manualshive.com logo in svg

McAfee SG310, Руководство администратора

McAfee SG310 – продукт, который обеспечивает безопасность на уровне предприятия. Для того чтобы ознакомиться с подробной информацией о настройке и управлении устройством, необходимо скачать бесплатное «Administration Manual». Скачать его можно с нашего сайта.

Поделиться
Скачать
background image

286

McAfee UTM Firewall 4.0.4 Administration Guide

VPN menu features
IPsec example

If the remote party is a UTM Firewall appliance, the ID must have the form abcd@efgh. If the remote 
party is not a UTM Firewall appliance, refer the interoperability documents in the KnowledgeBase 
(

mysupport.mcafee.com

) to determine what form it must take. 

3

Leave the IP Payload Compression checkbox unselected.

4

Leave the IPSec offload device as None.

5

Select the Dead Peer Detection checkbox. This allows the tunnel to be restarted if the remote party 
stops responding. This option is only used if the remote party supports Dead Peer Detection. It operates 
by sending notifications and waiting for acknowledgements.

6

Enter the Delay and Timeout values for Dead Peer Detection. The default times for the delay and 
time-out options are 9 and 30 seconds respectively. This means that a Dead Peer Detection notification 
is sent every 9 seconds (Delay) and if no response is received in 30 seconds (Timeout) then the UTM 
Firewall appliance attempts to restart the tunnel. In this example, leave the delay and time out as their 
default values.

7

Leave the Initiate Phase 1 & 2 rekeying checkbox selected. This enables automatic renegotiation of 
the tunnel when the keys are about to expire.

8

Click Next to configure the Remote Endpoint Settings.

Step 5: Remote endpoint settings

1

Enter the Internet IP address of the remote party in the remote party's IP address field. In this 
example, enter: 209.0.0.1

.

2

The Optional Endpoint ID is used to authenticate the remote party to the UTM Firewall appliance. For 
this example, leave the field blank.

The remote party's ID is optional if it has a static IP address and uses Preshared Secrets for 
authentication. It becomes a required field if the remote party has a dynamic IP or DNS hostname 
address or if RSA Digital Key Signatures are used for authentication. It is optional in this example, 
because the remote party has a static IP address. If the remote party is a UTM Firewall appliance, it 
must have the form abcd@efgh. If the remote party is not a UTM Firewall appliance, refer the 
interoperability documents on the KnowledgeBase (

mysupport.mcafee.com

) to determine what form it 

must take. 

3

Click Next to configure the Phase 1 Settings.

Step 6: IPSec VPN Phase 1 settings

1

In this example, leave the Key Lifetime as the default value of 3600 seconds.

Set the length of time before Phase 1 is renegotiated in the Key lifetime field. The length may vary 
between 60 and 86400 minutes. Shorter values offer higher security at the expense of the 
computational overhead required to calculate new keys. For most applications 3600 seconds is 
recommended.

2

A new Phase 1 key can be renegotiated before the current one expires. The time for when this new key 
is negotiated before the current key expires can be set in the Rekeymargin field. In this example, leave 
the Rekeymargin as the default value of 600 seconds.

3

The Rekey fuzz value refers to the maximum percentage by which the Rekeymargin should be 
randomly increased to randomize rekeying intervals. The Key lifetimes for both Phase 1 and Phase 2 
are dependent on these values and must be greater that the value of “Rekeymargin x (100 + 
Rekeyfuzz) / 100.” In this example, leave the Rekeyfuzz as the default value of 100%.

Содержание SG310

Страница 1: ...McAfee UTM Firewall Administration Guide version 4 0 4...

Страница 2: ...d or other countries McAfee Red in connection with security is distinctive of McAfee brand products All other registered and unregistered trademarks herein are the sole property of their respective ow...

Страница 3: ...21 Technical Support page 21 Technical Support Report page 22 2 Getting Started 23 Overview 23 Powering on the device 23 Connecting an administrative PC to the device 24 Setting password and LAN conn...

Страница 4: ...ault high availability script 77 Enabling high availability 78 Configuring high availability 78 DMZ network 80 Configuring a DMZ connection 80 Services on the DMZ network 81 Guest network 82 Configuri...

Страница 5: ...s 149 Controlling packet traffic 149 Firewall overview 151 Definitions 152 Service Groups page 152 Addresses page 155 Interfaces page 157 Packet filtering 159 Packet filtering actions 160 Packet Filte...

Страница 6: ...Virus scanning Web traffic 231 Enabling FTP virus scanning 231 Antispam TrustedSource 233 About TrustedSource 233 Enabling TrustedSource 234 5 VPN menu features 239 VPN overview 239 About PPTP 240 PP...

Страница 7: ...tunnel server 316 Creating nested port tunnels 318 6 System menu features 319 Status menu 319 Reviewing the general system status 319 Reviewing the status of the unit s connections 320 Reviewing the s...

Страница 8: ...e 377 Firmware upgrade best practices and precautions 377 Restoring factory default settings 377 Upgrading firmware using Netflash 378 Troubleshooting Windows Netflash upgrades 378 Recovering from a f...

Страница 9: ...or your specific needs Features may be enabled in screen captures to make them clear however not all features are appropriate or desirable for your setup Table 1 Conventions Convention Description Cou...

Страница 10: ...10 McAfee UTM Firewall 4 0 4 Administration Guide...

Страница 11: ...sonal Computer that the appliance is plugged into most network resources are freely accessible However any services that the PC provides such as file shares or Web services such as IIS are not accessi...

Страница 12: ...f H B does not begin flashing shortly after power is supplied refer to Recovering from a failed upgrade Table 1 SG310 LED descriptions Label Activity Description Power On steady Power is supplied to t...

Страница 13: ...ower adaptor voltage current depends on individual model Front panel operating status LEDs Power H B Operating temperature between 0 C and 40 C Storage temperature between 20 C and 70 C Humidity betwe...

Страница 14: ...tains two 10 100 1000 GbE Gigabit Ethernet ports A and B three 10 100BaseT FE Fast Ethernet ports C D and E a serial port that can be connected to an analog ISDN modem or terminal for serial console a...

Страница 15: ...threats as well as conventional Internet security concerns You can update configure and monitor the firewall and VPN connectivity of a workstation or server from any Web browser In the event of a bre...

Страница 16: ...ere you can view the current system status of your UTM Firewall appliance You can also view the status of the UTM Firewall connections and the services that are running on it by selecting one of the o...

Страница 17: ...ory with the styles you prefer UTM Firewall menus To navigate the UTM Firewall interface click a menu option on the left side of the screen The available menu options depend on the particular UTM Fire...

Страница 18: ...and Custom IPv6 Firewall Rules tabs See Packet filtering NAT Opens NAT pages for Port Forwarding Source NAT 1 to 1 NAT Masquerading and UPnP Gateway See NAT Connection Tracking Opens the Connection Tr...

Страница 19: ...em the unit s connections and the unit s services See Status menu System Setup Opens the Device Settings Security Policy Memory Allocation and Date and Time configuration pages See System Setup Menu B...

Страница 20: ...e 9 associated with the item you want to edit Figure 9 Edit icon You can click the delete icon Figure 10 associated with the item you want to delete Figure 10 Delete icon Add above and below icons Cer...

Страница 21: ...ears Figure 13 Figure 13 Online Help Search page To access context sensitive help for the page your are currently viewing click the help icon in the upper right corner of the page Help describes each...

Страница 22: ...always include the technical support report with your support request Without this report the technical support staff are unlikely to have enough information to assist you Security Alert To maintain y...

Страница 23: ...on the device 2 Connecting an administrative PC to the device 3 Configuring the UTM Firewall switch 4 Confirming settings 5 Setting up the PCs on your LAN 6 Registering your UTM Firewall Note These p...

Страница 24: ...wall Management Console does not automatically appear perhaps because you have no home page established on your browser navigate to 192 168 0 1 If you are unable to browse to the UTM Firewall device a...

Страница 25: ...model number Click Next The LAN dialog appears Figure 18 Figure 18 Quick Setup Wizard LAN dialog 4 Select an option for your LAN configuration Recommended To manually configure your LAN and optionall...

Страница 26: ...ess and Subnet Mask for the UTM Firewall s LAN connection Take note of the IP address and subnet mask you will need them later on To enable the UTM Firewall s built in DHCP server enter both the start...

Страница 27: ...ecting with a cable modem for configuration details If you selected Modem see Configuring a dialout connection on the COM port for configuration details If you selected ADSL see ADSL for configuration...

Страница 28: ...ixed IP to manually configure the Internet address using static parameters 9 Click Next If you chose Use an IP address obtained from a server on the Internet DHCP and you are setting up an SG310 the F...

Страница 29: ...itch The switch dialog displays if you are setting up the SG560 SG 560U SG565 or SG580 If you are setting up a different model skip to Selecting an initial firewall level By default the UTM Firewall s...

Страница 30: ...lock Everything Blocks all traffic that is not expressly allowed by a packet filtering rule Ultra VPN access Allows VPN Dialin and LAN traffic to move through the firewall Denies all Internet traffic...

Страница 31: ...and or your LAN hub directly to switch A If you are setting up the SG560 SG560U SG565 or SG580 and have configured its switch as 1 LAN Port 3 Isolated Ports connect port A1 directly to your LAN hub Ot...

Страница 32: ...ically 4 Click Obtain DNS server address automatically 5 Click OK Automatic LAN configuration using an existing DHCP server If you chose the Obtain LAN IP address from a DHCP server on LAN option we s...

Страница 33: ...lick OK Repeat for each PC on your network Quick setup is now complete Quick setup is all you need to do to get basic network connectivity to the Internet Network devices on the LAN should now be able...

Страница 34: ...You can access the site by either clicking one of the registration site links in the Quick Setup Wizard or on the Help and Support page or by navigating to http my securecomputing com You will be pro...

Страница 35: ...Account Request page 2 Enter your E mail address and click Create Account A message indicates a new account request is currently being processed Upon verification a login password is emailed to you O...

Страница 36: ...ted Registering your UTM Firewall 1 Log in to the My Secure Computing site at http my securecomputing com The Welcome page appears Figure 30 Figure 30 My Secure Computing Welcome page 2 Click Add Prod...

Страница 37: ...d underneath the appliance 4 Indicate the Year and Month for Date of Purchase 5 Click Submit To view a list of all products you have registered click List Products Activating a feature Use this proced...

Страница 38: ...ivate Feature page 3 Select your UTM Firewall appliance from the SnapGear Serial Number list 4 Enter the token in the Feature Serial Number token field 5 Click Submit Retrieving license information fo...

Страница 39: ...g your UTM Firewall Figure 33 My Secure Computing Product Management License data For those features that require a certificate and private key to activate click the associated View License data butto...

Страница 40: ...d Registering your UTM Firewall Figure 34 Product Management License details You can then copy and paste the license key for Web Filtering for instance into the Certificate copy paste page Note Be sur...

Страница 41: ...6 SIP Network overview This chapter describes the Network Setup options of the McAfee UTM Firewall Management Console Use the Network Setup options to configure each of your UTM Firewall appliance s E...

Страница 42: ...ions as a regular LAN switch with network traffic passing freely between its ports Typically port B is used as your primary Internet connection However switch A s ports can be configured individually...

Страница 43: ...changes and click Update You can also make changes in the additional tabs that appear for a connection such as Aliases and IPv6 For more information see Aliases tab and Enabling IPv6 for a connection...

Страница 44: ...s a direct IP connection to a network that does not require a modem to be established This is typically a LAN DMZ or Guest connection but it can also be an Internet connection Network settings can be...

Страница 45: ...entries in this field 10 Select a classification from the Firewall Class list The Firewall class setting controls the basic allow deny policy for this interface Allowed network traffic is accepted de...

Страница 46: ...plex 10 BaseT Auto Duplex 10 BaseT Full Duplex 10 BaseT Half Duplex 100 Base T4 6 Specify the MTU Maximum Transmission Unit for the interface in the MTU field This setting should normally be left at 1...

Страница 47: ...n your ISP has assigned you a range of IP addresses to use with your Internet connection or when you have more than one subnet connected to a single network interface Figure 39 Aliases tab For aliases...

Страница 48: ...Select the Enable IPv6 checkbox 5 LAN connections only You can enter a site level aggregation value for this connection in the Site Level Aggregation field This field is used to create a site local a...

Страница 49: ...connection to your ISP using the following methods Auto detect If you are unsure of your ADSL connection type the UTM Firewall appliance can attempt to Auto detect ADSL connection type The appliance...

Страница 50: ...tings for your ADSL Autodetect does not work for PPTP connections 1 From the Network Setup menu click Network Setup On the Connections page select ADSL from the Change Type list The ADSL Connection Me...

Страница 51: ...sh By default PPPoE connections are treated as always on and are kept up continuously Alternatively you can choose to only bring the connection up when PCs on the LAN DMZ or Guest network via a VPN tu...

Страница 52: ...allocates an address that is used as the actual Internet interface on the UTM Firewall appliance Usually the address supplied by the ISP is different from the local IP address entered here Even if th...

Страница 53: ...ADSL DHCP Configuration page appears Figure 44 Figure 44 ADSL DHCP Configuration page 3 Optional Enter a descriptive name in the Connection Name field 4 Enter the host name in the Hostname field 5 Sel...

Страница 54: ...Ethernet configuration tab depending on your connection type Aliases and IPv6 See Ethernet Configuration tab VLAN Aliases tab and Enabling IPv6 for a connection Connecting with a cable modem Use this...

Страница 55: ...page that appears depends on your provider choice If you chose Generic Cable Modem Provider as shown in Figure 47 enter a name for the connection in the Connection Name field optional and click Finis...

Страница 56: ...have the interface firewall class of Internet Caution Do not plug an ISDN connection directly into your UTM Firewall appliance You must first connect a terminal adaptor To connect to an ISDN line the...

Страница 57: ...Enter the Access Point Name for the connection You can get this from your ISP d Enter the DNS Server address given to you by your ISP You can enter multiple DNS servers into this field by separating t...

Страница 58: ...necessary 1 From the Network Setup menu click Network Setup The Connections tab opens Click the edit icon for the Unconfigured connection The Serial Port Setup page appears Figure 51 Figure 51 Port Se...

Страница 59: ...layer of tabs Figure 52 3 Optional To enable dial on demand select the Dial on Demand checkbox 4 In the Idle Time field enter the number of minutes the appliance waits after the connection becomes idl...

Страница 60: ...ally Assigned IP Address page appears Figure 53 Figure 53 Connections Static Addresses 3 Enter the static IP address from your ISP in the My Static IP Address field 4 Enter the address of the ISP gate...

Страница 61: ...t connection See Enabling IPv6 for a connection Setting up dial in access A remote user can dial directly to a modem connected to the serial port of the UTM Firewall appliance Once connected and authe...

Страница 62: ...tication CHAP This is the weakest type of encrypted password authentication to use It is not recommended that clients connect using this as it provides very little password protection Also note that c...

Страница 63: ...l in client Connecting a dial in client Remote users can dial in to the UTM Firewall appliance using the standard Windows Dial Up Networking software The network connection wizard guides you through s...

Страница 64: ...access Figure 59 New Connection WIzard Network Connection 4 Select Dial up connection and click Next The Select a Device page appears Figure 60 Figure 60 New Connection WIzard Select a Device 5 Select...

Страница 65: ...n access Figure 61 New Connection WIzard Connection Name 6 Enter a name for the connection and click Next The Phone Number to Dial page appears Figure 62 Figure 62 New Connection WIzard Phone Number t...

Страница 66: ...and click Next The Connection Availability page appears Figure 64 Figure 64 New Connection WIzard Connection Availability 9 To make the connection only available for you select the My use only option...

Страница 67: ...nection Enter the User name and Password set up for the UTM Firewall appliance dial in account and click Dial Failover load balancing and high availability Note This topic applies to UTM Firewall desk...

Страница 68: ...in the sections Direction Connection ADSL Cable Modem and Dialout ISDN earlier in this chapter See Direct connection overview ADSL Connecting with a cable modem and Configuring a dialout connection on...

Страница 69: ...rk connection The primary and secondary connection levels are tested in turn until one becomes available Internet failover is not stateful Any network connections that were established through the fai...

Страница 70: ...on before testing whether it is functioning correctly Use a longer delay for connection types that are slow to establish such as dialout The defaults vary depending on the type of connection and are a...

Страница 71: ...page Can be a fully qualified domain name of the form host domain com Both Host or domain can consist of alphabetic numeric or hyphen characters but cannot begin nor end with the hyphen character Can...

Страница 72: ...tions must be marked as Required or Enabled Internet connections that are marked Disabled are not part of this connection level The initial defaults on the modify levels page for a connection are Load...

Страница 73: ...ection on which to send outgoing traffic When an internal client makes a connection to a server on the Internet this and subsequent connections between the internal client and remote server are confin...

Страница 74: ...This allows these hosts to automatically switch from one UTM Firewall appliance to the other if an appliance becomes unavailable The two appliances negotiate for ownership of the shared IP address at...

Страница 75: ...ss assigned When the appliance becomes secondary all specified interfaces will have the shared IP address removed The following diagrams illustrate the basic HA configuration Figure 75 Basic HA config...

Страница 76: ...76 Basic HA configuration Appliance 1 loses LAN connectivity Should UTM Firewall appliance 1 lose LAN connectivity for example someone accidentally powers it down UTM Firewall appliance 2 assumes the...

Страница 77: ...gger The default location for the HA script is bin highavaild Customizing the HA script You can customize the HA script by replacing and modifying the bin highavaild script From the command line inter...

Страница 78: ...u can now configure the HA connection for each interface See Configuring high availability Disabling high availability 1 From the Network Setup menu click Network Setup Failover H A High Availability...

Страница 79: ...connections are accepted however administration connections are not 6 Enter the netmask in the Subnet Mask field Can be in the following forms A number from 0 32 255 255 255 0 7 Optional Enter an alia...

Страница 80: ...MZ and network traffic originating from the DMZ is allowed out to the Internet The topic Services on the DMZ network discusses how to allow certain traffic from the Internet into the DMZ To allow publ...

Страница 81: ...eferred gateway for load balancing select the Preferred Gateway checkbox 9 Click Update Services on the DMZ network Once you have configured the DMZ connection configure the UTM Firewall appliance to...

Страница 82: ...expense Machines on the guest network typically have addresses in a private IP address range such as 192 168 2 0 255 255 255 0 or 10 2 0 0 255 255 0 0 For NAT Network Address Translation purposes the...

Страница 83: ...The RADIUS server must be defined on the RADIUS page For information refer to RADIUS page WPA PSK Wi Fi Protected Access Preshared Key also known as WPA Personal An authentication and encryption prot...

Страница 84: ...erred Gateway checkbox 6 Click Next The Access Point Configuration page appears Figure 83 Figure 83 Wireless Configuration Access Point page 7 Optional Enter a descriptive name for the wireless networ...

Страница 85: ...ireless clients are trusted To bridge between clients select the Bridge Between Clients checkbox This setting enables the access point to forward packets between clients at the wireless level so that...

Страница 86: ...either of the above two methods Security Alert Due to flaws in the authentication protocol the Shared Key method reduces the security of the WEP key McAfee recommends using Open System authentication...

Страница 87: ...802 11i support which is also referred to as WPA2 b Specify the preshared key in the WPA Key field Allowed formats are 8 to 63 ASCII characters of any type at least 20 characters at a minimum recommen...

Страница 88: ...y method select the Bridge Between Clients checkbox Packets between bridged wireless clients will not be restricted by the firewall Note If this setting is disabled it is still possible to configure w...

Страница 89: ...wireless network For additional security you can specify a list of MAC addresses network hardware addresses to either allow or deny Security Alert MAC based ACL is a weak form of authentication and do...

Страница 90: ...on settings The ESSID may be the same or different If the access points have the same ESSID then clients can transparently roam between them There are two common scenarios for WDS bridging or repeatin...

Страница 91: ...is used for both the wireless clients and the WDS link Note You cannot enable both WDS and WEP with 802 1X Can be exactly 64 hexadecimal characters 0 9 a b or A B Can be from 8 to 63 characters of any...

Страница 92: ...egulatory organization Tweaking these advanced wireless features can increase processing overhead so balance performance requirements with this in mind Advanced wireless settings include packet fragme...

Страница 93: ...that support 802 11g also support 802 11b 802 11g only Wireless clients can only connect using 802 11g 54 Mbit s Wireless clients that only support 802 11b are unable to connect 802 11b and 802 11g Re...

Страница 94: ...ance Another advantage is that network traffic not usually routed by an unbridged interface such as broadcast packets multicast packets and any non IPv4 protocols such as IPv6 IPX or Appletalk pass ov...

Страница 95: ...to specify this IP address as a gateway to the networks connected to the bridge It is not so important which IP address you choose to assign to the bridge interface it is primarily used by hosts on e...

Страница 96: ...field The delay usually only occurs when the appliance first boots or when the bridge configuration is modified This delay allows the appliance s bridge to detect which hosts are connected to each of...

Страница 97: ...om an existing configuration 1 From the Network Setup menu click Network Setup and select the Connections tab The Connections page appears 2 From below the main Connections table select Bridge from th...

Страница 98: ...opens 2 Click the delete icon for the bridge you want to delete The Bridge Deletion page appears Figure 99 Figure 99 Bridge Deletion page 3 Select the interface to which to transfer the bridge s IP co...

Страница 99: ...o enforce access policies between ports on an external switch that supports port based VLANs In this scenario only the switch and other trusted devices should be directly connected to the LAN port of...

Страница 100: ...ess between all ports the default or use port based VLANs to control access between each individual port in the switch This port based VLAN configuration makes it possible to assign each of the four p...

Страница 101: ...ports Tip If you previously selected 1 LAN Port 3 Isolated Ports in the Switch Configuration step of the Quick Setup Wizard port based VLANs are already enabled and a single isolated VLAN for each po...

Страница 102: ...k Update Adding a port based VLAN Use this procedure to manually add a port based VLAN on the switch of a UTM Firewall appliance Tip If you previously selected the 1 LAN Port 3 Isolated Ports option i...

Страница 103: ...e VLAN ID field Otherwise if there is not an existing VLAN enter the next available VLAN ID If the Default port based VLAN ID on the Ethernet Configuration page Figure 102 has been left at its default...

Страница 104: ...other devices that support the GRE protocol You can build GRE tunnels to other UTM Firewall appliances that support GRE or to other devices such as Cisco equipment A GRE tunnel must be created betwee...

Страница 105: ...3 Ensure the Enable checkbox is selected 4 Optional Enter a descriptive GRE Tunnel Name for this tunnel 5 Enter the address of the remote GRE endpoint in Remote Address for example the Internet IP ad...

Страница 106: ...across the GRE tunnel unless there is a route set up on the GRE tunnel 3G USB Modems UTM Firewall SG565 devices provide additional options for 3G EVDO modems Configuring 3G USB modem connections Use t...

Страница 107: ...onfirm Password field 8 Conditional if required Enter the SIM card PIN code for your GPRS or 3G connection 9 Optional Select a Firewall Class for the connection The firewall class determines the packe...

Страница 108: ...the Modem init string default value unchanged 6 Click Update Adding new 3G USB modem profiles Occasionally a modem may not present complete configuration information to the UTM Firewall device In thes...

Страница 109: ...s more than one serial interface to the UTM Firewall device enter the interface to use for PPP connections in the Serial Interface to use field 7 Conditional If the USB modem is a GPRS or 3G modem ent...

Страница 110: ...e A number between 0 and 32 Can also be in the form 255 255 255 0 6 Optional You can specify an Interface out which the network traffic should be routed from the Interface list Only current valid inte...

Страница 111: ...ou use the New button the route is added to the bottom of the list Use the up or down arrows to reposition a route For more information on icons see Interface icons Once the page is populated with rou...

Страница 112: ...ick New you can create an address definition when you create this route 7 Enter the Destination Address that matches the destination IP address of the packet When you click New you can create an addre...

Страница 113: ...efer to the Zebra Web site http www zebra org for comprehensive documentation Example Configuring RIP Route Management Ensure you have enabled RIP v1 v2 under Route Management then open zebra conf and...

Страница 114: ...istribute routing information from static route entries redistribute static Redistribute routing information from kernel route entries e g IPSec redistribute kernel The above files configure the devic...

Страница 115: ...to OSPF is based on Dijkstra s Shortest Path First algorithm which is CPU intensive compared to other routing algorithms OSPF counts with the special characteristics of networks and interfaces such as...

Страница 116: ...from the LARTC Linux Advanced Routing Traffic Control dynamic routing howto available from http lartc org howto LARTC is an invaluable resource for those wanting to learn about and take advantage of...

Страница 117: ...f neighbors to which the router is connected neighbor 192 168 1 1 remote as 2 neighbor 192 168 1 1 distribute list local_nets in neighbor 10 10 1 1 remote as 3 neighbor 10 10 1 1 distribute list local...

Страница 118: ...erver page Enabling DNS proxy server 1 From the Network Setup menu click Network Setup select the DNS tab and then select the DNS Proxy tab The DNS Proxy Server page appears 2 Enabled by default To en...

Страница 119: ...ed by the UTM Firewall appliance are as follows 3322 org Chinese provider http www 3322 org DyNS http www dyns cx dyndns org http www dyndns org GNUDip http gnudip cheapnet net ODS http www ods org TZ...

Страница 120: ...count in the Password and Confirm Password fields 8 Enter the domain for your dynamic account in the Domain field 9 Optional for dyndns org provider only If you have additional domains for this accoun...

Страница 121: ...tus column now displays Disabled without the need to refresh your browser Editing a dynamic DNS account 1 From the Network Setup menu click Network Setup select the DNS tab and then select the Dynamic...

Страница 122: ...Static Hosts tab The Static Hosts page appears 2 Select the edit icon for the static host you want to edit The Edit Static Hosts page appears 3 Make your changes and click Finish Deleting a static ho...

Страница 123: ...ssigning dynamic IP address to devices on a network IP addresses are assigned using the concept of a lease which is the amount of time the IP address is valid for a device With DHCP network administra...

Страница 124: ...s page Figure 128 DHCP Server Status Configured and Running You can disable and enable the configuration in the leftmost column The Interface column displays the interface for which the DHCP server or...

Страница 125: ...server address is set as per the following If the DNS Proxy is enabled default see DNS Proxy tab then the DNS server is set to the IP address of the network interface on which the DHCP server is liste...

Страница 126: ...or relay Note To configure a DHCP relay see Configuring a DHCP relay 1 From the Network Setup menu click DHCP Server The DHCP Configuration page appears 2 Clear the enable checkbox for the DHCP serve...

Страница 127: ...McAfee UTM Firewall 4 0 4 Administration Guide 127 Network Setup menu options DHCP Server Figure 130 DHCP Addresses page...

Страница 128: ...d to a host Click Refresh to obtain the most current information Click the delete icon to delete an IP address If an address is taken by a client a delete icon appears in the Free column so that you c...

Страница 129: ...or IP address range you want to remove 4 Click Remove The address or addresses are removed from the Address List pane Add Reserved IP Addresses pane Use this pane to reserve an IP address for a clien...

Страница 130: ...oes not support Network Address Translation NAT The UTM Firewall appliance is configured with the IP address of the DHCP Server The appliance accepts client DHCP Discover packets and relays them to th...

Страница 131: ...ssional operating system You must have administrative rights to configure Windows XP as a DHCP client 1 Click Start Control Panel Network Connections Local Area Connection The Local Area Connection St...

Страница 132: ...DHCP client If the UTM Firewall appliance is being used as an DHCP client inspect the front panel LEDs If the appliance s LAN interface cannot get a DHCP assigned IP address all lights flash simultane...

Страница 133: ...level are queried if the replies from sibling caches did not succeed For information see Configuring Web Cache Peers The Web cache can also be configured to pass off Web transaction requests or respo...

Страница 134: ...ing system capable of SMB sharing Refer to the documentation of your particular operating system for details on creating a network share This section includes basic procedures for creating a user acco...

Страница 135: ...change this to something easier to remember if you want 4 To set the security permissions of the newly created network share click Permissions 5 Recommended If you want to secure the network share wit...

Страница 136: ...blank and go to the last step Otherwise if the dedicated user account must authenticate to the network share continue with the next step 6 Enter the username of the dedicated user in the Username fie...

Страница 137: ...ver checkbox b Enter the IP address of your UTM Firewall appliance in the Address box c Enter 3128 in the Port box The Web cache of the UTM Firewall appliance uses port 3128 by default d Select the By...

Страница 138: ...e Local Storage tab The Local USB Storage page appears Figure 143 Figure 143 Web Cache Local USB Storage 2 Enter the cache size in the Cache Size field The size should be at least as big as the Cache...

Страница 139: ...r accept the default port 3128 6 Enter the ICP port for querying neighbor caches about objects in the ICP Port field or accept the default port 3130 7 Click Finish The peer is displayed in the edit li...

Страница 140: ...ons are blocked until the ICAP server becomes contactable 6 Click Submit Configuring advanced settings for the Web cache 1 Under the Network Setup menu click Web Cache select the Advanced tab and then...

Страница 141: ...lable options are None default No anonymity and no identifying information is removed from Web requests Basic Paranoid Custom The Custom setting is for users who have manually edited these settings in...

Страница 142: ...e 148 Figure 148 QoS Traffic Autoshaper 2 Click the edit icon next to the network interface on which you want to enable the autoshaper The QoS Autoshaper Edit page appears Figure 149 Figure 149 QoS Tr...

Страница 143: ...w priority to the following services domain tcp and udp ftp and ftp data http and https imap irc nntp ntp pop3 smtp ssh telnet Enabling and configuring ToS packet priorities You can configure the ToS...

Страница 144: ...ic Shaping and then select the ToS Packet Priority tab Figure 150 Figure 150 ToS Packet Priority 2 Select the Enable ToS Prioritization checkbox 3 Select a Default priority from the list The Default p...

Страница 145: ...col or ICMP message type in the Ports field Acceptable inputs are service name single port number between 1 and 65535 range of port numbers in the form a b comma or whitespace separated list of any of...

Страница 146: ...SG580 and SG720 only The SIP proxy of the UTM Firewall appliance allows SIP software clients or SIP hardware clients to work from a private network such as your LAN behind a masquerading firewall such...

Страница 147: ...lick SIP The SIP Proxy page appears Figure 154 Figure 154 SIP Proxy page 2 Optional Select the Enabled checkbox 3 Select an interface from the Internal Interface list The outbound interface is typical...

Страница 148: ...148 McAfee UTM Firewall 4 0 4 Administration Guide Network Setup menu options SIP...

Страница 149: ...Antispam TrustedSource Controlling packet traffic Many features within the McAFee UTM Firewall Management Console can affect the flow of packet traffic within the appliance This topic outlines the hie...

Страница 150: ...guring connection tracking NAT The destination IP addresses and ports of incoming packets are modified by the UTM Firewall appliance See About port forwarding Packet filtering Traffic is then subjecte...

Страница 151: ...ured firewall The firewall allows you to control both incoming and outgoing access so that PCs on local networks can have tailored Internet access facilities while being shielded from malicious attack...

Страница 152: ...and interfaces used to match packets Definitions need not be created for simple rules that only specify a single service address or interface as these can be entered while creating the rule If a rule...

Страница 153: ...click Definitions Service Groups tab The Service Groups page appears Predefined services are displayed The Name column displays the name of the service group and the Details column displays the proto...

Страница 154: ...e Service Groups page appears 2 Click the edit icon for the service group you want to edit The Modify Service Group page appears 3 Make your changes and click Finish Deleting a service group 1 From th...

Страница 155: ...re predefined The Addresses page is shown in Figure 158 Figure 158 Addresses tab Adding an IP address or range 1 From the Firewall menu click Definitions Addresses tab The Addresses page opens Predefi...

Страница 156: ...ting the firewall rules 1 From the Firewall menu click Definitions Addresses tab The Addresses page appears 2 Select DNS Hostname from the Type list 3 Click New The Hostname page appears Figure 160 Fi...

Страница 157: ...k Finish Deleting an address Use this procedure to delete a single IP address range of addresses or address group If an address is being used by a packet filter or NAT rule a message informs you to mo...

Страница 158: ...xes for the interfaces to group 5 Click Finish Editing an Interface Group 1 From the Firewall menu click Definitions Interfaces tab The Interfaces page appears 2 Click the edit icon for the interface...

Страница 159: ...t filtering The majority of firewall customization is typically accomplished by creating Packet Filter and NAT Network Address Translation rules Packet filter rules match network packets based on a co...

Страница 160: ...s that have the same address and port information are considered part of the same connection as are any responses moving in the opposite direction A special built in rule matches all packets that are...

Страница 161: ...ket Filtering rule Packet Filtering page Use this page to define rules for packet filtering The factory default configuration includes the following predefined packet filter rules as shown in Figure 1...

Страница 162: ...re you want to add the rule The Packet Filter Rule page appears Figure 167 Figure 167 Packet Filter Rule page 3 Optional Enter a descriptive name in the Descriptive Name field 4 Make sure the Enable c...

Страница 163: ...s appliance None This option is automatically selected and displayed read only when the Input option is selected in the Type list Select this option to only match packets destined for this appliance 9...

Страница 164: ...g a packet filter rule 1 From the Firewall menu click Packet Filtering The Packet Filters Rules page appears 2 Click the delete icon for the packet filter rule you want to delete You are prompted to c...

Страница 165: ...d values Integer equal to or greater than 1 7 Select an action to take when a packet matches the packet filter rule but exceeds the rate limit from the Action if Limited list Available options are Non...

Страница 166: ...o default to the Any wildcard 8 Select the Log checkbox and enter log_SG_origin_traffic in the Log Prefix field 9 Click Finish Example 2 Creating a rule to allow access through the appliance This exam...

Страница 167: ...able 12 provides information about the services you can enable for each interface Table 12 Interface service descriptions Service Description Telnet This column controls access to the UTM Firewall app...

Страница 168: ...s 3 To allow echo requests on Internet interfaces select the Accept echo request incoming port checkbox The default recommended is to disallow echo requests so your UTM Firewall appliance does not res...

Страница 169: ...les It also displays how many times each rule has been matched which can be useful for troubleshooting Scroll through the page to view the iptables for Packet Filter Rules NAT Rules Packet Mangle Rule...

Страница 170: ...ck Update Custom IPv6 Firewall Rules tab This tab provides the ability to manually add custom entries to the IP tables using the ip6tables command syntax The custom rules are executed whenever the sta...

Страница 171: ...text box 4 Click Update Custom firewall rules and connection tracking Because selecting the Custom firewall rules instead of built in rules checkbox results in the default firewall functionality bein...

Страница 172: ...out masquerading and source NAT Source NAT rules are useful for masquerading one or more IP addresses behind a single other IP address This is the type of NAT used by the UTM Firewall appliance to mas...

Страница 173: ...contains the following main pages Port forwarding page Source NAT page One to one NAT Masquerading page Universal Plug and Play Gateway For further information on NAT investigate the solution finder f...

Страница 174: ...nd source address for matching incoming packets use the Advanced port forward page In addition if you want to disable the port forwarding rule from automatically creating a packet filtering rule follo...

Страница 175: ...port or ports in the Ports field If you want to show the definitions click Show Definitions The Protocol and Ports fields are replaced with the Services list Select a service from the list Figure 179...

Страница 176: ...eld 5 Leave the Enable checkbox selected To temporarily disable the rule clear the checkbox 6 Optional recommended To create a corresponding packet filter rule to accept NATed packets leave the Create...

Страница 177: ...Finish Disabling a port forwarding rule Use this procedure to temporarily disable a rule Tip Click the enable disable checkbox to the left of the object list to quickly disable the rule The page refre...

Страница 178: ...ition is created Next create the port forwarding rule that uses the service group 5 From the Firewall menu click NAT Port Forwarding tab The Port Forwarding page appears 6 If this is the first rule de...

Страница 179: ...stem This rule uses port 2222 for SSH rather than the standard SSH port of 22 Forwarding the SSH port allows remote access using SSH to the UTM Firewall appliance itself which runs an SSH server on po...

Страница 180: ...w icon to add a rule above or below an existing rule If you use the New button the rule is added to the bottom of the list Use the up or down arrows to reposition a rule For more information on icons...

Страница 181: ...can select the option Any to match packets that will be transmitted on any interface You should normally set this field to your Internet interface 6 Enter the address from which the request originate...

Страница 182: ...dress assigned as an alias to the UTM Firewall appliance In addition to addresses you have predefined the following options are also available Unchanged Do not translate the source address This is use...

Страница 183: ...ckbox to the left of the object list to quickly re enable the rule The page refreshes and a check mark indicates the rule is enabled again 1 From the Firewall menu click NAT Source NAT tab Any rules t...

Страница 184: ...an internal private address to an external public address and vice versa This form of NAT maps an external public address to an internal private address Figure 189 1 to 1 NAT page initial view Creatin...

Страница 185: ...page Make sure you add a corresponding packet filter rule See Creating a packet filter rule Editing a one to one NAT rule 1 From the Firewall menu click NAT 1 to 1 NAT tab The 1 to 1 NAT page is displ...

Страница 186: ...ed for port B 1 From the Firewall menu click NAT 1 to 1 NAT tab The 1 to 1 NAT page is displayed Any rules that have already been defined are displayed 2 Click New or the add above or below icon depen...

Страница 187: ...s on your LAN which is generally not recommended 3 Enabled by default To enable masquerading for connections between any LAN interface and any DMZ interface select the Enable NAT from LAN VPN interfac...

Страница 188: ...ce be power cycled or should the internal or external interface become unavailable The UPnP Gateway is intended for transitory application port forwarding such as those established by some versions of...

Страница 189: ...3 Open Internet Connection click Settings Add The Service Settings window appears Figure 195 Figure 195 Service Settings 4 Enter an arbitrary Description of service 5 Enter the Name or IP address of...

Страница 190: ...dress of packets that have been port forwarded Takes the form of target IP address port number Connection tracking Connection tracking keeps a record of packets that have passed through the appliance...

Страница 191: ...the original direction and the reply direction The addresses for the original direction are before NAT and the addresses for the reply direction are after NAT Tip Connection logging generates a large...

Страница 192: ...shed and expire however this can result in excessive log messages if you have a large or busy network Make sure you have enabled remote system logging if you enable connection logging See Enabling rem...

Страница 193: ...xpert firewall administrators See Custom firewall rules and connection tracking for details About the Connection Tracking Report Use this report to view information about the current connections to a...

Страница 194: ...ck Connection Tracking Report tab The Connection Tracking Report page is displayed Figure 199 2 Select the Display checkbox for the fields you want to include in the report 3 Optional If available for...

Страница 195: ...er of rows you want displayed in the Maximum display rows field This value cannot exceed the display only value shown in the System processing limit field The system limit value is dynamic depending o...

Страница 196: ...as identification However identification can be forged On the other hand intrusion detection systems are more like security systems with motion sensors and video cameras Video screens can be monitore...

Страница 197: ...e being blocked in the Trigger count before blocking field This option only takes effect when one of the blocking options is enabled The trigger count value should be between 0 and 2 zero represents a...

Страница 198: ...t to detect most scans The Strict setting includes all services in Standard and Basic in addition to its own unique settings Security Alert The list of network ports can be freely edited however addin...

Страница 199: ...t be enabled in the IDB configuration for any scanning or blocking to occur See Configuring basic IDB echo X Elite X X exec X filenet rmi X X X finger X X gopher X http X ida discover2 X imap X X X in...

Страница 200: ...n Standard and Basic in addition to its own unique settings Security Alert The list of network ports can be freely edited however adding network ports used by services running on the UTM Firewall unit...

Страница 201: ...detect many attacks by checking destination port number TCP flags and doing a simple search through the packet s data payload Rules can be quite complex allowing a trigger if one criterion matches but...

Страница 202: ...tab The Intrusion Prevention page appears Figure 204 Figure 204 Snort Configuration IPS 2 Select the Enabled checkbox 3 Recommended To restrict memory usage for the scanning select the Use less memor...

