section allows the firewall to be configured as one of a high availability pair or group. The service requires no obvious changes to your existing network, making it transparent to end users.

H2A High Availability is available on some GTA firewalls and requires a feature activation code. The H2A High Availability Feature Guide details how to configure and utilize the option. Saving this configuration section will cause the firewall to reboot. H2A High Availability is not supported in bridging mode.

Enable: Enable H2A. An activation code is required to use this option.
Status: H2A mode: Init, Slave or Master will display. Not editable.
VRID: Value between 0 and 15 for the VRID (Virtual Router ID), used to uniquely identify the H2A group. All systems in the group must have the same VRID.
Priority: Number between 1 and 255. The firewall with the highest priority and confirmed communications with beacons will operate in Master mode, and will process network traffic as the virtual firewall. If priority numbers are not set, the pair will select the master by automatically giving one system higher priority.
Notification: E-mail address to notify when H2A status changes.
Name: Name to identify this member of the H2A group.
Interface*: Firewall interface location. Any change to the name assigned to the specified network interface on the Network Information section will change its interface object in the H2A configuration. Interfaces may only be used once in the H2A screen. In GBAdmin, an H2A member that has already been selected for one interface will not appear again.
Virtual IP Address: Virtual IP address used for a given network interface. (This IP address is for the firewall users.)
Beacon: Up to three beacon IP addresses. Beacons are IP addresses periodically pinged to test network connectivity. Normally, one beacon address is the H2A IP address on another H2A firewall; do not make it the only beacon, though, since that could produce inaccurate failover actions.

*H2A systems cannot use dynamically assigned interfaces.
Figure: H2A High Availability
Figure: H2A High Availability - Update Slave

Mail Sentinel (E-mail Proxy)

Mail Sentinel configures an SMTP (Simple Mail Transfer Protocol) proxy for inbound e-mail on TCP port 25. Mail Sentinel can be used to shield an internal server from unauthorized access and reduce unsolicited e-mail (spam). Mail Sentinel will respond on any external network IP address unless a TCP tunnel is created on port 25.

Caution: The IP address receiving e-mail from Mail Sentinel should not simultaneously have an inbound tunnel on TCP port 25, because this will bypass the proxy and could compromise your security.

With every message, Mail Sentinel must choose to accept or deny transmission. Access control lists (ACLs) contain the criteria that cause an e-mail to be accepted or denied (such as white lists and black lists), and can define the destination server. ACLs may also contain Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus options, which you may apply on a per-ACL basis.

Mail Sentinel proxy ACLs are evaluated in the order they are listed. When the proxy receives a message, proxy ACL rules are each tested for matching conditions. Once an e-mail property is matched with an ACL indicating acceptance or denial, that ACL action is performed, and no further ACLs will be tested for matching. If the ACL list has been exhausted but no match has been found, the e-mail will be rejected. To ensure their primacy, position white list ACLs and black list ACLs at the top of the proxy ACL list.

By default, the Mail Sentinel proxy denies e-mail. This default will be enacted if an e-mail does not meet any listed ACL. To ensure that all e-mail is not rejected by default, make at least one ACL of type Accept. ACLs accept or deny based upon address objects, reverse DNS, message size, mail exchange (MX), or mail abuse prevention system (MAPS) criteria. Using multiple ACLs in conjunction can sort e-mail types to different destination SMTP servers.
When considering the destination domain for an ACL match, three cases arise:
  no recipients match the ACL's destination domain
  one or more recipients match the ACL's destination domain
  all the recipients match the ACL's destination domain

If no recipients match, Mail Sentinel checks the next ACL for a match. Behavior for the other two cases is controlled by the MATCH ALL ADDRESSES check box: when unchecked, any one or more matching recipients will cause an ACL match, but when checked, all of the recipients must match to cause an ACL match.

To accept or reject e-mail regardless of its file size, enter 0 (zero) as the maximum file size in your proxy's ACL. A maximum size of zero does not mean that only zero-sized e-mail will be considered; instead, it means that the size limit consideration has been removed from the ACL.
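The ordering rules described above (first match wins, exhausted list means reject, MATCH ALL ADDRESSES semantics, maximum size 0 removes the limit) are easy to get wrong when building an ACL list. The following is an added example, not GB-OS code: a small model of that evaluation in Python. The Acl and Message classes, the domain-based matching of address objects and the treatment of maximum size as one of the ACL's match criteria are assumptions made for this example; the real proxy's data structures are not documented here.

```python
"""Added example (not GB-OS code): a model of Mail Sentinel proxy ACL
evaluation as the manual describes it.

Assumptions: address objects are modelled as sets of domains, maximum
size is treated as a match criterion, and disabled ACLs are left out of
the list by the caller.
"""
from dataclasses import dataclass, field


@dataclass
class Acl:
    description: str
    accept: bool                       # Type: Accept (True) or Deny (False)
    source_domains: set = field(default_factory=set)       # Address (Source); empty = any
    destination_domains: set = field(default_factory=set)  # Address (Destination); empty = any
    match_all_addresses: bool = False  # MATCH ALL ADDRESSES check box
    max_size_kb: int = 0               # 0 removes the size limit from the ACL
    server: str = ""                   # destination SMTP server for accepted mail


@dataclass
class Message:
    sender: str
    recipients: list
    size_kb: int


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def acl_matches(acl, msg):
    """Return True when every criterion the ACL specifies matches msg."""
    if acl.source_domains and _domain(msg.sender) not in acl.source_domains:
        return False
    if acl.destination_domains:
        hits = [_domain(r) in acl.destination_domains for r in msg.recipients]
        # Three cases: none match -> no match; all match -> match;
        # some match -> decided by the MATCH ALL ADDRESSES check box.
        if acl.match_all_addresses:
            if not all(hits):
                return False
        elif not any(hits):
            return False
    if acl.max_size_kb and msg.size_kb > acl.max_size_kb:
        return False
    return True


def evaluate(acls, msg):
    """Walk the list in order; return (accepted, description, server).

    The first matching ACL decides and no further ACL is tested. If the
    list is exhausted without a match the proxy's default applies: reject.
    """
    for acl in acls:
        if acl_matches(acl, msg):
            return (acl.accept, acl.description, acl.server if acl.accept else "")
    return (False, "default deny", "")


# Constructed sample list: white list and black list first, as the text
# recommends, then a size-limited per-department ACL and a general accept.
SAMPLE_ACLS = [
    Acl("partner white list", True, source_domains={"partner.example"}, server="mail.internal"),
    Acl("spam black list", False, source_domains={"spam.example"}),
    Acl("sales only", True, destination_domains={"sales.example"},
        match_all_addresses=True, max_size_kb=100, server="sales-mx"),
    Acl("general", True, destination_domains={"example.com"}, server="mx.example.com"),
]

if __name__ == "__main__":
    for m in (Message("a@partner.example", ["x@other.example"], 5000),
              Message("a@elsewhere.example", ["b@sales.example", "c@example.com"], 10),
              Message("a@elsewhere.example", ["b@sales.example"], 500)):
        print(m.sender, m.recipients, m.size_kb, "->", evaluate(SAMPLE_ACLS, m))
```

Note how the third sample message shows the interaction the text warns about: an oversized message to sales fails the "sales only" ACL, matches nothing else, and is rejected by the default rather than by any explicit Deny.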
Figure: Mail Sentinel Proxy - Default
Disable: Disable an individual proxy ACL.
Description: A field to record a description of the rule's function.
Type: Accept or deny. Specifies the action that should be done to e-mail matching the source, destination and other criteria.
Server: Specifies which server should receive e-mail matching the ACL criteria.
Address (Source): Specifies a source (sender) match criterion for e-mail.
Match Against MX: Makes a DNS MX (Mail Exchanger) record query that tries to match the domain in the TO: portion of an e-mail header to a domain assigned to the proxy's IP address. The e-mail is rejected if there is no match, preventing the site from being used to relay e-mail to other sites.
Match All Addresses: If checked, causes the ACL to match only if all recipients contain the destination address; if unchecked, causes the ACL to match if any one or more recipients contain the destination address.
Address (Destination): Specifies a destination (recipient) match criterion for e-mail.
Reject if RDNS Fails: Performs a Reverse DNS lookup on the remote host and refuses the connection if the lookup fails to match the host's offered identity.
Maximum Size (E-mail Proxy): Maximum size in kilobytes (KB) of message to accept. Prevents e-mail bombs (large attachments that cause problems for clients). Enter 0 (zero) to allow any message size.
Mail Abuse Prevention System: MAPS; a special DNS server that contains only reverse DNS entries of known spam servers. Default or custom MAPS objects may be specified.*
Enable (Mail Sentinel Anti-Spam)**: Enable use of Mail Sentinel Anti-Spam filtering (purchased separately).
Reject (Mail Sentinel Anti-Spam: Confirmed)**: If enabled, this rejects e-mail evaluated as confirmed spam by Mail Sentinel Anti-Spam.
Threshold (Mail Sentinel Anti-Spam: Confirmed)**: The score e-mail must receive before being categorized as confirmed spam. Higher scores are more tolerant of spam-like qualities.
Tag (Mail Sentinel Anti-Spam: Confirmed)**: If enabled, this adds user-specified text to the subject line of any confirmed spam you choose to deliver.
Quarantine (Mail Sentinel Anti-Spam: Confirmed)**: If enabled, specifies an address that should receive quarantined (redirected) confirmed spam.
Reject (Mail Sentinel Anti-Spam: Suspect)**: If enabled, this rejects e-mail evaluated as suspect spam by Mail Sentinel Anti-Spam.
Threshold (Mail Sentinel Anti-Spam: Suspect)**: The score e-mail must receive before being categorized as suspect spam. Higher scores are more tolerant of spam-like qualities.
Tag (Mail Sentinel Anti-Spam: Suspect)**: If enabled, this adds user-specified text to the subject line of any confirmed spam you choose to deliver.
Quarantine (Mail Sentinel Anti-Spam: Suspect)**: If enabled, specifies an address that should receive quarantined (redirected) suspect spam.
Enable (Mail Sentinel Anti-Virus)**: Enable use of Mail Sentinel Anti-Virus filtering (purchased separately).
Reject (Mail Sentinel Anti-Virus)**: If enabled, this rejects e-mail containing known viruses.
Tag (Mail Sentinel Anti-Virus)**: If enabled, this adds user-specified text to the subject line of any virus e-mail you choose to deliver.
Quarantine (Mail Sentinel Anti-Virus)**: If enabled, specifies an address that should receive quarantined (redirected) virus e-mail.
Maximum Size (Mail Sentinel Anti-Virus)**: Maximum size in kilobytes (KB) of message to scan for viruses. If this value is lower than the ACL's Maximum Size, e-mail may not be fully scanned for viruses. Enter 0 (zero) to scan any message size.

* Mail Abuse Prevention System LLC black lists require a subscription.
** Mail Sentinel options are purchased separately; feature activation codes must be entered before Mail Sentinel Anti-Spam and/or Mail Sentinel Anti-Virus subscription options can be enabled on an e-mail proxy ACL.
Figure: Insert Mail Sentinel Proxy ACL
Figure: Saving an E-mail Proxy ACL

Mail Sentinel subscription options require use of the standard Mail Sentinel proxy to help you remove spam and viruses from your network. Mail Sentinel options can help your Mail Sentinel proxy to decide whether to accept or reject an e-mail, as well as whether to quarantine its message. If you have purchased the Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus options for your GTA firewall, you can also allow or deny e-mail based upon spam or virus criteria. For additional flexibility, you may choose to allow e-mail through only after modifying it. (Modifications can include tagging the e-mail's subject line with user-defined text.) Quarantine and rejection controls provide the greatest safety by removing viruses at the firewall level; subject line tags allow users to be alerted while retaining final discretion over virus handling. For more information on anti-spam and anti-virus features, please refer to the Mail Sentinel Feature Guide.

Defining an E-mail White List or Black List

White lists and black lists consist of ACLs set to unconditionally accept or deny connections from a group of servers. For example, you may wish to white list the server of a known business partner to accept all e-mail from that IP, or black list a known spam server to reject all e-mail from that IP.

To define a white or black list, create a white list address object or a black list address object (you may use the white list and black list defaults as templates), then add an ACL to your Mail Sentinel proxy specifying an accept or deny action for that address object. To ensure that your white list or black list has priority over other ACL rules, move it to the top of your proxy ACL list.

White listing or black listing by source, destination, or a combination of the two may have very different effects.
For example, black listing a sender (source) will prevent everyone on your network from receiving e-mail from that source; however, setting a destination of [email protected] in addition to a source will block e-mail from that source only when it is sent to [email protected]. Conversely, setting a white list for all e-mail with a destination of [email protected] would allow anyone to e-mail that address, but allow you to black list sources sending to any other destination in subsequent ACLs. A combination of ACL order (priority) and source and/or destination contents can thereby provide for the very complex accept and deny conditions that you may have.

The following illustrations show the creation of an e-mail proxy white list and an e-mail proxy black list.

1. Create the appropriate address objects. Add unconditionally accepted addresses/domain names to a white list address object, and unconditionally denied addresses/domain names to a black list address object. The address objects must be of type Domains.
Figure: Address Objects
Figure: Insert Address Object - White List
Figure: Address Objects - with White List
Figure: Insert Address Object - Black List
Figure: Address Objects - with Black List
Figure: Address Object Saved

2. Create accept or deny Mail Sentinel proxy ACLs referencing your white list or black list. Add your white list address object to an ACL that unconditionally accepts e-mail from your white list object (the type must be Accept). Add your black list address object to an ACL that unconditionally denies e-mail from your black list object (the type must be Deny). If you wish your white list or black list to have priority over all other ACL rules, move your white list and/or black list ACL to the top of the ACL list. (ACLs that come first will be tested for a match first; if matched, an ACL will be executed, and no additional ACLs will be tested.)
Figure: Insert Proxy Access Control List - White List
Figure: Mail Sentinel Proxy - with White List
Figure: Insert Proxy Access Control List - Black List
Figure: Mail Sentinel Proxy - with Black List
Figure: E-mail Proxy Saved

RDNS

Selecting the check box REJECT IF RDNS FAILS can prevent the reception of spoofed or spam e-mail. It performs a reverse DNS lookup on the IP address of the remote host trying to make an SMTP connection, and then compares it to a DNS lookup of the proffered host name. If the lookup fails or the domain name and IP address records don't match (as may be the case with illegitimate mail servers), the connection is refused. RDNS requires a defined DNS server to function correctly. If REJECT IF RDNS FAILS is selected, legitimate hosts with misconfigured DNS entries will not be able to deliver e-mail to your domain.

Defining a Mail Abuse Prevention System (MAPS)

When deciding to accept or reject e-mail, you may wish to check the message for criteria known to a mail abuse prevention system (MAPS). When validating connections, you may use one of the pre-defined MAPS or specify a custom MAPS by using an Abuse type address object. A custom MAPS object may refer to a MAPS provider (such as mail-abuse.org) or to your own MAPS server. A MAPS server is a DNS server whose reverse DNS entries are spam servers; any name resolved by the MAPS server therefore indicates that the e-mail originated from a spam server. Additional information on creating your own MAPS server or subscribing to MAPS services is available from many sources.

To specify which address object to use as a MAPS, select an object from the pull-down menu labeled Mail Abuse Prevention System under the TO BLOCK heading in your Mail Sentinel proxy's access control list (ACL).

To define a custom MAPS, make a new address object. In the web interface, click Objects, then Addresses, and click any + (add) button. After giving your new address object a name and description, select the Abuse type. Specify your domain name or IP address under the address field. Add a description if you wish.
Note that you can define multiple MAPS servers in a single MAPS address object; this can be useful if the first MAPS is slow or unresponsive. To finalize your MAPS object definition, click the OK button, then the SAVE button.
To use your custom MAPS object, add or edit a Mail Sentinel proxy ACL and then specify the object in the MAPS section.

Figure: Insert Address Object - MAPS

Network Time Service

Network Time Service synchronizes your firewall and local computers with an Internet NTP server. NTP is highly accurate, with a resolution of under a nanosecond (one billionth of a second) and the ability to combine the output of the available time servers to reduce error. It also uses past measurements to estimate the current time when the network is down. The Network Time Service uses UTC (Universal Time Coordinated), which evolved from GMT (Greenwich Mean Time).

Enter up to six NTP servers, either by host name or IP address. These servers can be on your internal or external network. (You must have a DNS server defined in the Basic Configuration section if you use host names.)

Finding NTP Servers

Locate a server for your time zone and contact the administrator, if required. Before referencing any NTP server, make sure you adhere to the server's policies. There are many freely accessible NTP servers, but it is customary to make a formal request before utilizing the server. The following are a sample of the NTP and time server resources available:
  NIST Network Time servers
  Network Time Protocol organization
  Network Time Protocol specification: RFC 1305
  NTP Zeit

Many Network Time Server sites require administrator permission before using the time server.

Designating the Firewall as an NTP Server

The firewall can be configured as an NTP server for other hosts on the network. To designate the firewall as an NTP server, enable the Network Time Service and create a remote access filter that accepts connections on UDP port 123. Configure your hosts to indicate the firewall as their NTP server.

Enable: Enable the Network Time Service. Disabled by default.
Server: Host name or IP address of the time server.
Key: Key for the specified server, if required.
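The two DNS-based checks described in the Mail Sentinel section above, REJECT IF RDNS FAILS and the MAPS lookup, are shown here as an added example, not GB-OS code. The resolver is injected so the logic runs offline against constructed answers; the StaticResolver class, its ptr()/a() interface, the sample addresses and the MAPS zone name are assumptions made for this example. The MAPS query follows the usual DNS black list convention of looking up the reversed IP octets under the list's zone, which is one way to realize the "DNS server whose reverse DNS entries are spam servers" the manual describes; the multiple-MAPS fallback the note above mentions is implemented by trying the zones in order.

```python
"""Added example (not GB-OS code): forward-confirmed reverse DNS and a MAPS
(DNS black list) lookup, with an injectable resolver so the checks can be
exercised offline.

Assumptions: the resolver interface (ptr(ip) -> host name or None, a(name)
-> list of IPs), the constructed answers in the sample, and the DNSBL
convention of querying <reversed octets>.<zone>.
"""
import ipaddress


class StaticResolver:
    """Canned DNS answers standing in for real lookups (constructed sample)."""

    def __init__(self, ptr, a):
        self._ptr = ptr  # ip -> host name
        self._a = a      # host name -> list of ips

    def ptr(self, ip):
        return self._ptr.get(ip)

    def a(self, name):
        return self._a.get(name.lower(), [])


def rdns_ok(resolver, remote_ip, offered_name):
    """REJECT IF RDNS FAILS as the manual describes it.

    The PTR record for remote_ip must exist, match the host name the client
    offered when connecting, and resolve forward back to remote_ip. Any
    failure means the connection is refused. Legitimate hosts with broken
    reverse DNS fail this check too, as the text warns.
    """
    ptr_name = resolver.ptr(remote_ip)
    if not ptr_name or ptr_name.lower() != offered_name.lower():
        return False
    return remote_ip in resolver.a(ptr_name)


def maps_listed(resolver, remote_ip, maps_zones):
    """Return the first MAPS zone that lists remote_ip, or None.

    A hit is any A answer for <reversed-octets>.<zone>. Zones are tried in
    the order given, so a slow or dead first list can be backed by another.
    """
    octets = str(ipaddress.IPv4Address(remote_ip)).split(".")
    query = ".".join(reversed(octets))
    for zone in maps_zones:
        if resolver.a(f"{query}.{zone}"):
            return zone
    return None


def connection_decision(resolver, remote_ip, offered_name, reject_if_rdns_fails, maps_zones):
    """Combine both checks into an accept/refuse decision with a reason."""
    if reject_if_rdns_fails and not rdns_ok(resolver, remote_ip, offered_name):
        return "refused: reverse DNS check failed"
    zone = maps_listed(resolver, remote_ip, maps_zones)
    if zone:
        return f"refused: listed in {zone}"
    return "accepted"


# Constructed sample: one well-configured partner host, one host that is
# listed in a (fictional) MAPS zone, and no record at all for 203.0.113.9.
SAMPLE_RESOLVER = StaticResolver(
    ptr={"192.0.2.25": "mail.partner.example", "198.51.100.7": "mail.spam.example"},
    a={"mail.partner.example": ["192.0.2.25"],
       "mail.spam.example": ["198.51.100.7"],
       "7.100.51.198.bl.maps.example": ["127.0.0.2"]},
)

if __name__ == "__main__":
    for ip, name in (("192.0.2.25", "mail.partner.example"),
                     ("198.51.100.7", "mail.spam.example"),
                     ("203.0.113.9", "mail.partner.example")):
        print(ip, name, "->", connection_decision(SAMPLE_RESOLVER, ip, name, True, ["bl.maps.example"]))
```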
Some servers require a key value; most do not.
Figure: Network Time Service

Remote Logging

GTA firewalls support remote logging of events. Remote Logging provides a means to configure how and where log information is sent. GTAsyslog uses the TCP/IP syslog protocol for recording logs remotely. Recent events are kept in a local buffer on the firewall and can be accessed using View Log Messages under System Activity. Log messages can also be viewed from the LogView application, as a log file in a text editor such as Notepad or TextEdit, or using the GTA Reporting Suite application (available separately).

Enable Remote Logging, then select the source IP address object from the BINDING INTERFACE drop down box, and enter the server IP address and port number in the SYSLOG SERVER field. See the appendix for more information about logs and default logging.

Enable: Enable remote logging. Disabled by default.
Binding Interface: Address from which logging is sourced. <Auto> by default. Selecting <Auto> will indicate the firewall's usual source IP address to the syslog server location. To force the logging packets to have a specific source IP address, choose the interface object from the drop down menu.
Syslog Server: IP address or host name of a system that will accept the remote logging data. Data can be accepted by the supplied GTAsyslog facility or any program that accepts the syslog protocol. The port is 514 by default. To enter a different port number, use the standard format, e.g. :514 or example.gta.com:514.
Filter Facility: Logs information associated with any filter that has logging enabled. Any attempts at unauthorized access will be logged to the filter log stream.
NAT Facility: Logs information associated with Network Address Translation: essentially, outbound packets.
WWW Facility: Logs all URLs accessed through the firewall.

WELF (WebTrends Enhanced Log Format) Remote Logging

The remote logging facility uses the WebTrends Enhanced Log Format (WELF) to record log messages.
The following table shows the fields used. See the appendix for examples of log messages formatted in WELF. For more information about WELF, see com/partners/technology/welf.asp.
id: Type of record.
time: Local date and time of the event.
fw: Firewall logging the event.
pri: Event priority: 0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=information, 7=debug.
rule: Index number of the item that triggered the entry.
proto: Protocol or service used by the event.
duration: Time required for the event operation, in seconds.
sent: Number of bytes transferred from source to destination.
rcvd: Number of bytes transferred from destination to source.
src: IP address that generated the event.
srcport: Port number where the event was generated.
nat: IP address where NAT was performed for the event.
nat_port: Port number where NAT was performed for the event.
dst: IP address that received the event.
dstport: Port number where the event was generated.
interface: Network interface where the event occurred.
user: User name.
op: For HTTP and FTP, an operation such as GET or POST.
arg: For HTTP and FTP, this is the URL.
vpn: Specific VPN object; shows the most used connections.
cat_type: Local or Surf Sentinel 2.0 category: e.g. Local Accept or Deny List item; Drug Culture or Pornography.
cat_action: Action performed by the filter: Block or Pass.
fil_type: Filter description: Default, Outbound (OF), IP Pass Through (PTF) or Remote Access (RAF).
fil_action: Filter action: Block or Accept.
msg: Details events such as a VPN starting, the configuration changing, or a port scan being detected; also captures the index/rule number of the generating filter or facility.
attribute: Action taken when the filter was triggered, e.g. Alarm, E-mail, Stop.

GTAsyslog

GTAsyslog is GTA's syslog software. The configuration screen within the DBmanager software allows the user to select logging options: how the GTAsyslog and LogView software operates, and how GTA Reporting Suite accesses recorded data. GTAsyslog does not have a user interface separate from DBmanager. GTAsyslog automatically writes log data to a rotating file.
With additional licensing, GTAsyslog sends the log information to a server for GTA Reporting Suite.

Unix Facilities

A syslog service (daemon) that can accept and record the log data is a standard feature on Unix or Linux operating systems. GB-OS logging provides for Unix syslog, as well as auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, news, ntp, security, user, uucp and local0 - local7. Since syslog redirects logs to another location, a configuration file must direct the log stream to a file or receiving software. The priority (set on each filter definition) is used by the remote log host to determine if and where the information in the syslog log stream should be displayed/stored.

Filter

Filter log messages are generated due to a filter rule, either explicit or automatic. Filter messages are logged by default to local1.
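A receiving host sees each remote log message as a syslog line whose priority header encodes the facility (local1 for filter messages, as stated above) and the severity from the pri table, followed by the WELF key=value body described in the field table above. The following is an added example, not GB-OS or GTAsyslog code, that decodes both parts. It uses the standard syslog encoding PRI = facility * 8 + severity with BSD facility numbers for ntp, security and console; the sample log line is constructed for this example along the lines of the WELF table and is not copied from the GB-OS appendix.

```python
"""Added example (not GB-OS code): decode a remote log line as a syslog
receiver sees it. The <PRI> header is split into facility and severity
(PRI = facility * 8 + severity, standard syslog encoding) and the WELF
body is parsed into a dict.

Assumptions: BSD facility numbers for ntp/security/console; the sample
line below is constructed for this example, not taken from the appendix.
"""
import re
import shlex

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "security": 13, "console": 14,
    **{f"local{n}": 16 + n for n in range(8)},
}
# Severity codes 0..7 exactly as the pri column of the WELF table lists them.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Return (facility_name, severity_name) for a syslog PRI value."""
    facility, severity = divmod(int(pri), 8)
    names = {v: k for k, v in FACILITIES.items()}
    return names.get(facility, f"facility{facility}"), SEVERITIES[severity]


def encode_pri(facility, severity):
    """Inverse of decode_pri: e.g. ('local1', 'notice') -> 141."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def parse_welf(body):
    """Split a WELF body into a dict; quoted values may contain spaces.

    Tokens without '=' (the syslog timestamp and host name that precede
    the WELF fields) are skipped.
    """
    fields = {}
    for token in shlex.split(body):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_log_line(line):
    """Parse '<PRI>... WELF fields' into a dict with facility/severity added."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no syslog PRI header")
    facility, severity = decode_pri(m.group(1))
    record = parse_welf(m.group(2))
    record["facility"], record["severity"] = facility, severity
    return record


# Constructed sample: a remote access filter block, logged to local1 at
# priority notice (141 = 17 * 8 + 5).
SAMPLE_LINE = (
    '<141>Jan  1 12:00:00 fw id=firewall time="2004-01-01 12:00:00" '
    'fw=fw.example.com pri=5 rule=12 proto=tcp src=192.0.2.7 srcport=51234 '
    'dst=198.51.100.22 dstport=25 interface=EXTERNAL fil_type=RAF '
    'fil_action=Block msg="Remote access filter blocked connection"'
)

if __name__ == "__main__":
    for key, value in sorted(parse_log_line(SAMPLE_LINE).items()):
        print(f"{key:10} {value}")
```

A syslog.conf selector such as local1.notice on the receiving host is exactly the (facility, severity) pair this decoder recovers, which is how the remote log host decides where the stream is stored, as the Unix Facilities text describes.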
NAT (Network Address Translation)

Network Address Translation log messages are generated due to a NAT action. These actions can be both outbound traffic and inbound tunnel traffic. All NAT messages are logged by default to local0. By default, NAT session closes are logged at priority Notice, and NAT session opens are not logged.

WWW

WWW log messages are generated when an outbound HTTP access occurs. The complete URL is logged. All HTTP URLs are logged by default to local2. Log messages are sent at priority Notice.

SNMP

SNMP (Simple Network Management Protocol) is a standard for managing IP devices, retrieving and sending data with designated hosts. In its full implementation, SNMP uses both read and write access. In GB-OS, SNMP is read-only (preventing write access security issues). SNMP data, contained in the MIB (Management Information Base) and organized in report form, helps the administrator ensure optimal performance in the managed devices. SNMP on GB-OS systems does not have its own MIB. Instead, MIBs supplied with a third-party SNMP toolkit can function with the firewall.

SNMP version 2 provides enhancements including security and an RMON (Remote Monitoring) MIB, which provides continuous feedback without being queried by the SNMP facility. SNMP version 3 introduced a revised nomenclature for SNMP, a new access method using authentication, and the ability to encrypt SNMP data packets.

SNMP requires appropriate remote access filters. Auto-configure the filter set or create appropriate filters, then customize and enable the desired filters.

Caution: GTA strongly recommends restricting SNMP access to specific hosts in order to reduce dissemination of information about the network. Allow access to the information only from designated, secure hosts, because the data could be transmitted in clear (non-encrypted) text, providing potential attack information to any spies between the host and the firewall.
Enable (SNMP 1): Enables SNMP. Disabled by default.
Contact Information: E-mail address of the administrator.
Location: User-defined description of the administrator's location.
Enable (SNMP 2): Enable SNMP version 2.
Community: Essentially, a password. With the password, those with access can see SNMP information and/or receive trap notifications. In the full SNMP implementation, there are three community levels: read access, read-write access, and trap notification. Members of a community can access information at the level allowed in the community.
Enable (SNMP 3): Enables SNMP version 3.
User ID: User name assigned separately from other user authorization names. An extra layer of protection against impolite and undesirable interest in your network.
Password: Password for this extra authorization level. This is an encrypted password.
Security Level: AuthPriv (Authentication, Privacy) allows access to SNMP information only with both authentication and data encryption of all SNMP packets (privacy). AuthNoPriv (Authentication, No Privacy) allows access to SNMP information with authentication only.
5 Authorization

Authorization contains Admin Accounts, Authentication, Remote Administration, firewall Users and VPN definitions using previously defined VPN objects.

Admin Accounts

Admin Accounts manages the administrative accounts on the firewall. The primary account logs on to the firewall during initial configuration and is the only one that can use the console interface. The default user ID and password are gnatbox. GTA recommends changing the default user ID and password to prevent unauthorized access. Up to five additional administrator accounts can be defined. Each account is assigned a unique user ID and password with selected access privileges. Accounts without administrator privileges (the ADMIN permission field is not selected) are read-only, so they cannot make changes to the firewall or view preshared secrets. Secret/password fields will be obscured when Admin permissions are disabled for the account.

Field descriptions:

Enable Lockout: Disallow further logins from a user's IP address if a login is entered incorrectly. Enabled by default.
Lockout Threshold: Number of tries a user can make from an IP address before that IP address is locked out.
Lockout Duration: Number of seconds an IP address is locked out.
Notification: Send a notification to the administrator upon a lockout.
User ID: Administration account name used to log on to the firewall, up to 39 characters long. Any character that can be generated from the keyboard is valid, except leading and trailing spaces.
Password: Password used to log on to the firewall, up to 39 characters long. Any character generated from the keyboard is valid, except leading and trailing spaces.
Admin: Enable administrator authority for this firewall.
Console: Only the primary account user can log on to the console. Not editable.
WWW: Enable to allow this user to log on via the web interface.
RMC: Enable to allow this user to log in via GBAdmin.

Figure: Administration Accounts
Authentication

The Authentication service allows the administrator to require GBAuth authentication before initiating a connection to or through the firewall. To use this feature, Authentication must be enabled and a user authentication remote access filter must be configured. All data is sent from GBAuth to the firewall via SSL.

Field descriptions:

Enable: Enable the use of any of the three methods of authentication. If only this check box is selected, GTA Authentication can be used. Selecting the services below allows LDAPv3 and/or RADIUS authentication to be used as well.
Service Port: GBAuth only. Default port is 76.
Enable (LDAP): Enable the use of an LDAP service.
Server (LDAP): Server IP address or host name and port number of the LDAP server that will perform the authorization. The service port number defaults to 389. To enter a specific port number, use the format ldap.example.com:389.
Base DN: Root distinguished name on the LDAP server, comparable to the domain name in an Internet address. Maximum length is 127 characters.
Enable (RADIUS): Enable the use of the RADIUS service.
Binding Interface: Address from which authentication information is sourced. <Auto> by default. Selecting <Auto> will present the firewall's usual source IP address to the server location. To force packets to have a specific source IP address, choose the interface object from the drop-down menu.
Server (RADIUS): Server IP address or host name and port number of the RADIUS server that will perform the authorization. The port number defaults to 1812. To enter a specific port number, use the format radius.example.com:1812.
Preshared Secret: Alphanumeric value. Preshared secret as defined in the RADIUS service. This field is case-sensitive.

Figure: Authentication - RADIUS with NAS

There are three authentication methods on a GTA firewall: GTA authentication, LDAP and RADIUS. See the utility software chapter for more about configuring and using GBAuth, GTA's authentication client.
RADIUS

The RADIUS authentication option allows you to accept or deny traffic by querying a RADIUS server. Historically RADIUS has been used to authenticate dial-up connections, but RADIUS can authenticate traditional TCP/IP connections as well. To use RADIUS authentication, click Authorization then Authentication on the web interface menu. Enter the appropriate information in the RADIUS section of the page, then click the SAVE button. The following additional RADIUS options are available:

NAS IDENTITY: By default (if the field is empty), this is the firewall's local IP. Match the RADIUS server's expected identity for authentication requests. (This field is treated as undistinguished octets.)

NAS CHANNEL: Matches the RADIUS server's channel number. Only necessary if the RADIUS server distinguishes between its NAS ports (channels). (Valid values should be in the range of )

NAS CHANNEL TYPE: Matches the RADIUS server's connection type, namely a modem (async etc.) or TCP/IP (virtual) connection. (Values are shown in the drop-down list.)

LDAP

The LDAP authentication option allows you to accept or deny traffic by querying an LDAP (Lightweight Directory Access Protocol) server. The LDAP authentication option can be used on outbound traffic filters, as well as inbound tunnels, remote access filters, outbound filters, and passthrough filters. To use LDAP authentication, click Authorization then Authentication on the web interface menu. Enter the appropriate interface, server IP or domain name, and LDAP base domain name in the LDAP section of the page, then click the SAVE button.

Defining a User Authentication Remote Access Filter

A user authentication remote access filter must be configured for any of the three methods of authentication. To use the default filter, select AUTO-CONFIGURE THE REMOTE ACCESS FILTERS. This filter may be edited in Remote Access under Filters.
Filters that have never been saved are automatically configured to system parameters every time the system is restarted. If filters have been saved, use DEFAULT to match the automatic system defaults.

Figure: Edit Remote Access Filter - User Authentication

GTA Authentication

To use GTA Authentication, enable Authentication and the desired port (TCP port 76, by default). Create a user authentication remote access filter if one has not already been created. If Authentication is enabled, but neither LDAP nor RADIUS is enabled and configured, the firewall uses GTA Authentication by default. GTA Authentication requires firewall user account set-up; configure users with the instructions in the Users section in this chapter. GTA Authentication can be selected in VPN objects, inbound tunnels, remote access filters and passthrough filters. Users enter the values in the IDENTITY and PASSWORD fields from Users to log in using GBAuth.
LDAP

LDAPv3 is supported for user authentication. LDAP (Lightweight Directory Access Protocol) is a specification for accessing directories on the Internet to obtain information such as addresses and public keys. LDAP is based on the X.500 directory access protocol, DAP, but is less comprehensive. It also supports TCP/IP for Internet access. Like the Internet protocols HTTP and FTP, LDAP is used in the protocol prefix of a URL, e.g. ldap://example.com. LDAP version 3, completed in 1997, is the latest implementation at the time of this release.

Using LDAP on a GTA Firewall

To use LDAP:

1. Enable Authentication and the LDAPv3 feature.
2. Enter the IP address and desired port (TCP port 389 by default) of the LDAP server and the base distinguished name for your network, as in the LDAP section of the Authentication illustration.
3. Create a user authentication remote access filter if one has not already been created.

LDAP authentication requires an LDAP server with users, organizational units and domains. LDAP authentication can be selected in inbound tunnels, remote access filters, outbound filters and passthrough filters. When LDAP is used, authentication cannot be selected in a VPN object. To use LDAP with VPNs, select authentication on the appropriate remote access filter. Using this method, the VPN cannot initiate until the user has authenticated with GBAuth. A user is authenticated for all firewall services until the authentication times out or is closed by the user.

Field descriptions:

cn: Common name specified on the LDAP server and entered in the IDENTITY field of GBAuth, e.g. Joe Tech.
rdn: Relative distinguished name; the common name plus the cn= identifier: cn=joe Tech.
ou: Organizational unit; group to which the user has been assigned. There can be a hierarchy of ou's defined; enter each in the order of its specificity: if Joe Tech belongs to the FreeBSD group within the support group, ou would be entered into the IDENTITY field of GBAuth, after the cn, as: ou=freebsd, ou=support.
dn: Distinguished name; entries in an LDAP server are located by way of the distinguished name, a globally unique identifier designed to be readable by any LDAP-compliant client. This is the entire string sent to the LDAP server by GBAuth: cn=joe Tech, ou=support,dc=qa, dc=com, dc=gta.
dc: Domain component; a single domain component of an FQDN (fully-qualified domain name) such as qa.gta.com, e.g. dc=qa, dc=com, dc=gta.

The IDENTITY field value in GBAuth (cn and the ou together) can be up to 127 characters.

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is an authentication and management system used by many ISPs, requiring the customer to enter a user ID and password to access the service. A RADIUS server verifies the information, and then authorizes access. The RADIUS specification is not an official IETF standard.

Using RADIUS on a GTA Firewall

To use RADIUS:

1. Enable Authentication and the RADIUS feature.
2. Enter the IP address, desired port (TCP port 1812 by default) and preshared secret of the RADIUS server, as in the Authentication illustration example.
3. If a user authentication remote access filter has not already been created, configure and enable the filter.

Remote Admin

Remote Admin regulates administration via remote (non-console) methods such as the web interface or GBAdmin (Remote Management Console or RMC). The factory settings enable remote administration and the ability to apply updates. By default, the web interface is served on standard TCP port 443 for SSL encryption and GBAdmin on TCP port 77. The firewall can also be accessed using the console interface using the primary administrative account.
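The LDAP field table above describes how GBAuth's IDENTITY value (cn plus ou components) and the firewall's Base DN (dc components) combine into the distinguished name sent to the LDAP server. The following added example, not GTA's code, builds that DN and enforces the stated limits; it assumes the identity is typed as "cn=<common name>[, ou=<unit>, ...]" and that the Base DN is simply appended to it.

```python
"""Building the DN that GBAuth sends, from the IDENTITY field and the Base DN.

Added example, not GTA's code. It assumes the identity is entered as
"cn=<common name>[, ou=<unit>, ...]" (most specific ou first), that the
configured Base DN consists of dc= components, and that the firewall appends
the Base DN to the identity to form the full distinguished name.
"""
from typing import List, Tuple

MAX_IDENTITY_LEN = 127  # stated limit for the GBAuth IDENTITY field
MAX_BASE_DN_LEN = 127   # stated limit for the Base DN field


def parse_rdns(text: str) -> List[Tuple[str, str]]:
    """Split 'cn=Joe Tech, ou=support' into [('cn', 'Joe Tech'), ('ou', 'support')].

    Whitespace around commas and '=' is ignored. An RDN without '=' or with an
    empty attribute or value is rejected, so a mistyped identity fails locally
    instead of producing a confusing bind failure at the LDAP server.
    """
    rdns: List[Tuple[str, str]] = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr, value))
    return rdns


def build_dn(identity: str, base_dn: str) -> str:
    """Return the full DN: identity RDNs followed by the Base DN components.

    Enforces the documented constraints: each field is at most 127 characters,
    the identity begins with exactly one cn and may only be followed by ou
    components, and the Base DN contains dc components only.
    """
    if len(identity) > MAX_IDENTITY_LEN:
        raise ValueError("IDENTITY exceeds 127 characters")
    if len(base_dn) > MAX_BASE_DN_LEN:
        raise ValueError("Base DN exceeds 127 characters")
    id_rdns, base_rdns = parse_rdns(identity), parse_rdns(base_dn)
    if not id_rdns or id_rdns[0][0] != "cn":
        raise ValueError("identity must begin with cn=")
    if any(attr != "ou" for attr, _ in id_rdns[1:]):
        raise ValueError("only ou= components may follow cn= in the identity")
    if not base_rdns or any(attr != "dc" for attr, _ in base_rdns):
        raise ValueError("Base DN must consist of dc= components only")
    return ",".join(f"{attr}={value}" for attr, value in id_rdns + base_rdns)


def identity_is_valid(identity: str, base_dn: str) -> bool:
    """True when build_dn() accepts the pair; convenient for form validation."""
    try:
        build_dn(identity, base_dn)
    except ValueError:
        return False
    return True
```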
The console interface cannot be disabled.

Field descriptions:

Enable (web): Enables remote administration via the web interface. Enabled by default.
Server Port (web): TCP port allowing web administration. SSL encryption default is 443.
Allow Updates (web): By default, updates are allowed.
Encryption (web): All levels of SSL encryption (Low, Medium and High) are enabled by default. SSL may also be set to None to turn off SSL encryption.
Enable (GBAdmin): Enable access via GBAdmin (RMC). Enabled by default.
Server Port (GBAdmin): TCP port allowing GBAdmin administration. Default port for RMC access is 77.
Allow Updates (GBAdmin): By default, updates are allowed.
Encryption (GBAdmin): Encryption level is high.

Changing the Remote Administration Port

Caution: Changing the TCP port for remote administration without first adding the new port to a new remote access filter will cause you to lose remote administration connectivity. To prevent this, install a new remote access filter before removing the old one, or connect to the firewall console locally.

Figure: Remote Administration

To maintain access when changing the port number used for remote administration, a remote access filter for the new port must be in place before changing the port number. Implement a port number change in this order:

1. In Remote Access under Filters, find the filter that controls remote administration access and add the new port number value. Save the section.
2. In Remote Administration, change the port to the new value and save the section.
3. In Remote Access under Filters, return to the remote administration access filter and delete the old port. Save the section.

Your firewall will now use the new port value for access.

WWW

In this section, the user can choose access, update and select preferences for the web interface. A remote access filter must be created and enabled to use web administration. A firewall URL using SSL encryption will use HTTPS, i.e. the address displays https:// instead of http://.

Caution: Non-SSL (unencrypted) web administration is available. However, remote administration without an encrypted (SSL) connection will send sensitive information like passwords in plain text, posing a serious threat to your network security. Unencrypted connections are therefore strongly discouraged by GTA.

Caution: Port 80 is the standard for non-SSL HTTP, but GTA suggests using an alternate such as 8000. This helps to protect the remote web interface from unauthorized use even if a filter is misconfigured.

RMC (GBAdmin)

The RMC (Remote Management Console) feature establishes an encrypted network connection to the firewall on TCP port 77 using the GBAdmin application. By default, the firewall is only configured to allow this access on the protected network interface. Since the RMC network connection is encrypted, it is suitable for secure management from both external networks and PSNs. A remote access filter must be created and enabled to use RMC from external networks.
SSL Encryption

For additional security, SSL (Secure Sockets Layer) encryption is available. SSL encryption (HTTPS), developed by Netscape, is the standard in Internet security for HTTP, supporting server/client authentication, and maintaining security and integrity in transmission. Usable by the web and GBAdmin access, SSL may be configured from any user interface. SSL encryption has been used by default in GB-OS since version. SSL-encrypted administration requires a remote access filter with a port that matches the remote administration port (443, by default).

SSL certificates include three validity checks: an issuer, or self-issued certificate authority; a date, which will be the date of certificate generation; and a name, which will be the firewall's host name. (After the firewall has been installed, enter the host name in the HOST NAME field in Network Information under Basic Configuration. Any changes to the firewall's host name will cause the firewall to automatically renew its SSL certificate using the new host name.) To create a certificate in which the name on the security certificate matches the name on the site, the host name entered in Network Information must match the name given to the firewall in the DNS Server. If you cannot match the host name, you may instead add the host name to the LMHOST file on Windows computers.

Level     Key Strength        Description
None      N/A                 Disables SSL encryption.
All       N/A                 Accepts low/medium/high levels of SSL encryption.
Low       40-, 56-, 64-bit    A low level of SSL encryption. Easier to break.
Medium    128-bit             A medium level of SSL encryption. Harder to break.
High      168-bit             A high level of SSL encryption. Difficult to break.

GB-OS supports SSL version 3.0. Due to potential security flaws, support for SSL version 2.0 has been removed.
Browser Compatibility

GTA recommends using Apple Safari, Mozilla, Netscape Navigator, Opera, Microsoft Internet Explorer for Windows, or another SSL-compatible and frame-enabled browser to administer your firewall. On Macintosh PCs, GTA does not recommend using Microsoft Internet Explorer for Macintosh (Mac IE 5). GB-OS SSL encryption, used by the firewall, is known to be incompatible with Mac IE 5, and your browser will not allow you to continue past the security alert screen. If you must use Mac IE 5, install the firewall using a compatible browser, GBAdmin or the console and disable SSL before using Mac IE 5. Mac IE 5 can only be used with SSL encryption disabled.

Caution: Administration of the firewall without encryption is insecure and may send sensitive information such as passwords in clear text; it is not recommended if you have a hub or other network device between your computer and the firewall appliance.

Generating and Installing an SSL Certificate

Each time you update GB-OS, the SSL certificate is renewed for a year from the release build date. You may also manually generate a new certificate using the NEW SSL CERTIFICATE button, or automatically by changing the firewall's host name. This creates a new SSL certificate for the firewall. An SSL certificate is valid for one year from the date it is created.

To generate and install a new SSL security certificate:

1. Click NEW SSL CERTIFICATE in Remote Admin under Authorization, select Yes from the drop-down menu, and then click the SUBMIT button to generate a certificate for the firewall.

Figure: Remote Admin - New SSL Certificate

2. Since the certificate is self-issued, and your browser will not recognize your firewall as a certificate authority (CA), you will be prompted with a security alert similar to the one illustrated.
Figure: Internet Explorer 6 for Windows - SSL Certificate Security Alert

The dialog indicates that the listed certificate authority is not one you have already chosen to trust; the certificate date is valid; and the name on the certificate does not match the name of the site. Select YES. Your security will not be compromised.

3. Certificate installation may vary by browser. (The remaining instructions are specific to Internet Explorer 6 for Windows, but may be adapted for other browsers.) To install the SSL security certificate, click VIEW CERTIFICATE. In the Certificate screen that appears, click INSTALL CERTIFICATE.

Figure: Internet Explorer 6 for Windows - View Certificate

4. A Certificate Import Wizard will appear. Click NEXT and choose whether to automatically select the Certificate Store (recommended), or select a location manually. Click FINISH.

5. Verify that you want to install to the Root Certificate Store. If a dialog reports that the import was successful, you have completed the certificate installation.

Once the certificate is installed, and the firewall host name has been entered in the DNS server, no more warnings should appear until the certificate expires. However, a new certificate can be created at any time. Changing the firewall's host (domain) name will cause automatic generation of a new SSL certificate using the new host name.

Users

Users creates a firewall user who can utilize authorization, VPNs, or other restricted access points. One or more mobile VPNs are defined by linking a VPN object (such as the Mobile VPN object) to a remote network address or address object. See the VPN Option Guide for more about VPN authentication. Users can be selected in filters to regulate access from outside the protected network and in Inbound Tunnels to restrict access from a specified network interface to an IP address / port. See the VPN Option Guide for more about authentication.
Field descriptions:

Disable: Disable all access for the selected user.
Name: Full name of the user.
Description: Description of the user.
Identity: User address for user authentication.
Method: Password method.
Password: Password for user authentication.
Disable (VPN): Disable VPN access for the selected user.
VPN Object: Previously defined VPN object.
Remote Network: IP address or address object of the remote network.
Preshared Secret: ASCII or HEX* value preshared secret.

*Valid hexadecimal characters: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F.

Figures: Users; Insert User

VPNs

VPNs creates and controls authorization for firewall VPNs using addresses or objects. One or more VPNs are defined by linking a VPN object to a remote network address or address object. The authorization of a VPN connection between two single networks defines one VPN. For example, the local network VPN object IKE may contain the address object Protected Networks, which in turn represents all the protected networks in the local network. The remote network is a single network address. Any subnets have been combined to create one network using a 24-bit subnet mask.

Security Associations

A security association (SA) specifies the parameters connecting two hosts. Each active two-way VPN connection uses a minimum of two SAs, one for each direction of communication. For the total number of potential SAs used by each VPN authorization, see the authorization section in the system configuration report, found in Configuration under Reports. See product specifications for the number of security associations supported by a specific model. To see the current number of VPN security associations, see Active VPNs under System Activity. Each authorization in the configuration report will contain one or more VPNs, depending on the number of networks represented by each VPN or address object.
Multiple Networks

A VPN authorization can define one VPN connection or many, depending on the number of networks represented by each object. For example, if a VPN authorization contains an object with two separate local networks and a single remote network, two VPNs are defined, for a total of four SAs.

Figure: Two VPNs, Four VPN Security Associations (two protected /24 networks behind the GB firewall, each with one inbound SA and one outbound SA to the remote network)

Mobile Protocol VPN Security Associations

A VPN using mobile protocol (either a mobile VPN created in the Users section, or a gateway-to-gateway VPN with Force Mobile Protocol selected) will use SAs while active. The number of SAs potentially used by mobile and gateway-to-gateway VPNs can be higher than the number of licensed SAs; however, the number of SAs used by active VPNs, mobile VPNs included, cannot exceed this number. See the previous section for more about changes to Users authorization.

Encryption Key Length

Blowfish encryption transformations use variable length keys, while AES, DES and 3DES use a fixed length key. If you exceed the maximum key length in these fields, you will generate an error and not be able to save the configuration until it is corrected. You may enter a shorter length key; the system will pad it to the minimum key size. Higher-bit key size generally results in stronger encryption.

Algorithm    Key Size       ASCII and Hexadecimal Characters
AES-128      128 bits       16 ASCII or 32 Hex
AES-192      192 bits       24 ASCII or 48 Hex
AES-256      256 bits       32 ASCII or 64 Hex
Blowfish     40-448 bits    5-56 ASCII or 10-112 Hex
DES          64 bits        8 ASCII or 16 Hex
3DES         192 bits       24 ASCII or 48 Hex

Hash Key Length

The key length for the MD5 transformation is 128 bits, which is 16 ASCII characters or 32 hexadecimal characters. The key length for the SHA-1 transformations is 160 bits, which is 20 ASCII (40 hexadecimal) characters; it provides 80 bits of security. The key length for the SHA-2 (SHA-256) transformations is 256 bits, which is 32 ASCII (60 hexadecimal) characters; it provides 128 bits of security against mid-transport data tampering. Generally, larger keys are more secure.

Security Parameter Index (SPI)

The INBOUND and OUTBOUND SECURITY PARAMETER INDEX are arbitrary numbers used to uniquely identify a security association (SA) on a MANUAL VPN. The INBOUND SPI will be the OUTBOUND SPI on the remote side of the VPN; likewise, the OUTBOUND SPI will be the INBOUND SPI on the remote side of the VPN. The SPI should be unique for each SA, although the inbound and outbound SPI may have the same value. The minimum SPI value is 256.

Creating a VPN

1. Presuming that you use the default VPN objects, create a VPN by selecting Authorization then VPNs. Create a new VPN authorization.
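The key-length and SPI rules in the sections above (maximum length is an error, a short key is padded to the minimum, 8 bits per ASCII character and 4 per hex digit, local inbound SPI equals the peer's outbound SPI, minimum 256) are easy to get wrong when preparing a manual VPN by hand. The following added example, not GB-OS code, checks a key and an SPI pair against those rules; the choice of padding with '0' characters is an assumption, since the guide does not say how the firewall pads.

```python
"""Validation of manual-VPN encryption and hash keys and SPIs, following the
Encryption Key Length, Hash Key Length and Security Parameter Index sections.

Added example, not GB-OS code. Key sizes are taken from the guide's tables;
how the firewall pads a short key is not described, so padding with '0'
characters is an assumption made here.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

HEX_DIGITS = frozenset("0123456789ABCDEFabcdef")
MIN_SPI = 256  # stated minimum SPI value for a manual VPN


@dataclass(frozen=True)
class KeySpec:
    min_bits: int
    max_bits: int


# Encryption transformations: Blowfish is variable length, the rest are fixed.
ENCRYPTION_KEYS: Dict[str, KeySpec] = {
    "AES-128": KeySpec(128, 128),
    "AES-192": KeySpec(192, 192),
    "AES-256": KeySpec(256, 256),
    "Blowfish": KeySpec(40, 448),   # 5-56 ASCII characters
    "DES": KeySpec(64, 64),
    "3DES": KeySpec(192, 192),
}
# Hash (authentication) transformations.
HASH_KEYS: Dict[str, KeySpec] = {
    "MD5": KeySpec(128, 128),
    "SHA-1": KeySpec(160, 160),
    "SHA-256": KeySpec(256, 256),
}
KEY_SPECS: Dict[str, KeySpec] = {**ENCRYPTION_KEYS, **HASH_KEYS}


@dataclass
class KeyCheck:
    ok: bool        # False means the configuration could not be saved
    bits: int       # effective key size after any padding
    message: str
    key: str        # key as it would be stored (padded if it was short)


def expected_lengths(algorithm: str) -> Dict[str, Tuple[int, int]]:
    """(min, max) character counts for ASCII (8 bits each) and HEX (4 bits each)."""
    spec = KEY_SPECS[algorithm]
    return {"ascii": (spec.min_bits // 8, spec.max_bits // 8),
            "hex": (spec.min_bits // 4, spec.max_bits // 4)}


def check_key(algorithm: str, key: str, form: str) -> KeyCheck:
    """Apply the guide's rules: too long is an error, too short is padded.

    `form` mirrors the ASCII/HEX choice on the VPN form. A HEX key must
    consist of an even number of hexadecimal digits.
    """
    spec = KEY_SPECS[algorithm]
    if form == "hex":
        if not key or len(key) % 2 or any(c not in HEX_DIGITS for c in key):
            return KeyCheck(False, 0, "HEX key must be an even number of hex digits", key)
        bits_per_char = 4
    elif form == "ascii":
        bits_per_char = 8
    else:
        raise ValueError("form must be 'ascii' or 'hex'")
    bits = len(key) * bits_per_char
    if bits > spec.max_bits:
        return KeyCheck(False, bits,
                        f"{algorithm} key is {bits} bits; maximum is {spec.max_bits}", key)
    if bits < spec.min_bits:
        pad = (spec.min_bits - bits) // bits_per_char
        return KeyCheck(True, spec.min_bits,
                        f"padded from {bits} to {spec.min_bits} bits", key + "0" * pad)
    return KeyCheck(True, bits, "ok", key)


def peer_spis(inbound: int, outbound: int) -> Tuple[int, int]:
    """Return the (inbound, outbound) SPI pair the remote side must configure.

    The local INBOUND SPI is the peer's OUTBOUND SPI and vice versa; both must
    be at least 256. The two local values may legitimately be equal.
    """
    for name, value in (("inbound", inbound), ("outbound", outbound)):
        if value < MIN_SPI:
            raise ValueError(f"{name} SPI {value} is below the minimum of {MIN_SPI}")
    return outbound, inbound
```

Because 256 bits is 64 hexadecimal digits under the 4-bits-per-digit rule, a 60-digit SHA-256 hex key is treated as short and padded rather than accepted as full length.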
Figure: VPNs

2. Select the key exchange method. In the web interface, a dialog box prompts you to select IKE (automatic key exchange) or Manual mode. In GBAdmin, the IKE or Manual mode is selected on the main VPN screen.

Figure: Insert VPN - Select Key Exchange Method

3. Complete the VPN settings fields. There will be slightly different settings available depending on your automatic (IKE) or manual key exchange method selection.

Field descriptions (IKE):

Disable: Check to disable all access for the selected VPN.
IPSec Key Mode: IKE (automatic key exchange).
Description: Description of VPN.
Identity: User address for user authentication. This field is used to associate the remote user with a preshared secret key. Use the mobile user's address to uniquely identify the user. This value must be unique for all mobile VPN users. (Only needed when Force Mobile Protocol is selected.)
VPN Object: VPN Object to define this VPN.
Remote Gateway: (Destination) Default is IP address of the route through which this VPN will pass, the gateway to the remote network. If the remote network is behind a firewall, then this would be one assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet.
Remote Network IP Address: Previously defined Address object or an IP address. Destination IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.
Preshared Secret: ASCII or HEX* format value preshared secret as defined in VPN. This same key needs to be entered in the GTA Mobile VPN Client when configuring the security policy. This field is case sensitive. (Phase I)

*Valid hexadecimal characters: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F.

Figure: Insert VPN - IKE
Field descriptions (Manual):

Disable: Check to disable all access for the selected VPN.
IPSec Key Mode: Manual.
Description: Description of VPN.
Security Parameter Index (Inbound/Outbound): Default is 256.
VPN Object: VPN Object to define this VPN.
Remote Gateway: (Destination) Default is IP address of the route through which this VPN will pass, the gateway to the remote network. If the remote network is behind a firewall, then this would be one assigned to the external network interface. This IP address will also help determine the routing of the encapsulated packet.
Remote Network IP Address: Previously defined Address object or an IP address. Destination IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. (On a firewall, typically this will be the protected network, PSN or a subnet of either.) Use a subnet mask to define the class of network.
Encryption Key*: ASCII or HEX* format value encryption key as defined in VPN.
Hash Key*: ASCII or HEX* format value hash algorithm key for the authentication transformation.

*Valid hexadecimal characters: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F.

Figure: Insert VPN - Manual

4. Create remote access filters to accept VPN packets from the remote gateway (ESP, AH, or IKE UDP 500). This can be done using the DEFAULT button on the Remote Access Filter list or created by hand. Make sure you specify the correct protocol in the remote access filter for the type of VPN connection that will be created. If you have not updated your protocol definition list, you should do so prior to defining any VPN remote access filters, as the ESP and AH protocols may not be included in the list. Go to the protocol list and press the DEFAULT button to auto-configure a list that includes the ESP and AH protocols. If you have created additional protocols, using the DEFAULT button will delete them; in this case, add the ESP (IP protocol 50) and AH (IP protocol 51) by hand.

5. Create pass through filters that allow inbound and outbound access on the defined VPN. Generally you will need two filters for each VPN definition (one for inbound access and one for outbound). If you have one or more VPN definitions, go to the Pass Through Filter section and press the DEFAULT button. A set of filters will be auto-configured for your VPN definitions. The inbound filters will be disabled and set to deny. Make modifications to these filters as required and enable them as per your local security policy. Passthrough filters for VPN definitions do not require that entries be created on the Hosts/Networks section.
6 Content Filtering

Content Filtering controls web site access based on the domain name and content of the site. Content Filtering ACLs allow use of Surf Sentinel 2.0, GTA's subscription content filtering service (purchased separately). Speed of Content Filtering relies on an efficient, enabled DNS server.

Access Control Lists

With every web page request, your firewall must choose to accept or deny transmission. Access control lists (ACLs) contain the criteria that cause a web page request to be accepted or denied (such as white lists and black lists), and define any scripts or applets that should be blocked.

Content filtering ACLs are evaluated in the order they are listed. When the firewall receives a web page request, ACL rules are each tested for matching conditions. Once a web page request is matched with an ACL indicating acceptance or denial, the ACL actions are performed, and no further ACLs will be tested for matching. If the whole ACL list has been exhausted but no match has been found, the web page request will be rejected.

By default, the HTTP proxy (Content Filtering) denies all web page requests. This default is enacted if a web page request does not meet any listed ACL. To ensure that all web page requests are not rejected by default, make at least one ACL of type Accept.

Sometimes non-HTTP protocols (such as FTP) or unknown HTTP commands may be transmitted over standard HTTP ports. For example, if your firewall is configured to only allow web traffic, this may indicate an effort by internal network users to bypass your policy by redirecting blocked non-HTTP protocol ports to open HTTP ports. To block transmission of non-standard HTTP commands and unencrypted non-HTTP protocols over HTTP ports, check the UNKNOWN HTTP COMMANDS box in the CONTENT BLOCKING section.
Field descriptions:

Disable: Disable this ACL.
Description: Description for the ACL.
Source Address: If a request matches an element of the specified address object, the packet will be compared to the ACL.
Local Allow List: Use the firewall's ALLOW list.
Local Deny List: Use the firewall's DENY list.
Surf Sentinel 2.0*: Use the Surf Sentinel 2.0 list. Requires a Surf Sentinel 2.0 subscription.
Java: Block Java applets. Disabled by default.
JavaScript: Block JavaScript. Disabled by default.
ActiveX Objects: Block ActiveX controls. Disabled by default.
Unknown HTTP Commands: Block unknown HTTP commands and unencrypted non-HTTP protocols. Disabled by default.
Surf Sentinel 2.0 Categories*: Specify allowed or blocked Surf Sentinel 2.0 categories. Switch a category from one list to the other by selecting the item and clicking the left or right arrow button. Surf Sentinel 2.0 must be enabled.

* Requires a feature activation code.
Figure: Edit Content Filtering ACL - Block Unknown HTTP Commands

Local Allow and Deny Lists

Local allow and deny lists allow customization of content filtering using local content lists (LCLs). You can choose to execute all content filtering locally, allow access to sites that are disallowed by another content filtering facility, or deny access to sites that are otherwise allowed.

Content Blocking

Portable code blocking for Java, JavaScript and ActiveX objects and unknown HTTP commands can protect your network from malicious programs such as viruses spread by web pages (applets or scripts appear in inbound HTML on TCP ports 443, 80, 8000 and 8080). In addition to blocking mobile programs embedded in web pages, Content Blocking can also prevent tunneled, unencrypted non-HTTP connections over standard HTTP ports.

Surf Sentinel 2.0 Categories

Surf Sentinel 2.0 is a subscription option that provides firewall system administrators with a user-friendly interface and easy access to an exhaustive list of web categories for content filtering. Surf Sentinel 2.0 is superior to LCLs alone. Using LCLs, an administrator is able to enter only a limited number of URLs. With Surf Sentinel 2.0, the administrator can easily allow or deny whole categories of content. LCLs then allow further customization. Surf Sentinel 2.0 is specifically designed for firewall and content filtering solutions. It features a small, ultra-light footprint. An annual subscription for Surf Sentinel 2.0 can be purchased from GTA, or through an authorized GTA Channel Partner. With your subscription, use the Surf Sentinel 2.0 Feature Guide, which provides more information on using Surf Sentinel 2.0 categories.

Local Content Lists

Local Content Lists (LCLs) allow customization of content filtering. LCLs take precedence over Surf Sentinel 2.0 content filtering so that you can allow access to sites that have been blocked, or deny access to sites that are otherwise allowed.
Maximum string length for a URL and comment is 180 characters. You can also choose to do simple content filtering by entering the sites your company wishes to allow or deny. The ALLOWED list takes precedence over the DENIED list; if you have the same URL in both lists, access to the site will be allowed.
Chapter 6 Content Filtering

Adding Domain Names to LCLs
Figure: Local Content Lists
1. Enter sites in the LCLs by typing the domain name in the ADD/REMOVE field and clicking the ADD button.
2. Click SAVE. The items will appear in alphabetical order after they have been entered.
Enter domain names in the following format: example.com. WWW and other such subdomain prefixes (www2, www3) limit the effect of the LCL entry. For example, the value www.example.com only denies or accepts access to that specific host, not to related hosts such as www2.example.com. To block an entire domain, enter example.com; this matches the domain and all of its subdomains.

Preferences (Content Filtering)
Content Filtering requires the use of an HTTP proxy. The Preferences section of Content Filtering allows the administrator to specify a traditional proxy, a transparent proxy, or both; in addition, a blocked content action can be selected.
Field - Description
Enable (Traditional) - Enable the traditional proxy. Disabled by default.
Proxy Port - Port through which the traditional proxy will run. Default is 2784.
Enable (Transparent) - Enable the transparent proxy. Disabled by default.
Block Action - Provide a specific message, or redirect to a URL, when a request for blocked content is made.
Message - If Message is selected, enter a custom message or use the default, "Local policy denies access to web page".
URL - If URL is selected, enter the web page to which blocked requests are redirected.
Figure: Preferences (Content Filtering)
Traditional Proxy
When the firewall is operating without content filtering enabled, it does not use a proxy. When the HTTP proxy is used in conjunction with a content filtering facility, it runs on TCP port 2784 by default. To run the HTTP proxy on a different port, enter the value in the PORT field. To enable access to the traditional proxy, create a remote access filter allowing connections on that port.
TRADITIONAL PROXY requires users located on protected networks to have browsers configured to use a proxy connection with the proxy port number and the proxy IP address. Only users specifying the traditional proxy port will use Content Filtering for their HTTP traffic; a browser that is not configured for the proxy bypasses content filtering entirely unless the transparent proxy is also enabled.

Creating an RAF for a Traditional Proxy
TRADITIONAL PROXY requires a remote access filter. Create or modify an existing remote access filter to allow access to the traditional proxy. The default filter values are:
Field - Value
Type - Accept
Interface - PROTECTED
Protocol - TCP
Priority - Notice
Log - Default
Source IP - ANY_IP
Source Port - 0 (or blank)
Destination IP - ANY_IP
Destination Port - 2784

Transparent Proxy
This method is transparent to users located on the protected network; no modification to browsers is required, and there is no PROXY PORT field. The firewall transparently mediates and filters HTTP traffic.

Block Action
If an ACL blocks a web address (URL) and a user attempts to load a page from that address, the user will see a custom message, or be redirected to a URL, e.g. an internal web site that defines the company's Internet use policies and the administrative process to get access to a site. The default message, "Local policy denies access to web page", will appear if a user attempts to reach a blocked address, unless a custom message is entered.
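The decision logic this chapter describes, written out as an added example (not GB-OS code): a local ALLOW entry wins over a local DENY entry, both win over a Surf Sentinel category verdict, an LCL entry such as example.com covers the domain and all of its subdomains while www.example.com covers only that host, and a blocked request gets either a message or a redirect. The category table standing in for a Surf Sentinel subscription, the HTTP status codes used for the block action, and all names below are this example's own assumptions.

```python
"""Content filtering decision logic (added example, not GB-OS code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_LCL_ENTRY = 180                      # limit stated in the guide
DEFAULT_BLOCK_MESSAGE = "Local policy denies access to web page"


def normalize_domain(entry: str) -> str:
    """Lower-case, strip a trailing dot and enforce the 180-character limit."""
    entry = entry.strip().lower().rstrip(".")
    if not entry or len(entry) > MAX_LCL_ENTRY:
        raise ValueError("LCL entries must be 1-180 characters")
    return entry


def domain_matches(host: str, entry: str) -> bool:
    """True when host is the entry itself or a subdomain of it (label-wise)."""
    return host == entry or host.endswith("." + entry)


@dataclass
class ContentFilterAcl:
    allow_list: set = field(default_factory=set)
    deny_list: set = field(default_factory=set)
    # Constructed stand-in for Surf Sentinel: host -> category name.
    categories: dict = field(default_factory=dict)
    blocked_categories: set = field(default_factory=set)
    block_action: str = "message"        # "message" or "url"
    block_message: str = DEFAULT_BLOCK_MESSAGE
    block_url: str = ""

    def __post_init__(self):
        self.allow_list = {normalize_domain(e) for e in self.allow_list}
        self.deny_list = {normalize_domain(e) for e in self.deny_list}

    def category_of(self, host):
        """Category of the host or of its nearest categorized parent domain."""
        for listed, cat in self.categories.items():
            if domain_matches(host, listed):
                return cat
        return None


def evaluate(acl: ContentFilterAcl, url: str):
    """Return ("allow" | "deny", reason) for a request to url."""
    host = normalize_domain(urlsplit(url).hostname or "")
    if any(domain_matches(host, e) for e in acl.allow_list):
        return "allow", "local allow list"          # ALLOW beats DENY
    if any(domain_matches(host, e) for e in acl.deny_list):
        return "deny", "local deny list"            # LCLs beat categories
    cat = acl.category_of(host)
    if cat is not None and cat in acl.blocked_categories:
        return "deny", "Surf Sentinel category " + cat
    return "allow", "no matching entry"


def block_response(acl: ContentFilterAcl):
    """What the user sees for blocked content: a redirect or a message.
    The status codes are an assumption of this example."""
    if acl.block_action == "url" and acl.block_url:
        return 302, {"Location": acl.block_url}, ""
    return 403, {"Content-Type": "text/plain"}, acl.block_message


def sample_acl():
    """Constructed sample configuration (RFC 2606 example domains)."""
    return ContentFilterAcl(
        allow_list={"docs.example.com"},
        deny_list={"example.com", "www.example.org"},
        categories={"games.example.net": "Games"},
        blocked_categories={"Games"},
        block_action="url",
        block_url="http://intranet.example.com/policy.html",
    )


if __name__ == "__main__":
    acl = sample_acl()
    for u in ("http://docs.example.com/a", "http://www.example.com/",
              "http://www2.example.org/", "http://games.example.net/"):
        print(u, evaluate(acl, u))
    print(block_response(acl))
```

Note that docs.example.com is allowed even though the deny list contains its parent example.com, and that the host-specific entry www.example.org leaves www2.example.org untouched, exactly the two precedence rules the text warns about.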
7 Routing
Routing contains: Gateway Policies, RIP (Routing Information Protocol) and Static Routes.
Any packet that goes through the firewall uses the firewall's routing tables. This means that even though a host may indicate a particular route, the firewall will instead use the routes set up in Routing to route the traffic. If Gateway Policies (POLICY BASED ROUTING) and appropriate firewall filters dictate, the gateway routing may also be altered.

Gateway Policies
Gateway Policies controls entry and exit routing for networks with multiple connections to the Internet or other external network. It contains controls for:
Gateway sharing
Policy-based routing
Source routing
Gateway failover
These features can provide alternative routing if your primary Internet connection has failed (gateway failover), distribute outbound connections evenly across multiple Internet connections (gateway sharing), or specify gateways for certain types of connections via indication in a filter (source and policy-based routing).
The default gateway is specifiable in Network Information. To specify additional gateways and routing policies related to them, use Gateway Policies. Gateway Policies will initially take the first gateway from the default route listed in Network Information. Further modifications to Gateway Policies cause it to override the default route listed in Network Information: GATEWAY 1 in Gateway Policies becomes the default route, regardless of the default route listed in Network Information.
By default, Gateway Policies gives priority to Gateway 1. Gateway sharing changes this default behavior, causing filter-selected traffic to be distributed among the available gateways. Policy-based routing and source-based routing may also change this default behavior, and override gateway sharing, by specifying gateway overrides on a per-connection basis, as indicated in your outbound filters.
When the gateway changes, the firewall logs a route change notification and sends an e-mail notification (if notification is enabled). Active Routes in System Activity will also be updated with the new gateway. If using only gateway failover (not sharing or policy-based routing), alternative gateways will deactivate once Gateway 1 becomes active again.
To define additional gateways:
1. Click Routing then Gateway Policies in the menu.
2. In GATEWAYS, enter additional gateways (the primary gateway you entered in Network Information should already appear as the first gateway).
3. If your additional gateway should be used for balancing the gateway traffic load, check the SHARING check box.
4. If your additional gateway should be used as a failover, check the FAILOVER check box and provide at least one beacon IP address.
5. Click SAVE.
Beacons are IP addresses used to determine if a gateway is available. The name derives from the technique of using returning ICMP ping messages to assess connection viability. Beacons must be no more than 5 hops (i.e. intermediate routers) from the gateway. Ping and traceroute can be used to find appropriate beacon IP addresses.
To use gateway failover:
1. Click Routing then Gateway Policies in the menu. (Additional gateways must be predefined, as described above.)
2. In the GATEWAY FAILOVER section, check ENABLE.
3. If desired, select NOTIFICATION for gateway changes and PING SECONDARY ONLY IF PRIMARY DOWN.
4. Check the FAILOVER option for the gateways you wish to use with gateway failover. Provide beacon IP addresses for those gateways.
5. Click SAVE.
Input Field/Button - Description
Gateway Failover
Enable - Switch on/off gateway failover capabilities.
Notification - E-mail the contact listed in Preferences when failover occurs.
Ping Secondary Only if Primary is Down - Ping the failover gateway only if pinging the primary gateway is unsuccessful.
Gateway Sharing
Enable - Switch on/off traffic connection balancing across gateways for which you have selected sharing.
Policy Based Routing
Enable - Switch on/off the ability to select a gateway for outbound filtered connections.
Source Routing
Enable - Switch on/off the ability to select a return gateway for incoming filtered connections.
Gateways
Name - Contains the index number of the gateway, indicating order of preference for failover.
Route - Indicate the IP address of the gateway.
Sharing - Switch on/off the option to share traffic load with this gateway (if gateway sharing is enabled).
Failover - Switch on/off the option to use this gateway as a failover (if gateway failover is enabled). Failover sequences occur by the index number of the gateway, as indicated in the NAME field.
Failover Beacons - Indicate pingable IP addresses that are within 5 hops of the gateway. GTA recommends that both beacons be specified to confirm when failover is necessary. For more information on selecting useful beacons, see Selecting Useful Beacons.
Default - Load the default single gateway defined in Network Information.
Save - Save and apply the Gateway Policies configuration.
Reset - Reload the last saved state of your Gateway Policies configuration.
Figure: Gateway Policies
To use gateway sharing:
1. Click Routing then Gateway Policies in the menu. (Additional gateways must be predefined, as described above.)
2. Check ENABLE in GATEWAY SHARING.
3. Check SHARING for the gateways that should share the traffic load.
4. Click SAVE.
5. Click Filters then Outbound.
6. Edit or create a filter. Position in the filter list matters (filters are evaluated in list order, and the firewall ignores further filters once a match is found), so place the filter at the top of the list if it must override all other outbound filter policies. See Filters for more information on creating a firewall filter.
7. Enter a description for your filter, e.g. Outbound Shared Gateway Connections.
8. Set the TYPE to Accept and the ROUTE to Sharing. If desired, specify other parameters to limit the connections that should receive gateway sharing treatment, e.g. restrict gateway sharing to only UDP traffic from the protected network.
9. Specify the DESTINATION PORTS a packet must match to receive gateway sharing treatment. Because some network applications assume a single gateway (for example, a web application that ties a login session to the client's public IP address breaks when successive connections leave through different gateways, and therefore different NAT addresses), this may not be possible for all protocols your network uses. Stateless network applications such as web pages (HTTP over TCP port 80) work best. Indicate only protocols/ports that are compatible with shared gateways.
10. Click OK then SAVE.
Figure: Insert Outbound Filter: Gateway Sharing
To use policy-based routing:
1. Click Routing then Gateway Policies in the menu. (Additional gateways must be predefined, as described above.)
2. Check ENABLE in POLICY-BASED ROUTING.
3. Click SAVE.
4. Click Filters then Outbound.
5. Edit or create a filter. Position in the filter list matters (filters are evaluated in list order, and the firewall ignores further filters once a match is found), so place the filter at the top of the list if it must override all other outbound filter policies. See Filters for more information on creating a firewall filter.
6. Enter a description for your filter, e.g. Policy-based Route: Use Gateway 2 for outbound UDP.
7. Set the TYPE to Accept and the ROUTE to your desired gateway. If desired, specify other parameters to limit the connections that should receive policy-based routing treatment, e.g. restrict your gateway policy to only UDP traffic on port 53.
8. Click OK then SAVE.
Figure: Insert Outbound Filter: Policy-based Routing
To use source-based routing:
1. Click Routing then Gateway Policies in the menu. (Additional gateways must be predefined, as described above.)
2. Check ENABLE in SOURCE ROUTING. With source routing enabled, connections with NAT will automatically be returned through the gateway according to their original source.
3. Click SAVE.
Source routing only applies to non-firewall connections with NAT applied. Passthrough and bridged connections do not receive source-based routing. Connections to firewall services such as the NTP and DNS proxies or the Mail Sentinel proxy also do not receive source-based routing.

Selecting Useful Beacons
Beacons determine if a route is accessible by testing accessibility of the beacons. Beacon IP addresses typically reside on the remote side of a WAN connection or beyond. Each beacon must be unique. GTA recommends using both beacons.
The Gateway Policies ICMP ping TTL (time to live) value is five; therefore, beacons can be no more than five (5) hops away. (Hops are intermediate network nodes such as routers or gateways.) A beacon more than five hops away will mark routes inaccessible, and Gateway Policies will perform improperly. One way to select a beacon is to test hop count with traceroute from each interface. Select the next one or two IP addresses in the trace past the gateway as beacons. Choose beacons that are expected to answer ICMP echo requests consistently; a beacon that rate-limits or filters ping causes spurious failovers.
The GTA firewall pings each beacon IP address every 0.5 seconds. When a beacon address does not respond for five (5) consecutive pings, i.e. 2.5 seconds, Gateway Policies considers the route down and switches to the next accessible failover route in the GATEWAYS list.

Gateway Policies and Bridging Mode
In order for gateway policies to function correctly in bridging mode, the host must use the IP address of the firewall's logical external network interface as its gateway. Source routing gateway policies cannot be applied while in bridging mode.
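The failover, sharing and policy-based routing behaviour described in this section, modelled as an added example (not GB-OS code): beacons are probed every 0.5 s with a TTL of 5, a gateway is considered down once a beacon misses five consecutive probes (2.5 s), failover proceeds by gateway index, traffic returns to Gateway 1 once its beacons answer again, and outbound filters are evaluated in list order with the first match deciding the ROUTE (Sharing, a specific gateway, or the default). Nothing is sent on the network: probe results, addresses (RFC 5737 ranges) and filters are constructed inline, a packet matching no filter is treated as dropped, and the class and function names are this example's own.

```python
"""Gateway Policies behaviour (added example, not GB-OS code)."""

BEACON_TTL = 5            # hops; a beacon farther away looks unreachable
PROBE_INTERVAL_S = 0.5
MISSES_FOR_DOWN = 5       # 5 misses * 0.5 s = 2.5 s


class Gateway:
    def __init__(self, index, address, sharing=False, failover=False, beacons=()):
        if failover and not beacons:
            raise ValueError("a failover gateway needs at least one beacon")
        if len(set(beacons)) != len(beacons):
            raise ValueError("each beacon must be unique")
        self.index, self.address = index, address
        self.sharing, self.failover = sharing, failover
        self.missed = {b: 0 for b in beacons}    # consecutive misses per beacon
        self.up = True

    def record_probe(self, beacon, replied):
        """Account for one probe of one beacon; returns the gateway state.
        Any beacon missing five in a row marks the route inaccessible (the
        guide notes a beacon beyond five hops does exactly this)."""
        self.missed[beacon] = 0 if replied else self.missed[beacon] + 1
        self.up = all(m < MISSES_FOR_DOWN for m in self.missed.values())
        return self.up


class OutboundFilter:
    """Minimal filter: TYPE, ROUTE and optional protocol/destination ports."""

    def __init__(self, description, ftype="accept", route="default",
                 protocol=None, dst_ports=()):
        self.description, self.ftype, self.route = description, ftype, route
        self.protocol, self.dst_ports = protocol, set(dst_ports)

    def matches(self, packet):
        if self.protocol and packet["proto"] != self.protocol:
            return False
        return not self.dst_ports or packet["dport"] in self.dst_ports


class GatewayPolicies:
    def __init__(self, gateways, failover=False, sharing=False, policy_routing=False):
        self.gateways = sorted(gateways, key=lambda g: g.index)   # index order
        self.failover_enabled, self.sharing_enabled = failover, sharing
        self.policy_enabled = policy_routing
        self.active = self.gateways[0]
        self.share_counter = 0
        self.log = []                    # route change notifications

    def default_gateway(self):
        """Gateway 1, or the next up gateway with FAILOVER set while it is down."""
        choice = self.gateways[0]
        if self.failover_enabled and not choice.up:
            for g in self.gateways[1:]:
                if g.failover and g.up:
                    choice = g
                    break
        if choice is not self.active:
            self.log.append("route change: gateway %d -> gateway %d"
                            % (self.active.index, choice.index))
            self.active = choice
        return choice

    def shared_gateway(self):
        """Round-robin over up gateways that have SHARING checked."""
        pool = [g for g in self.gateways if g.sharing and g.up]
        if not pool:
            return self.default_gateway()
        g = pool[self.share_counter % len(pool)]
        self.share_counter += 1
        return g

    def route(self, filters, packet):
        """First matching filter wins; None means the packet is not accepted."""
        for f in filters:
            if not f.matches(packet):
                continue
            if f.ftype != "accept":
                return None
            if f.route == "sharing" and self.sharing_enabled:
                return self.shared_gateway()
            if isinstance(f.route, int) and self.policy_enabled:
                for g in self.gateways:
                    if g.index == f.route and g.up:
                        return g            # policy route overrides sharing
            return self.default_gateway()  # ROUTE default, or chosen gateway down
        return None


def sample_policies():
    """Constructed three-gateway setup and an ordered outbound filter list."""
    gws = [Gateway(1, "203.0.113.1", failover=True, beacons=("198.51.100.1", "198.51.100.2")),
           Gateway(2, "203.0.113.65", sharing=True, failover=True, beacons=("198.51.100.65",)),
           Gateway(3, "203.0.113.129", sharing=True)]
    filters = [OutboundFilter("Policy-based Route: DNS via Gateway 2", route=2, protocol="udp", dst_ports={53}),
               OutboundFilter("Outbound Shared Gateway Connections", route="sharing", protocol="tcp", dst_ports={80}),
               OutboundFilter("Everything else via the default gateway")]
    return GatewayPolicies(gws, failover=True, sharing=True, policy_routing=True), filters
```

Reordering the filter list changes the outcome: if the catch-all filter were first, no packet would ever reach the sharing or policy-based entries, which is why the procedures above insist on placing overriding filters at the top.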
RIP
RIP (Routing Information Protocol) configures RIP on any network interface, and is typically used by routers to receive updated routing tables. RIP is a TCP/IP routing protocol defined by RFC 1058 (RIP version 1; RIP version 2 is defined by RFC 2453) that allows broadcasting and/or listening to routing information in order to choose the route for a packet that uses the fewest hops. Hosts using RIP select the routes that use the fewest hops, or select an alternate path if a route is down or has been slowed by high traffic. RIP is limited to 15 hops; a route with more than that is flagged as unreachable.
Caution
Most smaller network configurations do not benefit from RIP. Before using RIP, be aware that the protocol may decrease performance rather than help small networks, and that acceptance of improper RIP sources can compromise network security: any host whose RIP updates are accepted can redirect the firewall's traffic.
To use RIP version 2:
1. Select Routing then RIP. In the row for your desired RIP network, check ENABLE to enable RIP messages over that network. Select v2 from either the input or output field, or both, to indicate version 2 of the protocol. In the password fields, you may select a password type from the menu. None requires no password. Clear sends the password unencrypted in each RIP packet; MD5 uses keyed-MD5 authentication, in which the password is never transmitted but is used to compute a hash over each packet that the receiving router verifies.
Caution
Sending unencrypted (clear/plain) passwords exposes your RIP password to the network and any potential attackers on it, and therefore is not recommended by GTA. A clear-text password also does nothing to stop route injection by anyone who can read it off the wire.
2. Enter a password into the text box. If you selected MD5, you must also enter a Key ID; the password acts as the pre-shared secret for the keyed hash and is never sent on the wire. If you selected None, leave the field alone.
RIP is disabled by default on GB-OS, so routing information to redirect packets is not accepted from external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for either RIP version 1 or 2.
Field - Description
Enable - Enable RIP on the selected interface. If connected to a remote firewall, the RIP facility will not start until the section is saved. Disabled by default.
Advertise Default Route - Advertise the default route (gateway) on any protected network or PSN on which RIP is enabled.
Interface - Lists all configured network interfaces available for RIP.
Enable (per interface) - Enables RIP on the specified network interface. Each interface may be independently configured to accept/export RIP information.
Input/Output - Controls how RIP is implemented. Input determines which version of RIP will be accepted from other routers; Output determines which version will be exported or broadcast. The choices are: None (RIP is not accepted or exported), V1 (version 1 is accepted or exported), V2 (version 2 is accepted or exported), Both (both versions are used). Note that RIP version 1 carries no authentication, so selecting V1 or Both for Input admits unauthenticated updates.
Password Type - Type of authentication that will be used. If a type is selected, the password field is enabled. Types are None, Clear and MD5. RIPv2 only.
Password - Password that must be presented to exchange routing information through RIPv2.
Key ID - Key ID for the password (MD5).
Figure: RIP
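An added example (not GB-OS code) of what "acceptance of improper RIP sources" means at the packet level: a parser for RIPv2 updates and a vetting step that rejects updates from unlisted neighbours, RIPv1 packets, and packets lacking the required authentication type. The wire format follows RFC 2453 (4-byte header of command, version and two zero bytes; 20-byte entries of address family, route tag, address, mask, next hop, metric) and the authentication entry follows RFC 2453/2082 (address family 0xFFFF; type 2 = clear-text password, 3 = keyed MD5, 1 = the MD5 digest trailer). Only clear-text authentication is built here, which is enough to show the password sitting in the packet; the MD5 digest computation is not implemented. Sample packets, the neighbour list and all names are constructed for this example.

```python
"""RIPv2 parsing and neighbour vetting (added example, not GB-OS code)."""
import struct
import ipaddress
from dataclasses import dataclass

RIP_RESPONSE, RIP_V2 = 2, 2
AF_INET, AF_AUTH = 2, 0xFFFF
AUTH_TRAILER, AUTH_CLEAR, AUTH_MD5 = 1, 2, 3
RIP_INFINITY = 16          # metric 16 means unreachable (15-hop limit)


@dataclass
class RouteEntry:
    prefix: str
    next_hop: str
    metric: int


@dataclass
class RipPacket:
    command: int
    version: int
    auth: tuple            # None, ("clear", password) or ("md5", key_id)
    entries: list


def build_rip_response(routes, clear_password=None):
    """Build a RIPv2 response; routes is [(prefix, metric), ...]."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    if clear_password is not None:
        pw = clear_password.encode()
        if len(pw) > 16:
            raise ValueError("RIPv2 clear-text passwords are at most 16 bytes")
        # The password is copied into the packet as-is: anyone on the wire reads it.
        pkt += struct.pack("!HH", AF_AUTH, AUTH_CLEAR) + pw.ljust(16, b"\0")
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!HH", AF_INET, 0) + net.network_address.packed
        pkt += net.netmask.packed + b"\0" * 4 + struct.pack("!I", metric)
    return pkt


def parse_rip(packet):
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("bad RIP length")
    command, version, zero = struct.unpack("!BBH", packet[:4])
    if zero:
        raise ValueError("reserved header bytes must be zero")
    auth, entries = None, []
    for off in range(4, len(packet), 20):
        afi, tag = struct.unpack("!HH", packet[off:off + 4])
        body = packet[off + 4:off + 20]
        if afi == AF_AUTH:
            if tag == AUTH_CLEAR:
                auth = ("clear", body.rstrip(b"\0").decode(errors="replace"))
            elif tag == AUTH_MD5:
                auth = ("md5", body[2])        # key ID follows the 2-byte length
            elif tag != AUTH_TRAILER:           # digest trailer carries no route
                auth = ("unknown", tag)
            continue
        addr, mask, nh, metric = struct.unpack("!4s4s4sI", body)
        net = ipaddress.ip_network("%s/%s" % (ipaddress.ip_address(addr),
                                              ipaddress.ip_address(mask)), strict=False)
        entries.append(RouteEntry(str(net), str(ipaddress.ip_address(nh)), metric))
    return RipPacket(command, version, auth, entries)


def vet_update(source_ip, packet, allowed_neighbours, required_auth="md5"):
    """Return (accepted routes, withdrawn prefixes, rejection reasons)."""
    pkt = parse_rip(packet)
    reasons = []
    if source_ip not in allowed_neighbours:
        reasons.append("source %s is not a configured RIP neighbour" % source_ip)
    if pkt.command != RIP_RESPONSE:
        reasons.append("only response packets carry routes")
    if pkt.version != RIP_V2:
        reasons.append("RIPv1 updates cannot be authenticated")
    kind = pkt.auth[0] if pkt.auth else "none"
    if required_auth != "none" and kind != required_auth:
        reasons.append("expected %s authentication, got %s" % (required_auth, kind))
    if reasons:
        return [], [], reasons
    good = [e for e in pkt.entries if 0 < e.metric < RIP_INFINITY]
    withdrawn = [e.prefix for e in pkt.entries if e.metric >= RIP_INFINITY]
    return good, withdrawn, []
```

A default route (0.0.0.0/0) announced by an unlisted neighbour is the classic abuse: without the source and authentication checks, the firewall would start forwarding all external traffic to the attacker's next hop.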
Static Routes
Static Routes defines static paths between one internal subnet and another, instead of automatically treating non-subnet traffic as outbound and routing it to the gateway. Static routes supersede the default gateway defined in Network Information (or in Gateway Policies, if it is enabled). By default, a firewall does not run routing information protocols such as RIP, so a static route allows traffic to move along a specific path across the network without broadcasting routing information.
Defining a static route is useful when there is a router between different parts of an internal network, creating multiple subnets within your internal network. Without a static route, the firewall routes all traffic outside its own subnet mask range to the gateway, even if it should be directed to a different subnet on the internal network. Traffic then does not travel the most efficient path; additionally, internal-bound traffic may not be able to reach its destination IP after it is routed to an external network via the gateway. Static routes solve this problem by diverting internal traffic back to the appropriate internal subnet before it reaches a gateway. Using a static route, the firewall correctly routes internal multi-subnet traffic to other internal IPs.
Field - Description
Index - Number indicating the order of route application.
Network IP Address - IP address(es) whose traffic will be subject to the static route, either by selecting the appropriate interface object in the drop down box or by selecting Use IP Address and entering the address and subnet mask, in either CIDR (slash) notation or dotted decimal.
Gateway - IP address of the next-hop gateway selected for this static route.
Figure: Static Routes
8 Objects
Objects defines commonly-used blocks of IP addresses and domains in the firewall configuration. By using these references to a single set of information, you can reduce configuration errors associated with repeated information entry. Objects also simplify configuration changes: changing the object effectively changes all places in the configuration where the object is used. The Objects section includes Addresses, Traffic Shaping and VPN Objects. Object names may not have a number as the first character.

Addresses
Addresses displays the name and description of all defined address objects. The members can be a single IP address (host), a range of IP addresses, a subnet specified by an IP address and subnet mask, or another address object. See product specifications for the maximum number of address objects available on a specific model.
To use address objects, click Objects then Addresses in the GB-OS web user interface. Click the + (add) button to add an address object, the check button to modify an existing object, or the delete button to delete an object.
Configuration data does not receive automatic updates when an object name is changed, but retains references with the old, invalid name; as a result, connections maintained by that object may be lost when an object name is changed. To change an object name without losing connectivity: copy the object, save it with a different name, enable it, then change the parts of the configuration that reference it. You may then delete the original object.
Edit the address object to add information to the DESCRIPTION field. Click the OK button, then the SAVE button.
Field - Description
Name - Unique name by which the object will be referenced. Name cannot begin with a number.
Description - Description of the address object.
Object - Previously defined interface or address object as a member of this object.
IP Address - IP address/subnet mask to be included in this object. Use this field if Use IP address was selected in the OBJECT field.
Figure: Addresses
A DESCRIPTION field is available with each address object entry. Functional or administrative notes can be stored here for each object, creating a documented firewall configuration.
To define how the object will be used, select a category from the TYPE box while editing or creating an object. For example, an Abuse type address object could be used in the configuration where a mail abuse prevention system (MAPS) is called for.
Type - Description
Abuse - An IP address or domain name of a MAPS server, used only in the Mail Sentinel proxy.
Domains - An IP address or domain name of any server when used as an SMTP source or recipient in the Mail Sentinel proxy; an account when used as a quarantine in the Mail Sentinel proxy.
Servers - An IP address or domain name of the destination SMTP server in the Mail Sentinel proxy. Entry of both the primary and the secondary mail exchange (MX) server is recommended.
IP Addresses - An IP address used in any firewall filter. Domain names are not accepted by many firewall filters, and should not be used here.
ALL - An IP address or domain name used throughout the firewall configuration.
To add members (server IP addresses, etc.) to the object, select a previously defined interface or address object from the OBJECT drop down menu, and select a Type from its drop down menu. The type you choose determines where the object may be used and what members are valid entries for the object. Servers type address objects require single IP addresses or domain (host) names; IP address ranges and regular expressions may not be used, as a regular expression or IP address range may describe multiple hosts. Likewise, quarantine address objects require that a single account address be listed without using regular expressions. To avoid slow-downs associated with DNS lags or time-outs, specify hosts by IP address instead of domain name; a member given as a domain name is also only as trustworthy as the DNS answer the firewall receives for it.

Edit Address Object
In GBAdmin, select the Address Objects line and click ADD (+) to add a new address object. This creates a new object in the address object list and brings up a dialog in which to enter the NAME and DESCRIPTION field values. To edit this dialog at any time, select the object and double- or right-click. To add a member to the address object, select the address object and click ADD (+). This adds a new member to the address object. To edit the member, click an object field and enter an IP address/subnet mask or range. Click OK.
Figure: GBAdmin - Scrolling Menu - Address Objects
Using Regular Expressions
Figure: GBAdmin - Edit Address Objects
Domain names can be entered in the ADDRESS field for an address object. Sets of domain names can also be specified by using special characters to denote the patterns as regular expressions. Most firewall filtering rules will only require the use of two regular expression characters: the asterisk and the question mark. The * (asterisk) character matches any number of characters of any type, while a ? (question mark) character matches exactly one character of any type. Advanced users may wish to specify more complex matching rules for domain names. To activate the full regular expression character set, begin the domain name entry with the ^ (caret) character.
Sample Regular Expression Address Entries
Entry - Sample Matches - Description
example.com - example.com - Match the exact listing only. Sub-domains or variants do not match.
?xample.com - example.com, axample.com - Any one character in place of the wild-card triggers a match; the domain must end in xample.com. Sub-domains do not match, but first-letter variants match.
*.com - example.com, gta.com - Any series of characters in place of the wild-card triggers a match; the domain must end in .com. All commercial domains and their sub-domains match.
*.example.com - time.example.com, mail.example.com - Any series of characters in place of the wild-card triggers a match; the domain must end in .example.com. Any sub-domains match.
^(.+\.)*example.com - time.dev.example.com, mail.sales.example.com - Any series of characters can begin the pattern, followed by a period, followed by any series of characters, followed by a period; the domain must end in example.com. Any second-level or greater sub-domains match.
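The translation rules in the table, implemented as an added example (not GB-OS code): * becomes "any run of characters", ? becomes "exactly one character", every other character is literal (so the dot in example.com does not match an arbitrary character), and an entry beginning with ^ is taken as a full regular expression. Two assumptions of this example: an entry must describe the whole domain name (anchored at both ends), and comparison is case-insensitive. TABLE_EXAMPLES reproduces the guide's rows so the translation can be checked against them.

```python
"""Address-object domain pattern matching (added example, not GB-OS code)."""
import re


def address_pattern_to_regex(entry):
    """Compile an address-object entry into a regular expression."""
    if entry.startswith("^"):
        return re.compile(entry, re.IGNORECASE)      # full regex, as entered
    out = []
    for ch in entry:
        if ch == "*":
            out.append(".*")                        # any run of characters
        elif ch == "?":
            out.append(".")                         # exactly one character
        else:
            out.append(re.escape(ch))               # '.' stays a literal dot
    return re.compile("".join(out), re.IGNORECASE)


def entry_matches(entry, domain):
    """True if the whole domain name satisfies the entry (assumed anchoring)."""
    return address_pattern_to_regex(entry).fullmatch(domain.rstrip(".")) is not None


def first_matching_entry(entries, domain):
    """An address object holds several entries; return the first that matches."""
    for e in entries:
        if entry_matches(e, domain):
            return e
    return None


# (entry, domains that should match, domains that should not), from the table
TABLE_EXAMPLES = [
    ("example.com", ["example.com"], ["www.example.com", "axample.com"]),
    ("?xample.com", ["example.com", "axample.com"], ["www.example.com", "xample.com"]),
    ("*.com", ["example.com", "gta.com", "mail.example.com"], ["example.org"]),
    ("*.example.com", ["time.example.com", "mail.example.com"], ["example.com"]),
    (r"^(.+\.)*example.com", ["time.dev.example.com", "mail.sales.example.com"], ["example.org"]),
]


def verify_table():
    """Return (entry, domain, expected) triples that do not behave as the table says."""
    failures = []
    for entry, yes, no in TABLE_EXAMPLES:
        failures += [(entry, d, True) for d in yes if not entry_matches(entry, d)]
        failures += [(entry, d, False) for d in no if entry_matches(entry, d)]
    return failures


if __name__ == "__main__":
    print("table rows that disagree:", verify_table())
    print(first_matching_entry(["example.com", "*.example.com"], "mail.example.com"))
```

Note how broad *.com is when used in an allow list: it admits every name ending in .com, which is rarely what a policy intends. An entry such as example.com, by contrast, matches nothing but that exact name, so a separate *.example.com entry is needed to cover the hosts beneath it.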
Figure: Insert Address Object - with Regular Expressions
Default Address Objects
GB-OS has seven default address objects. The ANY_IP address object is required, so it can be viewed and its description modified, but it cannot be deleted; the other default objects may be copied or modified. To return the address objects list to this default configuration, click the DEFAULT button and save the section.

Traffic Shaping (Bandwidth Limiting)
Traffic shaping objects allow the administrator to allocate available bandwidth for specific filters and tunnels by defining a bandwidth pipe that can be applied to connections through the use of filters and tunnels. The default object does not restrict traffic, allowing traffic to use all available bandwidth, first come, first served. If traffic shaping is enabled, the default object cannot be disabled.
Enable Traffic Shaping by selecting the check box at the top of the list screen. The default object will be enabled. Add the first object by clicking the down arrow button, and any additional objects by using the ADD (+) button. Other traffic shaping objects can be disabled individually.
A filter or tunnel using a traffic shaping object restricts users to the amount of bandwidth specified. All users affected share the allocated bandwidth; filters and tunnels can be defined to command more or less of the allocated or available bandwidth by selecting a weight for each of the filters using the same traffic shaping object.

Weight vs. Priority
Figure: Traffic Shaping - Default
The weight applied to a filter or tunnel when using a traffic shaping object is similar to, but not the same as, priority. Two connections with different priorities use the connection one at a time, the one with the highest priority first. A connection with a higher weight applied to its matching filter or tunnel, on the other hand, uses a higher percentage of the available bandwidth while still allowing the lower-weight connection a (smaller) percentage of it. Weight 10 receives the greatest share and weight 1 the smallest share of the available bandwidth.

Using Traffic Shaping
Traffic shaping objects can be used in remote access, passthrough or outbound filters and in inbound tunnels. The following example shows the use of a traffic shaping object in an outbound or IP passthrough filter and in an inbound tunnel. The example traffic shaping object is intended to limit the bandwidth that slow FTP connections can use, allowing other, faster traffic more bandwidth.
1. Create a traffic shaping pipe.
Field - Description
Disable - Disable the defined object. Disabled by default.
Description - Description of the traffic shaping pipe.
Name - Name by which the object will be referenced.
Bandwidth - Number of kilobits (Kb), kilobytes (KB) or megabytes (MB) to which filters or tunnels using this pipe will be restricted. Bandwidth entered in KB or MB is translated to kilobits, e.g. entering 2000 KB is translated to 16,000 Kb. The largest bandwidth that can be specified is 1,000,000 Kb. A 0 indicates that the object allows unlimited use of the available bandwidth.
Figure: Insert Traffic Shaping Pipe - Slow FTP
2. Create an outbound or passthrough filter for the piped traffic. In the filter, select the traffic shaping object previously created. The filter will then restrict all inbound and outbound packets that match it, including the virtual crack opened for the FTP data connection, to the size of the traffic shaping pipe.
3. Select a weight for the connection. The weight selected will prioritize the connections that match the filter.
Figure: Insert Pass Through Filter - Slow FTP
4. Create an inbound tunnel for your bandwidth-limited connection. (Other protocols can be added to the inbound tunnels list by adding the protocol/port number combination in IP Protocols under Filters.) In the inbound tunnel, select the traffic shaping object previously created. The tunnel will then restrict all inbound and outbound packets, including the virtual crack opened for the FTP data connection, to the size of the traffic shaping pipe.
5. Select a weight for the connection. The weight selected will prioritize the connections that match the tunnel.
Figure: Insert Inbound Tunnel - Slow FTP

VPN Objects
VPN Objects displays all defined VPN configuration objects. A VPN object configures how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior is acceptable to your GTA firewall. A VPN configuration object must be applied to an Authorization (either Users or VPNs) and coupled with remote access and passthrough filters to take effect on the VPN gateway (GTA firewall).

Default VPN Objects
Four VPN objects exist by default:
IKE
Manual
Mobile
Dynamic
To reset the firewall to these factory default VPN objects, click DEFAULT.
Figure: VPN Objects

Which VPN Object Is Used?
Depending on whether your GTA firewall has a static or dynamic (DHCP / PPP) IP address, different parts of the VPN objects are used to initiate a VPN connection.
If both VPN gateways have static IP addresses:
1. Each uses the VPN object selected in its Authorization configuration.
If an initiating VPN gateway (or mobile VPN client) has a dynamic IP address:
1. The dynamically-addressed initiator uses the selected VPN object, except that it requires Aggressive for its EXCHANGE MODE.
2. The statically-addressed responder uses the selected VPN object, except that it ignores that object's PHASE I settings and instead uses the PHASE I configuration from the Dynamic VPN object. For this reason, GTA recommends that the Dynamic VPN object be edited with extra care, because a change to it affects every dynamically-addressed VPN setup at once.
Figure: Edit VPN Object - Dynamic VPN (Default)
Configuring a VPN Object
Appropriate VPN configuration objects vary with the type of VPN connection and your security policies. GTA firewalls use the IPSec VPN standard (RFC 2401) set by the IETF. For more information, see the VPN Option Guide.
Insert/Edit VPN Object

Disable: Switch on/off the ability to use this VPN configuration.

Description: Describe the contents or purpose of the configuration.

Name: Name the configuration with a unique string.

Authentication Required: Require pre-authentication using GBAuth, LDAP or RADIUS. Authorization must be configured with the appropriate remote access filter in place. See the VPN Option Guide for more information.

Local Gateway: Select an IP address, alias or H2A group assigned to an external network interface on the local firewall that will serve as the VPN gateway. (To the second VPN gateway or mobile client, this IP address is the remote gateway.) This is the visible, non-encapsulated, non-encrypted IP address.

Force Mobile Protocol: Switch on/off forced negotiation suited to VPNs involving dynamic IP addresses, including VPN gateways with dynamic (DHCP or PPP) IP addresses.

Local Network: Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Alternatively, enter the IP address(es) in the IP ADDRESS field.

IP Address: Enter the host/subnetwork that should be accessible from the VPN. Typically this is some range of hosts on the protected network or PSN. Alternatively, select the address object in the LOCAL NETWORK pull-down menu.

Phase I

Force NAT-T: Switch on/off forced use of NAT-T for connections that do not require it (connections that do not pass through a NAT device that blocks IKE).

Exchange Mode: Specify flexible (Main) or forced (Aggressive) negotiation of acceptable encryption algorithms for IKE. Aggressive mode is required if one component of the VPN has a dynamic (DHCP or PPP) IP address, such as a dynamically-addressed VPN gateway or a mobile VPN client. Aggressive mode exchanges peer identities before encryption is established and gives up some of Main mode's protection, so use it only where a dynamic address makes Main mode impossible.

Local Identity: Specify the IP address, domain name or email address value that the LOCAL GATEWAY should use to identify itself to the remote gateway or mobile VPN client. If you elect to use an IP address or domain name but do not provide one in the accompanying text field, the firewall will use the IP address or domain name indicated in Network Information.

Encryption Method: Specify the encryption algorithm that this firewall should accept during an incoming VPN initiation request (IKE). Strong encryption allows use of any encryption algorithm, a suitable selection when specifying Main EXCHANGE MODE. (GTA firewalls initiate Phase I with 3DES encryption by default.) Accepting any algorithm lets the peer choose the weakest one the firewall supports; where you control both peers, name a specific algorithm instead.

Hash Algorithm: Specify which one-way hash algorithm should be used to provide packet tampering checks in the Phase I (IKE) authentication header. All allows use of any hash algorithm. (GTA firewalls initiate Phase I with HMAC-SHA1 hashes by default.)

Key Group: Specify which Diffie-Hellman key group (bit size of the key) to use in IKE host authenticity keys. (GTA firewalls initiate Phase I with 1,024-bit/group 2 keys by default.)

Lifetime: Specify the length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.

DPD Interval: Specify the interval in seconds between checks for continued viability of the VPN connection (also known as dead peer detection). To disable DPD queries made by this firewall, set the interval to 0; the firewall will still respond to DPD signals from other VPN gateways and clients, but will not initiate any signals of its own.

Phase II

Encryption Method: Specify the encryption algorithm that this firewall should accept for VPN data transfers (ESP). Strong encryption means that any algorithm except None and Null will be accepted from the VPN initiator. Null provides IP encapsulation but no encryption; None provides neither encryption nor encapsulation. Null provides no security benefits, but is useful to transport non-IP protocols when using NAT between firewalls. (GTA firewalls initiate Phase II with AES-128 encryption by default.)

Hash Algorithm: Specify which one-way hash algorithm should be used to provide packet tampering checks in the Phase II authentication header. All allows use of any hash algorithm. None provides no authenticity checks on the connection, leaving the traffic open to undetected modification; do not use it for production traffic. (GTA firewalls initiate VPNs with HMAC-SHA1 hashes by default.)

Key Group: Specify which Diffie-Hellman key group (bit size of the key) to use in Phase II host authenticity keys. (GTA firewalls initiate Phase II with 1,024-bit/group 2 keys by default.) Perfect forward secrecy (PFS) can be used to limit the amount of data vulnerable if an individual key is cracked.

Lifetime: Specify the length of time in minutes before the Phase II security associations must be renewed. This time must be smaller than the Phase I lifetime. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.

Back: Return to the list of VPN objects.

Copy: Copy this VPN configuration object for pasting into another VPN object.

Paste: Paste the previously copied VPN object settings into this VPN object. This button appears only if you have first used COPY to indicate pastable VPN object data.

OK: Confirm this VPN configuration object and return to the list of VPN objects. This does not save or apply the configuration data! To save or apply this VPN object, return to the list of VPN objects and click SAVE.

Reset: Reload a copy of this VPN configuration object from its last saved state.

Figure: Edit VPN Object - IKE (Default)
About Phase I

Phase I establishes VPN peer identities (keys) that can be tested for authenticity and establishes initial security associations (SAs) correlating hosts to encryption methods, securing further VPN negotiation (such as the establishment of IPSec SAs). Phase I settings are only used to protect the VPN negotiation / setup communications, and not actual transfers of user data.

During Phase I, each peer combines the Diffie-Hellman group's prime and generator with a secret random number to produce a public value. The peers exchange these public values, and each combines the peer's public value with its own secret to arrive at the same shared secret. An observer who sees only the public values cannot feasibly recover the shared secret (the discrete logarithm problem in the chosen group), so the shared secret can protect the rest of the exchange. Diffie-Hellman by itself does not identify the peer: the authentication credential configured for the VPN (such as a pre-shared key or certificate; see the VPN Option Guide) is bound into the exchange to prove host authenticity. (Increased computational power means that a key may eventually be computed; this is why the keys of both VPN phases must be periodically regenerated, and why the lifetime settings exist.)

Once Diffie-Hellman key exchanges have been performed (automatically with IKE or manually), these temporary keys are used to prove the authenticity of hosts requesting the encryption and hash methods to be used during Phase II negotiations. Automatic key exchange (IKE) uses Phase I settings during its automatic negotiations. Manual key exchange does not use Phase I settings, because the firewall does not provide automatic negotiations in manual mode.

About Phase II

Phase II uses the host authenticity and the agreed initial hash and encryption established in Phase I to protect secondary negotiations for authenticity, data integrity and confidentiality settings; these secondary settings are used in the actual transfer of user data. Using the temporary protection mechanisms devised during Phase I, Phase II again performs negotiations for keys, hashes and encryption that will be used to protect the transfer of actual user data.

GTA firewalls always use replay detection and PFS (perfect forward secrecy). When communicating with a third-party VPN gateway or VPN client, enable PFS and replay detection in the third-party device/software's configuration. PFS ensures that an attacker cannot use a compromised session key to compromise future data transfer sessions, thus limiting the effectiveness of an individual successful attack. Replay detection ensures that an attacker cannot re-send captured legitimate packets: each ESP packet carries a sequence number, and the receiver keeps a sliding window that rejects duplicates and packets arriving too far out of order.
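The Phase I key agreement and the PFS property described above, as an added example that is not part of this guide or of GB-OS itself. It uses the RFC 2409 group 2 modulus (the guide's default key group) with Python's built-in modular exponentiation, and a simplified HMAC-SHA1 key schedule modeled on RFC 2409 pre-shared-key mode; the pre-shared key, nonces, SPI and protocol value are constructed for the demonstration. The last function models an attacker who recorded every IKE message and later obtains the Phase I secret: without PFS every Phase II key follows from it, with PFS it does not.

```python
import hashlib
import hmac
import secrets

# IKE key group 2: the 1024-bit MODP prime and generator 2 from RFC 2409 (the guide's
# default Phase I/II key group). Assumed transcribed correctly; verify against the RFC.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2


def dh_keypair(p=GROUP2_P, g=GROUP2_G):
    """Pick a secret exponent x and publish g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=GROUP2_P):
    """Both peers compute the same g^xy mod p from their own secret and the peer's public value."""
    return pow(peer_public, private, p)


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key, data):
    # HMAC-SHA1, the guide's default IKE hash. Simplified key schedule (assumption, not GB-OS code).
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_secret(psk, gxy, nonce_i, nonce_r):
    """SKEYID_d: the Phase I secret from which Phase II (IPsec SA) keys are derived."""
    skeyid = prf(psk, nonce_i + nonce_r)
    return prf(skeyid, to_bytes(gxy) + b"\x00")


def phase2_key(skeyid_d, pfs_gxy, nonce_i2, nonce_r2, protocol=b"\x32", spi=b"\x00\x00\x00\x01"):
    """Phase II key. With PFS a fresh DH secret is mixed in; without PFS only public nonces are."""
    fresh = to_bytes(pfs_gxy) if pfs_gxy is not None else b""
    return prf(skeyid_d, fresh + protocol + spi + nonce_i2 + nonce_r2)


def attacker_recovers_phase2_key(pfs):
    """Threat model: the attacker recorded every IKE message (nonces, DH public values)
    and later obtained SKEYID_d. Can it compute the Phase II key?"""
    psk = b"constructed-demo-preshared-key"    # constructed credential
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    gxy = dh_shared(xi, gr)
    assert gxy == dh_shared(xr, gi)            # both peers agree on the Phase I secret
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid_d = phase1_secret(psk, gxy, ni, nr)

    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    pfs_secret = None
    if pfs:
        xi2, gi2 = dh_keypair()
        xr2, gr2 = dh_keypair()
        pfs_secret = dh_shared(xi2, gr2)       # attacker sees only gi2 and gr2
    real_key = phase2_key(skeyid_d, pfs_secret, ni2, nr2)
    # The attacker holds skeyid_d and the nonces but no Phase II secret exponent,
    # so the best it can do is derive without the fresh DH secret.
    attacker_key = phase2_key(skeyid_d, None, ni2, nr2)
    return attacker_key == real_key


if __name__ == "__main__":
    print("PFS off, attacker recovers Phase II key:", attacker_recovers_phase2_key(False))
    print("PFS on,  attacker recovers Phase II key:", attacker_recovers_phase2_key(True))
```

The point the lifetime fields make is visible here: a long Phase I lifetime widens the window in which a leaked SKEYID_d is useful, and PFS is what keeps that leak from reaching the data keys.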
Chapter 9 Filters

Filters contains Outbound, IP Protocols, Preferences, Remote Access and Time Groups. Filters control access to and through the firewall, providing fundamental firewall functionality. Outbound and remote access filters are created in the Filters section, while pass through filters are created in the Pass Through section. Most automatic filter options are not directly defined by the user: inbound tunnels can be configured by checking the AUTOMATIC ACCEPT ALL FILTER check box; stealth mode can be turned on or off in Preferences.

Outbound, remote access and pass through filters are defined using the same screen layout and process. Use the information on filter management and fields at the beginning of this chapter to create outbound, remote access and pass through filters.

Managing Filters

Outbound, remote access and pass through filters use the same mechanisms for filter configuration.

Filter Sets

A filter set is all filters of a given type. The order of the set is important. Each packet is compared to the appropriate set starting at the first filter (index 1). The packet is compared sequentially against each filter until one of two events occurs:

1. A filter is matched. The packet is either accepted or denied based on the filter definition, the actions associated with the filter are performed, and no later filter is consulted.
2. No filter is matched and the filter list is exhausted. In this case the packet is denied.

Because the first match wins, a broad filter placed early in the set shadows every more specific filter after it; put specific accept and deny filters before general ones.

Filters are color-coded on the web interface and in GBAdmin: green for acceptance, red for denial, grey for disabled filters.

Tips for Using Filters

Once you have completed Network Information, you can use the DEFAULT button to auto-configure an initial set of filters according to the defined configuration. Auto-configured filters will be left disabled or enabled according to their factory default (the most secure setting). The DEFAULT button does not reset to original factory filters.
When a filter set is auto-configured, the filters do not retain manual changes. If you have custom filters you wish to save, either create new filters manually or print a copy of your configuration before auto-configuration to use in restoring custom filters.

Changes to filters will not be effective until the section is saved. If you leave the filter or filter set without saving, changes will be lost.

The COPY function can be used to copy the definition of one filter and apply it to a new blank filter. To copy a filter definition into the copy/paste buffer, click on the EDIT button of the filter you wish to copy. Once it is displayed, click the COPY button. Return to the filter list, insert a new filter in the desired location and click PASTE.

Combining multiple filters can be useful and efficient when they share similar criteria. This most often occurs when all the filter parameters are the same except for the destination port. Filters commonly combined are for SMTP, FTP and HTTP, since these are all TCP-based protocols and are often served from the same computer.
Filter Fields

Description: Description of the filter for reference. Any filters generated by the system will have descriptions with a label such as PROXY or NO RIP.

Disable: Check to disable the selected filter.

Type: Accept or deny the packet type.

Interface: Logical interfaces. The specified interface is matched against the interface on which the IP packet arrived. <ANY> will match any interface.

Protocol: TCP, UDP, ICMP, IGMP, ESP, AH, ALL, or any other protocol defined in IP Protocols can be selected to match against the packet. If ALL is selected, no destination or source ports may be specified. Using NAT, only TCP, UDP and ICMP can be used with a Deny filter. Using IP Pass Through, all protocols can be used with either filter type.

Priority: User-defined notice sent with the alarm event.

Authentication Required: Authentication allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection. By default, GTA's user authentication is served on TCP port 76.

Actions: Actions to notify the administrator about a filter alarm: Alarm, Email, ICMP, Pager, SNMP, Stop Interface.

Log: Yes, No, and Default. Default is the value defined in the Filter Preferences section.

Coalesce: Coalescing blends similar data into a single log event, keyed on source address/ports and destination address/ports. Enabled by default in new and auto-configured filters. INTERVAL in Filter Preferences is a global option for all coalescing; set the interval to zero (0) to turn off all coalescing. Coalescing selected in Filter Preferences applies only to Automatic Filters.

Time Based: Make the filter operate at a specified time.

Time Group: Time parameters for the filter. ??? means no time group has been selected.

Traffic Shaping: Object that defines the pipe to apply to this filter. The Default traffic shaping object allows unlimited access to the available bandwidth. (Traffic shaping must be enabled under Objects then Traffic Shaping.)

Weight: Priority when accessing the pipe's allocated bandwidth. A weight of 10 has the highest priority and 1 the lowest.

Source Address Range: IP address of the packet. The selected IP address or object will be matched against the source IP address of the packet.

Source Ports: Choose a range of ports to which this filter will apply: single or multiple ports, or a range of ports. Leave blank to allow any source port to be accepted. The source port for most client protocols is a random (ephemeral) value chosen by the sender, so a source-port restriction rarely matches client traffic and, because the sender controls it, offers no security on its own. Specified Source Ports are matched against the source port of the IP packet. For port numbers, see the Ports and Services section of the Appendix.

Destination Address Range: IP address of the packet. The selected IP address or object will be matched against the destination IP address of the packet.

Broadcast: Select if this is a broadcast destination.

Destination Ports: Choose a range of ports. Often called services. Well-known services were assigned dedicated port numbers ranging from 0 to 1023, but many services have since been assigned numbers outside this range. See Source Ports, above, for more information.

Outbound Filters

Outbound controls access from hosts on protected networks and PSNs to external IP addresses, and from protected network hosts to PSNs and other protected networks. TCP, UDP, ICMP, IGMP, ESP, AH or any other protocol defined in IP Protocols can be matched against the packet.
Exclusion takes priority for both inbound and outbound packets: that which is not explicitly allowed is denied. The rule is explicitly listed by the last default outbound filter in Outbound in version 3.5 and higher. The factory default set of outbound filters allows all IP addresses on the protected network to access any IP address and service external to the protected network. If a PSN interface exists, a similar outbound filter will be auto-configured that allows all access to the external network but not to the protected network. These filters can be modified or deleted according to local network security policy.

Figure: Outbound Filters
Figure: Insert Outbound Filter

IP Protocols

IP Protocols defines the protocols available when creating filters. Administrators can explicitly deny a protocol in order to generate log entries for it. Denial of all packets not explicitly allowed, combined with default logging of all rejected packets, can make unknown protocol log events too numerous. Identifying IP protocols can reduce the number or vagueness of these events.

To define a protocol, enter the acronym of the protocol in the NAME field and its IP protocol number (the value carried in the IP header's protocol field, not a TCP or UDP port) in the NUMBER field. After the protocol has been defined, create and enable an appropriate filter to deny the protocol, then either log the event or prevent its logging.

By default, IP Protocols contains IGMP (IP protocol 2), GRE (IP protocol 47), ESP (IP protocol 50) and AH (IP protocol 51). Defaulting the IP Protocols section will delete customized protocols and restore these defaults. Remove protocols by deleting the field entries and clicking the SAVE button. Protocols are listed in order by protocol number.
Figure: IP Protocols

Preferences (Filters)

Preferences under Filters globally defines most logging and filter options for user-defined filters in one location, as well as enabling or disabling stealth mode. Logging options for automatic filters, tunnel connections (opens and closes) and filter blocks may be selected. ICMP packets dropped by stealth mode can be logged.

DEFAULT LOGGING options are used when the Default option is selected in a filter definition's LOG field, allowing the event selected to be logged whenever the filter is activated. All protocols are logged by default.

Automatic filters are generated by the firewall to allow expected events such as response packets from DNS queries and mail servers. Automatic filters can be logged and disabled. GTA recommends disabling automatic filters only for troubleshooting and configuration testing. See the appendix for log examples.
General Preferences (Filters)

Under the GENERAL PREFERENCES heading, filter actions basic to the firewall may be adjusted. The administrator can enable or disable filters, generate alarms, send email, send an ICMP service not available message, or log a filtered event.

Automatic Filters: Options: Enable/Disable; Log.

Deny Address Spoof: Always enabled. Options: Alarm, Email, Log.

Deny Doorknob Twist: Always enabled. Options: Alarm, Email, ICMP, Log.

Deny Fragmented Packets: Options: Enable/Disable, Log. Can be used to block some fragment attacks.

Deny Invalid Packets: Always enabled. Option: Log packets.

Deny Unexpected Packets: Always enabled. Options: Enable/Disable, Log.

Stealth Mode: Options: Enable/Disable, Log. Stealth mode has priority over all filters.

Filter Blocks: Always enabled. Option: Log, enabled by default.

Tunnel Opens: Always enabled. Option: Log, disabled by default.

Tunnel Closes: Always enabled. Option: Log, enabled by default.
Address Spoof

An IP address spoof occurs when a packet arrives at one interface but its return path is through a different interface. This may be caused by an intrusion attempt that alters the packet's source IP address, or by a mis-configured firewall, e.g. networks or hosts located on, or connected to, the internal side of the firewall have not been defined.

Doorknob Twist

A doorknob twist occurs when a connection is attempted on a port for which there is no service or tunnel in place and a filter has accepted the packet. A doorknob twist usually indicates that the firewall is mis-configured.

Fragmented Packets

By default, fragmented packets are reassembled and forwarded only if the resulting packet does not violate security policy; otherwise, they are dropped. Reassembling before filtering means the policy decision is made on the whole datagram rather than on individual fragments, which can be crafted so that the transport header is split across pieces.

Invalid Packets

Invalid packets are those that are not the expected size or have an invalid option bit, e.g. an ICMP port unreachable packet must be at least 28 bytes. Invalid packets are dropped silently by default, but the firewall can now log dropped packets.

Unexpected Packets

If a packet is valid but not expected by the state table, the firewall denies it. For example, a packet can only generate a single ICMP port unreachable response, and a second one may indicate an ICMP replay attack; likewise, an unexpected packet may be one that does not have the correct flags during TCP's three-way handshake. The firewall can now log these packets.

Stealth Mode

Stealth mode is the factory set default for new GTA firewalls. In stealth mode, the firewall will not respond to ICMP ping requests, ICMP traceroute requests or UDP traceroute requests. Filters that allow pings, traceroutes, etc. from the external interface are not functional when the firewall is in stealth mode. In addition, the firewall will not respond with an ICMP message when a packet arrives for a port without a tunnel or service set on any external network interface. Stealth mode has priority over the other filter types.
Because it has higher priority than filters, stealth mode will not appear in the Active Filters section. Stealth mode does not affect protected network or Private Service Network interfaces. If you wish to set stealth mode for these interfaces, create the appropriate remote access filter.

Alarms

Alarms sets the default parameters for alarm notifications. When a filter is matched, an alarm event is activated. Each alarm event increments the alarm count by one. If either the time or number-of-alarms threshold is exceeded, a notification will be sent documenting all the events. Multiple messages will be sent if the number of events exceeds the maximum count.

Threshold for Generating Email: Number of alarms above which a notification is sent.

Threshold Interval: Length of time after which to send alarms.

Minimum Alarms Per Email: Maximum number of alarm messages included in a single email. An alarm message is generally 200 bytes.

Attempt to Log Host Names: Attempt to resolve the host name of the IP address that generated the alarm.

Page When Threshold Reached: If Pager is enabled, a pager notification is sent when an alarm threshold is exceeded.

Coalesce

Coalescing is enabled by default in Preferences under Filters. Data coalescing reduces the amount of individual filter event data logged, merging similar data into a single log event. It applies only to automatic filters, such as those created by a tunnel when AUTOMATIC ACCEPT ALL is selected on an inbound tunnel definition. The INTERVAL is an option for all filter event coalescing; set the interval to zero (0) to turn off all coalescing.
Interval: 60 seconds by default. Zero (0) turns off coalescing.

Source Address: Enabled by default. When selected, it coalesces log messages from like source IP addresses.

Source Ports: Enabled by default. When selected, it coalesces log messages from like source ports.

Destination Address: Enabled by default. When selected, it coalesces log messages from like destination IP addresses.

Destination Ports: Enabled by default. When selected, it coalesces log messages from like destination ports.

Email Server

Although the email server is typically a host on the protected network or PSN, the server may be an external host. Notifications can be sent to any valid, accessible email address. To use a host/domain name for the email server, you must have defined a DNS server for lookups on the firewall. (External DNS servers cannot resolve non-routable internal hosts; use the firewall's DNS Server as an internal DNS server to overcome this limitation.) If you are unsure about the name, use the host's IP address. The email server need not be the same as the one used by the Mail Sentinel proxy. If filter alarms and/or notifications are set and the email server is not enabled, a warning message will be sent to the log instead.

Enable: Send email and alarm notifications. Disabled by default.

Server: DNS host name or IP address of the email server for alarms and notification messages, mailhost by default.

From: Email address that will appear in the From field. An invalid address, or a server that does not allow email with an empty From field, can cause an email loop. The address can be a fully-qualified address (user@domain) or the mailbox name on the specified server: jdoe.

To: Email address where notifications should be sent, fwadmin by default. The address can be a fully-qualified address (user@domain) or the mailbox name on the specified server: jdoe.

SNMP Traps

Simple Network Management Protocol (SNMP) is a standard for managing network configuration data for each host.
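Coalescing as described for the Coalesce preferences above, as an added example that is not drawn from GB-OS code. The window semantics (a fixed interval opened by the first event of each group) and the meaning of the four field switches (an enabled field must match for two events to merge, a disabled field is ignored) are assumptions made for the demonstration, and the log events are constructed.

```python
from dataclasses import dataclass


@dataclass
class LogEvent:
    t: float            # seconds on a constructed clock
    src: str
    sport: int
    dst: str
    dport: int
    filter_index: int


@dataclass
class CoalescedEvent:
    first: LogEvent
    last_t: float
    count: int = 1

    def render(self):
        return (f"{self.count} event(s) from {self.first.src}:{self.first.sport} "
                f"to {self.first.dst}:{self.first.dport} over {self.last_t - self.first.t:.0f}s")


ALL_FIELDS = ("src", "sport", "dst", "dport")


def coalesce(events, interval=60, fields=ALL_FIELDS):
    """Merge log events whose enabled fields match and that fall within `interval`
    seconds of the first event of their group. Assumptions (not GB-OS behaviour):
    the window is measured from the group's first event, and a field absent from
    `fields` is ignored when comparing events. interval == 0 disables coalescing."""
    groups = {}
    out = []
    for e in sorted(events, key=lambda ev: ev.t):
        key = tuple(getattr(e, f) for f in fields)
        g = groups.get(key)
        if interval > 0 and g is not None and e.t - g.first.t < interval:
            g.count += 1
            g.last_t = e.t
        else:
            g = CoalescedEvent(first=e, last_t=e.t)
            groups[key] = g
            out.append(g)
    return out


# Constructed sample: a sweep of ten destination ports from one host within ten
# seconds, plus one unrelated blocked packet from a second host.
SAMPLE = [LogEvent(t=float(i), src="203.0.113.5", sport=40000 + i, dst="192.0.2.10",
                   dport=20 + i, filter_index=0) for i in range(10)]
SAMPLE.append(LogEvent(t=5.0, src="198.51.100.7", sport=51000, dst="192.0.2.10",
                       dport=80, filter_index=0))


def event_counts(interval=60, fields=ALL_FIELDS):
    """(number of log lines written, largest merged count) for the sample."""
    merged = coalesce(SAMPLE, interval, fields)
    return len(merged), max(g.count for g in merged)


if __name__ == "__main__":
    for fields in (ALL_FIELDS, ("src", "dst")):
        print("coalescing on", fields)
        for g in coalesce(SAMPLE, 60, fields):
            print("  ", g.render())
```

With all four fields enabled the port sweep still produces one line per port, because the destination port differs each time; dropping the port fields from the key collapses it to a single line with a count of ten, which is the reduction the Coalesce preference is meant to give and also the reason the sweep is easier to spot.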
If SNMP is disabled, selecting SNMP filter actions on the filter definition screen has no effect. If SNMP is checked as an action, the firewall will generate an enterprise-specific generic trap when the filter is matched. The SNMP manager is typically on the protected network, though it may reside on any network. Selecting Auto from the BINDING INTERFACE drop-down menu will select the interface configured in Network Information through which the packet would normally exit based on the routing table.

Enable: Enable the SNMP alarm facility. Disabled by default.

SNMP Manager: Host IP address to receive SNMP trap messages.

Binding Interface: Address from which SNMP traps are sourced, Auto by default. To force the SNMP traps to have a specific source IP address, choose the interface object from the drop-down list.

Pager

To send firewall alarms to a pager, connect a modem to an available serial port on the firewall, or use an internal modem card for software-based firewalls. The modem is only used for dialing and sending DTMF tones, so a basic model suffices. The CODE field may include any valid numbers or symbols that your numeric pager accepts. Commas represent pauses and are typically required while the pager announcement is played. Most pagers have the message terminated by a pound (#) symbol. Please consult your pager service for the specifics of your pager.
Enable: Enables the Pager alarm facility. Disabled by default.

COM Port: COM port to which the modem used for paging is attached. Choose COM ports 1 through 4. COM 3 by default.

Speed: DTE speed at which the firewall will communicate with the modem.

Phone Number: Telephone number for the target numeric pager. Enter all numbers and dialing codes required to make a call.

Code: Numeric value that will be displayed on the pager.

Remote Access Filters

Remote Access controls inbound access (primarily on tunnels, but also inbound access between any interfaces on the firewall). A remote access filter makes tunnels accessible. Any protocol defined in IP Protocols can be filtered. See the beginning of this chapter for filter set information, tips and fields for filters.

Configure firewall Preferences under Basic Configuration and Inbound Tunnels under NAT before remote access filters. This automatically creates a set of filters logically resulting from the firewall's configuration. These filters can be used as-is, or modified to suit your network security policy.

Figure: Remote Access Filters
Figure: Edit Remote Access Filter

Muffling Benign Protocols

Some events which are implicitly blocked and logged by the firewall are known to be harmless. To suppress the logging of these benign events, create and enable a remote access filter that will explicitly block the event, but not log it. Select the source address and ports and destination address and ports for which this blocked protocol event should not be logged. Keep the match as narrow as possible: a NO LOG filter that is broader than the benign traffic also hides genuinely hostile packets from the log.

Order is important. Place the NO LOG filter in the set after any filters that specifically allow and/or log this event in certain cases, and before more restrictive filters. Use these parameters:

Type: Deny (to block the protocol).
Interface: Interface for which the block event should not be logged. To suppress logging of the event on all interfaces, select <ANY>.
Protocol: Protocol to block.
Log: No.

Access a Protected Network from a PSN

By default, the PSN is untrusted by the protected network and may not initiate connections to it, just as the external network is untrusted by the networks behind the firewall. However, sometimes it is more efficient to allow the PSN to access a protected network for selected services. Access should be as limited as possible: you can use either an inbound tunnel with an auto accept filter, or an allow remote access filter and tunnel on the protected network. Using a remote access filter allows the administrator to tightly regulate access and use NAT to hide the real IP address of the protected network from the PSN and potential attackers. The PSN to PRO filter should use these parameters:

Type: Accept (to accept the protocol).
Interface: PSN.
Protocol: <ALL> or select the desired protocol. Prefer the single protocol and port the service actually needs over <ALL>, since the PSN is the most exposed network behind the firewall.
Source/Destination: Select the source IP address and port from which this access will be initiated, then select the connection's destination IP address and port on the PSN, which should match the beginning of the tunnel.
Time Groups

Time Groups contains user-defined schedules that can be associated with any type of filter. Time groups control access (both inbound and outbound) based on time of day (in 10-minute increments) or day of the week. A filter with an associated time group will be in effect only during the defined period.

Time groups operate similarly to filters; all normal filter functions apply. If a desired access policy already exists, simply insert a time group filter earlier in the list to indicate its effective time. The firewall will attempt to match the time group; if matched, the relevant filter will be applied.

Name: Name that will appear in the Time Group drop-down menu when defining the filter.
Description: Description of the time group.
Start: Time to begin applying the filter.
End: Time to stop applying the filter.

Figure: Time Groups
Figure: Insert Time Group
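A first-match evaluator that ties together the filter set rules (Filter Sets, earlier in this chapter), the NO LOG muffling filter and the PSN-to-protected filter (Muffling Benign Protocols and Access a Protected Network from a PSN), and time groups. It is an added example, not GB-OS code: the filter fields are reduced to those the chapter describes, interface names, addresses and the filter set are constructed, and a time group is modeled as a start/end time within one day. The last function shows what goes wrong when a broad NO LOG deny is placed ahead of a specific accept.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Set


@dataclass
class TimeGroup:
    start: time
    end: time

    def active(self, now: time) -> bool:
        return self.start <= now < self.end


@dataclass
class Filter:
    description: str
    type: str                                   # "accept" or "deny"
    interface: str = "<ANY>"
    protocol: str = "ALL"
    source: str = "0.0.0.0/0"
    source_ports: Optional[Set[int]] = None     # None = any source port
    destination: str = "0.0.0.0/0"
    destination_ports: Optional[Set[int]] = None
    log: bool = True
    time_group: Optional[TimeGroup] = None
    disabled: bool = False


@dataclass
class Packet:
    interface: str      # interface the packet arrived on
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int
    now: time = time(12, 0)


def matches(f: Filter, p: Packet) -> bool:
    """Every specified field must match; unspecified fields match anything."""
    if f.disabled:
        return False
    if f.interface != "<ANY>" and f.interface != p.interface:
        return False
    if f.protocol != "ALL" and f.protocol != p.protocol:
        return False
    if ip_address(p.src) not in ip_network(f.source):
        return False
    if ip_address(p.dst) not in ip_network(f.destination):
        return False
    if f.source_ports is not None and p.sport not in f.source_ports:
        return False
    if f.destination_ports is not None and p.dport not in f.destination_ports:
        return False
    if f.time_group is not None and not f.time_group.active(p.now):
        return False
    return True


def evaluate(filters, p: Packet):
    """Walk the set from index 1; the first match decides (action, log, index).
    Exhausting the set means deny, and rejected packets are logged by default."""
    for index, f in enumerate(filters, start=1):
        if matches(f, p):
            return f.type, f.log, index
    return "deny", True, None


# Constructed filter set: PSN mail relay into the protected SMTP server, a muffled
# RIP broadcast, and outbound access from the protected network during business hours.
BUSINESS_HOURS = TimeGroup(time(8, 0), time(18, 0))
FILTERS = [
    Filter("PSN mail relay to protected SMTP server", "accept", interface="PSN", protocol="TCP",
           source="192.0.2.20/32", destination="10.0.0.5/32", destination_ports={25}),
    Filter("NO LOG: benign RIP broadcasts", "deny", protocol="UDP", destination_ports={520}, log=False),
    Filter("Protected network outbound, business hours only", "accept", interface="PROTECTED",
           source="10.0.0.0/24", time_group=BUSINESS_HOURS),
]


def demo():
    packets = {
        "rip": Packet("EXTERNAL", "UDP", "198.51.100.1", 520, "198.51.100.255", 520),
        "smtp": Packet("PSN", "TCP", "192.0.2.20", 40000, "10.0.0.5", 25),
        "web_day": Packet("PROTECTED", "TCP", "10.0.0.7", 40001, "203.0.113.9", 443, now=time(10, 30)),
        "web_night": Packet("PROTECTED", "TCP", "10.0.0.7", 40002, "203.0.113.9", 443, now=time(22, 0)),
    }
    return {name: evaluate(FILTERS, pkt) for name, pkt in packets.items()}


def misordered():
    """A broad silent deny for the PSN placed first shadows the SMTP accept:
    the relay's mail is dropped and nothing is logged to explain why."""
    bad = [Filter("NO LOG: PSN noise", "deny", interface="PSN", log=False)] + FILTERS
    return evaluate(bad, Packet("PSN", "TCP", "192.0.2.20", 40000, "10.0.0.5", 25))


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} -> {result}")
    print("misordered -> ", misordered())
```

The night-time web packet falls off the end of the set and is denied with logging, which is the implicit last rule the chapter describes; the misordered case is the silent failure the Muffling section warns about, and the reason a NO LOG filter should be both narrow and placed after the filters it could otherwise shadow.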
Chapter 10 Pass Through

Pass Through routes protocols through the firewall without network address translation (NAT) and defines Ethernet protocols that should bypass all firewall filtering on specified ports, manually creating cracks.

Pass Through (No NAT)

Filters and Hosts/Networks define a host, subnet or network and port that will not have network address translation (NAT) applied to outgoing packets. By default, all outbound packets destined for external/PSN networks are NATed to the IP address of the external/PSN interface. Pass through bypasses this default NAT. NAT is not performed on inbound connections: from the external network to the PSN or protected network, or from the PSN to the protected network. Pass through filters support all IP protocols.

Pass Through can define no-NAT traffic for a host on a:

- protected network to a host on another protected network
- protected network outbound through PSN and external interfaces
- protected network outbound through a PSN interface only
- protected network outbound through an external interface only
- PSN outbound through an external interface only

A pass through filter requires:

- defined IP addresses in Hosts/Networks, or a bridging interface
- internal hosts with a routable address on the subnet, if the traffic goes to the Internet through the external interface
- an IP Pass Through filter allowing packets to flow from and/or to the internal IP address

By default, inbound traffic will not know how to route back to reach the internal pass through host. To allow inbound traffic to a pass through host, add a static route on the gateway (Internet router) that sends traffic for the pass through host to the firewall. If you do not wish to receive inbound traffic, the address can be a non-routable (RFC 1918) private address. If an IP address in a pass through filter uses the external network interface as a routable address with the Internet, the IP address must be registered. See RFC 1918 for more information.

By default, pass through filters are configured for outbound traffic only. Stateful packet inspection information is maintained about outbound sessions originating from hosts on a PSN or a protected network, guaranteeing that only replies to the initiated connections are accepted. If the connection protocol calls for a secondary inbound connection from an external host to the originating internal host, virtual cracks are created to allow the secondary connection. This allows multi-connection protocols such as FTP to be used without arbitrary, semi-permanent inbound connections.

Pass through provides great routing flexibility. For example, with proper pass through filters, the firewall can apply NAT to some traffic (e.g. protected network packets with a destination on the Private Service Network), but not apply NAT to other traffic (e.g. external/Internet traffic). For specific examples, see the GTA web site.

Filters

Pass Through's Filters controls access to and from hosts specified by Pass Through's Hosts/Networks. These filters are different from remote access and outbound filters: they control both inbound and outbound access, so the firewall functions as a router or gateway for these IP addresses. Pass through filters use Hosts/Networks addresses in the definitions, not firewall network interface addresses.
Pass through filters are used in three scenarios:
- when pass through hosts/networks are defined
- when setting up VPNs
- when the firewall is using bridging mode

Typically, two filters are required for each host/network IP address: outbound and inbound. If hosts/networks are already defined, the firewall will create a pre-configured inbound/outbound filter pair based on those defined IP addresses. The pre-configured (default) filters vary according to the options selected.

Denial of all traffic not explicitly allowed applies to passthrough filters. The rule is explicitly listed as the last default filter in Pass Through's Filters in version 3.5 and higher. Pass through filters are defined in the same manner as remote access or outbound filters, and the rules concerning filter index order and order of evaluation also apply.

(Screenshots: Pass Through Filters; Edit IP Pass Through Filter)

Creating Passthrough Filter Pairs

Pass through addresses need two filters, inbound and outbound, one for each direction of traffic.
1. Create the outbound connection filter by adding a filter, or editing an existing filter. Complete the filter definition in the same manner as an outbound filter, specifying the pass through address as the source IP address. Click OK.
2. Create the inbound connection filter by adding an empty filter definition, or editing an existing filter. Define the filter as you would a remote access filter, except that the destination IP address is the pass through address, not the IP address on the firewall's network interface. Click OK.
3. Once you have completed all the desired pass through filters, click the SAVE button on the filter set to save the filters and apply them to the firewall.

Hosts/Networks

Hosts/Networks specifies an IP address, subnet or network that will not have NAT applied to its traffic. See product specifications for the number of passthrough hosts/networks available on a specific model.

A Hosts/Networks entry is not required for a pass through in bridging mode, because by definition no NAT is applied in bridging mode.
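The stateful behaviour described above (replies to outbound sessions accepted, a secondary FTP data connection admitted through a virtual crack, everything else needing an explicit inbound filter) as an added Python model. This is not GB-OS code and is not taken from this guide: the filter fields, the PORT-command parsing, the one-shot pinhole and the 10.0.0.0/24 and 203.0.113.0/24 addresses are the example's own assumptions, chosen to mirror the outbound/inbound filter pair that Creating Passthrough Filter Pairs produces.

```python
"""Toy model of pass through filters with stateful inspection (added example, not GB-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The reply direction of this flow.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class PassThroughFilter:
    direction: str          # "outbound" or "inbound"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source network in CIDR form
    dst: str                # destination network in CIDR form
    dport: int = 0          # 0 matches any destination port
    action: str = "accept"  # "accept" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.proto in ("any", flow.proto)
                and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (0, flow.dport))


class StatefulPassThrough:
    """Evaluates filters in index order; first match wins, unmatched traffic is denied."""

    def __init__(self, filters: List[PassThroughFilter]) -> None:
        self.filters = list(filters)
        self.sessions: Set[Flow] = set()   # outbound sessions (the state table)
        self.pinholes: Set[Flow] = set()   # expected secondary inbound connections

    def _first_match(self, direction: str, flow: Flow) -> Optional[PassThroughFilter]:
        for f in self.filters:
            if f.direction == direction and f.matches(flow):
                return f
        return None

    def outbound(self, flow: Flow) -> bool:
        f = self._first_match("outbound", flow)
        if f is None or f.action != "accept":
            return False
        self.sessions.add(flow)          # remember the session so its replies are accepted
        return True

    def inbound(self, flow: Flow) -> bool:
        if flow.reverse() in self.sessions:
            return True                  # reply to a session we initiated
        if flow in self.pinholes:
            self.pinholes.discard(flow)  # one-shot "virtual crack" for a secondary connection
            self.sessions.add(flow.reverse())
            return True
        f = self._first_match("inbound", flow)   # unsolicited: needs an explicit inbound filter
        return f is not None and f.action == "accept"

    def ftp_port_command(self, control: Flow, line: str) -> Optional[Flow]:
        """Open a pinhole for an active-mode FTP data connection announced on the control session.

        'PORT h1,h2,h3,h4,p1,p2' asks the server to connect from its port 20 to
        h1.h2.h3.h4:(p1*256+p2). The pinhole is tied to the server of this session and
        refused if the client names another host or a privileged port (a bounce attempt).
        """
        if control not in self.sessions or not line.startswith("PORT "):
            return None
        parts = line[5:].strip().split(",")
        if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
            return None
        host = ".".join(parts[:4])
        port = int(parts[4]) * 256 + int(parts[5])
        if host != control.src or port < 1024:
            return None
        pin = Flow("tcp", control.dst, 20, host, port)
        self.pinholes.add(pin)
        return pin


def demo() -> dict:
    """Constructed scenario: 10.0.0.0/24 is a pass through network, 10.0.0.5 runs a web server."""
    fw = StatefulPassThrough([
        PassThroughFilter("outbound", "any", "10.0.0.0/24", "0.0.0.0/0"),
        PassThroughFilter("inbound", "tcp", "0.0.0.0/0", "10.0.0.5/32", dport=80),
    ])
    ctrl = Flow("tcp", "10.0.0.7", 40000, "203.0.113.9", 21)
    data = Flow("tcp", "203.0.113.9", 20, "10.0.0.7", 1025)
    out = {}
    out["control_out"] = fw.outbound(ctrl)
    out["control_reply"] = fw.inbound(ctrl.reverse())
    out["data_before_port"] = fw.inbound(data)
    out["bounce_refused"] = fw.ftp_port_command(ctrl, "PORT 10,0,0,9,4,1") is None
    out["pinhole"] = fw.ftp_port_command(ctrl, "PORT 10,0,0,7,4,1") == data
    out["data_other_host"] = fw.inbound(Flow("tcp", "198.51.100.2", 20, "10.0.0.7", 1025))
    out["data_after_port"] = fw.inbound(data)
    out["web_unsolicited"] = fw.inbound(Flow("tcp", "198.51.100.2", 5555, "10.0.0.5", 80))
    out["ssh_unsolicited"] = fw.inbound(Flow("tcp", "198.51.100.2", 5555, "10.0.0.5", 22))
    return out
```

The point to notice is the last four results of demo(): the FTP data connection is admitted only from the server of the control session, only after the PORT command, and only once; the web server is reachable unsolicited only because an inbound filter names it and port 80, while SSH to the same host is denied by the implicit final deny.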
Creating a New Host or Network
1. In the Hosts/Networks table, select an object or <Use IP address> and enter an IP address (for a single host), an IP address with subnet mask (for a subnet), or multiple IP address sets (for a network or multiple non-contiguous hosts) in the IP ADDRESS field. A single IP address uses a /32 mask (255.255.255.255), indicating that there is only one host member of that subnet.
2. Select the interface that should not apply NAT when outbound IP packets are received.
3. If unsolicited IP packets should be accepted for the specified address, select the INBOUND check box. If you wish to allow only replies to outbound traffic, deselect INBOUND.

A subnet mask specifies a single IP address or a group of contiguous IP addresses.

(Screenshot: Hosts/Networks)

Bridged Protocols

Bridged Protocols specifies any non-TCP/IP Ethernet protocols you wish to explicitly allow to bypass all firewall filtering between bridged interfaces. (TCP/IP traffic on bridged interfaces will still use the normal firewall filters.)

Caution: There is no firewall filtering of the protocols that have been allowed in Bridged Protocols. Allow only protocol types you have identified from the logs and actually need.

Protocol Definitions

Protocol definitions are generally unpublished, but some protocols in use are well-known. To see a collection of known Ethernet protocol types, go to IANA's web site. To locate a definition for a protocol you need to bridge:
1. Configure the bridged interface.
2. Log blocked non-TCP/IP traffic on bridged interfaces. By default, this traffic is denied, but not logged unless defined in Bridged Protocols. To log this denied traffic, enable logging for DENY UNEXPECTED PACKETS in Preferences under Filters. This will generate log messages containing the Ethernet protocol type of each blocked frame. The protocol type is logged with a 0x prefix, identifying the characters that follow as hexadecimal.
3. Enter the hexadecimal number with its prefix into the TYPE field in Bridged Protocols.
Decimal format numbers can also be entered; they will be displayed in hexadecimal.
4. Defined non-TCP/IP protocol definitions may be enabled, and protocol acceptance and logging may be specified on an individual basis. To continue to deny a specific protocol but not log it, enter the protocol number, select the ENABLE check box and deselect the LOG check box. To deny a protocol and log the denials, select both the ENABLE and LOG check boxes. To allow a protocol and not log it, select the ENABLE and ALLOW check boxes. To allow a protocol and log its traffic, select ENABLE, ALLOW and LOG.

Field descriptions:
Enable: Enables use of the selected bridged protocol definition.
Type: Hexadecimal Ethernet type number from the frame header of the designated protocol. 0x0 is a placeholder for the full hexadecimal protocol type number. Use the 0x prefix when entering a number in hex format.
Allowed: Allows that protocol's traffic on the bridged interface.
Log: Logs events of that protocol type.
Description: Description of the bridged protocol type.
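As an added example, not GB-OS code and not taken from this guide, the following Python shows the EtherType arithmetic behind the TYPE field and the ENABLE/ALLOW/LOG combinations: it parses a hex or decimal type, reads the type out of a raw frame, pulls types out of constructed deny log lines, and returns the verdict for a frame on a bridged interface. It goes slightly beyond the text by skipping an 802.1Q VLAN tag. The frame layout and the log-line format are assumptions of the example (the guide only says the type is logged with a 0x prefix), as is treating ARP like IPv4 as part of the IP path.

```python
"""EtherType handling for a Bridged Protocols table (added example, not GB-OS code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806   # assumption: ARP is handed to the IP path along with IPv4
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag; the real type follows the 4-byte tag


@dataclass
class BridgedProtocol:
    type_: int
    enabled: bool = True
    allowed: bool = False   # enabled but not allowed = deny (optionally logged)
    log: bool = False
    description: str = ""


def parse_type(text: str) -> int:
    """Parse the TYPE field: '0x8863' is hex (as logged), '34915' is decimal; both are the same type."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0x0600 <= value <= 0xFFFF:   # smaller values are 802.3 length fields, not EtherTypes
        raise ValueError(f"not an EtherType: {text!r}")
    return value


def format_type(value: int) -> str:
    """Display form used by the table: hexadecimal with the 0x prefix."""
    return f"0x{value:04X}"


def ethertype_of(frame: bytes) -> int:
    """EtherType of a raw Ethernet II frame (bytes 12-13), skipping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    etype = int.from_bytes(frame[12:14], "big")
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q frame")
        etype = int.from_bytes(frame[16:18], "big")
    return etype


# Constructed log format: the guide only says the type appears with a 0x prefix.
_LOG_TYPE = re.compile(r"\btype\s+(0x[0-9A-Fa-f]{1,4})\b")


def types_from_log(lines: Iterable[str]) -> List[int]:
    """Collect the EtherTypes mentioned in DENY UNEXPECTED PACKETS log lines."""
    found = set()
    for line in lines:
        m = _LOG_TYPE.search(line)
        if m:
            found.add(parse_type(m.group(1)))
    return sorted(found)


def decide(frame: bytes, table: Dict[int, BridgedProtocol]) -> Tuple[str, bool]:
    """Return (verdict, log) for a frame on a bridged interface.

    'ip-filter' hands the frame to the normal IP filters; any other EtherType is
    denied unless its table entry is both enabled and allowed.
    """
    etype = ethertype_of(frame)
    if etype in (ETHERTYPE_IPV4, ETHERTYPE_ARP):
        return "ip-filter", False
    entry = table.get(etype)
    if entry is None or not entry.enabled:
        return "deny", False   # implicit deny; visible only via DENY UNEXPECTED PACKETS logging
    return ("allow" if entry.allowed else "deny"), entry.log


def make_frame(etype: int, payload: bytes = b"\x00" * 46, vlan: Optional[int] = None) -> bytes:
    """Build a constructed Ethernet II frame with dummy MAC addresses (optionally 802.1Q tagged)."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vlan is not None:
        header += ETHERTYPE_VLAN.to_bytes(2, "big") + vlan.to_bytes(2, "big")
    return header + etype.to_bytes(2, "big") + payload
```

A PPPoE discovery frame (0x8863) with no table entry is denied silently; with an entry that is enabled but not allowed it is denied and, if LOG is set, logged; only an enabled and allowed entry lets it cross the bridge unfiltered. Entering 34915 in the TYPE field and entering 0x8863 produce the same entry, displayed as 0x8863.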
Chapter 11 NAT

NAT contains Aliases, Inbound Tunnels, Static Address Mappings and Timeouts.

Network address translation (NAT) translates an IP address behind the firewall to the IP address of the external network interface, disguising the original IP address and making it possible to use non-registered IP addresses within the protected networks and the PSNs, while still presenting a registered IP address to the external network (typically the Internet). NAT is active by default on GTA firewalls.

NAT is applied to outbound packets from a protected network to an external network; from a protected network to a PSN; from a PSN to an external network; from one protected network to another protected network; and from one PSN to another PSN. NAT is available in two forms, dynamic and static, referred to as default NAT and static address mapping. NAT can be bypassed using passthrough filters.

Aliases

Aliases allows a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface. See product specifications for the maximum number of IP aliases available on a specific model.

Aliases are especially useful on the external network interface, or if multiple hosts on the PSN or protected network must offer the same service (port) via a tunnel (e.g. multiple internal web servers that all serve content to the external network). Aliases used on an external NIC attached to the Internet must be registered (legitimate) IP addresses.

An alias does not need to be in the same subnet as the real IP address, since the GTA firewall will route packets between all networks to which it is logically attached. If the IP alias is on the same logical network as the network interface's primary IP address, use a subnet mask of 32 bits (255.255.255.255).

The NAME field in Aliases allows the user to enter a logical name for the IP alias. Aliases are referred to by name as interface objects in other areas of the firewall configuration. User-defined names may not use a number as the first character.

(Screenshot: IP Aliases)

Inbound Tunnels

Inbound Tunnels allows external hosts to initiate connections with internal hosts using protocols from IP Protocols, e.g. TCP, UDP, ICMP, IGMP, ESP or AH. Normally the firewall blocks all inbound traffic to the internal networks; tunnels allow, for example, web (port 80) servers on a PSN to be reached from the Internet. See product specifications for the number of tunnels available on a specific model.

Tunnels can be defined for traffic from either external networks or the PSN. Tunnels are only associated with inbound connections, so they are not normally used for traffic inbound from a protected network interface, which by default is allowed access to the other logical network types without a tunnel.
Tunnels can be created for these inbound connections:
- from an external network interface to a host on a PSN
- from an external network interface to a host on a protected network
- from a PSN interface to a host on a protected network

Field descriptions:
Disable: Disables the inbound tunnel.
Description: Description of the inbound tunnel.
Protocol: Select from the IP Protocols list: ALL, TCP, UDP, ICMP, IGMP, ESP, AH, etc.
From Interface: Interface object representing a network interface, an IP alias or an H2A (high availability) group for the source side of the tunnel.
From Port: Port value which users will access. See a list of common services and their port numbers in the appendix. For an exhaustive and up-to-date list, see IANA's port number registry.
To IP Address: IP address of the target host. The host may reside on either the PSN or the protected network (including subnets routed behind either network).
To Port: Port value of the service being offered on the target host, which will be the destination of the tunnel.
Automatic Accept All Filter: Makes the inbound tunnel connection ignore conflicting filters. When activated, the automatic filters will appear in Active Filters under System Activity.
Hide Source: Hides the source of the inbound tunnel connection. Useful when the firewall is used on an intranet.
Authentication Required: Allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection. By default, GTA authentication occurs on TCP port 76.
Traffic Shaping: Object that defines the pipe to apply to this tunnel. The Default traffic shaping object allows unlimited access to the available bandwidth.
Weight: Weight when allotting the pipe's allocated bandwidth. A weight of 10 receives the highest percentage, and 1 the lowest percentage, of the available bandwidth.

(Screenshots: Inbound Tunnels; Insert Inbound Tunnel)
Creating Inbound Tunnels

Tunnels are defined by an interface object/port and a destination IP address/port. The source and destination port of the tunnel definition need not be the same, so it is possible to provide access to multiple hosts for the same service using a single IP address. For example, telnet operates on port 23, but a tunnel could be defined with a source port of 99 and a destination port of 23.

Only the source side of a tunnel is visible. Since tunnels are mapped inbound NAT paths, a user on the source network side will never see the ultimate destination of the tunnel; the tunnel appears to be a service operating on the firewall. If a tunnel originates from an IP alias address, you may need to map the destination host to the IP alias using static address mapping, so that secondary connections appear to originate from the same address as the tunnel.

Caution: A tunnel with a source and destination port of zero means tunnel all ports for the specified protocol. It is possible to totally expose a host by creating a zero tunnel with the protocol type set to ALL. GTA does not recommend exposing a host in this way, especially a host on a protected network.

To create a new tunnel:
1. Select the protocol the tunnel will use from the drop-down list. In the Interface field, select the interface object that represents the source of the tunnel, and in the Port field, enter the number of the port through which this tunnel will operate on the source side.
2. For the destination of the tunnel, enter the IP address of the selected destination and then select the port through which the tunnel will operate on the destination side. See the appendix for some of the common ports.
3. Allow access to the inbound tunnel by using a remote access filter. A tunnel is a mapping from one IP address/port to another IP address/port, allowing the connection to be properly routed.
However, the tunnel source will not be usable unless an appropriate filter on the firewall allows the connection to be made in the first place. There are two methods to allow access to an inbound tunnel: selecting AUTOMATIC ACCEPT ALL FILTERS on the tunnel, or setting remote access filters.

Unless further restriction is desired on a tunnel, selecting AUTOMATIC ACCEPT ALL FILTERS will allow traffic between the designated interfaces and addresses. If filter logging is desired, activate logging for automatic filters in Preferences under Filters. When activated, automatic filters will be recorded in the Active Filters table of the System Activity section.

Remote access filters allow traffic between the designated interfaces and addresses. These filters can be activated and logged individually if close observation of tunnels is required. The DEFAULT button on the remote access filter set screen will auto-configure filters for all defined tunnels.

Caution: The filters generated by this method are broad in scope and may require modification to meet your security policy. Review each generated filter and narrow its source addresses wherever the service does not need to be reachable from everywhere.

Static Address Mapping

Static address mapping, also known as static mapping, mapping or outbound mapping, allows an internal IP address or subnet to be statically mapped to an external IP address during NAT. By default, all IP addresses on the protected networks and PSNs are dynamically translated to the primary IP address of the outbound network interface. Static address mapping is used when it is desirable to fix the IP address used in NAT. See product specifications for the number of static address maps available on a specific model.

To use static address mapping, first assign at least one IP alias to the desired outbound network interface (external network interface or PSN interface). The target of a map definition must be an IP alias. Mapping is only associated with outbound packet flow. Map definitions may be for a single host or a subnet.
Field descriptions:
Object: Select the interface object that will be mapped.
IP Address: If an interface object cannot be used, enter the IP address and subnet mask that will be mapped; e.g. to map a single IP address, use a subnet mask of /32 (255.255.255.255).
To Interface: Interface object representing the IP alias to which the source will be mapped.

(Screenshot: Static Address Mapping)

Allowing Static Address Mapping

Static address mapping is allowed in these cases:
- from a host or subnet on the protected network to an IP alias assigned to the PSN interface
- from a host or subnet on the protected network to an IP alias assigned to the external network interface
- from a host or subnet on the PSN to an IP alias assigned to the external network interface

Timeouts

Timeouts defines how long a connection may be idle before it is marked as ready to close. The result of a connection reaching its timeout value differs for each protocol. For example, TCP carries enough embedded information for the firewall to determine when the connection is ready to close, but with ICMP and UDP it is generally impossible to determine when the exchange is finished, so the idle timeout is the only signal.

Field descriptions:
TCP: Default is 600 seconds (10 minutes).
Wait for ACK (TCP): Default is 30 seconds. As part of TCP connection creation, the client and server exchange several IP packets. All packets sent from the server will have a header bit indicating ACK (acknowledgement). As part of stateful packet inspection, the firewall keeps a record of this bit. If it is not seen, the remote server is probably down. If the idle time is reached without an ACK from the server, the connection is marked ready to close.
Send Keep Alives? (TCP): Enabled by default, so that if a TCP connection remains idle for the timeout period, a keep-alive packet is sent. If the connection is still valid, the firewall will reset the idle time to zero. If the connection is invalid, the firewall will see a reset packet, sent by the client to its server, indicating this, and will mark the connection ready to close. If no response is received within five minutes, the firewall will mark the connection ready to close. If the field is disabled, the connection is marked ready to close as soon as the timeout is reached.
UDP: Default is 600 seconds (10 minutes).
ICMP: Default is 15 seconds.
Default: Default is 600 seconds (10 minutes). Timeout for supported protocols other than TCP, UDP or ICMP.
Wait for Close: Default is 20 seconds. If the firewall experiences spurious blocks from reply packets (typically port 80), increasing this value gives packets from slow or distant connections more time to return before the connection is closed.

After a connection is marked as ready to close, the firewall waits five seconds before it actually closes the connection, giving redundant IP packets a chance to clear the firewall without causing false doorknob twist error messages.
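The Inbound Tunnels and Static Address Mapping sections above, as an added Python example that is not GB-OS code and is not taken from this guide. It resolves an inbound packet through a tunnel table (including the port 99 to port 23 case and a zero tunnel), picks the outbound address for a host from its static map, and audits a tunnel list for the conditions the guide warns about: zero tunnels with protocol ALL, tunnels that terminate on a protected network, and tunnels from an IP alias whose target has no static map back to that alias. The configuration in demo() (interface 203.0.113.10, aliases .11 and .12, networks 192.168.1.0/24 and 192.168.2.0/24) is constructed for the example.

```python
"""Inbound tunnel resolution, static address mapping and a tunnel audit (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY_PORT = 0   # the guide's "zero tunnel": source and destination port 0 mean all ports


@dataclass(frozen=True)
class Tunnel:
    protocol: str       # "TCP", "UDP", "ALL", ...
    from_ip: str        # address of the source-side interface object or IP alias
    from_port: int      # port users connect to (0 = all ports)
    to_ip: str          # target host on the PSN or protected network
    to_port: int        # service port on the target (0 = keep the port the packet arrived on)
    description: str = ""


@dataclass(frozen=True)
class StaticMap:
    source: str         # host or subnet in CIDR form
    alias_ip: str       # IP alias on the outbound interface


def resolve_inbound(tunnels: Sequence[Tunnel], protocol: str,
                    dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Map an inbound packet's (protocol, destination ip, port) to its tunnel target; first match wins."""
    for t in tunnels:
        if t.protocol not in ("ALL", protocol) or t.from_ip != dst_ip:
            continue
        if t.from_port not in (ANY_PORT, dst_port):
            continue
        return t.to_ip, (dst_port if t.to_port == ANY_PORT else t.to_port)
    return None


def translate_outbound(maps: Sequence[StaticMap], interface_ip: str, src_ip: str) -> str:
    """Address an outbound packet is translated to: the most specific static map, else the interface IP."""
    addr = ipaddress.ip_address(src_ip)
    best: Optional[Tuple[int, str]] = None
    for m in maps:
        net = ipaddress.ip_network(m.source)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, m.alias_ip)
    return best[1] if best else interface_ip


def audit_tunnels(tunnels: Sequence[Tunnel], maps: Sequence[StaticMap],
                  interface_ip: str, protected_nets: Sequence[str]) -> List[str]:
    """Flag tunnels that expose whole hosts, land on a protected network, or leave secondary connections mismatched."""
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    findings = []
    for t in tunnels:
        name = t.description or f"{t.from_ip}:{t.from_port}"
        protected = any(ipaddress.ip_address(t.to_ip) in n for n in nets)
        if t.from_port == ANY_PORT and t.protocol == "ALL":
            findings.append(f"{name}: zero tunnel with protocol ALL fully exposes {t.to_ip}"
                            + (" on a protected network" if protected else ""))
        elif t.from_port == ANY_PORT:
            findings.append(f"{name}: all {t.protocol} ports are tunneled to {t.to_ip}")
        elif protected:
            findings.append(f"{name}: tunnel terminates on protected network host {t.to_ip}")
        leaves_as = translate_outbound(maps, interface_ip, t.to_ip)
        if t.from_ip != interface_ip and leaves_as != t.from_ip:
            findings.append(f"{name}: secondary connections from {t.to_ip} leave as {leaves_as}, "
                            f"not {t.from_ip}; add a static map to that alias")
    return findings


def demo() -> dict:
    """Constructed configuration: external interface 203.0.113.10 with aliases .11 and .12."""
    tunnels = [
        Tunnel("TCP", "203.0.113.10", 99, "192.168.1.20", 23, "telnet via port 99"),
        Tunnel("TCP", "203.0.113.11", 80, "192.168.2.30", 80, "web server"),
        Tunnel("ALL", "203.0.113.12", 0, "192.168.1.40", 0, "everything"),
    ]
    maps = [StaticMap("192.168.2.30/32", "203.0.113.11")]
    return {
        "telnet": resolve_inbound(tunnels, "TCP", "203.0.113.10", 99),
        "telnet_wrong_port": resolve_inbound(tunnels, "TCP", "203.0.113.10", 23),
        "zero_tunnel_udp": resolve_inbound(tunnels, "UDP", "203.0.113.12", 5000),
        "web_out": translate_outbound(maps, "203.0.113.10", "192.168.2.30"),
        "other_out": translate_outbound(maps, "203.0.113.10", "192.168.2.31"),
        "findings": audit_tunnels(tunnels, maps, "203.0.113.10", ["192.168.1.0/24"]),
    }
```

In the constructed configuration the audit produces three findings: the telnet tunnel terminates on a protected network host, the "everything" tunnel fully exposes a protected host, and that same tunnel arrives on alias .12 while the host's outbound traffic would leave as .10, so a static map is missing. The web server tunnel is clean because its host is mapped back to the alias it is published on.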
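The timeout rules in the Timeouts section (per-protocol idle limits, Wait for ACK, keep-alives with a five-minute wait for an answer, and the five-second grace before a ready-to-close entry is dropped) as an added Python simulation. It is not GB-OS code; the event names, the single-probe keep-alive logic and the connection key layout are the example's own simplifications, Wait for Close is not modelled, and the sessions in the usage note are constructed.

```python
"""Idle-timeout bookkeeping for a stateful connection table (added example, not GB-OS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Defaults from the Timeouts section, in seconds
TIMEOUTS = {"TCP": 600, "UDP": 600, "ICMP": 15, "DEFAULT": 600}
WAIT_FOR_ACK = 30        # TCP: server never acknowledged, so it is probably down
KEEPALIVE_WAIT = 300     # TCP: no answer to the keep-alive probe within five minutes
CLOSE_GRACE = 5          # seconds between "ready to close" and removal from the table


@dataclass
class Session:
    key: Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
    opened: float
    last_seen: float
    ack_seen: bool = False
    probe_sent: Optional[float] = None    # when a keep-alive probe went out
    ready_at: Optional[float] = None      # when the session was marked ready to close


class ConnectionTable:
    def __init__(self, timeouts: Dict[str, int] = TIMEOUTS, send_keepalives: bool = True) -> None:
        self.timeouts = dict(timeouts)
        self.send_keepalives = send_keepalives
        self.sessions: Dict[tuple, Session] = {}

    def idle_limit(self, proto: str) -> int:
        return self.timeouts.get(proto, self.timeouts["DEFAULT"])

    def open(self, key: tuple, now: float) -> None:
        self.sessions[key] = Session(key, opened=now, last_seen=now)

    def packet(self, key: tuple, now: float, from_server: bool = False,
               ack: bool = False, rst: bool = False) -> bool:
        """Account for a packet on a known session.

        Returns False if the session is gone; such a packet would be blocked and
        logged as a doorknob twist.
        """
        s = self.sessions.get(key)
        if s is None:
            return False
        if s.ready_at is not None:
            return True                 # inside the grace period: passed, not an error
        s.last_seen = now
        s.probe_sent = None             # any traffic answers an outstanding keep-alive
        if from_server and ack:
            s.ack_seen = True
        if rst:
            s.ready_at = now            # the peer reset the connection
        return True

    def sweep(self, now: float) -> List[Tuple[tuple, str]]:
        """Apply the timeout rules once; returns the (key, event) pairs that fired."""
        events = []
        for key, s in list(self.sessions.items()):
            proto = key[0]
            if s.ready_at is None:
                idle = now - s.last_seen
                if proto == "TCP" and not s.ack_seen and now - s.opened >= WAIT_FOR_ACK:
                    s.ready_at = now
                    events.append((key, "no-ack"))
                elif idle >= self.idle_limit(proto):
                    if proto != "TCP" or not self.send_keepalives:
                        s.ready_at = now
                        events.append((key, "idle"))
                    elif s.probe_sent is None:
                        s.probe_sent = now
                        events.append((key, "keepalive"))
                    elif now - s.probe_sent >= KEEPALIVE_WAIT:
                        s.ready_at = now
                        events.append((key, "idle"))
            if s.ready_at is not None and now - s.ready_at >= CLOSE_GRACE:
                del self.sessions[key]
                events.append((key, "closed"))
        return events
```

Walking four constructed sessions through the table shows the rules in action: a TCP session whose server never sends an ACK is marked ready to close at 30 seconds and removed 5 seconds later, an ICMP entry is marked idle at 15 seconds, a UDP entry at 600, and an acknowledged TCP session that goes quiet gets a keep-alive probe at 600 seconds of idle time and is only marked ready to close if nothing answers within the next 300.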
Chapter 12 Administration

Administration contains functions generally applicable to the updating and troubleshooting of firewall software and hardware, including: Download Configuration, Flush ARP Table, Halt, Interfaces, Ping, Reboot, Set Date/Time, Trace Route, Upload Configuration and Upload Runtime.

Download Configuration

Download Configuration saves the current configuration to your computer in a file that can be opened using GBAdmin. Only the configuration data will be transmitted. When opening a configuration copy, you will need the same password as for the active configuration.

Download Configuration prompts the user to indicate the desired download location using the BROWSE button, then saves the firewall configuration as a file with a .gbcfg extension. The saved configuration can be reloaded onto a firewall that has been reset to factory defaults, or onto a firewall that was running properly before a network or firewall configuration change. Treat the saved file as sensitive: it holds the complete firewall policy.

Resetting the Firewall or Defaulting Sections

Before defaulting a section or resetting the firewall to factory settings, back up your configuration by downloading the active configuration. Click Download Configuration under Administration to save a copy to your computer.

Retaining Filters After Defaulting

After saving a configuration, go back to the desired filter section, click DEFAULT, then SAVE. This will set up generic filters. Use the previously copied configuration as a template to create new filters, or use copy and paste in GBAdmin to insert the filters into the active configuration.

(Screenshot: Download Configuration)

GBAdmin's ability to download/save configurations is located under the File menu as Save. GBAdmin can open saved configurations without loading them into the selected firewall.

Flush ARP Table

Flush ARP Table clears the cache of IP addresses resolved by the address resolution protocol and recorded in the ARP table.

ARP is used to dynamically map host IP addresses to Ethernet addresses and then cache the mappings. When an interface requests a mapping for an IP address not in the cache, ARP queues the message and broadcasts a request for the mapping on the associated network. If a response is received, the new mapping is cached and any pending message is transmitted. ARP will queue at most one packet while waiting for a response to a request; only the most recent packet is kept. If the target host does not respond after several requests, the host is considered to be down for a short period (20 seconds), allowing an error to be returned for transmission attempts during this interval. The error "host is down" indicates a non-responding destination host, and "host unreachable" indicates a non-responding router.

The ARP cache is stored in the system routing table as dynamically-created host routes. These routes time out 20 minutes after being validated; entries are not validated when not in use.
(Screenshot: Flush ARP Table)

Halt

Halt properly shuts down all firewall services, preparing the firewall to be powered off. Since this terminates your network connection to its web server, your web browser will never receive a reply; it should eventually time out, or you can press the STOP button on your browser. Once halted, the firewall must be restarted either from the console interface or by powering on or a hardware reset.

(Screenshot: Halt)

Interfaces

Interfaces allows a network interface on the remote firewall to be enabled (up and ready to send/receive packets) or disabled (down and not accepting or sending packets).

(Screenshot: Interfaces)

Ping

Ping executes the network ping connectivity test using the ICMP protocol. The ping is executed from the firewall, not from your computer. Ping is very useful in validating network connectivity from the firewall to any target host on the external or internal network.

Using Ping

Pinging IP addresses is recommended when possible, as it eliminates the possibility of DNS errors. Pinging a domain name may only function when a DNS Proxy or DNS Server has been enabled.
1. Click Ping to display the ping form.
2. Click in the HOST field and enter the fully-qualified domain name or IP address to ping. Enter the IP address in dotted decimal notation.
3. Click the SUBMIT button to start the ping. The firewall will attempt to send five ICMP echo request packets to the target IP address.

(Screenshots: Ping; Ping - Results)

Reboot

Reboot restarts the firewall. Since this action terminates the web interface's network connection to the firewall web server, your web browser will never receive a reply. The connection will eventually time out, or you can click the STOP button on your web browser.

(Screenshot: Reboot)

Set Date/Time

Set Date/Time sets the firewall's date and time values. The date should be entered in the form of century, year, month and day (yyyy-mm-dd). GTA recommends setting the time zone to either the local time zone or UTC (Coordinated Universal Time).

UTC and Logging

Firewalls report events to the log and to GB-Commander in UTC. When displaying the time, GB-Commander and GTA Reporting Suite convert stored UTC data to the local time zone of the administrator's computer. This is relevant when GTA Reporting Suite and GB-Commander compare reports across time zones. UTC was formerly known as GMT (Greenwich Mean Time); other terms used to refer to UTC are Zulu time, universal time and world time. Time is expressed in 24-hour notation in GB-OS, e.g. 1:00 a.m. is 01:00 and 4:00 p.m. is 16:00.

(Screenshot: Set Date/Time)

Set Timezone

To set the firewall's region, country and time zone, click Set Timezone. Click OK to apply your selection. Save your changes, then reboot the firewall. Time zone changes will not take effect until the firewall is rebooted. It is not possible to change the time zone using GBAdmin; this change must be made using the web interface.
(Screenshot: Set Timezone)

Trace Route

Trace Route executes a routing trace from the firewall to a designated IP address or domain name. Trace Route, like Ping, is useful for testing network connectivity. To determine whether a route to an Internet host is viable, Trace Route launches UDP probe packets with a short TTL (Time to Live), then listens for an ICMP time exceeded reply from each gateway along the path. When the trace is active, three probes are launched for each gateway, with the output showing the TTL, the address of the gateway and the round trip time of each probe. The Trace Route form will accept either a fully qualified host name (if DNS has been enabled on the firewall) or an IP address.

(Screenshot: Trace Route)

Upload Configuration

Upload Configuration uploads a previously saved GTA firewall configuration file. Enter the name of the configuration file to upload, or use the BROWSE button to find the file on your computer. (The file should have the extension .gbcfg.) Click SUBMIT to upload the configuration file to the firewall. Upon successful configuration upload, the firewall will reboot.

To open a configuration using GBAdmin, select File, then Open from the menu bar. GBAdmin can be used to review saved configurations without loading them into a running firewall.

(Screenshot: Upload Configuration)

Upload Runtime

Upload Runtime uploads GB-OS software to the firewall. This may be an update or a previous software version. Upload Runtime is not available on GB-Light or GB-Pro.

GB-OS software has two distinct parts: the runtime (operating system) and the configuration data. Upload Runtime allows the administrator to upload and install a GB-OS runtime image on a GTA firewall. When this item is selected, a dialog prompts you to browse for GB-OS runtime files (these files should have a file extension of .rtm). Select OPEN to upload the runtime file, then confirm that you want to update the runtime on the firewall. The firewall will validate the runtime file; if it is valid, the firewall will install it.

(Screenshot: Upload Runtime)
Chapter 13 Reports

Reports contains: Configuration, Hardware and Email Configuration. Reports displays statistics for the firewall hardware and software. Verify Configuration is the last item on the main menu of the web interface, not under Reports, but is under the Reports section in GBAdmin. Items under the Reports menu in GBAdmin are available only when a network connection is established with a running GTA firewall.

Configuration

Configuration lists the current configuration of the firewall. The report displays information about all configuration parameters. At the top of the report is a hyperlinked table of contents for the Configuration Report; to jump to a particular section of the configuration, click one of those links. If you need to contact technical support with a firewall question, the support staff may request that you generate a current configuration report as part of the troubleshooting process. Configuration does not test for configuration errors; to test your configuration, click Verify Configuration instead.

(Screenshot: Configuration Report Example (Partial))

Hardware

Hardware generates a report of the hardware components detected in your system and is useful in diagnosing hardware problems. If you suspect a hardware problem, generate this report and review the hardware listed. GTA's technical support staff may also request a current hardware report in order to answer your questions.

(Screenshot: Hardware Report Example (Partial))

Email Configuration

Email Configuration emails a copy of the firewall information to the designated support address (set in Network Information's Preferences as SUPPORT ADDRESS). The emailed firewall information includes:
- a software configuration report
- a hardware configuration report
- a configuration verification report
- a copy of the current routing table
- a copy of the current ARP table
- a binary copy of the system configuration data in MIME format
- a list of active VPNs
- a list of active filters
- current statistics

Enter any additional information you wish to provide in the COMMENTS field. Since the message carries the complete firewall configuration, make sure the support address is one you trust before sending.

(Screenshot: Email Configuration)

Verify Configuration

Verify Configuration is the last item on the main menu of the web interface (at the end of the list, not under Reports), but is under the Reports section in GBAdmin. Firewall self-verification occurs every time a section or configuration is saved, checking for potential configuration errors; Verify Configuration displays this verification information. If you have changed your firewall configuration, run a configuration verification to ensure that you have a valid configuration. Run the check each time after making changes to the system; any change may cause misconfiguration, and verification will help to ensure that no errors are introduced by the new configuration.

(Screenshot: Verify Configuration Example (Partial))

In GBAdmin, in addition to Verify Configuration, verification errors will appear over a configuration menu item when the mouse pointer hovers over it. Verification results are also indicated by the color of the scrolling menu circle: green for functional, yellow for warning and red for error. In GBAdmin, these warnings and errors appear as soon as the administrator clicks another selection, even if the configuration has not yet been saved. Use these verification notices in GBAdmin to test a configuration option before applying it to a running firewall.
Chapter 14 System Activity

System Activity contains: Active ARP Table, Active Connections, Active Filters, Active Routes, Active Hosts, Active VPNs, Authenticated Users, Current Statistics, DHCP Leases, Locked Out, Mail Sentinel and View Log Messages.

System Activity provides direct access to firewall statistics. System data is continuously updated, so system activity snapshots are current. To change the refresh rate of the report snapshot, click CHANGE REFRESH RATE on the report screen. Some statistics may not appear if they are not activated in your configuration. In GBAdmin, system activity reports are only available when a firewall connection is active; click the item to request an update.

Active ARP Table

Active ARP Table displays a list of the currently known ARP (Address Resolution Protocol) entries. The list displays the IP address to MAC address translations and the TTL (Time to Live) for each entry. ARP table entries are kept for 20 minutes and scanned every five (5) minutes to check for expired entries. Once an entry has expired, the firewall will not try to re-map the address for 20 seconds.

(Screenshot: Active ARP Table)

Active Connections

Active Connections displays a list of currently active inbound and outbound connections. By default, the display is a static snapshot, with the refresh rate set to zero (0) seconds (no automatic updates). If you wish to automatically update the list, adjust the interval using CHANGE REFRESH RATE.

Field descriptions:
(Inbound/Outbound) Connection Direction: <-- indicates an inbound connection; --> indicates an outbound connection.
Protocol: Protocol used by the connection.
Internal: Internal IP address:port.
NAT: NAT IP address:port.
External: External IP address:port.
Active: Time active.
Idle: Time idle.
Packets: Number of packets received/sent.
Bytes: Number of bytes received/sent.

(Screenshots: Active Connections; Active Connections - Refresh Rate)

Active Filters

Active Filters displays a list of filters for each of the four filter types: outbound, remote access, passthrough and implicit. Information includes the number of hits (count of filter activations) and a description of the filter. Inactive time-based filters have an asterisk (*) next to the entry. By default, the display is a static snapshot, with the refresh rate set to zero (0) seconds (no automatic updates). If you wish to automatically update the list, adjust the interval using CHANGE REFRESH RATE.

(Screenshot: Active Filters)

Active Routes

Active Routes displays the active routing table, which can be helpful in troubleshooting routing problems. The list displays destination, gateway and flags. Flags are defined below.

Flag descriptions:
B: Recently discarded packets.
b: Route represents a broadcast address.
C: Generate new routes on use.
c: Protocol-specified generate new routes on use.
D: Created dynamically.
G: Destination requires forwarding by an intermediary (gateway).
H: Host entry.
M: Modified dynamically.
R: Host or network unreachable.
S: Static route, manually added.
U: Route is usable.
W: Route was generated as a result of cloning.

(Screenshot: Active Routes)

Active Hosts

Active Hosts appears only on firewalls with a restricted number of concurrent users. See product specifications for the number of concurrent users licensed on your model. Active Hosts tracks and regulates outbound access. The number of licenses used is determined by the number of IP addresses from which outbound requests are currently being made. This count includes:
- connections from a protected network to an external network
- connections from a protected network to a PSN
- connections from a PSN to an external network
- outbound connections opened by a protected network or PSN host when responding to requests

The record includes the outbound user's IP address and lease duration (time remaining). If the user continues to send outbound requests, remaining active, the lease will renew each time a request is made. If the user remains inactive for the timeout period, the lease duration column will report expired until the license is required for another user or the original user renews the lease. The duration of leases is defined in Timeouts in the NAT section.

(Screenshot: Active Hosts)

Active VPNs

Active VPNs displays all currently active VPN connections. (There is an inbound and an outbound connection for each VPN.)

Field descriptions:
Source: Source IP address of the gateway.
Destination: Destination IP address of the gateway.
Type: Type of VPN connection (typically ESP).
Encryption: Encryption algorithm used by the VPN.
Hash: Hash algorithm used by the VPN.
State: Values include larval, mature, dying and dead. Larval and dead may pass too quickly to be observed.
Active: Duration of the VPN connection.
Idle: Idle time of the VPN.
Bytes: Number of bytes transferred by the connection.
Description: Identifying name for the VPN.

(Screenshot: Active VPNs)
Authenticated Users

Authenticated Users tracks access by users authenticated through GBAuth for GTA, LDAP and RADIUS authentication. The record includes:

- the outbound user's name, as indicated in Authorization, the LDAP configuration or the RADIUS configuration (the GBAuth IDENTITY field)
- the source IP address
- the number of minutes the user has been active, and when (if applicable) their lease expires

The last column, lease duration (time remaining), applies only to mobile VPN users. If a VPN client user is actively connected, the lease renews each time a request is made. If the user remains inactive for the timeout period, the lease duration column reports expiry until the license is required by another user or the original user renews the lease. The duration of leases is defined in Timeouts.

Field           Description
Index           A non-editable field designating the order of authentication.
Name            Identifying name of the user.
IP Address      IP address from which the connection is made.
Active          Time the connection has been in use.
Lease Duration  For mobile VPN users, the time remaining before the connection expires and the lease must be renewed.

(Figure: Authenticated Users)

Current Statistics

Current Statistics displays the firewall's current connections for TCP, UDP, ICMP and other protocols. A summary of the information appears at the bottom of the list, including total packets, current average packets, peak average packets, date, time, uptime and CPU states (% user process, % system process, % interrupt, and % idle). To update the list automatically, adjust the interval using CHANGE REFRESH RATE.

Field                  Description
Interface              Interface on which the connection is being made.
Connection Direction   Inbound or Outbound.
Protocol               List items for TCP, UDP, ICMP and other protocols.
Connections            Current and average number of connections for each protocol and connection direction.
Total Packets          Packets sent and received for each protocol and connection direction.
Bandwidth Utilization  Bandwidth for each protocol and connection direction.
Total                  Summary line that displays the totals for each column.
Peak                   Summary line that displays the peak for each column.
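The lease behaviour described above for Active Hosts and Authenticated Users (a license is consumed per distinct source IP address, renewed on each request, shown as "expired" after the timeout, and its table slot reclaimed only when another host needs it) can be modelled as follows. This is an added example, not GB-OS code: the LeaseTable class, the caller-supplied integer clock and the way expired rows are dropped are assumptions, and the timeout value stands in for the lease duration configured under Timeouts.

```python
"""Model of the Active Hosts / Authenticated Users lease table.

Added example, not GB-OS code. Assumptions: time is an integer number of
seconds supplied by the caller, and `timeout` stands in for the lease
duration configured under Timeouts.
"""


class Lease:
    def __init__(self, ip, now):
        self.ip = ip
        self.first_seen = now   # when the host first made an outbound request
        self.last_seen = now    # renewed on every outbound request


class LeaseTable:
    def __init__(self, max_licenses, timeout):
        self.max_licenses = max_licenses
        self.timeout = timeout
        self.leases = {}        # ip -> Lease, one row per outbound IP address

    def _expired(self, lease, now):
        return now - lease.last_seen >= self.timeout

    def licenses_in_use(self, now):
        """A license is consumed by each distinct IP whose lease has not expired."""
        return sum(1 for l in self.leases.values() if not self._expired(l, now))

    def request(self, ip, now):
        """Register an outbound request from `ip`.

        Returns False when every license is held by an active host."""
        lease = self.leases.get(ip)
        if lease is not None:
            # The original holder renews its own lease, even one already expired.
            lease.last_seen = now
            return True
        if self.licenses_in_use(now) >= self.max_licenses:
            return False
        # Expired rows stay listed until another host needs the table slot;
        # only then is the oldest expired row dropped (assumed policy).
        if len(self.leases) >= self.max_licenses:
            expired = [l for l in self.leases.values() if self._expired(l, now)]
            oldest = min(expired, key=lambda l: l.last_seen)
            del self.leases[oldest.ip]
        self.leases[ip] = Lease(ip, now)
        return True

    def rows(self, now):
        """Rows as displayed: (IP address, seconds active, time remaining or 'expired')."""
        rows = []
        for l in self.leases.values():
            remaining = self.timeout - (now - l.last_seen)
            rows.append((l.ip, now - l.first_seen,
                         "expired" if remaining <= 0 else remaining))
        return rows
```

The `request` method is what an outbound connection attempt would call; `rows` produces the columns the Active Hosts page shows, with the countdown renewed by activity and the "expired" marker appearing once the timeout has elapsed.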
(Figure: Current Statistics)

DHCP Leases

If activated, DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses to internal hosts logging onto a TCP/IP network, eliminating the need to assign permanent IP addresses manually. DHCP dynamically updates DNS servers after making assignments. DHCP Leases lists the DHCP-assigned IP addresses and their host identity.

(Figure: DHCP Leases)

Locked Out

Locked Out lists IP addresses from which unsuccessful login attempts exceed the threshold number of attempts set in the Authorization LOCKOUT THRESHOLD field. A failed logon attempt occurs when the wrong firewall administration user name and/or password has been entered. The duration shows how long the IP address will be locked out and is expressed as a countdown: if the administrator has set five minutes as the lockout duration, the counter starts at the full lockout duration and counts down to zero. At that time, the user may again attempt to log on from the IP address. When the lockout time has expired, the IP address disappears from Locked Out.

(Figure: Locked Out)

Mail Sentinel (Email Proxy)

Mail Sentinel statistics track its SMTP proxy connections and processing. These statistics can be viewed by clicking Mail Sentinel in the System Activity section of the web interface menu.
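The lockout logic the Locked Out page reports (a failed administration logon count per source IP, a lock once the count exceeds the LOCKOUT THRESHOLD, a countdown over the configured duration, and the row disappearing when it reaches zero) is shown below as an added example. It is not GB-OS code; the LockoutTable class, the caller-supplied clock in seconds, and the choice to reset the failure counter when a lockout expires are assumptions.

```python
"""Model of the Locked Out table (added example, not GB-OS code).

Assumptions: failed and successful admin logons are reported by the caller
together with an integer time in seconds; `threshold` corresponds to the
Authorization LOCKOUT THRESHOLD field and `duration` to the lockout duration.
"""


class LockoutTable:
    def __init__(self, threshold, duration):
        self.threshold = threshold
        self.duration = duration
        self.failures = {}       # ip -> consecutive failed logon attempts
        self.locked_until = {}   # ip -> time at which the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Countdown reached zero: the row disappears from Locked Out and
            # the failure counter starts over (assumed).
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed admin logon; returns True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] > self.threshold:
            self.locked_until[ip] = now + self.duration
            return True
        return False

    def record_success(self, ip, now):
        """A correct logon from a non-locked IP clears its failure count.

        Returns False if the IP is locked out, in which case the logon is
        not accepted regardless of the credentials."""
        if self.is_locked(ip, now):
            return False
        self.failures.pop(ip, None)
        return True

    def rows(self, now):
        """(IP address, seconds remaining) for every IP currently locked out."""
        return [(ip, until - now)
                for ip, until in list(self.locked_until.items())
                if self.is_locked(ip, now)]
```

Note that the lock is applied on the attempt that exceeds the threshold, not the one that reaches it, matching the page's wording "exceed the threshold number of attempts".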
Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus activities are not available unless you have purchased and activated those Mail Sentinel subscription options. See the Mail Sentinel Options Feature Guide for more information.

By default, these statistics are a static snapshot of current Mail Sentinel activity; to specify a snapshot update cycle for this statistics page, click CHANGE REFRESH RATE. Enter your desired refresh interval and click the SAVE button.

The Mail Sentinel statistical summary includes fields describing total connections, rejected and timed-out connections, and email processed by Mail Sentinel. Rejected email is email for which a "message undeliverable" signal has been returned to the sender. Quarantined email has been sent to a quarantine address. Other email is delivered normally.

Percentages are relative to the total for the section. For example, the percentage of rejected Confirmed spam is relative to the total number of emails processed by Mail Sentinel Anti-Spam, not to the total number of emails processed by the proxy as a whole.

Access Control List statistics assist troubleshooting by indicating the count of messages that triggered an ACL of a given index number. The index and description columns identify which ACL was triggered by the given number (count) of emails. Because the last time the ACLs were saved or changed may not be the time when the Mail Sentinel engine was last initialized, the total count of ACL matches may be less than the total number of emails processed by Mail Sentinel. Not all email processed by the Mail Sentinel proxy is necessarily processed by Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus (unless every proxy ACL has Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus enabled), so these totals may not be equivalent.
Field                     Description

Starting Date             The date from which the statistics begin. This is usually the time that the proxy was activated.
Active Connections        The number of SMTP connections currently being handled.
Leases                    The number of recipients that have received email through Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus. If the user count license has been exceeded, a count of license overrun attempts is displayed.
Connections (Total)       The total number of SMTP connection attempts that the proxy has received.
Connections (Incomplete)  The number of SMTP connections that were dropped by the sender.
Connections (Timeout)     The number of SMTP connections that were dropped by the proxy because the timeout threshold was reached.
Processed                 The total number of SMTP connections processed by proxy ACL rules.
Delivered                 The total number of processed SMTP connections that were accepted and delivered by proxy ACL rules.
Rejected                  The total number of processed SMTP connections that were denied or rejected by proxy ACL rules.
Quarantined               The total number of processed SMTP connections that were quarantined by proxy ACL rules.

Rejected
MAPS                      The number of emails (out of all rejected email) rejected because of a MAPS response.
Maximum Size              The number of emails (out of all rejected email) rejected because they were over the maximum size allowed in the proxy ACL.
RDNS                      The number of emails (out of all rejected email) rejected because a reverse DNS check did not match, possibly indicating an illegitimate email.
Rule                      The number of emails (out of all rejected email) rejected because they matched a denied source or destination in the proxy ACL (rule), e.g. the address was locally blacklisted.

Mail Sentinel Anti-Spam
Confirmed (Total)         The total number of accepted SMTP connections that Mail Sentinel Anti-Spam registered in the Confirmed spam category.
Confirmed (Rejected)      The number of emails (out of only Mail Sentinel Anti-Spam processed email) rejected because they were categorized as Confirmed spam.
Confirmed (Quarantined)   The number of emails (out of all Mail Sentinel Anti-Spam processed email) sent to a quarantine address because they were categorized as Confirmed spam.
Suspect (Total)           The total number of accepted SMTP connections that Mail Sentinel Anti-Spam registered in the Suspect spam category.
Suspect (Rejected)        The number of emails (out of all Mail Sentinel Anti-Spam processed email) rejected because they were categorized as Suspect.
Suspect (Quarantined)     The number of emails (out of all Mail Sentinel Anti-Spam processed email) sent to a quarantine address because they were categorized as Suspect.
Unknown (Total)           The total number of accepted SMTP connections that Mail Sentinel Anti-Spam registered in the Unknown spam category. These are delivered normally.

Mail Sentinel Anti-Virus
Virus (Total)             The total number of accepted SMTP connections in which Mail Sentinel Anti-Virus found a virus. Note that this does not count email for which Mail Sentinel Anti-Virus was disabled in the ACL.
Virus (Rejected)          The number of emails (out of only Mail Sentinel Anti-Virus processed email) rejected because they contained a virus.
Virus (Quarantined)       The number of emails (out of only Mail Sentinel Anti-Virus processed email) sent to a quarantine address because they contained a virus.

Access Control Lists
Index                     The number indicating the relative position of an ACL within the Mail Sentinel ACL set. Indicates the order of testing for execution.
Count                     The number of times that the ACL has been matched. This is reset to zero when the ACL set is saved, or when the firewall is rebooted.
Description               The description entered by the user for the ACL of that index number.

(Figure: System Activity - Mail Sentinel)
View Log Messages

Recent event messages are kept locally in a buffer on the firewall. The buffer's size depends on the firewall and memory configuration. When the buffer is filled, it begins writing over the oldest data. Log messages are displayed in reverse order, with the most recent message appearing at the top. Messages are written in the standard WebTrends Enhanced Log Format (WELF). Warning messages are displayed in red. See the appendix for more information about interpreting log messages. The display is static and must be refreshed in order to display new activity.

(Figure: View Log Messages)
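The following added example (not GB-OS code) shows how a WELF log line of the kind kept in this buffer is parsed, how a fixed-size buffer overwrites its oldest entry, and how the newest-first display and the red-highlighted warnings are derived. The sample lines are constructed, modelled on the bridging-loop and interface-down messages quoted in the Troubleshooting chapter; the rule that a priority of 4 or lower is a warning, the key names beyond pri and msg, and the LogBuffer class are assumptions.

```python
"""WELF log line parsing and a ring buffer for View Log Messages.

Added example, not GB-OS code. Sample lines are constructed, modelled on
the log messages quoted in the Troubleshooting chapter.
"""
import re
from collections import deque

# key=value pairs; a value is either "quoted text" or a run of non-space
# characters, which may be empty (e.g. the src= dst= of a bridging-loop line).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
_TS = re.compile(r'^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(.*)$')


def parse_welf(line):
    """Return (timestamp, fields) for one WELF line; raise ValueError otherwise."""
    m = _TS.match(line)
    if not m:
        raise ValueError("not a WELF line: %r" % line)
    fields = {}
    for key, value in _KV.findall(m.group(2)):
        if value.startswith('"'):
            value = value[1:-1]          # strip the surrounding quotes
        fields[key] = value
    return m.group(1), fields


class LogBuffer:
    """Fixed-size buffer: once full, the oldest message is overwritten."""

    WARNING_PRI = 4   # assumption: pri <= 4 is what the page shows in red

    def __init__(self, size):
        self.entries = deque(maxlen=size)

    def append(self, line):
        self.entries.append(parse_welf(line))

    def display(self):
        """Newest first, as on the View Log Messages page."""
        return list(reversed(self.entries))

    def warnings(self):
        return [(ts, f) for ts, f in self.display()
                if f.get("pri", "").isdigit() and int(f["pri"]) <= self.WARNING_PRI]


# Constructed sample lines (not captured from a real firewall).
SAMPLE_LINES = [
    'Feb 2 02:04:30 pri=4 msg="Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 fxp1->fxp0 (muted)" src= dst=',
    'Feb 2 02:05:01 pri=6 msg="accept" proto=tcp src=192.0.2.10 dst=198.51.100.5 dstport=443',
    'Feb 2 13:44:18 pri=4 msg="alarm: Interface EXTERNAL (rl1) down" type=mgmt',
]

if __name__ == "__main__":
    buf = LogBuffer(size=2)
    for sample in SAMPLE_LINES:
        buf.append(sample)
    for ts, fields in buf.display():
        print(ts, fields["pri"], fields["msg"])
```

With a buffer of two entries the first sample line is overwritten by the third, and only the interface-down alarm remains among the warnings; a larger buffer keeps the bridging-loop message as well.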
Chapter 15 Utility Software

DBmanager

DBmanager contains an interface for the GTAsyslog and LogView software and verifies installation success for GTAsyslog. For GTA Reporting Suite and GB-Commander, DBmanager verifies installation success and maintains ODBC-compliant databases by performing backups, data purges, data restores, log imports, format conversions, reinitializations, unlocking and repairs. Functions specific to GTA Reporting Suite and GB-Commander are covered in those products' guides; only functions used by the firewall and GTAsyslog are covered in this guide.

Select DBmanager from the GTA sub-menu of the Windows Start menu.

(Figure: DBmanager)

Database Maintenance

The database maintenance functions under the Database menu are used by GTA Reporting Suite and GB-Commander and will not function without a license for one of these products. They can purge and back up records, perform database conversion, reinitialization and repair, and unlock the database. See the GTA Reporting Suite and GB-Commander product guides for more information.

Utilities

The Utilities menu in DBmanager contains the GTA Reporting Suite Activation Code interface; an interface for configuring GTAsyslog for GB-OS and GTA Reporting Suite; and the Import Logs function, which imports old logs into the GTA Reporting Suite or GB-Commander database. ACTIVATION CODE, IMPORT LOGS and the FIREWALL MONITORING LIST under GTAsyslog will not function without a license for GTA Reporting Suite or GB-Commander.

(Figure: DBmanager - Utilities Tab)

GTAsyslog Settings

GTAsyslog Settings allows the user to select how GTAsyslog operates, how GTA Reporting Suite accesses recorded data, and which port will be used by the LogView utility. GTAsyslog automatically writes data to a rotating log file using the standard WebTrends Enhanced Log Format (WELF). The file buffer size depends on the system and memory configuration. When the buffer is filled, GTAsyslog begins writing over the oldest data in the log. Log messages are displayed in reverse order, with the most recent message appearing at the top. The display is static and must be refreshed in order to display new activity.
If your license is for one firewall and you switch to a new firewall, GTAsyslog will not initially accept the new firewall. You must unlicense the old firewall and license the new one: stop the GTAsyslog service, attach the new firewall, delete the gbfirewall table in the log database, and restart the GTAsyslog service. GTAsyslog then begins receiving logs from the new firewall.

Field                   Description
GTAsyslog Port          Default TCP port is 514.
Log View Port           TCP port on which LogView connects to GTAsyslog (LogView's default LOG SERVER value is localhost:2630).
Max. Number of Files    Log files retained before the oldest is overwritten. Default 20.
Max. Size of Each File  Maximum file size for each log. Default 400 K.
File Directory          Location of the rotating log files. Default C:\GTA\GTAsyslog\Logs.
Current Firewalls       Host names of firewalls monitored by GTAsyslog for GTA Reporting Suite.

Help

Verify Installation (for GTAsyslog, GB-Commander and GTA Reporting Suite) and the About dialog box are found under DBmanager's Help menu.

Verify Installation

Verify Installation provides a list of general information about your computer. It also lists product serial numbers; the number of licensed firewalls; and database information, including tables and DSNs for GB-Commander and GTA Reporting Suite (when installed). Verify Installation also indicates whether the GTAsyslog software is running. For more about using Verify Installation with GTA Reporting Suite and GB-Commander, see their product guides.

LogView

LogView is a versatile viewer that gives read-only access to firewall logs for up to 10 computers. Users equipped with LogView can review the streaming log file data from anywhere on the network as it is written to the rotating log.

Enter the location of your syslog server in the LOG SERVER field. By default, this is the hostname/port number localhost:2630. Click the CONNECT button to use LogView. Click DISCONNECT to stop viewing the log files.

(Figure: Log Viewer - View Configuration)

If an error message appears indicating that the port number may be incorrect, GTAsyslog may not be running. Check the Windows Task Manager to verify that GTAsyslog is installed and running, or use Verify Installation in DBmanager.

GBAuth User Authentication

If authentication is required by a filter or tunnel, a user accessing the GTA firewall must enter the GTA Authentication, LDAP or RADIUS name and password into the GBAuth software before initiating a connection. To use authentication, the desired authentication method must be enabled and configured, and a user authentication remote access filter must be configured. GBAuth is a cross-platform Java-compatible service. Install the software on the computer from which authentication will be used.
As long as data is being exchanged, GBAuth automatically re-authenticates. To close GBAuth manually, right-click the icon and select Close, or click the DISCONNECT button.

Field      Description
GNAT Box   Name or IP address of the GTA firewall.
Identity   Login data provided to the user: the value from the Users Authorization LOCAL IDENTITY field. Maximum 127 characters. Case-sensitive.
Challenge  N/A
Response   Alphanumeric password from the Users Authorization PASSWORD field.

(Figure: GBAuth - Disconnect - Mac OS X)

Using GBAuth for GTA Authentication

To use GTA authentication:

- the Authentication feature must be enabled
- a user authentication remote access filter must be configured
- users must be created
- users must have the GBAuth client installed on their computer

To authenticate with the firewall using GBAuth:

1. Users enter the values from Users in Authorization. Enter the name or IP address of the firewall in the GNAT BOX field or select it from the drop-down menu. Enter the identity, in the address format specified in User Authorization, in the IDENTITY field, then click OK. If you are authenticating for the first time, or if the SSL certificate was recently changed, a security alert may appear. If you know the certificate is correct, click YES.

(Figure: GBAuth Using GTA Authentication - Windows)

If the information is correct, an unlocked padlock icon should appear in the Windows system tray or the Mac OS X dock.

(Figure: GBAuth - Authentication Unlocked Icon - Windows)

The unlocked icon indicates that authentication has begun; the locked icon indicates that the user has successfully authenticated.

2. The cursor will move to the RESPONSE field. Enter the password from Users under Authorization, then click OK. If the identity or password is not recognized, an Authentication Failed notice will appear. If the information is correct, the lock icon appears in the system tray, and you can perform further actions, e.g. initiate a VPN connection through the firewall.
(Figure: GBAuth - Authentication Locked Icon - Windows)
(Figure: GBAuth - Authentication Locked Icon - Mac OS X)

Using GBAuth for LDAP Authentication

To use LDAPv3 authentication:

- the Authentication and LDAPV3 features must be enabled
- a user authentication remote access filter must be configured
- the LDAP server must be configured with the users, domains and passwords to authenticate with
- users must have the GBAuth client installed on their computer

To authenticate with the firewall using LDAP:

1. Enter the name or IP address of the firewall in the GNAT BOX field or select it from the drop-down menu. Enter the cn value and the ou identifier plus value in the IDENTITY field using the format "User Name, ou=organization unit", then click OK.

Field      Description
GNAT Box   Name or IP address of the GTA firewall.
Identity   Login data provided to the user: cn (common name) and ou (organizational unit) combined. Do not enter the cn= identifier; it is prepended when the data is sent to the LDAP server. Maximum length is 127 characters. The cn is case-sensitive.
Challenge  N/A
Response   Alphanumeric password specified for the user on the LDAP server. Case-sensitive.

(Figure: GBAuth Using LDAP Authentication)

2. The cursor will move to the RESPONSE field. Enter the user's password on the LDAP server, then click OK. (The authentication BASE DN field values are appended to the data, creating the dn string that GBAuth sends to the LDAP server.)

3. If the identity or password is not recognized, an Authentication Failed notice will appear. If the information is correct, a lock icon appears in the Windows system tray, and you can initiate a connection to or through the firewall.
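The DN assembly described in this section (the user types the cn value and "ou=..." without the "cn=" identifier, the client prepends "cn=", and the firewall's BASE DN is appended) is shown below as an added example; it is not GBAuth code. The function and constant names, the RFC 4514 escaping of special characters in the cn value, and the rejection of an identity that already carries "cn=" are assumptions made for the example.

```python
"""Assemble the LDAP bind DN from a GBAuth-style IDENTITY value and a BASE DN.

Added example, not GBAuth code. The escaping rules follow RFC 4514; the
127-character limit is the maximum the guide states for the IDENTITY field.
"""

MAX_IDENTITY = 127
_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value):
    """Escape characters that are special inside an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        if ch in _SPECIAL or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(identity, base_dn):
    """identity: "User Name, ou=organization unit" as typed into IDENTITY.

    The first component is the cn value (typed without "cn="); any further
    components are taken as complete RDNs such as "ou=Sales". The BASE DN
    configured on the firewall is appended to form the DN sent to the server."""
    if not identity or len(identity) > MAX_IDENTITY:
        raise ValueError("identity must be 1..%d characters" % MAX_IDENTITY)
    if identity.lower().startswith("cn="):
        raise ValueError("do not type the cn= identifier; it is prepended automatically")
    # A comma inside the cn value itself is ambiguous in this input format.
    parts = [p.strip() for p in identity.split(",")]
    cn, rest = parts[0], parts[1:]
    rdns = ["cn=" + escape_rdn_value(cn)] + rest
    if base_dn:
        rdns.append(base_dn)
    return ",".join(rdns)


if __name__ == "__main__":
    print(build_bind_dn("Jane Doe, ou=Sales", "dc=example,dc=com"))
```

Because the cn is case-sensitive on the server side, the function deliberately does not normalise its case; it only escapes characters that would otherwise be parsed as DN syntax.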
Using GBAuth for RADIUS Authentication

To use RADIUS authentication:

- the Authentication and RADIUS features must be enabled
- a user authentication remote access filter must be configured
- the RADIUS server must be configured
- users must have the GBAuth client installed on their computer

To authenticate with the firewall using RADIUS:

1. Enter the name or IP address of the firewall in the GNAT BOX field or select it from the drop-down menu.

2. Enter the RADIUS identity and password in the appropriate fields. If the information is correct, a lock icon appears in the Windows system tray, and you can initiate a VPN connection through the firewall. User names are specified on your RADIUS server; the response or password is configured in the RADIUS section of the Authentication service on the firewall.

Field      Description
GNAT Box   Name or IP address of the GTA firewall.
Identity   Login data provided to the user, specified on the RADIUS server. Maximum 127 characters. Case-sensitive.
Challenge  N/A
Response   Alphanumeric preshared secret (password) specified for the user in the RADIUS section of Authentication. Case-sensitive.
Chapter 16 Troubleshooting

Troubleshooting Basics

GTA Support recommends the following guidelines as a starting point when troubleshooting network problems:

- Start with the simplest case of locally attached hosts.
- Use IP addresses, not names. Your problem could be DNS.
- Work with one network segment / subnetwork at a time.
- Verify your firewall system configuration by using Verify Configuration. The verification check is the best method of ensuring that your system is configured correctly. Correct all errors and warnings listed.
- Your first tests should be connectivity tests. Ping and traceroute are very useful tools for testing connectivity.
- Make sure the network cabling is connected to the correct network interface. Some useful guidelines are:
  - Verify the network interface numbers, MAC addresses and logical names listed on the Network Information screen and in the Configuration Report.
  - Use the logical elimination method. Connect a network cable to the first network interface and use the ping facility to test for connectivity with a host on the desired network. If unsuccessful, move the cable to the next network interface and perform the test again. Repeat until successful, or until all network interfaces have been tested.
  - Generate a Configuration Report. Check the report to ensure all your network devices have been recognized by the system at boot time.

Frequently Asked Questions (FAQ)

1. Why are the green LEDs on the back not lighting up?

This indicates that you do not have network connectivity. Make sure all cables are functional, the firewall is powered on, and the connected computers are correctly configured. You may have selected the wrong network connection type. Check Network Information to ensure the appropriate connection type is selected. If you have selected one of the specific settings, try resetting to Auto, the factory setting.

2. Why can't all hosts (computers and devices) behind the firewall reach the Internet?

This is usually a routing problem. The traceroute facility can be very useful in debugging routing problems. Check for these problems:

- Are the hosts that can't reach the Internet on a different network subnet from the firewall? Have you added a static route on the firewall to tell it which router is used to reach the Internet? Have you set the router's default route to be the firewall? Have you set the default route for hosts on the problem network to be the router or firewall?
- Is the wrong IP address assigned to the hosts or firewall? All network interfaces on the firewall must be on different logical networks.
- Is the default route assigned incorrectly? The default route should always be on the same subnet as the network interface of the host (this is true for all hosts, not just the firewall). For a firewall, the default route must be an IP address on the network attached to the network interface. When using PPP, PPTP or PPPoE, the default route is not necessarily on the same subnet; the route is assigned by your PPP provider.

3. Why can't one host (computer or device) behind the firewall reach the Internet?

This may indicate that the default route is assigned incorrectly (or not at all) to hosts on the protected or Private Service Networks. All hosts protected by the firewall must use the IP address of the firewall's network interface for the respective network. Hosts that reside behind routers or other gateways on these networks generally use the IP address of the gateway or router instead.
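The routing checks in questions 2 and 3 (firewall interfaces on distinct logical networks, a default route that lies on an attached network unless the external link is PPP/PPTP/PPPoE, and protected or PSN hosts routing via the firewall interface on their own network) can be run mechanically against a configuration before touching cables. The function below is an added example, not a GB-OS feature; the interface and host tuple formats, the "ethernet"/"ppp" kind labels and the finding texts are assumptions, and the addresses in the test are constructed documentation ranges.

```python
"""Routing sanity checks for Troubleshooting questions 2 and 3.

Added example, not part of GB-OS. Assumed input formats:
  interfaces: [(name, "address/prefix", kind)] with kind "ethernet" or "ppp"
  hosts:      [(name, "address/prefix", "gateway")] for hosts behind the firewall
"""
import ipaddress


def audit_routing(interfaces, default_gateway, hosts):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    eth = [(n, ipaddress.ip_interface(a)) for n, a, k in interfaces if k == "ethernet"]
    ppp = [n for n, a, k in interfaces if k != "ethernet"]

    # Q2: all firewall interfaces must be on different logical networks.
    for i, (n1, if1) in enumerate(eth):
        for n2, if2 in eth[i + 1:]:
            if if1.network.overlaps(if2.network):
                findings.append("%s and %s share logical network %s" % (n1, n2, if1.network))

    # Q2: the firewall's default route must be an address on an attached network.
    # A PPP/PPTP/PPPoE link is exempt: its route is assigned by the provider.
    gw = ipaddress.ip_address(default_gateway)
    if not ppp and not any(gw in i.network for _, i in eth):
        findings.append("default route %s is not on any attached network" % gw)

    # Q3: a host on a firewall network should route via that firewall interface.
    for hname, haddr, hgw in hosts:
        h = ipaddress.ip_interface(haddr)
        g = ipaddress.ip_address(hgw)
        if g not in h.network:
            findings.append("%s: default route %s is outside its subnet %s" % (hname, g, h.network))
            continue
        on_fw_net = [i for _, i in eth if i.network == h.network]
        if on_fw_net and g != on_fw_net[0].ip:
            findings.append("%s: default route %s is not the firewall interface %s"
                            % (hname, g, on_fw_net[0].ip))
    return findings


if __name__ == "__main__":
    # Constructed configuration using documentation address ranges.
    fw = [("EXTERNAL", "203.0.113.2/24", "ethernet"),
          ("PROTECTED", "192.0.2.1/24", "ethernet"),
          ("PSN", "198.51.100.1/24", "ethernet")]
    lan = [("pc1", "192.0.2.50/24", "192.0.2.1"),
           ("pc2", "192.0.2.51/24", "10.0.0.1")]
    for line in audit_routing(fw, "203.0.113.1", lan):
        print(line)
```

Hosts that sit behind a router on a protected network are on a different subnet from the firewall interface, so the last check skips them, matching the guide's note that such hosts use the router's address as their default route.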
4. Why can't I access the web user interface from the protected network?

The default remote access filter set is generated from the configuration parameters entered in the Network Information screen. It is possible that the firewall's protected network interface is on a different subnet from your host. Check the remote access filter for the web interface; it may need to be adjusted.

5. Why do I get errors when starting GBAdmin? Why is online help not displayed?

GBAdmin requires Microsoft Windows and Microsoft Internet Explorer 5.x or later. Components from Internet Explorer are used to display the online help information. Errors will occur if Internet Explorer for Windows is not correctly installed.

6. Why can't I see or ping the protected network interface?

First check for proper network configuration settings. If the network configuration is correct for the network interface, you may have the wrong cable for your connection. For a direct connection (firewall to host or router), you need a crossover cable. For a connection through a hub or switch, you need a straight-through cable. A yellow crossover cable and a grey straight-through cable may be included with firewall appliances. See product specifications or packaging materials for a list of included firewall accessories.

Distinguish between crossover cables and straight-through cables by comparing the connection ends. On a straight-through cable, the wire order matches; on a crossover cable, the first three of the four wires are in reverse order.

7. I forgot my user name and/or password. How can I log on to my firewall?

If login information has been irretrievably lost, a firewall can be reset to factory defaults, erasing all current configuration data and resetting both the case-sensitive user name and password to gnatbox.

Caution: Resetting the firewall will cause it to lose current configuration data. The configuration data can only be restored by loading a saved configuration with a known user name and password, or by manually entering the information.

To reset your firewall to factory defaults, attach either a terminal (using a serial console cable) or a computer with terminal emulation software (using a DB-9 null-modem cable). Enter these settings for the console connection:

EMULATION        VT-100
PORT             COM port connected via DB-9 cable to the firewall
BAUD RATE
DATA / BIT RATE  8
PARITY           None
FLOW CONTROL     Hardware*
STOP             1

* Set flow control to None as an alternative to hardware flow control.

Power on the GTA firewall. The following words will display:

GB-OS System Software x.x.x loading...

When the word "loading" appears, immediately press CONTROL-R. The system will begin to load, and configuration and hardware data will appear on screen. Finally, a confirmation question displays:

Are you sure you want to reset your firewall configuration?: (yes or no)

To reset to factory defaults, type the word yes in lower-case letters. Typing any other key will reboot the system without resetting to defaults. There is no time-out; the reset confirmation question will remain until a key is pressed.

8. How do I revert to my previous configuration after a version update?

The firewall's flash memory is in two sections ("slices"); one contains the current software version plus any saved configuration, the other contains the previous software version and configuration. A new firewall's two memory slices are identical. When the firewall is updated to a new runtime (software version), the update process automatically overwrites the memory slice not in use with the new software version and the existing configuration, leaving the production firewall version and configuration intact. When the firewall is rebooted, the updated memory slice will load by default.

To select a memory slice other than the default, set up the console interface as described in Troubleshooting question #7. When the firewall boots up, the memory slice information will load. When the word "Default" appears, immediately type the number of the slice you wish to load.

1 GB-OS slice 1
2 GB-OS slice 2
Default: 1
9. How do I use the memory section feature for live configuration testing?

The memory section ("slice") feature can be used to test a new firewall configuration in production while preserving the current configuration in the other memory slice. In the following example, memory slice 1 contains the current configuration, and memory slice 2 is used for testing a configuration.

1. Save a copy of the test configuration.
2. Reboot the firewall using the console interface.
3. Select and boot memory slice 2.

Caution: The test configuration will now be your active firewall.

4. Upload the configuration saved in step #1.
5. Switch to the web interface or GBAdmin to make advanced configuration changes; the currently selected slice will load by default until another is selected.
6. To revert to the last configuration, reboot the firewall using the console interface and select memory slice 1.

For more troubleshooting suggestions, see GTA's web site.

10. I can't access a tunnel that I have created. Why?

There are a few key points to remember about tunnels:

- You cannot access a tunnel from the protected network, since you can access the host directly (use the real IP address of the host).
- The source side of the tunnel must have an IP address that is on the external network for tunnels from the external network to the PSN or to the protected network.
- The source side of the tunnel must have an IP address that is on the Private Service Network for tunnels from the PSN to the protected network.
- You must have a remote access filter that allows access to the tunnel from the host in question. A tunnel that has no remote access filter, or an improperly configured filter assigned to it, will generate a blocked packet message in the log file. Use the default option in the filter set to create disabled filters matching your defined tunnels, then customize and enable them.
- Ensure that your tunnel is active.
Check the Configuration Report to verify that both your tunnel and remote access filters are active. Check the log messages for filter blocks when a remote host attempts to access the tunnel. If you see a block message, your remote access filter is most likely not configured correctly. If no block message appears, check the host that is specified as the target in the tunnel definition. The target host should have a default route configured, with the service in question running on the specified port. From the target host, try to ping the remote host.

11. My Microsoft Exchange server located on the PSN can't find the PDC (Primary Domain Controller) on the protected network. Why?

Normally, NetBIOS locates the primary domain controller (PDC) and other peer hosts by using broadcast packets. Since the firewall blocks all broadcast packets, another method of locating the PDC must be used. The solution is to use an LMHOSTS file with an entry for the PDC, provide a conduit for NetBIOS traffic to the PDC via a tunnel, and allow access via remote access filters.

1. Create an LMHOSTS file and insert an entry for the PDC. This entry uses the PDC's NetBIOS name, the NetBIOS domain name, and the PSN interface IP address where the tunnel will be created.
2. Create three tunnels from the PSN interface to the PDC for NetBIOS services:
   - UDP  NetBIOS name resolution
   - UDP  NetBIOS datagrams
   - TCP  NetBIOS data transfer
3. Create three remote access filters that allow the MS Exchange server on the PSN to access the three tunnels you created in step 2.
4. Reboot the Microsoft Exchange server.

Example

(Figure: GB-OS System with EXT, PRO and PSN interfaces; the PDC on the protected network and the EXCHANGE SRV on the PSN)

LMHOSTS Entry
[PSN interface IP address]  PDCSERVER  #PRE  #DOM:GTANET

Tunnels
UDP
UDP
TCP

Add Remote Access Filters
1. Allow Exchange Server to access via NetBIOS UDP.   Accept  UDP  PSN
2. Allow Exchange Server to access via NetBIOS TCP.   Accept  TCP  PSN

Windows NT/2000
Sample:     C:\WINNT\System32\drivers\etc\LMHOSTS.SAM
Real File:  C:\WINNT\System32\drivers\etc\LMHOSTS

Windows 95/98
Sample:     C:\Windows\LMHOSTS.SAM
Real File:  C:\Windows\LMHOSTS

12. Why doesn't the feature I enabled (email proxy, RIP, etc.) work?

The correct filters may not be installed or enabled for the selected features. The initial configuration of the firewall creates a set of all possible default filters. Depending on which options are enabled, filters may be disabled. To enable a feature, activate it, then supply the required data (if needed) and enable or disable the appropriate remote access filters.

Example: RIP
1. Enable RIP and the options in the RIP section and save.
2. Disable the DEFAULT RIP remote access filters.
3. Save the remote access filter set.

Example: Mail Sentinel email proxy
1. Enable the email proxy.
2. Set the IP address of the primary email server.
3. Save the section.
4. Enable the DEFAULT PROXY remote access filter.
5. Save the remote access filter set.

10. I get a bridging loop error message when I am in bridging mode.

A bridging loop message indicates a physical loop in the network cabling.

Feb 2 02:04:30 pri=4 msg="Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 fxp1->fxp0 (muted)" src= dst=

Check the physical wiring of hubs and switches to be sure no wire is crossed. Bridged networks must be physically isolated.

11. I get an "alarm: Interface down" message.

An interface down error message indicates that an interface has failed.

Feb 2 13:44:18 pri=4 msg="alarm: Interface EXTERNAL (rl1) down" type=mgmt

This could be caused by a loose or disconnected cable or by disconnected Internet service.

12. Why can't I see or ping the protected network interface?

You may have the wrong cable for your connection.
For a direct connection (firewall to host or router) you need a crossover cable. For a connection to a hub or switch you need a straight-through cable. A yellow crossover cable and a grey straight-through cable may be included with hardware appliances.

Distinguish between crossover cables and straight-through cables by comparing the connection ends. On a straight-through cable, the wire order matches; on a crossover cable, the first three of the four wires are in reverse order. Also check that your computer belongs to the same subnetwork as the IP address of the protected network interface.

13. How do I determine which rule or filter is causing rejected traffic?

When the firewall evaluates a packet for acceptance or rejection, many rules may be used. They are not evaluated in a random order but sequentially, and you can use this knowledge to trace conditions that may be causing a firewall misconfiguration. The order of evaluation is indicated on some pages by the index number (listed order on the page) of a rule. Start by testing the configurations at the top of the page, and work your way down until all configurations have been tested. For example, a rule/filter with an index of 1 is evaluated before a rule/filter with an index of 5, and should be tested first.

14. I enabled Mail Sentinel options. Why did the firewall automatically disable them?

Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus require Internet access over TCP port 443 (SSL) in order to authorize and update from GTA servers. If Mail Sentinel cannot access GTA servers (*gta.com) on TCP port 443, or if there is no DNS Proxy or Service enabled, the proxy may wait for Mail Sentinel option authentication that it cannot get; if the SSL connection times out, the proxy disables the Mail Sentinel options and continues processing according to standard ACL rules. The Mail Sentinel proxy then logs that it has disabled Mail Sentinel options, and periodically checks whether the Internet SSL connection has been restored. If the connection is restored and the Mail Sentinel feature activation codes are valid, the proxy automatically re-enables those Mail Sentinel options that were automatically disabled.
To correct this problem, check that your network allows SSL connections to the Internet over an external network interface (no routing rules may deny port 443). Use ping and traceroute to verify connectivity to the Internet, including gta.com and its subdomains, and check all routers that may block Internet SSL access. 15. My quarantine does not work. Why? An quarantine object must be an address object that contains only a single address such as -quarantine@gta. com. It is not valid to enter only the domain name of your server; your quarantine object must have a full address that contains an account as well as a domain name. Use of wild card (regular expression) characters is also not allowed. If you wish to use multiple addresses as quarantines in different firewall configuration areas, you should create one quarantine address object per quarantine address. For example, if you wish to separate suspect spam and virus , you might create address objects named Suspect Quarantine (containing [email protected]) and Virus Quarantine (containing [email protected]). 16. Mail Sentinel rejects too little . Why? First check that your proxy ACLs reject those domains or IP address ranges that are known spam servers. Remember that proxy ACLs evaluate in the order they are listed. Make sure that an all-accepting ACL is listed underneath those exclusion ACLs to ensure that every is not accepted before being tested for a spam domain. Check the specific ACL that you expected the to match for configuration errors that may cause failed matches. Correct configuration errors in any ACLs before it that may cause a premature match. To rule out either Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus options as a source of the problem, un-check all of the ENABLE check boxes in the Anti-Spam and Anti-Virus sections of your proxy s access control lists (ACLs). 
When you reenable Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus in each ACL, be sure to do it one at a time so you can narrow down the source of the misconfiguration. The Mail Sentinel System Activity report can provide useful diagnostic information to determine whether Mail Sentinel options are causing rejection. Indicating a large maximum file size in either the TO BLOCK or Mail Sentinel Anti-Virus sections of your proxy ACL will allow larger through. To limit the size of that your firewall accepts for transmission, reduce the maximum file size to a small, non-zero number. Be sure to allow external Internet access from your firewall to the Internet. Mail Sentinel uses various servers to keep its Mail Sentinel options up-to-date; if you have routing rules preventing this access, your Mail Sentinel options may lapse or use old spam and virus definitions, allowing newer spam and viruses through. A maximum size of zero does not mean that only zero-sized will be considered; instead, it means that the size limit consideration has been removed from the ACL. If you notice that some spam is still not being caught by Mail Sentinel Anti-Spam, consider adjusting your Mail Sentinel Anti-Spam threshold to a more aggressive setting. You might also choose to restrict Suspect category as well as Confirmed category . Additional use of a MAPS (a kind of real-time black list, or RBL) can also help.
140 132 GB-OS 3.7 User s Guide 17. Mail Sentinel rejects too much . Why? When the firewall evaluates a packet for acceptance or rejection, many rules may be used. It is important to check other rules such as routing rules before investigating Mail Sentinel ACL rules. Remember that proxy ACLs evaluate in the order they are listed. Make sure that any white list ACLs are listed above any black list ACLs to ensure that all is not rejected before being tested for a known-good address. To rule out Mail Sentinel features as a source of the problem, un-check the ENABLE check box in the MAIL SENTINEL ANTI-SPAM and MAIL SENTINEL ANTI-VIRUS headings of your proxy s access control lists (ACLs). When you re-enable Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus, be sure to do it one at a time so you can narrow down the source of the misconfiguration. The Mail Sentinel System Activity report can provide useful diagnostic information to determine whether Mail Sentinel options or other ACL rules are causing rejection. Indicating a small maximum file size is also a common cause for rejected . Indicating a low threshold for too many Mail Sentinel Anti-Spam categories can also be a common cause. 18. Mail Sentinel rejects all . Why? If your firewall rejects all , first check to see that TCP ports (especially the standard SMTP port 25) have not been filtered out in other rules, and that your proxy is enabled. If your firewall accepts port 25 connections but still rejects all , check your proxy s ACL settings. If your ACL is set to reject fitting your rules and all matches your rules, all will be rejected. Make sure you have at least one proxy ACL set to accept ; denial-type ACLs or an absence of ACLs will cause to be rejected. The Mail Sentinel System Activity report can provide useful diagnostic information to determine whether Mail Sentinel options or other proxy ACL configurations are causing rejection. 
Additionally, if all servers are listed on your MAPS, all could be rejected. 19. My Surf Sentinel 2.0 firewall is behind another firewall. What ports should I allow for the Surf Sentinel 2.0 service? Allow UDP port 9020 to server ccs.sc.surfsentinel.net for the Surf Sentinel 2.0 web content filtering service. 20. I get errors when using GBAuth. What do they mean? GBAuth requires use of remote access filters, users, SSL certificates, and authorization services on your firewall; it also requires GBAuth (Java version) installed on the client computer. If any of these things are set up improperly, if your password or other entry was incorrect, or if you are using an old version of GBAuth, errors may be generated. RMCAuth: Command authloginget (400) rejected, incorrect size errors may be caused by using an old version of GBAuth. This error is logged on the firewall as well as displayed on the GBAuth client. To correct this error, update to GBAuth (Java version). IOException errors generally refer to inability to form a network connection (e.g. incorrect remote access filters cause traffic denial by the firewall and the connection times out, or incorrect GNAT BOX field entry) or problems with the SSL certificate (e.g. the computer and firewall have out-of-sync clocks so that according to the computer s clock, the SSL certificate has not yet become valid). Verify your remote access filters, network connections, your computer s clock. If you have repeated java.security.cert.certificateexception: Certificate not yet valid. problems with SSL certificates due to your computer s or firewall s clock, you may wish to use an NTP service such as the firewall s Network Time Service to keep its clock correct. 21. AOL web access is blocked when I use Surf Sentinel 2.0. How do I allow it? AOL uses pr.atwola.com, an advertisement server, to redirect to webmail.aol.com. 
If Surf Sentinel 2.0 is set to block the Advertisement category, access to pr.atwola.com will be blocked, and webmail.aol.com will never be reached. To allow AOL web access, add an allowed domain name of pr.atwola.com. to the LCL (local content lists) of your firewall.
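As an added illustration of the first-match evaluation behind questions 16, 17 and 18 (example code, not GB-OS or GTA code): an ordered list of email proxy ACLs is walked top-down, and the first ACL that matches decides. The ACL names, match patterns and addresses are constructed; a small check also reports ACLs that can never match because an earlier one already covers them.

```python
# Added example, not GB-OS code: a model of first-match evaluation over an
# ordered list of email proxy ACLs, to show why ACL order matters (questions
# 16, 17 and 18). ACL names, match patterns and addresses are constructed.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Acl:
    name: str
    action: str            # "accept" or "reject"
    sender: str = "*"      # glob matched against the sender address
    source_ip: str = "*"   # glob matched against the connecting server's IP


def first_match(acls, sender, source_ip):
    """Evaluate ACLs top-down; the first one that matches decides.

    Returns (acl_name, action). With no matching ACL the result is
    (None, "reject"): a proxy with no accepting ACL rejects all email.
    """
    for acl in acls:
        if fnmatchcase(sender, acl.sender) and fnmatchcase(source_ip, acl.source_ip):
            return acl.name, acl.action
    return None, "reject"


def _covers(broad, narrow):
    """True when every value matching `narrow` also matches `broad`
    (a bare wildcard or an identical pattern)."""
    return broad == "*" or broad == narrow


def shadowed(acls):
    """Names of ACLs that can never match because an earlier ACL already
    covers everything they would match."""
    names = []
    for i, acl in enumerate(acls):
        for earlier in acls[:i]:
            if _covers(earlier.sender, acl.sender) and _covers(earlier.source_ip, acl.source_ip):
                names.append(acl.name)
                break
    return names


# Constructed ACLs
REJECT_SPAM_DOMAIN = Acl("spam-domain", "reject", sender="*@spam.example")
REJECT_SPAM_RANGE = Acl("spam-range", "reject", source_ip="203.0.113.*")
ALLOW_PARTNER = Acl("partner-whitelist", "accept", sender="*@partner.example")
ACCEPT_ALL = Acl("accept-all", "accept")

# Question 16: the all-accepting ACL sits above the exclusion ACLs, so the
# exclusions are never reached and too little email is rejected.
TOO_LITTLE = [ACCEPT_ALL, REJECT_SPAM_DOMAIN, REJECT_SPAM_RANGE]
# Question 17: a black list ACL sits above the white list, so a known-good
# sender in the listed range is rejected with everyone else.
TOO_MUCH = [REJECT_SPAM_RANGE, ALLOW_PARTNER, ACCEPT_ALL]
# Question 18: no accepting ACL at all, so everything is rejected.
NO_ACCEPT = [REJECT_SPAM_DOMAIN, REJECT_SPAM_RANGE]
# Correct order: white list, then exclusions, then the catch-all accept.
CORRECT = [ALLOW_PARTNER, REJECT_SPAM_DOMAIN, REJECT_SPAM_RANGE, ACCEPT_ALL]

if __name__ == "__main__":
    for label, acls in (("too little", TOO_LITTLE), ("too much", TOO_MUCH),
                        ("no accept", NO_ACCEPT), ("correct", CORRECT)):
        print(label,
              first_match(acls, "bob@spam.example", "198.51.100.5"),
              first_match(acls, "ann@partner.example", "203.0.113.9"),
              "shadowed:", shadowed(acls))
```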
Appendix A Ports and Services

GTA Ports & Services

Port numbers are divided into three ranges:
well-known ports
registered ports
dynamic and/or private ports

GTA generally uses well-known ports for standard services. For GTA services, appropriate ports are supplied by default. Default ports can be changed; if you change default ports, update firewall filters and port services with the new port number. The following ports are the defaults for GTA services; some are standard, others are private ports for a specific GTA or third-party service. This list is provided for reference only and should not be considered definitive. Default ports for services may change. Consult the GTA web site for the latest information. Some ports are used for more than one service.

Service                                              Port/Protocol  Description
GB-Commander server (encrypted); GBAuth (encrypted)  76/TCP         Communication with GB-Commander Server (SSL) or GBAuth (SSL)
RMC                                                  77/TCP         Remote management console; firewall administration using GBAdmin
GB-Commander client                                  78/TCP         Client communication with GB-Commander Server
HTTP                                                 80/TCP         Firewall administration using HTTP
NTP                                                  123/UDP        Used for NTP in the Network Time Service
LDAP                                                 389/TCP        LDAP service for dynamic DNS
HTTPS                                                443/TCP        Encrypted administration via the web
logging                                              514/TCP        Remote logging
RADIUS                                               1812/TCP       RADIUS service for dynamic DNS
HTTP proxy                                           2784/TCP       HTTP proxy default port

Well-known Ports and Services

Well-known (common) ports are assigned by the IANA, and on most systems can only be used by system processes or by programs executed by privileged users. Ports are used in TCP to name the ends of logical connections carrying long-term conversations. To provide services to unknown callers, a contact port is defined. Here is a brief list of these common services and port numbers.

Service       Port/Protocol  Description
FTP           21/TCP/UDP     File Transfer Protocol (control)
SSH           22/TCP/UDP     Secure Shell; remote shell
telnet        23/TCP         unencrypted remote shell
SMTP          25/TCP         Simple Mail Transfer Protocol; sends email
msg-auth      31/TCP/UDP     MSG authentication
name          42/TCP/UDP     host name resolution
nicname       43/TCP/UDP     whois service
domain        53/TCP/UDP     DNS
gopher        70/TCP/UDP     gopher; data transfer
finger        79/TCP/UDP     finger; user info poll
HTTP          80/TCP         Hypertext Transfer Protocol (World Wide Web)
CTF           84/TCP/UDP     Common Trace Facility
POP3          110/TCP        Post Office Protocol version 3; email receipt
auth          113/TCP        authentication service
SFTP          115/TCP/UDP    Secure File Transfer Protocol
sqlserv       118/TCP/UDP    Microsoft SQL services
NNTP          119/TCP/UDP    Network News Transfer Protocol
NTP           123/TCP/UDP    Network Time Protocol
NetBIOS-ns    137/TCP/UDP    NetBIOS name service
NetBIOS-dgm   138/TCP/UDP    NetBIOS datagram service
NetBIOS-ssn   139/TCP/UDP    NetBIOS session service
SQL-net       150/TCP/UDP    Oracle SQL-NET services
sqlsrv        156/TCP/UDP    SQL service
SNMP          161/TCP/UDP    Simple Network Management Protocol
SNMPTRAP      162/TCP/UDP    SNMP TRAP
prospero      191/TCP/UDP    Prospero database reply
IRC           194/TCP/UDP    Internet Relay Chat Protocol
PDAP          344/TCP/UDP    Prospero Data Access Protocol
LDAP          389/TCP/UDP    Lightweight Directory Access Protocol
HTTPS         443/TCP        HTTP over TLS/SSL
syslog        514/UDP        syslog service
printer       515/TCP        printer spooler service
FTPS-data     989/TCP/UDP    FTP (data) over TLS/SSL
(reserved)    1023/TCP/UDP   Reserved by IANA: [email protected]

Registered Port Numbers

Registered ports are listed by the IANA, and on most systems can be used by ordinary processes or programs executed by ordinary users. The IANA registers uses of these ports as a convenience to the community. Registered ports are in the range

Service                    Port/Protocol  Description
shockwave2                 1257/TCP/UDP   Macromedia Shockwave 2
lotusnote                  1352/TCP/UDP   IBM Lotus Notes
shockwave                  1626/TCP/UDP   Macromedia Shockwave
sixnetudr                  1658/TCP/UDP   StreamWorks 4
Windows Terminal Services  3389/TCP       Microsoft Windows Terminal Services
pcanywhere                 5631/TCP/UDP   Symantec pcAnywhere
Appendix B Log Messages

This section describes and illustrates log messages generated by GB-OS running on GTA firewalls using WELF logging, or using GTAsyslog. In order to use the firewall's remote logging, the remote logging service must be configured on the Remote Logging screen, where the user defines the remote host, log facilities, and the data that will be transmitted. Log messages can be viewed from View Log Messages, from the LogView utility software, as a log file in a text editor such as Notepad or TextEdit, or using the GTA Reporting Suite software.

Default Logging

Hardware/interface errors will be logged. Additionally, the default filter logging configuration is set to log rejected packets for all protocols. If a different filter logging configuration is desired, changes can be made in the Preferences section under Filters. Under normal conditions only the Rejected packet type should be selected. All other packet types are provided to assist in debugging network problems; selecting Received, Matched or Accepted will generate excessive log messages. The protocol options are: All, None, TCP, UDP and ICMP.

Interface Errors

A failed PPPoE network interface logs as a failed PPP connection.

Mar 4 21:06:44 pri=6 msg="PPP1: [PPP1] can't connect bypass,link0 and [b]:,session-ppp1: File exists" type=mgmt

Interface is down; indicates an interface has failed. This could be caused by a loose or disconnected cable.

Mar 4 21:06:44 pri=4 msg="alarm: Interface EXTERNAL (rl1) down" type=mgmt

If another host is using the firewall's broadcast IP address and attempts to modify the firewall's IP address, the MAC address of the host will be logged. Check IP addresses and netmasks assigned to hosts on the local network.

Mar 4 21:06:44 pri=3 msg="kernel: arp: 00:d0:68:04:98:b5 attempts to modify permanent entry for on en1" type=mgmt

Bridged Interfaces and Protocols

Physical Loop

This example indicates a physical loop in the cabling of the network. Check the physical wiring of hubs and switches to be sure no wire is crossed. Networks joined by a bridged interface must be physically distinct and not connected at more than one point.

Mar 4 21:06:44 pri=4 msg="Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 fxp1->fxp0 (muted)" src= dst=

Denied Protocol

Only displayed when logging options are set to log invalid packets. One can allow these packets through by adding them to the bridged protocol list.

Caution: No firewall filtering is performed on bridged protocols; this can result in a weakening of your security perimeter. Great care should be taken in allowing bridged protocol packets.

Feb 2 13:28:53 pri=3 msg="Bridged protocol type 0x42 denied (00:08:83:08:82:2a->01:80:c2:00:00:00)"

Gateway Policies

Gateway Policies Changes Gateway Due To Failed Primary Route

Mar 4 21:06:44 selector: No reply from
Mar 4 21:06:44 selector: No reply from
Mar 4 21:06:44 selector: No reply from
Mar 4 21:06:44 selector: Verification of default gateway failed.
Mar 4 21:06:44 selector: Default gateway set to

Notification from Gateway Policies

NOTIFICATION TYPE: Default gateway change
NAME: firewall.example.com
DATE: Wed :59:18 EDT
Default gateway changed to

Filtered Packet Types

Received

If this option is selected, all packets matching the protocol that arrive at any of the firewall's network interfaces will be logged. The log message includes the protocol, source IP, source port, destination IP, destination port, network interface (NIC), packet length and TCP flags if appropriate.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=6 flt_type=raf flt_action=pass msg="Received (4)" rule=4 proto=443/tcp src= srcport=1599 dst= dstport=443 interface=sis0 flags=0x11

Accepted

If a packet matches a filter rule that allows the packet to be accepted by the firewall, regardless of destination (inbound, outbound or directly to the firewall), it will be logged. The message includes the filter type (designated as RAF, NAT or PASS), the filter number, the word accept, log priority level, protocol, source IP, source port, destination IP, destination port, network interface, packet length and TCP flags if appropriate.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 flt_type=obf flt_action=pass msg="Accept OBF (2)" rule=2 proto=500/udp src= srcport=500 dst= dstport=500 interface=sis0

Rejected

If a packet is denied access, either explicitly by a filter or implicitly by the default rule (deny all unless explicitly allowed), it will be logged. The log message includes the filter type (RAF: remote access, NAT: NAT or PASS: pass through), the filter number, the word block, log priority level, protocol, source IP, source port, destination IP, destination port, the word alarm if an alarm was generated due to filter settings, network interface, packet length and TCP flags if appropriate.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=raf flt_action=block msg="Block RAF (20)" rule=20 proto=23/tcp src= srcport=1601 dst= dstport=23 interface=ppp0 attribute="alarm" flags=0x2

Log Messages

Permitted Inbound Connection

When an authorized inbound connection is made via a remote access filter (for permission) and a pass-through or NAT tunnel (for routing), three possible log messages can be generated. By default, one is created only when the session is closed. To generate a log message when an inbound session is started, enable the TUNNEL OPENS field in Preferences under Filters. The log messages for a permitted inbound connection are almost identical in both the open and close message, except that the close message contains connection information such as duration, packets sent/received, and bytes transmitted. The IP address/port pairs in the log message detail the route of the packet. The open and close connection examples below show an inbound request to a web server on the Private Service Network. There is no explicit tag in the log message indicating that the packet was permitted, since the log message indicates this implicitly.

Open
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Open incoming NAT tunnel" proto=http src= srcport=4175 nat= natport=80 dst= dstport=80

Close
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Allow incoming NAT tunnel" proto=http src= srcport=4175 nat= natport=80 dst= dstport=80 duration=22 sent=144 rcvd=120

FTP Port Updating

FTP connections may require some additional negotiation for the opening connection. During this exchange, the port may be updated (but this will only be logged if you have also selected to log opening connections). The initial opening port is logged as port 0 until the actual connection port is determined, and an updated port is logged. This occurs for both tunneled (NAT) and pass-through connections.

Pass-through filter accepting FTP appears as:

Mar 4 21:06:44 pri=5 msg="Open outbound, pass through" proto=1988/tcp src= srcport=0 dst= dstport=1988 rule=1
Mar 4 21:06:44 pri=5 msg="Update outbound, pass through" proto=1988/tcp src= srcport=20 dst= dstport=1988 rule=1

NAT tunnel accepting FTP appears as:
Mar 4 21:14:43 pri=5 msg="Open inbound, NAT" proto=54834/tcp src= srcport=0 nat= natport=54834 dst= dstport=54834 rule=1
Mar 4 21:14:43 pri=5 msg="Update inbound, NAT" proto=54834/tcp src= srcport=2053 nat= natport=54834 dst= dstport=54834 rule=1

Permitted Outbound Connection

When an authorized outbound connection is made, two possible log messages can be generated. By default, one is created only when the session is closed. To generate a log message when an outbound session is created, enable the TUNNEL CLOSES field in Preferences under Filters (enabled by default). The log messages for a permitted outbound request are almost identical for an open and a close message, except that the close message contains connection information such as duration, packets sent/received, and bytes transmitted. An outbound request can be identified by the direction the arrows are pointing in the log file: left for inbound and right for outbound. The IP address/port pairs in the log message detail the route of the packet. The example below shows an outbound request from the protected network to a web server on the Internet. There is no explicit tag in the log message indicating that the packet was permitted, since the permitted type of log message indicates this implicitly.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Open outbound NAT" proto=http src= srcport=1683 nat= natport=1683 dst= dstport=80 rule=2
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Allow outgoing NAT" cat_action=pass dstname= proto=http src= srcport=1684 nat= natport=1684 dst= dstport=80 rule=2 op=get arg=/img/privacy_txt.gif duration=50 sent=777 rcvd=9657

Remote Access Filters

To allow a connection to the firewall, two components are required: permission and routing rules. Remote access filters create permission for inbound connections.

Default (No rules in place)
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=raf flt_action=block msg="Block RAF" proto=23/tcp src= srcport=1900 dst= dstport=23 interface=fxp0 flags=0x2

Match Rule To Block
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=raf flt_action=block msg="Block RAF (25)" rule=25 proto=23/tcp src= srcport=1877 dst= dstport=23 interface=fxp0 attribute="alarm" flags=0x2

Outbound Filters

To allow a connection to the firewall, two components are required: permission and routing rules. Outbound filters create permission for outbound connections.

Default (No rules in place)
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=obf flt_action=block msg="Block OBF" proto=80/tcp src= srcport=1755 dst= dstport=80 interface=fxp2 flags=0x2

Match Rule To Block
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=obf flt_action=block msg="Block OBF (2)" rule=2 proto=80/tcp src= srcport=1842 dst= dstport=80 interface=fxp2 flags=0x2

Network Address Translation (NAT)

Permitted inbound and outbound connections can be routed in different ways, one of which is with a NAT tunnel. Connections made using NAT can be of any type, including TCP/IP (with HTTP, FTP, etc.), ICMP, or UDP connections.

HTML Sessions

Open (Open is usually not logged; debug aid)
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Open outbound NAT" proto=http src= srcport=1569 nat= natport

Close
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Accept outgoing NAT" cat_action=pass dstname= proto=http src= srcport=1569 nat= natport=1569 dst= dstport=80 rule=2 op=get arg=/media/gb-group.jpg duration=47 sent=547 rcvd=340

Outbound ICMP

Open
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Open outbound NAT" proto=icmp src= srcport=3 nat= natport=3 dst= dstport=3 rule=2

Close
Aug 30 11:19:46 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Close outbound NAT" proto=icmp src= srcport=3 nat= natport=3 dst= dstport=3 rule=2 duration=70 sent=3240 rcvd=3240

Outbound UDP

Open
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Open outbound NAT" proto=53/udp src= srcport=1035 nat= natport=1035 dst= dstport=53 rule=1

Close
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Close outbound NAT" proto=22/tcp src= srcport=1025 nat= natport=1025 dst= dstport=22 rule=2 duration=176 sent=847 rcvd=788

Outbound TCP

Open
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Open outbound NAT" proto=22/tcp src= srcport=1026 nat= natport=1026 dst= dstport=22 rule=2

Close
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Close outbound NAT" proto=22/tcp src= srcport=1025 nat= natport=1025 dst= dstport=22 rule=2 duration=176 sent=847 rcvd=788

Pass Through (No NAT)

Permitted inbound and outbound connections can be routed in different ways, one of which is with a pass-through filter (which bypasses NAT). Connections made using IP pass-through can be of any type, including TCP/IP (with HTTP, FTP, etc.), ICMP, or UDP connections.

Open
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Open outbound pass through" proto=23/tcp src= srcport=1027 dst= dstport=23

Close
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="GNAT-Box" pri=5 msg="Close outbound pass through" proto=23/tcp src= srcport=1027 dst= dstport=23 duration=89 sent=444 rcvd=400

Inbound Pass Through Filter Block

Default (No rules in place)
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=ptf flt_action=block msg="Block PTF" proto=23/tcp src= srcport=1030 dst= dstport=23 interface=fxp2 flags=0x2

Match Rule To Block
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=ptf flt_action=block msg="Block PTF (1)" rule=1 proto=23/tcp src= srcport=1031 dst= dstport=23 interface=fxp2 flags=0x2

Outbound Pass Through Filter Block

Default (No rules in place)
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=ptf flt_action=block msg="Block PTF" proto=23/tcp src= srcport=1028 dst= dstport=23 interface=fxp0 flags=0x2

Match Rule To Block
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=ptf flt_action=block msg="Block PTF (1)" rule=1 proto=23/tcp src= srcport=1029 dst= dstport=23 interface=fxp0 flags=0x2
Inbound/Outbound Security Policy Violation

When an unauthorized connection request is attempted, a log message is generated that shows that the attempt was blocked. If the packet source is from the Internet (unprotected side), then a remote access filter will be the cause of the connection refusal. In the log message this is indicated by the FILTER and RAF tags along with, in parentheses, the number of the remote access filter which blocked the connection, followed by the word block. The log message also includes the priority level, protocol, source IP, source port, destination IP, destination port, network interface, packet length and TCP flags if appropriate.

When an outbound connection (from the protected or PSN network) is blocked, a message is generated indicating that an outbound filter caused the connection refusal. This type of log message is identical to the unauthorized inbound message except that the tag OBF is used to indicate that an outbound filter rule initiated the message.

Blocked Attempt to Connect Inbound on UDP Port
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=raf flt_action=block msg="Block RAF (20)" rule=20 proto=53/udp src= srcport=2554 dst= dstport=53 interface=ppp0 attribute="alarm"

Blocked Access Attempt

The log message below shows a blocked attempt from the protected network to access a web server on the Internet. Note that no specific filter rule (indicated by "default") caused the block; rather, the implicit rule (that which is not explicitly allowed is denied) was applied.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=obf flt_action=block msg="Block OBF" proto=80/tcp src= srcport=1728 dst= dstport=80 interface=sis0 flags=0x2

Unauthorized Firewall Access Attempts

If the firewall is operating in the default NAT mode, all inbound requests must be directed to a firewall tunnel; by definition of NAT, hosts on the protected/PSN interfaces are not otherwise visible to the external network. Any failure to satisfy a legitimate tunnel is considered an unauthorized access attempt. This is not the same as unauthorized access attempts using the firewall administrative interfaces: all administrative access (successful or unsuccessful) from any of the three user interfaces (GBAdmin, web interface and console) is logged regardless.

GBAdmin (RMC)

Accepts Connection
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="RMC: Accepted connection" type=mgmt src= srcport=1745 dst= dstport=77

Successful Access

When a successful access attempt is made from GBAdmin, a log entry is created. The entry includes the tag RMC, indicating use of the GBAdmin remote management client. A message indicating a successful login, along with the IP address of the remote management client computer, is included.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="RMC: Administration login successful." type=mgmt src= srcport=1745 dst= dstport=77 duration=17

Unsuccessful Access

When an unsuccessful access attempt is made from GBAdmin, a log entry is created. The log entry includes the RMC tag, a message indicating a login failure occurred, the user ID and the IP address of the remote management client system.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="GNAT-Box" pri=4 msg="RMC: Login failure for user admin" type=mgmt src= srcport=1745 dst= dstport=77 duration=6

Web Interface

Successful Access

When a successful access attempt is made from the web interface, a log entry is created for the first access. Since HTTP is stateless, each subsequent access from the same authenticated host is not logged (although it is automatically authenticated). Once an hour, however, a successful access entry is added to the log if the same HTTP session is still in existence. A successful log message for a web interface administrative access includes the tag WWWadmin, a message indicating remote administration access, and the IP address of the client's computer.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="WWWadmin: Remote administration access." type=mgmt src= srcport=1107 dst= dstport=443

Unsuccessful Access

When an unsuccessful access attempt is made from the web interface, a log message is generated. The message includes the tag WWWadmin and a message indicating a failed remote administrative access attempt, along with the IP address of the client's host system.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="WWWadmin: Password verification failure." type=mgmt src= srcport=1812 dst= dstport=443 duration=1

Console

Successful Access

When a successful access attempt is made from the console, a log message is generated. The message includes the tag cci (console command interface) and a message indicating a successful administrative access.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="cci: Successful administration login." type=mgmt

Unsuccessful Access

When an unsuccessful access attempt is made from the console, a log message is generated. The message includes the tag cci and a message indicating a failed access attempt.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="cci: Password verification failure." type=mgmt

Attempts to Compromise Remote Admin Ports

To allow remote management of the firewall over a network, the TCP/UDP ports used for administration must be able to accept connections. Because these network ports are accessible, they can be susceptible to unauthorized access attempts. The firewall administrator should restrict access to only those networks where remote administration is required.

GBAdmin Compromise

The log message has an RMC tag, indicating that this log message is associated with GBAdmin access. In the example below a TCP connection is accepted on the RMC port (default is TCP port 77) from a remote host. The second message of the group is generated when the remote host was unable to generate a key, which indicates that the remote management software (GBAdmin) was not running on the remote host. The final message indicates the connection was closed.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="RMC: Accepted connection" type=mgmt src= srcport=1510 dst= dstport=77
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=3 msg="RMC: Unable to negotiate key." type=mgmt src= srcport=1510 dst= dstport=77 duration=23
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="RMC: Close connection" type=mgmt src= srcport=1510 dst= dstport=77 duration=23

Web Interface Compromise

Remote management using a web browser normally uses an SSL connection. (Although the web interface can be configured to operate without SSL encryption, this can compromise your security and is not recommended.) In the example below, the WWWadmin tag indicates that the message is associated with web interface remote administration access. The first message indicates that a remote host connected to the firewall on the web interface port (by default 443 for SSL or 80 for non-SSL). The next message indicates that the connection was rejected as a key could not be negotiated. This could indicate that SSL was not running, or that an attempt to compromise the firewall was made via the web interface.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="WWWadmin: Remote administration access." type=mgmt src= srcport=1028 dst= dstport=443
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="WWWadmin: Unable to establish SSL session" type=mgmt src= srcport=1028 dst= dstport=443 duration=2

Ping Flood/DoS Attack

ICMP Limiting
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="FILTER: Limiting ICMP ping responses from 149 to 100 packets per second." type=mgmt

TCP SYN Flood

Excessive TCP SYN signals, indicative of a SYN flood attack, may be blocked and logged according to preferences. The key identifier for this kind of message is Blocking TCP SYN flood attack.

Jan 1 00:02:04 pri=4 msg="kernel: Blocking TCP SYN flood attack (4416)" type=mgmt

Spoof Message

In this example, a packet is arriving on fxp0 (the protected network interface) destined for the external network. The protected network consists of only /24. Therefore, the packet is considered a spoof, since it should be arriving on the external interface (fxp1).

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=default flt_action=block msg="Possible spoof, return interface fxp1 doesn't match arrival interface" proto=138/udp src= srcport=138 dst= dstport=138 interface=fxp0 attribute="bcast"

Door Knob Twist

Connect to Closed Port
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=3 flt_type=default msg="Connect to closed port" proto=23/tcp src= srcport=1036 dst= dstport=23 interface=fxp0 flags=0x2
Invalid Packets
Mar 4 21:06:44 firewall.example.com FILTER: Rejecting invalid packet: warning TCP [ :0]->[ :0] fxp0 l=20 f=0x0

FTP Bounce
For this attack type, the FTP session is immediately dropped and all successive connections are denied as unexpected.

Mar 4 21:06:44 pri=4 msg="FTP: illegal access attempt ( ) inbound, pass through" proto=21/tcp src= srcport=32876 dst= dstport=21 rule=1
Mar 4 21:06:45 pri=4 flt_action=block count=1 msg="Packet unexpected" proto=21/tcp src= srcport=32876 dst= dstport=21 interface=sis1 flags=0x18

Content Filtering (HTTP Proxy)
On GTA firewalls that support content filtering, two different URL proxy mechanisms are used: traditional proxy and transparent proxy. When the traditional proxy is used, each user must configure their browser to use a proxy (the IP address is that of the protected network interface of the firewall). The transparent proxy requires no configuration of the user's browser.

Persistent (secondary) web connections will be logged.

Mar 4 21:06:44 pri=5 msg="Accept persistent outbound, NAT" cat_action=pass cat_site="Reference" dstname= proto=http src= srcport=1043 nat= natport=1043 dst= dstport=80 rule=5 duration=0 sent=633 rcvd=400 pkts_sent=2 pkts_rcvd=1 op=get arg=/images/example.gif

Unknown HTTP commands being transmitted over HTTP ports (such as tunnels for non-HTTP protocols such as AIM) may be blocked. The key identifier for this type of message is op=unknown.

Mar 4 21:06:44 pri=4 msg="Block outbound, NAT" cat_action=block dstname= proto=80/tcp src= srcport=1688 nat= natport=1688 dst= dstport=80 rule=1 duration=22 sent=138 rcvd=94 pkts_sent=3 pkts_rcvd=2 op=unknown

Transparent Proxy

Accept
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Allow outgoing NAT" cat_action=pass dstname= cat_site="Information Technology/Computers" proto=http src= srcport=1439 nat= natport=1439 dst= dstport=80 rule=2 op=get arg=/ duration=43 sent=2701 rcvd=1141

Block
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="Block outgoing NAT" cat_action=block dstname= cat_site="Pornography" proto=http src= srcport=1454 nat= natport=1454 dst= dstport=80 rule=2 op=get arg=/ duration=25 sent=666 rcvd=44

Traditional Proxy

Accept
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Proxy" cat_action=pass proto=http src= dst= cat_site="Information Technology/Computers" op=get dstname= arg=/generateditems/csscriptlib.js

Block
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="Proxy" cat_action=block proto=http src= dst= cat_site="Pornography" op=get dstname=www.playboy.com arg=/

Attempt to Use Proxy Without Filter Enabled
(Default proxy port: TCP 2784.)

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 flt_type=raf flt_action=block msg="Block RAF (25)" rule=25 proto=2784/tcp src= srcport=1521 dst= dstport=2784 interface=fxp0 attribute="alarm" flags=0x2

Surf Sentinel 2.0

Saving Content Filtering Preferences
Mar 4 21:06:44 pri=5 msg="proxywww: Surf Sentinel 2.0 successfully initialized" type=mgmt
Mar 4 21:06:44 pri=6 msg="proxywww: Listening at port" type=mgmt
Mar 4 21:06:44 pri=6 msg="proxywww: Reinitializing." type=mgmt
Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of URL Access Lists." type=mgmt src= srcport=2447 dst= dstport=443

Saving Content Filtering Access Control Lists
Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of URL Access Lists." type=mgmt src= srcport=2447 dst= dstport=443
Mar 4 21:06:44 pri=6 msg="proxywww: Reinitializing." type=mgmt
Saving Content Filtering Local Content Lists
Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of Local Content Lists." type=mgmt src= srcport=2460 dst= dstport=443
Mar 4 21:06:44 pri=6 msg="proxywww: Reinitializing." type=mgmt

Block Message
Mar 4 21:06:44 pri=4 msg="Block outbound, NAT" cat_action=block cat_site="Adult/Sexually Explicit" dstname= proto=http src= srcport=2399 nat= natport=2399 dst= dstport=80 rule=2 duration=22 sent=676 rcvd=44 pkts_sent=3 pkts_rcvd=1 op=get arg=/

Accept Message
Mar 4 21:06:44 pri=5 msg="Accept outbound, NAT" cat_action=pass cat_site="Games" dstname=1118.ign.com proto=http src= srcport=1813 nat= natport=1813 dst= dstport=80 rule=2 duration=22 sent=1279 rcvd=450 pkts_sent=5 pkts_rcvd=5 op=get arg=/event-ng/type

Mail Sentinel (E-mail Proxy)

Delivered
Mar 4 21:06:44 pri=5 msg="SMTP: Close" smtp_action=pass virus="none found" spam=unknown,2 rule=5 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=4711 dst= dstport=25 duration=2 sent=136 rcvd=1709

Rejected Due to Source or Destination of ACL
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=6 proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=34813 dst= dstport=25 duration=2 sent=42 rcvd=67

Rejected Due to Exhaustion of ACLs (Reject by Default If No Match Is Found)
Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=0 proto=smtp user="user@example.net" srcuser="[email protected]" src= srcport=2107 dst= dstport=25 duration=13 sent=70 rcvd=68

Rejected Due to Reverse DNS
Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (RDNS)" smtp_action=block rule=1 proto=smtp user="user@example.com" srcuser="[email protected]" src= srcport=1696 dst= dstport=25 duration=10 sent=74 rcvd=60

Rejected Due to MAPS
Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (MAPS list.dsbl.org)" smtp_action=block rule=2 proto=smtp user="[email protected],[email protected]" srcuser="[email protected]" src= srcport=2327 dst= dstport=25 duration=4 sent=111 rcvd=107

Rejected Due to Invalid Recipient
Mar 4 21:06:44 pri=4 msg="SMTP: Server returned, 550 Invalid recipient <[email protected]>" type=mgmt proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=4599 dst= dstport=25 duration=5

If there is no spam or virus scanning enabled for that e-mail, you may see that message paired with one for an incomplete SMTP connection. This message occurs when the data is stopped during transmission: the internal server may have determined that an account does not exist, causing the Mail Sentinel proxy to terminate the SMTP data reception.

Connection Incomplete
Mar 4 21:06:44 pri=4 msg="SMTP: Incomplete" smtp_action=block virus="not found" spam=confirmed,96 rule=8 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=4599 dst= dstport=25 duration=5 sent=214 rcvd=2765

Confirmed Spam by Mail Sentinel Anti-Spam but Delivered
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="none found" spam=confirmed,99 rule=5 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=3260 dst= dstport=25 duration=4 sent=110 rcvd=3396

Confirmed Spam by Mail Sentinel Anti-Spam and Quarantined
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=quarantine virus="none found" spam=confirmed,98 rule=3 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=4282 dst= dstport=25 duration=2 sent=110 rcvd=3549

Virus Found by Mail Sentinel Anti-Virus and Cured Then Delivered
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=block virus="cured, I-Worm.Bagle.au" spam=unknown,50 rule=5 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=4124 dst= dstport=25 duration=83 sent=82 rcvd=

Virus Found by Mail Sentinel Anti-Virus but Delivered
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="I-Worm.Bagle.as" spam=unknown,64 rule=5 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=3364 dst= dstport=25 duration=10 sent=82 rcvd=31669
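The administrative-access messages (the cci, RMC and WWWadmin examples under Attempts to Compromise Remote Admin Ports above) and the Mail Sentinel SMTP messages share one key=value layout, so a single small parser serves both. The following Python is an added example for this guide and is not GTA software. It assumes a syslog collector has the lines available as text, uses constructed sample lines whose addresses are made up from the documentation ranges (the guide's copies omit them), and reports sources with repeated failed administrative connections together with a tally of SMTP dispositions:

```python
"""Parse GB-OS key=value log lines and summarise administrative-access
failures and Mail Sentinel dispositions.

Added example for this guide; it is not GTA code. The sample lines are
constructed from the Appendix B formats, with made-up addresses from the
RFC 5737 documentation ranges because the guide's copies omit them.
"""
import re
from collections import Counter

# key=value pair: the value is either double-quoted (may contain spaces)
# or a bare token running to the next space; 'src=' with nothing after
# it yields an empty string.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S*)')

# Message prefixes meaning an administrative connection was made but never
# became an authenticated session (taken from the Appendix B examples).
ADMIN_FAILURE_MSGS = (
    "cci: Password verification failure.",
    "RMC: Unable to negotiate key.",
    "WWWadmin: Unable to establish SSL session",
    "RMCauth: Authentication failure for",
)

SAMPLE_LOG = [  # constructed sample lines
    'Mar 4 21:06:44 firewall.example.com id=firewall fw="firewall" pri=5 msg="cci: Successful administration login." type=mgmt',
    'Mar 4 21:06:50 firewall.example.com id=firewall fw="firewall" pri=4 msg="cci: Password verification failure." type=mgmt',
    'Mar 4 21:07:01 firewall.example.com id=firewall fw="firewall" pri=5 msg="RMC: Accepted connection" type=mgmt src=203.0.113.9 srcport=1510 dst=192.0.2.1 dstport=77',
    'Mar 4 21:07:24 firewall.example.com id=firewall fw="firewall" pri=3 msg="RMC: Unable to negotiate key." type=mgmt src=203.0.113.9 srcport=1510 dst=192.0.2.1 dstport=77 duration=23',
    'Mar 4 21:07:50 firewall.example.com id=firewall fw="firewall" pri=3 msg="RMC: Unable to negotiate key." type=mgmt src=203.0.113.9 srcport=1511 dst=192.0.2.1 dstport=77 duration=21',
    'Mar 4 21:08:02 firewall.example.com id=firewall fw="firewall" pri=4 msg="WWWadmin: Unable to establish SSL session" type=mgmt src=203.0.113.9 srcport=1028 dst=192.0.2.1 dstport=443 duration=2',
    'Mar 4 21:08:05 firewall.example.com id=firewall fw="firewall" pri=4 msg="WWWadmin: Unable to establish SSL session" type=mgmt src=198.51.100.7 srcport=1029 dst=192.0.2.1 dstport=443 duration=2',
    'Mar 4 21:09:00 pri=5 msg="SMTP: Close" smtp_action=pass virus="none found" spam=unknown,2 rule=5 server=192.0.2.25 proto=smtp user="user@example.com" srcuser="sender@example.net" src=203.0.113.40 srcport=4711 dst=192.0.2.1 dstport=25 duration=2 sent=136 rcvd=1709',
    'Mar 4 21:09:10 pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=6 proto=smtp user="user@example.com" srcuser="sender@example.org" src=203.0.113.41 srcport=34813 dst=192.0.2.1 dstport=25 duration=2 sent=42 rcvd=67',
    'Mar 4 21:09:20 pri=4 msg="SMTP: Close" smtp_action=pass virus="none found" spam=confirmed,99 rule=5 server=192.0.2.25 proto=smtp user="user@example.com" srcuser="bulk@example.org" src=203.0.113.42 srcport=3260 dst=192.0.2.1 dstport=25 duration=4 sent=110 rcvd=3396',
    'Mar 4 21:09:30 pri=4 msg="SMTP: Close" smtp_action=quarantine virus="I-Worm.NetSky.q" spam=confirmed,98 rule=5 server=192.0.2.25 proto=smtp user="user@example.com" srcuser="x@example.org" src=203.0.113.43 srcport=4272 dst=192.0.2.1 dstport=25 duration=5 sent=110 rcvd=26436',
    'Mar 4 21:09:40 pri=4 msg="SMTP: Close" smtp_action=block virus="cured, I-Worm.Bagle.au" spam=unknown,50 rule=5 server=192.0.2.25 proto=smtp user="user@example.com" srcuser="y@example.org" src=203.0.113.44 srcport=4124 dst=192.0.2.1 dstport=25 duration=83 sent=82 rcvd=26436',
]


def parse_line(line):
    """Return one log line as a dict of its key=value fields; the text before
    the first field (timestamp, host name) is kept under '_prefix'."""
    matches = list(_KV.finditer(line))
    prefix = line[: matches[0].start()] if matches else line
    fields = {"_prefix": prefix.strip()}
    for m in matches:
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def admin_failures(lines, threshold=3):
    """Count failed administrative-access attempts per source address and
    return {src: count} for sources at or above `threshold`; lines with no
    src field (console logins) are grouped under '<unknown>'."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if "mgmt" not in f.get("type", ""):
            continue
        if f.get("msg", "").startswith(ADMIN_FAILURE_MSGS):
            counts[f.get("src") or "<unknown>"] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def smtp_summary(lines):
    """Tally Mail Sentinel dispositions: count per smtp_action, named viruses
    (with the 'cured, ' marker stripped) and confirmed spam that was still
    passed to the internal server."""
    actions, viruses, spam_delivered = Counter(), Counter(), 0
    for line in lines:
        f = parse_line(line)
        if f.get("proto") != "smtp" or "smtp_action" not in f:
            continue
        actions[f["smtp_action"]] += 1
        virus = f.get("virus", "")
        if virus and virus not in ("none found", "not found"):
            viruses[virus.replace("cured, ", "")] += 1
        if f["smtp_action"] == "pass" and f.get("spam", "").startswith("confirmed"):
            spam_delivered += 1
    return {"actions": actions, "viruses": viruses, "spam_delivered": spam_delivered}


if __name__ == "__main__":
    print("admin failures:", admin_failures(SAMPLE_LOG))
    print("smtp summary:", smtp_summary(SAMPLE_LOG))
```

The regular expression treats a double-quoted value as one token, so msg strings containing spaces survive intact. The threshold of three is arbitrary; in practice it should be set against the management networks that the remote access filters actually allow, and any source outside those networks deserves attention even at one failure.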
Virus Found by Mail Sentinel Anti-Virus and Quarantined
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action="quarantine" virus="I-Worm.NetSky.q" spam=confirmed,98 rule=5 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=4272 dst= dstport=25 duration=5 sent=110 rcvd=

Virus Found by Mail Sentinel Anti-Virus and Rejected
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=block virus="I-Worm.Bagle.au" spam=unknown,50 rule=5 server= proto=smtp user="[email protected]" srcuser="[email protected]" src= srcport=4124 dst= dstport=25 duration=83 sent=82 rcvd=26436

Maximum Count of Threads Exceeded
Mar 4 21:06:44 pri=3 msg="SMTP: Maximum number of threads exceeded" type=mgmt proto=smtp

E-mail Headers
E-mail headers, often invisible to a user unless they view the source or view the message as plain text, contain information about delivery and processing. The Mail Sentinel proxy adds additional SMTP X-headers to processed e-mail. These headers can help diagnostic or tracking processes. Some X-headers specifically track events of an e-mail proxy that has enabled Mail Sentinel options. The GB prefix shows that the header was appended by a receiving GB-OS firewall. Headers can include:

X-GB-Received: from domain.example.com ( ) by firewall.example.com (3.6.0)
Lists the host that the e-mail originated from, followed by the host name and IP address of the receiving firewall.

X-GB-From: [email protected]
Lists the address of the sender. (The originating domain and the domain in the sender's e-mail address are not necessarily the same.)

X-GB-To: [email protected]
Lists the address of the intended recipient. If an e-mail has been cleared from quarantine, this header allows the e-mail to be sent on to its final destination.

X-GB-Mail-Format-Warning: Bad RFC2822 line length
Describes a badly-formatted e-mail.

X-GB-Rule: 5
Lists the proxy ACL that was matched.

X-GB-AS
Lists the spam category assigned to the e-mail (e.g. Confirmed or Suspect) and the score that caused the categorization. May describe any error conditions that occurred during Mail Sentinel Anti-Spam processing, causing it to not process the e-mail. These errors can include an expired Mail Sentinel Anti-Spam license or inability to contact the Mail Sentinel Anti-Spam license server.

X-GB-AS-Summary
Contains the Mail Sentinel Anti-Spam engine processing summary.

X-GB-AV
Lists any viruses found; if they could be removed from the e-mail, it will also say cured. May describe any error conditions that occurred during Mail Sentinel Anti-Virus processing, causing it to not process the e-mail. These errors can include an expired Mail Sentinel Anti-Virus license or inability to contact the Mail Sentinel Anti-Virus license server.

X-GB-Quarantined
Lists the address that a quarantined e-mail was sent to.

For ease of identification, GTA recommends that the host name be a fully qualified domain name (FQDN), as in the example above. The firewall host name is entered in the HOST NAME field of the Basic Configuration/Network Information section.

Virtual Private Network (VPN)

Number Of Allowed Mobile Users
This example shows the log messages generated when the IKE server starts up. This occurs when the system boots or after saving VPN sections. The license message indicates the number of allowed concurrent mobile users.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="WWWadmin: Starting IKE server." type=mgmt src= srcport=2206 dst= dstport=80 duration=2
Mar 4 21:06:44 firewall.example.com id=firewall time= :12:18 fw="ipsec" pri=5 msg="Licensed for 100 mobile client connections." type=mgmt,vpn

Successful VPN Connection
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="IPsec-SA established" type=mgmt,vpn src= dst=
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="IPsec-SA established" type=mgmt,vpn src= dst=

Successful Mobile User Connection
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="IPsec-SA established" type=mgmt,vpn src= dst=
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="IPsec-SA established" type=mgmt,vpn src= dst=

Authentication from a Mobile User
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="RMCauth: Accepted connection" type=mgmt src= srcport=2170 dst= dstport=76
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=6 msg="RMCauth: Authentication successful for [email protected]." type=mgmt src= srcport=2170 dst= dstport=76 duration=4

Failed Authentication Attempt
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="RMCauth: Accepted connection" type=mgmt src= srcport=2197 dst= dstport=76
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="RMCauth: Authentication failure for [email protected]." type=mgmt src= srcport=2197 dst= dstport=76 duration=4

Unable to Acquire License
The user has already logged in from a different IP address, so the license is unavailable.

Feb 18 07:04:56 pri=4 msg="Unable to aquire license, access for [email protected] denied." type=mgmt,vpn src= dst=

Example Of Expiring And Renewing
VPN phases occasionally expire and renew themselves to prevent attacks using compromised keys.

Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="ipsec" pri=5 msg="IPsec-SA established" type=mgmt,vpn src= dst=
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="ipsec" pri=5 msg="IPsec-SA established" type=mgmt,vpn src= dst=
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="ipsec" pri=5 msg="IPsec-SA expired" type=mgmt,vpn src= dst=
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="ipsec" pri=5 msg="IPsec-SA expired" type=mgmt,vpn src= dst=

Authentication
Log messages for authenticated users and active hosts.

Remote Access Filter Allowed Authentication
Mar 4 21:06:44 pri=5 msg="Open inbound, NAT tunnel" proto=smtp src= srcport=1753 user="Nick" nat= natport=25 dnat= dnatport=1753 dst= dstport=25 rule=1

Authentication Successful
Mar 4 21:06:44 pri=6 msg="RMCauth: Allow [email protected], authentication successful." type=mgmt src= srcport=3630 dst= dstport=76 duration=7
Jun 13 11:06:52 pri=5 msg="AUTH: Assign , to Mary" type=mgmt
Jun 13 11:06:46 pri=5 msg="RMCauth: Accepted connection" type=mgmt src= srcport=3630 dst= dstport=76 duration=1

Authentication Closed
Mar 4 21:06:44 pri=5 msg="RMCauth: Close connection" type=mgmt src= srcport=3630 dst= dstport=76 duration=675
Jun 13 11:18:00 pri=5 msg="AUTH: Release , from Mary" type=mgmt

Released User
The user must authenticate again to gain access to restricted areas.

Mar 4 21:06:44 pri=5 msg="USER: Release , from Nick" type=mgmt

Authenticated User Denied Due to Closed Connection
Mar 4 21:06:44 pri=5 msg="RMCauth: Close connection" type=mgmt src= srcport=3569 dst= dstport=76 duration=17
Jun 13 11:04:38 pri=4 msg="RMCauth: Deny [email protected], authentication failure." type=mgmt src= srcport=3569 dst= dstport=76 duration=16
Jun 13 11:04:22 pri=5 msg="RMCauth: Accepted connection" type=mgmt src= srcport=3569 dst= dstport=76

Authentication Denied Due to Old GBAuth Version
Mar 4 21:06:44 pri=3 msg="RMCauth: command authloginget (400) rejected, incorrect size." type=mgmt src= srcport=4192 dst= dstport=76

Authentication Denied Due to Remote Access Filter
Mar 4 21:06:44 pri=4 flt_type=raf flt_action=block msg="Rejecting unathenticated access (1)" rule=1 proto=25/tcp src= srcport=1700 dst= dstport=25 interface=sis1 flags=0x2

Mobile VPN Denied Without Authentication
Mar 4 21:06:44 pri=4 msg="Authentication needed, access for [email protected] denied." type=mgmt,vpn src= dst=

Tunnel Access after Authentication
Mar 4 21:06:44 pri=5 msg="Open inbound, NAT tunnel" proto=smtp src= srcport=1806 user="Nick" nat= natport=25 dnat= dnatport=1806 dst= dstport=25 rule=1

Automatic Filters

Automatic Accept
All filters can be logged by activating Automatic Filter logging in Filter Preferences. When activated, automatic filters will be recorded in the Active Filters table of the System Activity section.

Mar 4 21:06:44 firewall.example.com FILTER: ATF (5) accept - notice ICMP [ :3]->[ :3] fxp0 l=32 f=0x3.

Active Host
Mar 4 21:06:44 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname= proto=http src= srcport=1658 nat= natport=1658 dst= dstport=80 rule=2 duration=349 sent=2480 rcvd=11842 pkts_sent=18 pkts_rcvd=17 op=get arg=/util/css/eweek.css
Mar 4 21:06:44 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname= proto=http src= srcport=1657 nat= natport=1657 dst= dstport=80 rule=2 duration=334 sent=2709 rcvd=24433 pkts_sent=24 pkts_rcvd=25 op=get arg=/print_article/0,3668,a

Access Control List with Surf Sentinel 2.0

Allowed
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=5 msg="Accept outbound NAT" cat_action=pass cat_site="Web Communications" dstname= proto=http src= srcport=2661 nat= natport=2661 dst= dstport=80 rule=2 duration=23 sent=536 rcvd=537 pkts_sent=6 pkts_rcvd=5 op=get arg=/ads1/images/digits/n7.gif

Local Content List

Denied
Mar 4 21:06:44 firewall.example.com id=firewall time= :06:44 fw="firewall" pri=4 msg="Block outbound NAT" cat_action=block cat_site="Local Deny" dstname=ad.doublclk.net proto=http src= srcport=4991 nat= natport=4991 dst= dstport=80 rule=2 duration=22 sent=861 rcvd=60 pkts_sent=3 pkts_rcvd=1 op=get arg=/adi/caranddriver.lana.com/kw=;;ord=

Saving GB-Commander on Firewall
Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of GBC." type=mgmt src= srcport=2759 dst= dstport=443
Mar 4 21:06:44 pri=6 msg="gblogd: Reinitializing." type=mgmt
Mar 4 21:06:44 pri=5 msg="GBC: Connected to server successfully" type=mgmt src= srcport=2268 dst= dstport=76
Mar 4 21:06:44 pri=5 msg="GBC: Already connected to server" type=mgmt src= srcport=2267 dst= dstport=76

Exceeding the Count of Licensed Users

Maximum Firewall Users
Mar 4 21:06:44 pri=3 msg="NAT: Max of 25 simultaneous hosts reached ( denied)." type=mgmt

Maximum Surf Sentinel 2.0 Users
Mar 4 21:06:44 pri=4 msg="proxywww: Surf Sentinel 2.0 host licenses reached (25), denied." type=mgmt
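The X-GB headers described under E-mail Headers above can be read off a delivered or quarantined message to reconstruct what Mail Sentinel decided about it, and to confirm that the X-GB-Received header names the firewall FQDN you expect. The following Python is an added example for this guide and is not GTA code. Because the guide does not spell out the value formats, it assumes that X-GB-AS carries category,score in the same form as the spam= log field and that X-GB-AV carries the virus name with an optional "cured, " prefix like the virus= log field; the sample message and its addresses are constructed:

```python
"""Read the X-GB-* headers Mail Sentinel adds and derive a verdict.

Added example for this guide, not GTA code. The X-GB-AS and X-GB-AV value
formats are assumed to mirror the spam= and virus= fields of the SMTP log
lines; the sample message, addresses and firewall name are constructed.
"""
from email import message_from_string

# Constructed sample: a message that passed through a GB-OS firewall, was
# categorized as confirmed spam and carried a virus that the engine removed.
SAMPLE_MESSAGE = """\
X-GB-Received: from domain.example.com (203.0.113.5) by firewall.example.com (3.6.0)
X-GB-From: sender@example.net
X-GB-To: user@example.com
X-GB-Rule: 5
X-GB-AS: Confirmed,98
X-GB-AS-Summary: engine summary omitted in this sample
X-GB-AV: cured, I-Worm.Bagle.au
X-GB-Quarantined: quarantine@example.com
From: sender@example.net
To: user@example.com
Subject: constructed sample

body
"""


def gb_headers(raw):
    """Return the X-GB-* headers of a message as {name: value}."""
    msg = message_from_string(raw)
    return {k: v.strip() for k, v in msg.items() if k.lower().startswith("x-gb-")}


def parse_as(value):
    """'Confirmed,98' -> ('confirmed', 98). A value without a numeric score
    (for example a license error text) is returned unchanged with score None."""
    category, sep, score = value.partition(",")
    if sep and score.strip().isdigit():
        return category.strip().lower(), int(score)
    return value.strip(), None


def gb_verdict(raw, expected_fw="firewall.example.com"):
    """Summarise the Mail Sentinel decision recorded in the X-GB headers and
    check that the receiving firewall is the one we expect (by FQDN)."""
    hdrs = gb_headers(raw)
    received = hdrs.get("X-GB-Received", "")
    # "... by <fqdn> (<version>)" names the receiving firewall
    by = received.split(" by ", 1)[1].split(" ", 1)[0] if " by " in received else ""
    category, score = parse_as(hdrs.get("X-GB-AS", ""))
    av = hdrs.get("X-GB-AV", "")
    rule = hdrs.get("X-GB-Rule", "")
    return {
        "firewall": by,
        "firewall_ok": by == expected_fw,
        "rule": int(rule) if rule.isdigit() else None,
        "spam_category": category,
        "spam_score": score,
        "virus": av.replace("cured, ", "") if av else None,
        "cured": av.startswith("cured"),
        "quarantined": "X-GB-Quarantined" in hdrs,
        "quarantine_address": hdrs.get("X-GB-Quarantined"),
        "sender": hdrs.get("X-GB-From"),
        "recipient": hdrs.get("X-GB-To"),
    }


if __name__ == "__main__":
    for key, value in gb_verdict(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Only headers beginning with X-GB- are consulted, so a forged X-GB-AS header inserted by a sender before the firewall would be overwritten or accompanied by the firewall's own; when triaging, treat the firewall_ok flag and the X-GB-Received host as the authority on whether the firewall actually processed the message.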
Appendix C
User Interfaces

GB-OS includes two primary user interfaces: the web interface and GBAdmin. Both user interfaces provide comprehensive administrative access and browser-based Help. A third interface, the console, is primarily a fail-safe. It is used to reset a misconfigured firewall to default, to recover a GTA firewall, and for basic configuration. The console has limited functionality. See the Console Interface User's Guide for more information.

In this chapter, the web interface and GBAdmin are illustrated and described, including navigation, common keystrokes, tool bars, menu items and buttons. Features exclusive to each interface are explained. For initial configuration, use the product guide that came with your GTA firewall. Use the configuration and administration chapters of this guide to perform other basic and advanced configuration.

Web Interface

Features
- SSL encryption option
- Secure administration from any location connected to the Internet
- Intuitive browser-based user interface
- Platform-independent, compatible with most browsers and platforms
- Immediate modification as changes are saved to the firewall

Web Interface Access
The web interface is platform-independent and can be used on any frames-capable, SSL-compatible browser, including Internet Explorer, Netscape Navigator, Mozilla, Safari and Opera, running on platforms such as Windows, Unix and Macintosh. Incompatibilities are noted in guides and release notes.

By default, any host on the protected network interface is allowed access to the GTA Firewall web interface. The web interface can be disabled or set to a read-only mode in which no updates are allowed. If the web interface is disabled, web access to the firewall is blocked immediately. If both the web interface and GBAdmin (RMC) have been disabled, you must use the console locally to re-enable them.

By default, the firewall's web server operates on the standard SSL-encrypted port 443 or the non-SSL port 80. To change the port, first create a remote access filter that allows the new port, then assign the port number in the Remote Administration section.

Characteristics
- Changes take place immediately upon saving.
- Re-sizing the browser window will change the size of the main screen.
- Password authorization is persistent for a session.
- Removing the contents of form fields will delete the row when the SUBMIT button is clicked.
- The firewall contains a built-in web server that only serves the firewall's remote administration web pages; it cannot be used for other purposes.
- The factory default user ID and password are gnatbox.

How to Access the Web Interface
1. Start a frames-capable web browser.
2. Enter the IP address or host name of the firewall's protected network interface as a URL in the address/location entry field (e.g. https://[firewall address]/).
3. If your computer does not have an IP address on the same logical network as the firewall's protected network interface, you will need to adjust the remote access filter that controls access.
Caution: Firewall login persists until the user logs out and quits the browser application. To prevent unauthorized access, remember to log off the firewall and quit the browser application.

Navigation and Data Entry
The web interface uses HTML frames to subdivide the browser's display. The main parts of the web interface navigation screen are:
- GTA logo: link to Global Technology Associates' web site
- menu: access to all command functions
- main window: work area where data is entered and displayed

The web interface screen uses extensively labelled fields, check boxes, drop-down menus, dynamic menus, mouse clicks, the keyboard TAB and RETURN keys, and verification messages to supply information to the user.

Menus
The menu is the main navigation tool, and is displayed on the left side of the web browser window. The chapters of this guide follow the order of the web interface menu layout. Certain optional features within sections will not appear on your GTA Firewall until they have been activated using a feature activation code.

When selected, menu titles expand to reveal the items in a functional area. Click on the title again to collapse the revealed menu. An open menu has a - sign to the left of the menu, and a closed menu has a + sign. Click on a function within a section to display its configuration screen.

Two special functions are listed at the bottom of the menu. Log Off allows the administrator to disconnect from the current GTA firewall. Verify Configuration runs verification tests on the current system configuration and produces a report of the results.

Buttons and Fields
Screen buttons and fields allow the user to navigate, enter data and display information. Navigation buttons are the most common.

Button: Description
Reset: Return the screen to its previous state.
Submit: Submit entries made in the current function.
Copy: Copy filters or other items.
Paste: Paste copied items into a new screen.
Default: Make the configuration screen items conform to the default security policy for the current configuration.
Back: Go back to the previous screen without saving.
Save: Save this screen or item.
OK: Keep the current screen; this allows the material to be saved on the previous screen.

Buttons (arrows, add and check marks) appear wherever there are line items to add, delete or edit; see any of the filter sets for an example of these icons.

Filter Buttons
Button: Description
Up/Down Arrow: Add a line item (e.g. filter) above/below the selected item. Used where order is important.
Delete: Delete the selected line item.
Check Mark: Edit the selected line item.
Object Buttons
Button: Description
Add (+): Add a line item (e.g. filter) above/below the selected item. Used where order is not important.
Delete: Delete the selected line item. If there is a blank space in place of the delete button, the item cannot be deleted.
Check Mark: Edit the selected line item.

Specialized buttons serve a specific purpose in the screen in which they are used. These buttons are explained in each section where they are used.

Index numbers are non-editable fields containing rule evaluation order numbers (also called rule numbers).
[Figure: Index Column]

Check boxes are used to select/deselect items and functions. Read the field label carefully to learn whether selecting the check box will enable/turn on or disable/turn off the function. Some items cannot be changed; these are represented by a field with a YES/NO in place of the check box. In the example screen below, the WWW column is checked for both users, indicating that web interface administration is enabled for both users. The console column is marked with a Yes for the administrator user, meaning that only the administrator can make changes using the console, and that this cannot be disabled. The other user cannot access the firewall using the console, as indicated by a No in the field; this access cannot be enabled.
[Figure: Check Boxes]

Content Filtering has list selection screens which can be scrolled through using standard scroll bars. ARROW buttons move items from one list to another. A left-pointing arrow (<) moves the selected item from the list on the right to the list on the left. A right-pointing arrow (>) moves the selected item from the list on the left to the list on the right.
[Figure: Content Filtering Movement Buttons and Lists]

Miscellaneous boxes and fields allow the user to enter data by typing or by selecting an item from a drop-down menu. Data entry methods vary by the type of user interface element. Click on the arrow to open a drop-down menu, then click on an item to select it. Click on a data entry field and begin typing to enter data in a text field.
[Figure: Drop-down Menus (Activated, Not Activated); Text Field]

A field with three question marks (???) indicates an unknown value; the field requires information in order to be used in the configuration being attempted. A field that is greyed out cannot be edited. It is either unavailable in this configuration or is set by the system.

GBAdmin

Features
- Verification checks are performed as configuration changes are made, before saving to the loaded configuration.
- Configurations can be saved to a local file and opened in GBAdmin without saving the data to a running firewall. This allows using verification and configuration reports to adjust settings before committing a new configuration to a production firewall.
- Drop-down menus are customized according to the configuration information already saved to the configuration.
- Familiar Windows interface.
- Compact screens.
- Built-in copy and paste function using common keystrokes.

GBAdmin Access
GBAdmin is a Windows-only user interface that allows access from your computer; it can be used without network access by creating test configuration files on your computer. The program uses standard Windows commands and conventions. It requires a Windows computer with Internet Explorer version 5.0 or greater.

By default, any protected network host can use the GBAdmin interface to access the firewall. To restrict access, modify the default remote access filter that allows access to the GBAdmin port and IP address.

Characteristics
- GBAdmin data is not saved to the currently loaded configuration file, firewall or floppy disk until a configuration Save, a Save All Sections or a Save Current Section has been performed. Save Current Section saves only the data in the current function and is available when online (connected to a running firewall).
- Re-sizing GBAdmin's display will change the display of the main screen.
- Password authorization is persistent for a session.
- The default User ID and password are gnatbox.

How to Access GBAdmin
1. Click the GBAdmin icon on the desktop if one was created during installation; alternatively, open the Windows Start menu, select GTA GNAT Box and click the GBAdmin program icon.
2. Select Open under the File menu, click the NETWORK radio button and enter the IP address or host name of the firewall's protected network interface in the SERVER field (e.g. [firewall address]).
3. If your computer does not have an IP address on the same logical network as the firewall's protected network, you will need to adjust the remote access filter which controls GBAdmin access.

Caution: If GBAdmin is left running with a GTA firewall configuration loaded while you are away from your computer, an unauthorized user could gain access. To prevent unauthorized access, log off when you are not using your computer.

Navigation and Data Entry
GBAdmin uses a window browser to subdivide the display. The main parts of the GBAdmin navigation screen are:
- menu bar: access to all command functions, including a standard Windows File menu, a View menu and an Administration menu, as well as the Expert Mode selection under the Edit menu
- tool bar: quick access to GBAdmin's most-used features
- scrolling menu: access to configuration functions
- main window: data entry and display area
- lists: view of all entered data for the function in one screen

The GBAdmin interface consists of four basic parts within the standard window: the menu bar provides access to all sections and primary functions; the tool bar gives the user access to commonly used functions; the scrolling menu generally mirrors the web interface menu; and the work area displays firewall configuration items. The screen illustrated appears when GBAdmin is first accessed after login. It always opens displaying the Network Information screen.
[Figure: GBAdmin Starting View]

The runtime menu is unique to GBAdmin, and the administration menu is accessed from the menu bar. Selecting the PLUS (+) sign next to a scrolling menu title expands the menu to reveal the items in a functional area. Clicking the MINUS (-) sign collapses the revealed menu. In GBAdmin, clicking on a scrolling menu title displays an HTML version of the material available in this guide for that menu title.

Keyboard Shortcuts
Familiar Windows keyboard shortcuts are also used in GBAdmin: the arrow keys can be used to navigate menus; the TAB key can be used to navigate the fields in screens; and CONTROL+S, CONTROL+O, CONTROL+X, CONTROL+C, etc., all perform the usual Windows functions. Available keyboard alternates for menu items are listed in the menu bar menus.

Scrolling Menu
The scrolling menu is similar to the menu in the web interface. However, it does not contain the Administrative menu; it reports the runtime version in its own menu section; and it has several other minor variations mentioned in individual sections.
[Figure: Scrolling Menu]
To access the functions within the scrolling menu, click the PLUS (+) sign to the left of the section labels. To close the menu section, click the MINUS (-) sign that appears to the left of the label when the menu section is open. To use a function, click the function label or indicator dot.

Pop-up Verification Notes and Indicator Dots
GBAdmin provides instant verification for a configuration. If the configuration is not correct or complete, a pop-up verification note is shown. The notes appear in front of the section when the user hovers the mouse cursor over the section label. There are two kinds of note: warning (reporting a possible problem) and error (reporting a configuration problem that will prevent the operation of the firewall).
[Figure: Pop-up Verification]

Indicator dots (also called lights or buttons) give the user an instant impression of whether the section or function is configured correctly.

Menu Bar
The menu bar contains all the same functions as the scrolling menu, plus the Administration menu and many of the familiar Windows functions.
[Figure: Menu Bar]

Tool Bar
The tool bar contains GBAdmin's most common functions in a graphic icon format. Several of the tools are Windows tools used in the standard way; others are used for a purpose specific to GBAdmin. The illustration below shows the location, name and description of each of these tools.
[Figure: Tool Bar]

Pop-up Description Notes
Pop-up/mouse-over notes are a standard Windows feature. Use the mouse to hover the cursor over the object for which you would like a description.

Check Boxes, Lists and Tabs
Check boxes and other navigation items in GBAdmin are similar to their web interface counterparts. A special kind of selection button is the radio button: this is similar to a check box, but indicates that only one of the items can be selected at one time.
Appendix D: GB-OS Terms

This section defines terms used in GB-OS and its documentation. These terms, along with a collection of other relevant GB-OS and computer networking industry words, phrases and acronyms, are available in the GTA Glossary on the installation CD and on GTA's web site.

IP Packet

The basic unit of the TCP/IP protocol suite is the IP packet. The firewall generally operates at the IP packet level, although some facilities of the system also perform operations at the application or other levels. At the packet level, the firewall examines the IP header (source and destination IP address, IP protocol type and various control information) and, for TCP and UDP, the source and destination port numbers carried in the transport header that follows it. Normally, a firewall does not touch the data portion, or payload, of an IP packet. However, some application protocols embed IP addresses and ports in the payload, and this information often has to be interpreted (and rewritten) in the course of Network Address Translation (NAT). Support for such application protocols is what makes GTA's NAT more capable than plain NAT, which is blind to the application portion of the packet.

Stateful Packet Inspection

GTA's stateful packet inspection engine tracks the connection state of every session that passes through the firewall. An inbound packet is accepted only if its source and destination correspond to a previous outbound request; these expectations (the stateful information) are recorded in state tables.

Tunnels

In GB-OS, a tunnel makes a host with an internal, unroutable IP address reachable from an external network without exposing that address. Packets addressed to the tunnel's externally visible IP address and port are translated and delivered to the internal host; the external host sees only the tunnel's external IP address, and the internal destination address is never visible outside the firewall.
This allows a host on the external network or PSN to initiate a TCP, UDP or ICMP session with an otherwise inaccessible host on the PSN or protected network. Tunneling is done by mapping (providing a static route/NAT for) an internal IP address and port (service) to an externally visible target IP address and port (service). This mapping can be performed for all services (host-to-host tunneling) or, more typically, for a given service on a known port. Tunnels can be created to hosts on both the PSN and the protected network. Common tunnels include HTTP, FTP, DNS, SQLnet and telnet.

Network Transparency

Network transparency means that host systems residing on the PSN and protected network can send packets to, and receive replies from, hosts on external networks without any user-visible intervention. Network transparency is implemented as part of stateful packet inspection: the state of every connection is maintained by the system in a series of tables, along with other connection information, which ensures that only authorized packets are accepted. Packet-filtering firewalls without state tracking are not transparent: they require cracks (open, unprotected ports) to be created in the firewall so that packets for arbitrary inbound connections can be accepted. Since many application protocols create arbitrary secondary inbound connections, more cracks must be created to accommodate a wide range of possibilities, which enlarges the area of network vulnerability. The network transparency of the stateful packet inspection engine allows GTA firewalls to protect networks without making permanent holes (cracks) in the firewall to admit legitimate return traffic.

Virtual Cracks

GTA firewalls avoid the security problem of cracks through the use of virtual cracks. A virtual crack is part of GTA's stateful packet inspection technology; it allows the secondary inbound connections used by some protocols to be accepted without a dedicated hole (crack) in the firewall.
Virtual cracks are configured automatically when the system detects the signature of an outbound packet of a non-standard protocol that requires secondary connections. The virtual crack stays in place until the primary connection is shut down, until its timers expire due to inactivity, or until the expected protocol event fails to occur. Application protocols that use secondary connections, and therefore virtual cracks, include FTP, RealAudio, CU-SeeMe, Net2Phone and many Windows NetBIOS (SMB) facilities.

IP Aliases

IP aliases allow a network interface to have multiple assigned IP addresses. This is useful when multiple targets on a PSN or a protected network must be reachable for the same service (port) via state table tunnels (e.g. multiple internal web servers), since each such tunnel needs its own external address for that port. IP aliases can be applied to any interface.

IP Aliases Assigned to an External Network Interface

All IP aliases used on an external network interface connected to the Internet must be registered (legitimate) IP addresses, although they need not all be from the same network.

Network Types

GB-OS uses three logical network types to divide functionally separate networks: the external network, the protected network and the Private Service Network (PSN). The first two do not differ greatly from standard usage, but the third is a special, improved variation of the DMZ (demilitarized zone) network used by other firewalls.
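The behaviour described under Stateful Packet Inspection, Network Transparency and Virtual Cracks above, as an added worked example. This is illustrative Python written for this guide, not GB-OS code: the state table, the active-mode FTP PORT signature, the one-shot crack, the timeouts and the refusal to open a crack toward any host other than the client that issued the command (an FTP bounce check) are assumptions about a sensible implementation, not documented GB-OS internals. All addresses and the session walked through in demo() are constructed.

```python
import re
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ifc: str            # logical network it arrived on: PROTECTED, PSN or EXTERNAL
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Expectation:      # a virtual crack: one-shot expectation for a secondary connection
    expires: float
    parent: tuple       # key of the control session that created it


def key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse(k):
    return (k[0], k[3], k[4], k[1], k[2])


class StateTable:
    def __init__(self, idle_timeout=300.0, crack_timeout=60.0, now=time.monotonic):
        self.idle_timeout, self.crack_timeout, self.now = idle_timeout, crack_timeout, now
        self.sessions = {}   # outbound 5-tuple -> last-seen time
        self.cracks = {}     # expected inbound 5-tuple -> Expectation

    def expire(self):
        t = self.now()
        self.sessions = {k: ts for k, ts in self.sessions.items() if t - ts < self.idle_timeout}
        # a crack dies with its timer or with the control session that created it
        self.cracks = {k: e for k, e in self.cracks.items()
                       if e.expires > t and e.parent in self.sessions}

    def outbound(self, p):
        """Record an outbound packet and look for application signatures that need a crack."""
        self.expire()
        k = key(p)
        self.sessions[k] = self.now()
        if p.proto == "tcp" and p.dport == 21:
            self.ftp_port(p, k)

    def ftp_port(self, p, parent):
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
        # connection and the server then connects back from port 20 to that address.
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", p.payload)
        if not m:
            return
        n = [int(x) for x in m.groups()]
        ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        # Assumed hardening (the page does not say how GB-OS handles this): only open a
        # crack back to the client that issued the command, and only to an unprivileged
        # port, so a PORT command cannot be used to reach another internal host.
        if ip != p.src or port < 1024:
            return
        self.cracks[("tcp", p.dst, 20, ip, port)] = Expectation(self.now() + self.crack_timeout, parent)

    def inbound(self, p):
        """Accept an inbound packet only if state created from inside expects it."""
        self.expire()
        k, rev = key(p), reverse(key(p))
        if rev in self.sessions:             # reply to an existing outbound session
            self.sessions[rev] = self.now()
            return True
        if k in self.cracks:                 # the expected secondary connection
            del self.cracks[k]               # one-shot: consumed on first use
            self.sessions[rev] = self.now()  # from now on tracked like any session
            return True
        return False                         # no state, no hole: default deny

    def close(self, p):
        """Tear down a session; any cracks it created go with it."""
        k = key(p)
        self.sessions.pop(k, None)
        self.cracks = {c: e for c, e in self.cracks.items() if e.parent != k}


def demo():
    """Walk an active-mode FTP session through the table (all addresses constructed)."""
    clock = [1000.0]
    st = StateTable(now=lambda: clock[0])
    client, server = "192.168.1.10", "203.0.113.5"
    ctl = Packet("PROTECTED", "tcp", client, 40000, server, 21)
    cmd = lambda text: Packet("PROTECTED", "tcp", client, 40000, server, 21, text)
    data = lambda port: Packet("EXTERNAL", "tcp", server, 20, client, port)
    r = {}
    r["unsolicited"] = st.inbound(Packet("EXTERNAL", "tcp", server, 4444, client, 445))
    st.outbound(ctl)
    r["ctl_reply"] = st.inbound(Packet("EXTERNAL", "tcp", server, 21, client, 40000))
    st.outbound(cmd(b"PORT 192,168,1,10,160,1\r\n"))   # crack for client:40961
    r["data_conn"] = st.inbound(data(40961))
    r["data_follow_on"] = st.inbound(data(40961))       # now rides the new session
    st.outbound(cmd(b"PORT 192,168,1,20,160,1\r\n"))   # points at a different host
    r["bounce"] = st.inbound(Packet("EXTERNAL", "tcp", server, 20, "192.168.1.20", 40961))
    st.outbound(cmd(b"PORT 192,168,1,10,160,2\r\n"))
    clock[0] += 61                                      # crack timer runs out
    r["expired"] = st.inbound(data(40962))
    st.outbound(cmd(b"PORT 192,168,1,10,160,3\r\n"))
    st.close(ctl)                                       # control session torn down
    r["after_close"] = st.inbound(data(40963))
    return r
```

The walk-through shows the two properties the text claims: the unsolicited inbound connection and the two stale cracks are denied without any rule being written, while the data connection the client asked for is admitted once and then tracked as an ordinary session. The clock is injected so the inactivity timer can be exercised deterministically.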
Network Types and Their Scope

External Network

An external network (EXT) is an unprotected network for which no Network Address Translation (NAT) is performed. An external network is typically the connection to an Internet service provider; however, a GTA firewall can also be used internally on private networks as an intranet firewall, in which case the external network is merely the part of the intranet not protected by the firewall. A GTA firewall provides no security for hosts located on an external network; assign hosts to a protected network or PSN to give them firewall protection. If connected to the Internet, an external interface must have a registered IP address.

Protected Network

A protected network (PRO) is a network hidden behind a GTA firewall. The term is used throughout GTA documentation to refer to a network directly connected to the firewall; all features and attributes associated with this network also apply to all networks connected to a protected network. All hosts and IP addresses used on this network are hidden from the external network and from Private Service Networks. Although hosts on a protected network are, by default, not accessible from other networks, a tunnel can be created to allow access from external or PSN hosts.

Private Service Network

A Private Service Network (PSN) is an optional network located logically between the external network and the protected network, but nearly at a peer level with the protected network. It is an improved type of DMZ network. A PSN differs from a standard DMZ in that it is located on its own network rather than on a subnet, and in that it provides varying levels of security according to the needs of the organization. Since a PSN is hidden/internal, un-registered IP addresses can be used on it. A PSN is typically used with tunnels to allow external hosts access to internal network services such as web servers, FTP servers and e-mail servers.
By tunneling from the external network to a server on a PSN, an organization can allow both external and internal access to services while maintaining the more stringent security of the protected network. By default, the PSN is not trusted by the protected network: no unsolicited packets are allowed to pass from the PSN to the protected network. All hosts on the PSN are hidden from the external network but completely accessible from the protected network.

Network Interface Cards (NICs)

A network interface card (NIC, also sometimes called a network port) can be any supported network device operating at any supported speed and using any supported network topology. Generally this is an Ethernet device with RJ-45 connectors and Cat. 5 cable. GTA's software firewalls can operate with a combination of different network cards, thus performing a bridging function between dissimilar networks. GB-OS requires at least two network interfaces (one for the logically external and one for the logically protected network).
With the multi-interface option, select GTA firewalls support up to eight (8) NICs or an unrestricted number of NICs. Interfaces beyond the required two may be defined as any of the three types; NICs can be divided among multiple external, protected or PSN networks.

External Network Interface

An external NIC is typically connected to the Internet and hosts an external logical network. Any supported NIC can be used as an external network interface, including PPP devices. More than one external network interface may be defined, but only one can be designated as the primary default gateway (default route). If attached to the Internet, it requires a registered IP address (only one registered IP address is required for the firewall).

Protected Network Interface

A protected network interface is typically internal and hosts a protected logical network. Any supported NIC may be used, with the exception of a PPP device. A protected network interface does not require a registered IP address; RFC 1918 private addresses are recommended. More than one protected network interface may be defined.

Private Service Network Interface

A Private Service Network (PSN) interface typically acts as an intermediate security zone between the external and protected networks, and hosts a PSN logical network. PSNs are optional and may not be needed in configurations such as intranets or for outbound-only access; however, if you offer public access to servers (such as a web server), the installation of a PSN interface is highly recommended. Any supported NIC may be used, with the exception of a PPP device. A PSN interface does not require a registered IP address; RFC 1918 private addresses are recommended. More than one PSN interface may be defined. IP aliasing may be used on any interface. See the product guides for the maximum number of IP aliases available on a specific GTA firewall.
Network Address Translation (NAT)

Network Address Translation, or NAT, is one of the primary features of GB-OS. NAT is available in two forms, dynamic and static translation, referred to as default NAT (active by default) and static address mapping. NAT can be bypassed using pass through. NAT is applied to:

packets outbound from the protected network to the external network
packets outbound from the protected network to the PSN
packets outbound from the PSN to the external network
packets outbound from one protected network to another protected network

Default NAT (Dynamic NAT)

Default NAT is a dynamic many-to-one scheme that maps internal IP addresses to a single outgoing IP address. Packets from all IP addresses on the source network (PSN or protected) have their source IP address translated to the IP address assigned to the outbound NIC (external or PSN). This means:

Any packet originating from the protected network and destined for a host beyond the external NIC has its source IP address translated to the IP address of the external NIC.
Any packet originating from the protected network and destined for a host beyond the PSN NIC has its source IP address translated to the IP address of the PSN NIC.
Any packet originating from the PSN and destined for a host beyond the external NIC has its source IP address translated to the IP address of the external NIC.

Because many internal hosts share one outgoing address, the source port is translated as well, and each mapping is recorded in the state table so that replies can be returned to the right internal host.

Static Address Mapping (Static NAT)

Static address mapping (also called outbound or static mapping) allows an internal IP address or subnet to be statically mapped to a chosen external IP address during the NAT process. Typically, static address mapping is used with targets on the external network interface.
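An added example, not GB-OS code, that models the three outbound treatments just described (pass through, static address mapping to an IP alias, and default many-to-one NAT to the NIC's own address) together with an inbound tunnel, so the translations can be watched in both directions. The port pool, the precedence order between the three cases and the reply handling are assumptions about how a many-to-one translator has to behave, not documented GB-OS internals; every address in demo() is constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    """Outbound: pass through (no NAT), otherwise many-to-one translation whose outgoing
    address is the static map's alias when the source matches one and the NIC's real
    address otherwise. Inbound: undo the translation or apply a tunnel, else drop."""

    def __init__(self, nic_ip, aliases, pool=(10000, 60000)):
        self.nic_ip = nic_ip
        self.aliases = set(aliases)     # IP aliases assigned to the outbound NIC
        self.static = []                # (network, alias): sources that egress from an alias
        self.passthrough = []           # networks that are routed untouched
        self.tunnels = {}               # (proto, ext_ip, ext_port) -> (int_ip, int_port)
        self.next_port, self.pool_end = pool
        self.table = {}                 # (proto, nat_ip, nat_port) -> (src, sport)
        self.reverse = {}               # (proto, src, sport) -> (nat_ip, nat_port)

    def add_static_map(self, source_cidr, alias):
        if alias not in self.aliases:
            raise ValueError(f"{alias} is not an IP alias on this interface")
        self.static.append((ipaddress.ip_network(source_cidr), alias))

    def add_passthrough(self, source_cidr):
        self.passthrough.append(ipaddress.ip_network(source_cidr))

    def add_tunnel(self, ext_ip, ext_port, int_ip, int_port, proto="tcp"):
        if ext_ip != self.nic_ip and ext_ip not in self.aliases:
            raise ValueError(f"{ext_ip} is not an address on this interface")
        self.tunnels[(proto, ext_ip, ext_port)] = (int_ip, int_port)

    def _alloc(self):
        if self.next_port > self.pool_end:
            raise RuntimeError("dynamic NAT port pool exhausted")
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, p):
        src = ipaddress.ip_address(p.src)
        if any(src in net for net in self.passthrough):
            return p                    # pass through: the real address leaves the firewall
        # a tunnelled server's replies go back out under the tunnel's external address
        for (proto, ext_ip, ext_port), target in self.tunnels.items():
            if (proto, *target) == (p.proto, p.src, p.sport):
                return replace(p, src=ext_ip, sport=ext_port)
        nat_ip = next((alias for net, alias in self.static if src in net), self.nic_ip)
        key = (p.proto, p.src, p.sport)
        if key not in self.reverse:     # first packet of a flow: allocate a port
            port = self._alloc()
            self.reverse[key] = (nat_ip, port)
            self.table[(p.proto, nat_ip, port)] = (p.src, p.sport)
        nat_ip, port = self.reverse[key]
        return replace(p, src=nat_ip, sport=port)

    def inbound(self, p):
        """Reverse the translation; None means the firewall drops the packet."""
        orig = self.table.get((p.proto, p.dst, p.dport))
        if orig is not None:            # reply to a translated flow
            return replace(p, dst=orig[0], dport=orig[1])
        target = self.tunnels.get((p.proto, p.dst, p.dport))
        if target is not None:          # inbound tunnel to an internal server
            return replace(p, dst=target[0], dport=target[1])
        if p.dst == self.nic_ip or p.dst in self.aliases:
            return None                 # to the firewall, no state, no tunnel: dropped
        return p                        # e.g. addressed to a pass-through host: routed


def demo():
    """Constructed addresses: 198.51.100.0/24 is the external side, 192.168.x.0/24 inside."""
    nat = Nat("198.51.100.1", aliases=["198.51.100.2", "198.51.100.3"])
    nat.add_static_map("192.168.2.0/24", "198.51.100.2")      # one subnet egresses from an alias
    nat.add_passthrough("192.168.3.0/24")                     # routed, never translated
    nat.add_tunnel("198.51.100.3", 80, "192.168.1.80", 8080)  # public web server on a PSN host
    ext = "203.0.113.9"
    a = nat.outbound(Packet("192.168.1.10", 51000, ext, 443))
    b = nat.outbound(Packet("192.168.1.11", 51000, ext, 443))   # same source port, distinct NAT port
    c = nat.outbound(Packet("192.168.2.5", 40000, ext, 443))
    d = nat.outbound(Packet("192.168.3.7", 40000, ext, 443))
    return {
        "dynamic": a, "dynamic2": b, "static": c, "passthrough": d,
        "reply": nat.inbound(Packet(ext, 443, a.src, a.sport)),
        "stray": nat.inbound(Packet(ext, 443, "198.51.100.1", 22)),
        "tunnel_in": nat.inbound(Packet(ext, 5555, "198.51.100.3", 80)),
        "tunnel_out": nat.outbound(Packet("192.168.1.80", 8080, ext, 5555)),
    }
```

Two points worth noticing in the output: the static map changes only which outgoing address a flow uses (the port is still allocated from the shared pool, which is why a subnet can share one alias), and an inbound packet to the firewall's own address with no state and no tunnel is dropped rather than forwarded, which is the default-deny behaviour the rest of this appendix relies on.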
Static Address Mapping (figure: protected network hosts, the dynamic NAT mapping table, and a static mapping to an IP alias beside the primary IP address on the GNAT Box system)

Static maps associate a source IP address with an IP alias assigned to a PSN or external network interface. A subnet mask is combined with the specified source IP address to yield the address used for comparison when applying static address mapping. Static mapping is only useful once IP aliases have been assigned, since by default all IP addresses on the protected network are dynamically translated to the real IP address of the outbound network interface. See the individual product guides for the maximum number of static address maps available on a specific GTA firewall.

IP Pass Through (No NAT)

Pass through means, essentially, no Network Address Translation (NAT). By default, all outbound packets receive firewall NAT; pass through transfers selected packets through the firewall without applying NAT. When pass through is used, the firewall creates pass through tunnels determined by user-designated IP address origins. These designated origins can be networks, subnets or individual hosts on either a PSN or a protected network, and pass through supports any defined IP protocol. Pass through filters can be applied selectively to packets based on their destination: pass through specifies which interfaces will not have NAT applied for a designated IP address. For example, pass through filters can be used for external-to-PSN packets while PSN-to-external packets still have NAT applied. Note that a host passed through keeps its real address on the far side of the firewall, so that address must be routable there and is no longer hidden by NAT.

Objects

Objects are logical groups of IP addresses. They simplify the definition of IP addresses and groups of IP addresses by allowing the administrator to reference the object rather than repeatedly entering the data. Objects thereby reduce configuration time and the possibility of error. A user defines an object once, then selects the object in each configuration area where that definition is required.
Once an object is created, the user need only change the object itself to change all the locations where the object is used.

Caution: If the name of an object (address, interface, etc.) is changed, references to it must be changed to reflect the new name.

Address Objects

Traditionally, an IP address and subnet mask pair are used to create an address object. An address object may consist of many IP addresses.

Interface Objects

Interface objects function similarly to address objects, but contain network interface information instead of IP addresses (many IP addresses can be assigned to a single NIC). Logical names in the Network Interface section, IP alias names in the NAT section and H2A High Availability group names in the Services section are all usable as interface objects. Interface objects can be used in:

remote access filters
VPN objects
address objects
inbound tunnels
static address mapping

VPN Objects

VPN objects define user authentication, encryption and network connections for VPN users.
Four VPN objects are created by default: an IKE, a Manual, a Mobile and a Dynamic VPN.

Filters

Filter rules control network access to and through the firewall. Any connection not explicitly allowed by a firewall filter is denied. Therefore, if no filters of any type were defined, no packets would be allowed to flow to or through (inbound or outbound) the firewall.

Filter Defaults

When you use the DEFAULT button in a filter section, pre-configured filters are generated based on the needs of other configuration sections, the security policy and preferences. For new installations, these are the factory-set policy and preferences.

Filter Types

GTA firewalls support four types of filters. The first three types, remote access filters, outbound filters and pass through filters, are configured in a similar way. They can be defined by the user either by creating custom filters or by using the DEFAULT button to pre-configure the filter set.

Automatic Filters

The fourth type of filter, automatic filters, has priority over the other filter types. Automatic filters are generated by the firewall for transient events, e.g. a packet sent in response to a request from behind the firewall; connections triggered by selecting Automatic Accept All for an inbound tunnel; and stealth mode. When outbound, remote access and pass through filters are active, they are listed below the automatic filters in the active filters list.

Stealth Mode

Stealth mode is the default mode for new GTA firewalls. In stealth mode, the firewall does not respond to external ICMP ping requests, ICMP traceroute requests or UDP traceroute requests. In addition, the firewall does not respond with an ICMP message when an external packet arrives for a port without a tunnel or service. (Stealth mode does not affect protected network or Private Service Network interfaces.) Stealth mode does not appear in the active filters list.

VPN

A VPN provides a means to connect a mobile user or a network securely to another network over an insecure network such as the Internet. It is commonly used by branch offices and mobile employees to connect to the internal network from outside without compromising network security. GB-OS has a built-in VPN gateway implementing the Internet Engineering Task Force (IETF) IP Security (IPSec) standard. The GTA firewall VPN allows any IP protocol to be passed through the VPN tunnel to a remote network, if authorized. Since a GTA firewall is a VPN gateway, it uses the tunnel mode of the IPSec standard. The second VPN gateway can be another GTA firewall or a third-party IPSec VPN gateway.

Unlike many other VPN gateways, GTA firewalls apply security policies inside the VPN tunnel as well: a secure network connection can be established between two sites, but this does not mean that anything goes in terms of network traffic. Denial of all packets not explicitly allowed still applies. Access filters must be defined for both inbound and outbound access on the VPN tunnel; pass through filters define access control on the VPN.

To connect to the firewall's VPN without using a second VPN server/firewall, use the GTA Mobile VPN Client. For more information about the GTA Mobile VPN Client, see the VPN Option Guide.

DNS

Since GTA firewalls provide network transparency for users on protected networks and PSNs, all outbound DNS (Domain Name System) queries operate normally. Users on protected networks and PSNs may use a DNS server on the external network for address resolution. However, an external DNS server cannot resolve protected hosts, because NAT hides all internal network addresses on both protected networks and PSNs. Publishing information about internal hosts to an external DNS server is therefore pointless, as none of the IP addresses on internal networks are routable from an external network. Before configuring DNS, you should understand how DNS functions. DNS and BIND, 3rd Edition by Paul Albitz & Cricket Liu, published by O'Reilly and Associates, is a useful DNS reference.
DNS Server

A built-in DNS server that can host multiple domains is available on most GTA firewalls. The DNS server functions as a primary (not a secondary) DNS server.

Internal and External Domain Name System (DNS) (figure: an external DNS server on the external network serves the external domain view; an internal DNS server on the protected network serves the internal domain view; the GNAT Box system sits between them with external, PSN and protected network interfaces)
Appendix E: Default Settings

This section contains the standard default settings for a GTA firewall that has been configured with an external network, a protected network and a Private Service Network, but without further configuration changes.

All packets not explicitly allowed are denied. If all filters were removed, no packets would flow inbound or outbound. A GTA firewall can generate a default configuration using security policies based on this rule.

Outbound Security Policies

1. All outbound access from the protected network is allowed.
2. All outbound access from the Private Service Network is allowed.

Outbound Filters

1 #DEFAULT: allow access to DNS by traditional WWW proxy users.
  Accept notice PROTECTED UDP coalesce(all) trafficshaping <DEFAULT> weight 5 from ANY_IP to ANY_IP 53
2 #DEFAULT: Allow protected interface access to anywhere.
  Accept notice PROTECTED ALL coalesce(all) trafficshaping <DEFAULT> weight 5 from ANY_IP to ANY_IP
3 #DEFAULT: Block with alarm everything.
  Deny warning ANY ALL alarm coalesce(all) from ANY_IP to ANY_IP

Remote Access Security Policies

1. All inbound access from the external network is denied.
2. All access from the external network to the GTA firewall is denied.
3. Access to the GTA firewall using the web interface is allowed only from IP addresses on the protected network.
4. Access from a Private Service Network to the GTA firewall is denied.
5. Access from a Private Service Network to a protected network is denied.
6. Access to the console interface requires a user ID and password.
7. Access to the web interface requires a user ID and password.

Remote Access Filters

1 #DEFAULT: Allow Protected Network access to remote admin services.
  Accept notice PROTECTED TCP from ANY_IP to ANY_IP
2 #DEFAULT: Allow Protected Network access to DNS server.
  Accept notice PROTECTED UDP from ANY_IP to ANY_IP 53
3 #DEFAULT: Allow Protected Network access to SNMP service.
  DISABLED - Accept notice PROTECTED UDP from ANY_IP to ANY_IP
4 #DEFAULT: DNSproxy - Allow all DNS replies.
  Accept notice ANY UDP from ANY_IP 53 to ANY_IP 53
5 #DEFAULT: DNS server - Allow all DNS replies.
  DISABLED - Accept notice ANY UDP from ANY_IP 53 to ANY_IP 1024:
6 #DEFAULT: Allow access to user authentication server.
  DISABLED - Accept notice ANY TCP from ANY_IP to ANY_IP 76
7 #DEFAULT TRADITIONAL URL PROXY: Allow connections to URL proxy.
  DISABLED - Accept notice PROTECTED TCP from ANY_IP to /
8 #DEFAULT PROXY: Allow connections to e-mail proxy.
  DISABLED - Accept notice EXTERNAL TCP from ANY_IP to ANY_IP 25
9 #DEFAULT: Block/nolog discard bootp, netbios, and rwho.
  Deny warning ANY UDP nolog from ANY_IP to ANY_IP
10 #DEFAULT NO RIP: Block/nolog rip.
  Deny warning ANY UDP nolog from ANY_IP to ANY_IP
11 #DEFAULT RIP: Accept UDP rip.
  DISABLED - Accept notice ANY UDP from ANY_IP to ANY_IP
12 #DEFAULT RIP: Accept IGMP multicast for router addresses.
  DISABLED - Accept notice ANY 2 from ANY_IP to /24
13 #DEFAULT RIP: Accept router solicitations and advertisements.
  DISABLED - Accept notice ANY ICMP from ANY_IP to /
14 #DEFAULT STEALTH: Block with alarm any other access to external interface.
  DISABLED - Deny warning EXTERNAL ALL alarm from ANY_IP to ANY_IP
15 #DEFAULT: Accept/nolog authentication (ident).
  Accept notice ANY TCP nolog from ANY_IP to ANY_IP
16 #DEFAULT: Allow pings and ICMP traceroutes to GB-OS.
  Accept notice ANY ICMP from ANY_IP 8 to ANY_IP 8
17 #DEFAULT: Allow UDP traceroutes to GB-OS.
  Deny warning ANY UDP nolog genicmp from ANY_IP to ANY_IP 32767:
18 #DEFAULT: Block/nolog stale WWW accesses.
  Deny warning ANY TCP nolog from ANY_IP 80 to ANY_IP 1024:
19 #DEFAULT: Block with alarm any other access to all interfaces.
  Deny warning ANY ALL alarm from ANY_IP to ANY_IP

Filters are listed in evaluation order: the first rule that matches a packet decides, so a rule placed below the catch-all deny (rule 19) can never take effect. Automatic filters, including stealth mode, are applied before any of these.
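An added example, not GB-OS code, for this rule listing and for the Filters section of Appendix D: a parser for the rule syntax as it appears above and a first-match evaluator that applies a sample set to constructed probe packets, so the effect of ordering, of DISABLED rules and of the final catch-all deny can be checked. The grammar (action, log level, interface, protocol, options, then from/to with an optional port or port range, with the ICMP type in the port position) is inferred from the listing rather than taken from a GB-OS specification; the ports the listing has lost are filled in as assumptions in the sample set; automatic filters are not modelled.

```python
import ipaddress
from collections import namedtuple

# ifc: logical interface the packet arrived on (PROTECTED, PSN, EXTERNAL); proto: TCP, UDP,
# ICMP or an IP protocol number as text; for ICMP the port fields carry the message type.
Packet = namedtuple("Packet", "ifc proto src sport dst dport")
Rule = namedtuple("Rule", "index enabled action level ifc proto options src sports dst dports")
Decision = namedtuple("Decision", "action rule logged alarm")   # rule is None for the implicit deny

ANY_IP = ipaddress.ip_network("0.0.0.0/0")
TWO_TOKEN = {"trafficshaping", "weight"}    # options that take a value


def _obj(tok):
    return ANY_IP if tok == "ANY_IP" else ipaddress.ip_network(tok, strict=False)


def _range(tok):
    """None -> any port; "53" -> 53 only; "1024:65535" -> range; "32767:" -> open-ended."""
    if tok is None:
        return (0, 65535)
    lo, sep, hi = tok.partition(":")
    if not sep:
        return (int(lo), int(lo))
    return (int(lo), int(hi) if hi else 65535)


def parse_rule(index, line):
    toks = line.split()
    enabled = True
    if toks[:2] == ["DISABLED", "-"]:
        enabled, toks = False, toks[2:]
    action, level, ifc, proto, *rest = toks
    options = set()
    while rest[0] != "from":                 # alarm, nolog, coalesce(all), weight 5, ...
        opt = rest.pop(0)
        options.add(opt + ("=" + rest.pop(0) if opt in TWO_TOKEN else ""))
    to = rest.index("to")
    src, dst = rest[1:to], rest[to + 1:]     # object name followed by an optional port
    return Rule(index, enabled, action, level, ifc, proto.upper(), frozenset(options),
                _obj(src[0]), _range(src[1] if len(src) > 1 else None),
                _obj(dst[0]), _range(dst[1] if len(dst) > 1 else None))


def parse_rules(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [parse_rule(i, l) for i, l in enumerate(lines, 1)]


def evaluate(rules, p):
    """First enabled rule that matches decides; automatic filters are not modelled."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for r in rules:
        if (not r.enabled or r.ifc not in ("ANY", p.ifc)
                or r.proto not in ("ALL", p.proto.upper())
                or src not in r.src or not r.sports[0] <= p.sport <= r.sports[1]
                or dst not in r.dst or not r.dports[0] <= p.dport <= r.dports[1]):
            continue
        return Decision(r.action, r.index, "nolog" not in r.options, "alarm" in r.options)
    return Decision("Deny", None, True, False)   # nothing matched: dropped by policy


# Modelled on the default remote access filters above. Ports the listing has lost are
# filled in as assumptions: 443 for the web interface, 161 for SNMP, 67:68 for bootp.
# Rule 6 is the (disabled) STEALTH rule; rule 9 is the catch-all deny.
RULES = """
Accept notice PROTECTED TCP from ANY_IP to ANY_IP 443
Accept notice PROTECTED UDP from ANY_IP to ANY_IP 53
DISABLED - Accept notice PROTECTED UDP from ANY_IP to ANY_IP 161
Accept notice ANY UDP from ANY_IP 53 to ANY_IP 53
Deny warning ANY UDP nolog from ANY_IP to ANY_IP 67:68
DISABLED - Deny warning EXTERNAL ALL alarm from ANY_IP to ANY_IP
Accept notice ANY ICMP from ANY_IP 8 to ANY_IP 8
Deny warning ANY TCP nolog from ANY_IP 80 to ANY_IP 1024:
Deny warning ANY ALL alarm coalesce(all) from ANY_IP to ANY_IP
"""


def demo():
    """Run constructed probe packets against the set; all addresses are made up."""
    rules = parse_rules(RULES)
    fw_in, fw_ext, outside = "192.168.1.1", "198.51.100.1", "203.0.113.9"
    probes = {
        "admin_from_inside": Packet("PROTECTED", "TCP", "192.168.1.10", 40001, fw_in, 443),
        "admin_from_outside": Packet("EXTERNAL", "TCP", outside, 40001, fw_ext, 443),
        "snmp_rule_disabled": Packet("PROTECTED", "UDP", "192.168.1.10", 40002, fw_in, 161),
        "dns_reply": Packet("EXTERNAL", "UDP", outside, 53, fw_ext, 53),
        "ping_from_outside": Packet("EXTERNAL", "ICMP", outside, 8, fw_ext, 8),
        "stale_http": Packet("EXTERNAL", "TCP", outside, 80, fw_ext, 40000),
    }
    result = {name: evaluate(rules, p) for name, p in probes.items()}
    result["no_rules"] = evaluate([], probes["dns_reply"])   # empty set: everything denied
    return result
```

The probes show why the catch-all matters: the administrative connection from the external side and the SNMP query whose accept rule is disabled both fall through to rule 9 and are denied with an alarm, while the stale HTTP packet is caught earlier by a nolog deny and generates no log entry. Running the same packets against an empty rule set yields the implicit deny the appendix describes.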
Index

Symbols
3DES 1, 55, 78

A
accept 16, 21, 28, 31, 33, 35, 37, 41, 43, 44, 49, 57, 59, 68, 78, 79, 81, 86, 89, 104, 122, 132, 138, 142, 147
access control list 31, 41
account 5, 29, 47, 49, 50, 72, 131, 144
  administrator 47
  user 2, 47, 49, 53, 54, 55, 76, 111, 114, 122, 123, 145, 147, 160
ACL 31, 33, 34, 35, 37, 41, 42, 59, 60, 62, 116, 117, 118, 131, 132, 144, 145. See also access control list
  match 131
Acrobat Reader ii, 3. See also Adobe
activation code 2, 5, 13, 14, 26, 29, 30, 33, 59, 131, 150
ActiveX 59, 60. See also content filtering
administrator 15, 23, 27, 29, 42, 45, 47, 48, 60, 61, 74, 82, 85, 89, 96, 103, 105, 109, 115, 142, 150, 151, 159. See also account
Adobe ii, 3. See also documentation
Adobe Acrobat Reader ii, 3
AES 1, 55, 79
AH 57, 82, 83, 95, 96. See also VPN
alarm notifications 29, 85, 86, 87. See also filters
  muffle benign events 89
aliases 27, 28, 95, 156, 158, 159
AOL 132
Apple 3, 6, 8, 52. See also Macintosh
applets 59, 60. See also Java
ARP table 101, 108, 111. See also router
ASCII 30, 54, 55, 56, 57
asterisk 73, 112. See also regular expressions
attacks. See vulnerability
  doorknob twist 86, 98
  fragmented packets 85, 86
  ICMP replay 86
  invalid packets 85, 86
  IP address spoof 85, 86
authentication 1, 45, 48, 49, 50, 52, 53, 54, 56, 57, 78, 79, 82, 114, 122, 123, 124, 131, 134, 146, 159, 163, 164
authorization 45, 48, 53, 54, 55, 132, 149, 152
A records 27. See also DNS

B
backup 5
bandwidth 29, 74, 75, 82, 96
beacon IP addresses 63, 64. See also failover
black list 31, 35, 37, 131, 132. See also Mail Sentinel
  real-time 131
Blowfish 1, 55
bridge 2, 16, 17, 93
bridged interfaces 16, 93. See also bridge
bridged protocol. See protocol
bridging 2, 15, 17, 30, 67, 91, 92, 130, 157
broadcast 68, 112, 129
browser 1, 8, 9, 52, 53, 102, 103, 142, 143, 149, 150, 152
  Internet Explorer ii, 8, 52, 53, 128, 149, 152
  Mozilla 8, 52, 149
  Netscape Navigator 8, 52, 149
  Opera 8, 52, 149
  Safari 8, 52, 149

C
Cat. 5 cable 157.
  See also Ethernet
certificate authority 8, 52, 53
CHAP 18, 21
character set 23, 73
chart 29
CIDR notation 9, 10, 12, 15
CNAME records 27. See also DNS
coalescing 82, 86, 87. See also alarm notifications
COM 20, 88, 128
Configuration Report 2, 23, 54, 107, 108, 127, 129
confirmed spam 33. See also Mail Sentinel Anti-Spam
Connection Time-out 20
connectivity tests. See ping; See traceroute
console 1, 3, 5, 8, 44, 47, 50, 51, 52, 102, 128, 129, 133, 141, 142, 149, 151, 163
content filtering 1, 3, 59, 60, 62, 143
copyright ii
cracks 91, 155, 156. See also vulnerability; See also virtual crack
crossover cable 5, 7, 128, 130, 131

D
database conversion. See DBmanager
DB. See serial cable; See also serial cable
DBmanager 3, 44, 121, 122
DDNS. See dynamic DNS
default
  address objects 74
  filter 19, 49, 62, 92, 137
  IP address 8, 11
  network settings 6
  password 8, 11
  ports 133
  route 6, 9, 12, 15, 16, 17, 25, 63, 68, 69, 127, 129, 158
  security mode 11, 12
  user ID 8, 9, 11, 47, 149
  VPN objects 55, 76
deny 2, 31, 33, 35, 37, 49, 57, 59, 60, 82, 83, 93, 131, 137, 138, 146, 147
DES 1, 55
DHCP 1, 2, 9, 12, 15, 16, 18, 25, 26, 76, 78, 111, 115
dial-up 18, 19, 49
dial scripts 18
Diffie-Hellman groups 2, 78, 79, 80
disconnected cable 130, 137
distinguished name. See DN
DMZ 1, 9, 12, 17, 156, 157
DN 48, 124
DNS 1, 2, 6, 9, 12, 13, 20, 25, 26, 27, 28, 29, 31, 33, 41, 42, 52, 53, 59, 67, 72, 84, 87, 102, 104, 115, 117, 127, 131, 133, 134, 144, 155, 160, 161, 163
  dynamic 28, 29, 133
  lookup 33, 41
  proxy 2, 13
  record 27, 28
  server 9, 12, 13, 20, 25, 26, 27, 28, 33, 41, 42, 53, 59, 87, 160, 161, 163
documentation ii, 3, 5, 6, 25, 155, 157
domain name 9, 12, 13, 15, 16, 25, 26, 27, 28, 41, 48, 49, 50, 59, 61, 72, 73, 78, 87, 102, 104, 129, 131, 132, 145
  qualified 15, 16, 50, 102, 145
dotted decimal notation 9, 10, 102
download 3, 101
DPD 78
DSL 18, 20
duplex 17
dynamic DNS 28, 29, 133. See also DNS

E
e-mail
  address ii, 33, 54, 56, 78, 87, 108, 116, 117, 118, 123, 131, 132, 145
  black list 35. See also black list
  block 35. See also black list
  destination 35
  filtering 1
  headers 145
  proxy 2, 25, 31, 33, 35, 37, 41, 42, 67, 72, 87, 116, 117, 130, 131, 132, 144, 145, 163. See also Mail Sentinel
  server 2, 28, 31, 33, 35, 72, 87, 130, 131, 132, 144, 157
  source 35
  white list 35. See also white list
encapsulation 19, 79, 155
encryption 1, 8, 18, 45, 50, 51, 52, 55, 57, 68, 78, 79, 80, 142, 149, 159
errors ii, 71, 102, 107, 108, 109, 127, 128, 131, 132, 137, 145. See also self-verification; See also problems
ESP 57, 79, 82, 83, 95, 96, 113. See also IPSec; See also VPN
Ethernet 1, 2, 5, 6, 7, 16, 17, 18, 91, 93, 101, 157. See also straight-through cable; See also crossover cable

F
factory setting 127
failover 1, 30, 63, 64, 67
feature activation code 2, 5, 30, 59, 150
filters 1, 2, 9, 16, 45, 49, 50, 53, 57, 62, 63, 72, 74, 75, 76, 81, 82, 83, 84, 85, 86, 88, 89, 90, 91, 92, 93, 95, 96, 97, 101, 108, 112, 129, 130, 132, 133, 139, 147, 150, 159, 160, 163
  bypass 16, 31, 59, 91, 93, 137
  matched 81
  order of evaluation 131
  schedules 90
flow control 18, 128
fragmented packets. See attacks
FTP 1, 28, 44, 50, 59, 74, 75, 76, 81, 91, 134, 138, 139, 140, 155, 156, 157
  updated port 138

G
gateway 1, 2, 6, 15, 16, 17, 18, 19, 25, 55, 56, 57, 63, 64, 65, 66, 67, 68, 69, 76, 78, 80, 91, 104, 112, 113, 127, 137, 138, 158, 160
  policies 67
gateway-to-gateway 1, 55. See also VPN
GB-Commander ii, 3, 25, 29, 30, 103, 121, 122, 133, 147
  Server 25, 29, 30, 133
GB-Ware ii, 5, 14
GBAdmin 1, 3, 5, 6, 8, 11, 12, 14, 15, 16, 17, 18, 20, 26, 28, 29, 30, 47, 50, 51, 52, 56, 72, 73, 81, 101, 103, 104, 107, 108, 109, 111, 128, 129, 133, 141, 142, 149, 152, 153, 154
GBAuth 1, 3, 48, 49, 50, 78, 82, 96, 114, 122, 123, 124, 132, 133, 147
generic routing encapsulation 19.
  See also GRE
gigabit 2, 17
GMT 42, 103
GNAT Box Mailing List 2
GNAT Box System Software 1, 3, 4, 5, 10, 18, 45, 52, 68, 74, 103, 104, 105, 121, 128, 137, 149, 155, 156, 157, 158, 160
GRE 19, 83
GTAsyslog 1, 3, 43, 44, 121, 122, 137
GTA Channel Partner 2, 60
GTA Mobile VPN Client. See VPN
GTA online support center 2, 5, 14
GTA Reporting Suite 3, 29, 43, 44, 103, 121, 122, 137
GTA Sales 2

H
H2A 1, 3, 17, 25, 29, 30, 31, 78, 96, 159
H2A High Availability 1, 3, 17, 25, 29, 30, 31, 159
halt 101, 102. See also shut down
HEX 30, 54, 56, 57. See also hexadecimal
hexadecimal 14, 54, 55, 56, 57, 93
holes. See cracks
hops 63, 64, 67, 68. See also router
host name 13, 15, 16, 27, 28, 29, 30, 41, 42, 43, 48, 52, 53, 86, 87, 104, 134, 145, 149, 152. See also domain name
HTTP 44, 45, 50, 51, 52, 59, 60, 61, 62, 81, 133, 134, 139, 140, 141, 143, 155. See also URL; See also Surf Sentinel 2.0; See also browser; See also HTTPS
  proxy 59, 61, 62, 133, 143
  unknown commands 59, 60
HTTPS 51, 52, 133, 134. See also SSL
hub 5, 6, 8, 52, 128, 130

I
IANA 93, 96, 133, 134
ICMP 63, 67, 82, 84, 85, 86, 95, 96, 98, 102, 104, 114, 137, 139, 140, 142, 147, 155, 160, 164
IETF 50, 77, 160
IGMP 82, 83, 95, 96, 163
IKE 54, 56, 57, 76, 78, 79, 80, 145, 160. See also VPN
indicator 8, 154
insecure 8, 52, 160
installation ii, 2, 3, 5, 14, 53, 121, 152, 155, 158
Internet Engineering Task Force. See IETF
Internet Explorer ii, 8, 52, 53, 128, 149, 152
IPSec 1, 2, 56, 57, 77, 80, 160. See also VPN
IP aliases. See aliases
IP packet. See packet
ISDN 20, 21
ISP 13, 16, 25, 27, 28

J
Java ii, 1, 59, 60, 122, 132
JavaScript 59, 60. See also content filtering
jumbo packets 17
junk e-mail. See spam

K
key length 55
keyboard shortcuts 153

L
LAN 5, 7
LCLs. See local content lists
LCP 21
LDAP 48, 49, 50, 78, 114, 122, 124, 133, 134. See also authentication
lease 25, 113, 114
  expired 20, 111, 113, 115, 145, 146
LED 8
license 113, 114, 117, 121, 122, 145, 147
Lightweight Directory Access Protocol. See LDAP
Linux ii, 44.
See also Unix; See also Macintosh; See also Windows
LMHOST 52, 129. See also host name; See also PDC
local area network. See LAN
local content lists 60, 132
locked out 47, 115. See also login
log 2, 3, 9, 16, 21, 29, 43, 44, 45, 47, 49, 63, 82, 83, 84, 85, 86, 87, 89, 93, 103, 119, 121, 122, 128, 129, 131, 137, 138, 139, 141, 142, 145, 150, 152
  order 121
  view messages 119
logical interface 15, 17, 18, 19
logical network 9, 12, 15, 16, 95, 127, 149, 152, 156, 158
login 2, 5, 8, 21, 47, 128, 141, 142, 150, 153
  unsuccessful 115
LogView 3, 43, 44, 121, 122, 137
loop 87, 130, 137

M
Macintosh 6, 8, 52, 149
MAC address 17, 111
Mac OS X. See Macintosh; See also Apple
Mail Sentinel 131
Mail Sentinel Anti-Spam 1, 31, 33, 35, 116, 117, 131, 132, 144, 145
Mail Sentinel Anti-Virus 1, 31, 33, 35, 116, 117, 118, 131, 132, 144, 145
malicious programs 60. See also virus
manual key exchange 56. See also IKE
MAPS 31, 33, 41, 42, 72, 117, 131, 132, 144. See also black list
matching rules. See regular expressions
Match Against MX. See access control list; See also MX records
maximum file size 31, 33, 117, 131
MD5 55, 68. See also hash
memory slice 128, 129
Microsoft
  Exchange server 129, 130
  Windows ii, 1, 6, 7, 8, 11, 29, 52, 53, 121, 122, 123, 124, 125, 128, 130, 135, 149, 152, 153, 154, 156. See also Linux
MTU 17, 21
multi-wan 2
MX records 27. See also DNS

N
NAS 48, 49. See also RADIUS
NAT 1, 2, 43, 44, 45, 67, 78, 79, 82, 88, 89, 91, 92, 93, 95, 97, 111, 113, 138, 139, 140, 141, 143, 144, 146, 147, 155, 157, 158, 159, 160
NAT-T 2, 78
NAT traversal. See NAT-T
navigation 150. See also user interfaces
NetBIOS 129, 130, 134, 156.
See also Windows network class 10, 15 connection type 127 settings 5, 6, 8, 9, 12 type 9, 12, 15, 95, 156 external 157 protected 157 PSN 157 network time server 9 NIC 6, 7, 9, 15, 16, 17, 18, 19, 20, 95, 138, 157, 158, 159 NIC 0 6, 7, 9 NTP 9, 42, 67, 132, 133, 134 server 42 O objects 13, 15, 16, 19, 30, 35, 37, 41, 42, 43, 44, 48, 50, 53, 54, 55, 56, 57, 59, 69, 71, 72, 73, 74, 75, 76, 78, 79, 82, 87, 93, 96, 97, 98, 131, 154, 159 ODBC-compliant databases 121. See also DBmanager OpenSSL ii, 8 outbound filters 49, 50, 63, 74, 83, 91, 92, 160 P packet 2, 17, 20, 56, 57, 59, 63, 65, 68, 78, 79, 80, 81, 82, 83, 86, 87, 91, 93, 97, 98, 101, 129, 131, 132, 137, 138, 139, 141, 142, 143, 155, 156, 158, 160 pager 86, 87, 88. See also alarm notifications PAP 18, 21 parity 18 passthrough 16, 49, 50, 74, 75, 76, 81, 91, 92, 95, 112. See also NAT password 5, 8, 9, 11, 20, 21, 29, 45, 47, 49, 50, 54, 68, 101, 115, 122, 123, 124, 125, 128, 132, 141, 142, 149, 152, 163 administrative 11 PDC 129 percentage 74, 96, 116 Phone Number 20, 23, 29, 88 ping 63, 64, 67, 86, 101, 102, 103, 104, 127, 128, 129, 130, 131, 142, 160 policy-based routing 63, 66. See also gateway; See also filters pool 25 ports 3, 6, 16, 49, 59, 60, 82, 87, 88, 89, 91, 97, 132, 133, 134, 142, 155 registered 133, 134. See also port number TCP 133 port number 29, 30, 43, 48, 51, 62, 75, 83, 122, 133, 149. See also protocol PPP 1, 2, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 76, 78, 127, 137, 158 PPPoE 1, 15, 17, 18, 20, 21, 23, 127, 137 Provider 21 PPTP 1, 15, 17, 18, 19, 20, 21, 23, 127 Primary Domain Controller. 
See PDC priority 28, 30, 35, 37, 44, 45, 63, 74, 82, 83, 85, 86, 138, 141, 160 problems 5, 33, 69, 107, 112, 127, 131, 132, 137, 154, 155 protocol 1, 16, 17, 18, 21, 43, 50, 55, 57, 59, 65, 68, 69, 75, 79, 81, 82, 83, 84, 88, 89, 91, 93, 95, 97, 98, 101, 102, 114, 137, 138, 141, 155, 156, 159, 160 bridged 137 proxy DNS 2, 13 1, 2, 25, 31, 33, 35, 37, 41, 42, 67, 72, 87, 116, 117, 130, 131, 132, 144, 145, 163 HTTP 59, 61, 62, 133 port 61 SMTP 115 traditional 61, 62, 143 transparent 61, 143 PSN 1, 2, 9, 12, 15, 16, 20, 25, 56, 57, 68, 78, 82, 83, 87, 89, 91, 95, 96, 97, 98, 113, 129, 130, 141, 155, 156, 157, 158, 159 Q quarantine 35, 72, 116, 117, 118, 131, 144, 145. See also spam; See also virus question mark 73. See also regular expressions R RADIUS 48, 49, 50, 78, 114, 122, 124, 125, 133. See also authentication
176 168 GB-OS 3.7 User s Guide ranges 2, 25, 27, 72, 131, 133 RBL. See black list RDNS. See reverse DNS references. See objects register 2, 5 registration 3, 5, 14 regular expressions 72, 73, 74, 131. See also objects remote access filter 13, 19, 42, 48, 49, 50, 51, 62, 78, 86, 89, 97, 122, 123, 124, 128, 129, 130, 138, 141 remote administration 50, 51, 52, 141, 142, 149. See also remote management Remote Authentication Dial-In User Service. See RADIUS remote logging 1, 43, 137 remote management 1, 141, 142 reports 2, 23, 45, 54, 103, 107, 108, 111, 113, 114, 127, 131, 132, 150. See also system activity reset to factory defaults 101, 128, 149 reverse DNS 27, 28, 31, 33, 41, 117. See also DNS reverse zone names 27, 28 revert 128, 129. See also reset RFC RFC RIP 17, 63, 68, 69, 82, 130, 163, 164 RJ See also Ethernet RMC 47, 50, 51, 133, 141, 142, 149. See also GB-Commander router 2, 5, 9, 12, 16, 17, 20, 25, 69, 91, 101, 127, 128, 130, 163, 164 Routing Information Protocol. See RIP rule. See filters runtime (executable) 105, 128, 153. See also software version S SA 54, 55, 146. See also VPN scripts 18, 59, 60. See also content filtering security alert 8, 52, 123 security association. See SA security certificate 8, 52, 53 security policy 19, 56, 57, 83, 86, 88, 97, 150, 160 self-verification 108. See also errors serial cable 5 serial console 128. See also user interfaces serial number 2, 5, 13, 14 services 1, 3, 6, 13, 14, 25, 26, 28, 41, 48, 50, 67, 82, 89, 96, 102, 129, 132, 133, 134, 155, 157, 163 SHA1 78, 79. See also hash shut down 102, 156 Simple Network Management Protocol. See SNMP SMB 156. See also NetBIOS SMTP 31, 41, 72, 81, 115, 117, 118, 132, 134, 144, 145 SNMP 25, 45, 47, 82, 87, 134, 163 software version 104, 128 spam 1, 3, 31, 33, 35, 41, 116, 117, 131, 144, 145 Unkown status 117 SPI 55. 
See also VPN SSL 1, 8, 9, 12, 16, 48, 50, 51, 52, 53, 123, 131, 132, 133, 134, 142, 149 certificate 8, 9, 12, 16, 52, 53, 123, 132 SSL-compatible 1, 8, 52, 149 Stateful Packet Inspection engine 1, 155 static address mapping 97, 158. See also NAT static mapping. See static address mapping stealth mode 1, 81, 84, 86, 160 straight-through cable 5, 128, 130, 131 subject line tags. See tag subnet mask 6, 10, 15, 25, 27, 28, 54, 56, 57, 69, 71, 72, 93, 95, 98, 159 support ii, 1, 2, 5, 23, 26, 43, 50, 52, 91, 107, 108, 143, 146, 147, 155, 158, 159, 160 Surf Sentinel 2.0 ii, 1, 44, 59, 60, 132, 143, 147 switch 5, 6, 8, 17, 67, 122, 128, 130 syslog 1, 43, 44, 122, 134 system activity 43, 54, 63, 96, 97, 111, 115, 118, 131, 132, 147 T tag 16, 35, 138, 139, 141, 142. See also Mail Sentinel Anti-Virus; See also Mail Sentinel Anti-Spam tagging. See tag TCP 1, 6, 16, 30, 31, 43, 49, 50, 51, 60, 62, 65, 68, 81, 82, 86, 93, 95, 96, 98, 114, 115, 122, 129, 130, 131, 132, 133, 134, 135, 137, 138, 139, 140, 141, 142, 143, 147, 155, 163, 164 technical support. See support telnet 2, 97, 134, 155 terminal 128 emulation 128 testing connectivity 127 threads 145 timeout 95, 98, 99, 113, 114, 116, 117. See also lease time zone 42, 103. See also NTP topographies 2 total number 54, 116, 117, 118 traceroute 101, 104, 127 trademarks ii traditional proxy 61, 62, 143 traffic shaping 74, 75, 76, 82, 96. See also bandwidth transparent proxy 61, 143 troubleshooting 3, 84, 101, 107, 112, 116, 127, 128, 129 connectivity 127 tunnel 31, 45, 49, 50, 74, 75, 76, 81, 84, 86, 88, 89, 95, 96, 97, 122, 129, 138, 139, 141, 146, 147, 155, 156, 157, 159, 160 TX_ U UDP 1, 42, 57, 65, 66, 82, 86, 95, 96, 98, 104, 114, 129, 130, 133, 134, 135, 137, 138, 139, 140, 141, 142, 155, 160, 163, 164 Unix 44, 149. See also Linux; See also Macintosh; See also Windows unlocking. See DBmanager unsolicited . See spam update 2, 5, 16, 28, 51, 52, 104, 105, 111, 112, 114, 116, 128, 131, 132, 133 upgrade. 
See update upload 104, 105. See also update URL 44, 45, 50, 51, 60, 61, 62, 143, 149, 163. See also content filtering user ID 5, 8, 9, 11, 20, 47, 50, 141, 149, 163 user interfaces 1, 3, 141, 149 UTC 42, 103 utility software 3, 6, 48, 137 UTP_10 17 V verification 108, 109, 127, 141, 142, 150, 152, 154. See also errors version. See software version virtual crack 75, 76, 155, 156. See also cracks Virtual Router ID. See VRID virus ii, 1, 3, 31, 33, 35, 116, 117, 118, 131, 132, 144, 145. See also Mail Sentinel Anti-Virus
177 Index 169 VPN 1, 2, 3, 29, 44, 47, 49, 50, 53, 54, 55, 56, 57, 71, 76, 77, 78, 79, 80, 92, 108, 111, 113, 114, 124, 125, 145, 146, 147, 159, 160 client 1, 2, 56, 76, 78, 80, 114, 160 gateway 76, 78, 80, 160 hardware acceleration 1 object 44, 50, 53, 54, 76, 79 VRID 30 VT See also terminal; See also serial console vulnerability 2, 11, 16, 155 W warranty ii web interface 3, 5, 11, 13, 16, 17, 28, 29, 41, 47, 49, 50, 51, 56, 81, 103, 107, 108, 115, 128, 129, 141, 142, 149, 150, 151, 153, 154, 163 web server 2, 28, 102, 103, 138, 139, 141, 149, 158 web site ii, 2, 3, 14, 28, 59, 62, 91, 93, 129, 133, 150, 155 weight 74, 75, 76, 134, 163. See also priority WELF ii, 43, 119, 121, 137. See also log white list 31, 35, 37, 132. See also Mail Sentinel wild-card character 73. See also regular expressions Windows ii, 1, 6, 7, 8, 11, 29, 52, 53, 121, 122, 123, 124, 125, 128, 130, 135, 149, 152, 153, 154, 156 Windows-compatible 1, 29 X X-headers 145. See also X.500. See LDAP