Главная
/
Symantec
/
Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series
/
Руководство администратора

Symantec Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series, Руководство администратора

Поделиться

Страница: 294 / 861

Symantec Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series Скачать руководство пользователя страница 294

293

Controlling traffic at the security gateway

Using packet filters to allow or deny traffic

Applying packet filters to a VPN tunnel

When imposing a packet filter on a VPN tunnel, the entities that you create as endpoints do not have to
be the same for both the packet filter and the tunnel. For example, your tunnel endpoints can be the
Client VPN user and the secure subnet. The packet filter entities could be the Client VPN user and the
destination server (which is part of the secure subnet). You apply the packet filter to the VPN policy
that is used in the tunnel.

Note:

When you apply a filter to a VPN tunnel, the security gateway must be restarted for this change

to take effect.

Prerequisites

Complete the following tasks before beginning this procedure:

■

“Creating a packet filter”

■

“Creating packet filter groups”

To apply a packet filter to a VPN tunnel

1

In the SGMI, in the left pane, under Policy, click

VPN

.

2

On the VPN Policies tab, select the VPN policy to which you want to apply a packet filter, and then
click

Properties

.

3

In the Properties dialog box, on the General tab, in the Filter applied drop-down list, select the
packet filter you want to apply.

4

Click

OK

.

5

Optionally, do one of the following:

■

To save your configuration now and activate later, on the toolbar, click

Save

.

■

To activate your configuration now, on the toolbar, click

Activate

.

When prompted to save your changes, click

Yes

.

Related information

For further information related to this topic, see the following:

■

“IPsec static key policy Properties—General tab”

■

“IPsec IKE policy Properties—General tab”

Applying packet filters to individual network interfaces

The security gateway allows packet filtering on any of its logical network interfaces. Each interface can
have an input filter, an output filter, or both.

Input filters affect packets coming into the interface. The input filter is the first check performed on an
incoming packet. If the packets do not satisfy the filter, they are dropped before the proxies or local
applications see them.

An output filter affects packets going out of the interface. The output filter is the last check performed
on an outgoing packet. If the packets do not satisfy the filter, they are dropped. When the security
gateway drops a packet due to an output filter, no log message is recorded, and the input filter logs the
packet dropped.

«
...
292
293
294
295
296
...
»

Содержание Security 5600 Series, Security 5400 Series,Clientless VPN 4400 Series

Страница 1: ...ec Gateway Security 5000 Series v3 0 Administration Guide Supported hardware platforms Symantec Gateway Security 5600 Series Symantec Gateway Security 5400 Series Symantec Clientless VPN Gateway 4400...

Страница 2: ...s may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged The product described in this document is distributed under licenses restricting its use copy...

Страница 3: ...lable 24 hours a day 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support program Advanced features such as the Symantec Alerting Service and Technica...

Страница 4: ...Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information features language availability local dealers Latest info...

Страница 5: ...gging on to the SGMI from a browser 26 Avoiding hostname mismatches 27 Using the SGMI home page 29 Viewing Quick Status 29 Accessing commonly used configuration wizards 30 Viewing DeepSight s ThreatCo...

Страница 6: ...Viewing installed licenses 88 Obtaining licenses 89 Installing licenses 94 Removing all license files 95 Enabling and disabling security gateway features 96 Backing up and restoring configurations 98...

Страница 7: ...network or subnet with a subnet entity 162 Defining a registered domain with a domain name network entity 163 Creating security gateway network entities for use in tunnels 164 Creating a network enti...

Страница 8: ...ugh the firewall 270 Understanding and using rules 271 How rules are applied 271 Planning to create rules 272 Configuring rules 272 Rule examples 280 Configuring HTTP FTP and mail SMTP and POP3 rules...

Страница 9: ...ter 10 Providing remote access using VPN tunnels About VPN tunnels 373 Understanding gateway to gateway tunnels 374 Understanding Client VPN tunnels 374 Tunnel endpoints 375 Tunnel indexes 376 Tunnel...

Страница 10: ...435 Adding resource links to portal pages 436 Adding a corporate name and logo 437 Adding news items to a portal page 437 Removing news items from a portal page 438 Assign the portal page to a role 4...

Страница 11: ...ing a client program notification 488 Configuring an email notification 489 Configuring a pager notification 490 Configuring SNMPv1 and SNMPv2 notifications 491 Integrating Symantec DeepSight Threat M...

Страница 12: ...r clustering 530 Modifying the RIP daemon for use with clusters 533 Using hot standby mode 533 Configuring gateway to gateway VPN tunnels that use NAT 534 Backing up and restoring cluster configuratio...

Страница 13: ...ring Profile Properties General tab 649 URL Ratings tab 650 Newsgroups tab 651 Newsgroup Profiles 652 Client Compliance 653 Policy Parameters 654 Assets field descriptions 655 Network Entities 655 Net...

Страница 14: ...775 Configuration reports 775 Client VPN Package Wizard 776 Remote Access Tunnel Wizard for Client VPN 777 Remote Access Tunnel Wizard for Clientless VPN 782 Gateway to Gateway Tunnel Wizard 786 Glob...

Страница 15: ...among multiple security gateways Symantec includes an optional high availability load balancing HA LB component These features provide access control and security enforcement on traffic passing throug...

Страница 16: ...used protocols such as FTP HTTP NNTP POP3 and SMTP are predefined on the security gateway Over 150 protocols are included Unless specifically stated otherwise when this manual describes how traffic i...

Страница 17: ...ymantec Client VPN software connects to the security gateway from either inside the protected network or from a remote location through the Internet Gateway to gateway VPN tunnel configurations A gate...

Страница 18: ...The security gateway offers settings to help prevent denial of service attacks which are caused by large container files or files that contain multiple embedded compressed files You can also protect y...

Страница 19: ...date HTTP inclusion exclusion lists Configure rules for the HTTP proxy based on inclusion and exclusion lists This includes URL address URL pattern matching MIME type and file extensions Configuring...

Страница 20: ...s that are not critical such as FTP Telnet or Web servers These services are avenues of attack If they are removed blended threats have fewer exploitation points and you have fewer services to maintai...

Страница 21: ...ltaneous access to the security gateway For example the administrator who configures the security gateway can log on at the same time as an administrator who is responsible for monitoring log messages...

Страница 22: ...on from a browser The logon procedure can be affected by the computer from which you are connecting to the security gateway appliance the version of JRE that is running on it and the browser you use R...

Страница 23: ...ame of the security gateway you want to manage in one of the following formats https 10 161 131 12 2456 2 In the Security Alert dialog box verify the temporary certificate that is generated by the app...

Страница 24: ...c click Yes 13 If you had JRE 1 5 installed before you began the logon procedure with the Advanced Shortcut Creation option set to Prompt user a Create shortcut s dialog box is displayed To create an...

Страница 25: ...he Java Application Cache Viewer on the User tab highlight the application that is identified by the URL you used to connect to the appliance 6 On the Application menu click Remove Shortcuts 7 On the...

Страница 26: ...ou are warned that you have read only access You can continue the logon procedure and view status and configurations in the SGMI but you cannot make any changes If necessary you can gain write access...

Страница 27: ...from the desktop on page 25 Avoiding hostname mismatches When the security gateway is configured for the first time a certificate is created for host domain the default host name of the security gate...

Страница 28: ...age Symantec Gateway Security 5000 Series v3 0 appliances from your computer you can use the Web Start application to uninstall the SGMI application Uninstalling the SGMI from your management computer...

Страница 29: ...correlation service if there is Internet access Figure 2 1 SGMI home page The following topics describe the Homepage in more detail Viewing Quick Status Accessing commonly used configuration wizards...

Страница 30: ...4 Configuring HTTP FTP and mail SMTP and POP3 rules with the Firewall Rule Wizard on page 284 Managing clientless VPN users on page 411 Using the Remote Access Tunnel Wizard to create Client VPN tunne...

Страница 31: ...opic see the following Integrating Symantec DeepSight Threat Management System on page 494 Leaving the SGMI You can leave the SGMI in three ways By logging off The Symantec Gateway Security Series 500...

Страница 32: ...the following To return to managing the security gateway you logged off from enter your password and click Log On To manage a different security gateway enter your user name and password for that gat...

Страница 33: ...d information For further information related to this topic see the following Logging on to the SGMI on page 21 Terminating an active connection on page 467 Navigating in the SGMI By becoming familiar...

Страница 34: ...contains the following topics Using the SGMI menus Using the SGMI toolbar Navigating from the left pane Navigating the right pane Right pane tabs Left pane navigation Menus Product name Right pane co...

Страница 35: ...ient VPN information on page 401 Log Off Exit Logs you out temporarily or lets you leave the SGMI by exiting See Leaving the SGMI on page 31 Edit Cut Copy Paste Lets you perform cut copy and paste ope...

Страница 36: ...aking system changes with the System Setup Wizard on page 104 VPN Helps you create IPsec VPN tunnels and configuration packages for remote users See the following Simplifying multiple Client VPN compu...

Страница 37: ...ontext sensitive Help See Using online Help on page 45 About Symantec Gateway Security 5000 Series v3 0 Displays the Symantec Gateway Security software version and build information Table 2 1 SGMI men...

Страница 38: ...section is only visible if the security gateway you are managing is part of a cluster To view a description of the folders within each section click on the section heading As shown in the example of t...

Страница 39: ...t security features Firewall Lets you define rules packet filters and time periods to control access to the security gateway VPN Lets you configure virtual private network VPN tunnels to allow access...

Страница 40: ...Portal Pages Lets you customize the user experience for clientless VPN users Remote Mail Lets you configure clientless VPN to handle non standard mail resources Asset Parameters Lets you specify asset...

Страница 41: ...used in a cluster Watchlist Lets you select cluster processes to monitor Ping groups Lets you configure ping groups to monitor servers that are not part of the cluster but that offer services on the...

Страница 42: ...on Assets Authentication Servers Location Settings Advanced H 323 Aliases Assets Proxies H 323 Aliases Location Settings Advanced Local Administrators System Administration Local Administrators Locati...

Страница 43: ...e status page that displays when you click Monitors Overall Health Figure 2 4 Overall Health status page Monitoring Cluster Status Cluster Clusters Monitoring SESA Event Gating System Configuration SE...

Страница 44: ...Policy Firewall It contains a table of rule objects that you can create or modify Figure 2 5 Rules page showing table of objects Figure 2 6 shows the Antivirus Configuration page which displays when...

Страница 45: ...next topics in the Help system The following topics describe how to use Help Displaying Help Searching Help Printing Help Displaying Help Your location in the SGMI determines the method you use to di...

Страница 46: ...lowing Field descriptions on page 563 Searching Help The Help search engine uses different techniques to ensure that as many relevant topics are returned as possible For example if you search for the...

Страница 47: ...hard copy of one or more topics Prerequisites Complete the following tasks before beginning this procedure Displaying Help on page 45 To print Help 1 In the Symantec Gateway Security 5000 Series v3 0...

Страница 48: ...ion objects Configuring objects that reference other objects Saving and activating configuration changes Deleting configuration objects Changing the display of objects in a table Objects that you conf...

Страница 49: ...remove a column 1 Do one of the following On the View menu click Show Columns In the table right click on a row and click Show Columns 2 In the Show Columns dialog box to display a column in the tabl...

Страница 50: ...5 To modify the search click Search 6 To re display the entire table of objects click Clear Search Viewing and modifying object properties When you view a table of objects in the SGMI you can see the...

Страница 51: ...b to view additional property details Modifying the properties of an object As your security needs change you will need to modify the configuration objects that represent your security environment To...

Страница 52: ...assed You can add configuration objects by doing either of the following Creating a new object Copying an existing object Creating a new object You use the New button to create objects This button app...

Страница 53: ...have Enable check boxes object name Type a name for the object The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscores _ Do not include spaces in t...

Страница 54: ...owing To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related...

Страница 55: ...s properties Click OK If you have made all required modifications the object is created in the table and you are returned to the Correct Pasted Items dialog box If the object still needs further modif...

Страница 56: ...u want to add a referenced object Then in the right pane click the appropriate tab For example you would click Policy Firewall Packet Filters to access a packet filter so that you can change one of th...

Страница 57: ...configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For further information related to this topic see the following Saving and activating c...

Страница 58: ...r search select the desired protocols You can select multiple protocols by using the Shift and Control keys on the keyboard 7 Do one of the following To add the selected protocols to the service group...

Страница 59: ...unity to save changes T Two symbols in the far left column of a table of objects indicate unsaved changes A mark indicates that the object is new A blue ball indicates that it has been modified On the...

Страница 60: ...To activate only changes that you have previously saved without activating your unsaved changes click No 3 In the Activate Changes Wizard welcome panel click Next 4 In the Revision Comment panel in th...

Страница 61: ...The changes and change indicators are removed from the objects To revert changes to a single object 1 In the right pane select the object for which you want to revert changes 2 Right click and click R...

Страница 62: ...s validation messages and other security gateway objects that use a selected object This section includes the following topics Displaying and hiding the lower pane Viewing objects used by an object yo...

Страница 63: ...d to this topic see the following Viewing and modifying object properties on page 50 Deleting configuration objects on page 61 Viewing system information The System window is a read only display of se...

Страница 64: ...uration the SGMI includes the configuration wizards that are described in Table 2 7 These wizards give you step by step configuration instructions to ensure success Table 2 7 Symantec Gateway Security...

Страница 65: ...n SESA for scalable management Note Symantec Gateway Security 5000 Series v3 0 requires Symantec Advanced Manager for Security Gateways v3 0 Cluster Wizard Helps you create a cluster of security gatew...

Страница 66: ...anel lets you review your choices If you want to make a change you can click Back to return to a previous panel You use the Finish button to initiate the configuration changes that you have configured...

Страница 67: ...egrity of your security gateway An additional administrative access feature is the ability to configure SSH as a means of providing command line access to view configuration files or perform tasks tha...

Страница 68: ...at are listed on this tab Enable To enable the local administrator check Enable User Name Type the name of the administrator Full Name Type the full name of the administrator You can use this name to...

Страница 69: ...ount Properties Maintenance Privileges tab on page 760 Admin Account Properties Restrict To Address tab on page 761 Creating machine accounts for security gateway access from remote computers The Mach...

Страница 70: ...how to change these passwords using the SGMI Changing administrator passwords Changing the root password Changing a machine account password You can also use the LCD panel on the appliance to generat...

Страница 71: ...tem menu You can use the System menu to change the password with which you logged on to the SGMI When you do the change takes effect immediately You do not need to save and activate the change Changin...

Страница 72: ...ons a password warning displays with a recommendation and asks if you still want to use the password To change the password without taking the recommendation click Yes Continue at step 7 To return to...

Страница 73: ...word from the SGMI When you do the change takes effect immediately Prerequisites None To change the root password 1 In the SGMI on the System menu click Change Root Password 2 In the Change Root Passw...

Страница 74: ...assword again 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When pro...

Страница 75: ...onfiguration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For furt...

Страница 76: ...76 Managing administrative access Enabling SSH for command line access to the appliance...

Страница 77: ...System Setup Wizard to make interface changes Tasks that you choose to perform regularly such as running LiveUpdate to update virus definitions and intrusion detection signatures and performing regula...

Страница 78: ...allation completes successfully a message displays depending on the content of the hotfix If the message tells you that the hotfix has been successfully installed click OK If the message tells you tha...

Страница 79: ...e LiveUpdate component of the security gateway lets you schedule updates of the definitions and signatures that are used by the following content security components Antispam Antivirus Content filteri...

Страница 80: ...aption text box 6 Click OK 7 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Acti...

Страница 81: ...Scheduling LiveUpdate of a component You schedule a LiveUpdate session separately for each of the components that has an update license Scheduling LiveUpdate lets you assure that your content securit...

Страница 82: ...nfigure one or more additional servers for use for LiveUpdate and specify them in the components properties A total of 10 servers can be listed for each component When LiveUpdate is performed these se...

Страница 83: ...rver on page 79 Specifying an HTTP proxy for LiveUpdate If one or more of your LiveUpdate servers uses HTTP to download updated definitions or signatures you can specify a proxy as one of the componen...

Страница 84: ...ells you that LiveUpdate has started for the component 4 Click OK Related information For further information related to this topic see the following Defining a LiveUpdate server on page 79 LiveUpdati...

Страница 85: ...incorporated into the following security gateway processes An appliance reboot occurs automatically If you use the System Setup Wizard to change the appliance host or domain name default gateway or an...

Страница 86: ...D panel For instructions see the section on shutting down the appliance in the Symantec Gateway Security 5000 Series v3 0 Installation Guide Prerequisites None To shut down the security gateway applia...

Страница 87: ...atus of security gateway components Viewing license usage Viewing installed licenses Obtaining licenses Preparing to install license files Installing licenses Removing all license files Enabling and d...

Страница 88: ...gateway The information displayed includes the number of security gateway servers and clients the number of licensed tunnels being used the number of configured clusters and so on The limits on each...

Страница 89: ...K Related information For further information related to this topic see the following Installed License Properties on page 767 Installing licenses on page 94 Removing all license files on page 95 Obta...

Страница 90: ...make it easier to organize this information complete the license file organization worksheet If you are licensing multiple appliances copy the worksheet and complete it for each appliance To obtain l...

Страница 91: ...e or more for each feature ordered The format of the license serial number is a letter followed by 10 digits For example F2430482013 The license serial numbers on serial number certificates correspond...

Страница 92: ...button to select the LCD system menu 2 Press the down arrow button until you see 4 System ID 3 Press the e button to view the Symantec System ID To obtain the Symantec System ID from the SGMI 1 In th...

Страница 93: ...mantec s Licensing and Registration Web site at https licensing symantec com 2 In the Licensing and Registration page follow all the on line instructions and complete all the required registration scr...

Страница 94: ...les to the appropriate folders 4 Create a backup copy of your license files in a secure location Related information For further information related to this topic see the following Installing licenses...

Страница 95: ...oad License Files panel is displayed and then repeat steps 5 through 8 to upload and verify the missing license files Click Next 11 In the License Installation Complete panel click Close 12 When promp...

Страница 96: ...e two ways to enable and disable the security gateway s features Running the System Setup Wizard See Enabling and disabling security gateway features from the System Setup Wizard on page 96 By using t...

Страница 97: ...options are used For example if you disable the content filtering feature you cannot configure content profiles or specify URLs that should be blocked In addition you cannot add content filtering rest...

Страница 98: ...nfigurations between security gateways is by associating the security gateways with each other in a cluster Keep the following requirements in mind when you plan to back up and restore configurations...

Страница 99: ...7 When you are notified that the backup has completed successfully click OK Related information For further information related to this topic see the following Backup dialog box on page 774 Using com...

Страница 100: ...ed on the security gateway click Use current network interfaces data 5 Click Next 6 In the Restore Settings panel do the following Click Restore from a Symantec Gateway Security backup image To the ri...

Страница 101: ...nfiguration You can later use the SGMI to restore the backed up configurations just as you restore configurations that are backed up using the SGMI There are two ways to perform a command line back Fr...

Страница 102: ...ot access the appliance directly you can use the remote backup utility to perform a back up from a remote computer Operating system specific versions of the remote backup utility are provided on the r...

Страница 103: ...p sh host user password backupPassword backupFile Where 3 If the security gateway s certificate is not in the trust store of your computer you are prompted to install the certificate on the local comp...

Страница 104: ...perform the initial setup of the appliance you only have to enable two network interfaces one as an inside interface and one as an outside interface You can configure the additional network interfaces...

Страница 105: ...network interface to an appliance that is not part of a cluster click Standalone gateway To add a network interface to an appliance that is part of a cluster click Cluster member 6 Click Next 7 In the...

Страница 106: ...e requested address In address transforms as the point where traffic arrives at or leaves the security gateway Related information For further information related to this topic see the following Syste...

Страница 107: ...ffic arrives at or leaves the security gateway In clientless VPN profiles as the location of the DHCP server In host and subnet network entities as the spoof protected interface In security gateway ne...

Страница 108: ...icast traffic and adding interface protections Note If an interface has been designated as the heartbeat interface for a cluster you cannot modify it Prerequisites None To modify a network interface 1...

Страница 109: ...ries v3 0 logon dialog box displays and the security gateway reboots When the reboot has completed you can log on to the SGMI again Related information For further information related to this topic se...

Страница 110: ...hine settings on an appliance that is not part of a cluster click Standalone gateway To modify machine settings on an appliance that is part of a cluster click Cluster member 5 Click Next 6 On the Mac...

Страница 111: ...oot immediately 17 If you do not want to wait for the reboot to start click OK The Symantec Gateway Security 5000 Series v3 0 logon dialog box displays and the security gateway reboots When the reboot...

Страница 112: ...ble click the network interface you want to configure 3 In the network interfaces properties dialog box on the General tab do one or more of the following 4 On the Packet Filters tab do one of the fol...

Страница 113: ...spoof protection on page 370 Resolving host name requests for an outside system by creating a DNS recursion record on page 149 Allowing ICMP traffic on page 238 Enabling SYN flood protection on page...

Страница 114: ...ck Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Enable To enable process restart check Enable Interval be...

Страница 115: ...hind your security gateway for your remote users and trusted individuals and companies with whom you do business To know what traffic to allow and where to route it the security gateway must know how...

Страница 116: ...this configuration is typically reserved for one way traffic especially if one of the interfaces has direct access to a public network Connection requests are usually initiated from the protected netw...

Страница 117: ...connection requests are usually initiated from the protected network destined for external services A clustered configuration usually requires a third heartbeat network which is used to monitor the s...

Страница 118: ...ernal network enjoys For example one of these networks might be used for customer facing applications such as Web and mail servers or for connections to partner companies This scenario might look like...

Страница 119: ...n enclave security gateway is installed to further segment a network The enclave security gateway is usually managed from a host computer that is external to the enclave security gateway but which res...

Страница 120: ...ress changed to that of the security gateway to force them up the stack for processing If the request is ultimately for another computer host client or server and the connection request meets all requ...

Страница 121: ...TCP GSP is running Ensure that the SGMI protocol is configured to use native service Create a service group for SGMI management Create an allow rule for SGMI management To ensure that TCP GSP is runn...

Страница 122: ...e toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes To create an allow rule for SGMI management 1 In the SGMI in the left...

Страница 123: ...lowing Ensure that TCP GSP is running Create a new protocol for SGMI management Create a service group for SGMI management Create an allow rule for SGMI management Create a service redirect for SGMI m...

Страница 124: ...n the Network Protocol list box select the protocol that you created for SGMI management 7 Click OK 8 Optionally on the Description tab type a more detailed description than you typed in the Caption t...

Страница 125: ...activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Defining security gateway routing A company s internal network may...

Страница 126: ...ortest Path First OSPF Version 2 See Configuring dynamic routing on page 129 Routing Information Protocol Version 2 RIP 2 As defined in RFC 2453 RIP 2 is a UDP based dynamic routing protocol based on...

Страница 127: ...routing table for an entry that matches the packet s complete destination IP address If found the packet is sent directly to that IP address The security gateway next searches its internal routing ta...

Страница 128: ...directly connected Once you configure a static route and save the changes the new route takes effect immediately Static routes can be added or modified at any time as these procedures do not require...

Страница 129: ...OSPF have taken effect inspect the var lib sg portcontrol cf file and look for entries such as enable UDP 520 or enable IP 89 Configuring RIP support RIP is configured on each interface separately Cha...

Страница 130: ...n interface 5 In the Route Cost text box type a value for this interface s cost 6 In the Route Priority text box type a value for this interface s priority In the event of a cost tie between two inter...

Страница 131: ...client requests traverse two or more relay agents including the security gateway relay proxy See DHCP traffic multi hop example on page 132 DHCP traffic single hop example Figure 5 6 demonstrates a t...

Страница 132: ...h source and destination ports of 67 If there were additional relays in this network all the relays except the one closest to the client should be configured to pass a UDP port 67 datagram response Co...

Страница 133: ...RVER 10 3 3 2 To enable multiple DHCP servers next to DHCPSERVER type the IP addresses of the target DHCP servers For example DHCPSERVER 10 3 3 2 10 4 4 25 10 5 5 1 Use a space between each server 4 D...

Страница 134: ...e Service Groups tab click New 3 In the Service Group Properties dialog box on the General tab in the Service group name text box type a name for the service group such as Multi_hop_DHCP 4 On the Prot...

Страница 135: ...in the multicast group Systems not part of the multicast group do not receive unnecessary traffic Multicast packets can also traverse networks assuming that the router between the two networks is mul...

Страница 136: ...g Multicast support is disabled by default Multicast traffic may offer some risk to security as multicast traffic is not subject to rule checking antivirus and content scanning It is recommended that...

Страница 137: ...sert the commands see bold text as they appear in the file below bin sh raptor startup file PATH sbin usr sbin usr bin bin JAVA_HOME usr java jre1 3 1_04 LD_LIBRARY_PATH usr raptor bin LD_LIBRARY_PATH...

Страница 138: ...w your current network is configured and your DNS objectives Use the scenario descriptions below to help you decide how to implement DNS for your network The first scenario is to have a caching name s...

Страница 139: ...n record Figure 5 9 Example network with a caching name server with no internal name server In Figure 5 9 the security gateway acts as a caching name server and the client resolvers in the inside netw...

Страница 140: ...er that is responsible for a given domain The DNS proxy is only authoritative for those domains and networks that are defined through the DNS Record Properties dialog box This name server has the phys...

Страница 141: ...y Authority record See Defining an authoritative server with a DNS authority record on page 145 Host record See Identifying a host in a domain with a DNS host record on page 146 optional Mail server r...

Страница 142: ...tative name server with delegation configure the following records on the internal DNS server which in this case is represented by symantec org Authority record See Defining an authoritative server wi...

Страница 143: ...guring an authoritative name server with delegation on page 142 Understanding the security gateway s DNS resource records Before you set up the resource records for the security gateway DNS proxy you...

Страница 144: ...T record Table 5 3 Types of naming conventions Type Example Definition Domain name symantecs org Composed of a domain name symantecs and org Host name eng symantecs org Composed of a specific machine...

Страница 145: ...An authority record defines the name server that is responsible for a given domain You can make the DNS proxy authoritative for both public and private domains Prerequisites None To define an authori...

Страница 146: ...s dialog box on the General tab do the following 4 Optionally on the Description tab in the text box type a more detailed description than you typed in the Caption text box 5 Click OK 6 Optionally do...

Страница 147: ...mail server record A DNS mail server record known as mail exchange MX record in standard DNS defines the server responsible for handling email Use a public mail server record to point external mail s...

Страница 148: ...server record The DNS server supports defining name servers for a domain The name server entry marks the authoritative servers to consult when performing DNS lookups for a host in that domain Dependi...

Страница 149: ...r an outside system by creating a DNS recursion record By configuring a recursion record you instruct the security gateway to resolve host name requests from a specific outside system or network For s...

Страница 150: ...ble DNS lookups fail they do not fall back to the hard coded list Use this feature if you have a security gateway protecting an enclave network In this case the enclave security gateway cannot directl...

Страница 151: ...onfigured your security gateway as the reverse domain authority for the subnet Prerequisites Complete the following task before beginning this procedure Defining an authoritative server with a DNS aut...

Страница 152: ...is case the SPF record should point to the security gateway s outside IP address This may be not the case if there is an Address transform allowing client to see the server s actual IP address Use ori...

Страница 153: ...raffic One option for passing DNS traffic is to create a Generic Service Proxies GSPs for the Transmission Control Protocol TCP and the User Datagram Protocol UDP 53 destination port A GSP is not as e...

Страница 154: ...lution because a forwarding filter acts simply as a packet filter There is no screening for RFC compliance Therefore the target server must be hardened As with the GSP the security gateway is transpar...

Страница 155: ...dp_rev A B dns_udp_s2s B A dns_tcp B A dns_udp B A dns_udp_rev B A dns_udp_s2s 5 Click OK 6 Optionally do one of the following To save your configuration now and activate later on the tool bar click S...

Страница 156: ...related to this topic see the following Proxy Properties DNS General tab on page 699 Refresh interval Specify a value to tell configured secondary name servers how often to check with the system on t...

Страница 157: ...ater on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Solving DNS problems Name service...

Страница 158: ...gateway uses the loopback address 127 0 0 1 to pass DNS requests back to itself do not delete the address Related information Enabling reverse lookups on page 157 Resolve other DNS problems There are...

Страница 159: ...uring rules filters and tunnels to allow or deny the traffic Rules filters and tunnels point to other security gateway elements to specify the source and destination of traffic the interfaces through...

Страница 160: ...n with a domain name network entity Creating security gateway network entities for use in tunnels Creating a network entity group for rules that apply to multiple entities Defining an entity and secur...

Страница 161: ...with the host network entity click the right arrow button which moves them to the Selected list To remove an association in the Selected list select an interface and click the left arrow button to mo...

Страница 162: ...when you want to restrict access to only a defined set of hosts Prerequisites None To define a network or subnet with a subnet entity 1 In the SGMI in the left pane under Assets click Network 2 In th...

Страница 163: ...thin the Internet community Registered domain network entities end with an extension such as com edu or gov to indicate the type of domain or a country code such as jp Japan to indicate the location D...

Страница 164: ...ou can also use security gateway network entities to specify the source and destination of traffic in rules and packet filters When you define security gateway entities you can set up some basic chara...

Страница 165: ...teway VPN tunnel or local gateway in a Client VPN tunnel To specify the source or destination of traffic in rules and packet filters Related information For further information related to this topic s...

Страница 166: ...efore you create the network entity group Prerequisites None To create a network entity group for rules that apply to multiple entities 1 In the SGMI in the left pane under Assets click Network 2 In t...

Страница 167: ...ngs that you configure tunnel traffic is routed to the appropriate entities within the VPN security network entity Prerequisites Complete the following task before beginning this procedure Creating se...

Страница 168: ...s and packet types TCP UDP IP or ICMP You can use these predefined protocols singly or in combination in rules by including them in the service group that is specified for the rule You cannot change o...

Страница 169: ...traffic Use the following table to identify protocols that are not associated with proxies Table 6 1 Supplied protocols with their associated application proxy Protocol name Type Port Associated prox...

Страница 170: ...4 echo_tcp TCP based 7 echo_udp UDP based 7 echo_udp_rev UDP based 1024 EGP IP based n a EON IP based n a esm_agent TCP based 5601 esm_mgr TCP based 5600 esm_rem_install TCP based 5599 esm_rev_install...

Страница 171: ...os_7004_tcp TCP based 7004 kerberos_7004_udp UDP based 7004 kerberos_749_tcp TCP based 749 kerberos_749_udp UDP based 749 kerberos_auth_88 TCP based 88 kerberos_auth_88_tcp TCP based 88 kerberos_tcp T...

Страница 172: ...ed 5362 pcserver TCP based 600 pop 2 TCP based 109 pop 2_udp UDP based 109 printer TCP based 515 PUP IP based n a RAW IP based n a readeagle TCP based 414 readhawk TCP based 418 realaudio_proxy TCP ba...

Страница 173: ...ls Viewing port usage for all protocols This includes custom protocols sunrpc_tcp TCP based 111 sunrpc_udp UDP based 111 syslog UDP based 514 systat TCP based 11 t120 TCP based 1503 tacacs TCP based 4...

Страница 174: ...ation Low Port Protocol Description 7 TCP echo 7 UDP echo 9 TCP discard 9 UDP discard 11 TCP systat 13 TCP daytime 13 UDP daytime 15 TCP netstat 19 TCP chargen 19 UDP chargen 21 TCP ftpd control 22 TC...

Страница 175: ...P cifs 139 TCP netbios 139 UDP netbios 143 TCP imap 152 TCP bftp 161 TCP snmp 161 UDP snmp 162 TCP snmptrap 162 UDP snmptrap 179 TCP bgp 389 TCP ldap 414 TCP readeagle 416 TCP gwproxy 417 TCP visualiz...

Страница 176: ...024 UDP daytime_udp_rev 1024 UDP dns_udp_rev 1024 UDP kerberos_udp_rev 1024 UDP lockd_udp_rev 1024 UDP nfsd_udp_rev 1025 TCP esm_rev_install 1080 TCP socks 1090 TCP realaudio_proxy 1433 TCP mssql_tcp...

Страница 177: ...61 TCP pcAnywhere_5361 5362 TCP pcAnywhere_5362 5599 TCP esm_rem_install 5600 TCP esm_mgr 5601 TCP esm_agent 5998 TCP SESA_notification 6000 TCP x server0 6001 TCP x server1 6665 TCP irc_6665 6666 TCP...

Страница 178: ...define to manage traffic flow for custom applications that are not supported by the standard protocols delivered with the security gateway You can configure generic services provided by hosts residing...

Страница 179: ...eway that accepts Point to Point Tunneling Protocol PPTP connections Since the security gateway does not include a PPTP proxy which involves both GRE and TCP protocols the custom protocol must use the...

Страница 180: ...r application handles all TCP service requests transparently provided the destination is a published entity The GSP proxies these requests to their destinations as if the requester was directly connec...

Страница 181: ...ror and control messages about routing problems or simple inter network exchanges like timestamp or echo transactions to verify connections between TCP IP hosts Prerequisites None To configure ICMP ba...

Страница 182: ...igger IDS IPS events If you want IDS events to be triggered for traffic that is passed using a new protocol that you create you must add the protocol to one of the IDS IPS services on the IDS IPD port...

Страница 183: ...u organize access rights For example you can create one service group with only FTP enabled another with FTP Telnet and HTTP access and a third with full access You can then create rules that allow va...

Страница 184: ...egin with a specific text string select Starts with and then type the text string 6 In the Network Protocol list that is returned by your search select the desired protocols and then do one of the fol...

Страница 185: ...let you customize protocols for certain rules without changing protocol behavior for other rules To do this you create a service group specifically for a rule or set of rules After you add protocols...

Страница 186: ...you want to customize Not all protocols can be customized If a protocol can be customized the Configure button becomes active 4 Click Configure 5 In the parameters properties dialog box for the proto...

Страница 187: ...ll ports Standard ports 443 563 Ports named in the following list If you select this option in the Port text box type a port and then click Add Repeat until you have listed all the ports over which yo...

Страница 188: ...handles all service requests transparently as if the requester were directly connected to the remote destination machine All connections are subject to gateway authorization rules In addition when you...

Страница 189: ...oracle_netprxy directory When using the Oracle Connection Manager proxy all SQL Net traffic is handled according to the Oracle Net9 Connection Manager s configuration The security gateway passes all...

Страница 190: ...nection Manager 1 On the security gateway create a file named usr raptor bin startcmgw sh and add the following syntax startcmgw sh bin sh cd usr raptor oracle_netprxy bin ORACLE_HOME usr raptor oracl...

Страница 191: ...dd 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When pro...

Страница 192: ...izing security gateway time Supporting UNIX services Handling streaming audio and video Managing electronic mail Enabling remote logon Allowing ICMP traffic Defining file control and access You can co...

Страница 193: ...hentication The client must know the name of the SMB server and the name of its shares because browsing through the security gateway is disabled Non transparent connections For non transparent connect...

Страница 194: ...M proxies are enabled Create a CIFS and NBDGRAM service group Create an allow rule for CIFS and NBDGRAM To ensure that the CIFS and NBDGRAM proxies are enabled 1 In the SGMI in the left pane under Ass...

Страница 195: ...r further information related to this topic see the following Proxy Properties CIFS General tab on page 699 Proxy Properties NBDGRAM General tab on page 710 Service Group Properties General tab on pag...

Страница 196: ...t your connections are timing out too quickly during average use Prerequisites Complete the following task before beginning this procedure Configuring access for CIFS and NBDGRAM traffic on page 194 T...

Страница 197: ...roubleshooting NetBIOS traffic connections The procedure in this section explains how to configure the NBDGRAM proxy to log this additional information Prerequisites Complete the following task before...

Страница 198: ...n to another through a pair of connections between a client and a server FTP also lets you remotely manage directories for those servers How the security gateway handles sending and receiving files Th...

