Home
/
Symantec
/
Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series
/
Administration Manual

Symantec Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series, Administration Manual, Page: 162 / 861

Share

Page: 162 / 861

Symantec Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series Administration Manual Download Page 162

162

Defining your security environment
Defining traffic endpoints with network entities

■

“Creating a packet filter”

■

“Configuring tunnels”

Defining a network or subnet with a subnet entity

A subnet entity is a group of hosts defined by a network address and netmask. You typically use subnet
entities to define whole networks, or subnetworks within a particular IP address range. The group of
hosts can sit either on the protected network, or on the public network.

You can create subnet entities to define a range of IP addresses that serve as the source or destination
of traffic in a rule, removing the requirement to create a separate access rule for each host. You can use
subnet entities to specify the source and destination of traffic controlled by packet filters and address
transforms, as well as the real or NAT subnet in a NAT pool. You can also use a subnet entity as the
local or remote endpoint in VPN tunnels.

By default, the security gateway ships with a subnet entity called Universe. The Universe subnet entity
has an IP address of 0.0.0.0 and a subnet mask of /0. The Universe subnet entity is similar to a wildcard
that defines the set of all valid IP addresses. You can use this entity in rules that apply to any IP
address, but you should only use it in these rules when any host can have access; do not use this entity
in a rule when you want to restrict access to only a defined set of hosts.

Prerequisites

None.

To define a network or subnet with a subnet entity

1

In the SGMI, in the left pane, under Assets, click

Network

.

2

In the right pane, on the Network Entities tab, click

New > Subnet Network Entity

.

3

In the Subnet Network Entity Properties dialog box, on the General tab, do the following:

4

Optionally, on the Spoof Protection tab, apply spoof protection to the subnet network entity by
specifying which interfaces are associated with it.
In the Available list, select one or more interfaces. To associate them with the subnet network
entity, click the right-arrow >> button, which moves them to the Selected list.
To remove an association, in the Selected list, select an interface and click the left-arrow << button
to move it to the Available list.

5

Optionally, on the Description tab, type a more detailed description than you typed in the Caption
text box.

6

Click

OK

.

7

Optionally, do one of the following:

■

To save your configuration now and activate later, on the toolbar, click

Save

.

■

To activate your configuration now, on the toolbar, click

Activate

.

When prompted to save your changes, click

Yes

.

8

Use the subnet network entity for any of the following:

■

To specify the source or destination of traffic in rules and packet filters.

■

To specify the local or remote endpoint in an IPsec static or gateway-to-gateway VPN tunnel.

Entity name

Type a name for the subnet entity.

Network address

Type the IP address of the subnet.

Netmask

Type the subnet mask.

Caption

Type a brief description of the subnet entity.

«
...
160
161
162
163
164
...
»

Summary of Contents for Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series

Page 1: ...ec Gateway Security 5000 Series v3 0 Administration Guide Supported hardware platforms Symantec Gateway Security 5600 Series Symantec Gateway Security 5400 Series Symantec Clientless VPN Gateway 4400...

Page 2: ...s may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged The product described in this document is distributed under licenses restricting its use copy...

Page 3: ...lable 24 hours a day 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support program Advanced features such as the Symantec Alerting Service and Technica...

Page 4: ...Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information features language availability local dealers Latest info...

Page 5: ...gging on to the SGMI from a browser 26 Avoiding hostname mismatches 27 Using the SGMI home page 29 Viewing Quick Status 29 Accessing commonly used configuration wizards 30 Viewing DeepSight s ThreatCo...

Page 6: ...Viewing installed licenses 88 Obtaining licenses 89 Installing licenses 94 Removing all license files 95 Enabling and disabling security gateway features 96 Backing up and restoring configurations 98...

Page 7: ...network or subnet with a subnet entity 162 Defining a registered domain with a domain name network entity 163 Creating security gateway network entities for use in tunnels 164 Creating a network enti...

Page 8: ...ugh the firewall 270 Understanding and using rules 271 How rules are applied 271 Planning to create rules 272 Configuring rules 272 Rule examples 280 Configuring HTTP FTP and mail SMTP and POP3 rules...

Page 9: ...ter 10 Providing remote access using VPN tunnels About VPN tunnels 373 Understanding gateway to gateway tunnels 374 Understanding Client VPN tunnels 374 Tunnel endpoints 375 Tunnel indexes 376 Tunnel...

Page 10: ...435 Adding resource links to portal pages 436 Adding a corporate name and logo 437 Adding news items to a portal page 437 Removing news items from a portal page 438 Assign the portal page to a role 4...

Page 11: ...ing a client program notification 488 Configuring an email notification 489 Configuring a pager notification 490 Configuring SNMPv1 and SNMPv2 notifications 491 Integrating Symantec DeepSight Threat M...

Page 12: ...r clustering 530 Modifying the RIP daemon for use with clusters 533 Using hot standby mode 533 Configuring gateway to gateway VPN tunnels that use NAT 534 Backing up and restoring cluster configuratio...

Page 13: ...ring Profile Properties General tab 649 URL Ratings tab 650 Newsgroups tab 651 Newsgroup Profiles 652 Client Compliance 653 Policy Parameters 654 Assets field descriptions 655 Network Entities 655 Net...

Page 14: ...775 Configuration reports 775 Client VPN Package Wizard 776 Remote Access Tunnel Wizard for Client VPN 777 Remote Access Tunnel Wizard for Clientless VPN 782 Gateway to Gateway Tunnel Wizard 786 Glob...

Page 15: ...among multiple security gateways Symantec includes an optional high availability load balancing HA LB component These features provide access control and security enforcement on traffic passing throug...

Page 16: ...used protocols such as FTP HTTP NNTP POP3 and SMTP are predefined on the security gateway Over 150 protocols are included Unless specifically stated otherwise when this manual describes how traffic i...

Page 17: ...ymantec Client VPN software connects to the security gateway from either inside the protected network or from a remote location through the Internet Gateway to gateway VPN tunnel configurations A gate...

Page 18: ...The security gateway offers settings to help prevent denial of service attacks which are caused by large container files or files that contain multiple embedded compressed files You can also protect y...

Page 19: ...date HTTP inclusion exclusion lists Configure rules for the HTTP proxy based on inclusion and exclusion lists This includes URL address URL pattern matching MIME type and file extensions Configuring...

Page 20: ...s that are not critical such as FTP Telnet or Web servers These services are avenues of attack If they are removed blended threats have fewer exploitation points and you have fewer services to maintai...

Page 21: ...ltaneous access to the security gateway For example the administrator who configures the security gateway can log on at the same time as an administrator who is responsible for monitoring log messages...

Page 22: ...on from a browser The logon procedure can be affected by the computer from which you are connecting to the security gateway appliance the version of JRE that is running on it and the browser you use R...

Page 23: ...ame of the security gateway you want to manage in one of the following formats https 10 161 131 12 2456 2 In the Security Alert dialog box verify the temporary certificate that is generated by the app...

Page 24: ...c click Yes 13 If you had JRE 1 5 installed before you began the logon procedure with the Advanced Shortcut Creation option set to Prompt user a Create shortcut s dialog box is displayed To create an...

Page 25: ...he Java Application Cache Viewer on the User tab highlight the application that is identified by the URL you used to connect to the appliance 6 On the Application menu click Remove Shortcuts 7 On the...

Page 26: ...ou are warned that you have read only access You can continue the logon procedure and view status and configurations in the SGMI but you cannot make any changes If necessary you can gain write access...

Page 27: ...from the desktop on page 25 Avoiding hostname mismatches When the security gateway is configured for the first time a certificate is created for host domain the default host name of the security gate...

Page 28: ...age Symantec Gateway Security 5000 Series v3 0 appliances from your computer you can use the Web Start application to uninstall the SGMI application Uninstalling the SGMI from your management computer...

Page 29: ...correlation service if there is Internet access Figure 2 1 SGMI home page The following topics describe the Homepage in more detail Viewing Quick Status Accessing commonly used configuration wizards...

Page 30: ...4 Configuring HTTP FTP and mail SMTP and POP3 rules with the Firewall Rule Wizard on page 284 Managing clientless VPN users on page 411 Using the Remote Access Tunnel Wizard to create Client VPN tunne...

Page 31: ...opic see the following Integrating Symantec DeepSight Threat Management System on page 494 Leaving the SGMI You can leave the SGMI in three ways By logging off The Symantec Gateway Security Series 500...

Page 32: ...the following To return to managing the security gateway you logged off from enter your password and click Log On To manage a different security gateway enter your user name and password for that gat...

Page 33: ...d information For further information related to this topic see the following Logging on to the SGMI on page 21 Terminating an active connection on page 467 Navigating in the SGMI By becoming familiar...

Page 34: ...contains the following topics Using the SGMI menus Using the SGMI toolbar Navigating from the left pane Navigating the right pane Right pane tabs Left pane navigation Menus Product name Right pane co...

Page 35: ...ient VPN information on page 401 Log Off Exit Logs you out temporarily or lets you leave the SGMI by exiting See Leaving the SGMI on page 31 Edit Cut Copy Paste Lets you perform cut copy and paste ope...

Page 36: ...aking system changes with the System Setup Wizard on page 104 VPN Helps you create IPsec VPN tunnels and configuration packages for remote users See the following Simplifying multiple Client VPN compu...

Page 37: ...ontext sensitive Help See Using online Help on page 45 About Symantec Gateway Security 5000 Series v3 0 Displays the Symantec Gateway Security software version and build information Table 2 1 SGMI men...

Page 38: ...section is only visible if the security gateway you are managing is part of a cluster To view a description of the folders within each section click on the section heading As shown in the example of t...

Page 39: ...t security features Firewall Lets you define rules packet filters and time periods to control access to the security gateway VPN Lets you configure virtual private network VPN tunnels to allow access...

Page 40: ...Portal Pages Lets you customize the user experience for clientless VPN users Remote Mail Lets you configure clientless VPN to handle non standard mail resources Asset Parameters Lets you specify asset...

Page 41: ...used in a cluster Watchlist Lets you select cluster processes to monitor Ping groups Lets you configure ping groups to monitor servers that are not part of the cluster but that offer services on the...

Page 42: ...on Assets Authentication Servers Location Settings Advanced H 323 Aliases Assets Proxies H 323 Aliases Location Settings Advanced Local Administrators System Administration Local Administrators Locati...

Page 43: ...e status page that displays when you click Monitors Overall Health Figure 2 4 Overall Health status page Monitoring Cluster Status Cluster Clusters Monitoring SESA Event Gating System Configuration SE...

Page 44: ...Policy Firewall It contains a table of rule objects that you can create or modify Figure 2 5 Rules page showing table of objects Figure 2 6 shows the Antivirus Configuration page which displays when...

Page 45: ...next topics in the Help system The following topics describe how to use Help Displaying Help Searching Help Printing Help Displaying Help Your location in the SGMI determines the method you use to di...

Page 46: ...lowing Field descriptions on page 563 Searching Help The Help search engine uses different techniques to ensure that as many relevant topics are returned as possible For example if you search for the...

Page 47: ...hard copy of one or more topics Prerequisites Complete the following tasks before beginning this procedure Displaying Help on page 45 To print Help 1 In the Symantec Gateway Security 5000 Series v3 0...

Page 48: ...ion objects Configuring objects that reference other objects Saving and activating configuration changes Deleting configuration objects Changing the display of objects in a table Objects that you conf...

Page 49: ...remove a column 1 Do one of the following On the View menu click Show Columns In the table right click on a row and click Show Columns 2 In the Show Columns dialog box to display a column in the tabl...

Page 50: ...5 To modify the search click Search 6 To re display the entire table of objects click Clear Search Viewing and modifying object properties When you view a table of objects in the SGMI you can see the...

Page 51: ...b to view additional property details Modifying the properties of an object As your security needs change you will need to modify the configuration objects that represent your security environment To...

Page 52: ...assed You can add configuration objects by doing either of the following Creating a new object Copying an existing object Creating a new object You use the New button to create objects This button app...

Page 53: ...have Enable check boxes object name Type a name for the object The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscores _ Do not include spaces in t...

Page 54: ...owing To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related...

Page 55: ...s properties Click OK If you have made all required modifications the object is created in the table and you are returned to the Correct Pasted Items dialog box If the object still needs further modif...

Page 56: ...u want to add a referenced object Then in the right pane click the appropriate tab For example you would click Policy Firewall Packet Filters to access a packet filter so that you can change one of th...

Page 57: ...configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For further information related to this topic see the following Saving and activating c...

Page 58: ...r search select the desired protocols You can select multiple protocols by using the Shift and Control keys on the keyboard 7 Do one of the following To add the selected protocols to the service group...

Page 59: ...unity to save changes T Two symbols in the far left column of a table of objects indicate unsaved changes A mark indicates that the object is new A blue ball indicates that it has been modified On the...

Page 60: ...To activate only changes that you have previously saved without activating your unsaved changes click No 3 In the Activate Changes Wizard welcome panel click Next 4 In the Revision Comment panel in th...

Page 61: ...The changes and change indicators are removed from the objects To revert changes to a single object 1 In the right pane select the object for which you want to revert changes 2 Right click and click R...

Page 62: ...s validation messages and other security gateway objects that use a selected object This section includes the following topics Displaying and hiding the lower pane Viewing objects used by an object yo...

Page 63: ...d to this topic see the following Viewing and modifying object properties on page 50 Deleting configuration objects on page 61 Viewing system information The System window is a read only display of se...

Page 64: ...uration the SGMI includes the configuration wizards that are described in Table 2 7 These wizards give you step by step configuration instructions to ensure success Table 2 7 Symantec Gateway Security...

Page 65: ...n SESA for scalable management Note Symantec Gateway Security 5000 Series v3 0 requires Symantec Advanced Manager for Security Gateways v3 0 Cluster Wizard Helps you create a cluster of security gatew...

Page 66: ...anel lets you review your choices If you want to make a change you can click Back to return to a previous panel You use the Finish button to initiate the configuration changes that you have configured...

Page 67: ...egrity of your security gateway An additional administrative access feature is the ability to configure SSH as a means of providing command line access to view configuration files or perform tasks tha...

Page 68: ...at are listed on this tab Enable To enable the local administrator check Enable User Name Type the name of the administrator Full Name Type the full name of the administrator You can use this name to...

Page 69: ...ount Properties Maintenance Privileges tab on page 760 Admin Account Properties Restrict To Address tab on page 761 Creating machine accounts for security gateway access from remote computers The Mach...

Page 70: ...how to change these passwords using the SGMI Changing administrator passwords Changing the root password Changing a machine account password You can also use the LCD panel on the appliance to generat...

Page 71: ...tem menu You can use the System menu to change the password with which you logged on to the SGMI When you do the change takes effect immediately You do not need to save and activate the change Changin...

Page 72: ...ons a password warning displays with a recommendation and asks if you still want to use the password To change the password without taking the recommendation click Yes Continue at step 7 To return to...

Page 73: ...word from the SGMI When you do the change takes effect immediately Prerequisites None To change the root password 1 In the SGMI on the System menu click Change Root Password 2 In the Change Root Passw...

Page 74: ...assword again 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When pro...

Page 75: ...onfiguration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For furt...

Page 76: ...76 Managing administrative access Enabling SSH for command line access to the appliance...

Page 77: ...System Setup Wizard to make interface changes Tasks that you choose to perform regularly such as running LiveUpdate to update virus definitions and intrusion detection signatures and performing regula...

Page 78: ...allation completes successfully a message displays depending on the content of the hotfix If the message tells you that the hotfix has been successfully installed click OK If the message tells you tha...

Page 79: ...e LiveUpdate component of the security gateway lets you schedule updates of the definitions and signatures that are used by the following content security components Antispam Antivirus Content filteri...

Page 80: ...aption text box 6 Click OK 7 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Acti...

Page 81: ...Scheduling LiveUpdate of a component You schedule a LiveUpdate session separately for each of the components that has an update license Scheduling LiveUpdate lets you assure that your content securit...

Page 82: ...nfigure one or more additional servers for use for LiveUpdate and specify them in the components properties A total of 10 servers can be listed for each component When LiveUpdate is performed these se...

Page 83: ...rver on page 79 Specifying an HTTP proxy for LiveUpdate If one or more of your LiveUpdate servers uses HTTP to download updated definitions or signatures you can specify a proxy as one of the componen...

Page 84: ...ells you that LiveUpdate has started for the component 4 Click OK Related information For further information related to this topic see the following Defining a LiveUpdate server on page 79 LiveUpdati...

Page 85: ...incorporated into the following security gateway processes An appliance reboot occurs automatically If you use the System Setup Wizard to change the appliance host or domain name default gateway or an...

Page 86: ...D panel For instructions see the section on shutting down the appliance in the Symantec Gateway Security 5000 Series v3 0 Installation Guide Prerequisites None To shut down the security gateway applia...

Page 87: ...atus of security gateway components Viewing license usage Viewing installed licenses Obtaining licenses Preparing to install license files Installing licenses Removing all license files Enabling and d...

Page 88: ...gateway The information displayed includes the number of security gateway servers and clients the number of licensed tunnels being used the number of configured clusters and so on The limits on each...

Page 89: ...K Related information For further information related to this topic see the following Installed License Properties on page 767 Installing licenses on page 94 Removing all license files on page 95 Obta...

Page 90: ...make it easier to organize this information complete the license file organization worksheet If you are licensing multiple appliances copy the worksheet and complete it for each appliance To obtain l...

Page 91: ...e or more for each feature ordered The format of the license serial number is a letter followed by 10 digits For example F2430482013 The license serial numbers on serial number certificates correspond...

Page 92: ...button to select the LCD system menu 2 Press the down arrow button until you see 4 System ID 3 Press the e button to view the Symantec System ID To obtain the Symantec System ID from the SGMI 1 In th...

Page 93: ...mantec s Licensing and Registration Web site at https licensing symantec com 2 In the Licensing and Registration page follow all the on line instructions and complete all the required registration scr...

