 Secure Web Gateway

SWG User Guide

Release 10.2.0 • Manual Version v 10.2.0.1

Summary of Contents for SWG

Page 1: ...Secure Web Gateway SWG User Guide Release 10 2 0 Manual Version v 10 2 0 1...

Page 2: ...ent However M86 Security makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose M86 Security shall not be l...

Page 3: ...ltiple Windows 13 Relocating an Item in a Tree 13 Customizing the Management Console Toolbar 13 Using Keyboard Shortcuts 14 Chapter 2 Configuring Adding Scanning Servers 15 Configuring Device General...

Page 4: ...Creating Configuring User Groups 33 Adding and Defining Users 35 Moving Users To a Different Group 36 Defining User Lists 36 PART 3 Configuring Advanced Network Settings 38 Chapter 5 Implementing Iden...

Page 5: ...ining a Rule in a Logging Policy 58 Defining Conditions in a Logging Rule 59 Chapter 11 Configuring the Log Server 61 Configuring Log Server Settings 61 Chapter 12 Configuring Alerts 66 Assigning Aler...

Page 6: ...Reports 86 Defining Report Schedules 86 Adding Report Shortcuts to the Favorites Folder 88 Viewing a Report s History 88 Exporting Reports 88 Chapter 17 Maintaining Your System 91 Performing Manual Ba...

Page 7: ...ccess Lists 112 Configuring Transparent Proxy Mode 113 Scheduling Configuration And Security Updates for Scanning Server Device Groups 114 Implementing High Availability 114 Modifying LDAP Directory A...

Page 8: ...led the Secure Web Gateway in your organization For installation instructions see the Secure Web Gateway Installation Guide you have set up the SWG using the Limited Shell For setup instructions see...

Page 9: ...ge and License Installation Configuring The Mail Server Performing Basic Tasks in the Management Console Logging In and Logging Out Changing Your Password Committing Changes Working in Multiple Window...

Page 10: ...word Change and License Installation When logging onto the Management Console for the first time 1 In your web browser enter https appliance IP address 2 If an alert message identifies a problem with...

Page 11: ...Edit 3 To enable the sending of email ensure that the Enable Sending Email checkbox is selected 4 In the Hostname IP field specify the IP address or hostname of the SMTP Server you are using for examp...

Page 12: ...displayed Login window enter the user name and password and click Login To log out of the Management Console 1 Click the Logout main menu option 2 At the confirmation prompt click OK Changing Your Pa...

Page 13: ...click in the right corner of the tab Relocating an Item in a Tree Depending on the item and tree you can sometimes move an item to a different location in a tree To move an item to a different locati...

Page 14: ...le 1 Keyboard Shortcuts Keyboard Shortcut What it does F2 Activates same as clicking Edit ESC Activates same as clicking Cancel Alt u Opens the Users menu Alt p Opens the Policies menu Alt s Opens the...

Page 15: ...fferent Group Configuring Device General Settings Use the procedure to modify default settings and later after you have added devices to configure settings for specific devices To configure Device Gen...

Page 16: ...yet defined you can perform the policy assignments later For instructions see Chapter 9 Assigning Policies To Devices 8 If you want to apply all default settings to existing devices right click Defaul...

Page 17: ...ation changes will be committed and applied to the devices in the group You can choose between immediately upon commit specific interval in number of days at a specified time specific days of the week...

Page 18: ...cause the Policy server is on a different device 5 Optionally add a description of the server 6 Optionally in the Access List tab define an Access List to limit access to specific IPs For more informa...

Page 19: ...licy Defining Conditions in a Security Policy Rule Creating a Block Warn Message Editing a Message Template Chapter 4 Defining and Managing Users Setting Default User Policy Assignments Defining and M...

Page 20: ...u can create policies from scratch Pre supplied security policies come in three security levels Basic Medium and Strict M86 also provides special purpose advanced Security policies for different users...

Page 21: ...list type content that is for a URL Categorization or True Content Type list a Click Edit b Select the appropriate checkboxes in the list If displayed you can use the Select Deselect All checkbox c Cl...

