Ronde & Schwarz GP-E Скачать руководство пользователя страница 110 | Manualshive

Страница: 110 / 129

Ronde & Schwarz GP-E Скачать руководство пользователя страница 110

User Interface

R&S

®

GP-U/GP-E/GP-S/GP-T

110

User Manual 3646.3836.02 ─ 01

Field

Description

"IKE Version"

Select the Internet key exchange version to be used for the connection. IKEv2
is faster in establishing a tunnel and in rekeying. IKEv1 is maintained for com-
patibility reasons.

Note:

If you select the gateprotect VPN client as connection type or if you

enable L2TP in a Client-to-Site connection, IKEv2 is not available.

"Encryption algorithm"

Select the cryptographic hash to verify the message.

"Authentication algo-
rithm"

Select the algorithm to encrypt the message.

"DH group"

Select the Diffie-Hellman (DH) group to be used for IKE negotiation.

"Lifetime"

Specify the timeout (in seconds) after which the IKE connection expires and a
new exchange is performed.

Note:

This only has an indirect influence on the renegotiation time. The precise

point in time is determined randomly to avoid that all tunnels are re-established
at the same time which would result in a heavy system load.

"Use mobile IKE"

Only with IKEv2: Select this checkbox to allow one side to change its IP
address without disconnecting the tunnel.

On the "IPsec" tab, you can select the encryption and authentication algorithms for the
IPsec SA negotiation quick mode:

Field

Description

"Encryption algorithm"

Select the cryptographic hash to verify the message.

"Authentication algo-
rithm"

Select the algorithm to encrypt the message.

"Lifetime"

Specify the timeout (in seconds) after which the IPsec SA expires and a new
exchange is performed.

Note:

This only has an indirect influence on the renegotiation time – the precise

point in time is determined randomly to avoid that all tunnels are re-established
at the same time which would result in a heavy system load.

"Perfect Forward
Secrecy (PFS)"

Select this checkbox to activate Perfect Forward Secrecy.

Using PFS is recommended because it increases security. However, it has to
be deactivated if the remote end does not support it (such as Windows XP).

Note:

If you select IKEv2, PFS is automatically used.

"PFS group"

Only if PFS is enabled: Select the Diffie-Hellman (DH group) to be used with
PFS.

On the "Additional Settings" tab, you can set up port and protocol restrictions (for
example for L2TP) for the IPsec connection. Only packets matching the settings are
forwarded through the tunnel.

Field

Description

"Local Port"

Enter the local port you want to restrict traffic to.

"Remote Port"

Enter the remote port you want to restrict traffic to.

Menu Reference

«
...
108
109
110
111
112
...
»

Содержание GP-E

Страница 1: ...R S GP U GP E GP S GP T gateprotect Firewall User Manual User Manual 3646 3836 02 01 T VT2 Cybersecurity ...

Страница 2: ... Cybersecurity GmbH Mühldorfstr 15 81671 Munich Germany Phone 49 0 30 65 884 223 Email cybersecurity rohde schwarz com Internet cybersecurity rohde schwarz com Printed in Germany Subject to change Data without tolerance limits is not binding R S is a registered trademark of Rohde Schwarz GmbH Co KG Trade names are trademarks of the owners The following abbreviations are used throughout this manual...

Страница 3: ...igation Pane 15 3 1 3 Desktop 15 3 2 Icons and Buttons 17 3 3 Firewall Rule Settings 19 3 4 Menu Reference 22 3 4 1 Firewall 22 3 4 1 1 License Settings 22 3 4 1 2 Updates Settings 23 3 4 1 3 Administrators 26 3 4 1 4 User Authentication 28 3 4 1 5 Server Access Settings 41 3 4 1 6 Command Center Settings 43 3 4 1 7 Time Settings 43 3 4 1 8 High Availability Settings 45 3 4 1 9 Backup 49 3 4 2 Net...

Страница 4: ... 4 6 VPN User Groups 83 3 4 4 7 Networks 84 3 4 4 8 Host Groups 84 3 4 4 9 IP Ranges 85 3 4 4 10 VPN Hosts 86 3 4 4 11 VPN Groups 87 3 4 4 12 VPN Networks 88 3 4 4 13 Connections 89 3 4 5 Desktop 90 3 4 5 1 Services 90 3 4 5 2 Desktop Rules 90 3 4 6 UTM 91 3 4 6 1 Application Filter 91 3 4 6 2 URL Content Filter 93 3 4 6 3 Antivirus Settings 95 3 4 6 4 Email Security 98 3 4 6 5 Proxy 101 3 4 7 VPN...

Страница 5: ...icates 114 3 4 8 2 Templates 117 3 4 8 3 OCSP CRL Settings 118 3 4 8 4 Trusted Proxy CAs 119 3 4 9 Monitoring 119 3 4 9 1 SNMP Settings 119 3 4 9 2 Syslog Servers 121 3 4 9 3 Logs 122 3 4 10 Network Tools 123 3 4 10 1 Ping Settings 124 3 4 10 2 Traceroute Settings 124 Index 127 ...

Страница 6: ...Contents R S GP U GP E GP S GP T 6 User Manual 3646 3836 02 01 ...

Страница 7: ...hat meets the high demands of complex network structures in industry and enterprise environ ments GP Tough the firewall solution specifically designed for challenging environments There are license based features that distinguish individual product models within the product lines from one another For more information about your specific gateprotect Firewall see the information on the relevant data...