Страница 199: ...the Protocols tab to display a list of available protocols to add to this service group click Add 5 In the Select protocols dialog box click ftp 6 Click OK 7 Optionally on the Description tab type a m...

Страница 200: ...customized FTP features you would like to implement Modifying the FTP greeting on page 200 Modifying the timeout period for inactive FTP connections on page 201 Configuring ports for FTP on page 201 A...

Страница 201: ...er timeout for data connections text box type the new timeout period 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To acti...

Страница 202: ...nd the greeting is 512 characters In some cases however you may want this length to be longer This is most often the case when you want to present a small set of directions or a security statement pri...

Страница 203: ...is configured to reveal the addresses of hosts the security gateway protects connecting clients see only the security gateway s outside interface address To receive inbound H 323 connections when the...

Страница 204: ...aboration server s identity to prevent it from being attacked directly Prerequisites None Configure access for Internet based communications To configure access for Internet based communications you m...

Страница 205: ...ully qualified domain name of the destination host 6 Click OK 7 In the H323 Alias Properties dialog box click Apply 8 Optionally do one of the following To save your configuration now and activate lat...

Страница 206: ...anges you make take affect immediately after saving and activating the configuration Prerequisites Complete the following task before beginning this procedure Configuring access for Internet based com...

Страница 207: ...e that inactive connections stay open Similarly if the inactivity period is too long you can use the procedure in this section to reduce that period of time Prerequisites Complete the following task b...

Страница 208: ...ote The H 323 trace file is normally written to var log sg h323d log Prerequisites Complete the following task before beginning this procedure Configuring access for Internet based communications on p...

Страница 209: ...assword combination needs to be entered only once for each browser session Secure sockets layer The security gateway HTTP proxy passes secure HTTP traffic using secure sockets layer SSL transparently...

Страница 210: ...http protocol or use the more secure sockets layer SSL protocol Prerequisites None Configure access for Web traffic To configure access for Web traffic you must do the following Ensure that the HTTP...

Страница 211: ...tion text box 5 Click OK 6 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activa...

Страница 212: ...port WebDAV RFC 2518 fully defines the set of extensions to the HTTP protocol to support WebDAV The HTTP proxy supports the following three WebDAV extensions Overwrite prevention Properties Name space...

Страница 213: ...ng Proxy Properties HTTP Web Proxy tab on page 708 Configuring the HTTP proxy to listen on additional ports for standard connections By default the HTTP proxy listens on port 80 for normal HTTP connec...

Страница 214: ...onfiguration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Modifying the timeout period to keep inactive HTTP connections open By default HTTP...

Страница 215: ...g To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related info...

Страница 216: ...D Prerequisites None Configure access for news feeds To configure access for news feeds you must do the following Ensure the NNTP proxy is enabled Create an NNTP service group Create an allow rule for...

Страница 217: ...ew 3 In the new rule properties dialog box on the General tab do the following 4 Optionally on the Description tab type a more detailed description than you typed in the Caption text box 5 Click OK 6...

Страница 218: ...proxy listens on page 220 Modifying the timeout period to keep inactive NNTP connections open on page 221 Closing NNTP connections gracefully on page 221 Creating trace files of NNTP connections on pa...

Страница 219: ...bar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Dropping NNTP connections that use illegal command...

Страница 220: ...guration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Defining additional ports on which the NNTP proxy listens You can use the procedure in...

Страница 221: ...Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save yo...

Страница 222: ...activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Synchronizing security gateway time Unlike the other proxies which p...

Страница 223: ...as opposed to a GSP offers tighter port usage control and facilitates interactive strong authentication which would not otherwise be available Prerequisites None Configure the security gateway to sup...

Страница 224: ...in the Caption text box 12 In the Service Group Properties dialog box click OK To create an allow rule for RCMD 1 In the SGMI in the left pane under Policy click Firewall 2 In the right pane on the R...

Страница 225: ...her RTSP acts as a network remote control for multimedia servers There is no notion of an RTSP connection instead a server maintains a session labeled by an identifier An RTSP session is in no way tie...

Страница 226: ...he right pane on the Rules tab click New 3 In the Rule Properties dialog box on the General tab do the following 4 Optionally on the Description tab type a more detailed description than you typed in...

Страница 227: ...al buffer overflows or malformed packets If enabled the data stream is also passed to the antivirus engine so that exhaustive checks prevent the introduction of an email based virus Note With the appr...

Страница 228: ...S 2 and is eventually received by the intended recipient EC 2 when they retrieve their email Note There are two different ways in which SMTP mail can arrive at the security gateway it can originate fr...

Страница 229: ...raffic lets users send and receive Internet email Prior to configuring access you should determine what level of access is to be granted and who should have that access You should also consider for wh...

Страница 230: ...the Description tab type a more detailed description than you typed in the Caption text box 8 In the Service Group Properties dialog box click OK To create an allow rule for email 1 In the SGMI in th...

Страница 231: ...ollowing tasks Modifying the timeout period to keep inactive POP3 connections open on page 232 Modifying the timeout period to keep inactive SMTP connections open on page 232 Modifying the SMTP greeti...

Страница 232: ...click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Modifying the timeout period to keep inactive SMTP con...

Страница 233: ...When prompted to save your changes click Yes Related information For further information related to this topic see the following Proxy Properties SMTP General tab on page 717 Disabling SMTP flow contr...

Страница 234: ...lbar click Activate 6 When prompted to save your changes click Yes Related information None Setting the SMTP proxy to debug mode for more verbose error reporting Using the procedure in this section yo...

Страница 235: ...figuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate 6 When prompted to save your changes click Yes Related information None Ena...

Страница 236: ...the connection with user group or authentication restrictions If the connection is allowed but with restrictions and depending on the authentication method the Telnet proxy may prompt for a user name...

Страница 237: ...text box type a name for this service group 4 On the Protocols tab to display a list of available protocols to add to this service group click Add 5 In the Select protocols dialog box click telnet 6 C...

Страница 238: ...ance of an unmodified security gateway is to appear invisible on the network However it is often advantageous to have the security gateway respond to ICMP requests especially when testing or troublesh...

Страница 239: ...Proxies table click PINGD and then click Properties 3 In the Proxy Properties dialog box on the General tab to enable the Ping Proxy check Enable 4 In the Caption text box type a brief description of...

Страница 240: ...or ICMP traffic The ping proxy is normally enabled when access for the ping command is needed However you can modify the security gateway s behavior with regards to ICMP traffic or configure support f...

Страница 241: ...isites Complete the following task before beginning this procedure Configuring access for ICMP traffic on page 239 To enable support for traceroute 1 In the SGMI in the left pane under Policy click Fi...

Страница 242: ...242 Defining your security environment Controlling full application inspection of traffic...

Страница 243: ...243 Defining your security environment Controlling full application inspection of traffic...

Страница 244: ...able authentication on connections for which there is none The security gateway also lets you define a list called a scheme of authentication servers to verify user identity The security gateway requi...

Страница 245: ...ation server The internal authentication server replaces two older methods of authentication Bellcore S Key and gwpasswd which are no longer supported The security gateway s internal authentication se...

Страница 246: ...xternal authentication on page 247 Creating an IKE enabled user on page 245 Adding authentication to rules on page 276 Using roles to assign rules to users on page 424 Creating an IKE enabled user To...

Страница 247: ...h the Phase 1 ID used in the security gateway network entity properties dialog box Authentication Method Under Authentication Method do one of the following To give the user permission to use certific...

Страница 248: ...s click Authentication Servers 2 In the right pane on the Authentication Servers tab select the Internal server and then click Properties 3 In the Internal Properties dialog box on the General tab ens...

Страница 249: ...r group also makes it convenient to grant or remove access for a user by simply adding or removing their user name from the user group Similarly you can reduce the number of roles you create for clien...

Страница 250: ...create a dynamic authentication scheme on page 263 Prerequisites None To configure user groups 1 In the SGMI in the left pane under Assets click Users 2 In the right pane on the User Groups tab click...

Страница 251: ...To open tunnels automatically when the client reboots in the Tunnels to automatically open text box type the number of tunnels to open User Distinguished Name DN includes Type the Distinguished Name D...

Страница 252: ...y gateway s import feature if you already have the information stored elsewhere and can easily convert it into one of the security gateway s supported formats The import feature lets you add and updat...

Страница 253: ...entication for the user Click U to leave the S Key setting unmodified for the user If Y is selected a password must be entered in the SKey password field skey password Type the S Key password in plain...

Страница 254: ...may provide a higher level of security as some external systems use two factor or challenge response authentication mechanisms You authenticate users against an external authentication system by doin...

Страница 255: ...tory domain Prerequisites None To create a new Active Directory authentication server record 1 In the SGMI in the left pane under Assets click Authentication Servers 2 In the right pane on the Authent...

Страница 256: ...figuration The password is then used to bind to the entry A group list can be retrieved by searching for groups where the user s DN or other specified unique attribute is a member specified in the con...

Страница 257: ...page 688 LDAP Properties Schema tab on page 688 LDAP Properties Bind tab on page 689 LDAP Properties Description tab on page 690 Configuring an authentication scheme on page 260 Creating and assigning...

Страница 258: ...figuration now on the tool bar click Activate When prompted to save your changes click Yes 7 After defining the RADIUS authentication server you can use it in the following ways Identify the server to...

Страница 259: ...following Remote Authentication Dial In User Service RADIUS authentication on page 257 RSA SecurID authentication RSA SecurID is a strong two factor authentication method similar to PassGo Defender RS...

Страница 260: ...ID server time or synchronize them both to a common source 5 Optionally perform the RSA SecurID Client installation on the system with the clntchk applet Ensure that the host name and address of the m...

Страница 261: ...on page 691 Configuring an authentication scheme on page 260 Creating and assigning roles on page 426 Configuring an authentication scheme Authentication schemes define one or more authentication ser...

Страница 262: ...tion Use it to establish authentication for secure desktop mail access Use it as the authentication scheme when configuring OOBA authentication Related information For further information related to t...

Страница 263: ...uthentication you must create user group and authentication records in a specific manner Authenticate users on external servers To authenticate users that are defined on external servers you must do t...

Страница 264: ...e toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes To create a dynamic user group record for users who are not in a user...

Страница 265: ...low the Included user groups text box click Add 5 In the Select User Groups dialog box in the User Group list box select the groups whose users you want to authenticate You can select multiple groups...

Страница 266: ...n 1 In the SGMI in the left pane under System click Configuration 2 In the right pane on the Services tab select OOBA Daemon and then click Properties 3 In the Service Parameters for OOBA Properties d...

Страница 267: ...n to rules on page 276 Adding OOBA authentication to a rule After you configure the OOBA service you can use it to authenticate users by adding OOBA authentication to a rule Create a rule as you norma...

Страница 268: ...5 Click OK 6 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompt...

Страница 269: ...268 Limiting user access Authenticating using Out Of Band Authentication OOBA...

Страница 270: ...where it is going the interfaces through which it enters and leaves the security gateway the protocols that are in effect and whether the traffic is allowed or denied In addition with rules you can sp...

Страница 271: ...teway to gateway communication and remote access for users who have installed Symantec Client VPN on their computers By adding a filter to a VPN policy you can further control the traffic Clientless V...

Страница 272: ...and selects the most appropriate rule to apply In the first scan it searches for rules that match the time window and definition of the connection request From this list of possible matches the secur...

Страница 273: ...r user community and the security of your company As you plan you should ask the following questions Which systems are users allowed to access What services are allowed and in which direction During w...

Страница 274: ...traffic you can specify advanced service parameters See the following topics to create these types of rules Creating basic rules Applying alert thresholds to rules Adding authentication to rules Using...

Страница 275: ...page 275 Applying alert thresholds to rules on page 275 Enable To enable the new rule check Enable Rule name Type a unique name for the rule Number This read only field displays the rule s number whi...

Страница 276: ...nge period or time range group or to edit a selected entry 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your...

Страница 277: ...ollowing Rule Properties Alert Thresholds tab on page 592 Alerting using notifications on page 486 Adding authentication to rules To increase the security provided by a rule you can use authentication...

Страница 278: ...le below Excluded network users click Add and then use the Excluded network users dialog box to add the excluded users to the list These users are disallowed by the rule even if they are members of a...

Страница 279: ...ules tab select the rule to which you want to add content security checks and then click Properties 3 In the Rule Properties dialog box if the tab for the content security feature you want to use is g...

Страница 280: ...ut parameters and additional HTTP connection ports When HTTP is included in a service group you can use the HTTP Parameters dialog box to specify ports for HTTP over SSL and an external Web proxy Howe...

Страница 281: ...faces flagged as internal during the security gateway setup All transparent entities can be accessed directly by systems connecting to that interface The Universe entity is a permanent part of the sec...

Страница 282: ...llowing Rule Properties General tab on page 589 Granting internal users access to public services You may want to give internal users access to a public service such as a news server so they can retri...

Страница 283: ...ny of the following To enable HTTP check HTTP and then check the HTTP restrictions you want to enable To enable newsgroups check NNTP and then in the Newsgroup profile drop down list select the newsgr...

Страница 284: ...quests to the publicly known IP address 3 To create a rule to allow public access to the server on a service network in the left pane under Policy click Firewall 4 In the right pane on the Rules tab c...

Страница 285: ...Wizard The Firewall Rule Wizard lets you configure HTTP FTP SMTP and POP3 rules for your security gateway These are among the most commonly needed rules and the wizard simplifies configuration so that...

Страница 286: ...r This is usually an internal mail server that receives and sends mail for your company domain Apply antivirus scanning To apply the antivirus options that you configure to the POP3 rules that are cre...

Страница 287: ...articular kind of traffic and then create a service group that contains the protocols for that traffic Within the service group you can configure specific settings for the protocols The following topi...

Страница 288: ...mix days and times such as 4 PM through 6 PM from July 1 2000 through July 31 2000 or 4 PM through 6 PM on Monday through Wednesday Once you have configured several time period ranges you can create t...

Страница 289: ...e Properties General tab on page 602 Time Period Range Properties Time Range tab on page 603 Configuring a time period group on page 288 Creating basic rules on page 273 Alerting using notifications o...

Страница 290: ...freeing up valuable resources to address legitimate connections Packet filtering is a versatile security gateway feature that is sometimes considered complicated because packet filters are order depen...

Страница 291: ...endpoint Note If you are remotely managing your security gateway ensure that you do not create a packet filter that eliminates remote SGMI access By placing several hosts in an entity group that you c...

Страница 292: ...ections tab on page 601 Creating packet filter groups on page 291 Using packet filters as forwarding filters on page 294 Applying packet filters to a VPN tunnel on page 293 Applying packet filters to...

Страница 293: ...able through a VPN tunnel On a network interface to restrict the types of packets passing into or out of the security gateway Related information For further information related to this topic see the...

Страница 294: ...General tab in the Filter applied drop down list select the packet filter you want to apply 4 Click OK 5 Optionally do one of the following To save your configuration now and activate later on the to...

Страница 295: ...k interfaces If the packet matches the chosen filter it is not sent up the protocol stack for authentication instead it passes through the security gateway bypassing normal security checking This feat...

Страница 296: ...license to enable any of the HTTP settings Configure content profiles that provide content filtering based on the subject matter of Web content Content profiles are applied on a per rule basis and le...

Страница 297: ...the following parameters After you specify the URLs URL patterns MIME types and file extensions to which users are allowed or denied access you can apply these settings selectively in rules When traf...

Страница 298: ...ts Web URL For example assume that there are two different Web sites that are hosted on the same server http www symantecdomain com and http www symantecexample com Both of theses sites return an IP a...

Страница 299: ...toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For further information related to this topic see...

Страница 300: ...ust be used in a context where it cannot possibly indicate a range This can either be at the beginning of the set or immediately after a range Beginning anchor character and matches the blank space at...

Страница 301: ...range of characters that should be matched Because you are looking specifically for three consecutive letters you need to set up three sets of brackets Use caution when you use the character as a glo...

Страница 302: ...under Policy click Firewall 2 In the right pane on the Rules tab do one of the following To add URL pattern filtering to an existing rule highlight the rule and then double click to display its prope...

Страница 303: ...for a rule that contains HTTP The HTTP proxy can restrict or permit access according to a list of MIME types Each URL that is received is scanned to determine its content type If the content type matc...

Страница 304: ...ervice group with the HTTP protocol 5 On the Content Filtering tab ensure that the HTTP check box is checked 6 Under Select the protocols and settings to apply content filtering scanning check Apply M...

Страница 305: ...file extension 1 In the SGMI in the left pane under Policy click Content Filtering 2 In the right pane on the Advance Restrictions tab under File Extensions in the Available list select the file exte...

Страница 306: ...your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information F...

Страница 307: ...ntent categories are included with the software You can use these categories or create local modifications of the categories to fit your specific needs Symantec has populated the predefined content ca...

Страница 308: ...ing or general subterfuge and defeating of security measures Drugs Advocacy Sites advocating the use of illegal drugs for medical and personal use Drugs Non medical Sites providing information on grow...

Страница 309: ...ation Advanced Sites providing medical discussions of sexually transmitted diseases such as syphilis gonorrhea and HIV AIDS May include medical pictures of a graphic nature Includes sites providing in...

Страница 310: ...e left arrow button 7 Click OK 8 In the Rating Modification Properties dialog box click OK 9 Optionally do one of the following To save your configuration now and activate later on the toolbar click S...

Страница 311: ...is not acceptable The dictionary that is associated with that content category is activated for DDR scanning However you can choose whether to activate DDR for a content profile How DDR evaluates Web...

Страница 312: ...ontained in the list may be restricted or allowed and the corresponding dictionary may or may not be used by DDR to score Web page content By placing lists in different states you control not only acc...

Страница 313: ...the deny list and the other is not users are blocked from accessing the site This is because the URL is in at least one content category in the deny list When a request is made for a URL that is cont...

Страница 314: ...quisites None To modify the contents of a content category 1 In the SGMI in the left pane under Policy click Content Filtering 2 In the right pane on the URL Ratings tab do one of the following To set...

Страница 315: ...ffic until they are added to a newsgroup profile and then to a rule You should list all the newsgroups that you specifically want to address regardless of whether you intend to allow or deny them Prer...

Страница 316: ...file 5 On the Profile tab in the Available newsgroups list select a newsgroup and then click the right arrow button to move it to the Allowed newsgroups list Unless you are using a general wildcard pr...

Страница 317: ...log box on the Protocols tab ensure that one of the following is listed If you want to apply a content profile and HTTP restrictions use HTTP If you want to apply a newsgroup profile use NTP Click OK...

Страница 318: ...rmation related to this topic see the following Rule Properties Content Filtering tab on page 599 Creating a content profile on page 311 Filtering by a specific URL on page 297 Filtering by URL patter...

Страница 319: ...318 Controlling traffic at the security gateway Blocking inappropriate content with content filtering...

Страница 320: ...includes defining filters enabling protection for logical network interfaces configuring address transforms an antivirus server and intrusion detection and prevention software You can configure these...

Страница 321: ...he values of the signature variables to adapt to your environment When you activate a change to a signature variable and the security gateway cannot validate the change a log event with a severity lev...

Страница 322: ...ronment When creating a new policy you must provide a name heuristic detection level and a brief caption Both pre configured and user configured policies can be deleted LiveUpdate may add delete or mo...

Страница 323: ...ss VPN connections Forward filters Web VPN connections Port forwarders Network interfaces Applying an IDS IPS policy to any of these components provides protection against malicious traffic passing th...

Страница 324: ...at the point of entry providing additional security to the connection Prerequisites None To apply IDS IPS policies to clientless VPN connections 1 In the SGMI in the left pane under Policy click Clie...

Страница 325: ...that matches signatures of possible threats Prerequisites None To apply IDS IPS policies to Web VPN connections 1 In the SGMI in the left pane under Policy click Policy Parameters 2 In the right pane...

Страница 326: ...ble threats at the point of entry Prerequisites None To apply IDS IPS policies to network interfaces 1 In the SGMI in the left pane under Assets click Network 2 In the right pane on the Network Interf...

Страница 327: ...S policy and apply all of the modifications by enabling the IDS IPS policy on an interface Viewing intrusion events You can view intrusion events and detailed information including protocols categorie...

Страница 328: ...pane on the Configuration tab next to View click Table 3 In the Policy name drop down list select an IDS IPS policy 4 Select the intrusion event you want to view and then click Properties 5 To close...

Страница 329: ...an IDS IPS service appears grey rather than black this indicates that some events below that level in the hierarchy are not configured for logging At the individual intrusion event level a red icon in...

Страница 330: ...ent settings in the tabular format In the tabular format you can modify individual intrusion events in the IDS Event Type Properties dialog box or directly from the table From the properties dialog bo...

Страница 331: ...eneral tab on page 643 Monitoring IDS IPS alerts on page 482 Modifying event settings in the tree format In the tree format you can modify individual intrusion events or you can modify globally at any...

Страница 332: ...e of the following To enable logging and traffic blocking of this event check Log this event and Block traffic if this event is detected To enable only logging of this event check Log this event To di...

Страница 333: ...ports for secure connections on page 214 See Customizing the HTTP protocol to pass HTTPS traffic on page 187 Prerequisites None To manage portmap settings 1 In the SGMI in the left pane under Policy...

Страница 334: ...technologies for heuristic detection of new or unknown viruses to provide protection from new classes of viruses automatically through LiveUpdate and to detect polymorphic viruses If you would like t...

Страница 335: ...error when downloading a large file Using data comforting can compromise the integrity of virus scanning You should consider the limitations of data comforting before you use this feature The followin...

Страница 336: ...m values is met or exceeded for a given file the security gateway stops processing the file and generates a log entry You can specify whether to allow or deny access to these files Access is denied by...

Страница 337: ...the antivirus scanner is unavailable for any reason you can still protect your environment from malicious attacks When this protection is enabled if the antivirus scanner reports an error during the s...

Страница 338: ...ock files when the antivirus scanner is unavailable 5 On the SMTP subtab check Block emails with partial message content type header 6 Optionally do one of the following To save your configuration now...

Страница 339: ...File Extension dialog box on page 633 Adding antivirus protection to a rule on page 347 Specifying file types to scan The security gateway lets you control the types of files that are scanned You can...

Страница 340: ...4 To modify the file exclusion list do one or more of the following To add a file extension click Add In the Add File Extension dialog box in the File extension text box type the file extension that y...

Страница 341: ...hen data comforting is enabled the requested file is sent trickled to the user in small amounts at regular intervals until the scan is complete When an infected file is detected while data comforting...

Страница 342: ...sent to the user Note When configuring the antivirus data comforting option for HTTP FTP and POP3 a pop up window reports that infected repairable and unrepairable files will be deleted even when the...

Страница 343: ...the message For each full file name that you want to filter you type a separate text string If the text string that you type matches the file name of any attachment the message is handled accordingly...

Страница 344: ...Size dialog box in the Mail attachment size text box type the maximum file size to permit for a binary file attached to an email 4 Click OK 5 Under the Binary file size list select one of the followi...

Страница 345: ...fected file even if the file could be repaired Repair or delete Attempts to repair the infected file If the file cannot be repaired the security gateway deletes the infected file You can configure the...

Страница 346: ...also include a message in the body of the email to notify the user that an infected file was deleted The SMTP and POP3 protocols replace the deleted infected file with a text message file The text fi...

Страница 347: ...olbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes 6 To apply this setting create a rule and enable the appropriate action o...

Страница 348: ...antivirus functionality you must create a rule and select the antivirus processes that you want to use You can specify separate options for each protocol The more antivirus scanning and filtering pro...

Страница 349: ...tivirus features that you want to use as follows Substitute for infected file SMTP POP3 HTTP FTP Replaces an infected attachment in an email with a text file when the infected attachment is deleted In...

Страница 350: ...POP3 protocol can only be scanned after it has been delivered to a mailbox but before it is read by a user You cannot block POP3 email because there is no way to remove the infected mail from the mail...

Страница 351: ...ubject pattern matching processing You can then make the appropriate adjustments to your antispam settings Figure 9 3 Antispam scanning sequence Table 9 4 Antispam scanning sequence Order Scanning pro...

Страница 352: ...am email Blocking spam using real time blacklists on page 352 Identifying spam using heuristic antispam scanning on page 353 Identifying spam using a custom known spammers list on page 354 5 Subject p...

Страница 353: ...ime blacklist rejects the sender address Messages from the rejected sender address are always blocked If the proxy does not get a suitable response from any of the real time blacklist servers a log en...

Страница 354: ...You can configure the options for SMTP and POP3 separately For the SMTP protocol only you can block the email message For both the SMTP and POP3 protocols you can send the message to the recipient unm...

Страница 355: ...antecdomain com it blocks only that subdomain and not the full domain for example symantecdomain com You can specify how you want to handle messages that are identified as spam by the custom known spa...

Страница 356: ...o the recipient unmodified Ensure that you enable the subject pattern matching setting in the appropriate firewall rule You must also have a valid Content Security license If you do not the security g...

Страница 357: ...st operators as a source of spam The security gateway lets you create a custom list of mail transfer agent IP addresses that are permitted to bypass the real time blacklist processing Ensure that you...

Страница 358: ...able the senders list setting in the appropriate security gateway rule You must also have a valid Firewall Base license If you do not the security gateway does not attempt to use this antispam scannin...

Страница 359: ...er on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For further information related to this t...

Страница 360: ...e source IP address and leaves the destination IP address unchanged The topics in this section are Controlling IP addresses with address transforms Mapping addresses with NAT pools Redirecting connect...

Страница 361: ...eal packet source address to be overwritten by the security gateway address for the connection Note that this should be the addressing scheme for most connections except VPN tunnels With VPN tunnels t...

Страница 362: ...he allocated address If the NAT pool is being used in a VPN tunnel the tunnel itself can time out based on the parameters defined When this happens the connection is dropped and the NAT address is rel...

Страница 363: ...addresses but those subnets may consist of only one entity You must have the same number of entities in your real subnet as you do in your NAT subnet Use dynamic NAT pools to map a client IP address t...

Страница 364: ...on the NAT Pool tab click New Dynamic NAT Pools 3 In the Dynamic NAT Pool Properties dialog box on the General tab do the following 4 Optionally on the Description tab type a more detailed descriptio...

Страница 365: ...net as the security gateway s real address it automatically routes the packets using the address resolution protocol ARP If the virtual address is not on the same subnet add a static route on your Int...

Страница 366: ...Related information For further information related to this topic see the following Redirected Services Properties General tab on page 673 Redirected Services Properties Description tab on page 673 C...

Страница 367: ...nt configuration in essence a reverse NAT configuration the External host sees the security gateway address on any communication it receives back Figure 9 4 Virtual client configuration Creating a vir...

Страница 368: ...ss Transform Properties dialog box on the General tab do the following 4 On the Source Address Transform tab check Use NAT pool 5 Optionally on the Description tab type a more detailed description tha...

Страница 369: ...network interface naming convention when you configure the network adapters in the System Setup Wizard you can apply rules that use the logical network interface This section includes the following t...

Страница 370: ...ion attempt the response from the source host which happens in the third phase would be an acknowledgement packet ACK enabled and the two ends would establish the connection However the attacker skips...

Страница 371: ...otection feature to ignore when determining if the security gateway is under a SYN flood attack Prerequisites None To create a SYN flood allowed host list 1 In the SGMI in the left pane under System c...

Страница 372: ...under Assets click Network 2 In the right pane on the Network Interfaces tab select the network interface on which you want to enable protection and click Properties 3 In the Network Interface Propert...

Страница 373: ...372 Preventing attacks Enabling protection for logical network interfaces...

Страница 374: ...resources To make creating secure tunnels faster and easier you can define standard VPN policies that you can then select for your secure tunnels Rather than configuring the components present in thes...

Страница 375: ...by a security gateway at one site can establish a tunneled connection to the security gateway protecting the remotely located site The remote user can connect to and access the resources of the privat...

Страница 376: ...ints Tunnel endpoints perform encryption decryption encapsulation decapsulation and authentication operations on tunnel packets Tunnel endpoints are typically two security gateways gateway to gateway...

Страница 377: ...routable In addition an ICMP Parameter Problem message is sent back to the client The best solution to this symptom is to ask the end user to modify the default home subnet assigned by their home rout...

Страница 378: ...tly through If there is no proxy requirement the packets move on to their destination Proxying tunnel traffic lets the administrator control the type of traffic allowed through a tunnel Even between t...

Страница 379: ...l The decision to make two VPNs cascaded may reflect different levels of security on your private network and the Internet Figure 10 4 Cascaded VPN tunnels Note Figure 10 3 and Figure 10 4 represent g...

Страница 380: ...Main Mode and Phase 2 or Quick Mode The Phase 1 negotiation establishes a secure channel called the security association SA between two computers The SA is used to protect the security negotiations Ph...

Страница 381: ...IKE tunnels ISAKMP dynamically negotiates keys establishes SPIs negotiates transforms and provides key expiration for greater security and flexibility Configuring VPN policy for IPsec with IKE You ca...

Страница 382: ...d in the order they appear You can change their order by selecting an entry and clicking Up or Down Name Type a unique name for the VPN policy Caption Type a brief description of the VPN policy Filter...

Страница 383: ...toolbar click Activate When prompted to save your changes click Yes 11 To use the VPN policy do one of the following Create a VPN tunnel and select the VPN policy Create a clientless VPN rule with VP...

Страница 384: ...and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Policy Name Type a unique name for the VPN p...

Страница 385: ...name of the global IKE policy is displayed This default name cannot be changed 3 In the Connection timeout text box type an interval in minutes for connection timeout 4 On the Data Privacy Preference...

Страница 386: ...ess transforms as the method by which traffic arrives at the security gateway When you create Client VPN tunnels you can also incorporate them in packages that are sent to remote users to simplify the...

Страница 387: ...isting security gateway network entity select it from the drop down list If you are creating a new security gateway network entity do the following In the Name text box type the name of the new securi...

Страница 388: ...the drop down list and then skip to step 14 To create a new security gateway network entity click Create new security gateway network entity 12 To define the new network entity do the following For a...

Страница 389: ...a VPN policy for the new tunnel IP address Type the IP address or fully qualified domain name of the network entity Authentication method Do one of the following To use certificates to authenticate cl...

Страница 390: ...ing Gateway to Gateway Tunnel Wizard on page 786 Creating basic rules on page 273 Controlling IP addresses with address transforms on page 359 Using the Remote Access Tunnel Wizard to create Client VP...

Страница 391: ...g network entity select the network entity from the drop down list and then click Next to skip to step 13 To create a new network entity to serve as the local tunnel endpoint click Create new network...

Страница 392: ...imary IKE user group 14 Click Next 15 In the VPN Policy panel in the drop down list select a VPN policy 16 Click Next For a Subnet network entity In the Name text box type a name for the new endpoint...

Страница 393: ...omputer configuration on page 399 Creating tunnels manually For each VPN tunnel that you create you must select a pre configured security gateway and a network entity local to your site as well as a p...

Страница 394: ...Gateway to Gateway tunnel Properties dialog box on the General tab do the following 4 Click OK Enable To enable the tunnel check Enable Name Type a unique name for the tunnel VPN policy In the drop do...

Страница 395: ...to remote users to simplify the configuration of Symantec Client VPN If your remote tunnel endpoint is a Symantec Client VPN user then you must configure a VPN security network entity to serve as the...

Страница 396: ...le Client VPN computer configuration on page 399 Manually configuring a tunnel using IPsec with static key You can configure a VPN policy with static IKE to support static VPN tunnels In static VPN tu...

Страница 397: ...ck Generate Keys The appropriate key fields are available according to your VPN policy selection It is strongly recommended that you use the Generate Keys button rather than creating your own keys Loc...

Страница 398: ...enable a compliance check interval Check interval minutes If Periodically check compliance is checked type the number of minutes between automatic client compliance checks Require Symantec Client Fir...

Страница 399: ...ce of remote Client VPN computers on page 397 To apply the client compliance policy 1 In the SGMI in the left pane under Assets click Users 2 In the right pane on the User Groups tab select the user g...

Страница 400: ...on after the computer is initialized The Client VPN package is a single encrypted file that contains the following information Gateway IP address Server Phase 1 ID Authentication method Client Phase 1...

Страница 401: ...stallation directory with nsetup exe The installation will copy the Client VPN package file to the directory into which the client is installed Since the Symantec Client VPN application will always ch...

Страница 402: ...ort Client VPN tunnels 1 In the SGMI on the File menu click Import VPN Tunnels 2 Browse to the pkimpvpn file in the sg directory 3 Click Import VPN Tunnels File import can take several minutes After t...

Страница 403: ...rate the certificate To create the entrust ini and username epf files on the Entrust CA server 1 To create a new user use the Entrust Admin utility accessible from Start Programs Entrust Entrust Admin...

Страница 404: ...splayed in the Entrust Server window and then press Enter 6 When prompted type the profile filename for saving keys and then press Enter This is the epf file that contains your certificate and private...

Страница 405: ...unnel through the Internet Example multicast gateway to gateway IPsec tunnel configuration In addition to the following instructions be familiar with the general instructions for configuring a gateway...

Страница 406: ...twork entity for 10 10 10 1 2 Create a subnet network entity for 10 10 20 1 3 Create a gateway to gateway VPN tunnel and for the local endpoint use the 10 10 10 1 subnet entity and then do the followi...

Страница 407: ...nnel First edit the security gateway initialization file raptor init to add two additional commands immediately following the multicast callout and allmulti commands usr raptor bin vpn set Global Tunn...

Страница 408: ...erify_packet_exiting_tunnel The syntax must be exact 4 In the Caption text box type a brief description of the option 5 On the Value tab in the Value text box type false 6 Click Add 7 On the Descripti...

Страница 409: ...408 Providing remote access using VPN tunnels Multicast traffic through gateway to gateway IPsec tunnels...

Страница 410: ...less VPN users Configuring access to common applications Identifying resources with URLs About clientless VPN Symantec Gateway Security s clientless VPN feature provides portal based access for Web en...

Страница 411: ...ify users identities when they log on Group server A database that organizes users with similar attributes into groups such as LDAP and NT Domain the security gateway uses this data to determine users...

Страница 412: ...and user groups are arranged in a hierarchical role structure that ensures that any rule applying to a parent role also applies to a child role below it in the structure To customize the user experie...

Страница 413: ...ne an authentication scheme on the Assets Authentication Servers Schemes tab See Configuring an authentication scheme on page 260 Define a VPN profile to determine connection parameters on the Policy...

Страница 414: ...twork SNC is the most flexible mode from an application perspective since it is application agnostic SNC is only supported on Microsoft Windows XP Microsoft Windows 2000 client systems SNC can use an...

Страница 415: ...on now on the toolbar click Activate When prompted to save your changes click Yes To delete a VPN Profile 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In the right pane on the Cl...

Страница 416: ...defines URLs that identify internal network resources Each rule is identified by a unique name There are two types of clientless VPN rules Rule components A rule specifies the minimum requirements nee...

Страница 417: ...he path element is used to control access and therefore the examples below demonstrate variations of the path element Other elements such as host name can be formulated using similar methods Figure 11...

Страница 418: ...main com mail www symantecdomain com jsmith Example 3 SimpleAllow3 is a rule for all file resources on the www symantecexample com server that are in a share folder named sales and have a single prece...

Страница 419: ...e rule select Deny Network application In the drop down list select the protocol matching the type of traffic you want to control with this rule You may select only one The fields available in the res...

Страница 420: ...h a backslash for example to use as a normal character type Additional regular expression characters besides those shown in Table 11 2 that must be preceded by a backslash are The table below shows a...

Страница 421: ...salesNW projects rtf Matches an empty string only dir a subdir status doc dir Matches any path with the string dir in it dir directory abc subdirectory subsub dir file txt a subdi sub text pdf dir Mat...

Страница 422: ...a link to the resource is immediately available Prerequisites None To add an advanced rule 1 In the SGMI in the left pane under Policy click Clientless VPN dir subdir Matches the string dir subdir fol...

Страница 423: ...names or IP addresses Port Type the port number used to access the resource if it is different from the default Path Type an expression that matches the allowed path This restricts access to the host...

Страница 424: ...ntire set of rules to a role and thereby apply multiple rules to a group of users You can create empty rule sets and add rules later or create individual rules and then group them in a rule set Creati...

Страница 425: ...et Properties General tab on page 623 Clientless VPN Role Properties General tab on page 624 About simple rules on page 415 About advanced rules on page 419 Assigning a rule or rule set to a role on p...

Страница 426: ...el all the administrator has to do is assign the CEO role to the user who is the current CEO on the authentication server All privileges pertaining to that role in the organization are automatically a...

Страница 427: ...r role that controls the access privileges of all users on the server and a default group role that controls the access privileges of all groups on the server See Creating authentication server record...

Страница 428: ...import group roles 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In the right pane on the Roles tab click Import Roles 3 In the Import Roles dialog box in the Authentication serve...

Страница 429: ...ing task before beginning this procedure Configuring users for internal authentication on page 243 To import user roles 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In the right...

Страница 430: ...your configuration and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information For fu...

Страница 431: ...n the Rules tab click Add 4 In the Rule Rule Set Selection dialog box in the Rules or Rule Sets list select a rule or rule set and then click OK The rules and rule sets listed in the Rules from parent...

Страница 432: ...VPN users check Enable expanded DNS lookups 5 Optionally do one of the following To save your configuration and activate later on the toolbar click Save To activate your configuration now on the toolb...

Страница 433: ...ault Symantec logo and name with those of your organization The logo and name appear on all portal pages News items Posts system wide messages to display for a specific period of time This can be used...

Страница 434: ...page and configure the links that display on the page Once the page exists it can be assigned to a role influencing the QuickLinks that appear on a role s portal page You can organize the lists of li...

Страница 435: ...430 Assign the portal page to a role on page 438 Creating resource QuickLinks Resource QuickLinks are used on portal pages to help remote users access internal resources They allow users to access con...

Страница 436: ...ote users Prerequisites Complete the following tasks before beginning this procedure Creating resource QuickLinks on page 434 To create a resource group 1 In the SGMI in the left pane under Assets cli...

Страница 437: ...page 433 Creating resource QuickLinks on page 434 To add a resource link to a portal page 1 In the SGMI in the left pane under Assets click Portal Pages 2 In the right pane on the Portal Pages tab sel...

Страница 438: ...e toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click Yes Related information None Adding news items to a portal page News item...

Страница 439: ...pearance tab select the news item you want to remove and then click Delete The news item is marked for deletion from the system The actual deletion will happen the next time the security gateway confi...

Страница 440: ...The administrator must create a single sign on access rule for each resource Collecting resource logon information You can configure the security gateway to prompt users for their user names and pass...

Страница 441: ...o disable the single sign on feature an authenticated user can delete sign on information stored by the security gateway This might be done if the user password or the resources being accessed changed...

Страница 442: ...ions to convert or rewrite resource host names or URLs with the security gateway s address instead of the actual network host or URL Prerequisites None Enable reverse proxy translation for hosts or fo...

Страница 443: ...n use to simplify setting up clientless VPN connections The Remote Access Tunnel Wizard builds connections in a who what how methodology who is being provided access to what resource are they provided...

Страница 444: ...n the Options panel identify the host resource to which you are providing access by doing one of the following To specify the host by DNS name click Specify host by DNS name and then type the DNS name...

Страница 445: ...ion panel review the configuration and then do one of the following If the connection is configured properly click Finish You need to activate the change before using the connection To reconfigure the...

Страница 446: ...from the drop down list and then click Next to skip to step 12 To create a new user role click Create a new user role To create a new group role click Create a new group role 9 In the User name or Gro...

Страница 447: ...hen do one of the following If the connection is configured properly click Finish You need to activate the change before using the connection To reconfigure the connection click Back until you reach t...

Страница 448: ...ther information related to this topic see the following Secure Web Mail Access Properties General tab on page 742 Advanced mail actions on page 446 Using the security gateway as a mail proxy on page...

Страница 449: ...On the client computer specify the fully qualified domain name of the security gateway as the incoming mail server 2 Select the mail protocol that corresponds with the appropriate proxy that the admi...

Страница 450: ...s enabled type the number of minutes between automatic client compliance checks The default is 10 minutes Require Symantec Client Firewall Check this option to require that clients have Symantec Clien...

Страница 451: ...tasks before beginning this procedure Ensuring client compliance for clientless VPN users on page 449 To apply client compliance 1 In the SGMI in the left pane under Policy click Clientless VPN 2 In...

Страница 452: ...supports The cipher suites that are available are defined by RFC and cannot be modified however you can specify which cipher suites are used to protect data for your security gateway Prerequisites Non...

Страница 453: ...less VPN consists of five major steps Gathering information about the terminal emulation client Creating a clientless VPN access rule or rule set for the terminal emulation client Assigning the termin...

Страница 454: ...the terminal emulation server 1 In the SGMI in the left pane under Assets click Portal Pages 2 In the right pane on the Resources tab click New 3 In the Resource Properties dialog box on the General t...

Страница 455: ...on page 454 Connecting to Symantec Clientless VPN with the terminal emulation client After the user logs on clientless VPN downloads the port forwarder Java applet After the user accepts the applet a...

Страница 456: ...a user name password and other supplementary information such as query data The most typical form is either protocol username password host port path query or protocol username password host port path...

Страница 457: ...nnecessary if the FTP server is configured with the default port The following table shows an example of an FTP URL resource with user name and password Table 11 8 http search symantecexample com bin...

Страница 458: ...re allows users to connect to Microsoft Exchange servers behind the security gateway without reconfiguring Microsoft Outlook This resource uses the following URL syntax protocol host name The protocol...

Страница 459: ...optional element like port because there is no default share When using the advanced syntax the domain value is optional Most file shares are password protected The single sign on feature prompts the...

Страница 460: ...ehind the security gateway without reconfiguring the application client The TCP IP port forwarding feature changes the host files on the end user s computer Therefore only users who have permission to...

Страница 461: ...pple MAC OS X Resource links can be configured from the Portal tab to automatically start when the user signs on Autostart is particularly useful for mail applications UDP is a basic resource and uses...

Страница 462: ...be the first warning of an attack Temperature fan and disk warnings can alert you to problems with the security gateway appliance Status Shows general and detailed information about the properties of...

Страница 463: ...put The Network Throughput chart lets you see the volume of traffic through the security gateway You can view activity on all network interfaces or select a specific interface to monitor Unusual spike...

Страница 464: ...of the chart indicates time The legend to the left of the chart shows connections measured by hundreds 4 To change the active connections that are displayed do one or more of the following Related in...

Страница 465: ...his topic see the following Viewing copying and printing current log files on page 473 Monitoring appliance temperature and fan status Sensors on the security gateway appliance report the appliance te...

Страница 466: ...the SGMI in the right pane under System click Administration 2 In the right pane on the Advanced Options tab click ui_status_poll_interval and then click Properties 3 In the Advanced Options Properti...

Страница 467: ...ervers The Hardware Encryption Diagnostics tab run tests on the Symantec Gateway Security 5600 Series hardware accelerator chip and shows if it is working properly The Clientless VPN Failed Logons tab...

Страница 468: ...s tab in the Active Connections table select an active connections entry 3 Click Properties The Active Connections Properties dialog box provides an alternate view of an active connection It also lets...

Страница 469: ...Complete the following tasks before beginning this procedure Ensuring client compliance for clientless VPN users on page 449 Ensuring compliance of remote Client VPN computers on page 397 To view ant...

Страница 470: ...ostics The results of the test successful or failed display on the Hardware Encryption Diagnostics window If there is no encryption card installed the message Hardware Diagnostics Not Successful resul...

Страница 471: ...vice Viewing copying and printing current log files Viewing cluster log files Opening deleting and backing up archived log files Adding or removing Event Log table columns Starting a new log file Disp...

Страница 472: ...displayed Maximum Log File Size KB Select the maximum size for your logging file Low Disk Threshold KB Select the threshold at which to warn about the log file size This threshold is set against dev...

Страница 473: ...end logging when there is no additional space check Auto delete old logfiles Minimum number of hours to keep logfile Use the up and down arrows to select the minimum time in hours to keep old log file...

Страница 474: ...ation changes are made they do not apply to existing connections Until a connection is terminated any log messages generated by it will show the configuration that was in effect when the connection be...

Страница 475: ...opy 4 Paste the message into the application of your choice 5 To close the Event dialog box click Close To print log file text 1 In the SGMI in the left pane under Monitors click Logs 2 In the right p...

Страница 476: ...chived log file 1 In the SGMI in the left pane under Monitors click Logs 2 In the right pane on the Event Logs tab click Open Log 3 In the Open Archived Log File dialog box select the log file for the...

Страница 477: ...log file is always the logfile rollover which will have the new timestamp Subsequent entries will be any queued entries timestamped with the time at which they were generated Prerequisites None To st...

Страница 478: ...list select one of the following Access allowed Access denied Configuration Connection established Internal License Operational You can choose more specific classifications within these broad categor...

Страница 479: ...sages that are displayed are those that meet all search criteria Note An advanced search of a large log file can impact performance You can search the log file and limit the display based on the follo...

Страница 480: ...th In the Search text box type the text on which you want to search Click Search 7 To display events that contain specific parameters do the following Click Parameters and then click Add In the Select...

Страница 481: ...nment on a Linux Solaris or Windows computer Accessing your security gateway using an outside untrusted network can present danger If the certificate for the security gateway is not in the trust store...

Страница 482: ...management utility run the following command remotearchive sh delete host user password logfile1 logfile2 Where Related Information None list Lists log files host The host name or IP address of the se...

Страница 483: ...uniquely identify IDS IPS events each event is also assigned a unique base event type value The alert events that you can see in the logs are those that have been configured and applied on the IDS IPS...

Страница 484: ...o configure the security gateway response to the event do the following 9 Click OK 10 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To...

Страница 485: ...rce IP address check Source IP address and then type the IP address of the source of an intrusion 4 To display alerts with a specific source port check Source port and then type the port number of the...

Страница 486: ...d are those that meet all search criteria Note An advanced search of a large log file can impact performance You can search the log file and limit the display of IDS IPS alerts based on the following...

Страница 487: ...ern and then click Add 10 Click OK Related Information For further information related to this topic see the following Performing a basic IDS IPS alert search on page 484 Performing an advanced IDS IP...

Страница 488: ...klist notification check the appropriate severity levels 9 Optionally on the Description tab type a more detailed description than you typed in the Caption text box 10 Click OK 11 Optionally do one of...

Страница 489: ...ication 5 Optionally in the Time Period drop down list you can select a time period in which the notification will be valid 6 To define the severity of the alerts necessary to trigger the notification...

Страница 490: ...e notification 5 Optionally in the Time Period drop down list you can select a time period in which the notification will be valid 6 To define the severity of the alerts necessary to trigger the notif...

Страница 491: ...agers check enable 4 In the Notification Name text box type a name for the notification 5 Optionally in the Time Period drop down list you can select a time period in which the notification will be va...

Страница 492: ...or Notify Properties General tab on page 748 Service Parameters For Notify Properties Description tab on page 748 Configuring SNMPv1 and SNMPv2 notifications The Simple Network Management Protocol SNM...

Страница 493: ...iod in which the notification will be valid 6 To define the severity of the alerts necessary to trigger the notification check the appropriate Triggered by Event options 7 In the Community text box ty...

Страница 494: ...ication 3 In the SNMP V2 Trap Notification Properties dialog box on the General Tab to enable the new notification through SNMP V2 trap check Enable 4 In the Notification Name text box type a name for...

Страница 495: ...es product OS restore CD ROM in the ClientSoftware directory The Symantec DeepSight Extractor for the Symantec Gateway Security 5000 Series v3 0 Installation and Configuration Instructions is found in...

Страница 496: ...box on Miscellaneous tab uncheck Log successful connections 4 Optionally do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configurat...

Страница 497: ...er of log messages Prerequisites None To configure the reverse lookup timeout value 1 In the SGMI in the left pane under Assets click Asset Parameters 2 In the right pane in the Asset Parameters windo...

Страница 498: ...ou can either view print or save it Note Be aware that the amount messages logged in your log file can affect the size of your report The more information in the log file for example spam messages the...

Страница 499: ...hour and minutes to begin the report Select AM or PM In the Duration drop down lists select the time in seconds minutes or hours for which you would like to run the report You can also use the time s...

Страница 500: ...access denied by the security gateway within a requested 24 hour period and provides information about users who have made connection attempts that do not conform to the security policy Note If the r...

Страница 501: ...Lists and details bytes the source addresses who have most often accessed the sites through the security gateway Top Bytes Transferred by Web Site Lists sites both inside and outside the security gate...

Страница 502: ...you can view The status of all security gateway configurations from one central location Individual component configuration reports All reports begin with a cover page that shows when the report was l...

Страница 503: ...onfiguration report descriptions on page 503 Printing and saving a configuration report To view PDF reports you must have Adobe Reader installed on the same computer as the one that hosts the SGMI The...

Страница 504: ...ished name settings Client Compliance Profile Details your client compliance settings In addition displays your antivirus settings for your antivirus server Clientless VPN Certificates Authorities Sho...

Страница 505: ...nt Security Antivirus Response Settings Displays the actions you have set to perform when mail messages are identified as spam Content Security Email Restrictions Shows the content security email rest...

Страница 506: ...slation NAT pools including the starting and ending addresses in the pool the addresses being modified and the description Network Entity Lists all configured network entities Information reported is...

Страница 507: ...onfigured service groups Covered information includes the group s description protocols applied ratings and any additional parameters Services Shows the current status of key daemons and services Gate...

Страница 508: ...or SSH from a command prompt on the computer you use to connect to the security gateway go to the following directory on the security gateway var lib sg management 2 In the management folder retrieve...

Страница 509: ...508 Generating reports Upgrade reports...

Страница 510: ...lustering technology to ensure high availability HA and increase performance through load balancing LB In a cluster two to eight security gateways are grouped together and instructed to work as a sing...

Страница 511: ...ing to change or reassign default gateways on any computers All hosts point to the local default gateway and not the real IP address of a given cluster member Because the VIP is assigned to a subnet a...

Страница 512: ...cluster members must match the IP addresses of all cluster members must be on the same subnets Each cluster member must have a unique member ID The member ID is the last octet in the IP address All m...

Страница 513: ...you have just added a license for HALB you must reboot prior to running the Cluster Wizard A cluster consists of at least two cluster members and can include up to eight Before you create a cluster en...

Страница 514: ...Cluster description Type a brief description of the type of cluster you are creating This description is used to identify the type and intent of the cluster Heartbeat interface Select a dedicated priv...

Страница 515: ...lete a message tells you that all cluster members must be rebooted to activate the cluster 14 To reboot immediately click OK 15 If you disabled redirected services before creating the cluster edit the...

Страница 516: ...after you save and activate changes To remove the cluster from hot standby mode uncheck Hot standby If you have change this option it requires a reboot after you save and activate changes 3 In the Lo...

Страница 517: ...able on one of the cluster members then the entire cluster signals the fault The cluster status on the Cluster Member Settings window displays that the cluster node is down and the reason displayed is...

Страница 518: ...the IP Addresses tab to add an entry to the Address list in the text box type the IP address of a host that you want to monitor and then click Add 5 Optionally on the Description tab type a more deta...

Страница 519: ...clusters You can choose to assign specific traffic for instance from a Web server through a specific cluster member regardless of load balancing For incoming traffic you cannot specify a service redir...

Страница 520: ...onal cluster member Although this is an administrator account it is only for internal cluster management you should never log on using this account If you change the cluster password you must log on t...

Страница 521: ...r panel in the IP address text box type the new IP address 5 Click Next 6 In the Connect to New Cluster Member panel do the following In the User name text box type the user name In the Password text...

Страница 522: ...solve a cluster all of its cluster members must then be individually managed You would dissolve a cluster when you no longer want to manage them in a clustered environment and you want to return to in...

Страница 523: ...d information For further information related to this topic see the following Adding or removing a cluster member on page 520 Remove Cluster Member panel on page 806 Confirmation panel on page 805 Spe...

Страница 524: ...viewing the cluster status Note This stepped reboot process does not apply to rebooting when you add delete an interface or a new cluster member When you reboot for these two situations all cluster me...

Страница 525: ...click Firewall 2 In the right pane select the rule that you want to modify to use stateful failover and then click Properties 3 In the Rule s Properties dialog box on the Miscellaneous tab check State...

Страница 526: ...interface by providing the following information You must define the same logical name IP address netmask and interface type on all cluster members 6 Click Next 7 In the Confirmation panel click Finis...

Страница 527: ...uster member 1 Log on to the first cluster member 2 In the SGMI on the Tool menu click System Setup Wizard 3 In the System Setup Wizard click Next on each panel until the Network Interfaces panel disp...

Страница 528: ...the System Setup Wizard click Next on each panel until the Network Interfaces panel displays 4 In the Network Interfaces panel select the interface 5 Change any of the following 6 In the Confirmation...

Страница 529: ...ster member Prerequisites None To view cluster status in the SGMI 1 In the SGMI in the left pane under Cluster click Cluster Status 2 In the right pane on the Cluster Status window you can view the IP...

Страница 530: ...the cluster member is up or down Note To learn about other bfstat usage you can use the following command bfstat help However other bfstat commands are troubleshooting commands that you should only u...

Страница 531: ...traffic on the outside interface of the security gateway and redirects it to your mail server When the HTTP redirected service is used on a security gateway that is not in a cluster the requested addr...

Страница 532: ...rties 10 In the Redirected Services Properties dialog box on the General tab check Enabled 11 In the Requested Address text box type the VIP address for external interface 12 Click OK 13 Optionally do...

Страница 533: ...to remove and then click Remove the selected cluster member 6 In the Remove Cluster Member panel select Yes remove this member from the cluster 7 In the Connect to Host panel do the following 8 Click...

Страница 534: ...ng service is not disrupted in the event of a cluster node failure RIP is configured on a physical inside interface but is applied using the VIP address Note OSPF will not advertise VIPs Due to this t...

Страница 535: ...tering and leaving values If you configure more than one address transform using ANY VPN it is likely to confuse the cluster settings Before you configure a gateway to gateway tunnel be aware that the...

Страница 536: ...lt gateway When restoring an image to a standalone system the interface information is always restored and you can correct the information on the Network Interface panel of the System Setup Wizard Clu...

Страница 537: ...the Setup Options panel under What type of system do you want to configure click Cluster member 4 If you are using the System Setup Wizard to restore from a backup image check Restore from a backup im...

Страница 538: ...restoring to a standalone security gateway except for a panel that is presented to you to determine whether the cluster information should be restored from this image Restore a configuration to a clus...

Страница 539: ...stration cluster configuration to a production network 1 Unpack your new security gateways 2 Use the Connecting and Configuring section of the Symantec Gateway Security 5000 Series V3 0 Getting Starte...

Страница 540: ...eginning of the configuration An error at the beginning of the configuration indicates problems with the cluster member that is deploying the configuration which is the first cluster member you logged...

Страница 541: ...interface on all cluster members must have a heartbeat address defined On all cluster members run the System Setup Wizard to define the heartbeat interface address There are pending changes Modifying...

Страница 542: ...n added Ensure that the correct address was specified Could not start remote host IP cluster propagation engine Failed to start the propagation engine Reboot the remote system Could not synchronize re...

Страница 543: ...member certificate A cluster member that you are adding does not have an SSL certificate defined Restore the initial installation of the cluster member No DNS entry found for new member The cluster ma...

Страница 544: ...ely remove a cluster before adding it back again Cannot coordinate delete of remote systems you must cancel the delete operation and fix the problem Delete message flowing error when qualifying a remo...

Страница 545: ...the correct heartbeat interface attribute was selected when you ran the Cluster Wizard No interface changes were detected Update the system interface information on all members prior to invoking this...

Страница 546: ...se but are not enabled by default Table A 1 Advanced options Option name Description blacklistd blacklist_time Period of time in minutes that an IP address remains on the blacklist The default value i...

Страница 547: ...must convert it to its ASCII equivalent ACE before it can query DNS for resolution If the client s Web browser is set to use a proxy such as the security gateway it is the proxy s responsibility to c...

Страница 548: ...r traffic idssym ports_bd_evolution Ports normally related to BD Evolution traffic idssym sara_ports Ports running security Auditor s Research Assistant traffic idssym sunrpc Ports running Sun Remote...

Страница 549: ...es exceeds this threshold all message above the threshold are dropped This helps prevent a flood of log messages from overloading the security gateway s processing ability The default value is 200 mis...

Страница 550: ...lt value is true tcp gsp service halfclose_timeout Half close timeout for a particular service handled by TCP GSP where service is in the format of port tcp For example tcp gsp 123 tcp halfclose_timeo...

Страница 551: ...of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save your changes click...

Страница 552: ...ed options 4 Do one of the following To save your configuration now and activate later on the toolbar click Save To activate your configuration now on the toolbar click Activate When prompted to save...

Страница 553: ...552 Advanced system settings Configuring advanced options...

Страница 554: ...ou can also request that a certificate be signed by a third party certificate authority CA and install third party certificate authorities on the gateway to facilitate certificate verification in your...

Страница 555: ...Server Certificates tab click Create new certificate 3 In the Create New Certificate dialog box do the following 4 Click OK 5 Optionally do one of the following To save your configuration now and acti...

Страница 556: ...urther information related to this topic see the following Installing a signed certificate on page 555 Installing a signed certificate After you send the request file to the certificate authority that...

Страница 557: ...556 SSL server certificate management Installing a signed certificate...

Страница 558: ...ase To access Symantec Gateway Security 5000 Series troubleshooting information 1 Go to http www symantec com 2 On the top of the home page click support 3 Under Product Support enterprise click Conti...

Страница 559: ...ave one serious log message look at the messages immediately preceding and following it for subsidiary informational messages Many problems right after installation come from basic connectivity glitch...

Страница 560: ...lowing Use SSH to FTP from the security gateway first using the IP address and then the host name or URL If you cannot connect to the FTP site you could have a routing problem a DNS problem or your IS...

Страница 561: ...e viewer Ensure that your LANG environment variable is set to or en_US UTF 8 before running flatten or remotelogfile Note Use the version of flatten that comes with the version of your appliance Note...

Страница 562: ...er it If a system has client listed after it it initiated a connection If a system has server listed after it it was the destination of a connection Every connection through the security gateway invol...

Страница 563: ...DeepSight Threat Management System on page 494 Using command line utilities to perform a local or remote backup on page 101 Managing log files remotely on page 480 Enabling SSH for command line acces...

Страница 564: ...us and antispam Dialog boxes that display when you make a menu selection Each topic provides a brief description of the SGMI feature one or more cross references to how you can use the feature and a t...

Страница 565: ...st the chart displays total throughput and incoming and outgoing throughput for the interface System Usage Percentage of CPU and memory usage System Active connections Number of active connections Che...

Страница 566: ...ring connections on page 466 Connection Summary Properties dialog box The Connection Summary Properties dialog box shows the connection details for a selected connection Associated tasks The task that...

Страница 567: ...he following format hndl type id rem_gw Where hndl handle type protocol type id internal tunnel ID rem_gw remote gateway For example a tunnel presented as 2 isakmp 16 20 20 20 1 has the following valu...

Страница 568: ...type For example ldap ooba For IPsec stats this field is always blank This field is not the authentication method in IKE negotiation Authentication User The authenticated gateway user The user name c...

Страница 569: ...erver Primary Server Last updated Date and time of the last LiveUpdate Primary Server Status Primary server status is one of the following Up Last server query was successful Pending Server query is i...

Страница 570: ...s exceeded You can unlock these user accounts Associated tasks The tasks that you can perform with this tab include Viewing clientless VPN failed logon attempts on page 469 Unlocking user accounts on...

Страница 571: ...d backing up archived log files on page 475 Adding or removing Event Log table columns on page 475 Starting a new log file on page 476 Table D 7 Event Logs tab Field Description New Log Saves the exis...

Страница 572: ...en triggered and could potentially be an attempt to breach the network perimeter Critical Indicates that the security gateway security is still working but one or more services have failed Emergency I...

Страница 573: ...ts you limit the events that are displayed in the table by searching the event log for one of the following classifications of events Access allowed Access through the security gateway was allowed Acc...

Страница 574: ...arch dialog box Advanced tab Field Description Event Types Limits the log messages displayed according to their event types Event types are Informational Indicates the security gateway is operating pr...

Страница 575: ...s the log messages displayed according to parameters contained in the messages and the values you specify System names Limits the log messages displayed according to the security gateway that generate...

Страница 576: ...S alerts table to a display of all alerts in the log Table D 13 IDS Alert Properties Field Description Time Date and time stamp of when the intrusion occurred Type Event type IDS IPS events always hav...

Страница 577: ...moderate impact denial of service attacks and threats permitting write access to important data or read access to sensitive data High A high severity level indicates a threat that poses a high risk su...

Страница 578: ...stination of the intrusion This option is unchecked by default Time Time period for which IDS IPS alerts are displayed This option is unchecked by default When Time is checked the following controls s...

Страница 579: ...potentially be an attempt to breach the network perimeter Critical Indicates that the security gateway security is still working but one or more services have failed Emergency Indicates an emergency T...

Страница 580: ...on is checked by default Notification Name A unique name for the blacklist notification The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscores _ Do...

Страница 581: ...ss or fully qualified domain name of the selected remote security gateway Port Port number over which to send the blacklist information to the remote security gateway The default value is 426 Password...

Страница 582: ...whether this option is enabled This option is checked by default Notification Name A unique name for the client program notification The maximum length is 256 characters Allowed characters are a z A Z...

Страница 583: ...potentially be an attempt to breach the network perimeter This option is unchecked by default Triggered by Error Event Normal security gateway operation cannot complete successfully The security of y...

Страница 584: ...ffic through the security gateway This option is unchecked by default Triggered by Critical Event The security gateway security is still working but one or more services have failed This option is unc...

Страница 585: ...include spaces in the name The characters and other reserved characters are also invalid Time Periods Indicates the time period during which the pager notification is active Options are ANYTIME When...

Страница 586: ...tempt to correct the error as soon as possible This option is unchecked by default Triggered by Warning Event Indicates an error condition that the security gateway can recover from but that requires...

Страница 587: ...teway This option is unchecked by default Triggered by Critical Event The security gateway security is still working but one or more services have failed This option is unchecked by default Triggered...

Страница 588: ...General tab Field Description Enable Indicates whether this option is enabled This option is checked by default Notification Name A unique name for the SNMP V1 trap notification The maximum length is...

Страница 589: ...s still ensured but you should attempt to correct the error as soon as possible This option is unchecked by default Triggered by Warning Event Indicates an error condition that the security gateway ca...

Страница 590: ...s whether this option is enabled For traffic to be controlled using this rule it must be enabled This option is checked by default Rule name A unique name for this rule The maximum length is 256 chara...

Страница 591: ...her IKE policies are used and the use of certificates or shared secrets Network entity group A collection of other network entities such as hosts domains and subnets When multiple hosts require simila...

Страница 592: ...Psec_Pass_Through Contains the ESP isakmp and udp_encap protocols Use it for rules that allow IPsec traffic through the security gateway to a VPN server on the other side News Contains the NNTP protoc...

Страница 593: ...ty gateway has been enabled to log alert messages when specified alert thresholds are reached This option is unchecked by default For rules that experience a high level of activity such as rules that...

Страница 594: ...ilable if the service group for the rule contains the HTTP protocol This option has the following effects When checked on a rule that controls HTTP HTTPS traffic the driver forwards protocol packets u...

Страница 595: ...at have been added to the rule Parameter Lets you add modify or delete the syntax for the advanced service The syntax must be correct Contact Symantec Technical Support for the exact syntax Table D 28...

Страница 596: ...list in conjunction with the included user groups list to allow most users of a group but exclude some specific individuals Excluded user groups Displays user groups that are disallowed by the rule A...

Страница 597: ...ion is unchecked by default HTTP Indicates whether antivirus scanning is applied to HTTP traffic that is controlled by this rule This option is only available if the service group used in the rule inc...

Страница 598: ...by default If you enable antivirus scanning you can select any of the following options Replace deleted files with message file Replaces an infected attachment in an HTTP container file for example a...

Страница 599: ...time blacklisted senders to allow list Lets you create a custom list of mail transfer agent IP addresses that are permitted to bypass the real time blacklist processing Note These features are only av...

Страница 600: ...an select an existing content profile from the list or create a new one HTTP Applies content filtering to HTTP traffic that is controlled by this rule This option is checked by default if the service...

Страница 601: ...matched to a specific pair of network entities All filters are characterized as A B and B A where the letters A and B stand for the network entities The direction of the arrow specifies which entity...

Страница 602: ...you have configured individual packet filters you can put them together in filter groups to refine the filtering of traffic A filter group can also include other filter groups Associated tasks The tas...

Страница 603: ...ecify the time periods by either of the following Time period ranges Time period groups Time Period Range Properties General tab The Time Period Range Properties dialog box lets you specify a single w...

Страница 604: ...which the time period range begins The default Not Defined means that this time period range does not use a day range Day range Through Day of the week on which the time period range ends The default...

Страница 605: ...sk that you can perform with this tab is Configuring a time period group on page 288 Time Period Group Properties Description tab Optionally provides an extended description This information is useful...

Страница 606: ...this option is enabled This option is checked by default Name A unique name for the VPN tunnel The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscor...

Страница 607: ...Keys button rather than creating your own keys Local network entity key Data integrity key for the local entity This dictates the type of authentication header AH that is prepended to packets sent thr...

Страница 608: ...r and it lets the receiver identify the tunnel to which the packet belongs Encryption Header SPIs Remote network entity Security Parameter Index SPI for the remote endpoint of the tunnel The SPI is pa...

Страница 609: ...is 128 characters For longer descriptions use the Description tab Table D 43 Client VPN tunnel Properties General tab Field Description Enable Indicates whether this option is enabled This option is e...

Страница 610: ...ion tab Filter applied Applies a filter as part of the VPN policy The options are Sample_Denial of Service_filter Blank Any filter you have previously configured The default is none Data integrity pro...

Страница 611: ...check box sends the data packet up the protocol stack for authorization The packets are then subject to all the address transforms and rule checking performed by the proxies This check box is uncheck...

Страница 612: ...ion Standard using 56 bit key 3DES Uses the triple Data Encryption Standard using three 56 bit keys AES 16 Uses Advanced Encryption Standard with a 16 byte key AES 24 Uses Advanced Encryption Standard...

Страница 613: ...ntication header that will be prepended to packets sent through the tunnel Supported types are SHA1 Uses an algorithm that generates a 160 bit message digest slower but more secure than MD5 MD5 Uses a...

Страница 614: ...ates tables of these strings and replacement tokens which consist of pointers to the previous data streams LZS uses these pointers to remove redundant strings from the new data streams DEFLATE Uses a...

Страница 615: ...ssful the next algorithm is tried Down Moves the selected item in the Selected list down in the list Table D 49 IPsec static key policy Properties General tab Field Description Policy name A unique na...

Страница 616: ...AH holds authentication information for its IP packets It accomplishes this by computing a cryptographic function for the packets using a secret authentication key If you select this option but you h...

Страница 617: ...is is the default DES Uses the Data Encryption Standard using a 56 bit key to encrypt and decrypt messages 3DES Uses triple Data Encryption Standard using three 56 bit keys to encrypt and decrypt mess...

Страница 618: ...d corporate Web based applications from any location Remote users at any dial up broadband or wireless access point can gain access to specific applications by logging in to a secure extranet Table D...

Страница 619: ...l traffic to the security gateway proxies This option is unchecked by default DHCP Enables DHCP connections This option is checked by default DHCP server location If DHCP is enabled select an existing...

Страница 620: ...entary patterns for the most essential URL components An access rule identifies specific resources and the attributes required to access them Each simple rule can only define one resource protocol Dif...

Страница 621: ...t Port number to use This is only necessary if it is not the default port number for that resource protocol Path Folder file or URL path to the resources made available or restricted on the destinatio...

Страница 622: ...rce defined by the rule select Allow To specifically prevent users from accessing the resource defined by the rule select Deny Allow is the default Network application s Network application to which t...

Страница 623: ...name User name to whom to allow or deny access to the resource Domain For file resources only an expression that matched the domain in which the resource resides Share For file resources only an expr...

Страница 624: ...tion is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 56 Rule Set Properties General tab Field Description Rule s...

Страница 625: ...signing a parent to a role on page 429 Table D 58 Clientless VPN Role Properties General tab Field Description Role type Role type The role type options include User Group Custom role The default is G...

Страница 626: ...are added to the role This is a read only field To remove a portal page from parent you must remove the parent role entirely Portal pages To add portal pages to this role click Add select the portal p...

Страница 627: ...lows remote users to log on to the security gateway This option is checked by default Lock user accounts automatically Automatically locks user accounts in accordance with the parameters set in the Fa...

Страница 628: ...urces from the user interface without re entering their user name and passwords Associated tasks The task that you can perform with this tab is Creating a single sign on rule on page 439 Table D 65 Cl...

Страница 629: ...ntication data appears within the message body This is the default Failed method URL to which users are redirected when the authentication fails Capture all authentication variables Captures all authe...

Страница 630: ...operations to convert or rewrite resource host names or URLs with the security gateway s address instead of the actual network host or URL Use the URL Translation Rules properties General tab to speci...

Страница 631: ...uration tab Field Description Maximum time in seconds Indicates whether this option is enabled and displays the maximum time that the security gateway can spend extracting a single container file Use...

Страница 632: ...is checked by default When an email has malformed containers Indicates the action the security gateway should take when an email has malformed containers Options are Block the file SMTP Only This is...

Страница 633: ...ing options apply to file scanning Scan all files This option will scan all files regardless of extension This option is unchecked by default Scan all files except the following types This option will...

Страница 634: ...Mail Attachment Restrictions tab Field Description Files Lists file names and search strings that identify mail attachments that should be restricted The Add button lets you add file names and search...

Страница 635: ...specified file sizes and deliver the remainder of the message including attachments that do not match a specified file size The mail message is not updated to indicate that an attachment has been dele...

Страница 636: ...he SMTP protocol Insert x virus header Adds an x virus header to an email message and forwards the email and any attachments to the recipient The Insert x virus header option does not repair or delete...

Страница 637: ...ile the security gateway removes the infection and rebuilds the container You can replace the deleted infected file with a text file that notifies the recipient that an infected file was deleted You c...

Страница 638: ...ts on page 356 Reducing false positives using a custom allow list on page 357 Identifying spam using a custom known spammers list on page 354 Message contained in the file that replaces a deleted file...

Страница 639: ...e is 3 When you increase the sensitivity level more false positives are likely to occur Real time blacklisted senders to allow Lists IP addresses or fully qualified domain names of real time blacklist...

Страница 640: ...ault text is Spam When no text is typed in the box the subject line is not modified No response The default value is Prepend to the mail subject Email senders identified as spam SMTP only Indicates an...

Страница 641: ...dialog box is Reducing false positives using a custom allow list on page 357 Related information For further information related to this topic see the following About the antispam scanning process on...

Страница 642: ...S IPS policy change the heuristic detection level that is enforced by an existing policy and add a brief caption describing the policy Associated tasks The task that you can perform with this tab is C...

Страница 643: ...s that you can perform with this tab are Viewing intrusion events on page 326 Modifying event log and block settings on page 329 Heuristic Heuristic detection level for the selected IDS IPS policy Opt...

Страница 644: ...s Medium_Security A medium security IDS IPS policy can be applied to service networks High_Security A high security IDS IPS policy can be applied to outside interfaces Very_High_Security A very high s...

Страница 645: ...rovide troubleshooting information Low A low severity level indicates reconnaissance tools general malicious indicators and threats with a low impact Medium A medium severity level indicates a threat...

Страница 646: ...to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 85 IDS Portmap Configuration Properties dialog box General tab Field Descr...

Страница 647: ...list Deny Permits users to access any URL address except those in the list Deny URLs that contain the following patterns Lists URL patterns that are used to restrict access to sites URL patterns must...

Страница 648: ...ing file extensions from the Available list When you apply file extension restrictions to a rule the security gateway allows or denies download of files with the file extensions in this list Select on...

Страница 649: ...rofile you control the degree of filtering that is applied by choosing to deny particular content categories Depending on the state of a particular list access to the URLs contained in the list may be...

Страница 650: ...ges from 1 to 10 where 10 is the most sensitive The default value is 8 Content Profiles Lists the content profiles that you configured for your security gateway Table D 93 Content Filtering Profile Pr...

Страница 651: ...ying the contents of a content category on page 312 Rating Modification Properties Description tab Optionally provides an extended description This information is useful to help track changes or it ca...

Страница 652: ...ion Field Description Available rating categories Lists rating categories to which URLs or newsgroups can be added so that they can be blocked To move a rating category to the Selected categories list...

Страница 653: ...profile or create a new one A newsgroup profile specifies a list of allowed and denied newsgroups Because newsgroups can have different scope it is necessary to have both an allow and a deny list For...

Страница 654: ...can perform with this tab include Ensuring compliance of remote Client VPN computers on page 397 Ensuring client compliance for clientless VPN users on page 449 Table D 99 Newsgroup Profile Properties...

Страница 655: ...of scanning engine Requires that the client has the latest version of the antivirus scanning engine This option is unchecked by default Require latest virus definitions Requires that the client has th...

Страница 656: ...with the selected packet filter Web VPN Single sign on Enables single sign on rules for clientless VPN users Web VPN Store Web VPN passwords for use with single sign on When the feature is enabled th...

Страница 657: ...k interface See Enabling spoof protection on page 370 Table D 102 Host Network Entity Properties General tab Field Description Entity name A unique name for the host network entity The maximum length...

Страница 658: ...ve through the interfaces in this list the security gateway does not check whether they are arriving through the correct interface Selected Lists the interfaces that are associated with this host netw...

Страница 659: ...brief description of the subnet entity The maximum length is 128 characters For longer descriptions use the Description tab Table D 105 Subnet Network Entity Properties Spoof Protection tab Field Desc...

Страница 660: ...ith this tab is Creating a network entity group for rules that apply to multiple entities on page 166 Table D 106 Domain Name Network Entity Properties General tab Field Description Entity name A uniq...

Страница 661: ...Creating security gateway network entities for use in tunnels on page 164 Caption An optional brief description of the network entity group The maximum length is 128 characters For longer description...

Страница 662: ...This is useful for deployments where the security gateway is using a DHCP server on the outside VIP Only available when the security gateway is a member of a cluster and a virtual IP address VIP has b...

Страница 663: ...sed for authentication This option is unchecked by default Shared secret When IKE is enabled and your address type is an IP address or Domain name selecting this option indicates that a shared secret...

Страница 664: ...Network Interfaces tab lets you modify the parameters of the network interfaces for your security gateway To configure new network interfaces or to modify a network interface IP address or netmask yo...

Страница 665: ..._ Do not include spaces in the name The characters and other reserved characters are also invalid Port Scan detection Indicates whether port scan detection is enabled on this interface This option is...

Страница 666: ...t in the allowed list throttling is applied No selection blank line in drop down list SYN flood protection is disabled Both forms of throttling are triggered only if the security gateway is already ex...

Страница 667: ...293 Caption An optional brief description of the network entity The maximum length is 128 characters For longer descriptions use the Description tab Table D 114 Network Interface Properties Static IP...

Страница 668: ...ameters Route Cost This field is often used as a mechanism to give priority to one interface over another The lower the cost the more likely it is that this interface gets chosen over another Acceptab...

Страница 669: ...security gateway is not the default route and you are using static one to one mapping of addresses to conceal addresses on your network or to handle the problem of address overlapping When the securit...

Страница 670: ...Description tab Arriving through Interface or secure tunnel that the client is using to access the designated address For example if all packets coming from the interface to the network destination a...

Страница 671: ...ters defined When this happens the connection is dropped and the NAT address is released back into the pool The security gateway translates source addresses for transmitted packets and destination add...

Страница 672: ...consist of only one entity if necessary The mapping must also be one to one In other words you must have the same number of entities in your real subnet as you do in your NAT subnet Table D 119 Dynami...

Страница 673: ...e has to be two published IP addresses or the validation errors will occur If clientless VPN is enabled with the same external IP address the security gateway does not know where to direct the traffic...

Страница 674: ...ion Paul Albitz and Cricket Liu O Reilly Associates Inc 2001 ISBN 0 596 00158 4 Before configuring DNS you should familiarize yourself with the differences between RFC defined DNS and the security gat...

Страница 675: ...rver with a DNS authority record on page 145 DNS Authority Record Properties Description tab Optionally provides an extended description This information is useful to help track changes or it can be u...

Страница 676: ...ifies either a host name or IP address in a given domain This type of record serves a dual purpose acting as either an A address record which resolves a name to an address or a PTR pointer record whic...

Страница 677: ...d characters are also invalid Accessibility The drop down list contains the following Public Defines the outside interface as the authoritative DNS server for your domain Any host internal or external...

Страница 678: ...ord Properties General tab Field Description Enable Indicates whether this option is enabled This option is checked by default Server name A unique name for the DNS mail server record The maximum leng...

Страница 679: ...DNS system supports defining name servers for a domain The name server entry marks the authoritative servers to consult when performing DNS lookups for a host in that domain Authoritative name server...

Страница 680: ...record The maximum length is 256 characters Allowed characters are a z A Z numerals periods and dashes Do not include spaces in the name The characters _ and other reserved characters are also invali...

Страница 681: ...for the external network Associated tasks The task that you can perform with this tab is Resolving host name requests for an outside system by creating a DNS recursion record on page 149 Table D 131...

Страница 682: ...ecord if you have no access to the Internet if you have your own internal root servers This is also preferred to using a forwarder on the internal security gateway Associated tasks The task that you c...

Страница 683: ...help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 134 DNS Subnet Record Properties General tab Field Description Enable Indicat...

Страница 684: ...s an Address transform allowing client to see the server s actual IP address Use original source address if selected The SPF record should resolve to the actual mail server address Address transform w...

Страница 685: ...omain If the mail is not received from one of the listed MX servers then the message does not meet a domain s strict definition of legitimacy and the domain cannot confidently state that the message i...

Страница 686: ...s requesting that access This is most commonly done through a security mechanism called authentication The authentication process verifies the identity of a user requesting access by contacting an aut...

Страница 687: ...rs and groups The primary purpose of the internal authentication server is to provide a mechanism for administrators without an external authentication server to configure and control access for defin...

Страница 688: ...erver record The maximum length is 256 characters Allowed characters include a z A Z numerals periods dashes and underscores _ Do not include spaces in the name The characters and other reserved chara...

Страница 689: ...determined using the attributes found within LDAP group records Using this approach the DN returned during the authentication process is used in conjunction with the values specified in the Group Obje...

Страница 690: ...During authorization checks the value specified here is used by the LDAP Ticket Agent in conjunction with the value specified in the Group Member Attribute text box and the Distinguished Name returne...

Страница 691: ...unique name for the RADIUS authentication server record The maximum length is 256 characters Allowed characters include a z A Z numerals periods dashes and underscores _ Do not include spaces in the...

Страница 692: ...This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 146 SecurID Properties General tab Field Descri...

Страница 693: ...ength is 256 characters Allowed characters include a z A Z numerals periods dashes and underscores _ Do not include spaces in the name The characters and other reserved characters are also invalid Joi...

Страница 694: ...alphanumeric characters Table D 148 Scheme Properties General tab Field Description Scheme name A unique name for the authentication scheme The maximum length is 256 characters Allowed characters are...

Страница 695: ...le D 149 User Account Properties General tab Field Description User name A unique name for the user The maximum length is 256 characters Allowed characters include a z A Z numerals periods dashes and...

Страница 696: ...sword Confirmation of the password typed in the Password field This field is used when configuring a password to confirm what you typed in the Password field Account expiration date Date that this acc...

Страница 697: ...r group Names of all the groups of which the user is a member If this is a new user the Groups tab lets you add this user to an IKE user group so that it will appear in this drop down list An IKE enab...

Страница 698: ...n optional brief description of this user group The maximum length is 128 characters For longer descriptions use the Description tab Table D 154 User Group Properties VPN Authentication tab Field Desc...

Страница 699: ...ethod Enforce client compliance Selects level of client compliance required The default selection is Ignore Enforce group binding Enforces binding between the extended authentication user name and a g...

Страница 700: ...Properties CIFS Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alp...

Страница 701: ...ry name servers how often to check with the system on the accuracy of the secondary name server s DNS database If there is a discrepancy a DNS zone transfer of information occurs between the secondary...

Страница 702: ...ier It can be up to 10 characters The default is yyyymmddHHM Hostmaster This address should be in the format account server and not account server This address is then passed along to other name serve...

Страница 703: ...Modifying the FTP greeting on page 200 Deny outside RFC1918 addresses When enabled lookup responses received from the outside interface that contain such addresses RFC 1918 are denied If you are using...

Страница 704: ...FTP Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric ch...

Страница 705: ...l GSP proxies are enabled allowing traffic to be passed using protocols that do not have proxies The Use GSP option must also be checked on the protocol This option is checked by default Enable TCP GS...

Страница 706: ...tasks The task that you can perform with this tab is Configuring access for Internet based communications on page 204 Table D 165 Proxy Properties GSP Connection Timeout tab Field Description TCP tim...

Страница 707: ...ions are closed and whether tracing is enabled Associated tasks The tasks that you can perform with this tab include Modifying the timeout period to keep inactive H 323 connections open on page 207 En...

Страница 708: ...mon closes the session The default is 300 seconds Enable Socket Linger Defines how connections are closed You should only check this option in a closed environment This option is unchecked by default...

Страница 709: ...at you can perform with this tab is Configuring the HTTP proxy to listen on additional ports for secure connections on page 214 Table D 171 Proxy Properties HTTP Web Proxy tab Field Description Extern...

Страница 710: ...Changing the default extension added to URLs on page 215 Proxy Properties HTTP Description tab Optionally provides an extended description This information is useful to help track changes or it can be...

Страница 711: ...through mail slots on page 197 Proxy Properties NBDGRAM Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for...

Страница 712: ...ticle cache Associated tasks The task that you can perform with this tab is Changing the size of the news cache on page 218 Table D 179 Proxy Properties NNTP General tab Field Description Enable Indic...

Страница 713: ...h the NNTP proxy listens on page 220 Table D 181 Proxy Properties NNTP Policy tab Field Description Minimum Visit Time seconds Controls the frequency at which NNTP logs statistics events when users sw...

Страница 714: ...e nearest interface of the security gateway for NTP They cannot query outside NTP servers Associated tasks The task that you can perform with this tab is Configuring access for news feeds on page 216...

Страница 715: ...n Internal NTP servers Servers that are used to synchronize the system clocks Optionally these are needed if the security gateway does not use the public NTP servers For example if the security gatewa...

Страница 716: ...when users retrieve their email from external servers The POP3 proxy provides services such as access control address transparency NAT RFC compliance enforcement and antispam and antivirus scanning In...

Страница 717: ...ogon rlogon shell rsh Associated tasks The task that you can perform with this tab is Configuring the security gateway to support UNIX commands on page 223 Proxy Properties RCMD Description tab Option...

Страница 718: ...ms checking on each mail connection and can be configured to scan for known mail based forms of attack such as viruses and spam Associated tasks The tasks you can perform with this tab include Configu...

Страница 719: ...e SMTP proxy to debug mode for more verbose error reporting on page 234 Table D 192 Proxy Properties SMTP Timeout tab Field Description Connection timeout seconds Determines how long the SMTP proxy wa...

Страница 720: ...Description tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric chara...

Страница 721: ...the system the alias file you create lets it locate the hidden inside address of its final destination The aliases you create here are eventually typed into the H 323 client interface Associated tasks...

Страница 722: ...dividual predefined proxy or a Generic Service Proxy GSP ICMP Based Protocol Properties General tab You use an Internet Control Message Protocol ICMP to send error and control messages about routing p...

Страница 723: ...sage type of the protocol The following message types are supported 0 Echo reply 3 Destination unreachable 3 Net unreachable 3 Host unreachable 3 Protocol unreachable 3 Port unreachable 3 Fragmentatio...

Страница 724: ...destinations as if the requester was directly connected to the remote destination machine Note Source ports are only maintained for connections if the original client address is maintained Table D 20...

Страница 725: ...pe of destination port used by the protocol Select one of the following Single Port Lets you specify a Destination low port only Port Range Use a port range if the application for which you are creati...

Страница 726: ...tion is enabled Check this option to enable the custom protocol to use the GSP proxy since custom protocols are not supported by the system proxies This option is checked by default Use native service...

Страница 727: ...me protocol as it is used in different service groups You can create a service group before creating the rule or create the service group as you create the rule Service Group Properties General tab A...

Страница 728: ...ion tab Optionally provides an extended description This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Tab...

Страница 729: ...on an SMB server File Permission Change Allowed Lets users and applications change modal attributes of any file on an SMB server File Generic Access Allowed Lets users connect to any shared resource n...

Страница 730: ...e security gateway log file Kerberos Authentication Allowed Microsoft Windows 2000 uses Kerberos as an authentication method for any connecting systems You should enable this option should if you are...

Страница 731: ...of the HTTP protocol Associated tasks None Table D 207 Parameters for ftp Additional Commands tab Field Description Command list Current list of additional commands for this protocol Command Additiona...

Страница 732: ...it is necessary to create client side transparency using an address transform on the system depending on whether the DCOM connection is incoming or outgoing server side transparency exists by default...

Страница 733: ...ting Allowed Enables posting to a newsgroup This option is enabled by default Loose Filter Policy Allowed When this option is enabled any message that is posted to at least one of your allowed newsgro...

Страница 734: ...rameters for pop 3 Advanced tab Field Description Allow DELE command Support for deleting email This option is checked by default Enable POP3 extensions Enables support for POP3 extended commands Once...

Страница 735: ...th limits are not applicable In this case to configure RealAudio limits you must set up MIME type restrictions Caption An optional brief description of the modifiable parameters for RealAudio The maxi...

Страница 736: ...ines that match the hidden domain name are replaced by the message private information removed Suppression is for a single block of received header lines Sender Domain Checked Forces the sender s addr...

Страница 737: ...by default ATRN Enabled Allows an on demand mail relay from the server to the client by turning the existing connection around This option is checked by default ETRN Enabled Lets clients access mail I...

Страница 738: ...mum length is 20 000 alphanumeric characters Portal Page Properties General tab The Portal Page Properties General tab lets you completely customize the user experience by configuring quick links that...

Страница 739: ...perties General tab Field Description Portal page name A unique name for the portal page The maximum length is 256 characters Allowed characters are a z A Z numerals periods dashes and underscores _ D...

Страница 740: ...Allowed characters are a z A Z numerals periods dashes and underscores _ Do not include spaces in the name The characters and other reserved characters are also invalid Display name Type a name for t...

Страница 741: ...ion is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 223 Resource Group Properties General tab Field Description...

Страница 742: ...s The Secure Web Mail tabs let you accommodate different possible mail server configurations by mapping IMAP servers to SMTP servers for use with the Web mail client In addition you can set the domain...

Страница 743: ...page 430 Table D 226 Secure Web Mail Access Properties General tab Field Description Domain name Domain name of the host mail server IMAP host name IP address or fully qualified domain name of the IMA...

Страница 744: ...tion password for user accounts that use internal authentication The maximum value is 9999 The default value is 10 Clientless VPN User timeout seconds Number of seconds to wait until timing out a clie...

Страница 745: ...irus is installed Antispam Indicates whether this option is enabled The antispam feature provides scanning processes that let you optimize spam detection and reduce false positives You can also config...

Страница 746: ...you log on to the security gateway over the network If you enable both SSH version1 and SSH version 2 simultaneously the appliance makes an SSH v2 connection which is more secure Take one or more of...

Страница 747: ...nd localized Enabling text logging instructs the security gateway to write out two separate versions of the log file one in binary and the other in text There is a performance impact as the security g...

Страница 748: ...equest Port Number Port number on which logserviced listens for requests from services to translate log messages The default value is 6867 Rollover Request Port Number Port number on which logserviced...

Страница 749: ...ntication or support a limited set of authentication types like HTTP The most common use for OOBA is to enable authentication on a GSP which does not have authentication by default The General tab let...

Страница 750: ...et information as well as the user name This means that a user must connect to a server from the same IP address each time for the ticket to be valid Including the client IP address with the user name...

Страница 751: ...s tab is Maintaining traffic flow on page 113 Port Port number for authenticating connections requiring a log on and log off Do not change this port unless you have a direct conflict The default value...

Страница 752: ...onds that are allowed to elapse between the time a process restart on a daemon is first attempted to when the restart functions stops trying to restart the process Use this parameter in conjunction wi...

Страница 753: ...violations to SESA This option is checked by default Intrusion Detection Reports Sends events that are generated by intrusion detection violations to SESA This option is checked by default Client Com...

Страница 754: ...ated by network traffic are tallied during the time period specified for the Message Send Rate At the end of this period a single message summarizing the tally is sent to SESA Not Consolidated All eve...

Страница 755: ...tion This information is useful to help track changes or it can be used as criteria for searches The maximum length is 20 000 alphanumeric characters Table D 237 LiveUpdate Server Properties General t...

Страница 756: ...ettings for Component Properties General tab Field Description Last update Date the last LiveUpdate was run Version Current version of the definitions For IDS IPS Signature version Current version of...

Страница 757: ...te Settings for Component Properties Schedule tab Field Description Automatic update Runs LiveUpdate automatically at the specified time This option is unchecked by default Multiple times a day Perfor...

Страница 758: ...e includes both the host and the domain name The maximum length is 64 characters Allowed characters are a z A Z numerals and periods Hyphens cannot be used in the common name Generally it is the host...

Страница 759: ...eral tab Fields Description Enable Indicates whether this option is enabled This option is checked by default User Name Name of the administrator The maximum length is 32 characters Allowed characters...

