UsersGuide 6.0

Version 6.
Users Guide
GB-OS
GBOSUG201111-03
Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL 32817
Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email: info@gta.com Web: www.gta.com
GB-OS 6.0 Users Guide
Table of Contents
Preface_____________________________________________________________________________________ 11
About This Guide................................................................................................................................................................................13 Conventions 13 Icons 13 About GTA Firewalls...........................................................................................................................................................................14 What is a Firewall? 14 A GB-OS firewall system is: 15 Features 16 New Features 16 Standard Features 16 Optional Features 16 Support................................................................................................................................................................................................ 17 Support Options 17 Software Updates 17 Additional Documentation. .................................................................................................................................................................18
Initial Setup_ ________________________________________________________________________________ 19

Overview.............................................................................................................................................................................................. 21 Preparation..........................................................................................................................................................................................22 Registration 22 Retrieving Your Activation Code 22 Planning Your Network 22 Connecting Your Computer to the Firewall 23 Requirements 23 Setup by Temporary Peer Network 23 Powering On the Firewall 24 Entering Firewall Network Settings...................................................................................................................................................25 Browser Compatibility 25 Connecting to the Web Interface 25 Using the Basic Setup Wizard 26 Entering Your Network Information Manually 31 Using CIDR Notation 32 Setting Your Time 32 Re-configuring Your Computer 32 Placing the Firewall on the Network. ................................................................................................................................................. 33
Basic Setup Tasks_ ___________________________________________________________________________ 35

Basic Setup Tasks. .............................................................................................................................................................................. 37 Setting the Configuration Mode 37 Defining a Network 38 Entering the Host Name 38 Entering the Default Gateway 38 Defining Logical Interfaces 39 DNS Setup 40 DNS Proxy vs. DNS Server 40 Configuring the DNS Proxy 41 Date/Time Setup 42 Network Time Setup 42 Designating the Firewall as a NTP Server 43 System Clock 43 GB-OS Certificate Management 44 Defining Objects 45 Address Objects 45 Selecting the Address Objects Type 46 Using Regular Expressions 47 Default Address Objects 47 Bookmark Objects 48 Service Group Objects 48 Default Service Group Objects 49 Time Group Objects 50 IPSec Objects 50 Table of Contents
iii
GB-OS 6.0 Users Guide Encryption Objects Policy Sets Allowing Inbound Traffic Blocking Outbound Traffic Managing Policies Tips for Using Policies Verifying the Configuration Navigation Menu Icons Verification Flags Applying the Configuration Importing/Exporting Firewall Configuration Automatic Backup Email Backup Cloud Backup USB Backup Restoring Backups from the Cloud or USB Device via the Web Interface Restoring Backups Via the Console Cloud or USB Device Directory High Availability and Automatic Backup 50 51 51 51 52 52 53 53 54 55 56 57 57 57 58 59 59 59 59
Advanced Setup Tasks________________________________________________________________________ 60

Advanced Setup Tasks....................................................................................................................................................................... 62 Firewall User Account and Group Setup 62 Creating User Accounts 62 Creating Groups 63 Creating an Administrator Group 64 Configuring Remote Administration 66 Lockout 66 Remote Administration 66 Changing the Remote Administration Port 67 Encryption 67 Policy Compatibility 68 Authentication Setup 69 GTA Authentication 71 Using GTA Authentication on a GTA Firewall 71 LDAPv3 72 Using LDAPv3 on a GTA Firewall 72 RADIUS 73 Using RADIUS on a GTA Firewall 73 Active Directory Single Sign-On 73 Requirements For Single Sign-On 73 Single Sign-On Server Installation on Windows 73 Configuring Single Sign-On 73 PPP Setup 74 PPPoE Transport 77 PPTP Transport 80 DHCP Server 83 DHCPv4 83 DHCPv6 85 DHCP Relay 86 DHCP Relay Requirements 86 Example DHCP Relay 86 Configuration 87 PSN to Protected DHCP Relay 87 Dynamic DNS Setup 89 DNS Server Setup 90 Configuring the DNS Server 90 Creating DNS Domains 92 Routing Traffic 93 Alias Setup 93 NAT Setup 94 Creating Inbound Tunnels 94 Creating Static Mappings 96 Allowing Static Mapping 97 Pass Through Setup 97 Security Policies 98 Creating Pass Through Policy Pairs 98 Defining Bridged Protocols 99 Protocol Definitions 99 Defining Hosts/Networks 100
iv
Table of Contents
GB-OS 6.0 Users Guide Bridging Interfaces Bridging Mode BGP Setup OSPF Setup RIP Setup Static Routes Multiple Gateway Setup Gateway Failover Selecting Useful Beacons Gateway Sharing Policy Based Routing Source Routing Requirements Preferences Defining the Internet Protocol Defining Connection Timeouts and Limiting Creating Advanced Security Policies Detailed List View Policy Preferences Options Automatic Policies Address Spoof Connection Limiting Doorknob Twist Fragmented Packets Invalid Packets Unexpected Packets Ident Option Stealth Mode TCP SYN Cookies Advanced: Coalesce Setting Notifications Email SMS SNMP Trap Alarms Applying Traffic Shaping Weight vs. Priority Using Traffic Shaping VPN Setup VPN Concepts Authentication Multiple Networks Mobile Protocol IPSec Objects SSL Client and Browser Setup PPTP & L2TP Setup VLAN Setup VLAN Terms and Concepts VLAN Interface VLAN IDs VLAN Trunk VLAN Switch Creating a VLAN SNMP Setup Remote Logging Setup WELF (WebTrends Enhanced Log Format) Unix Facilities Policy NAT (Network Address Translation) WWW 101 102 103 105 108 110 110 112 112 112 113 113 113 114 114 114 116 117 117 117 118 118 118 118 118 118 119 119 119 119 119 120 120 121 121 121 122 122 122 124 124 124 125 125 125 125 125 126 127 127 127 127 127 128 129 130 131 132 132 132 132
Threat Management_ __________________________________________________________________________ 133

Threat Management..........................................................................................................................................................................135 Intrusion Prevention System (IPS) 136 Running the IPS Setup Wizard 137 Configuring the IPS Proxy 138 Configuring Performance Tuning Settings 139 Configuring IPS Policies 140
Table of Contents
GB-OS 6.0 Users Guide Filtering Displayed IPS Policies Mail Sentinel Mail Sentinel Policies Defining Email White (Allow) or Black (Deny) Lists RDNS (Reverse DNS) Defining a Mail Abuse Prevention System (MAPS) Surf Sentinel Configuring the Surf Sentinel Proxy Enabling the Traditional Proxy Transparent Proxy Block Actions Surf Sentinel Policies Local Allow and Deny Lists Content Blocking Surf Sentinel Categories Creating Advanced Surf Sentinel Policies 141 142 143 145 146 146 147 147 148 148 148 148 150 150 151 151
Monitoring Reports & Administrative Tools_______________________________________________________ 153

Monitoring, Reports, and Administrative Tools.............................................................................................................................155 Administrative Tools 155 Interfaces 155 Network Diagnostics 155 Ping 155 Trace Route 156 Shutdown 157 Halt 157 Reboot 157 Audit Events......................................................................................................................................................................................158 Viewing Firewall Logs.......................................................................................................................................................................158 Viewing Activity.................................................................................................................................................................................159 Accounts 159 Authenticated 159 Locked Out 159 Sessions 160 Network 160 ARP Table 160 Flushing the ARP Table 160 Connections 160 Hosts 161 Routing 161 Statistics 162 Security Policies 162 Services 162 DHCP Leases 162 Flushing DHCP Leases 162 Threat Management 163 IPS 163 Mail Sentinel 163 Anti-Spam 163 Anti-Virus 163 Statistics 163 Surf Sentinel 163 VPN 164 IPSec Tunnels 164 Reporting...........................................................................................................................................................................................165 Configuration 165 Executive Reports 166 Schedule Executive Reports 166 Historical Statistics 167 Preferences 167 Updating Your Firewalls Software..................................................................................................................................................168 Scheduling Checks for Automatic Updates 168 Performing a Manual Software Update 169
vi
Table of Contents
Troubleshooting_ ____________________________________________________________________________ 170

Troubleshooting Guidelines............................................................................................................................................................. 172 Frequently Asked Questions (FAQ). ................................................................................................................................................173 Administration 174 Network Connectivity 175 Services and Options 179 Hardware 182 Other 182 Automatic Backup 183
User Interface_ ______________________________________________________________________________ 184

Reference A: User Interface.............................................................................................................................................................186 Web Interface 186 Features 187 Web Interface Access 187 Characteristics 187 How to Access the Web Interface 187 Navigation and Data Entry 188 Menu 188 Verification Icons 188 Main Window 189 Advanced Tab 189 Buttons and Icons 190 Screen Buttons 190 List Icons 191 Flags 191 Index Numbers 192 Pull Down Menus 192 System Overview Screen 193
System Parameters___________________________________________________________________________ 196

Reference B: System Parameters. ................................................................................................................................................... 198 How to find your section: 198 2. Configure 199 2.2.1 Summary 199 2.2.2 Apply 199 2.2.3 Backup 200 2.2.4 Change Mode 200 2.2.5 Import/Export 201 2.2.6 Runtime 201 2.2.6.1 Options 201 2.2.6.2 Update 202 2.3 System 203 2.3.1 Summary 203 2.3.2 Information 203 2.3.3 Activation Codes 203 2.3.4 Contact Information 203 2.3.5 Date/Time 204 2.3.6 Notifications 204 2.4 Accounts 206 2.4.1 Summary 206 2.4.2 Authentication 206 2.4.3 Groups 208 2.4.4 Remote Administration 209 2.4.5 Users 210 2.5 Network 211 2.5.1 Summary 211 2.5.2 Interfaces 211 2.5.2.1a Settings 211 2.5.2.2 Aliases 213 2.5.2.3 PPP 214 2.5.3 NAT 217 2.5.3.1 Inbound Tunnels 217 2.5.3.2 Static Mappings 218 2.5.4 Pass Through 219 2.5.4.1 Bridged Protocols 219 2.5.4.2 Host/Networks 219 2.5.5 Preferences 220
Table of Contents
vii
GB-OS 6.0 Users Guide 2.5.6 Routing 2.5.6.1 BGP 2.5.6.2 Gateway Policies 2.5.6.3 OSPF 2.5.6.4 RIP 2.5.6.5 Static Routes 2.5.7 Traffic Shaping 2.6 Objects 2.6.1 Summary 2.6.2 Address Objects 2.6.3 Bookmark Objects 2.6.4 Encryption Objects 2.6.5 IPSec Objects 2.6.6 Service Groups 2.6.7 Time Groups 2.7 Reporting 2.8 Security Policies 2.8.1 Summary 2.8.2 Policy Editor 2.8.2.1-4 Inbound, Outbound, Pass Through, VPN (IPSec, L2TP, PPTP, SSL Client) 2.8.3 Preferences 2.9 Services 2.9.1 Summary 2.9.2 DHCP 2.9.3 DNS 2.9.4 Dynamic DNS 2.9.5 High Availability 2.9.6 Remote Logging 2.9.7 SNMP 2.10 Threat Management 2.10.1 Summary 2.10.2 IPS 2.10.2.1 Proxy 2.10.2.2 Policies 2.10.3 Mail Sentinel 2.10.3.1 Proxy 2.10.3.2 Policies 2.10.4 Surf Sentinel 2.10.4.1 Proxy 2.10.4.2 Policies 2.11 VPN 2.11.1 Summary 2.11.2 Certificates 2.11.3 Preferences 2.11.4.1 IPSec 2.11.4.2 L2TP 2.11.4.3 PPTP 2.11.4.4 Preferences 2.11.4.5 SSL Client 2.11.5 Site-to-Site 221 221 222 223 224 225 226 227 227 227 227 228 229 230 230 231 232 232 232 232 234 235 235 235 236 238 239 239 240 241 241 241 241 242 243 243 243 246 246 246 248 248 248 249 249 250 251 252 253 254
Utilities_____________________________________________________________________________________ 257
Reference C: Utilities........................................................................................................................................................................259 GBAuth 259 Using GBAuth for GTA Authentication 259 Using GBAuth for LDAP Authentication 260 Using GBAuth for RADIUS Authentication 261 GTA SSOAuth 262 Using Active Directory Single Sign-On 262
Upgrading_ _________________________________________________________________________________ 265

Upgrading to GB-OS 6.0................................................................................................................................................................... 267 Upgrading from GB-OS 5.2.0 - 5.4.x 268 Updating Runtimes 268 Scheduling Checks for Automatic Updates 269 Performing a Manual Software Update 270 Step 1: Generate GB-OS 6.0 Feature Activation Codes 270 Step 2: Load GB-OS 6.0 Feature Activation Codes Into the Configuration 270 Step 3: Upgrade to GB-OS 6.0 270
viii
Table of Contents
GB-OS 6.0 Users Guide Upgrading from GB-OS 3.7.3, and GB-OS 4.0.6 - 5.1.5 Step 1: Upgrade to GB-OS 5.2 1.1: Generate GB-OS 5.2 Feature Activation Codes 1.2: Load GB-OS 5.2 and 5.3 Feature Activation Codes Into the Configuration 1.3: Upgrade to GB-OS 5.2 Upgrading from GB-OS 4.0.0 - GB-OS 4.0.5 Step 1: Upgrade to GB-OS 4.0.6 Step 2: Upgrade to GB-O 5.2 Upgrading from GB-OS 3.4.0 - 3.7.2 Step 1: Upgrade to GB-OS 3.7.3 1.1: Generate GB-OS 3.7 Feature Activation Codes 1.2: Load GB-OS 3.7 Feature Activation Codes Into the Configuration 1.3: Upgrade to GB-OS 3.7.3 Step 2: Upgrade to GB-OS 5.2 Upgrade Notes Re-sizing Slices and Runtime Upgrades Error Messages Upon Initial Reboot Default Login and Password Changes Remote Administration Policy Compatibility in GB-OS 6.0.3 and Above GB-250 Upgrade Notice IPSec Object Upgrade Notice GB-OS 5.4.2 and Above Firewall Controll Center (FWCC) No Longer Supported Corrupt Object Names and Descriptions Static Gateway to Static Gateway VPN Failure Restrictive VPN Configurations Naming Conventions User Group Names and Assignments VPN Object Names Address Object Identification 271 271 271 271 271 272 272 272 273 273 273 273 273 274 275 275 275 275 275 275 276 276 276 276 276 277 277 277 277
Log Messages_______________________________________________________________________________ 278

Reference E: Log Messages............................................................................................................................................................280 System Notices 280 Hardware Errors 280 Failed Network Connectivity 280 Implicit Policies 280 Other Firewall Behaviors 280 Ping Flood/DoS Attack (ICMP Limiting) 281 TCP SYN Flood 281 Spoof Attempt 281 Door Knob Twist (Attempted Connect to Closed Port) 281 FTP Bounce 281 User Licenses 282 Maximum Firewall Users Exceeded 282 Maximum Surf Sentinel Users Exceeded 282 Configuration Changes by User 282 Automatic Backup 282 Permission/Policy Notices 283 Allowed Connections 283 Inbound (Remote Access) 283 Open 283 Close 283 FTP Port Updating 284 Outbound 284 Open 284 Close 284 Successful Administrative Access Attempts 285 Firewall Control Center Updating Firewall Control Center Configuration 285 Denied Connections 285 Inbound (Remote Access) 285 Outbound 285 Unsuccessful Administrative Access Attempts 286 Web Interface Compromise Attempt 286 Routing Notices 287 ICMP Types and Codes 287 ICMP Types 287 ICMP Codes 289 OSPF 291 Network Address Translation (NAT) 291
Table of Contents
ix
TCP Open Close HTML Sessions Open Close ICMP Open Close UDP Open Close Pass Through (No NAT) Open Close Bridged Interfaces Cabling Loop Bridged Protocols Firewall Service Notices Authentication Expired Authentication Session Authentication Denied Due to Closed Authentication Connection Authentication Denied Due to Old GBAuth Version Gateway Selector Email Notification from Gateway Selector Intrusion Prevention System (IPS) Connection Passed Connection Dropped Connection Reset Mail Sentinel Email Filtering Email Delivered Email Rejected Due to Source or Destination of Policy Email Rejected Due to Exhaustion of Policies (Reject by Default If No Match Is Found) Email Rejected Due to Reverse DNS Email Rejected Due to MAPS Email Rejected Due to Invalid Recipient Email Connection Incomplete Maximum Count of Threads Exceeded Mail Sentinel Anti-Virus and Mail Sentinel Anti-Spam Options Email Confirmed Spam by Mail Sentinel Anti-Spam but Delivered Email Confirmed Spam by Mail Sentinel Anti-Spam and Quarantined Email Virus Found by Mail Sentinel Anti-Virus and Cured Then Delivered Email Virus Found by Mail Sentinel Anti-Virus but Delivered Email Virus Found by Mail Sentinel Anti-Virus and Quarantined Email Virus Found by Mail Sentinel Anti-Virus and Rejected Email Headers VPN Security Associations Mobile Client VPN Authentication and Connection Web Content Filtering Transparent Proxy Traditional Proxy Surf Sentinel Option
291 291 291 291 291 291 291 291 291 291 291 292 292 292 292 292 292 292 293 293 293 293 293 294 294 294 294 294 294 295 295 295 295 295 295 296 296 296 296 296 296 297 297 297 297 298 299 299 299 300 301 301 301
Glossary____________________________________________________________________________________ 302
Reference F: Glossary......................................................................................................................................................................304 License Agreement...........................................................................................................................................................................318 Legal Notices.....................................................................................................................................................................................320
Preface
11
About This Guide

The GB-OS Users Guide covers the configuration and use of GB-OS version 6.0. Organization of the chapters in this guide is according to common tasks. Exceptions to this rule include the Preface, Troubleshooting and Reference chapters. For the location of specific topics, please see the table of contents.
Conventions
A few conventions are used in this guide to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections. Bold Italics
Italics Blue Underline Small Caps Monospace Font Emphasis Publications Clickable hyperlink (email address, Web site or in-PDF link) On-screen field names On-screen text On-screen menus, menu items On-screen buttons, links
Condensed Bold
Bold Small Caps
Icons
Note
Note icons are points of interest GTA has chosen to highlight. These notes represent tips or additional information beyond standard instruction.
Caution
Caution icons are used to highlight important information which may affect the use of GTA products.
Preface
13
About GTA Firewalls

Global Technology Associates, Inc. (GTA) has been designing and building Internet firewalls since 1994. In 1996, GTA developed the first truly affordable commercial-grade firewall, the GNAT Box. Now, ICSAcertified GB-OS is the engine that drives all GTA Firewall UTM Appliances and GB-Ware firewalls.
What is a Firewall?
When creating or upgrading a computer network, security is an important consideration. Who should be allowed to see or change your data? What policies should govern the use of the network? You probably dont want unknown people using your resources without your consent. You may wish to restrict use, for example, to employees that have been given a login. You may wish to further protect sensitive data from accidental or malicious damage. And in a time when network attacks are increasingly common, you may also wish to provide your clients with additional peace of mind regarding security of customer data. After assessing these kinds of policy needs, it is important to choose a device that will help you apply your network security decisions. Many people mistake a router for a firewall. While many modern routers do have some firewall functionality, their primary task is as their name designates: to route network traffic. Firewalls differ because they apply sophisticated policy controls to traffic that is allowed to travel across the network. Because firewall applications also run alongside other software on your computer, which may have unknown vulnerabilities, firewall applications are also generally less effective than a dedicated firewall device. Firewall applications (which run on your computer) provide some protection. However, they may not be the most secure choice because of disparities in power and sophistication. This is especially true if your network must protect many computers, then it may also be more efficient to maintain a single firewall device rather than copies of firewall software installed on every computer. Firewall devices simplify policy application and provide additional strength by securing your network at the gateway level, before an attack can reach your internal network. As dedicated firewall devices, GB-OS systems are devoted entirely to network security. Unlike servers and computers whose many running software applications may inadvertently open your network to vulnerability, GTA Firewall UTM Appliances only run necessary security software. No unrelated applications run on them. An authorized user can log on only to configure and administer the firewall. By definition, the effectiveness of a firewall is determined by the traffic it denies. GB-OS is based on the basic firewall principle: that which is not explicitly allowed is denied. If all policies were deleted and nothing was explicitly allowed, a GTA Firewall UTM Appliance would deny all traffic, both inbound and outbound.
14
Preface
A GB-OS firewall system is:

A firewall that prevents unauthorized access to internal networks, while allowing authorized connections to operate normally. A unified threat management appliance that protects your network from spam, viruses and unauthorized access. A virtual private network (VPN) gateway between two networks or a network and a mobile client using IPSec VPN standards; it supports many third-party IPSec-compliant VPN products. A networkaddresstranslation (NAT) engine that allows unregistered IPaddresses to be used on the protected and PSN networks so that IPaddresses are hidden from external networks and translated to the primary external network interface IPaddress. A network gateway that links network topographies (e.g. 10 Mbps to gigabit) and replaces a router in a PPP configuration. A bridging firewall that links Ethernet networks together transparently like a bridge, while filtering IP packets as a firewall. An email proxy that restricts access to your email server. A DNS proxy or server that makes DNS requests or maintains a database of domain names (host names) and their corresponding IP addresses. A DHCP server that automates the assignment of IPaddresses to host systems on locally attached networks.
Preface
15
Features
GB-OS firewall software has a number of features to help you protect your network resources from unauthorized use.
New Features
GB-OS provides a graphical user interface accessed using a Web browser with an improved workflow and setup wizards. New and improved features in GB-OS 6.0 include: IPv6 support DHCPv6 client support Stateless Address Autoconfiguration for interfaces Improved web interface display and functionality
Standard Features
GTAs NAT (Network Address Translation) and Stateful Packet Inspection engine are at the heart of all GB-OS firewalls. These facilities, tightly integrated with the network layer, guarantee maximum data throughput, reliable NAT and unparalleled security. (Pass through policies allow the use of the firewall without NAT.) GB-OS version 6.0 features also include: Email proxy with anti-virus and optional spam prevention tools IPSec VPN (Virtual Private Networking) Encryption methods including DES, 3DES, AES, Blowfish and Camellia User authentication via the GBAuth utility and Active Directory Single Sign-On Email notifications and SMS messaging support Advanced routing protocols including RIP, BGP and OSPF DHCP and DNS services via built-in DHCP and DNS servers* Transparent network access for standard IP applications Protocols including FTP, PASV FTP, RealAudio/Video, ICQ, AIM, online gaming, Net2Phone, PPP, PPPoE and PPTP Bridging for user-specified Ethernet protocols Safe access to servers from external networks using the PSN, GTAs enhanced DMZ network Secure remote logging using the GTAsyslog or a third-party syslog Default stealth (no ping) mode GB-Ware installation support via Virtual Machine packages PPTP and L2TP support Monitoring and data reports Automatic configuration backup and Cloud server storage
GB-OS administrators have a choice of two user interfaces: Web interface: A secure platform independent remote management interface providing comprehensive access to configuration options via a frames-enabled, SSL-compatible Web browser. Console interface: On-site serial or video fail-safe and firewall recovery access with limited configuration options.
Optional Features
Secure mobile remote network access with IPSec VPN clients Email filtering with Mail Sentinel Anti-Spam Web content filtering with Surf Sentinel Firewall failover ability with H2A - High Availability* VPN hardware acceleration* A variety of support offerings for firmware upgrades
16
Preface
*Available on select GTAfirewalls.
Support
Installation (up and running) support is available to original owners who have registered their product. If you need installation assistance during the first 30 days of ownership, contact the GTA Support team by emailing support@gta.com. Be sure to include your product name, serial number, activation code, feature activation code numbers for your optional/subscription features and if possible a Configuration Report. Installation support only covers installation and default configuration of the firewall. For further assistance, contact an authorized GTA Channel Partner or GTA Sales staff for information about support offerings.
Support Options
If you need support after installation and default configuration, a variety of support contracts are available. Contact an authorized GTA Channel Partner or GTA Sales staff for more information. Support ranges from support per incident to annual contract coverage. Other avenues for assistance are available through an authorized GTA Channel Partner, the GTA Firewall User Forum (forum.gnatbox.com), or the GTA Web site (www.gta.com).
Software Updates
Once registered, you can view available updates in the GTA Online Support Center section of the GTA Web site (www.gta.com/support/center/login/). Click on the serial number of your registered product to see if an update is available for that specific unit. Click on the Downloads link to view all available software versions. Software updates are also available through the GB-OS Web interface. Navigate to Configure>Configuration>Runtime>Update. If there are no updates, click Check Now. All available updates will appear here. Caution
Before updating, be sure to backup your configuration.
Preface
17
Additional Documentation
For additional instructions on installation, registration and setup of a GTA product, see applicable Quick Guides, FAQs or technical papers. For optional features, see the appropriate option guide. Documentation is included on the CD shipped with new GTA products, and is also available for download from the GTA Web site. Note
For the latest documentation, check the GTA Web site for current PDFs.
These manuals and other documentation can also be found on the GTA Web site (www.gta.com). Documents on the Web site are either in plain text (*.txt) or portable document format (*.pdf) which requires Adobe Reader version 7.0 or greater. A free copy of Adobe Reader can be obtained from www.adobe.com. Available Documentation
Document
GB-OS Users Guide GB Commander Feature Guide Mail Sentinel Feature Guide
Topics
GB-OS features and Web user interface GB Commander for GTA firewalls Stand-alone reporting software Email anti-spam and anti-virus filtering feature Content filtering optional feature High availability optional feature VPN (virtual private networks) feature Hardware specifications, current documentation and examples
GTA Reporting Suite Feature Guide Surf Sentinel Feature Guide GTA VPN Feature Guide
H2A High Availability Feature Guide www.gta.com
18
Preface
Initial Setup
19
Overview
The Initial Setup chapter describes how to set up your new GTA Firewall UTM Appliance. Steps include registration, initial physical connection, entering network settings through the firewalls Web interface, and installation on your network. Instructions assume that the firewall is being added to an existing network. If you need help setting up a computer network, instructions for setting up a simple office network (LAN) can be found on the GTA Web site. This chapters content reflects the Quick Guide included with all new GTA firewalls, but provides alternative methods and more detailed instructions. Expected completion time is approximately 30 minutes. Main steps include: 1. Preparation 2. Connecting Your Computer to the Firewall 3. Entering Firewall Network Settings 4. Placing the Firewall on the Network What youll need:
Firewall serial number Firewall and feature activation code(s) Internal and external IP addresses for your firewall Internal and external subnet masks for your firewall Gateway/default route IP address for your firewall DHCP or DNS information if your firewall has a static IP address A crossover Ethernet cable Your new firewall with its power cable or power adapter A computer with an Ethernet network card and compatible Web browser
Note
These instructions are for GTA Firewall UTM Appliances only, and do not apply to GB-Ware. See the GB-Ware Product Guide for installation and setup of GB-Ware firewalls. Any firewall use or administration described in later chapters assumes that you have completed this chapters instructions or the equivalent instructions in the GB-Ware Product Guide, as appropriate to your firewall model.
Chapter 1: Initial Setup
21
Preparation
Gather necessary information before proceeding with firewall setup. This includes any activation codes and network planning information such as IP addresses and subnet masks for the firewalls network ports.
Registration
In order to retrieve activation codes and receive software updates and technical support, you must register your GTA firewall. Registration also archives your valuable activation codes and serial numbers with GTA, protecting against their loss should your own records be lost or destroyed. In addition to qualifying you for installation support, your product registration will allow GTA to inform you about software updates and special offers. 1. To register, visit www.gta.com. Click on Support and then the Support Center link. 2. If you do not have an online support account, click the Create an Account Now link and enter your information. Once the form is completed, click the Submit button to save the profile. Enter your user ID and password on the login page. Click on the Register a Product link. Enter your serial number and activation code, then click the Submit button. To view your registered products, click the View Products link. Note
If you cannot retrieve your activation code, or a code does not appear under View Products, please email support@gta.com with a brief description of your problem in the body of the email. Be sure to include the products serial number and your online support accounts user ID in the message subject.
Retrieving Your Activation Code

All GTA firewalls use an activation code to protect software from illegal duplication. Serial numbers and activation codes are included with the packaging. Should you lose records of your activation codes, registration allows them to be retrieved from the GTA Online Support Center (http://www.gta.com/support/center/login/), under View Products.
ate. Select Check Now if now updates display.
Activation codes are also available throughout the GB-OS Web interface at Configuration>Configure>Runtime>Upd
The primary activation code is pre-installed in all GTA Firewall UTM Appliance models. Optional features require separate feature activation codes, available through the GTA Online Support Center.
Planning Your Network

These instructions assume that you have an existing network. If you do not yet have a network, simple network setup examples are available on the GTA Web site. To add your firewall to your existing network, you will first need to determine a suitable place for attachment. Physical location can partly determine the effectiveness of the firewall in performing its role, so choose a location carefully.
If your firewall will be performing a perimeter security role, defending your network from Internetsourced attacks, then consider placement between your Internet router/gateway and your LAN. If your firewall will be performing as an internal mediator or routing role on your intranet/LAN, then consider placement between two internal routers.
22
Once you have chosen a suitable installation location for your firewall, you will need to devise firewall network settings (IP addresses and subnet masks) for the firewalls connected ports. Correct network settings will vary according to the settings of attached devices. For example, many LANs consist of computers with private IP addresses, as defined in RFC 1918, such as 192.168.1.xxx using a 24-bit subnet mask of 255.255.255.0; in this case, a valid firewall IP address could be 192.168.1.1 with a subnet mask of 255.255.255.0. Note
For more information on the basics of TCP/IP networking and how to plan a network, one recommended source is TCP/IP Network Administration, 3rd Edition by Craig Hunt from OReilly and Associates.
Connecting Your Computer to the Firewall

First physically connect the firewall to your computer using the provided cables. Configure your computer to access the firewalls IP address, then add your network settings to the firewall. Then add your firewall to its intended place on the network. Connecting your computer to the firewall takes about 15 minutes. It assumes youve already planned out your network, or have a network already set up.
Requirements
To connect the firewall, gather the following hardware:
1 crossover Ethernet cable to connect directly to the firewall or through a router; or 1 straightthrough cable to connect through a hub or switch (1 yellow crossover cable may be included; consult your package contents list) 1 external power supply or power cord (may be included; consult your package contents list) 1 computer with an Ethernet network card (NIC) IP addresses and subnet mask plans for all devices on your network Gateway/router IP address (default path for traffic going to the Internet or other external network) An understanding of TCP/IP networking
Straight-through cable: both ends have wires in the same order. Computer to hub/switch. Crossover cable: each end has wires in a different order. Computer to router or firewall.
In addition, you will need:
Figure 1.1: Choosing the Correct Type of

Ethernet Cable
Setup by Temporary Peer Network

Temporarily join a computer to the firewalls default network. This allows you to connect and configure the firewalls network settings to match your own network scheme, integrating it with your network. 1. Connect the computers NIC to the firewalls NIC 0 using a crossover cable. (Alternatively, use a straight-through cable to connect the computer to the firewalls NIC 0 through a hub or switch.) Note
NIC 0 is the Ethernet port/connector labelled with a zero (0) on the firewalls chassis.
23
2. Back up the computers network settings, then temporarily change your computers network settings (this allows you to access the firewalls default network): IP Address: 192.168.71.253 Gateway/Router: 192.168.71.254 Subnet Mask: 255.255.255.0 DNS Server: none (or 192.168.71.254, if this field is required)
Figure 1.2: Changing Network Settings to Match Firewall Defaults (Windows XP)
Figure 1.3: Changing Network Settings to Match Firewall Defaults (OS X) 3. If necessary, reboot your computer to apply the network configuration.
Powering On the Firewall

1. Connect the power supply to a power outlet. 2. Insert the power connector tip into the firewall. 3. If there is a power switch, turn the firewall on; if there is no switch, applying the power cable will cause the boot process to begin. The system will be operational in approximately one minute. 4. Verify your ability to connect to the firewall by pinging the default IP address of 192.168.71.254. Preparation is now complete.
24
Entering Firewall Network Settings

The following sections will describe how to replace the firewalls default configuration with your own network settings.
Browser Compatibility
GTA recommends using an SSL-compatible and frames-capable browser to administer your firewall. Caution
Administration of the firewall without SSL is insecure and may send sensitive information such as passwords in clear text. It is not recommended if you have a hub or other network device between your computer and the firewall appliance.
Connecting to the Web Interface

1. Start a Web browser on your computer and enter the firewalls URL into the browsers location/ address field: https://192.168.71.254. 2. If your network and cables are set up correctly, you will be prompted with a security alert dialog indicating that the certificate authority is not one you have chosen to trust; that the security certificate date is valid; and that the name on the security certificate does not match the name of the site. Click Yes, or if your alert differs, choose the selection that allows you to proceed. (You may establish your firewalls SSL certificate once you have logged on to the firewall.)
Figure 1.4: Accepting the Firewalls SSL Certificate (Internet Explorer) 3. Next, in the login screen, enter the default user ID, fwadmin (all lower case). Then enter the default password, also fwadmin (all lower case). Click OK or press the return key when finished.
Figure 1.5: Entering the Default User ID and Password Caution

GTA recommends changing the default user ID and password to prevent unauthorized access. Passwords can be changed after logging in.
25
Using the Basic Setup Wizard

Upon initial login to the GTA Firewall UTM Appliance, you will be prompted with the Basic Setup Wizard, which is designed to facilitate the entry of basic network settings. The firewall has default settings which need to be changed to match your network settings. Based upon the information you enter, the Basic Setup Wizard will configure your firewall, generate a default set of policies and create a GB-OS CA and local certificate for administrator and VPN. Upon successful completion of the wizard the GB-OS Web interface will unlock, providing full access to configuration options. Before running the wizard, it may be helpful to print out and fill in the table which follows. Note
When defining the IP address for network interfaces, a class C (24-bit) netmask will automatically be assigned unless a netmask is explicitly entered. For more information on assigning a netmask to your network and CIDR notation, see Using CIDR Notation later in this chapter.
Table 1.1: Basic Setup Wizard Worksheet