Page 22: ...olicy Definition is displayed in the main window 3 Enter a name for the policy 4 Add or modify the policy description as needed 5 When done click Save 6 Continue with Defining a Rule in a Security Pol...

Page 23: ...diting End User Messages see Creating a Block Warn Message For Block actions only If the End User Message should not be displayed select the Do Not Display End User Message checkbox 4 To apply the rul...

Page 24: ...rea above the list select whether the condition will apply to the items you check or to the items you do not check 6 Select the appropriate checkboxes in the list If the window displays a Select Desel...

Page 25: ...ct Add Message 3 Type in the Message Name This field is mandatory 4 In the Message section enter the required message text 5 Use the Place Holders drop down menu to provide the end user with more info...

Page 26: ...e message display a Place the cursor at the location in the preview where you want the element added b Select the element in the drop down list Element options include Back button Adds a Back button u...

Page 27: ...you specify to which users the rule should apply and which users should be excluded from the application of the rule One of the methods for identifying these users is by defining User Lists which can...

Page 28: ...t Master Policy usage 4 When done click Save 5 If you are ready to distribute and implement the changes in your system devices click Security Logging and HTTPS policies are automatically applied to all...

Page 29: ...e General tab as follows 3 In the Base DN field enter the DNS domain component name for example dc M86security dc com 4 In the Address field specify the IP address or host name If the LDAP server does...

Page 30: ...y definition f Select the Use Kerberos Authentication checkbox g Clear the Do not check configuration settings on next save checkbox h Skip to Step 12 11 If you do not want the connection to the serve...

Page 31: ...figuring LDAP Group Settings NOTE Several LDAP Group parameters are relevant only if your site supports a Cloud in Internal mode In this case you must configure the cloud for instruction see Configuri...

Page 32: ...DAP directory right click the LDAP directory and select Import Users To import LDAP Users into a specific LDAP group right click the LDAP group and select Import Users 3 If you are ready to distribute...

Page 33: ...ment the changes in your system devices click Defining and Managing M86 Non LDAP Users This section contains the following topics Creating Configuring User Groups Adding and Defining Users Moving User...

Page 34: ...the changes in your system devices click Assigning Policies to M86 Predefined User Groups SWG comes with the following predefined User Groups Cloud User Groups Blocked Cloud Users group and Revoked Cl...

Page 35: ...o which the user will belong or the Independent Users node if the user will not belong to a group and select Add User The User Details screen is displayed in the main window To edit an existing use se...

Page 36: ...d HTTPS policies should apply and to identify which users should be excluded from those rules User lists can contain LDAP Groups and Users and M86 User Groups and users To define a User List 1 Select...

Page 37: ...ing Users If useful you can select clear the Select checkbox to select clear all items in the list and then adjust the selected items as needed 5 When done click Save 6 If you are ready to distribute...

Page 38: ...uthentication Configuring Default and Scanning Server Authentication Chapter 7 Defining and Customizing Upstream Proxy Policy Defining an Upstream Proxy Policy Defining a Rule in an Upstream Proxy Pol...

Page 39: ...ing an Active Directory Defining and Customizing Identification Policy M86 Security provides several predefined Identification Policies To set and customize Identification Policy 1 Decide which policy...

Page 40: ...Select the Authentication Protocols Basic NTLM or Basic and NTLM ii Select the Authentication site The drop down list includes all customer Authentication domains defined in the Authentication Directo...

Page 41: ...efined policy as the Identification Policy as follows a Select Administration System Settings M86 Devices b In the configuration tree at the right choose Scanning Server General c In the main screen a...

Page 42: ...tion Method select the appropriate value Primary Backup or Load Balancer e For each Domain Controller do the following i Click the icon ii Fill in the Controller Name iii If the Authentication Server...

Page 43: ...following procedure Configuring Default and Scanning Server Authentication Configuring Default and Scanning Server Authentication NOTE For instructions on configuring NTLM Authentication on Windows 7...

Page 44: ...oken Reuse Number field specify the number of times a Challenge Token can be reused iii In the Challenge Token Lifetime field specify the time in seconds before SWG generates a new Challenge Token b I...

Page 45: ...a computer name instead of a domain name e If an upstream proxy can and should authenticate users through the Secure Web Gateway system select the Forward Upstream Proxy Authentication checkbox In th...

Page 46: ...lied Upstream Proxy Policy However you can duplicate such a policy and edit the duplicate you can also create an Upstream Proxy policy from scratch To define an Upstream Proxy Policy 1 Select Policies...

Page 47: ...Chapter 7 Defining and Customizing Upstream Proxy Policy 6 Continue with Defining a Rule in an Upstream Proxy Policy...

Page 48: ...xisting rule right click the existing rule and select Insert Rule The main window displays the Rule Definition screen 3 Enter a name for the rule 4 Provide a description of the rule This description i...

Page 49: ...d select the type of condition in the drop down list The list contains the following Condition types Header Fields limits direct internet access according to header name and value IP Range limits dire...

Page 50: ...d But you can use Caching policies to bypass caching or to determine which URLS or File extensions are cached This chapter contains the following procedures Enabling Caching Defining a Caching Policy...

Page 51: ...Chapter 8 Enabling and Customizing Caching 6 If you are ready to distribute and implement the changes in your system devices click...

Page 52: ...in a Caching Policy If you duplicated a policy it already has the same rules as were found in the original policy You can edit these rules You can also create new rules from scratch To define a rule i...

Page 53: ...the Policy tree expand the relevant policy and rule For instructions on displaying the Policy tree see Step 1 in the procedure To define or duplicate and edit a Caching Policy 2 Do either of the foll...

Page 54: ...es to Specific Devices Setting Device Policy Defaults To assign device default policies 1 Select Administration System Settings M86 Devices 2 In the M86 Devices tree expand the Devices root node and s...

Page 55: ...Settings M86 Devices 2 In the M86 Devices tree expand the Devices root node and select devices_group device_ip Scanning Server General 3 In the main window click Edit 4 In the Device Policies tab set...

Page 56: ...res Chapter 10 Defining and Customizing Logging Policy Defining a Logging Policy Defining a Rule in a Logging Policy Defining Conditions in a Logging Rule Chapter 11 Configuring the Log Server Configu...

Page 57: ...not edit a pre supplied Logging Policy However you can duplicate such a policy and edit the duplicate you can also create a Logging policy from scratch To define a Logging Policy 1 Select Policies Log...

Page 58: ...Rule checkbox ensure that the checkbox is appropriately selected or cleared depending on whether or not the rule should be enabled after being committed d In the Send To area check the locations to w...

Page 59: ...b In the Condition Name field select the type of condition in the drop down list For any selected condition type except Malware Entrapment Profile the window displays an appropriate checkbox list For...

Page 60: ...following a To change the Security level setting slide the sliding button to the appropriate value for example Basic or Strict For information about the level click the relevant level link for example...

Page 61: ...formation to the Syslog file and or send Scanner information to an Archive zip file This chapter contains the following topic Configuring Log Server Settings Configuring Log Server Settings This task...

Page 62: ...changes in your system devices click Configuring Log Relays and their schedules NOTE This procedure is relevant only if your site is using multiple scanning servers By default the Log server collects...

Page 63: ...er Legacy Empty fields will not be shown in Syslog messages Standard Empty fields will be shown in Syslog messages ArcSight For sites using the external ArcSight server If you choose this option you mu...

Page 64: ...ore details on each format see the Management Console Reference Guide 3 To have the Archive location tested when you save the definition select the Test Archive Location on Save checkbox Otherwise en...

Page 65: ...nt Devices Group then the default IP node then Log Server and then Log Properties 3 Click Edit The main window is opened for editing 4 Click the Log Archiving tab 5 In the Log Archiving Location area...