Page 94: ...les to the appropriate folders 4 Create a backup copy of your license files in a secure location Related information For further information related to this topic see the following Installing licenses...

Page 95: ...oad License Files panel is displayed and then repeat steps 5 through 8 to upload and verify the missing license files Click Next 11 In the License Installation Complete panel click Close 12 When promp...

Page 96: ...e two ways to enable and disable the security gateway s features Running the System Setup Wizard See Enabling and disabling security gateway features from the System Setup Wizard on page 96 By using t...

Page 97: ...options are used For example if you disable the content filtering feature you cannot configure content profiles or specify URLs that should be blocked In addition you cannot add content filtering rest...

Page 98: ...nfigurations between security gateways is by associating the security gateways with each other in a cluster Keep the following requirements in mind when you plan to back up and restore configurations...

Page 99: ...7 When you are notified that the backup has completed successfully click OK Related information For further information related to this topic see the following Backup dialog box on page 774 Using com...

Page 100: ...ed on the security gateway click Use current network interfaces data 5 Click Next 6 In the Restore Settings panel do the following Click Restore from a Symantec Gateway Security backup image To the ri...

Page 101: ...nfiguration You can later use the SGMI to restore the backed up configurations just as you restore configurations that are backed up using the SGMI There are two ways to perform a command line back Fr...

Page 102: ...ot access the appliance directly you can use the remote backup utility to perform a back up from a remote computer Operating system specific versions of the remote backup utility are provided on the r...

Page 103: ...p sh host user password backupPassword backupFile Where 3 If the security gateway s certificate is not in the trust store of your computer you are prompted to install the certificate on the local comp...

Page 104: ...perform the initial setup of the appliance you only have to enable two network interfaces one as an inside interface and one as an outside interface You can configure the additional network interfaces...

Page 105: ...network interface to an appliance that is not part of a cluster click Standalone gateway To add a network interface to an appliance that is part of a cluster click Cluster member 6 Click Next 7 In the...

Page 106: ...e requested address In address transforms as the point where traffic arrives at or leaves the security gateway Related information For further information related to this topic see the following Syste...

Page 107: ...ffic arrives at or leaves the security gateway In clientless VPN profiles as the location of the DHCP server In host and subnet network entities as the spoof protected interface In security gateway ne...

Page 108: ...icast traffic and adding interface protections Note If an interface has been designated as the heartbeat interface for a cluster you cannot modify it Prerequisites None To modify a network interface 1...

Page 109: ...ries v3 0 logon dialog box displays and the security gateway reboots When the reboot has completed you can log on to the SGMI again Related information For further information related to this topic se...

Page 110: ...hine settings on an appliance that is not part of a cluster click Standalone gateway To modify machine settings on an appliance that is part of a cluster click Cluster member 5 Click Next 6 On the Mac...

Page 111: ...oot immediately 17 If you do not want to wait for the reboot to start click OK The Symantec Gateway Security 5000 Series v3 0 logon dialog box displays and the security gateway reboots When the reboot...

Page 112: ...ble click the network interface you want to configure 3 In the network interfaces properties dialog box on the General tab do one or more of the following 4 On the Packet Filters tab do one of the fol...

Page 113: ...spoof protection on page 370 Resolving host name requests for an outside system by creating a DNS recursion record on page 149 Allowing ICMP traffic on page 238 Enabling SYN flood protection on page...

Page 114: ...ck Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Enable To enable process restart check Enable Interval be...

Page 115: ...hind your security gateway for your remote users and trusted individuals and companies with whom you do business To know what traffic to allow and where to route it the security gateway must know how...

Page 116: ...this configuration is typically reserved for one way traffic especially if one of the interfaces has direct access to a public network Connection requests are usually initiated from the protected netw...

Page 117: ...connection requests are usually initiated from the protected network destined for external services A clustered configuration usually requires a third heartbeat network which is used to monitor the s...

Page 118: ...ernal network enjoys For example one of these networks might be used for customer facing applications such as Web and mail servers or for connections to partner companies This scenario might look like...

Page 119: ...n enclave security gateway is installed to further segment a network The enclave security gateway is usually managed from a host computer that is external to the enclave security gateway but which res...

Page 120: ...ress changed to that of the security gateway to force them up the stack for processing If the request is ultimately for another computer host client or server and the connection request meets all requ...

Page 121: ...TCP GSP is running Ensure that the SGMI protocol is configured to use native service Create a service group for SGMI management Create an allow rule for SGMI management To ensure that TCP GSP is runn...

Page 122: ...e toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes To create an allow rule for SGMI management 1 In the SGMI in the left...

Page 123: ...lowing Ensure that TCP GSP is running Create a new protocol for SGMI management Create a service group for SGMI management Create an allow rule for SGMI management Create a service redirect for SGMI m...

Page 124: ...n the Network Protocol list box select the protocol that you created for SGMI management 7 Click OK 8 Optionally on the Description tab type a more detailed description than you typed in the Caption t...

Page 125: ...activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Defining security gateway routing A company s internal network may...

Page 126: ...ortest Path First OSPF Version 2 See Configuring dynamic routing on page 129 Routing Information Protocol Version 2 RIP 2 As defined in RFC 2453 RIP 2 is a UDP based dynamic routing protocol based on...

Page 127: ...routing table for an entry that matches the packet s complete destination IP address If found the packet is sent directly to that IP address The security gateway next searches its internal routing ta...

Page 128: ...directly connected Once you configure a static route and save the changes the new route takes effect immediately Static routes can be added or modified at any time as these procedures do not require...

Page 129: ...OSPF have taken effect inspect the var lib sg portcontrol cf file and look for entries such as enable UDP 520 or enable IP 89 Configuring RIP support RIP is configured on each interface separately Cha...

Page 130: ...n interface 5 In the Route Cost text box type a value for this interface s cost 6 In the Route Priority text box type a value for this interface s priority In the event of a cost tie between two inter...

Page 131: ...client requests traverse two or more relay agents including the security gateway relay proxy See DHCP traffic multi hop example on page 132 DHCP traffic single hop example Figure 5 6 demonstrates a t...

Page 132: ...h source and destination ports of 67 If there were additional relays in this network all the relays except the one closest to the client should be configured to pass a UDP port 67 datagram response Co...

Page 133: ...RVER 10 3 3 2 To enable multiple DHCP servers next to DHCPSERVER type the IP addresses of the target DHCP servers For example DHCPSERVER 10 3 3 2 10 4 4 25 10 5 5 1 Use a space between each server 4 D...

Page 134: ...e Service Groups tab click New 3 In the Service Group Properties dialog box on the General tab in the Service group name text box type a name for the service group such as Multi_hop_DHCP 4 On the Prot...

Page 135: ...in the multicast group Systems not part of the multicast group do not receive unnecessary traffic Multicast packets can also traverse networks assuming that the router between the two networks is mul...

Page 136: ...g Multicast support is disabled by default Multicast traffic may offer some risk to security as multicast traffic is not subject to rule checking antivirus and content scanning It is recommended that...

Page 137: ...sert the commands see bold text as they appear in the file below bin sh raptor startup file PATH sbin usr sbin usr bin bin JAVA_HOME usr java jre1 3 1_04 LD_LIBRARY_PATH usr raptor bin LD_LIBRARY_PATH...

Page 138: ...w your current network is configured and your DNS objectives Use the scenario descriptions below to help you decide how to implement DNS for your network The first scenario is to have a caching name s...

Page 139: ...n record Figure 5 9 Example network with a caching name server with no internal name server In Figure 5 9 the security gateway acts as a caching name server and the client resolvers in the inside netw...

Page 140: ...er that is responsible for a given domain The DNS proxy is only authoritative for those domains and networks that are defined through the DNS Record Properties dialog box This name server has the phys...

Page 141: ...y Authority record See Defining an authoritative server with a DNS authority record on page 145 Host record See Identifying a host in a domain with a DNS host record on page 146 optional Mail server r...

Page 142: ...tative name server with delegation configure the following records on the internal DNS server which in this case is represented by symantec org Authority record See Defining an authoritative server wi...

Page 143: ...guring an authoritative name server with delegation on page 142 Understanding the security gateway s DNS resource records Before you set up the resource records for the security gateway DNS proxy you...

Page 144: ...T record Table 5 3 Types of naming conventions Type Example Definition Domain name symantecs org Composed of a domain name symantecs and org Host name eng symantecs org Composed of a specific machine...

Page 145: ...An authority record defines the name server that is responsible for a given domain You can make the DNS proxy authoritative for both public and private domains Prerequisites None To define an authori...

Page 146: ...s dialog box on the General tab do the following 4 Optionally on the Description tab in the text box type a more detailed description than you typed in the Caption text box 5 Click OK 6 Optionally do...

Page 147: ...mail server record A DNS mail server record known as mail exchange MX record in standard DNS defines the server responsible for handling email Use a public mail server record to point external mail s...

Page 148: ...server record The DNS server supports defining name servers for a domain The name server entry marks the authoritative servers to consult when performing DNS lookups for a host in that domain Dependi...

Page 149: ...r an outside system by creating a DNS recursion record By configuring a recursion record you instruct the security gateway to resolve host name requests from a specific outside system or network For s...

Page 150: ...ble DNS lookups fail they do not fall back to the hard coded list Use this feature if you have a security gateway protecting an enclave network In this case the enclave security gateway cannot directl...

Page 151: ...onfigured your security gateway as the reverse domain authority for the subnet Prerequisites Complete the following task before beginning this procedure Defining an authoritative server with a DNS aut...

Page 152: ...is case the SPF record should point to the security gateway s outside IP address This may be not the case if there is an Address transform allowing client to see the server s actual IP address Use ori...

Page 153: ...raffic One option for passing DNS traffic is to create a Generic Service Proxies GSPs for the Transmission Control Protocol TCP and the User Datagram Protocol UDP 53 destination port A GSP is not as e...

Page 154: ...lution because a forwarding filter acts simply as a packet filter There is no screening for RFC compliance Therefore the target server must be hardened As with the GSP the security gateway is transpar...

Page 155: ...dp_rev A B dns_udp_s2s B A dns_tcp B A dns_udp B A dns_udp_rev B A dns_udp_s2s 5 Click OK 6 Optionally do one of the following To save your configuration now and activate later on the tool bar click S...

Page 156: ...related to this topic see the following Proxy Properties DNS General tab on page 699 Refresh interval Specify a value to tell configured secondary name servers how often to check with the system on t...

Page 157: ...ater on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Solving DNS problems Name service...

Page 158: ...gateway uses the loopback address 127 0 0 1 to pass DNS requests back to itself do not delete the address Related information Enabling reverse lookups on page 157 Resolve other DNS problems There are...

Page 159: ...uring rules filters and tunnels to allow or deny the traffic Rules filters and tunnels point to other security gateway elements to specify the source and destination of traffic the interfaces through...

Page 160: ...n with a domain name network entity Creating security gateway network entities for use in tunnels Creating a network entity group for rules that apply to multiple entities Defining an entity and secur...

Page 161: ...with the host network entity click the right arrow button which moves them to the Selected list To remove an association in the Selected list select an interface and click the left arrow button to mo...

Page 162: ...when you want to restrict access to only a defined set of hosts Prerequisites None To define a network or subnet with a subnet entity 1 In the SGMI in the left pane under Assets click Network 2 In th...

Page 163: ...thin the Internet community Registered domain network entities end with an extension such as com edu or gov to indicate the type of domain or a country code such as jp Japan to indicate the location D...

Page 164: ...ou can also use security gateway network entities to specify the source and destination of traffic in rules and packet filters When you define security gateway entities you can set up some basic chara...

Page 165: ...teway VPN tunnel or local gateway in a Client VPN tunnel To specify the source or destination of traffic in rules and packet filters Related information For further information related to this topic s...

Page 166: ...efore you create the network entity group Prerequisites None To create a network entity group for rules that apply to multiple entities 1 In the SGMI in the left pane under Assets click Network 2 In t...

Page 167: ...ngs that you configure tunnel traffic is routed to the appropriate entities within the VPN security network entity Prerequisites Complete the following task before beginning this procedure Creating se...

Page 168: ...s and packet types TCP UDP IP or ICMP You can use these predefined protocols singly or in combination in rules by including them in the service group that is specified for the rule You cannot change o...

Page 169: ...traffic Use the following table to identify protocols that are not associated with proxies Table 6 1 Supplied protocols with their associated application proxy Protocol name Type Port Associated prox...

Page 170: ...4 echo_tcp TCP based 7 echo_udp UDP based 7 echo_udp_rev UDP based 1024 EGP IP based n a EON IP based n a esm_agent TCP based 5601 esm_mgr TCP based 5600 esm_rem_install TCP based 5599 esm_rev_install...

Page 171: ...os_7004_tcp TCP based 7004 kerberos_7004_udp UDP based 7004 kerberos_749_tcp TCP based 749 kerberos_749_udp UDP based 749 kerberos_auth_88 TCP based 88 kerberos_auth_88_tcp TCP based 88 kerberos_tcp T...

Page 172: ...ed 5362 pcserver TCP based 600 pop 2 TCP based 109 pop 2_udp UDP based 109 printer TCP based 515 PUP IP based n a RAW IP based n a readeagle TCP based 414 readhawk TCP based 418 realaudio_proxy TCP ba...

Page 173: ...ls Viewing port usage for all protocols This includes custom protocols sunrpc_tcp TCP based 111 sunrpc_udp UDP based 111 syslog UDP based 514 systat TCP based 11 t120 TCP based 1503 tacacs TCP based 4...

Page 174: ...ation Low Port Protocol Description 7 TCP echo 7 UDP echo 9 TCP discard 9 UDP discard 11 TCP systat 13 TCP daytime 13 UDP daytime 15 TCP netstat 19 TCP chargen 19 UDP chargen 21 TCP ftpd control 22 TC...

Page 175: ...P cifs 139 TCP netbios 139 UDP netbios 143 TCP imap 152 TCP bftp 161 TCP snmp 161 UDP snmp 162 TCP snmptrap 162 UDP snmptrap 179 TCP bgp 389 TCP ldap 414 TCP readeagle 416 TCP gwproxy 417 TCP visualiz...

Page 176: ...024 UDP daytime_udp_rev 1024 UDP dns_udp_rev 1024 UDP kerberos_udp_rev 1024 UDP lockd_udp_rev 1024 UDP nfsd_udp_rev 1025 TCP esm_rev_install 1080 TCP socks 1090 TCP realaudio_proxy 1433 TCP mssql_tcp...

Page 177: ...61 TCP pcAnywhere_5361 5362 TCP pcAnywhere_5362 5599 TCP esm_rem_install 5600 TCP esm_mgr 5601 TCP esm_agent 5998 TCP SESA_notification 6000 TCP x server0 6001 TCP x server1 6665 TCP irc_6665 6666 TCP...

Page 178: ...define to manage traffic flow for custom applications that are not supported by the standard protocols delivered with the security gateway You can configure generic services provided by hosts residing...

Page 179: ...eway that accepts Point to Point Tunneling Protocol PPTP connections Since the security gateway does not include a PPTP proxy which involves both GRE and TCP protocols the custom protocol must use the...

Page 180: ...r application handles all TCP service requests transparently provided the destination is a published entity The GSP proxies these requests to their destinations as if the requester was directly connec...

Page 181: ...ror and control messages about routing problems or simple inter network exchanges like timestamp or echo transactions to verify connections between TCP IP hosts Prerequisites None To configure ICMP ba...

Page 182: ...igger IDS IPS events If you want IDS events to be triggered for traffic that is passed using a new protocol that you create you must add the protocol to one of the IDS IPS services on the IDS IPD port...

Page 183: ...u organize access rights For example you can create one service group with only FTP enabled another with FTP Telnet and HTTP access and a third with full access You can then create rules that allow va...

Page 184: ...egin with a specific text string select Starts with and then type the text string 6 In the Network Protocol list that is returned by your search select the desired protocols and then do one of the fol...

Page 185: ...let you customize protocols for certain rules without changing protocol behavior for other rules To do this you create a service group specifically for a rule or set of rules After you add protocols...

Page 186: ...you want to customize Not all protocols can be customized If a protocol can be customized the Configure button becomes active 4 Click Configure 5 In the parameters properties dialog box for the proto...

Page 187: ...ll ports Standard ports 443 563 Ports named in the following list If you select this option in the Port text box type a port and then click Add Repeat until you have listed all the ports over which yo...

Page 188: ...handles all service requests transparently as if the requester were directly connected to the remote destination machine All connections are subject to gateway authorization rules In addition when you...

Page 189: ...oracle_netprxy directory When using the Oracle Connection Manager proxy all SQL Net traffic is handled according to the Oracle Net9 Connection Manager s configuration The security gateway passes all...

Page 190: ...nection Manager 1 On the security gateway create a file named usr raptor bin startcmgw sh and add the following syntax startcmgw sh bin sh cd usr raptor oracle_netprxy bin ORACLE_HOME usr raptor oracl...

Page 191: ...dd 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When pro...

Page 192: ...izing security gateway time Supporting UNIX services Handling streaming audio and video Managing electronic mail Enabling remote logon Allowing ICMP traffic Defining file control and access You can co...

Page 193: ...hentication The client must know the name of the SMB server and the name of its shares because browsing through the security gateway is disabled Non transparent connections For non transparent connect...

Page 194: ...M proxies are enabled Create a CIFS and NBDGRAM service group Create an allow rule for CIFS and NBDGRAM To ensure that the CIFS and NBDGRAM proxies are enabled 1 In the SGMI in the left pane under Ass...

Page 195: ...r further information related to this topic see the following Proxy Properties CIFS General tab on page 699 Proxy Properties NBDGRAM General tab on page 710 Service Group Properties General tab on pag...