Страница 760: ...r accounts This option is unchecked by default Read IDS allowed Enables the administrator to view IDS signatures This option is checked by default Write IDS allowed Enables the administrator to modify...

Страница 761: ...t Issue alert Enables the administrator to create notifications for events This option is checked by default SSH allowed Enables the administrator to connect to the security gateway appliance using SS...

Страница 762: ...u must log on to each cluster member and make the same change All cluster passwords must match Associated tasks The task that you can perform with this tab is Changing the cluster account password on...

Страница 763: ...tion An optional brief description of the Cluster account The maximum length is 128 characters For longer descriptions use the Description tab Table D 247 Cluster Account Properties Configuration Priv...

Страница 764: ...bles log file management on nodes in a cluster Issue alert Enables the creation of notifications for events Reboot allowed Enables rebooting of the security gateway Backup allowed Enables the back up...

Страница 765: ...Address tab Field Description Permitted logon addresses Lists the IP addresses from which the cluster account can be accessed When restricted addresses are assigned the cluster account cannot be acces...

Страница 766: ...Account Properties Privileges tab Field Description View log Lets the remote computer be used to view security gateway log files This option is checked by default Manage log Lets the remote computer b...

Страница 767: ...nt to avoid having blocked in the event that SYN flood protection is enabled and the security gateway is currently throttling connections because it believes it is under attack Associated tasks The ta...

Страница 768: ...ecurity gateways are grouped together and instructed to work as a single entity All cluster members share the state information of all other cluster members and any cluster member can immediately assu...

Страница 769: ...ancing If potential overload is anticipated you should enable load balancing rather than hot standby mode If load balancing is enabled the load will be shared between the configured cluster members If...

Страница 770: ...IP addresses for clusters on page 515 Table D 257 Cluster Member Properties Field Description Member ID Displays the cluster member ID This field is read only Weight Weight is a number between 1 leas...

Страница 771: ...rocesses on page 516 Ping Groups window You can configure ping groups to monitor any device on any network For example servers switches hosts routers and so forth If the Ping group fails the whole clu...

Страница 772: ...erface by configuring NIC monitoring NIC monitoring does not work on VLAN interfaces Associated tasks The task that you can perform with this window is Configuring NIC monitoring on a cluster on page...

Страница 773: ...rs Traffic Grouping window You can choose to assign specific traffic for instance from a Web server through a specific cluster member regardless of load balancing For incoming traffic you cannot speci...

Страница 774: ...ociated tasks The task that you can perform with this dialog box is Changing the root password on page 73 Table D 264 Traffic Grouping window Field Description Address IP address of a server to be ass...

Страница 775: ...locked and the new password contains digits or punctuation characters you are warned however you can still create the password If the LCD panel is locked If the LCD panel is locked the password must...

Страница 776: ...viewed with any standard Web browser if generated in HTML format or Adobe Acrobat reader if generated in PDF Associated tasks The tasks that you can perform with this dialog box include Generating and...

Страница 777: ...page 777 Client VPN Package Wizard panel This is the first panel of the Client VPN Package Wizard This panel introduces you to the wizard Associated tasks The task that you can perform with this panel...

Страница 778: ...es the configuration of VPN tunnels for remote Client VPN users Associated panels These are the individual panels of the Remote Access Tunnel Wizard for Client VPN Remote Access Tunnel Wizard panel on...

Страница 779: ...e Remote Access Tunnel Information panel you assign a name to the Client VPN tunnel and provide a brief description Associated tasks The tasks that you can perform with this panel include Using the Re...

Страница 780: ...you select an existing security gateway network entity from the drop down list Create new network entity Lets you create a new security gateway network entity by specifying the following Name A uniqu...

Страница 781: ...riods and dashes Do not include spaces in the name The characters and other reserved characters are also invalid Host IP IP address of the Host network entity New Local Endpoint panel For a Subnet net...

Страница 782: ...re satisfied that the information is correct click Finish to create the tunnel or configure the connection To make changes click Back to return to a previous panel Table D 278 Remote Endpoint panel Fi...

Страница 783: ...page 784 User Group Role panel on page 786 Confirmation panel on page 781 Clientless Access Method panel In the Clientless Access Method panel you select the type of clientless VPN connection that yo...

Страница 784: ...ashes Do not include spaces in the name The characters and other reserved characters are also invalid Protocol The selected entry in the drop down list indicates the type of traffic to allow or deny F...

Страница 785: ...able D 283 describes the options Table D 284 and Table D 285 indicate which options are used for each type of connection Associated tasks The task that you can perform with this panel is Using the Rem...

Страница 786: ...connection Share Enables a share of the resource Read allowed Enables read access of the resource Write allowed Enables write access of the resource Table D 284 Protocol option matrix for Client VPN...

Страница 787: ...panel on page 789 Remote Endpoint panel on page 790 VPN Policy panel on page 791 Confirmation panel on page 792 Table D 286 User Group Role panel Field Description Use existing role Lets you select an...

Страница 788: ...y panel you select an existing security gateway network entity or create a new security gateway network entity to serve as the local gateway for the gateway to gateway tunnel Associated tasks The task...

Страница 789: ...urity gateway network entity by specifying the following Name A unique name for the new security gateway network entity The maximum length is 256 characters Allowed characters are a z A Z numerals per...

Страница 790: ...ntity On the New Local Endpoint panel for a subnet network entity you supply the following values Name A unique name for the new remote endpoint The maximum length is 256 characters Allowed characters...

Страница 791: ...curity gateway network entity by defining the following Gateway name A unique name for the new security gateway network entity The maximum length is 256 characters Allowed characters are a z A Z numer...

Страница 792: ...e New Remote Endpoint panel for a subnet network entity you supply the following values Name A unique name for the new remote endpoint The maximum length is 256 characters Allowed characters are a z A...

Страница 793: ...ith the IPsec IKE VPN policy you configure to perform Phase 1 negotiations for VPN tunnels You can have only one global IKE policy but you may change the values of the default policy at any time Globa...

Страница 794: ...g three 56 bit keys The default is Triple DES and DES Selected Data privacy methods selected for packet data You can use a combination of these options The one listed first is tried first If this meth...

Страница 795: ...and Group 2 are the Diffie Hellman group numbers for establishing these IKE session keys Group 1 is 768 bits long and Group 2 is 1024 bits long Using Group 2 is more secure but it also uses more CPU p...

Страница 796: ...TP traffic options from the Firewall Rule Wizard Associated panels These are the individual panels of the System Setup Wizard for the initial configuration System Setup Wizard panel on page 796 Option...

Страница 797: ...tent filtering antivirus antispam intrusion detection and prevention and hardware encryption Associated tasks The tasks that you can perform with this panel include Making system changes with the Syst...

Страница 798: ...Indicates whether this option is enabled The antispam feature provides scanning processes that let you optimize spam detection and reduce false positives You can also configure how to respond to spam...

Страница 799: ...rity gateway Another Symantec Gateway Security 5000 Series v3 0 security gateway Symantec Gateway Security v2 0 s Symantec Clientless VPN Gateway v5 0 If you check this option you must select one of t...

Страница 800: ...ay IP address of the default gateway In most cases the default gateway is the router or connection you have to your ISP Lock LCD panel Prevents personnel who do not have access privileges from making...

Страница 801: ...that is used in rules IP address IP address in dotted quad notation You must use an IP address that is unique to the subnet to which it connects Netmask Subnet mask address MAC address MAC address is...

Страница 802: ...tion on page 535 Cluster Wizard When creating a new cluster you can choose any available security gateway and that security gateway becomes the cluster member from which you deploy the configuration T...

Страница 803: ...Cluster Wizard and click Next you cannot click Back Later when you need to modify remove or dissolve a cluster or cluster member you can do so from the Tools Cluster menu These options share panels A...

Страница 804: ...of active interfaces defined by the System Setup Wizard is listed in the drop down list If the interface you require is not listed cancel out of the this wizard return to the System Setup Wizard and...

Страница 805: ...include Creating a new cluster with the Cluster Wizard on page 512 Associated panels on page 802 Adding or removing a cluster member on page 520 Table D 307 Cluster VIP Addresses panel Field Descripti...

Страница 806: ...n perform with this panel include Creating a new cluster with the Cluster Wizard on page 512 Associated panels on page 802 Adding or removing a cluster member on page 520 Dissolving a cluster on page...

Страница 807: ...select Update Interface utility from the Tools Clusters menu While this is not a shared panel with the Cluster Wizard it does share some of the other panels Associated tasks The tasks that you can per...

Страница 808: ...sks that you can perform with this panel include Saving and activating configuration changes on page 59 Associated panels on page 807 Revision Comment panel This panel lets you provide a revision comm...

Страница 809: ...isplay it by running the System Setup Wizard and on the Setup Options panel checking Restore from a backup image Associated tasks The tasks that you can perform with this panel include Restoring secur...

Страница 810: ...tivirus feature lets you establish scanning and blocking policies for traffic using the FTP HTTP SMTP and POP3 protocols This option is checked by default if a license for antivirus is installed Antis...

Страница 811: ...HA LB is not enabled these options are not accessible By default the security gateway is configured as a standalone gateway Restore backup configuration s network interfaces data If you are restoring...

Страница 812: ...perform with this panel include Restoring security gateway configuration files from the SGMI on page 99 Restoring a cluster configuration on page 535 Associated panels on page 808 Table D 317 Restore...

Страница 813: ...ring HTTP FTP and mail SMTP and POP3 rules with the Firewall Rule Wizard on page 284 Associated panels on page 812 Optional Security Gateway Configuration panel The Optional Security Gateway Configura...

Страница 814: ...es Table D 320 SMTP Options panel Field Description Mail server IP address or domain name IP address or fully qualified domain name of your mail server This is usually an internal mail server that rec...

Страница 815: ...sociated panels on page 812 Table D 321 POP3 Options panel Field Description Mail server IP address or domain name IP address or fully qualified domain name of your mail server This is usually an inte...

Страница 816: ...port 443 tcp or 563 tcp as the destination port Other port numbers are disallowed This option is checked by default Allow FTP through HTTP Lets the FTP protocol be handled by the HTTP proxy This optio...

Страница 817: ...use them in security gateway rules filters and tunnels Before the end of the grace period you must obtain and install licenses for each security gateway feature that you want to continue to use The o...

Страница 818: ...Field Description Visit Licensing Web Site Lets you connect to the Symantec Licensing and Registration Web site where you can enter the license serial numbers Symantec System ID and appliance serial n...

Страница 819: ...at the licenses have been installed Note Any loss of functionality for example when the new licenses do not support components included in the 30 day grace period takes place immediately Any new funct...

Страница 820: ...h this panel is Associated panels on page 819 Test Server panel This is the last wizard screen It shows the current testing status in the bottom of the summary window Associated tasks The task that yo...

Страница 821: ...sociated tasks The task that you can perform with this panel is Associated panels on page 819 Table D 329 Active Directory Server Connection Wizard panel Field Description Name Name assigned to the Mi...

Страница 822: ...ing programs on a network and configuring them for distribution to workstations The administrator may also update security settings on workstations agent See SESA Agent In SESA a message that notifies...

Страница 823: ...other part the public key is published widely but is still associated with the owner attachment A file that a user adds to an email message to transfer it to another user attack signature The feature...

Страница 824: ...r to a modem or a cable that connects two computers directly which is sometimes called a null modem cable Certificate Authority signed SSL A type of Secure Sockets Layer SSL that provides authenticati...

Страница 825: ...r See also computer group computer group A group of LAN or WLAN Ethernet devices to which firewall rules and security policies are applied For example all printers may be in a computer group that has...

Страница 826: ...Different strengths are available and are referred to as Group 1 Group 2 and Group 5 and higher DH is used as part of VPN negotiations to create new keys See also Perfect Forward Secrecy DHCP client...

Страница 827: ...reate send and read email messages email server An application that controls the distribution and storage of email messages Extended MAPI Messaging Application Programming Interface An interface devel...

Страница 828: ...risk The event or result of a threat that exploits a vulnerability of the system external threat A threat that originates outside of an organization extranet The extension of the LAN via remote or In...

Страница 829: ...rnet s TCP IP protocols gateway A network point that acts as an entrance to another network In a company network a proxy server acts as a gateway between the internal network and the Internet A gatewa...

Страница 830: ...ion protocol HTTPS Hypertext Transfer Protocol Secure A variation of HTTP that is enhanced by a security mechanism which is usually Secure Sockets Layer SSL icon A graphic representation of a containe...

Страница 831: ...t priority A number between one and five that is assigned to an incident The number is assigned based on signature attributes system attributes organization attributes vulnerability attributes and ser...

Страница 832: ...ve one or more domain names that are easier for people to remember IP sniffing The stealing of network addresses by reading the packets Harmful data is then sent stamped with internal trusted addresse...

Страница 833: ...ies and content in the event of litigation LB Load Balancing On clustered security gateways sharing the traffic load to maintain high throughput local attack An attack that takes place against a compu...

Страница 834: ...streams of data without the user noticing MAPI Messaging Application Programming Interface An interface developed by Microsoft that provides messaging functions including addressing sending receiving...

Страница 835: ...text in the field normalization See event normalization In Symantec NetProwler a notification or warning that a NetProwler Agent sends when network traffic matches an attack signature that is associat...

Страница 836: ...passing the packets to the application layer Packets that are not allowed through the forwarding filter continue up the stack to be inspected by the proxies packet sniffing The interception of packet...

Страница 837: ...ged it can be distributed to all security gateways within an organizational unit policy management The creation configuration and monitoring of security assets and information to ensure that they are...

Страница 838: ...requests forward them out to Internet servers and then receive the responses and in turn forward them to the original requester within the company public key A part of asymmetric encryption that opera...

Страница 839: ...on a server computer The client program sends a message to the server with appropriate arguments and the server returns a message containing the results of the program executed RSA Rivest Shamir Adle...

Страница 840: ...e a mass mailer but isn t strictly a worm because you can choose to use it before it activates serial port A location for sending and receiving serial data transmissions Also known as a communications...

Страница 841: ...of activity that indicates a violation of policy a vulnerable state or an activity that may relate to an intrusion 2 Logic in a product that detects a violation of policy a vulnerable state or an acti...

Страница 842: ...or program a device or other outside element Stateful means that the computer or program keeps track of the state of interaction usually by setting values in a storage field designated for that purpo...

Страница 843: ...ating system providing correct settings or allowing the network administrator to tune the size of the buffer and the time out period synchronize To copy files between two folders on host and remote co...

Страница 844: ...y created when Symantec Enterprise Firewall or Symantec Enterprise VPN Server is installed The universe entity is similar to a wildcard and specifies the set of all computers both inside and outside o...

Страница 845: ...r present on a diskette The source of the file you are downloading or of a diskette you have received is often unaware of the virus The virus lies dormant until circumstances cause the computer to exe...

Страница 846: ...547 idssym im_msn_ports 547 advanced options cont idssym im_yahoo_ports 547 idssym internal_lan 547 idssym internal_net 547 idssym mssql_servers 547 idssym networkdevice_servers 547 idssym novarg_port...

Страница 847: ...335 Mail Attachment Restrictions tab 342 Response tab 344 appliance serial number 90 Asset Parameters window enabling reverse lookups 157 setting clientless VPN logon policy 431 Assets section descri...

Страница 848: ...ure network connection 442 460 clientless VPN cont simple rules 415 single sign on rule 410 439 terminal emulation 452 URL syntax 410 user accounts unlocking 469 viewing failed logon attempts 469 VPN...

Страница 849: ...ontent profile adding to a rule 316 creating 311 Content Profiles tab content filtering 306 corporate name adding to portal page 437 custom services configuring 178 D daemons logservice 470 process re...

Страница 850: ...antispam 350 353 356 fan status monitoring 464 fault tolerant deployment 117 managed security gateway 125 features enabling from Features tab 97 enabling from System Setup Wizard 96 Features tab enab...

Страница 851: ...description 208 enabling 210 HTTP proxy cont HTTPs ports adding 214 modifying 212 persistent connections 209 ports adding 213 secure sockets layer 209 timeout modifying 214 WebDAV 210 httpd advanced o...

Страница 852: ...VPN tunnels 393 VPN policy 380 IPsec with static key 383 J JAR cache clearing 25 77 Java Runtime Environment installation 22 Java antivirus scanning 333 K Keytool remote back up 103 remote management...

Страница 853: ...ME partial message content 336 MIME types content filtering 302 misc logserviced logsesa 548 misc ports shortlived 548 misc vpn enabled 548 modem 490 491 monitoring cluster status 528 description 461...

Страница 854: ...NTP proxy description 222 NTP proxy configuring 222 O objects copying 54 creating 52 deleting 61 references to other objects 55 ODMR On demand mail relay enabling 235 On Demand Mail Relay See ODMR OOB...

Страница 855: ...60 preventing attacks 319 privileges clientless VPN 411 problems isolating 558 process restart configuring 113 properties of objects modifying 51 viewing 50 protocols clientless VPN advanced file serv...

Страница 856: ...mponent 415 single sign on 432 SMTP 446 URL 457 URL example 457 resources adding to portal page 436 creating 434 grouping 435 Resources tab 434 Response tab antispam scanning 353 Response tab antiviru...

Страница 857: ...g process restart 113 configuring the logging service 470 configuring the Notify service 491 SGMI description 33 exiting 32 home page 29 home page wizards 30 SGMI cont integrating to the desktop 24 le...

Страница 858: ...94 System section description 40 System Setup Wizard 368 511 description 104 enabling licensed features 96 system usage viewing 463 T tables adding columns 49 changing sort order 49 filtering objects...

Страница 859: ...rces 456 user comforting 340 user groups applying client compliance 398 external authentication 249 IKE enabled 250 importing 251 internal authentication 247 248 User Groups tab 247 user sign on 411 U...

Страница 860: ...creating rules 442 description 411 WebDAV description 210 enabling 212 wizards Client VPN Package Wizard 30 399 Firewall Rule Wizard 30 284 Gateway to Gateway Tunnel Wizard 30 385 License Installatio...

Страница 861: ...860 Index...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды