Unified Threat Management Advanced Firewall Operations Guide


For future reference
Advanced Firewall serial number:
Date installed:
Smoothwall contact:

Smoothwall Advanced Firewall, Operations Guide, March 2015

Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Advanced Firewall.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall.

For more information, contact: Smoothwall Ltd. All rights reserved.

Trademark notice

Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation.

All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

Acknowledgements

Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Advanced Firewall contains graphics taken from the Open Icon Library project

Address: Smoothwall Limited, 1 John Charles Way, Leeds. LS12 6QA, United Kingdom

Contents

About This Guide
Audience and Scope Organization and Use Conventions Related Documentation

Chapter 1 Advanced Firewall Overview
Overview of Advanced Firewall Annual Renewal Accessing Advanced Firewall Dashboard Logs and Reports Reports Alerts Realtime Logs Settings Networking Configuration Filtering Routing Outgoing Settings Services Authentication User Portal Proxies SNMP Message Censor Intrusion System DHCP System Maintenance Central Management Preferences Administration Hardware Diagnostics Certificates VPN Configuration Guidelines Specifying Networks, Hosts and Ports Using Comments Connecting via SSH Connecting Using a Client Secure Communication Unknown Entity Warning Inconsistent Site Address

Chapter 2 Advanced Firewall Services
Working with Portals Creating a Portal Configuring a Portal Editing Portals Deleting Portals Managing the Web Proxy Service Configuring and Enabling the Web Proxy Service About Web Proxy Methods Configuring End-user Browsers Instant Messenger Proxying Monitoring SSL-encrypted Chats SIP Proxying Types of SIP Proxy Choosing the Type of SIP Proxying Configuring SIP FTP Proxying Configuring non-transparent FTP Proxying Configuring Transparent FTP Proxying Reverse Proxy Service Configuring the Reverse Proxy Service SNMP Censoring Message Content Creating Custom Categories Setting Time Periods Creating Filters Creating and Applying Message Censor Policies Editing Policies Deleting Policies Managing the Intrusion System About the Default Policies Deploying Intrusion Detection Policies Deploying Intrusion Prevention Policies Creating Custom Policies Uploading Custom Signatures Using BYOD with Advanced Firewall About the RADIUS requests Implementation Examples Configuring BYOD for Advanced Firewall Prerequisites Adding RADIUS Clients Blocking Access to the Wireless Network Adding External RADIUS Servers Using the Advanced Firewall Certificate

Chapter 3 Producing Reports
About Reports About Report Templates About Report Outputs Using Drill Down Reports Generating Reports Canceling a Report Regenerating and Saving Reports About the Summary Report Scheduling Reports Example Schedule Report Configuration Managing Scheduled Reports Creating Custom Report Templates Creating Basic Custom Reports About Advanced Custom Reports Managing Custom Reports Managing Reports and Report Folders Creating Folders Deleting Folders Deleting Reports Making Reports Available on User Portals Saving a Report Output to Other User Portals Removing Reports from a User Portal

Chapter 4 Using Alerts, Information, and Logging
About the Dashboard About Alerts Available Alerts Configuring Alert Settings Enabling Instantaneous Alerts Looking up Previous Alerts by Reference About Advanced Firewall's Realtime Viewer Realtime System Information Realtime Firewall Information Realtime IPsec Information Realtime Portal Information Realtime Instant Messaging Realtime Traffic Graphs About Advanced Firewall's Log Files Viewing System Logs Exporting System Logs Firewall Logs IPSec Logs Logs IDS Logs IPS Logs IM Proxy Logs Web Proxy Logs Web Filter Logs Configuring Web Filter Logs Monitoring Log Activity in Realtime Searching for and Filtering Information Exporting Data Reverse Proxy Logs User Portal Logs Configuring Log Settings Configuring Other Log Settings Managing Log Retention Managing Automatic Deletion of Logs Configuring Report and Alert Output Settings About -to-SMS Output About Placeholder Tags Configuring to SMS Output Configuring Output to Generating a Test Alert Configuring Alert and Report Groups Creating Groups Editing a Group Deleting a Group

Chapter 5 Managing Your Advanced Firewall
Installing Updates Installing Updates Installing Updates on a Failover System Managing Modules Removing a Module Licenses Installing Licenses Archives About Archive Profiles Creating an Archive Downloading an Archive Restoring an Archive Deleting Archives Uploading an Archive Scheduling Scheduling Remote Archiving Editing Schedules Rebooting and Shutting Down Setting System Preferences Configuring the User Interface Setting Time Configuring Registration Options Changing the Hostname Configuring Administration and Access Settings Configuring Administration Access Options Configuring External Access Rules Administrative User Settings Managing Tenants Creating Tenants Editing a Tenant Deleting a Tenant Hardware Managing UPS Devices Managing Hardware Failover Prerequisites Configuring Hardware Failover Administering Failover Testing Failover Using Advanced Firewall's Diagnostic Tools Testing Advanced Firewall Functionality Exporting Advanced Firewall's Configuration Using IP Tools Using Whois Managing CA Certificates Reviewing CA Certificates Importing CA Certificates Exporting CA Certificates Deleting and Restoring Certificates

Appendix A Available Reports
All blocked activity for a specific user Amount of time a user spent browsing a URL Amount of time a user spent browsing sites in a category Amount of time an IP address spent browsing a URL Amount of time an IP address spent browsing sites in a category Application Bandwidth Statistics About the Generated Report Authentication Cache Bandwidth usage by a specific user Complete IP address audit trail Complete user audit trail Connection details and traffic statistics Control page template Daily category comparison Daily domain comparison Daily user comparison Disk information Estimated cost of Spam and Malware Executive summary of activity of a specific IP address Executive summary of activity of a specific user Executive summary of all group activity Firewall activity Incoming summary incl last 24 hours Interfaces and IP addresses Mailbox activity Malware Incl last 24 hours Outgoing summary incl last 24 hours Portal users logged in status Summary page template System information Time spent browsing for a specific user Time spent browsing sites in a specific category for a specific user Times of day a group browses a specific URL Times of day a user browses a specific URL Times of day a user browses and the categories browsed Times of day an IP address browses a specific URL Times of day an IP address browses and the categories browsed Times of day members of a group browses and the categories browsed Top blocked domains by hits Top blocked users by hits Top categories by hits and bandwidth Top categories by hits and bandwidth - with options Top client IPs by hits and bandwidth Top client IPs by hits and bandwidth - with options Top domains by hits and bandwidth Top domains by hits and bandwidth - with options Top search terms Top search terms and the searches they were used in for a specific user Top users by hits and bandwidth Top users by hits and bandwidth - with options Top users using banned search terms Updates VPN status and history Web filter statistics

Appendix B Application Groups
Standard Application Groups Deep Packet Inspection Application Groups

Glossary

Index

About This Guide

Smoothwall's Advanced Firewall is a licenced feature of your Smoothwall System. This manual provides guidance for configuring Advanced Firewall.

Audience and Scope

This guide is aimed at system administrators maintaining Advanced Firewall. This guide assumes the following prerequisite knowledge:

- An overall understanding of the functionality of the Smoothwall System
- An overall understanding of networking concepts

Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, contact your Smoothwall representative.

Organization and Use

This guide is made up of the following chapters and appendices:

- Chapter 1, Advanced Firewall Overview on page 3
- Chapter 2, Advanced Firewall Services on page 21
- Chapter 3, Producing Reports on page 67
- Chapter 4, Using Alerts, Information, and Logging on page 81
- Chapter 5, Managing Your Advanced Firewall on page 125
- Appendix A: Available Reports on page 161
- Appendix B: Application Groups on page 181
- Glossary on page 189
- Index on page 199

Conventions

The following typographical conventions are used in this guide:

Item | Convention | Example
Key product terms | Initial Capitals | Advanced Firewall, Smoothwall System
Menu flow, and screen objects | Bold | System > Maintenance > Shutdown; Click Save
Cross-references | Blue text | See Chapter 1, Introduction on page 1
References to other guides | Italics | Refer to the Advanced Firewall Administration Guide
Filenames and paths | Courier | The portal.xml file
Variables that users replace | Courier Italics |
Links to external websites | Blue text, underlined | Refer to

This guide is written in such a way as to be printed on both sides of the paper.

Related Documentation

The following guides provide additional information relating to Advanced Firewall:

- Advanced Firewall Installation Guide, which describes how to install Advanced Firewall
- Advanced Firewall Administration Guide, which describes how to configure Advanced Firewall
- Advanced Firewall Upgrade Guide, which describes how to upgrade Advanced Firewall
- Advanced Firewall User Portal Guide, which describes how to use the Advanced Firewall user portal
- contains the Smoothwall support portal, knowledge base and the latest product manuals.

1 Advanced Firewall Overview

This chapter introduces Advanced Firewall, including:

- Overview of Advanced Firewall on page 3
- Annual Renewal on page 4
- Accessing Advanced Firewall on page 4
- Dashboard on page 5
- Logs and Reports on page 6
- Networking on page 8
- Services on page 10
- System on page 13
- VPN on page 16
- Configuration Guidelines on page 16
- Connecting via SSH on page 18
- Secure Communication on page 18

Overview of Advanced Firewall

Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/LDAP user authentication for policy based access control to local network zones and Internet services. Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway.

Advanced Firewall provides:

- Perimeter firewall: Multiple Internet connections with load sharing and automatic connection failover
- User authentication: Policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
- Load balancer: The ideal solution for the efficient and resilient use of multiple Internet connections.
- Internal firewall: Segregation of networks into physically separate zones with user-level access control of inter-zone traffic
- Security: Anti-spam, anti-malware, mail relay and control. Note this is a separate module that you may not have installed.
- VPN Gateway: Site-to-site, secure remote access and secure wireless connections.

Annual Renewal

To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. For more information, contact your Smoothwall representative.

Accessing Advanced Firewall

To access Advanced Firewall, do the following:

1. In a web browser, enter the address of your Advanced Firewall, for example:

Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security.

Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide.

2. Accept Advanced Firewall's certificate. The login screen is displayed.

3. Enter the following information:

Field | Information
Username | Enter admin. This is the default Advanced Firewall administrator account.
Password | Enter the password you specified for the admin account when installing Advanced Firewall.

4. Click Login. The Dashboard opens.

The following sections describe Advanced Firewall's user interface.

Dashboard

The Dashboard is the default home page of your Advanced Firewall system. It displays the status of external interfaces, service information and customizable summary reports.

Logs and Reports

The Logs and reports section contains the following menu items and pages:

Reports

All report functionality, including customizing and scheduling, is found here:

Pages | Description
Summary | Displays a number of generated reports. For more information, see About the Summary Report on page 70.
Reports | Where you generate and organize reports. For more information, see Generating Reports on page 69.
Recent and saved | Lists recently-generated and previously saved reports. For more information, see Regenerating and Saving Reports on page 70.
Scheduled | Sets which reports are automatically generated and delivered. For more information, see Scheduling Reports on page 71.
Custom | Enables you to create and view custom reports. For more information, see Creating Custom Report Templates on page 73.

Alerts

You can enable alerts and monitors from here:

Pages | Description
Alerts | Determine which alerts are sent to which groups of users and in what format. For more information, see About Alerts on page 82.
Alert settings | Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Configuring Alert Settings on page 86.

Realtime

You can watch Advanced Firewall's log files populate in realtime from here:

Pages | Description
System | A real time view of the system log with some filtering options. For more information, see Realtime System Information on page 92.
Firewall | A real time view of the firewall log with some filtering options. For more information, see Realtime Firewall Information on page 93.
IPSec | A real time view of the IPSec log with some filtering options. For more information, see Realtime IPsec Information on page
Email | Displays the log viewer running in real time mode. For more information, see Logs on page 104. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide.
Portal | A real time view of activity on user portals. For more information, see Realtime Portal Information on page 94.
IM proxy | A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 95.
Traffic graphs | Displays a real time bar graph of the bandwidth being used. For more information, see Realtime Traffic Graphs on page 96.

Logs

You can view and download Advanced Firewall's log files from here:

Pages | Description
System | Simple logging information for the internal system services. For more information, see Viewing System Logs on page 97.
Firewall | Displays all data packets that have been dropped or rejected by the firewall. For more information, see Firewall Logs on page 100.
IPSec | Displays diagnostic information for VPN tunnels. For more information, see IPSec Logs on page 102.
Email | Displays sender, recipient, subject and other message information. For more information, see Logs on page 104. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide.
IDS | Displays network traffic detected by the intrusion detection system (IDS). For more information, see IDS Logs on page 106.
IPS | Displays network traffic detected by the intrusion prevention system (IPS). For more information, see IPS Logs on page 107.
IM proxy | Displays information about instant messaging conversations. For more information, see IM Proxy Logs on page 108.
Web proxy | Displays detailed analysis of web proxy usage. For more information, see Web Proxy Logs on page 109.
Reverse proxy | Displays information about reverse proxy usage. For more information, see Reverse Proxy Logs on page 111.
User portal | Displays information about access by users to portals. For more information, see User Portal Logs on page 113.
Log settings | Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, see Configuring Log Settings on page

Settings

You set global settings for reports, alerts, and log files from here:

Pages | Description
Datastore settings | Contains settings to manage the storing of log files. For more information, see Managing Log Retention on page 117.
Groups | Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Configuring Alert and Report Groups on page 122.
Output settings | Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Configuring Report and Alert Output Settings on page 118.

Networking

The Networking section contains the following sub-sections and pages:

Configuration

You configure all interfaces, whether they are NICs or software interfaces, here:

Pages | Description
Interfaces | Configure and display information for your Advanced Firewall's interfaces, including VLANs and bridges. For more information, refer to the Advanced Firewall Administration Guide.
DNS | Configure static DNS settings, and DNS proxy service settings. For more information, refer to the Advanced Firewall Administration Guide.
Link Load Balancing | Configure load balancing pools for network interfaces. For more information, refer to the Advanced Firewall Administration Guide.
Source NAT & LLB policies | Configure any source NAT-ing, source mapping policies, and load balancing policies. For more information, refer to the Advanced Firewall Administration Guide.
Port forwards | Configure any port forwarding policies to internal network services. For more information, refer to the Advanced Firewall Administration Guide.

Filtering

You can set up filtering rules here for network traffic:

Pages | Description
Zone bridging | Used to define permissible communication between pairs of network zones. For more information, refer to the Advanced Firewall Administration Guide.
Group bridging | Used to define the network zones that are accessible to authenticated groups of users. For more information, refer to the Advanced Firewall Administration Guide.
IP block | Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, refer to the Advanced Firewall Administration Guide.
Ethernet bridging | Used to block peer to peer traffic across the bridge interface. For more information, refer to the Advanced Firewall Administration Guide.

Routing

You can configure routing rules here for network traffic:

Pages | Description
Subnets | Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, refer to the Advanced Firewall Administration Guide.
RIP | Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, refer to the Advanced Firewall Administration Guide.

Outgoing

You can configure rules for externally bound network traffic here:

Pages | Description
Policies | Used to assign outbound access controls to IP addresses and networks. For more information, refer to the Advanced Firewall Administration Guide.
Ports | Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, refer to the Advanced Firewall Administration Guide.
External services | Used to define a list of external services that should always be accessible to internal network hosts. For more information, refer to the Advanced Firewall Administration Guide.

Settings

You set global settings for all networking aspects from here:

Pages | Description
Port groups | Create and edit groups of ports for use throughout Advanced Firewall. For more information, refer to the Advanced Firewall Administration Guide.
Address object manager | Create and edit IP address objects for use in networking configuration. For more information, refer to the Advanced Firewall Administration Guide.
Advanced | Used to configure advanced network and traffic auditing parameters. For more information, refer to the Advanced Firewall Administration Guide.

Services

The Services section contains the following sub-sections and pages:

Authentication

You configure user authentication policies here:

Pages | Description
Settings | Used to set global login time settings. For more information, refer to the Advanced Firewall Administration Guide.
Directories | Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, refer to the Advanced Firewall Administration Guide.
Groups | Used to customize group names. For more information, refer to the Advanced Firewall Administration Guide.
Temporary bans | Enables you to manage temporarily banned user accounts. For more information, refer to the Advanced Firewall Administration Guide.
User activity | Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, refer to the Advanced Firewall Administration Guide.
SSL login | Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, refer to the Advanced Firewall Administration Guide.
Kerberos keytabs | This is where Kerberos keytabs are imported and managed. For more information, refer to the Advanced Firewall Administration Guide.
BYOD | Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, see Using BYOD with Advanced Firewall on page 56.
Chromebook | Used to configure Google credentials for Chromebook authentication. For more information, refer to the Advanced Firewall Administration Guide.

User Portal

You configure and manage user portals here:

Pages | Description
Portals | This page enables you to configure and manage user portals. For more information, see Working with Portals on page 21.
Group access | This page enables you to assign groups of users to portals. For more information, see Creating a Portal on page 22.
User access | This page enables you to override group settings and assign a user directly to a portal. For more information, see Granting Individual User Access on page 26.

Proxies

You configure the proxy service for Advanced Firewall's individual modules, including:

Pages | Description
Web proxy | Configure the web proxy service for internal interfaces. For more information, see Managing the Web Proxy Service on page 27.
Instant messenger | Configure the instant messenger proxy service. For more information, see Instant Messenger Proxying on page 33.
SIP | Configure the SIP proxy service. For more information, see SIP Proxying on page 36.
FTP | Configure the FTP proxy service. For more information, see FTP Proxying on page 38.
Reverse proxy | Configure the reverse proxy service. For more information, see Reverse Proxy Service on page 42.

SNMP

You enable and configure the SNMP service here:

Pages | Description
SNMP | Used to activate Advanced Firewall's Simple Network Management Protocol (SNMP) agent. For more information, see SNMP on page

Message Censor

You can configure filtering policies for message content here:

Pages | Description
Policies | Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Creating and Applying Message Censor Policies on page 50.
Filters | This is where you create and manage filters for matching particular types of message content. For more information, see Creating Filters on page 49.
Time | This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Setting Time Periods on page 48.
Custom categories | Enables you to create and manage custom content categories for inclusion in filters. For more information, see Creating Custom Policies on page 54.

Intrusion System

You configure the Intrusion Detection System (IDS) here:

Pages | Description
Signatures | Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Uploading Custom Signatures on page 55.
Policies | Enables you to configure Advanced Firewall's intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Creating Custom Policies on page 54.
IDS | Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Deploying Intrusion Detection Policies on page 52.
IPS | Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Deploying Intrusion Prevention Policies on page 53.

DHCP

You can enable and configure DHCP services here:

Pages | Description
Global | Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, refer to the Advanced Firewall Administration Guide.
DHCP server | Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, refer to the Advanced Firewall Administration Guide.
DHCP leases | Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, refer to the Advanced Firewall Administration Guide.
DHCP relay | Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, refer to the Advanced Firewall Administration Guide.
Custom options | Used to create and edit custom DHCP options. For more information, refer to the Advanced Firewall Administration Guide.

System

The System section contains the following sub-sections and pages:

Maintenance

You use the following sections to manage and maintain various aspects of Advanced Firewall, including:

Pages | Description
Updates | Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Installing Updates on page 126.
Modules | Used to upload, view, check, install and remove Advanced Firewall modules. For more information, see Managing Modules on page 127.
Licenses | Used to display and update license information for the licensable components of the system. For more information, see Licenses on page 129.
Archives | Used to create and restore archives of system configuration information. For more information, see Archives on page 130.
Scheduler | Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Scheduling on page 131.
Shutdown | Used to shut down or reboot the system. For more information, see Rebooting and Shutting Down on page 134.

Central Management

You can set up a centrally managed Advanced Firewall system here:

Pages | Description
Overview | This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, refer to the Advanced Firewall Administration Guide.
Child nodes | This is where you add and configure nodes in a Smoothwall system. For more information, refer to the Advanced Firewall Administration Guide.
Local node settings | This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, refer to the Advanced Firewall Administration Guide.

Preferences

You can customize your installation of Advanced Firewall here:

Pages | Description
User interface | Used to manage Advanced Firewall's dashboard settings. For more information, see Configuring the User Interface on page 135.
Time | Used to manage Advanced Firewall's time zone, date and time settings. For more information, see Setting Time on page 136.
Registration options | Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Configuring Registration Options on page 137.
Hostname | Used to configure Advanced Firewall's hostname. For more information, see Changing the Hostname on page 138.

Administration

You can enable administration access to Advanced Firewall here:

Pages | Description
Admin options | Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Configuring Administration Access Options on page 139.
External access | Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Configuring External Access Rules on page 140.
Administrative users | Used to manage user accounts and set or edit user passwords on the system. For more information, see Administrative User Settings on page 142.
Tenants | Used to manage tenants. For more information, refer to the Multi-Tenant Installation and Administration Guide. Note you may not see this option if you have not purchased a Multi-Tenant licence.

Hardware

You can configure additional hardware aspects here:

Pages:
UPS: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Managing UPS Devices on page 145.
Failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Managing Hardware Failover on page 149.
Console: Configure the system console. For more information, see.

Diagnostics

You can perform diagnostics tests here:

Pages:
Functionality tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Using Advanced Firewall's Diagnostic Tools on page 154.
Configuration report: Used to create diagnostic files for support purposes. For more information, see Exporting Advanced Firewall's Configuration on page 156.
IP tools: Contains the ping and trace route IP tools. For more information, see Using IP Tools on page 156.
Whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Using Whois on page 158.

Certificates

You can configure Advanced Firewall as a Certificate Authority:

Page:
Certificate authorities: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Managing CA Certificates on page

VPN

You can configure multiple VPN tunnels through Advanced Firewall here:

Pages:
Control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, refer to the Advanced Firewall Administration Guide.
Certificate authorities: Used to create a local certificate authority (CA) for use in an X509 authentication-based VPN setup. It is also possible to import and export CA certificates on this page. For more information, refer to the Advanced Firewall Administration Guide.
Certificates: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, refer to the Advanced Firewall Administration Guide.
Global: Used to configure global settings for the VPN system. For more information, refer to the Advanced Firewall Administration Guide.
IPSec subnets: Used to configure IPSec subnet VPN tunnels. For more information, refer to the Advanced Firewall Administration Guide.
IPSec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, refer to the Advanced Firewall Administration Guide.
L2TP roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, refer to the Advanced Firewall Administration Guide.
SSL roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, refer to the Advanced Firewall Administration Guide.

Configuration Guidelines

This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address

An IP address defines the network location of a single network host. The following format is used:

IP Address Range

An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:

Subnet Addresses

A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:

/ /24

Netmasks

A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:

Service and Ports

A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:

Port Range

A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:

137:139

Using Comments

Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Connecting via SSH

You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.

Connecting Using a Client

When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY.

To connect using an SSH client:
1. Check SSH access is enabled on Advanced Firewall. See Configuring Administration Access Options on page 139 for more information.
2. Start PuTTY or an equivalent client.
3. Enter the following information:
Host Name (or IP address): Enter Advanced Firewall's host name or IP address.
Port: Enter 222
Protocol: Select SSH.
4. Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.

Secure Communication

When you connect your web browser to Advanced Firewall's web-based interface on an HTTPS port for the first time, your browser will display a warning that Advanced Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.

Unknown Entity Warning

This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Advanced Firewall's certificate is a self-signed certificate.

Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.

To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information about how to import the certificate.

Inconsistent Site Address

Your browser will generate a warning if Advanced Firewall's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address. A certificate can only contain a single site name, and in Advanced Firewall's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match.

To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future.

Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.


2 Advanced Firewall Services

This chapter describes additional features and services of Advanced Firewall, including:
Working with Portals on page 21
Managing the Web Proxy Service on page 27
Instant Messenger Proxying on page 33
Monitoring SSL-encrypted Chats on page 36
SIP Proxying on page 36
FTP Proxying on page 38
Reverse Proxy Service on page 42
SNMP on page 45
Censoring Message Content on page 46
Managing the Intrusion System on page 52
Using BYOD with Advanced Firewall on page 56

For information about authentication services, refer to your Advanced Firewall Administration Guide.

Working with Portals

Advanced Firewall enables you to create portals, simplified versions of the Advanced Firewall user interface, to manage operations, including:
Use the policy tester: This is a simplified version of Advanced Firewall's policy tester. For more information, refer to the Advanced Firewall Administration Guide.
Generate reports: You can restrict the number of reports available. You can also save reports generated on the administration user interface to the user portal.

Manage web access: You can block web access for groups of users, or from specified locations.
Manage categories: You can add or remove domains, and search terms from categories.

For a detailed description about using a portal, refer to the Advanced Firewall User Portal Guide.

Creating a Portal

The following section explains how to create a portal and make it accessible to users in a specific group.

To create a user portal, do the following:
1. Browse to Services > User portal > Portals.
2. From the Portals panel, click New.
3. Configure a name for the portal in the Name text box.
4. Click Save. Users access the portal from a web browser, using the URL: Firewall_IPAddress>/portal, where Advanced Firewall_IPAddress is the IP address assigned to Advanced Firewall.

5. Browse to Services > User portal > Groups access.
6. Configure the following parameters:
Group: From the drop-down menu, select the user group that will use this portal. For more information about users and groups, refer to the Advanced Firewall Administration Guide.
Portal: From the drop-down menu, select the portal that this group can access.

The next step is to configure the portal to enable authorized users to use it to download files, manage web access and display reports.

Configuring a Portal

Configuring a user portal involves the following:
Enabling the Policy Tester on page 23
Making Reports Available on page 24
Managing Bandwidth Classes on page 24
Enabling Groups to Block Users Access on page 25
Managing Filter Lists on page 25
Making the SSL VPN Client Archive Available on page 26
Configuring a Welcome Message on page 26

The following sections explain how to configure an Advanced Firewall portal so that authorized users can view reports, enable the policy tester, block other users from accessing the web, download VPN client files and receive a custom welcome message.

Enabling the Policy Tester

The policy tester enables portal users to test if a URL is accessible to a user at a specific location and time. It also enables them to request that content reported by the tool as blocked be unblocked by Advanced Firewall's system administrator.

To grant access to the policy tester, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.

3. Scroll down to the Policy tester panel, and configure the following:
Enabled: Select to enable or disable access to the policy tester from this portal.
Allow block/unblock requests: Select this to allow portal users to send an unblock request to the Advanced Firewall's system administrator.
Administrator's address: Enter the address to send the unblock request to.
4. Scroll down to the bottom of the page, and click Save.

For more information about the policy tester, refer to the Advanced Firewall Administration Guide.

Making Reports Available

There are two methods available to make reports available to a user portal; you can either add a number of reports at the same time, or add them individually. The following procedure describes how to add a number of reports to a portal. For a detailed description of how to add individual reports to a portal, see Making Reports Available on User Portals on page 78.

To make a number of reports available to the portal, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Portal published reports and templates panel, and configure the following:
Reporting on portal: Select to enable or disable access to reports from this portal.
Select templates: Select those reports that can be run from this user portal. Note that by selecting a top-level folder, access is granted to all reports contained in that folder.
4. Scroll down to the bottom of the page, and click Save.

Managing Bandwidth Classes

Portal users can enable or disable Bandwidth classes as required.

Note: Bandwidth is a licensed add-on module of Unified Threat Management, and may not be available through your administration interface. For more information about using the Bandwidth module, refer to your Smoothwall representative.

To grant access to Bandwidth classes management, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Bandwidth management panel, and configure the following:
Allow control of bandwidth classes: Select to enable or disable Bandwidth class management from this user portal.
4. Scroll down to the bottom of the page, and click Save.

For more information about the Bandwidth module of Unified Threat Management, refer to the Bandwidth Installation and Administration Guide.

Enabling Groups to Block Users Access

You can enable portal users in a specific group to block web access for all users in a specific group, or specific location.

To grant access for web access management, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Portal permissions for web access management panel, and configure the following:
Enabled: Select to enable or disable web access management from this user portal.
Allow control of groups: Select to enable or disable blocking of web access for groups from this user portal. From the list of groups underneath, select the group, or groups, that the user is authorized to block. Use CTRL or SHIFT to select multiple groups.
Allow control of locations: Select to enable or disable blocking of web access for locations from this user portal. From the list of locations underneath, select the location, or locations, that the user is authorized to block. Use CTRL or SHIFT to select multiple locations.
4. Scroll down to the bottom of the page, and click Save.

For more information about configuring groups and locations, refer to the Advanced Firewall Administration Guide.

Managing Filter Lists

Portal users can add or remove domains and search terms from web filter categories.

To grant access to filter lists management, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Portal filter list management panel, and configure the following:
Manage filter lists on portal: Select to enable or disable filter lists management from this user portal.
4. Scroll down to the bottom of the page, and click Save.

For more information about web filter categories, refer to the Advanced Firewall Administration Guide.

Making the SSL VPN Client Archive Available

You can configure Advanced Firewall portals to make an SSL VPN client archive available for download on the portal.

To make the archive available:
1. In the VPN connection details panel, select SSL VPN client archive download. For a detailed description about creating the archive, refer to your Advanced Firewall Administration Guide.
2. Browse to the bottom of the page and click Save to save the settings.

Configuring a Welcome Message

Advanced Firewall enables you to display a customized welcome message when a user visits a portal.

To display a welcome message on a portal, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Welcome message panel, and configure a welcome message. To disable the welcome message, untick the Welcome message box.
4. Scroll down to the bottom of the page, and click Save.

Granting Individual User Access

You can configure Advanced Firewall so that a user uses a specific portal. This setting overrides group settings.

To grant individual access, do the following:
1. Browse to the Services > User portal > User access page.
2. From the Add user panel, configure the following parameters:
Username: Enter the username for the user for this user portal. This is case-sensitive.
Portal: From the drop-down menu, select the portal that the user can access.
3. Click Add.

Editing Portals

The following section explains how to edit a portal.

To edit a portal:
1. Browse to the Services > User portal > Portals page.
2. From the Portals drop-down list, select the portal you want to edit.
3. Make the changes you require. See Configuring a Portal on page 23 for information about the settings available.
4. Click Save to save the changes.

Deleting Portals

The following section explains how to delete a portal.

To delete a portal:
1. Browse to the Services > User portal > Portals page.
2. From the Portals drop-down list, select the portal you want to delete.
3. Click Delete. Advanced Firewall deletes the portal.

Managing the Web Proxy Service

Advanced Firewall's web proxy service provides local network hosts with controlled access to the Internet with the following features:
Transparent or non-transparent operation
Caching controls for improved resource access times
Support for automatic configuration scripts
Support for remote proxy servers.

Configuring and Enabling the Web Proxy Service

To configure and enable the web proxy service:
1. Navigate to the Services > Proxies > Web proxy page.
2. Configure the following settings:

Cache size: Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system's total storage capacity, up to a maximum of around 10 gigabytes approximately megabytes for a high performance system with storage capacity in excess of 25 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.

Remote proxy: Optionally, enter the IP address of a remote proxy in the following format: hostname:port. In most scenarios this field will be left blank and no remote proxy will be used. Used to configure the web proxy to operate in conjunction with a remote web proxy. Larger organizations may wish to use a dedicated proxy, or sometimes ISPs offer remote proxy servers to their subscribers.
Remote proxy username: Enter the remote proxy username if using a remote proxy with user authentication.
Remote proxy password: Enter the remote proxy password when using a remote proxy with user authentication.
Max object size: Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.
Min object size: Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. The default is no minimum; this should be suitable for most purposes. This can be useful for preventing large numbers of tiny objects filling the cache.
Max outgoing size: Specify the maximum amount of outbound data that can be sent by a browser in any one request. The default is no limit. This can be used to prevent large uploads or form submissions.
Max incoming size: Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. The default is no limit. This can be used to prevent excessive and disruptive download activity.
Transparent: Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy. All requests are automatically redirected through the cache. This can be used to prevent network hosts from browsing without using the proxy server. In non-transparent mode, proxy server settings (IP address and port settings) must be configured in all browsers. For more information, see About Web Proxy Methods on page 31.
Disable proxy logging: Select to disable the proxy logging.
Enabled: Select to enable the web proxy service.

Allow admin port access: Select to permit access to other network hosts over ports 81 and 441. This is useful for accessing a remote Smoothwall System, or other nonstandard HTTP and HTTPS services, through the proxy. In normal circumstances such communication would be prevented. Note: By selecting this option, it is possible to partially bypass the admin access rules on the System > Administration > Admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
Do not cache: Enter any domains that should not be web cached. Enter domain names without the www. prefix, one entry per line. This can be used to ensure that old content of frequently updated web sites is not cached.
Exception local IP addresses: Enter any IP addresses on the local network that should be completely exempt from authentication restrictions. Exception local IP addresses are typically used to grant administrator workstations completely unrestricted Internet access.
Banned local IP addresses: Enter any IP addresses on the local network that are completely banned from using the web proxy service. If any hosts contained in this list try to access the web they will receive an error page stating that they are banned.
No user authentication: Select to allow users to globally access the web proxy service without authentication.
Proxy authentication: Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser. The username and password details are encoded in all future page requests made by the user's browser software. Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
Core authentication: Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as unauthenticated.
Groups allowed to use web proxy: Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership. Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
Automatic configuration script custom direct hosts: Enter any additional hosts required to the automatic configuration script's list of direct (non-proxy routing) hosts. This is useful for internal web servers such as a company intranet server. All hosts listed will be automatically added to a browser's Do not use proxy server for these addresses proxy settings if they access the automatic configuration script for their proxy settings. Note: Browsers must be configured to access the automatic configuration script to receive this list of direct routing hosts.

Use automatic configuration script address: After enabling and restarting the service, the automatic configuration script location is displayed here. Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser's implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
Manual web browser proxy settings: After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
Interfaces: Select the interface for the web proxy traffic.

3. Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache.

Note: Save and Restart with cleared cache is used to save configuration changes and empty the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information, typically from failed web-browsing or poorly constructed web sites. The web proxy will be restarted with any configuration changes applied.

Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be suspended and any currently active downloads will fail. It is a good idea to restart when it is convenient for the proxy end-users.

About Web Proxy Methods

The following sections discuss the types of web proxy methods supported by Advanced Firewall.

Transparent Proxying

If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all HTTP port 80 requests will be automatically redirected through the proxy cache. If you are having problems with transparent proxying, check that the following settings are not configured in end-user browsers:
Automatic configuration
Proxy server

Non-Transparent Proxying

If Advanced Firewall's web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Advanced Firewall network zones must be configured. You can configure browser settings:
Manually: Browsers are manually configured to enable Internet access.
Automatically using a configuration script: Browsers are configured to receive proxy configuration settings from an automatic configuration script, proxy.pac. The configuration script is automatically generated by Advanced Firewall and is accessible to all network zones that the web proxy service is enabled on.
WPAD automatic script: Browsers are configured to automatically detect proxy settings and a local DNS server or Advanced Firewall static DNS has a host wpad.yourdomainname added.

Configuring End-user Browsers

The following steps explain how to configure web proxy settings in the latest version of Internet Explorer available at the time of writing.

To configure Internet Explorer:
1. Start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the following settings:

Method: Manual
To configure:
1. In the Proxy server area, select Use a proxy server for your LAN.
2. Enter your Advanced Firewall's IP address and port number 800. This information is displayed on the Services > Proxies > Web proxy page, in the Automatic configuration script area.
3. Click Advanced to access more settings.
4. In the Exceptions area, enter the IP address of your Advanced Firewall and any other IP addresses for content that you do not want filtered, for example, your intranet or local wiki.
5. Click OK and OK to save the settings.

Method: Automatic configuration script
To configure:
1. In the Automatic configuration area, select Use automatic configuration script.
2. Enter the location of the script, for example: The location is displayed on the Services > Proxies > Web proxy page, in the Automatic configuration script area.
3. Ensure that no other proxy settings are enabled or have entries.
4. Click OK and OK to save the settings.
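A hand-written script of the kind the Automatic configuration script method points the browser at, added here as an example; it is not the proxy.pac that Advanced Firewall generates. The firewall address 192.0.2.1 and the direct host names are constructed values, and port 800 is the proxy port given in the Manual method. Browsers supply isPlainHostName() and dnsDomainIs() themselves; the stand-ins below only let the file run under Node for testing.

```javascript
// Written with var and plain loops so that older browsers can parse it.

// Constructed values: 192.0.2.1 stands in for the firewall's IP address and
// the names below stand in for entries in "custom direct hosts".
var FIREWALL_IP = "192.0.2.1";
var PROXY_ONLY = "PROXY " + FIREWALL_IP + ":800"; // port 800 as in the guide
var DIRECT_HOSTS = ["intranet.example.test", "wiki.example.test"];

// Stand-ins for the helpers a browser provides to every PAC script.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// True when host is a listed direct host or a subdomain of one.
// The leading dot matters: dnsDomainIs(host, "intranet.example.test")
// would also accept "notintranet.example.test" and send it around the proxy.
function isDirectHost(host) {
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i] || dnsDomainIs(host, "." + DIRECT_HOSTS[i])) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names can only be local machines.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // The firewall's own interface is reached directly, as in the
  // Exceptions step of the Manual method.
  if (host === FIREWALL_IP) {
    return "DIRECT";
  }
  if (isDirectHost(host)) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback is listed, so browsing stops when the proxy is
  // unreachable instead of silently going around it.
  return PROXY_ONLY;
}
```
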

Method: WPAD
To configure:
Note: This method is only recommended for administrators familiar with configuring web and DNS servers.
1. In the Automatic configuration area, select Automatically detect settings.
2. Click OK and OK to save the settings.
3. On a local DNS server or using Advanced Firewall static DNS, add the host wpad.yourdomainname, substituting your domain name. The host must resolve to the Advanced Firewall IP.

When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the front of its fully qualified domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use.

Note: PCs must be configured with the same domain name as the A record for it to work. However, Microsoft Knowledge Base article Q suggests that the WPAD method does not work on Windows They suggest that you should use a DHCP auto-discovery method using a PAC file. See the article for more information. This is contrary to some of our testing.

Instant Messenger Proxying

Advanced Firewall's Instant Messenger (IM) proxy service can log the majority of IM traffic. Advanced Firewall can also censor instant messaging content. For more information, see Censoring Message Content on page 46.

Note: Advanced Firewall cannot monitor IM sessions within HTTP requests, such as when Microsoft MSN connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations which are secured by end-to-end encryption, such as provided by Off-the-Record Messaging. However, using SSL Intercept, see below, Advanced Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL.

To configure the instant messaging proxy service:
1. Browse to the Services > Proxies > Instant messenger page.
2. Configure the following settings:

Enabled: Select to enable the instant messaging proxy service.
Enable Message Censor: Select to enable censoring of words usually considered unsuitable. Advanced Firewall censors unsuitable words by replacing them with *s. For more information, see Censoring Message Content on page 46.
Hide conversation text: Select this option to record instant message events, such as messages in and out, but to discard the actual conversation text before logging.
Block all filetransfers: Select this option to block file transfers using certain IM protocols. Currently, when enabled, this setting blocks files transferred using MSN, ICQ, AIM and Yahoo IM protocols.
MSN: Select to proxy and monitor Microsoft Messenger conversations.
AIM and ICQ: Select to proxy and monitor ICQ and AIM conversations.
Yahoo: Select to proxy and monitor Yahoo conversations.
GaduGadu: Select to proxy and monitor GaduGadu conversations.
Jabber: Select to proxy and monitor conversations which use the Jabber protocol.
Intercept SSL: Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page

Blocked response: Select to inform IM users that their message or file transfer has been blocked. This option does not work with the ICQ/AIM protocol.
Logging warning response: Select to inform IM users that their conversation is being logged. Note: This option does not work with the ICQ/AIM protocol.
Blocked response message: Optionally, enter a message to display when a message or file is blocked; or accept the default message. If multiple messages or files are blocked, this message is displayed at 15 minute intervals.
Logging warning response message: Optionally, enter a message to display informing users that their conversations are being logged. This message is displayed once a week.
Automatic whitelisting: Settings here enable you to control who can instant message your local users.
Block unrecognized remote users: Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely. When this option is selected, any remote users who are not on the white-list are automatically blocked.
Number of current entries: Displays the number of entries currently in the whitelist user list.
Clear Automatic Whitelisted user list: Click to clear the whitelist.
White-list users: To whitelist a user, enter their instant messaging ID, for example [email protected].
Black-list users: To blacklist a user, enter their instant messaging ID, for example [email protected].
Enabled on interfaces: Select the interfaces on which to enable IM proxying.
Exception local IP addresses: To exclude specific IP addresses, enter them here.

3. Click Save to save and implement your settings.

Monitoring SSL-encrypted Chats

Advanced Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for encryption.

Note: Using Network Guardian to monitor SSL-encrypted IM chats reduces security on IM clients as the clients are unable to validate the real IM server certificate.

To monitor SSL-encrypted conversations:

1. Browse to the Services > Proxies > Instant messenger page. Enable IM proxying and configure the settings you require. For full information about the settings available, see Instant Messenger Proxying.
2. Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
3. Click Export Certificate Authority certificate. Advanced Firewall generates an Advanced Firewall CA certificate.
4. Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients. Advanced Firewall will now monitor and log the chats.

SIP Proxying

Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. SIP normally operates on port 5060, and is used to set up sessions between two parties. In the case of VoIP, it is a RealTime Protocol (RTP) session that is set up, and it is the RTP stream that carries voice data.

RTP operates on random unprivileged ports, and, as such, is not NAT friendly. For this reason, Advanced Firewall's SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly. Advanced Firewall's SIP proxy is also able to proxy RTP traffic, solving some of the problems involved in setting up VoIP behind NAT.

Types of SIP Proxy

There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering proxy or registrar allows SIP clients to register so that they may be looked up and contacted by external users.
A pass-through proxy merely rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened. Some clients will allow users to configure one SIP proxy; this is invariably the registering proxy. Others will allow for two proxies: one to which the client will register, and one which the client uses for access, a pass-through.
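The rewrite a pass-through proxy performs can be seen on the SDP body of an INVITE, which is where a client behind NAT advertises its private address and RTP port. The following is an added example, not Smoothwall's code: the function name, the sample INVITE and all addresses are constructed, and it covers only the SDP body (a real proxy also rewrites headers such as Via and Contact).

```python
import re

def rewrite_sdp_for_nat(message, public_ip, first_relay_port):
    """Replace private addresses/ports in the SDP body of a SIP message.

    Returns (new_message, relays); each relay is
    (public_port, private_ip, private_port), i.e. the RTP port the proxy
    must open and where it must forward the media.
    """
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a SIP message: no blank line before the body")
    session_ip = None      # address from the session-level c= line
    current = None         # relay entry of the media section being read
    in_media = False
    relays, out = [], []
    next_port = first_relay_port
    for line in body.decode("ascii").split("\r\n"):
        if line.startswith("o="):
            fields = line.split(" ")
            if len(fields) == 6 and fields[3:5] == ["IN", "IP4"]:
                fields[5] = public_ip
                line = " ".join(fields)
        elif line.startswith("c=IN IP4 "):
            private = line.split(" ")[2]
            if in_media:
                if current is not None:
                    current[1] = private   # media-level c= overrides session
            else:
                session_ip = private
            line = "c=IN IP4 " + public_ip
        elif line.startswith("m="):
            fields = line.split(" ")
            if "/" in fields[1]:
                raise ValueError("multi-port m= lines are not handled here")
            in_media, current = True, None
            port = int(fields[1])
            if port != 0:                  # port 0 marks a disabled stream
                current = [next_port, session_ip, port]
                relays.append(current)
                fields[1] = str(next_port)
                line = " ".join(fields)
                next_port += 2             # leave the odd port for RTCP
        out.append(line)
    new_body = "\r\n".join(out).encode("ascii")
    # The body length changed, so Content-Length must be corrected as well.
    new_head = re.sub(
        rb"(?im)^(content-length|l)([ \t]*:[ \t]*)\d+",
        lambda m: m.group(1) + m.group(2) + str(len(new_body)).encode(),
        head)
    return new_head + sep + new_body, [tuple(r) for r in relays]

# Constructed sample: a client at 192.168.1.50 offering audio on port 49170.
SAMPLE_BODY = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "",
]).encode("ascii")
SAMPLE_INVITE = ("\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060",
    "From: <sip:alice@example.org>",
    "To: <sip:bob@example.net>",
    "Call-ID: constructed-sample-1",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "Content-Length: %d" % len(SAMPLE_BODY),
]) + "\r\n\r\n").encode("ascii") + SAMPLE_BODY

if __name__ == "__main__":
    msg, relays = rewrite_sdp_for_nat(SAMPLE_INVITE, "203.0.113.5", 40000)
    print(msg.decode("ascii"))
    print(relays)
```

The returned relay list is what ties signalling to media: only the ports named there need to be opened, which is why the RTP stream does not need a wide static port range on the firewall.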

Choosing the Type of SIP Proxying

As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode, the proxy is only useful as a pass-through. This mode is useful for those clients which do not support a second proxy within their configuration. If all your clients can be properly configured with a second proxy, transparent mode is not required. If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture of operation is possible.

Configuring SIP

To configure and enable the SIP proxy:

1. Browse to Services > Proxies > SIP.
2. Configure the following:

Enabled: Select to enable the SIP proxy service.
Logging level: Select the required logging level:
  Normal: Logs just warning and error messages
  Detailed: As above, plus informational messages
  Very detailed: As above, plus debugging messages
Maximum number of clients: Select the maximum number of clients which can use the proxy. Setting the maximum number of clients is a useful way to prevent malicious internal users performing a Denial of Service (DoS) attack on your registering proxy.
Transparent: The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy. When operating transparently, the SIP proxy is not used as a registrar, but allows internal SIP devices to communicate properly with an external registrar such as an ITSP.

SIP client internal address: From the drop-down list, select the interface for the SIP proxy to listen for internal connections on. This is the interface SIP clients use.
SIP client external address: From the drop-down list, select the interface for the SIP proxy to listen for external connections on.
Diffserv mark for RTP packets: From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. The built-in RTP proxy is able to apply a diffserv mark to all RTP traffic for which it proxies. This is useful because it is otherwise quite tricky to define RTP traffic, as it may occur on a wide range of ports. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls. The standard mark is BE which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP.
Log calls: Select if individual call logging is required.
Exception local IP addresses: List those hosts which should not be forced to use the transparent SIP proxy. Each entry must be on a new line. You can either list individual IP addresses, or enter a range using a hyphen - as the delimiter.

3. Click Save to enable and implement SIP proxying.

Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall's NAT.

FTP Proxying

Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent proxying possible.

Configuring non-transparent FTP Proxying

To configure FTP proxying in non-transparent mode, do the following:

1. Browse to the Services > Proxies > FTP page.
2. Configure the following settings:

Status: Select Enabled to enable the FTP proxy.
Anti-malware scanning: Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware.
Proxy port: From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Configuring External Access Rules on page 140 for more information.
Access control:
  Allow connections to any server: Select to allow FTP connections to all servers.
  Only connections to specified servers: Select to specify which remote FTP connections are allowed and configure the following:
    Remote FTP server white-list: Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or
    If no information is listed, all hostnames on all ports will be accessible.

3. Click Save changes to save the settings and enable non-transparent FTP proxying.
4. Configure FTP clients as follows:

Remote host: Enter Advanced Firewall's hostname or IP address.
Remote port: Enter the FTP proxy port configured on Advanced Firewall, either 21 or
  See Configuring non-transparent FTP Proxying on page 39 for more information.
Remote username: Enter the username in the following format: remoteusername@remoteftpserver

Configuring Transparent FTP Proxying

To configure transparent FTP proxying:

1. Browse to the Services > Proxies > FTP page.
2. Configure the following settings:

Status: Select Enabled to enable the FTP proxy.
Anti-malware scanning: Select to scan files for malware. Note: For performance reasons, files larger than 100 MB are not scanned for malware.
Proxy port: From the drop-down list, select the port for FTP traffic. Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Configuring External Access Rules on page 140 for more information.

Access control:
  Allow connections to any server: Select to allow FTP connections to all servers.
  Only connections to specified servers: Select to specify which remote FTP connections are allowed and configure the following:
    Remote FTP server white-list: Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP, colon and port per line, for example: ftp.company.com or
    If no information is listed, all hostnames on all ports will be accessible.

3. In the Transparent proxy settings area, configure the following settings:

Source IPs:
  Transparently proxy all IPs: Select to transparently FTP proxy for all source IPs.
  Transparently proxy only the following IPs: Select to transparently FTP proxy for the source IPs specified. Enter the IP addresses of local machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example:
  Transparently proxy all except the following IPs: Select to transparently FTP proxy all except the source IPs specified. Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example:

Destination IPs:
  Transparently proxy all IPs: Select to transparently FTP proxy for all destination IPs.
  Transparently proxy only the following IPs: Select to transparently FTP proxy for the destination IPs specified. Enter the IP addresses of the machines which are to be allowed access to transparent FTP proxying. Enter one IP address per line, for example:
  Transparently proxy all except the following IPs: Select to transparently FTP proxy all except the destination IPs specified. Enter the IP addresses of the machines which are to be excluded from transparent FTP proxying. Enter one IP address per line, for example:
Transparent proxy interfaces: Select the interface on which to transparently proxy FTP traffic.

4. Click Save changes to save the settings and enable transparent FTP proxying.

When running Advanced Firewall's FTP proxy in transparent mode, you do not need to configure FTP client applications.

Reverse Proxy Service

Advanced Firewall's reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. The reverse proxy service:

- Provides the ability to route multiple HTTP and HTTPS sites to each of their own internal servers.
- Provides the ability to publish Microsoft Exchange services such as Outlook Web Access (OWA) and Outlook Anywhere (previously RPC over HTTPS).
- Monitors traffic passing through the reverse proxy.
- Increases server efficiency by SSL off-loading.
- Improves web server security using intrusion prevention system (IPS).

Configuring the Reverse Proxy Service

The following sections explain how to enable, configure and deploy the reverse proxy service.

To enable, configure and deploy the reverse proxy service:

1. Navigate to the Services > Proxies > Reverse proxy page.
2. In the Global options area, configure the following settings:

Reverse proxy: Select one of the following settings:
  Enable: Select to enable the service.
  Disable: Select to disable the service.
SSL certificate: The reverse proxy service caters for HTTPS sites using an SSL certificate. Select one of the following options to specify the SSL certificate to use:
  Built-in: Select this option to use Advanced Firewall's built in SSL certificate.
  Custom certificate: Select this option to upload a custom certificate and key file.
  Note: The certificate and key files must be distinct and separate and they must be in the unencrypted PEM format.
  To upload a custom certificate and key:
    1. Certificate: Click the Choose file/browse button and browse to and select the certificate. Click Upload to upload the certificate.
    2. Key: Click the Choose file/browse button and browse to and select the key. Click Upload to upload the certificate.
  Tip: You can use the XCA certificate and key management client to import and export your SSL certificates and key files in any standard format.

3. Optionally, click Advanced and configure the following settings:

Intrusion prevention: Advanced Firewall's intrusion prevention system (IPS) policies stop intrusions such as known and zero-day attacks, undesired access and denial of service. Select Enable apply to apply an enabled IPS policy. For more information, see Managing the Intrusion System on page 52.
Failback internal address: Enter the IP address, e.g or IP address and port, e.g :1234, of the web server to failback to, if a request does not match an address already configured.

4. Click Save to save the global options. In the Manage rule area, configure the following settings:

Name: Enter a descriptive name for the reverse proxy rule.
External address: Enter the URL, domain or IP address of the site you want to publish in the following format: or
  You must include http or https in the address. You can also enter a path to the site you want to publish in the URL.
  Note: When configuring: and example.com, they are treated as distinct and separate sites, unless you use a wildcard for the domain. To use a wildcard, specify it as:.example.com
Internal address: Enter the protocol with the IP address or IP address and port of the web server, e.g
  A port number is optional on the internal address; this enables you to specify custom destination ports for various internal web servers. If no port is specified, Advanced Firewall will default to 80 for HTTP sites and 443 for HTTPS sites.

5. Click Save. Advanced Firewall enables and deploys the reverse proxy service and lists it in the Rules area. Repeat the steps above to enable, configure and deploy more rules.

SNMP

Simple Network Management Protocol (SNMP) is part of the IETF's Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes. Advanced Firewall's SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:

- System name, description, location and contact information
- Live TCP and UDP connection tables
- Detailed network interface and usage statistics
- Network routing table
- Disk usage information
- Memory usage information.

In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP service is enabled. The SNMP service allows all gathered management data to be queried by any SNMP-compatible NMS (Network Management System) device that is a member of the same SNMP community. The Community field is effectively a simple password control that enables SNMP devices sharing the same password to communicate with each other.

To enable and configure the SNMP service:

1. Navigate to the Services > SNMP > SNMP page.
2. Select Enabled and enter the SNMP community password into the Community text field. The default value public is the standard SNMP community.
3. Click Save.

Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by Advanced Firewall's SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.

Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 5, Configuring Administration and Access Settings on page 139.

Censoring Message Content

Advanced Firewall enables you to create and deploy policies which accept, modify, block and/or log content in messages. Configuring a message censor policy entails:

- Defining custom categories required to cater for situations not covered by the default Advanced Firewall phrase lists. For more information, see Creating Custom Categories on page 46.
- Configuring time periods during which policies are applied. For more information, see Setting Time Periods on page 48.
- Configuring filters which classify messages by their textual content. For more information, see Creating Filters on page 49.
- Configuring and deploying a policy consisting of a filter, an action, a time period and level of severity. See Creating and Applying Message Censor Policies on page 50.

Creating Custom Categories

Custom categories enable you to add phrases which are not covered by the default Advanced Firewall phrase lists.

To create a custom category:

1. Browse to the Services > Message censor > Custom categories page.

2. Configure the following settings:

Name: Enter a name for the custom category.
Comment: Optionally, enter a description of the category.
Phrases: Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:
  (example-exact-phrase)
    Advanced Firewall matches exact phrases without taking into account possible spelling errors.
  (example-approximate-phrase)(2)
    For the number specified, Advanced Firewall uses fuzzy matching to take into account that number of spelling mistakes or typographical errors when searching for a match.

3. Click Add. Advanced Firewall adds the custom category to the current categories list and makes it available for selection on the Services > Message censor > Filters page.

Editing Custom Categories

The following section explains how to edit a custom category.

To edit a custom category:

1. Browse to the Services > Message censor > Custom categories page.
2. In the Current categories area, select the category and click Edit.
3. In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.

Deleting Custom Categories

The following section explains how to delete custom categories.

To delete custom categories:

1. Browse to the Services > Message censor > Custom categories page.
2. In the Current categories area, select the category or categories and click Remove.
3. At the top of the page, click Restart to apply the changes.
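The phrase format described under Creating Custom Categories can be checked before it is pasted into the Phrases box. The following is an added example, not Smoothwall's code: it parses the (phrase) and (phrase)(N) lines and models "N spelling mistakes" as Levenshtein edit distance against any part of the message, which is an assumption since the guide does not say how the fuzzy matching is implemented. The function names and the sample phrases are constructed.

```python
import re

# One phrase per line: "(phrase)" is exact, "(phrase)(N)" tolerates N errors.
PHRASE_LINE = re.compile(r"^\((?P<phrase>[^()]+)\)(?:\((?P<errors>\d+)\))?$")

def parse_category(text):
    """Parse a phrase list into [(phrase, max_errors)]; reject bad lines."""
    rules = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = PHRASE_LINE.match(line)
        if m is None:
            raise ValueError(
                "line %d: expected (phrase) or (phrase)(N): %r" % (number, line))
        rules.append((m.group("phrase").lower(), int(m.group("errors") or 0)))
    return rules

def min_substring_distance(pattern, text):
    """Smallest edit distance between pattern and ANY substring of text.

    Sellers' variant of the Levenshtein table: row 0 is all zeros so a
    match may start anywhere, and the minimum of the last row lets it
    end anywhere.
    """
    prev = [0] * (len(text) + 1)
    for i, pc in enumerate(pattern, start=1):
        cur = [i] + [0] * len(text)        # pattern prefix vs. empty text
        for j, tc in enumerate(text, start=1):
            cur[j] = min(prev[j] + 1,      # pattern character missing
                         cur[j - 1] + 1,   # extra character in the text
                         prev[j - 1] + (pc != tc))  # match or substitution
        prev = cur
    return min(prev)

def match_message(rules, message):
    """Return [(phrase, distance)] for every rule the message triggers."""
    text = message.lower()
    hits = []
    for phrase, max_errors in rules:
        distance = min_substring_distance(phrase, text)
        if distance <= max_errors:
            hits.append((phrase, distance))
    return hits

# Constructed sample category: one exact phrase, two approximate ones.
SAMPLE_CATEGORY = """
(project falcon)
(confidential)(2)
(leak)(2)
"""

if __name__ == "__main__":
    rules = parse_category(SAMPLE_CATEGORY)
    for msg in ("Project Falcon ships Friday",
                "Do not share the confidentail report",
                "we speak tomorrow"):
        print(msg, "->", match_message(rules, msg))
```

The last sample message shows the cost of a tolerance that is large relative to the phrase: with (leak)(2) an ordinary word such as "speak" is within one edit and triggers the category, so short phrases are better entered as exact.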

Setting Time Periods

You can configure Advanced Firewall to apply policies at certain times of the day and/or days of the week.

To set a time period:

1. Browse to the Services > Message censor > Time page.
2. Configure the following settings:

Active from to: From the drop-down lists, set the time period. Select the weekdays when the time period applies.
Name: Enter a name for the time period.
Comment: Optionally, enter a description of the time period.

3. Click Add. Advanced Firewall creates the time period and makes it available for selection on the Services > Message censor > Policies page.

Editing Time Periods

To edit a time period:

1. Browse to the Services > Message censor > Time page.
2. In the Current time periods area, select the time and click Edit.
3. In the Time period settings, edit the settings. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.

Deleting Time Periods

To delete time periods:

1. Browse to the Services > Message censor > Time page.
2. In the Current time periods area, select the period(s) and click Remove.
3. At the top of the page, click Restart to apply the changes.

Creating Filters

Advanced Firewall uses filters to classify messages according to their textual content. Advanced Firewall supplies a default filter. You can create, edit and delete filters. You can also create custom categories of phrases for use in filters. For more information, see Creating Custom Categories on page 46.

To create a filter:

1. Browse to the Services > Message censor > Filters page.
2. Configure the following settings:

Name: Enter a name for the filter.
Comment: Optionally, enter a description of the filter.
Custom phrase list: Select the categories you want to include in the filter.

3. Click Add. Advanced Firewall creates the filter and makes it available for selection on the Services > Message censor > Policies page.

Editing Filters

You can add, change or delete categories in a filter.

To edit a filter:

1. Browse to the Services > Message censor > Filters page.
2. In the Current filters area, select the filter and click Edit.
3. In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.

Deleting Filters

You can delete filters which are no longer required.

To delete filters:

1. Browse to the Services > Message censor > Filters page.
2. In the Current filters area, select the filter(s) and click Remove.
3. At the top of the page, click Restart to apply the changes.

Creating and Applying Message Censor Policies

The following section explains how to create and apply a censor policy for message content. A policy consists of a filter, an action, a time period and a level of severity.

To create and apply a censor policy:

1. Browse to the Services > Message censor > Policies page.
2. Configure the following settings:

Service: From the drop-down menu, select one of the following options:
  IM proxy incoming: Select to apply the policy to incoming instant message content.
  IM proxy outgoing: Select to apply the policy to outgoing instant message content.
  Click Select to update the policy settings available.
Filter: From the drop-down menu, select a filter to use. For more information about filters, see Creating Filters on page 49.
Time period: From the drop-down menu, select a time period to use, or accept the default setting. For more information about filters, see Setting Time Periods.

Action: From the drop-down menu, select one of the following actions:
  Block: Content which is matched by the filter is discarded.
  Censor: Content which is matched by the filter is masked but the message is delivered to its destination.
  Categorize: Content which is matched by the filter is allowed and logged.
  Allow: Content which is matched by the filter is allowed and is not processed by any other filters.
Log severity level: Based on the log severity level, you can configure Advanced Firewall to send an alert if the policy is violated. From the drop-down list, select a level to assign to the content if it violates the policy. See Chapter 4, Configuring the Inappropriate Word in IM Monitor on page 89 for more information.
Comment: Optionally, enter a description of the policy.
Enabled: Select to enable the policy.

3. Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies the policy and adds it to the list of current policies.

Editing Policies

You can add, change or delete a policy.

To edit a policy:

1. Browse to the Services > Message censor > Policies page.
2. In the Current policies area, select the policy and click Edit.
3. Edit the settings as required; see Creating and Applying Message Censor Policies on page 50 for information about the settings available. When finished, click Add to save your changes.
4. At the top of the page, click Restart to apply the changes.

Deleting Policies

You can delete policies which are no longer required.

To delete policies:

1. Browse to the Services > Message censor > Policies page.
2. In the Current policies area, select the policy or policies and click Remove.
3. At the top of the page, click Restart to apply the changes.

Managing the Intrusion System

Advanced Firewall's Intrusion System performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. Advanced Firewall can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks. All violations are logged and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.

About the Default Policies

By default, Advanced Firewall comes with a number of intrusion policies which you can deploy immediately. The default policies will change as emerging threats change and will be updated regularly. For more information about the default policies, browse to Services > Intrusion system > Policies, and scroll down to the Current Policies table. For a detailed description of how to edit the default policies, see Creating Custom Policies on page 54.

Deploying Intrusion Detection Policies

Advanced Firewall's default policies enable you to deploy Intrusion Detection immediately to identify threats on your network. Any custom policies you create are deployed in the same method.

To deploy an intrusion detection policy, do the following:

1. Browse to Services > Intrusion system > IDS.
2. Enable the Intrusion System by checking Status in the Global panel.
3. Click Add new IDS policy.
4. Configure the following:

Status: New policies are enabled by default. Clear the check box to create a disabled policy.
Interface: From the drop-down list, select the interface to deploy this policy for.
Policy: Select those policies that you want to apply to this interface.

Comment: Configure an optional comment for this policy. An additional button, Show comments, will be displayed on the IDS policies table if any comments are configured. Clicking this will display configured comments under the interface name.

5. Click Add.

Editing Deployed Intrusion Detection Policies

To edit an existing Intrusion Detection policy, do the following:

1. Browse to Services > Intrusion system > IDS.
2. Scroll down to the IDS policies panel.
3. Highlight the relevant policy, and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Deploying Intrusion Detection Policies.
5. Click Save changes.

Deleting Deployed Intrusion Detection Policies

To remove an existing Intrusion Detection policy, do the following:

1. Browse to Services > Intrusion system > IDS.
2. Scroll down to the IDS policies panel.
3. Highlight the relevant policy, and click Delete.
4. Click Delete to confirm deleting the policy.

Deploying Intrusion Prevention Policies

Advanced Firewall enables you to deploy Intrusion Prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.

To deploy an Intrusion Prevention policy, do the following:

1. Browse to the Services > Intrusion system > IPS page.

2. Configure the following settings:

IPS Policy: From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 52 for more information about the policies available. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network, see Chapter 2, Creating Custom Policies on page 54.
Comment: Enter a description for the policy.
Enabled: Select this option to enable the policy.

3. Click Add. Advanced Firewall lists the policy in the Current IPS policies area.

Removing Intrusion Prevention Policies

To remove an Intrusion Prevention policy from deployment:

1. Browse to the Services > Intrusion system > IPS page.
2. In the Current IPS policies area, select the policy you want to remove.
3. Click Remove. Advanced Firewall removes the policy.

Creating Custom Policies

By default, Advanced Firewall contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.

To create a custom policy, do the following:

1. Browse to the Services > Intrusion system > Policies page.

Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed up the process.

2. Configure the following settings:

Name: Enter a name for the policy you are creating.
Comment: Enter a description for the custom policy.
Signatures: From the list, select the signatures you want to include in the policy. For information about how to add custom signatures, see Uploading Custom Signatures.

3. Click Add. Advanced Firewall creates the policy and lists it in the Current policies area.

The policy is now available when deploying Intrusion Detection and Intrusion Prevention policies. For more information, see Deploying Intrusion Detection Policies on page 52 and Deploying Intrusion Prevention Policies on page 53.

Uploading Custom Signatures

Advanced Firewall enables you to upload custom signatures and Sourcefire Vulnerability Research Team (VRT) signatures, and make them available for use in Intrusion Detection and Prevention policies.

To upload custom signatures, do the following:

1. Navigate to the Services > Intrusion system > Signatures page.

2. Configure the following settings:

Custom signatures: Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page. Note: Use custom signatures with caution as Advanced Firewall cannot verify custom signature integrity.
Use syslog for Intrusion logging: Select this option to enable logging intrusion events in the syslog.
Oink code: If you have signed-up with Sourcefire to use their signatures, enter your Oink code here. Click Update to update and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page. Note: Updating the signatures can take several minutes.

3. Click Save. Any custom signatures you have uploaded to Advanced Firewall, or Sourcefire VRT signatures you have downloaded to Advanced Firewall will be listed on the Services > Intrusion system > Policies page.

For information about deploying intrusion policies, see Deploying Intrusion Detection Policies on page 52 and Deploying Intrusion Prevention Policies on page 53.

Deleting Custom Signatures

It is possible to delete custom signatures that have been made available on the Services > Intrusion system > Policies page.

Note: If you choose to delete custom signatures, Advanced Firewall will delete all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies.

To delete custom signatures, do the following:

1. On the Services > Intrusion system > Signatures page, click Delete. Advanced Firewall prompts you to confirm the deletion. Click Confirm; Advanced Firewall deletes the signatures.
Using BYOD with Advanced Firewall

Advanced Firewall makes use of RADIUS accounting to allow users to connect their own wireless devices to the network, known as bring your own device (BYOD), and authenticate unobtrusively. This has the added advantage of not having to install additional software on the user's device.

Advanced Firewall links your organization's directory service to its RADIUS server. As a network administrator, you can configure your wireless network infrastructure to authenticate users using the RADIUS server so that users can use their directory service accounts as wireless client login details.

About the RADIUS requests

The following RADIUS requests can be processed by Advanced Firewall, depending on the BYOD network implementation:

Accounting: A request to inform that the user has left or joined the wireless network. Typically, this is sent by the network access server (NAS) acting as the RADIUS client. Advanced Firewall uses this request to physically log the user on or off the network.
Authentication: A request to confirm that the supplied user credentials are valid, and the user authorized to join the wireless network. Typically, this is sent by the network access server acting as the RADIUS client. Advanced Firewall can only receive requests via an Extensible Authentication Protocol (EAP) tunnel, with a Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) handshake. You can define groups to explicitly allow or reject the authorization requests.

The following RADIUS attributes will be used within account requests:

Filter-ID: This is an optional attribute, used to supply the authentication group of the user. Typically, the group assignment is used by Advanced Firewall when there is no directory service configured to use for group mapping.
Framed-IP-Address: This contains the IP address of the client that has been authorized to join the wireless network. This attribute is essential to the BYOD service.
Interim-Update: This is a status update received from the network access server, advising of the status of the client's session. If Advanced Firewall does not receive this at least once an hour, it assumes the session has ended and logs the client out.

Implementation Examples

The following describes possible implementations for using BYOD with Advanced Firewall.

Advanced Firewall Provides DHCP, Authentication, and Accounting Services

You can choose to configure Advanced Firewall to be the DHCP server, and the RADIUS server for both authentication, and accounting requests. This may be implemented as follows:

- In the network access server, Advanced Firewall is configured as the RADIUS server which will receive authentication and authorization requests.
- In the network access server, Advanced Firewall is also configured as the RADIUS server which will receive accounting requests.
- Advanced Firewall connects to an Active Directory server to perform user authentication.
- Advanced Firewall is the DHCP server, and therefore does not perform DHCP relays for the wireless network. Advanced Firewall must be on the same subnet as the network access server for this to work.

Advanced Firewall Provides Authentication and Accounting

This implementation is similar to the Advanced Firewall Provides Accounting Services implementation, except Advanced Firewall provides greater control over authentication services. Advanced Firewall will authenticate the user, and authorize them to the wireless network. However, Advanced Firewall is informed of the IP address assigned to the user in the RADIUS accounting packet received from the network access server. This will be contained in the Framed-IP-Address attribute.

Advanced Firewall Provides Accounting Services

You can delegate user authentication and authorization to the wireless network to the network access server, and only use Advanced Firewall as the RADIUS server which will receive accounting requests. Typically, Advanced Firewall will use the accounting requests to log the user on or off the network. For this to work, the network access server must include the Framed-IP-Address attribute (as well as Accounting-Start or Accounting-Stop) in the RADIUS accounting packet to Advanced Firewall.

This may be implemented as follows:

- The network access server can use any directory service to authenticate the user.
- In the network access server, Advanced Firewall is configured as the RADIUS server which will receive accounting requests.
- The network access server must send an Interim-Update at least once an hour to confirm the user's session is still active.
- If supported, the network access server must be configured to send the user's IP address in the Framed-IP-Address attribute of the RADIUS accounting packet, otherwise the IP address of the network access server will be sent instead. This will lead to Advanced Firewall being unable to log individual users on or off the wireless network.
- You can add a directory service Type of RADIUS accounting to Advanced Firewall, to indicate to it that all authentication and authorization requests are provided by an external RADIUS server. You must add group mappings in Advanced Firewall to map the RADIUS group to Advanced Firewall groups. For more information, refer to the Advanced Firewall Administration Guide.
- Optionally, to support group mappings, the network access server must be configured to send the Filter-ID RADIUS attribute in the accounting requests to Advanced Firewall. Advanced Firewall must also be configured to authenticate the users.

Note: It is also possible for Advanced Firewall to just provide DHCP services, and receive RADIUS accounting requests if the network access server is configured to connect to a directory service for authentication and authorization to the wireless network.

Using BYOD in a Multi-Tenant Setup

Using BYOD is possible in a Multi-Tenant configuration, with the client's IP address passed in the Framed-IP-Address attribute denoting the tenant membership.

Typically, you add all network access servers' IP addresses into the same tenant as the clients they are serving. This is essential if the network access server is unable to support sending the client's IP address in the Framed-IP-Address attribute (Advanced Firewall would receive the IP address of the network access server instead), or if Framed-IP-Address is not sent in every accounting packet. This is to ensure users receive the correct web filtering policies.

For more information about licensing and using the Multi-Tenant feature of Advanced Firewall, refer to the Multi-Tenant Administration Guide.
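The accounting flow described in the sections above (Accounting-Start and Accounting-Stop, the hourly Interim-Update, Framed-IP-Address and Filter-ID), as an added Python example that is not Smoothwall's code. It assumes the RFC 2866 packet layout, in which Interim-Update is carried as a value of the Acct-Status-Type attribute; the class and function names, shared secret, user and addresses are constructed for illustration, and ignoring a request that lacks Framed-IP-Address is this example's own choice.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4                       # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP, FILTER_ID, ACCT_STATUS_TYPE = 1, 8, 11, 40
START, STOP, INTERIM_UPDATE = 1, 2, 3        # Acct-Status-Type values
SESSION_TIMEOUT = 3600                       # guide: no update for an hour ends the session


def build_accounting_request(ident, attrs, secret):
    """Build a constructed Accounting-Request, used here only as sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Check the Request Authenticator, then decode the attributes BYOD relies on."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet = packet[:length]
    # Authenticator = MD5(code + id + length + 16 zero octets + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("authenticator mismatch: wrong shared secret or altered packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep first occurrence
        pos += alen
    status, ip = attrs.get(ACCT_STATUS_TYPE), attrs.get(FRAMED_IP)
    if (status is not None and len(status) != 4) or (ip is not None and len(ip) != 4):
        raise ValueError("Acct-Status-Type and Framed-IP-Address must be 4 octets")
    return {
        "status": struct.unpack("!I", status)[0] if status is not None else None,
        "ip": socket.inet_ntoa(ip) if ip is not None else None,
        "user": attrs.get(USER_NAME, b"").decode("utf-8", "replace"),
        "group": attrs.get(FILTER_ID, b"").decode("utf-8", "replace") or None,
    }


class SessionTable:
    """Logged-on clients keyed by Framed-IP-Address (hypothetical helper)."""

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # client IP -> {"user", "group", "last_seen"}

    def handle(self, record, now):
        """Apply one decoded accounting record; return what happened."""
        ip = record["ip"]
        if ip is None:
            # Assumption of this example: without Framed-IP-Address the request
            # cannot be tied to one device, so no user is logged on or off.
            return "ignored"
        if record["status"] == STOP:
            return "logout" if self.sessions.pop(ip, None) else "unknown"
        if record["status"] in (START, INTERIM_UPDATE):
            known = ip in self.sessions
            self.sessions[ip] = {"user": record["user"], "group": record["group"],
                                 "last_seen": now}
            return "refresh" if known else "login"
        return "ignored"

    def expire(self, now):
        """Log out clients whose last Start or Interim-Update is older than the timeout."""
        stale = sorted(ip for ip, s in self.sessions.items()
                       if now - s["last_seen"] > self.timeout)
        for ip in stale:
            del self.sessions[ip]
        return stale
```

A request signed with a different shared secret fails in `parse_accounting_request` before any session state changes, which is why each RADIUS client and forwarding node needs the correct secret configured.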

Using BYOD in a Centrally Managed Solution

A BYOD service in a centrally managed solution could potentially be configured with any of the implementations previously described.

You can choose to configure the parent Advanced Firewall node as the primary RADIUS server, with the child nodes acting as extra RADIUS servers receiving forwarded accounting packets. It is also possible to configure more than one Advanced Firewall to act as the RADIUS server for the network access server, with each processing a different RADIUS request. You can also choose to configure the network access servers to use one of the Advanced Firewall nodes as a backup RADIUS server.

However, the following limitations apply:

- The network access server must send the Framed-IP-Address attribute to all nodes, including those that are not being used for authentication.
- Each Advanced Firewall node must be configured to see all other Advanced Firewall nodes in the centrally managed solution.
- You must ensure the correct shared secret is configured for each node.
- Each node must be configured to forward accounting packets to all other nodes.

Note: Nodes from a centrally managed solution are not added automatically to the BYOD configuration. You must add them separately to the Forward RADIUS accounting to panel located at Services > Authentication > BYOD. For more information, see Adding External RADIUS Servers on page 65.

For a detailed description of how to implement a centrally managed Smoothwall System, refer to the Advanced Firewall Administration Guide.

Configuring BYOD for Advanced Firewall

To configure BYOD, do the following:

1. Browse to Services > Authentication > BYOD.
2. Configuring Advanced Firewall for BYOD involves the following:
   - Prerequisites on page 61
   - Adding RADIUS Clients on page 63
   - Blocking Access to the Wireless Network on page 64
   - Adding External RADIUS Servers on page 65
   - Using the Advanced Firewall Certificate on page 66

Prerequisites

Irrespective of the type of BYOD setup, before you configure Advanced Firewall you must have the following information:

- The IP addresses for the wireless access points
- The IP addresses for any external RADIUS servers, if required
- The shared secrets for the RADIUS servers and clients

When Advanced Firewall is the RADIUS Authentication Server

If Advanced Firewall is acting as the RADIUS server for authentication, the following must be considered:

- Users' wireless devices must support WPA Enterprise with Protected Extensible Authentication Protocol (PEAP), and Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) version 2.
- If a web filtering policy is applied to users, Guardian must be configured to use core authentication. For more information, refer to the Guardian Installation and Administration Guide.
- Active Directory must be used to authenticate users to the wireless network. Note that no other directory services are supported if Advanced Firewall is the authentication server, including the legacy method of using Active Directory. For a detailed description of how to configure Advanced Firewall to connect to an Active Directory server, refer to the Advanced Firewall Administration Guide.

When Basic Network Access Servers are Used

If the network access server is unable to authenticate the user, or act as a DHCP server to provision the wireless device with an IP address, the following must be considered:

- You must enable DHCP on Advanced Firewall, and configure a valid DHCP subnet. For a detailed description of how to do this, refer to the Advanced Firewall Administration Guide.
- All network access servers must be located in the same subnet as Advanced Firewall. Network switches can be used, but there must not be any routers between them. Again, Advanced Firewall must be the DHCP server for that subnet.
- Advanced Firewall must act as the RADIUS authentication and accounting server. The prerequisites listed in When Advanced Firewall is the RADIUS Authentication Server on page 62 also apply.

Notes for the Network Access Servers

Note: Refer to the documentation for the network access server you are using for a detailed description of how to configure the access points.

The following should be considered:

- The wireless network added to, or modified in, the network access server must use WPA2 with 802.1X. The wireless network type may be referred to as WPA2-Enterprise, WPA2-RADIUS, or WPA2 with a separate option for RADIUS accounting.
- WPA2 is the most secure. To support older hardware, WPA1 is also supported. Some network access servers may support WPA1 and WPA2 simultaneously.
- Some network access servers require you to enter Advanced Firewall's details twice, if Advanced Firewall is the RADIUS server for both authentication and accounting.

Unblocking Communication Ports for RADIUS Traffic

Advanced Firewall uses ports 1812 and 1813 to send and receive RADIUS traffic. You must add the following external rules to allow traffic from BYOD devices through to Advanced Firewall.

If Advanced Firewall is acting as both the RADIUS authentication and accounting server, do the following:

1. Browse to System > Administration > External access.
2. Add an external access rule for the following Service: RADIUS authentication (1812).
3. Create an additional external access rule for the following Service: RADIUS accounting (1813).

For all other BYOD configurations, do the following:

1. Browse to System > Administration > External access.
2. Add an external access rule for the following Service: RADIUS accounting (1813).

For a detailed description of using external access rules, including how to configure them, see Configuring External Access Rules on page 140.

Adding RADIUS Clients

You must add the details of the RADIUS clients that are authorized to connect to Advanced Firewall. Depending on your network configuration, the RADIUS clients will either advise of user authentication and authorization, or send a request for the user to either be authenticated, authorized for access, or both.

To add RADIUS clients, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Authorized RADIUS clients panel, and click Add new RADIUS client.
3. Configure the following:
   - Status: Clear the selection if you don't want this RADIUS client to send requests.
   - Name: Configure a meaningful name for the RADIUS client.
   - IP address: Enter the IP address of the RADIUS client.
   - Shared secret: Enter the shared secret (password) that will be used by this client to successfully communicate with the RADIUS server. It is recommended you use a minimum of eight characters, using a combination of alphanumeric and punctuation characters.
   - Confirm: Re-enter the shared secret. Do not copy and paste from the previous text box, as this may copy any errors.
   - Comment: Configure an optional comment for this server. An additional button, Show comments, will be displayed on the Authorized RADIUS clients table if any comments are configured. Clicking this will display configured comments under the client name.
4. Click Add.

Editing RADIUS Clients

To edit an existing RADIUS client, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Authorized RADIUS clients panel.
3. Highlight the relevant RADIUS client, and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Adding RADIUS Clients.
5. Click Save changes.

Deleting RADIUS Clients

To remove an existing RADIUS client, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Authorized RADIUS clients panel.
3. Highlight the relevant RADIUS client, and click Delete.
4. Click Delete to confirm deleting the client.

Blocking Access to the Wireless Network

You can add rules to block access to the wireless network according to group membership. However, to be able to do this, the following prerequisites must be met:

- Advanced Firewall must be the authentication RADIUS server for the network.
- RADIUS authentication is via Active Directory.
- The network access server must be able to send the user's authentication group in the Filter-ID RADIUS attribute.

A default rule is provided as a catch-all for any groups not listed in this section: All other groups. The default behavior for this rule is to allow access to the wireless network.

Note: This is a complete block to the wireless network, not just to the Internet. You can use Guardian to block access to the Internet, but still allow access to the wireless network. For a detailed description of how to do this, refer to the Guardian Installation and Administration Guide.

To add an access control rule, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Access control rules panel, and click Add new access control rule.
3. Configure the following:
   - Status: Clear the selection if you do not want this group to use access control rules.
   - Group: From the drop-down list, select the relevant group for this rule.
   - Rule: From the drop-down list, select whether this rule is to Allow access to the wireless network, or to Block access.
   - Comment: Configure an optional comment for this rule.

An additional button, Show comments, will be displayed on the Access control rules table if any comments are configured. Clicking this will display configured comments under the group name.

4. Click Add.

For a detailed description of how to add groups to Advanced Firewall, see Managing Groups of Users on page 162.

Editing an Access Control Rule

To edit an existing access control rule, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Access control rules panel.
3. Highlight the relevant rule, and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Blocking Access to the Wireless Network.
5. Click Save changes.

Adding External RADIUS Servers

Typically, Advanced Firewall acts as the RADIUS server, but will act as the client when it needs to forward RADIUS accounting data to upstream servers, such as a billing system or a captive portal. This can also be other Advanced Firewall nodes in a centrally managed solution.

If Advanced Firewall is to forward RADIUS accounting requests to an additional server, you must configure the servers that will receive the RADIUS accounting packets.

To add RADIUS servers, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Forward RADIUS accounting to panel, and click Add new RADIUS server.
3. Configure the following:
   - Status: Clear the selection if you don't want this RADIUS server to handle requests.
   - Name: Configure a meaningful name for the RADIUS server.
   - IP address: Enter the IP address of the RADIUS server.
   - Shared secret: Enter the shared secret (password) that will be used by connecting RADIUS clients to successfully communicate with this server. It is recommended you use a minimum of eight characters, using a combination of alphanumeric and punctuation characters.
   - Confirm: Re-enter the shared secret. Do not copy and paste from the previous text box, as this may copy any errors.
   - Comment: Configure an optional comment for this server. An additional button, Show comments, will be displayed on the Forward RADIUS accounting to table if any comments are configured. Clicking this will display configured comments under the server name.
4. Click Add.

Editing RADIUS Servers

To edit an existing RADIUS server, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Forward RADIUS accounting to panel.
3. Highlight the relevant RADIUS server, and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Adding External RADIUS Servers.
5. Click Save changes.

Deleting RADIUS Server

To remove an existing RADIUS server, do the following:

1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Forward RADIUS accounting to panel.
3. Highlight the relevant RADIUS server, and click Delete.
4. Click Delete to confirm deleting the server.

Using the Advanced Firewall Certificate

If authentication services are provided through Advanced Firewall, you may find that some devices do not automatically accept Advanced Firewall's certificate when users try to authenticate onto the wireless network. You can download Advanced Firewall's certificate, and make it available in a way supported by those affected devices.

To download the certificate, do the following:

1. Browse to Services > Authentication > BYOD.
2. From the Certificates panel, click Download CA certificate.
3. Copy the certificate to a secure location, then import it into the device's browser. For a detailed description of how to import certificates, refer to the device's accompanying documentation.

3 Producing Reports

This chapter describes how to use the reporting engine of Advanced Firewall, including:

- About Reports on page 67
- Generating Reports on page 69
- Scheduling Reports on page 71
- Creating Custom Report Templates on page 73
- Managing Reports and Report Folders on page 77
- Making Reports Available on User Portals on page 78

About Reports

Advanced Firewall's supplied reports are found under the Logs and reports > Reports menu. The reports available to run depend on the Smoothwall System, and licensed modules, installed. All other supplied reports have been deprecated from the Smoothwall System, but remain in the Archive folder for backwards compatibility.

For a detailed description of the supplied reports, see Appendix A: Available Reports on page 161.

About Report Templates

A report template is the structure for a supplied report or custom report. You can create custom report templates tailored to your installation. These can be created from scratch, or you can adjust the content of the supplied report templates to suit. However, this will create a copy of the supplied report template rather than changing the existing report structure.

For a detailed description of how to create custom templates, see Creating Custom Report Templates.

About Report Outputs

When a report is initially generated, it is output as rendered HTML to the screen. A Contents menu is displayed to provide quick and easy navigation to sections within the report. A Back to top quick-link is also provided to reduce scrolling for large reports.

Some result data, such as IP addresses and URLs, can present additional information when hovered over. This is particularly useful where Advanced Firewall has truncated a long URL for display purposes. Note that not all reports and results have this feature.

Once generated, you can save the report, change the date range and change the output format.

About Other Report Outputs

You can also choose to save the report to one of the following outputs:

- CSV: Comma separated values
- Excel: Microsoft Excel format
- PDF: Portable document format
- PDFBW: Portable document format, but in black and white only
- TSV: Tab separated values

Using Drill Down Reports

Some supplied reports come with the ability to drill down through the data presented for further investigation. Note that not all reports have this feature.

Drill down reports are actually other supplied reports that can be run using the same data. Drill down reports are stored with the report under the Recent reports panel of the Recent and saved page:

Note: The list of available drilled down reports is determined by the report group and cannot be altered.

For example, a report showing the amount of traffic used by the top IP addresses can be drilled down to show the bandwidth usage for one of the IP addresses; a report showing number of times a website has been requested can be drilled down to show the URL was requested or which users actually visited the site:

Note: Drill down reports are not available through the user portal.

Generating Reports

To generate a supplied report, do the following:

1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Open the relevant report folder.
3. Enter a date range.
4. Click the Advanced >> button for the required report, and enter any relevant information.
5. Click Run Report.

The report is generated to screen. To choose a different format, select the relevant output type. Follow the instructions for your browser to download and save the report.

Note: You can also run reports from Advanced Firewall's user portal. The reports available depend on the user's login credentials. For a detailed description of how to run reports from Advanced Firewall's user portal, refer to the Advanced Firewall User Portal Guide.

Canceling a Report

You can also choose to cancel a report, for example, if it was incorrectly run, or is taking too long to generate.

To cancel a report generation, do the following:

From the report progress bar, click Cancel. Advanced Firewall does not display the report generated so far.

Regenerating and Saving Reports

You can access all reports generated for a limited time frame from the last hour, today, yesterday, and older. You can also regenerate previously run reports, change the date range, or change their output format.

To see recently generated reports, go to Logs and Reports > Reports > Recent and saved.

You can also save generated reports for permanent access. To permanently save a report, do the following:

1. Generate a report as detailed in Generating Reports.
2. When the report has generated to screen, enter a name for the report in the Save as text box at the top.

The report appears under Logs and reports > Reports > Recent and saved in the Saved reports panel.

About the Summary Report

The Summary report is provided separately on Advanced Firewall. The Summary report provides summary information about your Advanced Firewall installation, including:

- Alerts
- The running status of system services
- Network ARP table
- Updates for your Smoothwall System
- Tip of the day
- Summary of uptime
- Processor information
- Memory information
- Hard disk drive information
- Interface and host bandwidth usage
- Per IP address statistics
- Network routing table

To run the Summary report, do the following:

From your Advanced Firewall, browse to Logs and reports > Reports > Summary.

You can customize the content of the summary report to suit. For more information, see Creating Custom Report Templates on page 73. Note that any customized versions of the Summary report will be run from Logs and reports > Reports > Reports, rather than the Summary page.

Scheduling Reports

You can configure Advanced Firewall to send reports at scheduled times of the day, to specified users and user groups. Both supplied and custom reports can be scheduled.

To create a scheduled report, do the following:

1. From your Advanced Firewall, browse to Logs and reports > Reports > Scheduled.
2. Configure the Schedule details:
   - Start date: Choose the month and day to schedule the report on. If this is a repeated schedule, enter the date for the first schedule.
   - Time: Enter the time, in 24-hour format, for the report schedule.
   - Repeat: Choose the type of schedule. Available options are:
     - No repeat: The report is generated only at the time and date specified.
     - Daily repeat: The report is generated at the specified time, every day.
     - Weekday repeat: The report is generated at time specified, Monday to Friday.
     - Weekly repeat: The report is generated at the time specified, once a week.
     - Monthly repeat: The report is generated at the time specified, once a month.
   - Enabled: Click to enable or disable the schedule as required.
   - Comment: An optional description for the report schedule.
3. Configure the Report details:
   - Report: Select the required report for the schedule.
   - Report shows period: If required, select the required date range. Available ranges are: 1 day, 2 days, 3 days, 4 days, 5 days, 6 days, 1 week, 2 weeks, 3 weeks, 1 month, 2 months, 3 months, 4 months, 5 months, and 6 months.
   Click the Update button. If the report requires extra information to search against, such as a specific IP address, you will be prompted to enter it.
4. To save the report after it has been generated, do the following from the Save report panel:
   - Save report: Click to enable this report to be saved to your Smoothwall System. Saved reports are found under Logs and reports > Reports > Recent and saved.
   - Report name: Enter a name for the report schedule.
   - Publish from portal: If user portals have been enabled for your Smoothwall System, you can choose to publish the scheduled report to a user portal. Leave this option as none to ignore all portals.
5. To create an scheduled report, do the following from the report panel:
   - report: Click to create an scheduled report.
   - Group: From the drop-down menu, choose the group to the reports to. For a detailed description of how to setup groups, see Configuring Alert and Report Groups.
6. Click Add to create the scheduled report.

Example Schedule Report Configuration

Managing Scheduled Reports

The Scheduled reports panel lists all created, scheduled reports. You can edit and remove scheduled reports from this panel.

To remove a scheduled report, do the following:

1. Highlight the relevant report, ensuring that Mark is ticked.
2. Click the Remove button.

This removes the entire schedule. If you want to keep the report setup but not run the schedules, you can disable the report schedule by editing the report setup and unclicking the Enabled check box. For a detailed description of how to edit a report, see below.

To edit a scheduled report, do the following:

1. Highlight the relevant report, ensuring that Mark is ticked.
2. Click the Edit button. The schedule details are displayed in the relevant panels.
3. Make the required changes and click Add.

Creating Custom Report Templates

Custom reports allow you to extract data and present it in your own report. You can choose to save custom reports you create in existing, supplied report folders, or in custom folders.

The data available to use in custom reports are grouped into sections. Existing report templates, including those previously created as custom reports, can be used to create new custom reports. However, if that template is updated whilst being used by other custom reports, the changes will not be filtered through.

Note: The report sections available for custom reports depend on the Smoothwall System installed, and the modules licensed.

Creating Basic Custom Reports

The following section describes how to create a basic custom report, with only a single reporting section.

To create a basic custom report, do the following:

1. From your Advanced Firewall, browse to Logs and reports > Reports > Custom.
2. From the Customize reports panel, configure the following:
   - Name: The name of your custom report.
   - Report icon: Choose a relevant icon for your custom report from the drop-down menu.
   - Add an optional description for your custom report. This text is displayed under the report link in the Reports page.
   - Location: Choose a relevant folder to store your custom report from the drop-down menu. For a detailed description of how to create a new folder, see Creating Folders.

3. Within the Sections panel, expand the relevant Available sections folder. Highlight the required report section by clicking it.
4. Click Add >> to include the report section in your custom report. A new panel, headed with the section name, will be created at the bottom of the screen with the following tabs:
   - The description of the included section.
   - Options: Some sections deal with only a limited set of data, such as a single group or a single IP address, in which case this tab will not apply. For other sections, you will be prompted to choose the type of data for the report, such as incoming or outgoing traffic, interface number, and so on.
   - Results: The results returned for that section. This is useful if the section is used in feed-forward reporting. For more information, see About Advanced Custom Reports on page 74.
   - Export: This tab displays those data items that a user can be prompted to enter to narrow the search when running the report, such as username or IP address. The exported options appear on the Advanced >> table when running the reports; see Generating Reports.
5. Click Create report.

About Advanced Custom Reports

An advanced custom report is typically one where the report data can be taken from different aspects of Advanced Firewall's logs, such as user activity, browsing history, and bandwidth used.

Custom reports can make use of the advanced features of Advanced Firewall's reporting engine:

- Grouping sections: You may want to group sections together to allow multiple, logically similar sections to share reporting options. For example, you can group together sections which require a username to be entered for the report to run against. You can also create subgroups within grouped sections. When you group sections together, you will be presented with extra Grouped options to report on. Sections that have report Options to narrow down the report data can be used to override the data for the section group you have set up. For example, for a traffic report showing incoming data only, you can set up one section in a report to disregard all internal traffic.
- Re-ordering sections: You can reorder included sections to create a logical report. If you are using feed-forward reporting, sections that provide feeder data should always be before those sections utilizing the data.
- Feed-forward reporting: Feed-forward reporting allows a section's results to be used as the source of options for subsequent sections. For example, a network interfaces section can be used to gather the configuration details of external network interfaces, whilst another section can use that data to display the bandwidth usage per interface.
- Iterative reporting: Iterative reporting is where a section is repeated in the same report, but with a few details changed.

Example Advanced Custom Report Scenarios

The following are high level examples of the types of reports that can be classified as advanced custom reports:

- Show user activity for each user, by department, during a specific date range. The user activity should be broken down into the websites they were looking at, the categories those websites belong to, and the length of time spent browsing.
- Show the bandwidth used for configured interfaces, including both incoming and outgoing data. Ignore internal data.

Creating Advanced Custom Reports

When creating an advanced custom report, it is best to imagine the report structure from a groups perspective, that is:

- What data needs to be grouped together?
- Which groups, or data, should be repeated?

To create an advanced custom report, do the following:

1. Create a custom report as detailed in Creating Basic Custom Reports on page 73, adding multiple report sections. Don't click Create report.
   Tip: You can highlight multiple available sections before clicking the Add >> button to add multiple sections at once.
2. To group sections together, do the following:
   - Within the Included sections panel, highlight those sections you want to group together. Note that you do not need to hold the CTRL button down to click multiple sections.
   - Click Group. In the report panel underneath, those selected sections will be grouped together.
   - Add a meaningful Group name.
   To ungroup grouped sections, highlight the group name in the Included sections panel, and click Ungroup. Note that un-grouping sections may affect any feed-forward, iterative, or group options you have configured.
3. To re-order the included sections, do the following:
   - Within the Included sections: panel, highlight the section you want to move.
   - Click either the Move up or Move down button as required.
   You can move groups in the same manner by highlighting the group name. Note that you cannot move sections outside of groups.
4. To create a feed-forward group, do the following:
   - Create a report group as detailed in step 2.
   - From the Repeat > Using results from a section: drop-down menu, select the section you want to feed-forward from. Only suitable sections for feed-forward reporting will be listed under this heading. The resulting data is listed in the Results tab for that section.
   - Click the Update button. The feed-forward section will be removed from its parent group, and displayed in a new (feeder) section.
   - Configure any extra configuration options for the feeder section.
   - Click Update again.
5. To create an iterative report, do the following:
   - Create a report group as detailed in step 2.
   - From the Repeat > Based upon grouped option: drop-down menu, select the option that best suits the section you want to be repeated. Note that if a grouped option is chosen to be repeated, it will no longer be available as an option from its parent section.
   - Click the Update button to display extra configuration options for the repeated section.
   - Configure any extra configuration options for the iterative section.
   - Click Update again to save your extra configuration settings.
6. Click Create report.

Managing Custom Reports
The custom report interface can be used to edit supplied reports. Note that this does not override the supplied report structure. Instead, a copy of the report, with your changes, will be made.

To edit an existing report, or custom report, do the following:
1. Browse to either the Logs and reports > Reports > Reports or Logs and reports > Reports > Recent and saved page.
2. Click the Edit button for the relevant report.
3. Edit the report as required.
4. Click Update to save your changes.

For a detailed description of how to delete a custom report, see Deleting Reports on page 78.

Managing Reports and Report Folders
Supplied and custom reports are grouped into folders on Advanced Firewall. You can customize the report folders for your installation.

Creating Folders
You can add additional folders, and subfolders, to the Reports page. You can also add subfolders to the supplied report folders on Advanced Firewall.
Note: You cannot change the folder location of supplied reports.

To create a folder or subfolder, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports. To add a subfolder to an existing location, open the relevant folder.
2. Click the New folder button.
3. Enter a new name for the folder, and click Rename.

To add reports to your new folder, do one of the following:
- Create a new custom report, and save it to the folder location.
- Edit an existing report, and change the report location from the Location drop-down menu of the Customize reports panel.

Renaming Folders
Note: Only custom folders you have created can be renamed. Supplied folders cannot be renamed.

To rename an existing folder, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Click the Edit button for the relevant report.
3. Enter a new name for the folder, and click Rename.

Deleting Folders
Folders that contain reports cannot be deleted. You must empty the folders first.
Note: Only custom folders you have created can be deleted. Supplied folders cannot be deleted.

To delete an existing folder, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Click the Delete button for the relevant folder.

Deleting Reports
You can only delete recently generated, saved, and custom reports. Supplied reports cannot be removed from Advanced Firewall.
Note: Only custom reports you have created can be deleted. Supplied report templates cannot be deleted.

To delete an existing report, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Click the Delete button for the relevant report.

Making Reports Available on User Portals
The following describes an alternative method of adding reports to user portals, to the one described in Configuring a Portal on page 23.

To make the report available, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Open the relevant report folder, and locate the required report.
3. Click the Advanced >> button.
4. From the Permissions tab, click Portal access.

   A pop-up is displayed. Those portals that this report is available from are listed in the Available to panel.
5. To make this report available from a user portal, select it from the Add access drop-down list, and click Add.
6. Click Close.

Saving a Report Output to Other User Portals
You can also make the reports generated from one user portal available to another portal. This may be useful for users that need specific information but may not necessarily have access, or the time, to run such a report.
Note: By following the method described below, the report output for the specified report will always be saved to the configured user portal.

To always save a report output to a user portal, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Open the relevant report folder, and locate the required report.
3. Click the Advanced >> button.
4. From the Permission tab, click Automatic access. Those portals already receiving a copy of this report's output are listed in the Automatic Access panel.
5. To make this report's output available to a user portal, select it from the Add access drop-down list, and click Add.
6. Click Close.

Removing Reports from a User Portal
To remove a report from a user portal, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Open the relevant report folder, and locate the required report.
3. Click the Advanced >> button.
4. From the Permissions tab, click Portal access. Those portals that this report is available from are listed in the Available to panel.
5. Select those reports to remove from the user portal, and click Delete.
6. Click Close.

Tip: The above method can also be used to stop a report outputting to a user portal. Follow steps 1 to 6, deleting those reports under the Available Access panel instead.

4 Using Alerts, Information, and Logging
This chapter describes the information, alerts and log files that are available in your Smoothwall System, including:
- About the Dashboard on page 81
- About Alerts on page 82
- About Advanced Firewall's Realtime Viewer on page 92
- About Advanced Firewall's Log Files on page 97
- Configuring Report and Alert Output Settings on page 118
- Configuring Alert and Report Groups on page 122

About the Dashboard
The dashboard is the default home page of your Advanced Firewall system, providing a summary of the current state of the Advanced Firewall system.

To access the dashboard, do the following:
- Browse to Dashboard.

The following information is available to you:

System
  External connection: Displays the status of any external interfaces configured on Advanced Firewall.
  System services: Displays the status of Core and Optional services. If available, you can click on the service name to jump to the relevant configuration page.
  Resource usage: Displays the status of various aspects of your hardware appliance.
Monitor
  Recent alerts: Displays important alerts from Advanced Firewall, such as memory usage and system reboots.
  Tunnel: Displays the status of any VPNs configured on the system.

You can choose to hide any of the above sections from your Dashboard. For a detailed description of how to do this, see Configuring the User Interface on page 135.

The rest of the Dashboard displays various Control reports including, but not limited to:
- System updates
- Tip of the day
- Support information

To customize the controls displayed in the Dashboard, see Control page template on page 168.

About Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls. Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period.

Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts.

It is possible to specify two trigger conditions for some alerts: the first acts as a warning alert, and, in more critical circumstances, the second denotes the occurrence of an incident.

You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.

Available Alerts
The following alerts are available to you. Default settings are listed for those alerts that have them.

VPN Tunnel Status
  VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected, or disconnected. Monitored once every five minutes.

Hardware failure alerts, harddisk failure
  Generates messages when hardware problems are detected. Monitored constantly.

License expiry status warnings
  Generates messages when the license is due for renewal or has expired. Monitored once an hour.

Hardware Failover Notification
  Generates messages when a hardware failover occurs, or when failover machines are forced on and offline. Monitored constantly.

VPN Certificate Monitor
  Validates Advanced Firewall VPN certificates and issues warnings about potential problems, or impending expiration dates. Monitored once an hour.
  Default settings:
    Notification of expired certificates:
      Number of days left (warning): 7
      Number of days left (critical): 1

UPS, Power Supply status warnings
  Generates messages when server power switches to and from mains supply. Monitored constantly.

Outgoing Traffic Violations
  Monitors outbound access activity and generates warnings about suspicious behavior. Monitored constantly.
  Default settings:
    Forbidden services: Monitor ports for accesses
      Warning threshold: 5
      Destination Port list: 25, 4662, 4661, 6881, 6882, 6699
    Forbidden accesses: Monitor destination IP addresses
      Warning threshold: 100
      Incident threshold: 300
    Monitor destination ports
      Warning threshold: 100
      Incident threshold: 300

System Resource Monitor
  These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.
  Default settings:
    System load average warning level: 3.0
    System memory warning level: 80%
    Disk usage warning level: 80%

Firewall Notifications
  Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Monitored constantly.
  Default settings:
    Monitor source IP addresses:
      Warning threshold: 50
      Incident threshold: 200
    Monitor destination IP addresses:
      Warning threshold: 100
      Incident threshold: 200
    Monitor destination ports:
      Warning threshold: 50
      Incident threshold: 150
      Ignored ports: 135, 136, 137, 138, 139, 445, 80

L2TP VPN Tunnel Status
  L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected, or disconnected. Monitored once every five minutes.

System Service Monitoring
  This alert is triggered whenever a critical system service changes status, that is, starts or stops. Monitored once every five minutes.
  Default settings: Web server Cron server Monitor alerts SystemD

Connection Monitor
  This alert is triggered when an interface has failed. An additional alert will be sent when an interface becomes available again. Monitored constantly.

Reverse proxy violations
  Monitors reverse proxy activity and generates warnings about connectivity issues. Monitored constantly.

Health Monitor
  Checks on remote services for activity. Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of Advanced Firewall. Monitored constantly.

Virus Monitor
  These alerts are triggered by detection of malware being relayed via SMTP or downloaded via POP3. Note that you may not see this option if Anti-Spam is not installed. For more information, refer to the Anti-Spam Installation and Administration Guide. Monitored constantly.

IM proxy monitored word alert
  Monitors instant messaging chat activity and generates warnings based on excessive use of inappropriate language. Monitored constantly.

Output System Test Messages
  Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems. Monitored constantly.

Inappropriate word in IM Monitor
  Generates an alert whenever a user uses an inappropriate word or phrase in IM chat conversation. Monitored constantly.
  Default settings:
    Enabled on received text
    Enabled on sent text
    Generate alert for each message which exceeds the Message Censor severity threshold:
      Threshold: 0
    Generate alert when users exceed the rate of inappropriate messages:
      Threshold: 0
      Number of inappropriate messages in 15mins: 5

Administration Login Failures
  Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Monitored constantly.

Bandwidth Monitor
  These alerts are triggered whenever the traffic flow for an external interface or bridge exceeds certain thresholds. Monitored constantly.

NTLM Authentication Failures
  This alert is generated when a client is unable to provide correct credentials for NTLM authentication. Monitored constantly.

Update Monitoring
  Monitors the system for new updates once an hour.

Intrusion System Monitor
  These alerts are triggered by violations and notices generated by the intrusion system by suspicious network activity. Monitored constantly.
  Default settings:
    Priority: High

Mail Queue Monitor
  Watches the queue and informs if the number of messages therein exceeds a certain threshold. For more information, refer to the Anti-Spam Installation and Administration Guide. Monitored once an hour.

Global Proxy
  This alert monitors for Global Proxy activity. Alerts are triggered when client misconfiguration, or potential abuse is detected. Monitored constantly.

System Boot (Restart) Notification
  This alert is generated whenever the system is booted; that is, is turned on or restarted. Monitored once every five minutes.

Configuring Alert Settings
You can configure additional alerts, or change the default settings of pre-defined alerts.

To configure alert settings, do the following:
1. From your Advanced Firewall system, browse to Logs and reports > Alerts > Alerts settings.
2. Locate the relevant alert and configure the appropriate settings:
   - Configuring the VPN Certificate Monitor on page 86
   - Configuring the Outgoing Traffic Violations Alert on page 87
   - Configuring the System Resource Monitor on page 87
   - Configuring the Firewall Notifications Alert on page 88
   - Configuring the System Service Monitoring Alert on page 88
   - Configuring the Health Monitor Alert on page 88
   - Configuring the Inappropriate Word in IM Monitor on page 89
   - Configuring the Virus Monitor on page 89
   - Configuring the Mail Queue Monitor Alert on page 90
   - Configuring the NTLM Authentication Failures Alert on page 90
   - Configuring the Bandwidth Monitor Alert on page 90
   - Configuring the Intrusion System Monitor on page 91
   - Configuring the Global Proxy Alert on page
3. Click Save or Add.

Configuring the VPN Certificate Monitor
The VPN certificate monitor comes pre-defined upon installation. Adjust the alert parameters as needed:
- Notification of expired certificates: Select this to disable this alert.
- Number of days left (Warning): Enter the number of days before the certificate expires that will trigger a warning alert.
- Number of days left (Critical): Enter the number of days before the certificate expires that will trigger a critical alert.

Configuring the Outgoing Traffic Violations Alert
The Outgoing Traffic Violations alert comes pre-defined upon installation. Adjust the alert parameters as needed:

Forbidden services
These parameters define the alert thresholds for forbidden services:
- Monitor ports for accesses: Select to disable port monitoring for this alert.
- Warning threshold: Enter the number of forbidden hits for all ports before the warning alert is triggered.
- Destination Port list: Enter a comma-separated list of destination port numbers to be monitored.

Forbidden accesses
These parameters define the alert thresholds for forbidden accesses:
- Monitor destination IP addresses: Select to disable destination IP address monitoring.
  - Warning threshold: Enter the number of forbidden hits to destination IP addresses before the warning alert is triggered.
  - Incident threshold: Enter the number of forbidden hits to destination IP addresses before an incident alert is triggered.
- Monitor destination ports: Select to disable destination port monitoring.
  - Warning threshold: Enter the number of forbidden hits to destination ports before the warning alert is triggered.
  - Incident threshold: Enter the number of forbidden hits to destination ports before an incident alert is triggered.

Configuring the System Resource Monitor
The System Resource Monitor comes pre-defined upon installation. Adjust the alert parameters as follows:
- System load average warning level (per CPU core): This is used to set the threshold of the average number of processes waiting to use the processors over a five minute period. A system operating at normal performance should record a load average of between 0.0 and 1.0. While higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention.
- Disk usage (%) warning level: This is used to set the disk space usage percentage threshold before the alert is triggered. Low amounts of free disk space can adversely affect system performance.
- System memory (%) warning level: This is used to set the system memory usage percentage threshold before the alert is triggered. Advanced Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.
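The System Resource Monitor checks described above, as an added example that is not part of the guide or Smoothwall's code. It applies the guide's default warning levels (3.0 per core, 80%, 80%) and reports memory both with and without reclaimable cache, which is why a high raw figure may not be a concern. All function names, the use of /proc/meminfo fields, and the sample values are assumptions; the guide does not state which memory figure Advanced Firewall itself evaluates.

```python
import os
import shutil

# Default warning levels from the guide's Available Alerts table.
DEFAULT_LIMITS = {"load_per_core": 3.0, "memory_percent": 80.0, "disk_percent": 80.0}

# Constructed /proc/meminfo excerpt (not taken from a real appliance).
SAMPLE_MEMINFO = """\
MemTotal:        8000000 kB
MemFree:          400000 kB
MemAvailable:    5200000 kB
Buffers:          300000 kB
Cached:          4700000 kB
"""


def parse_meminfo(text):
    """Return {field: kB} from /proc/meminfo-style text."""
    fields = {}
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        if rest.strip():
            fields[name.strip()] = int(rest.split()[0])
    return fields


def memory_used_percent(text):
    """Return (raw, effective) memory usage in percent.

    raw counts everything that is not MemFree, so page cache looks "used";
    effective uses MemAvailable, which treats reclaimable cache as free.
    """
    m = parse_meminfo(text)
    total = m["MemTotal"]
    raw = 100 * (total - m["MemFree"]) / total
    effective = 100 * (total - m["MemAvailable"]) / total
    return round(raw, 1), round(effective, 1)


def disk_used_percent(path="/"):
    """Return the used share of the filesystem holding path, in percent."""
    usage = shutil.disk_usage(path)
    return round(100 * usage.used / usage.total, 1)


def check_resources(load5, cores, meminfo_text, disk_percent, limits=DEFAULT_LIMITS):
    """Return (resource, value) pairs that exceed their warning level."""
    findings = []
    # The guide's level is per CPU core, so normalise the raw load average.
    per_core = round(load5 / cores, 2)
    if per_core > limits["load_per_core"]:
        findings.append(("load_per_core", per_core))
    raw, effective = memory_used_percent(meminfo_text)
    if raw > limits["memory_percent"]:
        # Report both figures so cache pressure can be told from exhaustion.
        findings.append(("memory_percent", (raw, effective)))
    if disk_percent > limits["disk_percent"]:
        findings.append(("disk_percent", disk_percent))
    return findings


if __name__ == "__main__":
    load5 = os.getloadavg()[1]  # second element is the five-minute average
    cores = os.cpu_count() or 1
    print(check_resources(load5, cores, SAMPLE_MEMINFO, disk_used_percent("/")))
```

With the constructed sample, raw memory usage is above the 80% level while the effective figure is far below it, the situation the guide describes as not necessarily a concern.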

Configuring the Firewall Notifications Alert
The Firewall Notifications alert comes pre-defined upon installation. Adjust the alert parameters as follows:
- Monitor source (remote) IP addresses: Select this to disable this alert. This detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same remote IP address is detected.
  - Warning threshold: Enter the number of hits from the source IP addresses before the warning alert is triggered.
  - Incident threshold: Enter the number of hits from the source IP addresses before the incident alert is triggered.
  - Ignore: Enter a comma-separated list of source IP addresses that should be ignored for this alert.
- Monitor source (remote) ports: Select this to enable this alert. This detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.
- Monitor destination (local) IP addresses: Select this to disable this alert. This detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.
- Monitor destination (local) ports: Select this to disable this alert. This detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.

Configuring the System Service Monitoring Alert
The System Service Monitoring alert comes pre-defined upon installation. Adjust the alert parameters as follows:
- Select the components, modules and services that should generate alerts when they start or stop.

Configuring the Health Monitor Alert
The Health Monitor alerts are disabled upon installation. To enable Health Monitor alerts, configure the following:

Web server (HTTP)
This alert will retrieve the specified web page, and check for specific keywords. If the keywords are missing, an alert will be triggered.
- Request URL: Enter the URL of the web page to monitor. You can omit http:// when entering the URL.
- No of tries: Enter the number of attempts to retrieve the web page.
- Keywords: Enter a comma-separated list of keywords to search for.

Other services
This alert checks the specified port is open and offering a service.
- IP Address: Enter the IP address.
- Port: Enter the port number.
- Protocol: From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
- No of tries: Enter the number of times Advanced Firewall should check the address and not receive a response before generating an alert.

DNS name resolution
This alert checks that a domain has not expired, or been taken over.
- Name: Enter the domain name.
- Address: Enter the domain address (URL).

Configuring the Inappropriate Word in IM Monitor
The Inappropriate word in IM Monitor comes pre-defined upon installation. Adjust the alert parameters as follows:
- Enabled on received text: Select to disable this alert.
- Enabled on sent text: Select to disable this alert.
- Generate alert for each message which exceeds Message Censor severity threshold: Select to disable this alert.
  - Threshold: From the drop-down list, select the threshold above which an alert will be generated. For information about the Message censor threshold, see Censoring Message Content on page 46.
- Generate alert when users exceed the rate of inappropriate messages: Select to disable this alert.
  - Threshold: From the drop-down list, select the threshold above which an alert will be generated.
  - Number of inappropriate messages in 15 mins: Enter the number of times users can use inappropriate messages in 15 minutes before the alert is triggered.

Configuring the Virus Monitor
When configured, these alerts are triggered when malware being relayed via SMTP or downloaded via POP3 is detected.

To configure the alert(s):
1. Enable the following settings:
   - Monitor POP3 proxy for viruses: Select to enable alerting when malware is detected when loading via POP3.
   - Monitor SMTP relay for viruses: Select to enable alerting when malware is detected when relaying via SMTP.
2. Click Save to enable the alerts.
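The two-level warning and incident thresholds used by the Outgoing Traffic Violations and Firewall Notifications alerts above, as an added example that is not part of the guide or Smoothwall's code. It counts constructed blocked-packet records per source IP, destination IP and destination port and grades each count against the default thresholds from the Available Alerts table. The record layout, the 60-second window, the ">=" comparison and all names are assumptions; the guide only speaks of "a rapid series" and does not document the log format.

```python
from collections import Counter
from dataclasses import dataclass

# (warning, incident) defaults from the guide's Available Alerts table.
FIREWALL_NOTIFICATION_DEFAULTS = {
    "src_ip": (50, 200),
    "dst_ip": (100, 200),
    "dst_port": (50, 150),
}
OUTGOING_VIOLATION_DEFAULTS = {"dst_ip": (100, 300), "dst_port": (100, 300)}
DEFAULT_IGNORED_PORTS = frozenset({135, 136, 137, 138, 139, 445, 80})

WINDOW_SECONDS = 60  # assumption: the guide does not state the window length


@dataclass(frozen=True)
class BlockedPacket:
    """One blocked-packet record (hypothetical layout, not the product's log)."""
    ts: int        # seconds since an arbitrary epoch
    src_ip: str
    dst_ip: str
    dst_port: int


def grade(count, warning, incident):
    """Return 'incident', 'warning' or None (assumes a level fires at >=)."""
    if count >= incident:
        return "incident"
    if count >= warning:
        return "warning"
    return None


def evaluate(packets, now, thresholds=FIREWALL_NOTIFICATION_DEFAULTS,
             ignored_ports=DEFAULT_IGNORED_PORTS, ignored_sources=frozenset(),
             window=WINDOW_SECONDS):
    """Count hits per monitored dimension inside the window and grade them.

    Ignore lists only remove entries from their own dimension, mirroring the
    per-monitor "Ignore" fields in the guide.
    """
    counts = {dim: Counter() for dim in thresholds}
    for p in packets:
        if not (now - window < p.ts <= now):
            continue
        if "src_ip" in counts and p.src_ip not in ignored_sources:
            counts["src_ip"][p.src_ip] += 1
        if "dst_ip" in counts:
            counts["dst_ip"][p.dst_ip] += 1
        if "dst_port" in counts and p.dst_port not in ignored_ports:
            counts["dst_port"][str(p.dst_port)] += 1
    findings = []
    for dim, (warning, incident) in thresholds.items():
        for key, hits in counts[dim].items():
            level = grade(hits, warning, incident)
            if level:
                findings.append((dim, key, hits, level))
    return sorted(findings)


def build_sample():
    """Constructed records for illustration (documentation address ranges)."""
    pkts = []
    # One source sweeping 150 distinct ports, plus 60 hits on port 23.
    for i in range(150):
        pkts.append(BlockedPacket(1001 + i % 50, "203.0.113.7", "198.51.100.10", 1000 + i))
    for i in range(60):
        pkts.append(BlockedPacket(1001 + i % 50, "203.0.113.7", "198.51.100.10", 23))
    # File-sharing noise on a port that is on the default ignore list.
    for i in range(120):
        pkts.append(BlockedPacket(1001 + i % 50, "192.0.2.50", "198.51.100.20", 445))
    # Low-volume background traffic.
    for i in range(10):
        pkts.append(BlockedPacket(1001 + i, "198.51.100.77", "198.51.100.30", 22))
    # A large burst that ended long before the window starts.
    for _ in range(300):
        pkts.append(BlockedPacket(100, "203.0.113.99", "198.51.100.10", 8080))
    return pkts


if __name__ == "__main__":
    for finding in evaluate(build_sample(), now=1060):
        print(finding)
```

The port sweep never crosses a per-port threshold apart from port 23, yet it is graded as an incident on the source and destination IP dimensions, which is why the alerts monitor several dimensions at once.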

Configuring the Mail Queue Monitor Alert
This alert is triggered when the number of messages in the queue exceeds the specified threshold.

To configure and enable the alert:
1. Configure the following settings:
   - Threshold number of messages: Enter the number of messages above which the alert is triggered.
2. Click Save to save the settings and enable the alert.

Configuring the NTLM Authentication Failures Alert
This alert is disabled upon installation. To enable the NTLM Authentication Failures alert, do the following:
1. Configure the following:
   - Monitor for failed NTLM Authentication: Select to enable this alert.
2. Click Save.

Configuring the Bandwidth Monitor Alert
The Bandwidth Monitor Alert is disabled upon installation. To enable the Bandwidth Monitor, configure the following:
- Incoming: Select this to enable incoming bandwidth monitoring.
- Outgoing: Select this to enable outgoing bandwidth monitoring.
  Note: Each alert you configure can only monitor traffic in a single direction. However, you can configure multiple Bandwidth Monitor alerts to enable you to monitor all traffic.
- Traffic for: From the drop-down list, select to monitor the bandwidth used for:
  - Total: For all interfaces configured on your Advanced Firewall.
  - Any IP: Any IP address using Advanced Firewall.
  - Single application: A single, specified application. An additional drop-down list will appear for you to specify the application.
  - Single application group: A single, specified application group. An additional drop-down list will appear for you to specify the application group.
- Time period: From the drop-down list, select the required time period to monitor bandwidth for.
- MB: The maximum amount of data usage, in megabytes, permitted before the alert is triggered.
- kbps: The average data transfer rate, in kilobits per second, permitted before the alert is triggered.

Note: Advanced Firewall will calculate the bandwidth used to two decimal places.

Configuring the Intrusion System Monitor
The Intrusion System Monitor is pre-defined upon installation. Adjust the alert parameters as follows:
- Priority: From the drop-down list, select the appropriate priority level for this alert.

Configuring the Global Proxy Alert
The Global Proxy alert comes pre-defined upon installation. Adjust the alert parameters as follows:
- Monitor for incorrect certificates: Select this to disable alerting when a client fails to present the correct certificate. This is either due to the client having the wrong certificate, or due to unauthorized access.
- Monitor for DoS attempts: Select this to disable alerting when a client, with a valid certificate, repeatedly attempts a connection. Repeated connections from a client are assumed to be a Denial of Service (DoS) attempt.

Enabling Instantaneous Alerts
By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a merged notification of all alerts. Advanced Firewall can be configured to process instantaneous alerts as soon as they are triggered. You can choose to have them delivered via SMS or email.

To enable instantaneous alerts, do the following:
1. From your Advanced Firewall system, browse to Logs and reports > Alerts > Alerts.
2. Configure the following settings:
   - From the Groups panel, select the group of recipients from the Group name drop-down list. For a detailed description of how to configure groups, see Configuring Alert and Report Groups on page 122.
   - From the Alert options panel, select Enable instantaneous alerts.
3. For each alert you want to send, select the delivery method: SMS or email.
4. Click Save.

Looking up Previous Alerts by Reference
You can also look up the content of an alert that has been sent. This can be for instantaneous as well as standard alerts.

To view the content of an alert that has already been sent, do the following:
1. From the Lookup alert details panel, enter the alert's unique ID into the Alert ID field.
2. Click Show. The content of the alert will be displayed in the Alert details panel at the top.

About Advanced Firewall's Realtime Viewer
Advanced Firewall's Realtime viewer provides live information about your system.

Realtime System Information
The System page is a realtime version of the system log viewer with some filtering options.

To access the System page:
1. Browse to the Logs and reports > Realtime > System page.
By default, all information in the system log is displayed and updated automatically approximately every second.

To display information about specific components:
1. From the Section drop-down list, select the component and click Update.
If there is information about the component available in the system log, it is displayed in the Details area.

Realtime Firewall Information
The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by Advanced Firewall.

To access the page:
1. Browse to Logs and reports > Realtime > Firewall page.
By default, information is displayed and updated automatically approximately every second.

To display information about specific sources and destinations:
1. Enter a complete or partial IP address and/or port number in the fields and click Update.

Realtime IPsec Information
The IPSec page is a realtime version of the IPSec log viewer with some filtering options.

To access the IPSec page:
1. Browse to Logs and reports > Realtime > IPSec page.
By default, all information in the log is displayed and updated automatically approximately every second.

To display information about a specific tunnel:
1. Configure the following settings:
   - Connection: From the drop-down list, select the tunnel.
   - Show only lines connecting: Enter the text you are looking for.
2. Click Update.
If there is information available in the system log, it is displayed in the Details area.

Realtime Portal Information
The Portal page displays realtime information about users accessing Advanced Firewall portals.

To access the portal page:
1. Browse to Logs and reports > Realtime > Portal page.
For more information about portals, see Chapter 2, Working with Portals on page

Realtime Instant Messaging
The IM proxy page is a realtime version of the IM proxy log viewer with some filtering options.

To view IM conversations:
1. Browse to Logs and reports > Realtime > IM proxy page.
   The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses.
   Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice as users are recognized as both local and remote.
   Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font. The local username is denoted in blue, the remote username is denoted in green.
   You can use the following settings to manage how the conversation is displayed.
2. In the Username or IP address field, enter the username or IP address. If there is information available in the web filter log, it is automatically displayed in the Details area.
3. To show lines containing specific text, in the Show only lines containing field, enter the text. If the text is found, it is automatically displayed in the Details area.

Realtime Traffic Graphs
The Traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by the currently selected interface.

To access the traffic graphs page:
1. Browse to Logs and reports > Realtime > Traffic graphs page.

The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an interface displays its current traffic.
- Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth.
- Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.

About Advanced Firewall's Log Files
The log pages display system, firewall, IPsec, intrusion system, and proxy information.

Viewing System Logs
The system logs contain simple logging and management information. You can choose to display specific log information, as well as exporting the log file to a chosen format.

To view specific information, do the following:
1. Browse to Logs and reports > Logs > System.
2. Scroll down to the Settings panel.
3. From the Section drop-down list, choose one of the following:
   - Authentication service: Log messages from the authentication system, including service status messages and user authentication audit trail.
   - Configuration migrations: Log messages when a system migration is performed.
   - DHCP server: Log messages from the DHCP server.
   - DNS proxy: Log messages from the DNS server.
   - DPI engine: Log messages from the Deep Packet Inspection (DPI) engine. Note that Advanced Firewall must be licensed to log DPI messages.
   - Datastore: Log messages about Advanced Firewall log's disk usage.
   - FTP proxy: Log messages about FTP traffic handled by the proxy.
   - Guardian blocklist: Log messages about requests made for websites on Guardian's blocklist.
   - Guardian bypass: Log messages about requests made for websites that bypass Guardian's web filter.

   - Guardian category: Log messages about requests made for websites in any Guardian category.
   - Heartbeat: Log messages from any configured heartbeat interfaces of failover systems.
   - IM Proxy: Log messages from the Instant Messaging proxy service.
   - IPSec: Log messages from any configured IPSec tunnels.
   - Kernel: Log messages from the core Advanced Firewall operating system.
   - L2TP: Log messages from configured L2TP connections.
   - L2TP PPP: Log messages from configured L2TP connections that use a PPPoE interface.
   - Message censor: Displays information from the message censor logs.
   - Monitor: Displays monitoring system information including service status and alert/report distribution audit trail.
   - NTP: Log messages from the network time system.
   - Network subsystem: Displays information from the internal network service.
   - PPP: Log messages from any configured PPPoE connection.
   - Reverse Proxy: Log messages from Advanced Firewall's reverse proxy service.
   - Routing service: Log messages from the routing service.
   - SIP service: Log messages from the SIP proxy service.
   - SNMP: Log messages from the SNMP service, if enabled.
   - SSH: Log messages from the SSH system.
   - SSL VPN: Log messages from any configured SSL VPN tunnels.
   - System: Simple system log messages, including startup, shutdown, reboot and service status messages.
   - SystemD: Log messages from the system super server.
   - UPS: Log messages from the UPS system, including service status messages.
   - Update transcript: Displays information about update history.
   - VIPRE engine: Displays information about the anti-malware engine.
   - Web proxy: Log messages from the web proxy service.
4. Click Update. A single column is displayed containing the time of the event(s) and descriptive messages.

Exporting System Logs

You can also choose to export system logs to a chosen format. You do this as follows:

1. Browse to Logs and reports > Logs > System.
2. From the Settings panel, configure the following:

Section: From the drop-down list, choose the log messages to export. For a detailed description of each section, see Viewing System Logs on page 97.
Month: From the drop-down list, choose the month's data to export.
Day: From the drop-down list, choose the day's data to export.
Export format: From the drop-down list, select the format to export to. Valid values are:
    Comma Separated Value: The information is exported in comma separated text format. The file extension is .csv.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports. The file extension is .xls.
    Raw Format: The information is exported without formatting. The file extension is .txt.
    Tab Separated Value: The information is exported separated by tabs. The file extension is .tsv.
Export all dates: Select this option to export all data for that section, for all available dates.

3. Click Export.

Firewall Logs

The firewall logs contain information about network traffic.

To view the firewall logs:

1. Browse to the Logs and reports > Logs > Firewall page.

Filtering Firewall Logs

The following filter criteria controls are available in the Settings area:

Section: Used to select which firewall log is displayed. The content of each section is discussed below.
Month: Used to select the month that log entries are displayed for.
Day: Used to select the day that log entries are displayed for.
Compression: Used to ghost repeated sequential log entries for improved log viewing.
Source: Enter an IP address and click Update to display log entries for that source address.
Src port: This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Destination: Enter an IP address and click Update to display log entries for that destination address.
Dst port: This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.

Export format: Logs can be exported in the following formats:
    Comma Separated Values: The information is exported in comma separated text format.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
    Raw Format: The information is exported without formatting.
    Tab Separated Value: The information is exported separated by tabs.
Export all dates: Exports the currently displayed log for all available dates.

The list of possible sections that can be viewed is as follows:

Main: All rejected data packets.
Incoming audit: All traffic to all interfaces that is destined for the firewall if Direct incoming traffic is enabled on the Networking > advanced page.
Forward audit: All traffic passing through one interface to another if Forwarded traffic is enabled on the Networking > Settings > Advanced page.
Outgoing audit: All traffic leaving from any interface if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.
Port forwards: All data packets from the external network that were forwarded by a port forward rule if port forward logging is enabled on the Networking > Firewall > Port forwarding page.
Outgoing - rejects: All data packets from the internal network zones that were rejected by an outbound access rule.
Outgoing - stealth: All data packets from the internal network zones that were logged but not rejected by an outbound access rule.

Viewing Firewall Logs

To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:

Time: The time that the firewall event occurred.
In: The interface at which the data packet arrived.
Out: The interface at which the data packet left.
Protocol: The network protocol used by the data packet.
Source: The IP address of the data packet's sender.
Src Port: The outbound port number used by the data packet.
Destination: The IP address of the data packet's intended destination.

Dst port: The inbound port number used by the data packet.

Looking up a Source IP whois

The firewall log viewer can be used to find out more information about a selected source or destination IP by using the whois tool.

To use whois:

1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select a particular source or destination IP in the Source and Destination columns.
3. Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics > whois page.

Blocking a Source IP

The firewall log viewer can be used to add a selected source or destination IP to the IP block list.

To block a source IP:

1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select one or more source or destination IPs.
3. Click Add to IP block list. The selected source and destination IPs will be automatically added to the IP block list, which you can review on the Networking > Filtering > IP block page. See Blocking by IP on page 63 for more information.

IPSec Logs

IPSec logs show IPSec VPN information.

To access the logs:

1. Navigate to the Logs and reports > Logs > IPSec page.
2. Choose the tunnel you are interested in by using the Tunnel name control.

3. To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
4. After making a change, click Update.

Exporting Logs

To export and download all log entries generated by the current settings, click Export.

Exporting all dates

To export and download all log entries generated by the current settings, for all dates available, select Export all dates, and click Export.

Viewing and Sorting Log Entries

The following columns are displayed in the Web log region:

Time: The time the tunnel activity occurred.
Name: The name of the tunnel concerned.
Log entries generated by the VPN system.

Log entries are displayed over a manageable number of pages. To view a particular page, click its Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages.

To sort the log entries in ascending or descending order on a particular column, click its Column title hyperlink. Clicking the currently selected column reverses the sort direction.
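Returning to the firewall logs described above: the following added example (not part of the Smoothwall guide or product) reviews a Comma Separated Values export of the Main section before any address is added to the IP block list. It assumes the export's header row uses the viewer's column names (Time, In, Out, Protocol, Source, Src Port, Destination, Dst port); the sample rows, addresses and the `block_candidates` helper are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (documentation address ranges). The header names
# are an assumption taken from the columns the firewall log viewer displays.
SAMPLE_EXPORT = """\
Time,In,Out,Protocol,Source,Src Port,Destination,Dst port
09:14:01,eth1,,TCP,203.0.113.7,40112,192.0.2.10,22
09:14:01,eth1,,TCP,203.0.113.7,40113,192.0.2.10,23
09:14:02,eth1,,TCP,203.0.113.7,40114,192.0.2.10,80
09:14:02,eth1,,TCP,203.0.113.7,40115,192.0.2.10,443
09:14:03,eth1,,TCP,203.0.113.7,40116,192.0.2.10,3389
09:15:10,eth1,,UDP,198.51.100.23,5353,192.0.2.10,53
09:15:11,eth1,,UDP,198.51.100.23,5353,192.0.2.10,53
09:16:40,eth0,,TCP,192.0.2.50,51000,192.0.2.10,445
09:16:41,eth0,,TCP,192.0.2.50,51001,192.0.2.10,139
09:16:42,eth0,,TCP,192.0.2.50,51002,192.0.2.10,135
09:17:00,eth1,,TCP,not-an-ip,1,192.0.2.10,25
"""


def load_rows(csv_text):
    """Return ([(source_ip, dst_port), ...], skipped_count) from an export."""
    rows, skipped = [], 0
    for rec in csv.DictReader(io.StringIO(csv_text)):
        try:
            src = ipaddress.ip_address((rec.get("Source") or "").strip())
            port = int((rec.get("Dst port") or "").strip())
            if not 0 <= port <= 65535:
                raise ValueError("port out of range")
        except ValueError:
            skipped += 1  # malformed row: count it, never guess at its meaning
            continue
        rows.append((src, port))
    return rows, skipped


def block_candidates(csv_text, min_ports=3, allowlist=()):
    """Sources whose rejected packets touched at least min_ports distinct
    destination ports, excluding networks you must never block."""
    protected = [ipaddress.ip_network(n) for n in allowlist]
    rows, _ = load_rows(csv_text)
    ports = defaultdict(set)
    packets = defaultdict(int)
    for src, port in rows:
        if any(src in net for net in protected):
            continue  # own or trusted range: investigate the host instead
        ports[src].add(port)
        packets[src] += 1
    found = [
        {"source": str(s), "packets": packets[s], "dst_ports": sorted(ports[s])}
        for s in ports
        if len(ports[s]) >= min_ports
    ]
    # Widest port spread first, then by address for a stable order.
    found.sort(key=lambda r: (-len(r["dst_ports"]), r["source"]))
    return found


if __name__ == "__main__":
    for row in block_candidates(SAMPLE_EXPORT, allowlist=["192.0.2.0/24"]):
        print(row)
```

The allowlist matters because the block list accepts whatever is selected: without it, the internal host in the sample would be listed as a candidate alongside the external one.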

Email Logs

Email logs provide detailed, configurable and searchable information on email activity regarding time, sender, recipient, subject and spam status.

Configuring Logs

To access and configure logs:

1. Navigate to the Logs and reports > Logs > page. Advanced Firewall displays the currently configured log entries.
2. Click Advanced. The following options are displayed:

Sender: Select to display who sent the message(s).
Recipient: Select to display who the message(s) are for.
Subject: Select to display the subject line of the message(s).
Spam: Select to display information on message(s) that have been classified as spam.

3. Select the options you want to display. Advanced Firewall updates what is displayed.

Monitoring Log Activity in Realtime

It is possible to monitor log activity in realtime.

To monitor log activity in realtime:

1. On the Logs and reports > Logs > page, click Realtime. Advanced Firewall displays the currently configured log options in realtime in a table of log entries and in the graph. The results are updated automatically.

Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Advanced Firewall stops the realtime display and shows what has been logged at the time you clicked on.

2. To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.

Searching for/filtering Log Information

Advanced Firewall enables you to search for/filter information in a number of ways.

To search for/filter information:

1. On the Logs and reports > Logs > page, use one or more of the following methods:

Graph: On the graph, locate and click on the time you are interested in. Advanced Firewall displays what was logged at the time you clicked on.
Time: Click in the date and time picker and specify when to search from. Click Apply. Advanced Firewall displays the results from the time specified and two hours forward.
Free search term: In the Sender, Recipient, Subject and/or Spam column(s), enter one or more search terms. Advanced Firewall displays the search results.

Exporting Data

It is possible to export logged data in comma-separated (CSV) format.

To export data:

1. On the Logs and reports > Logs > page, configure or search for the data you want to export. For more information, see Configuring Logs on page 104 and Searching for/filtering Log Information on page 105.
2. Click Export. Follow your browser's prompts to save and export the data.

IDS Logs

The IDS logs contain details of suspicious network activity detected by Advanced Firewall's intrusion detection system (IDS).

To view the IDS logs:

1. Navigate to the Logs and reports > Logs > IDS page. Advanced Firewall displays the results.

The following options are available. Select to:

Month: Specify which month you wish to view logs for.
Day: Specify which day you wish to view logs for.
Export format: Logs can be exported in the following formats:
    Comma Separated Values: The information is exported in comma separated text format.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
    Raw Format: The information is exported without formatting.
    Tab Separated Value: The information is exported separated by tabs.
Export all dates: Exports the currently displayed log for all available dates.

Exporting Logs

To export logs:

1. Filter the logs to show the information you want to export.
2. Select the export format and whether you want to export all dates.
3. Click Export. To save the exported log, use the browser's File, Save As option.

IPS Logs

The IPS logs contain details of suspicious network activity prevented by Advanced Firewall's intrusion prevention system (IPS).

To view the IPS logs:

1. Navigate to the Logs and reports > Logs > IPS page. Advanced Firewall displays the results.

The following options are available. Select to:

Month: Specify which month you wish to view logs for.
Day: Specify which day you wish to view logs for.
Export format: Logs can be exported in the following formats:
    Comma Separated Values: The information is exported in comma separated text format.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
    Raw Format: The information is exported without formatting.
    Tab Separated Value: The information is exported separated by tabs.
Export all dates: Exports the currently displayed log for all available dates.

IM Proxy Logs

The IM proxy log page displays a searchable log of instant messaging conversations and file transfers.

To view the IM proxy logs:

1. Browse to the Logs and reports > Logs > IM proxy page.

The following settings are available:

Local user filter: Enter the name of a local user whose logged conversations you want to view.
Enable local user filter: Select to display conversations associated with the local user name entered.
Remote user filter: Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter: Select to display conversations associated with the remote user name entered.
Enable smilies: Select to display smilies in the conversation.
Enable links: Select to make links in the conversation clickable.

Search: Here you can enter a specific piece of text you want to search for.
Conversations: Enables you to browse conversations by instant messaging protocol, user ID and date.

Web Proxy Logs

The proxy logs contain detailed information on all Internet access made via the web proxy service. It is possible to filter the proxy logs using any combination of requesting source IP, and requested resource type and domain.

To view the web proxy logs:

1. Browse to the Logs and reports > Logs > Web proxy page.

Web Filter Logs

Web filter logs provide detailed, configurable and searchable information on web filtering activity regarding user and group activity, source IPs, requested URLs, categories of web content requested and domains recorded.

Configuring Web Filter Logs

To access and configure the web filter log:

1. Navigate to the Logs and reports > Logs > Web filter page. Advanced Firewall displays the currently configured log entries.
2. Click Advanced. The following options are displayed:

Username: Select to display the usernames of users making web requests.
Source IP: Select to display source IP addresses that web requests are coming from.
Group: Select to display the logs for groups of users.
Code: Select to display the HTTP response status code.

URL: Select to display the URLs of the requested web resources.
    Note: When content matches a web filter policy, Advanced Firewall displays a link to the policy.
    To exclude certain types of URLs:
    1. Click Exclude to display the drop-down menu.
    2. Select which URLs to exclude from the viewer. The options are:
        Images: Select to exclude all images.
        Javascript: Select to exclude Javascript resource requests.
        CSS: Select to exclude CSS resource requests.
        User defined: Enter a regular expression to find and exclude a web resource.
    3. Close the drop-down menu. Advanced Firewall excludes the web resource(s) specified and refreshes the displayed log entries.
Category: Select to display the categories a request was categorized as being in. Depending on how the request was categorized, Advanced Firewall may also display the following status information:
    Infected: malware was found in the content. The name of the malware found is displayed.
    Denied: access to the content was denied. The name(s) of the category/categories which caused the request to be denied is displayed.
Policy: Select to display which web filtering policy has been applied to the content. For more information on policies, see Working with Policies on page 127.
Domain: Select to display log entries recorded against domains.
SNI: Select to display when an HTTPS request has not included a server name indication (SNI) field in its header. For more information on SNI, see Chapter 10, Creating Transparent Authentication Policies on page 163.
    Note: If an HTTPS request with no SNI field fails, the Code field will display

3. Select the options you want to display. Advanced Firewall updates what is displayed.

Monitoring Log Activity in Realtime

It is possible to monitor web filter log activity in realtime.

To monitor activity in realtime:

1. On the Logs and reports > Logs > Web filter page, click Realtime. Advanced Firewall displays the currently configured log options in realtime in a table of log entries and in the web filter graph. The results are updated automatically.

Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the graph. Advanced Firewall stops the realtime display and shows what has been logged at the time you clicked on.

2. To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.

Searching for and Filtering Information

Advanced Firewall enables you to search for/filter information in a number of ways.

To search for/filter information:

1. On the Logs and reports > Logs > Web filter page, use one or more of the following methods:

Graph: On the graph, locate and click on the time you are interested in. Advanced Firewall displays what was logged at the time you clicked on.
Time: Click in the date and time picker and specify when to search from. Click Apply. Advanced Firewall displays search results from the time specified and two hours forward.
Free search term: In the Username, Source IP, Code, URL or Domain column(s), enter one or more search terms. Advanced Firewall displays the search results.
Group: From the Group column drop-down menu, select the group you want to search for.

2. Depending on your search criteria, Advanced Firewall updates the information displayed.

Exporting Data

It is possible to export logged data in comma-separated (CSV) format.

To export data:

1. On the Logs and reports > Logs > Web filter page, configure or search for the data you want to export. For more information, see Configuring Web Filter Logs on page 109 and Searching for and Filtering Information on page
2. Click Export. Follow your browser's prompts to save and export the data.

Reverse Proxy Logs

The reverse proxy logs contain time, source IP and web site information about requests made using the reverse proxy service.

To view reverse proxy logs:

1. Browse to the Logs and reports > Logs > Reverse proxy page.

Filtering Reverse Proxy Logs

The following filter criteria controls are available in the Settings area:

Month: Used to choose the month that proxy logs are displayed for.
Day: Used to choose the day that proxy logs are displayed for.
Year: Used to choose the year that proxy logs are displayed for.
Ignore filter: Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests.
Enable ignore filter: Select to enable the filter.
Domain filter: Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, will match and but not match abc.net. It is possible to include regular expressions within the filter for example ( will match both abc.com and
Enable domain filter: Select to enable the filter.

Export format: Logs can be exported in the following formats:
    Comma Separated Values: The information is exported in comma separated text format.
    Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
    Raw Format: The information is exported without formatting.
    Tab Separated Value: The information is exported separated by tabs.
Export all dates: Exports the currently displayed log for all available dates.

Note: When running SSL VPNs in TCP mode, the reverse proxy access logs generated for HTTPS requests will contain a source address of This is because OpenVPN has to proxy the HTTPS traffic. Therefore, from Advanced Firewall's point of view, the traffic is originating from localhost.

Viewing Reverse Proxy Logs

To view proxy logs:

1. Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Proxy log area.

The following columns are displayed:

Time: The time the web request was made.
Source IP: The source IP address the web request originated from.
Website: The URL of the requested web resource.

User Portal Logs

The User portal log page displays information about users who have accessed user portals.

To view user portal log activity:

1. Browse to the Logs and reports > Logs > User portal page.

Advanced Firewall displays the information.

Configuring Log Settings

Advanced Firewall can send syslogs to an external syslog server, automatically delete log files when disk space is low and set the maximum log file retention settings.

To configure logging settings:

1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Syslog logging area, select the logging you require.
3. To enable and configure remote logging, configure the following settings:

Remote syslog: To send logs to an external syslog server, select this setting.
Syslog server: If you have selected the Remote syslog option, enter the IP address of the remote syslog server.

Default retention: To set default log retention for all of the logs listed above, select one of the following settings:
    1 Day: Rotate the log file daily and keep the last day.
    2 Days: Rotate the log file daily and keep the last 2 days.
    A week: Rotate the log file weekly and keep the last week.
    2 weeks: Rotate the log file weekly and keep the last 2 weeks.
    A month: Rotate the log file monthly and keep the last month.
    2 months: Rotate the log file monthly and keep the last 2 months.
    Three months: Rotate the log file monthly and keep the last 3 months.
    Four months: Rotate the log file monthly and keep the last 4 months.
    Five months: Rotate the log file monthly and keep the last 5 months.
    Six months: Rotate the log file monthly and keep the last 6 months.
    Seven months: Rotate the log file monthly and keep the last 7 months.
    Eight months: Rotate the log file monthly and keep the last 8 months.
    Nine months: Rotate the log file monthly and keep the last 9 months.
    Ten months: Rotate the log file monthly and keep the last 10 months.
    Eleven months: Rotate the log file monthly and keep the last 11 months.
    A year: Rotate the log file monthly and keep the last 12 months.

4. Optionally, to set an individual retention period for specific logs, click Advanced and configure the settings displayed.
5. Click Save. Advanced Firewall will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings

Advanced Firewall enables you to configure retention settings for other logs.

To configure other logs:

1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Other logging area, configure the following settings:

Default retention: To set default log retention for all of the logs listed in the table below, select one of the following settings:
    1 Day: Rotate the log file daily and keep the last day.
    2 Days: Rotate the log file daily and keep the last 2 days.
    A week: Rotate the log file weekly and keep the last week.
    2 weeks: Rotate the log file weekly and keep the last 2 weeks.
    A month: Rotate the log file monthly and keep the last month.
    2 months: Rotate the log file monthly and keep the last 2 months.
    Three months: Rotate the log file monthly and keep the last 3 months.
    Four months: Rotate the log file monthly and keep the last 4 months.
    Five months: Rotate the log file monthly and keep the last 5 months.
    Six months: Rotate the log file monthly and keep the last 6 months.
    Seven months: Rotate the log file monthly and keep the last 7 months.
    Eight months: Rotate the log file monthly and keep the last 8 months.
    Nine months: Rotate the log file monthly and keep the last 9 months.
    Ten months: Rotate the log file monthly and keep the last 10 months.
    Eleven months: Rotate the log file monthly and keep the last 11 months.
    A year: Rotate the log file monthly and keep the last 12 months.

3. Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.

Default retention: From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
Intrusion detection logs: From the drop-down menu, select how long you want to keep intrusion detection logs.
Intrusion prevention logs: From the drop-down menu, select how long you want to keep intrusion prevention logs.

IM logs: From the drop-down menu, select how long you want to keep instant messaging logs.

4. Click Save. Advanced Firewall will now retain the logs as you have specified.

Managing Log Retention

The Datastore settings page uses a pie chart to display current disk usage by Advanced Firewall logs. The Objects seen will depend on the modules installed. You can configure the length of time Advanced Firewall retains logs for use in reporting and network troubleshooting.

To manage log retention, do the following:

1. Browse to Logs and reports > Settings > Datastore settings.
2. Using the slider in the Retention settings panel, specify the minimum and maximum number of months Advanced Firewall should retain log files, where:

    The minimum number of months possible is 0. If a log file is older than the minimum retention period specified, it may be deleted if storage space starts to run out.
    The maximum number of months possible is infinite. If a log file is older than the maximum retention period specified, it will be deleted.

For example, if the minimum retention period is set to 3 months and the maximum retention period is set to 6 months, Advanced Firewall will always keep log files for 3 months and, if there is available storage space, will keep them for 6 months.

Note: If, because of a lack of disk space, the minimum log retention is not possible, Advanced Firewall will stop working and display a warning.

3. Click Save changes.

Managing Automatic Deletion of Logs

Advanced Firewall can be set to automatically delete log files if there is a limited amount of free disk space available.

To configure automatic log deletion:

1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Automatic log deletion area, configure the settings:

Delete old logs when free space is low: Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging: From the drop-down list, select the level at which Advanced Firewall will delete logs.

3. Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been used.

Configuring Report and Alert Output Settings

Reports and alerts are distributed according to Advanced Firewall's output settings. In order to send reports and alerts, Advanced Firewall must be configured to operate with mail servers and email-to-SMS gateway systems.

About Email-to-SMS Output

Advanced Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs and composes an SMS message which is then sent.

A wide variety of different email-to-SMS gateway services are available. However, each has its own definition of the format that an email should arrive in. While there are a few conventions, typically the destination SMS number is placed in the email's subject line. It is necessary to configure Advanced Firewall so that it can format email messages in the format specified by your email-to-SMS gateway service provider.

About Placeholder Tags

To allow easy configuration of message formats for different service providers, Advanced Firewall uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:

%%ALERT%%: The content of the alert message.
%%SMS%%: The recipient SMS number.

%% %%: The recipient's email address.
%%HOSTNAME%%: The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
%%DESCRIPTION%%: The description of the Advanced Firewall system (useful when using multiple firewall systems).
%%--%%: A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).

For example, if an email-to-SMS gateway requires emails to be sent to:

<telephone number>@samplesms.com

the following configuration would provide this:

%%SMS%%@sampleSMS.com

If the content of the message should be entered in the email message body, the following configuration would provide this:

%%ALERT%%

Networks with multiple Advanced Firewall systems may wish to include details of the system that the alert was generated by. The following examples would provide this:

%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% -%%HOSTNAME%%
%%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)

About Truncating Messages

Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. Advanced Firewall can be configured to truncate messages. In this mode, all characters past position 155 are removed and the text: .. + is appended to the message to indicate that truncation has occurred.

A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. In situations where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To compensate for this, insert the special %%--%% placeholder at the start of the actual message content, so that any truncation is only applied to the actual alert content.
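The placeholder and truncation rules above, worked through as an added example (this is not Smoothwall's code). It assumes the `.. +` marker exactly as it appears in this copy of the guide, that an unknown tag is left untouched, and that `%%--%%` is simply dropped when truncation is disabled; the function names and sample values are constructed.

```python
import re

SMS_LIMIT = 160            # gateway limit named in the guide
CUT_POSITION = 155         # characters past this position are removed
MARKER = ".. +"            # assumption: marker text as printed in this copy
TRUNCATE_TAG = "%%--%%"    # truncation applies only to text after this tag
TAG_RE = re.compile(r"%%([A-Z]+)%%")   # does not match %%--%%


def substitute(template, values):
    """Expand %%NAME%% tags in a single pass.

    re.sub never rescans what it inserted, so alert text that happens to
    contain '%%SMS%%' or '%%--%%' is delivered literally and cannot change
    the recipient or the truncation point.
    """
    return TAG_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def truncate(text, marker=MARKER):
    """Cut text longer than SMS_LIMIT at CUT_POSITION and append the marker."""
    if len(text) <= SMS_LIMIT:
        return text
    return text[:CUT_POSITION] + marker


def render_body(template, values, truncate_enabled=False):
    """Render the SMS message body template.

    The template is split on %%--%% before substitution, so gateway
    parameters placed ahead of the tag are never cut.
    """
    head, tag, tail = template.partition(TRUNCATE_TAG)
    if not tag:
        body = substitute(template, values)
        return truncate(body) if truncate_enabled else body
    head = substitute(head, values)
    tail = substitute(tail, values)
    return head + (truncate(tail) if truncate_enabled else tail)


def header_is_safe(value):
    """A To: or Subject: value must stay on one line."""
    return "\r" not in value and "\n" not in value


def render_header(template, values):
    """Render the SMS To: address or subject line, refusing line breaks."""
    line = substitute(template, values)
    if not header_is_safe(line):
        raise ValueError("header value contains a line break")
    return line


if __name__ == "__main__":
    sample = {                       # constructed sample values
        "ALERT": "x" * 300,
        "HOSTNAME": "fw1",
        "SMS": "447700900123",
    }
    print(render_header("%%SMS%%@sampleSMS.com", sample))
    print(render_body("user=demo&pass=demo&text=%%--%%%%ALERT%% - From: %%HOSTNAME%%",
                      sample, truncate_enabled=True))
```

With truncation enabled and no `%%--%%` tag, the whole body including any gateway parameters counts toward the limit, which is the case the guide's last paragraph warns about.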

Configuring Email to SMS Output

To configure Advanced Firewall's SMS settings, do the following:

1. Browse to Logs and reports > Settings > Output settings.
2. Configure the following settings:

SMTP server: Enter the hostname, or IP address of the SMTP server to be used by Advanced Firewall.
Sender's address: Enter the sender's email address. Typically, this is a valid email address reserved and frequently checked for IT administration purposes. This might also be an address that is registered with your email-to-SMS gateway provider.
SMS to address: Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders, such as %%SMS%%, to identify the destination of the SMS.
Truncate SMS messages to 160 characters: Select if you want the contents of the SMS message body to be truncated to 160 characters, or if your email-to-SMS gateway service provider instructs you to do so.
Enable SMTP auth: Select to use SMTP auth if required.
Username: If using SMTP auth, enter the username.
Password: If using SMTP auth, enter the password.
SMS subject line: Enter the subject line of the SMS email as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder, as many email-to-SMS gateways use the subject line for this purpose.
SMS message body: Enter additional placeholders and the content of the alert message. If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.

3. Click Save.

Testing Email to SMS Output

To test the output system, do the following:

1. In the Send test to field, enter the cell phone number of the person who is to receive the test.
2. Click Send test.

Configuring Output to Email

To configure Advanced Firewall's email settings, do the following:

1. Browse to Logs and reports > Settings > Output settings.
2. Configure the following settings:

SMTP server: Enter the hostname, or IP address of the SMTP server to be used by Advanced Firewall.
Sender's address: Enter the sender's email address. Typically, this is a valid email address reserved and frequently checked for IT administration purposes. This might also be an address that is registered with your gateway provider.
Enable SMTP auth: Select to use SMTP auth if required.
Username: If using SMTP auth, enter the username.
Password: If using SMTP auth, enter the password.

3. Click Save.

Generating a Test Alert

To generate a test alert, do the following:

1. Configure Email to SMS output and, or, SMTP (Email) output.
2. Click Generate test alert.

Configuring Alert and Report Groups

You can configure Advanced Firewall to email scheduled reports to users, or groups of users. Alerts can also be sent via email or SMS.

Creating Groups

To be able to use the email and SMS feature, you must configure user groups, and the group members who will receive alerts and reports.

To create a group of users, do the following:

1. Browse to the Logs and reports > Settings > Groups page.
2. Configure the following settings:

Group name: From the Group name drop-down list, select Empty and click Select.
Name: Enter a name for the group.

3. Click Save. Advanced Firewall creates the group.
4. In the Add user panel, configure the following settings:

Name: Enter the user's name.
Email address: If required, enter the user's email address.
SMS number: If required, enter the user's SMS number.
Enable HTML: Select this to send emailed reports in HTML format.
Comment: Enter an optional description.
Enabled: Select this to enable alerts and, or, reports to be sent to this user.

5. Click Add. The user's details will be added to the list of current users in the Current users panel.

6. You can test the configured details by selecting either Email to SMS Output System or SMTP (Email) Output System from the drop-down list at the bottom. Click Send test.

For a detailed description of how to set up Advanced Firewall to send email and SMS, see Configuring Report and Alert Output Settings.

Editing a Group

You can either edit the group name, or add or remove group members.

To edit a group, do the following:

1. Browse to the Logs and reports > Settings > Groups page.
2. Choose the group that you wish to edit from the Group name drop-down list.
3. Click Select to display the group.
4. Make any changes to the group using the controls in the Add a user and Current users panels.

For more information about using these panels, see Creating Groups.

Deleting a Group

Note: Deleting a group will also delete all group members.

To delete a group, do the following:

1. Browse to the Logs and reports > Settings > Groups page.
2. Select the group to be deleted using the Group name drop-down list.
3. Click Delete.


5 Managing Your Advanced Firewall

This chapter describes how to maintain your Advanced Firewall, including:

Installing Updates
Licenses
Archives
Scheduling
Rebooting and Shutting Down
Setting System Preferences
Configuring Administration and Access Settings
Managing Tenants
Hardware
Managing Hardware Failover
Using Advanced Firewall's Diagnostic Tools
Managing CA Certificates

Installing Updates

Administrators should use Advanced Firewall's update facility whenever a new update is released. Updates are typically released in response to evolving or theoretical security threats as they are discovered. System updates may also include general product enhancements as part of Smoothwall's commitment to continuous product improvement.

Advanced Firewall must be connected to the Internet in order to discover, download and install system updates. Smoothwall's support systems are directly integrated with Advanced Firewall's system update procedure, allowing the Smoothwall support department to track the status of your system.

Installing Updates

The following section explains how to install updates.

Note: If Advanced Firewall is configured for failover, see Installing Updates on a Failover System for information about how to proceed.

To install updates:

1. Navigate to the System > Maintenance > Updates page.
2. Configure the following settings:

Refresh update list: Click to get a list of available updates. Any updates available will be listed in the Available updates area.
Download updates: Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.

Clear download cache: Click to clear any downloaded updates stored in the cache.
Install updates: Click to install all updates in the Pending updates area immediately.
Install at this time: Enter the time at which you want to install the updates if you do not want to install them immediately and click Install at this time.

3. If the update requires a reboot, reboot the system on the System > Maintenance > Shutdown page.

Installing Updates on a Failover System

The following section explains how to install updates on a failover system, if configured. Following these steps ensures the correct application of all pending updates and also performs a failover test between the master and the failover unit.

To install updates on a failover system:

1. On the master's System > Maintenance > Updates page, download the updates.
2. Wait until the updates have been transferred to the failover unit. This should happen within 5 minutes.
3. Go to the failover unit's web interface and install the pending updates. Once they have been installed, the failover unit displays information about the update and prompts for a reboot.
4. On the System > Maintenance > Shutdown page, reboot the failover unit.
5. When the failover unit is up and running again, install the updates on the master and reboot. During master downtime, the failover unit is active and remains so until the master is live again.

Managing Modules

Advanced Firewall's major system components are separated into individually installed modules. Modules can be added to extend Advanced Firewall's capabilities, or removed in order to simplify administration and reduce the theoretical risk of as yet undiscovered security threats.

Note: Modules must be registered against your Advanced Firewall serial number before they can be installed and used. For further information, please consult your Smoothwall partner or, if purchased directly, Smoothwall.

Advanced Firewall must be connected to the Internet in order to install modules.

To install a module:

1. Navigate to the System > Maintenance > Modules page.
   Note: The information displayed depends on the product series you are using.
2. In the Available modules area, locate the module and click Install.

Note: Some module installations require a full reboot of Advanced Firewall. Please read the module description carefully prior to installation.

Removing a Module

To remove a module:

1. Navigate to the System > Maintenance > Modules page.
2. In the Installed modules area, locate the module and click Remove.
3. Reboot Advanced Firewall on the System > Maintenance > Shutdown page.

Licenses

Advanced Firewall contains information about licenses and subscriptions.

To view license information:

1. Navigate to the System > Maintenance > Licenses page.

Note: The information displayed depends on the Smoothwall product you are using.

Installing Licenses

You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License installation and activation is an automated process, initiated via a secure request to Smoothwall licensing servers.

To install additional licenses:

1. Navigate to the System > Maintenance > Licenses page.
2. Click Refresh license list. This will cause the available license information to be updated via the Internet, and any new licenses will be installed.

Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more information, see the documentation delivered with your Smoothwall add-on module.

Archives

The Archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring an Advanced Firewall system. They can also be used to create clones of existing systems.

Tip: Log on to our support portal and read how to set up a Windows SSH server with keys in order to back up system settings.

Note: You can automatically schedule the creation of backup archives. For further information, see Scheduling.

About Archive Profiles

You can assign a profile to an archive, enabling you to specify which components you want backed up in a particular archive. You can create and assign up to 20 profiles and generate their archives automatically.

Profiles are also used to store settings for Smoothwall replication systems. For more information, refer to the Advanced Firewall Administration Guide.

Creating an Archive

To create an archive:

1. Navigate to the System > Maintenance > Archives page.
2. Configure the following settings:

Profile: To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.
Profile name: Enter a name for the profile.
Comment: Enter a description for the archive.
Automatic backup: Select this if you intend to use this archive profile in a scheduled backup.
Settings: Settings available include general settings for Advanced Firewall and replicable settings which can be used in a Smoothwall system. Indicates that the setting can be replicated. Select the components you want to archive or select All to select and archive all settings. For more information about replication in Smoothwall systems, refer to the Advanced Firewall Administration Guide.
Logs: Select the log files you want to archive or select All to select and archive all logs.

3. Click Save and backup to create the archive.

Downloading an Archive

To download an archive:

1. In the Archives area, select the archive.
2. Click Download and save the archive to disk using the browser's Save as dialog box.

Restoring an Archive

To restore an archive:

1. In the Archives area, select the archive.
2. Click Restore. The archive contents are displayed.
3. Select the components in the archive that you want to restore and click Restore.

Deleting Archives

To delete an archive:

1. In the Archives area, select the archive and click Delete.

Uploading an Archive

This is where you upload archived settings from previous versions of Advanced Firewall and Smoothwall modules so that they can be re-used in the current version(s).

To upload an archive:

1. In the Upload area, enter the name of the archive and click Browse.
2. Navigate to and select the archive.
3. Click Upload to upload the archive.

Scheduling

You can configure Advanced Firewall to automatically discover and download system updates, modules and license upgrades using the scheduler. You can also use the scheduler to create and remotely archive automatic backups.

Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.

To create a schedule of tasks:

1. Navigate to the System > Maintenance > Scheduler page.
2. Configure the following settings:

Day: From the drop-down list, select the day of the week that the tasks will be executed.
Hour: From the drop-down list, select the time of day at which the tasks will be executed.
Check for new updates: Select to check for new system updates.
Download updates: Select to download available updates.
Check for new modules: Select to check for new modules.
Check for license upgrades: Select to discover and install license upgrades.

Prune archives: Options here enable you to schedule archive pruning if you require it. Select one of the following options:
   Don't prune: This is the default option; archives are never pruned.
   Over a month: Select this option to prune archives that are older than one month.
   Over 2 months: Select this option to prune archives that are older than two months.
   Over 3 months: Select this option to prune archives that are older than three months.

3. Click Save.

Scheduling Remote Archiving

Scheduled remote archiving uses SSH keys to allow Advanced Firewall to securely copy files to a remote SSH server without the need for passwords.

The use of SSH keys requires Advanced Firewall to generate a key pair which it will use to encrypt all file transfers sent to the SSH server. The SSH server must be configured to accept connections from Advanced Firewall in this manner; it requires the public half of the key pair to be installed.

To schedule remote archiving:

1. Navigate to the System > Maintenance > Scheduler page.
2. In the Remote archive destinations area, click Export Public Backup Key.
3. Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.
4. In the Remote archive destinations area, enter the following information:

Name: Enter a name to identify this destination.
Username: Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
Remote path: Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/ If left blank, Advanced Firewall uses the default home directory of the specified remote user.
Server: Set the IP address of the SSH server.
Port Number: Set the port number used to access the SSH server (normally port 22).
Transfer Speed Limit: Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system from adversely affecting the performance of other network traffic.

Comment: Enter a description of the destination.

5. Click Add.
6. Repeat the steps above to make other destinations available.
7. In the Remote archival area, enter the following information:

Day: The day of the week to carry out the archive.
Hour: The hour of the day to carry out the archive.
Archive destination: From the drop-down list, select a destination as configured in the Remote archive destinations area.
Archive profile: From the drop-down list, select an archive profile as configured on the archives page.
Enabled: Select to enable the archive.
Comment: Enter a description of the archive.

8. Click Add.
9. Repeat the steps above to configure other archives for scheduled remote archive.

Note: A local copy of the archive is also created and stored.

Editing Schedules

To edit a schedule:

1. In the appropriate area, select the destination or task and click Edit or Remove.

Rebooting and Shutting Down

You can choose to reboot or shut down Advanced Firewall either immediately, after a time delay, or at a predetermined time.

To reboot or shut down Advanced Firewall, do the following:

1. Browse to the System > Maintenance > Shutdown page.
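For the scheduled remote archiving procedure above, one way to install the exported public backup key so that the account matches the least-privilege recommendation. This is an added example, not Smoothwall's code: it assumes the remote server runs OpenSSH 7.2 or later (for the restrict option), that the appliance connects from one fixed address, and the sample key, address and label are constructed.

```python
import base64
import ipaddress
import os
import re
import struct

# Key types accepted by this example; extend if your export uses another type.
KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def read_string(buf, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def parse_public_key(line):
    """Validate '<type> <base64> [comment]' and return (type, base64).

    Anything that is not a bare public key (for example a line that already
    starts with command="...") is rejected rather than copied through.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KNOWN_TYPES:
        raise ValueError("expected '<known key type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    inner_type, _ = read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the key blob")
    return key_type, b64


def restricted_entry(pubkey_line, appliance_ip, label="smoothwall-backup"):
    """Build an authorized_keys line limited to file copy from one address.

    'restrict' turns off port, agent and X11 forwarding and PTY allocation;
    'from=' refuses the key when it is presented from any other source.
    """
    key_type, b64 = parse_public_key(pubkey_line)
    source = ipaddress.ip_address(appliance_ip)  # ValueError on bad input
    if not re.fullmatch(r"[A-Za-z0-9._@-]+", label):
        raise ValueError("label must be a single plain token")
    return f'restrict,from="{source}" {key_type} {b64} {label}'


def install_entry(entry, ssh_dir):
    """Append entry to ssh_dir/authorized_keys unless the key is already there.

    Returns True when the file was changed. Modes 0700 and 0600 satisfy
    OpenSSH's StrictModes ownership and permission check.
    """
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    current = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            current = fh.read()
    blob = entry.split()[2]
    if any(blob in row.split() for row in current.splitlines()):
        return False
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        if current and not current.endswith("\n"):
            fh.write("\n")
        fh.write(entry + "\n")
    os.chmod(path, 0o600)
    return True


def constructed_sample_key():
    """A constructed ed25519-shaped key line, standing in for the exported key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " backup"


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder.
    print(restricted_entry(constructed_sample_key(), "192.0.2.10"))
```

Run it as the dedicated backup account on the SSH server, and give that account write access only to the Remote path configured in the destination.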

2. Choose the type of reboot or shutdown:

immediately: Reboot or shut down Advanced Firewall now.
delay action for: From the drop-down list, choose the length of time to delay the reboot or shutdown. Valid options are given in five minute increments, from five minutes to one hour.
at the following time: From the drop-down lists, choose the time, in 24-hour format, to perform the reboot or shutdown.

3. Click Reboot or Shutdown.

The Smoothwall logo is displayed whilst the system is rebooting or shutting down. If a reboot is occurring, this page will refresh to the login prompt once the reboot has completed. If a shutdown is occurring, you will need to manually close your browser window.

Setting System Preferences

The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you to use one.

Configuring the User Interface

Advanced Firewall can be customized in different ways, depending on how you prefer working. The main changes that can be made are the method of displaying errors and the drop-down list navigation system. It is also possible to alter the system's description.

To configure the user interface:

1. Browse to the System > Preferences > User interface page.
2. Configure the following settings:

Host information: In the description field, enter a description to identify Advanced Firewall. This will be displayed in the title bar of the browser window.

System control page: From the Report to show drop-down list, select the report you want displayed on the Dashboard.
Dashboard sections: Determines what, if any, information is displayed in the System Services area on the Dashboard.

3. Click Save.

Setting Time

Advanced Firewall's time zone, date and time settings can be specified manually or automatically retrieved from a local or external Network Time Protocol (NTP) server, typically located on the Internet.

Advanced Firewall can also act as an NTP server itself, allowing network wide synchronization of system clocks.

To set the time:

1. Navigate to the System > Preferences > Time page.
2. Configure the following settings:

Timezone: From the drop-down list, select the appropriate time zone.
Time and date: To manually set the time and date:
   1. Select Set and use the drop-down lists to set the time and date.

Network time retrieval: To automatically retrieve time settings:
   1. Select Enabled in the Network time retrieval area.
   2. Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.
   3. Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
   4. Choose one of the following network retrieval methods:
      Multiple random public servers: select to set the time as the average time retrieved from five random time servers.
      Selected single public server: select from the drop-down list a public time server to use to set the time.
      User defined single public or local server: Enter the address of a specific local or external time server.
Network time service interfaces: Advanced Firewall can be used to synchronize the system clocks of local network hosts by providing a time service. To synchronize the network time service:
   1. Enable network time retrieval.
   2. Select each internal network interface that the network time service should be available from.

3. Click Save.

Configuring Registration Options

Advanced Firewall enables you to use an upstream registration proxy if your ISP requires you to use one, and optionally, supply information about the status of your system and web filtering statistics.

To configure registration options:

1. Navigate to the System > Preferences > Registration options page.

2. Configure the following settings:

Upstream registration proxy:
   Server: Enter the hostname or IP address of the proxy server.
   Port: Enter the port number to use.
   Username: Enter the username provided by your ISP.
   Password: Enter the password provided by your ISP.
   Note: The upstream proxy has no bearing on Advanced Firewall proxy services.
Extended registration information: When registering, updating and/or installing add-on modules, Advanced Firewall sends information about licences, subscription and add-on modules to Smoothwall. When this option is enabled and depending on which add-on modules are installed, the following information is also sent:
   Enabled status for optional services
   The number of configured interfaces and whether they are internal or external
   Authentication service settings and the LDAP server type
   Guardian transparent mode and authentication service settings mode
   Manufacturer name and product name from dmidecode
   Main board manufacturer and main board product name from dmidecode
   Note: No usernames, passwords or sensitive information are sent and any potentially identifying data is summarized before sending.
Provide filtering feedback information: When enabled, Advanced Firewall will periodically send information about web filtering accuracy and a list of the domains of any web sites which could not be classified. Smoothwall will take every available measure to ensure data cannot be associated with your organization and no personal information is ever sent.

3. Click Save. Advanced Firewall starts to use the configured upstream proxy and, if enabled, send registration and/or filtering information.

Changing the Hostname

You set the hostname for Advanced Firewall during installation. However, you can use the administration interface to change the hostname at any point.

Tip: Typically, the hostname includes the name of the domain that the appliance is in.

To change the hostname, do the following:

1. Browse to System > Preferences > Hostname.
2. Enter a new value in the Hostname field.
3. Click Save changes.
4. Reboot Advanced Firewall either by clicking the rebooted link in the Warning panel that appears at the top of the page, or by browsing to System > Preferences > Hostname.

Note: Changing the hostname causes Advanced Firewall to regenerate its SSL certificate. You must re-import it to any hosts that have imported the original certificate, for example, those that use SSL logins.

Using Hostname Identification

By default, Advanced Firewall identifies itself to the network using its IP address. You can change this, so it uses hostname identification instead. This is useful if a system redirection to hostname is in place.

To change the identification method, do the following:

1. Browse to System > Preferences > Hostname.
2. Change the System identification method drop-down from IP address to Hostname.
3. Click Save changes.

Configuring Administration and Access Settings

The following sections discuss administration, external access and account settings.

Configuring Administration Access Options

You can enable and disable remote access to Advanced Firewall's console via Secure Shell (SSH). To access Advanced Firewall via remote SSH, the following criteria must be met:

The host must be from a valid network zone
The host must be from a valid source IP

The SSH service must be enabled
Administration access must be set to enabled
The setup or root username and password must be known

Note: SSH access is enabled by default upon installation. On upgraded systems where SSH was disabled, SSH remains disabled.

To disable SSH access, do the following:

1. Browse to System > Administration > Admin options.
2. Remove the check for SSH and click Save.

Note: Terminal access to Advanced Firewall uses the non-standard port 222.

Configuring External Access Rules

External access rules allow specific services access to Advanced Firewall. A default rule is provided to grant access to all services across the default interface selected during installation. If you have multiple connections configured, you can choose which services have access to an interface.

Note: If Advanced Firewall is configured with multiple connections, you must configure an explicit external access rule for some services. These are described separately in the relevant section.

The following services are available for external access rules:

FTP proxy alternative (21)
DNS proxy (53)
Other web access on HTTP (80)
Web based admin on HTTP (81)
SNMP (161)

SSH based admin (222)
Heartbeat admin on HTTPS (440)
Web based admin on HTTPS (441)
Other web access on HTTPS (442)
RADIUS authentication (1812)
RADIUS accounting (1813)
FTP proxy (2121)
SIP (5060)

The number following the service name denotes the port number used.

You add external access rules as follows:

1. Browse to System > Administration > External access.
2. Configure the following:

Interface: From the drop-down list, select the interface that access is permitted from.
Source IP, or network: Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access. For a range of hosts, enter an IP address range, for example, For a particular subnet of hosts, enter a subnet range, for example, / or /24. If no value is entered, any source IP can access the system.
Service: Select the permitted access method.
Comment: Enter a description for the access rule.
Enabled: Select to activate access.

3. Click Add.

Note: Do not remove the default external access rule; it provides access to the default internal network.
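Because a rule with no source value lets any source IP reach the service, it is worth confirming from a host you control on the far side of each interface that only the services you intended are reachable. The following is an added example, not part of the guide or of Advanced Firewall: it uses the TCP services and port numbers from the list above, and the host address and the set of intended ports are supplied by you.

```python
import socket
import sys

# TCP services from the external access list above (port: service name).
# DNS proxy (53), SNMP (161), RADIUS (1812, 1813) and SIP (5060) are left out
# because a TCP connect test says nothing reliable about UDP services.
TCP_SERVICES = {
    21: "FTP proxy alternative",
    80: "Other web access on HTTP",
    81: "Web based admin on HTTP",
    222: "SSH based admin",
    440: "Heartbeat admin on HTTPS",
    441: "Web based admin on HTTPS",
    442: "Other web access on HTTPS",
    2121: "FTP proxy",
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True when a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unreachable all count as closed.
        return False


def compare(reachable, intended, services):
    """List every service whose observed state differs from the intent.

    reachable: ports that accepted a connection from this vantage point.
    intended:  ports your external access rules are meant to allow here.
    Returns (port, service name, finding) tuples ordered by port.
    """
    findings = []
    for port in sorted(services):
        is_open = port in reachable
        wanted = port in intended
        if is_open and not wanted:
            findings.append((port, services[port], "reachable but not intended"))
        elif wanted and not is_open:
            findings.append((port, services[port], "intended but not reachable"))
    return findings


def audit_exposure(host, intended, services=TCP_SERVICES, timeout=2.0):
    """Probe each listed service on host and compare with the intended set."""
    reachable = {p for p in services if tcp_reachable(host, p, timeout)}
    return compare(reachable, set(intended), services)


if __name__ == "__main__":
    # Usage: script.py <appliance address> [intended port ...]
    if len(sys.argv) < 2:
        sys.exit("usage: script.py <appliance address> [intended port ...]")
    wanted_ports = {int(arg) for arg in sys.argv[2:]}
    results = audit_exposure(sys.argv[1], wanted_ports)
    for port, name, finding in results:
        print(f"{port:>5}  {name}: {finding}")
    sys.exit(1 if results else 0)
```

Run it once from each network that a rule covers, since a rule's Interface and Source IP settings make the result depend on where the test host sits.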

Editing and Removing External Access Rules

To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings

Advanced Firewall supports different types of administrative accounts.

To manage accounts:

1. Navigate to the System > Administration > Administrative users page.
2. Configure the following settings:

Username: Enter a name for the user account.
Password: Enter a password. Passwords are case sensitive and must be at least six characters long.
Again: Re-enter the password to confirm it.

Permissions: Select the account permissions you want to apply to the account.
   Administrator: Full permission to access and configure Advanced Firewall.
   Log: Permission to view the system log files.
   Operator: Permission to shutdown or reboot the system.
   Portal User: Permission to access the user portal pages.
   SMTP quarantine: Permission to access and manage the SMTP quarantine pages.
   Realtime logs: Permission to view realtime logs.
   Reporting system: Permission to access the reporting system.
   Rule editor user: Permission to edit networking outgoing policies ports and external services.
   Temp ban: Permission to access and change temporary ban status.

3. Click Add to add the account.

Changing a User's Password

To set or edit a user's password:

1. Browse to the System > Administration > Administrative users page.
2. In the Current users area, select the user and click Edit.
3. Enter and confirm the new password in the Password and Again fields.
4. Click Add to activate the changes.

Managing Tenants

Note: To add tenants, Advanced Firewall must have the Multi-Tenant license type installed. Contact your Smoothwall representative for more information.

Multi-Tenant is designed to allow you to deploy your Smoothwall filter as a managed service for discrete individual clients, referred to as tenants. It provides a means of logically partitioning a Smoothwall cluster into multiple virtual instances. Each instance, or tenant, applies a core set of policies for all customers, as well as policies designed for individual tenants.

A Multi-Tenant system can only provide filtering services to clients configured as tenants. It is not possible to configure your Smoothwall System to support tenant, and non-tenant modes.

Multi-Tenant provides the following features:

Central administration control over all tenants
Maintenance of data integrity between individual tenants, ensuring no data or policy overlap
Tenant control of report generation for their own operations
Tenant specific category filtering, and content modification rules

For information about tenants and directories, and self-service reporting, refer to the Multi-Tenant Managed Services Administration Guide.

Creating Tenants

You must assign a unique name to each tenant supported, including the IP ranges used by that tenant.

Note: Requests from IP addresses not assigned to a tenancy will be blocked.

To create tenants, do the following:

1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Click Add new tenant.
3. Configure the following parameters:

Name: The name of the tenant.
IP address range(s): The IP address ranges that are assigned to the tenant. If multiple ranges are assigned to the tenant, add each range on a new line.

4. Click Save changes.

Editing a Tenant

To edit a tenant, do the following:

1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Highlight the relevant tenant, and click Edit.
3. In the Edit tenant dialog box, change the settings as required. For a detailed description of the available settings, see Creating Tenants.
4. Click Save changes.

Deleting a Tenant

Before deleting a tenant, the following behavior should be noted:

Any directory services assigned to that tenant must have their association removed before the tenant can be deleted. If this is not done, a warning message will be displayed. For more information, refer to the Advanced Firewall Administration Guide.
Any tenant-specific custom categories and content modifications are retained for future use by other tenants. Advanced Firewall will display Deleted tenant against categories or content modifications for deleted tenants.
Access to historical data from the deleted tenant must be made using SQL. For more information, refer to your Smoothwall representative.

To delete a tenant, do the following:

1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Highlight the relevant tenant, and click Delete.
3. Confirm that you want to delete the tenant.

You can also delete multiple tenants at the same time. To delete multiple tenants, do the following:

1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Mark the relevant tenants, and click Delete.
3. Confirm that you want to delete the tenants.

Hardware

The following sections discuss how to configure UPS devices, and firmware settings.

Managing UPS Devices

Uninterruptible Power Supply (UPS) device(s) physically connected to Advanced Firewall provide emergency power to Advanced Firewall if the mains power supply fails.

UPS Connection Prerequisites

Before you start configuring Advanced Firewall to use a UPS device:

1. Follow the documentation delivered with your UPS device to prepare it for use.
2. Connect the UPS device to Advanced Firewall.
3. On the System > Maintenance > Shutdown page, reboot immediately.

Once rebooted, you are ready to start configuring the UPS device.

Configuring the Global Shut Down Condition

The global shut down condition determines when, if ever, an Advanced Firewall connected to a UPS device should shut down.

To configure the global shut down condition:

1. Browse to the System > Hardware > UPS page.
2. Select when Advanced Firewall should shut down:

Never: Select to never shut down Advanced Firewall.
When all remaining UPS are at low battery: Select to shut down Advanced Firewall when all currently connected UPS devices are at low battery levels.
After a set time of being on battery: Select to specify how long to wait before shutting down Advanced Firewall when running on UPS battery.
   Delay before shut down: Enter how long in minutes to wait before shutting down Advanced Firewall.

3. Click Save changes. Advanced Firewall applies the shut down condition.

Configuring UPS Devices

UPS devices can be configured to use the following types of connections:

USB: connects to Advanced Firewall via a USB connection. For more information, see Configuring a UPS Device with a USB Connection.
Serial: connects to Advanced Firewall via a serial connection. For more information, see Configuring a UPS Device with a Serial Connection.
SNMP: connects to Advanced Firewall via an SNMP connection. For more information, see Configuring a UPS Device with an SNMP Connection.
HTTP: connects to Advanced Firewall via an HTTP connection. For more information, see Configuring a UPS Device with an HTTP Connection.

Advanced Firewall also makes information about UPS devices available on the System > Central management > Overview page. For more information, refer to the Advanced Firewall Administration Guide.

It is also possible to configure an alert which is triggered when power switches to and from mains supply. For more information, see Chapter 4, Enabling Instantaneous Alerts on page 91.

Configuring a UPS Device with a USB Connection

To configure a USB connection:
1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:
- Name: Enter a name for the UPS device.
- UPS connection: Select USB.
2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with a Serial Connection

To configure a serial connection:
1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:
- Name: Enter a name for the UPS device.
- UPS connection: Select Serial.
- Manufacturer: From the drop-down lists, select the UPS device's manufacturer and model.
- Port: From the drop-down list, select the port the UPS device uses.
2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an SNMP Connection

To configure an SNMP connection:
1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:
- Name: Enter a name for the UPS device.
- UPS connection: Select SNMP.
- IP address: Enter the IP address that the UPS device will use.
- SNMP community: Enter the UPS device's SNMP community string.
2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Configuring a UPS Device with an HTTP Connection

To configure an HTTP connection:
1. On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS. In the Add new UPS dialog box, configure the following settings:
- Name: Enter a name for the UPS device.
- UPS connection: Select HTTP.
- IP address: Enter the IP address that the UPS device will use.
- Username: If required, enter the user name to be used to connect the device to Advanced Firewall.
- Password: If required, enter the password to be used to connect the device to Advanced Firewall.
- Confirm: If required, re-enter the password to be used to connect the device to Advanced Firewall.
2. Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.

Editing UPS Devices

To edit a UPS device's settings:
1. On the System > Hardware > UPS page, point to the device you want to edit and click Edit.
2. In the Edit UPS dialog box, make the changes required. See Configuring UPS Devices on page 146 for information about the settings available.
3. Click Save changes. Advanced Firewall changes the settings and lists the device in the Connected UPS area.

Deleting UPS Devices

To delete a UPS device:
1. On the System > Hardware > UPS page, point to the device you want to delete and click Delete.
2. When prompted, click Delete to confirm that you want to delete the device. Advanced Firewall deletes the device and removes it from the list in the Connected UPS area.

Managing Hardware Failover

Advanced Firewall's hardware failover enables you to configure a failover Advanced Firewall system which, in the event of hardware failure, provides all the protection and services your primary Advanced Firewall usually provides.

Note: Hardware failover is not included as standard with Advanced Firewall; it must be licensed separately. For more information, refer to your Smoothwall representative, or visit

When configured and enabled, the failover Advanced Firewall runs in a standby mode monitoring the primary Advanced Firewall for a heartbeat communication. Heartbeat is the name of a suite of services and configuration options that enable two identical Advanced Firewall systems to be configured to provide hardware failover.

The primary system periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the primary system fails.

Note: Settings are copied intermittently and it is theoretically possible that the failover unit will be a few minutes behind configuration changes made to the primary system.

If the primary Advanced Firewall fails, it stops responding to the failover unit's heartbeat and the failover unit therefore determines that the primary system is no longer available. This occurs somewhere between 0 seconds and the Keep-alive internal time specified when configuring failover.

The failover unit then enters a more responsive mode where it monitors the primary system for its revival. It remains in this mode for the length of Dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded primary system.

Once Dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services allowing it to take over operations from the primary system.
Since part of this information includes the IP addresses for each of the primary system's interfaces, the failover unit essentially provides a drop-in replacement and the transition generally goes unnoticed.

When the primary system starts to respond again, be it minutes, days or weeks later, assuming that Auto failback is enabled, the failover unit hands over control to the master, de-activates its configuration and services, and returns to standby mode.

Prerequisites

The following must be in place for hardware failover to work:
- A private network consisting of only two Advanced Firewall systems connected via their heartbeat interfaces, preferably using a crossover cable
- The primary and failover units should both use the same types of hard disk drives, RAM, and above all, the same type and number of network interface cards
- The failover unit must be plugged into all the switches the primary system is plugged into

- SSH must be enabled on the primary system; see Configuring Administration Access Options on page 139

Configuring Hardware Failover

Configuring hardware failover entails:
- On the primary system, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit
- On the failover unit, installing Advanced Firewall and deploying the failover archive

To configure the primary Advanced Firewall, do the following:
1. Browse to Networking > Configuration > Interfaces.
2. Point to the interface to be used by the hardware failover master and failover unit systems to communicate with each other and click Edit.

Note: The primary and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as is possible. For these reasons, we strongly recommend that this connection be a crossover cable. Using a crossover cable also minimizes the risk of failure as it is possible that the switch the heartbeat interface is on could fail.

3. In the Edit interface dialog box, configure the following settings:
- Name: Configure a meaningful name for this interface.
- Use as: Select Heartbeat interface.
- Spoof MAC: If MAC spoofing is used, enter the new MAC address.
- MTU: Optionally, enter the maximum transmission unit (MTU) value required in your environment.

4. Click Save changes.
5. Browse to System > Hardware > Failover.
6. Configure the following settings:
- Enabled: Select to enable failover.
- Auto failback: Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
- Keep-alive internal: Set the interval after which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval which is undetectable in terms of system performance.
- Dead time: Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
- Master heartbeat IP: Enter an IP address for the primary system. Note: We recommend that this network be private and only used by the primary and failover units.
- Failover heartbeat IP: Enter an IP address for the failover unit. Note: We recommend that this network be private and only used by the primary and failover units.
- Netmask: Enter a netmask. Note: We recommend that this network be private and only used by the master and failover units.
7. Click Save.
8. Browse to System > Maintenance > Shutdown.
9. Select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.
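The interaction of the Keep-alive interval, Dead time and Auto failback described under Managing Hardware Failover can be modelled as a small state machine. The following is an added example, not part of the guide and not Smoothwall's Heartbeat code; the state names, function names and heartbeat timestamps are constructed for illustration, and the unit is assumed to have seen the primary at t=0.

```python
"""Model of the failover unit's timing as the guide describes it (illustrative only)."""

# State names are this example's own; the guide speaks of standby mode,
# a "more responsive mode" and taking over operations.
STANDBY, MONITORING, ACTIVE = "standby", "monitoring", "active"

# Constructed sample: one heartbeat per second, a 5-second stall after t=20,
# a real outage after t=40, and the primary reviving at t=100.
SAMPLE_HEARTBEATS = list(range(0, 21)) + list(range(26, 41)) + list(range(100, 111))


def takeover_window(keepalive, dead_time):
    """(shortest, longest) time from the primary failing to the failover unit going active.

    The loss is noticed between 0 and `keepalive` seconds after the failure,
    then the unit waits the full dead time before taking over.
    """
    return (dead_time, keepalive + dead_time)


def simulate_failover_unit(heartbeats, keepalive, dead_time, auto_failback, end_time):
    """Replay heartbeat arrival times and return the failover unit's state changes.

    heartbeats: times in seconds at which the primary's heartbeat was seen.
    Returns a list of (time, state) tuples, starting in standby at t=0.
    """
    state = STANDBY
    transitions = [(0, STANDBY)]
    last_seen = 0            # assumption: the primary was seen at t=0
    monitoring_since = None

    def apply_timeouts(now):
        nonlocal state, monitoring_since
        # Heartbeat overdue: leave plain standby and watch closely for a revival.
        if state == STANDBY and now > last_seen + keepalive:
            monitoring_since = last_seen + keepalive
            state = MONITORING
            transitions.append((monitoring_since, MONITORING))
        # Dead time expired with no revival: take over from the primary.
        if state == MONITORING and now >= monitoring_since + dead_time:
            state = ACTIVE
            transitions.append((monitoring_since + dead_time, ACTIVE))

    for t in sorted(heartbeats):
        if t > end_time:
            break
        apply_timeouts(t)
        last_seen = t
        if state == MONITORING:
            # Primary revived within the dead time: an intermittent failure only.
            state = STANDBY
            transitions.append((t, STANDBY))
        elif state == ACTIVE and auto_failback:
            # Primary is back and Auto failback is enabled: hand control back.
            state = STANDBY
            transitions.append((t, STANDBY))
        # ACTIVE without Auto failback: stay active until failed back manually.
    apply_timeouts(end_time)
    return transitions


if __name__ == "__main__":
    for when, what in simulate_failover_unit(SAMPLE_HEARTBEATS, 1, 10, True, 110):
        print(f"t={when:>3}s  {what}")
```

With a 1-second keep-alive and a 10-second dead time, the 5-second stall never triggers a takeover, while the real outage leaves the network without an active unit for 11 seconds after the last heartbeat.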

Generating a Failover Archive

A failover archive contains the settings required to configure the failover unit to provide hardware failover for Advanced Firewall.

To generate a failover archive, do the following on the primary system:
1. Browse to System > Hardware > Failover.
2. Ensure the failover settings are configured and saved; see Configuring Hardware Failover on page
3. Click Generate failover setup archive. Advanced Firewall generates the archive and prompts you to specify where to save it.
4. Save the archive on some suitable removable media accessible by the failover unit.

The next step is to use the archive to implement the failover settings on the failover unit.

Note: The size of the failover unit archive varies depending on the Smoothwall modules installed. 50 megabytes is an average size.

Implementing Failover Settings on the Failover Unit

Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings.

To implement failover on the failover unit, do the following:
1. Install Advanced Firewall using the quick install option. For more information, refer to the Advanced Firewall Installation Guide.

On the following screen:
1. Select Yes and press Enter.
2. Select the type of media the archive is stored on and press Enter. You are prompted to insert the media.
3. Insert the media and press Enter.
4. Select the archive and press Enter. The failover settings are installed.
5. When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Note: For information about installing updates in failover units, see Installing Updates on a Failover System on page

Administering Failover

There are no noticeable differences between administering Advanced Firewall used as a primary system, and administering as a failover. There should be little or no need to administer the failover unit on a day to day basis. However, from time to time, you need to install updates.

Accessing the Failover Unit

With failover implemented, the active Advanced Firewall system is always accessed via the same address, whether services and protection are being supplied by the primary or the failover unit.

All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441:

For example, to access the primary system's Update page the address would usually look as follows:

To access the settings on the failover unit, the address would be:

Testing Failover

In order to test failover, you can force the primary system to enter standby mode.

To test failover, do the following:
1. From the primary system, browse to System > Hardware > Failover.
2. Click Enter standby mode. After a short period of time the failover unit takes over from the primary system.
3. To restore operations to the primary system, from the active system, browse to System > Hardware > Failover.
4. Click Enter standby mode. Operations are transferred back to the primary system.

Note: If Auto failback is enabled, rebooting the primary system also returns it to active service, and forces the failover unit into standby mode.

Manual Failback

In configurations where Auto failback is not enabled, when the failover unit is in active operation but the primary system has become available again, you can manually failback to the primary system.

To manually failback, do the following:
1. From the failover system, browse to System > Hardware > Failover.
2. Click Enter standby mode to restore the system to normal operations.

Using Advanced Firewall's Diagnostic Tools

Advanced Firewall comes with the ability to perform diagnostics, and test the configuration. The following tools are available for use:
- Testing Advanced Firewall Functionality on page 154
- Exporting Advanced Firewall's Configuration on page 156
- Using IP Tools on page 156
- Using Whois on page 158

Testing Advanced Firewall Functionality

You can test Advanced Firewall's connectivity and networking configuration. Available test types are:

Test Type: Authentication, Basic Connectivity, Networking Configuration

Test Question | Test Result Text
Check authentication service group_name? | Results for authentication service group_name
Can the primary DNS server resolve hostname? | Primary DNS results for hostname hostname
Can the secondary DNS server resolve hostname? | Secondary DNS results for hostname hostname
Can the DNS server(s) resolve the external site domain? | External DNS resolution results for domain
Does a reverse DNS entry exist for smoothwall_ip_address? | Reverse DNS results for IP smoothwall_ip_address
What is our direct download speed? | Direct download results
Does the primary DNS server (primary_dns_ip) have latency issues? | Primary DNS server latency results
Does the secondary DNS server (secondary_dns_ip) have latency issues? | Secondary DNS server latency results
Does the default gateway respond? | Default gateway ping requests
Do the internal subnets overlap? |
Are the internal networks within reserved IP ranges? | Internal networks within reserved IP ranges results

Test Type | Test Question | Test Result Text
VPN Connectivity | Does the L2TP primary DNS server respond? | L2TP primary DNS server ping results
VPN Connectivity | Does the L2TP secondary DNS server respond? | L2TP secondary DNS server ping results
VPN Connectivity | Does the L2TP primary WINS server respond? | L2TP primary WINS server ping results
VPN Connectivity | Does the L2TP secondary WINS server respond? | L2TP secondary WINS server ping results
VPN Certificates | Are the installed root certificates valid? | Results for installed root certificates
VPN Certificates | Are the installed certificates valid? | Results for installed certificates

Note: By default, all testing options are selected to be included. However, the test options available are dependent on the configuration of your Advanced Firewall.

You can customize the test, and run it as follows:
1. Browse to System > Diagnostics > Functionality tests.
2. Expand the relevant Test type, and clear the selection for those tests you do not want to run.
Tip: Clearing the selection for the Test type removes all test options against that test category.
3. Click Test selected. A progress bar is displayed to indicate the test progress.

When completed, the Functionality test results window is displayed, using the following Status indicators:
- A green tick indicates the test was run successfully, with no follow up actions required.
- An amber exclamation mark indicates the test was run successfully. However, an issue was flagged up that does not impact on day-to-day operations.
- A red cross indicates a problem was found with the test run. The Details column provides a description of the issue.
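The two networking configuration questions in the test list, "Do the internal subnets overlap?" and "Are the internal networks within reserved IP ranges?", can be checked offline before a change is applied. The following is an added example, not Smoothwall's own test code; the interface names and addresses are constructed, and "reserved IP ranges" is assumed here to mean the RFC 1918 private blocks.

```python
import ipaddress
from itertools import combinations

# Assumption: "reserved IP ranges" is read here as the RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: interface name -> address/prefix or address/netmask.
SAMPLE_INTERFACES = {
    "lan": "192.168.10.1/24",
    "dmz": "192.168.10.129/25",        # sits inside the lan /24
    "voice": "10.20.0.1/255.255.0.0",  # dotted netmask form
    "lab": "172.32.0.1/16",            # just past 172.16.0.0/12, so not private
}


def check_internal_networks(interfaces):
    """Return (overlapping_pairs, names_outside_rfc1918) for IPv4 interfaces.

    Each value is an interface address with its prefix length or netmask;
    the network is derived from it, so host bits may be set.
    """
    nets = {name: ipaddress.IPv4Interface(addr).network
            for name, addr in interfaces.items()}

    # Pairs are compared in name order, so each overlap is reported once.
    overlapping = [(a, b)
                   for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2)
                   if net_a.overlaps(net_b)]

    # A network counts as private only if it lies wholly inside one block.
    outside = sorted(name for name, net in nets.items()
                     if not any(net.subnet_of(block) for block in RFC1918))
    return overlapping, outside


if __name__ == "__main__":
    pairs, outside = check_internal_networks(SAMPLE_INTERFACES)
    print("overlapping:", pairs)
    print("outside RFC 1918:", outside)
```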

Exporting Advanced Firewall's Configuration

You can export Advanced Firewall's system configuration to a text file, for example, to aid troubleshooting.

To export Advanced Firewall's configuration, do the following:
1. Browse to System > Diagnostics > Configuration report.
Note: By default, all configuration options are selected to be included. However, the export options available are dependent on the configuration of your Advanced Firewall.
2. Clear the selection for those options that you do not want to export.
3. Click Generate. When prompted, save the results in a suitable location for review.

Using IP Tools

The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its local networks, and to hosts located externally on the Internet. There are two tools available:
- Ping: Ping establishes that basic connectivity to a specified host can be made. Use it to prove that Advanced Firewall can communicate with hosts on its local networks and external hosts on the Internet.
- Traceroute: Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and therefore slower) connection.

The output of these commands is as it would be if the commands were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run them from this page.

Using Ping

To use Ping, do the following:
1. Browse to System > Diagnostics > IP tools.
2. Select Ping from the Tool drop-down list.
3. Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.
4. You can choose to ping the entered IP address from any interface or IP address configured on Advanced Firewall. To ping from a specific interface or IP address, choose it from the Source IP drop-down list, else leave it as Any.
5. Click Run. The result of the ping command is displayed.

Using Traceroute

To use Traceroute, do the following:
1. Navigate to the System > Diagnostics > IP tools page.
2. Select the Traceroute option from the Tool drop-down list.
3. Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.
4. You can choose to start the trace from any interface or IP address configured on Advanced Firewall. To trace from a specific interface or IP address, choose it from the Source IP drop-down list, else leave it as Any.
5. Click Run. The result of the traceroute command is displayed.

Using Whois

Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Detection System logs. This can assist in the identification of malicious hosts.

To use Whois:
1. Navigate to the System > Diagnostics > Whois page.
2. Enter an IP address or domain name that you wish to look up in the IP addresses or domain name field.
3. Click Run.

The output of Whois is as it would be if it were run directly by the root user from the console of the Advanced Firewall system.

Managing CA Certificates

When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them against the list of installed Certificate Authority (CA) certificates on the System > Certificates > Certificate authorities page.

The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available.

Reviewing CA Certificates

By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs.

To review the certificates:
1. Browse to the System > Certificates > Certificate authorities page. Advanced Firewall displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Advanced Firewall by default.
2. To review a specific certificate, click on its name. Advanced Firewall displays it.
3. Click your browser's Back button to return to Advanced Firewall.

Importing CA Certificates

To import CA certificates:
1. Navigate to the System > Certificates > Certificate authorities page and locate the Import Certificate Authority certificate area.
2. Click Browse, navigate to the certificate and select it.
3. Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of the list.

Exporting CA Certificates

To export certificates:
1. On the System > Certificates > Certificate authorities page, select the certificate.
2. From the Export format drop-down list, select one of the following options:
- CA certificate in PEM: Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
- CA certificate in BIN: Export the certificate in a binary certificate format.
3. Click Export and save the certificate on suitable medium.

Deleting and Restoring Certificates

You can remove built-in certificates from the list on the System > Certificates > Certificate authorities page. You can also restore them to the list if required.

To delete certificates:
1. On the System > Certificates > Certificate authorities page, select the certificate(s) and click Delete. Advanced Firewall removes the certificate(s).


Appendix A: Available Reports

This appendix describes the reports available to run from Advanced Firewall. The following table describes the report types, and shows the corresponding reports:

Report Folder: Comparison reports
These reports provide time-based comparison of the common activity for each report type.
Available Reports:
- Daily category comparison on page 168
- Daily domain comparison on page 168
- Daily user comparison on page 169

These reports provide an analysis of traffic.
Available Reports:
- Estimated cost of Spam and Malware on page 169
- Incoming summary incl last 24 hours on page 171
- Mailbox activity on page 171
- Malware Incl last 24 hours on page 172
- Outgoing summary incl last 24 hours on page 172

Report Folder: Executive summary
These reports provide an analysis of the web traffic from specified reporting types.
Available Reports:
- Executive summary of activity of a specific IP address on page 169
- Executive summary of activity of a specific user on page 170
- Executive summary of all group activity on page 170

Report Folder: Firewall and networking
These reports provide an analysis of the web traffic through your Smoothwall firewall.
Available Reports:
- Application Bandwidth Statistics on page 165
- Connection details and traffic statistics on page 168
- Firewall activity on page 170
- Interfaces and IP addresses on page 171
- VPN status and history on page

Report Folder: System
These reports provide an analysis of your Smoothwall System.
Available Reports:
- Authentication Cache on page 167
- Control page template on page 168
- Disk information on page 169
- Portal users logged in status on page 172
- Summary page template on page 172
- System information on page 173
- Updates on page 180
- Web filter statistics on page 180

Report Folder: Time of day activity
These reports provide an analysis of the web activity at specific times of the day.
Available Reports:
- Times of day a group browses a specific URL on page 174
- Times of day a user browses a specific URL on page 174
- Times of day a user browses and the categories browsed on page 174
- Times of day an IP address browses a specific URL on page 175
- Times of day an IP address browses and the categories browsed on page 175
- Times of day members of a group browses and the categories browsed on page 176

Report Folder: Time spent browsing
These reports provide an analysis of browsing activity.
Available Reports:
- Amount of time a user spent browsing a URL on page 164
- Amount of time a user spent browsing sites in a category on page 164
- Amount of time an IP address spent browsing a URL on page 164
- Amount of time an IP address spent browsing sites in a category on page

Report Folder: Top reports
These reports provide an analysis of the web traffic of each report type.
Available Reports:
- Top blocked domains by hits on page 176
- Top blocked users by hits on page 176
- Top categories by hits and bandwidth on page 176
- Top categories by hits and bandwidth - with options on page 177
- Top client IPs by hits and bandwidth on page 177
- Top client IPs by hits and bandwidth - with options on page 177
- Top domains by hits and bandwidth on page 178
- Top domains by hits and bandwidth - with options on page 178
- Top search terms on page 179
- Top users by hits and bandwidth on page 179
- Top users by hits and bandwidth - with options on page 179
- Top users using banned search terms on page 180

Report Folder: User analysis
These reports provide an analysis of user activity.
Available Reports:
- All blocked activity for a specific user on page 164
- Bandwidth usage by a specific user on page 167
- Complete IP address audit trail on page 167
- Complete user audit trail on page 168
- Time spent browsing for a specific user on page 173
- Top search terms and the searches they were used in for a specific user on page 179

All other supplied reports have been deprecated from the Smoothwall System, but remain in the Archive folder for backwards compatibility.

Note: If you are using a user portal, the reports available to you are dependent on the configuration of your portal. For more information, see Configuring a Portal on page 23. Note that drill down reports are not available from the user portal.

The following sections describe each report in detail. The reports are listed in alphabetical order. Unless otherwise stated, all reports can be output to .csv, .xls, .pdf (either color, or black and white), and .tsv.

All blocked activity for a specific user

The All blocked activity for a specific user report lists the IP address used, the blocked URL, and the corresponding category. Blocked adverts are not included in the user's statistics.

To run the report for a specific user, click the Advanced >> button and enter the username in the Username text box. Enter the required date range and click Run report.

Amount of time a user spent browsing a URL

The Amount of time a user spent browsing a URL report provides a graphical representation of the data.

To run the report for a specific user and URL, click the Advanced >> button and enter the username and URL in the Username and URL text boxes. Enter the required date range and click Run report.

Amount of time a user spent browsing sites in a category

The Amount of time a user spent browsing sites in a category report provides a graphical representation of the data.

To run the report for a specific user and category, click the Advanced >> button and enter the username and category in the Username and Category text boxes. Enter the required date range and click Run report.

Amount of time an IP address spent browsing a URL

The Amount of time an IP address spent browsing a URL report provides a graphical representation of the data.

Note: An IP address does not necessarily denote a particular user, as multiple users can use the same device depending on the setup.

To run the report for a specific IP address and URL, click the Advanced >> button and enter the IP address and URL in the Client IP and URL text boxes. Enter the required date range and click Run report.

Amount of time an IP address spent browsing sites in a category

The Amount of time an IP address spent browsing sites in a category report provides a graphical representation of the data.

Note: An IP address does not necessarily denote a particular user, as multiple users can use the same device depending on the setup.

To run the report for a specific IP address and category, click the Advanced >> button and enter the IP address and category in the Client IP and Category text boxes. Enter the required date range and click Run report.

Application Bandwidth Statistics

The Application Bandwidth Statistics report provides details of the bandwidth used by application groups, including:
- Measurements of the incoming and outgoing bandwidth.
- Measurements of the bandwidth used by individual IP addresses.
- Measurements of the bandwidth used by individual applications.
- Measurements of bandwidth across external interfaces and/or bridges.
- Drill down through the report from application bandwidth into IP address bandwidth, and vice versa.
- Application classification into groups, and bandwidth measurements of these groups. For a detailed description of each application grouping, see Appendix B: Application Groups on page 181.

Note: A Layer 7 licence (deep packet inspection) is required to run this report fully. Without this licence, limited information is displayed. For more information about obtaining a Layer 7 licence, refer to your Smoothwall representative.

To run the report for a specific traffic direction and interface, click the Advanced >> button and choose the traffic direction from the Data flow direction to highlight drop-down list, and interface from the Interface drop-down list. Enter the required date range and click Run report.

About the Generated Report

The generated Application Bandwidth Statistics report is broken down into the following sections:
- Traffic statistics: Shows the incoming and outgoing bandwidth as a graph, over the specified date range, for example:
- Top 5 IP addresses over time: Shows the bandwidth used, as a graph, for each of the top five IP addresses. Incoming or outgoing data is shown, dependent on the traffic direction chosen when running the report.
- Top 5 application groups over time: Shows the bandwidth used, as a graph, for each of the top five application groups. Incoming or outgoing data is shown, dependent on the traffic direction chosen when running the report.

You can also drill down through the graphs to show a further break down of either the IP addresses that accessed the application groups, or the application groups accessed by the IP address. The following example is a break down of the File Transfer application group from the image above:

Note that as you drill down through the report, the Traffic statistics graph is always displayed at the top.

Authentication Cache

The Authentication Cache report displays a list of users, and their state within the cache, during a specific date range.

To run the report, enter the required date range and click Run report.

Bandwidth usage by a specific user

The Bandwidth usage by a specific user report provides a graphical representation of the data. You can click on the username to use drill down reports.

To run the report for a specific user, click the Advanced >> button and enter the username in the Username box. Enter the required date range and click Run report.

Complete IP address audit trail

The Complete IP address audit trail report provides statistical information of all activity, including web browsing and IM activity, for a specific IP address.

To run the report for a specific IP address, click the Advanced >> button and enter the IP address in the Client IP box. Enter the required date range and click Run report.

Complete user audit trail

The Complete user audit trail report provides statistical information of all activity, including web browsing and IM activity, from a specific user.

To run the report for a specific user, click the Advanced >> button and enter the username in the Username box. Enter the required date range and click Run report.

Connection details and traffic statistics

The Connection details and traffic statistics report provides statistical information for inbound and outbound traffic on each interface. Information is split into the following tables:
- Interface and host bandwidth usage
- Per IP address statistics

To run the report, enter the required date range and click Run report.

Control page template

The Control page template is used on the control page. This displays control information about your Smoothwall System installation, including:
- Smoothwall System updates
- Tip of the day
- Support information, such as serial number and license expiry dates.

To run the report, click Run report.

Daily category comparison

The Daily category comparison report lists the top 50 categories accessed today, in descending order, plus their relative position for yesterday.

To run the report, click Run report.

Daily domain comparison

The Daily domain comparison report lists the top 50 domains accessed today, in descending order, plus their relative position for yesterday.

To run the report, click Run report.

Daily user comparison

The Daily user comparison report lists the top 50 users today, in descending order, plus their relative position for yesterday.

To run the report, click Run report.

Disk information

The Disk information report displays the status of the hard drive in your Advanced Firewall, including:

- Disk information
- Processor information
- Memory information
- Disk space information (Hard Disk Drive Info), including how much space is taken by the system installation, and log files.

To run the report, enter the required date range and click Run report.

Estimated cost of Spam and Malware

The Estimated cost of Spam and Malware report provides the estimated return on investment of dealing with the quantity of spam and malware before it was rejected. The top originating recipients and domains are also listed.

To run the report, enter the required date range and click Run report.

Executive summary of activity of a specific IP address

The Executive summary of activity of a specific IP address report provides a graphical representation of the following activity from a specified IP address:

- The number of hits per day
- The number of hits per hour
- The total browsing time
- The top search terms, or phrases, used by the IP address
- The categories browsed

Note: An IP address does not necessarily denote a particular user, as multiple users can use the same device depending on the setup.

To run the report for a specific IP address, click the Advanced >> button and enter the IP address in the Client IP text box. Enter the required date range and click Run report.

Executive summary of activity of a specific user

The Executive summary for a user report provides a graphical representation of the following activity from a specified username:

- The number of hits per day
- The number of hits per hour
- The total browsing time
- The top search terms, or phrases, used by the user
- The categories browsed

To run the report for a specific user, click the Advanced >> button and enter their username in the Username text box. Enter the required date range and click Run report.

Executive summary of all group activity

The Executive summary for all group activity report scans all group activity, and provides a graphical representation of the number of hits from the top ten most active groups. The categories browsed by each group are also listed.

To run the report, enter the required date range and click Run report.

Firewall activity

The Firewall activity report displays important firewall activity, broken into:

- Statistics for the firewall (main)
- An outgoing audit (auditoutput)
- Port-forwarding activity (portfw)
- srule
- srulestealth

To run the report, enter the required date range and click Run report.

Incoming summary incl last 24 hours

The Incoming summary incl last 24 hours report provides a graphical representation of the number of emails received, the classification of those emails, and the bandwidth used per day. Email classifications are:

- Accepted
- Spam
- Virus

You can choose to run the report against a specific domain, or for all domains.

To run the report for a specific domain, click the Advanced >> button and choose the domain from the Filter by domain drop down list. Enter the required date range and click Run report.

Interfaces and IP addresses

The Interfaces and IP addresses report displays all external, internal, and VPN interfaces, including their connection details and DHCP leases. Information for each interface is grouped into the following tables:

- Network Address Resolution Protocol (ARP) information
- Network routing information

To run the report, enter the required date range and click Run report.

Mailbox activity

The Mailbox activity report provides a list of emails received by active mailboxes but redirected to the anti spam quarantine, and the size of the quarantine, in megabytes. The top ten quarantined users are also displayed, broken down into:

- By messages quarantined
- By messages released
- By message size

To run the report, enter the required date range and click Run report.

Malware Incl last 24 hours

The Malware Incl last 24 hours report provides a graphical representation of the number of times viruses and malware were attempted to be sent. Those received through the anti spam quarantine are also shown. The top viruses detected are also listed.

You can choose to run the report against a specific domain, or for all domains.

To run the report for a specific domain, click the Advanced >> button and choose the domain from the Filter by domain drop down list. Enter the required date range and click Run report.

Outgoing summary incl last 24 hours

The Outgoing summary incl last 24 hours report provides a graphical representation of the number of emails sent, the classification of those emails, and the bandwidth used per day. Email classifications are:

- Accepted
- Spam
- Virus

You can choose to run the report against a specific domain, or for all domains.

To run the report for a specific domain, click the Advanced >> button and choose the domain from the Filter by domain drop down list. Enter the required date range and click Run report.

Portal users logged in status

The Portal users logged in status report displays a list of those users who have access to the user portal, and the current state of their session.

To run the report, enter the required date range and click Run report.

Summary page template

The Summary page template provides the template for the Summary report found under Logs and reports > Reports > Summary. This displays summary information about your Smoothwall System installation, including:

- Alerts
- The running status of system services
- Network ARP table
- Updates for your Smoothwall System
- Tip of the day
- Summary of uptime

- Processor information
- Memory information
- Hard disk drive information
- Interface and host bandwidth usage
- Per IP address statistics
- Network routing table

To run the report, either enter the required date range and click Run report, or click Logs and reports > Reports > Summary.

System information

The System information report displays important information about your Advanced Firewall installation, including:

- Summary of uptime
- The ports that are in use
- System logs for:
  - Authentication service (auth)
  - Kernel (kernel)
  - System logs (smoothwall)
  - SSH (ssh)
- Loaded kernel modules
- Information about any installed Universal Power Supplies (UPS)
- Disk information
- Processor information
- Memory information
- Hard disk drive information
- The running status of system services
- Updates for your Smoothwall System

To run the report, enter the required date range and click Run report.

Time spent browsing for a specific user

The Time spent browsing for a specific user report provides a graphical representation of the data.

To run the report for a specific user, click the Advanced >> button and enter the username in the Username text box. Enter the required date range and click Run report.

Time spent browsing sites in a specific category for a specific user

The Time spent browsing sites in a specific category for a specific user report provides a graphical representation of the data.

To run the report for a specific user and category, click the Advanced >> button and enter the username and category in the Username and Category text boxes. Enter the required date range and click Run report.

Times of day a group browses a specific URL

The Times of day a group browses a specific URL report provides a graphical representation of the data.

To run the report for a specific group and URL, click the Advanced >> button and select the group from the Group drop-down menu. Enter the URL in the URL text box. Enter the required date range and click Run report.

Note: Even though a date range can be entered, the graph only displays data for a 24-hour period. It is recommended you limit your report range to a 24-hour period.

Times of day a user browses a specific URL

The Times of day a user browses a specific URL report provides a graphical representation of the data.

To run the report for a specific user and URL, click the Advanced >> button and enter the username and URL in the Username and URL text boxes. Enter the required date range and click Run report.

Note: Even though a date range can be entered, the graph only displays data for a 24-hour period. It is recommended you limit your report range to a 24-hour period.

Times of day a user browses and the categories browsed

The Times of day a user browses and the categories browsed report provides a graphical representation of the data. The categories they have browsed are displayed in the Per hour table.

To run the report for a specific user, click the Advanced >> button and enter the username in the Username text box. Click Run report.

Note: Even though a date range can be entered, the graph only displays data for a 24-hour period. It is recommended you limit your report range to a 24-hour period.

Times of day an IP address browses a specific URL

The Times of day an IP address browses a specific URL report provides a graphical representation of the data.

Note: An IP address does not necessarily denote a particular user, as multiple users can use the same device depending on the setup.

To run the report for a specific IP address and URL, click the Advanced >> button and enter the IP address and URL in the Client IP and URL text boxes. Enter the required date range and click Run report.

Note: Even though a date range can be entered, the graph only displays data for a 24-hour period. It is recommended you limit your report range to a 24-hour period.

Times of day an IP address browses and the categories browsed

The Times of day an IP address browses and the categories browsed report provides a graphical representation of the data. The categories they have browsed are displayed in the Per hour table.

Note: An IP address does not necessarily denote a particular user, as multiple users can use the same device depending on the setup.

To run the report for a specific IP address, click the Advanced >> button and enter the IP address in the Client IP text box. Click Run report.

Note: Even though a date range can be entered, the graph only displays data for a 24-hour period. It is recommended you limit your report range to a 24-hour period.

Times of day members of a group browses and the categories browsed

The Times of day members of a group browses and the categories browsed report provides a graphical representation of the data. The categories browsed are displayed in the Per hour table.

To run the report for a specific group, click the Advanced >> button and select the group from the Group drop-down menu. Enter the required date range and click Run report.

Note: Even though a date range can be entered, the graph only displays data for a 24-hour period. It is recommended you limit your report range to a 24-hour period.

Top blocked domains by hits

The Top blocked domains by hits report lists the top 20 blocked domains for the specified time period. By clicking a domain, you can use drill down reports to report on that domain specifically. The data is also presented as a graph, and pie chart. For more information about drill down reports, see Using Drill Down Reports on page 68.

To run the report, enter the required date range, and click Run report.

Top blocked users by hits

The Top blocked users by hits report lists the top 20 blocked users for the specified time period. By clicking a username, you can use drill down reports to report on that username specifically. The data is also presented as a graph. For more information about drill down reports, see Using Drill Down Reports on page 68.

To run the report, enter the required date range, and click Run report.

Top categories by hits and bandwidth

The Top categories by hits and bandwidth report provides a graphical representation of the top 20 most frequently accessed categories. The top 20 categories are also listed according to the amount of bandwidth used. By clicking a category, you can use drill down reports to report on that category specifically. For more information about drill down reports, see Using Drill Down Reports on page 68.

To run the report, enter the required date range and click Run report.

Top categories by hits and bandwidth - with options

The Top categories by hits and bandwidth - with options report is exactly the same as the Top categories by hits and bandwidth report, except that you can customize the report for your own operational needs. Available options are:

- Display top: Change the number of categories to display. Valid values are: 10, 20, 50, 100, 200, or 500
- Client IP: Enter a valid IP address to only report on the top categories browsed from that address
- Group: From the drop down list, choose a group to only report on the top categories browsed from that group
- Username: Enter a valid username to only report on the top categories browsed by that username
- URL: Enter a URL to only report on the top categories that the URL belongs to
- Denied: Select this option to only report on the top categories where browsing was blocked due to URL, or search term or phrase, filtering
- Denied POST: Select this option to only report on the top categories where a message, or similar, upload was blocked due to banned words or phrases

To run the report, click the Advanced >> button, and configure the relevant options. Enter the required date range and click Run report.

Top client IPs by hits and bandwidth

The Top client IPs by hits and bandwidth report provides a graphical representation of the top 20 busiest IP addresses. The top 20 IP addresses are also listed according to the amount of bandwidth used. By clicking an IP address, you can use drill down reports to report on that IP address specifically. For more information about drill down reports, see Using Drill Down Reports on page 68.

To run the report, enter the required date range and click Run report.

Top client IPs by hits and bandwidth - with options

The Top client IPs by hits and bandwidth - with options report is exactly the same as the Top client IPs by hits and bandwidth report, except that you can customize the report for your own operational needs. Available options are:

- Display top: Change the number of client IP addresses to display. Valid values are: 10, 20, 50, 100, 200, or 500
- Category: Enter a category to only report on those IP addresses that have browsed domains in that category

- Group: From the drop down list, choose a group to only report on those IP addresses belonging to that group
- Exclude adverts: Select this option to ignore hits and bandwidth used by adverts received
- URL: Enter a URL to only report on those IP addresses that have visited the URL
- Denied: Select this option to only report on the top IP addresses where browsing was blocked due to URL, or search term or phrase, filtering
- Denied POST: Select this option to only report on the top IP addresses where a message, or similar, upload was blocked due to banned words or phrases

To run the report, click the Advanced >> button, and configure the relevant options. Enter the required date range and click Run report.

Top domains by hits and bandwidth

The Top domains by hits and bandwidth report provides a graphical representation of the top 20 most requested domains. The top 20 domains are also listed according to the amount of bandwidth used. By clicking a domain, you can use drill down reports to report on that domain specifically. For more information about drill down reports, see Using Drill Down Reports on page 68.

To run the report, enter the required date range and click Run report.

Top domains by hits and bandwidth - with options

The Top domains by hits and bandwidth - with options report is exactly the same as the Top domains by hits and bandwidth report, except that you can customize the report for your own operational needs. Available options are:

- Display top: Change the number of domains to display. Valid values are: 10, 20, 50, 100, 200, or 500
- Category: Enter a category to only report on those domains in that category
- Client IP: Enter a valid IP address to only report on those domains requested by the IP address
- Group: From the drop down list, choose a group to only report on those domains visited by that group
- Username: Enter a valid username to only report on those domains visited by that user
- Exclude adverts: Select this option to ignore hits and bandwidth used by adverts received
- Denied: Select this option to only report on the top IP addresses where browsing was blocked due to URL, or search term or phrase, filtering
- Denied POST: Select this option to only report on the top IP addresses where a message, or similar, upload was blocked due to banned words or phrases

To run the report, click the Advanced >> button, and configure the relevant options. Enter the required date range and click Run report.

Top search terms

The Top search terms report lists the top 20 most frequently searched for terms or phrases.

To run the report, enter the required date range and click Run report.

Top search terms and the searches they were used in for a specific user

The Top search terms and the searches they were used in for a specific user report lists the top 50 search terms or phrases, excluding common words, used by a specific user. The searches the terms were used in are also shown.

To run the report for a specific user, click the Advanced >> button and enter the username in the Username text box. Enter the required date range and click Run report.

Top users by hits and bandwidth

The Top users by hits and bandwidth report provides a graphical representation of the top 20 most active users by individual web page visits. The top 20 users are also listed according to the amount of bandwidth used. By clicking a username, you can use drill down reports to report on that domain specifically. For more information about drill down reports, see Using Drill Down Reports on page 68.

To run the report, enter the required date range and click Run report.

Top users by hits and bandwidth - with options

The Top users by hits and bandwidth - with options report is exactly the same as the Top users by hits and bandwidth report, except that you can customize the report for your own operational needs. Available options are:

- Display top: Change the number of usernames to display. Valid values are: 10, 20, 50, 100, 200, or 500
- Category: Enter a category to only report on those categories visited by the user
- Client IP: Enter a valid IP address to only report on web traffic originating from that IP address. Note that an IP address does not necessarily denote a particular user, as multiple users can use the same device depending on the setup.
- Group: From the drop down list, choose a group to only report on those members of that group
- Exclude adverts: Select this option to ignore hits and bandwidth used by adverts received
- URL: Enter a valid URL to only report on those users that have visited this particular URL
- Denied: Select this option to only report on the top IP addresses where browsing was blocked due to URL, or search term or phrase, filtering

- Denied POST: Select this option to only report on the top IP addresses where a message, or similar, upload was blocked due to banned words or phrases

To run the report, click the Advanced >> button, and configure the relevant options. Enter the required date range and click Run report.

Top users using banned search terms

The Top users using banned search terms report lists the top 20 users who have used banned search terms or phrases.

To run the report, enter the required date range and click Run report.

Updates

The Updates report displays whether updates are needed for your Smoothwall System, and the last time the blocklists were installed or updated.

To run the report, click Run report.

VPN status and history

The VPN status and history report provides statistical, and historical information about the status of configured VPN tunnels. A table for each type of VPN tunnel is available, that is, IPSec, L2TP road warrior, and SSL road warrior.

To run the report, enter the required date range and click Run report.

Web filter statistics

The Web filter statistics report provides statistical information about the performance of the HTTP proxy service, and web content filter, including:

- Web cache graphs
- Web cache statistics
- Median services times for the last five minutes
- Median services times for the last 60 minutes
- The last time the blocklists were installed or updated

To run the report, enter the required date range and click Run report.

Appendix B: Application Groups

This appendix lists the available application groups for Bandwidth, including:

- Standard Application Groups
- Deep Packet Inspection Application Groups

Standard Application Groups

Application groups are classified as follows:

Application Group: Applications
Databases: Microsoft SQL MySQL PostgreSQL
File Transfer: FTP
Infrastructure: DHCP DNS ICMP IGMP Internet printing (IPP) LDAP Microsoft NTP RPC/SMB/CIFS SNMP Sun RPC/NFS
Mail: IMAP POP SMTP
Messaging: IRC
News: NNTP

Proxies: SOCKS proxy Web proxy
Remote Access: Remote Desktop SSH Telnet VNC
Streaming Media: SIP (VoIP)
VPN/Tunneling: IPsec tunneling IPv6 tunneling
Web browsing: HTTP HTTPS (unencrypted)

Deep Packet Inspection Application Groups

If deep packet inspection (DPI) is licensed for Bandwidth, the following additional application groups are also defined:

Application Group: Applications
Collaboration: Citrix Citrix GoToMyPC GoToMeeting Groupwise HL7 Lotus Notes Lync Meeting Maker Microsoft ActiveSync NetMeeting SAP SharePoint WebEx
Databases: BLIDM CLDAP dBase INGRES-NET LDAP MaxDB Mini SQL MS SQL Oracle RIS SVN Sybase SQL TDS

File Transfer: ACR-NEMA AFP Akamai Netsession Apple Update AppleJuice Ares Astraweb auditd AVG Avira BitDefender BitTorrent BITS BlazeFS CFDPTKT CIFS Clubbox Commvault DirectConnect Dropbox eDonkey Eset FASP F-Prot Freenet Giganews Gnutella GPFS Google Talk File Transfer HiveStor iCloud iMesh Kaspersky Manolito McAfee MC-FTP McIDAS MUTE-net NateOn File NFA NFS NNTP NovaBACKUP OFTP OFTPS Paltalk File Transfer Panda Pando PDbox PDbox P2P PFTP Qik Upload SBNTBCST SFTP Share P2P Shareman Skype File Transfer SuperNews TFTP Usenet Vegaa WebDAV WinMX Winny Windows Update Xunlei Yahoo Msg File Transfer ZanNet
Games: Battle.net Quake Live Steam XBox
Mail: Exchange gmail InfoStore Microsoft Mail API Microsoft Mail Transfer Agent Microsoft RFR MS IMAP NI Mail PCMAIL POP2 POP3 Store Admin SMTP System Attendant

Messaging: 050Plus Aliwangwan AIM APNS BaiduHi C2DM CISCOUC CISUCAUD CISUCVID DeNA Comm eBuddy eBuddy XMS Fring Google Hangouts Google Helpouts Google Talk iCall ICQ ISCHAT Kakao Kakao Audio LINE Line2 Meebo MMS MSMQ MSNP NateOn NateOn Phone Nokia Message OSCAR Paltalk Pinger QQ Skype Video Skype Voice Snapchat Tango Viber WeChat XMPP YiXin Yahoo Messenger

Networking: Active Directory Apple ARP Apple AppleShare AppleTalk BGMP BGP BJNP Cableport AX Cisco DRP Cisco FNATIVE Cisco GDP Cisco SYSMAINT Cisco TNATIVE Clearcase DASP DCAP DCCP DCE/RPC DHCP DHCPv6 Diameter DNS FIX GPRS Tunneling Protocol Control GPRS Tunneling Protocol Prime GPRS Tunneling Protocol User FINTA HDAP HTTP Ident IGMP ISAKMP Java RMI Kerberos LLMNR MDNS MFTP Microsoft Spooler Subsystem MobileIP MortgageWare MUMPS NDS Auth Netware NSS NSSTP NetBIOS Datagram Distribution Service NetBIOS Name Service NetBIOS Session Service NTP OCS OCSP ODMR OSPF PIM PKIX Timestamp PPP Discovery PPP Session Printer PTP RADIUS RADIUS-ACCT RAP RPC2PMAP RSVP Rsync SCCM SCCP SCTP SEND SSDP SSL STUN Sun RPC SVRLOC TACACS Teredo Timbuktu WCCP WebSocket Whois Wyse TCX XNS

Network Monitoring: Chargen Daytime Discard Echo Finger ICMP ICMPv6 Naverisk SMUX SNMP Syslog Systat Tivoli Tripwire UMA Zabbix
Proxies: Avocent Freegate Hopster Jondo Privax SOCKS Tor Ultrasurf
Remote Access: Citrix CGP Citrix ICA Citrix IMA Citrix Licensing Citrix RTMPL Citrix SLG Citrix WANScaler ERPC GOM Remote HP VMM KWDB LogMeIn PCoIP RDP SCCM Remote Control ShowMyPC Sophos RED TeamViewer

Streaming Media: Adobe Flash FaceTime Fring A/V Google Talk Audio Google Talk Video Google Video H.225 H.245 H.248 H.323 Hulu Instagram Video iTunes Kugou Lync Audio Lync Media Lync Video MagicJack Nate Video NetFlix Paltalk Video Paltalk Voice Pandora PPTV QIK QIK Chat QIK Video QuickTime RTCP RTMP RTP RTSP RTSPS SHOUTcast Silverlight Sina Video SIP Skype Sopcast Spotify Secure RTCP SRTP SRTP Audio SRTP Video T-Mobile UltraViolet Vonage WhatsApp Windows Media Yahoo Messenger Audio Yahoo Messenger Video
VPN/Tunneling: AH CyberGhost DynGate ESP GRE Hamachi Hotspot Shield IPComp IPIP IPsec L2TP OpenVPN PPTP RSVP Tunnel SecurityKISS VPNReactor


Glossary

Numeric

2-factor authentication: The password to a token used with the token. In other words: 2-factor authentication is something you know, used together with something you have. Access is only granted when you use the two together.
3DES: A triple strength version of the DES cryptographic standard, usually using a 168-bit key.

A

Acceptable Use Policy: See AUP
Access control: The process of preventing unauthorized access to computers, programs, processes, or systems.
Active Directory: Microsoft directory service for organizations. It contains information about organizational units, users and computers.
ActiveX*: A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.
AES: Advanced Encryption Standard. A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.
AH: Authentication Header. Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.
Algorithm: In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.

Alias (or External Alias): In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.
ARP: Address Resolution Protocol. A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache: Used by ARP to maintain the correlation between IP addresses and MAC addresses.
AUP: Acceptable Use Policy. An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization's email and Internet systems. The policy explains the organization's position on how its users should conduct communication within and outside of the organization both for business and personal use.
Authentication: The process of verifying identity or authorization.

B

Bandwidth: Bandwidth is the rate that data can be carried from one point to another. Measured in Bps (Bytes per second) or Kbps.
BIN: A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow: An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.

C

CA: Certificate Authority. A trusted network entity, responsible for issuing and managing x509 digital certificates.
Certificate: A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.
Cipher: A cryptographic algorithm.
Ciphertext: Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plain text using a cryptographic algorithm.
Client: Any computer or program connecting to, or requesting the services of, another computer or program.
Cracker: A malicious hacker.
Cross-Over Cable: A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.
Cryptography: The study and use of methods designed to make information unintelligible.

D

Default Gateway: The gateway in a network that will be used to access another network if a gateway is not specified for use.
Denial of Service: Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt while it attempts to respond to each request.
DER: Distinguished Encoding Rules. A certificate format typically used by Windows operating systems.
DES: Data Encryption Standard. A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST.
DHCP: Dynamic Host Control Protocol. A protocol for automatically assigning IP addresses to hosts joining a network.
Dial-Up: A telephone based, non-permanent network connection, established using a modem.
DMZ: Demilitarized Zone. An additional separate subnet, isolated as much as possible from protected networks.
DNS: Domain Name Service. A name resolution service that translates a domain name to an IP address and vice versa.
Domain Controller: A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.
Dynamic IP: A non-permanent IP address automatically assigned to a host by a DHCP server.
Dynamic token: A device which generates one-time passwords based on a challenge/response procedure.

E

Egress filtering: The control of traffic leaving your network.
Encryption: The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt (undoes the encryption) it.
ESP: Encapsulating Security Payload. A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.
Exchange Server: A Microsoft messaging system including mail server, client and groupware applications (such as shared calendars).
Exploit: A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.

F

Filter: A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.
FIPS: Federal Information Processing Standards. See NIST.
Firewall: A combination of hardware and software used to prevent access to private network resources.

G

Gateway: A network point that acts as an entrance to another network.

H

Hacker: A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.
Host: A computer connected to a network.
Hostname: A name used to identify a network host.
HTTP: Hypertext Transfer Protocol. The set of rules for transferring files on the World Wide Web.
HTTPS: A secure version of HTTP using SSL.
Hub: A simple network device for connecting networks and network hosts.

I

ICMP: Internet Control Message Protocol. One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
IDS: Intrusion Detection System
IP: Internet Protocol
IPS: Intrusion Prevention System
IP Address: A 32-bit number that identifies each sender and receiver of network data.
IPtables: The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.

IPSec: Internet Protocol Security. An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).
IPSec Passthrough: A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.
ISP: An Internet Service Provider provides Internet connectivity.

K

Key: A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.
Kernel: The core part of an operating system that provides services to all other parts of the operating system.
Key space: The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.

L

L2F: Layer 2 Forwarding. A VPN system, developed by Cisco Systems.
L2TP: Layer 2 Transport Protocol. A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.
LAN: Local Area Network. A network between hosts in a similar, localized geography.
Leased Lines: Or private circuits. A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.
Lockout: A method to stop an unauthorized attempt to gain access to a computer. For example, a three try limit when entering a password. After three attempts, the system locks out the user.

M

MAC Address: Media Access Control. An address which is the unique hardware identifier of a NIC.
MX Record: Mail exchange. An entry in a domain name database that specifies an server to handle a domain name's

N

NAT-T: Network Address Translation Traversal. A VPN Gateway feature that circumvents IPSec NAT-ing problems. It is a more effective solution than IPSec Passthrough.
NIC: Network Interface Card.
NIST: National Institute of Standards and Technology. NIST produces security and cryptography related standards and publishes them as FIPS documents.
NTP: Network Time Protocol. A protocol for synchronizing a computer's system clock by querying NTP Servers.

O

OU: An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.

P

Password: A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.
PEM: Privacy Enhanced Mail. A popular certificate format.
Perfect Forward Secrecy: A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised.
PFS: See Perfect Forward Secrecy.
Phase 1: Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.
Phase 2: Phase 2 of 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up.
Ping: A program used to verify that a specific IP address can be seen from another.
PKCS#12: Public Key Cryptography Standards # 12. A portable container file format for transporting certificates and private keys.
PKI: Public Key Infrastructure. A framework that provides for trusted third party vetting of, and vouching for, user identities; and binding of public keys to users. The public keys are typically in certificates.
Plaintext: Data that has not been encrypted, or ciphertext that has been decrypted.

Policy: Contains content filters and, optionally time settings and authentication requirements, to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization.
Port: A service connection point on a computer system numerically identified between 0 and Port 80 is the HTTP port.
Port Forward: A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.
PPP: Point-to-Point Protocol. Used to communicate between two computers via a serial interface.
PPTP: Peer-to-Peer Tunnelling Protocol. A widely used Microsoft tunnelling standard deemed to be relatively insecure.
Private Circuits: See Leased Lines.
Private Key: A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key.
Protocol: A formal specification of a means of computer communication.
Proxy: An intermediary server that mediates access to a service.
PSK: Pre-Shared Key. An authentication mechanism that uses a password exchange and matching process to determine authenticity.
Public Key: A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner.
PuTTY: A free Windows / SSH client.

Q

QOS: Quality of Service. In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.

R

RAS: Remote Access Server. A server which can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by VPNs.

RIP: Routing Information Protocol. A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.
Road Warrior: An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization's network via a laptop. Usually has a dynamic IP address.
Route: A path from one network point to another.
Routing Table: A table used to provide directions to other networks and hosts.
Rules: In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.

S

Security policy: A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights and define what behavior is and is not permitted, by whom and under what circumstances.
Server: In general, a computer that provides shared resources to network users.
SIP: Session Initiation Protocol. A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.
Single Sign-On: (SSO) The ability to log-in to multiple computers or servers in a single action by entering a single password.
Site-To-Site: A network connection between two LANs, typically between two business sites. Usually uses a static IP address.
Smart card: A device which contains the credentials for authentication to any device that is smart card-enabled.
Spam: Junk , usually unsolicited.
SQL Injection: A type of exploit whereby hackers are able to execute SQL statements via an Internet browser.
Squid: A high performance proxy caching server for web clients.
SSH: Secure Shell. A command line interface used to securely access a remote computer.
SSL: A cryptographic protocol which provides secure communications on the Internet.
SSL VPN: A VPN accessed via HTTPS from any browser (theoretically). VPNs require minimal client configuration.
Strong encryption: A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.

Subnet: An identifiably separate part of an organization's network.
Switch: An intelligent cable junction device that links networks and network hosts together.
Syslog: A server used by other hosts to remotely record logging information.

T

Triple DES (3-DES) Encryption: A method of data encryption which uses three encryption keys and runs DES three times. Triple-DES is substantially stronger than DES.
Tunneling: The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

U

User name / user ID: A unique name by which each user is known to the system.

V

VPN: Virtual Private Network. A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.
VPN Gateway: An endpoint used to establish, manage and control VPN connections.

X

X509: An authentication method that uses the exchange of CA issued certificates to guarantee authenticity.



More information

Installing and Using the vnios Trial

Installing and Using the vnios Trial Installing and Using the vnios Trial The vnios Trial is a software package designed for efficient evaluation of the Infoblox vnios appliance platform. Providing the complete suite of DNS, DHCP and IPAM

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

Kerio Control. Administrator s Guide. Kerio Technologies

Kerio Control. Administrator s Guide. Kerio Technologies Kerio Control Administrator s Guide Kerio Technologies 2015 Kerio Technologies s.r.o. Contents Installing Kerio Control....................................................... 17 Product editions.........................................................

More information

WHM Administrator s Guide

WHM Administrator s Guide Fasthosts Customer Support WHM Administrator s Guide This manual covers everything you need to know in order to get started with WHM and perform day to day administrative tasks. Contents Introduction...

More information

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry

More information

Unified Threat Management

Unified Threat Management Unified Threat Management QUICK START GUIDE CR35iNG Appliance Document Version: PL QSG 35iNG/96000-10.04.5.0.007/250121014 DEFAULTS Default IP addresses Ethernet Port IP Address Zone A 172.16.16.16/255.255.255.0

More information

Secure Web Gateway Version 11.0 User Guide

Secure Web Gateway Version 11.0 User Guide Secure Web Gateway Version 11.0 User Guide Legal Notice Copyright 2013 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying,

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client Astaro Security Gateway V8 Remote Access via L2TP over IPSec Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If

More information

V310 Support Note Version 1.0 November, 2011

V310 Support Note Version 1.0 November, 2011 1 V310 Support Note Version 1.0 November, 2011 2 Index How to Register V310 to Your SIP server... 3 Register Your V310 through Auto-Provision... 4 Phone Book and Firmware Upgrade... 5 Auto Upgrade... 6

More information

Hosted Email Security Quick Start Guide

Hosted Email Security Quick Start Guide Hosted Email Security Quick Start Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK Barracuda Networks Technical Documentation Barracuda SSL VPN Administrator s Guide Version 2.x RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks, Inc. www.barracuda.com v20-110511w-02-110915jc

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Chapter 6 Using Network Monitoring Tools

Chapter 6 Using Network Monitoring Tools Chapter 6 Using Network Monitoring Tools This chapter describes how to use the maintenance features of your Wireless-G Router Model WGR614v9. You can access these features by selecting the items under

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.2 November 2015 Last modified: November 3, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing

More information

How To Set Up An Ipa Ez On A Pc Or Mac Or Macbook Or Ipa Or Ipamorade

How To Set Up An Ipa Ez On A Pc Or Mac Or Macbook Or Ipa Or Ipamorade Iomega EZ Media and Backup Center User Guide Table of Contents Setting up Your Device... 1 Setup Overview... 1 Set up My Iomega StorCenter If It's Not Discovered... 2 Discovering with Iomega Storage Manager...

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: [email protected]

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Manual Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: [email protected] Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

D-Link Central WiFiManager Configuration Guide

D-Link Central WiFiManager Configuration Guide Table of Contents D-Link Central WiFiManager Configuration Guide Introduction... 3 System Requirements... 3 Access Point Requirement... 3 Latest CWM Modules... 3 Scenario 1 - Basic Setup... 4 1.1. Install

More information

Barracuda SSL VPN Administrator s Guide

Barracuda SSL VPN Administrator s Guide Barracuda SSL VPN Administrator s Guide Version 1.5.x Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2004-2009, Barracuda Networks,

More information

SOA Software API Gateway Appliance 7.1.x Administration Guide

SOA Software API Gateway Appliance 7.1.x Administration Guide SOA Software API Gateway Appliance 7.1.x Administration Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software, Inc. Other product names,

More information

SSL-VPN 200 Getting Started Guide

SSL-VPN 200 Getting Started Guide Secure Remote Access Solutions APPLIANCES SonicWALL SSL-VPN Series SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide Thank you for your purchase of the SonicWALL SSL-VPN

More information

Trend Micro Email Encryption Gateway 5

Trend Micro Email Encryption Gateway 5 Trend Micro Email Encryption Gateway 5 Secured by Private Post Quick Installation Guide m Messaging Security Trend Micro Incorporated reserves the right to make changes to this document and to the products

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc.

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc. nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances The information contained in this document represents the current view of Microsoft Corporation on the issues discussed

More information

v6.1 Websense Enterprise Reporting Administrator s Guide

v6.1 Websense Enterprise Reporting Administrator s Guide v6.1 Websense Enterprise Reporting Administrator s Guide Websense Enterprise Reporting Administrator s Guide 1996 2005, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121,

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Innominate mguard Version 6

Innominate mguard Version 6 Innominate mguard Version 6 Configuration Examples mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str. 14 12489

More information

NETASQ MIGRATING FROM V8 TO V9

NETASQ MIGRATING FROM V8 TO V9 UTM Firewall version 9 NETASQ MIGRATING FROM V8 TO V9 Document version: 1.1 Reference: naentno_migration-v8-to-v9 INTRODUCTION 3 Upgrading on a production site... 3 Compatibility... 3 Requirements... 4

More information

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Hosting more than one FortiOS instance on. VLANs. 1. Network topology Hosting more than one FortiOS instance on a single FortiGate unit using VDOMs and VLANs 1. Network topology Use Virtual domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap ( WHITEPAPER BackupAssist Version 5.1 www.backupassist.com Cortex I.T. Labs 2001-2008 2 Contents Introduction... 3 Hardware Setup Instructions... 3 QNAP TS-409... 3 Netgear ReadyNas NV+... 5 Drobo rev1...

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.0 July 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing Disaster Recovery Version 7.0 July

More information

ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0

ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA 95134 USA. November 2010 202-10727-01 v1.0 ReadyNAS Replicate Software Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA November 2010 202-10727-01 v1.0 2010 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides

More information

NEFSIS DEDICATED SERVER

NEFSIS DEDICATED SERVER NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

More information

Steps for Basic Configuration

Steps for Basic Configuration 1. This guide describes how to use the Unified Threat Management appliance (UTM) Basic Setup Wizard to configure the UTM for connection to your network. It also describes how to register the UTM with NETGEAR.

More information