Page 196: ...t your connections are timing out too quickly during average use Prerequisites Complete the following task before beginning this procedure Configuring access for CIFS and NBDGRAM traffic on page 194 T...

Page 197: ...roubleshooting NetBIOS traffic connections The procedure in this section explains how to configure the NBDGRAM proxy to log this additional information Prerequisites Complete the following task before...

Page 198: ...n to another through a pair of connections between a client and a server FTP also lets you remotely manage directories for those servers How the security gateway handles sending and receiving files Th...

Page 199: ...the Protocols tab to display a list of available protocols to add to this service group click Add 5 In the Select protocols dialog box click ftp 6 Click OK 7 Optionally on the Description tab type a m...

Page 200: ...customized FTP features you would like to implement Modifying the FTP greeting on page 200 Modifying the timeout period for inactive FTP connections on page 201 Configuring ports for FTP on page 201 A...

Page 201: ...er timeout for data connections text box type the new timeout period 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To acti...

Page 202: ...nd the greeting is 512 characters In some cases however you may want this length to be longer This is most often the case when you want to present a small set of directions or a security statement pri...

Page 203: ...is configured to reveal the addresses of hosts the security gateway protects connecting clients see only the security gateway s outside interface address To receive inbound H 323 connections when the...

Page 204: ...aboration server s identity to prevent it from being attacked directly Prerequisites None Configure access for Internet based communications To configure access for Internet based communications you m...

Page 205: ...ully qualified domain name of the destination host 6 Click OK 7 In the H323 Alias Properties dialog box click Apply 8 Optionally do one of the following To save your configuration now and activate lat...

Page 206: ...anges you make take affect immediately after saving and activating the configuration Prerequisites Complete the following task before beginning this procedure Configuring access for Internet based com...

Page 207: ...e that inactive connections stay open Similarly if the inactivity period is too long you can use the procedure in this section to reduce that period of time Prerequisites Complete the following task b...

Page 208: ...ote The H 323 trace file is normally written to var log sg h323d log Prerequisites Complete the following task before beginning this procedure Configuring access for Internet based communications on p...

Page 209: ...assword combination needs to be entered only once for each browser session Secure sockets layer The security gateway HTTP proxy passes secure HTTP traffic using secure sockets layer SSL transparently...

Page 210: ...http protocol or use the more secure sockets layer SSL protocol Prerequisites None Configure access for Web traffic To configure access for Web traffic you must do the following Ensure that the HTTP...

Page 211: ...tion text box 5 Click OK 6 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activa...

Page 212: ...port WebDAV RFC 2518 fully defines the set of extensions to the HTTP protocol to support WebDAV The HTTP proxy supports the following three WebDAV extensions Overwrite prevention Properties Name space...

Page 213: ...ng Proxy Properties HTTP Web Proxy tab on page 708 Configuring the HTTP proxy to listen on additional ports for standard connections By default the HTTP proxy listens on port 80 for normal HTTP connec...

Page 214: ...onfiguration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Modifying the timeout period to keep inactive HTTP connections open By default HTTP...

Page 215: ...g To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related info...

Page 216: ...D Prerequisites None Configure access for news feeds To configure access for news feeds you must do the following Ensure the NNTP proxy is enabled Create an NNTP service group Create an allow rule for...

Page 217: ...ew 3 In the new rule properties dialog box on the General tab do the following 4 Optionally on the Description tab type a more detailed description than you typed in the Caption text box 5 Click OK 6...

Page 218: ...proxy listens on page 220 Modifying the timeout period to keep inactive NNTP connections open on page 221 Closing NNTP connections gracefully on page 221 Creating trace files of NNTP connections on pa...

Page 219: ...bar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Dropping NNTP connections that use illegal command...

Page 220: ...guration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Defining additional ports on which the NNTP proxy listens You can use the procedure in...

Page 221: ...Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save yo...

Page 222: ...activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Synchronizing security gateway time Unlike the other proxies which p...

Page 223: ...as opposed to a GSP offers tighter port usage control and facilitates interactive strong authentication which would not otherwise be available Prerequisites None Configure the security gateway to sup...

Page 224: ...in the Caption text box 12 In the Service Group Properties dialog box click OK To create an allow rule for RCMD 1 In the SGMI in the left pane under Policy click Firewall 2 In the right pane on the R...

Page 225: ...her RTSP acts as a network remote control for multimedia servers There is no notion of an RTSP connection instead a server maintains a session labeled by an identifier An RTSP session is in no way tie...

Page 226: ...he right pane on the Rules tab click New 3 In the Rule Properties dialog box on the General tab do the following 4 Optionally on the Description tab type a more detailed description than you typed in...

Page 227: ...al buffer overflows or malformed packets If enabled the data stream is also passed to the antivirus engine so that exhaustive checks prevent the introduction of an email based virus Note With the appr...

Page 228: ...S 2 and is eventually received by the intended recipient EC 2 when they retrieve their email Note There are two different ways in which SMTP mail can arrive at the security gateway it can originate fr...

Page 229: ...raffic lets users send and receive Internet email Prior to configuring access you should determine what level of access is to be granted and who should have that access You should also consider for wh...

Page 230: ...the Description tab type a more detailed description than you typed in the Caption text box 8 In the Service Group Properties dialog box click OK To create an allow rule for email 1 In the SGMI in th...

Page 231: ...ollowing tasks Modifying the timeout period to keep inactive POP3 connections open on page 232 Modifying the timeout period to keep inactive SMTP connections open on page 232 Modifying the SMTP greeti...

Page 232: ...click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Modifying the timeout period to keep inactive SMTP con...

Page 233: ...When prompted to save your changes click Yes Related information For further information related to this topic see the following Proxy Properties SMTP General tab on page 717 Disabling SMTP flow contr...

Page 234: ...lbar click Activate 6 When prompted to save your changes click Yes Related information None Setting the SMTP proxy to debug mode for more verbose error reporting Using the procedure in this section yo...

Page 235: ...figuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate 6 When prompted to save your changes click Yes Related information None Ena...

Page 236: ...the connection with user group or authentication restrictions If the connection is allowed but with restrictions and depending on the authentication method the Telnet proxy may prompt for a user name...

Page 237: ...text box type a name for this service group 4 On the Protocols tab to display a list of available protocols to add to this service group click Add 5 In the Select protocols dialog box click telnet 6 C...

Page 238: ...ance of an unmodified security gateway is to appear invisible on the network However it is often advantageous to have the security gateway respond to ICMP requests especially when testing or troublesh...

Page 239: ...Proxies table click PINGD and then click Properties 3 In the Proxy Properties dialog box on the General tab to enable the Ping Proxy check Enable 4 In the Caption text box type a brief description of...

Page 240: ...or ICMP traffic The ping proxy is normally enabled when access for the ping command is needed However you can modify the security gateway s behavior with regards to ICMP traffic or configure support f...

Page 241: ...isites Complete the following task before beginning this procedure Configuring access for ICMP traffic on page 239 To enable support for traceroute 1 In the SGMI in the left pane under Policy click Fi...

Page 242: ...242 Defining your security environment Controlling full application inspection of traffic...

Page 243: ...243 Defining your security environment Controlling full application inspection of traffic...

Page 244: ...able authentication on connections for which there is none The security gateway also lets you define a list called a scheme of authentication servers to verify user identity The security gateway requi...

Page 245: ...ation server The internal authentication server replaces two older methods of authentication Bellcore S Key and gwpasswd which are no longer supported The security gateway s internal authentication se...

Page 246: ...xternal authentication on page 247 Creating an IKE enabled user on page 245 Adding authentication to rules on page 276 Using roles to assign rules to users on page 424 Creating an IKE enabled user To...

Page 247: ...h the Phase 1 ID used in the security gateway network entity properties dialog box Authentication Method Under Authentication Method do one of the following To give the user permission to use certific...

Page 248: ...s click Authentication Servers 2 In the right pane on the Authentication Servers tab select the Internal server and then click Properties 3 In the Internal Properties dialog box on the General tab ens...

Page 249: ...r group also makes it convenient to grant or remove access for a user by simply adding or removing their user name from the user group Similarly you can reduce the number of roles you create for clien...

Page 250: ...create a dynamic authentication scheme on page 263 Prerequisites None To configure user groups 1 In the SGMI in the left pane under Assets click Users 2 In the right pane on the User Groups tab click...

Page 251: ...To open tunnels automatically when the client reboots in the Tunnels to automatically open text box type the number of tunnels to open User Distinguished Name DN includes Type the Distinguished Name D...

Page 252: ...y gateway s import feature if you already have the information stored elsewhere and can easily convert it into one of the security gateway s supported formats The import feature lets you add and updat...

Page 253: ...entication for the user Click U to leave the S Key setting unmodified for the user If Y is selected a password must be entered in the SKey password field skey password Type the S Key password in plain...

Page 254: ...may provide a higher level of security as some external systems use two factor or challenge response authentication mechanisms You authenticate users against an external authentication system by doin...

Page 255: ...tory domain Prerequisites None To create a new Active Directory authentication server record 1 In the SGMI in the left pane under Assets click Authentication Servers 2 In the right pane on the Authent...

Page 256: ...figuration The password is then used to bind to the entry A group list can be retrieved by searching for groups where the user s DN or other specified unique attribute is a member specified in the con...

Page 257: ...page 688 LDAP Properties Schema tab on page 688 LDAP Properties Bind tab on page 689 LDAP Properties Description tab on page 690 Configuring an authentication scheme on page 260 Creating and assigning...

Page 258: ...figuration now on the tool bar click Activate When prompted to save your changes click Yes 7 After defining the RADIUS authentication server you can use it in the following ways Identify the server to...

Page 259: ...following Remote Authentication Dial In User Service RADIUS authentication on page 257 RSA SecurID authentication RSA SecurID is a strong two factor authentication method similar to PassGo Defender RS...

Page 260: ...ID server time or synchronize them both to a common source 5 Optionally perform the RSA SecurID Client installation on the system with the clntchk applet Ensure that the host name and address of the m...

Page 261: ...on page 691 Configuring an authentication scheme on page 260 Creating and assigning roles on page 426 Configuring an authentication scheme Authentication schemes define one or more authentication ser...

Page 262: ...tion Use it to establish authentication for secure desktop mail access Use it as the authentication scheme when configuring OOBA authentication Related information For further information related to t...

Page 263: ...uthentication you must create user group and authentication records in a specific manner Authenticate users on external servers To authenticate users that are defined on external servers you must do t...

Page 264: ...e toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes To create a dynamic user group record for users who are not in a user...

Page 265: ...low the Included user groups text box click Add 5 In the Select User Groups dialog box in the User Group list box select the groups whose users you want to authenticate You can select multiple groups...

Page 266: ...n 1 In the SGMI in the left pane under System click Configuration 2 In the right pane on the Services tab select OOBA Daemon and then click Properties 3 In the Service Parameters for OOBA Properties d...

Page 267: ...n to rules on page 276 Adding OOBA authentication to a rule After you configure the OOBA service you can use it to authenticate users by adding OOBA authentication to a rule Create a rule as you norma...

Page 268: ...5 Click OK 6 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompt...

Page 269: ...268 Limiting user access Authenticating using Out Of Band Authentication OOBA...

Page 270: ...where it is going the interfaces through which it enters and leaves the security gateway the protocols that are in effect and whether the traffic is allowed or denied In addition with rules you can sp...

Page 271: ...teway to gateway communication and remote access for users who have installed Symantec Client VPN on their computers By adding a filter to a VPN policy you can further control the traffic Clientless V...

Page 272: ...and selects the most appropriate rule to apply In the first scan it searches for rules that match the time window and definition of the connection request From this list of possible matches the secur...

Page 273: ...r user community and the security of your company As you plan you should ask the following questions Which systems are users allowed to access What services are allowed and in which direction During w...

Page 274: ...traffic you can specify advanced service parameters See the following topics to create these types of rules Creating basic rules Applying alert thresholds to rules Adding authentication to rules Using...

Page 275: ...page 275 Applying alert thresholds to rules on page 275 Enable To enable the new rule check Enable Rule name Type a unique name for the rule Number This read only field displays the rule s number whi...

Page 276: ...nge period or time range group or to edit a selected entry 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your...

Page 277: ...ollowing Rule Properties Alert Thresholds tab on page 592 Alerting using notifications on page 486 Adding authentication to rules To increase the security provided by a rule you can use authentication...

Page 278: ...le below Excluded network users click Add and then use the Excluded network users dialog box to add the excluded users to the list These users are disallowed by the rule even if they are members of a...

Page 279: ...ules tab select the rule to which you want to add content security checks and then click Properties 3 In the Rule Properties dialog box if the tab for the content security feature you want to use is g...

Page 280: ...ut parameters and additional HTTP connection ports When HTTP is included in a service group you can use the HTTP Parameters dialog box to specify ports for HTTP over SSL and an external Web proxy Howe...

Page 281: ...faces flagged as internal during the security gateway setup All transparent entities can be accessed directly by systems connecting to that interface The Universe entity is a permanent part of the sec...

Page 282: ...llowing Rule Properties General tab on page 589 Granting internal users access to public services You may want to give internal users access to a public service such as a news server so they can retri...

Page 283: ...ny of the following To enable HTTP check HTTP and then check the HTTP restrictions you want to enable To enable newsgroups check NNTP and then in the Newsgroup profile drop down list select the newsgr...

Page 284: ...quests to the publicly known IP address 3 To create a rule to allow public access to the server on a service network in the left pane under Policy click Firewall 4 In the right pane on the Rules tab c...

Page 285: ...Wizard The Firewall Rule Wizard lets you configure HTTP FTP SMTP and POP3 rules for your security gateway These are among the most commonly needed rules and the wizard simplifies configuration so that...

Page 286: ...r This is usually an internal mail server that receives and sends mail for your company domain Apply antivirus scanning To apply the antivirus options that you configure to the POP3 rules that are cre...

Page 287: ...articular kind of traffic and then create a service group that contains the protocols for that traffic Within the service group you can configure specific settings for the protocols The following topi...

Page 288: ...mix days and times such as 4 PM through 6 PM from July 1 2000 through July 31 2000 or 4 PM through 6 PM on Monday through Wednesday Once you have configured several time period ranges you can create t...

Page 289: ...e Properties General tab on page 602 Time Period Range Properties Time Range tab on page 603 Configuring a time period group on page 288 Creating basic rules on page 273 Alerting using notifications o...

Page 290: ...freeing up valuable resources to address legitimate connections Packet filtering is a versatile security gateway feature that is sometimes considered complicated because packet filters are order depen...

Page 291: ...endpoint Note If you are remotely managing your security gateway ensure that you do not create a packet filter that eliminates remote SGMI access By placing several hosts in an entity group that you c...

Page 292: ...ections tab on page 601 Creating packet filter groups on page 291 Using packet filters as forwarding filters on page 294 Applying packet filters to a VPN tunnel on page 293 Applying packet filters to...

Page 293: ...able through a VPN tunnel On a network interface to restrict the types of packets passing into or out of the security gateway Related information For further information related to this topic see the...

Page 294: ...General tab in the Filter applied drop down list select the packet filter you want to apply 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the to...

Page 295: ...k interfaces If the packet matches the chosen filter it is not sent up the protocol stack for authentication instead it passes through the security gateway bypassing normal security checking This feat...

Page 296: ...license to enable any of the HTTP settings Configure content profiles that provide content filtering based on the subject matter of Web content Content profiles are applied on a per rule basis and le...

Page 297: ...the following parameters After you specify the URLs URL patterns MIME types and file extensions to which users are allowed or denied access you can apply these settings selectively in rules When traf...

Page 298: ...ts Web URL For example assume that there are two different Web sites that are hosted on the same server http www symantecdomain com and http www symantecexample com Both of theses sites return an IP a...

Page 299: ...toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For further information related to this topic see...

Page 300: ...ust be used in a context where it cannot possibly indicate a range This can either be at the beginning of the set or immediately after a range Beginning anchor character and matches the blank space at...

Page 301: ...range of characters that should be matched Because you are looking specifically for three consecutive letters you need to set up three sets of brackets Use caution when you use the character as a glo...

Page 302: ...under Policy click Firewall 2 In the right pane on the Rules tab do one of the following To add URL pattern filtering to an existing rule highlight the rule and then double click to display its prope...

Page 303: ...for a rule that contains HTTP The HTTP proxy can restrict or permit access according to a list of MIME types Each URL that is received is scanned to determine its content type If the content type matc...

Page 304: ...ervice group with the HTTP protocol 5 On the Content Filtering tab ensure that the HTTP check box is checked 6 Under Select the protocols and settings to apply content filtering scanning check Apply M...

Page 305: ...file extension 1 In the SGMI in the left pane under Policy click Content Filtering 2 In the right pane on the Advance Restrictions tab under File Extensions in the Available list select the file exte...

Page 306: ...your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information F...

Page 307: ...ntent categories are included with the software You can use these categories or create local modifications of the categories to fit your specific needs Symantec has populated the predefined content ca...

Page 308: ...ing or general subterfuge and defeating of security measures Drugs Advocacy Sites advocating the use of illegal drugs for medical and personal use Drugs Non medical Sites providing information on grow...

Page 309: ...ation Advanced Sites providing medical discussions of sexually transmitted diseases such as syphilis gonorrhea and HIV AIDS May include medical pictures of a graphic nature Includes sites providing in...

Page 310: ...e left arrow button 7 Click OK 8 In the Rating Modification Properties dialog box click OK 9 Optionally do one of the following To save your configuration now and activate later on the toolbar click S...

Page 311: ...is not acceptable The dictionary that is associated with that content category is activated for DDR scanning However you can choose whether to activate DDR for a content profile How DDR evaluates Web...

Page 312: ...ontained in the list may be restricted or allowed and the corresponding dictionary may or may not be used by DDR to score Web page content By placing lists in different states you control not only acc...

Page 313: ...the deny list and the other is not users are blocked from accessing the site This is because the URL is in at least one content category in the deny list When a request is made for a URL that is cont...

