Panda GateDefender Performa User Guide
If your company has acquired this program and you do not have a CORPORATE USER LICENSE, please contact Panda Software so that you can extend the use of this program to more than one computer.
Copyright Notice
2010 Panda Security. All rights reserved. Neither the documentation nor the programs included in this package may be copied, reproduced, translated or reduced to any medium or electronic or machine-readable support without prior written consent from Panda Security.
Trademarks
Panda Security is a registered trademark owned by Panda Security. Windows is a registered trademark of Microsoft Corporation. Other product names that are mentioned in this guide may be registered trademarks of their respective owners.
2010 Panda Security. All Rights reserved. Printed in the European Union. Printed in 2010. 1008-PGDPMA-US-02
Table Of Contents
INTRODUCTION
  KEY FEATURES OF PANDA GATEDEFENDER PERFORMA
  FUNCTIONS
  PROTECTION
IMPLEMENTATION
  ACTIVATING PANDA GATEDEFENDER PERFORMA
  CONFIGURING THE APPLIANCE
    Points to bear in mind before configuring the appliance
    Data required to configure the appliance
    Default settings

  COMMANDS ALLOWED IN READ-ONLY MODE
  COMMANDS ALLOWED IN ADMINISTRATOR MODE
PROTECTION SETTINGS
  ANTI-MALWARE PROTECTION
    Malware types
    Anti-malware protection settings
    Antivirus protection settings
    Heuristic protection settings
    Anti-phishing protection settings
    Protection against other security risks settings
    Trusted sites and domains settings in the anti-malware protection
  CONTENT FILTER PROTECTION
    Content Filter protection settings
    HTTP/S and FTP protection settings
    Mail and news protection settings
    Trusted sites and domains settings in the Content Filter protection
  ANTI-SPAM PROTECTION
    Anti-spam protection settings
    Spam white list and blacklist
    Advanced SMTP anti-spam protection settings
  WEB AND IM/P2P/VOIP FILTER
    Web filtering
    IM/P2P/VoIP application filter
  USERS EXEMPT FROM FILTERING
    Users excluded from web filtering
    Users exempt from P2P/IM filtering
    Export/Import a list of computers
  PROFILES
    Configuration by profiles
    Managing settings
    Creating and modifying protection profiles
    Centralized protection settings

  DEFINITIONS
    Introduction
    Managing IP addresses
    Domain management
  WARNINGS
    Introduction
    Events to report settings
    Syslog warnings settings
    SNMP warnings settings
  EMAIL WARNINGS
    Email warnings settings
    Recipient mail account details
    Periodic activity notification
    Periodic activity notification settings
  CUSTOMIZING THE TEXTS/PAGES
    Customizing the texts
    Customization of the substitute HTTP/S page

    Stored filters
    Additional features in the report views
  PROTECTION REPORTS
    Introduction
    Protection report
  SECURITY REPORTS
    Introduction
    Report on access restricted by the explicit proxy
    Report on invalid SSL certificates
  SYSTEM REPORT
    System report

  TRUSTED SITES AND DOMAINS SETTINGS IN THE ANTI-MALWARE PROTECTION
  RESTORING THE INITIAL VALUES FOR SIGNING IN TO THE WEB CONSOLE
  RESTORING THE APPLIANCE
  RECOVERY VIA CD
  RESTORING USING THE LIVE DVD
    Using the Live DVD
  RECOVERY WITH A USB DEVICE
  THE LCD SCREEN: DEFINITION AND USE
  CONFIGURING INTERNAL NETWORKS
  CONFIGURING INTERNAL DOMAINS
  USING THE BASIC ANTI-SPAM SETTINGS
  USING THE ADVANCED ANTI-SPAM SETTINGS
Introduction
Panda GateDefender Performa
Panda GateDefender Performa is a scalable and ultra-reliable SCM (Secure Content Management) perimeter security appliance. It delivers maximum proactive protection in the gateway against content-based Web and email threats. It blocks all types of malware, spam, undesirable content and other Internet threats before they enter the company. Its simple "connect and forget" operation and complete anti-malware protection, along with content filtering, anti-spam, Web filtering and IM/P2P/VoIP filtering, make Panda GateDefender Performa a highly effective security solution.
Complete protection
It includes best-of-breed protection against malware, potentially dangerous content, spam, inappropriate Web content, and IM, P2P and VoIP protocols. It scans inbound and outbound traffic in all protocols (HTTP/S, FTP, SMTP, POP3, IMAP4 and NNTP), helping enforce security policies, and doesn't require additional protection or supporting devices, therefore reducing complexity and operational costs.
Modular structure
It provides specific protection for different threats, reinforcing the risk management systems where necessary. The cost is optimized since the organization only purchases the protection required.
Heuristic engines, Collective Intelligence and Quarantine combined in the perimeter optimize threat detection, ensuring reception of important information.
High performance
The hardware is designed to operate transparently in the perimeter, scanning large traffic volumes in real-time. Each unit's performance adapts to each organization's traffic, optimizing the risk management system. Its high performance improves user productivity, making sure that standard security policies are met and ensuring business continuity.
Zombie detection
Outbound SMTP detection allows administrators to identify internal computers that are infected and which are sending spam and malware to clients and contacts without users' knowledge.
This improves corporate image and reputation with clients.
Automatic updates
Updates are automatically carried out every hour in the case of malware and every minute in the case of spam. The protection is always updated against the latest threats, constantly improving the risk management system. The solution does not require continuous administration, thereby reducing complexity and operational costs.
It operates as a transparent bridge, and as installation does not require changes or redirections in the network settings, complexity is reduced. Once connected, it starts to work immediately, reducing operational costs.
Panda GateDefender Performa scans, disinfects, restores and resends files containing unknown malware without administrator intervention, reinforcing the risk management system. It also prevents critical information losses and protects the organization against known and unknown threats, helping enforce security policies. Additionally, it ensures business continuity and reduces operational costs.
Different console access levels reinforce security in the risk management system, as security settings are protected and business continuity is ensured. Access permission adapts to users' different needs and reduces complexity for non-expert users.
The hardware models for large organizations include a bypass option to ensure traffic flow continues in the case of system failure.
Functions
The main functions of Panda GateDefender Performa include:
Load balancing
Automatic, native load balancing ensures high service availability in the event of unexpected failure, optimizes investment in the organization's computers, and improves the risk management system. It also prevents traffic reception delays, improving user productivity and ensuring business continuity. As it is native and automatic, it eliminates configuration complexity and reduces operational costs.
Different user profiles and groups can be defined to establish different security policies for each network user, reinforcing the risk management system. This way, user productivity is optimized and security policies are enforced.
Due to integration with directory systems, the user responsible for each action taken on the network is identified and the risk management system is improved. In addition, monitoring of internal users enforces security policies.
Centralized settings
All the units deployed can be configured from a single console. Centralized configuration of different access points improves the risk management system and reduces complexity.
The real-time activity graphic reports significantly reinforce the risk management system. Administrators and operators therefore have important information to hand, reducing complexity and operational costs.
Quarantine
It stores potentially dangerous files and messages in quarantine if they are suspected of containing unknown malware or are considered to be spam or probable spam. The aim of quarantine is to ensure access to any important files or emails.
Malware quarantine
Reserved for contaminated files that cannot be disinfected or are suspected of containing unknown malware.
Spam quarantine
Protection
The protection units offered by Panda GateDefender Performa are:
Anti-malware
Detects and blocks damaging threats before they enter the corporate network: viruses, worms, Trojans, spyware, dialers, jokes, phishing, hacking tools, security risks and -through its heuristic engine- threats not yet cataloged.
Content Filter
The Content Filter lets you customize the types of files and messages to be filtered. It applies filters such as maximum file size, maximum number of compressed files, password protection. With respect to messaging, it analyzes and filters by content, subject, type, etc.
Anti-spam protection
It includes advanced spam detection techniques, such as DNSBL, anti-backscatter and SMTP Relay, minimizing the impact of spam on user productivity.
Web filtering
The Web filter can restrict access to Web pages with unproductive content simply by selecting prohibited categories. It therefore optimizes resource usage and improves user productivity.
Used to block attempts to access applications that can represent security holes. These include instant messaging (IM), peer-to-peer (P2P) and Voice over IP (VoIP), whose use from inside the network can be restricted.
Integration of Collective Intelligence with queries to the cloud and integrated cache of queries
With so much diverse malware in existence, it is impossible for a single network computer or appliance to make reliable detections. Panda Security has opted to move all scanning and malware detection intelligence out of the client's infrastructure and into the cloud, while respecting data confidentiality at all times. The system means that any item suspected of containing malware can be checked against Panda Security's cloud database. Panda GateDefender Performa intelligently uses this resource, combining the benefits provided by total detection with increased detection speed resulting from an intelligent internal cache of previously scanned items. This way, the data flow required to detect and disinfect malware is reduced to a minimum.
One of the most significant problems when calibrating the bandwidth required for your company's activities is to ensure there is sufficient bandwidth available to cover your employees' needs. To this end, the quick and accurate identification of restricted protocols, such as P2P (eMule, BitTorrent), VoIP (Skype), messaging (Messenger) and others, is vital. Access to these protocols and applications not only affects your bandwidth but also your company's productivity, and so it is essential to accurately determine which should be allowed and which not. Due to the constant evolution of these applications, Panda GateDefender Performa updates the set of rules that allow the detection of these types of data transfers, so that new versions of messaging and P2P programs are correctly identified and managed (block or report). Given that not everyone's needs are the same, Panda GateDefender Performa lets you define individual protection profiles for each user for P2P and messaging applications.
Other improvements
New security reports and improvements to the filtering and presentation of current reports
The increasing amounts of malware being received and detected by companies means that there is also more information to make available to network administrators. Because of this, Panda Security provides search tools and filters for presenting reports as well as new types of reports. These new reports concern the SSL certificates and the explicit proxy, in addition to those offered in previous versions. The reports screen has been redesigned to jointly display a breakdown of the malware detected for all the protection modules purchased, minimizing the time spent navigating through the administration console. The limits for storing old reports have also been updated and expanded, in line with the increase in the amount of malware on the Web and the considerable increase in the information provided by Panda GateDefender Performa regarding each security problem. Now, Panda GateDefender Performa maximizes the potential of the reports, so that these show all possible details about each of the protections and the new features implemented.
Finally, the integrated proxy helps in the configuration and deployment of protection profiles, avoiding the need for validation servers in your corporate network, optimizing the number of servers and therefore reducing the overall TCO.
Collective Intelligence
Panda GateDefender Performa supports Collective Intelligence, meaning that the detection capacity of the anti-malware protection is significantly increased as it is also based on queries to the Panda Security knowledge server (the cloud). This server is continually updated and contains all Panda Security's information about malware and security threats.
In the case of several load-balancing appliances, the cache of each of them operates as an independent entity.
The detection results contain only the identifier and the generic type of malware, both for results from the local cache and from the cloud. To complete the data with a name and a specific type of malware, a query is made to an extended information server. So the report and the notifications on malware detected, quarantine and the malware activity details page in the Web console have all the information they need. If the extended information system fails, the basic format is then used to display the report, using the identifier to link to the Panda Security Malware Information Center website, where all the information is available online.
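The lookup order described above (local cache, then the cloud, then the extended information server, with the basic-format fallback) modelled as an added example; it is not Panda Security's code. The class and function names, the SHA-256 cache key, the sample identifiers and the placeholder URL are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Placeholder only: the guide does not give the Malware Information Center URL format.
INFO_CENTER_URL = "https://malware-info.example/?id={malware_id}"


class ExtendedInfoUnavailable(Exception):
    """Raised when the extended information server cannot be reached."""


@dataclass(frozen=True)
class Verdict:
    malware_id: Optional[str]    # None means nothing was detected
    generic_type: Optional[str]  # the only detail a cache/cloud verdict carries


@dataclass
class ReportRow:
    malware_id: str
    generic_type: str
    source: str                          # "cache" or "cloud"
    name: Optional[str] = None           # filled from the extended information server
    specific_type: Optional[str] = None
    info_link: Optional[str] = None      # basic format: link built from the identifier


class Appliance:
    """One unit; in a load-balancing group every unit keeps its own cache."""

    def __init__(self, cloud: Callable[[str], Verdict],
                 extended: Callable[[str], Tuple[str, str]]):
        self._cloud = cloud
        self._extended = extended
        self._cache: Dict[str, Verdict] = {}
        self.cloud_queries = 0

    def verdict(self, content: bytes) -> Tuple[Verdict, str]:
        # Assumption: items are keyed by a SHA-256 digest of their content.
        key = hashlib.sha256(content).hexdigest()
        if key in self._cache:
            return self._cache[key], "cache"
        self.cloud_queries += 1
        result = self._cloud(key)
        self._cache[key] = result        # clean verdicts are cached too
        return result, "cloud"

    def report(self, content: bytes) -> Optional[ReportRow]:
        result, source = self.verdict(content)
        if result.malware_id is None:
            return None
        row = ReportRow(result.malware_id, result.generic_type, source)
        try:
            # Complete the identifier with a name and a specific type.
            row.name, row.specific_type = self._extended(result.malware_id)
        except ExtendedInfoUnavailable:
            # Fall back to the basic format and link out by identifier.
            row.info_link = INFO_CENTER_URL.format(malware_id=result.malware_id)
        return row


# --- Constructed sample data (not real detections) ---
SAMPLE = b"constructed sample payload"
CLOUD_DB = {hashlib.sha256(SAMPLE).hexdigest(): Verdict("ID-0001", "Trojan")}
EXTENDED_DB = {"ID-0001": ("Example.Sample.A", "Backdoor Trojan")}


def cloud_lookup(key: str) -> Verdict:
    return CLOUD_DB.get(key, Verdict(None, None))


def extended_ok(malware_id: str) -> Tuple[str, str]:
    return EXTENDED_DB[malware_id]


def extended_down(malware_id: str) -> Tuple[str, str]:
    raise ExtendedInfoUnavailable(malware_id)


def demo():
    unit_a = Appliance(cloud_lookup, extended_ok)    # extended server reachable
    unit_b = Appliance(cloud_lookup, extended_down)  # extended server failing
    first = unit_a.report(SAMPLE)      # answered by the cloud
    second = unit_a.report(SAMPLE)     # answered by unit_a's cache
    fallback = unit_b.report(SAMPLE)   # unit_b's cache is separate: cloud again
    clean = unit_a.report(b"harmless constructed text")
    return unit_a, unit_b, first, second, fallback, clean


if __name__ == "__main__":
    a, b, *rows = demo()
    for row in rows:
        print(row)
    print("cloud queries:", a.cloud_queries, b.cloud_queries)
```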
Implementation
Activating Panda GateDefender Performa
1. Click My license, next to the system clock.
2. In the window that appears, click on the link (here) that appears under Registration/activation details.
3. A new window appears: Enter the user name and password provided by Panda Security.
4. Click Save. Panda GateDefender Performa will contact the Panda Security server to get license information (wait 10 seconds before consulting the information). If an error occurs, a message will be displayed.
Configuring the appliance
Points to bear in mind before configuring the appliance
The correct configuration of Panda GateDefender Performa ensures optimum protection of your corporate network and improves your appliance's performance. Therefore, before configuring Panda GateDefender Performa, it is important that you have a clear idea of the following:
1. Who will be able to change the settings and from which computers.
2. What type of malware you want Panda GateDefender Performa to detect.
3. What protocols you want to protect.
4. Whether a specific type of file is to be allowed to enter or leave your organization through a certain protocol (for example, executable files via email).
5. What type of warnings you want to receive (whether Panda GateDefender Performa should warn you every time it detects a virus, updates, has connection problems, etc).
6. Who should receive the warnings.
7. Whether you want warning messages to display an explanatory text and the text it should include.
8. Whether there are trusted domains that will never send you malware.
9. Whether there are domains from which you never want to receive any email messages, as they will always be spam. You can configure automatic blocking (without scanning) of the messages received from those domains and optimize the performance of the appliance.
10. Whether you want to restrict access to certain Internet contents and what type of content.
11. Whether you want to allow access to a certain URL, regardless of whether it contains restricted contents or not.
12. Whether you want to deny access to a certain URL, regardless of whether it contains restricted contents or not.
13. Whether you want advanced log files with more detailed information.
Having a clear idea about these issues will allow you to configure the solution for optimized performance from the start; the network traffic will adapt to your needs and you probably won't need to change the settings at a later stage.
Before configuring the appliance, don't forget to have the necessary data to hand.
Once Panda GateDefender Performa is installed, access to the Web console is configured and the product is activated, you can start to configure the system and the protection.
You probably won't need to change the default settings. If you have your own DNS servers or DNS servers provided by your ISP, you can configure Panda GateDefender Performa to use them.
The appliance uses these DNS servers to establish its own connections, update, send warnings and validate licenses, etc. As a result, if these servers are not configured correctly, Panda GateDefender Performa will not work properly.
6. Proxy server IP address and authentication data: If Panda GateDefender Performa is going to connect to the Internet through an HTTP proxy, you will need to activate it here and specify the IP address of the server and the port. If it requires authentication, activate this option and enter the user name and password.
Configuration IP address: This is the IP address used to access the Web administration console. The default address is 172.16.1.1. For more information, click here.
To activate Panda GateDefender Performa:
1. Registration details (User name): This is the user name provided by Panda Security with the appliance. This will identify your appliance in the updates server.
2. Registration details (Password): This is the password provided by Panda Security with the appliance. This will identify your appliance in the updates server.
The user name and password are different from the user details for accessing the Web console. These are the details identifying the registered user of Panda Security and which offer access, among other things, to the update servers. Panda Security provided these when you bought the appliance.
Default settings
The default settings defined are:
Appliance name: MachineName.
Network IP address: 192.168.1.1.
Net mask: 255.255.255.0.
Default gateway: 192.168.1.200.
Primary DNS server: 207.200.7.21
Console login
User name: defaultuser.
Password: defaultpass.
Configuration IP address: 172.16.1.1.
Net mask: 255.255.255.0.
It is IMPORTANT to ensure that the USB device does not contain data that you want to keep, as all information will be deleted when the process of creating the installer is complete. Follow these steps:
1. Insert the device in the USB port and find the assigned drive in your file explorer (Windows Explorer -> My Computer -> Removable drives).
2. Right-click the removable drive icon and click Format.
3. Select FAT32 as the file system and click Start.
You will then see a warning about the loss of data from the device after formatting. If you are sure there is no important data on the device, click OK to format it.
Click OK.
6. Make sure the value of the Type field is USB drive and the value of the Drive field corresponds to that of the USB device.
7. Click OK.
8. Once this process has finished, click Exit.
Click OK. The selected ISO image will be copied to the USB device.
Click Exit. IMPORTANT: Do not click Restart now, as this will cause all the data on the computer to be lost.
Remember to use the Safely remove hardware option to remove the USB device. Then, follow the steps below:
1. Export the current settings of Panda GateDefender Performa to a file.
2. Insert the USB device in one of the appliance ports.
3. To continue with the process, connect a screen to the VGA socket in the appliance.
4. Also, connect a keyboard.
5. Restart the appliance.
Once the restart is complete, the restore process will start. When it has finished, you will see the following notice:
To complete the restore process, press ENTER and remove the USB device.
Do not shut down the system while the appliance is working, otherwise the entire system will be corrupted. The recovery process must not be interrupted once it has started. Panda GateDefender Performa will display the factory settings. Import the settings file that you have just exported to apply the settings defined before restoring the appliance.
Readonly role
This is a user with read-only permissions on a limited shell. This user cannot edit the appliance status or settings. The prompt is >.
Admin role
This is an administrative user with access to all commands and who can edit information relative to all of them. After logging in, the user will have limited access to the shell, but can obtain administrator rights using the command enable. The prompt in administrator mode is #. To leave administrator mode, use the command exit.
Access
The CLI can be accessed through SSH or a serial port. In some appliances, access via VGA is also allowed, which requires connecting a keyboard and monitor. Click here to see the list of commands allowed in read-only mode. Click here to see the list of commands allowed in administrator mode.
For more information about any of the commands, enter the name of the command and then the character ? (without quotation marks).
SNMP configuration
Statistics
Status
Syslog configuration
Show traffic
Show top processes
Show uptime
Virtual MAC configuration
Report generic statistics
Status screen
Introduction
The Status screen is the first screen that users access after logging in to the administration console and it allows them not only to check that the appliance is operating correctly, but also Panda GateDefender Performa protection statistics. The screen header, which is common to all the console screens, shows the system clock, the Disconnect option and the My license link. This takes you to the License management screen where you can check or edit your registration or activation details and see the technical specifications of the appliance. You will also see information about the products you have contracted and the corresponding expiry dates. You will find the following areas in the Status screen:
Warnings
The Warnings area will be displayed when there are certain problems and will offer recommendations and advise you on the action to take.
Protection
Click the title of the section to display or hide the content. This section contains graphs with statistical information about scanning and detections performed by the protection modules. It also includes data about updates, licenses and quarantine. You can see details of the contents of the graphs through the corresponding options and export content to .csv format. To the left of the title of each protection (Anti-malware, Content Filter, Anti-spam, Web filter and IM/P2P filter) there will be a red icon if the protection is disabled, green if it is enabled, and orange if it is partially enabled. If you pass the cursor over the protection title, and it is partially enabled, you will see the actual status.
System
Use the arrow at the end of the title bar of the section to display or hide the content. Here you will see the system connections and network card traffic. You will also see a graph of the network load history, uninterrupted runtime, and load-balancing (if enabled). You can enlarge the graphs using the corresponding option, and export the content to .csv format.
Restart statistics
Use this button, at the bottom of the window, to restart the system graphic statistics. Obviously, on restarting the statistics the data displayed in the Status window will change.
License management
The License management screen lets you check the status of your licenses for each of the modules contracted. You can access the screen in two ways:
1. By clicking the My license link, in the console header, next to the system clock.
2. By clicking the date in Updates and licenses > Updates and services expire:, in the Status screen.
Products contracted
Bear the following in mind:
1. The anti-malware license covers the following types of protection:
   Anti-malware
   Content Filter
2. The anti-spam license covers the protection against junk mail (spam).
3. The Web filter license covers the following types of protection:
   Web filtering
   Filtering of IM (instant messaging), P2P (file-sharing) and VoIP (Voice over IP).
When the license for a module has expired or is about to expire, Panda GateDefender Performa will display the Renew license option, which will give you direct access to the renewals area on Panda Security's website. If you do not have a license for a certain type of protection, Panda GateDefender Performa will indicate the protection is Without a license and give you the option to Get a license.
Registration/activation details
After installing the Panda GateDefender Performa software and accessing the console, activate the appliance. To do this, enter the activation details provided by Panda Security. Click the link to activate the product or consult activation details. If you want to check these details after activating the unit, you can use the link in this section.
Technical specifications
This shows the serial number and hardware platform of the connected unit.
Anti-malware
This displays real-time statistics on the anti-malware protection (viruses, jokes, dialers, spyware, hacking tools, security risks and phishing). It shows the following information:
Total files scanned.
Malware detected. Files in which some kind of malicious code has been detected, in both Mail and News and for both HTTP and FTP. The number of files detected and their percentage of the total items scanned is also displayed.
Evolution graph. This shows the evolution of the detections made by the protection. These are divided into two categories: Detections in Mail and News (red line) and Detections in HTTP and FTP (green line). Click Enlarge to expand the graph.
View details. Lets you consult the Anti-malware protection details screen in the console with more detailed and complete information.
Content Filter
This allows you to access real-time statistics on the content filter.
Items scanned by Panda GateDefender Performa.
Items filtered: Files in which some kind of unwanted content has been detected, in both Mail and News and for both HTTP and FTP. The number of items filtered and their percentage of the total items scanned is also displayed.
Evolution graph. This shows the evolution of the filtering applied by the protection. This is divided into two categories: Detections in Mail and News (red line) and Detections in HTTP and FTP (green line). Click Enlarge to expand the graph.
View details: Lets you consult the Content Filter protection details screen in the console with more detailed and complete information.
Anti-spam
This displays real-time statistics on the anti-spam scan. It shows the following information:
Messages scanned.
Spam messages. Number of messages classified as spam and the percentage of the total messages scanned.
Evolution graph. This shows the evolution of the detections made by the protection. Click Enlarge to expand it.
View details. If you click on this link, the Details of the anti-spam protection will be displayed with more detailed and complete information.
Web filtering
Total pages scanned.
Pages blocked: The number of access attempts blocked or monitored (access to URLs restricted by the administrator, which have not been blocked by Panda GateDefender Performa but are logged in the report). The number of events detected is displayed along with their percentage of the total items scanned.
Evolution graph. This shows the evolution of the pages blocked by the protection. Click Enlarge to expand the graph.
View details. If you click on this link, the Details of the Web filtering protection will be displayed with more detailed and complete information.
Click the dates to access the Version details and License management screens.
View selection
You can select the details according to the following values:
Protocol in which malicious code was detected (HTTP/S, FTP, SMTP -default mode-, POP3, IMAP4 or NNTP).
Values of the data you want to see. Use the drop-down menu:
  Percentage: Shows percentage data in the status graphs.
  Absolute: Shows absolute data in the status graphics (default mode).
Period. You can specify that the graphs must only show the malware detections during a certain interval.
  Last 24 hours.
  Last 7 days.
  Last month.
  Last year.
  Specify dates: If you select this option, text boxes will be enabled that will allow you to specify the start and end dates.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.
Percentages and evolution. This section shows two graphs. The pie chart shows the number and percentage of detections for a specific type of malware. Each type of malware is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Malware type: Viruses, dialers, jokes, phishing (only in SMTP, POP3, IMAP4 and NNTP), hacking tools, security risks or spyware. 2. Total number of detections of this type of malware. 3. Percentage of detections of this type of malware with respect to the total files scanned. The evolution graph shows the evolution of each type of malware during a specific period of time. The color of each line corresponds with the color of each type of malware.
Top 10 detections. A pie chart shows the top ten types of malware most frequently detected, taking into account the filtering criteria. Each type of malware is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Malware name. 2. Malware type (viruses, dialers, jokes, phishing, hacking tools, security risks or spyware). 3. Total number of detections of this type of malware. 4. Percentage of detections of this type of malware with respect to the total detections included in the Top Ten.
Top 10 detections by user. A pie chart shows the ten IP addresses of the computers or the email address of the recipients of the most malicious codes that have been detected, bearing in mind the filtering criteria. Each computer is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. IP address (for HTTP/S and FTP) of the affected computer or Email address (for mail and news protocols) of the affected recipient. 2. Total number of detections. 3. Percentage of detections of this computer with respect to the total detections included in the Top Ten.
View selection
You can select the details according to the following values:
Protocol in which malicious code was detected (HTTP/S, FTP, SMTP -default mode-, POP3, IMAP4 or NNTP).
Values of the data you want to see. Use the drop-down menu:
  Percentage: Shows percentage data in the status graphs.
  Absolute: Shows absolute data in the status graphics (default mode).
Period. You can specify that the graphs must only show the events that occurred on a certain date.
  Last 24 hours.
  Last 7 days.
  Last month.
  Last year.
  Specify dates: If you select this option, text boxes will be enabled that will allow you to specify the start and end dates.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph. The information displayed is the following:
Percentages and evolution. This section shows two graphs. The pie chart shows the amount and percentage of the items filtered. Each item is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Event type. Items allowed and filtered. 2. Total number of times this type of event has been filtered. 3. Percentage with respect to the total files scanned. The evolution graph shows the evolution of each item filtered during a specific period of time. The color of each line corresponds with the color of each item.
Top 10 content filtered. A pie chart shows the top ten most frequent content filtering events, taking into account the filtering criteria. Each item is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Item name. 2. Type of filter applied. 3. Total number of times the item has been filtered. 4. Percentage with respect to the total of the Top 10.
View selection
You can select the details according to the following values:
Protocol (SMTP (default), POP3, IMAP4 or NNTP). Values of the data you want to see. Use the drop-down menu: Percentage: Shows percentage data in the status graphs. Absolute: Shows absolute data in the status graphics (default mode). Period. You can specify that the graphs must only show the messages detected in a certain interval. Last 24 hours. Last 7 days. Last month. Last year.
Specify dates: If you select this option, text boxes will be enabled that will allow you to specify the start and end dates.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph. The information displayed is the following:
Percentages and evolution. This section shows two graphs. The pie chart shows the number and percentage of detections for a specific type of message. Each type of message is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Classification of the message (mail allowed, spam and probably spam). 2. Total number of detections of this type of message. 3. Percentage of detections of this type of message with respect to messages scanned. The evolution graph shows the evolution of each type of message during a specific period of time. The color of each line corresponds with the color of each type of message.
Top 10 recipients of spam. A pie chart shows the top ten recipients of spam, taking into account the filtering criteria. Each recipient is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Recipient's email address. 2. Total number of messages classified as spam. 3. Percentage of detections of this spam for this recipient with respect to the total Top Ten. Messages classified as probable spam are not included in this graph.
Top 10 senders of spam. A pie chart shows the top ten senders of spam, taking into account the filtering criteria. Each sender is assigned a color, which corresponds to a section of the pie chart. The data is classified into: 1. Sender's email address. 2. Total number of messages classified as spam. 3. Percentage of detections of this spam for this sender with respect to the total Top Ten. Messages classified as probable spam are not included in this graph.
View selection
You can select the details according to the following values:
Values of the data you want to see. Use the drop-down menu:
  Percentage: Shows percentage data in the status graphs.
  Absolute: Shows absolute data in the status graphs (default mode).
Period. You can specify that the graphs must only show the access to restricted Web pages detected in a certain period.
  Last 24 hours. Default mode.
  Last 7 days.
  Last month.
  Last year.
  Specify dates: If you select this option, text boxes will be enabled that will allow you to specify the start and end dates.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph. Percentages and evolution of pages. This section shows two graphs. The pie chart shows the number and percentage of detections for a specific type of page. Each type of page is assigned a color, which corresponds to a section of the pie chart. The data is classified into: 1. Classification of the pages (pages allowed and restricted pages). 2. Total number of detections of this type of page. 3. Percentage of detections of this type of page with respect to the total pages scanned. The evolution graph shows the evolution of each type of page during a specific period of time. The color of each line corresponds with the color of each type of page.
Top 10 filtered pages visited. A pie chart shows the top ten restricted pages visited, taking into account the filtering criteria. Each page is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Page URL. 2. Category by which it has been filtered. 3. Total number of visits. 4. Percentage of visits to this page with respect to the total in the Top 10. Top 10 most visited domains. Shows the top ten most visited domains, taking into account the filtering criteria. Each domain is assigned a color, which corresponds to a section of the pie chart. It displays the data as follows: 1. Domain. 2. Category to which the domain corresponds. 3. Total number of visits. 4. Percentage visits with respect to the Top Ten. Top 10 users that most browse the Web. Shows the top ten users that most use the Internet, taking into account the filtering criteria. Each user is assigned a color, which corresponds to a section of the pie chart. The data can be classified as follows: 1. User. 2. Total number of visits. 3. Percentage visits with respect to the Top Ten. Top 10 user access to blocked pages. A pie chart shows the top ten users that have most frequently visited blocked pages, taking into account the filtering criteria. Each user is assigned a color, which corresponds to a section of the pie chart. The data is classified into: 1. IP address. IP address of the user that accesses the restricted pages. 2. Total number of blocked pages visited. 3. Percentage with respect to the total of the Top 10.
If Panda GateDefender Performa is installed between the Internet and a Web proxy, only access of the proxy IP will be logged.
View selection
You can select the details according to the following values:
Values of the data you want to see. Use the drop-down menu:
  Percentage: Shows percentage data in the status graphs.
  Absolute: Shows absolute data in the status graphs (default mode).
Period. You can specify that the graphs must only show the access to restricted Web pages detected in a certain period.
  Last 24 hours. Default mode.
  Last 7 days.
  Last month.
  Last year.
  Specify dates: If you select this option, text boxes will be enabled that will allow you to specify the start and end dates.
The system uses cookies to remember your preferences.
Graphs
Panda GateDefender Performa shows the results of the filter applied in the previous section as a graph.
Percentages and evolution. This section shows two graphs. The pie chart shows the number and percentage of detections for each type of protocol. Each type is assigned a color, which corresponds to a section of the pie chart. The data is classified into: 1. Protocol classification 2. Total number of detections for this type of protocol. 3. Percentage of detections for this type of protocol with respect to all traffic analyzed. The evolution graph shows the evolution of each type of protocol during a specific period of time. The color of each line corresponds with the color of each type.
Percentages and evolution of the applications. This section shows two graphs. The pie chart shows the number and percentage of detections for a specific type of access. Each type of access is assigned a color, which corresponds to a section of the pie chart. The data is classified into: Classification of the applications (connections or access of protocols allowed and restricted). Total number of detections of this type of access generated by the protocols specified. Percentage of detections of this type of access generated by the specified protocols, with respect to all access. The evolution graph shows the evolution of each type of protocol during a specific period of time. The color of each line corresponds with the color of each type of protocol.
Top 10 restricted protocols. A pie chart shows the top ten restricted resources accessed, taking into account the filtering criteria. Each application is assigned a color, which corresponds to a section of the pie chart. The data displayed is classified into: 1. Protocol name. 2. Category by which it has been filtered. 3. Total number of visits. 4. Percentage of visits to this application with respect to the total in the Top 10.
Top 10 user access to restricted protocols. A pie chart shows the top ten users that have most frequently visited restricted protocols, taking into account the filtering criteria. Each user is assigned a color, which corresponds to a section of the pie chart. The data is classified into: 1. IP address. IP address of the user that accesses the restricted protocols. 2. Total number of restricted protocols visited. 3. Percentage with respect to the total of the Top 10.
If Panda GateDefender Performa is installed between the Internet and a Web proxy, only access of the proxy IP will be logged.
Version details
In order to check the version of the different modules incorporated in Panda GateDefender Performa: 1. Select the Status menu in the console main window. 2. Click the icon next to Last update. You can also access the screen by going to Status > Updates and licenses > Last updates. A window appears with the following data:
Date of the signature files and version of the anti-malware engine. Date of the signature files and version of the anti-spam engine. Version of the Web filtering engine. Date of the IM/P2P/VoIP protocol filter rules. IM/P2P/VoIP protocol filter engine version. System software version (firmware).
System status
This displays all information about system operation, through the following graphs: System connections System load Network interface cards System data
System connections
Indicates the number of current connections, as well as the graphic with data on the number of connections established and failed.
Connections established
Shows the number of connections successfully established through the appliance for the protocols that the device is scanning.
Simultaneous connections.
This is the number of connections open at the same time. In this case, it will indicate the average number of connections open at the same time for a given period. This information is particularly useful in order to know the workload of Panda GateDefender Performa at any given moment.
System load
Graph showing the CPU load.
Load balancing
If you have more than one unit working in load balancing mode, this section will allow you to view the rest of the units and access their Web administration consoles. You can also check the status (master or slave) of all units. To access the consoles of the other Panda GateDefender Performa units, you must:
1. Click the Open console link next to the name of the other unit.
2. Enter the user name and password for accessing the console of the device you want to access.
This section shows the Megabytes (or Gigabytes) passed through each network interface card (NIC1 and NIC2), distinguishing inbound and outbound data, and with the corresponding graphic.
System data
A progress bar shows the percentage system load and uninterrupted run time.
Restart statistics
Use this button, at the bottom of the window, to restart the system graphic statistics. Obviously, on restarting the statistics the data displayed in the Status window will change.
Protection settings
In addition to configuring the anti-malware and anti-spam protection, Panda GateDefender Performa lets you decide which Web pages to allow users to access, email, Internet or News content to permit or restrict, and to restrict access to instant messaging and P2P protocols. You can also add additional ports to the ports that Panda GateDefender Performa uses by default. You can also create specific profiles and assign them to the appliances you choose.
System settings
In this section of the Settings menu you will find options that allow you to configure general system features, internal networks, IP addresses and domains, warnings, etc.
Protection settings
Anti-malware protection Malware types
Panda GateDefender Performa protects against malware in general and viruses in particular, before these malicious codes can enter or leave your organization. Panda GateDefender Performa blocks attacks launched by:
1. Viruses. Viruses are programs that can enter computers or IT systems in a number of ways, causing effects that range from simply annoying to highly-destructive and irreparable.
2. Worms. Programs similar to viruses but differ in that all they do is make copies of themselves (or parts of themselves).
3. Vulnerability exploits. Attempts to exploit vulnerabilities through both e-mail and HTTP.
4. Trojans. Strictly speaking, a Trojan is not a virus, although it is often thought of as such. Really they are programs that install themselves on computers appearing to be harmless programs and carry out actions compromising user confidentiality.
5. Dialers. These are programs that are often used to maliciously redirect Internet connections. They are designed to disconnect the legitimate telephone connection used to hook up to the Internet and re-connect via a premium rate number. Often, the first indication a user has of this activity is an extremely expensive phone bill.
6. Jokes. These are not viruses, but tricks that aim to make users believe they have been infected by a virus.
7. Spyware. Programs that are automatically installed with another (usually without the user's permission and even without the user realizing), which collect personal data (data on Internet access, action carried out while browsing, pages visited, programs installed on the computer, etc.). This information could be published, compromising user confidentiality.
8. Hacking tools and potentially unwanted programs. Programs that can be used by a hacker to carry out actions that cause problems for the user of the affected computer (allowing the hacker to control the computer, steal confidential information, scan communication ports, etc.).
9. Security risks. Any program that can be used for malicious purposes to cause problems for the user of the computer. For example, a program for creating viruses or Trojans.
10. Phishing. This is an attack that uses social engineering. It consists of a message that seems to be sent from a reliable source and tries to trick the user into revealing private information (passwords, credit card number, etc.), which will then be used for fraudulent purposes (for example, identity theft).
Bear in mind that the protocol settings defined for the antivirus protection will be applied to the rest of the types of anti-malware protection.
You can configure the following types of protection: Antivirus protection: Viruses, worms and Trojans. Heuristic protection: Unknown viruses. Anti-phishing protection: Private data theft. Protection against other risks: Hacking tools and security risks. Trusted sites and domains: List of trusted domains and/or IP addresses whose traffic will not be scanned for malware.
To access the antivirus protection settings, click the Settings menu of the main console window, and select Antivirus. This window allows you to configure the protocols that Panda GateDefender Performa must scan for viruses, the file extensions that must be scanned or excluded from the scan and the actions Panda GateDefender Performa must take when malicious code is detected.
Protocols to scan
Panda GateDefender Performa intercepts and scans HTTP, HTTPS, FTP, SMTP, POP3, IMAP4 and NNTP traffic for viruses, worms and/or Trojans.
If you use Exchange servers in native mode, encrypted traffic generated between them will be let through without being scanned. If you disable the checkbox next to any protocol in the antivirus protection settings window, Panda GateDefender Performa will not scan that protocol for malware.
The protocols configured through the antivirus protection settings window will also be automatically applied to the rest of the protection types.
Click here to check the configuration options for each protocol.
After configuring the protocols and port, you can configure the Extensions to scan. If you click on this option, a new window appears in which you can specify if Panda GateDefender Performa must scan all files (Scan files with any extension) or the files whose extension appears in the Extensions to scan list (Scan files with the following extensions:). In this case, select the corresponding checkbox if you want Panda GateDefender Performa to Scan files without extensions.
Actions to take
In this section, you can specify the action Panda GateDefender Performa must take when malicious code is detected.
Depending on the settings of the events to report, different types of notifications could be available. For more information, refer to Events to report settings. The actions that can be taken with messages automatically generated by viruses are: Completely delete the message. Delete only the infected attachment. For the rest of the detections, the options are:
Disinfect. Panda GateDefender Performa will disinfect the infected file. If disinfection is not possible, for example because the virus code has overwritten the original code:
- For the HTTP/S and FTP protocols the file transfer will be blocked or it will be rendered unusable.
- For the rest of the protocols the infected files will be deleted.
- By default, a copy of files that can't be disinfected will be sent to quarantine. If you don't want these files to be stored in quarantine, clear this option.
When messages are deleted, Panda GateDefender Performa will reply to the computer trying to send the message carrying the malicious code so that it thinks that the message has been correctly sent.
Delete the file. Panda GateDefender Performa will directly delete the infected file. For the HTTP/S and FTP protocols the file transfer will be blocked or it will be rendered unusable. For the rest of the protocols: The infected files will be deleted. If you enable the checkbox For the SMTP protocol, completely delete the message (not just the file), email messages that use this protocol will be prevented from reaching the recipient.
It is advisable to select the option Disinfect, as almost all fake-from messages and messages sent by mass-mailing worms are infected, and will be deleted when they are detected. Attachments with useful content in other messages will be disinfected. The recipients of infected messages will be informed that they have been disinfected and a warning can also be sent to the sender.
Protocol settings
Protocols are rules and procedures for communication between computers.
Be particularly careful when configuring the protocols to scan, as these settings will be applied to the antivirus scan and the other types of anti-malware protection. Panda GateDefender Performa protects the most widely used communication protocols:
HTTP/HTTPS: Hyper-Text Transfer Protocol. Internet.
SMTP: Simple Mail Transfer Protocol.
POP3: Post Office Protocol Version 3. Protocol for managing in the Internet.
IMAP4: Internet Message Access Protocol.
FTP: File Transfer Protocol. For transferring files between computers that run TCP/IP.
NNTP: Network News Transfer Protocol. Protocol for accessing newsgroups.
If you use Exchange servers in native mode, encrypted traffic generated between them will be let through without being scanned.
Scans the traffic in connections whose target port is 25, or any of the additional SMTP ports specified. Scans SMTP traffic in both directions, regardless of which side of the appliance establishes the connection. Scans any transfer that uses SMTP, even those that could prevent the information from being correctly scanned (files downloaded in CHUNKING (BDAT) -rfc3030, BINARYMIME -rfc3030, PIPELINING -rfc2920 mode, etc.).
To access the heuristic protection settings, click the Settings menu of the main console window, and select Heuristic. The Panda GateDefender Performa heuristic protection detects viruses that are not yet cataloged. The same protocols as those configured for the antivirus protection will be scanned by the heuristic protection. Select Enable unknown threats protection to activate the heuristic protection. The heuristic scan options are only available when this checkbox is enabled.
Sensitivity level
The sensitivity level of the heuristic scan specifies the tolerance level of the protection to suspicious files. The higher the level of sensitivity, the higher the protection, but also the higher the risk of a legitimate message being classified as suspicious.
Action
The actions that can be taken are:
Send the suspicious file to quarantine. If you choose this option, the rest of the actions will be disabled.
For HTTP and FTP: Panda GateDefender Performa blocks the transfer of those suspicious files or renders them unusable if they cannot be blocked.
For the rest of the protocols:
  Delete the suspicious file: When files are deleted, Panda GateDefender Performa deletes the suspicious file and includes a text in the message that reports the deletion.
  Redirect the message: The suspicious message will be redirected to the email address entered in the textbox corresponding to this option.
Messages will only be completely redirected for SMTP. For other mail and news protocols, the suspicious content will be deleted and a substitute text can be configured by clicking on the corresponding link.
Click Mail server settings to specify the SMTP server that will be used to redirect mail. For more information about how to configure the mail server, click here.
To access the anti-phishing protection settings, click the Settings menu of the main console window, and select Anti-phishing. The anti-phishing protection will safeguard computers from all types of attacks related to private data theft such as passwords, banking details, etc. The same protocols as those configured for the antivirus protection will be scanned by the anti-phishing protection.
The anti-phishing protection will be enabled whenever the protection for any of the email protocols is enabled in the antivirus protection settings. To enable this protection, select the Enable Anti-phishing protection checkbox. In the SMTP traffic to scan checkbox, select the direction of the messages (inbound, outbound, inbound and outbound) you want to scan, and click Save. Remember that for this protection to operate correctly, it is important to define the internal networks in your organization. To do this, click Internal networks.
Action
Delete: Panda GateDefender Performa deletes the message. For SMTP, Panda GateDefender Performa will completely delete it. For the rest of the mail and news protocols, a message can be inserted in the subject and body of the original message. Enable the checkboxes for each option and enter the text that you want to insert in either the subject or message body.
Flag message subject and body: The message will be flagged and a text will be added to the subject and/or body of the message indicating that it is phishing. Enable the corresponding checkboxes for each option and enter the text you want to insert in either the subject or message body. Redirect the message: The suspicious message will be redirected to the email address entered in the textbox corresponding to this option. Enter the email address to which you want to redirect the message. Click Mail server settings to specify the SMTP server that will be used to redirect mail. For more information about configuring the mail server, click here. Enable the corresponding checkboxes for each option and enter the text you want to insert in either the subject or message body.
Messages will only be redirected for SMTP. For the rest of the mail and news protocols a copy will be sent to the address specified in the associated textbox.
Let it through, just generate report: Lets the file through and generates a detection report.
To access the protection against other security risks settings, click the Settings menu of the main console window, and select Other risks. The Panda GateDefender Performa protection against other risks keeps your organization safe from hacking, security risks caused by certain applications and potentially unwanted programs.
The same protocols as those configured for the antivirus protection will be scanned by the protection against security risks.
This protection is enabled whenever the antivirus protection is enabled, so that your organization will always be protected against these kinds of threats.
To access the trusted sites and domains settings, click the Settings menu in the main console, and in Protection > Anti-malware select Trusted sites and domains.
Sometimes, the traffic sent from certain servers, computers or domains is reliable enough to be excluded from the scans. By excluding this traffic from the anti-malware scans, the workload of Panda GateDefender Performa is reduced and its performance is optimized. You can create a list of servers, websites, domains, subdomains, IP addresses and ranges that will be excluded from the scans. This action will apply to all protocols. To do this:
1. Click the Settings menu in the main Console screen.
2. Go to Protection > Anti-malware and click Trusted sites and domains. This shows the trusted sites and domains configured to date.
3. To add a new domain, subdomain, range, etc., include it in the New box and click Add. In the case of IP addresses, you can use the CIDR format, and for sub-domains, you can use wildcards. The updated list will be displayed in the box.
4. To delete any item, select it and click Delete.
After you have completed these steps, Panda GateDefender Performa will not scan traffic from those domains, servers or computers for malware.
domain.com).
HTTP/S and FTP protection settings Mail and news protection settings. Trusted sites and domains
To access the HTTP/S and FTP protection settings, click the Settings menu of the main console window, and select Content Filter > HTTPs and FTP.
The Content Filter HTTP/S and FTP protection allows you to control the files that can or cannot enter your organization through HTTP/S and FTP.
Files to scan
Select Enable the content-filter HTTP/S and FTP protection to use this powerful content filter. For more information about configuring the files to scan, click here.
Traffic to scan
You can choose which traffic to scan. Enable the checkbox for the corresponding protocols: HTTP, HTTPS and FTP.
Filters
Select Enable file filter. For more information about configuring the file filtering, click here. Select Enable HTML page filter if you want to delete items that could be dangerous from HTML files. If this filter is enabled, you can also configure it to Delete embedded scripts in the code of HTML pages or Delete references to external scripts. If you selected Delete embedded scripts, click Settings to configure this option.
If you want to import a list of files for the same purpose, click on Import list and select the file to import. To delete a file from the list of exclusion, click on the file and then on Delete.
To export your list of exclusions, click on Export list. Click on Clear list to delete all the files from the list, leaving it blank.
Remember that for this protection to operate correctly, it is important to define the internal networks in your organization. To do this, click Internal networks. For more information about configuring the filter of attachments, click here.
Filters
The message filter allows you to filter messages by their characteristics and delete potentially dangerous content: Enable message filter. The attachment filter scans and filters potentially dangerous items that could be included in email messages and allows actions to be taken on them or on the messages carrying them. For more information about configuring it, click here. Enable attachment filter. For more information about configuring it, click here.
Anomalies
Certain programs or computer systems have flaws that could be exploited. Panda GateDefender Performa protects your network from these types of vulnerabilities through its content-filter protection.
1. Select Detect malformed messages to detect messages that do not meet messaging standards and could, therefore, pose a threat to your organization.
2. Select the action to take if one of these messages is detected. The drop-down menu offers the following actions:
o Delete message. For SMTP, messages will be completely deleted. For the rest of the protocols, the texts in the message that the original recipient will receive will be replaced. You can configure the replacement text by clicking on the associated link.
o Redirect the message. For SMTP, messages will be redirected to the Address configured. You can modify this address by clicking on the link. For the rest of the protocols, a copy will be sent to the previous address and the texts in the message that the original recipient will receive will be replaced. You can configure the replacement text by clicking on the associated link.
o Let it through, just generate report: Lets the file through and generates a detection report.
o Send it to quarantine. You can configure automatic sending to quarantine.
3. Enable Block partial messages. Allows you to detect partially received messages, which can pose a threat due to a possible vulnerability in mail programs. If a partial message is detected, the content will be replaced with a warning.
Check Delete embedded scripts to delete potentially dangerous code inside messages. Click on Settings... to customize the filter.
Check Delete only references to external scripts to delete only the references to scripts outside the message.
Check Delete all external references to delete all the external references. Click on Settings... to customize the filter.
Number of recipients
Many spam messages can be identified by the high number of recipients they are sent to. Content-filter allows you to control the number of recipients of a message, deleting messages that exceed the maximum established. To do this:
1. Check Maximum number of recipients for inbound mail and enter the maximum number you want.
2. Check Maximum number of recipients for outbound mail and enter the maximum number you want.
Lets the file through and generates a detection report. Send it to quarantine.
Attachments will be deleted and a replacement text included in the message. You can configure the replacement text here. Additional settings can be configured for certain file types. If you have selected one of these types, the Settings button will be activated. Click this button to define the settings for this file type.
If the checkbox for a file type is disabled, the Settings button will not be available, even if this type of file allows additional settings to be defined.
To access the trusted sites and domains settings for the Content Filter, click the Settings menu in the main console, and select Content Filter > Trusted sites and domains.
Sometimes, the traffic sent from certain servers, computers or domains offers enough guarantees to be excluded from the Content Filter scans. By excluding this traffic from the Content Filter, the workload of Panda GateDefender Performa is reduced and its performance is optimized. In order to exclude trusted sites and domains from the Content Filter, follow the steps below:
1. Click the Settings menu in the console.
2. Go to Protection > Content Filter and click Trusted sites and domains.
3. HTTP/S and FTP protocols: use the New text box to enter domains and/or IP addresses (in CIDR format) whose traffic will not be filtered. You can use wildcards for sub-domains. Click Add.
4. Mail and News: you can enter domains and IP ranges. You can use wildcards for sub-domains. Use the New text box to enter IP addresses (in CIDR format) whose traffic will not be filtered. Click Add.
5. Trusted sites and domains added will be displayed in a list in the large box. To delete any of them, select them and click Delete.
6. If you want to import or export a list of domains or IPs, consult the section Import/Export files or lists.
After you have completed these steps, the Panda GateDefender Performa Content Filter will not scan traffic from those domains, servers or computers.
Introduction
Spam is unsolicited email. Panda GateDefender Performa includes several technologies for detecting spam:
o Signature-based detection
o Detection based on DNSBLs
o Anti-backscatter protection
o Open Relay Spam protection
To configure the detection based on DNSBL, the protection against unwanted notification messages and the Open Relay Spam protection, go to the advanced settings screen. In the current screen you can only configure the signature-based protection.
o Sensitivity of the scan to balance false positives against false positives.
o The action Panda GateDefender Performa must take when it detects spam.
o Configure the white lists and blacklists if necessary.
Not all detection technologies are available for all possible scans and protocols. Detection based on DNSBL, protection against unwanted notification messages and Open Relay Spam protection are only available for inbound SMTP traffic.
SMTP protocol
To enable anti-spam protection for SMTP:
1. Select the SMTP checkbox.
2. Then, select the option you want from the Traffic to scan menu:
o Inbound: enables detection of spam messages coming from the Internet.
o Outbound: enables detection of spam messages coming from the internal network.
o Inbound and outbound: enables detection of spam messages coming from the internal network and the Internet.
Click Save to store the traffic to scan settings. To go to the advanced SMTP anti-spam protection options, click here. If any of the protections enabled in the SMTP anti-spam protection advanced settings is incompatible with the selected traffic direction to scan, Panda GateDefender Performa will display a warning.
Sensitivity level
The sensitivity level of the anti-spam protection specifies the tolerance level of the protection to suspicious files. The higher the level of sensitivity, the higher the protection, but also the higher the risk of a legitimate message being classified as suspicious. Set the sensitivity level of the anti-spam protection by enabling the corresponding option (high, medium or low).
Delete: The suspicious file will be deleted.
o For SMTP: Panda GateDefender Performa will delete it completely.
o For the rest of the mail and news protocols: A text will be inserted in the subject of the original message.
o You can write the text that you want to appear in the message subject.
Redirect the message: The suspicious message will be redirected to the email address entered in the textbox associated to this option.
o Click Mail server settings to specify the SMTP server that will be used to redirect mail. For more information about how to configure the mail server, click here.
o For SMTP: Messages will be redirected to the address specified in the textbox.
o For the rest of the mail and news protocols: A copy of the message will be sent to the specified address and the text entered in the textbox will be inserted in the subject of the original message.
Let it through, just generate report: Allows you to let the message through, generating a detection report.
Send it to quarantine. You can configure automatic sending to Quarantine. You can write the text that you want to appear in the message subject.
These actions are applicable in the case of signature-based detection and Open Relay Spam protection. For the other detection technologies, Panda GateDefender Performa offers specific actions in the SMTP anti-spam protection advanced settings.
In order to remove a domain, IP address or address from one of the lists (white or black), select it and click the corresponding Delete button. Repeat these steps for all the items you want to remove. If you want to import the content of the list, click Import list and then select the file to import. To export a list, click Export. Click Save to save any changes.
Open Relay Spam protection Response to the sender in the event of blocked SMTP messages Protection against unwanted notification messages (anti-backscatter)
A DNS blacklist is a list of IP addresses of spammers recognized by the community. On receiving an email, Panda GateDefender Performa checks the IP address from which the message has been sent against the external DNSBL to determine if the message has been sent by a spammer or not, without having to analyze the content of the message itself. That is why classification is much faster than with other methods implemented in Panda GateDefender Performa. DNSBL is a complementary technology that works in conjunction with the other anti-spam modules.
The DNSBL lists are accessed through DNS requests. Check that your firewall allows Panda GateDefender Performa to communicate with external DNS servers.
Detection based on DNSBLs only works with inbound SMTP mail, so it is essential to indicate the internal networks of your organization so that Panda GateDefender Performa can distinguish between inbound and outbound traffic. If the internal networks in your organization are not defined, the DNSBL protection cannot operate.
To enable the DNSBL protection, select Enable detection by DNBLs and choose the action you want to take on this type of message from the drop-down menu. If you select Redirect or Let it through, just generate report, you can insert a text in the Subject field to help you identify the message. In the case of the Redirect option, specify the recipient's email address, and configure the mail server to be used. To do this, click Mail server settings.
The maximum response time of DNSBLs can be configured in Tools: advanced settings in the section SMTP settings Maximum time to reply to DNSBL queries. To remove a DNSBL, select it in the list and click Delete. If you want to prevent an IP address from being checked in the DNSBL servers, add the IP to the spam white list in the Anti-spam protection settings.
Determining the source IP address of the SMTP connection established between the sender MTA (which could be that of a spammer) and the recipient in your organization. If the IP address of the sender MTA belongs to a DNSBL it will be classified as a spammer and the mail received will be marked as spam.
Determining the IP addresses of the MTAs through which the message has passed before reaching the recipient server, as stored in the Received headers of each mail message.
With this option, Panda GateDefender Performa will not analyze the SMTP connection IP address, but will analyze the IP included in the Received header indicated in the console, determining if it coincides with any in the DNSBLs configured.
If Panda GateDefender Performa is installed behind the organization's MTA, check that it is correctly configured to include information about the IP address of the sender MTA in each email. Some badly-configured mail servers will only include the domain name without indicating the IP address; in this case Panda GateDefender Performa will display a warning indicating the reason for the failure in the DNSBL module. Analysis of the Received header of the message is necessary when Panda GateDefender Performa is situated in the organization's network in such a way that there is no SMTP communication with the MTA from which the message has been sent. Given that all MTAs include this information in each message, it is not possible to determine which of the available headers carries the useful MTA information, as the number of MTAs through which an email may pass until reaching the client is variable and depends on the network. There are therefore several general scenarios possible that will influence which Received header is considered:
Scenario 3: Panda GateDefender Performa behind the last MTA of 3 MTAs in relay
In this scenario, Panda GateDefender Performa has to analyze the message headers. The relevant header is the one introduced by the first MTA of the organization, as it is the only one that can determine the source IP address of the MTA which has sent the email. The third header is the one to consider, as each MTA enters its own header on top of the previous one. See image.
The blocking of messages through this detection system will be reflected in the spam report, including whether the detection has been through recommended or additional DNSBLs.
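The Received-header selection described above can be sketched as follows. This is an added example, not Panda's code: the message is a constructed sample for Scenario 3, `dnsbl.example` is a placeholder zone, all function names are hypothetical, and the reversed-octet query name is the usual DNSBL convention rather than something this guide specifies.

```python
import ipaddress
import re
from email import message_from_string

# An MTA normally records the peer address in square brackets.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: three organisation MTAs in relay (Scenario 3).
# Each MTA adds its header on top, so the third header from the top is the
# one written by the organisation's first MTA.
SAMPLE_MESSAGE = (
    "Received: from mta2.corp.example (mta2.corp.example [10.0.0.2])\n"
    "\tby mta3.corp.example with ESMTP; Mon, 1 Feb 2010 10:00:03 +0000\n"
    "Received: from mta1.corp.example (mta1.corp.example [10.0.0.1])\n"
    "\tby mta2.corp.example with ESMTP; Mon, 1 Feb 2010 10:00:02 +0000\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.25])\n"
    "\tby mta1.corp.example with ESMTP; Mon, 1 Feb 2010 10:00:01 +0000\n"
    "Received: from pc.sender.example (pc.sender.example [198.51.100.7])\n"
    "\tby mail.sender.example with ESMTP; Mon, 1 Feb 2010 10:00:00 +0000\n"
    "From: someone@sender.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed sample of the misconfiguration the guide warns about:
# the header names a domain but carries no IP address.
DOMAIN_ONLY_MESSAGE = (
    "Received: from mail.sender.example by mta1.corp.example;"
    " Mon, 1 Feb 2010 10:00:01 +0000\n"
    "\n"
    "body\n"
)


def received_ip(raw_message, position):
    """Return the IPv4 address in the Nth Received header (1 = topmost)."""
    headers = message_from_string(raw_message).get_all("Received") or []
    if not 1 <= position <= len(headers):
        return None
    match = BRACKETED_IPV4.search(headers[position - 1])
    if match is None:
        return None  # domain name only: nothing to check against a DNSBL
    try:
        return str(ipaddress.IPv4Address(match.group(1)))
    except ValueError:
        return None  # looked like an address but is not a valid one


def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup_plan(raw_message, position, zone, internal_networks, whitelist=()):
    """Return (query_name, reason); query_name is None when no lookup is made."""
    if not internal_networks:
        return None, "internal networks not defined"
    ip = received_ip(raw_message, position)
    if ip is None:
        return None, "Received header carries no IP address"
    if ip in whitelist:
        return None, "IP is in the spam white list"
    # Assumption: an internal address means the wrong header was selected.
    address = ipaddress.ip_address(ip)
    if any(address in ipaddress.ip_network(net) for net in internal_networks):
        return None, "address is internal, wrong Received header selected"
    return dnsbl_query_name(ip, zone), "query"


if __name__ == "__main__":
    for pos in (1, 3):
        print(pos, lookup_plan(SAMPLE_MESSAGE, pos, "dnsbl.example", ["10.0.0.0/8"]))
    print(lookup_plan(DOMAIN_ONLY_MESSAGE, 1, "dnsbl.example", ["10.0.0.0/8"]))
```

Selecting header 1 instead of header 3 yields the internal relay 10.0.0.2, so a wrong header position makes the DNSBL check examine the organisation's own relay instead of the sending MTA.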
FROM <> (empty) or MAILER-DAEMON or POSTMASTER.
MIME header Content-type=message/Delivery-status; report-type=Delivery-status;
Return-Path field: <MAILER-DAEMON> or <POSTMASTER> or empty
Backscatter
Backscatter is a technique which involves the receipt of an NDR (Non Delivery Report) for a message which has not really been sent. It is caused by a virus which has infected computers outside of the user's network. These viruses spoof the sender field ("From:") of an email message, selecting addresses at random from the infected computer's contact list.
Spammers also use backscatter techniques. They use legitimate users' addresses as the reply addresses of the spam messages they send. This way they can send hundreds or even thousands of email messages to the legitimate user's mail server.
To enable the anti-backscatter protection, select Enable anti-backscatter protection, and select the action you want to take on these types of messages. If you select Redirect or Let it through, just generate report, you can insert a text in the Subject field to help you identify the message. In the case of the Redirect option, specify the recipient's email address, and configure the mail server to be used. To do this, click Mail server settings.
If you select Delete, the option Reject message during connection will not be possible. Blocking of unwanted notification messages will be reflected in the spam report.
Then, select the method you want to use for this type of protection: BATV, or NDR restriction. Bear in mind that these methods are exclusive of each other. Backscatter diagram
In this diagram, destinatario@spam.com is the spam recipient and fake@caido.com is an existing but inaccessible domain.
How it works:
1. When sending a message, Panda GateDefender Performa transparently adds a tag in the MAIL FROM command of the SMTP session. This tag has the following format:
prsv=KDDDSSSSSS=user@dominio.com
o K is the key number. It is a number from 0 to 9. This means several keys can be generated with the same information.
o DDD is the number of days elapsed since 1970 (applying MOD 1000).
o SSSSSS is the value of the three first bytes of the SHA-1 HMAC encryption of the KDDD string.
As K is a number between 0 and 9 there are 9 different keys although only one of them is in the email.
2. If the MTA cannot deliver an email, it will generate an NDR for the source of the original message along with the tag.
3. Panda GateDefender Performa receives all messages that reach the MTA of the protected organization. The sequence of steps involved to check the authenticity is as follows:
o First it determines whether the message is an NDR or not (with the conditions described in the point above).
o If it is not an NDR, BATV is not applied and the message is delivered to the other modules: Anti-spam, Content-filter, Anti-malware, etc.
o If it is an NDR, the system checks for a tag. If there is no tag, it is marked as spam.
o If there is a tag, the following additional checks are made: The DDD value is extracted and compared with the current date. If the difference is greater than seven days it is rejected (a maximum of seven days difference with the original message is permitted). If the difference is less than seven days, the SSSSSS string is decrypted. The decrypted SSSSSS string must coincide with KDDD. If the decrypted SSSSSS string does coincide with KDDD, the message is taken as valid. If not, it is considered spam.
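The tagging and NDR checks described above, as an added example (not Panda's code). Assumptions: the secrets and their indexing by K are hypothetical, SSSSSS is hex-encoded, any one of the NDR conditions is enough, and because an HMAC cannot be decrypted the check recomputes SSSSSS from KDDD and compares it.

```python
import hashlib
import hmac
import re
import time

# Tag layout from the guide: prsv=KDDDSSSSSS=user@domain
TAG_RE = re.compile(r"^prsv=(\d)(\d{3})([0-9a-fA-F]{6})=(.+)$")
MAX_AGE_DAYS = 7
NDR_LOCAL_PARTS = {"", "mailer-daemon", "postmaster"}

# Constructed demo secrets, indexed by the key number K (an assumption).
SAMPLE_KEYS = {3: b"constructed-demo-secret-3"}


def day_field(now=None):
    """DDD: days elapsed since 1970, MOD 1000."""
    ts = time.time() if now is None else now
    return int(ts // 86400) % 1000


def mac6(secret, kddd):
    """SSSSSS: first three bytes of HMAC-SHA1 over the KDDD string, as hex."""
    digest = hmac.new(secret, kddd.encode("ascii"), hashlib.sha1).digest()
    return digest[:3].hex()


def tag_sender(address, keys, key_no, now=None):
    """Build the tagged MAIL FROM address for an outbound message."""
    kddd = f"{key_no}{day_field(now):03d}"
    return f"prsv={kddd}{mac6(keys[key_no], kddd)}={address}"


def local_part(address):
    """Lower-cased part before '@', with angle brackets removed."""
    return address.strip().strip("<>").split("@", 1)[0].strip().lower()


def is_ndr(mail_from, return_path=None, content_type=""):
    """Apply the NDR conditions listed in the guide (any one is assumed enough)."""
    if local_part(mail_from) in NDR_LOCAL_PARTS:
        return True
    if return_path is not None and local_part(return_path) in NDR_LOCAL_PARTS:
        return True
    ct = content_type.lower()
    return "message/delivery-status" in ct or "report-type=delivery-status" in ct


def check_inbound(mail_from, rcpt_to, keys, now=None,
                  return_path=None, content_type=""):
    """Return 'not-ndr', 'valid', or a 'spam:...' verdict for an inbound message."""
    if not is_ndr(mail_from, return_path, content_type):
        return "not-ndr"  # BATV not applied; other modules handle the message
    match = TAG_RE.match(rcpt_to.strip().strip("<>"))
    if match is None:
        return "spam:no-tag"
    k, ddd, mac = match.group(1), match.group(2), match.group(3).lower()
    # DDD wraps every 1000 days, so the age must be computed modulo 1000.
    age = (day_field(now) - int(ddd)) % 1000
    if age > MAX_AGE_DAYS:
        return "spam:expired"
    secret = keys.get(int(k))
    if secret is None:
        return "spam:bad-tag"
    if not hmac.compare_digest(mac6(secret, k + ddd), mac):
        return "spam:bad-tag"
    return "valid"


if __name__ == "__main__":
    sent = 19999 * 86400  # DDD = 999, one day before the counter wraps
    tag = tag_sender("user@dominio.com", SAMPLE_KEYS, 3, now=sent)
    print(tag)
    for days_later in (4, 7, 8):
        later = sent + days_later * 86400
        print(days_later, check_inbound("<>", tag, SAMPLE_KEYS, now=later))
```

Since SSSSSS covers only the KDDD string, a tag is not bound to the address it precedes, and 24 bits of MAC leave a non-negligible chance of a forged tag passing by guesswork.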
Conflict detection
If the MTA protected by Panda GateDefender Performa supports BATV (i.e. if the mail server already includes control tags and checks the validity of inbound NDRs), it is important not to overwrite these tags: if Panda GateDefender Performa overwrites the control tag included by the MTA, the message will be rejected by the MTA. Panda GateDefender Performa does not apply BATV if it verifies that outbound messages already have a tag. It also generates a system event and a warning in the Status page of the Web console.
Before enabling BATV, remember that:
1. You must have configured internal networks to be able to differentiate between inbound and outbound mail.
2. The traffic to analyze must be inbound or outbound.
3. It is incompatible to enable BATV in Panda GateDefender Performa and another internal mail server at the same time.
To restrict receipt of NDR messages by any of the IP addresses defined in your internal networks, select Restrict NDR reception to the following IP addresses. Use the buttons Add and Remove to configure the list of addresses, or Import and Export to import or export lists of addresses.
This option is disabled while traffic direction is outbound and the list of internal networks defined is empty.
To access the Web filter settings click the Settings menu in the main console window, and select IM/P2P/VoIP and Web filter > Web filter.
Through this filter, Panda GateDefender Performa lets you restrict access to certain content (URLs or Web pages) on the Internet. To do this, all URLs accessed through HTTP and/or HTTPS are scanned and blocked if they are restricted.
Unlike other anti-malware protection, Web filtering can be enabled even though the antivirus scan is not enabled. Through the Web filtering settings the administrator can:
Select the content to which access must be blocked.
Define a timetable for the restrictions. This can be done through the chart displaying the days of the week and the time. Click the cell corresponding to the day and time to allow/restrict.
Specify the URLs or websites that cannot be accessed under any circumstances (blacklist).
Specify the URLs or websites that can be accessed regardless of their content (white list).
Include a list of users exempt from the Web filter to which no access restrictions will be applied.
Web pages accessed for the first time figure as uncategorized until they are included in the Commtouch URL cache.
Possible actions
You can perform different actions on the restricted URLs or domains accessed by users:
Block access to the restricted page
If this checkbox is enabled, Panda GateDefender Performa will block access to the restricted URLs.
If this checkbox is not enabled, Panda GateDefender Performa will allow access to the restricted URLs, whether they appear in the blacklist or not. It will log the access in the Web filtering report if configured to do so.
Show a warning page instead
(If the option Block access to the restricted page is not selected, this option is disabled). Panda GateDefender Performa prevents access to restricted URLs and displays a screen that indicates the URL (variable %URL%) and the category (variable %URLCATEGORY%) under which the URL has been blocked. This warning page can be configured. To do this click Edit warning page.
The design of the page can be configured in Settings > System > Substitute page for HTTP/S, where you can choose from three types of design and add the company logo.
Users can automatically report false categorization to Commtouch through a simple link on the warning page. The report reaches the Web filter database and statistics are monitored from Panda Security to control the number of false positives generated by the Web filter.
White list
The Web filtering white list contains domains, sites or specific addresses which, even though they don't belong to a restricted category, must be accessible for the network users. To enable this Web filtering feature:
1. Enable the Enable use of the white list checkbox.
2. Configure the list by clicking on To configure this list, click here. A window will then open that allows you to define what domains or Web pages should be added to the white list.
To configure the Web filtering white list, you can add:
Full URL (www.domain.com/address): Only this address will be excluded from the filter (page, file or directory).
Website (www.domain.com): All of the addresses belonging to the site will be excluded from the filter (www.domain.com, www.domain.com/address_1, www.domain.com/address_2, etc.).
Domain or sub-domain (domain.com or subdomain.domain.com): All of the addresses belonging to all the websites in the domain or subdomain will be excluded from the filter (www.domain.com, www3.domain.com, XXX.domain.com/address). You can use wildcards to define subdomains.
When configuring the white list, you can use a wildcard provided that it is at the beginning of the string, followed by the dot. For example: *.panda.com. Or at the end, after the dot. E.g. www.panda.*
Blacklist
The Web filtering blacklist contains domains, sites or specific addresses which, even though they don't belong to a restricted category, must not be accessible for the network users. These will always be filtered, regardless of their category. To enable this Web filtering feature:
1. Enable the Enable use of the blacklist checkbox.
2. Configure the list by clicking on To configure this list, click here. When you do this, a window will open that allows you to define what domains or web pages should be added to the blacklist.
To access the IM/P2P/VoIP protocol filter settings, click the Settings menu in the main console window, and select IM/P2P/VoIP and Web filter > IM/P2P/VoIP filter.
Panda GateDefender Performa monitors and blocks access to instant messaging and file exchange protocols. Firstly, select Enable the P2P and messaging protocol filter.
Protection level
You can select different security levels in the filtering of protocols you want to restrict:
If you choose maximum level security, all traffic will be scanned in-depth to restrict the protocols that you have specified, regardless of the port used. This is the safest option, but it may reduce the performance of the appliance.
You can choose a mixed level. This analyzes the traffic in all ports, except those specified. For example, you can specify that traffic entering protocol ports http (80) or ftp (20) is not analyzed, so that traffic through these ports is not affected. If several ports are specified, they must be separated by commas.
To obtain maximum performance from the appliance, you can choose to scan traffic only in ports used frequently by the applications you want to restrict. Also, you can specify as many additional TCP or UDP ports as you like. If several ports are specified, they must be separated by commas. If the port that uses the restricted protocols is different from the normal or specified ports, the protocols cannot be effectively restricted.
4. Click Save.
5. The computer will appear in the list of computers excluded from filtering.
6. Repeat steps 2, 3 and 4 for each computer and subnet that you want to exclude from Web filtering.
Use the corresponding buttons to modify the list or remove any computers from it.
If when you enter an IP address you do not include the corresponding subnet details, the value 255.255.255.255 will ultimately be included, referring solely to this specific IP address.
Use the corresponding buttons to modify the list or remove any computers from it.
Managing settings
Panda GateDefender Performa lets you set up various configurations which can subsequently be applied to a protection profile. This lets you configure the protection you can apply to specific users, addresses or IP ranges, domains, email addresses and specific Web pages. This is an easier method of managing configuration by profiles. Simply define the configuration required and apply it to the protection profiles that you have already created. Follow these steps to set up a configuration:
1. In the main screen of the Web console, click Settings.
2. In Profiles, click List of settings. You will see the Settings manager window.
3. Click Add.
4. In the Edit settings window, specify the name with which you want to identify these settings.
5. Indicate the protection to configure (Anti-malware, Content Filter, Anti-spam and/or IM/P2P/VoIP and Web filter). You can use the Comments field to specify the details you create which will help you identify the configuration in the future.
6. Click Edit settings.
7. Set up the configuration you require for each of the protections specified.
8. Click Accept settings.
Once the required configuration has been set up, it can be modified or deleted by clicking Modify or Delete.
Edit Settings
Click the following links to find out more about the various protection settings:
Anti-malware protection Content Filter protection Anti-spam protection Web filtering IM/P2P/VoIP filter
You can use Panda GateDefender Performa to specify profiles for the protection you want to apply to users or user groups, IP addresses, domains, email addresses, specific websites, etc. Before a protection profile can be created, you must first have created a configuration in the Settings manager.
This will take you to the Protection profile manager screen with the following options:
Name: Descriptive name of the profile.
Apply to: This specifies the items to which the settings will be applied. Enable the checkboxes that you want to include in the settings. The options available are:
Users: Select one of the two options offered by Panda GateDefender Performa:
o User groups: This lets you apply a specific protection profile to the user groups or LDAP groups specified in the User management section.
o Sub-tree/individual users: If you have already specified an LDAP server, you can specify the branch of the hierarchy to which you want to apply the protection profile. In the BaseDN field, specify the DN of a container, or else the DN of a specific user.
IP/IP address group: Enable the checkboxes corresponding to the options you want to include in the configuration: IP/Source group and IP/target group. Each of these consists of a list from which you can select the IP address group to which to apply the protection profile. You must have created it in the IP address management screen.
Domains: Enable the checkboxes corresponding to the options you want to include in the configuration: Source Domain and Target Domain. Each of these consists of a list from which you can select the domains to which to apply the protection profile. You must have created it in the Domain management screen.
Email addresses: Enable the checkboxes corresponding to the options you want to include in the configuration: Email sender addresses, Email recipient addresses, Domain lists. Specify a list of addresses for each, separated by commas.
Settings: Select one of the configurations from the drop-down menu. Remember that you must first have set up a configuration in the settings manager.
Once you have configured the user, click OK to save the changes.
On occasions, the complexity and extension of the corporate networks Panda GateDefender Performa must protect in corporate environments require more than one appliance to be deployed and running. Panda GateDefender Performa's Web console allows you to manage the protection provided by the different appliances on the corporate network in a centralized way. In short, the centralized protection management in Panda GateDefender Performa lets you:
Select the appliances or groups of appliances to which you want to remotely and automatically establish and apply protection settings.
Select protection settings applicable to the different appliances.
Select different configuration profiles applicable to the appliances.
Monitor which settings and profiles have or haven't been applied to each appliance.
It is essential that all appliances whose protection settings will be managed centrally, have the same system version installed. By using this feature, you will not have to connect individually to each of the appliances every time you want to apply a protection configuration. You only have to enter the login details when you configure the appliances. Below you will find a summarized description of the screens you'll have to use to remotely and centrally manage the appliances deployed on your network. As you can see, the configuration is simple and intuitive:
group, etc., to which a certain configuration is applied (Example: blocking access to certain Web content to the group of IP addresses: 172.16.*.*).
List of appliances
These screens let you indicate which appliances or groups you want to manage. You can add new appliances or groups, modify them or delete them. You can change the structure of any group, adding or removing appliances. To access the List of appliances screen, click the Settings menu in the main console screen, and select Profiles > List of appliances.
Manageable appliances
In the Manageable appliances section you will see the appliances with their name and the console IP. To add a new appliance, click Add. In the Appliance details screen enter the data needed in order to manage an appliance remotely:
- Name: a name to identify the appliance.
- IP: IP address used to access the console.
- User: name of a user with full administration permissions.
- Password: user password.
- Group: group to which the appliance belongs. This parameter is optional.
- Comment: here you can add additional information. This field is optional.
Manageable groups
In the Groups of manageable appliances section you will see groups of appliances, the names of each appliance in the group and the IP address of the console of each appliance. To add a new group click Add. In the Group details screen, enter the data needed in order to manage a group remotely:
- Name: name identifying the group.
- Appliances in the group: the table shows appliances that are not assigned to any group. Use the checkboxes to select the appliances that will make up the group. Then click Save.
Once you have defined the appliances and groups of appliances you want to configure remotely in the List of appliances screen, you can assign and apply protection settings. If you want to create or edit protection settings to apply to managed appliances, use the Settings management screen. You may want to apply certain configuration profiles to appliances or groups of appliances. In this case, the Profile selection screen lets you select new profiles and assign them to appliances or groups of appliances. You can create or edit configuration profiles from the Create and modify profile settings screen.
When you click on the name of an appliance, you will access the corresponding Web console.
4. Click Modify to access the Centralized management screen.
5. In the Settings menu, select the settings to assign to the appliance.
6. Click Set.
The Apply button will only be visible when you select settings from the drop-down menu. If you want to send an associated settings profile instead, click Edit list to access the Profile selection screen.
When you click the triangle next to the group name, you will see the appliances in the group.
4. Click Modify to access the Centralized management screen.
5. In the Settings menu, select the settings to assign to the group.
6. Click Apply.
The Apply button will only be visible when you select settings from the drop-down menu. If you want to send an associated settings profile instead, click Edit list to access the Profile selection screen.
Profile selection
When you use the option in Panda GateDefender Performa, you may need a settings profile other than the one assigned to the appliance in the Assign settings to other appliances screen. You can use Profile selection to resolve this situation. To do this:
1. In the list of Profiles available, select the profile you want to add to the list of assigned profiles and click >>. It will be removed from the list of profiles available and added to the list of profiles assigned.
2. In the list of Profiles assigned, select the profile you want to remove from the list and click <<. It will be removed from the list of profiles assigned and added to the list of profiles available.
3. Click Save.
The new profile will appear in the list of profiles in the Assign settings to other appliances screen. You can create or edit configuration profiles from the Create and modify profile settings screen. As you can see in this screen, a profile specifies the user group, domains, IP/address group, etc., to which a certain configuration is applied (Example: blocking access to certain Web content to the group of IP addresses: 172.16.*.*).
System settings
General settings Introduction
Click the Settings menu in the main Console screen. In the System section, you will find the Panda GateDefender Performa general settings options:
- Access the console: This lets you define the configuration IP address, the time when the configuration console should disconnect automatically and management of permissions and passwords for using the console.
- System clock: Lets you set the system date and time.
- Explicit proxy: If Panda GateDefender Performa is not operating on the network infrastructure along with a proxy, you will have to enable the internal (explicit) proxy for the various HTTP/HTTPS protection profiles depending on the user.
- HTTPS connections and certificates: To manage HTTPS traffic and scan it for malware, Panda GateDefender Performa has to establish connections that require authentication and certificates.
- Advanced settings
- Quality of Service (QoS) settings: Panda GateDefender Performa has a Quality of Service feature aimed at ensuring that traffic flow reaches its destination with certain levels of performance and minimum delays.
In this screen you can configure different general aspects of the console, such as:
Users
You can configure the users that can access the Web console, their passwords and permissions. You can add new users and edit existing ones, selecting them and then clicking the corresponding buttons. This will take you to the Edit user screen.
The default user cannot be deleted and its permissions cannot be changed.
Configuration IP
- Configuration IP address. This IP address is vital for accessing the console (not remote). This address must be unique within the organization. The default IP is 172.16.1.1 and the default net mask is 255.255.255.0.
- The subnets or IP addresses from which users can access. Select Access is only available from the following IPs or subnets. Use the corresponding buttons to add, modify or remove IPs and subnets.
Editing users
Panda GateDefender Performa lets you change the user name and password for logging into the Web administration console. It also lets you assign different permissions to each user, depending on the specific needs of your organization. Users will be able to access functions in accordance with the specific permissions they have. Panda GateDefender Performa will ask for a user name and password whenever anyone accesses the Web administration console. The default user is defaultuser and the default password is defaultpass. It is advisable to change these details, at least the first time you access the Web administration console. For security reasons, the default user cannot be deleted and its Complete Administration permissions cannot be changed. Enter the following data:
1. User name.
2. Password (twice). Remember that:
- The password must be 6 to 12 characters long (numbers and/or letters).
- Panda GateDefender Performa does not allow you to copy and paste.
- The feature in some browsers that allows you to save previously entered data is disabled.
- If you lose or forget these details, you can recover the factory settings.
3. Permissions. In corporate environments there may be several users that need to access the console, and each of them may need different permissions depending on the tasks they have to carry out. Panda GateDefender Performa includes four types of permissions:
- Monitoring: Users have permission to access the Status, Reports and Services screens.
- Protection settings: Users have permission to access the Protection settings, Definitions, Profiles, Quarantine and Warnings screens.
- Complete administration: Users can access all console functions, including Updates, License management and Tools.
If all three checkboxes are selected, the user will have Complete administration permissions.
- Configuration IP address. This is the IP address that must be used to access the settings web console.
- Network IP address. This is the IP address that Panda GateDefender Performa uses to establish connections (to update, send warnings, etc.). It is configured through the System settings - Network environment window.
All Panda GateDefender Performa units are configured with the same configuration IP address by default. You can change it, but bear in mind that if you forget it, you won't be able to access the settings web console unless you restore the factory settings of the appliance.
For information about the factory settings, click here. What's more, this configuration IP address must not be in use by any other device in the network. If several Panda GateDefender Performa units are connected in parallel, set a different, unique configuration IP address for each of them. After setting the configuration IP address, you can access the appliance from both sides of Panda GateDefender Performa, as you can access the console through this IP address or through any of the network interface cards of Panda GateDefender Performa.
Enable the Automatically disconnect the Web console after XX minutes of inactivity checkbox in the System settings screen. In the textbox, enter the number of minutes before the Web console will disconnect.
After completing these steps, the console will stop functioning if no operations are carried out for the specified period of time. If this happens, in order to use the console again, you will have to log on again.
Panda GateDefender Performa offers three operational modes:
1. Normal or isolated
2. High availability
3. Load balancing
Normal
In normal mode, a single appliance protects the internal network. Both outbound traffic (originating from the internal network) and inbound traffic (originating from the external network) pass through it and are filtered.
Load balancing
Load balancing allows the workload to be shared between several Panda GateDefender Performa units. This provides better performance and fault tolerance. By using this system, if one of the units fails, the rest will take care of the workload automatically. The time that passes between one unit failing and the rest taking over its workload is no longer than fifteen seconds. So that load-balancing appliances can communicate with each other, an IP multicast is required, meaning that all appliances must have their configuration interfaces on the same subnet. When a new appliance is installed and configured on a load-balancing cluster, Panda GateDefender Performa detects it automatically and re-organizes load-balancing depending on the new total number of appliances in the cluster.
High availability
If load-balancing is disabled, Panda GateDefender Performa allows appliances to operate in high availability mode when connected in parallel. In this case it will not be necessary to use the IP multicast, as the appliances do not communicate with each other.
Both load balancing and high availability require the bypass mechanism to be disabled in those appliances with these types of cards.
Bypass
The appliance network cards offer bypass functions, so that:
- Without bypass or with bypass disabled: If the appliance is switched off (e.g. if the power supply is interrupted) or restarted (system or service restart), traffic cannot continue to pass through it. The connection with the external network will be cut off.
- With bypass enabled: If the appliance is switched off or restarted, bypass will be activated with the advantage that traffic will continue to pass through, but without being filtered.
On activating high-availability or load balancing, the bypass function will be disabled. This avoids loops on the network.
STP (Spanning Tree Protocol)
Spanning Tree Protocol is a data link level protocol (OSI level 2) that avoids creation of network loops. Panda GateDefender Performa supports this protocol, as it could be necessary to install appliances in parallel (high availability and load balancing):
- If there are already devices on the network that support STP, it will not be necessary to enable STP on the appliances.
- Otherwise (if there is no device with STP on the network on which the appliances are installed), you will have to enable STP.
To enable STP, go to Settings > System > General > Advanced settings. In the General settings section, select the checkbox Enable support for STP (Spanning Tree Protocol). Support for STP is enabled by default.
It is always advisable to check with the support service before changing any feature in the Advanced settings screen.
At the bottom of the screen there is a list of load-balancing cluster units. A change to the operational mode of an appliance (slave or master) generates the corresponding system event.
To access the console of any appliances in the cluster, click on the name of the appliance. For load-balancing to take effect, the Enable load-balancing checkbox must be selected in all appliances.
Load balancing
Load balancing operation
Load balancing enables Panda GateDefender Performa to increase the availability and capacity of the protection. By spreading the load, more connections can be scanned.
Of all the traffic intercepted by the appliance/master node, a certain amount will be 'balanced' among the slaves, which will perform the scans. The load is balanced equally, and distributed so that all nodes have an equal level of occupation. If the master node should crash, one of the slaves will take over its functions, continuing to scan and protect the network.
Multicast
To perform load balancing and maintain communication between the nodes, multicast is required. Multicast addressing allows information to be sent across a network efficiently to a group of recipients (without broadcasts). For this a group multicast address is needed, through which the nodes send and receive data. Multicast diagram (a network node sends data to other nodes):
In Panda GateDefender Performa you can configure this group (cluster) IP address. The IP address range is (RFC 3171): 224.0.0.0 - 239.255.255.255. By default, the IP address of the cluster configured in the appliances is 239.0.0.1.
Load-balancing deployment
Deployment of load-balancing involves the following steps:
1. Install/configure the necessary switches on the network
2. Install the first node
3. Configure the system in the node (name, IP addresses, etc.)
4. Connect to the network
5. License
6. Configure the protection (anti-malware, anti-spam, Content Filter, etc.)
7. Enable load balancing
To complete the deployment:
1. Go to the Settings menu.
2. In the System section, in the General sub-section, click High availability/Load-balancing.
3. Enable the Enable high availability checkbox.
4. Enable the Enable load-balancing checkbox.
5. Configure the cluster multicast IP address.
6. Click Save.
7. Install the second node.
8. Configure the system.
9. Connect to the network.
10. License.
11. Configure the protection settings identically as for the first node (if you use QoS, enable it and configure it exactly the same as in the first node).
After having configured the first node, you can send the settings information to the other nodes.
Enable load-balancing (so that the appliances can communicate, the multicast IP address of the cluster must be the same in all nodes).
Master node name: node-A
- Network IP address of the master node: 192.168.1.1/24
- Configuration IP address of the master node: 172.16.1.1/24
- Default gateway: 192.168.1.100
- Multicast IP of the cluster: 239.0.0.1
Slave node name: node-B
- Network IP address of the slave node: 192.168.1.2/24
- Configuration IP address of the slave node: 172.16.1.2/24
- Default gateway: 192.168.1.100
- Multicast IP of the cluster: 239.0.0.1
The protection settings must be exactly the same in all nodes. Load-balancing must be enabled in all nodes.
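The cluster constraints stated above (one shared multicast group inside 224.0.0.0 - 239.255.255.255, configuration interfaces on one subnet, a unique configuration IP per unit, load-balancing enabled and bypass disabled on every node) can be checked against a deployment plan before the nodes are connected. The following Python check is an added example, not part of the guide or the product; the node dictionary layout, the finding codes and the function name are assumptions made for the illustration.

```python
import ipaddress

# Range the guide gives for the cluster multicast address
# (224.0.0.0 - 239.255.255.255).
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


def check_cluster(nodes):
    """Return (code, detail) findings for a planned load-balancing cluster.

    Each node is a dict whose layout is an assumption of this example:
    name, config_ip (CIDR), multicast, load_balancing (bool), bypass (bool).
    """
    findings = []
    config = [(n["name"], ipaddress.ip_interface(n["config_ip"])) for n in nodes]

    # Every node must use the same multicast group, and the group must
    # actually be a multicast address.
    groups = sorted({n["multicast"] for n in nodes})
    if len(groups) > 1:
        findings.append(("multicast-mismatch", ", ".join(groups)))
    for group in groups:
        if ipaddress.ip_address(group) not in MULTICAST_RANGE:
            findings.append(("multicast-out-of-range", group))

    # Multicast between nodes needs all configuration interfaces on one subnet.
    subnets = sorted({str(iface.network) for _, iface in config})
    if len(subnets) > 1:
        findings.append(("config-subnet-mismatch", ", ".join(subnets)))

    # The configuration IP must be unique per appliance; units ship with
    # the same default, so a forgotten change shows up here.
    owner = {}
    for name, iface in config:
        if iface.ip in owner:
            detail = f"{iface.ip}: {owner[iface.ip]}, {name}"
            findings.append(("duplicate-config-ip", detail))
        else:
            owner[iface.ip] = name

    # Per-node switches: load-balancing on everywhere, bypass off everywhere.
    for n in nodes:
        if not n["load_balancing"]:
            findings.append(("load-balancing-disabled", n["name"]))
        if n["bypass"]:
            findings.append(("bypass-enabled", n["name"]))
    return findings


# Values from the guide's two-node example; the bypass flag is assumed off.
GUIDE_CLUSTER = [
    {"name": "node-A", "config_ip": "172.16.1.1/24", "multicast": "239.0.0.1",
     "load_balancing": True, "bypass": False},
    {"name": "node-B", "config_ip": "172.16.1.2/24", "multicast": "239.0.0.1",
     "load_balancing": True, "bypass": False},
]

# Constructed misconfiguration: second node left on the default configuration
# IP, a different multicast group, load-balancing off and bypass on.
BROKEN_CLUSTER = [
    GUIDE_CLUSTER[0],
    {"name": "node-B", "config_ip": "172.16.1.1/24", "multicast": "239.0.0.2",
     "load_balancing": False, "bypass": True},
]

if __name__ == "__main__":
    for label, cluster in (("guide", GUIDE_CLUSTER), ("broken", BROKEN_CLUSTER)):
        print(label, check_cluster(cluster) or "ok")
```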
The Status screen will indicate that the appliance is in load-balancing mode. The list of cluster nodes will also appear. In the High availability/Load-balancing settings screen there is a table with the cluster nodes (indicating the IP of each node and whether it is a master/slave).
High availability
High availability mode
This operational mode improves the availability of the protection offered by Panda GateDefender Performa. High availability mode operates with an active node (through which traffic passes) and one or more passive nodes (through which traffic will pass if the active node fails).
Under normal circumstances (with the active node operating), traffic will be filtered by this node and the passive node will not take any action. If the system or services are restarted in the active node, or if the appliance is switched off, the passive node will take care of the filtering.
To complete the deployment:
1. Go to the Settings menu.
2. In the System section, in the General sub-section, click High availability/Load-balancing.
3. Enable the Enable high availability checkbox.
4. Click Save.
5. Install the second node.
6. Configure the system.
7. Connect to the network.
8. License.
9. Configure the protection settings identically as for the first node (if you use QoS, enable it and configure it exactly the same as in the first node).
After having configured the first node, you can send the settings information to the other nodes.
System clock
In this window, apart from showing the date and time of the appliance, you can also set it (in 24-hour format). First of all, the screen shows the system date and time: Then, Panda GateDefender Performa allows you to set the date and time of the appliance. To do this, specify:
- The Date format: either day/month/year or month/day/year.
- The Time zone.
- Manual setting. You can manually edit the date and time.
- Automatic setting using NTP. Enter the address/URL of the NTP server.
Explicit proxy
If Panda GateDefender Performa is not operating on the network infrastructure along with a proxy, you will have to enable the internal (explicit) proxy for the various HTTP/HTTPs protection profiles depending on the user. As with a normal proxy, the user must be included in one of the local or remote groups (LDAP servers) defined in Panda GateDefender Performa. The protection profile will be defined by the group to which the user belongs. The user must be able to authenticate in the Panda GateDefender Performa internal proxy. Although this authentication is optional, it is required in order to apply the profile. To access the internal proxy, the IP of the user must belong to one of the internal networks configured in Panda GateDefender Performa.
Restricted access attempts generate a system event which can be seen in the Security reports screen. In the Warnings settings screen you can configure this event to be notified to a remote Syslog server.
To enable the explicit proxy you must have previously configured the internal networks.
Firstly, select Enable operation as proxy for HTTP/HTTPS. Then configure the proxy IP, the network mask, and the HTTP and HTTPS ports on which the proxy will listen.
If you configure the proxy with an IP that already exists on the network, a duplicate IP event is generated, which you will see in the System Report screen, and a warning that will appear in the Status screen. Select the Use authentication checkbox and click Select users to configure the groups that can use the internal proxy. It is also possible to enable a page cache to increase browsing speed (the cache size is 1024 MB). Use the Clear button to empty the cache.
Panda GateDefender Performa can scan encrypted HTTPS traffic for malware, in the same way as for HTTP. This HTTPS traffic is basically HTTP traffic across a secure TLS channel (Transport Layer Security, previously SSL). One of the phases for establishing the TLS channel is the authentication of the server's identity. This authentication is based on digital certificates signed by a certification authority. In order for the encrypted traffic to be scanned in Panda GateDefender Performa, two encrypted connections must be established: one between the client and Panda GateDefender Performa, and the other between the appliance and the server. Without the interception by the appliance, there is only an encrypted connection between the client and the server. This type of connection means that not only does Panda GateDefender Performa have to authenticate the server, but the client will also authenticate Panda GateDefender Performa. In effect, Panda GateDefender Performa authenticates as if it were the server delivering the page in question. All of this requires management of digital certificates and certification authorities, which can be done in the Panda GateDefender Performa Web console, through Systems > General > HTTPS connections and certificates.
Normally, servers are authenticated by the client browser, although in some rare cases, a server may require authentication of the client. This represents a limitation for Panda GateDefender Performa, because client authentication cannot be handled by the transparent interception. However, it is possible to use IP white lists, so that traffic is not intercepted.
By enabling the corresponding checkboxes, you can prevent connections for either of these two situations:
- Don't allow connections with servers with invalid certificates for Panda GateDefender Performa: The certificate presented by the server must be signed by one of the certificate authorities configured in GateDefender. If this condition is not met, the corresponding system event will be generated, and will be visible in the System events screen.
- Don't allow expired certificates: Do not allow connections if the certificate is expired. If this condition is not met, the corresponding system event will be generated, and will be visible in the System events screen.
Panda GateDefender Performa lets you define a list of domains, sites or specific pages for which the validity of the certificate will not be checked. To apply this white list click Enable use of the white list, and you will go to the HTTPS URL white list screen where you can define the list.
Certification authorities
Internal certification authorities for signing certificates
This certification authority will be used by Panda GateDefender Performa for generating certificates that will be sent to end users. You can download the corresponding certificate for users to install in their browsers to prevent them from getting SSL security warnings. The file extension is .crt to ensure compatibility with Internet Explorer. You can import a certification authority certificate to use to generate certificates. In this case you will have to import the private key (RSA or DSA) used to sign them.
You can either download a new internal certification authority or edit an existing one. Either option, in the case of appliances operating in load-balancing mode, means that this change will have to be exported to the other units, to avoid having to install different certificates on clients for each appliance.
The Export private key button will only be enabled when modifications have been made to the default certification authority. If you click Restore, the default settings will be restored. You will then have to import the private key (previously exported from another Panda GateDefender Performa) and the certification authority certificate in each of the appliances. Use the Modify button to change the internal certification authority, editing the corresponding data.
Advanced settings
The parameters on this page must not be modified unless specifically requested by our technical staff. If this is necessary, they will explain the steps to follow.
Panda GateDefender Performa has a Quality of Service feature aimed at ensuring that traffic flow reaches its destination with certain levels of performance and minimum delays. Panda GateDefender Performa bases this function on the assigning of bandwidth to interface outputs.
For the correct operation of QoS in Panda GateDefender Performa, the external interface or NIC1 must be connected to the external network (the Internet, for example), while the internal interface or NIC2 must be connected to the internal network (the corporate network for example).
Appliance connection
The most basic way of administering QoS in Panda GateDefender Performa is the configuration of bandwidth for each interface.
Downstream traffic goes from the external network to the internal network, passing through NIC1 as inbound traffic, and then through NIC2 as outbound traffic. Upstream traffic goes from the internal network to the external network, as inbound traffic in NIC2 and outbound traffic in NIC1. Panda GateDefender Performa lets you set the outbound bandwidth for NIC1 and NIC2 (marked in orange):
- When you set the maximum outbound traffic in NIC1 this restricts the amount of traffic going to the external network.
- When you set the maximum outbound traffic in NIC2 this restricts the amount of traffic going to the internal network.
Existing network
- LAN at 100 Mbps
- ADSL with download speed of 6 Mbps and upload of 1 Mbps
Settings:
To achieve greater control over QoS, you can also use these settings, through which you can define the rules for managing outbound traffic in the external interface or NIC1:
Using these settings has the advantage that you can add rules, favoring certain types of outbound network traffic. Protocols and the source IP of data packets (which circulate from the internal network to the external network) are used to classify traffic flows. These flows can be assigned guaranteed bandwidth. Even if all outbound bandwidth is occupied, if there is guaranteed bandwidth for an IP address/protocol, this will be reserved for the IP/protocol. It is also possible to define maximum bandwidth, thereby controlling the amount of bandwidth for a certain protocol or group of IPs, leaving bandwidth free for other traffic. Finally, traffic priority is a factor to bear in mind for unused bandwidth.
HTTP traffic is considered of low importance and is to be restricted, except for the computer with the IP address 192.168.1.112, for which it has high importance.
Existing network:
Upload BW of the external link: 1024 Kbps
QoS settings:
- Maximum outbound traffic for the external interface (NIC1): 1024 Kbps
- Maximum outbound traffic for the internal interface (NIC2): 100 Mbps
- Reserved bandwidth: 5 %
The following rules are created:
Rule  Source IP          Protocol  Guaranteed BW  BW limit     Priority
1     192.168.1.112/32   HTTP      300 Kbps       Not limited  High
2     192.168.1.0/24     HTTP      None           200 Kbps     Low
3     192.168.2.0/24     HTTP      None           200 Kbps     Low
4     Any                SMTP      400 Kbps       Not limited  Medium
5     Any                POP3      100 Kbps       Not limited  Medium
Rule 1
Provides guaranteed BW of 300 Kbps to HTTP traffic originating from IP 192.168.1.112. It will also have high priority in order to get any free BW if required.
Rule 2
For the rest of the subnet 192.168.1.0/24, the HTTP traffic has no guaranteed BW and will be limited to 200 Kbps. The priority will be low so that it does not compete for free BW.
Rule 3
For the whole 192.168.2.0/24 subnet, the procedure is the same as the previous rule, limiting HTTP traffic to 200 Kbps and assigning low priority.
Rule 4
SMTP traffic, whatever the origin, is guaranteed 400 Kbps (outbound) and will have medium priority.
Rule 5
POP3 traffic, whatever the origin, is guaranteed 100 Kbps (outbound) and will also have medium priority.
The buttons to the side of the box let you move the selected rule up and down. The rules are applied in accordance with the order in which they are listed.
In this scenario, rule 1 should be listed before rule 2, so that it discriminates traffic originating from the computer or host 192.168.1.112.
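Why the order matters can be seen by modelling the five rules of this scenario and classifying traffic against them in list order. The following Python sketch is an added example, not the appliance's own code; it assumes first-match semantics (the first listed rule that matches a flow decides its treatment), which is how the ordering note above reads, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                  # CIDR, or "any"
    protocol: str
    guaranteed_kbps: int         # 0 = no guaranteed bandwidth
    limit_kbps: Optional[int]    # None = not limited
    priority: str

    def network(self):
        cidr = "0.0.0.0/0" if self.source == "any" else self.source
        return ipaddress.ip_network(cidr)

    def matches(self, src_ip, protocol):
        return (protocol == self.protocol
                and ipaddress.ip_address(src_ip) in self.network())


# The five rules of the scenario, in the order the guide recommends.
SCENARIO_1 = [
    Rule("rule 1", "192.168.1.112/32", "HTTP", 300, None, "high"),
    Rule("rule 2", "192.168.1.0/24", "HTTP", 0, 200, "low"),
    Rule("rule 3", "192.168.2.0/24", "HTTP", 0, 200, "low"),
    Rule("rule 4", "any", "SMTP", 400, None, "medium"),
    Rule("rule 5", "any", "POP3", 100, None, "medium"),
]


def classify(rules, src_ip, protocol):
    """Return the first rule matching the flow, or None (assumed first-match)."""
    for rule in rules:
        if rule.matches(src_ip, protocol):
            return rule
    return None


def shadowed(rules):
    """List (later, earlier) pairs where an earlier rule for the same protocol
    covers the whole source range of a later rule, so the later one never fires."""
    pairs = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            same_protocol = earlier.protocol == later.protocol
            if same_protocol and later.network().subnet_of(earlier.network()):
                pairs.append((later.name, earlier.name))
                break
    return pairs


if __name__ == "__main__":
    # Constructed mis-ordering: the subnet-wide rule listed before the host rule.
    swapped = [SCENARIO_1[1], SCENARIO_1[0]] + SCENARIO_1[2:]
    for label, rules in (("recommended", SCENARIO_1), ("swapped", swapped)):
        hit = classify(rules, "192.168.1.112", "HTTP")
        print(label, "->", hit.name, hit.priority, "shadowed:", shadowed(rules))
```

With the two HTTP rules swapped, host 192.168.1.112 falls under the subnet-wide 200 Kbps limit and rule 1 is reported as shadowed.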
Scenario 2: Web
There is an internal network from which outbound Web (HTTP, HTTPS) traffic originates and traffic that does not conform to the rules.
HTTP and HTTPS traffic is considered important and there is a lesser volume of traffic from other protocols which is given less importance.
Existing network
Upload BW of the external link: 512 Kbps Download BW of the external link: 100 Mbps
QoS settings
(must be adjusted to the previous BW) Maximum outbound traffic for the external interface (NIC1): 512 Kbps Maximum outbound traffic for the internal interface (NIC2): 100 Mbps Reserved bandwidth: 5 %
Rule 1
Guaranteed BW of 200 Kbps to HTTP traffic. It will also have high priority in order to get any free BW if required.
Rule 2
Guaranteed BW of 200 Kbps to HTTPS traffic. It will also have high priority in order to get any free BW if required.
The rest of the traffic will have medium priority, and so will not compete for free BW.
Configure the Panda GateDefender Performa network environment (IP address, net mask, default gateway, proxy server IP address and the DNS servers) to access the Internet in the same way as Internet access for any other computer in the same subnet is configured. To check the factory settings of Panda GateDefender Performa, click here. After configuring these parameters, Panda GateDefender Performa will be able to:
- Connect to the Internet to look for updates.
- Send warnings to any computer.
- Download the license file, etc.
Check that the data entered is valid and coherent; otherwise Panda GateDefender Performa will not be able to establish the connections it needs to operate correctly. Enter the following data:
- Panda GateDefender Performa name
- Network data
- Additional routing table
- DNS Servers
- Internet access via HTTP proxy
- Virtual MAC addresses
Network data
Data (network IP address, net mask and default gateway) used by Panda GateDefender Performa to connect to the Internet. As it works like a bridge, the appliance only needs one network IP address, which it uses to establish connections through any of its network interface cards. The appliances use the network interface card that is connected to the network in which the target of the connection is located.
DNS servers
IP addresses of the primary and secondary DNS servers that Panda GateDefender Performa must use to resolve domain names and IP addresses. You can specify the preferred DNS servers and up to two alternative DNS servers, which will be used if it is not possible to connect to the preferred server because it cannot be found or because it returns an error.
The appliances are configured with a default DNS server that you can change to include the IP addresses of the DNS servers that you want to use.
Network interfaces
Panda GateDefender Performa, by default, has the network cards in Autonegotiation mode and Autonegotiation speed. It is not advisable to force them to function in a specific mode (half-duplex or full-duplex) or at a specific speed (10 Mbps, 100 Mbps, 1 Gbps).
However, if really necessary, you can configure the network interface card operational mode and speed. The options are:
- AutoSensing/Autonegotiation. This is the recommended, default mode. If you select this option, Panda GateDefender Performa assigns the autonegotiation value to the operational mode and the speed at which the network interface works.
- Full-duplex. Communication mode in which nodes can simultaneously send and receive data between one another. Full-duplex communication usually requires you to control the traffic flow in order to ensure that none of the devices send out data faster than the other can receive it.
- Half-duplex. Communication mode for transmitting data between two points in just one direction at a time (either of the two). This means that data cannot be sent and received at the same time, which is possible with full-duplex communications.
When using a hub to interconnect several devices, all should be functioning in the same mode (half-duplex or full-duplex). If they work in different modes, communication between them will not be effective. In these circumstances, forcing cards to work in full-duplex or half-duplex mode could cause problems, considerably reducing network and appliance performance. However, when switches are used to connect devices, each device can work in a different mode.
You also have the option to configure a set speed at which the network interface card should work. This can be done provided that the Autonegotiation option is not selected in Mode. The following speeds are available:
- 10 Mbps.
- 100 Mbps.
- 1 Gbps.
In most cases the default mode (AutoSensing / Autonegotiation) is the most appropriate.
If you select Auto negotiation mode, you will not be able to configure the fixed speed of the network cards, as this option affects both cases.
The system uses the standard port for intercepting and filtering the traffic for each protocol. However, you can also enter additional ports for each protocol. To access the Port settings screen, click the Settings menu in the console, and in the Network section, select Additional ports. The communication that uses the standard ports and the additional ports entered will be scanned by Panda GateDefender Performa.
Protocol    Default port
HTTP        80
HTTPS       443
FTP         21
SMTP        25
Panda GateDefender Performa does not allow you to enter the following ports:
Invalid ports (higher than 65535, for example).
Standard ports, as the traffic that passes through these ports will always be scanned (as they are defined in the factory settings and used by default).
Ports already entered for other protocols.
Panda GateDefender Performa does not scan traffic in non-standard ports not included in the additional ports configured here.
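The port rules above, together with the fact that unlisted ports are not scanned, can be checked against the services actually running on a network. The following is an added example, not code from the guide or the appliance; the function names, the lower bound of 1 for a valid port and the observed-services list are assumptions made for illustration.

```python
# Default ports taken from the table in the guide.
STANDARD_PORTS = {"HTTP": 80, "HTTPS": 443, "FTP": 21, "SMTP": 25}


def validate_additional_port(protocol, port, additional):
    """Return None if the port would be accepted, otherwise the rejection reason.

    `additional` maps protocol name -> set of additional ports already entered.
    """
    if protocol not in STANDARD_PORTS:
        return "unknown protocol"
    # The guide names ports above 65535 as invalid; treating anything
    # below 1 as invalid too is an assumption.
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        return "invalid port"
    if port in STANDARD_PORTS.values():
        return "standard port (always scanned)"
    for other, ports in additional.items():
        if other != protocol and port in ports:
            return f"already entered for {other}"
    return None


def add_port(protocol, port, additional):
    """Add the port when it passes validation; return the rejection reason or None."""
    reason = validate_additional_port(protocol, port, additional)
    if reason is None:
        additional.setdefault(protocol, set()).add(port)
    return reason


def scanned_as(port, additional):
    """Return the protocol whose scanning covers this port, or None if unscanned."""
    for protocol, standard in STANDARD_PORTS.items():
        if port == standard:
            return protocol
    for protocol, ports in additional.items():
        if port in ports:
            return protocol
    return None


def coverage_gaps(observed, additional):
    """Return the observed (label, port) services whose traffic is not scanned."""
    return [(label, port) for label, port in observed
            if scanned_as(port, additional) is None]


def demo():
    """Run the rules over constructed sample input and return the results."""
    additional = {}
    reasons = [
        add_port("HTTP", 8080, additional),    # accepted
        add_port("HTTP", 70000, additional),   # higher than 65535
        add_port("SMTP", 443, additional),     # standard HTTPS port
        add_port("HTTPS", 8080, additional),   # already entered for HTTP
    ]
    # Constructed inventory of services seen on the network.
    observed = [("web proxy", 8080), ("dev web server", 8000),
                ("mail submission", 587), ("intranet", 80)]
    return reasons, coverage_gaps(observed, additional)


if __name__ == "__main__":
    reasons, gaps = demo()
    print(reasons)
    print("not scanned:", gaps)
```

Any service listed as a gap needs either an additional-port entry or a network control that stops it from bypassing the appliance.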
By defining internal networks you can classify SMTP messages as inbound or outbound. This configuration is necessary for the anti-spam, anti-phishing and content-filter protections to operate correctly. SMTP messages will be classified as inbound in the following cases:
No internal networks have been defined. In this case, all SMTP mail will be considered inbound.
The source IP address does not belong to any of the networks specified in the list of internal networks.
The source IP address coincides with any of the IPs defined in the list of excluded IPs.
SMTP mail will be classified as outbound provided that the source IP address belongs to one of the internal networks defined.
The IP addresses defined in the list of internal networks will also have access to the HTTP/HTTPS explicit proxy.
Excluded IPs
1. To add an IP to the list, enter the IP in the IP address box and click Add. Repeat this step for all the IPs you want to add to the list.
2. To remove an IP, select it in the list and click Delete. Then accept the confirmation message.
3. Click Export to export the content on the list to a text file. Each line in the file will be an entry in the list.
4. Click Import to display the screen for importing files. Use the Browse button to locate a file containing a list to import.
The IP addresses included in the list of internal networks will not have access to the HTTP/HTTPS explicit proxy.
You have to define internal domains for the protection of SMTP relay servers to operate correctly (configuration of advanced anti-spam protection options for SMTP). This protection classifies all inbound SMTP messages to unknown recipients as spam. The recipient of a message will be considered unknown in the following cases:
No internal domains have been defined. In this case, all SMTP messages will be understood to be addressed to unknown recipients.
The domain of the recipient's address does not coincide with any of the internal domains defined.
The recipient of an SMTP message will be considered as known provided that the address domain belongs to the list of internal domains.
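The inbound/outbound classification and the relay protection rule described above can be combined into one decision, which also shows what an empty list of internal domains does to inbound mail. This is an added example, not code from the guide or the appliance; the function names, the case-insensitive exact domain match and all sample addresses are assumptions.

```python
import ipaddress


def classify_direction(src_ip, internal_networks, excluded_ips):
    """Classify an SMTP message as 'inbound' or 'outbound' from its source IP."""
    src = ipaddress.ip_address(src_ip)
    # No internal networks defined: all SMTP mail is considered inbound.
    if not internal_networks:
        return "inbound"
    # A source IP on the excluded list is inbound even inside an internal network.
    if any(src == ipaddress.ip_address(ip) for ip in excluded_ips):
        return "inbound"
    networks = [ipaddress.ip_network(n, strict=False) for n in internal_networks]
    return "outbound" if any(src in n for n in networks) else "inbound"


def recipient_known(rcpt, internal_domains):
    """A recipient is known only if its domain is in the internal domains list."""
    if "@" not in rcpt:
        return False
    domain = rcpt.rsplit("@", 1)[1].strip().lower()
    # Assumption: exact, case-insensitive comparison of the domain part.
    return domain in {d.strip().lower() for d in internal_domains}


def relay_verdict(src_ip, rcpt, internal_networks, excluded_ips, internal_domains):
    """Apply both rules: inbound mail to an unknown recipient is classified as spam."""
    direction = classify_direction(src_ip, internal_networks, excluded_ips)
    known = recipient_known(rcpt, internal_domains)
    return {
        "direction": direction,
        "recipient_known": known,
        "spam_by_relay_rule": direction == "inbound" and not known,
    }


# Constructed sample configuration and traffic (documentation address ranges).
INTERNAL_NETWORKS = ["10.0.0.0/8", "192.168.10.0/24"]
EXCLUDED_IPS = ["10.0.0.25"]
INTERNAL_DOMAINS = ["example.com"]
SAMPLES = [
    ("203.0.113.7", "alice@example.com"),  # external source, known recipient
    ("203.0.113.7", "bob@example.org"),    # external source, unknown recipient
    ("10.1.2.3", "carol@example.net"),     # internal source: outbound
    ("10.0.0.25", "dave@EXAMPLE.com"),     # excluded IP: treated as inbound
]


def run_samples(internal_domains=INTERNAL_DOMAINS):
    """Evaluate every constructed sample against the given internal domains."""
    return [relay_verdict(ip, rcpt, INTERNAL_NETWORKS, EXCLUDED_IPS, internal_domains)
            for ip, rcpt in SAMPLES]


if __name__ == "__main__":
    for (ip, rcpt), verdict in zip(SAMPLES, run_samples()):
        print(ip, rcpt, verdict)
    # With no internal domains defined, every inbound message is flagged.
    print([v["spam_by_relay_rule"] for v in run_samples(internal_domains=[])])
```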
Panda GateDefender Performa periodically carries out updates that will not interfere with the functioning of the unit or allow traffic to enter or leave the corporate network without being scanned. There are three types of updates:
Update definition files for malware, spam rules and web filtering categories. Panda GateDefender Performa will attempt to perform this type of update every fifteen minutes.
System software upgrade: for example, the operating system, the hardware drivers, the web server used to view the administration console, etc. or the malware and spam scan and detection engines.
Install hotfixes: Lets you view the hotfixes installed and install new hotfixes.
The appliance is updated via the Internet. Panda GateDefender Performa checks if new updates are available at regular intervals.
The definition files are automatically updated every 15 minutes and a system event with the result is generated. An email message is also sent if the corresponding option is enabled and the SMTP server for sending the warnings has been defined. When it updates the system software, Panda GateDefender Performa reports if an update is available and the administrator must decide when the update should be installed (by clicking on the corresponding option in the Update - System software upgrade window).
Panda GateDefender Performa will only update the definition files of the protection modules that have an active license.
Update settings
Panda GateDefender Performa allows you to select the way in which you want to update malware signatures.
1. If you want to continue updating them through the Internet, select the From the Internet option.
2. To update locally, select From a local server and enter the URL to access the pavsig.zip file in the Update URL text box.
3. Click Save.
4. Confirm if you want to perform updates locally.
5. Once the Panda GateDefender Performa Services have restarted, click OK. This will take you to the Status screen.
If you select From a local server, the protection modules that require an Internet connection (anti-spam, IM/P2P protocol and Web filtering, spam quarantine, spam detected report, Web and IM/P2P protocol filtering report) will be disabled for the time Panda GateDefender Performa works in local mode.
If the update is 1MB or less, you will access a Web page, where in addition to information about the new version, you will find the steps to follow in order to download and install it. In order to perform the update click Update. First of all, the compressed file is downloaded. Through the progress bar, Panda GateDefender Performa informs you of the status of the download, specifying the kilobytes downloaded and the total size of the download. The console indicates if a system software update is available. The appliance can also send you an email. If you want to receive an email notification when an update is available, click the link and configure the target email account(s).
If the console and the appliance web server have problems establishing a connection, after accepting the warning in the browser, Panda GateDefender Performa will open the access page. In this case, access again and go to the System software update page. The console will show the current status of the download and application of the update.
Hotfix management
Hotfixes are updates containing improvements and solutions to problems. Every month, a new hotfix pack is published on our Web page. Follow these steps to open the published hotfixes:
1. Go to the following page: http://www.pandasecurity.com/enterprise/support/
2. In the section Other corporate solutions select your version of Panda GateDefender Performa from the drop-down menu and click Find.
3. From the first drop-down menu, select Solve incidents with the product, and from the second, select Solve other incidents with the product.
4. Click Find.
5. A list of incidents and hotfix packs available appears. You can use the drop-down menu to order the list by date or number of visits.
6. Select the hotfix pack you require.
7. Next, a page appears with detailed information on the features of the hotfix pack and a download link. There are two options:
If the hotfix pack is in a compressed file (zip, or tgz), you can install it from the Panda GateDefender Performa console, following the instructions given below.
If the hotfix pack is in an ISO image, follow the instructions given on the Web page.
If you have downloaded a hotfix pack in a zip or tgz file, follow these steps to install it from the Panda GateDefender Performa console:
1. In the Panda GateDefender Performa console, click Settings.
2. In the Update section, click Update settings.
3. In Hotfix management, click the link here.
4. Go to the Hotfix management screen to see a chronological list of hotfixes installed.
5. Click Browse and find the ZIP or TGZ file you have just downloaded.
6. Click Install hotfix. Click Install now to start the process.
Once you have downloaded the hotfix, this will appear in the list with its details (Name, Description, and Installation date). The list of hotfixes installed is ordered in reverse chronological order.
Hotfix management
To uninstall the latest hotfixes installed, use the button Uninstall. Confirm the uninstallation, and when you finish the hotfix will disappear from the list, which will now display the most recently installed hotfix. If the uninstallation process requires a restart, this will be indicated in the uninstallation confirmation screen.
If you are using LDAP, you can obtain a list of users or user groups to which you can apply a specific security protocol in the configuration of protection profiles. To do this, in the Settings menu of the main window, select Domain users > LDAP sources.
LDAP servers
Follow these steps to add or modify LDAP servers: Click on the Add button (if you want to enter an LDAP server) or Modify (if you want to modify one that already exists). This takes you to the Definitions: LDAP servers screen with the following options:
Name: Descriptive name of the server.
Server/IP: Server IP address. You can enter the required data, or if you have specified it previously, select the server from
BaseDN: Specify the base from which to look up information on the LDAP server.
Type of server: When you select one of the default types, the User and User groups fields are automatically completed. If your server has a special characteristic, these data can also be specified manually.
o Active Directory
o LDAP v3
Names of the attributes defined in the LDAP server: Complete or modify these fields to establish a link between the names of the LDAP server attributes and those used by Panda GateDefender Performa. The fields are the following:
o For the user: ObjectClass, User ID, Name, Email, Description.
o For the user group: Object, Class, Group ID, Member, Description.
Port: Port used to connect to the server. The default port is 389.
SSL connections.
Bind DN (optional): Specify the DN that enables the appliance to be identified to the LDAP server. Only if the server requires authentication.
Password and Repeat password (optional): These fields enable you to enter the password given for Bind DN.
Description (optional).
Panda GateDefender Performa enables you to specify servers whose validation of users is made through LDAP. In this way, you can obtain LDAP groups to which you can apply a specific security protocol in the configuration of protection profiles. To do this, in the Settings menu of the main window, select Domain users > User authentication.
Name: Specify a name for the server.
Server IP address. You can enter the required data, or if you have specified it previously, select the server from
Protocol: Protocol operated by the server: HTTP, FTP, SMTP, POP3 or IMAP4.
LDAP servers: LDAP server to be validated. The drop-down menu contains the option localusers for users specified internally in the appliance, plus the LDAP servers defined previously in the Definitions: LDAP source management screen.
Description (optional).
The IP address of the domain controller may be among the IP addresses previously defined in the Definitions: IP addresses screen. If so, click Address settings and select from the list of IP addresses displayed. Click Save and check that the agent configured appears correctly in the list in the section Agent for identifying domain users. Then enter the port, the time period during which the agent will be consulted (in seconds), and the password. Use the button Test connection with agents to check the connection with the agents configured. The Verification of the connection with the agents screen displays a list of the agents configured and the progress of the connection with each of them.
User management
This option of Panda GateDefender Performa enables you to create users and groups of users to which you can apply a specific security protocol through configuration of protection profiles. To do this, click the Settings menu in the main Console screen. Then select Domain users > Local groups and users. Go to Definitions: User management.
Users
Follow these steps to add users:
1. In the Users section, click Add.
2. Give a descriptive name for the user, an email address to help identify the user, and the name of the user you wish to add.
3. Enter a password and confirm it (optional).
4. If you have already created a group of users, this will appear in the Group box. You can add users to these groups by ticking the relative boxes. This makes it easier to manage users.
5. You can also add a comment, if you want.
6. Click Add.
You can modify the data entered, or delete a user whenever you want by clicking the corresponding buttons.
If you want, you can use the Export option to save this data in a file. You can import these files again later.
User groups
Follow these steps to add a user group:
1. In the Panda GateDefender Performa console, click the Definitions > User management menu.
2. In the Groups section, click Add.
3. Specify the name of the user group you wish to add.
4. You can also add a descriptive comment, if you wish.
5. If you have already added users, these will appear in the Local users frame. You can add them to the group by ticking the relative boxes. Click Add.
You can modify the data entered, or delete a user group whenever you want by clicking the corresponding buttons. If you want, you can use the Export option to save this data in a file. You can import these files again later.
Definitions Introduction
Panda GateDefender Performa makes it easy for you to access the definition of those elements most relevant to the operation of the appliance. The options available are:
IP addresses
This enables you to specify IP addresses or ranges of IP addresses to which a specific security protocol is to be applied through the configuration of protection profiles.
User management
This enables you to manage the list of LDAP servers that will later be used to obtain a list of users, also other servers requiring validation. Next, you can apply the security policy as required to these users through the configuration of protection profiles. This enables you to create and modify profiles for users and groups which can be used when configuring various protections.
Domain management
This enables you to create and modify profiles for domains and groups which can be used when configuring various protections.
Managing IP addresses
This option of Panda GateDefender Performa enables you to specify the IP addresses to which you can apply a specific security protocol through configuration of protection profiles. To access the IP address management screen click in the Settings menu of the main console window. Then select Definitions > IP address.
IP addresses
Follow these steps to add IP addresses:
1. In the Addresses section, click Add.
2. Add a descriptive name and an IP address in the relative boxes.
3. If you have already created a group of IP addresses, you can add this IP address to the group by ticking the box next to it. Click Add.
Groups of IP addresses
Follow these steps to add groups of IP addresses:
1. In the Panda GateDefender Performa console, click the Definitions > IP Addresses menu.
2. In the Groups section, click Add.
3. Specify a name for the group.
4. Add the IP addresses as required. You can add:
Previously specified IP addresses.
Other previously defined groups.
Specific IP addresses and subnet masks in short format and short CIDR format (xxx.xxx.xxx.xxx/yy).
yy is the number of bits in binary, starting from the left. For example: 24 = (11111111. 11111111. 11111111.00000000) = 255.255.255.0.
5. Click Add.
6. If you wish, you can add a descriptive comment in the field. Click Add at the bottom of the page to save the changes.
You can modify or delete IP addresses and groups added whenever you want. All you have to do is highlight the address or group from the list and click Modify or Delete. If you want, you can use the Export option to save this data in a file. You can import these files again later.
Domain management
This option in Panda GateDefender Performa enables you to create domains, groups of domains or subdomains to which you can apply a specific security protocol through configuration of protection profiles. To go to this screen, click the Settings menu in the main Console screen. Then select Definitions > Domains.
Domains
Follow these steps to add specific domains or groups of domains:
1. In the corresponding section (Domains or Groups) use the Add button.
2. Specify the domain or the group to be added.
If it is a domain, specify which domain group you wish to add it to by marking the relative box. A domain group must have been added previously before you can do this.
If it is a domain group, you can also specify additional domains that belong to the group, separated by commas. In the case of sub-domains, you can use wildcards to define them.
In both cases you add a descriptive text.
3. Click Add.
You can modify the data entered, or delete a user whenever you want by clicking the corresponding buttons. If you want, you can use the Export option to save this data in a file. You can import these files again later.
Warnings Introduction
Panda GateDefender Performa will keep you informed about all the incidents detected. To do this, you must configure the parameters of the warnings that must be sent via email, to syslog servers or to SNMP managers whenever an incident is logged, and select the types of events you want to be informed about.
Events to report settings. Lets you select which events will be reported via email, Syslog and SNMP. It allows you to specify the language in which warnings will be received, the events to report to the administrator or recipient of the message and the events for which replacement texts will be available for the attached files deleted.
Email warnings settings. Lets you configure parameters related to warnings sent via email. Allows you to Configure the periodic activity notification and Recipient mail account details.
Syslog warnings settings. Lets you configure parameters related to warnings sent to a remote Syslog server. Allows you to configure the name or IP address of the server, the port to which the events will be sent and other options.
SNMP warning settings. Lets you configure parameters related to warnings sent to SNMP servers: the general SNMP v1/v2c settings and the communities.
Customize texts. You can choose to keep the default warning texts or to customize them.
This feature lets you select the events that will be reported via email, SNMP and syslog.
Language
Use the drop-down menu to select the language in which all notifications will be received (to the administrator, to the sender of the message and the replacement text for attached files deleted from messages).
Notification to administrators
This allows you to customize the events to report and how notification will be sent (via SMTP, SNMP or syslog):
Various checkboxes can be enabled for each event. Each checkbox enables an event with a type of notification (SMTP, SNMP, syslog).
If the checkbox is for a main group, click on it to select or clear all of the checkboxes for the events in the group.
If the group checkbox is selected, and you clear a checkbox for one of the events in the group, it will not be disabled unless all events are disabled.
If groups are partially selected, when opening the page, the groups will be expanded to show the content and the group will be selected.
If the checkbox for all events is cleared, the checkbox for the group will also be cleared.
Event: Shows the name of the group or event. If it is a group, the name will be preceded by one of two symbols.
1. This appears when the group branch is collapsed. If you click it, the rows belonging to the group are expanded.
2. This appears when the group branch is expanded. If you click it, the rows belonging to the group are collapsed.
To find out how to configure the syslog or SNMP notifications, refer to syslog warnings settings or SNMP warnings settings.
Notification to sender
Panda GateDefender Performa allows you to send an email message to the sender with notification of the event. As with the administrator notifications, there are events and main groups; groups made up of events:
SMTP: Notifications are sent to the sender's email address.
If the checkbox is for a main group, click on it to select or clear all of the checkboxes for the events in the group.
If the group checkbox is selected, and you clear a checkbox for one of the events in the group, it will not be disabled unless all events are disabled.
If groups are partially selected, when opening the page, the groups will be expanded to show the content and the group will be selected.
If the checkbox for all events is cleared, the checkbox for the group will also be cleared.
Event: Shows the name of the group or event. If it is a group, the name will be preceded by one of two symbols.
1. This appears when the group branch is collapsed. If you click it, the group is expanded.
2. This appears when the group branch is expanded. If you click it, the rows belonging to the group are collapsed.
The syslog utility allows you to export all errors that occur in the application, as well as information about its status. Network administrators can monitor different devices through the information sent by each one through syslog. To access the Warnings: Syslog warnings settings screen, click the Settings menu in the main console window and select Warnings > Syslog warnings.
Panda GateDefender Performa includes the option to report the log files to a remote server. To do this:
1. Select the Syslog Registry checkbox. If you clear the Syslog registry checkbox, Panda GateDefender Performa will not send any type of message to the remote syslog.
2. Server: The IP address or name of the syslog server that will receive the notifications.
3. Port to which events will be sent (port 514 by default). Panda GateDefender Performa uses UDP.
4. Facility (local0 to local7). The messages are sent to the remote server through one of the eight facilities available. The facility must be the same in the Panda GateDefender Performa syslog and in the remote syslog. The default value is local0.
5. Select the CSV format checkbox to use this format. Otherwise, the warning will be sent in plain text.
6. Click OK to save the current settings.
If you clear the Syslog registry check box, Panda GateDefender Performa will not send any type of message to the remote Syslog.
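On the receiving side, the facility travels in the priority value at the start of each syslog datagram, so a collector can verify that incoming warnings use the facility configured on the appliance. This is an added example, not code from the guide or the appliance; it relies on the standard syslog priority encoding (priority = facility * 8 + severity, local0 = 16), and the function names and sample datagrams are constructed.

```python
import re

# Standard syslog severity names, indexed by severity code 0..7.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
_PRI = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility_code, severity_code, body) or None if the header is malformed."""
    match = _PRI.match(datagram)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid priority value
        return None
    facility, severity = divmod(pri, 8)
    return facility, severity, datagram[match.end():]


def facility_name(code):
    """Map facility codes 16..23 to local0..local7; other codes keep their number."""
    return f"local{code - 16}" if 16 <= code <= 23 else f"facility{code}"


def triage(datagrams, expected_facility="local0"):
    """Sort datagrams by whether their facility matches the collector's setting."""
    result = {"accepted": [], "wrong_facility": [], "malformed": []}
    for raw in datagrams:
        decoded = decode_pri(raw)
        if decoded is None:
            result["malformed"].append(raw)
            continue
        facility, severity, body = decoded
        record = (facility_name(facility), SEVERITIES[severity],
                  body.decode("utf-8", "replace"))
        key = "accepted" if record[0] == expected_facility else "wrong_facility"
        result[key].append(record)
    return result


# Constructed datagrams; the message bodies are not the appliance's real format.
SAMPLE_DATAGRAMS = [
    b"<134>constructed sample: definition files updated",  # local0.info
    b"<131>constructed sample: update failed",             # local0.err
    b"<142>constructed sample: sent with local1",          # local1.info
    b"constructed sample without a priority header",
    b"<999>constructed sample with an out-of-range priority",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_DATAGRAMS).items():
        print(bucket, items)
```

Messages that land in the wrong_facility bucket indicate a mismatch between the appliance's Facility setting and the collector's filter, which would otherwise drop or misroute the warnings silently.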
Panda GateDefender Performa lets you manage warnings through an SNMP manager. If you use this type of tool on your network, you can conduct queries on the warnings generated by the appliance, or receive this information directly in the SNMP manager (trap). To access the Warnings: SNMP warnings settings screen, click the Settings menu in the main console window and select Warnings > SNMP warnings. Follow these steps to enable and configure SNMP warnings:
1. Select the SNMP agent checkbox.
2. Complete the fields Description, Location and Contact. The data entered here is not relevant for the settings.
3. Click Add. You will see the Warnings: SNMP community screen.
4. In the Name field, enter the name of the SNMP manager community to use. This must be a word (you can use alphanumeric characters) that matches the one entered in the SNMP manager. Otherwise it won't be possible to establish a communication between the appliance and the SNMP manager.
5. Specify the IP address of the SNMP manager. If you are using multiple managers, enter their IP addresses, separating them with commas.
6. To be able to conduct queries regarding the warnings sent, you must configure the ports the appliance will receive the queries at. In the Query section, select the checkboxes of the two available protocols (v1 and v2c) and enter the appropriate ports. These ports will remain open in the appliance to receive the queries made from the SNMP manager.
7. For the appliance to send warnings to the SNMP manager (trap), indicate the SNMP manager ports that warnings must be sent to. These ports must be open in the SNMP manager for warnings to be sent correctly.
Recipient mail account details. Allows you to configure the address or addresses to which the warning will be sent and the mail server to use.
Periodic activity notification settings. Allows you to customize the intervals at which the notification summary will be received.
Enter the details of the email account that warnings must be sent to:
Email address(es). Enter the email address of the person that you want to send the message to. If the warning must be sent to more than one recipient enter the addresses separated by commas. For example: administrator@organization.com, admin@organization.com, systems@organization.com.
SMTP server Panda GateDefender Performa must use to send warnings.
Port through which communication must be established.
Requires authentication: If the SMTP server requires authentication, enable the Requires authentication checkbox and indicate the user name and password that are valid for the mail server.
Use the following sender. Email address that will appear as the sender of the message.
Header
The header of the warning summary message appears in the following format:
Panda GateDefender Performa
Start: <Start date> End date: <End date>.
Panda GateDefender Performa identification
System version
Name: <name>
IP address: <IP address>.
Security protection
It shows the following fields:
Anti-malware protection: Files scanned. Detections in mail and news. Detections in HTTP and FTP. Evolution graph.
Content Filter protection: Items scanned. Filtering in mail and news. Detections in HTTP and FTP. Evolution graph.
For the anti-spam protection: Files scanned. Spam messages. Evolution graph.
For the Web filtering: Pages scanned. Restricted pages. Evolution graph.
IM/P2P/VoIP filter: Restricted P2P protocols. Restricted IM protocols. Evolution graph.
All protection includes the View details link. Click it to access the details screen, with more detailed information.
If a protection is not enabled or does not have a license, the content will be displayed in gray to indicate that it is not available.
System activity
It shows the following fields:
System: Active connections. Connections established. Failed connections. Evolution graph.
Network cards (NIC1 and NIC2): Inbound traffic. Outbound traffic. Evolution graph.
Panda GateDefender Performa allows you to customize the warnings and substitute texts for the following events:
Detection of malware. Detection of potentially dangerous file. Items filtered by the Content Filter protection. Item deleted because it could not be scanned.
To customize the texts click the Settings menu in the main console window, and select Customization > Texts for substitute pages and warnings. For each of the events above, you can edit the following texts:
Sender: This option allows you to customize the message to send to the sender of the infected email message. This field cannot be edited for the warnings sent for events related to files downloaded from the Internet (HTTP) or to file transfers through FTP. When you click this link you will see the Customize warning to the sender screen, where you can define the text of the warning.
Substitute text: When Panda GateDefender Performa detects a malicious code, it will delete it and replace it with a text. If you click this option, you can edit the text that will be inserted in the email message, web page or file transferred through FTP. When you click this link, you will see the Customize replacement text screen, where you can enter the text to replace the infected item.
Administrator: This option allows you to customize the message to send to the administrator. When you click this link you will see the Customize warning to the administrator screen, where you can enter the text to be sent to the administrator.
Panda GateDefender Performa lets you customize the HTTP/S substitute page, that is, the page displayed when the anti-malware, Content Filter or Web filter block suspicious content. You can choose between several screens, adding the logo you want and customizing the text. Click Settings in the main console window and select Customization > Substitute page for HTTP/S.
To see an example of the substitute page, with a sample descriptive text, use the link Substitute page preview. 4. User profile information. Enable the checkbox if you want the page to display the protection profile applied when the suspicious content was blocked.
Click Save.
Quarantine
Introduction to quarantine
Panda GateDefender Performa has three quarantine areas:
Malware quarantine: This is a place for isolating suspicious files and malware that cannot be disinfected at the time of detection. Panda GateDefender Performa will attempt to disinfect these files after each update (if so indicated in the settings), although it is also possible to do this at any other time using the Analyse quarantine button.
You can also send us these files to be analysed by our experts.
Content-filter quarantine: This is the place where all filtered items are sent (as long as this is indicated in the settings). It is advisable to review it periodically in order to decide on the best way of dealing with the items stored there. You can restore them, send them to another location, delete them, etc.
Spam Quarantine: Contains email messages that have been classified as, or are suspected to be, spam. It is advisable to review the spam quarantine from time to time in order to take pertinent decisions about these messages. You can restore them, redirect them to another location, delete them, etc. You can also add the domains of senders you choose to the blacklist and white list of the Anti-Spam module.
Malware quarantine
As long as it has been indicated in the anti-malware settings, Panda GateDefender Performa will isolate all suspicious files and threats that cannot be disinfected at a given moment to quarantine. Once stored, you can take a series of actions on the items. Follow these steps to access malware quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Malware quarantine.
For much more detailed information, click on the + symbol appearing to the left of each item. You can see the name and location of the detected file, the source and destination IP, etc.
Instance details
Malware quarantine shows the number of times each threat has been detected. If you want more information about any of the items, select it and click on the number corresponding to it in the Instances column. A screen will appear with information about each detection:
The date when it was sent to quarantine. The item included in quarantine. The reason why it was included in quarantine. The source (protocol) in which it was detected.
Other options
If any of the items arrived via the SMTP protocol, you can return it to its original location. To do this, select the item and click Restore. If the items have arrived via the SMTP protocol, you can resend them to an email address using the Redirect button. This permits you to review the content of the messages. You can also delete the items you wish by clicking the corresponding button.
Adjust its size.
Enable the sending of suspicious files for analysis by experts.
Specify the number of lines to display in the list.
Activate automatic analysis of items after each update.
Specify quarantine's behavior on restoring items to their original location.
Follow these steps to go to the malware quarantine settings: 1. 2. Click Quarantine in the console and then select Malware quarantine. Click Settings in the quarantine window.
You can also set the maximum size of files to be sent to quarantine. In this way you will avoid excessively large files being stored that may saturate quarantine. The maximum size of a file will not be able to exceed 100 MB. If a message is received with an attached file that cannot be included in quarantine because it exceeds the maximum size setting, you can specify a warning message for such a circumstance.
General preferences
This section allows you to:
- Limit the amount of information that will be shown in each quarantine page. To do this, enable the Lines to display on each page box, and indicate the number of lines.
- Activate automatic analysis of quarantine after each update.
- Indicate if you want a copy of items that are restored to their original location to be stored in quarantine. If you wish, you can include a text in the subject of the messages restored.
Once you have set the configuration you want, click Save.
In order to withdraw malware from quarantine you just have to check the checkboxes that correspond to the items you want and click on the Exclude button. You can see the items withdrawn from quarantine by clicking on the Exclusions link. If you want any excluded item to return to quarantine if it is detected again in the future, click on Consider dangerous.
As long as it has been indicated in the anti-malware settings, Panda GateDefender Performa will isolate all suspicious files and threats that cannot be disinfected at a given moment to quarantine. Once stored, you can take a series of actions on the items. Follow these steps to access malware quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Malware quarantine.
The window displayed shows a list of the items isolated in the Content Filter quarantine.
Click on the heading of each column to arrange the information they contain as you want. By clicking on the + symbol, appearing to the left of each of the items in quarantine, you will obtain detailed information about them.
- Options: Lets you adjust the quarantine size using various settings. You will also be able to indicate the number of lines in the list and how to behave towards restored messages. For more information, consult the section on Content Filter quarantine settings.
- Download file: If the file has arrived via the HTTP or FTP protocols, you can use this button to download it.
- Restore: Allows you to return the selected items to their original location. This option is available if the items arrived via the SMTP protocol.
- Redirect: Allows the selected items to be sent to the email address indicated. For more information, consult the section Resend Address.
- Delete: Permits deletion of items selected from the list. A pop-up window will ask for confirmation.
- Clear quarantine: Deletes all items without having to select them previously.

- Adjust the size of the quarantine.
- Specify the number of lines to display in the list.
- Specify how quarantine operates on restoring items.
Follow these steps to go to Content Filter quarantine settings:
1. Click Quarantine in the Panda GateDefender Performa console and then select Content Filter quarantine.
2. Click Settings in the quarantine window.

- Delete the oldest items: If you select this option, the oldest items will be deleted to free up space and allow more recent items to be stored.
- Reject new items: When it reaches its maximum size no more files will be included in quarantine.
You can also set the maximum size of an item to be sent to quarantine. In this way you will avoid excessively large items being stored that may saturate quarantine. The maximum size of an item will not be able to exceed 20 MB. If you want, you can indicate an email address to which to redirect messages that exceed this size. Finally, if you wish, you can indicate the maximum number of days that items will remain in quarantine. Once this period is reached, the items will be deleted.
General preferences
This section allows you to:
- Limit the amount of information that will be shown in each quarantine page. To do this, enable the Lines to display on each page box, and indicate the number of lines.
- Indicate if you want a copy of items that are restored to their original location to be stored in quarantine. If you want, you can include a text in the subject of the messages restored.
Once you have set the configuration you want, click Save.
Spam quarantine
As long as it has been indicated in the anti-spam protection settings, Panda GateDefender Performa will isolate all email messages classified as spam, or suspected of being so, to quarantine. Once stored you can take a series of actions on quarantined messages. Follow these steps to access spam quarantine:
1. Click the Quarantine menu in the main Console screen.
2. Select Spam quarantine.
The window displayed shows a list of the items isolated in spam quarantine.
- Date: Indicates when the item was included in quarantine.
- Sender: The person that has sent the email message.
- Recipient: The recipient of the message.
- Reason: Gives details of why the message was included in quarantine. This allows you to know if the message was classified as spam, or as probable spam.
- Subject: The subject of the message.
- Source: Indicates the protocol in which the unwanted message was detected: SMTP / POP3 / IMAP4.

- If the item has been sent to be analyzed, it will show you the date when sent. Otherwise, you will be able to see its current status. For example, if it is pending being sent or it is not possible to send it.
- Source: Indicates the protocol in which the item was detected.
- Source IP: Specifies the IP address from which the item was sent.
- Target IP: Specifies the IP address to which the item was being sent.
In the case of an email, you can see the subject, sender and recipients of the message, as well as a link to download the message. Click on the heading of each column to arrange the information they contain as you want.
- Filter: This allows you to specify the information to be shown in the listing, using a range of parameters. For example, you can indicate that you only want items shown that were included in quarantine between two dates, messages with a certain subject, sender or destination, etc. For more information, consult the section on Spam quarantine filter.
- Options: Allows you to adjust the quarantine size using various settings. It also lets you indicate the number of lines per page in the list and what to do with restored messages. For more information, consult the section on Spam quarantine settings.
- Add domain to:
  o Blacklist: With this button you can add the domains of the messages selected to the spam blacklist. In this way other messages coming from these domains will always be treated as spam.
  o White list: With this button you can add the domains of the messages selected to the spam white list. In this way, messages coming from these domains will not be analyzed for spam.
- Restore: This allows you to return the selected messages to their original location, as long as they have arrived by SMTP.
- Redirect: Allows you to redirect the messages selected to a specific email address. For more information, refer to the Resend address section.
- Delete: Allows you to delete messages selected from the list.
- Empty quarantine: Deletes all items without having to select them previously.

- Adjust the size of the quarantine.
- Limit the number of lines to display per page.
- Specify its behavior on restoring files to their original location.

1. Click Quarantine in the Panda GateDefender Performa console and then select Content Filter quarantine.
2. Click Settings in the quarantine window.
- Delete the oldest items: If you select this option, the oldest items will be deleted to free up space and allow more recent items to be stored.
- Reject new items: When it reaches its maximum size no more messages will be included in quarantine.
You can also set the maximum size of a message to be sent to quarantine. In this way you will avoid excessively large messages being stored that may saturate quarantine. The maximum size of a file will not be able to exceed 20 MB. If you want, you can indicate an email address to which you want to redirect the messages that exceed this size. Finally, if you want, you can indicate the maximum number of days that messages will remain in quarantine. Once this period is reached, the messages will be deleted.
General preferences
This section allows you to:
- Limit the amount of information that will be shown in each quarantine page. To do this, enable the Lines to display on each page box, and indicate the number of lines.
- Indicate if you want a copy of messages that are restored to their original location to be stored in quarantine. If you want, you can include a text in the subject of the messages restored.
Once you have set the configuration you want, click Save.
To enable a filter
You can apply a filter to the information shown by quarantine, by following these steps:
1. Select the Quarantine option from the menu on the left of the Web administration console.
2. Click on the quarantine for which you want to filter information (malware quarantine, Content Filter quarantine or spam quarantine).
3. Click on the Filter link. Another window appears with the filtering options. For example, you can indicate that you only want items shown that were included in quarantine between certain dates, messages from a certain sender, etc.
4. Once you have indicated the options you want, click on Apply filter.
5. Click OK for quarantine to start showing the information you have just specified.
To disable a filter
1. Select the Quarantine option from the menu on the left of the Web administration console.
2. Click on the quarantine for which you want to filter information (malware quarantine, spam quarantine or Content Filter quarantine).
3. In the new window, click on the Filter link. Another window appears with the filtering options.
4. Click Disable filter.
5. Click OK for quarantine to start applying the new filtering settings.
Filtering settings
The filtering options are different for each type of quarantine. To obtain more information on the available filtering options for each type of quarantine, refer to the following sections:
- Malware quarantine filtering
- Content Filter quarantine filtering
- Spam quarantine filtering
You can also filter information on the basis of percentages of probability of spam in the messages in quarantine. You can indicate the percentages interval desired in the fields for this purpose. You can perform filtering by one of the data items available or by a combination of a number of them. Once you have configured the filter as you wish, click on Apply filter and then on OK.
Reports
Introduction
Panda GateDefender Performa generates a series of reports that contain the events related to the scans and the activity of the appliance. These are:
Protection reports:
- HTTP/HTTPS/FTP
- Mail/News
- IM/P2P/VoIP filter
Security reports:
- Report on access restricted by the explicit proxy
- Report on invalid SSL certificates
System report:
- System events report
To view this report at any time, click the Reports menu and select the report. As a general rule, these reports contain different options and can be exported to a text file. You can also use filters to select the information displayed.
- Access to the report settings options
- Filtering the information logged in the reports
To remove the content of the reports, use the Clear report button. If you want to arrange the data in the columns, click on the column header. The columns that can be rearranged have an arrow icon to the left of the column name.
The options you can configure in the report are:
- Continue generating this report: If you don't want Panda GateDefender Performa to generate the report, unselect the corresponding checkbox.
- Automatically delete events after XX days: Specify the period for which events should remain in the reports (90 days by default). Panda GateDefender Performa will automatically delete events after this period.
You can save the information displayed in the report to a txt file. To do this, click on the Export: csv link. The content of the report will be exported to .csv format.
1. Click the Reports menu and select the type of report you want to filter.
2. In the new window, select the corresponding option from the Filter period drop-down menu.
3. Set the filter you want. Use the Filtering conditions menu. Use the Add condition button to add conditions, and click Filter.
When adding conditions, you can use wildcard characters to refine the search ("*", "?", etc).
Filtering conditions according to the type of report:
- Protection report
- Security report
- System report
If you want to save the filter, use the Save button and enter the name of the filter in the textbox in Filters stored. Then click Enter. To remove the data from the latest filter click Clean. In addition to clearing the filter, a report will be generated without filters, corresponding to the filter period All.
Stored filters
Once certain filters have been stored, or you are using certain parameters to filter (even though they have not been stored), Panda GateDefender Performa lets you take the following actions:
If you want to set one of the stored filters as default, i.e. you want a filter to be applied by default when a report is opened, just click on the link Preset, which appears to the right of the filter name when you pass the mouse pointer over it.
Bookmark a filter:
Another useful feature in Panda GateDefender Performa is the option to bookmark a filter. To do this you must first have run a stored filter. This gives you quick access to the filter once it is stored. If the filter is deleted however, when you try to access via the bookmark, you will open the reports without applying the filter (or with the default filter if one has been set).
If you want, you can filter the information in the report. You can do this with a simple and easy-to-use filter tool. The protection reports are structured into four areas: the filtering tool and another three, corresponding to HTTP/HTTPS/FTP, Mail/News and IM/P2P/VoIP protocol filtering.
Protection report
This report offers data on malware and spam, the Content Filter events, and access to Web pages and P2P, VoIP and IM protocols.
HTTP/HTTPS/FTP
The report then displays the data organized into columns. You can select the columns to be displayed in the report, using the drop-down menu
Detection source.
When malware has been detected in HTTP or FTP, the report specifies if it was uploaded or downloaded.
Mail/News
Use the boxes to select the protection data you want displayed in the report. If you select Highlight outbound mail, the lines marked as SMTP Out will be highlighted in bold. The report then displays the data organized into columns. You can select the columns to be displayed in the report, using the drop-down menu Columns
Protocol
IM/P2P/VoIP filter
In this case, select the Columns to be displayed in the report.
To access these reports, click the Reports menu in the main console menu, and then select Security report.
The reports include settings options and can also be exported to .csv format. Also, if you place the cursor on a selected item, you will get specific information about the event in question. If you want, you can filter the information in the report. You can do this with a simple and easy-to-use filter tool. In addition to the system and protection reports, Panda GateDefender Performa offers other reports on access restricted by the explicit proxy and the use of invalid certification authorities and certificates for HTTPS.
Panda GateDefender Performa shows a detailed report on system events (updates, restarts, etc.). In order to view this report, click the Reports > System report menu.
Some of the events logged in this report are:
- Result of every update process.
- Update performed.
- Update errors, clearly specifying the cause of the error (for example: Could not connect to the updates server; The updates server has returned an error; An error occurred during the download process; An error occurred during the update process, etc.).
- Error sending email warnings.
- Appliance start up.
- Problems starting the appliance (the problems and the actions taken to resolve them will be specified).
- Could not connect to the DNS server.
- Problems connecting to the proxy server configured (for example, due to a validation error).
- Could not connect to the license server.
- The license server has returned an error.
- Quarantine space about to be used up.
- Quarantine space exceeded.
Tools
Introduction
Panda GateDefender Performa includes a series of useful tools to deal with situations in which the appliance performance is less than optimum. Use the links below to find out more about them:
- Diagnosis tools
- Export / Import settings
- Sending statistics
- Restarting the system services
- Complete system restart
- Shutting down the system
Diagnosis tools
Panda GateDefender Performa has a series of tools for diagnosing problems on the appliance. The options available are:
- Ping
- Traceroute
- DNS resolution
- Connectivity with Panda Security
- Show network status
- Packet capture
Ping
The tools screen has two parts: Tool and Result.
Tools
Settings options:
- Tool: Select Ping.
- Parameters
  o Target addresses: Specify the target host.
  o Number of pings to be sent: Specify the number of pings.
  o TTL: Specify the TTL value.
  o Types: Select the type of ping required, TCP, UDP or ICMP.
If you want to launch the tool, click on Run.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click on Export to file.
Traceroute
The tools screen has two parts: Tool and Result.
Tools
Settings options:
- Tool: Select Traceroute.
- Parameters
  o Target addresses: Specify the target host.
  o Number of pings to be sent: Specify the number of pings.
  o TTL: Specify the TTL value.
  o Types: Select the type of ping required, TCP, UDP or ICMP.
If you want to launch the tool, click on Run.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click on Export to file. Click on OK to return to the Support tools screen.
DNS resolution
The tools screen has two parts: Tool and Result.
Tools
Settings options:
- Tool: Select DNS resolution.
- Parameters
  o Address: Specify the address to be resolved. If an IP is entered, an inverse resolution will be carried out.
  o Request type: Select a value from the list: A, ANY, CNAME, NS, MX, PTR, SOA, TXT, LOC, RP and SIG.
  o Protocols: Select the type of connection required, TCP or UDP.
  o Port: Specify the port. The default port is 53.
  o Server: Specify the server.
If you want to launch the tool, click on Run.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click on Export to file. Click on OK to return to the Support tools screen.
In the Result field, check the connectivity for each of the servers. You can save the results in a TXT file in your chosen route by clicking Export results.
Packet capture
The Tools screen has two parts: Tool and Result. Using this tool can negatively affect the performance of your appliance.
Tool
Settings:
1. Tool: Select Packet capture.
2. Parameters
   - Type of capture: Select the type of capture: Maximum capture time, Maximum capture size, Maximum packets for capture or Circular capture. Circular capture consists of a buffer that allows the capture of the last megabytes transferred. This can be specified in the Value field. Capture size is limited to 300 MB.
   - Value: Set the capture limit. This can be specified in seconds, megabytes or packets, depending on the type of capture selected.
   - Capture interface: Select the network interface on the appliance.
   - Maximum packet size: Select one of these two options: Capture headings or Complete traffic.
   - Filter: Select filtering:
     - Capture protocol traffic.
     - Capture port traffic.
     - Capture special traffic.
     - Capture all traffic.
3. Protocols: This option appears after selecting the Capture protocol traffic filter. It establishes the protocol to be used in the filter.
4. Ports: This option is displayed when the Capture port traffic filter is selected. Establish the ports to be used in filtering. A range can be chosen by specifying two ports separated by a hyphen.
5. Source IP: Specify the source IP.
6. Target IP: Specify the target IP.
7. If you want to launch the tool, click Run.
8. If you want to stop the capture, click Stop capture.
Result
Displays the result obtained from running the tool. If you want to save the result in a file, click Export to file. Click OK to return to the Support tools screen.
The internal log files allow you to carry out an advanced diagnosis in order to resolve problems.
These files may be requested by tech support services when resolving an incident. It is not advisable to generate these files, unless you are asked to do so by Panda Security technicians.
To generate log files, select the level of detail that the technicians have specified:
1. In the Tools menu of the console, select Internal log files.
2. Select the log generation mode:
   - Basic mode. Select this option if you want to record basic level information in the log files.
   - Debug mode. Select this option if you want a greater level of detail in the information in the log files.
3. Select the level of debugging:
   - Standard. Level of detail necessary for most cases.
   - Advanced. Lets you control the type of information you want to collect. Enable the checkboxes according to the options you want.
4. Select the level of detail you want.
5. To download the log files onto your computer, click Download logs.
6. Click Save to save the changes. Otherwise, click Cancel.
Online services
The services provide help and benefits in addition to those offered by the unit. Thanks to these services, you will always have a team of experts on hand that will help you to resolve any queries and problems you might have with viruses and other threats. The services offered by Panda GateDefender Performa are:
- Online Support Center: A fast, simple way to find answers to your queries.
- Virus encyclopaedia: Detailed and accurate information about the characteristics of each virus and how to eliminate it.
- Virus news: The latest virus news.
- Virus Infection Map: Live graphic coverage of the percentage of computers infected by viruses worldwide.
- Suggestion box: Allows you to inform Panda Security of the improvements you would make to Panda GateDefender Performa. Your suggestions will be thoroughly studied by the Panda Security technicians.
- Global ThreatWatch: Check out the current virus situation, and find out if there are alerts anywhere in the world or in your country.
In order to use these services, you need an open connection to the Internet.
Once the appliance has been correctly configured and is working properly, you can save the settings parameters. It is useful to do this as:
- You can recover them (import them) later.
- You can apply the same settings to another unit without needing to do so manually.
Importing settings
When importing a settings file from another unit, remember that the name and network settings of the appliance must be unique. Therefore, these details must be modified if another unit is using them.
To import or restore settings that you have previously saved, follow the steps below:
1. Click on Browse...
2. Find the settings file that you want to install and click on OK.
3. Then click on Import.
4. If no warning messages are returned, the appliance will have applied the new settings. If a warning appears, you will be informed of the problem and the steps for resolving it.
Sending statistics
Select:
1. Allow information about malware and other threats to be sent if you want to authorize sending of information about malware and other threats detected by your appliance.
2. Send information about spam detected if you want to authorize sending of information about spam detected by your appliance.
In this way you will be helping improve the detection capacity of Panda GateDefender Performa. The information is sent anonymously, with no data identifying your company.
3. Click Save.
Statistics are sent via HTTPS, and so all data will be encrypted.
Restarting the system services can be useful as an initial means for resolving functionality issues in Panda GateDefender Performa. The system services can be restarted in two ways:
- Click Restart services in the Tools menu.
- If the appliance has an LCD screen, use the Reset Services option.
Panda GateDefender Performa will perform a clean restart of all services without completely restarting the appliance. This process is much quicker than completely restarting the system. However, while it is in progress, the network traffic will be blocked in order to guarantee that no traffic goes through Panda GateDefender Performa without being scanned. While Panda GateDefender Performa is restarting the services and the network traffic is blocked, the console informs you of the status of the appliance.
When the restart is complete, you will see the screen for logging in to the console. If this doesn't happen after a few minutes, open another window in the browser, and connect again to Panda GateDefender Performa.
Restarting the system ensures, in the vast majority of cases, that any possible problems detected while the unit is running are resolved. The system can be restarted in two ways:
- Click Restart System in the Tools menu.
- If the appliance has an LCD screen, use the Reset System option.
Panda GateDefender Performa will run a clean restart:
- It closes all operating system processes and services in order to avoid problems like corrupting the file system.
- If the appliance has a bypass card, network traffic will not be blocked, but will pass through without being scanned.
- If the appliance does not have a bypass card, the network traffic will be blocked to guarantee that no traffic passes through without being scanned.
- Under no circumstances will traffic be allowed through until the system has restarted and the appliance is fully operative. This takes approximately 90 seconds.
- The system restart and its result are logged in the system events report.
In order to check if the system has completely restarted, the administrator can check the following:
- The Web console displays a warning while the computer is restarting. If the console access window does not appear within a few minutes, you must open another browser window and connect to the appliance again.
- Ping the appliance network IP address. When restart has been completed successfully, the IP address must respond to the ping commands.
- Ping a computer connected to the other side of the appliance. Panda GateDefender Performa will not allow traffic through until it has been started completely. Then, if you get a reply to the ping, the system has restarted successfully.
- Check that the LED display in the appliance is on. This means that restart is complete.
Panda GateDefender Performa lets you shut the system down correctly, blocking all network traffic. If the appliance has a bypass card, the traffic won't be blocked. The system can be correctly shut down in two ways:
A pop-up window will ask for confirmation. If the appliance has an LCD screen use the Shutdown option.
Panda GateDefender Performa 9100: It is advisable to completely shut down the appliance. To do this, press the switch. It will completely shut down after a few seconds. To restart the appliance, press the switch and wait a few seconds.
Panda GateDefender Performa 9500: It is advisable to completely shut down the appliance. To do this, disconnect the network cables. To restart the appliance, reconnect the network cables.
Note: Network traffic through Panda GateDefender Performa will be blocked once the system has shut down.
How do I...
Activating Panda GateDefender Performa
1. Click My license, next to the system clock.
2. In the window that appears, click on the link (here) that appears under Registration/activation details.
3. A new window appears: Enter the user name and password provided by Panda Security.
4. Click Save. Panda GateDefender Performa will contact the Panda Security server to get license information (wait 10 seconds before consulting the information). If an error occurs, a message will be displayed.
- Update the signature files, malware, spam and web filtering files.
- System software upgrade (firmware): for example, the operating system, the hardware drivers, the web server used to view the administration console, etc. or the malware and spam scan and detection engines.
- Hotfix update. Hotfix updates allow users to include performance improvements and solve specific problems.
For information about the factory settings, click here. To install these units in load balancing mode, it is advisable to:
- Use switches instead of hubs. This reduces the number of collisions and increases performance.
- Use Ethernet Gigabit connections only if the unit supports them.
- Check that the appliance network interface cards are working in full-duplex mode.
- All of the different types of protection must have the same settings in all the units working in load balancing mode. The network settings (name, IP address, etc.) must be different.
In order to guarantee the correct operation of several units working in load balancing, all of the different types of protection must have the same settings in all of them. The network settings (name, IP address, etc.) must be different.
Once the appliance has been correctly configured and is working properly, you can save the settings parameters. It is useful to do this as:
- You can recover them (import them) later.
- You can apply the same settings to another unit without needing to do so manually.
Importing settings
When importing a settings file from another unit, remember that the name and network settings of the appliance must be unique. Therefore, these details must be modified if another unit is using them.
To import or restore settings that you have previously saved, follow the steps below:
1. Click on Browse...
2. Find the settings file that you want to install and click on OK.
3. Then click on Import.
4. If no warning messages are returned, the appliance will have applied the new settings. If a warning appears, you will be informed of the problem and the steps for resolving it.
To access the trusted sites and domains settings, click the Settings menu in the main console, and in Protection > Anti-malware select Trusted sites and domains. Sometimes, the traffic sent from certain servers, computers or domains is reliable enough to be excluded from the scans. By excluding this traffic from the anti-malware scans, the workload of Panda GateDefender Performa is reduced and its performance is optimized. You can create a list of servers, websites, domains, subdomains, IP addresses and ranges that will be excluded from the scans. This action will apply to all protocols. To do this:
1. Click the Settings menu in the main Console screen.
2. Go to Protection > Anti-malware and click Trusted sites and domains.
3. This shows the trusted sites and domains configured to date. To add a new domain, subdomain, range, etc, include it in the New box and click Add. In the case of IP addresses, you can use the CIDR format, and for sub-domains, you can use wildcards.
4. The updated list will be displayed in the box. To delete any item, select it and click Delete.
After you have completed these steps, Panda GateDefender Performa will not scan traffic from those domains, servers or computers for malware.
If you do not want to enter sub-domains, you do not need to use the asterisk (for example, domain.com).
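The check below is an added example, not part of the Panda guide or the appliance software: it audits a trusted list before it is entered in the console, showing which hosts would bypass anti-malware scanning and which entries are very broad. The matching semantics (an asterisk entry covers sub-domains only, a bare domain covers only itself), the sample entries and the breadth thresholds are assumptions.

```python
import ipaddress

# Constructed sample list; entry syntax follows the guide (CIDR ranges, wildcard sub-domains).
TRUSTED = ["10.20.0.0/16", "192.0.2.15", "*.updates.example.com", "example.org"]

def parse_entry(entry):
    """Return ('net', ip_network) for an IP or CIDR entry, else ('host', pattern)."""
    try:
        return "net", ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "host", entry.strip().lower().rstrip(".")

def is_excluded(target, entries):
    """True if target (IP address or host name) falls under any trusted entry.
    Assumed semantics: '*.d' covers sub-domains of d only, a bare 'd' covers d only."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    name = target.lower().rstrip(".")
    for kind, value in map(parse_entry, entries):
        if kind == "net":
            if addr is not None and addr.version == value.version and addr in value:
                return True
        elif addr is None:
            if value.startswith("*."):
                suffix = value[1:]  # ".updates.example.com"
                if name.endswith(suffix) and len(name) > len(suffix):
                    return True
            elif name == value:
                return True
    return False

def broad_entries(entries, min_prefix=16):
    """Flag entries that switch off scanning for a very wide scope.
    Thresholds are illustrative: networks wider than /min_prefix, wildcards on a top-level domain."""
    flagged = []
    for entry in entries:
        kind, value = parse_entry(entry)
        if kind == "net" and value.prefixlen < min_prefix:
            flagged.append(entry)
        elif kind == "host" and value.startswith("*.") and value.count(".") < 2:
            flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for probe in ("10.20.30.40", "cdn.updates.example.com", "www.example.org"):
        print(probe, "bypasses scanning" if is_excluded(probe, TRUSTED) else "is scanned")
    print("review:", broad_entries(TRUSTED + ["0.0.0.0/1", "*.com"]))
```

Because the exclusion applies to all protocols, every flagged entry deserves a documented justification before it is added.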
Don't confuse the F/D button with the Reset (system) button, which resets the whole system.
SB, 9100 and 9500 models have a CD drive. Find the Reset button at the back of the appliance. Hold this button down for a few seconds. The unit restores the factory settings for accessing the Web console.
In order to view the factory settings of Panda GateDefender Performa click here.
Recovery via CD
This can be used to restore any appliances with CD or DVD drives.
Recovery via CD
The restore CD included with the Panda GateDefender Performa appliance allows you to restore the system if errors occur.
It is important to bear in mind that this method for restoring Panda GateDefender Performa must only be used as a last resort to solve possible errors. Never use the self-restore CD if you have not been advised to do so by Panda Security's technical support team.
To restore the system, follow the steps below:
1. Export the current settings of the appliance to a file. Click here for instructions on how to do this.
2. Connect to http://www.pandasecurity.com/enterprise/downloads/tree/
3. Enter the user name and password of your license.
4. Go to the section Downloads available.
5. In the section Software available for Panda GateDefender Performa > Restore CD, download the ISO for recovery via CD of the latest version available for the SUN platform.
6. Insert the CD in the CD drive.
7. Switch off the Panda GateDefender Performa appliance.
8. Start the appliance.
The restore process will automatically start and the appliance software will be reinstalled.
Do not shut down the system while the appliance is working, otherwise the entire system will be corrupted. The recovery process must not be interrupted once it has started.
Panda GateDefender Performa will display the factory settings. Import the settings file that you have just exported to apply the settings defined before restoring the appliance. Click here for instructions on how to do this.
Restoring Panda GateDefender Performa should always be considered as a last resort. Never use the self-restore DVD if you have not been advised to do so by Panda Security's technical support team.
1. Connect to http://www.pandasecurity.com/enterprise/downloads/tree/
2. Enter the user name and password of your license.
3. Go to the section Downloads available.
4. In the section Software available for Panda GateDefender Performa > Restore DVD, download the ISO for recovery via LiveDVD of the latest version available for the 8000 series and SB.
5. Export the current settings of Panda GateDefender Performa to a file.
6. Insert the LiveDVD in the computer and restart it. Live DVD will start, showing the restore interface.
7. Restart the Panda GateDefender Performa appliance. The computer will send and install the software needed for recovery.
8. When this has been done, the Start restore button is activated, which you must press to start the process. The appliance will send the information about this process to the computer.
When this process is complete, the following text is displayed in the computer:
Remote host restoration completed Click OK to restart the appliance from the hard disk.
Do not shut down the system while the appliance is working, otherwise the entire system will be corrupted. The recovery process must not be interrupted once it has started.
Panda GateDefender Performa will display the factory settings. Import the settings file that you have just exported to apply the settings defined before restoring the appliance.
For more information about the restore process, for example, the minimum requirements for the restore server, refer to the restore guide available in the downloads area of the website www.pandasecurity.com/enterprise/downloads/.
To complete the restore process, press ENTER and remove the USB device. The system will restart and the restored software will start. All of the settings will be lost and the factory settings will be displayed. Import the settings file that you have just exported to apply the settings defined before restoring the appliance. Click here for instructions on how to do this.
This section explains the LCD screen and how to use it.
The Panda GateDefender Performa SB and Panda GateDefender Performa 9100 and 9500 models do not have an LCD screen.
Specifications of the interface behavior
The following characters appear at the start of each line in a menu:
- To access a submenu, press Enter.
- Specifies that you are in a submenu and that you can exit to the main menu. To do this, press ESC.
When in a submenu, the last character of the first line shows one of the following characters:
- Press the downward arrow to move to a lower option.
- You can press any of the arrows to go up to the previous option or go on to the next option.
- Press the upward arrow to move to a higher option.
The appliance LCD screen shows the following:
Status. Possible values are:
- Running - OK: The appliance is functioning correctly.
- Starting: The appliance is starting.
- Closing: The appliance is closing.
- Restarting: The appliance is re-starting.
- You may shutdown: The system has closed but the power source is still on.
CPU use: Shows the load of the appliance.
Configuration. Shows information about the appliance settings.
Config IP: IP address used to access the console.
Network IP: Shows the network IP of the appliance.
Cluster mode Master / Slave: Shows the role of the appliance (Master or Slave).
Version info: Shows the version of the appliance system software.
Serial number: Shows the serial number of the appliance.
Reset access: Allows you to reset the appliance access details (user name, password and IP address). To confirm, press ENTER. To cancel, press ESC.
Reset Services: Lets you completely restart the services. To confirm, press ENTER. To cancel, press ESC.
Reset System: Allows you to restart the appliance. To confirm, press ENTER. To cancel, press ESC.
Shutdown: Allows you to shut down the appliance hardware. To confirm, press ENTER. To cancel, press ESC.
2. Add the IP address ranges of your internal network (protected by Panda GateDefender Performa).
Example 1: If you have just one internal network with IP addresses in the range 192.168.1.0/24, enter this on the page.
Example 2: If you want to protect two internal networks, such as 172.16.1.0/24 and 172.16.2.0/24, include both ranges.
3. Click Save.
2. Add the domains used on your internal network (protected by Panda GateDefender Performa).
Example 1: If you have a single domain 'company.com' include it on this page. Users of the protected internal network will have email addresses with the format user@company.com.
them all.
3. Click Save.
Protocol:
- Select traffic to scan: Inbound, Outbound, or Inbound and Outbound
- Select the POP3 checkbox
- Select the IMAP4 checkbox
Sensitivity level:
Select High
3. Click the existing link. You will see the screen for configuring additional DNSBL servers.
Anti-backscatter protection:
- Select the Enable anti-backscatter protection checkbox
- Select the action Delete
- Select Enable BATV