Страница 203: ...t Configuration page 2 Select the Enabled checkbox 3 Select the network Interface to monitor This is typically Internet or possibly DMZ 4 Select the checkbox or checkboxes for the Rule sets you want t...

Страница 204: ...dress or resolvable host name of the analysis server in the Hostname field 6 Enter the database port of the analysis server in the Database port field For MySQL type databases this is typically 3306 7...

Страница 205: ...use The access control Web proxy allows you to control access to the Internet based on the type of Web content being accessed through Web Filtering and the user or workstation that is accessing the In...

Страница 206: ...you want to apply access control At least one checkbox must be selected for any access control operation to take place Available options are Private includes the LAN VPN and Dialin firewall classes En...

Страница 207: ...are blocked resulting in faster Web access than that provided by the software HTTP proxy Once the Fast Web Mode checkbox is selected the UTM Firewall device will operate in Fast Web Mode whenever The...

Страница 208: ...ust also have Web access enabled by your administrator Without this your access will be blocked as shown in Figure 209 then configure the browser to use the appliance Web proxy See Configuring browser...

Страница 209: ...ect the Use a proxy server for your LAN and the Bypass proxy server for local addresses checkboxes All other options should remain cleared 3 Click Advanced The Proxy Settings dialog box is displayed F...

Страница 210: ...e Access Control Lists page appears Figure 212 Figure 212 ACL tab 2 Optional Select allowed source hosts from the Allowed Source Hosts list The default is None Available options Available options depe...

Страница 211: ...select the single address you defined which is 10 0 0 0 25 8 Click Submit Web Lists tab Use the tabs within Web Lists to configure allowed and blocked URL fragments Only WWW browsing is restricted by...

Страница 212: ...wed access again Policy enforcement Policy enforcement on the UTM Firewall appliance provides the ability for specific internal servers and workstations to have their network access through the applia...

Страница 213: ...checkbox Turning policy enforcement on without specifying anything to scan causes a slight decrease in performance of the appliance 3 Optional Select the Block Unscanned Hosts checkbox This checkbox...

Страница 214: ...resses and services groups See Addresses page and Creating a service group Enable policy enforcement See Enabling security policy enforcement Upload and test NSAL scripts optional See Uploading a NASL...

Страница 215: ...tically populated from the files ending with nasl in the etc config directory Security groups may overlap with respect to hosts within them In this case a single allow service overrides any number of...

Страница 216: ...no longer displays indicating the script is now disabled Deleting a policy enforcement script 1 From the Firewall menu click Access Control Script Management tab The Manage Scripts page appears 2 Cli...

Страница 217: ...ting a feature The McAfee Web Gateway URL filtering service on the UTM Firewall appliance is for the URL filtering and reporting if applicable feature only Advanced McAfee Web Gateway features include...

Страница 218: ...ories might be added after content filtering is configured on your appliance Note Content filtering is not performed for addresses specified in the Web Lists tab URL Allow or Block pages or for allowe...

Страница 219: ...ilter Service page appears 2 Clear the Enable content filtering checkbox 3 Click Submit Uploading a McAfee Web Gateway certificate and key Use this procedure to upload the McAfee Web Gateway certifica...

Страница 220: ...TE lines when copying and pasting text 3 Click Submit Blocking categories for McAfee Web Gateway filtering Use this procedure to block categories for McAfee Web Gateway filter service There is only on...

Страница 221: ...teway URL rating Use this procedure to test the URL rating of a given URL You can provide feedback if you think the rating for the URL is inaccurate and needs to be reassessed 1 Go to http www trusted...

Страница 222: ...mit URL for Review Figure 226 URL check results Antivirus The antivirus capabilities of the UTM Firewall appliance shield your LAN from viruses that propagate through email the Web and FTP An antiviru...

Страница 223: ...ion tab System System Setup Memory Allocation tab See Memory Allocation tab for more information The antivirus database is updated automatically at intervals set when antivirus is enabled If your UTM...

Страница 224: ...y Available options are Hourly Daily Weekly 5 Specify the maximum size in kilobytes of files to scan for viruses in the Maximum file size to virus scan KB field Files over this size are automatically...

Страница 225: ...nternet Ideally the freshclam utility that comes with clam antivirus should be used to download the database files to a local machine If freshclam is not available you can download the database files...

Страница 226: ...pears Figure 228 Figure 228 Antivirus Network Storage 2 Select the Use share checkbox 3 Enter the path of the network share in the Share field You can use the following formats HOSTNAME sharename OR a...

Страница 227: ...ng a Windows XP network share A network share is a shared folder or drive on a local Windows PC or a PC running another operating system capable of SMB sharing such as Mac OS X For details on creating...

Страница 228: ...email client that is not retrieving email from the default POP server this may be all email clients the email client s POP3 user name setting must be in the form of user mail isp com rather than simpl...

Страница 229: ...mply user user is the POP3 login and mail isp com is the POP3 mail server Additionally the email client s incoming POP3 email server setting must be sent to the UTM Firewall appliance s LAN IP address...

Страница 230: ...server address of your LAN in the Destination SMTP server field 6 Enabled by default To enable source address translation select the Source NAT connections checkbox This enabled option prevents your...

Страница 231: ...s check Web downloads checkbox You must have access control enabled for this to function For more information on access control see Enabling access control 3 To treat oversized downloads as potential...

Страница 232: ...in the Maximum simultaneous connections field This is the total number of FTP connections allowed from your LAN Once this number is reached subsequent FTP connections are rejected until previous FTP c...

Страница 233: ...ll not function on the appliance until it is licensed About TrustedSource To determine reputation scores TrustedSource uses servers around the world to gather and analyze messages TrustedSource assign...

Страница 234: ...an SMTP proxy Security Alert Since antivirus for SMTP email and TrustedSource share SMTP resources only one SMTP server can be protected by these features Prerequisites DNS is configured with access...

Страница 235: ...gured to trust and forward messages appearing to originate from the LAN address of the appliance If enabled the apparent source address for connections to the internal SMTP server is one of the WAN ad...

Страница 236: ...ry engine You can also use this page to query the reputation of a given server which allows you to more finely tune your reputation threshold If this test is failing to return a reputation it could me...

Страница 237: ...4 0 4 Administration Guide 237 Firewall menu options Antispam TrustedSource Disabling TrustedSource 1 Select Firewall Antispam TrustedSource tab The TrustedSource page appears 2 Clear the Enable chec...

Страница 238: ...238 McAfee UTM Firewall 4 0 4 Administration Guide Firewall menu options Antispam TrustedSource...

Страница 239: ...ed directly from your office Similarly telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP VPN technology can be deployed as a low cost way of securely li...

Страница 240: ...appliance can operate as a PPTP client or a PPTP server The configuration of the appliance defines which networks are accessible via the tunnel The appliance initiates the PPTP tunnel with a specifie...

Страница 241: ...the system administrator of the remote PPTP server The username cannot start with 8 Enter the password in the Password field to use when logging in to the remote VPN The password can be one or more ch...

Страница 242: ...the office printer access shared files and computers on the network as if you were physically on the LAN To disconnect right click the PPTP Status system tray icon and select Disconnect PPTP VPN Serve...

Страница 243: ...ge in the IP Addresses to give to remote hosts field This must be a free IP address or a range of free IP addresses from the network typically the LAN that remote users are assigned while connected to...

Страница 244: ...b of the Users page You must enable the Dial in Access option for the individual users that are allowed dial in access RADIUS Use an external RADIUS server as defined on the RADIUS tab of the Users pa...

Страница 245: ...ternet you must set up two networking connections One connection is for the ISP and the other connection is for the VPN tunnel to your office network The PPTP server of the appliance interoperates wit...

Страница 246: ...on Wizard Network Connection Type page 5 Select Connect to the network at my workplace and click Next The Network Connection page appears Figure 244 Figure 244 New Connection Wizard Network Connection...

Страница 247: ...Public Network page appears Figure 246 Figure 246 New Connection Wizard Public Network page 8 If you have set up your computer to connect to your ISP using dial up select Automatically dial this init...

Страница 248: ...PN Server Selection page 9 Enter the UTM Firewall PPTP appliance s Internet IP address or fully qualified domain name and click Next The Smart Cards page appears Figure 248 Figure 248 New Connection W...

Страница 249: ...r you want to make this connection available to all users or only available to yourself and click Next The Completion page appears Figure 250 Figure 250 New Connection Wizard Completion page 12 To add...

Страница 250: ...set up your VPN connection to automatically establish an initial Internet connection 14 Enter the user name and password added in the Adding a PPTP user account 15 Click Connect Figure 252 VPN connect...

Страница 251: ...hared secret 3 Set up VPN user accounts on the UTM Firewall appliance and enable the appropriate authentication security See Adding an L2TP user account 4 Configure the VPN clients at the remote sites...

Страница 252: ...e one that you want to connect remote users to from the IP Address to Assign VPN Server list This is typically a LAN interface or alias 5 Select the weakest Authentication Scheme to accept Access is d...

Страница 253: ...reate an IPSec tunnel for use with L2TP Authentication is performed using x 509 certificates or a preshared secret You can add a single shared secret tunnel for all remote clients authenticating using...

Страница 254: ...tab 2 Click the status link for the connection you want to monitor The configuration displays data similar to that shown in Figure 256 Figure 256 L2TP IPSec status down 3 Click Update to update the cu...

Страница 255: ...list select the certificate uploaded to the UTM Firewall appliance 5 Enter the Client Distinguished Name It must match exactly the distinguished name of the remote party s local certificate to succes...

Страница 256: ...er name and Password as these are required in configuring the remote L2TP client 1 Click System Users Local Users tab The Local Users page is displayed 2 Click New The Edit User Information page appea...

Страница 257: ...r IPSec Preshared Secret Configuration To authenticate using an x 509 Certificate Tunnel you must first install the local certificate The distinguished name of this local certificate must match the na...

Страница 258: ...P server which is usually a Microsoft Windows server 1 From the VPN main menu click L2TP and select the L2TP VPN Client tab The L2TP accounts page appears Figure 261 Figure 261 L2TP VPN Client Setup t...