Страница 8: ...Description Graphical user interface ele ments All names of graphical user interface elements on the screen such as menu items buttons checkboxes dialog boxes list names are enclosed by quotation marks Top level menu item sub menu element A sequence of menu commands is indicated by greater than symbols between menu items and the whole sequence being enclosed by quota tion marks Select the submenu ...

Страница 9: ...l documents such as technical specifications please visit the my gatepro tect portal at www mygateprotect com 1 5 About Rohde Schwarz Cybersecurity Rohde Schwarz Cybersecurity is an IT security company that protects companies and public institutions around the world against cyberattacks The company develops and produces technologically leading solutions for information and network security includi...

Страница 10: ...About This Manual R S GP U GP E GP S GP T 10 User Manual 3646 3836 02 01 For more information visit our website at cybersecurity rohde schwarz com About Rohde Schwarz Cybersecurity ...

Страница 11: ... and the factory default Password admin Figure 2 1 Logging on to the gateprotect Firewall 2 Click Login 3 After your first logon using the standard credentials the system prompts you to change your password The new password has to be at least six characters long You cannot skip this step The web client appears If you forget the new password entered contact the Rohde Schwarz Cybersecurity support t...

Страница 12: ...Getting Started R S GP U GP E GP S GP T 12 User Manual 3646 3836 02 01 ...

Страница 13: ...ent Chapter 3 2 Icons and Buttons on page 17 explains the meaning of the icons and buttons commonly used on the user interface and throughout this manual Chapter 3 3 Firewall Rule Settings on page 19 describes how a firewall rule for a connection between two desktop nodes is set up Chapter 3 4 Menu Reference on page 22 reflects the arrangement of the menu items in the navigation bar on the left si...

Страница 14: ...by default see Chapter 3 1 2 Navigation Pane on page 15 the Rohde Schwarz Cybersecurity logo a language menu that allows you to select the language to be used in the web cli ent a user menu to end the current user session and return to the logon dialog a system menu to reboot or shut down power off your gateprotect Firewall and a help menu with links which provide access to a PDF version of the ga...

Страница 15: ... Firewall reduces the corresponding list to show only those menu items or entries that contain the characters you are typ ing Click in the input field to delete the search string and display an unfiltered view of the list You can expand all menus in the navigation bar at once by clicking or collapse them by clicking in the upper right corner of the navigation bar Furthermore you can hide the navig...

Страница 16: ... selection and the connection tool Use the selection tool for all actions on the desktop such as moving objects or selecting certain functions With the connection tool you can create or edit a connection between two desktop objects For further information see Chapter 3 3 Firewall Rule Settings on page 19 You can create an object on the desktop by clicking the respective desktop object button in th...

Страница 17: ...and Buttons This topic explains the icons and buttons commonly used on the user interface and throughout this manual Icon Button Description Hide and show the navigation bar Move objects or select objects and functions on the desktop Create or edit a connection between two desktop objects Create an Internet object Create a host Create a host group Create a network Create an IP range Create a VPN h...

Страница 18: ... blacklist whitelist to a file Import a backup from a file Export a backup to a file Create a list item in the item list bar Unfold a menu item to view subordinate items in the navigation bar Unfold a web filter category to view its subcategories Unfold a service category for firewall rules to view its subservices Hide subordinate menu items in the navigation bar Hide subcategories of a web filter...

Страница 19: ...efined Service Along with the Connection panel a list of predefined services available for the con nection opens on the right side of the browser window The list of services can be col lapsed and expanded by clicking the appropriate icon For further information see Chapter 3 2 Icons and Buttons on page 17 The Filter input field at the top of the list helps you quickly find a particular service As ...

Страница 20: ...ports port ranges and or protocols appear as an entry in the list You can edit or delete each single entry in the list by clicking the appro priate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 b In the Schedule tab you can specify the time when the firewall rule is active The tab provides the following options Set specific times and weekdays using th...

Страница 21: ...ff by clicking the icon in the Action column You can choose between the following four options Off All traffic between source and destination desktop objects is dropped for this service Bidirectional All traffic between source and destination desktop objects is allowed for this service Left to right The desktop object on the left is allowed to send requests The desktop object on the right is allow...

Страница 22: ...nstallation the gateprotect Firewall runs as a test version for 30 days You can see that it is a test version in the notification on the License Manager panel under Firewall License During this period of time it is not possible to create backups After this period of time the firewall remains active with your configuration However you are not able to make any changes and the HTTP and HTTPS protocol...

Страница 23: ...ly downloaded from the update server and installed on the firewall quickly and has sle free In addition the update system is equipped with various functions for notifying the system administrator if there are new updates available Furthermore you can view a history of the imported updates To prevent any unauthorized or malicious updates from being installed on the firewall all gateprotect Firewall...

Страница 24: ...pdate has been installed successfully Release Date Displays the date when the update was released Status Distinguishes between new updates and updates which have already been installed Note An update cannot be installed more than once Action Dependency If dependencies are met the Install action is allowed Otherwise a list of dependencies is dis played To meet the dependencies install the updates m...

Страница 25: ...o one of the other values as nec essary Update Servers The standard update server is http www gatepro tect com updateserver You can add as many update servers as you like Enter the URL of an update server and click Add to put the update server on the list Note If the URL contains a fully qualified domain name FQDN you need to configure the DNS set tings Otherwise the FQDN cannot be resolved You ca...

Страница 26: ... of administrators that are cur rently defined on the system in the item list bar The plus button above the list allows you to add new administrators In the expanded view the first table column displays the Name of the administrator The Admin column shows one of the following status indicators Green The administrator has been granted access to the web client Orange The administrator has not been g...

Страница 27: ... Optional and for newly added administrators only if the Granting access checkbox is selected Select this checkbox if you want the administrator to change the password after the next logon Optional and for edited administrators only if the Change checkbox is selected Select this check box if you want the administrator to change the password after the next logon On the Webclient Permissions tab you...

Страница 28: ...out and the new user is logged on Logging on to the firewall The gateprotect Firewall runs a special web server which only processes user logons It receives the user name and password With a user database which is created locally on the gateprotect Firewall an authentication service first verifies whether the user name and password are admissible If this logon fails and if a Microsoft Active Direc...

Страница 29: ...ication item list bar as well Active Direc tory groups are a powerful tool to set up and maintain security policies for each user For example you allocate Active Directory users to certain Active Directory groups and then create firewall rules for these groups on the gateprotect Firewall Logging on Users can log on to the gateprotect Firewall in different ways Logging on via web browser on page 29...

Страница 30: ...Click Login The authentication is carried out For security reasons the browser window in which the user logged on must remain open during the whole session Otherwise the user is logged out automatically after one minute to prevent unauthorized persons from accessing the firewall via a computer where a user has forgotten to log out Logging on via User Authentication Client UA Client The Windows bas...

Страница 31: ... specified in the sAMAccountName attribute of the user Otherwise the name in the user specific firewall rules will not correspond to the user logging on to the client and the rules will not match 5 Enter the Password of the user 6 Optional Select the Remember password checkbox if you want the password to be saved for future logons 7 Optional Adjust the period of time for reconnection under Setting...

Страница 32: ...es configured on the gateprotect Firewall concern ing these users are then automatically applied To realize SSO with the gateprotect Firewall in an Active Directory environment the following preconditions have to be met 1 As Kerberos is time critical make sure to set the same time NTP server for all components of SSO domain controller Windows client and gateprotect Firewall 2 Creating the user gpL...

Страница 33: ...ed 3 Using the gpLogin user to query the Active Directory In the User Name input field under Authentication Server enter gpLogin 4 Configuring the Service Principal Name SPN Assign an SPN to the newly created user so that thegateprotect Firewall is able to create a position of trust regarding the domain controller To do so run the follow ing command on the domain controller setspn A gpLogin fw10 g...

Страница 34: ...m puter For example if the host name of the gateprotect Firewall is fw96 and its IP address in the network of the client computer is 192 168 0 1 the target path for the installation of the UA SSO client is C Program Files R S Cybersecurity UA Client 3 0 UAClientSSO exe fw96 192 168 0 1 the UAClientSSO msi Microsoft installer file This file serves for the distribution of the client through a softwa...

Страница 35: ... local users LDAP users and groups and unassigned users that are currently defined on the system in the item list bar Click Settings under the item list bar header to open the editor panel The User Authentication Settings panel allows you to configure the following ele ments Field Description ON OFF A slider switch indicates whether user authentication is active ON or inactive OFF By clicking the ...

Страница 36: ...d to configure its set tings you first have to activate the Kerberos service on the Kerberos tab If Microsoft Active Directory Server is selected you can configure the fol lowing elements Field Description Host Enter the host name or the IP address of the direc tory server Note If you enter the host name of the directory server you need to configure the DNS settings Oth erwise the host name cannot...

Страница 37: ...efine the location within the directory from where the directory search should start User Query Optional Specify the filter to be used to retrieve the list of users User ID Optional Define the attribute where the user identi fier is retrieved from The user names displayed in the web client are actually coming from this attribute of the LDAP User The user ID is retrieved from the sAMAccountName att...

Страница 38: ...teprotect Firewall if necessary Domain Adjust the domain of your gateprotect Firewall so it matches the domain of the Active Directory if neces sary Local Users gateprotect Firewall offers local user administration for smaller companies without cen tral administration Use the Local Users settings to define and manage users by specifying the usernames and passwords that are authorized to connect to...

Страница 39: ...store the reconfigured user or Reset to discard your changes You can click Close to shut the editor panel as long as no changes have been made on it The local users defined here are available for use in desktop objects for example VPN users LDAP Users It is possible to connect gateprotect Firewall to an external directory server via the Lightweight Directory Access Protocol LDAP to retrieve users ...

Страница 40: ...controller To connect the user authentication to the Windows domain controller perform the fol lowing steps 1 Navigate to Firewall User Authentication 2 Click the Authentication Server tab 3 Enter the data of your domain controller All the users in the specified domain appear on the user list 4 Drag user icons onto the configuration desktop and assign rules to them The users have to enter the URL ...

Страница 41: ...the gateprotect Firewall can be accessed from external networks or the Internet In addition you can determine how the gateprotect Firewall is to react for example to ping requests The Server Access settings only apply to external accesses to the gateprotect Fire wall for the defined users Accesses from the internal network are always possible Navigate to Firewall Server Access to open an editor pa...

Страница 42: ...ewall via SSH external SSH access via the Internet is denied VPN only The same function as Deny How ever in this case SSH access from the Internet to the gateprotect Firewall via VPN is allowed Allow External SSH access to the gatepro tect Firewall via the Internet is allowed Note The Allow option provides SSH access to the gateprotect Firewall via the Internet The SSH access is useful for example...

Страница 43: ...ents Field Description ON OFF A slider switch indicates whether the connection to the Command Center is active ON or inactive OFF By clicking the slider switch you can toggle the state of the connection The connection to the Command Center is deacti vated by default Host Enter the host name or IP address under which the Command Center is reach able from the gateprotect Firewall Port Enter the port...