Page 66: ...t Types To Assign Alert Channels to Event Types 1 Select Administration Alerts Alert Settings The Alert Settings window is displayed 2 Click Edit 3 For each type of Event check the type of alert notif...

Page 67: ...heckboxes optionally specify up to three possible destination servers Note If the device is set up to query a Domain Name System DNS server you are permitted to specify a host name instead of an IP ad...

Page 68: ...itoring select the Use SNMP MIB Monitoring Information checkbox Otherwise fill in a Security name Security level Authentication Protocol Authentication key and Encryption key for SNMP Traps The same a...

Page 69: ...r which the percentages should be measured alert clearing percentage amount of blocked incoming traffic as a percentage of total incoming traffic below which the alert will be cleared and it must be l...

Page 70: ...Chapter 14 Viewing Logs Viewing Logs Creating Editing and Managing Log Profiles Viewing Transaction Details Web Log only Chapter 16 Viewing and Working With Reports Running and Viewing Reports Creati...

Page 71: ...ormation The values you select affect the other graphs displayed in the window Alternatively you can adjust the time period by moving the period slider that appears in a number of graphs The time peri...

Page 72: ...inistration System Settings M86 Devices In the configuration tree click the device Information is displayed in the Status tab Logs Web System and Audit See Viewing Logs See Viewing Logs Scanning Engin...

Page 73: ...ontains the following topics Viewing Logs Creating Editing and Managing Log Profiles Viewing Transaction Details Web Log only Viewing Logs To view a log 1 Choose Logs and Reports View logtype The log...

Page 74: ...t profile and several have other profiles pre supplied with the SWG application but you can define additional profiles To create or edit a log profile 1 Select Logs and Reports Log Profiles View logty...

Page 75: ...it is displayed Otherwise right click the icon of the row and choose Delete Filter 6 Click Save To delete a profile 1 If the Profiles tree is not displayed display it by selecting Logs and Reports Log...

Page 76: ...ansaction Entry details window contains a number of tabs transaction user policy and so on that displays information related to the transaction For an explanation of the information displayed in the t...

Page 77: ...ing To configure ICAP Service module defaults choose Devices Default Values Device Settings ICAP Service To configure ICAP Service settings for a specific non cloud scanning server choose device_group...

Page 78: ...rd Policy rules This section contains the following topics Configuring the ICAP Client Defining ICAP Service Groups Defining ICAP Services Defining an ICAP Forward Policy Configuring the ICAP Client T...

Page 79: ...vice Group 1 Select Policies Condition Settings ICAP Service Groups 2 Do either of the following To create an ICAP Service Group right click the ICAP Service Groups root node and choose Add Group The...

Page 80: ...hoose Add Service The main window for defining the ICAP Service is displayed To edit an existing ICAP Service select the service node and in the main window click Edit The ICAP Service window is displ...

Page 81: ...eviously created from scratch or created by duplicating select the policy in the tree and then in the main window click the Edit button The Policy Definition is displayed in the main window 3 Enter a...

Page 82: ...inue as if nothing happened Fail close In case of any ICAP conversation failure fail the HTTP transaction 8 Click Save 9 To make rule triggering conditional continue with Defining Conditions in an ICA...

Page 83: ...op down list For any selected condition type the window displays an appropriate checkbox list For detailed information on condition types and the particular items in a condition list see the Managemen...

Page 84: ...e you can find it there For instructions on adding a report to the Favorites folder see Adding Report Shortcuts to the Favorites Folder 3 Right click the report in the tree or Favorites folder and cho...

Page 85: ...abs General Columns and Filters 3 In the General tab define the general details about the report name description and format in the View As field 4 In the Columns tab select the data columns that shou...

Page 86: ...rt When you define the schedule you can also modify which columns are displayed and the filtering criteria as part of the schedule When you define a schedule for a report it appears in the tree under...

Page 87: ...ter for example Equals Note that the Operator drop down list varies according to the selected filter type Depending on your selections the Value field displays either a drop down list or a blank field...

Page 88: ...ites folder and click Remove from Favorites Viewing a Report s History The history of scheduled report runs is automatically saved You can also save the history of a report that you run on demand by r...

Page 89: ...xported Reports Location as described below in To define the Exported Reports Location To define the Exported Reports Location 1 Navigate to Logs and Reports Reporting Tool Exported Reports Location T...

Page 90: ...ocation must include the server IP address and directory for your selected location in the following format server_ip_address dir for example 192 168 1 10 backup User to connect with must include the...

Page 91: ...nually back up your system NOTE Before performing backup ensure that the backup settings have been configured For instructions see Configuring Backup Settings 1 Select Administration Rollback Backup No...

Page 92: ...K in response to the Confirmation prompt The Reports data will be restored to the system 5 To verify that the operation was successful check the System log Viewing and Installing Updates In the Update...

Page 93: ...local location containing the updates provided by M86 iii Click Import 3 To view relevant details about an update click the icon next to the update 4 To install an update click next to the update and...

Page 94: ...e 1 Select Administration Export Import Export The File Download message appears 2 Click Save and choose the location to save this file To import policies rules and conditions from an exported databas...

Page 95: ...t window is displayed 3 Select the desired action To leave the original conditions unchanged choose Leave original To overwrite the existing condition with the imported condition of the same name choo...

Page 96: ...ning a Rule in a Device Logging Policy Configuring Default and Device Specific Access Lists Configuring Transparent Proxy Mode If you are ready to distribute and implement the changes in your system d...

Page 97: ...PART 6 Performing Advanced Configuration Defining an ICAP Forward Policy...

Page 98: ...tomatically placed in a group called the RADIUS Default Group If your site has implemented Master Policy usage you can also assign a Master Policy to the Administrator Group This chapter contains the...

Page 99: ...dministrator In the tree pane select the Administrator Group to which the Administrator should be added and click the icon Alternatively you can right click the administrator group and choose Add Admi...

Page 100: ...lds the screen displays either a table of object types objects or a set of two radio button options The first option keeps the default permissions the second option lets you change the permissions 5 I...

Page 101: ...column 5 Repeat as necessary 6 Click Save 7 If you are ready to distribute and implement the changes in your system devices click Configuring RADIUS Server Authentication You configure RADIUS Server A...

Page 102: ...string to authenticate the client and the server 10 Select a number from the Retry Limit drop down menu For example retry limit is 6 times 11 Select a number from the Retry Interval drop down menu to...

Page 103: ...tribute and implement the changes in your system devices click Scheduling Configuration And Security Updates for Scanning Server Device Groups Implementing High Availability Modifying LDAP Directory A...

Page 104: ...4 Depending on the action that you want to perform a Enter the number of the main configure_network option b At each successive prompt enter the expected information for example item number or specifi...

Page 105: ...ayed asking you if you would like to change the time configuration 3 Enter y to change the time configuration The screen displays a number of Time and Date configuration options 4 Enter 3 the option...

Page 106: ...tab is displayed 4 In the Console Timeout field set the number of idle minutes that will result in the current session timing out 5 If the administrator should be required to provide a relevant commen...

Page 107: ...ate and select Import Certificate in the drop down menu The Import Digital Certificate screen is displayed in the main window 3 Browse to the required file location and then Import the file making sur...

Page 108: ...to connect to the Backup file storage location FTP connect using regular File Transfer Protocol FTP Passive connect using File Transfer Protocol where there is a firewall located between the Policy Se...

Page 109: ...lled Note that if the Internet connection is blocked for the SWG appliance you can still receive updates by routing them through a proxy To configure automatic Update Handling 1 Select Administration...

Page 110: ...e Policies root node in the tree and choose Add Policy To duplicate a Device Logging policy right click the policy in the tree that you want to duplicate and choose Duplicate Policy To edit a Device...

Page 111: ...continue with 9 To define additional rules in this policy repeat this procedure 10 If you are ready to distribute and implement the changes in your system devices click To define conditions in a Devi...

Page 112: ...controlling which device IPs have access to the SWG system It is recommended that you use the procedure to modify default settings and later after you have added devices to configure settings for spe...

Page 113: ...evice_group device_ip Scanning Server General 3 In the main window click Edit 4 Select the Transparent Proxy Mode tab 5 Select the Enable Transparent Proxy Mode checkbox 6 Specify the FTP HTTPS and HT...

Page 114: ...ices in the group You can choose between Immediately upon commit Specific interval in number of days at a specified time Specific days of the week at a specified time Specific day of the month at a sp...

Page 115: ...Save 5 Optionally specify a virtual device IP which will automatically route to whichever Policy Server is active at any given time as follows a In the tree pane select Management Devices Group b In...

Page 116: ...rectory The attribute types are as follows memberOf Attribute Means that each user has zero or more memberOf attributes each specifying a group to which the user belongs member Attribute Means that each...

Page 117: ...define an HTTPS Policy 1 Select Policies HTTPS 2 Do one of the following To create a policy from scratch right click the Policies root node in the tree and choose Add Policy To duplicate an HTTPS pol...

Page 118: ...e rule The description is optional c If the rule has an Enable Rule checkbox ensure that the checkbox is appropriately selected or cleared depending on whether or not the rule should be enabled after...

Page 119: ...tions in an HTTPS Rule To define conditions in an HTTPS Rule 1 In the Policy tree expand the relevant policy and rule For instructions on displaying the Policy tree see Step 1 in the procedure To defi...

Page 120: ...rt value in the HTTPS Service tab 6 If other configuration adjustments are needed in any of the tabs perform them For information on the fields in each tab see the Management Console Reference Guide 7...

Page 121: ...the default c In the Certificate field paste the Certificate Public key d In the Private Key field paste the Private Key e Fill in the Password f Click OK Then continue with Step 3 3 Propagate the ce...

Page 122: ...ly from user computers running the M86 Mobile Security Client or specifically defined proxy servers for example in remote offices Cloud Scanners can be run on a number of different platforms and altho...

Page 123: ...tificate management creation and signing In Internal mode you designate which users are cloud users and manage users certificates and certification status You can also designate specific User Groups a...

Page 124: ...will listen and to which all clients will connect b In the Client Side area do the following i In the Local Control Port field specify the port which the client uses to perform control activities s...

Page 125: ...network this name must be resolvable to the Internal Hostname IP which is specified in the next sub step When the user is outside the corporate network this name should not be resolvable to the Intern...

Page 126: ...proxy add it to the bypass list as follows i Click the icon ii In the opened detail line specify the Network IP and Network Mask iii To delete a network bypass right click the icon and choose Delete...

Page 127: ...lly download and modify the PAC file for later distribution Configuring Cloud Settings in PKI Mode NOTE Before configuring cloud settings ensure that you have added the needed cloud scanning servers F...

Page 128: ...specify the client side port number used to uniquely identify a specific cloud proxy or cloud based load balancer for HTTP e In the Local Client HTTPS Port field specify the client side port number u...

Page 129: ...tes a Server Certificate iii Open the certificate in a text editor for example Notepad and copy the certificate iv Click the Import CSR based Server Certificate button v In the displayed Certificate f...

Page 130: ...In the EKU field specify the OID provided by the domain administrator 9 Define Certificate Revocation List handling in the CRL Handling tab as follows a Specify the location of the Certificate Revocat...

Page 131: ...for certification you can make a group level request to issue certificates to all non provisioned users in the group You can also at the group level download all certificates issued to provisioned us...

Page 132: ...on 5 To export all certificates for all users who have valid certificates click the button at the bottom of the display To enable automatic certification of all new users in a group and to prevent dis...

Page 133: ...ration 1 Display the list of user LDAP groups as follows For a regular user group select Users Users User Groups For an LDAP group select Users Authentication Directories LDAP 2 In the tree do any of...

Page 134: ...ngs M86 Devices 4 If the device that you are defining as a private cloud scanner is currently defined as a local scanner delete the device from the Device list by right clicking the device and choosin...