Страница 259: ...rface field For more information on static routes see Creating a static route 11 Optional Set the strength of encryption to use by selecting a Required Encryption Level from the drop down menu 12 Opti...

Страница 260: ...g on an external DNS server The following is a list of configurations from most to least preferable remote to local location 1 Static IP address to static IP address 2 Dynamic IP address to static IP...

Страница 261: ...gs Once populated with tunnels the Tunnel List pane displays the following information Connection This is the user defined name for the IPSec tunnel connection Remote Party This is the identity of the...

Страница 262: ...abling IPsec VPN Use this procedure to enable IPSec VPN 1 From the VPN menu click IPSec The IPSec VPN Setup page appears 2 Select the Enable IPSec checkbox 3 Optional Enter a Maximum Transmission Unit...

Страница 263: ...the remote party Tunnels configured with this method of authentication using the Quick Setup will by default use the Aggressive Mode of keying Note Preshared Secret is the only authentication current...

Страница 264: ...uired local certificate to use to negotiate the tunnel from the Local Certificate list This is the list of local certificates that have been uploaded for x 509 authentication Select the required certi...

Страница 265: ...to refresh the status before clicking the Status link 1 From the VPN menu click IPSec The IPSec VPN Setup page appears 2 In the Tunnel List pane click the linked status in the Status column Figure 26...

Страница 266: ...formation An outline of the tunnel s network setup Phase 1 and Phase 2 key lifetimes ike_life and IPSec_life respectively Type of keying Type of authentication used The policy line displays PSK for Pr...

Страница 267: ...TM Firewall appliance are Main Aggressive and Manual as described below Main The main mode has a more restrictive exchange for its key mode which automatically exchanges encryption and authentication...

Страница 268: ...ample uses main_test b Leave the Enable this tunnel checkbox selected c From the Local Interface list select the interface the IPSec tunnel is to go out on The options depend on what is currently conf...

Страница 269: ...vailable options are Preshared Secret RSA Digital Key Signature x 509 Certificates This examples uses Preshared Secret for authentication For further information on available authentication schemes re...

Страница 270: ...form abcd efgh c Optional To apply IPComp compression before encryption select the Payload compression checkbox d Optional To offload VPN connections to another UTM Firewall appliance either select o...

Страница 271: ...1 Settings page appears Figure 271 Figure 271 IPSec VPN Phase 1 Settings page Fill in the fields a Allow all of the defaults for the Key lifetime Rekey margin and Rekey fuzz fields b Enter the Presha...

Страница 272: ...lick Add The pair appears in the Local and Remote Network list Figure 273 You can click the delete icon to delete the pair and define a different pair Note You can add as many network pairs as require...

Страница 273: ...lso a UTM Firewall appliance and both appliances have static IP addresses 1 From the VPN menu click IPSec The IPSec VPN Setup page appears 2 Click Advanced The Tunnel Settings page appears Figure 274...

Страница 274: ...page RSA authentication Fill in the fields a Enter the IP address of the remote party This example uses 1 1 1 3 b Enter the Required Endpoint ID This example uses remote branch c Select an option for...

Страница 275: ...Public Key field enter the public part of the remote party s RSA Key generated for RSA Digital Key authentication This field must be populated with the remote party s public RSA key d Allow the Phase...

Страница 276: ...ctions refer to Adding a certificate for use with IPSec VPN The root CA needs to be uploaded to both appliances The local and remote certificates and keys must be uploaded to their respective applianc...

Страница 277: ...mote party This example uses 1 1 1 3 b Enter the Distinguished Name This example uses C US ST MN L St Paul O McAfee CN vpn McAfee com emailAddress vpn mcafee com Tip Copy the distinguished name from t...

Страница 278: ...e 2 Proposal at the default d Leave Perfect Forward Secrecy enabled e Leave the Diffie Hellman Group at the default 8 Click Finish The tunnel is added to the Tunnel List pane and the Status column ind...

Страница 279: ...e address This example uses a static IP address g If you want to force clients to authenticate using XAUTH select the Require XAUTH authentication checkbox 3 Click Next The Local Endpoint Settings pag...

Страница 280: ...cal Network that will have access to the remote network You can select from a list of predefined values based on the current network configuration and existing Definitions or you can define custom net...

Страница 281: ...is added to the Tunnel List pane and the Status column indicates the current status of the tunnel Manual keying mode for an IPSec tunnel Use this procedure as guidance for creating an IPSec tunnel usi...

Страница 282: ...0xhex where hex is one or more hexadecimal digits The hex part must be exactly 16 characters long when using DES or 48 characters long when using 3DES excluding any underscore characters d Select a C...

Страница 283: ...the form 0xhex where hex is one or more hexadecimal digits The hex part must be exactly 16 characters long when using DES or 48 characters long when using 3DES excluding any underscore characters It...

Страница 284: ...Next The Remote Endpoint Settings page appears 7 Make your selections and click Next The Phase 1 Settings page appears 8 Make your selections and click Next The Phase 2 Settings page appears 9 Click...

Страница 285: ...the Keying list select the type of keying for the tunnel to use In this example select the Aggressive Mode option 6 From the Local address list select the type of IPSec endpoint this UTM Firewall app...

Страница 286: ...arty to the UTM Firewall appliance For this example leave the field blank The remote party s ID is optional if it has a static IP address and uses Preshared Secrets for authentication It becomes a req...

Страница 287: ...ly network traffic coming from a Local Network and destined for a Remote Network is allowed across the tunnel IPSec uses its own routing mechanisms and disregards the main routing table 2 For this exa...

Страница 288: ...ave the Enable IP Payload Compression checkbox unselected 3 Leave the Enable Phase 1 2 rekeying to be initiated from my end checkbox selected 4 Click Next to configure the Remote Endpoint Settings Ste...

Страница 289: ...DNS providers For information on configuring DNS see DNS When configuring the tunnel select the DNS hostname address type for the IPSec endpoint that has dynamic DNS supported and enable Dead Peer De...

Страница 290: ...m where pksc12_file is the PKCS12 file issued by the CA and local_private_key pem is the local private key certificate to be uploaded into the UTM Firewall appliance When the application prompts you t...

Страница 291: ...lic certificate cert1 pem and the local private key certificate cert1 key ready to use in the UTM Firewall appliance For each certificate required change the cert1 filenames referenced in the above sy...

Страница 292: ...es Certificate management Figure 296 Add Remove Snap in dialog 3 Click Add The Add Standalone Snap in dialog box is displayed Figure 297 Figure 297 Add Standalone Snap in 4 Select Certificates and cli...

Страница 293: ...certificates installed for and click Finish Click Close and OK 6 In the Certificate console double click Certificates to open the certificate store Figure 299 Figure 299 Certificates Current User 7 In...

Страница 294: ...on Guide VPN menu features Certificate management Figure 301 Action menu 9 The Certificate Import wizard starts Figure 302 Figure 302 Certificate Import Wizard Welcome page 10 Click Next The File to I...

Страница 295: ...e 303 Certificate Import Wizard File to Import page 11 Click Browse and locate your cert1 p12 12 Click Next The Password page appears Figure 304 Figure 304 Certificate Import Wizard Password 13 Type i...

Страница 296: ...on page 17 Click Finish Adding a certificate for use with IPSec VPN The following types of certificates can be installed for use with IPSec VPN Local Certificate is a private and public key pair signe...

Страница 297: ...e in the Local Certificate field Click Browse to locate the file 4 Enter the Local Private Key certificate in Private Key Certificate field 5 Enter the passphrase to unlock the private key certificate...

Страница 298: ...icate Use this procedure to add a CRL certificate for use with IPSec VPN The certificate must be in PEM or DER format 1 From the VPN menu click IPSec Certificate Lists tab The IPSec Certificates page...

Страница 299: ...path is functioning again and if so falls forward to use the primary link instead Figure 313 Example IPSec failover network The steps necessary to recreate this failover scenario are 1 Set up unused a...

Страница 300: ...rface default gateway interface Keying Aggressive mode IKE Local address dynamic IP address Remote address static IP address Local Required Endpoint ID primary branch Dead Peer Detection enabled Remot...

Страница 301: ...168 12 1 192 168 11 1 c 3 stopwhack terminate name primary_1 asynchronous connection secondary parentipsec tunnel secondary_1 parentofipsec tunnel secondary_0 retry_delay5 test_delay5 maximum_retries...

Страница 302: ...2 192 168 12 2 c 3 stopwhack terminate name secondary_1 asynchronous service ipsec failover groupprimary groupsecondary 9 After editing and saving ifmond conf on the Headquarters UTM Firewall run the...

Страница 303: ...e party IP address 210 0 0 1 Local Network 2 Address of primary port 209 0 0 1 32 Remote Network 2 Remote Endpoint Table 27 Primary IPSec tunnel Branch Office UTM Firewall configuration Field Value Tu...

Страница 304: ...1 1 32 Remote Network 2 Remote Endpoint Table 30 Primary GRE tunnel Headquarters UTM Firewall configuration Field Value GRE tunnel name primary Remote address 210 0 0 1 Local address 209 0 0 1 Firewal...

Страница 305: ...entipsec tunnel secondary parentofnetif gre2 testifretry 2 5 ping I 209 0 1 1 210 0 1 1 c 3 retry_delay5 test_delay5 Gateway Metric 1 Table 35 Static route 2 Headquarters UTM Firewall configuration Fi...

Страница 306: ...rall tunnel counts and throughput by configuring additional UTM Firewall appliances as an offload device An IPSec offload device is another McAfee UTM Firewall appliance that has been specifically con...

Страница 307: ...ogether as they do not communicate with each other and only require simple single IP address visibility to the Central UTM Firewall appliance The optimal arrangement for conserving switch ports is a t...

Страница 308: ...s some extra configuration required as described in the next topic Configuring for VPN offloading Configuring for VPN offloading In addition to configuring the offload device within the advanced wizar...

Страница 309: ...4500 if NAT T is negotiated successfully Review the system log There will be entries by Pluto with informative data Verify the VPN LED is lit when the VPN tunnel is established this LED applies to al...

Страница 310: ...not work Possible cause The MTU of the IPSec interface is too large Solution Reduce the MTU of the IPSec interface Symptom Tunnel goes down after awhile Possible causes The remote party has gone down...

Страница 311: ...Tunnel comes up but the application does not work across the tunnel Possible causes There may be a firewall device blocking IPSec packets The MTU of the IPSec interface may be too large The applicatio...

Страница 312: ...is behind a firewall that only allows outgoing HTTP connections and blocks all other traffic SSL Tunnels are port tunnels that send data using an encrypted SSL pipe In order to use an SSL tunnel you m...

Страница 313: ...P address of the remote tunnel server in the Tunnel Server field 7 Enter the TCP port on which the tunnel server is listening for connections in the Tunnel Port field This must match the tunnel server...

Страница 314: ...e proxy server requires authentication enter the details in the Proxy User name and Proxy Password fields Can consist of any characters or be left blank 15 Optional If the proxy accepts connects from...

Страница 315: ...o specify the maximum length to use in HTTP PUT requests enter a value in the Content Length field Default 102400 Can be an integer value equal to or greater than 1 9 Optional To force the content len...

Страница 316: ...y accessible IP address of the remote tunnel server in the Tunnel Server field 7 Enter the TCP port on which the tunnel server is listening for connections in the Tunnel Port field Range an integer va...

Страница 317: ...8 From the Protocol list select the protocol to use when negotiating the SSL connection Available options are Raw Default Use the default when incoming connections are from a tunnel client CIFS NNTP P...

Страница 318: ...create nested tunnels which is useful for creating a secure SSL tunnel over an HTTP tunnel 1 Create the HTTP tunnel client and server 2 Create a SSL tunnel client such that the Tunnel Endpoint of the...

Страница 319: ...grading firmware Status menu This menu provides access to high level summaries of the general status of the system including the connections to the unit and the services running on it Whenever you log...

Страница 320: ...the bottom of the tab shows CPU usage by default You can change the chart to display other information by clicking on any of the underlined items in the System Status table Reviewing the status of the...

Страница 321: ...cting any of the underlined rates will plot that rate over time on a chart below the physical and logical connection tables These statistics are measured over the statsd polling period To change the p...

Страница 322: ...hart below the Services table The Services table also provides shortcuts to the configuration page for each service Simply click on the service name to be taken to the associated configuration page Sy...

Страница 323: ...event If you use certificates for SSL or IPSec it is especially important that you set the date and time correctly as certificates include a start date and time before which they do not function and...

Страница 324: ...Submit Syncing appliance date and time with a PC Use this procedure to set the date and time of your appliance to a personal computer You must have JavaScript enabled in your Web browser to sync your...

Страница 325: ...the Network Time Protocol NTP services on the UTM Firewall appliance The appliance can make use of an NTP server or peer running the NTP to provide for time synchronization across a network The applia...

Страница 326: ...ding an NTP server The UTM Firewall appliance can synchronize its system time with a remote time server using the network time protocol NTP Adding an NTP server ensures the clock in the UTM Firewall a...

Страница 327: ...etwork 1 From the System menu click Date and Time NTP Time Server tab The NTP Time Server page appears 2 In the NTP Time Server pane enter the IP Address of the NTP server 3 Select Peer from the Type...

Страница 328: ...ick Apply Memory Allocation tab This Memory Allocation tab Figure 332 allows system resources to be managed and allocated between the various available subsystems For each subsystem it is possible to...

Страница 329: ...an also be saved as a plain unencrypted text file After configuring your UTM Firewall appliance it is strongly recommended that you remotely back up your configuration to an encrypted file If the appl...

Страница 330: ...re a locally backed up configuration by clicking its corresponding Restore icon in the Restore or Delete Configuration pane 3 A message requests you to confirm the restore Click OK A message indicates...

Страница 331: ...option Security Alert Ensure the configuration is transferred over an encrypted connection and stored on a secured system This file is not intended to be human readable although some portions can be...

Страница 332: ...nfiguration files from the text box to a plain text file stored on a PC Restoring a saved configuration text file 1 From the System menu click Backup Restore Text Save Restore tab The Save Restore Con...

Страница 333: ...ocal users Administrative user accounts on a UTM Firewall appliance allow administrative duties to be spread amongst a number of different people according to their level of competence and trust Each...

Страница 334: ...ield Note Users with a fixed IP address still require a dynamic IP address even though they do not use it The PPTP VPN Server dynamic IP address range must be large enough to accommodate users with bo...

Страница 335: ...that the user change their passwords to meet the updated password class requirements Deleting a user 1 From the System menu click Users The Administrative Users page appears 2 Click the delete icon ne...

Страница 336: ...sibilities select one of the built in Predefined Administration Roles from the drop down menu The pre defined roles are Administration Diagnostic VPN Administrator 6 Optional Select an access level fo...

Страница 337: ...tion can take place against the domain controller To configure your Windows NT workgroup settings 1 From the System menu click Users and select the Domain tab Figure 342 Domain tab 2 In the NT Domain...

Страница 338: ...ecret string in the RADIUS Secret field The secret is used to access the RADIUS server and can be 1 or more characters of any type 6 Click Finish The new RADIUS server appears on the RADIUS server lis...

Страница 339: ...s Each label cannot begin or end with the hyphen character The address can also be an IP address of the form a b c d 3 Enter the secret used to access the TACACS server in the TACACS Secret field The...

Страница 340: ...d the duration of the lock out in seconds Re authentication idle time the amount of time a user may do nothing before having to log in to the unit again Disuse deletion time the number of days an acco...

Страница 341: ...unit Note Any time a password class is changed the Change password on first access checkbox should be selected in order to force users to change their passwords to meet the new password class require...

Страница 342: ...icated against a Windows workgroup server Note Selecting NT Domain requires the fields on the Domain tab be completed See Domain page TACACS the service is authenticated against a remote TACACS server...

Страница 343: ...cond table lists login attempts by service Management menu The Management menu provides configuration options that control how the UTM Firewall appliance is managed Configuration options include setti...

Страница 344: ...administration is similar to http 192 168 0 1 888 4 Optional recommended To enable secure HTTP HTTPS select the Enable HTTPS Management checkbox 5 Optional The Management Console runs on the default H...

Страница 345: ...e uploaded or manually created at the earliest possible convenience A proper certificate enables remote clients to establish its authenticity upon connection using chain of trust root cert signed or s...

Страница 346: ...te key length from the Generate an RSA key of list Available options are 512 bits default 1024 bits 1536 bits 2048 bits 3072 bits 4096 bits Note The more bits in the key the longer it takes to generat...

Страница 347: ...at you take care to protect your private root certificate Should an untrusted party access your root CA it would enable that party to generate SSL certs that your browser would silently accept thus co...

Страница 348: ...e 355 General Certificate Information 4 You can view the Details or Certification by click the relevant tab Click Install Certificate The Certificate Import Wizard begins Figure 356 Figure 356 Certifi...

Страница 349: ...lect store based on type option and click Next The Completion page appears Figure 358 Figure 358 Certificate Import Wizard Completion page 7 Click Finish 8 A security warning dialog box displays the t...

Страница 350: ...onger receive alerts when you access the console via https To view the certificates installed in the browser click Tools Internet options Content and click the Certificates button The Certificates dia...

Страница 351: ...helps hide the service from would be attackers 4 Click Submit to save the configuration changes Enabling remote management by McAfee UTM Firewall Control Center Use this procedure to enable remote man...

Страница 352: ...the Control Center Typically a setting somewhere between the logging everything and nothing is appropriate Available options are Absolutely Everything Everything but Debug Notices Warnings and Errors...

Страница 353: ...anagement Control Center Attributes tab The Control Center Attributes page appears 2 Click the edit icon for the attribute you want to edit The Edit Control Center Device Attributes page appears 3 Mak...

Страница 354: ...on this device It is highly recommended you do not allow read write access otherwise take additional steps to secure the connection 5 Specify the endpoints on which the SNMP agent accepts requests in...

Страница 355: ...ormation that may be useful in determining whether all services for your UTM Firewall appliance are operating correctly Every message recorded by a service on the appliance has an associated logging l...

Страница 356: ...log isolates your search terms To clear the system log messages click Clear Messages To filter the log output to display based on output type select an option from the Display list To reset the defaul...

Страница 357: ...syslog messages Caution Make sure the value you enter does not exceed the maximum size of the var log filesystem available for your model as indicated in Table 38 For best results keep the log size a...

Страница 358: ...the Remote Host field 4 Enter the Remote Port on which the remote syslog server is listening for syslog messages Typically the default is correct 5 Set the Filter Level to only send syslog messages at...

Страница 359: ...from 6 Set the Filter Level to only send syslog messages at the selected level or above 7 Specify the number of seconds to wait after receiving a system log message before sending an email in Delay to...

Страница 360: ...of an IPSec tunnel use the LAN interface of the appliance where the LAN network is defined as the local network Otherwise the ping will fail 4 Optional To perform a reverse DNS names lookup on IP add...

Страница 361: ...Devices page appears Figure 376 Figure 376 USB Detected Devices The Vendor Product and ID details are obtained by querying the devices directly The ID field is a combination of the Product ID Vendor I...

Страница 362: ...n the appliance For further information on temporary storage space see Table 38 on page 357 For large packet captures decrease this value 4 Click Add The packet capture configuration is added to the I...

Страница 363: ...pcap file Use this procedure to delete pcap files when you no longer require them This keeps space available in the var tmp directory 1 From the System menu click Diagnostics Packet Capture The Packet...

Страница 364: ...e Reboot page appears Figure 380 Figure 380 Reboot tab 2 Click Reboot It usually takes around 10 seconds before the appliance is up and running again If you have enabled bridging the UTM Firewall appl...

Страница 365: ...signed address For additional recovery options see Recovering from a failed upgrade Upgrading firmware Periodically McAfee releases new versions of firmware for your UTM Firewall appliance If a new ve...

Страница 366: ...otocol TFTP is a simplified version of FTP that allows transfer of files between computers over a network An alternative method to flash upgrades via HTTP is to install and configure a TFTP server and...

Страница 367: ...Click Upgrade The firmware upload only accepts valid firmware images and only accepts newer images appropriate for your device Wait for the upgrade to complete Upgrading using TFTP from the command li...

Страница 368: ...te Configuration Files tab The Configuration Files tab provides direct and quick access to configuration files within the Edit Files tab The Filename column indicates the configuration file name The S...

Страница 369: ...tiple files select the checkboxes for the files and click Modify An edit window opens for each file you want to modify The Modify File page appears The name of the file you are editing displays in the...

Страница 370: ...delete 3 Click OK Tip You can also click the Delete button at the bottom of the configuration files list To delete multiple files select the checkboxes for the files and click Delete Uploading a conf...

Страница 371: ...u features Advanced menu 1 From the System menu click Advanced Device Config tab The Display Modify Device Configuration page appears Figure 387 Figure 387 Display Modify Device Configuration page 2 M...

Страница 372: ...372 McAfee UTM Firewall 4 0 4 Administration Guide System menu features Advanced menu...

Страница 373: ...incoming interface OUT outgoing interface MAC dst src MAC addresses SRC source IP DST destination IP SPT source port DPT destination port additional packet info Where prefix if non empty hints at cau...

Страница 374: ...0x00 TTL 62 ID 51683 DF PROTO TCP SPT 47044 DPT 22 WINDOW 5840 RES 0x00 SYN URGP 0 Packets going from the private network to the public come in eth0 and out eth1 as shown in the following example Mar...

Страница 375: ...LAN with address 192 168 1 1 iptables I FORWARD j LOG p tcp syn s 5 6 7 8 32 d 192 168 1 1 dport 25 log prefix Mail for flubber This results in log output similar to 12 Jan 24 18 17 19 2000 klogd Mail...

Страница 376: ...whether the authentication succeeded or failed and reason for the failure the user attempting authentication in this case root and the IP address from which the attempt was made Successful Telnet Com...

Страница 377: ...ppliance stops functioning and becomes unusable until its flash is reprogrammed at the factory or a recovery boot is performed User care is advised UTM Firewall firmware revision numbers have the form...

Страница 378: ...N port or switch directly to your PC using a straight cable 2 Login to your PC with administrator privileges 2000 XP NT4 only 3 Ensure there are no DHCP server programs or services Start Run Open serv...

Страница 379: ...with antivirus software the UTM Firewall may be unable to contact the TFTP server on your PC To resolve the issue temporarily disable the software 4 The UTM Firewall device upgrade begins The LEDs on...

Страница 380: ...restore factory default configuration power off the appliance and restart the recovery procedure from the beginning 12 When prompted select the appropriate final firmware image file sgu Each sgu file...

Страница 381: ...ance s LAN port or first port of the UTM Firewall appliance s switch directly to your PC using a straight cable 7 Power off the appliance Press and hold the erase button while powering the appliance o...

Страница 382: ...ower off the appliance 2 Push and hold in the erase button on the back panel of the UTM Firewall device 3 Plug in the power cord 4 Continue to hold the erase button for five seconds The UTM Firewall r...

Страница 383: ...following line connect bin chat f etc config chat ttyS0 4 Add the following line to the bottom of the file passive 5 Click Finish 6 Connect the serial port of the appliance directly to the serial port...

Страница 384: ...match those of the local PC On the UTM Firewall appliance 1 From the Network Setup menu click Network Setup The Connections page appears 2 Click the edit icon for the dial in connection 3 Select the...

Страница 385: ...SG580 SG640 SG720 acld McAfee access control list daemon arp Manipulate the system ARP cache ash Busybox version of the Almquist Shell auth down McAfee program to run when pptp pptpd are brought up au...

Страница 386: ...on Protocol Relay Agent diald Demand dialing daemon for IP links over phone lines discard Network utility that listens on the discard port dmesg Print or control the kernel ring buffer dnsmasq Caching...

Страница 387: ...e system fsck msdos Check and repair MS DOS file systems fsck vfat Check and repair MS DOS file systems ftp Internet file transfer program gen keys SSH key generation program gen ssl cert McAfee opens...

Страница 388: ...on insmod Simple program to insert a module into the Linux Kernel ip Show or manipulate routing devices policy routing and tunnels ip6tables IPv6 packet filter administration ipsec McAfee IPSec manage...

Страница 389: ...status mkdir Make directories mkdosfs Create an MS DOS file system under Linux mke2fs Create an ext2 ext3 file system mkfs msdos Create an MS DOS file system under Linux mkfs vfat Create an MS DOS fi...

Страница 390: ...of a running program ping Send ICMP ECHO_REQUEST packets to network hosts ping6 Send IPv6 pings pivot_root Tool to change root file system pluto IPSec IKE keying daemon pop3 proxy POP3 proxy server po...

Страница 391: ...ate the IP routing table routef IP Route tool to flush IPv4 routes routel IP Route tool to list routes rrdtool Tool for creating round robin database files and for creating graphs rsasigkey Generate R...

Страница 392: ...id ssh OpenSSH SSH client remote login program ssh keygen Authentication key generation management and conversion sshd OpenSSH SSH daemon sslwrap Program that allows plain services to be accessed via...

Страница 393: ...ts query Test TrustedSource settings and query the reputation score of a server tune2fs Adjust tunable file system parameters on ext2 ext3 file systems udevadm udev helper application udevd udev daem...

Страница 394: ...y for configuring WLAN Wireless LAN connections zcat Identical to gunzip c zebra Routing manager for use with associated components Table 40 Supported CLI programs and commands Comment continued Progr...

Страница 395: ...s type of keying automatically exchanges encryption and authentication keys and replaces them periodically B Block cipher A method of encrypting text to produce ciphertext in which a cryptographic key...

Страница 396: ...names and translates them into IP addresses A domain name is a meaningful and easy to remember name for an IP address DUN Dial Up Networking E Encapsulating Security Payload ESP Encapsulated Security...

Страница 397: ...es ciphertext that is evenly distributed This makes it difficult to compress If one wishes to compress the data it must be done prior to encrypting The IPcomp header provides for this One of the probl...

Страница 398: ...the local network MD5 Message Digest Algorithm Five is a 128 bit hash It is one of two message digest algorithms available in IPSec N NAT Network Address Translation The translation of an IP address u...

Страница 399: ...route packets to their final destination RSA Digital Signatures A public private RSA key pair used for authentication The UTM Firewall appliance can generate these key pairs The public keys need to b...

Страница 400: ...sociation of workstation names and locations with IP addresses X Z x 509 Certificates An x 509 certificate includes the format of the certificate the serial number of the certificate the algorithm use...

Страница 401: ...4 enabling SNMP 353 alias IP address adding for interface 47 deleting for interface 47 aliases interface 47 allowing URL 211 antispam 233 antivirus 222 disabling 224 enabling 223 local USB storage 226...

Страница 402: ...t display 370 direct edit 370 editing 368 uploading 370 configuring advanced Web Cache settings 140 advanced wireless features 92 DHCP 124 DHCP relay 130 DMZ connection 80 guest connection 82 IDB 196...

Страница 403: ...r or relay 126 relay 130 server 123 DHCP Addresses page 126 DHCP relay configuring 130 DHCP Status page 124 dial on demand disabling 60 dial on demand connection enabling 59 dial out null modem 383 di...

Страница 404: ...ased VLAN 101 QoS Autoshaper 142 route management 112 SNMP agent 353 source NAT rule 183 Web cache 133 erasing configuration and rebooting 365 EVDO 106 extended ISO date timestamping 356 extracting ce...

Страница 405: ...Custom Firewall Rules 170 disabling 123 disabling for connection 48 enabling 123 IRC 191 K kill command 388 L L2TP VPN client 258 VPN server 251 L2TP IPSec tunnel deleting 256 LEDs 12 16 limitation po...

Страница 406: ...P adding peer 327 adding server 326 null modem dial out 383 dial in 383 serial cable 383 O offloading IPSec VPN 306 online Help 21 Open Shortest Path First 115 OpenSSL 289 OSPF 115 P PAC file 133 pack...

Страница 407: ...atus 264 relay configuring DHCP 130 DHCP 130 remote restoring configuration 331 system log 357 report technical support 22 reserving IP address 129 restoring firmware factory default settings 377 loca...

Страница 408: ...log persistent remote 357 remote 357 System tab 355 T tab Local Syslog 356 TACACS server 339 tagged VLAN 100 tcpblast 393 technical support 21 report 22 test ping 360 trace route 360 Text Save Restor...

Страница 409: ...31 VLAN 99 adding 99 adding port based 102 deleting port based 104 editing port based 104 enabling port based 101 limitations of port based 100 tagged 100 untagged 100 VPN disabling IPSec 267 IPSec 28...

Страница 410: ...410 McAfee UTM Firewall 4 0 4 Administration Guide Index...

Страница 411: ......

Страница 412: ...700 2237A00...

Отзывы:

Нет отзывов

Похожие инструкции для SG310

Symantec Mail Security Administration Manual preview
Mail Security
Бренд: Symantec Страницы: 258
Lanner FW-8759 User Manual preview
FW-8759
Бренд: Lanner Страницы: 45
IBASE Technology FWA8600 User Manual preview
FWA8600
Бренд: IBASE Technology Страницы: 112
Barracuda CloudGen F80 Manual preview
CloudGen F80
Бренд: Barracuda Страницы: 6
IBM QRadar XGS 5200 Replacement Instructions preview
QRadar XGS 5200
Бренд: IBM Страницы: 2
Untangle u500 Setup Manual preview
u500
Бренд: Untangle Страницы: 2
IDQ Quantis Appliance User Manual preview
Quantis Appliance
Бренд: IDQ Страницы: 47
Pulse Secure PSA3000 Hardware Manual preview
PSA3000
Бренд: Pulse Secure Страницы: 42
Pulse Secure PSA7000 Hardware Manual preview
PSA7000
Бренд: Pulse Secure Страницы: 52
NetScreen Technologies NetScreen-10 Series Installer'S Manual preview
NetScreen-10 Series
Бренд: NetScreen Technologies Страницы: 48
Futurex USB Backup HSM User Manual preview
USB Backup HSM
Бренд: Futurex Страницы: 31

Бренды по названию

Популярные бренды

Загрузить еще бренды