Страница 44: ...if the NTP Client checkbox is selected You can either use the prede fined NTP servers or add your own NTP servers to the list The standard NTP servers are de pool ntp org and europe pool ntp org You can add as many NTP servers as you like Enter the IP address or the fully qualified domain name of an NTP server in the input field Then click Add to put the NTP server on the list You can edit or dele...

Страница 45: ...status of the paired sys tem The master machine synchronizes its configuration to the slave On the slave machine certain rules are applied which allow network communication with the master machine only If the slave system fails to detect a heartbeat signal from the master it takes over the role of the master system in the event of power outage or hardware failure shutdown When the slave machine ta...

Страница 46: ...stems of the same hardware type for example GP U 300 with GP U 300 or GP S 1600 with GP S 1600 and software version Furthermore a free network interface NIC is required on both systems in other words a network interface that is not currently used by any other interface like VLAN or bridge or any network connection For more information see Chap ter 3 4 2 1 Interfaces on page 53 and Network Connecti...

Страница 47: ...nized and ready High Availabil ity is enabled on the firewall the other firewall is reachable and synchronized Current Role Displays whether the gateprotect Firewall is config ured as a master or a slave machine Initial Role Select the respective radio button to specify the role which the gateprotect Firewall is to play in the HA cluster Master The gateprotect Firewall is active and synchronizes i...

Страница 48: ...ilability configuration and operate it as a standalone system reinstall your gateprotect Firewall For further information see Disabling High Availability Configurations on page 48 Updating High Availability Configurations When High Availability is enabled the following considerations apply regarding the updating of the High Availability configurations In a High Availability configuration system up...

Страница 49: ...t The options under Backup allow you to schedule regular backups of the current system configuration to back up the system configuration manually and to restore previous configurations Backups can be created once a license has been imported that is to say not during the test period of 30 days For more detailed information on backups see the following sections Automatic Backup Settings The Auto Bac...

Страница 50: ... the user s password Server Type Select the respective radio button to specify which network protocol is used to upload the backups to the server The option is set to FTP by default but you can adjust the settings to SCP as necessary Filename Enter a name for automatically created backup files Encryption Password Enter a password for the encryption of the backup files The password can consist of u...

Страница 51: ... MM DD YYYY format or use the date picker to set a date You can also set a time by entering the time in the hh mm ss format Under Interval and Unit define how often the configuration is backed up automatically Set the interval by entering a number or using the up and down arrows The option is set to 1 by default Then select one of the unit options from the drop down list The option is set to days ...

Страница 52: ...s allowed are letters of the English alphabet integers and the special characters _ Show Password Optional Select this checkbox to verify the pass word Use auto backup password Optional Select this checkbox if you want to use the encryption password set for the creation of auto matic backup files see Automatic Backup Settings on page 49 instead of entering a new one If you want to export the backu...

Страница 53: ...WLAN routing policies and DHCP settings 3 4 2 1 Interfaces Navigate to Network Interfaces to configure Ethernet VLAN Bridge PPP and WLAN interfaces The item list bar displays an overview of all interfaces which are cur rently defined on the system Ethernet Interfaces The physical Ethernet Interfaces receive the following default IP addresses 192 168 X 254 24 X being the number of the interface i e...

Страница 54: ...connected to the interface e g twisted pair ON OFF A slider switch indicates whether the Ethernet interface link is active ON or inactive OFF By clicking the slider switch you can toggle the state of the Ethernet interface link MTU Set the maximum size of each packet in bytes The Maximum Transmission Unit can be any integer from 64 to 16384 If you modify the settings click Save to store your chang...

Страница 55: ...rface panel displays the following information and allows you to config ure the following elements Field Description ON OFF A slider switch indicates whether the VLAN interface is active ON or inactive OFF By clicking the slider switch you can toggle the state of the VLAN interface A new VLAN interface is enabled by default Name Displays the name of the VLAN interface The name is generated automat...

Страница 56: ...me of the bridge interface The Status column shows one of the following status indicators Green The bridge interface is enabled Orange The bridge interface is disabled Furthermore the Ports that are assigned to the bridge interface are displayed The buttons in the last column allow you to view and adjust the settings for an existing bridge interface create a new bridge interface based on a copy of...

Страница 57: ... to configure the Priority and the Cost for the respective port and to remove the port from the bridge interface The buttons at the bottom right of the editor panel depend on whether you add a new bridge interface or edit an existing bridge For a newly configured bridge interface click Create to add the bridge to the list of available bridge interfaces or Cancel to dis card your changes To edit an...

Страница 58: ... of LCP echo failures after which the peer is considered dead by entering an integer value from 0 to 64 If you enter 0 failures are ignored MTU Set the maximum size of each packet in bytes The Maximum Transmission Unit can be any integer from 64 to 16384 MRU Specify the Maximum Receive Unit by entering an integer value from 128 to 16384 The buttons at the bottom right of the editor panel depend on...

Страница 59: ...r the WLAN interface is active ON or inactive OFF By clicking the slider switch you can toggle the state of the WLAN interface Name Displays the name of the WLAN interface wlan0 The name is automatically generated Device Status Displays the status of the device The status can be one of the following Plugged a wireless USB flash drive is connected to the gateprotect Firewall Unplugged a previously ...

Страница 60: ...e are displayed The buttons in the last column allow you to view and adjust the settings for an existing network connection create a new connection based on a copy of an existing network connection or delete a network connection from the system For further information see Chapter 3 2 Icons and Buttons on page 17 Network Connections Settings Use the Network Connections settings to configure custom ...

