manualshive.com logo in svg

McAfee SG310, Administration Manual

The McAfee SG310 Administration Manual is your go-to resource for setting up and configuring your security appliance. This comprehensive manual covers everything from installation to troubleshooting. Download the manual for free from our website and get the most out of your SG310 device.

Share
Download
background image

288

McAfee UTM Firewall 4.0.4 Administration Guide

VPN menu features
IPsec example

Step 2: Complete the Tunnel settings page

1

Enter a description of the tunnel in the Tunnel name field. The name must not contain spaces or start 
or end with a number. In this example, enter: Branch_Office.

2

Leave the Enable this tunnel checkbox selected.

3

Select the Internet interface the IPSec tunnel is to go out on. In this example, select default gateway 
interface option.

4

Select the type of keying for the tunnel to use. In this example, select the Aggressive mode (IKE) 
option.

5

Select the type of IPSec endpoint this UTM Firewall appliance has. In this example, select the static IP 
address option in the Local address list.

6

Select the type of IPSec endpoint the remote party has. In this example, select the dynamic IP address 
option in the Remote address list.

7

Click Next to configure the Local Endpoint Settings.

Step 3: Local endpoint settings page

1

Leave the Optional Endpoint ID field blank in this example. It is optional because this UTM Firewall 
appliance has a static IP address. If the remote party is a UTM Firewall appliance and an Endpoint ID is 
used, it must have the form abcd@efgh. If the remote party is not a UTM Firewall appliance, refer to the 
interoperability documents in the KnowledgeBase (

mysupport.mcafee.com

)to determine what form it 

must take.

2

Leave the Enable IP Payload Compression checkbox unselected.

3

Leave the Enable Phase 1 & 2 rekeying to be initiated from my end checkbox selected.

4

Click Next to configure the Remote Endpoint Settings.

Step 4: Remote endpoint settings page

1

Enter the Required Endpoint ID of the remote party. In this example, enter the Local Endpoint ID at 
the Branch Office which was: branch@office.

2

Click Next to configure the Phase 1 Settings.

Step 5: Phase 1 settings page

1

Set the length of time before Phase 1 is renegotiated in the Key lifetime field. In this example, leave the 
Key Lifetime as the default value of 3600 minutes.

2

Set the time for when the new key is negotiated before the current key expires in the Rekeymargin field. 
In this example, leave the Rekeymargin as the default value of 600 seconds.

3

Set the maximum percentage by which the Rekeymargin should be randomly increased to randomize 
rekeying intervals in the Rekeyfuzz field. The Key lifetimes for both Phase 1 and Phase 2 are dependent 
on these values and must be greater that the value of “Rekeymargin x (100 + Rekeyfuzz) / 100.” 
In this example, leave the Rekeyfuzz as the default value of 100%.

4

Enter a secret in the Preshared Secret field. This must remain confidential. In this example, enter the 
Preshared Secret used at the branch office UTM Firewall appliance, which was: This secret must be 
kept confidential.

5

Select a Phase 1 Proposal. In this example, select the 3DES-SHA-Diffie Hellman Group 2 (1024 
bit) option (same as the Branch Office Phase 1 Proposal).

6

Click Next to configure the Phase 2 Settings.

Summary of Contents for SG310

Page 1: ...McAfee UTM Firewall Administration Guide version 4 0 4...

Page 2: ...d or other countries McAfee Red in connection with security is distinctive of McAfee brand products All other registered and unregistered trademarks herein are the sole property of their respective ow...

Page 3: ...21 Technical Support page 21 Technical Support Report page 22 2 Getting Started 23 Overview 23 Powering on the device 23 Connecting an administrative PC to the device 24 Setting password and LAN conn...

Page 4: ...ault high availability script 77 Enabling high availability 78 Configuring high availability 78 DMZ network 80 Configuring a DMZ connection 80 Services on the DMZ network 81 Guest network 82 Configuri...

Page 5: ...s 149 Controlling packet traffic 149 Firewall overview 151 Definitions 152 Service Groups page 152 Addresses page 155 Interfaces page 157 Packet filtering 159 Packet filtering actions 160 Packet Filte...

Page 6: ...Virus scanning Web traffic 231 Enabling FTP virus scanning 231 Antispam TrustedSource 233 About TrustedSource 233 Enabling TrustedSource 234 5 VPN menu features 239 VPN overview 239 About PPTP 240 PP...

Page 7: ...tunnel server 316 Creating nested port tunnels 318 6 System menu features 319 Status menu 319 Reviewing the general system status 319 Reviewing the status of the unit s connections 320 Reviewing the s...

Page 8: ...e 377 Firmware upgrade best practices and precautions 377 Restoring factory default settings 377 Upgrading firmware using Netflash 378 Troubleshooting Windows Netflash upgrades 378 Recovering from a f...

Page 9: ...or your specific needs Features may be enabled in screen captures to make them clear however not all features are appropriate or desirable for your setup Table 1 Conventions Convention Description Cou...

Page 10: ...10 McAfee UTM Firewall 4 0 4 Administration Guide...

Page 11: ...sonal Computer that the appliance is plugged into most network resources are freely accessible However any services that the PC provides such as file shares or Web services such as IIS are not accessi...

Page 12: ...f H B does not begin flashing shortly after power is supplied refer to Recovering from a failed upgrade Table 1 SG310 LED descriptions Label Activity Description Power On steady Power is supplied to t...

Page 13: ...ower adaptor voltage current depends on individual model Front panel operating status LEDs Power H B Operating temperature between 0 C and 40 C Storage temperature between 20 C and 70 C Humidity betwe...

Page 14: ...tains two 10 100 1000 GbE Gigabit Ethernet ports A and B three 10 100BaseT FE Fast Ethernet ports C D and E a serial port that can be connected to an analog ISDN modem or terminal for serial console a...

Page 15: ...threats as well as conventional Internet security concerns You can update configure and monitor the firewall and VPN connectivity of a workstation or server from any Web browser In the event of a bre...

Page 16: ...ere you can view the current system status of your UTM Firewall appliance You can also view the status of the UTM Firewall connections and the services that are running on it by selecting one of the o...

Page 17: ...ory with the styles you prefer UTM Firewall menus To navigate the UTM Firewall interface click a menu option on the left side of the screen The available menu options depend on the particular UTM Fire...

Page 18: ...and Custom IPv6 Firewall Rules tabs See Packet filtering NAT Opens NAT pages for Port Forwarding Source NAT 1 to 1 NAT Masquerading and UPnP Gateway See NAT Connection Tracking Opens the Connection Tr...

Page 19: ...em the unit s connections and the unit s services See Status menu System Setup Opens the Device Settings Security Policy Memory Allocation and Date and Time configuration pages See System Setup Menu B...

Page 20: ...e 9 associated with the item you want to edit Figure 9 Edit icon You can click the delete icon Figure 10 associated with the item you want to delete Figure 10 Delete icon Add above and below icons Cer...

Page 21: ...ears Figure 13 Figure 13 Online Help Search page To access context sensitive help for the page your are currently viewing click the help icon in the upper right corner of the page Help describes each...

Page 22: ...always include the technical support report with your support request Without this report the technical support staff are unlikely to have enough information to assist you Security Alert To maintain y...

Page 23: ...on the device 2 Connecting an administrative PC to the device 3 Configuring the UTM Firewall switch 4 Confirming settings 5 Setting up the PCs on your LAN 6 Registering your UTM Firewall Note These p...

Page 24: ...wall Management Console does not automatically appear perhaps because you have no home page established on your browser navigate to 192 168 0 1 If you are unable to browse to the UTM Firewall device a...

Page 25: ...model number Click Next The LAN dialog appears Figure 18 Figure 18 Quick Setup Wizard LAN dialog 4 Select an option for your LAN configuration Recommended To manually configure your LAN and optionall...

Page 26: ...ess and Subnet Mask for the UTM Firewall s LAN connection Take note of the IP address and subnet mask you will need them later on To enable the UTM Firewall s built in DHCP server enter both the start...

Page 27: ...ecting with a cable modem for configuration details If you selected Modem see Configuring a dialout connection on the COM port for configuration details If you selected ADSL see ADSL for configuration...

Page 28: ...ixed IP to manually configure the Internet address using static parameters 9 Click Next If you chose Use an IP address obtained from a server on the Internet DHCP and you are setting up an SG310 the F...

Page 29: ...itch The switch dialog displays if you are setting up the SG560 SG 560U SG565 or SG580 If you are setting up a different model skip to Selecting an initial firewall level By default the UTM Firewall s...

Page 30: ...lock Everything Blocks all traffic that is not expressly allowed by a packet filtering rule Ultra VPN access Allows VPN Dialin and LAN traffic to move through the firewall Denies all Internet traffic...

Page 31: ...and or your LAN hub directly to switch A If you are setting up the SG560 SG560U SG565 or SG580 and have configured its switch as 1 LAN Port 3 Isolated Ports connect port A1 directly to your LAN hub Ot...

Page 32: ...ically 4 Click Obtain DNS server address automatically 5 Click OK Automatic LAN configuration using an existing DHCP server If you chose the Obtain LAN IP address from a DHCP server on LAN option we s...

Page 33: ...lick OK Repeat for each PC on your network Quick setup is now complete Quick setup is all you need to do to get basic network connectivity to the Internet Network devices on the LAN should now be able...

Page 34: ...You can access the site by either clicking one of the registration site links in the Quick Setup Wizard or on the Help and Support page or by navigating to http my securecomputing com You will be pro...

Page 35: ...Account Request page 2 Enter your E mail address and click Create Account A message indicates a new account request is currently being processed Upon verification a login password is emailed to you O...

Page 36: ...ted Registering your UTM Firewall 1 Log in to the My Secure Computing site at http my securecomputing com The Welcome page appears Figure 30 Figure 30 My Secure Computing Welcome page 2 Click Add Prod...

Page 37: ...d underneath the appliance 4 Indicate the Year and Month for Date of Purchase 5 Click Submit To view a list of all products you have registered click List Products Activating a feature Use this proced...

Page 38: ...ivate Feature page 3 Select your UTM Firewall appliance from the SnapGear Serial Number list 4 Enter the token in the Feature Serial Number token field 5 Click Submit Retrieving license information fo...

Page 39: ...g your UTM Firewall Figure 33 My Secure Computing Product Management License data For those features that require a certificate and private key to activate click the associated View License data butto...

Page 40: ...d Registering your UTM Firewall Figure 34 Product Management License details You can then copy and paste the license key for Web Filtering for instance into the Certificate copy paste page Note Be sur...

Page 41: ...6 SIP Network overview This chapter describes the Network Setup options of the McAfee UTM Firewall Management Console Use the Network Setup options to configure each of your UTM Firewall appliance s E...

Page 42: ...ions as a regular LAN switch with network traffic passing freely between its ports Typically port B is used as your primary Internet connection However switch A s ports can be configured individually...

Page 43: ...changes and click Update You can also make changes in the additional tabs that appear for a connection such as Aliases and IPv6 For more information see Aliases tab and Enabling IPv6 for a connection...

Page 44: ...s a direct IP connection to a network that does not require a modem to be established This is typically a LAN DMZ or Guest connection but it can also be an Internet connection Network settings can be...

Page 45: ...entries in this field 10 Select a classification from the Firewall Class list The Firewall class setting controls the basic allow deny policy for this interface Allowed network traffic is accepted de...

Page 46: ...plex 10 BaseT Auto Duplex 10 BaseT Full Duplex 10 BaseT Half Duplex 100 Base T4 6 Specify the MTU Maximum Transmission Unit for the interface in the MTU field This setting should normally be left at 1...

Page 47: ...n your ISP has assigned you a range of IP addresses to use with your Internet connection or when you have more than one subnet connected to a single network interface Figure 39 Aliases tab For aliases...

Page 48: ...Select the Enable IPv6 checkbox 5 LAN connections only You can enter a site level aggregation value for this connection in the Site Level Aggregation field This field is used to create a site local a...

Page 49: ...connection to your ISP using the following methods Auto detect If you are unsure of your ADSL connection type the UTM Firewall appliance can attempt to Auto detect ADSL connection type The appliance...

Page 50: ...tings for your ADSL Autodetect does not work for PPTP connections 1 From the Network Setup menu click Network Setup On the Connections page select ADSL from the Change Type list The ADSL Connection Me...

Page 51: ...sh By default PPPoE connections are treated as always on and are kept up continuously Alternatively you can choose to only bring the connection up when PCs on the LAN DMZ or Guest network via a VPN tu...

Page 52: ...allocates an address that is used as the actual Internet interface on the UTM Firewall appliance Usually the address supplied by the ISP is different from the local IP address entered here Even if th...

Page 53: ...ADSL DHCP Configuration page appears Figure 44 Figure 44 ADSL DHCP Configuration page 3 Optional Enter a descriptive name in the Connection Name field 4 Enter the host name in the Hostname field 5 Sel...

Page 54: ...Ethernet configuration tab depending on your connection type Aliases and IPv6 See Ethernet Configuration tab VLAN Aliases tab and Enabling IPv6 for a connection Connecting with a cable modem Use this...

Page 55: ...page that appears depends on your provider choice If you chose Generic Cable Modem Provider as shown in Figure 47 enter a name for the connection in the Connection Name field optional and click Finis...

Page 56: ...have the interface firewall class of Internet Caution Do not plug an ISDN connection directly into your UTM Firewall appliance You must first connect a terminal adaptor To connect to an ISDN line the...

Page 57: ...Enter the Access Point Name for the connection You can get this from your ISP d Enter the DNS Server address given to you by your ISP You can enter multiple DNS servers into this field by separating t...

Page 58: ...necessary 1 From the Network Setup menu click Network Setup The Connections tab opens Click the edit icon for the Unconfigured connection The Serial Port Setup page appears Figure 51 Figure 51 Port Se...

Page 59: ...layer of tabs Figure 52 3 Optional To enable dial on demand select the Dial on Demand checkbox 4 In the Idle Time field enter the number of minutes the appliance waits after the connection becomes idl...

Page 60: ...ally Assigned IP Address page appears Figure 53 Figure 53 Connections Static Addresses 3 Enter the static IP address from your ISP in the My Static IP Address field 4 Enter the address of the ISP gate...

Page 61: ...t connection See Enabling IPv6 for a connection Setting up dial in access A remote user can dial directly to a modem connected to the serial port of the UTM Firewall appliance Once connected and authe...

Page 62: ...tication CHAP This is the weakest type of encrypted password authentication to use It is not recommended that clients connect using this as it provides very little password protection Also note that c...

Page 63: ...l in client Connecting a dial in client Remote users can dial in to the UTM Firewall appliance using the standard Windows Dial Up Networking software The network connection wizard guides you through s...

Page 64: ...access Figure 59 New Connection WIzard Network Connection 4 Select Dial up connection and click Next The Select a Device page appears Figure 60 Figure 60 New Connection WIzard Select a Device 5 Select...

Page 65: ...n access Figure 61 New Connection WIzard Connection Name 6 Enter a name for the connection and click Next The Phone Number to Dial page appears Figure 62 Figure 62 New Connection WIzard Phone Number t...

Page 66: ...and click Next The Connection Availability page appears Figure 64 Figure 64 New Connection WIzard Connection Availability 9 To make the connection only available for you select the My use only option...

Page 67: ...nection Enter the User name and Password set up for the UTM Firewall appliance dial in account and click Dial Failover load balancing and high availability Note This topic applies to UTM Firewall desk...

Page 68: ...in the sections Direction Connection ADSL Cable Modem and Dialout ISDN earlier in this chapter See Direct connection overview ADSL Connecting with a cable modem and Configuring a dialout connection on...

Page 69: ...rk connection The primary and secondary connection levels are tested in turn until one becomes available Internet failover is not stateful Any network connections that were established through the fai...

Page 70: ...on before testing whether it is functioning correctly Use a longer delay for connection types that are slow to establish such as dialout The defaults vary depending on the type of connection and are a...

Page 71: ...page Can be a fully qualified domain name of the form host domain com Both Host or domain can consist of alphabetic numeric or hyphen characters but cannot begin nor end with the hyphen character Can...

Page 72: ...tions must be marked as Required or Enabled Internet connections that are marked Disabled are not part of this connection level The initial defaults on the modify levels page for a connection are Load...

Page 73: ...ection on which to send outgoing traffic When an internal client makes a connection to a server on the Internet this and subsequent connections between the internal client and remote server are confin...

Page 74: ...This allows these hosts to automatically switch from one UTM Firewall appliance to the other if an appliance becomes unavailable The two appliances negotiate for ownership of the shared IP address at...

Page 75: ...ss assigned When the appliance becomes secondary all specified interfaces will have the shared IP address removed The following diagrams illustrate the basic HA configuration Figure 75 Basic HA config...

Page 76: ...76 Basic HA configuration Appliance 1 loses LAN connectivity Should UTM Firewall appliance 1 lose LAN connectivity for example someone accidentally powers it down UTM Firewall appliance 2 assumes the...

Page 77: ...gger The default location for the HA script is bin highavaild Customizing the HA script You can customize the HA script by replacing and modifying the bin highavaild script From the command line inter...

Page 78: ...u can now configure the HA connection for each interface See Configuring high availability Disabling high availability 1 From the Network Setup menu click Network Setup Failover H A High Availability...

Page 79: ...connections are accepted however administration connections are not 6 Enter the netmask in the Subnet Mask field Can be in the following forms A number from 0 32 255 255 255 0 7 Optional Enter an alia...

Page 80: ...MZ and network traffic originating from the DMZ is allowed out to the Internet The topic Services on the DMZ network discusses how to allow certain traffic from the Internet into the DMZ To allow publ...

Page 81: ...eferred gateway for load balancing select the Preferred Gateway checkbox 9 Click Update Services on the DMZ network Once you have configured the DMZ connection configure the UTM Firewall appliance to...

Page 82: ...expense Machines on the guest network typically have addresses in a private IP address range such as 192 168 2 0 255 255 255 0 or 10 2 0 0 255 255 0 0 For NAT Network Address Translation purposes the...

Page 83: ...The RADIUS server must be defined on the RADIUS page For information refer to RADIUS page WPA PSK Wi Fi Protected Access Preshared Key also known as WPA Personal An authentication and encryption prot...

Page 84: ...erred Gateway checkbox 6 Click Next The Access Point Configuration page appears Figure 83 Figure 83 Wireless Configuration Access Point page 7 Optional Enter a descriptive name for the wireless networ...

Page 85: ...ireless clients are trusted To bridge between clients select the Bridge Between Clients checkbox This setting enables the access point to forward packets between clients at the wireless level so that...

Page 86: ...either of the above two methods Security Alert Due to flaws in the authentication protocol the Shared Key method reduces the security of the WEP key McAfee recommends using Open System authentication...

Page 87: ...802 11i support which is also referred to as WPA2 b Specify the preshared key in the WPA Key field Allowed formats are 8 to 63 ASCII characters of any type at least 20 characters at a minimum recommen...

Page 88: ...y method select the Bridge Between Clients checkbox Packets between bridged wireless clients will not be restricted by the firewall Note If this setting is disabled it is still possible to configure w...

Page 89: ...wireless network For additional security you can specify a list of MAC addresses network hardware addresses to either allow or deny Security Alert MAC based ACL is a weak form of authentication and do...

Page 90: ...on settings The ESSID may be the same or different If the access points have the same ESSID then clients can transparently roam between them There are two common scenarios for WDS bridging or repeatin...

Page 91: ...is used for both the wireless clients and the WDS link Note You cannot enable both WDS and WEP with 802 1X Can be exactly 64 hexadecimal characters 0 9 a b or A B Can be from 8 to 63 characters of any...

Page 92: ...egulatory organization Tweaking these advanced wireless features can increase processing overhead so balance performance requirements with this in mind Advanced wireless settings include packet fragme...

Page 93: ...that support 802 11g also support 802 11b 802 11g only Wireless clients can only connect using 802 11g 54 Mbit s Wireless clients that only support 802 11b are unable to connect 802 11b and 802 11g Re...

Page 94: ...ance Another advantage is that network traffic not usually routed by an unbridged interface such as broadcast packets multicast packets and any non IPv4 protocols such as IPv6 IPX or Appletalk pass ov...

Page 95: ...to specify this IP address as a gateway to the networks connected to the bridge It is not so important which IP address you choose to assign to the bridge interface it is primarily used by hosts on e...

Page 96: ...field The delay usually only occurs when the appliance first boots or when the bridge configuration is modified This delay allows the appliance s bridge to detect which hosts are connected to each of...

Page 97: ...om an existing configuration 1 From the Network Setup menu click Network Setup and select the Connections tab The Connections page appears 2 From below the main Connections table select Bridge from th...

Page 98: ...opens 2 Click the delete icon for the bridge you want to delete The Bridge Deletion page appears Figure 99 Figure 99 Bridge Deletion page 3 Select the interface to which to transfer the bridge s IP co...

Page 99: ...o enforce access policies between ports on an external switch that supports port based VLANs In this scenario only the switch and other trusted devices should be directly connected to the LAN port of...

Page 100: ...ess between all ports the default or use port based VLANs to control access between each individual port in the switch This port based VLAN configuration makes it possible to assign each of the four p...

Page 101: ...ports Tip If you previously selected 1 LAN Port 3 Isolated Ports in the Switch Configuration step of the Quick Setup Wizard port based VLANs are already enabled and a single isolated VLAN for each po...

Page 102: ...k Update Adding a port based VLAN Use this procedure to manually add a port based VLAN on the switch of a UTM Firewall appliance Tip If you previously selected the 1 LAN Port 3 Isolated Ports option i...

Page 103: ...e VLAN ID field Otherwise if there is not an existing VLAN enter the next available VLAN ID If the Default port based VLAN ID on the Ethernet Configuration page Figure 102 has been left at its default...

Page 104: ...other devices that support the GRE protocol You can build GRE tunnels to other UTM Firewall appliances that support GRE or to other devices such as Cisco equipment A GRE tunnel must be created betwee...

Page 105: ...3 Ensure the Enable checkbox is selected 4 Optional Enter a descriptive GRE Tunnel Name for this tunnel 5 Enter the address of the remote GRE endpoint in Remote Address for example the Internet IP ad...

Page 106: ...across the GRE tunnel unless there is a route set up on the GRE tunnel 3G USB Modems UTM Firewall SG565 devices provide additional options for 3G EVDO modems Configuring 3G USB modem connections Use t...

Page 107: ...onfirm Password field 8 Conditional if required Enter the SIM card PIN code for your GPRS or 3G connection 9 Optional Select a Firewall Class for the connection The firewall class determines the packe...

Page 108: ...the Modem init string default value unchanged 6 Click Update Adding new 3G USB modem profiles Occasionally a modem may not present complete configuration information to the UTM Firewall device In thes...

Page 109: ...s more than one serial interface to the UTM Firewall device enter the interface to use for PPP connections in the Serial Interface to use field 7 Conditional If the USB modem is a GPRS or 3G modem ent...

Page 110: ...e A number between 0 and 32 Can also be in the form 255 255 255 0 6 Optional You can specify an Interface out which the network traffic should be routed from the Interface list Only current valid inte...

Page 111: ...ou use the New button the route is added to the bottom of the list Use the up or down arrows to reposition a route For more information on icons see Interface icons Once the page is populated with rou...

Page 112: ...ick New you can create an address definition when you create this route 7 Enter the Destination Address that matches the destination IP address of the packet When you click New you can create an addre...

Page 113: ...efer to the Zebra Web site http www zebra org for comprehensive documentation Example Configuring RIP Route Management Ensure you have enabled RIP v1 v2 under Route Management then open zebra conf and...

Page 114: ...istribute routing information from static route entries redistribute static Redistribute routing information from kernel route entries e g IPSec redistribute kernel The above files configure the devic...

Page 115: ...to OSPF is based on Dijkstra s Shortest Path First algorithm which is CPU intensive compared to other routing algorithms OSPF counts with the special characteristics of networks and interfaces such as...

Page 116: ...from the LARTC Linux Advanced Routing Traffic Control dynamic routing howto available from http lartc org howto LARTC is an invaluable resource for those wanting to learn about and take advantage of...

Page 117: ...f neighbors to which the router is connected neighbor 192 168 1 1 remote as 2 neighbor 192 168 1 1 distribute list local_nets in neighbor 10 10 1 1 remote as 3 neighbor 10 10 1 1 distribute list local...

Page 118: ...erver page Enabling DNS proxy server 1 From the Network Setup menu click Network Setup select the DNS tab and then select the DNS Proxy tab The DNS Proxy Server page appears 2 Enabled by default To en...

Page 119: ...ed by the UTM Firewall appliance are as follows 3322 org Chinese provider http www 3322 org DyNS http www dyns cx dyndns org http www dyndns org GNUDip http gnudip cheapnet net ODS http www ods org TZ...

Page 120: ...count in the Password and Confirm Password fields 8 Enter the domain for your dynamic account in the Domain field 9 Optional for dyndns org provider only If you have additional domains for this accoun...

Page 121: ...tus column now displays Disabled without the need to refresh your browser Editing a dynamic DNS account 1 From the Network Setup menu click Network Setup select the DNS tab and then select the Dynamic...

Page 122: ...Static Hosts tab The Static Hosts page appears 2 Select the edit icon for the static host you want to edit The Edit Static Hosts page appears 3 Make your changes and click Finish Deleting a static ho...

Page 123: ...ssigning dynamic IP address to devices on a network IP addresses are assigned using the concept of a lease which is the amount of time the IP address is valid for a device With DHCP network administra...

Page 124: ...s page Figure 128 DHCP Server Status Configured and Running You can disable and enable the configuration in the leftmost column The Interface column displays the interface for which the DHCP server or...

Page 125: ...server address is set as per the following If the DNS Proxy is enabled default see DNS Proxy tab then the DNS server is set to the IP address of the network interface on which the DHCP server is liste...

Page 126: ...or relay Note To configure a DHCP relay see Configuring a DHCP relay 1 From the Network Setup menu click DHCP Server The DHCP Configuration page appears 2 Clear the enable checkbox for the DHCP serve...

Page 127: ...McAfee UTM Firewall 4 0 4 Administration Guide 127 Network Setup menu options DHCP Server Figure 130 DHCP Addresses page...

Page 128: ...d to a host Click Refresh to obtain the most current information Click the delete icon to delete an IP address If an address is taken by a client a delete icon appears in the Free column so that you c...

Page 129: ...or IP address range you want to remove 4 Click Remove The address or addresses are removed from the Address List pane Add Reserved IP Addresses pane Use this pane to reserve an IP address for a clien...

Page 130: ...oes not support Network Address Translation NAT The UTM Firewall appliance is configured with the IP address of the DHCP Server The appliance accepts client DHCP Discover packets and relays them to th...

Page 131: ...ssional operating system You must have administrative rights to configure Windows XP as a DHCP client 1 Click Start Control Panel Network Connections Local Area Connection The Local Area Connection St...

Page 132: ...DHCP client If the UTM Firewall appliance is being used as an DHCP client inspect the front panel LEDs If the appliance s LAN interface cannot get a DHCP assigned IP address all lights flash simultane...

Page 133: ...level are queried if the replies from sibling caches did not succeed For information see Configuring Web Cache Peers The Web cache can also be configured to pass off Web transaction requests or respo...

Page 134: ...ing system capable of SMB sharing Refer to the documentation of your particular operating system for details on creating a network share This section includes basic procedures for creating a user acco...

Page 135: ...change this to something easier to remember if you want 4 To set the security permissions of the newly created network share click Permissions 5 Recommended If you want to secure the network share wit...

Page 136: ...blank and go to the last step Otherwise if the dedicated user account must authenticate to the network share continue with the next step 6 Enter the username of the dedicated user in the Username fie...

Page 137: ...ver checkbox b Enter the IP address of your UTM Firewall appliance in the Address box c Enter 3128 in the Port box The Web cache of the UTM Firewall appliance uses port 3128 by default d Select the By...

Page 138: ...e Local Storage tab The Local USB Storage page appears Figure 143 Figure 143 Web Cache Local USB Storage 2 Enter the cache size in the Cache Size field The size should be at least as big as the Cache...

Page 139: ...r accept the default port 3128 6 Enter the ICP port for querying neighbor caches about objects in the ICP Port field or accept the default port 3130 7 Click Finish The peer is displayed in the edit li...

Page 140: ...ons are blocked until the ICAP server becomes contactable 6 Click Submit Configuring advanced settings for the Web cache 1 Under the Network Setup menu click Web Cache select the Advanced tab and then...

Page 141: ...lable options are None default No anonymity and no identifying information is removed from Web requests Basic Paranoid Custom The Custom setting is for users who have manually edited these settings in...

Page 142: ...e 148 Figure 148 QoS Traffic Autoshaper 2 Click the edit icon next to the network interface on which you want to enable the autoshaper The QoS Autoshaper Edit page appears Figure 149 Figure 149 QoS Tr...

Page 143: ...w priority to the following services domain tcp and udp ftp and ftp data http and https imap irc nntp ntp pop3 smtp ssh telnet Enabling and configuring ToS packet priorities You can configure the ToS...

Page 144: ...ic Shaping and then select the ToS Packet Priority tab Figure 150 Figure 150 ToS Packet Priority 2 Select the Enable ToS Prioritization checkbox 3 Select a Default priority from the list The Default p...

Page 145: ...col or ICMP message type in the Ports field Acceptable inputs are service name single port number between 1 and 65535 range of port numbers in the form a b comma or whitespace separated list of any of...

Page 146: ...SG580 and SG720 only The SIP proxy of the UTM Firewall appliance allows SIP software clients or SIP hardware clients to work from a private network such as your LAN behind a masquerading firewall such...

Page 147: ...lick SIP The SIP Proxy page appears Figure 154 Figure 154 SIP Proxy page 2 Optional Select the Enabled checkbox 3 Select an interface from the Internal Interface list The outbound interface is typical...

Page 148: ...148 McAfee UTM Firewall 4 0 4 Administration Guide Network Setup menu options SIP...

Page 149: ...Antispam TrustedSource Controlling packet traffic Many features within the McAFee UTM Firewall Management Console can affect the flow of packet traffic within the appliance This topic outlines the hie...

Page 150: ...guring connection tracking NAT The destination IP addresses and ports of incoming packets are modified by the UTM Firewall appliance See About port forwarding Packet filtering Traffic is then subjecte...

Page 151: ...ured firewall The firewall allows you to control both incoming and outgoing access so that PCs on local networks can have tailored Internet access facilities while being shielded from malicious attack...

Page 152: ...and interfaces used to match packets Definitions need not be created for simple rules that only specify a single service address or interface as these can be entered while creating the rule If a rule...

Page 153: ...click Definitions Service Groups tab The Service Groups page appears Predefined services are displayed The Name column displays the name of the service group and the Details column displays the proto...

Page 154: ...e Service Groups page appears 2 Click the edit icon for the service group you want to edit The Modify Service Group page appears 3 Make your changes and click Finish Deleting a service group 1 From th...

Page 155: ...re predefined The Addresses page is shown in Figure 158 Figure 158 Addresses tab Adding an IP address or range 1 From the Firewall menu click Definitions Addresses tab The Addresses page opens Predefi...

Page 156: ...ting the firewall rules 1 From the Firewall menu click Definitions Addresses tab The Addresses page appears 2 Select DNS Hostname from the Type list 3 Click New The Hostname page appears Figure 160 Fi...

Page 157: ...k Finish Deleting an address Use this procedure to delete a single IP address range of addresses or address group If an address is being used by a packet filter or NAT rule a message informs you to mo...

Page 158: ...xes for the interfaces to group 5 Click Finish Editing an Interface Group 1 From the Firewall menu click Definitions Interfaces tab The Interfaces page appears 2 Click the edit icon for the interface...

Page 159: ...t filtering The majority of firewall customization is typically accomplished by creating Packet Filter and NAT Network Address Translation rules Packet filter rules match network packets based on a co...

Page 160: ...s that have the same address and port information are considered part of the same connection as are any responses moving in the opposite direction A special built in rule matches all packets that are...

Page 161: ...ket Filtering rule Packet Filtering page Use this page to define rules for packet filtering The factory default configuration includes the following predefined packet filter rules as shown in Figure 1...

Page 162: ...re you want to add the rule The Packet Filter Rule page appears Figure 167 Figure 167 Packet Filter Rule page 3 Optional Enter a descriptive name in the Descriptive Name field 4 Make sure the Enable c...

Page 163: ...s appliance None This option is automatically selected and displayed read only when the Input option is selected in the Type list Select this option to only match packets destined for this appliance 9...

Page 164: ...g a packet filter rule 1 From the Firewall menu click Packet Filtering The Packet Filters Rules page appears 2 Click the delete icon for the packet filter rule you want to delete You are prompted to c...

Page 165: ...d values Integer equal to or greater than 1 7 Select an action to take when a packet matches the packet filter rule but exceeds the rate limit from the Action if Limited list Available options are Non...

Page 166: ...o default to the Any wildcard 8 Select the Log checkbox and enter log_SG_origin_traffic in the Log Prefix field 9 Click Finish Example 2 Creating a rule to allow access through the appliance This exam...

Page 167: ...able 12 provides information about the services you can enable for each interface Table 12 Interface service descriptions Service Description Telnet This column controls access to the UTM Firewall app...

Page 168: ...s 3 To allow echo requests on Internet interfaces select the Accept echo request incoming port checkbox The default recommended is to disallow echo requests so your UTM Firewall appliance does not res...

Page 169: ...les It also displays how many times each rule has been matched which can be useful for troubleshooting Scroll through the page to view the iptables for Packet Filter Rules NAT Rules Packet Mangle Rule...

Page 170: ...ck Update Custom IPv6 Firewall Rules tab This tab provides the ability to manually add custom entries to the IP tables using the ip6tables command syntax The custom rules are executed whenever the sta...

Page 171: ...text box 4 Click Update Custom firewall rules and connection tracking Because selecting the Custom firewall rules instead of built in rules checkbox results in the default firewall functionality bein...

Page 172: ...out masquerading and source NAT Source NAT rules are useful for masquerading one or more IP addresses behind a single other IP address This is the type of NAT used by the UTM Firewall appliance to mas...

Page 173: ...contains the following main pages Port forwarding page Source NAT page One to one NAT Masquerading page Universal Plug and Play Gateway For further information on NAT investigate the solution finder f...

Page 174: ...nd source address for matching incoming packets use the Advanced port forward page In addition if you want to disable the port forwarding rule from automatically creating a packet filtering rule follo...

Page 175: ...port or ports in the Ports field If you want to show the definitions click Show Definitions The Protocol and Ports fields are replaced with the Services list Select a service from the list Figure 179...

Page 176: ...eld 5 Leave the Enable checkbox selected To temporarily disable the rule clear the checkbox 6 Optional recommended To create a corresponding packet filter rule to accept NATed packets leave the Create...

Page 177: ...Finish Disabling a port forwarding rule Use this procedure to temporarily disable a rule Tip Click the enable disable checkbox to the left of the object list to quickly disable the rule The page refre...

Page 178: ...ition is created Next create the port forwarding rule that uses the service group 5 From the Firewall menu click NAT Port Forwarding tab The Port Forwarding page appears 6 If this is the first rule de...

Page 179: ...stem This rule uses port 2222 for SSH rather than the standard SSH port of 22 Forwarding the SSH port allows remote access using SSH to the UTM Firewall appliance itself which runs an SSH server on po...

Page 180: ...w icon to add a rule above or below an existing rule If you use the New button the rule is added to the bottom of the list Use the up or down arrows to reposition a rule For more information on icons...

Page 181: ...can select the option Any to match packets that will be transmitted on any interface You should normally set this field to your Internet interface 6 Enter the address from which the request originate...

Page 182: ...dress assigned as an alias to the UTM Firewall appliance In addition to addresses you have predefined the following options are also available Unchanged Do not translate the source address This is use...

Page 183: ...ckbox to the left of the object list to quickly re enable the rule The page refreshes and a check mark indicates the rule is enabled again 1 From the Firewall menu click NAT Source NAT tab Any rules t...

Page 184: ...an internal private address to an external public address and vice versa This form of NAT maps an external public address to an internal private address Figure 189 1 to 1 NAT page initial view Creatin...

Page 185: ...page Make sure you add a corresponding packet filter rule See Creating a packet filter rule Editing a one to one NAT rule 1 From the Firewall menu click NAT 1 to 1 NAT tab The 1 to 1 NAT page is displ...

Page 186: ...ed for port B 1 From the Firewall menu click NAT 1 to 1 NAT tab The 1 to 1 NAT page is displayed Any rules that have already been defined are displayed 2 Click New or the add above or below icon depen...

Page 187: ...s on your LAN which is generally not recommended 3 Enabled by default To enable masquerading for connections between any LAN interface and any DMZ interface select the Enable NAT from LAN VPN interfac...

Page 188: ...ce be power cycled or should the internal or external interface become unavailable The UPnP Gateway is intended for transitory application port forwarding such as those established by some versions of...

Page 189: ...3 Open Internet Connection click Settings Add The Service Settings window appears Figure 195 Figure 195 Service Settings 4 Enter an arbitrary Description of service 5 Enter the Name or IP address of...

Page 190: ...dress of packets that have been port forwarded Takes the form of target IP address port number Connection tracking Connection tracking keeps a record of packets that have passed through the appliance...

Page 191: ...the original direction and the reply direction The addresses for the original direction are before NAT and the addresses for the reply direction are after NAT Tip Connection logging generates a large...

Page 192: ...shed and expire however this can result in excessive log messages if you have a large or busy network Make sure you have enabled remote system logging if you enable connection logging See Enabling rem...

Page 193: ...xpert firewall administrators See Custom firewall rules and connection tracking for details About the Connection Tracking Report Use this report to view information about the current connections to a...

Page 194: ...ck Connection Tracking Report tab The Connection Tracking Report page is displayed Figure 199 2 Select the Display checkbox for the fields you want to include in the report 3 Optional If available for...

Page 195: ...er of rows you want displayed in the Maximum display rows field This value cannot exceed the display only value shown in the System processing limit field The system limit value is dynamic depending o...

Page 196: ...as identification However identification can be forged On the other hand intrusion detection systems are more like security systems with motion sensors and video cameras Video screens can be monitore...

Page 197: ...e being blocked in the Trigger count before blocking field This option only takes effect when one of the blocking options is enabled The trigger count value should be between 0 and 2 zero represents a...

Page 198: ...t to detect most scans The Strict setting includes all services in Standard and Basic in addition to its own unique settings Security Alert The list of network ports can be freely edited however addin...

Page 199: ...t be enabled in the IDB configuration for any scanning or blocking to occur See Configuring basic IDB echo X Elite X X exec X filenet rmi X X X finger X X gopher X http X ida discover2 X imap X X X in...

Page 200: ...n Standard and Basic in addition to its own unique settings Security Alert The list of network ports can be freely edited however adding network ports used by services running on the UTM Firewall unit...

Page 201: ...detect many attacks by checking destination port number TCP flags and doing a simple search through the packet s data payload Rules can be quite complex allowing a trigger if one criterion matches but...

Page 202: ...tab The Intrusion Prevention page appears Figure 204 Figure 204 Snort Configuration IPS 2 Select the Enabled checkbox 3 Recommended To restrict memory usage for the scanning select the Use less memor...

Page 203: ...t Configuration page 2 Select the Enabled checkbox 3 Select the network Interface to monitor This is typically Internet or possibly DMZ 4 Select the checkbox or checkboxes for the Rule sets you want t...

Page 204: ...dress or resolvable host name of the analysis server in the Hostname field 6 Enter the database port of the analysis server in the Database port field For MySQL type databases this is typically 3306 7...

Page 205: ...use The access control Web proxy allows you to control access to the Internet based on the type of Web content being accessed through Web Filtering and the user or workstation that is accessing the In...

Page 206: ...you want to apply access control At least one checkbox must be selected for any access control operation to take place Available options are Private includes the LAN VPN and Dialin firewall classes En...

Page 207: ...are blocked resulting in faster Web access than that provided by the software HTTP proxy Once the Fast Web Mode checkbox is selected the UTM Firewall device will operate in Fast Web Mode whenever The...

Page 208: ...ust also have Web access enabled by your administrator Without this your access will be blocked as shown in Figure 209 then configure the browser to use the appliance Web proxy See Configuring browser...

Page 209: ...ect the Use a proxy server for your LAN and the Bypass proxy server for local addresses checkboxes All other options should remain cleared 3 Click Advanced The Proxy Settings dialog box is displayed F...

Page 210: ...e Access Control Lists page appears Figure 212 Figure 212 ACL tab 2 Optional Select allowed source hosts from the Allowed Source Hosts list The default is None Available options Available options depe...

Page 211: ...select the single address you defined which is 10 0 0 0 25 8 Click Submit Web Lists tab Use the tabs within Web Lists to configure allowed and blocked URL fragments Only WWW browsing is restricted by...

Page 212: ...wed access again Policy enforcement Policy enforcement on the UTM Firewall appliance provides the ability for specific internal servers and workstations to have their network access through the applia...

Page 213: ...checkbox Turning policy enforcement on without specifying anything to scan causes a slight decrease in performance of the appliance 3 Optional Select the Block Unscanned Hosts checkbox This checkbox...

Page 214: ...resses and services groups See Addresses page and Creating a service group Enable policy enforcement See Enabling security policy enforcement Upload and test NSAL scripts optional See Uploading a NASL...

Page 215: ...tically populated from the files ending with nasl in the etc config directory Security groups may overlap with respect to hosts within them In this case a single allow service overrides any number of...

Page 216: ...no longer displays indicating the script is now disabled Deleting a policy enforcement script 1 From the Firewall menu click Access Control Script Management tab The Manage Scripts page appears 2 Cli...

Page 217: ...ting a feature The McAfee Web Gateway URL filtering service on the UTM Firewall appliance is for the URL filtering and reporting if applicable feature only Advanced McAfee Web Gateway features include...

Page 218: ...ories might be added after content filtering is configured on your appliance Note Content filtering is not performed for addresses specified in the Web Lists tab URL Allow or Block pages or for allowe...

Page 219: ...ilter Service page appears 2 Clear the Enable content filtering checkbox 3 Click Submit Uploading a McAfee Web Gateway certificate and key Use this procedure to upload the McAfee Web Gateway certifica...

Page 220: ...TE lines when copying and pasting text 3 Click Submit Blocking categories for McAfee Web Gateway filtering Use this procedure to block categories for McAfee Web Gateway filter service There is only on...

Page 221: ...teway URL rating Use this procedure to test the URL rating of a given URL You can provide feedback if you think the rating for the URL is inaccurate and needs to be reassessed 1 Go to http www trusted...

Page 222: ...mit URL for Review Figure 226 URL check results Antivirus The antivirus capabilities of the UTM Firewall appliance shield your LAN from viruses that propagate through email the Web and FTP An antiviru...

Page 223: ...ion tab System System Setup Memory Allocation tab See Memory Allocation tab for more information The antivirus database is updated automatically at intervals set when antivirus is enabled If your UTM...

Page 224: ...y Available options are Hourly Daily Weekly 5 Specify the maximum size in kilobytes of files to scan for viruses in the Maximum file size to virus scan KB field Files over this size are automatically...

Page 225: ...nternet Ideally the freshclam utility that comes with clam antivirus should be used to download the database files to a local machine If freshclam is not available you can download the database files...

Page 226: ...pears Figure 228 Figure 228 Antivirus Network Storage 2 Select the Use share checkbox 3 Enter the path of the network share in the Share field You can use the following formats HOSTNAME sharename OR a...

Page 227: ...ng a Windows XP network share A network share is a shared folder or drive on a local Windows PC or a PC running another operating system capable of SMB sharing such as Mac OS X For details on creating...

Page 228: ...email client that is not retrieving email from the default POP server this may be all email clients the email client s POP3 user name setting must be in the form of user mail isp com rather than simpl...

Page 229: ...mply user user is the POP3 login and mail isp com is the POP3 mail server Additionally the email client s incoming POP3 email server setting must be sent to the UTM Firewall appliance s LAN IP address...

Page 230: ...server address of your LAN in the Destination SMTP server field 6 Enabled by default To enable source address translation select the Source NAT connections checkbox This enabled option prevents your...

Page 231: ...s check Web downloads checkbox You must have access control enabled for this to function For more information on access control see Enabling access control 3 To treat oversized downloads as potential...

Page 232: ...in the Maximum simultaneous connections field This is the total number of FTP connections allowed from your LAN Once this number is reached subsequent FTP connections are rejected until previous FTP c...

Page 233: ...ll not function on the appliance until it is licensed About TrustedSource To determine reputation scores TrustedSource uses servers around the world to gather and analyze messages TrustedSource assign...

Page 234: ...an SMTP proxy Security Alert Since antivirus for SMTP email and TrustedSource share SMTP resources only one SMTP server can be protected by these features Prerequisites DNS is configured with access...

Page 235: ...gured to trust and forward messages appearing to originate from the LAN address of the appliance If enabled the apparent source address for connections to the internal SMTP server is one of the WAN ad...

Page 236: ...ry engine You can also use this page to query the reputation of a given server which allows you to more finely tune your reputation threshold If this test is failing to return a reputation it could me...

Page 237: ...4 0 4 Administration Guide 237 Firewall menu options Antispam TrustedSource Disabling TrustedSource 1 Select Firewall Antispam TrustedSource tab The TrustedSource page appears 2 Clear the Enable chec...

Page 238: ...238 McAfee UTM Firewall 4 0 4 Administration Guide Firewall menu options Antispam TrustedSource...

Page 239: ...ed directly from your office Similarly telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP VPN technology can be deployed as a low cost way of securely li...

Page 240: ...appliance can operate as a PPTP client or a PPTP server The configuration of the appliance defines which networks are accessible via the tunnel The appliance initiates the PPTP tunnel with a specifie...

Page 241: ...the system administrator of the remote PPTP server The username cannot start with 8 Enter the password in the Password field to use when logging in to the remote VPN The password can be one or more ch...

Page 242: ...the office printer access shared files and computers on the network as if you were physically on the LAN To disconnect right click the PPTP Status system tray icon and select Disconnect PPTP VPN Serve...

Page 243: ...ge in the IP Addresses to give to remote hosts field This must be a free IP address or a range of free IP addresses from the network typically the LAN that remote users are assigned while connected to...

Page 244: ...b of the Users page You must enable the Dial in Access option for the individual users that are allowed dial in access RADIUS Use an external RADIUS server as defined on the RADIUS tab of the Users pa...

Page 245: ...ternet you must set up two networking connections One connection is for the ISP and the other connection is for the VPN tunnel to your office network The PPTP server of the appliance interoperates wit...

Page 246: ...on Wizard Network Connection Type page 5 Select Connect to the network at my workplace and click Next The Network Connection page appears Figure 244 Figure 244 New Connection Wizard Network Connection...

Page 247: ...Public Network page appears Figure 246 Figure 246 New Connection Wizard Public Network page 8 If you have set up your computer to connect to your ISP using dial up select Automatically dial this init...

Page 248: ...PN Server Selection page 9 Enter the UTM Firewall PPTP appliance s Internet IP address or fully qualified domain name and click Next The Smart Cards page appears Figure 248 Figure 248 New Connection W...

Page 249: ...r you want to make this connection available to all users or only available to yourself and click Next The Completion page appears Figure 250 Figure 250 New Connection Wizard Completion page 12 To add...

Page 250: ...set up your VPN connection to automatically establish an initial Internet connection 14 Enter the user name and password added in the Adding a PPTP user account 15 Click Connect Figure 252 VPN connect...

Page 251: ...hared secret 3 Set up VPN user accounts on the UTM Firewall appliance and enable the appropriate authentication security See Adding an L2TP user account 4 Configure the VPN clients at the remote sites...

Page 252: ...e one that you want to connect remote users to from the IP Address to Assign VPN Server list This is typically a LAN interface or alias 5 Select the weakest Authentication Scheme to accept Access is d...

Page 253: ...reate an IPSec tunnel for use with L2TP Authentication is performed using x 509 certificates or a preshared secret You can add a single shared secret tunnel for all remote clients authenticating using...

Page 254: ...tab 2 Click the status link for the connection you want to monitor The configuration displays data similar to that shown in Figure 256 Figure 256 L2TP IPSec status down 3 Click Update to update the cu...

Page 255: ...list select the certificate uploaded to the UTM Firewall appliance 5 Enter the Client Distinguished Name It must match exactly the distinguished name of the remote party s local certificate to succes...

Page 256: ...er name and Password as these are required in configuring the remote L2TP client 1 Click System Users Local Users tab The Local Users page is displayed 2 Click New The Edit User Information page appea...

Page 257: ...r IPSec Preshared Secret Configuration To authenticate using an x 509 Certificate Tunnel you must first install the local certificate The distinguished name of this local certificate must match the na...

Page 258: ...P server which is usually a Microsoft Windows server 1 From the VPN main menu click L2TP and select the L2TP VPN Client tab The L2TP accounts page appears Figure 261 Figure 261 L2TP VPN Client Setup t...

Page 259: ...rface field For more information on static routes see Creating a static route 11 Optional Set the strength of encryption to use by selecting a Required Encryption Level from the drop down menu 12 Opti...

Page 260: ...g on an external DNS server The following is a list of configurations from most to least preferable remote to local location 1 Static IP address to static IP address 2 Dynamic IP address to static IP...

Page 261: ...gs Once populated with tunnels the Tunnel List pane displays the following information Connection This is the user defined name for the IPSec tunnel connection Remote Party This is the identity of the...

Page 262: ...abling IPsec VPN Use this procedure to enable IPSec VPN 1 From the VPN menu click IPSec The IPSec VPN Setup page appears 2 Select the Enable IPSec checkbox 3 Optional Enter a Maximum Transmission Unit...

Page 263: ...the remote party Tunnels configured with this method of authentication using the Quick Setup will by default use the Aggressive Mode of keying Note Preshared Secret is the only authentication current...

Page 264: ...uired local certificate to use to negotiate the tunnel from the Local Certificate list This is the list of local certificates that have been uploaded for x 509 authentication Select the required certi...

Page 265: ...to refresh the status before clicking the Status link 1 From the VPN menu click IPSec The IPSec VPN Setup page appears 2 In the Tunnel List pane click the linked status in the Status column Figure 26...

Page 266: ...formation An outline of the tunnel s network setup Phase 1 and Phase 2 key lifetimes ike_life and IPSec_life respectively Type of keying Type of authentication used The policy line displays PSK for Pr...

Page 267: ...TM Firewall appliance are Main Aggressive and Manual as described below Main The main mode has a more restrictive exchange for its key mode which automatically exchanges encryption and authentication...

Page 268: ...ample uses main_test b Leave the Enable this tunnel checkbox selected c From the Local Interface list select the interface the IPSec tunnel is to go out on The options depend on what is currently conf...

Page 269: ...vailable options are Preshared Secret RSA Digital Key Signature x 509 Certificates This examples uses Preshared Secret for authentication For further information on available authentication schemes re...

Page 270: ...form abcd efgh c Optional To apply IPComp compression before encryption select the Payload compression checkbox d Optional To offload VPN connections to another UTM Firewall appliance either select o...

Page 271: ...1 Settings page appears Figure 271 Figure 271 IPSec VPN Phase 1 Settings page Fill in the fields a Allow all of the defaults for the Key lifetime Rekey margin and Rekey fuzz fields b Enter the Presha...

Page 272: ...lick Add The pair appears in the Local and Remote Network list Figure 273 You can click the delete icon to delete the pair and define a different pair Note You can add as many network pairs as require...

Page 273: ...lso a UTM Firewall appliance and both appliances have static IP addresses 1 From the VPN menu click IPSec The IPSec VPN Setup page appears 2 Click Advanced The Tunnel Settings page appears Figure 274...

Page 274: ...page RSA authentication Fill in the fields a Enter the IP address of the remote party This example uses 1 1 1 3 b Enter the Required Endpoint ID This example uses remote branch c Select an option for...

Page 275: ...Public Key field enter the public part of the remote party s RSA Key generated for RSA Digital Key authentication This field must be populated with the remote party s public RSA key d Allow the Phase...

Page 276: ...ctions refer to Adding a certificate for use with IPSec VPN The root CA needs to be uploaded to both appliances The local and remote certificates and keys must be uploaded to their respective applianc...

Page 277: ...mote party This example uses 1 1 1 3 b Enter the Distinguished Name This example uses C US ST MN L St Paul O McAfee CN vpn McAfee com emailAddress vpn mcafee com Tip Copy the distinguished name from t...

Page 278: ...e 2 Proposal at the default d Leave Perfect Forward Secrecy enabled e Leave the Diffie Hellman Group at the default 8 Click Finish The tunnel is added to the Tunnel List pane and the Status column ind...

Page 279: ...e address This example uses a static IP address g If you want to force clients to authenticate using XAUTH select the Require XAUTH authentication checkbox 3 Click Next The Local Endpoint Settings pag...

Page 280: ...cal Network that will have access to the remote network You can select from a list of predefined values based on the current network configuration and existing Definitions or you can define custom net...

Page 281: ...is added to the Tunnel List pane and the Status column indicates the current status of the tunnel Manual keying mode for an IPSec tunnel Use this procedure as guidance for creating an IPSec tunnel usi...

Page 282: ...0xhex where hex is one or more hexadecimal digits The hex part must be exactly 16 characters long when using DES or 48 characters long when using 3DES excluding any underscore characters d Select a C...

Page 283: ...the form 0xhex where hex is one or more hexadecimal digits The hex part must be exactly 16 characters long when using DES or 48 characters long when using 3DES excluding any underscore characters It...

Page 284: ...Next The Remote Endpoint Settings page appears 7 Make your selections and click Next The Phase 1 Settings page appears 8 Make your selections and click Next The Phase 2 Settings page appears 9 Click...

Page 285: ...the Keying list select the type of keying for the tunnel to use In this example select the Aggressive Mode option 6 From the Local address list select the type of IPSec endpoint this UTM Firewall app...

Page 286: ...arty to the UTM Firewall appliance For this example leave the field blank The remote party s ID is optional if it has a static IP address and uses Preshared Secrets for authentication It becomes a req...

Page 287: ...ly network traffic coming from a Local Network and destined for a Remote Network is allowed across the tunnel IPSec uses its own routing mechanisms and disregards the main routing table 2 For this exa...

Page 288: ...ave the Enable IP Payload Compression checkbox unselected 3 Leave the Enable Phase 1 2 rekeying to be initiated from my end checkbox selected 4 Click Next to configure the Remote Endpoint Settings Ste...

Page 289: ...DNS providers For information on configuring DNS see DNS When configuring the tunnel select the DNS hostname address type for the IPSec endpoint that has dynamic DNS supported and enable Dead Peer De...

Page 290: ...m where pksc12_file is the PKCS12 file issued by the CA and local_private_key pem is the local private key certificate to be uploaded into the UTM Firewall appliance When the application prompts you t...

Page 291: ...lic certificate cert1 pem and the local private key certificate cert1 key ready to use in the UTM Firewall appliance For each certificate required change the cert1 filenames referenced in the above sy...

Page 292: ...es Certificate management Figure 296 Add Remove Snap in dialog 3 Click Add The Add Standalone Snap in dialog box is displayed Figure 297 Figure 297 Add Standalone Snap in 4 Select Certificates and cli...

Page 293: ...certificates installed for and click Finish Click Close and OK 6 In the Certificate console double click Certificates to open the certificate store Figure 299 Figure 299 Certificates Current User 7 In...

Page 294: ...on Guide VPN menu features Certificate management Figure 301 Action menu 9 The Certificate Import wizard starts Figure 302 Figure 302 Certificate Import Wizard Welcome page 10 Click Next The File to I...

Page 295: ...e 303 Certificate Import Wizard File to Import page 11 Click Browse and locate your cert1 p12 12 Click Next The Password page appears Figure 304 Figure 304 Certificate Import Wizard Password 13 Type i...

Page 296: ...on page 17 Click Finish Adding a certificate for use with IPSec VPN The following types of certificates can be installed for use with IPSec VPN Local Certificate is a private and public key pair signe...

Page 297: ...e in the Local Certificate field Click Browse to locate the file 4 Enter the Local Private Key certificate in Private Key Certificate field 5 Enter the passphrase to unlock the private key certificate...

Page 298: ...icate Use this procedure to add a CRL certificate for use with IPSec VPN The certificate must be in PEM or DER format 1 From the VPN menu click IPSec Certificate Lists tab The IPSec Certificates page...

Page 299: ...path is functioning again and if so falls forward to use the primary link instead Figure 313 Example IPSec failover network The steps necessary to recreate this failover scenario are 1 Set up unused a...

Page 300: ...rface default gateway interface Keying Aggressive mode IKE Local address dynamic IP address Remote address static IP address Local Required Endpoint ID primary branch Dead Peer Detection enabled Remot...

Page 301: ...168 12 1 192 168 11 1 c 3 stopwhack terminate name primary_1 asynchronous connection secondary parentipsec tunnel secondary_1 parentofipsec tunnel secondary_0 retry_delay5 test_delay5 maximum_retries...

Page 302: ...2 192 168 12 2 c 3 stopwhack terminate name secondary_1 asynchronous service ipsec failover groupprimary groupsecondary 9 After editing and saving ifmond conf on the Headquarters UTM Firewall run the...

Page 303: ...e party IP address 210 0 0 1 Local Network 2 Address of primary port 209 0 0 1 32 Remote Network 2 Remote Endpoint Table 27 Primary IPSec tunnel Branch Office UTM Firewall configuration Field Value Tu...

Page 304: ...1 1 32 Remote Network 2 Remote Endpoint Table 30 Primary GRE tunnel Headquarters UTM Firewall configuration Field Value GRE tunnel name primary Remote address 210 0 0 1 Local address 209 0 0 1 Firewal...

Page 305: ...entipsec tunnel secondary parentofnetif gre2 testifretry 2 5 ping I 209 0 1 1 210 0 1 1 c 3 retry_delay5 test_delay5 Gateway Metric 1 Table 35 Static route 2 Headquarters UTM Firewall configuration Fi...

Page 306: ...rall tunnel counts and throughput by configuring additional UTM Firewall appliances as an offload device An IPSec offload device is another McAfee UTM Firewall appliance that has been specifically con...

Page 307: ...ogether as they do not communicate with each other and only require simple single IP address visibility to the Central UTM Firewall appliance The optimal arrangement for conserving switch ports is a t...

Page 308: ...s some extra configuration required as described in the next topic Configuring for VPN offloading Configuring for VPN offloading In addition to configuring the offload device within the advanced wizar...

Page 309: ...4500 if NAT T is negotiated successfully Review the system log There will be entries by Pluto with informative data Verify the VPN LED is lit when the VPN tunnel is established this LED applies to al...

Page 310: ...not work Possible cause The MTU of the IPSec interface is too large Solution Reduce the MTU of the IPSec interface Symptom Tunnel goes down after awhile Possible causes The remote party has gone down...

Page 311: ...Tunnel comes up but the application does not work across the tunnel Possible causes There may be a firewall device blocking IPSec packets The MTU of the IPSec interface may be too large The applicatio...

Page 312: ...is behind a firewall that only allows outgoing HTTP connections and blocks all other traffic SSL Tunnels are port tunnels that send data using an encrypted SSL pipe In order to use an SSL tunnel you m...

Page 313: ...P address of the remote tunnel server in the Tunnel Server field 7 Enter the TCP port on which the tunnel server is listening for connections in the Tunnel Port field This must match the tunnel server...

Page 314: ...e proxy server requires authentication enter the details in the Proxy User name and Proxy Password fields Can consist of any characters or be left blank 15 Optional If the proxy accepts connects from...

Page 315: ...o specify the maximum length to use in HTTP PUT requests enter a value in the Content Length field Default 102400 Can be an integer value equal to or greater than 1 9 Optional To force the content len...

Page 316: ...y accessible IP address of the remote tunnel server in the Tunnel Server field 7 Enter the TCP port on which the tunnel server is listening for connections in the Tunnel Port field Range an integer va...

Page 317: ...8 From the Protocol list select the protocol to use when negotiating the SSL connection Available options are Raw Default Use the default when incoming connections are from a tunnel client CIFS NNTP P...

Page 318: ...create nested tunnels which is useful for creating a secure SSL tunnel over an HTTP tunnel 1 Create the HTTP tunnel client and server 2 Create a SSL tunnel client such that the Tunnel Endpoint of the...

Page 319: ...grading firmware Status menu This menu provides access to high level summaries of the general status of the system including the connections to the unit and the services running on it Whenever you log...

Page 320: ...the bottom of the tab shows CPU usage by default You can change the chart to display other information by clicking on any of the underlined items in the System Status table Reviewing the status of the...

Page 321: ...cting any of the underlined rates will plot that rate over time on a chart below the physical and logical connection tables These statistics are measured over the statsd polling period To change the p...

Page 322: ...hart below the Services table The Services table also provides shortcuts to the configuration page for each service Simply click on the service name to be taken to the associated configuration page Sy...

Page 323: ...event If you use certificates for SSL or IPSec it is especially important that you set the date and time correctly as certificates include a start date and time before which they do not function and...

Page 324: ...Submit Syncing appliance date and time with a PC Use this procedure to set the date and time of your appliance to a personal computer You must have JavaScript enabled in your Web browser to sync your...

Page 325: ...the Network Time Protocol NTP services on the UTM Firewall appliance The appliance can make use of an NTP server or peer running the NTP to provide for time synchronization across a network The applia...

Page 326: ...ding an NTP server The UTM Firewall appliance can synchronize its system time with a remote time server using the network time protocol NTP Adding an NTP server ensures the clock in the UTM Firewall a...

Page 327: ...etwork 1 From the System menu click Date and Time NTP Time Server tab The NTP Time Server page appears 2 In the NTP Time Server pane enter the IP Address of the NTP server 3 Select Peer from the Type...

Page 328: ...ick Apply Memory Allocation tab This Memory Allocation tab Figure 332 allows system resources to be managed and allocated between the various available subsystems For each subsystem it is possible to...

Page 329: ...an also be saved as a plain unencrypted text file After configuring your UTM Firewall appliance it is strongly recommended that you remotely back up your configuration to an encrypted file If the appl...

Page 330: ...re a locally backed up configuration by clicking its corresponding Restore icon in the Restore or Delete Configuration pane 3 A message requests you to confirm the restore Click OK A message indicates...

Page 331: ...option Security Alert Ensure the configuration is transferred over an encrypted connection and stored on a secured system This file is not intended to be human readable although some portions can be...

Page 332: ...nfiguration files from the text box to a plain text file stored on a PC Restoring a saved configuration text file 1 From the System menu click Backup Restore Text Save Restore tab The Save Restore Con...

Page 333: ...ocal users Administrative user accounts on a UTM Firewall appliance allow administrative duties to be spread amongst a number of different people according to their level of competence and trust Each...

Page 334: ...ield Note Users with a fixed IP address still require a dynamic IP address even though they do not use it The PPTP VPN Server dynamic IP address range must be large enough to accommodate users with bo...

Page 335: ...that the user change their passwords to meet the updated password class requirements Deleting a user 1 From the System menu click Users The Administrative Users page appears 2 Click the delete icon ne...

Page 336: ...sibilities select one of the built in Predefined Administration Roles from the drop down menu The pre defined roles are Administration Diagnostic VPN Administrator 6 Optional Select an access level fo...

Page 337: ...tion can take place against the domain controller To configure your Windows NT workgroup settings 1 From the System menu click Users and select the Domain tab Figure 342 Domain tab 2 In the NT Domain...

Page 338: ...ecret string in the RADIUS Secret field The secret is used to access the RADIUS server and can be 1 or more characters of any type 6 Click Finish The new RADIUS server appears on the RADIUS server lis...

Page 339: ...s Each label cannot begin or end with the hyphen character The address can also be an IP address of the form a b c d 3 Enter the secret used to access the TACACS server in the TACACS Secret field The...

Page 340: ...d the duration of the lock out in seconds Re authentication idle time the amount of time a user may do nothing before having to log in to the unit again Disuse deletion time the number of days an acco...

Page 341: ...unit Note Any time a password class is changed the Change password on first access checkbox should be selected in order to force users to change their passwords to meet the new password class require...

Page 342: ...icated against a Windows workgroup server Note Selecting NT Domain requires the fields on the Domain tab be completed See Domain page TACACS the service is authenticated against a remote TACACS server...

Page 343: ...cond table lists login attempts by service Management menu The Management menu provides configuration options that control how the UTM Firewall appliance is managed Configuration options include setti...

Page 344: ...administration is similar to http 192 168 0 1 888 4 Optional recommended To enable secure HTTP HTTPS select the Enable HTTPS Management checkbox 5 Optional The Management Console runs on the default H...

Page 345: ...e uploaded or manually created at the earliest possible convenience A proper certificate enables remote clients to establish its authenticity upon connection using chain of trust root cert signed or s...

Page 346: ...te key length from the Generate an RSA key of list Available options are 512 bits default 1024 bits 1536 bits 2048 bits 3072 bits 4096 bits Note The more bits in the key the longer it takes to generat...

Page 347: ...at you take care to protect your private root certificate Should an untrusted party access your root CA it would enable that party to generate SSL certs that your browser would silently accept thus co...

Page 348: ...e 355 General Certificate Information 4 You can view the Details or Certification by click the relevant tab Click Install Certificate The Certificate Import Wizard begins Figure 356 Figure 356 Certifi...

Page 349: ...lect store based on type option and click Next The Completion page appears Figure 358 Figure 358 Certificate Import Wizard Completion page 7 Click Finish 8 A security warning dialog box displays the t...

Page 350: ...onger receive alerts when you access the console via https To view the certificates installed in the browser click Tools Internet options Content and click the Certificates button The Certificates dia...

Page 351: ...helps hide the service from would be attackers 4 Click Submit to save the configuration changes Enabling remote management by McAfee UTM Firewall Control Center Use this procedure to enable remote man...

Page 352: ...the Control Center Typically a setting somewhere between the logging everything and nothing is appropriate Available options are Absolutely Everything Everything but Debug Notices Warnings and Errors...

Page 353: ...anagement Control Center Attributes tab The Control Center Attributes page appears 2 Click the edit icon for the attribute you want to edit The Edit Control Center Device Attributes page appears 3 Mak...

Page 354: ...on this device It is highly recommended you do not allow read write access otherwise take additional steps to secure the connection 5 Specify the endpoints on which the SNMP agent accepts requests in...

Page 355: ...ormation that may be useful in determining whether all services for your UTM Firewall appliance are operating correctly Every message recorded by a service on the appliance has an associated logging l...

Page 356: ...log isolates your search terms To clear the system log messages click Clear Messages To filter the log output to display based on output type select an option from the Display list To reset the defaul...

Page 357: ...syslog messages Caution Make sure the value you enter does not exceed the maximum size of the var log filesystem available for your model as indicated in Table 38 For best results keep the log size a...

Page 358: ...the Remote Host field 4 Enter the Remote Port on which the remote syslog server is listening for syslog messages Typically the default is correct 5 Set the Filter Level to only send syslog messages at...

Page 359: ...from 6 Set the Filter Level to only send syslog messages at the selected level or above 7 Specify the number of seconds to wait after receiving a system log message before sending an email in Delay to...

Page 360: ...of an IPSec tunnel use the LAN interface of the appliance where the LAN network is defined as the local network Otherwise the ping will fail 4 Optional To perform a reverse DNS names lookup on IP add...

Page 361: ...Devices page appears Figure 376 Figure 376 USB Detected Devices The Vendor Product and ID details are obtained by querying the devices directly The ID field is a combination of the Product ID Vendor I...

Page 362: ...n the appliance For further information on temporary storage space see Table 38 on page 357 For large packet captures decrease this value 4 Click Add The packet capture configuration is added to the I...

Page 363: ...pcap file Use this procedure to delete pcap files when you no longer require them This keeps space available in the var tmp directory 1 From the System menu click Diagnostics Packet Capture The Packet...

Page 364: ...e Reboot page appears Figure 380 Figure 380 Reboot tab 2 Click Reboot It usually takes around 10 seconds before the appliance is up and running again If you have enabled bridging the UTM Firewall appl...

Page 365: ...signed address For additional recovery options see Recovering from a failed upgrade Upgrading firmware Periodically McAfee releases new versions of firmware for your UTM Firewall appliance If a new ve...

Page 366: ...otocol TFTP is a simplified version of FTP that allows transfer of files between computers over a network An alternative method to flash upgrades via HTTP is to install and configure a TFTP server and...

Page 367: ...Click Upgrade The firmware upload only accepts valid firmware images and only accepts newer images appropriate for your device Wait for the upgrade to complete Upgrading using TFTP from the command li...

Page 368: ...te Configuration Files tab The Configuration Files tab provides direct and quick access to configuration files within the Edit Files tab The Filename column indicates the configuration file name The S...

Page 369: ...tiple files select the checkboxes for the files and click Modify An edit window opens for each file you want to modify The Modify File page appears The name of the file you are editing displays in the...

Page 370: ...delete 3 Click OK Tip You can also click the Delete button at the bottom of the configuration files list To delete multiple files select the checkboxes for the files and click Delete Uploading a conf...

Page 371: ...u features Advanced menu 1 From the System menu click Advanced Device Config tab The Display Modify Device Configuration page appears Figure 387 Figure 387 Display Modify Device Configuration page 2 M...

Page 372: ...372 McAfee UTM Firewall 4 0 4 Administration Guide System menu features Advanced menu...

Page 373: ...incoming interface OUT outgoing interface MAC dst src MAC addresses SRC source IP DST destination IP SPT source port DPT destination port additional packet info Where prefix if non empty hints at cau...

Page 374: ...0x00 TTL 62 ID 51683 DF PROTO TCP SPT 47044 DPT 22 WINDOW 5840 RES 0x00 SYN URGP 0 Packets going from the private network to the public come in eth0 and out eth1 as shown in the following example Mar...

Page 375: ...LAN with address 192 168 1 1 iptables I FORWARD j LOG p tcp syn s 5 6 7 8 32 d 192 168 1 1 dport 25 log prefix Mail for flubber This results in log output similar to 12 Jan 24 18 17 19 2000 klogd Mail...

Page 376: ...whether the authentication succeeded or failed and reason for the failure the user attempting authentication in this case root and the IP address from which the attempt was made Successful Telnet Com...

Page 377: ...ppliance stops functioning and becomes unusable until its flash is reprogrammed at the factory or a recovery boot is performed User care is advised UTM Firewall firmware revision numbers have the form...

Page 378: ...N port or switch directly to your PC using a straight cable 2 Login to your PC with administrator privileges 2000 XP NT4 only 3 Ensure there are no DHCP server programs or services Start Run Open serv...

Page 379: ...with antivirus software the UTM Firewall may be unable to contact the TFTP server on your PC To resolve the issue temporarily disable the software 4 The UTM Firewall device upgrade begins The LEDs on...

Page 380: ...restore factory default configuration power off the appliance and restart the recovery procedure from the beginning 12 When prompted select the appropriate final firmware image file sgu Each sgu file...

Page 381: ...ance s LAN port or first port of the UTM Firewall appliance s switch directly to your PC using a straight cable 7 Power off the appliance Press and hold the erase button while powering the appliance o...

Page 382: ...ower off the appliance 2 Push and hold in the erase button on the back panel of the UTM Firewall device 3 Plug in the power cord 4 Continue to hold the erase button for five seconds The UTM Firewall r...

Page 383: ...following line connect bin chat f etc config chat ttyS0 4 Add the following line to the bottom of the file passive 5 Click Finish 6 Connect the serial port of the appliance directly to the serial port...

Page 384: ...match those of the local PC On the UTM Firewall appliance 1 From the Network Setup menu click Network Setup The Connections page appears 2 Click the edit icon for the dial in connection 3 Select the...

Page 385: ...SG580 SG640 SG720 acld McAfee access control list daemon arp Manipulate the system ARP cache ash Busybox version of the Almquist Shell auth down McAfee program to run when pptp pptpd are brought up au...

Page 386: ...on Protocol Relay Agent diald Demand dialing daemon for IP links over phone lines discard Network utility that listens on the discard port dmesg Print or control the kernel ring buffer dnsmasq Caching...

Page 387: ...e system fsck msdos Check and repair MS DOS file systems fsck vfat Check and repair MS DOS file systems ftp Internet file transfer program gen keys SSH key generation program gen ssl cert McAfee opens...

Page 388: ...on insmod Simple program to insert a module into the Linux Kernel ip Show or manipulate routing devices policy routing and tunnels ip6tables IPv6 packet filter administration ipsec McAfee IPSec manage...

Page 389: ...status mkdir Make directories mkdosfs Create an MS DOS file system under Linux mke2fs Create an ext2 ext3 file system mkfs msdos Create an MS DOS file system under Linux mkfs vfat Create an MS DOS fi...

Page 390: ...of a running program ping Send ICMP ECHO_REQUEST packets to network hosts ping6 Send IPv6 pings pivot_root Tool to change root file system pluto IPSec IKE keying daemon pop3 proxy POP3 proxy server po...

Page 391: ...ate the IP routing table routef IP Route tool to flush IPv4 routes routel IP Route tool to list routes rrdtool Tool for creating round robin database files and for creating graphs rsasigkey Generate R...

Page 392: ...id ssh OpenSSH SSH client remote login program ssh keygen Authentication key generation management and conversion sshd OpenSSH SSH daemon sslwrap Program that allows plain services to be accessed via...

Page 393: ...ts query Test TrustedSource settings and query the reputation score of a server tune2fs Adjust tunable file system parameters on ext2 ext3 file systems udevadm udev helper application udevd udev daem...

Page 394: ...y for configuring WLAN Wireless LAN connections zcat Identical to gunzip c zebra Routing manager for use with associated components Table 40 Supported CLI programs and commands Comment continued Progr...

Page 395: ...s type of keying automatically exchanges encryption and authentication keys and replaces them periodically B Block cipher A method of encrypting text to produce ciphertext in which a cryptographic key...

Page 396: ...names and translates them into IP addresses A domain name is a meaningful and easy to remember name for an IP address DUN Dial Up Networking E Encapsulating Security Payload ESP Encapsulated Security...

Page 397: ...es ciphertext that is evenly distributed This makes it difficult to compress If one wishes to compress the data it must be done prior to encrypting The IPcomp header provides for this One of the probl...

Page 398: ...the local network MD5 Message Digest Algorithm Five is a 128 bit hash It is one of two message digest algorithms available in IPSec N NAT Network Address Translation The translation of an IP address u...

Page 399: ...route packets to their final destination RSA Digital Signatures A public private RSA key pair used for authentication The UTM Firewall appliance can generate these key pairs The public keys need to b...

Page 400: ...sociation of workstation names and locations with IP addresses X Z x 509 Certificates An x 509 certificate includes the format of the certificate the serial number of the certificate the algorithm use...

Page 401: ...4 enabling SNMP 353 alias IP address adding for interface 47 deleting for interface 47 aliases interface 47 allowing URL 211 antispam 233 antivirus 222 disabling 224 enabling 223 local USB storage 226...

Page 402: ...t display 370 direct edit 370 editing 368 uploading 370 configuring advanced Web Cache settings 140 advanced wireless features 92 DHCP 124 DHCP relay 130 DMZ connection 80 guest connection 82 IDB 196...

Page 403: ...r or relay 126 relay 130 server 123 DHCP Addresses page 126 DHCP relay configuring 130 DHCP Status page 124 dial on demand disabling 60 dial on demand connection enabling 59 dial out null modem 383 di...

Page 404: ...ased VLAN 101 QoS Autoshaper 142 route management 112 SNMP agent 353 source NAT rule 183 Web cache 133 erasing configuration and rebooting 365 EVDO 106 extended ISO date timestamping 356 extracting ce...

Page 405: ...Custom Firewall Rules 170 disabling 123 disabling for connection 48 enabling 123 IRC 191 K kill command 388 L L2TP VPN client 258 VPN server 251 L2TP IPSec tunnel deleting 256 LEDs 12 16 limitation po...

Page 406: ...P adding peer 327 adding server 326 null modem dial out 383 dial in 383 serial cable 383 O offloading IPSec VPN 306 online Help 21 Open Shortest Path First 115 OpenSSL 289 OSPF 115 P PAC file 133 pack...

Page 407: ...atus 264 relay configuring DHCP 130 DHCP 130 remote restoring configuration 331 system log 357 report technical support 22 reserving IP address 129 restoring firmware factory default settings 377 loca...

Page 408: ...log persistent remote 357 remote 357 System tab 355 T tab Local Syslog 356 TACACS server 339 tagged VLAN 100 tcpblast 393 technical support 21 report 22 test ping 360 trace route 360 Text Save Restor...

Page 409: ...31 VLAN 99 adding 99 adding port based 102 deleting port based 104 editing port based 104 enabling port based 101 limitations of port based 100 tagged 100 untagged 100 VPN disabling IPSec 267 IPSec 28...

Page 410: ...410 McAfee UTM Firewall 4 0 4 Administration Guide Index...

Page 411: ......

Page 412: ...700 2237A00...

Reviews:

No comments

Related manuals for SG310

Fortinet FortiGate-200 Quick Start Manual preview
FortiGate-200
Brand: Fortinet Pages: 2
Atlante Informatica AFEL Series User Manual preview
AFEL Series
Brand: Atlante Informatica Pages: 4
Fortinet FortiGate 5001A User Manual preview
FortiGate 5001A
Brand: Fortinet Pages: 40
Mackie D.2 Owner'S Manual preview
D.2
Brand: Mackie Pages: 28
Aaeon FWS-2271 User Manual preview
FWS-2271
Brand: Aaeon Pages: 100
Barracuda QSG 4.X Quick Start Manual preview
QSG 4.X
Brand: Barracuda Pages: 2
Barracuda CloudGen F93R Quick Start Manual preview
CloudGen F93R
Brand: Barracuda Pages: 6
PaloAlto Networks M-700 Hardware Reference Manual preview
M-700
Brand: PaloAlto Networks Pages: 54
Fortinet FortiGate FortiGate-ADM-XB2 Quick Start Manual preview
FortiGate FortiGate-ADM-XB2
Brand: Fortinet Pages: 1
Fortinet FortiGate FortiGate-5003 Quick Start Manual preview
FortiGate FortiGate-5003
Brand: Fortinet Pages: 2
Dell SonicWALL TZ400 Quick Start Manual preview
SonicWALL TZ400
Brand: Dell Pages: 16

Brands by name

Popular brands

Load more brands