Page 314: ...quisites None To modify the contents of a content category 1 In the SGMI in the left pane under Policy click Content Filtering 2 In the right pane on the URL Ratings tab do one of the following To set...

Page 315: ...ffic until they are added to a newsgroup profile and then to a rule You should list all the newsgroups that you specifically want to address regardless of whether you intend to allow or deny them Prer...

Page 316: ...file 5 On the Profile tab in the Available newsgroups list select a newsgroup and then click the right arrow button to move it to the Allowed newsgroups list Unless you are using a general wildcard pr...

Page 317: ...log box on the Protocols tab ensure that one of the following is listed If you want to apply a content profile and HTTP restrictions use HTTP If you want to apply a newsgroup profile use NTP Click OK...

Page 318: ...rmation related to this topic see the following Rule Properties Content Filtering tab on page 599 Creating a content profile on page 311 Filtering by a specific URL on page 297 Filtering by URL patter...

Page 319: ...318 Controlling traffic at the security gateway Blocking inappropriate content with content filtering...

Page 320: ...includes defining filters enabling protection for logical network interfaces configuring address transforms an antivirus server and intrusion detection and prevention software You can configure these...

Page 321: ...he values of the signature variables to adapt to your environment When you activate a change to a signature variable and the security gateway cannot validate the change a log event with a severity lev...

Page 322: ...ronment When creating a new policy you must provide a name heuristic detection level and a brief caption Both pre configured and user configured policies can be deleted LiveUpdate may add delete or mo...

Page 323: ...ss VPN connections Forward filters Web VPN connections Port forwarders Network interfaces Applying an IDS IPS policy to any of these components provides protection against malicious traffic passing th...

Page 324: ...at the point of entry providing additional security to the connection Prerequisites None To apply IDS IPS policies to clientless VPN connections 1 In the SGMI in the left pane under Policy click Clie...

Page 325: ...that matches signatures of possible threats Prerequisites None To apply IDS IPS policies to Web VPN connections 1 In the SGMI in the left pane under Policy click Policy Parameters 2 In the right pane...

Page 326: ...ble threats at the point of entry Prerequisites None To apply IDS IPS policies to network interfaces 1 In the SGMI in the left pane under Assets click Network 2 In the right pane on the Network Interf...

Page 327: ...S policy and apply all of the modifications by enabling the IDS IPS policy on an interface Viewing intrusion events You can view intrusion events and detailed information including protocols categorie...

Page 328: ...pane on the Configuration tab next to View click Table 3 In the Policy name drop down list select an IDS IPS policy 4 Select the intrusion event you want to view and then click Properties 5 To close...

Page 329: ...an IDS IPS service appears grey rather than black this indicates that some events below that level in the hierarchy are not configured for logging At the individual intrusion event level a red icon in...

Page 330: ...ent settings in the tabular format In the tabular format you can modify individual intrusion events in the IDS Event Type Properties dialog box or directly from the table From the properties dialog bo...

Page 331: ...eneral tab on page 643 Monitoring IDS IPS alerts on page 482 Modifying event settings in the tree format In the tree format you can modify individual intrusion events or you can modify globally at any...

Page 332: ...e of the following To enable logging and traffic blocking of this event check Log this event and Block traffic if this event is detected To enable only logging of this event check Log this event To di...

Page 333: ...ports for secure connections on page 214 See Customizing the HTTP protocol to pass HTTPS traffic on page 187 Prerequisites None To manage portmap settings 1 In the SGMI in the left pane under Policy...

Page 334: ...technologies for heuristic detection of new or unknown viruses to provide protection from new classes of viruses automatically through LiveUpdate and to detect polymorphic viruses If you would like t...

Page 335: ...error when downloading a large file Using data comforting can compromise the integrity of virus scanning You should consider the limitations of data comforting before you use this feature The followin...

Page 336: ...m values is met or exceeded for a given file the security gateway stops processing the file and generates a log entry You can specify whether to allow or deny access to these files Access is denied by...

Page 337: ...the antivirus scanner is unavailable for any reason you can still protect your environment from malicious attacks When this protection is enabled if the antivirus scanner reports an error during the s...

Page 338: ...ock files when the antivirus scanner is unavailable 5 On the SMTP subtab check Block emails with partial message content type header 6 Optionally do one of the following To save your configuration now...

Page 339: ...File Extension dialog box on page 633 Adding antivirus protection to a rule on page 347 Specifying file types to scan The security gateway lets you control the types of files that are scanned You can...

Page 340: ...4 To modify the file exclusion list do one or more of the following To add a file extension click Add In the Add File Extension dialog box in the File extension text box type the file extension that y...

Page 341: ...hen data comforting is enabled the requested file is sent trickled to the user in small amounts at regular intervals until the scan is complete When an infected file is detected while data comforting...

Page 342: ...sent to the user Note When configuring the antivirus data comforting option for HTTP FTP and POP3 a pop up window reports that infected repairable and unrepairable files will be deleted even when the...

Page 343: ...the message For each full file name that you want to filter you type a separate text string If the text string that you type matches the file name of any attachment the message is handled accordingly...

Page 344: ...Size dialog box in the Mail attachment size text box type the maximum file size to permit for a binary file attached to an email 4 Click OK 5 Under the Binary file size list select one of the followi...

Page 345: ...fected file even if the file could be repaired Repair or delete Attempts to repair the infected file If the file cannot be repaired the security gateway deletes the infected file You can configure the...

Page 346: ...also include a message in the body of the email to notify the user that an infected file was deleted The SMTP and POP3 protocols replace the deleted infected file with a text message file The text fi...

Page 347: ...olbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes 6 To apply this setting create a rule and enable the appropriate action o...

Page 348: ...antivirus functionality you must create a rule and select the antivirus processes that you want to use You can specify separate options for each protocol The more antivirus scanning and filtering pro...

Page 349: ...tivirus features that you want to use as follows Substitute for infected file SMTP POP3 HTTP FTP Replaces an infected attachment in an email with a text file when the infected attachment is deleted In...

Page 350: ...POP3 protocol can only be scanned after it has been delivered to a mailbox but before it is read by a user You cannot block POP3 email because there is no way to remove the infected mail from the mail...

Page 351: ...ubject pattern matching processing You can then make the appropriate adjustments to your antispam settings Figure 9 3 Antispam scanning sequence Table 9 4 Antispam scanning sequence Order Scanning pro...

Page 352: ...am email Blocking spam using real time blacklists on page 352 Identifying spam using heuristic antispam scanning on page 353 Identifying spam using a custom known spammers list on page 354 5 Subject p...

Page 353: ...ime blacklist rejects the sender address Messages from the rejected sender address are always blocked If the proxy does not get a suitable response from any of the real time blacklist servers a log en...

Page 354: ...You can configure the options for SMTP and POP3 separately For the SMTP protocol only you can block the email message For both the SMTP and POP3 protocols you can send the message to the recipient unm...

Page 355: ...antecdomain com it blocks only that subdomain and not the full domain for example symantecdomain com You can specify how you want to handle messages that are identified as spam by the custom known spa...

Page 356: ...o the recipient unmodified Ensure that you enable the subject pattern matching setting in the appropriate firewall rule You must also have a valid Content Security license If you do not the security g...

Page 357: ...st operators as a source of spam The security gateway lets you create a custom list of mail transfer agent IP addresses that are permitted to bypass the real time blacklist processing Ensure that you...

Page 358: ...able the senders list setting in the appropriate security gateway rule You must also have a valid Firewall Base license If you do not the security gateway does not attempt to use this antispam scannin...

Page 359: ...er on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For further information related to this t...

Page 360: ...e source IP address and leaves the destination IP address unchanged The topics in this section are Controlling IP addresses with address transforms Mapping addresses with NAT pools Redirecting connect...

Page 361: ...eal packet source address to be overwritten by the security gateway address for the connection Note that this should be the addressing scheme for most connections except VPN tunnels With VPN tunnels t...

Page 362: ...he allocated address If the NAT pool is being used in a VPN tunnel the tunnel itself can time out based on the parameters defined When this happens the connection is dropped and the NAT address is rel...

Page 363: ...addresses but those subnets may consist of only one entity You must have the same number of entities in your real subnet as you do in your NAT subnet Use dynamic NAT pools to map a client IP address t...

Page 364: ...on the NAT Pool tab click New Dynamic NAT Pools 3 In the Dynamic NAT Pool Properties dialog box on the General tab do the following 4 Optionally on the Description tab type a more detailed descriptio...

Page 365: ...net as the security gateway s real address it automatically routes the packets using the address resolution protocol ARP If the virtual address is not on the same subnet add a static route on your Int...

Page 366: ...Related information For further information related to this topic see the following Redirected Services Properties General tab on page 673 Redirected Services Properties Description tab on page 673 C...

Page 367: ...nt configuration in essence a reverse NAT configuration the External host sees the security gateway address on any communication it receives back Figure 9 4 Virtual client configuration Creating a vir...

Page 368: ...ss Transform Properties dialog box on the General tab do the following 4 On the Source Address Transform tab check Use NAT pool 5 Optionally on the Description tab type a more detailed description tha...

Page 369: ...network interface naming convention when you configure the network adapters in the System Setup Wizard you can apply rules that use the logical network interface This section includes the following t...

Page 370: ...ion attempt the response from the source host which happens in the third phase would be an acknowledgement packet ACK enabled and the two ends would establish the connection However the attacker skips...

Page 371: ...otection feature to ignore when determining if the security gateway is under a SYN flood attack Prerequisites None To create a SYN flood allowed host list 1 In the SGMI in the left pane under System c...

Page 372: ...under Assets click Network 2 In the right pane on the Network Interfaces tab select the network interface on which you want to enable protection and click Properties 3 In the Network Interface Propert...

Page 373: ...372 Preventing attacks Enabling protection for logical network interfaces...

Page 374: ...resources To make creating secure tunnels faster and easier you can define standard VPN policies that you can then select for your secure tunnels Rather than configuring the components present in thes...

Page 375: ...by a security gateway at one site can establish a tunneled connection to the security gateway protecting the remotely located site The remote user can connect to and access the resources of the privat...

Page 376: ...ints Tunnel endpoints perform encryption decryption encapsulation decapsulation and authentication operations on tunnel packets Tunnel endpoints are typically two security gateways gateway to gateway...

Page 377: ...routable In addition an ICMP Parameter Problem message is sent back to the client The best solution to this symptom is to ask the end user to modify the default home subnet assigned by their home rout...

Page 378: ...tly through If there is no proxy requirement the packets move on to their destination Proxying tunnel traffic lets the administrator control the type of traffic allowed through a tunnel Even between t...

Page 379: ...l The decision to make two VPNs cascaded may reflect different levels of security on your private network and the Internet Figure 10 4 Cascaded VPN tunnels Note Figure 10 3 and Figure 10 4 represent g...

Page 380: ...Main Mode and Phase 2 or Quick Mode The Phase 1 negotiation establishes a secure channel called the security association SA between two computers The SA is used to protect the security negotiations Ph...

Page 381: ...IKE tunnels ISAKMP dynamically negotiates keys establishes SPIs negotiates transforms and provides key expiration for greater security and flexibility Configuring VPN policy for IPsec with IKE You ca...

Page 382: ...d in the order they appear You can change their order by selecting an entry and clicking Up or Down Name Type a unique name for the VPN policy Caption Type a brief description of the VPN policy Filter...

Page 383: ...toolbar click Activate When prompted to save your changes click Yes 11 To use the VPN policy do one of the following Create a VPN tunnel and select the VPN policy Create a clientless VPN rule with VP...

Page 384: ...and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Policy Name Type a unique name for the VPN p...

Page 385: ...name of the global IKE policy is displayed This default name cannot be changed 3 In the Connection timeout text box type an interval in minutes for connection timeout 4 On the Data Privacy Preference...

Page 386: ...ess transforms as the method by which traffic arrives at the security gateway When you create Client VPN tunnels you can also incorporate them in packages that are sent to remote users to simplify the...

Page 387: ...isting security gateway network entity select it from the drop down list If you are creating a new security gateway network entity do the following In the Name text box type the name of the new securi...

Page 388: ...the drop down list and then skip to step 14 To create a new security gateway network entity click Create new security gateway network entity 12 To define the new network entity do the following For a...

Page 389: ...a VPN policy for the new tunnel IP address Type the IP address or fully qualified domain name of the network entity Authentication method Do one of the following To use certificates to authenticate cl...

Page 390: ...ing Gateway to Gateway Tunnel Wizard on page 786 Creating basic rules on page 273 Controlling IP addresses with address transforms on page 359 Using the Remote Access Tunnel Wizard to create Client VP...

Page 391: ...g network entity select the network entity from the drop down list and then click Next to skip to step 13 To create a new network entity to serve as the local tunnel endpoint click Create new network...

Page 392: ...imary IKE user group 14 Click Next 15 In the VPN Policy panel in the drop down list select a VPN policy 16 Click Next For a Subnet network entity In the Name text box type a name for the new endpoint...

Page 393: ...omputer configuration on page 399 Creating tunnels manually For each VPN tunnel that you create you must select a pre configured security gateway and a network entity local to your site as well as a p...

Page 394: ...Gateway to Gateway tunnel Properties dialog box on the General tab do the following 4 Click OK Enable To enable the tunnel check Enable Name Type a unique name for the tunnel VPN policy In the drop do...

Page 395: ...to remote users to simplify the configuration of Symantec Client VPN If your remote tunnel endpoint is a Symantec Client VPN user then you must configure a VPN security network entity to serve as the...

Page 396: ...le Client VPN computer configuration on page 399 Manually configuring a tunnel using IPsec with static key You can configure a VPN policy with static IKE to support static VPN tunnels In static VPN tu...

Page 397: ...ck Generate Keys The appropriate key fields are available according to your VPN policy selection It is strongly recommended that you use the Generate Keys button rather than creating your own keys Loc...

Page 398: ...enable a compliance check interval Check interval minutes If Periodically check compliance is checked type the number of minutes between automatic client compliance checks Require Symantec Client Fir...

Page 399: ...ce of remote Client VPN computers on page 397 To apply the client compliance policy 1 In the SGMI in the left pane under Assets click Users 2 In the right pane on the User Groups tab select the user g...

Page 400: ...on after the computer is initialized The Client VPN package is a single encrypted file that contains the following information Gateway IP address Server Phase 1 ID Authentication method Client Phase 1...

Page 401: ...stallation directory with nsetup exe The installation will copy the Client VPN package file to the directory into which the client is installed Since the Symantec Client VPN application will always ch...

Page 402: ...ort Client VPN tunnels 1 In the SGMI on the File menu click Import VPN Tunnels 2 Browse to the pkimpvpn file in the sg directory 3 Click Import VPN Tunnels File import can take several minutes After t...

Page 403: ...rate the certificate To create the entrust ini and username epf files on the Entrust CA server 1 To create a new user use the Entrust Admin utility accessible from Start Programs Entrust Entrust Admin...

Page 404: ...splayed in the Entrust Server window and then press Enter 6 When prompted type the profile filename for saving keys and then press Enter This is the epf file that contains your certificate and private...

Page 405: ...unnel through the Internet Example multicast gateway to gateway IPsec tunnel configuration In addition to the following instructions be familiar with the general instructions for configuring a gateway...

Page 406: ...twork entity for 10 10 10 1 2 Create a subnet network entity for 10 10 20 1 3 Create a gateway to gateway VPN tunnel and for the local endpoint use the 10 10 10 1 subnet entity and then do the followi...

Page 407: ...nnel First edit the security gateway initialization file raptor init to add two additional commands immediately following the multicast callout and allmulti commands usr raptor bin vpn set Global Tunn...

Page 408: ...erify_packet_exiting_tunnel The syntax must be exact 4 In the Caption text box type a brief description of the option 5 On the Value tab in the Value text box type false 6 Click Add 7 On the Descripti...

Page 409: ...408 Providing remote access using VPN tunnels Multicast traffic through gateway to gateway IPsec tunnels...

Page 410: ...less VPN users Configuring access to common applications Identifying resources with URLs About clientless VPN Symantec Gateway Security s clientless VPN feature provides portal based access for Web en...

Page 411: ...ify users identities when they log on Group server A database that organizes users with similar attributes into groups such as LDAP and NT Domain the security gateway uses this data to determine users...

Page 412: ...and user groups are arranged in a hierarchical role structure that ensures that any rule applying to a parent role also applies to a child role below it in the structure To customize the user experie...

Page 413: ...ne an authentication scheme on the Assets Authentication Servers Schemes tab See Configuring an authentication scheme on page 260 Define a VPN profile to determine connection parameters on the Policy...

Page 414: ...twork SNC is the most flexible mode from an application perspective since it is application agnostic SNC is only supported on Microsoft Windows XP Microsoft Windows 2000 client systems SNC can use an...

Page 415: ...on now on the toolbar click Activate When prompted to save your changes click Yes To delete a VPN Profile 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In the right pane on the Cl...

Page 416: ...defines URLs that identify internal network resources Each rule is identified by a unique name There are two types of clientless VPN rules Rule components A rule specifies the minimum requirements nee...

Page 417: ...he path element is used to control access and therefore the examples below demonstrate variations of the path element Other elements such as host name can be formulated using similar methods Figure 11...

Page 418: ...main com mail www symantecdomain com jsmith Example 3 SimpleAllow3 is a rule for all file resources on the www symantecexample com server that are in a share folder named sales and have a single prece...

Page 419: ...e rule select Deny Network application In the drop down list select the protocol matching the type of traffic you want to control with this rule You may select only one The fields available in the res...

Page 420: ...h a backslash for example to use as a normal character type Additional regular expression characters besides those shown in Table 11 2 that must be preceded by a backslash are The table below shows a...

Page 421: ...salesNW projects rtf Matches an empty string only dir a subdir status doc dir Matches any path with the string dir in it dir directory abc subdirectory subsub dir file txt a subdi sub text pdf dir Mat...

Page 422: ...a link to the resource is immediately available Prerequisites None To add an advanced rule 1 In the SGMI in the left pane under Policy click Clientless VPN dir subdir Matches the string dir subdir fol...

Page 423: ...names or IP addresses Port Type the port number used to access the resource if it is different from the default Path Type an expression that matches the allowed path This restricts access to the host...

Page 424: ...ntire set of rules to a role and thereby apply multiple rules to a group of users You can create empty rule sets and add rules later or create individual rules and then group them in a rule set Creati...

Page 425: ...et Properties General tab on page 623 Clientless VPN Role Properties General tab on page 624 About simple rules on page 415 About advanced rules on page 419 Assigning a rule or rule set to a role on p...

Page 426: ...el all the administrator has to do is assign the CEO role to the user who is the current CEO on the authentication server All privileges pertaining to that role in the organization are automatically a...

Page 427: ...r role that controls the access privileges of all users on the server and a default group role that controls the access privileges of all groups on the server See Creating authentication server record...

Page 428: ...import group roles 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In the right pane on the Roles tab click Import Roles 3 In the Import Roles dialog box in the Authentication serve...

Page 429: ...ing task before beginning this procedure Configuring users for internal authentication on page 243 To import user roles 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In the right...

Page 430: ...your configuration and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For fu...

Page 431: ...n the Rules tab click Add 4 In the Rule Rule Set Selection dialog box in the Rules or Rule Sets list select a rule or rule set and then click OK The rules and rule sets listed in the Rules from parent...

Page 432: ...VPN users check Enable expanded DNS lookups 5 Optionally do one of the following To save your configuration and activate later on the toolbar click Save To activate your configuration now on the toolb...

Page 433: ...ault Symantec logo and name with those of your organization The logo and name appear on all portal pages News items Posts system wide messages to display for a specific period of time This can be used...

Page 434: ...page and configure the links that display on the page Once the page exists it can be assigned to a role influencing the QuickLinks that appear on a role s portal page You can organize the lists of li...

Page 435: ...430 Assign the portal page to a role on page 438 Creating resource QuickLinks Resource QuickLinks are used on portal pages to help remote users access internal resources They allow users to access con...

Page 436: ...ote users Prerequisites Complete the following tasks before beginning this procedure Creating resource QuickLinks on page 434 To create a resource group 1 In the SGMI in the left pane under Assets cli...

Page 437: ...page 433 Creating resource QuickLinks on page 434 To add a resource link to a portal page 1 In the SGMI in the left pane under Assets click Portal Pages 2 In the right pane on the Portal Pages tab sel...

Page 438: ...e toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Adding news items to a portal page News item...

Page 439: ...pearance tab select the news item you want to remove and then click Delete The news item is marked for deletion from the system The actual deletion will happen the next time the security gateway confi...

Page 440: ...The administrator must create a single sign on access rule for each resource Collecting resource logon information You can configure the security gateway to prompt users for their user names and pass...

Page 441: ...o disable the single sign on feature an authenticated user can delete sign on information stored by the security gateway This might be done if the user password or the resources being accessed changed...

Page 442: ...ions to convert or rewrite resource host names or URLs with the security gateway s address instead of the actual network host or URL Prerequisites None Enable reverse proxy translation for hosts or fo...

Page 443: ...n use to simplify setting up clientless VPN connections The Remote Access Tunnel Wizard builds connections in a who what how methodology who is being provided access to what resource are they provided...

Page 444: ...n the Options panel identify the host resource to which you are providing access by doing one of the following To specify the host by DNS name click Specify host by DNS name and then type the DNS name...

Page 445: ...ion panel review the configuration and then do one of the following If the connection is configured properly click Finish You need to activate the change before using the connection To reconfigure the...

Page 446: ...from the drop down list and then click Next to skip to step 12 To create a new user role click Create a new user role To create a new group role click Create a new group role 9 In the User name or Gro...

Page 447: ...hen do one of the following If the connection is configured properly click Finish You need to activate the change before using the connection To reconfigure the connection click Back until you reach t...

Page 448: ...ther information related to this topic see the following Secure Web Mail Access Properties General tab on page 742 Advanced mail actions on page 446 Using the security gateway as a mail proxy on page...

Page 449: ...On the client computer specify the fully qualified domain name of the security gateway as the incoming mail server 2 Select the mail protocol that corresponds with the appropriate proxy that the admi...

Page 450: ...s enabled type the number of minutes between automatic client compliance checks The default is 10 minutes Require Symantec Client Firewall Check this option to require that clients have Symantec Clien...

Page 451: ...tasks before beginning this procedure Ensuring client compliance for clientless VPN users on page 449 To apply client compliance 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In...

Page 452: ...supports The cipher suites that are available are defined by RFC and cannot be modified however you can specify which cipher suites are used to protect data for your security gateway Prerequisites Non...

Page 453: ...less VPN consists of five major steps Gathering information about the terminal emulation client Creating a clientless VPN access rule or rule set for the terminal emulation client Assigning the termin...

Page 454: ...the terminal emulation server 1 In the SGMI in the left pane under Assets click Portal Pages 2 In the right pane on the Resources tab click New 3 In the Resource Properties dialog box on the General t...

Page 455: ...on page 454 Connecting to Symantec Clientless VPN with the terminal emulation client After the user logs on clientless VPN downloads the port forwarder Java applet After the user accepts the applet a...

Page 456: ...a user name password and other supplementary information such as query data The most typical form is either protocol username password host port path query or protocol username password host port path...

Page 457: ...nnecessary if the FTP server is configured with the default port The following table shows an example of an FTP URL resource with user name and password Table 11 8 http search symantecexample com bin...

Page 458: ...re allows users to connect to Microsoft Exchange servers behind the security gateway without reconfiguring Microsoft Outlook This resource uses the following URL syntax protocol host name The protocol...

Page 459: ...optional element like port because there is no default share When using the advanced syntax the domain value is optional Most file shares are password protected The single sign on feature prompts the...

Page 460: ...ehind the security gateway without reconfiguring the application client The TCP IP port forwarding feature changes the host files on the end user s computer Therefore only users who have permission to...

Page 461: ...pple MAC OS X Resource links can be configured from the Portal tab to automatically start when the user signs on Autostart is particularly useful for mail applications UDP is a basic resource and uses...

Page 462: ...be the first warning of an attack Temperature fan and disk warnings can alert you to problems with the security gateway appliance Status Shows general and detailed information about the properties of...

Page 463: ...put The Network Throughput chart lets you see the volume of traffic through the security gateway You can view activity on all network interfaces or select a specific interface to monitor Unusual spike...

Page 464: ...of the chart indicates time The legend to the left of the chart shows connections measured by hundreds 4 To change the active connections that are displayed do one or more of the following Related in...

Page 465: ...his topic see the following Viewing copying and printing current log files on page 473 Monitoring appliance temperature and fan status Sensors on the security gateway appliance report the appliance te...

Page 466: ...the SGMI in the right pane under System click Administration 2 In the right pane on the Advanced Options tab click ui_status_poll_interval and then click Properties 3 In the Advanced Options Properti...

Page 467: ...ervers The Hardware Encryption Diagnostics tab run tests on the Symantec Gateway Security 5600 Series hardware accelerator chip and shows if it is working properly The Clientless VPN Failed Logons tab...

Page 468: ...s tab in the Active Connections table select an active connections entry 3 Click Properties The Active Connections Properties dialog box provides an alternate view of an active connection It also lets...

Page 469: ...Complete the following tasks before beginning this procedure Ensuring client compliance for clientless VPN users on page 449 Ensuring compliance of remote Client VPN computers on page 397 To view ant...

Page 470: ...ostics The results of the test successful or failed display on the Hardware Encryption Diagnostics window If there is no encryption card installed the message Hardware Diagnostics Not Successful resul...

Page 471: ...vice Viewing copying and printing current log files Viewing cluster log files Opening deleting and backing up archived log files Adding or removing Event Log table columns Starting a new log file Disp...

Page 472: ...displayed Maximum Log File Size KB Select the maximum size for your logging file Low Disk Threshold KB Select the threshold at which to warn about the log file size This threshold is set against dev...

Page 473: ...end logging when there is no additional space check Auto delete old logfiles Minimum number of hours to keep logfile Use the up and down arrows to select the minimum time in hours to keep old log file...

Page 474: ...ation changes are made they do not apply to existing connections Until a connection is terminated any log messages generated by it will show the configuration that was in effect when the connection be...

Page 475: ...opy 4 Paste the message into the application of your choice 5 To close the Event dialog box click Close To print log file text 1 In the SGMI in the left pane under Monitors click Logs 2 In the right p...

Page 476: ...chived log file 1 In the SGMI in the left pane under Monitors click Logs 2 In the right pane on the Event Logs tab click Open Log 3 In the Open Archived Log File dialog box select the log file for the...

Page 477: ...log file is always the logfile rollover which will have the new timestamp Subsequent entries will be any queued entries timestamped with the time at which they were generated Prerequisites None To st...

Page 478: ...list select one of the following Access allowed Access denied Configuration Connection established Internal License Operational You can choose more specific classifications within these broad categor...

Page 479: ...sages that are displayed are those that meet all search criteria Note An advanced search of a large log file can impact performance You can search the log file and limit the display based on the follo...

Page 480: ...th In the Search text box type the text on which you want to search Click Search 7 To display events that contain specific parameters do the following Click Parameters and then click Add In the Select...

Page 481: ...nment on a Linux Solaris or Windows computer Accessing your security gateway using an outside untrusted network can present danger If the certificate for the security gateway is not in the trust store...

Page 482: ...management utility run the following command remotearchive sh delete host user password logfile1 logfile2 Where Related Information None list Lists log files host The host name or IP address of the se...

Page 483: ...uniquely identify IDS IPS events each event is also assigned a unique base event type value The alert events that you can see in the logs are those that have been configured and applied on the IDS IPS...

Page 484: ...o configure the security gateway response to the event do the following 9 Click OK 10 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To...

Page 485: ...rce IP address check Source IP address and then type the IP address of the source of an intrusion 4 To display alerts with a specific source port check Source port and then type the port number of the...

Page 486: ...d are those that meet all search criteria Note An advanced search of a large log file can impact performance You can search the log file and limit the display of IDS IPS alerts based on the following...

Page 487: ...ern and then click Add 10 Click OK Related Information For further information related to this topic see the following Performing a basic IDS IPS alert search on page 484 Performing an advanced IDS IP...

Page 488: ...klist notification check the appropriate severity levels 9 Optionally on the Description tab type a more detailed description than you typed in the Caption text box 10 Click OK 11 Optionally do one of...

Page 489: ...ication 5 Optionally in the Time Period drop down list you can select a time period in which the notification will be valid 6 To define the severity of the alerts necessary to trigger the notification...

Page 490: ...e notification 5 Optionally in the Time Period drop down list you can select a time period in which the notification will be valid 6 To define the severity of the alerts necessary to trigger the notif...

Page 491: ...agers check enable 4 In the Notification Name text box type a name for the notification 5 Optionally in the Time Period drop down list you can select a time period in which the notification will be va...

Page 492: ...or Notify Properties General tab on page 748 Service Parameters For Notify Properties Description tab on page 748 Configuring SNMPv1 and SNMPv2 notifications The Simple Network Management Protocol SNM...

Page 493: ...iod in which the notification will be valid 6 To define the severity of the alerts necessary to trigger the notification check the appropriate Triggered by Event options 7 In the Community text box ty...

Page 494: ...ication 3 In the SNMP V2 Trap Notification Properties dialog box on the General Tab to enable the new notification through SNMP V2 trap check Enable 4 In the Notification Name text box type a name for...

Page 495: ...es product OS restore CD ROM in the ClientSoftware directory The Symantec DeepSight Extractor for the Symantec Gateway Security 5000 Series v3 0 Installation and Configuration Instructions is found in...

Page 496: ...box on Miscellaneous tab uncheck Log successful connections 4 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configurat...

Page 497: ...er of log messages Prerequisites None To configure the reverse lookup timeout value 1 In the SGMI in the left pane under Assets click Asset Parameters 2 In the right pane in the Asset Parameters windo...

Page 498: ...ou can either view print or save it Note Be aware that the amount messages logged in your log file can affect the size of your report The more information in the log file for example spam messages the...

Page 499: ...hour and minutes to begin the report Select AM or PM In the Duration drop down lists select the time in seconds minutes or hours for which you would like to run the report You can also use the time s...

Page 500: ...access denied by the security gateway within a requested 24 hour period and provides information about users who have made connection attempts that do not conform to the security policy Note If the r...

Page 501: ...Lists and details bytes the source addresses who have most often accessed the sites through the security gateway Top Bytes Transferred by Web Site Lists sites both inside and outside the security gate...

Page 502: ...you can view The status of all security gateway configurations from one central location Individual component configuration reports All reports begin with a cover page that shows when the report was l...

Page 503: ...onfiguration report descriptions on page 503 Printing and saving a configuration report To view PDF reports you must have Adobe Reader installed on the same computer as the one that hosts the SGMI The...

Page 504: ...ished name settings Client Compliance Profile Details your client compliance settings In addition displays your antivirus settings for your antivirus server Clientless VPN Certificates Authorities Sho...

Page 505: ...nt Security Antivirus Response Settings Displays the actions you have set to perform when mail messages are identified as spam Content Security Email Restrictions Shows the content security email rest...

Page 506: ...slation NAT pools including the starting and ending addresses in the pool the addresses being modified and the description Network Entity Lists all configured network entities Information reported is...

Page 507: ...onfigured service groups Covered information includes the group s description protocols applied ratings and any additional parameters Services Shows the current status of key daemons and services Gate...

Page 508: ...or SSH from a command prompt on the computer you use to connect to the security gateway go to the following directory on the security gateway var lib sg management 2 In the management folder retrieve...

Page 509: ...508 Generating reports Upgrade reports...

Page 510: ...lustering technology to ensure high availability HA and increase performance through load balancing LB In a cluster two to eight security gateways are grouped together and instructed to work as a sing...

Page 511: ...ing to change or reassign default gateways on any computers All hosts point to the local default gateway and not the real IP address of a given cluster member Because the VIP is assigned to a subnet a...

Page 512: ...cluster members must match the IP addresses of all cluster members must be on the same subnets Each cluster member must have a unique member ID The member ID is the last octet in the IP address All m...

Page 513: ...you have just added a license for HALB you must reboot prior to running the Cluster Wizard A cluster consists of at least two cluster members and can include up to eight Before you create a cluster en...

Page 514: ...Cluster description Type a brief description of the type of cluster you are creating This description is used to identify the type and intent of the cluster Heartbeat interface Select a dedicated priv...

Page 515: ...lete a message tells you that all cluster members must be rebooted to activate the cluster 14 To reboot immediately click OK 15 If you disabled redirected services before creating the cluster edit the...

Page 516: ...after you save and activate changes To remove the cluster from hot standby mode uncheck Hot standby If you have change this option it requires a reboot after you save and activate changes 3 In the Lo...

Page 517: ...able on one of the cluster members then the entire cluster signals the fault The cluster status on the Cluster Member Settings window displays that the cluster node is down and the reason displayed is...

Page 518: ...the IP Addresses tab to add an entry to the Address list in the text box type the IP address of a host that you want to monitor and then click Add 5 Optionally on the Description tab type a more deta...

Page 519: ...clusters You can choose to assign specific traffic for instance from a Web server through a specific cluster member regardless of load balancing For incoming traffic you cannot specify a service redir...

Page 520: ...onal cluster member Although this is an administrator account it is only for internal cluster management you should never log on using this account If you change the cluster password you must log on t...

Page 521: ...r panel in the IP address text box type the new IP address 5 Click Next 6 In the Connect to New Cluster Member panel do the following In the User name text box type the user name In the Password text...

Page 522: ...solve a cluster all of its cluster members must then be individually managed You would dissolve a cluster when you no longer want to manage them in a clustered environment and you want to return to in...

Page 523: ...d information For further information related to this topic see the following Adding or removing a cluster member on page 520 Remove Cluster Member panel on page 806 Confirmation panel on page 805 Spe...

Page 524: ...viewing the cluster status Note This stepped reboot process does not apply to rebooting when you add delete an interface or a new cluster member When you reboot for these two situations all cluster me...

Page 525: ...click Firewall 2 In the right pane select the rule that you want to modify to use stateful failover and then click Properties 3 In the Rule s Properties dialog box on the Miscellaneous tab check State...

Page 526: ...interface by providing the following information You must define the same logical name IP address netmask and interface type on all cluster members 6 Click Next 7 In the Confirmation panel click Finis...

Page 527: ...uster member 1 Log on to the first cluster member 2 In the SGMI on the Tool menu click System Setup Wizard 3 In the System Setup Wizard click Next on each panel until the Network Interfaces panel disp...

Page 528: ...the System Setup Wizard click Next on each panel until the Network Interfaces panel displays 4 In the Network Interfaces panel select the interface 5 Change any of the following 6 In the Confirmation...

Page 529: ...ster member Prerequisites None To view cluster status in the SGMI 1 In the SGMI in the left pane under Cluster click Cluster Status 2 In the right pane on the Cluster Status window you can view the IP...

Page 530: ...the cluster member is up or down Note To learn about other bfstat usage you can use the following command bfstat help However other bfstat commands are troubleshooting commands that you should only u...

Page 531: ...traffic on the outside interface of the security gateway and redirects it to your mail server When the HTTP redirected service is used on a security gateway that is not in a cluster the requested addr...

Page 532: ...rties 10 In the Redirected Services Properties dialog box on the General tab check Enabled 11 In the Requested Address text box type the VIP address for external interface 12 Click OK 13 Optionally do...

Page 533: ...to remove and then click Remove the selected cluster member 6 In the Remove Cluster Member panel select Yes remove this member from the cluster 7 In the Connect to Host panel do the following 8 Click...

Page 534: ...ng service is not disrupted in the event of a cluster node failure RIP is configured on a physical inside interface but is applied using the VIP address Note OSPF will not advertise VIPs Due to this t...

Page 535: ...tering and leaving values If you configure more than one address transform using ANY VPN it is likely to confuse the cluster settings Before you configure a gateway to gateway tunnel be aware that the...

Page 536: ...lt gateway When restoring an image to a standalone system the interface information is always restored and you can correct the information on the Network Interface panel of the System Setup Wizard Clu...

Page 537: ...the Setup Options panel under What type of system do you want to configure click Cluster member 4 If you are using the System Setup Wizard to restore from a backup image check Restore from a backup im...

Page 538: ...restoring to a standalone security gateway except for a panel that is presented to you to determine whether the cluster information should be restored from this image Restore a configuration to a clus...

Page 539: ...stration cluster configuration to a production network 1 Unpack your new security gateways 2 Use the Connecting and Configuring section of the Symantec Gateway Security 5000 Series V3 0 Getting Starte...

Page 540: ...eginning of the configuration An error at the beginning of the configuration indicates problems with the cluster member that is deploying the configuration which is the first cluster member you logged...

Page 541: ...interface on all cluster members must have a heartbeat address defined On all cluster members run the System Setup Wizard to define the heartbeat interface address There are pending changes Modifying...

Page 542: ...n added Ensure that the correct address was specified Could not start remote host IP cluster propagation engine Failed to start the propagation engine Reboot the remote system Could not synchronize re...

Page 543: ...member certificate A cluster member that you are adding does not have an SSL certificate defined Restore the initial installation of the cluster member No DNS entry found for new member The cluster ma...

Page 544: ...ely remove a cluster before adding it back again Cannot coordinate delete of remote systems you must cancel the delete operation and fix the problem Delete message flowing error when qualifying a remo...

Page 545: ...the correct heartbeat interface attribute was selected when you ran the Cluster Wizard No interface changes were detected Update the system interface information on all members prior to invoking this...

Page 546: ...se but are not enabled by default Table A 1 Advanced options Option name Description blacklistd blacklist_time Period of time in minutes that an IP address remains on the blacklist The default value i...

Page 547: ...must convert it to its ASCII equivalent ACE before it can query DNS for resolution If the client s Web browser is set to use a proxy such as the security gateway it is the proxy s responsibility to c...

Page 548: ...r traffic idssym ports_bd_evolution Ports normally related to BD Evolution traffic idssym sara_ports Ports running security Auditor s Research Assistant traffic idssym sunrpc Ports running Sun Remote...

Page 549: ...es exceeds this threshold all message above the threshold are dropped This helps prevent a flood of log messages from overloading the security gateway s processing ability The default value is 200 mis...

Page 550: ...lt value is true tcp gsp service halfclose_timeout Half close timeout for a particular service handled by TCP GSP where service is in the format of port tcp For example tcp gsp 123 tcp halfclose_timeo...

Page 551: ...of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click...

Page 552: ...ed options 4 Do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save...

Page 553: ...552 Advanced system settings Configuring advanced options...

Page 554: ...ou can also request that a certificate be signed by a third party certificate authority CA and install third party certificate authorities on the gateway to facilitate certificate verification in your...

Page 555: ...Server Certificates tab click Create new certificate 3 In the Create New Certificate dialog box do the following 4 Click OK 5 Optionally do one of the following To save your configuration now and acti...

Page 556: ...urther information related to this topic see the following Installing a signed certificate on page 555 Installing a signed certificate After you send the request file to the certificate authority that...

Page 557: ...556 SSL server certificate management Installing a signed certificate...

Page 558: ...ase To access Symantec Gateway Security 5000 Series troubleshooting information 1 Go to http www symantec com 2 On the top of the home page click support 3 Under Product Support enterprise click Conti...

Page 559: ...ave one serious log message look at the messages immediately preceding and following it for subsidiary informational messages Many problems right after installation come from basic connectivity glitch...

Page 560: ...lowing Use SSH to FTP from the security gateway first using the IP address and then the host name or URL If you cannot connect to the FTP site you could have a routing problem a DNS problem or your IS...

Page 561: ...e viewer Ensure that your LANG environment variable is set to or en_US UTF 8 before running flatten or remotelogfile Note Use the version of flatten that comes with the version of your appliance Note...

Page 562: ...er it If a system has client listed after it it initiated a connection If a system has server listed after it it was the destination of a connection Every connection through the security gateway invol...

Page 563: ...DeepSight Threat Management System on page 494 Using command line utilities to perform a local or remote backup on page 101 Managing log files remotely on page 480 Enabling SSH for command line acces...

Page 564: ...us and antispam Dialog boxes that display when you make a menu selection Each topic provides a brief description of the SGMI feature one or more cross references to how you can use the feature and a t...

Page 565: ...st the chart displays total throughput and incoming and outgoing throughput for the interface System Usage Percentage of CPU and memory usage System Active connections Number of active connections Che...

Page 566: ...ring connections on page 466 Connection Summary Properties dialog box The Connection Summary Properties dialog box shows the connection details for a selected connection Associated tasks The task that...

Page 567: ...he following format hndl type id rem_gw Where hndl handle type protocol type id internal tunnel ID rem_gw remote gateway For example a tunnel presented as 2 isakmp 16 20 20 20 1 has the following valu...

Page 568: ...type For example ldap ooba For IPsec stats this field is always blank This field is not the authentication method in IKE negotiation Authentication User The authenticated gateway user The user name c...

Page 569: ...erver Primary Server Last updated Date and time of the last LiveUpdate Primary Server Status Primary server status is one of the following Up Last server query was successful Pending Server query is i...

Page 570: ...s exceeded You can unlock these user accounts Associated tasks The tasks that you can perform with this tab include Viewing clientless VPN failed logon attempts on page 469 Unlocking user accounts on...

Page 571: ...d backing up archived log files on page 475 Adding or removing Event Log table columns on page 475 Starting a new log file on page 476 Table D 7 Event Logs tab Field Description New Log Saves the exis...

Page 572: ...en triggered and could potentially be an attempt to breach the network perimeter Critical Indicates that the security gateway security is still working but one or more services have failed Emergency I...

Page 573: ...ts you limit the events that are displayed in the table by searching the event log for one of the following classifications of events Access allowed Access through the security gateway was allowed Acc...

Page 574: ...arch dialog box Advanced tab Field Description Event Types Limits the log messages displayed according to their event types Event types are Informational Indicates the security gateway is operating pr...

Page 575: ...s the log messages displayed according to parameters contained in the messages and the values you specify System names Limits the log messages displayed according to the security gateway that generate...

Page 576: ...S alerts table to a display of all alerts in the log Table D 13 IDS Alert Properties Field Description Time Date and time stamp of when the intrusion occurred Type Event type IDS IPS events always hav...

Page 577: ...moderate impact denial of service attacks and threats permitting write access to important data or read access to sensitive data High A high severity level indicates a threat that poses a high risk su...

Page 578: ...stination of the intrusion This option is unchecked by default Time Time period for which IDS IPS alerts are displayed This option is unchecked by default When Time is checked the following controls s...

Page 579: ...potentially be an attempt to breach the network perimeter Critical Indicates that the security gateway security is still working but one or more services have failed Emergency Indicates an emergency T...

Page 580: ...on is checked by default Notification Name A unique name for the blacklist notification The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscores _ Do...

Page 581: ...ss or fully qualified domain name of the selected remote security gateway Port Port number over which to send the blacklist information to the remote security gateway The default value is 426 Password...

Page 582: ...whether this option is enabled This option is checked by default Notification Name A unique name for the client program notification The maximum length is 256 characters Allowed characters are a z A Z...

Page 583: ...potentially be an attempt to breach the network perimeter This option is unchecked by default Triggered by Error Event Normal security gateway operation cannot complete successfully The security of y...

Page 584: ...ffic through the security gateway This option is unchecked by default Triggered by Critical Event The security gateway security is still working but one or more services have failed This option is unc...

Page 585: ...include spaces in the name The characters and other reserved characters are also invalid Time Periods Indicates the time period during which the pager notification is active Options are ANYTIME When...

Page 586: ...tempt to correct the error as soon as possible This option is unchecked by default Triggered by Warning Event Indicates an error condition that the security gateway can recover from but that requires...

Page 587: ...teway This option is unchecked by default Triggered by Critical Event The security gateway security is still working but one or more services have failed This option is unchecked by default Triggered...

Page 588: ...General tab Field Description Enable Indicates whether this option is enabled This option is checked by default Notification Name A unique name for the SNMP V1 trap notification The maximum length is...

Page 589: ...s still ensured but you should attempt to correct the error as soon as possible This option is unchecked by default Triggered by Warning Event Indicates an error condition that the security gateway ca...

Page 590: ...s whether this option is enabled For traffic to be controlled using this rule it must be enabled This option is checked by default Rule name A unique name for this rule The maximum length is 256 chara...

Page 591: ...her IKE policies are used and the use of certificates or shared secrets Network entity group A collection of other network entities such as hosts domains and subnets When multiple hosts require simila...

Page 592: ...Psec_Pass_Through Contains the ESP isakmp and udp_encap protocols Use it for rules that allow IPsec traffic through the security gateway to a VPN server on the other side News Contains the NNTP protoc...

Page 593: ...ty gateway has been enabled to log alert messages when specified alert thresholds are reached This option is unchecked by default For rules that experience a high level of activity such as rules that...

Page 594: ...ilable if the service group for the rule contains the HTTP protocol This option has the following effects When checked on a rule that controls HTTP HTTPS traffic the driver forwards protocol packets u...

Page 595: ...at have been added to the rule Parameter Lets you add modify or delete the syntax for the advanced service The syntax must be correct Contact Symantec Technical Support for the exact syntax Table D 28...

Page 596: ...list in conjunction with the included user groups list to allow most users of a group but exclude some specific individuals Excluded user groups Displays user groups that are disallowed by the rule A...

Page 597: ...ion is unchecked by default HTTP Indicates whether antivirus scanning is applied to HTTP traffic that is controlled by this rule This option is only available if the service group used in the rule inc...

Page 598: ...by default If you enable antivirus scanning you can select any of the following options Replace deleted files with message file Replaces an infected attachment in an HTTP container file for example a...

Page 599: ...time blacklisted senders to allow list Lets you create a custom list of mail transfer agent IP addresses that are permitted to bypass the real time blacklist processing Note These features are only av...

Page 600: ...an select an existing content profile from the list or create a new one HTTP Applies content filtering to HTTP traffic that is controlled by this rule This option is checked by default if the service...

Page 601: ...matched to a specific pair of network entities All filters are characterized as A B and B A where the letters A and B stand for the network entities The direction of the arrow specifies which entity...

Page 602: ...you have configured individual packet filters you can put them together in filter groups to refine the filtering of traffic A filter group can also include other filter groups Associated tasks The tas...

Page 603: ...ecify the time periods by either of the following Time period ranges Time period groups Time Period Range Properties General tab The Time Period Range Properties dialog box lets you specify a single w...

Page 604: ...which the time period range begins The default Not Defined means that this time period range does not use a day range Day range Through Day of the week on which the time period range ends The default...

Page 605: ...sk that you can perform with this tab is Configuring a time period group on page 288 Time Period Group Properties Description tab Optionally provides an extended description This information is useful...

Page 606: ...this option is enabled This option is checked by default Name A unique name for the VPN tunnel The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscor...

Page 607: ...Keys button rather than creating your own keys Local network entity key Data integrity key for the local entity This dictates the type of authentication header AH that is prepended to packets sent thr...

Page 608: ...r and it lets the receiver identify the tunnel to which the packet belongs Encryption Header SPIs Remote network entity Security Parameter Index SPI for the remote endpoint of the tunnel The SPI is pa...

Page 609: ...is 128 characters For longer descriptions use the Description tab Table D 43 Client VPN tunnel Properties General tab Field Description Enable Indicates whether this option is enabled This option is e...

Page 610: ...ion tab Filter applied Applies a filter as part of the VPN policy The options are Sample_Denial of Service_filter Blank Any filter you have previously configured The default is none Data integrity pro...

Page 611: ...check box sends the data packet up the protocol stack for authorization The packets are then subject to all the address transforms and rule checking performed by the proxies This check box is uncheck...

Page 612: ...ion Standard using 56 bit key 3DES Uses the triple Data Encryption Standard using three 56 bit keys AES 16 Uses Advanced Encryption Standard with a 16 byte key AES 24 Uses Advanced Encryption Standard...

Page 613: ...ntication header that will be prepended to packets sent through the tunnel Supported types are SHA1 Uses an algorithm that generates a 160 bit message digest slower but more secure than MD5 MD5 Uses a...

Page 614: ...ates tables of these strings and replacement tokens which consist of pointers to the previous data streams LZS uses these pointers to remove redundant strings from the new data streams DEFLATE Uses a...

Page 615: ...ssful the next algorithm is tried Down Moves the selected item in the Selected list down in the list Table D 49 IPsec static key policy Properties General tab Field Description Policy name A unique na...

Page 616: ...AH holds authentication information for its IP packets It accomplishes this by computing a cryptographic function for the packets using a secret authentication key If you select this option but you h...

Page 617: ...is is the default DES Uses the Data Encryption Standard using a 56 bit key to encrypt and decrypt messages 3DES Uses triple Data Encryption Standard using three 56 bit keys to encrypt and decrypt mess...

Page 618: ...d corporate Web based applications from any location Remote users at any dial up broadband or wireless access point can gain access to specific applications by logging in to a secure extranet Table D...

Page 619: ...l traffic to the security gateway proxies This option is unchecked by default DHCP Enables DHCP connections This option is checked by default DHCP server location If DHCP is enabled select an existing...

Page 620: ...entary patterns for the most essential URL components An access rule identifies specific resources and the attributes required to access them Each simple rule can only define one resource protocol Dif...

Page 621: ...t Port number to use This is only necessary if it is not the default port number for that resource protocol Path Folder file or URL path to the resources made available or restricted on the destinatio...

Page 622: ...rce defined by the rule select Allow To specifically prevent users from accessing the resource defined by the rule select Deny Allow is the default Network application s Network application to which t...

Page 623: ...name User name to whom to allow or deny access to the resource Domain For file resources only an expression that matched the domain in which the resource resides Share For file resources only an expr...

Page 624: ...tion is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 56 Rule Set Properties General tab Field Description Rule s...

Page 625: ...signing a parent to a role on page 429 Table D 58 Clientless VPN Role Properties General tab Field Description Role type Role type The role type options include User Group Custom role The default is G...

Page 626: ...are added to the role This is a read only field To remove a portal page from parent you must remove the parent role entirely Portal pages To add portal pages to this role click Add select the portal p...

Page 627: ...lows remote users to log on to the security gateway This option is checked by default Lock user accounts automatically Automatically locks user accounts in accordance with the parameters set in the Fa...

Page 628: ...urces from the user interface without re entering their user name and passwords Associated tasks The task that you can perform with this tab is Creating a single sign on rule on page 439 Table D 65 Cl...

Page 629: ...ntication data appears within the message body This is the default Failed method URL to which users are redirected when the authentication fails Capture all authentication variables Captures all authe...

Page 630: ...operations to convert or rewrite resource host names or URLs with the security gateway s address instead of the actual network host or URL Use the URL Translation Rules properties General tab to speci...

Page 631: ...uration tab Field Description Maximum time in seconds Indicates whether this option is enabled and displays the maximum time that the security gateway can spend extracting a single container file Use...

Page 632: ...is checked by default When an email has malformed containers Indicates the action the security gateway should take when an email has malformed containers Options are Block the file SMTP Only This is...

Page 633: ...ing options apply to file scanning Scan all files This option will scan all files regardless of extension This option is unchecked by default Scan all files except the following types This option will...

Page 634: ...Mail Attachment Restrictions tab Field Description Files Lists file names and search strings that identify mail attachments that should be restricted The Add button lets you add file names and search...

Page 635: ...specified file sizes and deliver the remainder of the message including attachments that do not match a specified file size The mail message is not updated to indicate that an attachment has been dele...

Page 636: ...he SMTP protocol Insert x virus header Adds an x virus header to an email message and forwards the email and any attachments to the recipient The Insert x virus header option does not repair or delete...

Page 637: ...ile the security gateway removes the infection and rebuilds the container You can replace the deleted infected file with a text file that notifies the recipient that an infected file was deleted You c...

Page 638: ...ts on page 356 Reducing false positives using a custom allow list on page 357 Identifying spam using a custom known spammers list on page 354 Message contained in the file that replaces a deleted file...

Page 639: ...e is 3 When you increase the sensitivity level more false positives are likely to occur Real time blacklisted senders to allow Lists IP addresses or fully qualified domain names of real time blacklist...

Page 640: ...ault text is Spam When no text is typed in the box the subject line is not modified No response The default value is Prepend to the mail subject Email senders identified as spam SMTP only Indicates an...

Page 641: ...dialog box is Reducing false positives using a custom allow list on page 357 Related information For further information related to this topic see the following About the antispam scanning process on...

Page 642: ...S IPS policy change the heuristic detection level that is enforced by an existing policy and add a brief caption describing the policy Associated tasks The task that you can perform with this tab is C...

Page 643: ...s that you can perform with this tab are Viewing intrusion events on page 326 Modifying event log and block settings on page 329 Heuristic Heuristic detection level for the selected IDS IPS policy Opt...

Page 644: ...s Medium_Security A medium security IDS IPS policy can be applied to service networks High_Security A high security IDS IPS policy can be applied to outside interfaces Very_High_Security A very high s...

Page 645: ...rovide troubleshooting information Low A low severity level indicates reconnaissance tools general malicious indicators and threats with a low impact Medium A medium severity level indicates a threat...

Page 646: ...to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 85 IDS Portmap Configuration Properties dialog box General tab Field Descr...

Page 647: ...list Deny Permits users to access any URL address except those in the list Deny URLs that contain the following patterns Lists URL patterns that are used to restrict access to sites URL patterns must...

Page 648: ...ing file extensions from the Available list When you apply file extension restrictions to a rule the security gateway allows or denies download of files with the file extensions in this list Select on...

Page 649: ...rofile you control the degree of filtering that is applied by choosing to deny particular content categories Depending on the state of a particular list access to the URLs contained in the list may be...

Page 650: ...ges from 1 to 10 where 10 is the most sensitive The default value is 8 Content Profiles Lists the content profiles that you configured for your security gateway Table D 93 Content Filtering Profile Pr...

Page 651: ...ying the contents of a content category on page 312 Rating Modification Properties Description tab Optionally provides an extended description This information is useful to help track changes or it ca...

Page 652: ...ion Field Description Available rating categories Lists rating categories to which URLs or newsgroups can be added so that they can be blocked To move a rating category to the Selected categories list...

Page 653: ...profile or create a new one A newsgroup profile specifies a list of allowed and denied newsgroups Because newsgroups can have different scope it is necessary to have both an allow and a deny list For...

Page 654: ...can perform with this tab include Ensuring compliance of remote Client VPN computers on page 397 Ensuring client compliance for clientless VPN users on page 449 Table D 99 Newsgroup Profile Properties...

Page 655: ...of scanning engine Requires that the client has the latest version of the antivirus scanning engine This option is unchecked by default Require latest virus definitions Requires that the client has th...

Page 656: ...with the selected packet filter Web VPN Single sign on Enables single sign on rules for clientless VPN users Web VPN Store Web VPN passwords for use with single sign on When the feature is enabled th...

Page 657: ...k interface See Enabling spoof protection on page 370 Table D 102 Host Network Entity Properties General tab Field Description Entity name A unique name for the host network entity The maximum length...

Page 658: ...ve through the interfaces in this list the security gateway does not check whether they are arriving through the correct interface Selected Lists the interfaces that are associated with this host netw...

Page 659: ...brief description of the subnet entity The maximum length is 128 characters For longer descriptions use the Description tab Table D 105 Subnet Network Entity Properties Spoof Protection tab Field Desc...

Page 660: ...ith this tab is Creating a network entity group for rules that apply to multiple entities on page 166 Table D 106 Domain Name Network Entity Properties General tab Field Description Entity name A uniq...

Page 661: ...Creating security gateway network entities for use in tunnels on page 164 Caption An optional brief description of the network entity group The maximum length is 128 characters For longer description...

Page 662: ...This is useful for deployments where the security gateway is using a DHCP server on the outside VIP Only available when the security gateway is a member of a cluster and a virtual IP address VIP has b...

Page 663: ...sed for authentication This option is unchecked by default Shared secret When IKE is enabled and your address type is an IP address or Domain name selecting this option indicates that a shared secret...

Page 664: ...Network Interfaces tab lets you modify the parameters of the network interfaces for your security gateway To configure new network interfaces or to modify a network interface IP address or netmask yo...

Page 665: ..._ Do not include spaces in the name The characters and other reserved characters are also invalid Port Scan detection Indicates whether port scan detection is enabled on this interface This option is...

Page 666: ...t in the allowed list throttling is applied No selection blank line in drop down list SYN flood protection is disabled Both forms of throttling are triggered only if the security gateway is already ex...

Page 667: ...293 Caption An optional brief description of the network entity The maximum length is 128 characters For longer descriptions use the Description tab Table D 114 Network Interface Properties Static IP...

Page 668: ...ameters Route Cost This field is often used as a mechanism to give priority to one interface over another The lower the cost the more likely it is that this interface gets chosen over another Acceptab...

Page 669: ...security gateway is not the default route and you are using static one to one mapping of addresses to conceal addresses on your network or to handle the problem of address overlapping When the securit...

Page 670: ...Description tab Arriving through Interface or secure tunnel that the client is using to access the designated address For example if all packets coming from the interface to the network destination a...

Page 671: ...ters defined When this happens the connection is dropped and the NAT address is released back into the pool The security gateway translates source addresses for transmitted packets and destination add...

Page 672: ...consist of only one entity if necessary The mapping must also be one to one In other words you must have the same number of entities in your real subnet as you do in your NAT subnet Table D 119 Dynami...

Page 673: ...e has to be two published IP addresses or the validation errors will occur If clientless VPN is enabled with the same external IP address the security gateway does not know where to direct the traffic...

Page 674: ...ion Paul Albitz and Cricket Liu O Reilly Associates Inc 2001 ISBN 0 596 00158 4 Before configuring DNS you should familiarize yourself with the differences between RFC defined DNS and the security gat...

Page 675: ...rver with a DNS authority record on page 145 DNS Authority Record Properties Description tab Optionally provides an extended description This information is useful to help track changes or it can be u...

Page 676: ...ifies either a host name or IP address in a given domain This type of record serves a dual purpose acting as either an A address record which resolves a name to an address or a PTR pointer record whic...

Page 677: ...d characters are also invalid Accessibility The drop down list contains the following Public Defines the outside interface as the authoritative DNS server for your domain Any host internal or external...

Page 678: ...ord Properties General tab Field Description Enable Indicates whether this option is enabled This option is checked by default Server name A unique name for the DNS mail server record The maximum leng...

Page 679: ...DNS system supports defining name servers for a domain The name server entry marks the authoritative servers to consult when performing DNS lookups for a host in that domain Authoritative name server...

Page 680: ...record The maximum length is 256 characters Allowed characters are a z A Z numerals periods and dashes Do not include spaces in the name The characters _ and other reserved characters are also invali...

Page 681: ...for the external network Associated tasks The task that you can perform with this tab is Resolving host name requests for an outside system by creating a DNS recursion record on page 149 Table D 131...

Page 682: ...ecord if you have no access to the Internet if you have your own internal root servers This is also preferred to using a forwarder on the internal security gateway Associated tasks The task that you c...

Page 683: ...help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 134 DNS Subnet Record Properties General tab Field Description Enable Indicat...

Page 684: ...s an Address transform allowing client to see the server s actual IP address Use original source address if selected The SPF record should resolve to the actual mail server address Address transform w...

Page 685: ...omain If the mail is not received from one of the listed MX servers then the message does not meet a domain s strict definition of legitimacy and the domain cannot confidently state that the message i...

Page 686: ...s requesting that access This is most commonly done through a security mechanism called authentication The authentication process verifies the identity of a user requesting access by contacting an aut...

Page 687: ...rs and groups The primary purpose of the internal authentication server is to provide a mechanism for administrators without an external authentication server to configure and control access for defin...

Page 688: ...erver record The maximum length is 256 characters Allowed characters include a z A Z numerals periods dashes and underscores _ Do not include spaces in the name The characters and other reserved chara...

Page 689: ...determined using the attributes found within LDAP group records Using this approach the DN returned during the authentication process is used in conjunction with the values specified in the Group Obje...

Page 690: ...During authorization checks the value specified here is used by the LDAP Ticket Agent in conjunction with the value specified in the Group Member Attribute text box and the Distinguished Name returne...

Page 691: ...unique name for the RADIUS authentication server record The maximum length is 256 characters Allowed characters include a z A Z numerals periods dashes and underscores _ Do not include spaces in the...

Page 692: ...This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 146 SecurID Properties General tab Field Descri...

Page 693: ...ength is 256 characters Allowed characters include a z A Z numerals periods dashes and underscores _ Do not include spaces in the name The characters and other reserved characters are also invalid Joi...

Page 694: ...alphanumeric characters Table D 148 Scheme Properties General tab Field Description Scheme name A unique name for the authentication scheme The maximum length is 256 characters Allowed characters are...

Page 695: ...le D 149 User Account Properties General tab Field Description User name A unique name for the user The maximum length is 256 characters Allowed characters include a z A Z numerals periods dashes and...

Page 696: ...sword Confirmation of the password typed in the Password field This field is used when configuring a password to confirm what you typed in the Password field Account expiration date Date that this acc...

Page 697: ...r group Names of all the groups of which the user is a member If this is a new user the Groups tab lets you add this user to an IKE user group so that it will appear in this drop down list An IKE enab...

Page 698: ...n optional brief description of this user group The maximum length is 128 characters For longer descriptions use the Description tab Table D 154 User Group Properties VPN Authentication tab Field Desc...

Page 699: ...ethod Enforce client compliance Selects level of client compliance required The default selection is Ignore Enforce group binding Enforces binding between the extended authentication user name and a g...

Page 700: ...Properties CIFS Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alp...

Page 701: ...ry name servers how often to check with the system on the accuracy of the secondary name server s DNS database If there is a discrepancy a DNS zone transfer of information occurs between the secondary...

Page 702: ...ier It can be up to 10 characters The default is yyyymmddHHM Hostmaster This address should be in the format account server and not account server This address is then passed along to other name serve...

Page 703: ...Modifying the FTP greeting on page 200 Deny outside RFC1918 addresses When enabled lookup responses received from the outside interface that contain such addresses RFC 1918 are denied If you are using...

Page 704: ...FTP Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric ch...

Page 705: ...l GSP proxies are enabled allowing traffic to be passed using protocols that do not have proxies The Use GSP option must also be checked on the protocol This option is checked by default Enable TCP GS...

Page 706: ...tasks The task that you can perform with this tab is Configuring access for Internet based communications on page 204 Table D 165 Proxy Properties GSP Connection Timeout tab Field Description TCP tim...

Page 707: ...ions are closed and whether tracing is enabled Associated tasks The tasks that you can perform with this tab include Modifying the timeout period to keep inactive H 323 connections open on page 207 En...

Page 708: ...mon closes the session The default is 300 seconds Enable Socket Linger Defines how connections are closed You should only check this option in a closed environment This option is unchecked by default...

Page 709: ...at you can perform with this tab is Configuring the HTTP proxy to listen on additional ports for secure connections on page 214 Table D 171 Proxy Properties HTTP Web Proxy tab Field Description Extern...

Page 710: ...Changing the default extension added to URLs on page 215 Proxy Properties HTTP Description tab Optionally provides an extended description This information is useful to help track changes or it can be...

Page 711: ...through mail slots on page 197 Proxy Properties NBDGRAM Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for...

Page 712: ...ticle cache Associated tasks The task that you can perform with this tab is Changing the size of the news cache on page 218 Table D 179 Proxy Properties NNTP General tab Field Description Enable Indic...

Page 713: ...h the NNTP proxy listens on page 220 Table D 181 Proxy Properties NNTP Policy tab Field Description Minimum Visit Time seconds Controls the frequency at which NNTP logs statistics events when users sw...

Page 714: ...e nearest interface of the security gateway for NTP They cannot query outside NTP servers Associated tasks The task that you can perform with this tab is Configuring access for news feeds on page 216...

Page 715: ...n Internal NTP servers Servers that are used to synchronize the system clocks Optionally these are needed if the security gateway does not use the public NTP servers For example if the security gatewa...

Page 716: ...when users retrieve their email from external servers The POP3 proxy provides services such as access control address transparency NAT RFC compliance enforcement and antispam and antivirus scanning In...

Page 717: ...ogon rlogon shell rsh Associated tasks The task that you can perform with this tab is Configuring the security gateway to support UNIX commands on page 223 Proxy Properties RCMD Description tab Option...

Page 718: ...ms checking on each mail connection and can be configured to scan for known mail based forms of attack such as viruses and spam Associated tasks The tasks you can perform with this tab include Configu...

Page 719: ...e SMTP proxy to debug mode for more verbose error reporting on page 234 Table D 192 Proxy Properties SMTP Timeout tab Field Description Connection timeout seconds Determines how long the SMTP proxy wa...

Page 720: ...Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric chara...

Page 721: ...the system the alias file you create lets it locate the hidden inside address of its final destination The aliases you create here are eventually typed into the H 323 client interface Associated tasks...

Page 722: ...dividual predefined proxy or a Generic Service Proxy GSP ICMP Based Protocol Properties General tab You use an Internet Control Message Protocol ICMP to send error and control messages about routing p...

Page 723: ...sage type of the protocol The following message types are supported 0 Echo reply 3 Destination unreachable 3 Net unreachable 3 Host unreachable 3 Protocol unreachable 3 Port unreachable 3 Fragmentatio...

Page 724: ...destinations as if the requester was directly connected to the remote destination machine Note Source ports are only maintained for connections if the original client address is maintained Table D 20...

Page 725: ...pe of destination port used by the protocol Select one of the following Single Port Lets you specify a Destination low port only Port Range Use a port range if the application for which you are creati...

Page 726: ...tion is enabled Check this option to enable the custom protocol to use the GSP proxy since custom protocols are not supported by the system proxies This option is checked by default Use native service...

Page 727: ...me protocol as it is used in different service groups You can create a service group before creating the rule or create the service group as you create the rule Service Group Properties General tab A...

Page 728: ...ion tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Tab...

Page 729: ...on an SMB server File Permission Change Allowed Lets users and applications change modal attributes of any file on an SMB server File Generic Access Allowed Lets users connect to any shared resource n...

Page 730: ...e security gateway log file Kerberos Authentication Allowed Microsoft Windows 2000 uses Kerberos as an authentication method for any connecting systems You should enable this option should if you are...

Page 731: ...of the HTTP protocol Associated tasks None Table D 207 Parameters for ftp Additional Commands tab Field Description Command list Current list of additional commands for this protocol Command Additiona...

Page 732: ...it is necessary to create client side transparency using an address transform on the system depending on whether the DCOM connection is incoming or outgoing server side transparency exists by default...

Page 733: ...ting Allowed Enables posting to a newsgroup This option is enabled by default Loose Filter Policy Allowed When this option is enabled any message that is posted to at least one of your allowed newsgro...

Page 734: ...rameters for pop 3 Advanced tab Field Description Allow DELE command Support for deleting email This option is checked by default Enable POP3 extensions Enables support for POP3 extended commands Once...

Page 735: ...th limits are not applicable In this case to configure RealAudio limits you must set up MIME type restrictions Caption An optional brief description of the modifiable parameters for RealAudio The maxi...

Page 736: ...ines that match the hidden domain name are replaced by the message private information removed Suppression is for a single block of received header lines Sender Domain Checked Forces the sender s addr...

Page 737: ...by default ATRN Enabled Allows an on demand mail relay from the server to the client by turning the existing connection around This option is checked by default ETRN Enabled Lets clients access mail I...

Page 738: ...mum length is 20 000 alphanumeric characters Portal Page Properties General tab The Portal Page Properties General tab lets you completely customize the user experience by configuring quick links that...

Page 739: ...perties General tab Field Description Portal page name A unique name for the portal page The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscores _ D...

Page 740: ...Allowed characters are a z A Z numerals periods dashes and underscores _ Do not include spaces in the name The characters and other reserved characters are also invalid Display name Type a name for t...

Page 741: ...ion is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 223 Resource Group Properties General tab Field Description...

Page 742: ...s The Secure Web Mail tabs let you accommodate different possible mail server configurations by mapping IMAP servers to SMTP servers for use with the Web mail client In addition you can set the domain...

Page 743: ...page 430 Table D 226 Secure Web Mail Access Properties General tab Field Description Domain name Domain name of the host mail server IMAP host name IP address or fully qualified domain name of the IMA...

Page 744: ...tion password for user accounts that use internal authentication The maximum value is 9999 The default value is 10 Clientless VPN User timeout seconds Number of seconds to wait until timing out a clie...

Page 745: ...irus is installed Antispam Indicates whether this option is enabled The antispam feature provides scanning processes that let you optimize spam detection and reduce false positives You can also config...

Page 746: ...you log on to the security gateway over the network If you enable both SSH version1 and SSH version 2 simultaneously the appliance makes an SSH v2 connection which is more secure Take one or more of...

Page 747: ...nd localized Enabling text logging instructs the security gateway to write out two separate versions of the log file one in binary and the other in text There is a performance impact as the security g...

Page 748: ...equest Port Number Port number on which logserviced listens for requests from services to translate log messages The default value is 6867 Rollover Request Port Number Port number on which logserviced...

Page 749: ...ntication or support a limited set of authentication types like HTTP The most common use for OOBA is to enable authentication on a GSP which does not have authentication by default The General tab let...

Page 750: ...et information as well as the user name This means that a user must connect to a server from the same IP address each time for the ticket to be valid Including the client IP address with the user name...

Page 751: ...s tab is Maintaining traffic flow on page 113 Port Port number for authenticating connections requiring a log on and log off Do not change this port unless you have a direct conflict The default value...

Page 752: ...onds that are allowed to elapse between the time a process restart on a daemon is first attempted to when the restart functions stops trying to restart the process Use this parameter in conjunction wi...

Page 753: ...violations to SESA This option is checked by default Intrusion Detection Reports Sends events that are generated by intrusion detection violations to SESA This option is checked by default Client Com...

Page 754: ...ated by network traffic are tallied during the time period specified for the Message Send Rate At the end of this period a single message summarizing the tally is sent to SESA Not Consolidated All eve...

Page 755: ...tion This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 237 LiveUpdate Server Properties General t...

Page 756: ...ettings for Component Properties General tab Field Description Last update Date the last LiveUpdate was run Version Current version of the definitions For IDS IPS Signature version Current version of...

Page 757: ...te Settings for Component Properties Schedule tab Field Description Automatic update Runs LiveUpdate automatically at the specified time This option is unchecked by default Multiple times a day Perfor...

Page 758: ...e includes both the host and the domain name The maximum length is 64 characters Allowed characters are a z A Z numerals and periods Hyphens cannot be used in the common name Generally it is the host...

Page 759: ...eral tab Fields Description Enable Indicates whether this option is enabled This option is checked by default User Name Name of the administrator The maximum length is 32 characters Allowed characters...

Page 760: ...r accounts This option is unchecked by default Read IDS allowed Enables the administrator to view IDS signatures This option is checked by default Write IDS allowed Enables the administrator to modify...

Page 761: ...t Issue alert Enables the administrator to create notifications for events This option is checked by default SSH allowed Enables the administrator to connect to the security gateway appliance using SS...

Page 762: ...u must log on to each cluster member and make the same change All cluster passwords must match Associated tasks The task that you can perform with this tab is Changing the cluster account password on...

Page 763: ...tion An optional brief description of the Cluster account The maximum length is 128 characters For longer descriptions use the Description tab Table D 247 Cluster Account Properties Configuration Priv...

Page 764: ...bles log file management on nodes in a cluster Issue alert Enables the creation of notifications for events Reboot allowed Enables rebooting of the security gateway Backup allowed Enables the back up...

Page 765: ...Address tab Field Description Permitted logon addresses Lists the IP addresses from which the cluster account can be accessed When restricted addresses are assigned the cluster account cannot be acces...

Page 766: ...Account Properties Privileges tab Field Description View log Lets the remote computer be used to view security gateway log files This option is checked by default Manage log Lets the remote computer b...

Page 767: ...nt to avoid having blocked in the event that SYN flood protection is enabled and the security gateway is currently throttling connections because it believes it is under attack Associated tasks The ta...

Page 768: ...ecurity gateways are grouped together and instructed to work as a single entity All cluster members share the state information of all other cluster members and any cluster member can immediately assu...

Page 769: ...ancing If potential overload is anticipated you should enable load balancing rather than hot standby mode If load balancing is enabled the load will be shared between the configured cluster members If...

Page 770: ...IP addresses for clusters on page 515 Table D 257 Cluster Member Properties Field Description Member ID Displays the cluster member ID This field is read only Weight Weight is a number between 1 leas...

Page 771: ...rocesses on page 516 Ping Groups window You can configure ping groups to monitor any device on any network For example servers switches hosts routers and so forth If the Ping group fails the whole clu...

Page 772: ...erface by configuring NIC monitoring NIC monitoring does not work on VLAN interfaces Associated tasks The task that you can perform with this window is Configuring NIC monitoring on a cluster on page...

Page 773: ...rs Traffic Grouping window You can choose to assign specific traffic for instance from a Web server through a specific cluster member regardless of load balancing For incoming traffic you cannot speci...

Page 774: ...ociated tasks The task that you can perform with this dialog box is Changing the root password on page 73 Table D 264 Traffic Grouping window Field Description Address IP address of a server to be ass...

Page 775: ...locked and the new password contains digits or punctuation characters you are warned however you can still create the password If the LCD panel is locked If the LCD panel is locked the password must...

Page 776: ...viewed with any standard Web browser if generated in HTML format or Adobe Acrobat reader if generated in PDF Associated tasks The tasks that you can perform with this dialog box include Generating and...

Page 777: ...page 777 Client VPN Package Wizard panel This is the first panel of the Client VPN Package Wizard This panel introduces you to the wizard Associated tasks The task that you can perform with this panel...

Page 778: ...es the configuration of VPN tunnels for remote Client VPN users Associated panels These are the individual panels of the Remote Access Tunnel Wizard for Client VPN Remote Access Tunnel Wizard panel on...

Page 779: ...e Remote Access Tunnel Information panel you assign a name to the Client VPN tunnel and provide a brief description Associated tasks The tasks that you can perform with this panel include Using the Re...

Page 780: ...you select an existing security gateway network entity from the drop down list Create new network entity Lets you create a new security gateway network entity by specifying the following Name A uniqu...

Page 781: ...riods and dashes Do not include spaces in the name The characters and other reserved characters are also invalid Host IP IP address of the Host network entity New Local Endpoint panel For a Subnet net...

Page 782: ...re satisfied that the information is correct click Finish to create the tunnel or configure the connection To make changes click Back to return to a previous panel Table D 278 Remote Endpoint panel Fi...

Page 783: ...page 784 User Group Role panel on page 786 Confirmation panel on page 781 Clientless Access Method panel In the Clientless Access Method panel you select the type of clientless VPN connection that yo...

Page 784: ...ashes Do not include spaces in the name The characters and other reserved characters are also invalid Protocol The selected entry in the drop down list indicates the type of traffic to allow or deny F...

Page 785: ...able D 283 describes the options Table D 284 and Table D 285 indicate which options are used for each type of connection Associated tasks The task that you can perform with this panel is Using the Rem...

Page 786: ...connection Share Enables a share of the resource Read allowed Enables read access of the resource Write allowed Enables write access of the resource Table D 284 Protocol option matrix for Client VPN...

Page 787: ...panel on page 789 Remote Endpoint panel on page 790 VPN Policy panel on page 791 Confirmation panel on page 792 Table D 286 User Group Role panel Field Description Use existing role Lets you select an...

Page 788: ...y panel you select an existing security gateway network entity or create a new security gateway network entity to serve as the local gateway for the gateway to gateway tunnel Associated tasks The task...

Page 789: ...urity gateway network entity by specifying the following Name A unique name for the new security gateway network entity The maximum length is 256 characters Allowed characters are a z A Z numerals per...

Page 790: ...ntity On the New Local Endpoint panel for a subnet network entity you supply the following values Name A unique name for the new remote endpoint The maximum length is 256 characters Allowed characters...

Page 791: ...curity gateway network entity by defining the following Gateway name A unique name for the new security gateway network entity The maximum length is 256 characters Allowed characters are a z A Z numer...

Page 792: ...e New Remote Endpoint panel for a subnet network entity you supply the following values Name A unique name for the new remote endpoint The maximum length is 256 characters Allowed characters are a z A...

Page 793: ...ith the IPsec IKE VPN policy you configure to perform Phase 1 negotiations for VPN tunnels You can have only one global IKE policy but you may change the values of the default policy at any time Globa...

Page 794: ...g three 56 bit keys The default is Triple DES and DES Selected Data privacy methods selected for packet data You can use a combination of these options The one listed first is tried first If this meth...

Page 795: ...and Group 2 are the Diffie Hellman group numbers for establishing these IKE session keys Group 1 is 768 bits long and Group 2 is 1024 bits long Using Group 2 is more secure but it also uses more CPU p...

Page 796: ...TP traffic options from the Firewall Rule Wizard Associated panels These are the individual panels of the System Setup Wizard for the initial configuration System Setup Wizard panel on page 796 Option...

Page 797: ...tent filtering antivirus antispam intrusion detection and prevention and hardware encryption Associated tasks The tasks that you can perform with this panel include Making system changes with the Syst...

Page 798: ...Indicates whether this option is enabled The antispam feature provides scanning processes that let you optimize spam detection and reduce false positives You can also configure how to respond to spam...

Page 799: ...rity gateway Another Symantec Gateway Security 5000 Series v3 0 security gateway Symantec Gateway Security v2 0 s Symantec Clientless VPN Gateway v5 0 If you check this option you must select one of t...

Page 800: ...ay IP address of the default gateway In most cases the default gateway is the router or connection you have to your ISP Lock LCD panel Prevents personnel who do not have access privileges from making...

Page 801: ...that is used in rules IP address IP address in dotted quad notation You must use an IP address that is unique to the subnet to which it connects Netmask Subnet mask address MAC address MAC address is...

Page 802: ...tion on page 535 Cluster Wizard When creating a new cluster you can choose any available security gateway and that security gateway becomes the cluster member from which you deploy the configuration T...

Page 803: ...Cluster Wizard and click Next you cannot click Back Later when you need to modify remove or dissolve a cluster or cluster member you can do so from the Tools Cluster menu These options share panels A...

Page 804: ...of active interfaces defined by the System Setup Wizard is listed in the drop down list If the interface you require is not listed cancel out of the this wizard return to the System Setup Wizard and...

Page 805: ...include Creating a new cluster with the Cluster Wizard on page 512 Associated panels on page 802 Adding or removing a cluster member on page 520 Table D 307 Cluster VIP Addresses panel Field Descripti...

Page 806: ...n perform with this panel include Creating a new cluster with the Cluster Wizard on page 512 Associated panels on page 802 Adding or removing a cluster member on page 520 Dissolving a cluster on page...

Page 807: ...select Update Interface utility from the Tools Clusters menu While this is not a shared panel with the Cluster Wizard it does share some of the other panels Associated tasks The tasks that you can per...

Page 808: ...sks that you can perform with this panel include Saving and activating configuration changes on page 59 Associated panels on page 807 Revision Comment panel This panel lets you provide a revision comm...

Page 809: ...isplay it by running the System Setup Wizard and on the Setup Options panel checking Restore from a backup image Associated tasks The tasks that you can perform with this panel include Restoring secur...

Page 810: ...tivirus feature lets you establish scanning and blocking policies for traffic using the FTP HTTP SMTP and POP3 protocols This option is checked by default if a license for antivirus is installed Antis...

Page 811: ...HA LB is not enabled these options are not accessible By default the security gateway is configured as a standalone gateway Restore backup configuration s network interfaces data If you are restoring...

Page 812: ...perform with this panel include Restoring security gateway configuration files from the SGMI on page 99 Restoring a cluster configuration on page 535 Associated panels on page 808 Table D 317 Restore...

Page 813: ...ring HTTP FTP and mail SMTP and POP3 rules with the Firewall Rule Wizard on page 284 Associated panels on page 812 Optional Security Gateway Configuration panel The Optional Security Gateway Configura...

Page 814: ...es Table D 320 SMTP Options panel Field Description Mail server IP address or domain name IP address or fully qualified domain name of your mail server This is usually an internal mail server that rec...

Page 815: ...sociated panels on page 812 Table D 321 POP3 Options panel Field Description Mail server IP address or domain name IP address or fully qualified domain name of your mail server This is usually an inte...

Page 816: ...port 443 tcp or 563 tcp as the destination port Other port numbers are disallowed This option is checked by default Allow FTP through HTTP Lets the FTP protocol be handled by the HTTP proxy This optio...

Page 817: ...use them in security gateway rules filters and tunnels Before the end of the grace period you must obtain and install licenses for each security gateway feature that you want to continue to use The o...

Page 818: ...Field Description Visit Licensing Web Site Lets you connect to the Symantec Licensing and Registration Web site where you can enter the license serial numbers Symantec System ID and appliance serial n...

Page 819: ...at the licenses have been installed Note Any loss of functionality for example when the new licenses do not support components included in the 30 day grace period takes place immediately Any new funct...

Page 820: ...h this panel is Associated panels on page 819 Test Server panel This is the last wizard screen It shows the current testing status in the bottom of the summary window Associated tasks The task that yo...

Page 821: ...sociated tasks The task that you can perform with this panel is Associated panels on page 819 Table D 329 Active Directory Server Connection Wizard panel Field Description Name Name assigned to the Mi...

Page 822: ...ing programs on a network and configuring them for distribution to workstations The administrator may also update security settings on workstations agent See SESA Agent In SESA a message that notifies...

Page 823: ...other part the public key is published widely but is still associated with the owner attachment A file that a user adds to an email message to transfer it to another user attack signature The feature...

Page 824: ...r to a modem or a cable that connects two computers directly which is sometimes called a null modem cable Certificate Authority signed SSL A type of Secure Sockets Layer SSL that provides authenticati...

Page 825: ...r See also computer group computer group A group of LAN or WLAN Ethernet devices to which firewall rules and security policies are applied For example all printers may be in a computer group that has...

Page 826: ...Different strengths are available and are referred to as Group 1 Group 2 and Group 5 and higher DH is used as part of VPN negotiations to create new keys See also Perfect Forward Secrecy DHCP client...

Page 827: ...reate send and read email messages email server An application that controls the distribution and storage of email messages Extended MAPI Messaging Application Programming Interface An interface devel...

Page 828: ...risk The event or result of a threat that exploits a vulnerability of the system external threat A threat that originates outside of an organization extranet The extension of the LAN via remote or In...

Page 829: ...rnet s TCP IP protocols gateway A network point that acts as an entrance to another network In a company network a proxy server acts as a gateway between the internal network and the Internet A gatewa...

Page 830: ...ion protocol HTTPS Hypertext Transfer Protocol Secure A variation of HTTP that is enhanced by a security mechanism which is usually Secure Sockets Layer SSL icon A graphic representation of a containe...

Page 831: ...t priority A number between one and five that is assigned to an incident The number is assigned based on signature attributes system attributes organization attributes vulnerability attributes and ser...

Page 832: ...ve one or more domain names that are easier for people to remember IP sniffing The stealing of network addresses by reading the packets Harmful data is then sent stamped with internal trusted addresse...

Page 833: ...ies and content in the event of litigation LB Load Balancing On clustered security gateways sharing the traffic load to maintain high throughput local attack An attack that takes place against a compu...

Page 834: ...streams of data without the user noticing MAPI Messaging Application Programming Interface An interface developed by Microsoft that provides messaging functions including addressing sending receiving...

Page 835: ...text in the field normalization See event normalization In Symantec NetProwler a notification or warning that a NetProwler Agent sends when network traffic matches an attack signature that is associat...

Page 836: ...passing the packets to the application layer Packets that are not allowed through the forwarding filter continue up the stack to be inspected by the proxies packet sniffing The interception of packet...

Page 837: ...ged it can be distributed to all security gateways within an organizational unit policy management The creation configuration and monitoring of security assets and information to ensure that they are...

Page 838: ...requests forward them out to Internet servers and then receive the responses and in turn forward them to the original requester within the company public key A part of asymmetric encryption that opera...

Page 839: ...on a server computer The client program sends a message to the server with appropriate arguments and the server returns a message containing the results of the program executed RSA Rivest Shamir Adle...

Page 840: ...e a mass mailer but isn t strictly a worm because you can choose to use it before it activates serial port A location for sending and receiving serial data transmissions Also known as a communications...

Page 841: ...of activity that indicates a violation of policy a vulnerable state or an activity that may relate to an intrusion 2 Logic in a product that detects a violation of policy a vulnerable state or an acti...

Page 842: ...or program a device or other outside element Stateful means that the computer or program keeps track of the state of interaction usually by setting values in a storage field designated for that purpo...

Page 843: ...ating system providing correct settings or allowing the network administrator to tune the size of the buffer and the time out period synchronize To copy files between two folders on host and remote co...

Page 844: ...y created when Symantec Enterprise Firewall or Symantec Enterprise VPN Server is installed The universe entity is similar to a wildcard and specifies the set of all computers both inside and outside o...

Page 845: ...r present on a diskette The source of the file you are downloading or of a diskette you have received is often unaware of the virus The virus lies dormant until circumstances cause the computer to exe...

Page 846: ...547 idssym im_msn_ports 547 advanced options cont idssym im_yahoo_ports 547 idssym internal_lan 547 idssym internal_net 547 idssym mssql_servers 547 idssym networkdevice_servers 547 idssym novarg_port...

Page 847: ...335 Mail Attachment Restrictions tab 342 Response tab 344 appliance serial number 90 Asset Parameters window enabling reverse lookups 157 setting clientless VPN logon policy 431 Assets section descri...

Page 848: ...ure network connection 442 460 clientless VPN cont simple rules 415 single sign on rule 410 439 terminal emulation 452 URL syntax 410 user accounts unlocking 469 viewing failed logon attempts 469 VPN...

Page 849: ...ontent profile adding to a rule 316 creating 311 Content Profiles tab content filtering 306 corporate name adding to portal page 437 custom services configuring 178 D daemons logservice 470 process re...

Page 850: ...antispam 350 353 356 fan status monitoring 464 fault tolerant deployment 117 managed security gateway 125 features enabling from Features tab 97 enabling from System Setup Wizard 96 Features tab enab...

Page 851: ...description 208 enabling 210 HTTP proxy cont HTTPs ports adding 214 modifying 212 persistent connections 209 ports adding 213 secure sockets layer 209 timeout modifying 214 WebDAV 210 httpd advanced o...

Page 852: ...VPN tunnels 393 VPN policy 380 IPsec with static key 383 J JAR cache clearing 25 77 Java Runtime Environment installation 22 Java antivirus scanning 333 K Keytool remote back up 103 remote management...

Page 853: ...ME partial message content 336 MIME types content filtering 302 misc logserviced logsesa 548 misc ports shortlived 548 misc vpn enabled 548 modem 490 491 monitoring cluster status 528 description 461...

Page 854: ...NTP proxy description 222 NTP proxy configuring 222 O objects copying 54 creating 52 deleting 61 references to other objects 55 ODMR On demand mail relay enabling 235 On Demand Mail Relay See ODMR OOB...

Page 855: ...60 preventing attacks 319 privileges clientless VPN 411 problems isolating 558 process restart configuring 113 properties of objects modifying 51 viewing 50 protocols clientless VPN advanced file serv...

Page 856: ...mponent 415 single sign on 432 SMTP 446 URL 457 URL example 457 resources adding to portal page 436 creating 434 grouping 435 Resources tab 434 Response tab antispam scanning 353 Response tab antiviru...

Page 857: ...g process restart 113 configuring the logging service 470 configuring the Notify service 491 SGMI description 33 exiting 32 home page 29 home page wizards 30 SGMI cont integrating to the desktop 24 le...

Page 858: ...94 System section description 40 System Setup Wizard 368 511 description 104 enabling licensed features 96 system usage viewing 463 T tables adding columns 49 changing sort order 49 filtering objects...

Page 859: ...rces 456 user comforting 340 user groups applying client compliance 398 external authentication 249 IKE enabled 250 importing 251 internal authentication 247 248 User Groups tab 247 user sign on 411 U...

Page 860: ...creating rules 442 description 411 WebDAV description 210 enabling 212 wizards Client VPN Package Wizard 30 399 Firewall Rule Wizard 30 284 Gateway to Gateway Tunnel Wizard 30 385 License Installatio...

Page 861: ...860 Index...

Reviews:

No comments