Страница 61: ...the IP address to the list You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 Note If you edit an IP address a check mark appears on the right of the entry Click the check mark to be able to save the settings of the IP address Obtain Gateway Only available if the selected conn...

Страница 62: ...ich provides the fol lowing options Set specific times and weekdays using the sliders Always On The connection is always enabled Always Off The connection is always disabled The buttons at the bottom right of the editor panel allow you to confirm your changes to the time restrictions OK and to reject your changes Cancel The editor panel closes and the chosen option is displayed to the left of the ...

Страница 63: ...e entry Click the check mark to be able to save the settings of the backup con nection The buttons at the bottom right of the editor panel depend on whether you add a new network connection or edit an existing connection For a newly configured network con nection click Create to add the connection to the list of available network connec tions or Cancel to reject the creation of a new network conne...

Страница 64: ...int to Point Protocol that are currently defined on the system in the item list bar In the expanded view the columns of the table display the Name of the connection whether it is Active or not its Interface and the Type of the connection The but tons in the last column allow you to view and adjust the settings for an existing PPP connection create a new connection based on a copy of an existing co...

Страница 65: ...ke authentication for Microsoft Username Enter the username required to connect to your Internet service provider Password Enter the password required to connect to your Internet service provider PPTP Server IP If you chose PPTP as connection type enter the IP address of the PPTP server MPPE If you chose PPTP as connection type select the Microsoft Point to Point Encryption key length mppe 40 mppe...

Страница 66: ...Click Add to add another test to the list For information on configuring the reacha bility test see Heartbeat Settings on page 66 You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 Use as backup connec tion Select this checkbox if you want to configure the connection as backup...

Страница 67: ...eless USB flash drive to create a wireless access point in your network Connect a compatible wireless USB adapter to the USB port of your gateprotect Fire wall to configure a wireless access point A successful configuration allows wireless cli ents to connect to this access point to join the wireless local area network WLAN Navigate to Network Connections WLAN Settings to display and edit the WLAN...

Страница 68: ...o supply this password in order to establish a secured connection to the gateprotect Firewall On the Advanced tab Field Description Channel Width If you selected an or gn as the communication mode you can now select the channel width from the drop down list Disabled HT 40 40MHz below the selected channel for the channels 5 to 13 in mode g HT40 40MHz above the selected channel for the channels 1 to...

Страница 69: ...uting rules The routing settings allow you to define custom routes that are used to reach devices on a given destination network Routes between network objects are created automatically and hidden You should not normally need to create routes unless you have an upstream router that requires spe cial routes To influence traffic between network objects create a firewall rule as described under Chapt...

Страница 70: ...ppropriate button next to an entry The Edit Route panel allows you to configure the following elements Field Description Interface Select an interface for the route Destination Enter the IP address of the destination network in CIDR notation IP address followed by a slash and the number of bits set in the subnet mask for example 192 168 50 0 24 Gateway Enter an IP address as the gateway for this r...

Страница 71: ...o define which traffic should be routed where The buttons in the right column allow you to view and adjust the settings of a routing rule or delete a rule from the system For further information see Chapter 3 2 Icons and Buttons on page 17 System routing rules cannot be modified or deleted To close the Routing Rules panel click in the upper right corner of the panel Routing Rules Settings Under Ne...

Страница 72: ...click Create to add the rule to the list of available routing rules or Cancel to reject the creation of the new rule To edit an existing rule click Save to store the reconfigured rule or Reset to discard your changes You can click Close to shut the editor panel as long as no changes have been made on it Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4...

Страница 73: ...re distributed by the DHCP server Range Start IP Enter a start IP to specify the range of IP addresses that are distributed to the client computers Range End IP Enter an end IP to specify the range of IP addresses that are distributed to the client computers Note Make sure that the permanent IP addresses are not inside the IP address range of the DHCP server as permanent IP addresses are not exclu...

Страница 74: ... to another network because DHCP requests cannot be routed Field Description DHCP Server IP Address Enter the IP address of the server to which the DHCP requests will be redirec ted Relay through these interfaces Select one or more interfaces from which DHCP requests will be forwarded Also select the interface that the DHCP server is connected to The buttons at the bottom right of the editor panel...

Страница 75: ...f it has no fixed public IP address This is accomplished by sending the current IP address to a DynDNS provider that maps it to a domain name so that the firewall is accessible using that domain name If the IP address changes due to a DSL disconnect forced by your Internet service provider for example the IP address is re sent to the DynDNS pro vider This ensures that the dynamic DNS always points...

Страница 76: ...r Show Password Optional Select this checkbox to verify the password Custom Server Address Optional Enter the address of the server if your DynDNS provider requires the definition of a different server address MX Record Optional If you wish to use an MX record enter its IP address or hostname Wildcards Optional Select this checkbox to activate the possibility to use wildcards in host names if you ...

Страница 77: ... mark appears on the right of the entry Click the check mark to apply your changes Click to change the priority of an entry The first entry in the list has the highest priority The buttons at the bottom right of the editor panel allow you to shut Close the editor panel as long as no changes have been made and to store Save or to discard Reset your changes Click Activate in the toolbar at the top o...

Страница 78: ...s VPN and IP ranges The created objects are displayed as nodes on the desktop and can be used as sources and or destinations in connections to apply firewall rules The item list bar displays all network objects that are defined on the system If you click on an entry in the item list bar the respective desktop object is highlighted on the desk top All connections it is used in are highlighted as we...

Страница 79: ...d other network objects such as VPN objects etc A host for example a printer or a VoIP phone can be assigned a dedicated IP address so that firewall rules can be spe cifically applied to it For further information on creating firewall rules see Chapter 3 3 Firewall Rule Settings on page 19 Hosts Overview Navigate to Network Objects Hosts to display the list of host objects that are cur rently defi...

Страница 80: ...ween the users and other network objects such as VPN objects etc The menu Network Objects Users only serves to create desktop objects for users that already exist in the system For information on how to add and manage users see Chapter 3 4 1 4 User Authentication on page 28 Users Overview Navigate to Network Objects Users to display the list of user objects that are cur rently defined on the syste...

Страница 81: ...isting user group object create an object based on a copy of an existing user group or delete an object from the system For further information see Chapter 3 2 Icons and Buttons on page 17 User Groups Settings The User Group settings allow you to configure the following elements Field Description Object Name Specify a name for the user group Color Select the color to be used for this object on the...

Страница 82: ...you to view and adjust the settings for an existing VPN user object create an object based on a copy of an existing VPN user object or delete an object from the system For further information see Chapter 3 2 Icons and Buttons on page 17 VPN Users Settings The VPN User settings allow you to configure the following elements Field Description Object Name Specify a name for the VPN user object Color S...

Страница 83: ...oup Color Select the color to be used for this object on the desktop User Select the users you want to add to the VPN user group The left hand list displays the users belonging to the group The right hand list displays the users available in the system that do not belong to the group To add a user to the group click Click if you want to add all available users at once To remove a user from the gro...

Страница 84: ...t Firewall via the IP address of this network object This allows your gateprotect Firewall to apply user specific firewall rules to the user being logged on Interface Select the interface that the network is connected to Network IP Enter the IP address of the network in CIDR notation IP address followed by a slash and the number of bits set in the subnet mask for example 192 168 50 0 24 The button...

Страница 85: ...s and Buttons on page 17 Note If you edit an entry a check mark appears on the right of the entry Click the check mark to apply your changes The buttons at the bottom right of the editor panel depend on whether you add a new host group or edit an existing group For a newly configured group click Create to add the group to the list of available host groups or Cancel to discard your changes To edit ...

Страница 86: ...ce click the Use DHCP IP range button at the bottom left of the editor panel The buttons at the bottom right of the editor panel depend on whether you add a new IP range or edit an existing IP range For a newly configured IP range click Create to add the IP range to the list of available IP ranges or Cancel to discard your changes To edit an existing IP range click Save to store the reconfigured I...

Страница 87: ... or Cancel to discard your changes To edit an existing host click Save to store the reconfigured object or Reset to discard your changes You can click Close to shut the editor panel as long as no changes have been made on it Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 4 11 VPN Groups Create VPN groups that can be used to create connections betwee...

Страница 88: ...ges To edit an existing group click Save to store the reconfigured group or Reset to dis card your changes You can click Close to shut the editor panel as long as no changes have been made on it Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 4 12 VPN Networks Create a VPN network object that can be used to configure firewall rules for VPN Site to Si...

Страница 89: ...ous network objects that are defined on the system Connections Overview In the expanded view the columns of the table display the nodes of the connection The buttons in the last column allow you to view and adjust the settings for an existing connection create a connection based on a copy of an existing connection or delete a connection from the system For further information see Chapter 3 2 Icons...

Страница 90: ...ontent filters and the application filter see Chap ter 3 4 6 2 URL Content Filter on page 93 and Chapter 3 4 6 1 Application Filter on page 91 3 4 5 Desktop The Desktop settings display a list of all available services and the firewall rules defined in the system 3 4 5 1 Services Navigate to Desktop Services to display a list of all services available in the system When you click a service in the ...

Страница 91: ...tion dialog opens For more detailed information on how to create firewall rules and editing connections see Chapter 3 3 Firewall Rule Set tings on page 19 and Chapter 3 4 4 13 Connections on page 89 To close the Desktop Rules panel and return to the desktop click in the upper right corner of the panel 3 4 6 UTM The UTM settings allow you to create and edit application filter profiles define URL co...

Страница 92: ...lect this checkbox to enable SSL interception With SSL interception the gateprotect Firewall can evaluate the incoming traffic routed through SSL encrypted connections and apply the configured application filter profile to it In the Rules section Select the applications to be added to the profile The table groups the applications by Category Use the Filter field to narrow the list of applications ...

Страница 93: ...or usage and block all others For example if the subcategory Shopping is on the blocking list but you want to allow access to the URL http www amazon de this URL must be entered into a whitelist If websites do not contain any verifiable terms in their URLs a URL filter on its own is not enough Therefore the gateprotect Firewall also filters the HTTP data communica tion by the content of the websit...

Страница 94: ...ew Navigate to UTM URL Content Filter URL Content Filter to display the URL and content filters currently defined on the system In the expanded view the columns of the table display the Name of the filter and the number of selected content filter blacklist and whitelist entries The buttons in the last column allow you to view and adjust the settings for an existing URL and content filter create a ...

Страница 95: ...r sin gle characters To create the Blacklist or Whitelist you can enter the search terms directly or use regular expressions RegEx RegEx Description Example Placeholder for any single character ho me e g home hole Any number of repetitions of the charac ter hom e g hom homm Any number of characters ho e e g home house Start of a line home home only at the start of the line End of a line home home ...

Страница 96: ...eckbox is pre selected by default Clear the checkbox if you do not want the antivirus scanner to check compressed files for viruses Block files containing viruses This checkbox is pre selected by default Clear the checkbox if you do not want the antivirus scanner to scan attachments in emails and to block files with clearly identified viruses If a virus is detected the recipient will receive the e...

Страница 97: ...s and servers to a whitelist Data trans mitted from these hosts via HTTP or FTP is not scanned for viruses Under Trusted Hosts enter the IP address or the domain name Click Add to add the host or server to the whitelist You can use wildcards for whole words for single characters to include subdo mains You can edit or delete each single entry in the list by clicking the appropriate button next to a...

Страница 98: ...ngle entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 Note If you edit an entry a check mark appears on the right of the entry Click the check mark to apply your changes The buttons at the bottom right of the editor panel allow you to shut Close the editor panel as long as no changes have been made and to sto...

Страница 99: ...imported from a text file by clicking Import and opening the file The default maximum file size for imports is 1 mega byte Each non empty line of the selected text file adds an entry to the list You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further information see Chapter 3 2 Icons and Buttons on page 17 You can export the complete mai...

Страница 100: ...are identified as spam The subject tag can be any text and contain the variables SUBJECT original subject of the spam email SPAMCLASS and SPAMCLASSNUM spam category By clicking the subject tag format is set to the default SPAM SUBJECT Mail Lists You can specify a blacklist and or a whitelist by adding as many email addresses as you like into the respective list Both mail lists can be applied at th...

Страница 101: ...rwards all requests which arrive on port 80 HTTP automatically through the proxy default setting If you choose the Intransparent mode the HTTP proxy of the gateprotect Fire wall must explicitly be addressed on port 10080 The elements in the Intransparent mode settings section can only be configured if you select the intransparent mode for the HTTP proxy Field Description Authentication Select the ...

Страница 102: ...or a whitelist by adding as many domains as you like into the respective list Both lists can be applied at the same time Domains in the blacklist are blocked by the gateprotect Firewall and cannot be accessed by users Domains in the whitelist are accepted by the HTTPS proxy without analysis and become directly available to the users browser No certificates are created This is necessary for service...

Страница 103: ...discard Reset your changes Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 7 VPN Use the VPN settings to configure the gateprotect Firewall for use as a virtual pri vate network server to provide Client to Site C2S VPN connections which enable remote computers to securely access resources on the local network via IPsec and VPN SSL and as a Site to Si...

Страница 104: ...onnections Settings on page 111 Site to Site VPN Connections With a Site to Site connection two locations are connected using an encrypted tunnel to a virtual network and exchanging data through this tunnel The two locations can have fixed IP addresses Authentication is either effected with IPsec using issued cer tificates or a so called PSK preshared key or with VPN SSL using certificates IPsec I...

Страница 105: ...s of the address range from which IP addresses are assigned to clients This address range must not overlap any of your local net works Local IP Enter the local IP address which the gateprotect Firewall uses for communica tion with the clients DNS IP Optional Enter the DNS server address which is transmitted to the client when the connection is established WINS IP Optional Enter the WINS server add...

Страница 106: ...L connections Click Add to add the route to the list You can edit or delete each single entry in the list by clicking the appropriate button next to an entry For further informa tion see Chapter 3 2 Icons and Buttons on page 17 Note If you edit an entry a check mark appears on the right of the entry Click the check mark to apply your changes On the Client to Site tab Field Description Protocol Sel...

Страница 107: ...as no changes have been made and to store Save or to discard Reset your changes Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 7 3 VPN Connections Under VPN Connections you can create and manage VPN connections IPsec Connections The gateprotect Firewall allows you to provide VPN access to remote clients via IPsec IPsec Client to Site and to create a...

Страница 108: ...ollowed by a slash and the number of bits set in the subnet mask for example 192 168 1 0 24 Note For full tunneling enter 0 0 0 0 0 Client IP Optional and for gateprotect VPN client and Client to Site connections only Enter the IP address under which the client is reachable Use L2TP Optional and for Client to Site connections only This checkbox is cleared by default You can select the checkbox if ...

Страница 109: ...he username the firewall uses in XAUTH client mode to authenticate towards the remote end XAUTH Password Enter the password the firewall uses in XAUTH client mode to authenticate towards the remote end Show Password Optional Select this checkbox to verify the password Host certificate Select a certificate which the gateprotect Firewall uses to authenticate towards the remote end The private key fo...

Страница 110: ...b you can select the encryption and authentication algorithms for the IPsec SA negotiation quick mode Field Description Encryption algorithm Select the cryptographic hash to verify the message Authentication algo rithm Select the algorithm to encrypt the message Lifetime Specify the timeout in seconds after which the IPsec SA expires and a new exchange is performed Note This only has an indirect i...

Страница 111: ...to Site VPN SSL Connections Overview Navigate to VPN VPN Connections VPN SSL Connections to display the list of VPN SSL connections that are currently defined on the system in the item list bar In the expanded view the columns of the table display the Name of the VPN SSL connection the Certificate used in the connection the Status and the Type of the connection The buttons in the last column allow...

Страница 112: ...ction with your gateprotect Firewall serving as a client is established The elements in the settings section depend on the selected connection type For Client to Site gateprotect VPN client connections you can configure the following elements Field Description Set default gateway Select this checkbox to use the VPN SSL tunnel as default route i e for full tunneling Client IP Optional You can manua...

Страница 113: ...ettings For more informa tion see Chapter 3 4 7 2 VPN SSL Settings on page 105 Host Enter the network IP address under which the remote end is reachable Click Add to add a network to the list If you add more than one network an automatic failover occurs in case the first network is not reachable The gate protect Firewall then successively tries to reach the networks on the list until one network i...

Страница 114: ...d by the other firewalls to use it If the other firewalls require the ability to create certificates for mostly local purposes which are however recognized as valid to your whole organization you can use multi staged certification chains Therefore you need a so called root CA certificate on your central firewall with which you sign the secondary CA certificates You need to create requests for thes...

Страница 115: ...he certificate type was set to VPN Certificate Webserver Certificate Secondary CA or HTTPS Proxy CA you can now select the certificate authority that is to be used to sign the new certificate This CA will be the parent CA that is used to verify or to revoke the certificate CA Password Optional Enter a password for the private key of the signing CA if the certificate type was set to VPN Certificate...

Страница 116: ...CRL Settings on page 118 CRL Optional and only available for CAs Select the checkbox to activate validation via CRL Certificate Revocation List for the CA and its subcertificates For more information see Chapter 3 4 8 3 OCSP CRL Settings on page 118 Addresses for OCSP Responder CRL Down load Optional and only available for CAs Define base URLs for OCSP and CRL by entering a URL and clicking Add Th...

Страница 117: ...hority that is used by the HTTPS proxy to sign the fake interception certificates This CA must be trusted in the browsers of all clients 3 4 8 2 Templates To ease the creation of new certificates you can use templates to prepopulate the input fields regarding the Distinguished Name and the Subject Alternative Names Templates Overview Navigate to Cert Management Templates to display the list of tem...

Страница 118: ...vices to allow clients to verify the validity of certifi cates issued by the central firewall If co workers quit their job or a private key gets lost the corresponding certificate must be blocked to assure the company s security This has to be done on the firewall which issued the certificate The deletion of the certificate on the issuing firewall always includes the revocation of the certificate ...

Страница 119: ...As Navigate to Cert Management Trusted Proxy CAs to display the list of custom and system certificate authorities that are currently defined on the system in the item list bar and that the SSL proxy trusts for external connections In the expanded view the first column of the table displays the Name of the CA certif icate The buttons in the last column allow you to view the settings for an existing...

Страница 120: ...tening Port Optional Specify the port number on which the service will be listening Port number 161 is pre defined by default Protocol Version From the drop down list select the version of the SNMP protocol to be used Depending on the version selected additional options become available Ver sion v2c is pre selected by default Community String Only available if the selected Protocol Version is v2c ...

Страница 121: ...ation Base MIB sysContact The buttons at the bottom right of the editor panel allow you to shut Close the editor panel as long as no changes have been made and to store Save or to discard Reset your changes Click Activate in the toolbar at the top of the desktop to apply your configuration changes 3 4 9 2 Syslog Servers The gateprotect Firewall can be used to configure multiple external syslog ser...

Страница 122: ... at the top of the desktop to apply your configuration changes 3 4 9 3 Logs The gateprotect Firewall stores records of system events status information errors and other communication in a log database The Logs panels display the contents of the logs If a problem occurs you may be able to find technical details about the cause of the problem by viewing these logs The logs are automatically reloaded...

Страница 123: ...ontain the following information Column Description Time The timestamp of the log entry Type The message type which can be one of the following OK the service is working correctly Error an error occured and an error message is displayed Service The name of the service that created the entry such as Server or VPN Message The log message itself You can filter the contents of the system log The Messa...

Страница 124: ...you to configure the following Parameters Field Description Destination Enter the valid network address to ping Request Count Select the number of ICMP echo request packets to be sent to the target You can choose any integer from 1 to 10 from the drop down list The default num ber is set to 4 Click Run to start pinging The Output area displays the output of the ping com mand If the other device re...

Страница 125: ...y to the destination The default number is set to 30 but you can enter any integer from 1 to 255 If the destination is not reached before this threshold probe packets are discarded Click Run to start tracerouting The Output area displays the list of gateways trav ersed along the way The Close button at the bottom of the panel allows you to shut the panel and return to the complete overview of your...

Страница 126: ...User Interface R S GP U GP E GP S GP T 126 User Manual 3646 3836 02 01 Menu Reference ...

Страница 127: ...LDAP user 39 openLDAP setup 35 DNS 74 DynDNS accounts 75 E Email security 98 Ethernet interfaces Network 53 F Firewall rules 19 90 Firewall settings 22 G GUI see web client 13 H Header area 14 High Availability HA 45 Host groups 84 Hosts 79 HTTP proxy 101 I Icons 17 Interfaces Network 53 Internet objects 78 IP ranges 85 IPsec 107 IPsec settings 104 Item list bar 15 K Kerberos service see directory...

Страница 128: ...L 118 Ping 124 QoS connections 77 Quality of Service QoS 76 Server access 41 SNMP 119 Time settings 43 Traceroute 124 Updates 23 URL Content filter 93 User authentication 35 VoIP proxy 102 VPN SSL 105 WLAN 67 Single sign on see user authentication 29 SNMP 119 SSL proxy 119 SSO see user authentication 29 Syslog servers 121 System date and time see time settings 43 System log 123 T Templates Certifi...

Страница 129: ...ngs 105 VPN connections 107 VPN groups 87 VPN hosts 86 VPN networks 88 VPN SSL 111 VPN SSL settings 105 VPN user groups 83 VPN users 82 W WAN 74 DNS settings 74 DynDNS accounts 75 QoS connections 77 QoS settings 76 Web client 13 Desktop 15 Header area 14 Item list bar 15 Navigation bar 15 Navigation pane 15 WLAN 67 Interfaces 58 Settings 58 WLAN interfaces Network 58 ...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды