Ronde & Schwarz GP-E User Manual Download Page 34

Page: 34 / 129

User Interface

R&S

GP-U/GP-E/GP-S/GP-T

User Manual 3646.3836.02 ─ 01

d) On the "Kerberos" tab, click the "Create Kerberos Key" button to generate the

Kerberos key.

The Active Directory is queried to validate the specified AD user and to obtain the
relevant information, such as the Kerberos key version number. With that informa-
tion, the gateprotect Firewall is able to generate a valid Kerberos key locally.

6. Activating SSO on the gateprotect Firewall

To enable SSO on the gateprotect Firewall, perform the following steps:

a) On the "Kerberos" tab, select the "Active" checkbox.
b) Click "Save" to store your settings.

7. Preparing the Windows client

The gateprotect Firewall installation medium contains the

UAClientSSO

Summary of Contents for GP-E

Page 1: ...R S GP U GP E GP S GP T gateprotect Firewall User Manual User Manual 3646 3836 02 01 T VT2 Cybersecurity ...

Page 2: ... Cybersecurity GmbH Mühldorfstr 15 81671 Munich Germany Phone 49 0 30 65 884 223 Email cybersecurity rohde schwarz com Internet cybersecurity rohde schwarz com Printed in Germany Subject to change Data without tolerance limits is not binding R S is a registered trademark of Rohde Schwarz GmbH Co KG Trade names are trademarks of the owners The following abbreviations are used throughout this manual...

Page 3: ...igation Pane 15 3 1 3 Desktop 15 3 2 Icons and Buttons 17 3 3 Firewall Rule Settings 19 3 4 Menu Reference 22 3 4 1 Firewall 22 3 4 1 1 License Settings 22 3 4 1 2 Updates Settings 23 3 4 1 3 Administrators 26 3 4 1 4 User Authentication 28 3 4 1 5 Server Access Settings 41 3 4 1 6 Command Center Settings 43 3 4 1 7 Time Settings 43 3 4 1 8 High Availability Settings 45 3 4 1 9 Backup 49 3 4 2 Net...

Page 4: ... 4 6 VPN User Groups 83 3 4 4 7 Networks 84 3 4 4 8 Host Groups 84 3 4 4 9 IP Ranges 85 3 4 4 10 VPN Hosts 86 3 4 4 11 VPN Groups 87 3 4 4 12 VPN Networks 88 3 4 4 13 Connections 89 3 4 5 Desktop 90 3 4 5 1 Services 90 3 4 5 2 Desktop Rules 90 3 4 6 UTM 91 3 4 6 1 Application Filter 91 3 4 6 2 URL Content Filter 93 3 4 6 3 Antivirus Settings 95 3 4 6 4 Email Security 98 3 4 6 5 Proxy 101 3 4 7 VPN...

Page 5: ...icates 114 3 4 8 2 Templates 117 3 4 8 3 OCSP CRL Settings 118 3 4 8 4 Trusted Proxy CAs 119 3 4 9 Monitoring 119 3 4 9 1 SNMP Settings 119 3 4 9 2 Syslog Servers 121 3 4 9 3 Logs 122 3 4 10 Network Tools 123 3 4 10 1 Ping Settings 124 3 4 10 2 Traceroute Settings 124 Index 127 ...

Page 6: ...Contents R S GP U GP E GP S GP T 6 User Manual 3646 3836 02 01 ...

Page 7: ...hat meets the high demands of complex network structures in industry and enterprise environ ments GP Tough the firewall solution specifically designed for challenging environments There are license based features that distinguish individual product models within the product lines from one another For more information about your specific gateprotect Firewall see the information on the relevant data...

Page 8: ...Description Graphical user interface ele ments All names of graphical user interface elements on the screen such as menu items buttons checkboxes dialog boxes list names are enclosed by quotation marks Top level menu item sub menu element A sequence of menu commands is indicated by greater than symbols between menu items and the whole sequence being enclosed by quota tion marks Select the submenu ...

Page 9: ...l documents such as technical specifications please visit the my gatepro tect portal at www mygateprotect com 1 5 About Rohde Schwarz Cybersecurity Rohde Schwarz Cybersecurity is an IT security company that protects companies and public institutions around the world against cyberattacks The company develops and produces technologically leading solutions for information and network security includi...

Page 10: ...About This Manual R S GP U GP E GP S GP T 10 User Manual 3646 3836 02 01 For more information visit our website at cybersecurity rohde schwarz com About Rohde Schwarz Cybersecurity ...

Page 11: ... and the factory default Password admin Figure 2 1 Logging on to the gateprotect Firewall 2 Click Login 3 After your first logon using the standard credentials the system prompts you to change your password The new password has to be at least six characters long You cannot skip this step The web client appears If you forget the new password entered contact the Rohde Schwarz Cybersecurity support t...

Page 12: ...Getting Started R S GP U GP E GP S GP T 12 User Manual 3646 3836 02 01 ...

Page 13: ...ent Chapter 3 2 Icons and Buttons on page 17 explains the meaning of the icons and buttons commonly used on the user interface and throughout this manual Chapter 3 3 Firewall Rule Settings on page 19 describes how a firewall rule for a connection between two desktop nodes is set up Chapter 3 4 Menu Reference on page 22 reflects the arrangement of the menu items in the navigation bar on the left si...

Page 14: ...by default see Chapter 3 1 2 Navigation Pane on page 15 the Rohde Schwarz Cybersecurity logo a language menu that allows you to select the language to be used in the web cli ent a user menu to end the current user session and return to the logon dialog a system menu to reboot or shut down power off your gateprotect Firewall and a help menu with links which provide access to a PDF version of the ga...

Page 15: ... Firewall reduces the corresponding list to show only those menu items or entries that contain the characters you are typ ing Click in the input field to delete the search string and display an unfiltered view of the list You can expand all menus in the navigation bar at once by clicking or collapse them by clicking in the upper right corner of the navigation bar Furthermore you can hide the navig...

Page 16: ... selection and the connection tool Use the selection tool for all actions on the desktop such as moving objects or selecting certain functions With the connection tool you can create or edit a connection between two desktop objects For further information see Chapter 3 3 Firewall Rule Settings on page 19 You can create an object on the desktop by clicking the respective desktop object button in th...

Page 17: ...and Buttons This topic explains the icons and buttons commonly used on the user interface and throughout this manual Icon Button Description Hide and show the navigation bar Move objects or select objects and functions on the desktop Create or edit a connection between two desktop objects Create an Internet object Create a host Create a host group Create a network Create an IP range Create a VPN h...

Page 18: ... blacklist whitelist to a file Import a backup from a file Export a backup to a file Create a list item in the item list bar Unfold a menu item to view subordinate items in the navigation bar Unfold a web filter category to view its subcategories Unfold a service category for firewall rules to view its subservices Hide subordinate menu items in the navigation bar Hide subcategories of a web filter...

Page 19: ...efined Service Along with the Connection panel a list of predefined services available for the con nection opens on the right side of the browser window The list of services can be col lapsed and expanded by clicking the appropriate icon For further information see Chapter 3 2 Icons and Buttons on page 17 The Filter input field at the top of the list helps you quickly find a particular service As ...

Page 20: ...ports port ranges and or protocols appear as an entry in the list You can edit or delete each single entry in the list by clicking the appro priate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 b In the Schedule tab you can specify the time when the firewall rule is active The tab provides the following options Set specific times and weekdays using th...

Page 21: ...ff by clicking the icon in the Action column You can choose between the following four options Off All traffic between source and destination desktop objects is dropped for this service Bidirectional All traffic between source and destination desktop objects is allowed for this service Left to right The desktop object on the left is allowed to send requests The desktop object on the right is allow...

Page 22: ...nstallation the gateprotect Firewall runs as a test version for 30 days You can see that it is a test version in the notification on the License Manager panel under Firewall License During this period of time it is not possible to create backups After this period of time the firewall remains active with your configuration However you are not able to make any changes and the HTTP and HTTPS protocol...

Page 23: ...ly downloaded from the update server and installed on the firewall quickly and has sle free In addition the update system is equipped with various functions for notifying the system administrator if there are new updates available Furthermore you can view a history of the imported updates To prevent any unauthorized or malicious updates from being installed on the firewall all gateprotect Firewall...

Page 24: ...pdate has been installed successfully Release Date Displays the date when the update was released Status Distinguishes between new updates and updates which have already been installed Note An update cannot be installed more than once Action Dependency If dependencies are met the Install action is allowed Otherwise a list of dependencies is dis played To meet the dependencies install the updates m...

Page 25: ...o one of the other values as nec essary Update Servers The standard update server is http www gatepro tect com updateserver You can add as many update servers as you like Enter the URL of an update server and click Add to put the update server on the list Note If the URL contains a fully qualified domain name FQDN you need to configure the DNS set tings Otherwise the FQDN cannot be resolved You ca...

Page 26: ... of administrators that are cur rently defined on the system in the item list bar The plus button above the list allows you to add new administrators In the expanded view the first table column displays the Name of the administrator The Admin column shows one of the following status indicators Green The administrator has been granted access to the web client Orange The administrator has not been g...

Page 27: ... Optional and for newly added administrators only if the Granting access checkbox is selected Select this checkbox if you want the administrator to change the password after the next logon Optional and for edited administrators only if the Change checkbox is selected Select this check box if you want the administrator to change the password after the next logon On the Webclient Permissions tab you...

Page 28: ...out and the new user is logged on Logging on to the firewall The gateprotect Firewall runs a special web server which only processes user logons It receives the user name and password With a user database which is created locally on the gateprotect Firewall an authentication service first verifies whether the user name and password are admissible If this logon fails and if a Microsoft Active Direc...

Page 29: ...ication item list bar as well Active Direc tory groups are a powerful tool to set up and maintain security policies for each user For example you allocate Active Directory users to certain Active Directory groups and then create firewall rules for these groups on the gateprotect Firewall Logging on Users can log on to the gateprotect Firewall in different ways Logging on via web browser on page 29...

Page 30: ...Click Login The authentication is carried out For security reasons the browser window in which the user logged on must remain open during the whole session Otherwise the user is logged out automatically after one minute to prevent unauthorized persons from accessing the firewall via a computer where a user has forgotten to log out Logging on via User Authentication Client UA Client The Windows bas...

Page 31: ... specified in the sAMAccountName attribute of the user Otherwise the name in the user specific firewall rules will not correspond to the user logging on to the client and the rules will not match 5 Enter the Password of the user 6 Optional Select the Remember password checkbox if you want the password to be saved for future logons 7 Optional Adjust the period of time for reconnection under Setting...

Page 32: ...es configured on the gateprotect Firewall concern ing these users are then automatically applied To realize SSO with the gateprotect Firewall in an Active Directory environment the following preconditions have to be met 1 As Kerberos is time critical make sure to set the same time NTP server for all components of SSO domain controller Windows client and gateprotect Firewall 2 Creating the user gpL...

Page 33: ...ed 3 Using the gpLogin user to query the Active Directory In the User Name input field under Authentication Server enter gpLogin 4 Configuring the Service Principal Name SPN Assign an SPN to the newly created user so that thegateprotect Firewall is able to create a position of trust regarding the domain controller To do so run the follow ing command on the domain controller setspn A gpLogin fw10 g...

Page 34: ...m puter For example if the host name of the gateprotect Firewall is fw96 and its IP address in the network of the client computer is 192 168 0 1 the target path for the installation of the UA SSO client is C Program Files R S Cybersecurity UA Client 3 0 UAClientSSO exe fw96 192 168 0 1 the UAClientSSO msi Microsoft installer file This file serves for the distribution of the client through a softwa...

Page 35: ... local users LDAP users and groups and unassigned users that are currently defined on the system in the item list bar Click Settings under the item list bar header to open the editor panel The User Authentication Settings panel allows you to configure the following ele ments Field Description ON OFF A slider switch indicates whether user authentication is active ON or inactive OFF By clicking the ...

Page 36: ...d to configure its set tings you first have to activate the Kerberos service on the Kerberos tab If Microsoft Active Directory Server is selected you can configure the fol lowing elements Field Description Host Enter the host name or the IP address of the direc tory server Note If you enter the host name of the directory server you need to configure the DNS settings Oth erwise the host name cannot...

Page 37: ...efine the location within the directory from where the directory search should start User Query Optional Specify the filter to be used to retrieve the list of users User ID Optional Define the attribute where the user identi fier is retrieved from The user names displayed in the web client are actually coming from this attribute of the LDAP User The user ID is retrieved from the sAMAccountName att...

Page 38: ...teprotect Firewall if necessary Domain Adjust the domain of your gateprotect Firewall so it matches the domain of the Active Directory if neces sary Local Users gateprotect Firewall offers local user administration for smaller companies without cen tral administration Use the Local Users settings to define and manage users by specifying the usernames and passwords that are authorized to connect to...

Page 39: ...store the reconfigured user or Reset to discard your changes You can click Close to shut the editor panel as long as no changes have been made on it The local users defined here are available for use in desktop objects for example VPN users LDAP Users It is possible to connect gateprotect Firewall to an external directory server via the Lightweight Directory Access Protocol LDAP to retrieve users ...

Page 40: ...controller To connect the user authentication to the Windows domain controller perform the fol lowing steps 1 Navigate to Firewall User Authentication 2 Click the Authentication Server tab 3 Enter the data of your domain controller All the users in the specified domain appear on the user list 4 Drag user icons onto the configuration desktop and assign rules to them The users have to enter the URL ...

Page 41: ...the gateprotect Firewall can be accessed from external networks or the Internet In addition you can determine how the gateprotect Firewall is to react for example to ping requests The Server Access settings only apply to external accesses to the gateprotect Fire wall for the defined users Accesses from the internal network are always possible Navigate to Firewall Server Access to open an editor pa...

Page 42: ...ewall via SSH external SSH access via the Internet is denied VPN only The same function as Deny How ever in this case SSH access from the Internet to the gateprotect Firewall via VPN is allowed Allow External SSH access to the gatepro tect Firewall via the Internet is allowed Note The Allow option provides SSH access to the gateprotect Firewall via the Internet The SSH access is useful for example...

Page 43: ...ents Field Description ON OFF A slider switch indicates whether the connection to the Command Center is active ON or inactive OFF By clicking the slider switch you can toggle the state of the connection The connection to the Command Center is deacti vated by default Host Enter the host name or IP address under which the Command Center is reach able from the gateprotect Firewall Port Enter the port...

Page 44: ...if the NTP Client checkbox is selected You can either use the prede fined NTP servers or add your own NTP servers to the list The standard NTP servers are de pool ntp org and europe pool ntp org You can add as many NTP servers as you like Enter the IP address or the fully qualified domain name of an NTP server in the input field Then click Add to put the NTP server on the list You can edit or dele...

Page 45: ...status of the paired sys tem The master machine synchronizes its configuration to the slave On the slave machine certain rules are applied which allow network communication with the master machine only If the slave system fails to detect a heartbeat signal from the master it takes over the role of the master system in the event of power outage or hardware failure shutdown When the slave machine ta...

Page 46: ...stems of the same hardware type for example GP U 300 with GP U 300 or GP S 1600 with GP S 1600 and software version Furthermore a free network interface NIC is required on both systems in other words a network interface that is not currently used by any other interface like VLAN or bridge or any network connection For more information see Chap ter 3 4 2 1 Interfaces on page 53 and Network Connecti...

Page 47: ...nized and ready High Availabil ity is enabled on the firewall the other firewall is reachable and synchronized Current Role Displays whether the gateprotect Firewall is config ured as a master or a slave machine Initial Role Select the respective radio button to specify the role which the gateprotect Firewall is to play in the HA cluster Master The gateprotect Firewall is active and synchronizes i...

Page 48: ...ilability configuration and operate it as a standalone system reinstall your gateprotect Firewall For further information see Disabling High Availability Configurations on page 48 Updating High Availability Configurations When High Availability is enabled the following considerations apply regarding the updating of the High Availability configurations In a High Availability configuration system up...

Page 49: ...t The options under Backup allow you to schedule regular backups of the current system configuration to back up the system configuration manually and to restore previous configurations Backups can be created once a license has been imported that is to say not during the test period of 30 days For more detailed information on backups see the following sections Automatic Backup Settings The Auto Bac...

Page 50: ... the user s password Server Type Select the respective radio button to specify which network protocol is used to upload the backups to the server The option is set to FTP by default but you can adjust the settings to SCP as necessary Filename Enter a name for automatically created backup files Encryption Password Enter a password for the encryption of the backup files The password can consist of u...

Page 51: ... MM DD YYYY format or use the date picker to set a date You can also set a time by entering the time in the hh mm ss format Under Interval and Unit define how often the configuration is backed up automatically Set the interval by entering a number or using the up and down arrows The option is set to 1 by default Then select one of the unit options from the drop down list The option is set to days ...

Page 52: ...s allowed are letters of the English alphabet integers and the special characters _ Show Password Optional Select this checkbox to verify the pass word Use auto backup password Optional Select this checkbox if you want to use the encryption password set for the creation of auto matic backup files see Automatic Backup Settings on page 49 instead of entering a new one If you want to export the backu...

Page 53: ...WLAN routing policies and DHCP settings 3 4 2 1 Interfaces Navigate to Network Interfaces to configure Ethernet VLAN Bridge PPP and WLAN interfaces The item list bar displays an overview of all interfaces which are cur rently defined on the system Ethernet Interfaces The physical Ethernet Interfaces receive the following default IP addresses 192 168 X 254 24 X being the number of the interface i e...

Page 54: ...connected to the interface e g twisted pair ON OFF A slider switch indicates whether the Ethernet interface link is active ON or inactive OFF By clicking the slider switch you can toggle the state of the Ethernet interface link MTU Set the maximum size of each packet in bytes The Maximum Transmission Unit can be any integer from 64 to 16384 If you modify the settings click Save to store your chang...

Page 55: ...rface panel displays the following information and allows you to config ure the following elements Field Description ON OFF A slider switch indicates whether the VLAN interface is active ON or inactive OFF By clicking the slider switch you can toggle the state of the VLAN interface A new VLAN interface is enabled by default Name Displays the name of the VLAN interface The name is generated automat...

Page 56: ...me of the bridge interface The Status column shows one of the following status indicators Green The bridge interface is enabled Orange The bridge interface is disabled Furthermore the Ports that are assigned to the bridge interface are displayed The buttons in the last column allow you to view and adjust the settings for an existing bridge interface create a new bridge interface based on a copy of...

Page 57: ... to configure the Priority and the Cost for the respective port and to remove the port from the bridge interface The buttons at the bottom right of the editor panel depend on whether you add a new bridge interface or edit an existing bridge For a newly configured bridge interface click Create to add the bridge to the list of available bridge interfaces or Cancel to dis card your changes To edit an...

Page 58: ... of LCP echo failures after which the peer is considered dead by entering an integer value from 0 to 64 If you enter 0 failures are ignored MTU Set the maximum size of each packet in bytes The Maximum Transmission Unit can be any integer from 64 to 16384 MRU Specify the Maximum Receive Unit by entering an integer value from 128 to 16384 The buttons at the bottom right of the editor panel depend on...

Page 59: ...r the WLAN interface is active ON or inactive OFF By clicking the slider switch you can toggle the state of the WLAN interface Name Displays the name of the WLAN interface wlan0 The name is automatically generated Device Status Displays the status of the device The status can be one of the following Plugged a wireless USB flash drive is connected to the gateprotect Firewall Unplugged a previously ...

Page 60: ...e are displayed The buttons in the last column allow you to view and adjust the settings for an existing network connection create a new connection based on a copy of an existing network connection or delete a network connection from the system For further information see Chapter 3 2 Icons and Buttons on page 17 Network Connections Settings Use the Network Connections settings to configure custom ...

Page 61: ...the IP address to the list You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 Note If you edit an IP address a check mark appears on the right of the entry Click the check mark to be able to save the settings of the IP address Obtain Gateway Only available if the selected conn...

Page 62: ...ich provides the fol lowing options Set specific times and weekdays using the sliders Always On The connection is always enabled Always Off The connection is always disabled The buttons at the bottom right of the editor panel allow you to confirm your changes to the time restrictions OK and to reject your changes Cancel The editor panel closes and the chosen option is displayed to the left of the ...

Page 63: ...e entry Click the check mark to be able to save the settings of the backup con nection The buttons at the bottom right of the editor panel depend on whether you add a new network connection or edit an existing connection For a newly configured network con nection click Create to add the connection to the list of available network connec tions or Cancel to reject the creation of a new network conne...

Page 64: ...int to Point Protocol that are currently defined on the system in the item list bar In the expanded view the columns of the table display the Name of the connection whether it is Active or not its Interface and the Type of the connection The but tons in the last column allow you to view and adjust the settings for an existing PPP connection create a new connection based on a copy of an existing co...

Page 65: ...ke authentication for Microsoft Username Enter the username required to connect to your Internet service provider Password Enter the password required to connect to your Internet service provider PPTP Server IP If you chose PPTP as connection type enter the IP address of the PPTP server MPPE If you chose PPTP as connection type select the Microsoft Point to Point Encryption key length mppe 40 mppe...

Page 66: ...Click Add to add another test to the list For information on configuring the reacha bility test see Heartbeat Settings on page 66 You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 Use as backup connec tion Select this checkbox if you want to configure the connection as backup...

Page 67: ...eless USB flash drive to create a wireless access point in your network Connect a compatible wireless USB adapter to the USB port of your gateprotect Fire wall to configure a wireless access point A successful configuration allows wireless cli ents to connect to this access point to join the wireless local area network WLAN Navigate to Network Connections WLAN Settings to display and edit the WLAN...

Page 68: ...o supply this password in order to establish a secured connection to the gateprotect Firewall On the Advanced tab Field Description Channel Width If you selected an or gn as the communication mode you can now select the channel width from the drop down list Disabled HT 40 40MHz below the selected channel for the channels 5 to 13 in mode g HT40 40MHz above the selected channel for the channels 1 to...

Page 69: ...uting rules The routing settings allow you to define custom routes that are used to reach devices on a given destination network Routes between network objects are created automatically and hidden You should not normally need to create routes unless you have an upstream router that requires spe cial routes To influence traffic between network objects create a firewall rule as described under Chapt...

Page 70: ...ppropriate button next to an entry The Edit Route panel allows you to configure the following elements Field Description Interface Select an interface for the route Destination Enter the IP address of the destination network in CIDR notation IP address followed by a slash and the number of bits set in the subnet mask for example 192 168 50 0 24 Gateway Enter an IP address as the gateway for this r...

Page 71: ...o define which traffic should be routed where The buttons in the right column allow you to view and adjust the settings of a routing rule or delete a rule from the system For further information see Chapter 3 2 Icons and Buttons on page 17 System routing rules cannot be modified or deleted To close the Routing Rules panel click in the upper right corner of the panel Routing Rules Settings Under Ne...

Page 72: ...click Create to add the rule to the list of available routing rules or Cancel to reject the creation of the new rule To edit an existing rule click Save to store the reconfigured rule or Reset to discard your changes You can click Close to shut the editor panel as long as no changes have been made on it Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4...

Page 73: ...re distributed by the DHCP server Range Start IP Enter a start IP to specify the range of IP addresses that are distributed to the client computers Range End IP Enter an end IP to specify the range of IP addresses that are distributed to the client computers Note Make sure that the permanent IP addresses are not inside the IP address range of the DHCP server as permanent IP addresses are not exclu...

Page 74: ... to another network because DHCP requests cannot be routed Field Description DHCP Server IP Address Enter the IP address of the server to which the DHCP requests will be redirec ted Relay through these interfaces Select one or more interfaces from which DHCP requests will be forwarded Also select the interface that the DHCP server is connected to The buttons at the bottom right of the editor panel...

Page 75: ...f it has no fixed public IP address This is accomplished by sending the current IP address to a DynDNS provider that maps it to a domain name so that the firewall is accessible using that domain name If the IP address changes due to a DSL disconnect forced by your Internet service provider for example the IP address is re sent to the DynDNS pro vider This ensures that the dynamic DNS always points...

Page 76: ...r Show Password Optional Select this checkbox to verify the password Custom Server Address Optional Enter the address of the server if your DynDNS provider requires the definition of a different server address MX Record Optional If you wish to use an MX record enter its IP address or hostname Wildcards Optional Select this checkbox to activate the possibility to use wildcards in host names if you ...

Page 77: ... mark appears on the right of the entry Click the check mark to apply your changes Click to change the priority of an entry The first entry in the list has the highest priority The buttons at the bottom right of the editor panel allow you to shut Close the editor panel as long as no changes have been made and to store Save or to discard Reset your changes Click Activate in the toolbar at the top o...

Page 78: ...s VPN and IP ranges The created objects are displayed as nodes on the desktop and can be used as sources and or destinations in connections to apply firewall rules The item list bar displays all network objects that are defined on the system If you click on an entry in the item list bar the respective desktop object is highlighted on the desk top All connections it is used in are highlighted as we...

Page 79: ...d other network objects such as VPN objects etc A host for example a printer or a VoIP phone can be assigned a dedicated IP address so that firewall rules can be spe cifically applied to it For further information on creating firewall rules see Chapter 3 3 Firewall Rule Settings on page 19 Hosts Overview Navigate to Network Objects Hosts to display the list of host objects that are cur rently defi...

Page 80: ...ween the users and other network objects such as VPN objects etc The menu Network Objects Users only serves to create desktop objects for users that already exist in the system For information on how to add and manage users see Chapter 3 4 1 4 User Authentication on page 28 Users Overview Navigate to Network Objects Users to display the list of user objects that are cur rently defined on the syste...

Page 81: ...isting user group object create an object based on a copy of an existing user group or delete an object from the system For further information see Chapter 3 2 Icons and Buttons on page 17 User Groups Settings The User Group settings allow you to configure the following elements Field Description Object Name Specify a name for the user group Color Select the color to be used for this object on the...

Page 82: ...you to view and adjust the settings for an existing VPN user object create an object based on a copy of an existing VPN user object or delete an object from the system For further information see Chapter 3 2 Icons and Buttons on page 17 VPN Users Settings The VPN User settings allow you to configure the following elements Field Description Object Name Specify a name for the VPN user object Color S...

Page 83: ...oup Color Select the color to be used for this object on the desktop User Select the users you want to add to the VPN user group The left hand list displays the users belonging to the group The right hand list displays the users available in the system that do not belong to the group To add a user to the group click Click if you want to add all available users at once To remove a user from the gro...

Page 84: ...t Firewall via the IP address of this network object This allows your gateprotect Firewall to apply user specific firewall rules to the user being logged on Interface Select the interface that the network is connected to Network IP Enter the IP address of the network in CIDR notation IP address followed by a slash and the number of bits set in the subnet mask for example 192 168 50 0 24 The button...

Page 85: ...s and Buttons on page 17 Note If you edit an entry a check mark appears on the right of the entry Click the check mark to apply your changes The buttons at the bottom right of the editor panel depend on whether you add a new host group or edit an existing group For a newly configured group click Create to add the group to the list of available host groups or Cancel to discard your changes To edit ...

Page 86: ...ce click the Use DHCP IP range button at the bottom left of the editor panel The buttons at the bottom right of the editor panel depend on whether you add a new IP range or edit an existing IP range For a newly configured IP range click Create to add the IP range to the list of available IP ranges or Cancel to discard your changes To edit an existing IP range click Save to store the reconfigured I...

Page 87: ... or Cancel to discard your changes To edit an existing host click Save to store the reconfigured object or Reset to discard your changes You can click Close to shut the editor panel as long as no changes have been made on it Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 4 11 VPN Groups Create VPN groups that can be used to create connections betwee...

Page 88: ...ges To edit an existing group click Save to store the reconfigured group or Reset to dis card your changes You can click Close to shut the editor panel as long as no changes have been made on it Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 4 12 VPN Networks Create a VPN network object that can be used to configure firewall rules for VPN Site to Si...

Page 89: ...ous network objects that are defined on the system Connections Overview In the expanded view the columns of the table display the nodes of the connection The buttons in the last column allow you to view and adjust the settings for an existing connection create a connection based on a copy of an existing connection or delete a connection from the system For further information see Chapter 3 2 Icons...

Page 90: ...ontent filters and the application filter see Chap ter 3 4 6 2 URL Content Filter on page 93 and Chapter 3 4 6 1 Application Filter on page 91 3 4 5 Desktop The Desktop settings display a list of all available services and the firewall rules defined in the system 3 4 5 1 Services Navigate to Desktop Services to display a list of all services available in the system When you click a service in the ...

Page 91: ...tion dialog opens For more detailed information on how to create firewall rules and editing connections see Chapter 3 3 Firewall Rule Set tings on page 19 and Chapter 3 4 4 13 Connections on page 89 To close the Desktop Rules panel and return to the desktop click in the upper right corner of the panel 3 4 6 UTM The UTM settings allow you to create and edit application filter profiles define URL co...

Page 92: ...lect this checkbox to enable SSL interception With SSL interception the gateprotect Firewall can evaluate the incoming traffic routed through SSL encrypted connections and apply the configured application filter profile to it In the Rules section Select the applications to be added to the profile The table groups the applications by Category Use the Filter field to narrow the list of applications ...

Page 93: ...or usage and block all others For example if the subcategory Shopping is on the blocking list but you want to allow access to the URL http www amazon de this URL must be entered into a whitelist If websites do not contain any verifiable terms in their URLs a URL filter on its own is not enough Therefore the gateprotect Firewall also filters the HTTP data communica tion by the content of the websit...

Page 94: ...ew Navigate to UTM URL Content Filter URL Content Filter to display the URL and content filters currently defined on the system In the expanded view the columns of the table display the Name of the filter and the number of selected content filter blacklist and whitelist entries The buttons in the last column allow you to view and adjust the settings for an existing URL and content filter create a ...

Page 95: ...r sin gle characters To create the Blacklist or Whitelist you can enter the search terms directly or use regular expressions RegEx RegEx Description Example Placeholder for any single character ho me e g home hole Any number of repetitions of the charac ter hom e g hom homm Any number of characters ho e e g home house Start of a line home home only at the start of the line End of a line home home ...

Page 96: ...eckbox is pre selected by default Clear the checkbox if you do not want the antivirus scanner to check compressed files for viruses Block files containing viruses This checkbox is pre selected by default Clear the checkbox if you do not want the antivirus scanner to scan attachments in emails and to block files with clearly identified viruses If a virus is detected the recipient will receive the e...

Page 97: ...s and servers to a whitelist Data trans mitted from these hosts via HTTP or FTP is not scanned for viruses Under Trusted Hosts enter the IP address or the domain name Click Add to add the host or server to the whitelist You can use wildcards for whole words for single characters to include subdo mains You can edit or delete each single entry in the list by clicking the appropriate button next to a...

Page 98: ...ngle entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 Note If you edit an entry a check mark appears on the right of the entry Click the check mark to apply your changes The buttons at the bottom right of the editor panel allow you to shut Close the editor panel as long as no changes have been made and to sto...

Page 99: ...imported from a text file by clicking Import and opening the file The default maximum file size for imports is 1 mega byte Each non empty line of the selected text file adds an entry to the list You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 You can export the complete mai...

Page 100: ...are identified as spam The subject tag can be any text and contain the variables SUBJECT original subject of the spam email SPAMCLASS and SPAMCLASSNUM spam category By clicking the subject tag format is set to the default SPAM SUBJECT Mail Lists You can specify a blacklist and or a whitelist by adding as many email addresses as you like into the respective list Both mail lists can be applied at th...

Page 101: ...rwards all requests which arrive on port 80 HTTP automatically through the proxy default setting If you choose the Intransparent mode the HTTP proxy of the gateprotect Fire wall must explicitly be addressed on port 10080 The elements in the Intransparent mode settings section can only be configured if you select the intransparent mode for the HTTP proxy Field Description Authentication Select the ...

Page 102: ...or a whitelist by adding as many domains as you like into the respective list Both lists can be applied at the same time Domains in the blacklist are blocked by the gateprotect Firewall and cannot be accessed by users Domains in the whitelist are accepted by the HTTPS proxy without analysis and become directly available to the users browser No certificates are created This is necessary for service...

Page 103: ...discard Reset your changes Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 7 VPN Use the VPN settings to configure the gateprotect Firewall for use as a virtual pri vate network server to provide Client to Site C2S VPN connections which enable remote computers to securely access resources on the local network via IPsec and VPN SSL and as a Site to Si...

Page 104: ...onnections Settings on page 111 Site to Site VPN Connections With a Site to Site connection two locations are connected using an encrypted tunnel to a virtual network and exchanging data through this tunnel The two locations can have fixed IP addresses Authentication is either effected with IPsec using issued cer tificates or a so called PSK preshared key or with VPN SSL using certificates IPsec I...

Page 105: ...s of the address range from which IP addresses are assigned to clients This address range must not overlap any of your local net works Local IP Enter the local IP address which the gateprotect Firewall uses for communica tion with the clients DNS IP Optional Enter the DNS server address which is transmitted to the client when the connection is established WINS IP Optional Enter the WINS server add...

Page 106: ...L connections Click Add to add the route to the list You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further informa tion see Chapter 3 2 Icons and Buttons on page 17 Note If you edit an entry a check mark appears on the right of the entry Click the check mark to apply your changes On the Client to Site tab Field Description Protocol Sel...

Page 107: ...as no changes have been made and to store Save or to discard Reset your changes Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 7 3 VPN Connections Under VPN Connections you can create and manage VPN connections IPsec Connections The gateprotect Firewall allows you to provide VPN access to remote clients via IPsec IPsec Client to Site and to create a...

Page 108: ...ollowed by a slash and the number of bits set in the subnet mask for example 192 168 1 0 24 Note For full tunneling enter 0 0 0 0 0 Client IP Optional and for gateprotect VPN client and Client to Site connections only Enter the IP address under which the client is reachable Use L2TP Optional and for Client to Site connections only This checkbox is cleared by default You can select the checkbox if ...

Page 109: ...he username the firewall uses in XAUTH client mode to authenticate towards the remote end XAUTH Password Enter the password the firewall uses in XAUTH client mode to authenticate towards the remote end Show Password Optional Select this checkbox to verify the password Host certificate Select a certificate which the gateprotect Firewall uses to authenticate towards the remote end The private key fo...

Page 110: ...b you can select the encryption and authentication algorithms for the IPsec SA negotiation quick mode Field Description Encryption algorithm Select the cryptographic hash to verify the message Authentication algo rithm Select the algorithm to encrypt the message Lifetime Specify the timeout in seconds after which the IPsec SA expires and a new exchange is performed Note This only has an indirect i...

Page 111: ...to Site VPN SSL Connections Overview Navigate to VPN VPN Connections VPN SSL Connections to display the list of VPN SSL connections that are currently defined on the system in the item list bar In the expanded view the columns of the table display the Name of the VPN SSL connection the Certificate used in the connection the Status and the Type of the connection The buttons in the last column allow...

Page 112: ...ction with your gateprotect Firewall serving as a client is established The elements in the settings section depend on the selected connection type For Client to Site gateprotect VPN client connections you can configure the following elements Field Description Set default gateway Select this checkbox to use the VPN SSL tunnel as default route i e for full tunneling Client IP Optional You can manua...

Page 113: ...ettings For more informa tion see Chapter 3 4 7 2 VPN SSL Settings on page 105 Host Enter the network IP address under which the remote end is reachable Click Add to add a network to the list If you add more than one network an automatic failover occurs in case the first network is not reachable The gate protect Firewall then successively tries to reach the networks on the list until one network i...

Page 114: ...d by the other firewalls to use it If the other firewalls require the ability to create certificates for mostly local purposes which are however recognized as valid to your whole organization you can use multi staged certification chains Therefore you need a so called root CA certificate on your central firewall with which you sign the secondary CA certificates You need to create requests for thes...

Page 115: ...he certificate type was set to VPN Certificate Webserver Certificate Secondary CA or HTTPS Proxy CA you can now select the certificate authority that is to be used to sign the new certificate This CA will be the parent CA that is used to verify or to revoke the certificate CA Password Optional Enter a password for the private key of the signing CA if the certificate type was set to VPN Certificate...

Page 116: ...CRL Settings on page 118 CRL Optional and only available for CAs Select the checkbox to activate validation via CRL Certificate Revocation List for the CA and its subcertificates For more information see Chapter 3 4 8 3 OCSP CRL Settings on page 118 Addresses for OCSP Responder CRL Down load Optional and only available for CAs Define base URLs for OCSP and CRL by entering a URL and clicking Add Th...

Page 117: ...hority that is used by the HTTPS proxy to sign the fake interception certificates This CA must be trusted in the browsers of all clients 3 4 8 2 Templates To ease the creation of new certificates you can use templates to prepopulate the input fields regarding the Distinguished Name and the Subject Alternative Names Templates Overview Navigate to Cert Management Templates to display the list of tem...

Page 118: ...vices to allow clients to verify the validity of certifi cates issued by the central firewall If co workers quit their job or a private key gets lost the corresponding certificate must be blocked to assure the company s security This has to be done on the firewall which issued the certificate The deletion of the certificate on the issuing firewall always includes the revocation of the certificate ...

Page 119: ...As Navigate to Cert Management Trusted Proxy CAs to display the list of custom and system certificate authorities that are currently defined on the system in the item list bar and that the SSL proxy trusts for external connections In the expanded view the first column of the table displays the Name of the CA certif icate The buttons in the last column allow you to view the settings for an existing...

Page 120: ...tening Port Optional Specify the port number on which the service will be listening Port number 161 is pre defined by default Protocol Version From the drop down list select the version of the SNMP protocol to be used Depending on the version selected additional options become available Ver sion v2c is pre selected by default Community String Only available if the selected Protocol Version is v2c ...

Page 121: ...ation Base MIB sysContact The buttons at the bottom right of the editor panel allow you to shut Close the editor panel as long as no changes have been made and to store Save or to discard Reset your changes Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 9 2 Syslog Servers The gateprotect Firewall can be used to configure multiple external syslog ser...

Page 122: ... at the top of the desktop to apply your configuration changes 3 4 9 3 Logs The gateprotect Firewall stores records of system events status information errors and other communication in a log database The Logs panels display the contents of the logs If a problem occurs you may be able to find technical details about the cause of the problem by viewing these logs The logs are automatically reloaded...

Page 123: ...ontain the following information Column Description Time The timestamp of the log entry Type The message type which can be one of the following OK the service is working correctly Error an error occured and an error message is displayed Service The name of the service that created the entry such as Server or VPN Message The log message itself You can filter the contents of the system log The Messa...

Page 124: ...you to configure the following Parameters Field Description Destination Enter the valid network address to ping Request Count Select the number of ICMP echo request packets to be sent to the target You can choose any integer from 1 to 10 from the drop down list The default num ber is set to 4 Click Run to start pinging The Output area displays the output of the ping com mand If the other device re...

Page 125: ...y to the destination The default number is set to 30 but you can enter any integer from 1 to 255 If the destination is not reached before this threshold probe packets are discarded Click Run to start tracerouting The Output area displays the list of gateways trav ersed along the way The Close button at the bottom of the panel allows you to shut the panel and return to the complete overview of your...

Page 126: ...User Interface R S GP U GP E GP S GP T 126 User Manual 3646 3836 02 01 Menu Reference ...

Page 127: ...LDAP user 39 openLDAP setup 35 DNS 74 DynDNS accounts 75 E Email security 98 Ethernet interfaces Network 53 F Firewall rules 19 90 Firewall settings 22 G GUI see web client 13 H Header area 14 High Availability HA 45 Host groups 84 Hosts 79 HTTP proxy 101 I Icons 17 Interfaces Network 53 Internet objects 78 IP ranges 85 IPsec 107 IPsec settings 104 Item list bar 15 K Kerberos service see directory...

Page 128: ...L 118 Ping 124 QoS connections 77 Quality of Service QoS 76 Server access 41 SNMP 119 Time settings 43 Traceroute 124 Updates 23 URL Content filter 93 User authentication 35 VoIP proxy 102 VPN SSL 105 WLAN 67 Single sign on see user authentication 29 SNMP 119 SSL proxy 119 SSO see user authentication 29 Syslog servers 121 System date and time see time settings 43 System log 123 T Templates Certifi...

Page 129: ...ngs 105 VPN connections 107 VPN groups 87 VPN hosts 86 VPN networks 88 VPN SSL 111 VPN SSL settings 105 VPN user groups 83 VPN users 82 W WAN 74 DNS settings 74 DynDNS accounts 75 QoS connections 77 QoS settings 76 Web client 13 Desktop 15 Header area 14 Item list bar 15 Navigation bar 15 Navigation pane 15 WLAN 67 Interfaces 58 Settings 58 WLAN interfaces Network 58 ...

Search results

Summary of Contents for GP-E

Reviews:

Brands by name

Popular brands

Ronde & Schwarz GP-E, User Manual

Search results

Summary of Contents for GP-E

Reviews:

Brands by name

Popular brands