Field
Serial Number Serial Number Activation Code The firewalls serial number. This can be found on the card shipped with the firewall or physically on the firewalls label. The firewalls activation code. This can be found on the card shipped with the firewall or retrieved online from the GTA Online Support Center. The default administrators user ID. The administrators new password. Minimum 3 characters Minimum 4 characters
Description
Value
Administrator User ID Password Network Preferences Enable Date/Time Date Time Enable NTP Server Protected Interface Type (circle one) IP Address Select DHCP if you wish to have the firewall use DHCP to obtain the protected interfaces IP address. To manually assign a static IP address, select Static. If Static has been selected for the protected interfaces Type, enter the protected interfaces IP address and netmask. Select DHCP if you wish to have the firewall use DHCP to obtain an IP address. Select PPP to configure a PPP, PPPoE or PPTP connection for the external interface. To manually assign a static IP address, select Static. Static DHCP ... The current date. The current time. NTP (Network Time Protocol) is a protocol that assures accurate local timekeeping. Use of a NTP server is highly recommended. This field is enabled by default. If the NTP checkbox is enabled, enter the NTP servers location, such as 0.gta.pool.ntp.org. Enable support for IPv4 networks, or both IPv4 and IPv6 networks.
External Interface Type (circle one) DHCP PPP Static
26
Table 1.1: Basic Setup Wizard Worksheet

Field
IP Address Default Gateway DNS Server Host Name Host Name Enter the identifying host name for the firewall. GTA recommends using a fully qualified domain name as the host name (e.g., firewall.example.com). Select DHCP if you wish to have the firewall use DHCP to obtain the PSN interfaces IP address. To manually assign a static IP address, select Static. If Static has been selected for the PSN interfaces Type, enter PSN interfaces IP address. DHCP Static ...
Description
If Static has been selected for the external interfaces Type, enter the external interfaces IP address. If Static has been selected for the external interfaces Type, enter the Default Gateway. If Static has been selected for the external interfaces Type, enter the DNS Server.
Value
... ... ...
PSN Interface Type (circle one) IP Address
Running the Basic Setup Wizard

If this is your first time logging in to your GTA firewall, you will be presented with the Basic Setup Wizard by default. Otherwise, navigate to Wizards>Basic Setup from the firewalls menu. 1. On the first screen of the Basic Setup Wizard, you will be prompted to enter the firewall administrators contact information. Click the Next Arrow to continue.
Figure 1.6: Entering the Administrators Contact Information
2. The next screen will allow for entry of the firewalls serial number and any activation codes for optional features that you purchased along with your product. Enter activation codes (hexadecimal characters only - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F) with dashes included. The serial number and activation code(s) can be found on the card that shipped with the firewall. Click the Next Arrow to continue.
Figure 1.7: Entering the Serial Number and Activation Codes
27
3. You will then be prompted to enter and confirm a new username and password for the firewalls default administrator account. The username must be a minimum of three (3) characters, and the password a minimum of four (4) characters. Click the Next Arrow to continue.
Figure 1.8: Entering the Firewall Administrators Password
4. The following screen pertains to Network Preferences. Select the type of network to support: either IPv4 or both IPv4 and IPv6. Click the Next Arrow to continue.
Figure 1.9: Network Support
5. The next screen will configure the firewalls date and time settings. Although it is possible to manually configure the firewall date and time, it is highly recommended that you enable the NTP checkbox and enter an NTP server. Note
For more information on configuring Date/Time settings and the NTP service, see Date/Time Setup in Basic Setup Tasks.
Figure 1.10: Configuring the Date and Time
6. The next screen will configure the protected interface. A protected interface is the interface which is connected to the protected network. Select DHCP Server to have the firewall use DHCP to obtain the protected interfaces IP address. The protected interface does not require a registered IP address. Click the Next Arrow to continue.
Figure 1.11: Configuring the Protected Interface
28
7. You will then be prompted to define the external interface. The external interface is used to communicate to the external network, typically the Internet. An external interface requires a public or legitimate IP address (if attached to the Internet). Select DHCP to have the firewall use DHCP to obtain the external interfaces IP address. Select PPP to configure a PPP connection for the external interface. Select Static to assign a static IP address, default gateway and DNS server to the external interface. Click the Next Arrow to continue. Note
For more information on configuring a PPP connection, see PPP Setup in Advanced Setup Tasks.
Figure 1.12: Configuring the External Interface
8. The host name is the system name assigned to the GTA firewall. The host name is used to tag log messages and for creating SSL certificates. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down to a host, domain and top-level domain (e.g. firewall.example.com). Host names must be unique. If your network DHCP servers make IP address assignments based on the system name, enter the host name, often assigned by your ISP. Click the Next Arrow to continue.
Figure 1.13: Entering the Host Name
9. The next screen configures the PSN interface. A Private Service Network (PSN) is optional and may not be required for configurations such as intranets or for outbound access only. However, if you offer public access to servers (such as a Web server) the installation of a PSN interface is highly recommended. To configure a PSN interface, select the Enable checkbox, otherwise select the Next Arrow to proceed with the wizard. Select DHCP to have the firewall use DHCP to obtain the interfaces IP address, otherwise select Static to assign a static IP address manually. The PSN interface does not require a registered IP address. Click the Next Arrow to continue.
Figure 1.14: Configuring the PSN Interface
29
10. The final screen of the Basic Setup Wizard is a summary view of all entered settings. Please review your firewalls setup prior to committing the displayed configuration. To make changes to your basic setup, select the Back button to return to the appropriate screen. Click the Save icon to save the displayed configuration, or select the Cancel icon to abort. Caution
Saving settings configured using the Basic Setup Wizard will erase any existing configuration settings and will reboot the firewall if it is in Live Mode.
Figure 1.15: Reviewing the Firewalls Basic Setup
Completion of the Basic Setup Wizard will automatically create a new GB-OS CA and local certifcate singed by the CA, and the Notifications section will set the To Address as the Contact Address.
30
Entering Your Network Information Manually

Using the Basic Setup Wizard is the recommended method to initially configure your firewall. However, should you wish to enter your network information manually, select the Close icon in the Basic Setup Wizard. Doing so will unlock the rest of GB-OS configuration settings. Navigate to the Configure category, click on Network to expand the menu, select Interfaces and then Settings. Only one external and one protected network interface is initially required to configure and test the firewall. The other interface(s) can be defined as any of the three network types: protected, external or PSN (Private Service Network, GTAs enhanced DMZ). To enter your network information: 1. Navigate to Configure>Network>Interfaces>Settings. 2. Enter the host name for the GTA firewall in the Settings section. (e.g, firewall.gta.com) 3. To edit an existing logical interface, select the desired logical interface and select the Edit icon. Otherwise, select the New icon to create a new logical interface. Enter IP addresses and netmasks (in either dotted decimal or CIDR notation) for your external and protected networks on each network interface. Disable the DHCP option on the external network interface if necessary. Enter the default route to your Internet routers IP address. 4. Once you have completed the network configuration, apply the changes by clicking Save. The firewall will then join the assigned network. For additional information, see Defining a Network in Basic Setup Tasks. Caution
Closing the browser without clicking Save will cause entered data to be lost, and your firewall will remain in default configuration. You will then need to re-connect to the firewall and re-enter the network information.
Note
If you changed the IP address of eth0s protected network, the firewall will now be on a different logical network than your computer, and you will not be able to access the firewall from your computer. You must restore your computers original network settings to regain access to the firewall.
Figure 1.16: Entering Network Information
31
Using CIDR Notation

GB-OS uses CIDR (Classless Inter-Domain Routing) notation for subnet masks, not dotted decimal (e.g. 255.255.255.0). This provides more specificity when defining subnetworks. Dotted decimal, the most common notation, divides network size into 4 classes (A, B, C, or D) using fixed 8, 16, 24 or 32-bit IP address masks. Because network classes are defined by 8-bit-increment masks and only 32 bits are allowed for the whole bit mask, dotted decimal can only represent networks of 4 host capacity magnitudes. For example, a Class D with a 32-bit mask represents a subnetwork of up to 1 network host, Class C with a 24-bit mask represents a subnetwork of up to 254 network hosts, etc. Note
To determine the limit of the number of hosts on your subnetwork (h), first subtract your bit mask (m) from 32; then raise 2 by the power of your answer, and subtract 2:
h = (2(32-m))-2 By using 1-bit increment masks (instead of 8), CIDR (also called slash (/)) notation can divide the network into 32 subnet sizes. (Subnet definitions, in dotted decimal format, are therefore more coarse, lacking the fine granularity of CIDR notation.) CIDR notation uses any number from 1 to 32 to determine network class (/32 representing one IPaddress). For example, the CIDR address 192.168.1.2/24 indicates that the first 24 bits are used for the network class. The /24 mask includes 254 hosts on the network, and is equivalent to 255.255.255.0 (a Class C network) in dotted-decimal notation. Calculate a CIDR-based notation net mask by converting the dotted decimal net mask to binary and counting the ones. For a Class C network, the dotted decimal net mask is 255.255.255.0. The binary notation of that net mask is 11111111.11111111.11111111.00000000. There are 24 ones, so the CIDR notation would be /24. Using a 255.255.255.240 net mask, the binary representation would be: 1111111 1.11111111.11111111.11110000. The notation would be /28. You may also enter a host address that is defined by not including a bit mask (e.g. 192.168.123.1). This is equivalent to a /32 bit mask. To enter a range of addresses, use a hyphen (-) between the two extremes of the range (e.g. 192.168.123.0-192.168.123.255). If you prefer to not use CIDR notation, dotted decimal may still be used: enter the dotted decimal net mask after the forward slash (e.g. 192.168.71.254/255.255.255.0).
Setting Your Time

Firewall logs record events and schedule time-based policies by current time. To ensure that the correct time is used, your GTA firewall should poll a network time (NTP) server. To enter which network time servers you would like to use, navigate to Configure>System>Date/Time. Under the Network Time section, check the enable box and click the New icon to add a new network time server. Enter the domain name of a network time server (e.g. time.apple.com), then click the Save and Ok buttons. For additional information, see Network Time Setup.
Re-configuring Your Computer

If you temporarily changed your computers network configuration to connect to the firewall, restore the original configuration now. If you formed a temporary peer network during network configuration, disassemble it now; reconnect your computer to your network. Reboot your computer if necessary to apply the network configuration change.
32
Placing the Firewall on the Network

To place your GTA firewall on the network, it will need to be powered off. Connect your firewall to its intended place on your network. (In most cases, this will connect the firewalls external port directly to the Internet router/gateway, and the internal/protected port to the LAN.) Power on the firewall. The firewall should now be active and functioning in basic security mode (all internal users are allowed outbound and no unsolicited inbound connections are allowed). Now your computer and firewall should both be members of your network. Access the firewall using a browser and the IP address you assigned to the protected network port. You can now perform any additional configuration tasks, including changing the administrative password. Caution
Failure to change the default password is a serious security risk. GTA recommends changing the default user ID and password to prevent unauthorized access.
Your firewall can perform a number of additional tasks. To configure and activate additional firewall features, see the Basic Setup Tasks and Advanced Setup Tasks chapters.
33
Basic Setup Tasks
2
35
Basic Setup Tasks

This chapter covers the basic functions for initial firewall setup and configuration, organized in the order in which GTA recommends they should be completed. Certain tasks explained in this chapter can also be performed using the Basic Setup Wizard. If you have not yet configured your firewall using the wizard, it is recommended to do so.
Setting the Configuration Mode

Configuration modes allow you to preview changes to the firewalls settings without immediately applying them. Working in Test Mode allows you to configure your firewall as needed, without compromising your networks security. The Configuration section found within the Configure category allows you to toggle between Live and Test configuration modes, verify your configurations settings, apply a configuration change and import/ export configuration settings. The most basic of GB-OS settings toggles the GTA firewall between Live and Test configuration modes. To make any changes to the configuration, consider working in Test Mode. Test Mode is useful for verifying a new configuration for correctness and adherence to your security policy. All changes, including configuration changes in multiple areas, can be reviewed in complete safety before applying them to your running firewall. Once you have verified your new configuration in Test Mode, you may apply it to the currently running (Live) configuration. Test Mode configurations may also be reset to factory defaults. Live Mode is useful for immediately applying a configuration change without testing. A Live Mode configuration can also be copied to the firewalls Test Mode. To toggle between Live MODE and Test MODE: 1. Navigate to Configure>Configuration>Change Mode 2. Select Live Mode or Test Mode 3. Click Submit to commit the change
Figure 2.1: Setting the Configuration Mode
Chapter 2: Basic Setup Tasks
37
Defining a Network
The information entered in the Network Settings screen is used to define the network connected to your GTA firewall. Much of this information is required to be entered during the initial setup of the firewall and can be configured using the Basic Setup Wizard. To define your network manually, navigate to Configure>Network>Interfaces>Settings.
Figure 2.2: Defining a Network
Entering the Host Name

The host name, located in the Settings box, is the system name assigned to the GTA firewall and is used to tag log messages. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. A fully qualified domain name is the complete domain name for a specific computer (host) on the network, which is broken down to a host, domain and top-level domain (e.g. firewall.example. com). Host names must be unique. If your networks DHCP servers create IP address assignments based on the system name, enter the host name, often assigned by your ISP. Note
Changing the host name of your firewall will cause it to automatically generate a new default SSL certificate using the new host name. Once a new SSL certificate has been generated, the firewall will prompt the user to re-approve the certificate
Entering the Default Gateway

The default gateway, located at Configure>Network>Routing>Static Routes, is a node on the network that serves as a packet forwarder for all packets for which no routing has been configured. Enter the IP address of the selected default route. This value is usually the IP address of the router connecting the network to the Internet and must be on the same logical network as the associated external interface. If your external interface uses PPP or DHCP to obtain an IP address, entering an IP address in the Default Gateway field is not required.
Figure 2.3: Defining a Network
38
Defining Logical Interfaces

A logical interface: Assigns a network (represented by an IP address and a subnet mask) to a physical NIC Designates a network type Identifies a gateway (default route) A GTA firewall requires two logical networks, a protected network and an external network. Additional external and protected logical networks can be added, as well as one or more Private Service Networks (PSN). Defined logical interfaces serve as interface objects throughout the configuration, allowing the administrator to reference the interface quickly when configuring the firewall. Caution
If a logical interfaces name is changed, but a security policy that references it is not updated to refer to the new name, all connections maintained by the security policy will be lost.
Logical network interfaces that do not use PPP or DHCP configurations require an IP address and subnet mask. If a subnet mask is not entered, the system will default to a Class C netmask (/24), which helps prevent misconfiguration. To create a new logical interface, click the New icon.
Figure 2.4: Defining a Logical Interface
Table 2.1: Defining Logical Interfaces

Field
Disable Type
Description
Disables the configured logical interface. Define the type of interface. Options include <Standard>, <Bridge>, <Failover>, <LACP>, <Load Balance>, and <Round Robin>. Enter the IP address/subnet to assign to the logical interface. Connections using DHCP or PPP do not require an IP address to be entered. Dynamic Host Configuration Protocol. When checked, DHCP is used to obtain an IP address for the specified interface. DHCP is typically required for connections using a cable modem, but may be used on any network interface. Enable this checkbox if you wish to make the logical interface the default gateway. This option is only available for connections using DHCP or PPP. Enable this checkbox if configuring for a High Availability interface. Enable this checkbox if configuring for a VLAN interface.
IP Address Options DHCP
Gateway High Availability VLAN
39
Table 2.1: Defining Logical Interfaces

Field
Interfaces Name Zone NIC Description Enter a unique name for the logical interface. The name entered may not use a number as its first character. A selection for the logical interfaces type. Options include <External>, <Protected> and <PSN>. The network interface card to associate with the network. The pull down menu lists all physical devices on the firewall and configured PPP connections. Enter a description to explain the function of the logical interface.
Description
DNS Setup
The DNS (Domain Name System) service translates alphanumeric server names into IP addresses. Every time you use a server name, the DNS service must translate the name into its corresponding IP address. For example, the server name example.com might translate to 204.96.115.2.
DNS Proxy vs. DNS Server

The DNS proxy service allows the firewall to act as a proxy for translating host (domain) names into IP addresses by passing on DNS information requests to external and internal DNS servers. The DNS proxy is especially helpful when using DHCP or PPP, since the firewall will automatically detect the internal or external DNS servers IP address. The DNS server allows the firewall to be configured to function as a primary domain name server, maintaining a database of domain names and the IP addresses of hosts where those domain names reside. The built in DNS server is functional and flexible enough for most GTA firewall users, but may not support all possible DNS options. If your site requires a more complex configuration, or hosts secondary name services, GTA suggests using a dedicated DNS host. Since GTA firewalls provide network transparency for users on protected and private service networks, all outbound DNS queries operate normally. Users on protected networks and PSNs may use a DNS server on the external network for address resolution. However, a DNS server on the external network cannot be used by hosts on the external network to resolve protected hosts. Network address translation hides all network addresses on both protected networks and PSNs. Therefore, an internal DNS server must be in place to resolve internal host names. Note
GTA recommends a thorough knowledge of the domain name system before configuring any DNS server. One reference is DNS and Bind, 5th Edition, by Paul Albitz & Cricket Liu, published by OReilly and Associates.
Note
On select GTA firewalls, the DNS Server is an option and requires an activation code. See your product specifications for more information.
40
Configuring the DNS Proxy

When selecting an external DNS server, use a DNS server from outside your network (e.g., a name server accessed through your ISP). If an internal DNS server is available, enter its IP address in the Internal Network Section. At least one DNS server, either internal or external, is required. See Configuring the DNS Server in Advanced Setup Tasks to configure the firewall as a DNS server if an internal DNS server is not available. Note
A DNS proxy is unnecessary with a local DNS server configured, so enabling the DNS server will disable the DNS proxy feature.
To setup the DNS proxy, navigate to Configure>Services>DNS.
Figure 2.5: Configuring the DNS Proxy
Table 2.2: Configuring the DNS Proxy

Field
Name Servers External Enable IP Address Internal Enable IP Address Primary Domain Name Enables the name servers listed in this section. Disabled by default. IP address(es) of the internal DNS server(s) that will provide records for your internal DNS server or proxy. Primary domain name used for the network (e.g., example.com). Entering a primary domain name allows hosts on the primary network to be referred by name instead of their fully qualified domain name. For example, server.example.com can be simply referred to as server. Enables the DNS service. To configure the DNS Proxy, select the DNS Proxy option. Option to allow connections to the firewall on UDP Port 53 from Protected Networks for name resolutions. Enables the name servers listed in this section. Disabled by default. IP address(es) of the external DNS server(s) that will provide records for your internal DNS server or proxy.
Description
DNS Enable Service Advanced Automatic Policies
41
Date/Time Setup
Since the firewalls date and local time are used to tag log messages, having the firewall configured to operate using accurate time settings is important. The Date/Time service uses UTC (Universal Time Coordinated) as its default time zone. To set the firewalls time zone to one other than the default, select the appropriate time zone from the Time Zone pull down. Note
After making changes to the firewalls time zone, GTA recommends rebooting the firewall.
To configure the firewalls date, local time, time zone and network time service navigate to Configure>System>Date/Time.
Figure 2.6: Date/Time Setup
Network Time Setup

Network time synchronizes your firewall and local computers with an NTP (Network Time Protocol) server. Synchronizing with an NTP server allows for accurate time-based logs and security policies. To ensure that the correct date and time is used, your GTA firewall should poll an NTP server. Use of an NTP server is highly recommended, and is enabled by default. NTP is extremely accurate, with a resolution of under a nanosecond (one billionth of a second) and the ability to combine the output of the available time servers to reduce error. It also uses past measurements to estimate the current time should the network go down. The following NTP resources are available: NIST Network Time Servers. www.boulder.nist.gov/timefreq Network Time Protocol organization. www.ntp.org Network Time Protocol RFC 1305 NTP Zeit. www.ntp-zeit.de GB-OS comes standard with four defined NTP servers that belong to the NTP Pool Project. GB-OS default NTP servers are part of a dynamic collection of servers that are distributed via round robin DNS. This creates a level of redundancy that allows for highly available access to NTP servers, which ensures consistent time-based logs and security policies regardless if an NTP server in the dynamic collection becomes unreachable. Note
Additional NTP Pool Project servers specific to the GTA Firewall UTM Appliances locale can be found at the NTP Pool Project Web site, pool.ntp.org.
42
To define an additional NTP server: 1. Navigate to Configure>System>Date/Time. 2. Check the Enable checkbox to enable the service. 3. Click the New icon to add a new NTP server. 4. Enter a description of the NTP server as well as its host name or IP address and click OK. 5. Click Save at the Date/Time screen list to save the configuration.
Figure 2.7: Adding an NTP Server
Designating the Firewall as a NTP Server

The firewall is automatically enabled as an NTP server when the Network Time service is enabled in Configure>System>Date/Time. To allow hosts on the network to access the firewalls NTP server, a remote access policy that allows UDP port 123 must be created. See Allowing and Denying Traffic for more information on creating remote access policies. Once the remote access policy has been defined, configure your hosts to indicate the firewall as their NTP server.
System Clock
Firewall logs record events and schedule time groups by current time. To ensure that the most accurate time is used, the firewall will need to poll a network time (NTP) server. To enter which network time servers you would like to use, navigate to Configure>System>Date/Time. Check the enable box and enter the domain name of a network time server (e.g. 0.gtantp.pool.ntp.org). Because boot occurs before NTP synchronization, the firewall may not have the correct time at bootup.
GB-250
GB-250 has no battery and the initial boot is:
2000-01-01 00:00:00
The time will be properly adjusted after NTP synchonization.
GB-Ware
The start up time of GB-Ware is either acquired from the on board battery backed up clock or will have the fixed start up time of 1970-01-01 00:00:00 in the event the hardware does not contain a battery backed clock. GB-Ware default system time will vary depending on the hardware manufacturer and if the system has a functioning battery. It is possible that when using GB-Ware and hardware not supplied by GTA the start up time may not be accurate as some CMOS clocks have time keeping issues. The time will correct after NTP synchronization.
43
GB-OS Certificate Management

GB-OS 5.3 and above can create signing Certificate Authorities (or CAs) for creating GTA firewall certificates. These CAs can be used for remote firewall administration, SSL Browsers, and Remote Administration Certificates which are used for the SSL Client and both Mobile IPSec VPN Clients and Firewall to Firewall IPSec VPNs. GB-OS will automatically create a GB-OS CA, Remote Administration and VPN certificate under the following conditions: Basic Setup Wizard is employed to configure the firewall Certificate section is defaulted (Automatically configured based on firewall configuration) GB-OS will automatically create user certificates when: Administrator is defined during the Basic Setup Wizard A new user is created and the certificate field is set to generate During upgrade, if no user certificate has been created on previous versions Note
For information on managing GB-OS certificates, see the GB-OS Certificate Management Guide.
44
Defining Objects
Objects increase speed and consistency when configuring your GTA Firewall UTM Appliance using GB-OS. By using objects, a user needs to define an address, group or interface only once. From then on, the object can be selected throughout the configuration where it might be needed. Once an object has been defined, only the object will need to be edited in order to modify the definition in all the locations where it is used. Additionally, previously defined objects can be combined in the Address Objects section of the configuration screen to create a broader definition. For example, you may have already defined two address objects, Joes Computer and Janes Computer, each of which points to a specific IP address on the protected network. If you wish to apply the same security policy to both IP addresses, you can combine them under a general address object. Objects are created and defined at Configure>Objects. To create or edit an object, navigate to its appropriate sub-section. Note
Configuration data does not receive automatic updates when an object name is changed, but retains references with the old, invalid name. As a result, connections maintained by that object may be lost when the object name is changed. To change the object name without losing connectivity:
Duplicate the object and save it with a different name. Change references to the new object throughout the firewalls configuration. You may then safely delete the original object.
Address Objects
Address objects can be used to reference either a single IP address, a range of IP addresses, a subnet specified by an IP address and subnet mask, or another address object. Note
See product specifications for the maximum number of address objects available for your GTA Firewall UTM Appliance.
Figure 2.10: Creating a New Address Object
45
Selecting the Address Objects Type

When configuring an address objects Type, a number of options are available. Based upon the selection made, the configured object may only be available for use in a specific section of the firewalls configuration. For example, if an address object of type Security Policies is selected, it will only be available when configuring a security policy. If no Type is selected when configuring an address object, it will only be accessible when configuring another address object. Not selecting a Type is useful when you wish to have a set of IP addresses or domains on hand for pooling into other defined objects, but it is not required to be used elsewhere in the configuration. When no Type has been selected for an address object, it will be identified as being of type Internal. Table 2.8: Address Object Types
Type
All Surf Sentinel Mail Sentinel Network Security Policies VPN
Description
An IP address or domain name that is available and can be used throughout the firewalls configuration. An IP address or domain name that can only be used when configuring Surf Sentinel policies. An IP address or domain name that can only be used when configuring Mail Sentinel policies. An IP address that can only be used in configuration areas that require a location on the firewalls network. An IP address used in any firewall policy. Domain names are not accepted by security policies, and should not be used here. An IP address or domain name that can only be used when creating a IPSec VPN.
To create a new address object: 1. Navigate to Configure>Objects>Address Objects and click the New icon. 2. Enter a unique name by which the object will be referenced in the Name field. The objects name cannot begin with a number. 3. Enter a description of the object in the Description field. 4. To define how the object will be used, select a category from the Type category. The Type selected will determine where the object may be used, and what addresses are valid entries for the object. 5. To add additional addresses to the object, select the add icon on the right side to create additional address object fields. Next, select the address object from the Object pull down. <USER DEFINED> is used when entering IP addresses, while <USE REGULAR EXPRESSION> is used when entering domain names. Enter the address objects IP address or domain name in the Address field and a description in the Description field. Previously defined address objects are also available for selection from the Object pull down. 6. Click OK and then Save. Note
To avoid bottlenecks associated with DNS lags or time-outs, specify hosts by IP address instead of their domain name when possible.
46
Using Regular Expressions

Domain names can be entered in the Address field for an address object. Domain name sets can also be specified by using special characters to denote the patterns as regular expressions. Firewall policies will only require the use of two regular expression characters: the asterisk and the question mark. The * (asterisk) matches any number of any type of characters, while a ? (question mark) matches only one character of any type. For example, *.com will match any domain that ends in .com, such as gta.com or example.com. exa?ple.com will match any domain that triggers the wild card character, such as example.com, exaqple.com or exa4ple.com. Multiple regular expression characters can also be combined to create a more robust matching. For example, *.exa?ple.com will match any domain that triggers the ? (question mark) wild card character that includes a subdomain, such as mail.example.com or time.exaqple.com. Advanced users may wish to specify more complex matching rules for domain names. To activate the use of the full regular expression character set, simply begin your domain entry with the ^ (caret) character and end it with the $ (dollar sign) character. For example, ^*.com$. Table 2.9: Using Regular Expressions
Sample Address Entry
example.com exa?ple.com *.com *.example.com
Sample Matches
example.com example.com, exaqple.com, exa4ple.com example.com, mail.example.com, gta.com time.example.com, mail.example.com, server.example.com
Description
Matches exact listing only. Subdomains or variants will not match. Any character replacing the wild card character can trigger a match. In this example, the domain must be eleven characters long, begin with exa and end with ple.com. Any series of characters replacing the wild card character can trigger a match. In this example, the domain must end in .com. Any series of characters replacing the wild card character can trigger a match. In this example, the domain must end in .example.com.
Note
One reference for regular expression is Mastering Regular Expressions, Second Edition, by Jeffrey Friedl, published by OReilly Media, Inc.
Default Address Objects

GB-OS has a variety of built-in, un-editable default address objects which can be identified by their lock icon. They can be viewed and duplicated, but cannot be deleted. The ANY_IP and ANY_MULTICAST address objects are examples. All other default address objects can be modified or deleted. To return the address objects list to its default configuration, select the Default icon and Save the section. Caution
Restoring the address objects list to its default configuration will remove all user configured address objects.
47
Bookmark Objects
Bookmark objects are shortcuts for users using the SSL Browser. Note
Please see the GTA SSL Client Guide for more details on configuring the SSL service.
Figure 2.11: Creating a Bookmark Object
To create a new bookmark object: 1. Navigate to Configure>Objects>Bookmark Objects and click the New icon. 2. Enter a unique name by which the object will be referenced in the Name field. The objects name cannot begin with a number. 3. Enter a description for the object in the Description field. 4. Enter a label for the bookmark objects in the Label field. This is the label the user will see for the configured bookmark. 5. Select the object type from the Object pulldown. 6. Select a built-in icon to represent the type of object from the Icon pulldown. 7. Enter the Label for the bookmark object. 8. Specify the network protocol type and enter the bookmark URL and a brief description. 9. To add additional bookmark objects, select the add icon on the right for additional rows. 10. Click OK and then Save.
Service Group Objects

Service group objects define protocols and services for use when creating definitions throughout the firewalls configuration. Administrators can explicitly allow or deny a protocol on a certain port or a range of ports according to configured service group objects. Additionally, when used with inbound tunnels, ports can also be redirected. When creating a service group object, the following syntax is used to define ports: Table 2.10: Syntax Used When Defining Ports
Type
Single Port Multiple Ports Range of Ports Source and Destination Ports
Syntax
PN PN1,PN2
Example Entry
1 1,2,3,5
Example Matches
1 1235
Description
Matches the exact listing only. Valid port values are 0 through 65535. In this example, only port 1 is matched. Matches the exact listing (separated by commas) only. Valid port values are 0 through 65535. Up to 12 ports may be entered into a list. Entering spaces to increase legibility is allowed. In this example, ports 1, 2, 3 and 5 are matched. Matches the range (defined by the starting and ending port values, and separated by a dash). Valid port values are 0 through 65535. In this example, ports 1 through 5 are matched. Matches the source port (the value before the ->) to the destination port (the value after the ->). Valid port values are 0 through 65535. In this example, port 1 is matched to port 5.
PN1-PN2
1-5
12345
PN1->PN2
1->5
n/a
48
Security policies and inbound tunnels interpret ports defined in service group objects in slightly different ways. Entering a destination port (the value after ->) is not necessary. If an explicit destination port is entered: A security policy will treat the source port as the port from which the connection originates and the destination port as the connections destination. An inbound tunnel will interpret the source port as the port on the firewall that should be redirected and the destination port as the internal port to which the connection should be redirected. If an explicit destination port is not entered: A security policy will interpret the entered port(s) as referring to a connections destination port. An inbound tunnel will interpret the entered port(s) as the port on the firewall that should be redirected, as well as the internal port to which the connection will be redirected.
Figure 2.12: Creating a Service Group Object
To create a new service group object: 1. Navigate to Configure>Objects>Service Groups and click the New icon. 2. Enter a unique name by which the object will be referenced in the Name field. The objects name cannot begin with a number. 3. Enter a description for the object in the Description field. 4. To add services to the object, select the services object from the Object pull down. Select a service group object to use preconfigured protocol and port number(s), or; Select <USER DEFINED> to create a custom service group object. 5. If <USER DEFINED> has been selected as the services Object, select the services Protocol and enter the port number(s). Port numbers can be entered individually (1,2,3,4,5), as a range (15) or using a source and destination (1->5). Then enter a description to describe the service. 6. To add additional service group objects, select the add icon on the right for additional rows. 7. Click OK and then Save.
Default Service Group Objects

GB-OS generates a variety of service group objects, identified by their lock icon, for use throughout the configuration by default. They can be viewed, but cannot be deleted. To return the address objects list to its default configuration, select the Default icon and Save the section. Caution
Restoring the service group objects list to its default configuration will remove all user configured service group objects.
49
Time Group Objects

Administrators can explicitly allow or deny traffic according to time constraints set by time group objects when configuring policies. Time group objects are configured using a 24-hour clock. For example, if you wish to configure a policy that will only operate during your companys normal business hours (for example, Monday through Friday, 8:00 AM to 5:00 PM), a time group object will need to be created with a start time of 8:00, an end time of 17:00 and a day range of Monday through Friday.
Figure 2.13: Creating a Time Group Object
To create a new time group object: 1. Navigate to Configure>Objects>Time Groups and click the New icon. 2. Enter a unique name by which the object will be referenced in the Name field. The objects name cannot begin with a number. 3. Enter a description of the time group objects function in the Description field. 4. To add time constraints to the object, select the time constraints object from the Object pull down. Select a time group object to use preconfigured time constraints, or; Select <USER DEFINED> to create a custom time constraint. 5. If <USER DEFINED> has been selected as the time constraints Object, enter a start time and end time and select all days that the time constraint should be applied. 6. To add additional time group objects, select the add icon on the right for additional rows. 7. Click OK and then Save.
IPSec Objects
IPSec Objects determine how IPSec VPN connections will be negotiated by defining what initiation behavior should be accepted by your GTA firewall. For more information on how IPSec VPNs and IPSec Objects work, see the GB-OS VPN Option Guide.
Encryption Objects
Encryption objects are used to easily reference encryption settings in IPSec Objects. For more information on encryption objects and how they are used in conjunction with IPSec Objects, see the GB-OS VPN Option Guide.
50
Allowing and Denying Traffic

Security policies are what control access to and through the GTA firewall. Remote access policies control inbound traffic, while outbound policies control outbound traffic. Remote access policies primarily control tunnels, but also control inbound traffic from any attached network device to any service on the GTA firewall as well. Outbound policies control access from hosts on protected networks and PSNs to IP addresses that reside on an external network, and from hosts on a protected network to those that reside on a PSN. The implicit rule, that which is not explicitly allowed is denied, applies to both outbound and inbound packets. Unless a security policy is in place allowing for a situation where a packet is accepted, it will always be denied by default. Note
All GTA firewalls deny all unsolicited inbound packets by default. Security policies must be defined in order to control traffic flow.
Policy Sets
A policy set is a group of policies of a given type. The order of the policy set is important since each packet is compared to the policy set starting with the first policy (index 1). The packet is compared sequentially against each policy until one of two events occurs: 1. A policy is matched. The packet is either accepted or denied based on the policy definition and the actions associated with the policy are performed. 2. No policies are matched and the policy list is exhausted. If this event occurs, the packet is then denied.
Allowing Inbound Traffic

Inbound traffic, packets sent from the external network to the firewall, can be controlled by defining policies in the Remote Access Policy Editor. A remote access policy makes tunnels accessible to hosts on the external network. Any address object of type Security Policies defined in the Address Object Editor (Configure>Objects>Address Objects) can be used in a remote access policy. Additionally, remote access policies control access to services running on the firewall. To configure inbound traffic, navigate to Configure>Security Policies>Policy Editor>Inbound.
Figure 2.14: Allowing Inbound Traffic
Blocking Outbound Traffic

Outbound traffic, packets sent from hosts on the protected networks and PSNs through the firewall, can be controlled by defining policies in the Outbound Policy Editor. Any address object of type Security Policies defined in the Address Object Editor (Configure>Objects>Address Objects) can have a outbound policy applied to it. To configure outbound traffic, navigate to Configure>Security Policies>Policy Editor>Outbound.
Figure 2.15: Blocking Outbound Traffic

51
Managing Policies
All policies share the same elements for configuration. To create a new policy, or to edit an existing one, navigate to the appropriate sub-section in the Policy Editor (Configure>Security Policies>Policy Editor) select the appropriate sub-section and click the New icon to create a new policy or the Edit icon to edit an existing one.
Figure 2.16: Managing Policies
Table 2.11: Managing Policies

Field
Disable Type Description Interface
Description
Check this option to disable the configured policy. Enter a description to explain the function of the policy. A selection for the function of the policy; Accept or deny. A selection for the interface the policy will be applied to. The selected interface is matched against the interface on which the IP packet arrived. <ANY> will match any interface. TCP, UDP, HTTP or any other service defined in the Service Group Object Editor can be selected to match against the packet. A selection for the time parameters of the policy as defined in the Time Group Object Editor. Selecting *EDIT* allows you to define a new time group object. <ALWAYS> means no time constraints will be applied to the policy. A selection for the IP address to be matched against the source IP address of the packet. <ANY_IP> will match any source IP address. Select *EDIT* to define a new address object of type Security Policies. Select <USER DEFINED> to enter the IP address manually. A selection for the IP address to be matched against the destination IP address of the packet. <ANY_IP> will match any destination IP address. Select *EDIT* to define a new address object of type Security Policies. Select <USER DEFINED> to enter the IP address manually.
Service Time Group Source Address Destination Address
Tips for Using Policies

The following are some tips for when using policies: Once you have defined your network, you can use the Default button to auto-configure an initial set of policies according to your networks configuration. Auto-configured policies will be left enabled or disabled according to the factory default (the most secure setting). If you used the Basic Setup Wizard to initially configure your firewall, default policies will automatically have been generated. The Default command does not reset to factory original policies but instead attempts to create policies that match your firewalls configuration. When a policy section is defaulted, the policies do not retain manual changes. If you have created custom policies you wish to save, either create new policies manually or print a copy of your configuration for reference before auto-configuration. Changes to policies will not be effective until the section is saved. Should you leave the policy or policy set before saving, all changes will be lost. The Duplicate function can be used to duplicate the definition of a policy. Combining multiple policies can be efficient and useful when they share the same basic criteria. This often occurs when all the policy parameters are the same except for the destination port. Policies that are often combined are for SMTP, FTP and HTTP since they are all TCP-based protocols and are frequently served from the same system.
52
Verifying the Configuration

GB-OS automatically verifies configuration settings for correctness and adherence to your security policy. When working in Test Mode, verification can help point out potential problems with your firewalls configuration before they are applied to Live Mode. Detailed descriptions for verification errors and warnings are available at Configure>Verify. Descriptions for errors are displayed with a red font, while warnings are displayed with a black font.
Figure 2.17: Verifying the Configuration
Navigation Menu Icons

The navigation menu, located on the left side of the browser window, is dynamically updated to display the verification status of a configuration area. Icons displayed alongside a menu item have four states: White (default/non-configurable): Menu items with a white icon are either using default settings or cannot be configured (such as Summary display screens, which do not contain configuration options). Grey (disabled): Menu items with a grey icon are disabled and are not used in the firewalls configuration. Green (verified): Menu items with a green icon have been verified to be configured correctly and should not conflict with the firewalls configuration. Yellow (warning): Menu items with a yellow icon may be incorrectly configured and can conflict with the firewalls configuration. Red (error): Menu items with a red icon are verified to be incorrectly configured and can conflict with the firewalls configuration. Icon states move up through the menu tree. For example, in Figure 2.24, configuration settings in Address Objects have resulted in a verification error. Since the Address Objects screen is nested within the Objects menu, the verification state is identified by a red icon for the Address Objects screen, and the Objects menu. Errors take precedence over warnings, and warnings take precedence over verified settings. Thus, menus that contain configuration screens with both errors and warnings will be identified with an error icon.
53
Verification Flags
In addition to menu icons, GB-OS also displays verification flags if a configuration area contains warnings or errors. If a configuration area contains a warning or an error in its configuration, a verification flag will be displayed in the top menu bar of the GB-OS interface. Verification flags are hyperlinked to their specific section in the Configure>Verify screen. Verification flags have two states: Yellow (warning): Configuration areas with a yellow verification flag may be incorrectly configured and can conflict with the firewalls configuration. Red (error): Configuration areas with a red verification flag are verified to be incorrectly configured and can conflict with the firewalls configuration. If there are no verification warnings or errors for a configuration area, then no verification flags will be displayed.
Figure 2.18: A Verification Flag
54
Applying the Configuration

The Apply sub section allows you to apply your Test Mode configuration to the firewall as well as copy your Live Mode configuration to a Test Mode configuration. By copying your Live Mode configuration to a Test Mode configuration, you are able to safely make changes to your already working configuration without compromising security. If you are configuring the firewall in Test Mode, the Reset Configuration option will be available as well. Resetting the configuration will restore the Test Mode configuration to factory defaults.
Figure 2.19: Applying the Configuration
Note
Selecting Change Mode will switch the Admin to Test or Live mode.
To apply your Test Mode configuration: 1. Navigate to Configure>Configuration>Apply 2. Select the Apply Test Configuration radio button. 3. Select Submit. Note
Applying your Test configuration will make it Live.
To copy your Live Mode configuration to a Test Mode configuration: 1. Navigate to Configure>Configuration>Apply 2. Select the Copy Live Configuration radio button. 3. Select Submit. To reset your Test Mode configuration to factory defaults: 1. Verify GB-OS is operating in Test Mode. See Setting the Configuration Mode if GB-OS is operating in Live Mode. 2. In the firewalls Web Interface menu, navigate to Configure>Configuration>Apply 3. Select the Reset Configuration radio button. 4. Select Submit. Caution
Resetting your Test Mode configuration will restore the Test Mode configuration to factory defaults, erasing all user defined configurations except for entered activation codes. GTA recommends backing up your configuration.
55
Importing/Exporting Firewall Configuration

Once all desired changes to the firewalls configuration have been applied you may export it for backup purposes. GB-OS configurations are exported using XML (Extensible Markup Language) files and can be exported for backup or for manual configuration changes. Caution
Manually altering the configurations XML file may result in undesired or unforeseen changes to the firewalls configuration if it is imported back into GB-OS. GTA does not support importing configuration backup files that have been manually altered.
Configuration files are named after the GTA Firewall UTM Appliances model, GB-OS version number, host name, configuration mode and time stamp. For example, an exported configuration file could be called GB-3000_v530_HostName_Live_2009_12_10.xml. To export your configuration: 1. Navigate to Configure>Configuration>Import/Export. 2. Select the configuration you wish to export, Live or Test. 3. Click the Download button to select a location to store the configuration file. 4. Click Save. Note
The Live mode configuration can also be exported by appending /config to the firewalls URL and placing it in a script. For example, to download the firewalls configuration with a user ID of fwadmin, a password of fwadmin, and host name of firewall.example.com, run the following script: curl -k -o config.xml http(s)://fwadmin:fwadmin@firewall.example.com/config This will download a file, named config.xml, which contains the firewalls Live mode configuration.
Figure 2.20: Exporting Up Your Firewalls Configuration
56
Automatic Backup
Firewall configurations can be automatically backed up and sent via email or saved to a USB device or Cloud Server. The firewall will backup the configuration, in the format configured, when any Live mode changes or modifications are saved. Backup configurations can be restored to the firewall manually, or via the web interface from a USB device or Cloud server. Backup configurations can also be restored from a USB device via the console. More than one backup method can be used at a time. To configure: 1. Navigate to Configure>Configuration>Backup. 2. Select the format in which to save backup files. Configuration files are available in XML, 7-Zip and Zip format. It is recommended to use a password with 7-Zip and Zip. 3. Select the maximum backup count. Available options are 50 or 100. Once the limit has been reached, the oldest saved configuration file will be deleted. 4. Enable at least one of the backup methods below - email, cloud or USB.
Figure 2.21: Automatic Backup Settings
Email Backup
1. To enable automatic backups via email, select enable. 2. Enter an email address to which the backup configuration files will be sent. Only one email address can be designated.
Figure 2.22: Automatic Backup via Email
Cloud Backup
Requirements: GB-OS 6.0.1 or above Valid support or maintenance contract Cloud service account via Dropbox or Box.net To set up Cloud backup, an account must first be created with a Cloud service. GTA currently supports Dropbox and Box.net. Both services have free and paid account options. Once a Cloud service account has been set up, enable GTA Cloud Backup: 1. Select Enable. 2. Select the cloud service to be used. 3. Select authorize. The authorization screen will open up in a new window. Enter applicable cloud service account credentials.
57
4. Once the service is authorized, select Login. The firewall will now display all available backups as well as the available storage.
Figure 2.23: Automatic Backup via Cloud - Authorize and Login
Figure 2.24: Automatic Backup via Cloud
USB Backup
Requirements: GB-OS 6.0.1 or above Valid support or maintenance contract USB device connected directly to the firewall (not available for GB-250 Rev A) USB device must be FAT32 or NTFS. To enable USB backup, ensure a properly formatted USB device is connected to the firewall. Select Enable. All available backups will be displayed.
Figure 2.25: Automatic Backup via USB device
Note
The firewall administrator can choose to immediately backup up a configuration by selecting the Backup Now button in the Cloud or USB backup sections.
58
Restoring Backups from the Cloud or USB Device via the Web Interface
Cloud and USB backups will be restored to Test mode only. To restore a backup configuration via the web interface: 1. Select the backup file and click the Upload icon under the Action column. A dialog box will confirm a successful upload to test mode.
Figure 2.26: Backup Action Items - Upload and Delete
2. GTA recommends verifying the backup configuration before applying to Live mode. 3. Navigate to Configure>Configuration>Apply and select Apply Test Configuration. For more information, see Applying the Configuration. Note
Backups can also be deleted from storage by clicking the Delete button under the Action column.
Note
If you are restoring a password protected configuration file, the firewall will use the password configured in the Automatic Backup section. If this password has been changed and does not match the selected files password, the restore will fail.
Restoring Backups Via the Console

Backups can be restored via the console from a USB device. For more information, see the GTA Console Users Guide.
Cloud or USB Device Directory

The firewall will search the directory for one matching the systems serial number. Backups will be created and placed in the directory at: GTA/<fw _ serial _ number>/backups You may manually edit and delete files in this directory. To save a backup configuration from automatic deletion when the maximum limit has been reached, you must move a file OUT of the specified directory to another folder on the Cloud server or USB device.
High Availability and Automatic Backup

To enable automatic backup via Cloud or USB device, each High Availability group must be covered by a valid support contract and the firewalls must both be authorized for cloud service.
59
Advanced Setup Tasks
60
Advanced Setup Tasks

Advanced Setup Tasks covers the advanced functions of your GTA Firewall UTM Appliances configuration, organized in the order in which GTA recommends they should be completed.
Firewall User Account and Group Setup

The Accounts section under the Configure category allows the administrator to set up additional user accounts and groups. User accounts can be enabled for general access, VPNs, or other restricted access points. Administrator accounts can be given full access to the firewalls configuration through the Web interface. This is useful if someone other than the firewalls primary administrator will need to access the firewall to alter the configuration.
Creating User Accounts
User accounts are used for authentication, VPNs, or restricted access points. User groups can be selected in security policies and inbound tunnels to regulate access from outside the protected network and to restrict access from a specified network interface to an IP address/port. User accounts are configured under Configure>Accounts>Users. Select New to create a new user account or select Edit to modify a pre-defined account. Note
Administrator user accounts are created by selecting a configured administrator group as the Primary Group. See Creating Groups for more information.
Figure 3.1: Creating User Accounts
Table 3.1: Creating User Accounts

Field Name
Disable Identity Full Name
Description
Disables the account. Used for authentication purposes, this is typically the users email account. The name for the account. A short description to identify the use of the account. A selection for the user group to bind to the user account. Selecting ??? means no user group has been selected. Select an administrator group to create an Administrator user. Primary Group determines a users Administrative, SSL, and Mobile IPSec Privileges as well as access based on security policies and content filtering policies. See Creating Groups for more information.
Description
Primary Group
62
Chapter 3: Advanced Setup Tasks
Table 3.1: Creating User Accounts

Certificate Authentication Modify Password Password Confirm Remote Access L2TP/PPTP Disable Password Mobile IPSec Disable Authentication Pre-shared Secret Remote Network Groups Group Description A selection for applying additional groups to the user account, making the user a member of the selected groups. Includes all group privileges except for Mobile IPSec. A short description of the group. Disables Mobile IPSec access for the account. Select the authentication method to be used when the user establishes a VPN connection. Choose Pre-shared Secret or Certificate If the Authentication method is set to Pre-shared Secret, then enter the ASCII or HEX value pre-shared secret to be used. Once entered, this field will be obscured. Select modify to enter a new pre-shared secret. The IP address or address object of the remote network from which the mobile IPSec VPN user is connecting from. Disables L2TP/PPTP access for the account The password for L2TP/PPTP access. A selection for creating or changing a password. The password for user authentication. Re-enter the password to confirm. Default is to generate a new user certificate. These are used in IPSec and SSL VPNs. For more information see GB-OS Certificate Management.
Creating Groups
Groups are a collection of user accounts used for reference throughout the configuration, much like objects. For example, when defining a policy, a user group can be selected to require authentication before a policy can be applied to the groups traffic. When defining a group, additional pre-defined groups can also be added to reference a larger amount of users. Additionally, GB-OS contains a default user group called ALL_USERS that automatically refers to all configured users defined in Configure>Accounts>Users. Creating a user group with sub-groups or using the ALL_USERS group can be useful if a security policy is required to affect multiple user groups or all configured users. Groups are configured under Configure>Accounts>Groups. Select New to create a new group or select Edit to modify a pre-defined group. Note
If this user group is to be connecting to the firewall using the GTA Mobile IPSec VPN Client, settings are available to define the groups VPN object and local network. For more information on configuring a VPN, see the GTA VPN Option Guide. For additional information on configuring SSL Browser and Client access, see the GTA SSL Client Guide.
63
Creating an Administrator Group

Administrative user accounts are defined by creating and assigning an administrator group as a users Primary Group. Administrator accounts have full access to the firewall and are able to make changes to the configuration using the Web or Console interface. By default, the user ID and password for the administrator account are both fwadmin. Read-only groups will not be able to make changes to the firewalls configuration or view pre-shared secrets.
Figure 3.2: Creating Groups
Table 3.2: Creating Groups

Field Name
Disable Name Description Administrator Enable Read Only L2TP Enables administrator privileges for the user group. A selection for creating a read-only administrator user group. A toggle for enabling L2TP for the user group. A toggle for enabling PPTP for the user group. Enables VPN access for the user group. A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile IPSec VPN Client or not. The local network for the VPN which the configured user can access. Configuring this section will override settings defined under Configure>VPN>Remote Access>IPSec.
Description
Disables the group. The name for the group. A short description to identify the use of the group.
Remote Access PPTP Mobile IPSec Enable Advanced
Authentication Required Local Network
64
Table 3.2: Creating Groups

SSL Browser Enable Bookmarks Only Read Only Client Bookmarks Enable Mobile IPSec Enable Authentication Required IPSec Object Enables VPN access for the user group. A toggle for whether users configured under the group should be required to authenticate with the firewall using the GTA Mobile IPSec VPN Client or not. The VPN object to be used by the user group. The local network for the VPN which the configured user can access. Configuring this section will override settings defined under Configure>VPN>Remote Access>IPSec. Select a previously defined group for which the main group will include. A short description to explain the use of the included sub-group. Enables SSL browser access for the user group. Displays only Bookmarks for SSL Browser access. Read only access. Users can only download files via the browser. Displays the defined bookmarks for the group. Allows SSL Client access.
Local Network Groups Sub Group Description
65
Configuring Remote Administration

This section allow for the configuration of lockout, remote administration and customized login screens. Lockout disallows further logins from a users IP address if a login is repeatedly entered incorrectly. Remote administration regulates administrative access to the Web interface from outside of the protected network. Account preferences are configured under Configure>Accounts>Remote Administration.
Lockout
Lockout gives the administrator the ability to disable login attempts to the Web or Console interface from a users IP address if repeated login attempts are entered incorrectly. Settings available for configuration include the threshold (the number of times an invalid entry may be entered) and the duration of time the users IP address will be blocked. Networks exempt from lockout can also be specified.
Figure 3.3: Configuring Account Preferences - Lockout
Table 3.3: Lockout

Field Name
Enable Allowed Advanced Threshold Duration The number of attempts a user can make from an IP address before that IP address is locked out. Threshold values may range between 5 and 100. The number of seconds an IP address is locked out. The duration may range between 30 and 86,400 seconds.
Description
Disallow further logins from a users IP address if a login is entered incorrectly. Enabled by default. Specify the network (address object) that is exempt from lockout, if necessary.
Remote Administration
The factory default settings enable remote administration from the protected interface. The Web interface is served on standard TCP port 443 for SSL encryption. The firewall can also be accessed using the Console interface using the accounts with administrative access. Access to the Console interface cannot be disabled.
Figure 3.4: Configuring Account Preferences - Remote Administration
66
Changing the Remote Administration Port
To maintain access when changing the port number used for remote administration, ensure that Automatic Policies are enabled (located under the Advanced tab) or configure a new service group object and remote access policy for the new port before changing the existing port number. Caution
Changing the TCP port for remote administration without enabling automatic policies or first adding the new port to a remote access policy will result in a loss of remote administration connectivity. To prevent this, either create a new service group object to be used in a remote access policy, or connect to the firewall locally.
Table 3.4: Remote Administration

Field Name
Enable Port Authentication LDAP RADIUS Advanced Encryption Policy Compatibility A selection for the level of SSL encryption. All levels of SSL encryption are enabled by default. Setting encryption to <none> will turn off SSL encryption. A selection for preserving previous remote administration settings for firewalls that do not properly upgrade to GB-OS 6.0.3 and above. Disabling this option allows the web administration to send CAs imported on the firewall to a connecting client to assist in validating the authenticity of the remote administration certificate. A selection for whether remote connections should be timed out after a period of inactivity. A selection for whether the virtual keyboard is enabled, disabled or force use. A selection for whether automatic policies should be enabled. Specifies the Zone which will be allowed to connect. Options are External, Protected, and PSN. Specifies the source address allowed to connect. Enables LDAP users to administer the firewall. Enables Radius users to administer the firewall.
Description
Enables remote administration for the Web interface. Enabled by default. The TCP port allowing Web administration. SSL encryption default is 443.
Timeout Sessions Virtual Keyboard Automatic Policies Zone Enable
Source Address
Encryption
For additional security, SSL (Secure Sockets Layer) encryption is available. SSL encryption (HTTPS) is the standard in Internet security for HTTP, supporting server/client authentication, and maintaining security and integrity in transmission. SSL encrypted administration requires a remote access policy with a port that matches the remote administration port (443, by default). Table 3.5: Encryption Levels
Level
None SSL
Key Strength
n/a 168-bit
Description
Disables SSL encryption A high level of SSL encryption.
67
Policy Compatibility
Upgrading to GB-OS 6.0.3 and above, from GB-OS 6.0.2 and below, may result in remote administration certificate errors. These errors may prevent web administration of the firewall via Firefox or Google Chrome and some other browsers. A connection error or SSL error will be displayed in the web browser. GTA recommends resolving all certificate errors, but remote administration settings can be preserved by enabling Policy Compatibility at Configure>Accounts>Remote Administration>Advanced via Internet Explorer or Safari. For more details and additional certificate error troubleshooting, see the GB-OS Certificate Management guide. Policy Compatibility may also be enabled through the Console interface at Configure>Accounts>Remote Administration. See the Console Guide for more details or for creating a new certificate on the console.
Customized Login
Customize the login screen to display a unique title and logo. The logo must be file format JPEG, PNG, or GIF, 32 x 32 pixels and 100 KB or less.
Figure 3.5: Customized Login
68
Authentication Setup
Authentication allows the administrator to require authentication using GBAuth or GTA SSOAuth Service before initiating a connection to or through the firewall. There are four authentication methods available on GTA firewalls: GTA Authentication, LDAP, RADIUS and Active Directory Single Sign-On. For more information on configuring and using GBAuth for user authentication, refer to Reference C: Utilities. Authentication is configured in Configure>Accounts>Authentication
Figure 3.6: Authentication Setup
69
Table 3.7: Authentication

Field Name
Enable Advanced Automatic Policies Service Port Valid A toggle for whether automatic policies should be generated to allow any of the three methods of authentication. The service port used. The default port for GTA Authentication is 76. The valid duration for an authenticated user (in minutes). If using a one time password, this value should be high. A toggle for whether keep alives should be sent or not. Enables LDAPv3 authentication. Authentication must be enabled to allow for LDAPv3 authentication. The server IP address or host name and port number of the LDAP server used. The port number defaults to 389. To enter a specific port number, use the format ldap.example.com:389. A toggle for enabling SSL support. The root distinguished name of the LDAP server, comparable to the domain name in an Internet address. Used for LDAP searches. The group name field where group names are stored on the LDAP server. Select the checkbox to automatically add groups when GBAuth is used to authenticate with the firewall. Select the checkbox to return the full group name. The address from which authentication information is sourced. Selecting <AUTOMATIC> will indicate the firewalls IP address to the server location. To force packets to have a specific source IP address, choose the interface object from the pull down menu. The amount of time, in seconds, that the GTA firewall will wait on results from an LDAP search. Select the method that the user will use to bind (authenticate) with the LDAP server. Select <Anonymous> to authenticate with the LDAP server anonymously. Select <User> to authenticate with the LDAP server with a user name. Select <Username Search> to authenticate with the LDAP server using the root distinguished name and password. Enter the user name to bind with the user. This field is only available if <User> is selected for the Bind Method. Select this checkbox to have the value entered in the Base DN string appended to the User Bind String value. This field is only available if <User> is selected for the Bind Method. Enter the root distinguished name of the LDAP server. This field is only available if <Username Search> is selected for the Bind Method. Enter the root password of the LDAP server. This field is only available if <Username Search> is selected for the Bind Method. Enables RADIUS authentication. Authentication must be enabled to allow for RADIUS authentication. The server IP address or host name and port number of the RADIUS server used. The port number defaults to 1812. To enter a specific port number, use the format radius.example.com:1812.
Description
Enables authentication.
Send Keep Alives LDAPv3 Enable Server Use SSL
Base DN Group Field Advanced Automatically Add Groups Use Full Group Name Binding Interface
Timeout Bind Options Bind Method
User Bind String Append Base DN Bind DN Password Radius Enable Server
70
Table 3.7: Authentication

Field Name
Pre-shared Secret
Description
The pre-shared secret as defined in the RADIUS service. This field is case sensitive. Once entered, this field will be obscured. Select modify to enter a new pre-shared secret. The address from which authentication information is sourced. Selecting <AUTOMATIC> will indicate the firewalls IP address to the server location. To force packets to have a specific source IP address, choose the interface object from the pull down menu. By default (if the field is empty), this is the firewalls local IP address. Match the RADIUS servers expected identity for authentication requests. Matches the RADIUS servers channel number. Filling out this field is only necessary if the RADIUS server distinguishes between its NAS ports (channels). Matches the RADIUS servers connection type, namely a modem (Async, etc.) or TCP/IP (Virtual) connection. Enables Single Sign-On authentication. Authentication must be enabled to allow for Single Sign-On authentication. The server IP address or host name and port number of the Single Sign-On server used. The port number defaults to 28800. To enter a specific port number, use the format 192.168.71.1:2880.
Advanced Binding Interface
NAS Identity NAS Channel NAS Channel Type
Active Directory Single Sign-On Enable Server/Certificate
GTA Authentication
GTA Authentication requires the setup of firewall user accounts. Users can be configured with the instructions found in the Firewall Administrator and User Setup section of this chapter. GTA Authentication can be selected in inbound tunnels and security policies. Users enter the values defined in the Identity and Password fields from Configure>Accounts>Users to log in using GBAuth.
Using GTA Authentication on a GTA Firewall

To use GTA Authentication: 1. Enable Authentication and enter the desired port (TCP port 76, by default). 2. Click Save.
71
LDAPv3
LDAP (Lightweight Directory Access Protocol) is a specification for accessing directories on the Internet to obtain information such as email addresses and public keys. Support for TCP/IP for Internet access is also included. Like the Internet protocols HTTP and FTP, LDAP is used in the protocol prefix of a URL (e.g., ldap://example.com). LDAP version 3, completed in 1997, is the latest implementation of the protocol at the time of this release.
Using LDAPv3 on a GTA Firewall

The LDAP authentication option allows you to accept or deny traffic by querying an LDAP server. The LDAP authentication option can be used on inbound, outbound and pass through policies. LDAP authentication requires an LDAP server with users, organizational units and domains. GTA Firewall LDAP searches return a users primary Active Directory group to the firewall. Table 3.8: LDAP Authentication Components
Field Name
cn rdn ou
Description
Common name; specified on the LDAP server and entered in the Identity field of GBAuth, e.g. Joe Q User. Relative distinguished name; the common name plus the cn= identifier, e.g. cn=Joe Q User. Organizational unit; group to which the user has been assigned. There can be a hierarchy of ous defined. Enter each in the order of its specificity: if Joe Q User belongs to the FreeBSD group within the support group, ou would be entered into the Identity field of GBAuth, after the cn, as: ou=FreeBSD, ou=support. Domain component; single domain component of an FQDN (fully-qualified domain name) such as qa.gta.com, e.g. dc=qa, dc=com, dc=gta. Distinguished name; entries in an LDAP server are located by way of the distinguished name, a globally unique identifier designed to be readable by any LDAP-compliant client. This is the entire string sent to the LDAP server by GBAuth: cn=Joe Q User, ou=support,dc=qa, dc=com, dc=gta.
dc dn
To use LDAPv3: 1. Enable Authentication and the LDAPv3 feature. 2. Enter the IP address and desired port (TCP port 389, by default) of the LDAP server in the Server field. 3. Enter the base distinguished name for your network in the Base DN field. 4. In the Group Field, enter the location where groups are stored under. 5. Next, select the method that the user will bind (authenticate) with the LDAP server. To bind with the user, select <User> for the Bind Method and enter the User Bind String. Optionally, enable Append Base DN to have the Base DN value appended to the User Bind String. To bind anonymously, select <Anonymous> for the Bind Method. When <Anonymous> is selected, the Username Field will appear in the LDAPv3 section. Enter the username that will be used for authentication. To bind using the root distinguished name and password, select <Username Search> for the Bind Method. Enter the root distinguished name in the Bind DN field, and the root password in the Root Password field. When <Username Search> is selected, the Username Field will appear in the LDAPv3 section. Enter the username that will be authenticated with in the Username Field. 6. Click Save.
72
RADIUS
RADIUS (Remote Authentication Dial-In User Service) is an authentication and management system used by many ISPs. RADIUS requires the customer to enter a user ID and password to access the service. The RADIUS server then verifies the information and authorizes access. Historically, RADIUS has been used to authenticate dial-up connections, but it can be used to authenticate traditional TCP/IP connections as well.
Using RADIUS on a GTA Firewall

To use RADIUS: 1. Enable Authentication and the RADIUS feature. 2. Enter the IP address, desired port (UDP port 1812, by default) and pre-shared secret of the RADIUS server in their respective fields. 3. Click Save.
Active Directory Single Sign-On

GTAs Active Directory Single Sign-On (GTA SSOAuth) is a system which allows a user to authenticate only once while gaining access to multiple software systems. When a user logins into the domain and attempts to access the Internet via a GTA firewall, the firewall checks to see if the users IP address is in the Authentication server database. If yes, the firewall retrieves the group, matching policies, to see if the Internet access is allowed. When a user logs in, the GTA SSOAuth service returns the users primary group to the firewall. The GTA SSOAuth server maintains the database of users that have authenticated via Active Directory. For more information on using GTA SSOAuth, see Reference C: Utilities. Note
All Single Sign-On users are members of the Single Sign-On and ALL users groups.
Requirements For Single Sign-On

In order to use Single Sign-On the following requirements must be met: 1. Windows 2003 server or 2003 R2 server 2. Single Sign-On service (GTA-SSOAuth server installed on AD server) 3. Active Directory server certificate installed on the firewall (Configure>VPN>Certificates) 4. .NET Framework 2.0 (or above)
Single Sign-On Server Installation on Windows

Server Mode In server mode, the firewall can point to up to three servers. The SSOAuth servers are installed on other hosts, or on the AD server itself. The firewall and SSOAuth clients then connect to the SSOAuth server. Client Mode The client mode is used when there is more than one AD server. In this mode, the clients point to the server and are installed on the AD servers.
Configuring Single Sign-On

1. Enable Authentication and the Single Sign-On feature. 2. Enter the AD server IP address and select the AD server certificate. 3. Click Save. 4. Optional: Configure the same groups, that are on the AD server, on the firewall at Configure>Accounts>Groups. The ALL group or LDAP group can be used if the user does not wish to configure the groups. 5. Apply Authentication on security policies per corporate policy.
73
PPP Setup
PPP connections are frequently used in conjunction with dial-up modems or DSL ISPs. PPP configures a PPP (Point-to-Point Protocol), PPPoE (PPP over Ethernet) or PPTP (Point-to-Point Transport Protocol) connection for the firewall. PPP, PPPoE and PPTP are not supported on a bridged interface. To configure a PPP connection, navigate to Configure>Network>Interfaces>PPP. After PPP has been configured, the connection must be enabled in Configure>Network>Interfaces>Settings. Caution
PPP connections are automatically named PPP0, 1, 2, 3 or 4, in order of creation. When an entry in the PPP section is deleted, the remaining entries will be renamed according to the new order. Interfaces which use PPP connections must be changed to the revised designations.
To enable PPP in Network Settings: 1. After completing the PPP configuration, navigate to Configure>Network>Interfaces>Settings, go to the Logical Interfaces section and select the NIC number (e.g., PPP0) on the logical interface for the external network interface you have selected for the PPP interface. 2. Select the logical interface as the gateway. Once these have been selected, the system will dynamically negotiate the IP address of the gateway. If you wish to configure a PPPoE or PPTP connection, please refer to their appropriate subsections.
Figure 3.7: PPP Setup
74
Table 3.9: PPP Setup

Field
Name Description Transport PPP Connection Type
Description
PPP0, 1, 2, 3 or 4. The name is automatically assigned. A user-defined description of the connection. For a PPP connection, select Serial. <On-Demand> Initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired. <Dedicated> Establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted. COM port or USB port used for the PPP interface. The phone number used to dial the remote site. This field should contain any required access codes (e.g. 9 to dial out). Characters used for pauses and secondary dial tones can be used. Consult your modem or ISDN TA manual for dialing codes. User ID for remote access. User ID and password are generally issued by the remote site. Password for remote access. Once entered, this field will be obscured. Select modify to enter a new password. A PPP-type link uses a local and remote IP address. If the remote site supports dynamic IP address assignments (as for most ISPs and remote sites), leave the local address set to the default, 0.0.0.0. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address. PPP will use that address to dynamically negotiate the actual value. If the Remote IP address is static (dedicated), enter the address and leave the Local IP address set to 0.0.0.0. If both addresses are static, set both fields to the appropriate IP address.
Primary COM Port Phone Number
User Name Password
Local IP Address/Remote IP Address Default
Advanced Connection Login User Name Login Password Speed Number of Retries Enter a login user name for cases in which CHAP or PAP is negotiated, and a separate name and password are required to log in. Enter a login password for cases in which CHAP or PAP is negotiated, and a separate name and password are required to log in. DTE (Data Terminating Equipment) speed is the speed at which the firewall communicates with the modem. Default is <115200>. The number of attempts the system will make to establish a connection. After failure, any new packets arriving for the external network will restart a new dialing attempt. Dedicated connections do not use retries, they continue to try to connect. Default is 3. The amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds.
Time Before Retry
75
Table 3.9: PPP Setup

Field
Timeout
Description
The number of seconds during which a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. Default is 600 (10 minutes).
Link Control Protocol * Local/Remote Address/Field Compression Line Quality Report Enabled by default. Disabled by default.
Protocol Field Compression Enabled by default. Van Jacobson Compression Enabled by default.
Debug (must be in Detailed List View to see debug messages) Chat LCP Phase ISDN Dont Bond Channels Switch Type Use to configure ISDN connections. Check with your provider for required settings. Disabled by default. Use to configure ISDN connections. Check with your provider for required settings. Records dialing and login chat script conversations. Records LCP conversations. Use to set non-default Link Control Protocol options. Records network phase conversations. Use to determine Local and Remote IP address specifications.
* Each Link Control Protocol (LCP) option has a pair of settings for each link, Local and Remote. If a local setting is enabled, the firewall will request that the remote side use that LCP. If Local is disabled, the firewall will not send a request for that LCP. If Remote is enabled, and the remote side of the connection offers to use the protocol, the firewall will accept it. If it is disabled, then the firewall will not accept the LCP if the remote side offers it.
76
PPPoE Transport
PPPoE is commonly used to assign IP addresses by DSL service providers. Note
GB-OS automatically detects connection preferences so that the user is no longer required to enter chat or dial scripts, select CHAP or PAP, or set parity and flow control.
Enabling PPPoE in Network Settings: 1. After completing the PPP configuration, navigate to Configure>Network>Interfaces>Settings, go to the Logical Interfaces section and select the NIC number (e.g., PPP0) on the logical interface for the external network interface you have selected for the PPP interface. 2. Select the logical interface as the gateway. Once these have been selected, the system will dynamically negotiate the IP address of the gateway. The DHCP Selection will be unavailable.
Figure 3.8: PPP Setup using PPPoE Transport
77
Table 3.10: PPP Setup using PPPoE Transport

Field
Description
PPP0, 1, 2, 3 or 4. The name is automatically assigned. A user-defined description of the connection. For a PPPoE connection, select PPPoE. <On-Demand> Initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired. <Dedicated> Establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted. A selection for the network interface on which PPPoE will run. User ID for remote access. User ID and password are generally issued by the remote site. Password remote access. Once entered, this field will be obscured. Select modify to enter a new password. A PPP-type link uses a local and remote IP address. If the remote site supports dynamic IP address assignment (as for most ISPs and remote sites), leave the local address set to the default, 0.0.0.0. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address. PPP will use that address to dynamically negotiate the actual value. If the Remote IP address is static (dedicated), enter the address and leave the Local IP address set to 0.0.0.0. If both addresses are static, set both fields to the appropriate IP address.
NIC
User Name Password
Advanced Connection PPPoE Provider MTU Number of Retries Designation for the PPPoE Provider. Leave blank if you do not know the exact designation. The value is usually not required for the connection, and an incorrect setting can prevent the connection. Maximum Transmission Unit. GTA recommends setting the field at 0, which allows the system to negotiate the MTU value for each PPPoE connection. Incorrect values can cause the system to perform poorly, or not at all. The number of attempts the system will make to establish a connection. After failure, any new packets arriving for the external network will restart a new dialing attempt. Dedicated connections do not use retries, they continue to try to connect. Default is 3. The amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds. The number of seconds during which a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. Default is 600 (10 minutes).
Time Before Retry Timeout
Link Control Protocol * Local/Remote Address/Field Compression Line Quality Report Enabled by default. Enabled by default.
Protocol Field Compression Enabled by default.
Van Jacobson Compression Disabled by default.
78
Table 3.10: PPP Setup using PPPoE Transport

Field
Chat LCP Phase
Description
Records dialing and login chat script conversations. Records LCP conversations. Use to set non-default Link Control Protocol options. Records network phase conversations. Use to determine Local and Remote IP address specifications.
Debug (must be in Detailed List View to see debug messages)
79
PPTP Transport
PPTP is typically used on GTA firewalls by some ISPs as an alternative to DHCP when allocating subnet IP addresses. It encapsulates and uses encryption on packets so that data or internal network IPs cannot be seen during transit over phone lines or the Internet. It does this by creating a link from an unroutable internal IP address to an external IP address through the use of an internal PPTP server with a routable IP address. PPTP requires the creation of a remote access policy for use. To use PPTP: 1. Create a new logical interface in Configure>Network>Settings and set its Type to <EXTERNAL>. 2. Configure the settings for a PPTP connection as described in Table 3.10. For the PPTP connections Interface, select the interface created in Step 1. Click OK and then Save. 3. Return to the Configure>Network>Settings screen to create another logical interface and select the PPP. Select the PPP object created in Step 2 as the interfaces NIC. Click OK and then Save.
Figure 3.9: PPP Setup using PPTP Transport
80
Table 3.11: PPP Setup using PPTP Transport

Field
Description
PPP0, 1, 2, 3 or 4. The name is automatically assigned. A user-defined description of the connection. For a PPTP connection, select PPTP. <On-Demand> Initiates and establishes a link with the remote site whenever a packet arrives on a protected or PSN interface destined for the external network. The link will stay up as long as packets continue to be received before the time-out has expired. <Dedicated> Establishes a link when the firewall boots up and remains up until the interface is manually disabled, or the system is halted. Select the interface defined in Configure>Network>Interfaces>Settings to be used for transporting PPTP packets. Enter the IP address of the PPTP server. The phone number used to dial the remote site. This field should contain any required access codes (e.g. 9 to dial out). Characters used for pauses and secondary dial tones can be used. Consult your modem or ISDN TA manual for dialing codes. User ID for remote access. User ID and password are generally issued by the remote site. Password remote access. Once entered, this field will be obscured. Select modify to enter a new password. A PPP-type link uses a local and remote IP address. If the remote site supports dynamic IP address assignment (as for most ISPs and remote sites), leave the local address set to the default, 0.0.0.0. Set the remote address to an IP address on the remote network, such as the router IP or the DNS server address. PPP will use that address to dynamically negotiate the actual value. If the Remote IP address is static (dedicated), enter the address and leave the Local IP address set to 0.0.0.0. If both addresses are static, set both fields to the appropriate IP address.
Interface PPTP Server IP Address Phone Number
User Name Password
Advanced Connection Number of Retries The number of attempts the system will make to establish a connection. After failure, any new packets arriving for the external network will restart a new dialing attempt. Dedicated connections do not use retries, they continue to try to connect. Default is 3. The amount of time the system waits before re-dialing to establish a connection. Default is 10 seconds. The number of seconds during which a connection will stay connected during periods of inactivity. To prevent timing out on a connection, enter a value of 0. Default is 600 (10 minutes).
Time Before Retry Timeout
Link Control Protocol * Local/Remote Address/Field Compression Line Quality Report Enabled by default. Enabled by default.
Protocol Field Compression Enabled by default.
Van Jacobson Compression Disabled by default.
81
Table 3.11: PPP Setup using PPTP Transport

Field
Chat LCP Phase
Description
Records dialing and login chat script conversations. Records LCP conversations. Use to set non-default Link Control Protocol options. Records network phase conversations. Use to determine Local and Remote IP address specifications.
Debug (must be in Detailed List View to see debug messages)
82
DHCP Server
The DHCP service automates assignment of IP addresses and configures the DNS server and gateway for computers on local networks using DHCP (Dynamic Host Configuration Protocol). When the DHCP service receives an initial request from a client host, it assigns an available IP address from its address range. Upon subsequent requests by the same MAC address, the DHCP Server will attempt to reassign the same IP address. The only case in which it will not reassign the same IP address is when the number of DHCP clients exceeds the number of IP addresses available, and the IP address has been assigned to a different host. The DHCP service manages a range of IP addresses (e.g. 10.10.10.4 through 10.10.10.254) which can be assigned to hosts. Non-contiguous sets of IP addresses can be defined using exclusion ranges. Exclusion ranges, configured under the Advanced tab, indicate which IP addresses within the previously defined address range must not be assigned to hosts. WINS uses a distributed database that is automatically updated with the names of computers currently available and the IP address assigned to each one. To use WINS, enter the IP address of the WINS server in the WINS Server IP Address field. Hosts on the network must be configured to point to the Default Gateway for the location of their WINS server. The DHCP service can also assign static leases to hosts on the network. Static leases are useful for managing static systems, such as print servers, mail servers or other hosts that need fixed configurations. Static leases are configured under the Advanced tab. To configure the DHCP server, navigate to Configure>Services>DHCP>Server and unselect the Disable checkbox. Both DHCPv4 and DHCPv6 are supported. Changes to the DHCP service are applied when you click Save.
DHCPv4
Figure 3.10a: DHCPv4 Server Setup
83
Table 3.12a: DHCPv4 Setup

Field
Disable Type Description
Description
Disable this DHCP IP address pool. Select DHCPv4. User-defined description of the IP address pool. First IP address of the pools range. Last IP address of the pools range. Subnet mask used to divide hosts into network groups. Maximum length of time the assigned IP address may be used before renewal. A client must negotiate IP address renewal before the expiration of the lease, or quit using the IP address. Gateway (default route) given to DHCP clients. For hosts located behind a firewall (on protected or PSNs) this will be the IP address of the firewalls corresponding interface. DNS domain name, typically that of the local network. IP address of a DNS server that will be issued to the requesting client. This can be any valid server: a local server, such as the built-in DNS Server, or a remote server, such as one located at an ISP. Up to three name servers can be defined. IP address of the WINS server that will be issued to the requesting client. Up to three WINS servers can be defined. IP address of the network time server that will be issued to the requesting client. Up to three network time servers can be defined. Maximum Transmission Unit. The MTU size determines the greatest packet size that can be transmitted by the DHCP service. A value of 0 means the field is ignored. Enter the TFTP server for transferring data.
Beginning Address Netmask Ending Address
Lease Duration
Options Default Gateway Domain Name
Name Server IP Address WINS Server IP Address Network Time Advanced MTU
TFTP Server Advanced Static Leases Disable Host Name IP Address MAC Address Description Exclusion Ranges Exclusion Ranges
Disables the selected row. The host name to be used by the static lease. The desired IP address to be statically leased to the host. The hosts MAC address. A description of the hosts static lease. Define up to five address ranges to exclude from each DHCP range. To exclude a single IP address, enter it in both the beginning and ending address fields.
84
DHCPv6
The IPv6 DHCP Server requires that the firewall be configured for prefix advertisement. For more information, see the Configuring IPv6 Guide. To configure the DHCP server, navigate to Configure>Services>DHCP>Server and choose DHCPv6 in the Type pulldown.
Figure 3.10b: DHCPv6 Server Setup
Table 3.12b: DHCPv6 Setup

Field
Description
Disable this DHCP IP address pool. Select DHCPv6. User-defined description of the IP address pool. First IP address of the pools range. Last IP address of the pools range. Define the prefix length. Maximum length of time the assigned IP address may be used before renewal. A client must negotiate IP address renewal before the expiration of the lease, or quit using the IP address. DNS domain name, typically that of the local network. IP address of a DNS server that will be issued to the requesting client. This can be any valid server: a local server, such as the built-in DNS Server, or a remote server, such as one located at an ISP. Up to three name servers can be defined.
Beginning Address Prefix Length Ending Address
Lease Duration
Options Domain Name Name Server IP Address
Advanced Static Leases Disable Host Name IP Address Client DUID Disables the selected row. The host name to be used by the static lease. The desired IP address to be statically leased to the host. Enter the clients DHCP unique identifier. A description of the hosts static lease. Define up to five address ranges to exclude from each DHCP range. To exclude a single IP address, enter it in both the beginning and ending address fields.
Description Exclusion Ranges Exclusion Ranges
85
DHCP Relay
The DHCP Relay screen is used to relay DHCP (Dynamic Host Configuration Protocol) traffic through the firewall. GB-OS 5.3.2 and above supports DHCP relay based on RFC3046 and RFC2131. RFC 5107 is not supported.
DHCP Relay Requirements

GB-OS v5.3.2 or above DHCP server with a scope assigned to the same network as a GTA firewall interface upon which the broadcast messages arrives. If the firewall will be the default route for the host receiving DHCP addresses, the DHCP server must assign the firewall interface IP which received the client broadcast messages as the router or gateway.
Example DHCP Relay

The example below displays a Protected Zone to Protected Zone connection. The firewall IP address on the DHCP client network is 192.168.1.254/24. The DHCP server, 192.168.71.1, is configured to assign addresses from the range (scope) 192.168.1.5 192.168.1.25 with a netmask of 255.255.255.0 (24 bits) and default gateway of 192.168.1.254.
InternetRouter
GTAFirewall (DHCPRelay)
GB-2000
FirewallInterfaceIP 192.168.71.254/24
FirewallInterfaceIP 192.168.1.254/24
Switch
Switch DHCPScope 192.168.1.1 192.168.1.25 Netmask:255.255.255.0 Gateway:192.168.1.254
DHCPServer IPAddress192.168.71.1/24 DHCPClient
Figure 3.11: Example DHCP Relay Setup with a Protected Zone to Protected Zone Connection.
Note
DHCP server and DHCP Relay are mutually exclusive. You cannot run both services on the same firewall. You also cannot relay DHCP client requests through an IPSec Tunnel/VPN.
86
Configuration
1. Navigate to Configure>Services>DHCP>Relay. Check the enable box and enter the DHCP server IP address.
Figure 3.12: DHCP Relay Setup
2. Under Advanced, enable automatic policies to create an automatic remote access policy as needed to accept DHCP responses from the configured DHCP server(s). Example Automatic Policy: Accept notice ANY nolog udp/67->67 from 192.168.71.254 to 192.168.71.1 3. Select the type of binding interface. 4. The firewall will listen for DHCP client broadcast messages, change these requests to unicast messages, and then forward them to the configured DHCP server(s). 5. Once the client has a DHCP address, it will connect directly to the DHCP server when the lease is renewed. Outbound security policies will control access between the DHCP client and server. By default, all access is allowed between Zones of type Protected. If a restrictive security policy is in place you may need to add an outbound policy to allow connection to and from the DHCP clients and server(s). Below are examples of these policies:
Figure 3.13: Outbound Secuirty Policies
If the DHCP Server is located on an interface whose Zone is Protected and the clients are on an interface whose Zone is type PSN or External. The client will receive an initial lease, however, renewals will fail. The firewall will log =Invalid NAT request. Example Block Message:
Jun 29 09:27:02 pri=4 pol _ action=block count=3 msg=Invalid NAT request duration=11 proto=67/udp src=192.168.1.15 srcport=68 dst=192.168.41.203 dstport=67 interface=Avlan1 attribute=alarm
PSN to Protected DHCP Relay
Note
GTA firewalls configured for DHCP relay will pass the DHCP server options such as NTP, DNS and others. More than one DHCP server can be configured for relay by creating an address object with the DHCP server address and then reference this in the Servers object.
87
By default, connections from a PSN or External Network to an internal network whose zone is Protected are not allowed. In addition, connections from a PSN zone to another PSN zone are not allowed. The initial connection to the DHCP server is handled by the firewall DHCP relay server. The client broadcast messages are converted to unicast messages and directed to the DHCP server. Once the initial lease is handed out to the client, the client will send a renewal request directly to the DHCP server. If the client is on PSN or an External network it will attempt to directly connect to the DHCP server, resulting in an invalid NAT request. Resolution to this issue is to remove Network Address Translation from the DHCP server going to the PSN or External network. This is configured in Configure>Network>Pass Through>Host/Networks. Next, add a Security Policy to allow access for DHCP requests to the server. This is located in Configure>Security Policies>Policy Editor>Pass Through. Example of the Host Networks and Pass Through Policy to allow DHCP relay from a PSN client to a DHCP server on Protected or another PSN network:
Figure 3.14: Configuring Hosts/Networks and Pass Through Policies for DHCP Relay
A common problem is that the DHCP clients initial DHCP request will work, however, the renewals will fail. To correct: 1. Confirm the DHCP server(s) can route correctly to the DHCP client network. If the DHCP server gateway does not point to the firewall performing the DHCP relay service, static routes MAY need to be added to the DHCP server, or to the DHCP servers gateway, to correctly route to the DHCP client network. 2. Confirm the gateway option assigned to the client is the firewalls local interface that receives the DHCP client broadcast messages.
88
Dynamic DNS Setup

Dynamic DNS automates the process of advising DNS servers when the dynamically assigned IP address for a network device is changed, ensuring that a specific domain name always points to the correct IP address. The domain name tracks the dynamic address so that other users on the Internet can easily reach the domain, allowing you to host a Web site, FTP or email server even when your IP address is dynamic. The Dynamic DNS service allows you to publish your new dynamic IP address by using one of the following services from the Service pull down menu: DynDNS (http://www.dyndns.com) ChangeIP (http://www.changeip.com) Note
To sign up for the Dynamic DNS services and for more information on Dynamic DNS, see the providers Web site.
The current external IP address on the firewall will update the selected service each time the IP address changes, or once a month, whichever comes first. To configure Dynamic DNS, navigate to Configure>Services>Dynamic DNS and toggle to the Enable checkbox to enable the service. Select New to create a new Dynamic DNS definition or select Edit to modify a pre-defined one.
Figure 3.15: Configuring Dynamic DNS
Table 3.13: Dynamic DNS Setup

Field
Disable Description Host Name Interface Service Login User Name Login Password
Description
Disables the Dynamic DNS service. Enter a description of the Dynamic DNS service. The host name registered with the Dynamic DNS service that will be updated. A selection for the interface to have Dynamic DNS applied to it. A selection for the Dynamic DNS service provider. An active account with the selected service provider is required. The user name registered with your Dynamic DNS service provider. The password associated with the registered user name. Once entered, this field will be obscured. Select modify to enter a new password.
89
DNS Server Setup

The DNS (Domain Name System) service translates alphanumeric server names into IP addresses. Each time a server name is used, the DNS service must translate the name into its corresponding IP address. For example, the server name example.com might translate to 204.96.115.2. In this section, configuration of the DNS server will be explained. To learn more about setting up a DNS proxy, as well as the advantages and disadvantages of running a DNS proxy versus a DNS server, see DNS Setup in Basic Setup Tasks. Note
GTA recommends a thorough knowledge of the domain name system before configuring any DNS server. One reference is DNS and Bind, 5th Edition, by Paul Albitz & Cricket Liu, published by OReilly and Associates.
Note
On select GTA firewalls, the DNS Server is an option and requires an activation code. See your product specifications for more information.
Configuring the DNS Server

The DNS server allows the firewall to function as a primary domain name server, maintaining a database of domain names and IP addresses of hosts where those domains reside. See Configuring the DNS Proxy in Basic Setup Tasks to configure the firewall as a DNS proxy if an internal DNS server is not necessary. To setup the DNS server, navigate to Configure>Services>DNS. Select New to create a new DNS server definition or select Edit to modify a pre-defined one.
Figure 3.16: Configuring the DNS Server
90
Table 3.14: Configuring the DNS Server

Field
Name Servers External Enable IP Address Internal Enable IP Address Primary Domain Name DNS Enable Service Advanced Automatic Policies DNS Server Server Name Host name of your DNS server. This may be the host name assigned to your firewall. When configuring an external DNS server, this will be the Internet apparent host name. The host name should be listed as a host in the DNS Domain screen or tab. Host names of DNS servers acting as alternate name servers for the domain. Allows the DNS server to act as a proxy and forward DNS lookups to other DNS servers. Networks or IP Addresses allowed for recursive DNS searches. Email address of the primary contact for the domain. Click the link to create new DNS domains Enable to have the firewall generate automatic policies to allow the use of the DNS server. Enabled by default. Enables the select DNS service. DNS Proxy is selected by default. To configure the DNS server, select the DNS server option to allow hosts to use the firewall as a DNS resolver. Enables the name servers listed in this section. Disabled by default. IP address(es) of the internal DNS server(s) that will provide records for your internal DNS server. Primary domain name used for the network (e.g., example.com) Enables the name servers listed in this section. Disabled by default. IP address(es) of the external DNS server(s) that will provide records for your external hosts.
Description
Secondary Server Names Forwarders
Trusted Networks Email Contact Domains Press New to Create Advanced Subnets Network IP Address Reverse Zone Name
Network address/subnet mask of the desired subnet. Class C: /24 (255.255.255.0) and Class B: /16 (255.255.0.0) are commonly used networks. Optional name used by reverse DNS, which looks up an IP address to obtain a domain name and confirm a DNS record. The firewall can determine the zone name automatically if the subnet uses a Class A, B or C subnet mask. Reverse zone names are typically assigned by your ISP.
91
Creating DNS Domains

The DNS Domain screen allows the user to define host names and associated IP addresses (A records), aliases (CNAME records) and email exchangers (MX records) for the selected domain. Select New to create a new DNS domain or select Edit to modify a pre-defined DNS domain.
Figure 3.17: Creating DNS Domains
Table 3.15: DNS Server Setup

Field
Disable Domain Name
Description
Disables the domain definition so the zone will not be served by the DNS server. Domain name of the defined zone (e.g., example.com) Description of the domain for reference. IP address of a host to respond to the zone name. A host can have the same name as the zone, e.g., example.com, meaning that if you have a Web server, a visitor can use the zone name rather than the Web servers host name. When a remote system sends mail to a domain, it will query a DNS server to determine which IP addresses are designated to accept email for the zone. The Mail Exchanger (MX) fields define the mail servers for the domain. When there is more than one email exchanger, the order of preference is specified by entering the preferred server in the first field, followed by the second and third entry. The first mail exchanger will be priority 5, the second priority 10 and the third priority 15. Disables the host entry. Optional name used by reverse DNS (RDNS), which looks up an IP address to obtain a domain name and confirm a DNS record. The firewall can determine the zone name automatically if the subnet uses a Class A, B or C subnet mask. Reverse zone names are often assigned by your ISP. IP address of the host. Primary host name in the first field and aliases in succeeding fields. The domain portion of the host name should not be entered. For example, enter mail instead of mail.example.com. To define more than two aliases, repeat the hosts IP address in the next row.
Description IP Address
Mail Exchangers
Hosts Disable RDNS
IP Address
Host Names
92
Routing Traffic
Traffic routing is based upon the combined configuration of aliases, tunnels, pass through policies, RIP (Routing Information Protocol), and gateways. Note
Any packet that goes through the firewall will use the firewalls routing tables. If Configure>Network> Routing>Gateway Policies Policy Based Routing and appropriate firewall policies dictate, the default gateway may also be altered.
Alias Setup
Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface. Aliases are especially useful on the external network interface, or if multiple hosts on the PSN or protected network are required for the same service via a tunnel (e.g., multiple internal Web servers that all serve content to the external network). Aliases used on an external interface attached to the Internet must be legitimate, registered IP addresses. An alias does not need to have the same subnet as the real IP address, since the GTA firewall will route packets between all networks to which it is logically attached. If the IP alias is on the same logical network as the network interfaces primary IP address, use a subnet mask of 32 bits (255.255.255.255). Note
See product specifications for the maximum number of IP aliases available on a specific model.
To configure aliases, navigate to Configure>Network>Interfaces>Aliases. Select New to create a new alias or select Edit to modify a pre-defined alias.
Figure 3.18: Alias Setup
Table 3.16: Aliases

Field Name
Disable Name
Description
A toggle for whether the alias should be disabled or not. Default is off. A unique name to identify the alias elsewhere in the firewalls configuration. Alias names may not use a number as the first character. A short description to identify the function of the alias. The interface the alias will be applied to. The IP address of the alias.
Description Interface IP Address
93
NAT Setup
Network Address Translation (NAT) translates an IP address behind the firewall to the IP address of the external network interface, disguising the original IP address. Using NAT makes it possible to use a non-registered IP address within protected networks and PSNs, while still presenting a registered IP address to the external network (typically the Internet). NAT is active by default on all GTA firewalls. NAT is applied to outbound packets from: A protected network to an external network A protected network to a PSN A PSN to an external network A protected network to another protected network NAT is available in two forms: dynamic and static, which are referred to as default NAT and static mapping. If needed, NAT can be bypassed by using pass through policies.
Creating Inbound Tunnels

Inbound tunnels allow external hosts to initiate connections with internal hosts using service groups (e.g., TCP, UDP or ICMP). Normally the firewall blocks all inbound traffic to the internal networks. Tunnels allow, for example, computers such as Web (service group HTTP) servers on a PSN to be accessible from the Internet. Note
See product specifications for the number of tunnels available on a specific model.
Tunnels can be defined for traffic from either external networks or the PSN. Tunnels are typically used with inbound connections, they are not normally used for traffic originating from a protected network interface, which is by default allowed access to the other logical network types without use of a tunnel. Tunnels can be created for these inbound connections: From an external network interface to a host on a PSN From an external network interface to a host on a protected network From a PSN interface to a host on a protected network Tunnels are defined by an interface, service and an internal destination IP address. The external and internal destination port of the tunnel definition need not be the same; it is possible to provide access to multiple hosts for the same service using a single IP address. For example, telnet operates on port 23, but a tunnel could be defined with an external destination port of 99 and an internal destination port of 23. Only the external destination side of the tunnel is visible. Since tunnels transparently forward the connection using NAT, a user on the external network side will never see the ultimate destination of the tunnel. The tunnel appears to be a service operating on the firewall to the connecting host. If a tunnel originates from an IP alias address, you may need to map the destination host to the IP alias using static address mapping so that secondary connections appear to originate from the same address as the tunnel.
94
To create an inbound tunnel: 1. Navigate to Configure>Network>NAT>Inbound Tunnels and click the New icon to create a new inbound tunnel. 2. Select the Service the tunnel will use from the drop down list. In the From field, select the address object that represents the source interface for the beginning of the tunnel. In the To field, select the address object that represents the destination IP address for the end of the tunnel. 3. Unless disabled, Automatic Allow All Policy will generate policies to allow connection to the inbound tunnel. Otherwise, allow access to the inbound tunnel by using a remote access policy. A tunnel is a mapping from one IP address/port to another IP address/port, allowing the connection to be properly routed. However, the tunnel will not be usable unless an appropriate policy on the firewall allows the connection to be made in the first place.
Figure 3.19: Creating Inbound Tunnels
Table 3.17: Inbound Tunnels

Field Name
Disable Description Service From To
Description
A toggle for whether the inbound tunnel should be disabled or not. Default is off. A short description to identify the function of the inbound tunnel. Select the IP Protocol to be used by the inbound tunnel. Select the interface or alias for the beginning of the tunnel. Select the internal destination address of the tunnel. Select <USER DEFINED> to manually define the tunnels destination. Selecting * EDIT * allows you to create a new address object. A toggle for whether the firewall should automatically accept all traffic for the tunnel regardless of configured policies. Disabling this checkbox renders the Options and Traffic Shaping configuration settings uneditable. Hides the source of the inbound tunnel connection. Hiding the source of the inbound tunnel can be useful for getting around some internal routing conflicts. Normally, hiding the inbound tunnels source is not required. Authentication allows the administrator to require users to authenticate to the firewall using GBAuth before initiating a connection.
Advanced Automatic Accept All Policy
Hide Source
Options Authentication Required
95
Table 3.17: Inbound Tunnels

Field Name
IPS Source SYN Cookies Time Group Policy Weight Traffic Shaping Select the traffic shaping policy to be used. See Applying Traffic Shaping for more information. Select the weight of the allocation for the inbound tunnels bandwidth. A weight of 10 has the highest priority, a weight of 1 has the lowest. If the Automatic Accept All Policy checkbox has been disabled, this field will uneditable.
Description
A toggle for whether traffic travelling along the inbound tunnel should be checked against configured Intrusion Prevention policies. See Intrusion Prevention System in the Threat Management chapter for more information. A selection for the source of the inbound tunnel. Select <* EDIT *> to define a new address object A toggle for whether TCP SYN Cookies should be used or not. A selection for which, if any, time group the inbound tunnel options will be applied.
Creating Static Mappings

Static mapping allows an internal IP address, subnet, alias or interface to be statically mapped to an external IP address during NAT. By default, all IP addresses on the protected networks and PSNs are dynamically assigned to the primary IP address of the outbound network interface. Static address mapping is used when it is desirable to statically assign the IP address used in NAT. Note
See product specifications for the number of static mappings available on a specific model.
To use static address mapping, first assign at least one IP alias to the desired outbound network interface (external network interface or PSN interface). Mapping is only associated with outbound connections Map definitions may be for a single host or a subnet To configure static mapping, navigate to Configure>Network>NAT>Static Mapping. Select New to create a new static mapping or select Edit to modify a pre-defined static mapping.
Figure 3.20: Creating Static Mappings
Table 3.18: Static Mappings

Field Name
Disable Description Service From To
Description
A toggle for whether the static mapping should be disabled or not. Default is off. A short description to identify the function of the static mapping. A selection to specify a service group to statically map to an Alias. Select the address object that will be mapped. Select the interface representing the IP address to which the source will be mapped.
96
Allowing Static Mapping

Static mapping is allowed in the following cases: From a host or subnet on the protected network to an IP alias assigned to the PSN interface From a host or subnet on the protected network to an IP alias assigned to the external network interface From a host or subnet on the PSN to an IP alias assigned to the external network interface
Pass Through Setup

Functions in the Configure>Network>Pass Through section allow the user to route connections through the firewall, thus bypassing NAT. Pass through security policies (found in Configure>Security Policies>Policy Editor>Pass Through) control what connections are allowed to be passed through the firewall. Note
By default, all outbound connections destined for external or PSN networks are NATd to the IP address of the external or PSN interface. Pass through bypasses this default NAT.
NAT is not performed on inbound pass through connections, from the external network to the PSN or protected network, or from the PSN to the protected network. Pass through policies support all IP protocols. Pass through can define traffic without NAT for a host on a: Protected network to a host on another protected network Protected network outbound through a PSN and external interface Protected network outbound through a PSN interface only Protected network outbound through an external interface only PSN outbound through an external interface only A pass through security policy requires: Defined IP addresses in Hosts/Networks (Configure>Network>Pass Through>Hosts\Networks) Internal hosts to have a routable address on the subnet if the traffic goes to the Internet through the external interface A pass through security policy allowing connections to flow from and/or to the internal IP address Note
By default, inbound traffic will not know how to route back to reach the internal pass through hosts. To allow inbound traffic to pass through hosts, add a static route to the gateway (Internet router) that routes packets for the pass through hosts through the firewalls external interface.
Note
If an IP address in a pass through policy uses the external network or protected network interface as a routable address with the Internet, the IP address must be registered. See RFC 1918 for more information (http://ietf.org/rfc/rfc1918.txt).
By default, pass through policies are configured for outbound traffic only. Stateful packet inspection information is maintained for outbound sessions originating from hosts on a PSN or a protected network, guaranteeing that only replies to the initiated connections are accepted. If the connection protocol calls for a secondary inbound connection from an external host to the originating internal host, virtual cracks are created to allow the secondary connection. This allows multi-connection protocols such as FTP to be used without arbitrary, semi-permanent inbound connections. Pass through provides great routing flexibility. For example, with proper pass through policies, the firewall can apply NAT to some traffic (e.g. protected network packets with a destination within the PSN), but not apply NAT to other traffic (e.g. external/Internet traffic).
97
Security Policies
Pass through security policies control access to and from hosts specified in Hosts/Networks. These policies are different from remote access and outbound policies, since they control both inbound and outbound access, so the firewall functions as either a router or gateway for these IP addresses. Pass through policies use addresses defined in Hosts/Networks in their definitions, not firewall network interface addresses. Pass through policies are used in two scenarios: When pass through hosts/networks are defined When the firewall is using bridging mode Typically, two policies are required for each host/network IP address: outbound and inbound. If hosts/ networks are already defined, the firewall will create a pre-configured inbound/outbound policy pair based on those defined IP addresses. The pre-configured (default) policies vary according to options selected. Pass through policies are defined in the same manner as remote access or outbound policies, and the rules concerning policy index order and order of evaluation also apply. Denial of all traffic not explicitly allowed applies to pass through policies. For more information on configuring security policies, see Allowing and Denying Traffic in Basic Setup Tasks and Creating Advanced Allow/Deny Policies later in this chapter.
Creating Pass Through Policy Pairs

Pass through addresses need inbound and outbound policies, one policy for each direction of traffic. To create a pass through policy pair: Create the outbound connection policy by adding a policy. Complete the policy definition in the same manner as an outbound policy, specifying the same source address object as the pass through address. Click OK to save. Create the inbound connection by adding an empty policy definition. Define the policy as you would a remote access policy except the destination address object will be the pass through address, not the IP address on the firewalls network interface. Click OK to save. Once you have completed all the desired pass through policies, click the Save button on the policy set to save the policies and apply them to your firewalls configuration. Ensure pass through policies organized above the newly created policies do not supersede them.
98
Defining Bridged Protocols

Bridged protocols specify any non-IP Ethernet protocols you wish to explicitly allow to bypass all firewall policies between bridged interfaces. (IP protocols on bridged interfaces will still use normal firewall policies.) Requires bridge mode to be configured. Caution
There are no firewall policies applied to protocols that have been allowed in the Bridged Protocols section..
To define a bridged protocol, navigate to Configure>Network>Pass Through>Bridged Protocols.
Figure 3.21: Configuring Bridged Protocols
Table 3.19: Configuring Bridged Protocols

Field Name
Description
A toggle for whether the bridged protocol should be disabled or not. Default is off. A short description to identify the bridged protocol. The number of the packet header of the designated protocol. 0x0 is a placeholder for the full hexadecimal protocol type number. Use the 0x prefix when entering a number in hex format. Enable this checkbox to allow the protocols traffic on the bridged interface. Disabled by default. Enable to log events of that protocol type. Enabled by default.
Allowed Log
Protocol Definitions
Ethernet protocol definitions are generally unpublished, but some protocols in use are well known. For a collection of known Ethernet protocol types, please visit IANAs Web site at http://www.iana.org/ assignments/ethernet-numbers. To locate a definition for a protocol you need to bridge: 1. Configure the bridged protocol as desired. 2. Log blocked non-TCP/IP traffic on bridged interfaces. By default, this traffic is denied, but not logged. To log this denied traffic, enable logging for Deny Unexpected Packets in Configuration>Security Policies>Preferences under Advanced Options. This will generate log messages (found in Monitor>System>Log Messages) containing the protocol types of the IP packets. 3. Enter the protocols hexadecimal number with its prefix into the Type field. Decimal format numbers can also be entered; they will be displayed in hexadecimal. 4. Defined non-TCP/IP protocol definitions may be enabled and protocol acceptance and logging may be specified on an individual basis. To continue to deny a specific protocol but not log it, enter the protocol number and deselect the Allowed and Log check box. To deny a protocol and log the denials, deselect the Allowed checkbox and select the Log checkbox. To allow a protocol and not log it, select the Allowed checkbox and deselect the Log checkbox.
99
Defining Hosts/Networks
Hosts/Networks specifies an IP address, subnet or network that will not have NAT applied to its traffic. See product specifications for the number of pass through hosts/networks available on a specific model. Note
A Hosts/Networks entry is not required for pass through in bridging mode because no NAT is applied by definition.
To create a new host or network: 1. Navigate to Configure>Network>Pass Through>Hosts/Networks. 2. In the Hosts/Networks configuration screen, select an object or <USER DEFINED> and enter an IP address (for a single host), IP address with subnet mask (for a subnet), or multiple IP address sets (for a network or multiple non-contiguous hosts) in the Host field. Single IP addresses use /32 or /255.255.255.255, indicating that there is only one host member of that subnet. 3. Select the Destination Interface that should not apply NAT when outbound IP packets are received. The destination interface is the interface the packet exits through. 4. If unsolicited IP packets should be accepted for the specified address, select the Inbound check box. If you wish to allow only replies to outbound traffic, deselect Inbound.
Figure 3.22: Configuring Hosts/Networks
Table 3.20: Configuring Hosts/Networks

Field Name
Disable Hosts Description IP Address Destination Interface Inbound
Description
A toggle for whether the host/network should be disabled or not. Default is off. A short description to identify the host/network. Select the address object that will be used as the host member. If an address object cannot be used, enter the IP address and subnet mask that will be mapped (e.g., to a map a single IP address, use a subnet mask of /32 (255.255.255.255)). Select the destination interface that should not apply NAT when outbound connections are received. Accepts unsolicited connections from the specified IP address. Disabled by default.
100
Bridging Interfaces
By bridging interfaces, additional interfaces can be configured to share the IP address from one of the primary interfaces. TCP/IP packets pass between these bridged interfaces according to normal firewall rules on specified ports if allowed by a pass through security policy. Bridging is only supported for IPv4 interfaces. Caution
Packets with TCP/IP Ethernet protocols that have been allowed in Configure>Network>Pass Through>Bridged Protocols can bypass all filtering between bridged interfaces. Allowing unnecessary protocols, or protocols that may contain untrusted traffic, can pose a serious security vulnerability to your network and is not recommended by GTA.
To bridge interfaces: 1. Navigate to Configure>Network>Interfaces>Settings. 2. Select the Edit button to bridge a previously configured interface or select New to create a new interface. 3. In the Type field, select Bridge. 4. Inn the IP Address field, manually enter the IP address for the bridged interface. 5. Select the VLAN checkbox if configuring a VLAN interface. The DHCP, Gateway, and High Availability fields are all disabled in bridge mode. 6. Enter a name for the bridged interface in the Name field. 7. Select the bridged interfaces Zone, options are <External>, <Protected> or <PSN>. 8. Select the NIC to associate with the bridged network, such as <eth0>. The pull down menu lists all physical devices. 9. Enter description to explain the function of the bridged interface. 10. Click OK and then Save.
Figure 3.23: Bridging Interfaces
Table 3.21: Bridging Interfaces

Field Name
Disable Type Name Zone NIC IP Address
Description
Select the Disable checkbox to disable the bridged interface. Select Bridge to in order to create a bridged interface. Enter the primary IP address that will be bridged. The logical name for assigned to the bridged interface. A selection for the interfaces type. Options are <External>, <Protected> or <PSN> A selection for the network interface card to associate with the bridged network. The pull down lists all physical devices and VLANs. A short description to identify the use of the bridged interface.
Description
101
Bridging Mode
By default, a GTA firewall acts as a firewall router so that systems on the internal network see it as a gateway to the external network, and systems on the external network see it as the gateway to the internal network. The GTA firewall connects networks transparently like a bridge for specified Ethernet protocol types, while continuing to apply policies to other IP packets as a firewall. A GTA firewall in bridging mode can be inserted behind a router to the Internet between the router and the internal networks without changing IP addresses, gateways or any other network addresses for the rest of your network hosts. A GTA firewall in bridging mode can also be inserted into an internal network to separate networks that are at a peer level, or to further segregate PSNs. This configuration allows two internal networks to communicate as one, while filtering non-bridged IP traffic between them and preventing the passage of non-IP protocols (except ARP, which operates at both data link layer 2, and network layer 3). When in bridging mode, a GTA firewall can be connected directly to a host, a switch, a router or a non-bridged firewall. H2A - High Availability is not supported in bridging mode. PPP, PPPoE and PPTP are not supported on a bridged interface. If a host points to a router or gateway on a bridged interface as its default route to the Internet, the firewall will override that preference, routing the packet through its logical external network interface. Also, in bridging mode (as in unbridged firewall operation) any packet that goes through the firewall will use the firewalls routing tables. This means that even though a host may have indicated a particular route, the firewall will instead use the routes set up in Configure>Network>Routing>Static Routing and Configure>Network>Routing>RIP to route the traffic.
102
BGP Setup
BGP (Border Gateway Protocol) is an Exterior Gateway Routing Protocol (EGRP) used for larger networks such as the Internet. BGP uses TCP port 179 to establish a connection between two or more routers. These routers are considered peers. Initially the routers exchange full routing information, once the connection is established the routers only send updates to their routing tables. Note
BGP is only available on GB-2000, GB-2100, GB-2500, GB-3000 and GB-Ware.
Note
For more information on BGP, one recommended source is IP Routing, 1st Edition by Ravi Malhotra from OReilly and Associates.
Requirements for BGP: 1. Basic understanding of BGP. 2. Understanding of TCP/IP and routing. 3. BGP Neighbor(s) IP and Autonomous System (AS). To configure BGP: 1. Navigate to Configure>Network>Routing>BGP. 2. Select Enable. 3. Define the Router AS in which the firewall belongs. 4. Configure the Router ID. This number must be unique 5. Define the Networks. This is the network(s) which will use BGP. 6. Define the BGP Neighbor(s). 7. Enter the neighbors Remote AS and whether the firewall will Advertise the Default Route. 8. Configure the Advanced Redistribute and Aggregation options if needed.
Figure 3.24: BGP Setup
103
Table 3.22: Configuring BGP

Field
Enable Router AS Router ID Networks Advanced Automatic Policies Enables the firewall to generate a set of automatic policies to allow a configured BGP interface to function properly. By default this is enabled. The policy created is for TCP port 179 and is viewable in the Monitor> Activity>Security Policies>Automatic section. Configure the metric when the route is redistributed. If enabled, routing information is sent for those networks directly assigned to the firewall--such as interfaces and aliases If enabled, routing information is sent for those networks that are configured via IGRP or OSPF. If enabled, routing information is sent for those networks configured via RIP. If enabled, outing information is sent for those networks that are statically assigned to the firewall. The network(s) to aggregate. This selection will generate or send the AS set of other routers to the remote router. This selection filters the more specific routes when sending updates.
Description
Enables the BGP interface and starts the service. The number assigned to a router or set of routers in a single technical administration. Router ID number. A selection for the network(s) which will use BGP.
Redistribute Metric Connected OSPF RIP Static Route Aggregation Aggregate Addresses AS set
Summary Only
To edit an existing BGP interface, select the Edit icon. To create a new BGP interface, select the New icon.
Figure 3.25: BGP Setup
Table 3.23: Configuring BGP

Field
Disable Description Neighbor Remote AS Advanced eBGP Multihop Next Hop Self Enables BGP multihop. This selection disables the Next Hop Self attribute for BGP.
Description
Disables the BGP interface. A short description to identify the BGP interface. A selection for the IP address used to configure the peer routers the firewall will use to connect to BGP. The AS number of the peer router. Enable if the firewall will advertise itself as the default route.
Advertise Default Route
104
OSPF Setup
OSPF (Open Shortest Path First Protocol) is an interior gateway routing protocol (IGRP). Using link state algorithm advertisements (LSAs) the router builds a database (LSDB) of the networks. OSPF uses protocol 89. Requirements for OSPF: 1. Basic understanding of OSPF. 2. Understanding of TCP/IP and routing. 3. OSPF Area information and IP Router ID for Virtual Links if needed. To configure OSPF: 1. Navigate to Configure>Network>Routing>OSPF. 2. Select Enable. 3. Enter the Router ID in the form of 0.0.0.0. (Example: 0.0.0.1). 4. Enable the Advertise Default Route if the firewall will be the default route. 5. Create the OSPF Area(s). a. Area: Specify the OSPF area. b. Type: Determine the behavior of the firewall/router. i. Normal: No restriction. ii. Stub: No Type 5 AS-external LSA allowed. iii. Stub No Summary: No Type 3, 4, or 5 LSAs allowed except the default route summary route. iv: NSSA: No Type 5 AS-external LSAs allowed; Type 7 LSAs that convert to Type 5 at the NSSA ABR can traverse.. v: NSSA No Summary: No Type 3, 4, or 5 LSAs except the default summary route; Type 7 LSAs that convert to Type 5 at the NSSA ABR are allowed. c. Networks: Select the network(s) which will use OSPF. d. Authentication: Must be enabled if authentication is required. Other routers in the same area must have a matching ID and password. e. Virtual Links: Identify if the firewall is not directly connected to the back bone (area 0). Virtual links are used to create a link to another router directly connected to the back bone. The target router should have a virtual link pointing back to this router. 6. Advanced steps a. Set the Default Metric and Distance. b Configure redistribution if needed. Note
For more information on OSPF, one recommended source is IP Routing, 1st Edition by Ravi Malhotra from OReilly and Associates.
105
Figure 3.26: OSPF Setup
Table 3.24: Configuring OSPF

Field
Enable Router ID Advertise Default Route Advanced Automatic Policies Enables the firewall to generate a set of automatic policies to allow a configured OSPF interface to function properly. By default this is enabled. The policy created is for IP Protocol 89 and is viewable in the Monitor>Activity>Security Policies>Automatic section. The value used by a routing algorithm by which one route is determined to perform better than another. When metrics do not convert, the default metric will provide a substitute, enabling redistribution to proceed. A selection used to determine which routes a router should trust if the router receives two routes with identical information. Configure the metric when the route is redistributed. If enabled, routing information is sent for those networks directly assigned to the firewall--such as interfaces and aliases If enabled, routing information is sent for those networks that are configured via BGP. Only supported on GB-2000, GB-3000, and GB-Ware. If enabled, routing information is sent for those networks configured via RIP. If enabled, outing information is sent for those networks that are statically assigned to the firewall.
Description
Enables the OSPF interface. Uniquely identified for the firewall/router. Must be in the form of 0.0.0.0 (Example: 0.0.0.1) A toggle for whether or not the firewall will advertise itself as the default route.
Default Metric Distance Redistribute Metric Connected BGP RIP
Static
106
To edit an existing OSPF interface, select the Edit icon. To create a new OSPF interface, select the New Icon.
Figure 3.27: OSPF Setup
Table 3.25: Configuring OSPF

Field
Disable Area Description Type Networks Advanced Link Cost Priority Dead Interval Hello Interval The cost to send a packet via an interface. The cost value is set to router-LSAs metric field and used for SPF calculation A selection for the priority status of the route. The router with the highest priority will be more eligible to become the Designated Router. Setting the value to 0 makes the router ineligible to become the Designated Router. Default value is 1. Define the period of time (in seconds) after which the route will be considered down. Define the period of time (in seconds) in which updates will be sent. Define the period of time (in seconds) in which the router will wait after an update is sent. If time expires, the router will resend the update. Define the estimated time (in seconds) to send an update. This value must be greater than zero. Pre-shared secret key ID. Password that must be used to collect routing information through OSPF. Once entered, this field will be obscured. Select modify to enter a new password. Uniquely identified for the firewall/router. Must be in the form of 0.0.0.0 (Example: 0.0.0.1)
Description
Disables OSPF for the specified area. This selection specifies the OSPF area. A short description to identify the OSPF area. This selection is used to determine the behavior of the firewall/router. A selection for the network(s) which will use OSPF.
Retransmit Interval Transmit Delay Authentication KeyID Password Virtual Links Router ID
107
RIP Setup
RIP (Routing Information Protocol) is typically used by routers to receive updated routing tables. RIP is a TCP/IP routing protocol defined by RFC 1058 that allows broadcasting and/or listening to routing information in order to choose the most efficient route for a packet. Hosts using RIP select the routes that use the fewest hops, or select an alternate path if a route is down or has been slowed by high traffic. RIP is limited to 15 hops; more than that, and the route is flagged as unreachable. Caution
Most smaller network configurations do not benefit from RIP. Before using RIP, be aware that the protocol may decrease performance rather than help small networks and acceptance of RIP sources can compromise network security.
RIP is disabled by default on GB-OS, so routing information to redirect packets is not accepted from external sources. If RIP is enabled, the firewall can receive and/or broadcast routing information for either RIP version 1 or 2. To configure RIP version 2.0: 1. Navigate to Configure>Network>Routing>RIP. 2. Check Enable to enable the RIP messages over RIP interfaces. 3. Enable the Advertise Default Route checkbox if you wish to do so on any protected network or PSN on which RIP is enabled. 4. Select a RIP interface and click the Edit icon to configure it. 5. Select v2 from either the input or output field, or both, to indicate version 2 of the protocol. 6. In the password fields, you may select a password encryption scheme from the menu. The <None> option will require no password and no encryption. <Clear> will send an unencrypted password, while <MD5> will use MD5 encryption on the password. 7. If you selected <Clear>, enter a password in the text box. If you selected <MD5> encryption for your password, you must enter a pre-shared secret along with the password that will be used to encrypt the password. 8. Configure Redistribution if needed. Caution
Sending unencrypted (clear/plain) passwords can expose your RIP password to the network and potential attackers, and therefore it is not recommended by GTA.
Figure 3.28: RIP Setup
Table 3.26: Configuring RIP

Field
Disable Interface Description
Description
Disables the RIP interface. The interface for which RIP is being configured. A short description to identify the RIP interface.
108
Table 3.26: Configuring RIP

Field
Input/Output
Description
Controls how RIP is implemented. Input determines whether any version of RIP will be accepted from other routers. Output determines whether any version of RIP will be exported or broadcast. The choices are: <V1>: Version 1 RIP is accepted or exported. <V2>: Version 2 RIP is accepted or exported. <Both>: Both version 1 and 2 are used. Type of encryption that will be used. If an encryption is selected, the password field is enabled. Encryption types are: None, Clear and MD5. This only applies to RIPv2 Password that must be used to collect routing information through RIPv2. Pre-shared secret key ID. This only applies to RIPv2 when MD5 encryption is used. Enables the firewall to generate an automatic set of policies to allow configured RIP interface settings to function properly. Default is selected. The value used by a routing algorithm by which one route is determined to perform better than another. The rate at which RIP sends a message containing the complete routing table to all neighboring RIP routers. Timer limit is 30 seconds. Upon expiration of the timeout, the route is no longer vaild. The route is retained in the routing table for a short time so neighbors can be notified that the route has been dropped. Timer limit is 180 seconds. Upon expiration of the garbage timer, the route is completely removed from the routing table. Timer limit is 120 seconds.
Password Type Password Key ID
Advanced Automatic Policies Default Metric RIP Timers Update Timeout Garbage
109
Static Routes
Static Routes define routing paths between one subnet and another. Static routes supersede the default gateway defined in Configure>Network>Routing>Static Routes. Defining a static route is useful when there is a router between different parts of an internal network, creating multiple subnets within your internal network. Without a static route, the firewall routes all traffic, even if it should be directed to a different subnet on the internal network to the default gateway. Traffic will not travel from internal subnets in this case, causing spoofing messages. Static routes solve this problem by diverting internal traffic back to the appropriate internal subnet instead of the default gateway. Using a static route, the firewall correctly routes internal multi-subnet traffic to other internal IPs. To configure static routes, navigate to Configure>Network>Routing>Static Routes. Select New to create a new static route or select Edit to modify a pre-defined static route.
Figure 3.29: Configuring Static Routes
Table 3.27: Configuring Static Routes

Field
Disable Description Network IP Address
Description
Disables the static route. A short description to identify the static route. IP address(es) whose traffic will be subject to the static route, either by selecting the appropriate interface object in the drop down box or by selecting <USER DEFINED> and entering the address and subnet mask, either in CIDR-based (slash) notation or dotted decimal. IP address or interface object of the destination/gateway (default route) selected for this static route.
Gateway
Multiple Gateway Setup

Gateway policies control entry and exit routing for networks with multiple connections to the Internet or other external networks. It contains controls for: Gateway Failover Gateway Sharing Policy Based Routing Source Routing These features can provide alternative routing if your primary Internet connection fails (gateway failover), distribute outbound connections evenly across multiple Internet connections (gateway sharing), or specify gateways for certain types of connections via indication in a policy (policy based and source routing). The default gateway is specifiable in Configure>Network>Interfaces>Settings. To specify additional gateways, create new Gateway Policies. Note
Gateway policies will initially take the first gateway from the default route listed in Configure>Network>Interfaces >Settings. Further modifications to Gateway Policies cause it to override the default route listed in Configure>Net work>Interfaces>Settings. The first gateway listed in Gateway Policies will become the firewalls default gateway, regardless of the default route listed in Configure>Network>Interfaces>Settings.
110
By default, Gateway Policies gives priority to the first gateway listed. Gateway Sharing changes this default behavior, causing policy-selected traffic to be distributed evenly among the available gateways. Policy based routing and source based routing may also change this default behavior and override gateway sharing by specifying gateway overrides on a per-connection basis, also indicated in your outbound policies. When the gateway changes, the firewall logs a route change notification and sends an email notification (if email notification is enabled). The active routes table, located at Monitor>Activity>Network>Routes, will also be updated with the new gateway. If using only gateway failover (not sharing or policy based routing), alternative gateways will deactivate once the first listed gateway becomes active again. To define additional gateways, navigate to Configure>Network>Routing>Gateway Policies and click New.
Figure 3.30: Creating New Gateway Policies
Table 3.28: Creating New Gateway Policies

Field
Disable Name Description Route Failover Enable Beacons A toggle to enable gateway failover capabilities. Enter pingable IP addresses that are within five hops of the gateway. GTA recommends that both beacons are specified to confirm when failover is necessary. For more information on selecting useful beacons, see Selecting Useful Beacons. A toggle to allow or unallow pinging of the gatway. A toggle to enable traffic connection balancing across gateways for which you have selected sharing.
Description
Disables the configured gateway policy. A unique name used to identify the gateway policy. A brief description to describe the function of the gateway policy. The IP address of the gateway. Select <USER DEFINED> if you wish to manually enter the IP address, otherwise select an address object.
Advanced Do Not Ping Gatway Sharing Enable
111
Gateway Failover
Gateway failover provides alternative routing should your primary Internet connection fail. If your network has multiple routes to the Internet, you can use the Gateway Failover feature to automatically switch to an alternate route should your primary gateway to the Internet go down. To use gateway failover: Enable gateway failover by selecting the enable checkbox on the Gateway Policies screen. Edit existing gateway policies or create new ones with the failover option enabled. Provide beacon addresses for those gateways. In addition, the following advanced options for configuring gateway failover are available on the Gateway Policies screen: Table 3.29: Gateway Failover Advanced Settings
Field
Add Static Routes For Beacons
Description
Adds a static route for each defined beacon. For more information on selecting useful beacons, see Selecting Useful Beacons. Pings the failover gateway only if pinging the primary is unsuccessful.
Ping Secondary Only if Primary Down
Selecting Useful Beacons

Beacons determine if a route is accessible by testing accessibility. Beacon IP addresses typically reside on the remote side of WAN connection or beyond. Each beacon must be unique. GTA recommends using both beacons. The Gateway Policies ICMP ping TTL (Time To Live) value is thirty. Therefore, beacons can be no more than thirty (30) hops away (hops are intermediate network nodes such as routers or gateways). A beacon more than thirty hops away will mark routes inaccessible, and Gateway Policies will perform improperly. One way to select a beacon is to test hop count by performing a traceroute from each interface. Once the traceroute is complete, select the next one or two IP addresses in the trace past the gateway as beacons. GB-OS pings each beacon address every half second. When a beacon address does not respond for five consecutive pings or 2.5 seconds, Gateway Policies will consider the route down and switch to the next accessible failover route in the Gateway Policies list.
Gateway Sharing
Gateway sharing distributes outbound connections evenly across multiple gateways when enabled. To use gateway sharing: 1. On the Gateway Policies screen, select the Gateway Sharing checkbox to enable the service. a. Edit existing gateway policies or create new ones with Sharing enabled. b. Click Save on the Gateway Polices screen to commit the changes. 2. Navigate to Configure>Security Policies>Policy Editor>Outbound to configure your outbound policies. a. Under the Advanced tab, select <Sharing> for the policys Route. b. Click OK. Doing so will bring you back to the Outbound Policy Editor. c. Position in the policy list is important since policies are evaluated by their list order and the firewall will ignore further policies if a match is made. Place the policy at the top of the list if it must override all other outbound policies. See Allowing and Denying Traffic in Basic Setup Tasks and Creating Advanced Allow/Deny Policies later in this chapter for information on creating a firewall policy. Click Save.
112
Policy Based Routing

Policy based routing allows you to route traffic to a specific gateway based upon outbound policy definitions. To use policy based routing: 1. On the Gateway Policies screen: Select the Policy Based Routing checkbox to enable the service. Click Save. 2. Navigate to Configure>Security Policies>Policy Editor>Outbound to configure your outbound policies. Edit an existing policy or create a new one. Enter a description for your policy, e.g. Policy Based Route: Use Gateway 2 for Outbound HTTP Packets. Set the policys Type to <Accept> and the Route to your desired gateway. If desired, specify other parameters to limit the connections that should receive policy based treatment, e.g. restrict your gateway policy to only HTTP. Click OK. Doing so will bring you back to the Outbound Policy Editor. Position in the policy list is important since policies are evaluated by their list order and the firewall will ignore further policies if a match is made. Place the policy at the top of the list if it must override all other outbound policies. See Allowing and Denying Traffic in Basic Setup Tasks and Creating Advanced Allow/Deny Policies later in this chapter for information on creating a firewall policy. Click Save.
Source Routing
Source routing automatically returns connections with NAT through the gateway to their original source.
Requirements
1. Interface Zones of EXTERNAL only can used for Source Based routing. 2. Default gateway must be on or via an interface of Zone EXTERNAL. To use source routing: On the Gateway Policies screen: Select the Source Routing checkbox to enable the service. Click Save.
113
Preferences
Defining the Internet Protocol
Define the internet protocol for the supported network. Choose either IPv4 only, or both IPv4 and IPv6 networks. When IPv6 is enabled, automatic policies for IPv6 neighbor discovery may also be enabled. When saving changes to this section, the firewall must be rebooted to reset appropriate configurations sections affected by the change in internet protocols.
Figure 3.31: Defining the Internet Protocol
Table 3.30: Defining Connection Timeouts

Field
Internet Protocol Enable Advanced IPv6 Neighbor Discovery Automatic Policies Select to enable automatic policies. Select the type of internet protocols to be supported. Options include IPv4 only, or both IPv4 and IPv6.
Description
Defining Connection Timeouts and Limiting

Timeouts define how long a connection should be idle before it is marked ready to close. The result of a connection reaching timeout value differs for each protocol. For example, TCP has enough information embedded for the firewall to determine when the connection is ready to close, but with ICMP and UDP, it is generally impossible to determine when the connection is ready to close. To define timeouts for TCP, UDP and ICMP connections, navigate to Configure>Network>Preferences.
Figure 3.32: Defining Connection Timeouts
114
Table 3.30: Defining Connection Timeouts

Field
TCP Wait for ACK
Description
Enter the amount of time, in seconds, a TCP connection is allowed to remain idle before GB-OS closes the connection. Default is 600 seconds (10 minutes). As part of the creation of a TCP connection, the client and server exchange several IP packets. All packets sent from the server will have a header bit indicating ACK (acknowledgement). As part of GB-OS stateful packet inspection, the firewall keeps record of this bit. If it is not seen, it is likely that the remote server is down. If the idle time is reached without an ACK from the server, the connection is marked ready to close. Default is 30 seconds.
This field is enabled by default so that if a TCP connection remains idle during the timeout period, a keep alive packet is sent. If the connection is still valid, the firewall will set the idle time to zero. If the connection is invalid, the firewall will see a reset packet and will mark the connection ready to close. If no response is received within five minutes, the firewall will mark the connection ready to close. If the Send Keep Alives field is disabled, then the connection is marked ready for close.
Send Keep Alives
UDP ICMP Default
Enter the amount of time, in seconds, a UDP connection is allowed to remain idle before GB-OS closes the connection. Default is 600 seconds (10 minutes). Enter the amount of time, in seconds, a ICMP connection is allowed to remain idle before GB-OS closes the connection. Default is 30 seconds. Enter the amount of time, in seconds, that connections using supported protocols other than TCP, UDP and ICMP are allowed to remain idle. After a connection is marked ready for close, the firewall waits five seconds before it actually closes the connection, giving redundant IP packets a chance to clear the firewall without causing false doorknob twist error messages. If the firewall experiences spurious blocks from reply packets (typically port 80), increasing this value gives packets from slow or distant connections more time to return before the connection is closed.
Wait for Close
Advanced Connection Limiting ICMP Packets Maximum ICMP Packet Size New Connections SIP Support Enable Enable or disable SIP support. The limit number of ICMP packets (per second). Maximum ICMP packet size is disabled if set to zero (0) and has a range of 84 to 65,536 bytes. The limit number of new connections (per second). The limit number of new connections per host (per second).
New Connections Per Host
115
Creating Advanced Security Policies

Security policies defined in the Policy Editor (Configure>Security Policies>Policy Editor) contain additional, advanced settings not discussed in Basic Setup Tasks. These functions, located under the Advanced tab, allow for the advanced configuration of a security policy.
Figure 3.33: Creating Advanced Allow/Deny Policies
Table 3.31: Applying Advanced Allow/Deny Policies

Field
Broadcast Options Priority Action Alarm Email ICMP IPS Log Report SMS SNMP Trap Stop Interface Coalesce Source Address Source Ports Destination Address Destination Ports Coalescing blends similar data into a single log event: Source address/ports and destination address/ports. By default, ports and addresses are coalesced when a new or auto-configured policy is created. Enable to notify the administrator of an event logging of Firewall Control Center alarm mechanisms. Disabled by default. Enable to notify the administrator of an event using email. Disabled by default. Enable to respond to the event with ICMP unreachable or TCP reset. Disabled by default. A toggle for whether traffic should be checked against configured Intrusion Prevention System policies. See Intrusion Prevention System (IPS) in the Threat Management chapter for more information. Options include <Yes>, <No> and <Default>. <Default> is the value defined in Configuration>Security Policies>Preferences. Enable to include policy data in reports. Enable to notify the administrator of an event using SMS. Disabled by default. Enable to notify the administrator of an event using a SNMP trap alarm. Disabled by default. Enable to shut down the arriving interface. Disabled by default. User-defined priority used for alarms and logging data.
Description
Enable if the Destination Address is a broadcast address.
116
Detailed List View

Firewall administrators who wish to view additional details for configured security policies can do so by appending ?details to the end of the firewalls URL. For example, to view a detailed security policy list on a firewall with a URL of https://firewall.example.com, enter https://firewall.example.com?details in your browsers location/address field. Policy details displayed in the list view are the policys criteria for the Type, Priority, Interface, Options, Service, Source Address, Destination Address, Traffic Shaping and Coalesce options.
Figure 3.34: Detailed List View
Policy Preferences
Policy preferences allow the firewall administrator to globally define most logging and policy definitions for all defined policies in one location. Logging options for automatic policies, tunnel connections (opens and closes) and policy blocks may be selected. To configure policy preferences, navigate to Configure>Security Policies>Preferences.
Figure 3.35: Policy Preferences
Under Preferences, additional options are available for configuring policy preferences. From the Options table, the firewall administrator can enable or disable automatic policies, generate alarms, send email, send an ICMP service not available message, or log an event. Table 3.32: Preference Options
Field
Automatic Policies Connection Limiting
Options
Description
Options: Enable/Disable; Log; Report. GTA recommends leaving automatic policies enabled. Enabling or disabling automatic policies requires a reboot to take effect. Always enabled. Options: Log, Report. Always enabled. Options: Alarm, Email, Log, Report. Always enabled. Options: Alarm, Email, ICMP, Log, Report. Options: Enable/Disable, Log, Report. Can be used to block some fragment attacks. GTA recommends leaving this option disabled.
Deny Address Spoof
Deny Doorknob Twist
Deny Fragmented Packets
117
Deny Invalid Packets Ident
Deny Unexpected Packets Stealth Mode
Always enabled. Option: Log, Report. Always enabled. Option: Enable/Disable, Log, Report. Option: Enable/Disable Options: Enable/Disable, Log, Report. Options: Enable/Disable, Log. Options: Enable/Disable, Log. Stealth mode has priority over all filters. Always enabled. Option: Log, enabled by default. Always enabled. Option: Log, enabled by default.
TCP Syn Cookies Default Logging Policy Blocks Tunnel Opens
Tunnel Closes
Automatic policies create the necessary security policies automatically to allow the use of enabled services and configured tunnels. The Automatic Policies checkbox is a toggle that will enable or disable automatic policies for the following services: NTP IPSec Tunnels DNS Proxy DNS Server SNMP Authentication Inbound Tunnels Remote Administration GTA recommends leaving automatic policies enabled. Note
Enabling or disabling automatic policies requires a reboot for changes to take effect.
Automatic Policies
Address Spoof
An IP address spoof occurs when a packet arrives at one interface and its return path is through a different interface. This may be caused by an intrusion attempt made altering the packet source IP address or a mis-configured firewall (e.g., networks or hosts located on, or connected to, the internal side of a firewall have not been defined using static routes or RIP).
Connection Limiting Doorknob Twist
Connection Limiting is configured at Configure>Network>Preferences>Advanced.
A doorknob twist occurs when a connection is attempted on a port for which there is no service or tunnel in place and a policy has accepted the packet. A doorknob twist usually indicates that the firewall is mis-configured.
Fragmented Packets
By default, fragmented packets are reassembled and forwarded only if the resulting packet does not violate a security policy; otherwise, they are dropped. This option is rarely necessary.
Invalid Packets
Invalid packets are those that are not the expected size or have an invalid option bit (e.g., an ICMP port unreachable packet must have at least 28 bytes). Invalid packets are dropped silently by default, but the firewall can log dropped packets.
118
Unexpected Packets
If a packet is valid, but not expected by the state table, the firewall denies it (e.g., a packet can only generate a single ICMP port unreachable response). A second one may indicate an ICMP replay attack. An unexpected packet may also be a packet that does not have the correct flags during TCPs three-way handshake.
Ident Option
Ident receives requests as a server daemon and then sends a response identifying the user as Hidden User. When Ident is disabled, the firewall will no longer respond to Ident and may result in timeout delays and will connect slower to external servers that make Ident requests. The Ident option is enabled by default.
Stealth Mode
Stealth mode is the factory set default for new GTA Firewall UTM Appliances. In stealth mode, the firewall will not respond to ICMP ping requests, ICMP traceroute requests or UDP traceroute requests to external interfaces. Policies that allow pings, traceroutes, etc. from the external interface are not functional when the firewall is in stealth mode. In addition, the firewall will not respond with an ICMP message when a packet arrives for a port without a tunnel or service set on any external network interface. Stealth mode has priority over other policy types.
TCP SYN Cookies

TCP SYN cookies are a SYN flood defense technique that works by sending a secure cookie as the sequence number in the second packet of the TCPs three-way handshake, then discarding all state for that connection. If enabled, the firewall can also log sent cookies.
Advanced: Coalesce
Coalescing is enabled by default in Configure>Security Policies>Preferences. Data coalescing reduces the amount of individual policy event data logged, merging similar data into a single log event. It applies only to automatic policies, such as those created by a tunnel when Automatic Accept All Policy is selected on an inbound tunnel definition. The Interval is an option for all policy event coalescing; set the interval to zero (0) to turn off all coalescing. Table 3.33: Advanced: Coalesce
Field
Interval Source Address Source Ports Destination Address Destination Ports
Description
60 seconds by default. Zero (0) turns off coalescing. When selected, it coalesces log messages from like source IP addresses. When selected, it coalesces log messages from like source ports. When selected, it coalesces log messages from like destination IP addresses. When selected, it coalesces log messages from like destination ports.
119
Setting Notifications
This user preference table allows the firewall administrator to enable or disable notifications by email, SMS, and SNMP trap on the specified service or event. To configure notifications, navigate to Configure>System>Notifications.
Figure 3.36: System Notifications
Email
The firewall will perform an MX lookup of the domain specified in the to field. It will then attempt to send an email. If it is unable to connect to the email server, the firewall will try the secondary email server set in MX record. Note
The firewall will attempt to send the email 5 times, after which a log will be created for the failure.
Table 3.34: Email

Field
Enable From
Description
Send email and alarm notification. Disabled by default. Email address that will appear in From field. An invalid address or a server that does not allow email with an empty From field can cause an email loop. The address can be a fully-qualified address, such as jdoe@gta.com, or the mailbox name on the specified email server: jdoe. Email address where notifications should be sent, fwadmin by default. The address can be a fully-qualified address, such as jdoe@gta.com, or the mailbox name on the specified email server: jdoe.
To
120
SMS
To receive notifications via SMS text messaging, the user must have a phone which supports SMS messaging. Check with your provider to determine the formatting of your phones email address. For example, a Sprint user would use the format: phonenumber@messaging.sprintpcs.com Table 3.35: SMS
Field
Enable From To
Description
Send SMS text message notifications. Disabled by default. SMS messaging email address from which notifications will be sent. SMS messaging email address where notifications will be sent.
SNMP Trap
Simple Network Management Protocol (SNMP) is a standard for managing network configuration data for each host. If SNMP trap is disabled, selecting SNMP policy actions on the policy definition screen has no effect. If SNMP is checked as an action, the firewall will generate an enterprise-specific generic trap on a policy definition when the policy is matched. The SNMP manager is typically on the protected network, though it may reside on any network. Selecting <Automatic> from the Binding interface pull down menu will select the interface configured in Configure>Network>Interface>Settings through which the packet would normally exit based on the routing table. Table 3.36: SNMP Trap
Field
Enable Manager Advanced Binding Interface Address from which SNMP traps are sourced, <Automatic> by default. To force the SNMP traps to have a specific source IP address, choose the pre-configured interface object from the drop down list. Normally, this is only used if an SNMP manager accessed over a VPN.
Description
Enable the SNMP alarm facility. Disabled by default. Host IP address to receive SNMP trap messages.
Alarms
Alarms sets the default parameters for generating alarm notifications. When a policy with alarm enabled is matched, an alarm event is activated. Each alarm event increments the alarm count by one. When the Threshold for Generating Email is exceeded within the Threshold Interval, a notification will be sent documenting all of the events. Multiple messages will be sent if the number of events exceeds the Maximum Alarms Per Email. Table 3.37: Alarms
Field
Threshold for Generating Email Threshold Interval Maximum Alarms Per Email Attempt to Log Host Names
Description
Number of alarms above which a notification is sent. Length of time after which to send alarms. Maximum number of alarm messages included in a per email message. An alarm message is generally 200 bytes. Attempt to resolve the host name of the IP address that generated the alarm.
121
Applying Traffic Shaping

Traffic shaping restricts users to the amount of bandwidth specified. All users affected will share the allocated bandwidth; policies and tunnels can be defined to command more or less of the allocated or available bandwidth by selecting a weight for each of the policies that use the same traffic shaping policy. The Default policy does not restrict traffic flow, allowing traffic to utilize all available bandwidth, first come, first served. If traffic shaping is enabled, the default policy cannot be disabled, but an alternate selection for a policy can be made. A security policy or tunnel using a traffic shaping policy restricts users to the amount of bandwidth specified. All users affected will share the allocated bandwidth. Security policies and tunnels can be defined to command more or less of the allocated or available bandwidth by selecting a weight for each of the security policies that utilize the same traffic shaping policy. Configure traffic shaping at Configure>Network>Traffic Shaping
Figure 3.37: Applying Traffic Shaping
Weight vs. Priority

The weight applied to a security policy or tunnel when using a traffic shaping policy is similar, but not the same as, priority (the security policys order in the security policy set). Two connections with different priorities in the policy list will use a connection one at a time, the one with the highest priority first. On the other hand, a connection with a higher weight applied to its matching policy or tunnel will use a higher percentage of available bandwidth, still allowing the lower weight connection to use a percentage (though smaller) of the available bandwidth. Weights of 10 have the greatest percentage, and 1 has the lowest percentage of available bandwidth.
Using Traffic Shaping

Traffic shaping policies can be used in security policies as well as inbound tunnels. The following example shows the use of a traffic shaping policy in an outbound or pass through policy and in an inbound tunnel.
Figure 3.38: Creating a Traffic Shaping Policy
Table 3.38: Creating a Traffic Shaping Policy

Field
Disable Name
Description
Selecting this checkbox disables the traffic shaping policy. A unique name used to identify the traffic shaping policy throughout the configuration. A brief description of the function of the traffic shaping policy. The number of kilobits per second to which policies or tunnels using this pipe will be restricted. The largest amount of bandwidth that can be specified is 1,000,000 Kb. Entering a value of 0 indicates that the policy allows unlimited use of the available bandwidth.
Description Bandwidth
122
The following example traffic shaping policy is intended to limit the bandwidth that slow FTP connections can use, allowing other, faster traffic more bandwidth. 1. Create a new traffic shaping policy: Navigate to Configure>Network>Traffic Shaping Click the Enable checkbox to enable the service. Click the New icon to configure a new traffic shaping policy. 2. Create an outbound or pass through policy for the traffic. In the outbound policy, select the traffic shaping policy previously created from the Traffic Shaping pull down. Using this, the policy will restrict all inbound and outbound packets, including the virtual crack created for the data the size of the traffic shaping policy pipe. 3. Select a weight for the connection. The weight selected will prioritize the connections that match the policy.
Figure 3.39: Selecting the Policys Traffic Shaping Policy and Weight
4. Create an inbound tunnel (Configure>Network>NAT>Inbound Tunnels) for your bandwidth limited connection. (Other protocols can be added to the inbound tunnels list by adding the protocol/ port number combination in Configure>System>Objects>Service Groups). Under the Advanced tab is the Traffic Shaping section. Select the traffic shaping policy previously created for the policy. When selected, the tunnel will restrict all inbound and outbound packets, including the virtual crack created for the data the size of the traffic shaping policy pipe. 5. Select a weight for the connection. The weight selected will prioritize the connections that match the filter.
Figure 3.40: Selecting the Inbound Tunnels Traffic Shaping Policy and Weight
123
VPN Setup
A Virtual Private Network (VPN) is a combined method of tunneling, authentication and encryption that allows a host on an external, untrusted network (e.g., the Internet) to connect to an internal, protected network. VPNs are typically used by telecommuters or remote offices that need access to resources on the protected network. Before manually configuring a VPN, consider running the IPSec Setup Wizard, located at Wizards>IPSec Setup. The IPSec Setup Wizard is designed to help configure a simple VPN quickly and easily. Note
For detailed information on Site to Site IPSec VPN Setup, configuration and certificate management, see the GB-OS VPN Option Guide. For information on Mobile IPSec Clients, PPTP and L2TP see the GTA Remote Access Guide.
VPN Concepts
The following are concepts used when defining a VPN using a GTA firewall.
Authentication
When a VPN is being configured using the IKE IPSec key mode, authentication is performed with either pre-shared secrets or VPN certificates. GB-OS supports both methods of authentication for IPSec key mode VPNs. A pre-shared secret is used to identify a party during the authentication phase of the VPN connection. By its definition, a pre-shared secret is shared with the other party before the VPN connection can be established. VPN certificates, which contain a public key, can be distributed to parties that wish to connect to the VPN. During the authentication phase of the connection, the requesting party then authenticates using the VPN certificate and the private key. To create VPN certificates for authentication, see the GB-OS VPN Option Guide.
Security Associations
A Security Association (SA) specifies the parameters connecting two hosts. Security Associations are one-way, so each active two-way VPN connection uses a minimum of two SAs, one for each direction of communication. For the total number of potential SAs used by each VPN authorization, see the VPN section in the Configure>VPN>Summary. To see the current number of VPN security associations, navigate to Monitor>Activity>VPN>IPSec Tunnels. For the number of security associations supported by a specific model, see its product specifications. Note
Each authorization in the configuration report will contain one or more VPNs, depending on the number of networks represented by each VPN or address object.
124
Multiple Networks
A VPN authorization can define one VPN connection or many, depending on the number of networks represented by each object. For example, if a VPN authorization contains an object with two separate local networks and single remote network, two VPNs are defined, for a total of four SAs.
Inbound SA Outbound SA Protected Network 10.10.1.0/24 Remote Network 200.168.1.1
GB-2000
1 2
Protected Network 192.168.71.0/24 Outbound SA Inbound SA 3 4
Figure 3.41: Two VPNs, Four VPN Security Associations
Mobile Protocol
A VPN using mobile protocol - either a mobile IPSec VPN created in the Configure>Accounts>Users section, or gateway-to-gateway VPN with Force Mobile Protocol selected - will use SAs while active. The number of SAs potentially used by mobile and gateway-to-gateway VPNs can be higher than the number of licensed SAs; however, the number of SAs used by active VPNs, mobile IPSec VPNs included, cannot exceed this number.
IPSec Objects
IPSec Objects determine how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be acceptable by your GTA firewall.
SSL Client and Browser Setup

GTAs SSL Service has two components: Browser The SSL Browser provides client-less remote network access. Using a standard Web browser, users launch a customized Web portal (the SSL Browser) for access to files, applications and internal and external web sites. Supported protocols include http, https, ftp, ftps, and cifs. Client The SSL Client is a remote access VPN client that uses SSL to establish a secure, encrypted connection to the network firewall. Via the SSL Browser, the SSL Client is downloaded and installed to the authorized remote users machine. Browser access for SSL users is determined by their group privileges. Some users may only have access to browse files and only use bookmarks. While other users may have access to browse any internal host using http, https, CIFS or ftp. In addition, users may be restricted to read only access for browsing or have upload and download access. Client access is also determined by group privileges. A user must have SSL Browser capability in order to have Client access. The SSL Client is downloaded via the SSL Browser Interface for each user. Note
For more information on SSL installation, configuration and use, see the GTA SSL Client Guide.
PPTP & L2TP Setup

GTAs remote access options include PPTP and L2TP. Users can easily connect via mobile devices, such as iPhone and Android phones and the iPad. For more information on connecting via PPTP or L2TP, see the GTA Remote Access Guide.
125
VLAN Setup
Short for Virtual Local Area Network and defined in the IEEE 802.1Q standard, a VLAN is a network of hosts, servers and other network devices that appear and behave as if they are on the same LAN, regardless of their physical location. With a configured VLAN, workstations scattered across an office or complex can be physically independent in their connection to the network, yet still be able to access one another. VLANs are configured through software instead of hardware, allowing for flexible implementations. A large advantage of segregating network devices by setting up a VLAN is that when a computer is physically moved to another location, it can remain on the same VLAN without any hardware reconfiguration. Each VLAN is treated as a broadcast domain. For example, if a physical network has two VLANs configured, VLAN 1 and VLAN 2, devices located on VLAN 1 can communicate with other devices on VLAN 1, but cannot connect with devices that are located on VLAN 2 unless the two networks are bridged. To configure a network managed by a GTA firewall to make use of VLANs, an IEEE 802.1Q- compliant VLAN switch is required. Note
For information on how to configure your VLAN switch so it can direct VLAN traffic, consult your switchs documentation.
Internet
Untagged Packets
GB-2000
GTA Firewall
VLAN Trunk
VLAN 1 VLAN 2
VLAN Switch
VLAN 2 Network
VLAN 1 Network
VLAN 1 Network
VLAN 2 Network
Figure 3.42: Basic VLAN Topology with Two VLANs.
126
VLAN Terms and Concepts

The following are terms and concepts used when working with a VLAN.
VLAN Interface
A VLAN interface is the physical interface that is connected to a VLAN switch. A VLAN interface can be assigned to any physical interface, even if it is not defined in Configure>Network>Settings. For example, a VLAN interface can be assigned to eth0, which may already be assigned to your protected network. Adding a VLAN interface to a physical interface that has already been assigned as an external network, protected network or PSN will not create conflicts. Like physical interfaces, VLANs can be bridged. For more information on bridging interfaces, see Bridging Interfaces. Note
See product specifications for the number of available VLANs for your GTA firewall.
VLAN IDs
A VLAN segregates devices that are physically separate from each other based upon the IEEE 802.1Q VLAN ID tag that has been sent and received by the devices in the VLAN. For example, packets with a VLAN ID of 1 will only be sent to network devices logically located on the VLAN 1 network. The VLAN ID can be any number between 1 and 4095, and must match the VLAN ID configured on the VLAN switch. When configuring multiple VLANs over one physical interface, it is not possible to have a VLAN interface share the same VLAN ID. It is possible, however, to add a VLAN interface to another physical interface that has the same VLAN ID. For example, a VLAN interface on eth0 with a VLAN ID of 1 and a VLAN interface on eth1 with a VLAN ID of 1 can both be created without conflict.
VLAN Trunk
In a typical configuration, VLAN routers or switches and GTA firewalls add VLAN IDs to packets travelling to or from a VLAN. A VLAN trunk is the physical connection between the two devices. Packets travelling along a VLAN trunk must be handled by a VLAN router, VLAN switch or GTA firewall. VLAN IDs are only added to data packets when travelling along the VLAN trunk. Once the data packet passes through a VLAN network device, such as a GTA firewall or VLAN switch, the VLAN ID is stripped.
VLAN Switch
A VLAN switch is the network device that resides on the other end of a VLAN trunk. When data packets with a VLAN ID travel through the switch, its logic will direct the traffic to the appropriate VLAN. For example, a header with a VLAN ID of 12 will be directed to VLAN 12. Since VLAN configuration varies with each make and model, it is necessary to consult your VLAN switchs documentation for instructions on defining VLAN settings.
127
Creating a VLAN
To configure a VLAN, navigate to Configure>Network>Interfaces>Settings 1. Click the New icon to create a define a new interface. 2. Select the type of interface being created. For example, <Standard> 3. If DHCP will not be used to obtain the VLAN interfaces IP address, enter it manually in the IP address field. 4. Select the DHCP checkbox if DHCP will be used to obtain the VLAN interfaces IP address. 5. Select the VLAN checkbox to define the interface as a VLAN. 6. Enter the VLANs VLAN ID. This ID must be matched on the VLAN switch or router. 7. Enter a name for the VLAN, such as Marketing. 8. Select the interfaces Zone, such as <Protected>. 9. For the VLANs NIC, select the physical interface that will be connected to the VLAN switch or router. For example, <eth0>. 10. Enter a description to explain the use of the VLAN, such as VLAN for marketing department 11. Click OK and then Save. Note
VLANs are not supported if using link aggregation. Bridged interfaces are supported for IPv4 only.
Figure 3.43: Creating a VLAN
Table 3.49: Creating a VLAN

Field
Disable Type DHCP Gateway IP Address Options High Availability Router Advertisement VLAN VLAN ID Interfaces Name NIC Zone A unique name used to identify the VLAN. Determine the interface zone. Options are <External>, <Protected> or <PSN>. A selection for the network interface card to associate with the VLAN. A brief description to describe the function of the VLAN. Select the High Availability checkbox if High Availability will be configured. Enabling High Availability will disable the DHCP and Gateway fields. Select to configure the router advertisement section. Select the VLAN checkbox to create the VLAN interface. The VLAN ID that matches the VLAN ID of packets to be received by the VLAN switch or router. Valid VLAN IDs are range from 1 to 4095.
Description
A toggle to disable the configured VLAN. A selection for the interfaces Type. Options are <Standard> and <Bridge>. If DHCP will be used to obtain the VLAN interfaces IP address, enable the DHCP checkbox. Enabling DHCP will disable the IP Address field. The Gateway toggle is only available if DHCP is enabled. If DHCP will not be used to obtain the VLAN interfaces IP address, enter it manually.
128
Description
SNMP Setup
SNMP (Simple Network Management Protocol) is a standard for managing IP devices and sending and retrieving data with designated hosts. In its full implementation, SNMP uses both read and write access. In GB-OS, SNMP is read-only (preventing write access security issues). SNMP data, contained in the Management Information Base (MIB) and organized in report form, helps the administrator ensure optimal performance in the managed devices. SNMP version 2 provides enhancements including security and an RMON (Remote Monitoring) MIB, which provides continuous feedback without being queried by the SNMP facility. SNMP version 3 introduced a revised nomenclature for SNMP, a new access method using authentication, and the ability to encrypt SNMP data packets. To configure SNMP, navigate to Configure>Services>SNMP. Caution
GTA strongly recommends restricting SNMP access to specific hosts in order to reduce dissemination of information about the network. Allow access to the information only from designated, secure hosts because the data could be transmitted in clear (non-encrypted) text, providing potential attack information to any unauthorized users between the host and the firewall.
Figure 3.44: SNMP Setup
Table 3.50: SNMP

Field
Enable Contact Information Location Version 2 Configuration Enable Community Enables SNMP version 2. Essentially, a password. With the password, those with access can see SNMP information and/or receive trap notifications. In the full SNMP implemenxtation, there are three community levels: read access, read-write access and trap notification. Members of a community can access information at the level allowed in the community. Enables SNMP version 3. User name assigned separately from other user authorization names. An extra layer of protection against unauthorized and undesirable interest in your network. Password for this extra authorization level. This is an encrypted password. Once entered, this field will be obscured. Select modify to enter a new password. Security levels: <AuthPriv> (Authentication, Privacy): Access to SNMP information only with both authentication and data encryption of all SNMP packets (privacy). <AuthNoPriv>: Access to SNMP information with only authentication. Enable to have the firewall generate a set of automatic policies to allow use of the SNMP service. If disabled, remote access policies must be created.
Description
Enables the SNMP service. Disabled by default. Email address of the administrator. User defined description of the administrators location.
Version 3 Configuration Enable User ID Password Security Level
Advanced Automatic Policies
129
Remote Logging Setup

GTA firewalls support remote logging of events. Remote logging provides a means to configure how and where log information is sent. Recent events are stored in a local buffer on the firewall and can be accessed under Monitor>Log Messages. Log messages can also be viewed by using GTA Reporting Suite (available separately). To enable remote logging: 1. Navigate to Configure>Services>Remote Logging. 2. Select the Enable checkbox. 3. Select the source IP address object from the Binding Interface drop down box. 4. Enter the server IP address and port number in the Syslog Server field. See Reference E: Log Messages for more information about logs and default logging.
Figure 3.45: Remote Logging Setup
Table 3.52: Remote Logging

Field
Enable Syslog Server
Description
Enables remote logging. Disabled by default. IP address or host name of a system that will accept the remote logging data. Data can be accepted by any program that accepts the syslog protocol. The port is 514 by default. To enter a different port number, use the standard format, e.g. 192.168.71.2:514 or example.gta.com:514. Address from which logging is sourced. <Automatic> by default. Selecting <Automatic> will indicate the firewalls usual source IP address to the syslog server location. To force the logging packets to have a specific source IP address, choose the interface object from the drop down menu. Logs information associated with any policy that has logging enabled. Any attempts at unauthorized access will be logged to the policy log stream. Logs information associated with Network Address Translation. Essentially, outbound packets. Logs all URLs accessed through the firewall.
Advanced Binding Interface
Facility Policy Facility NAT Facility WWW Facility
130
WELF (WebTrends Enhanced Log Format)

The remote logging facility uses the WebTrends Enhanced Logging Format (WELF) to record log messages. The following table shows the fields used: Table 3.53: WELF Fields
Field
id time fw pri rule
Description
Type of record. Local date and time of the event in UTC format. Firewall logging the event. Event priority: 0=emergency, 1=alert, 2=critical, 3=error, 4=warning, 5=notice, 6=information, 7=debug. Index number of the item that triggered the entry. Protocol or service used by the event. Time required for the event operation, in seconds. Number of bytes transferred from source to destination. Number of bytes transferred from destination to source. IP address that generated the event. Port number where the event was generated. IP address where NAT was performed for the event. Port number where NAT was performed for the event. IP address that received the event. Port number where the event was generated. Network interface where the event occurred. User name. For HTTP and FTP, an operation such as GET or POST. For HTTP and FTP, this is the URL. Specific VPN object shows the most used connections. Local or Surf Sentinel category: e.g. Local Accept or Deny List item; Drug Culture or Pornography. Action performed by the filter: Block or Pass. Security policy description: Default, OBP - Outbound Policy, IBP - Inbound Policy, VPN - IPSec VPN, PPTP - PPTP Remote Access, L2TP - L2TP Remote Access, SSL - SSL Remote Access, ATP - Automatic Policy Security policy action: Block or Accept. Details events such as a VPN starting, the configuration changing, or a port scan being detected; also captures the index/rule number of the generating filter or facility. Action taken when the policy was triggered, e.g. Alarm, Email, Stop.
proto sent src nat dst
duration rcvd srcport nat_port dstport interface user op arg
vpn
cat_type cat_action pol_type
pol_action msg
attribute
To learn more about WELF, please refer to www.netiq.com/partners/technology/welf.asp.
131
Unix Facilities
A syslog service (daemon) that can accept and record the log data is a standard feature on Unix or Linux operating systems. GB-OS logging provides for Unix syslog, as well as auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, news, ntp, security, user, uucp and local0 through local7. Since syslog redirects logs to another location, a configuration file must direct the log stream to a file or receiving software. The priority (set on each policy definition under the Advanced tab) is used by the remote log host to determine if and where the information in the syslog log stream should be displayed or stored.
Policy
Policy log messages are generated due to a policy rule, either explicit or automatic. Policy messages are logged by default to local1.
NAT (Network Address Translation)

Network Address Translation log messages are generated due to a NAT action, which can be both outbound traffic and inbound tunnel traffic. All NAT messages are logged by default to local0 and NAT session closes are logged at priority. Notice, and NAT session opens are not logged.
WWW
WWW log messages are generated when an outbound HTTP access occurs. The complete URL is logged. By default, all HTTP URLs are logged to local2. Log messages are sent at priority Notice.
132
Threat Management
4
133
Threat Management
Threat Management covers the configuration of GB-OS standard threat management features, which ensure unhindered user productivity by defending against dynamic Internet-based threats. Threat management features described in this chapter are: Intrusion Prevention System (IPS): IPS acts as a front line defense to safeguard your network against Internet-based attacks. Powerful policy definitions create a secure, tailored solution that helps protect against the theft and destruction of sensitive data. Mail Sentinel: Mail Sentinel allows you to take back control of your email. Basic Mail Sentinel features allow for customized email delivery settings. Use the Mail Sentinel Anti-Virus feature and the Mail Sentinel Anti-Spam subscription based option to unlock Mail Sentinels full potential as a gateway-level solution. Surf Sentinel: Surf Sentinel assists organizations by reducing risk of legal and privacy issues with the implementation of Internet content filtering on a per policy basis. When the Surf Sentinel content filtering subscription based option has been activated, Web requests are not only filtered by policies, but by rating categories as well. GTAs full featured threat management suite of products provides a robust gateway level solution. While enabling all services will provide the greatest level of protection possible, it may affect network performance, especially during high traffic loads. GTA Firewall UTM Appliance administrators should adjust configuration settings to ensure a proper balance between performance and threat management. Note
30-day evaluations are available for Mail Sentinel and Surf Sentinel. Simply click on Request Evaluation besides the specific header on the System Overview screen or visit the GTA Web site at www.gta.com/options.
Caution
The GB-250 and GB-250e were designed for small business networks, yet offer a full complement of threat management and network services to allow administrators to select the features that best match their needs. In order to provide network administrators with the broadest range of choices, GTA offers all threat management features (IPS, Mail Sentinel Anti-Spam, Mail Sentinel Anti-Virus, and Surf Sentinel Content Filtering) on the GB-250 and GB-250e. Additionally, many advanced network services (traditional and transparent proxy, authentication server, SNMP server, DHCP server, and VPN) are also available on these units. However, the hardware specifications of these products necessitates limitations on utilizing every threat management and network service, as each additional service places greater demands the firewalls CPU and memory. Firewall administrators should carefully select which threat management features and network services to activate on the firewall, and monitor the results to prevent undesired interruptions of service. By activating all threat management and network services it is possible to exceed the available resources of the GB-250 and GB-250e. Should enabled services exceed the GB-250 or GB-250es resources, administrators will notice that GB-OS will restart enabled services as they exceed available memory and will generate a log message. These periodic restarts may result in a temporary loss of enabled services or network connectivity. GB-250 and GB-250e administrators with multiple threat management services should monitor GB-OS log messages to ensure continuous network connectivity. If the GB-250 or GB-250e consistently exceeds available memory, administrators should consider disabling unnecessary GB-OS services or reducing defined threat management settings. If all services are desired, administrators may wish to consider one of GTAs more powerful products, such as the GB-800 or GB-2000 Firewall UTM Appliance family, which are designed to meet the needs of more robust network implementations.
Chapter 4: Threat Management
135
Intrusion Prevention System (IPS)

As network attacks become more sophisticated, viruses and spam are not the only threats that network administrators must face. Increasingly powerful network attack tools and applications are readily available on the Internet, which makes intrusion prevention a vital component for a secure network. A successful attack or network intrusion can result in the loss of confidential information, bring the network down, or even use network resources to launch other attacks. GB-OS Intrusion Prevention System (IPS) uses robust signature-based policy definitions to recognize attacks and protect against network anomalies. IPS carefully analyzes traffic and automatically blocks attacks before they can reach the network. Administrators are notified of intrusions and intrusion attempts using either log messages or email alerts. GB-OS comes with a standard set of policies that are designed to help create a powerful, customized IPS configuration. GTA Firewall UTM Appliances that have a current GTA support contract and IPS activation code can receive automatically updated IPS policies. Administrators can incorporate these updated policies into their IPS configuration as new security threats are identified. Although IPS settings are configured using the IPS Setup Wizard or the IPS proxy and IPS policy screens, IPS settings are applied when defining security policies, security policy preferences and inbound tunnels. Security policies and inbound tunnels that have the IPS checkbox enabled will have GB-OS IPS settings applied to their traffic. If the IPS checkbox is not enabled in a security policy or inbound tunnel, traffic allowed by the security policy or inbound tunnel that would otherwise be restricted by IPS settings will pass through the firewall unhindered. Note
For more information on selecting the IPS checkbox in a security policy and inbound tunnels, see Creating Advanced Security Policies and Creating Inbound Tunnels in Advanced Setup Tasks.
Figure 4.1: The IPS Checkbox in a Security Policy (Left) and an Inbound Tunnel (Right)
To effectively use IPS, a network administrator is required to monitor and analyze log messages in order to determine the nature and potential threat of an attack. Small businesses or home offices that do not have a dedicated network administrator may find themselves overwhelmed with log messages. The IPS Setup Wizard is designed to help such users by providing a simple two-step configuration process. IPS settings can either be configured using the IPS Setup Wizard or manually using the IPS proxy and IPS policies screens. The IPS Setup Wizard is designed to quickly configure and define settings to establish an Intrusion Prevention System for network traffic. Manually defining the IPS proxy and IPS policies allows for a custom, tailored IPS solution.
136
Running the IPS Setup Wizard

The IPS Setup Wizard is used to configure and define IPS settings suitable for most networks. Settings are defined for a group of similar exploits and anomalies. For example, if the IM Clients group toggle is selected, GB-OS will handle all IM client traffic according to settings applied by the IPS Setup Wizard. When defining settings for a group, the following actions may be available: Block: The Block action blocks all traffic related to the selected group from passing through the firewall. Protect: The Protect action protects all traffic related to the selected group by blocking known vulnerabilities while allowing legitimate traffic to pass through the firewall. Log: The Log action logs all traffic related to the selected group. For example, an administrator would like to protect a network from vulnerabilities that stem from IM client traffic. To do so, the administrator will use the IPS Setup Wizard and select the IM Clients toggle. Since the administrator wants to protect against IM client vulnerabilities, and does not want to block all IM client traffic, they will select the Protect option from the pull down. After saving the IPS Setup Wizards settings, GB-OS will now protect the network from known exploits and vulnerabilities related to IM client traffic. To run the IPS Setup Wizard, navigate to Wizards>IPS Setup. 1. The first screen of the wizard will allow you to select the groups to configure, and whether GB-OS should block or protect traffic related to the selected groups. Once settings have been configured as desired, select the Next icon to continue. Note
Configuring IPS settings for a network that does not receive traffic related to a group can add unnecessary overhead and may impact network performance. For example, IPS settings designed to protect against known Web server vulnerabilities should not be enabled if the GTA Firewall UTM Appliance is not protecting any Web servers.
Figure 4.2: Protecting IM Clients Using the IPS Setup Wizard
2. The final screen of the IPS Setup Wizard is a summary view of all entered settings. Please review the wizards settings prior to committing the displayed configuration. To make changes to your setup, select the Back icon to return to the appropriate screen. Click the Save icon to save the displayed configuration, or select the Cancel icon to abort.
Figure 4.3: Reviewing the IPS Setup Wizards Settings

137
Configuring the IPS Proxy

The IPS proxy contains settings to enable the IPS service, the IPS rule set as well as performance tuning options. If the GTA Firewall UTM Appliance has a valid GTA support contract and an IPS activation code, administrators can elect to have GB-OS automatically download updated IPS policies as they become available. Up-to-date IPS policies provide an additional level of defense against known exploits and anomalies. As new IPS policies are downloaded into GB-OS configuration, administrators can configure them as desired. To automatically download new IPS policies from GTA servers, select the Subscription option from the Rule Set pull down. If the IPS Setup Wizard has been previously used to configure IPS settings, a Wizard Settings box will be visible. The Wizard Settings box displays a summary of the settings applied by the IPS Setup Wizard and contains a Persistent checkbox. If the Persistent checkbox is enabled, the IPS proxy will persistently use settings defined by the IPS Setup Wizard and will lock configuration options for the IPS policies screen. Disabling the Persistent checkbox will result in the loss of all settings applied by the IPS Setup Wizard. To enable the IPS proxy, navigate to Configure>Threat Management>IPS>Proxy and select the Enable checkbox.
Figure 4.4: Configuring the IPS Proxy
Table 4.1: Configuring the Intrusion Prevention Proxy

Field Name
Enable Rule Set Advanced Performance Tuning Networks External Protected Any external IP the IPS applies to; not editable. A selection for the GTA Firewall UTM Appliances internal networks the IPS proxy should protect. Default is FW-Networks-Local.
Description
A toggle for whether the Intrusion Protection proxy should be enabled or not. Default is unselected. A selection for the IPS rule set used by the IPS proxy. GTA Firewall UTM Appliances that do not have a valid GTA support contract use the default rule set.
138
Table 4.1: Configuring the Intrusion Prevention Proxy

External Servers AIM A selection for the address object that contains addresses of known AOL Instant Messenger servers. A selection for defining the IP of internal DNS servers. A selection for defining the IP of internal email servers. A selection for defining the IP of internal SNMP servers. A selection for defining the internal servers allowing telnet. A selection for defining the internal Web server IP address. A selection for defining the DNS service. A selection for defining the FTP service. A selection for defining the Email service. A selection for defining the SSH service. A selection for defining the Telnet service. A selection for defining the Web service.
Internal Servers
DNS Email
SNMP Telnet Web
Services DNS FTP Email SSH Telnet Web
* Wizard settings are only displayed if the IPS Setup Wizard has been used to configure IPS settings.
Configuring Performance Tuning Settings

Additional, advanced options designed to fine tune the performance of the IPS proxy are available under the Advanced tab. Performance tuning settings can be used to improve the overall performance of the IPS proxy.
Networks
The Protected Networks pull down selects an address object that contains the networks to be protected and monitored by the IPS proxy. Assigning a protected network to the IPS proxy can improve performance and reduce the occurrence of false positives. To select two or more networks, add additional IP addresses, as required, to the address object. Note
If no network is selected for the Protected Networks pull down, Intrusion Prevention will monitor and analyze all traffic, which may impact network performance.
External Servers
The AIM pull down selects an address object that contains IP addresses of known AOL Instant Messenger (AIM) servers. By enabling the IPS policies related to AOL Instant Messenger traffic, network administrators can effectively restrict access to AOL Instant Messenger and other similar chat programs.
Internal Servers
The internal servers section allows the administrator to further define the specific internal servers for which the IPS policies will apply.
Services
The services section allows the administrator to further define the specific services for which the IPS policies will apply.
139
Configuring IPS Policies

IPS policies define which traffic is allowed to pass through the firewall to the networks protected by the IPS proxy. Each IPS policy contains specific criteria that checks for known vulnerabilities and weaknesses. By default, the majority of the IPS policies are disabled to prevent interference with legitimate traffic. For each enabled IPS policy, configure the action the policy should perform against any packet that triggers it. Three actions are available when configuring an IPS policy: Drop: GB-OS drops the packet that triggered the IPS policy. Pass: GB-OS allows the packet that triggered the IPS policy pass through the firewall. Reset: GB-OS drops the packet that triggered the IPS policy and sends a reset to both the client and server. IPS policies that are designed to protect against similar vulnerabilities are organized into groups. For example, all IPS policies that detect known P2P (peer to peer) vulnerabilities are organized in the P2P group. Administrators who wish to block all P2P traffic can filter displayed policies that contain P2P in their group name, enable them and select their Action to drop all packets. Note
Disabling unneeded IPS policies can improve system performance and reduce the amount of log messages generated. For example, IPS policies designed to protect against known Web server attacks should be disabled if the GTA firewall is not protecting any Web servers.
To configure IPS policies, navigate to Configure>Treat Management>IPS>Policies.
Figure 4.5: Defining Intrusion Prevention System Policies
Table 4.2: Configuring Intrusion Prevention Policies

Field
Enable Log Alarm
Description
Enables the IPS policy. If enabled, GB-OS will generate a log message when the policy is triggered. If enabled, GB-OS will generate an alarm when the policy is triggered. Selections include <Drop>, <Pass> and <Reset>. The policys group. The policys name. Clicking the policies name will launch a new browser window with detailed information on the IPS policy. The policys unique ID.
Action Group Name ID
140
Filtering Displayed IPS Policies

GB-OS ships with a diverse set of IPS policies designed to protect networks from a variety of attacks. Displayed policies can be filtered down to a more manageable amount by using filtering options located along the top of the IPS policies screen. The Up and Down arrows allow for navigation through the displayed policies. Adjusting the displayed rows changes the number of policies shown on each page. Note
Displaying 500 or more rows per page may impact the Web browsers performance.
Under the Advanced tab are additional filtering options. Each column has a set of options that can be used to sort through the available IPS policies. Filtered columns will have the filter icon displayed next to the column name change from blue to red. Once filtering options have been configured as desired, select the Filter icon to display the filtered results. For example, to display only IPS policies that have been enabled, select Enable from the Column pull down, toggle the Filter checkbox on and select Yes from the Field pull down. Then select the Filter icon to display only IPS policies that have been enabled.
Figure 4.6: Filtering Displayed IPS Policies
141
Mail Sentinel
Mail Sentinel can be used to shield an internal email server from unauthorized access and reduce unsolicited email (spam). Basic Mail Sentinel features provide a foundation that allows you to control your email by utilizing customized policies. The Mail Sentinel Anti-Virus feature and the Anti-Spam subscription option build upon the capabilities of the basic feature set by adding a strong defense at the perimeter that safeguards against unsolicited spam and viruses (subscription charges apply). Mail Sentinel configures an SMTP (Simple Mail Transfer Protocol) email proxy for inbound email on TCP port 25. To enable the Mail Sentinel email proxy, navigate to Configure>Threat Management>Mail Sentinel>Proxy and select the Enable checkbox. Mail Sentinels connection settings define how long an idle connection to an email server should remain active, as well as the maximum number of simultaneous connections Mail Sentinel should allow. Note
For information on instructions on configuring the Mail Sentinel Anti-Virus feature and the Mail Sentinel Anti-Spam subscription option, please refer to the Mail Sentinel Feature Guide.
Figure 4.7: Enabling Mail Sentinel
Table 4.3: Configuring the Mail Sentinel Proxy

Field
Enable Connection Timeout Maximum Connections The amount of time before Mail Sentinel will drop an idle connection. The number of simultaneously allowed connections. The maximum number of connections for GB-250, GB-800, and GB-Ware 10 user license is 50. GB-2000 has a maximum of 1000 connections and GB-3000 and GB-Ware unrestricted have a maxium number of 5000 connections.
Description
Enables the Mail Sentinel proxy.
Advanced Options Automatic Policies Enables GB-OS to automatically configure the necessary security policies to allow Mail Sentinel to operate.
142
Mail Sentinel Policies

With every email message, Mail Sentinel must choose to accept or deny transmission. Mail Sentinel policies contain the criteria that cause an email to be accepted or denied (much like white lists and black lists), and can define the destination server. Policies also contain Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus options which you may apply on a per-policy basis. By default, the Mail Sentinel email proxy denies all email. This default will be enacted if an email does not match any listed policy. To ensure that email is not rejected by default, at least one policy of type <Accept> must be created. Note
Mail Sentinel policies are evaluated in the order in which they are listed. When the email proxy receives an email, policies are each tested for matching conditions. Once an email property is matched with a policy indicating acceptance or denial, that policy action is performed and no further policies will be tested for matching. If the policy list has been exhausted but no match has been found, the email will be rejected.
Policies accept or deny email based upon address objects, reverse DNS, message size, mail exchange (MX) or mail abuse prevention system (MAPS) criteria. Using multiple policies in conjunction can sort email types to different destination SMTP servers. When considering the destination domain for a policy match, three cases arise: No email recipients match the policys destination domain One or more email recipients match the policys destination domain All the email recipients match the policys destination domain If no email recipients match, Mail Sentinel checks the next policy for a match. Behavior for the other two cases is controlled by the Match All Addresses check box: when unchecked, any one or more matching email recipients will cause a policy match, but when checked, all of the email recipients must match to cause a policy match. To create a new Mail Sentinel policy, navigate to Configure>Threat Management>Mail Sentinel>Policies and click the New icon. Note
To accept or reject email regardless of their file size, enter 0 (zero) as the maximum file size in your Mail Sentinel policy. A maximum size of zero does not mean that only email with no file size will be considered; instead, it means that the size limit consideration has been removed from the policy.
Caution
The IP address receiving email from Mail Sentinel should not simultaneously have an inbound tunnel on TCP port 25 because this will bypass the email proxy, and could compromise your security.
143
Figure 4.8: Configuring Mail Sentinel Policies
Table 4.4: Configuring Mail Sentinel Policies

Field
Disable Description
Description
Disables the configured Mail Sentinel policy. Enter a description to explain the function of the policy. Specifies which email server should receive email if the policys criteria has been matched. Specifies the action that should be done to an email matching the source, destination and other criteria. <Accept> allows transmission while <Deny> disallows it. Specifies a source (sender) match criteria for email. Only address objects of type All or Mail Sentinel are available for selection. Specifies a destination (recipient) match criteria for email. Makes a DNS MX (Mail Exchanger) recorded query that tries to match the target IP address to the recipient in the SMTP mail header. The email is rejected if there is no match, preventing the domain from being used to relay email to other domains.
Email Server Type
Source Address Destination Address Match Against MX
144
Table 4.4: Configuring Mail Sentinel Policies

Field
Match All Addresses
Description
If checked, the policy will match only if all email recipients contain the destination address. If unchecked, the policy will match if any one or more email recipients contain the destination address. If enabled, the policy will perform a Reverse DNS lookup on the remote host and refuse the connection if the lookup fails to match the hosts offered identity. The maximum size (in kilobytes) of an email message to be accepted. Configuring a maximum size can prevent email bombs (large attachments that cause problems for email clients). Enter a value of 0 to allow any email message size. MAPS; a special DNS server that contains only reverse DNS entries of known spam servers. Enables the Mail Sentinel Anti-Spam service. Rejects email evaluated as confirmed spam if enabled. Rejects email evaluated as suspect spam if enabled. Enables the Mail Sentinel Anti-Virus service. Rejects email containing known viruses if enabled.
Email to Block Reject if RDNS Fails Maximum Size
Mail Abuse Prevention System Mail Sentinel Anti-Spam * Enable Reject Reject Mail Sentinel Anti-Virus Enable Reject
Mail Sentinel Anti-Spam - Confirmed *
Mail Sentinel Anti-Spam - Suspect *
*The Mail Sentinel Anti-Spam subscription option is purchased separately. Feature activation codes must be entered before Mail Sentinel Anti-Spam subscription options can be utilized. Instructions for Mail Sentinel Anti-Spam and/or Mail Sentinel Anti-Virus are available in the Mail Sentinel Feature Guide.
Defining Email White (Allow) or Black (Deny) Lists

White lists and black lists consist of policies set to unconditionally accept or deny connections from a group of email servers. For example, you may wish to white list the email server of a known business partner to accept all email from that IP, or black list a known spam server to reject all email from that IP. To define a white (allow) or black (deny) list: 1. Create an address object of type Mail Sentinel (you may use the pre-defined white list and black list defaults as templates). 2. Add the IP addresses from which you want to accept or deny transmissions and save the object. 3. Save the address object. 4. Create Mail Sentinel policy that specifies an accept or deny action for that address object. Click the OK and then the Save button. To ensure that your white list or black list has priority over other policy rules, place it at the top of your Mail Sentinel policy list. White listing or black listing by source, destination, or a combination of the two may have very different effects. For example, black listing a sender (source) will prevent everyone on your network from receiving email from that source; however, setting a destination of employee@example.com in addition to a source will block email from that source only when it is sent to employee@example.com. Conversely, setting a white list for all email with a destination of sales@ example.com would allow anyone to email that address, but allow you to black list sources sending to any other destination in subsequent policies. A combination of policy order (priority) and source and/or destination contents can provide for complex email accept and deny rules.
145
RDNS (Reverse DNS)

Selecting the Reject If RDNS Fails check box can prevent the reception of spoofed or spam email. It performs a reverse DNS lookup on the IP address of the remote host trying to make an SMTP connection, and then compares it to a DNS lookup of the offered host name. If the lookup fails or domain name and IP address records dont match (as may be the case with illegitimate mail servers), the connection is refused. RDNS requires a defined DNS server to function correctly. Note
If Reject If RDNS Failed is selected, legitimate hosts with misconfigured DNS entries will not be able to deliver email to your domain.
Defining a Mail Abuse Prevention System (MAPS)

When deciding to accept or reject email, you may wish to check the message for criteria known to a Mail Abuse Prevention System (MAPS). When validating email connections, you may use one of the pre-defined MAPS or specify a custom MAPS by using an Email Abuse type address object. A custom MAPS object may refer to a MAPS provider (such as zen.spamhouse.org and list.dsbl.org) or to your own MAPS server. A MAPS server is a DNS server whose reverse DNS entries are spam servers. Any name resolved by the MAPS server therefore indicates that the email originated from a spam server. Additional information on creating your own MAPS server or subscribing to MAPS services is available from many sources. To specify which address object to use as a MAPS, select an object from the pull-down menu labeled Mail Abuse Prevention System under the Email To Block heading in your Mail Sentinel policy. To define a custom MAPS solution: 1. Create an address object of type Mail Sentinel and name it MAPS server. 2. Specify your domain name or IP address under the Address field and add a Description if you wish. Note that you can define multiple MAPS servers in a single address object; this can be useful if the first MAPS is slow or unresponsive. 3. Save the address object. 4. In the Mail Sentinel policy, select the Mail Abuse Prevention System toggle and select the previously defined address object. To finalize your MAPS object definition, click the OK and then the Save button.
146
Surf Sentinel
With every Web page request, GB-OS must choose to accept or deny transmission. Surf Sentinel controls Web site access based upon the domain name and content of the site. Surf Sentinel policies allow the use of the Surf Sentinel subscription option (subscription charges apply). Note
Surf Sentinels performance relies on an efficient, enabled DNS server.
Surf Sentinel requires the use of an HTTP proxy. The Surf Sentinel Proxy section allows the administrator to specify a traditional proxy, a transparent proxy, or both. In addition, an action concerning blocked content can be selected. Note
For information on instructions on configuring the Surf Sentinel subscription option, please refer to the Surf Sentinel Feature Guide.
Configuring the Surf Sentinel Proxy

To configure the Surf Sentinel HTTP proxy, navigate to Configure>Threat Management>Surf Sentinel>Proxy.
Figure 4.9: Configuring the Surf Sentinel Proxy
Table 4.5: Configuring the Surf Sentinel Proxy

Field
Traditional Proxy Enable Port Advanced Automatic Policies A toggle for whether the firewall should automatically generate the required policies for the email proxy to function. If unselected, it is necessary to define remote access policies. Enables the transparent proxy. Disabled by default. A selection for the action to be performed when a request for blocked content is performed. If <Use message> is selected for the Action, the message will be displayed. If <Redirect to URL> is selected for the Action, the user will be directed to the entered URL. Enables the traditional proxy. Disabled by default. The port through which the proxy will run. Default is 2784.
Description
Transparent Proxy Enable Block Action Action Message
URL
147
Enabling the Traditional Proxy

When the firewall is operating without Surf Sentinel enabled, it does not use a proxy. When the HTTP proxy is used in conjunction with a Web filtering facility, it runs on TCP port 2784 by default. To run the HTTP proxy on a different port, enter the desired port number in the Port field. In order to enable access to the traditional proxy, a remote access policy that allows connection to the entered Port value must be configured and enabled. The traditional proxy requires users located on protected networks to have browsers configured to use a proxy connection with the proxy IP address and port number. Only users specifying the traditional proxy port will use Web filtering for their traffic.
Transparent Proxy
This method is invisible to users located on the protected network. No modification to their browsers settings is required, and there is no Port field. The transparent proxy allows the firewall to filter and mediate HTTP traffic transparently to end users. The following are inspected by the transparent proxy: Port 80 Port 8000 Port 8080 (http) Port 433 (https) HTTP represents URL based filtering, while HTTPS represents DNS and IP adress basaed filtering.
Block Actions
If a policy blocks a Web address (URL) and a user attempts to load a page from that address, the user will see a custom message, or be redirected to a URL (e.g., an internal Web site that defines the companys Internet policies and the administrative process to gain access to a blocked Web site).
Surf Sentinel Policies

Surf Sentinel policies contain the criteria that cause a Web page to be accepted or denied and define any scripts or applets that should be blocked. Note
Surf Sentinel policies are evaluated in the order they are listed. When the firewall receives a Web page request, policy rules are each tested for matching conditions. Once a Web page request is matched with a policy indicating acceptance or denial, the policys actions are performed and no further policies will be tested for matching. If the policy list has been exhausted and no match has been found, the Web page will be denied.
By default, Surf Sentinel denies all Web page requests. This default will be enacted if a Web page request does not meet any listed policy. To ensure that all Web page requests are not rejected by default, at least one policy of type <Accept> must be in place.
148
To configure Surf Sentinel policies, navigate to Configure>Threat Management>Surf Sentinel>Policies and click the New icon to create a new policy.
Figure 4.10: Configuring Surf Sentinel Policies
Table 4.6: Configuring Surf Sentinel Policies

Field
Disable Description Source Address Time Group Advanced Authentication Required HTTPS Filtering Destination Address Enable to require user authentication. A selection for restricting access based on the destination address. Enable filtering of https protocols. Enable to use the firewalls local allow list by selecting its address object. Enable to use the firewalls local deny list by selecting its address object. Enable to use the Surf Sentinel Categories list. Enable to block ActiveX controls. Enable to block Java applets. Enable to block Javascript. Enable to block unknown HTTP commands and unencrypted HTTP protocols. Specify allowed or blocked Surf Sentinel categories. Switch a category from one list to the other by selecting the item and clicking the left or right arrow button.
Description
Disables the policy. A description for the policy. If a request matches an element of the specified address object of type Surf Sentinel, the packet will be compared to the policy. Select a user-defined time group in which the policy will be enabled. Time groups are defined at Configure>System>Objects>Time Groups.
Content Filtering Facilities Local Allow List Local Deny List Surf Sentinel *
Content Blocking ActiveX Objects Java Javascript
Unknown HTTP Commands Surf Sentinel Categories * Accept / Deny *
* Requires a feature activation code and a valid Surf Sentinel subscription (purchased separately).
149
Local Allow and Deny Lists

Local allow and deny lists allow customization of content filtering using customized address objects. You can choose to execute all content filtering locally, allow access to sites that are disallowed by another content filtering facility or deny access to sites that are otherwise allowed. To add domain names to the local allow and deny lists: 1. Navigate to Configure>System>Objects>Address Objects. 2. Select the local list you wish to edit. 3. In the Address field, enter the desired domain name and an optional description. 4. For additional domain names, select the Add button for additional rows. 5. Click OK and then Save. Enter domain names in the following format: example.com. WWW and other such subdomain prefixes (www2, www3) limit the effectiveness of the local allow or deny lists. For example, the value www. example.com only accepts or denies access for the specific site only, not to sites such as www2. example.com or subdomain.example.com. Thus, if you wish to block an entire domain and all of its subdomains, enter example.com. Additionally, you may use regular expressions to create more elaborate local allow and deny lists. See Using Regular Expressions for more information.
Figure 4.11: Editing Local Allow List
Content Blocking
Portable code blocking for ActiveX objects, Java, Javascript and unknown HTTP commands can protect your network from malicious programs such as viruses spread by Web pages (applets or scripts appear in inbound TCP ports 80 and 8080). In addition to blocking mobile programs embedded in Web pages, Content Blocking can also prevent tunneled, unencrypted non-HTTP connections over standard HTTP ports. Non-HTTP protocols (such as FTP) or unknown HTTP commands may be transmitted over standard HTTP ports. For example, if your firewall is configured to allow only Web traffic, this may indicate an effort of internal network users to bypass your policy by redirecting blocked non-HTTP protocols ports to open HTTP ports. To block transmission of non-standard HTTP commands and unencrypted non-HTTP protocols over HTTP ports, check the Unknown HTTP Commands box in the Content Blocking section.
150
Surf Sentinel Categories

Surf Sentinel is a subscription option that provides firewall system administrators with a user-friendly interface and easy access to an exhaustive list of Web categories for content filtering. Surf Sentinel is superior to local allow and deny lists alone. Using local allow and deny lists, an administrator is able to enter only a limited number of URLs. With Surf Sentinel, the administrator can easily allow or deny whole categories of content. Local allow and deny lists then allow further customization. Specific time groups can also be applied to Surf Sentinel policies, allowing the administrator to specify more or less access during various time periods. Surf Sentinel is specifically designed for firewalls as a content filtering solution. It features a small, ultra-light footprint. An annual subscription for Surf Sentinel can be purchased from GTA, or through an authorized GTA Channel Partner. With your subscription, use the Surf Sentinel Feature Guide, which provides more information and understanding on using Surf Sentinel categories.
Creating Advanced Surf Sentinel Policies

Surf Sentinel policies contain additional, advanced settings. Policies can require user groups to authenticate with the firewall using GBAuth as well as control Internet access based on the destination address. Restricting access by destination address is useful if the administrator wishes to block content on a certain Web site, such as ActiveX objects. Regular expression can also be used when defining the policys Destination Address. For example, entering a value of *.edu will result in a policy match whenever a destination address ending in .edu is entered. Caution
Using regular expression in policy definitions may result in an unexpected policy match. See Using Regular Expressions for more information on using regular expressions.
Advanced settings for Surf Sentinel policies are configured from Configure>Threat Management>Surf Sentinel>Policies under the Advanced tab.
Figure 4.12: Advanced Surf Sentinel Policies
Table 4.7: Advanced Surf Sentinel Policies

Field
Authentication Required Destination Address
Description
Enable to require users to authenticate with the GTA firewall using GBAuth. When enabled, a pull down will appear with configured user groups that will have the policy applied to them. A selection of address objects that are of type Surf Sentinel. Select <USER DEFINED> to manually enter a destination address.
151
Monitoring Reports & Administrative Tools
5
153
Monitoring, Reports, and Administrative Tools

This chapter details the administrative tools which are available, monitoring capabilities such as viewing activities, and reporting features.
Administrative Tools
The Tools section under the Monitor action button contains a number of tools useful for administrating and troubleshooting the firewalls configuration.
Interfaces
The Interfaces configuration screen, located at Monitor>Tools>Interfaces, allows a network interface on the firewall to be <Up> (capable of sending/receiving packets), or <Down> (incapable of sending/receiving packets). Caution
Disabling the network interface on which your computer resides will result in loss of connectivity to the firewall.
Figure 5.1: Configuring Firewall Interfaces
Network Diagnostics
The Network Diagnostics configuration screen, located at Monitor>Tools>Network Diagnostics, contains ping and trace route tests, which are useful for verifying connectivity.
Ping
The ping function executes the network ping connectivity test by using the ICMP protocol. The ping is executed from the GTA firewall, not from your computer. Pinging an IP address is useful for verifying connectivity from the firewall to any target host on the external or internal network. The firewall will attempt to send five ICMP ping packets to the target destination and will display relevant statistics. Note
Pinging IP addresses instead of domain names is recommended when possible, as it eliminates the possibility of DNS errors. Pinging a domain name may only function when a DNS proxy or DNS server has been enabled.
Chapter 5: Monitoring and Administrative Tools
155
To ping an IP address or domain name: Navigate to Monitor>Tools>Network Diagnostics and select the Ping radio button. In the Host field, enter the desired IP address or fully qualified domain name to ping. If an IP address is entered, it must be entered in dotted decimal notation. Click the Submit to execute the ping command.
Figure 5.2: Pinging an IP Address
Figure 5.3: Reviewing Ping Results
Trace Route
The trace route function performs a routing trace from the firewall to a designated IP address or domain name. Like Ping, Trace Route is useful for testing network connectivity. To determine whether a route to an Internet host is viable, the trace route function launches UDP probe packets with a short time to live (TTL), and then listens for an ICMP time exceeded reply from a gateway. When the trace is active, three probes are launched from each gateway, with the output showing the TTL, address of the gateway, and round trip time of each probe. Note
Performing a trace route on IP addresses instead of domain names is recommended when possible, as it eliminates the possibility of DNS errors. Tracing a domain name may only function when a DNS proxy or DNS server has been enabled.
To perform a trace route: Navigate to Monitor>Tools>Network Diagnostics and select the Trace Route radio button. In the Host field, enter the desired IP address or fully qualified domain name to ping. If an IP address is entered, it must be entered in dotted decimal notation. Click the Submit to execute the trace route command.
Figure 5.4: Tracing a Domain Name
Figure 5.5: Reviewing Trace Route Results
156
Shutdown
The Shutdown configuration screen, located at Monitor>Tools>Shutdown, contains halt and reboot services. Under the Advanced tab, selecting the disk purge options for historical statistics, IPS and Mail Sentinel will clean up all old files.
Figure 5.6: Shutting down the Firewall
Note
GTA recommends halting the system prior to disconnecting the firewall to ensure proper shutdown. Additionaly, use the reboot feature as necessary.
Halt
Halt properly shuts down all services, preparing the firewall so it can be powered off. Once halted, the firewall must be restarted from the Console interface or be physically reset.
Figure 5.7: Halting the Firewall
Reboot
Reboot restarts the firewall.
Figure 5.8: Rebooting the Firewall
157
Audit Events
Audit Events, located at Monitor>Audit Events, contains a log of activity performed by administrators to the firewalls configuration. Normal events are displayed in black text, while warnings and higher priority events will be displayed in red. The audit events are divided into two sections: access and system.
Viewing Firewall Logs

Recent event messages are locally stored in a buffer on the firewall. The size of the buffer is dependent on the GTA Firewall UTM Appliances memory configuration. When the buffer is filled, it will begin writing over the oldest data. Log messages are displayed in reverse order, with the most recent message appearing at the top. Messages are written in the standard WebTrends Enhanced Log Format (WELF). Warning messages are displayed in red. For more information on interpreting log messages, refer to Reference E: Log Messages. To view log messages, navigate to Monitor>System>Log Messages. The Log Messages menu allows for log messages to be viewed in their entirety by selecting the All menu item, or they can be filtered based upon menu selections such as Connections or Management. The display is static; if you wish to update the list, click the Refresh button, or configure the Refresh button to automatically reload after a desired time frame.
Figure 5.9: Viewing Firewall Logs
158
Viewing Activity
The Activity section under the Monitor action button provides direct access to firewall account, network, threat management and VPN statistics. System data is continuously updated, so activity snapshots will always be current. Some statistics may not appear if they are not activated in your configuration. Data displayed on-screen is static; to update the displayed data click the Refresh button located along the top of the screen, or configure the Refresh button to automatically reload after a desired time frame. To review system activity navigate to Monitor>Activity. Note
All activity reported is based upon the firewalls Live Mode configuration.
Accounts
Accounts activity, located at Monitor>Activity>Accounts, displays statistics for authenticated users and failed authentication attempts.
Authenticated
Authenticated tracks access by users authenticated through the firewall with GBAuth for GTA, GB SSOAuth, LDAP and RADIUS authentication. The record includes: The outbound users name as defined in Configure>Accounts>Authorization The LDAP configuration or the RADIUS configuration The GBAuth Identity field The source IP address The users group The number of minutes the user has been active, and when their lease expires (if applicable) The last column, lease duration (time remaining), applies only to mobile VPN users. If a user is actively connected with the GTA Mobile VPN Client, the lease will renew each time a request is made. If the user remains inactive for the timeout period, the lease duration column will report an expiration until the license is required for another user or the original user renews the lease. Note
Flush Authenticated Users: Flush will drop all authenticated users from the firewall. Users will need to reauthenticate.
Locked Out
Locked Out lists IP addresses from which unsuccessful login attempts exceed the threshold number of attempts set in the Configure>Accounts>Preferences Lockout Threshold field. A failed logon attempt occurs when the wrong firewall administration user name and/or password has been entered. The duration shows how long the IP address will be locked out and is expressed as a count-down, (e.g. if the administrator has set five minutes as the lockout duration, the counter will start at 00.05.00 and count down to zero (00.00.00)). At that time, the user may again attempt logon from the IP address. When the lockout time duration expires, the IP address will disappear from Locked Out.
159
Sessions
Sessions displays recent firewall account sessions. Information displayed includes the user, the location from which the firewall was accessed, whether or not the user has administrative priveledges, SSL and the duration of the session.
Network
Network activity, located at Monitor>Activity>Network, displays statistics for the ARP table, connections, routes and more.
ARP Table
Address Resolution Protocol (ARP) is used to dynamically map host addresses to Ethernet addresses. When an interface requests a routing map for an IP address not in the cache, ARP queues the message and broadcasts a request for the map on the associated network. If a response is provided, the new map is cached, and any pending message is transmitted. ARP will queue at most one packet while waiting for a response to a map request and only the most recent packet is kept. If the target host does not respond after several requests, the host is considered to be down for a short period (20 seconds), allowing an error to be returned for transmission attempts during this interval. The error host is down indicates a non-responding destination host, and host unreachable indicates a non-responding router. The ARP Table list displays a list of currently known ARP addresses. The list displays the IP address to MAC address translations and the TTL (Time to Live) for each entry. ARP table entries are kept for 20 minutes and are scanned every five (5) minutes to check for expired entries. Once an entry is expired, the firewall will not try to re-map the address for 20 seconds.
Flushing the ARP Table

Clicking the Flush X at the top will clear the cache of IP addresses resolved by the address resolution protocol and recorded in the ARP table.
Connections
Connections displays a list of currently active inbound and outbound connections by protocol, port, type, internal, NAT and address, route, time the connection has been active and/or idle as well as packets and bytes that have been sent and received.
Figure 5.10: Connections
160
Hosts
Hosts appears only on firewalls with a restricted number of concurrent users. For the number of concurrent users licensed on your model, navigate to Monitor>System>Overview. Hosts tracks and regulates outbound access. The number of licenses used is determined by the number of IP addresses from which outbound requests are currently being made. This count includes: Connections from a protected to external network Connections from a protected to PSN Connections from a PSN to external network Outbound connections opened by a protected network or PSN when responding to requests The record includes the outbound users IP address and lease duration (time remaining). If the user continues to send outbound requests, remaining active, the lease will renew each time a request is made. If the user remains inactive for the timeout period, the lease duration column will report expired until the license is required for another user or the original user renews the lease.
Routing
Routing displays the active routing tables for BGP, OSPF, RIP, Neighbor Discovery and normal routes, which can be helpful in troubleshooting routing problems. The list displays destination, gateway and flags. Flags are defined in the table below. Table 5.1: Routes
Field
B b c C D H L
Description
Recently discarded packets. The route represents a broadcast address. Generate new routes on use. Protocol-specified generate new routes on use. Created dynamically. Destination requires forwarding by intermediary. Host entry. Valid protocol to link address translation. Modified dynamically. Host or network unreachable. Static route, manually added. Route is usable. Route was generated as a result of cloning. External daemon translates protocol to link address. Protocol specific.
M R S U X 1
161
Statistics
Statistics displays the firewalls current connections of TCP, UDP, ICMP or other protocols by utilization and bandwidth used. A summary of the information appears at the bottom of the list, including total packets, current average packets, peak average packets, date, CPU usage percentage of user process, percentage of system process, percentage of interrupt, and percentage of idle - and firewall update.
Figure 5.11: Viewing Activity Statistics
Security Policies
Security Policies, located at Monitor>Activity>Security Policies, displays a list of policies for each of the five policy types: IPSec, Outbound, Pass Through, Remote Access, SSL Client and Automatic. Information includes the policys order in its policy list (index number) the number of hits (count) and a description of the policy. Inactive time-based policies have a red asterisk (*) next to the entry.
Services
Services, located at Monitor>Activity>Services, contains statistics on DHCP lease activity.
DHCP Leases
DHCP Leases lists DHCP-assigned IP addresses and their host identities. If activated, DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses to internal hosts logging onto a TCP/IP network. It eliminates having to manually assign permanent IP addresses. DHCP dynamically updates DNS servers after making assignments.
Flushing DHCP Leases

Clicking the Flush X at the top will clear all DHCP-assigned IP addresses resolved by the DHCP Server and recorded in the DHCP Leases table.
162
Threat Management
Threat Management, located at Monitor>Activity>Threat Management, contains statistics on IPS, Mail Sentinel Anti-Spam, Mail Sentinel Anti-Virus, the Mail Sentinel proxy and Surf Sentinel. Note
Mail Sentinel Anti-Spam activities will not be available unless you have purchased and activated the Mail Sentinel subscription option. See the Mail Sentinel Feature Guide for more information.
Rejected emails are those for which a message undeliverable signal has been returned to the sender. Quarantined emails are those that have been sent to a quarantine email address. Other emails are delivered normally. Percentages are relative to the total for the section. For example, the percentage of rejected Confirmed spam email is relative to the total number of email processed by Mail Sentinel Anti-Spam, and is not relative to the total number of email processed by the email proxy as a whole.
IPS
IPS displays a statistical summary on IPS activity.
Mail Sentinel
Anti-Spam
Mail Sentinel Anti-Spam displays a statistical summary on the number of processed emails with spam, number of rejected emails that are both suspected and confirmed, number of quarantined emails that are both suspected and confirmed as well as the total number of received emails of unknown status, as well as greylisting statistics.
Anti-Virus
Mail Sentinel Anti-Virus displays a statistical summary on the number of processed emails with viruses, number of rejected emails, number of quarantined emails as well as the total number of confirmed viruses. The bottom table displays a current list of the most recent viruses identified by Mail Sentinel Anti-Virus.
Statistics
The Mail Sentinel Statistics statistical summary includes fields describing total connections, rejected and timed-out connections, as well as email processed by Mail Sentinels policies. Access Control List statistics assist troubleshooting by indicating the count of messages that triggered a Mail Sentinel policy of a given index number. The index and description columns describe which Mail Sentinel policy was triggered by email of the given number (count). Because the last time the Mail Sentinel policies were saved or changed may not be the time when the Mail Sentinel engine was last initialized, the total count of Mail Sentinel policy matches may be less than the total number of email processed by Mail Sentinel. Note
Not all email processed by the Mail Sentinel email proxy are necessarily processed by Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus, so these email totals may not be equivalent.
Surf Sentinel
The Surf Sentinel Statistics statistical summary includes fields describing total Web access and the percentage denied as well as policy counts with descriptions. Inactive time based policies are marked with a red asterisk.
163
VPN
VPN, located at Monitor>Activity>VPN, displays IPSec tunnel statistics.
IPSec Tunnels
IPSec Tunnels displays all current active IPSec tunnels. There is an inbound and outbound tunnel for each VPN connection. Table 5.2: IPSec Tunnels
Field
Security Associations Active Connections Source Destination Type Hash Algorithm State Source IP address of the gateway. Destination IP address of the gateway. The type of VPN connection. The hash algorithm used by the VPN. Values include: larval, mature, dying and dead. Larval and dead states frequently occur to quickly to be observed. The amount of time the VPN connection has been active. The amount of time the VPN connection has been idle. The number of bytes transferred by the connection. The description used in the IPSec tunnels configuration for identification. The percent of active security associations.
Description
Active Idle Bytes
Description
164
Reporting
The Reporting section, located at Monitor>Reporting, provides access to configurations, executive reports and historical statistics. Scheduling reports and defining graph perferences are available at Configure>Reporting.
Configuration
Navigate to Monitor>Reporting>Configuration, to send via email, or download, system configuration and reports. 1. Select the Format. 7-Zip and Zip require a password. 2. Customize the Subject and Comment(s) fields as neccessary. 3. Select the Configuration and Reports to be included as attachements. Reports can be generated in 7-Zip, Zip, or HTML format. 4. If Email was selected as the Format, enter the destination and orginiation email addresses. 5. Under Advanced, select the reports to be included 6. Click Submit at the top of the configuration page to download or email the configuraiton and reports.
Figure 5.12: Generating Configuration Reports

165
Executive Reports
Navigate to Monitor>Reporting>Executive, to generate an Executive Report. 1. Select the Type of report to be generated. Options include Hourly, Daily, Weekly, Monthly or Yearly. 2. Select the Format for the Executive Report. 7-Zip and Zip require a password. 3. Under Advanced, modify the data that will be generated with the report as neccessary. 4. Click Submit at the top of the page to generate and download the Executive Report.
Figure 5.13: Generating Executive Reports
Schedule Executive Reports

Executive Reports can be scheduled by navigating to Configure>Reporting>Schedule. Edit an existing schedule or select Create New. 1. Check Disable to disable a scheduled report. 2. Enter a Description for the scheduled report. 3. Choose the Type of report to be generated. Reports include Daily, Weekly, Monthly and Yearly. Note
Daily will include data from the past 24 hours, weekly the past 7 days, and monthly the past 30 days.
4. Under Advanced, select and modify the data that will be generated for the report as necessary. 5. In Schedule, designate the frequency and time at which the report will run. Executive reports can be scheduled to run daily, weekly, or monthly. Note
Reports scheduled to run monthly will run on the first of every month.
6. Under Email, customize the Subject line of the email as necessary. Enter the destination email address or email lists. 7. Click OK to save changes.
Figure 5.14: Scheduling Executive Reports
166
Historical Statistics
Historical Statistics, located at Monitor>Reporting>Historical Statistics, contains graphical information representing past activity. Activity is displayed in Hourly, Daily, Weekly, Monthly and Yearly graphs. The graphs are organized in four main categories:
System Resources - CPU, Memory, Security Associations Network Traffic - Packets Denied, Active Connections Bandwidth - Bandwidth , External Mail Sentinel - Mail Sentinel, SPAM, Rejected
Figure 5.15: Historical Statistics (Network Traffic-Packets Denied shown)
Preferences
The Historical Statistics graphs can be color-customized by navigating to Configure>Reporting>Preferences. 1. Enter the Hex code or click to use the color picker to select a color. 2. Click Save when finished.
Figure 5.16: Historical Statistics Graph Customization
167
Updating Your Firewalls Software

GTA routinely publishes updates to GB-OS. These updates provide new features and enhanced security options. When GTA publishes an update to GB-OS, availability will be announced at Configure>Configuration>Runtime>Update in the Available Update(s) section. In order to check for available updates, GB-OS requires that the firewall is registered in the GTA Online Support Center, that the firewall has access to the Internet and that SSL connections are allowed. Available updates are displayed depending on whether a current support contract is available for the GTA Firewall UTM Appliance. If there is a current support contract, the following will be displayed: The highest available patch level upgrade The latest available version of GB-OS Any intermediate versions of GB-OS that are required to upgrade to the latest available version If there is no current support contract, the following will be displayed: The highest available patch level upgrade The latest available version of GB-OS Note
Updating the GB-OS runtime always takes place as a Live Mode change.
To check for and install updates to GB-OS: 1. Navigate to Configure>Configuration>Runtime>Update. 2. In the Available Update(s) section, click the Check Now button. 3. Download the available runtime by clicking Download. The runtime will be stored on the firewall until installed. Rebooting the firewall or selecting Check now will remove the stored runtime. 4. Install the runtime by clicking Install.
Figure 5.13: Updating GB-OS
Scheduling Checks for Automatic Updates

GB-OS can automatically check for eligible software updates. By enabling automatic updates, administrators can rest assured knowing their GTA Firewall UTM Appliance is operating the most current available version of GB-OS. To schedule automatic runtime updates, navigate to Configure>Configuration>Runtime>Update.
Figure 5.14: Scheduling Automatic Updates
168
Table 5.3: Scheduling Automatic Updates

Field
Schedule Update Check Enable Frequency Day Time Email Notification Select the Enable checkbox to schedule automatic runtime updates. Select the frequency that GB-OS will check for updates. Options are Daily and Weekly. Select the day that GB-OS will check for updates. Select the time that GB-OS will check for updates. Select the Email Notification checkbox to have GB-OS email the firewall administrator when a new runtime is available, or when an automatic update has been performed.
Description
Performing a Manual Software Update

If a new version of GB-OS has been announced at Configure>Configuration>Runtime>Update, administrators can log into the GTA Support Center (https://www.gta.com/support/center/) to download the runtime. If you are not eligible for an upgrade, contact the GTA Sales staff (sales@gta.com) or your local GTA Channel Partner for information on support contracts. Once the runtime has been downloaded, navigate to Configure>Configuration>Runtime>Update and click the Advanced tab. In the Runtime section, click the Choose File button and select the runtime. The file will have an extension of .rtm. Select Upload to upload the runtime file. GB-OS will then validate the file. If it is valid, the system will install it.
Figure 5.15: Manually Updating Your Firewalls Software
Note
If upgrading to a major version (such as 5.3.0 to 5.4.0) new activation codes are required. The activation codes can be obtained from the GTA Support Center.
169
Troubleshooting
170
Troubleshooting Guidelines
Log messages, reports and activity snapshots are your first resource for general troubleshooting. This section contains useful troubleshooting procedures and frequently asked questions for solving firewall configuration errors. GTA Support recommends the following guidelines as a starting point when troubleshooting network problems:
Check your policies. Are the correct policies in place for the type of traffic you are trying to allow or disallow? Start with the simplest case of hosts directly attached to the firewall. Use IP addresses, not names. The problem could be DNS. Work with one network segment at a time.
Verify your firewall system configuration by navigating to Configure>Verify. The verification check is the best method of ensuring that your system is configured correctly. Correct all errors and warnings listed. Your first tests should be connectivity tests. Ping and traceroute are very useful tools for testing connectivity.
Make sure the network cabling is connected to the correct network interface. Some useful guidelines are:
Verify the network interface numbers, MAC addresses and logical names listed on the Monitor>System>Overview screen and in log reports. Use the logical elimination method. Connect a network cable to the first network interface and use the ping facility to test for connectivity with a host on the desired network. If unsuccessful, move the cable to the next network interface and perform the test again. Repeat until successful, or all network interfaces have been tested. View the hardware report located at Monitor>System>Hardware. Check the report to ensure all your network devices have been recognized by the system at boot time.
172
Chapter 6: Troubleshooting
Frequently Asked Questions (FAQ)

Common configuration errors or questions are grouped by the feature type. Select a question from the list below. If your question is not answered below, please contact GTA Support for more information. Administration I lost my user name and/or password. How can I log on to my firewall? Why cant I access the Web interface from the protected network? How do I revert to my previous runtime after a version upgrade? Network Connectivity Why is my GB-250 or GB-250e periodically resetting services? Which policy should I use? How do I determine which rule or policy is causing rejected traffic? Why cant ALL hosts (computers and devices) behind the firewall reach the Internet? Why cant ONE host (computers and devices) behind the firewall reach the Internet? I cant access a tunnel that I have created. Why? Why cant I see or ping the protected network interface? How do I bypass NAT, allowing no-NAT routing to an IP address on the internal network? I get a bridging loop error message when I am in bridging mode. My Microsoft Exchange server located on the PSN cant find the PDC (Primary Domain Controller) on the protected network. Why? Services and Options IPS policies cannot be configured. Why? I enabled Mail Sentinel options. Why did the firewall automatically disable them? My email quarantine does not work. Why? Mail Sentinel rejects too little email. Why? Mail Sentinel rejects too much email. Why? Mail Sentinel rejects all email. Why? Hardware Why are the interfaces green LEDs not lighting up? I get an alarm: Interface down message. Other I get errors when using GBAuth. What do they mean? AOL Web email access is blocked when I use Surf Sentinel. How do I allow it? Automatic Backup I get an error message Hardware does not support USB devices. Firewall shows as not licensed for Cloud backup.
173
Administration
Q: I lost my user name and/or password. How can I log on to my firewall?
If login information has been irretrievably lost, a firewall can be reset to factory defaults, erasing all current configuration data and resetting both the case-sensitive user name and password to fwadmin. Caution
Resetting the firewall will cause it to lose current configuration data, including activation codes and your firewalls serial number. The configuration data can only be restored by loading a saved configuration with a known user name and password, or by manually entering the information.
To reset your firewall to factory defaults, attach either a terminal (using a serial console cable), or a computer with terminal emulation software (using a DB-9 null-modem cable). Enter these settings for the console connection: Table 5.1: Connecting to the Console Interface
Field Emulation Port Baud Rate Parity Stop Description VT-100 or PuTTY COM port connected via DB-9 cable to the firewall 38400 8 None 1 Hardware
Data/Bit Rate
Flow Control
Power on the GTA firewall. The following will be displayed: GB-OS 5.x.x loading ... When the word loading appears, immediately press control-R. The system will begin to load, and configuration and hardware data will appear on screen. Finally, a confirmation question displays: Are you sure you want to reset your firewall configuration?: (yes or no) To reset to factory defaults, type the word yes in lower case letters. Typing any other key will reboot the system without resetting to defaults. If there is no input after two minutes, the firewall will continue its boot process.
Q: Why cant I access the Web Interface from the protected network?
The default remote access policy set is generated from the configuration parameters entered in the Basic Setup Wizard or in the Configure>Network>Interfaces>Settings screen. It is possible that the firewalls protected network interface is on a different subnet from your host. Enable automatic policies or check the remote access policy for the Web interface; it may need to be adjusted.
174
Q: How do I revert to my previous runtime after a version upgrade?

The firewalls flash memory is in two sections (slices); one contains the current software version plus any saved configuration, the other contains the previous software version and configuration. A new firewalls two memory slices are identical. When the firewall is upgraded to a new runtime, the upgrade process automatically overwrites the memory slice not in use with the new software version and the existing configuration, leaving the production firewall version and configuration intact. When the firewall is rebooted, the updated memory slice will load by default. To select a memory slice other than the default, navigate to Configure>Configuration>Runtime>Options. Caution
Changing the active slice will cause the firewall to reboot.
Note
When changing between a slice with a GB-OS 5.x installation and a slice with a GB-OS 3.x installation, the browser will display an error message stating Requested method not implemented. Clear the error message and resume administration by refreshing the browser window.
Network Connectivity
Q: Why is my GB-250 or GB-250e periodically resetting services?
The GB-250 and GB-250e were designed for small business networks, yet offer a full complement of threat management and network services to allow administrators to select the features that best match their needs. In order to provide network administrators with the broadest range of choices, GTA offers all threat management features (IPS, Mail Sentinel Anti-Spam, Mail Sentinel Anti-Virus, and Surf Sentinel Content Filtering) on the GB-250 and GB-250e. Additionally, many advanced network services (traditional and transparent proxy, authentication server, SNMP server, DHCP server, and VPN) are also available on these units. However, the hardware specifications of these products necessitates limitations on utilizing every threat management and network service, as each additional service places greater demands the firewalls CPU and memory. Firewall administrators should carefully select which threat management features and network services to activate on the firewall, and monitor the results to prevent undesired interruptions of service. By activating all threat management and network services it is possible to exceed the available resources of the GB-250 and GB-250e. Should enabled services exceed the GB-250 or GB-250es resources, administrators will notice that GB-OS will restart enabled services as they exceed available memory and will generate a log message. These periodic restarts may result in a temporary loss of enabled services or network connectivity. GB-250 and GB-250e administrators with multiple threat management services should monitor GB-OS log messages to ensure continuous network connectivity. If the GB-250 or GB-250e consistently exceeds available memory, administrators should consider disabling unnecessary GB-OS services or reducing defined threat management settings. To assist administrators in evaluating threat management features and their impact on performance of these units, GTA offers 30 day evaluation versions of Mail Sentinel Anti-Spam and Surf Sentinel Content Filtering. These evaluation versions may be requested at www.gta.com. If all services are desired, administrators may wish to consider one of GTAs more powerful products, such as the GB-800 or GB-2000 Firewall UTM Appliance family, which are designed to meet the needs of more robust network implementations.
175
Q: Which policy should I use?

As packets flow into the firewall, they may be stopped, redirected or transformed depending on the types of policies that the packet hits. If a packet succeeds through all possible checks and transformations, it is transmitted to a network destination on the other side of the firewall. But which policy set should you use to create your desired traffic flow to your desired destination? You must use policies to tell the firewall how traffic should be handled by the firewalls logic. Policies are enacted according to the firewalls logical order. Based upon the type of packet, remote access, outbound, and/or pass-through policies may be required to permit a connection.
Is the packet outgoing from a network protected by the firewall? Is the packet incoming to a network protected by the firewall (including from a PSN)?
Create an outbound policy.
If it has NAT or VPN tunnel encapsulation, create a remote access policy. If it has no NAT, or has had NAT removed during decapsulation, use a pass through policy. Note that for encapsulated traffic, this may mean that you need both a remote access and a pass through policy. Also note that even if all your firewall policies are correct, a packet without a valid route cannot be delivered, even if it is allowed! If policies have been ruled out as the source of your problem, check routing settings.
Q: How do I determine which rule or policy is causing rejected traffic?

When the firewall evaluates a packet for acceptance or rejection, many rules may be used. However, they are not evaluated in a random order, but sequentially, and you can use this knowledge to help you trace conditions that may be causing firewall misconfiguration. Order of evaluation is indicated on some screens by the index number (listed order on the screen) of a rule. Start by testing the configurations on the top of the page, and work your way down until all configurations have been tested. For example, a rule/policy with an index of 1 will be evaluated before a rule/policy with an index of 5, and should be tested first.
Q: Why cant ALL hosts (computers and devices) behind the firewall reach the Internet?
This is usually a routing problem. The traceroute facility can be very useful in debugging routing problems. Check for these problems:
Are the hosts that cant reach the Internet on a different network subnet from the firewall? Have you added a static route on the firewall to tell it which router is used to reach the Internet? Have you set the routers default route to be the firewall? Have you set the default route for hosts on the problem network to be the router or firewall? Is the wrong IP address assigned to the hosts or firewall? All network interfaces on the firewall must be on different logical networks. Is the default route incorrectly assigned? The default route should always be on the same subnet as the network interface of the host (this is true for all hosts, not just the firewall). For a firewall, the default route must be an IP address on the network which is attached to the network interface.
Note
When using PPP, PPTP or PPPoE, the default route is not necessarily on the same subnet. The route is assigned by your PPP provider.
176
Q: Why cant ONE host (computers and devices) behind the firewall reach the Internet?
This may indicate that the default route is assigned incorrectly (or not at all) to hosts on the protected or Private Service Networks. All hosts protected by the firewall must use the IP address of the firewalls network interface for the respective network. Hosts that reside behind routers or other gateways on these networks generally use the IP address of the gateway or router instead.
Q: I cant access a tunnel that I have created. Why?

There are a few key points to remember about tunnels:
You cannot access a tunnel from the protected network, since you can access the host directly (use the real IP address of the host). The source side of the tunnel must use an interface or alias that is on the external network for tunnels from the external network to the PSN or to the protected network.
The source side of the tunnel must use an interface or alias that is on the Private Service Network for tunnels from the PSN to the protected network. You must have a remote access policy that allows access to the tunnel from the host in question. A tunnel that has no remote access policy, or an improperly configured policy assigned to it, will generate a blocked packet message to the log file. Policies can be defined by using the tunnels automatic policies, located under the Advanced tab, or by manually creating remote access policies.
Ensure that your tunnel is active. Check the Monitor section to verify that both your tunnel and remote access policies are active. Check the log messages for policy blocks when a remote host attempts to access the tunnel. If you see a block message, your remote access policy is most likely not configured correctly. If no block message appears, check the host that is specified as the target in the tunnel definition. The target host should have a default route configured, with the service in question running on the specified port. From the target host try to ping the remote host.
Q: Why cant I see or ping the protected network interface?

You may have the wrong cable for your connection.
For a direct connection (GTA Firewall to host or router) you need a crossover cable. For a connection to a hub or switch you need a straight-through cable.
A yellow crossover cable and grey straight-through cable may be included with hardware appliances. Note
Distinguish between crossover cables and straight-through cables by comparing the connection ends. On a straight-through cable, the wire order matches; on a crossover cable, the first three of the four cables are in reverse order.
Also check that your computer belongs to the same subnet as the IP address of the protected network interface.
177
Q: How do I bypass NAT, allowing no-NAT routing to an IP address on the internal network?
NAT is applied by default, using connection state tracking to hide and protect internal IP addresses from the external network. In some cases, it is desirable to bypass NAT and make an internal hosts IP address visible to the external network. To bypass NAT, use pass through. Pass through connections require two main configuration aspects on the firewall:

Hosts/Networks to define groups of hosts that may bypass NAT Policies to specify conditions (such as specific ports or times) pass through hosts/networks connections must satisfy to be accepted
Note that pass through hosts must have an externally routable IP address; internal (RFC 1918) IP addresses (e.g. 192.168.1.2) cannot be used with pass through, because they do not have valid routes. Additionally, some paths may need to be added to external routers, indicating the firewalls external interface as the gateway for the pass through hosts/networks. Because pass through bypasses NAT, its policies are bidirectional: they can allow both inbound and outbound connections from pass through hosts/networks. An outbound policy is not necessary.
Q: I get a bridging loop error message when I am in bridging mode.

A bridging loop message indicates a physical loop in the network cabling. Feb 2 02:04:30 pri=4 msg=Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 eth1->eth0 (muted) src=199.120.225.53 dst=224.0.0.18 Check physical wiring of hubs and switches to be sure there are no crossed wires. Bridged networks must be physically isolated.
Q: My Microsoft Exchange server located on the PSN cant find the PDC (Primary Domain Controller) on the protected network. Why?
Normally, NetBIOS locates the primary domain controller (PDC) and other peer hosts by using broadcast packets. Since the firewall blocks all broadcast packets, another method of locating the PDC needs to be used. The solution is to use an LMHOST file and add an entry for the PDC providing a conduit for NetBIOS traffic to the PDC via a tunnel and allow access via remote access policies. 1. Create a LMHOST file and insert an entry for the PDC. This entry will use the PDCs NetBIOS name, the NetBIOS domain name, and the PSN interface IP address where the tunnel will be created. 2. Create three tunnels from the PSN interface to the PDC for NetBIOS services. UDP 137 - NetBIOS name resolution UDP 138 - NetBIOS datagrams TCP 139 - NetBIOS data transfer 3. Create three remote access policies that allow the MS Exchange server on the PSN to access the three tunnels you created in step 2. 4. Reboot the Microsoft Exchange server.
178
Services and Options

Q: IPS policies cannot be configured. Why?
If IPS settings are initially configured using the IPS Setup Wizard, the IPS Proxy will persistently use settings defined by the wizard. As a result, settings in the IPS policies screen will be locked. To unlock settings defined by the IPS Setup Wizard and to manually configure IPS policies, navigate to Configure>Threat Management>IPS>Proxy and disable the Persistent checkbox in the Wizard Settings section.
Q: I enabled Mail Sentinel options. Why did the firewall automatically disable them?
Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus require Internet access over TCP port 443 (SSL) in order to authorize and update from GTA servers. If Mail Sentinel cannot access GTA servers (*.gta.com) on TCP port 443, or if there is no DNS Proxy or Service enabled, then the email proxy may wait for Mail Sentinel option authentication that it cannot get; if the SSL connection times out, the email proxy will disable Mail Sentinel options and continue processing email according to standard policy rules. The Mail Sentinel email proxy will then log that it has disabled Mail Sentinel options, and will periodically check for Internet SSL connection restoration. If the connection is restored and Mail Sentinel activation codes are valid, the email proxy automatically re-enables those Mail Sentinel options that were automatically disabled. To correct this problem, check that your network allows SSL connections to the Internet over an external network interface (no routing rules may deny port 443). Use ping and traceroute to verify connectivity to the Internet, including gta.com and its sub-domains, and check all routers that may block Internet SSL access.
Q: My email quarantine does not work. Why?

An email quarantine object must be an address object that contains only a single email address such as email-quarantine@gta.com. It is not valid to enter only the domain name of your email server; your quarantine object must have a full email address that contains an account as well as a domain name. Use of wild card (regular expression) characters is also not allowed. If you wish to use multiple email addresses as quarantines in different firewall configuration areas, you should create one quarantine address object per quarantine email address. For example, if you wish to separate suspect spam email and virus email, you might create address objects named Suspect Quarantine (containing suspect-quarantine@gta.com) and Virus Quarantine (containing virusquarantine@gta.com).
179
Q: Mail Sentinel rejects too little email. Why?

First check that your email proxy policies reject those domains or IP address ranges that are known spam servers. Remember that email proxy policies evaluate in the order they are listed. Make sure that an all-accepting policy is listed underneath those exclusion policies to ensure that every email is not accepted before being tested for a spam domain. Check the specific policy that you expected the email to match for configuration errors that may cause failed matches. Correct configuration errors in any policies before they may cause a premature match. To rule out either Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus options as a source of the problem, uncheck all of the Enable check boxes in the Anti-Spam and Anti-Virus sections of your email proxys access control lists (policies). When you re-enable Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus in each policy, be sure to do it one at a time so you can narrow down the source of the misconfiguration. Note
The Mail Sentinel System Activity report can provide useful diagnostic information to determine whether Mail Sentinel options are causing email rejection.
Indicating a large maximum email file size in either the Email to Block or Mail Sentinel Anti-Virus sections of your email proxy policy will allow larger email through. To limit the size of email that your firewall accepts for transmission, reduce the maximum file size to a small, non-zero number. Be sure to allow external Internet access from your firewall to the Internet. Mail Sentinel uses various servers to keep its Mail Sentinel options up-to-date; if you have routing rules preventing this access, your Mail Sentinel options may lapse or use old spam and virus definitions, allowing newer spam and viruses through. Note
A maximum size of zero does not mean that only zero-sized email will be considered; instead, it means that the size limit consideration has been removed from the policy.
If you notice that some spam email is still not being caught by Mail Sentinel Anti-Spam, consider adjusting your Mail Sentinel Anti-Spam threshold or greylisting options to a more aggressive setting. You might also choose to restrict Suspect category email as well as Confirmed category email. Additional use of a MAPS (a kind of real-time black list, or RBL) can also help.
180
Q: Mail Sentinel rejects too much email. Why?

When the firewall evaluates a packet for acceptance or rejection, many rules may be used. It is important to check other rules such as routing rules before investigating Mail Sentinel policy rules. Remember that email proxy policies evaluate in the order they are listed. Make sure that any white list policies are listed above any black list policies to ensure that all email is not rejected before being tested for a known-good email address. To rule out Mail Sentinel features as a source of the problem, un-check the Enable check box in the Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus headings of your email proxys access control lists (policies). When you re-enable Mail Sentinel Anti-Spam and Mail Sentinel Anti-Virus, be sure to do it one at a time so you can narrow down the source of the misconfiguration. Note
The Mail Sentinel System Activity report can provide useful diagnostic information to determine whether Mail Sentinel options or other policy rules are causing email rejection.
Indicating a small maximum email file size is also a common cause for rejected email. Indicating a low threshold for the Mail Sentinel Anti-Spam categories can also be a common cause.
Q: Mail Sentinel rejects all email. Why?

If your firewall rejects all email, first check to see that email TCP ports (especially the standard SMTP port 25) have not been filtered out in other policies, and that your email proxy is enabled. If your firewall accepts port 25 connections but still rejects all email, check your email proxys policy settings. If your policies are set to reject email fitting your rules and all email matches your rules, all email will be rejected. Make sure you have at least one email proxy policy set to accept email; denial-type policies or an absence of policies will cause email to be rejected. Note
The Mail Sentinel activity reports (Monitor>Activity>Threat Management>Mail Sentinel) can provide useful diagnostic information to determine whether Mail Sentinel options or other policy rules are causing email rejection.
Additionally, if all email servers are listed on your MAPS, all email could be rejected.
181
Hardware
Q: Why are the interfaces green LEDs not lighting up?
This indicates that you do not have network connectivity. Make sure all cables are functional, the firewall is powered on, and the connected computers are correctly configured. You may have selected the wrong network connection type. Check under the Advanced tab in Configure>Network>Interfaces>Settings to ensure the appropriate connection type is selected. If you have selected one of the specific settings, try resetting to Auto, the factory setting.
Q: I get an alarm: Interface down message.

An interface down error message indicates that an interface has failed. Feb 2 13:44:18 pri=4 msg=alarm: Interface EXTERNAL (rl1) down type=mgmt This could be caused by a loose or disconnected cable or disconnected Internet service.
Other
Q: I get errors when using GBAuth. What do they mean?
GBAuth requires use of remote access policies, users, SSL certificates, and authorization services on your firewall. GBAuth 1.1.2 and Java Runtime Environment 1.4 are also required to be installed on the client computer. If any of these are set up improperly, if your password or other entry was incorrect, or if you are using an older version of GBAuth, errors may be generated. RMCAuth: Command authLoginGet (400) rejected, incorrect size errors may be caused by using an older version of GBAuth. This error is logged on the firewall as well as displayed on the GBAuth client. To correct this error, upgrade to GBAuth 1.1.2. IOException errors generally refer to inability to form a network connection (e.g. incorrect remote access policies cause traffic denial by the firewall and the connection times out, or incorrect Firewall field entry) or problems with the SSL certificate (e.g. the computer and firewall have out-of-sync clocks so that according to the computers clock, the SSL certificate has not yet become valid). Verify your remote access policies, network connections and your computers clock. If you have repeated java.security.cert.CertificateException: Certificate not yet valid. problems with SSL certificates due to your computers or firewalls clock, you may wish to use an NTP service such as the firewalls Network Time Service to keep its clock correct.
Q: AOL Web email access is blocked when I use Surf Sentinel. How do I allow it?
AOL uses pr.atwola.com, an advertisement server, to redirect to Webmail.aol.com. If Surf Sentinel is set to block the Advertisement category, access to pr.atwola.com will be blocked, and Webmail.aol.com will never be reached. To allow AOL Web email access, first create an address object of type Surf Sentinel that contains pr.atwola.com. Next, create a Surf Sentinel policy that uses the address object as the local allow list. AOL Web email should now be accessible.
182
Automatic Backup
Q: I get an error message Hardware does not support USB devices.
Confirm hardware USB ports are properly functioning and enabled. GB-250 Rev A devices do not support USB devices.
Q: Firewall shows as not licensed for Cloud backup.

Confirm that DNS is configured. Confirm valid support or maintenance contract. Cloud backup and restore requires a valid support or mainenance contract.
183
User Interface
184
Reference A: User Interface

GB-OS introduces an updated user interface with this release. Used as the primary interface, it includes comprehensive administrative access and user-friendly hints. A second interface, the console, is primarily a fail-safe. It is used for resetting a misconfigured firewall to default, recovering a GTA firewall and for basic configuration. The console interface has limited functionality. Note
See the Console Interface Users Guide for additional information on using the Console interface.
In this reference, the Web interface is illustrated and described, including navigation, tool bars, menu items and buttons. For configuration, use the setup chapters of this users guide.
Web Interface
The Web interface is platform-independent and can be used on any frames-capable, Javascript-enabled browser such as Internet Explorer, Apple Safari or Mozilla Firefox running on platforms such as Windows, Mac and Unix.
Figure A.1: The Web Interface
186
Features
SSL Encryption Option Secure administration from any location connected to the Internet Intuitive browser-based user interface Platform-independent, compatible with most browsers and platforms Immediate modification as changes are saved to the firewall Live Mode and Test Mode configurations
Web Interface Access

By default, the firewalls Web server operates on the standard SSL-encrypted port 443.
Characteristics
Changes take place immediately upon saving when operating in Live Mode Re-sizing the browser window will change the size of the main screen Password authorization is persistent for a session The firewall contains a built-in Web server that only serves the firewalls remote administration Web pages; it cannot be used for other purposes The factory default user ID and password are both fwadmin
How to Access the Web Interface

To access the Web interface, start a JavaScript-enabled, frames-capable Web browser. Enter the IP address or host name of the firewalls protected network interface as a URL in the address/ location field (e.g. https://192.168.71.254). If your computer does not have an IP address on the same logical network as the firewalls protected network interface, you will need to adjust the remote access policy that controls access. Caution
Firewall login persists until the user quits the browser application. To prevent unauthorized access, remember to quit the browser application.
187
Navigation and Data Entry

The Web interface uses HTML frames to subdivide the browsers display. The main parts of the Web interface screen are: Menu: Provides access to all command functions. Main Window: Work area where data is entered and displayed. Hints: Brief explanations of the functions of the section being worked on.
Menu
The menu is the main navigation tool, and is displayed on the left side of the browser window. There are four main categories within the menu: Wizards: Contains setup wizards. Configure: Contains settings and options for configuring the GTA Firewall UTM Appliance. Monitor: Contains an overview based on the GTA Firewall UTM Appliances log files. SSL: Contains the set up for the SSL Browser. Support: Contains helpful links and documentation. Each category is divided into sections. When selected, sections expand to reveal items in a functional area. Click on functions within the sections to display their configuration screen. While optional features will appear within sections on your GTA Firewall UTM Appliance, they will not be functional until a valid activation code has been entered.
Figure A.2: Menu Categories
Verification Icons
The menu is dynamically updated to display the verification status of a configuration area. Icon states move up through the menu tree. Errors take precedence over warnings, and warnings take precedence over verified settings. Thus, menus that contain configuration screens with both errors and warnings will be identified with an error icon. Table A.1: Verification Icons
Button Value
Default Settings Verified
Description
Menu items with a grey icon are either using default settings or cannot be configured (such as Summary display screens, which do not contain configuration options). Menu items with a green icon have been verified to be configured correctly and should not conflict with the firewalls configuration. Menu items with a yellow icon may be configured incorrectly and can conflict with the firewalls configuration. Menu items with a red icon are verified to be configured incorrectly and can conflict with the firewalls configuration.
Warning Error
188
Main Window
The main window displays screens selected from the menu located along the left hand side of the screen. The main window can be broken down into three sections: 1. Control Bar: Contains screen buttons that vary depending on the nature of the display. 2. Display Screen: The main work area where data is entered and displayed. 3. Hints: Displays a brief summary of the nature of the display screen. By clicking the Live or Test tab you can change the firewalls configuration mode. When the firewall is operating in Test Mode, the background behind the Hints area will change to a construction theme. The hints area can be hidden to maximize workspace by clicking the arrow in Hints tab. When the hints area is hidden, clicking either tab will make the hints area reappear.
Figure A.3: Main Window Displaying the Control Bar (Red), Display Screen (Green) and Hints (Blue)
Advanced Tab
The Advanced tab allows for the configuration of additional settings that are generally not required for basic configuration. By default, advanced configuration settings are hidden by the Advanced tab. To reveal advanced configuration settings, click the Advanced tab.
Figure A.4: Advanced Tab
Note
For information on settings available under advanced tabs, please refer to Advanced Setup Tasks and Reference B: System Parameters.
189
Buttons and Icons

Screen Buttons
Screen buttons, located along the top of the Web interface, allow the user to navigate, manipulate data and display information. Not all buttons are always displayed, they only appear when they pertain to the data being displayed. Table A.2: Screen Buttons
Button Value
Back Copy Default Delete Add Duplicate Edit Filter Forward New OK Paste Print Refresh Reset Save Sort Sync
Description
Goes back to the previous screen or sorts backwards through IPS policy rows. Copies the selected list entry to memory. Uses default values for a list or configuration screen. Deletes the selected items. Adds a new row in the network settings, address objects, service groups, time groups, account groups, DHCP static leases, DNS hosts and DNS subnet sections. Duplicates the selected list item. Allows editing of the selected list item. Filters displayed list items according to specific criteria. Sorts forwards through IPS policy rows Creates a new list item or object. Applies changes to the modified list entry. Pastes a copied list entry from memory. Prints the displayed screen. Refreshes the displayed screen. Resets the configuration screen to initial values. Saves the section and applies it to the firewalls configuration. Re-sorts the index order. Synchronizes configuration section from Live mode to Test mode. Only available in Test mode.
190
List Icons
List icons, which are always the left most object in a tables row, provide quick at-a-glance information regarding the line item. Table A.3: List Icons
Button Value
Locked , Edit
Description
Indicates that the list entry is built-in and cannot be modified. To edit a locked list entry, select the Duplicate button to duplicate the items configuration in to a new object or policy. Indicates that the list entry is editable. If the icon is greyed out, then the list item has been disabled. Indicates the status of the configured administrator account. If the icon is greyed out, then the administrator account has been disabled. Indicates the status of the configured user account. If the icon is greyed out, then the user account has been disabled. Indicates the status of the configured group. If the icon is greyed out, then the group has been disabled. Indicates the status of the configured logical interface. A green, upwards pointing arrow means the interface is up, while a red, downwards pointing arrow means the interface is down. Indicates the status of the configured policy of type accept. If the icon is greyed out, then the policy has been disabled. Indicates the status of the configured policy of type deny. If the icon is greyed out, then the policy has been disabled.
General List Icons
Configure>Accounts , , , Admin Status User Status
Groups
Configure>Network>Interfaces>Settings , Interface Status
Configure>Security Policies>Policy Editor / Configure>Threat Management>IPS>Policies , , Accept Deny
Flags
Flags are displayed along the top of the Web interface when the configuration screen contains an error, a warning or if the screens Test mode settings differ from the screens Live mode settings. Table A.4: Flags
Button Value
Warning Error Test mode
Description
Indicates a verification warning. The flag is hyperlinked to the configuration screens verification section in Configure>Verify. Indicates a verification error. The flag is hyperlinked to the configuration screens verification section in Configure>Verify. Indicates that the configuration screens Test mode settings differ from the screens Live mode settings. The flag is hyperlinked to Configure>Configuration>Apply.
191
Index Numbers
Index numbers are used in lists. In some instances they are editable, allowing the data to be resorted based on importance. For instance, since policies are evaluated in sequential order, sorting the order affects their primacy. To sort editable index numbers, simply enter new values corresponding to the order you wish to sort the table rows and click Sort or save the configuration screen to update the listing.
Figure A.4: Index Numbers
Note
Sorting will not take effect until the section has been saved.
Text Fields
Text fields allow the user to enter data by typing.
Pull Down Menus

Values available in pull down menus vary by the configuration screen in which they are found. Click on the downward pointing arrow to open a pull down menu, then click on an item to select it. An item labeled as <* EDIT *> will allow for the configuration of a new configuration object. An item labeled with three question marks, <???>, indicates an unknown value. Fields with a value of <???> require information in order to be used in the configuration being attempted.
Figure A.5: Pull Down Menus
192
System Overview Screen
The Overview screen, initially displayed after successfully logging on to a configured firewall, displays a snapshot of the firewalls current status. Displayed data includes the current state of the firewalls interfaces, CPU and memory usage, traffic flow, and more. The Overview screen can be accessed by clicking next to the GTA logo at top of the Web interface, which acts as a shortcut. Additionally, the Overview screen can also be viewed by navigating to Monitor>System>Overview. When working in Live mode, Edit buttons will be available next to editable fields. When working in Test mode, the Overview screen will only display configuration data and will not be editable.
Figure A.5: System Overview Shortcut
At the top of the Overview screen, the Refresh button also includes a drop down menu to select a time frame for which the page will automatically refresh. Available time fields are: Off, 30 seconds, 1 minute, 5 minutes and 10 minutes.
Figure A.6: Refresh Button
The Overview screen displays the following containers: Audit Events contains a log of activity performed by administrators to the firewalls configuration. Verification displays the number of verification warnings and errors in the GB-OS configuration. Runtime displays the GB-OS version the GTA Firewall UTM Appliance is running, the current slice, whether updates are available and the last update check. If a runtime update has been downloaded, but not yet installed, the update status will be displayed here. System displays basic information regarding the firewalls configuration, such as the firewall administrator, host name, product, license, serial number, date/time and firewall uptime. Historical Statistics displays graphical information representing past activity. Categories include CPU Usage, Memory Usage and Security Associations. By placing the mouse over each graph, a larger graph will display. Clicking on any of the graphs will open the Historical Statistics screen. Activation Codes displays all entered activation codes. Interfaces provides a summary view of the firewalls logical interfaces and their status (up or down). System Resources gives an overview of the firewalls CPU usage, memory usage and security associates. The enabled/disabled status of the High Availability feature with total user licences and feature licenses shown as percentage used. The GTA SSL Browser and Client, and IPSec/ L2TP/PPTP licenses percentage used are also displayed. Network Traffic shows the amount of denied packets from policy blocks, the number of active connections to the firewall as well as current and peak bandwidth usage. Contracts displays current contracts and licenses for GB-OS, Mail Sentinel Anti-Spam, AntiVirus, IPS, Surf Sentinel, and support contracts. The date/time of the last update check is also displayed. Mail Sentinel Anti-Spam displays information on Mail Sentinel Anti-Spam activity. If this feature has not been activated and configured, no data will be displayed. Mail Sentinel Anti-Virus provides a summary on Mail Sentinel Anti-Virus activity. If this feature has not been activated and configured, no data will be displayed. Surf Sentinel displays information on Surf Sentinel activity. If this feature has not been activated and configured, no data will be displayed. IPS displays the rule set used by the IPS proxy. Current Administrators displays a list of administrators currently logged in to GB-OS.
193
Figure A.7: System Overview
194
System Parameters
196
Reference B: System Parameters

This section describes the input type, range and general results of each field in the firewall configuration. It is most useful for network engineers who are already familiar with networking terminology but wish to know the exact specifications of a configuration option.
How to find your section:

For rapid lookups on a particular configuration section or field, this reference contains sections indexed by a number formatted as x.y.z where: x: Menu buttons number y: Menu tree items number within the button area z: Menu tree sub-items number within the parent section As shown in this example, a configuration section located in the second section, second tree item and fifth tree sub-item would be indexed as 2.2.5 Import/Export.
Tables within a reference section contain field details from the configuration section. Entries are in order from top- and left-most positions on the screen. Groups of fields that are labeled areas will be titled by their label. Fields listed under an Advanced tab will be labeled as such. Note that not all areas may not be immediately visible, as they may be hidden under an Advanced tab.
198
2. Configure
The Configure section provides access to manual configuration options. This area may be especially useful to network engineers who are designing more complex configurations as it allows for total customization.
2.1 Verify
The Verify sub-section allows the user to verify their configuration. Verification points out potential problems with the firewalls configuration. Containers and sub-containers can be expanded or collapsed to navigate through displayed data. Caution
Verification may not catch all errors in the configuration. GTA recommends that administrators always check their configuration to ensure that no potential security issues are present.
Note
GTA recommends that verification should always be performed before applying a Test Mode configuration to a Live Mode configuration. This prevents errors in the Test Modes configuration from being applied to network traffic.
2.2 Configuration
The Configuration section allows the user to toggle between Live and Test configuration modes, verify or apply configurations, change the active slice and import or export saved configurations.
2.2.1 Summary
The Summary sub-section provides on overview of the current firewall modes configuration settings. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.2.2 Apply
The Apply sub-section allows the user to apply their Test Mode configuration to the firewall to make it Live, as well as copy their Live Mode configuration to the Test Mode configuration. Table 2.2.2: Configure > Configuration > Apply
Field Name
Apply Test Configuration
Field Type
Value Range
Description
A toggle to apply the test configuration to the firewall, making it Live. A toggle to copy the Live mode configuration to the Test mode configuration. This option is only available when GB-OS is in Test mode. Default is selected. A toggle to reset the Test mode configuration to factory defaults. This option is only available when GB-OS is in Test mode.
Radio Button Enabled/Disabled Radio Button Enabled/Disabled Radio Button Enabled/Disabled
Copy Live Configuration Reset Configuration
199
2.2.3 Backup
The Backup sub-section provides automatic backup settings and access to backups on the GTA Cloud Server. Table 2.2.3: Configure > Configuration > Backup
Field Name
Automatic Backup Format Password Pulldown Text Pulldown XML, 7-Zip, Zip Up to 255 characters 50, 100 The format for the configuration. Enter the password for the configuration file. The format for the configuration.
Field Type
Value Range
Description
Maximum Backup Count Email Enable To Cloud Enable Service Account Name Email Storage Total Usage Available Backups Restore Delete USB Enable Available Backups Restore Delete
Check box Text
Enabled/Disabled Up to 255 characters
Enable the emailing of automatic backups created when changes/modifications during live mode are saved. The email address to which backup configurations will be sent. Enable cloud storage. Select the Cloud service to be used for automatic backups. Login user name for Cloud service. Login email for cloud service. Displays total size of connected USB device. Displays total usage of connected USB device Backups available on the GTA Cloud Server. Click Restore to restore to the selected backup. Click Delete to delete to the selected backup. Enable USB device backup storage. Backups available on the attached USB device. Click Restore to restore to the selected backup. Click Delete to delete to the selected backup.
Check box Pulldown
Enabled/Disabled Dropbox, Box.net
n/a n/a n/a n/a Button Button Check box Button Button
n/a n/a n/a n/a Restore Delete Enabled/Disabled Restore Delete
2.2.4 Change Mode

The Change Mode sub-section allows the user to toggle between Live Mode and Test Mode configuration modes. Live Mode is useful for immediately applying a configuration change to the firewall. Test Mode is useful for modifying and verifying a new configuration for correctness and adherence to your security policy before applying it.
200
Table 2.2.4: Configure > Configuration > Change Mode

Field Name
Live Mode Test Mode
Field Type
Radio Button Radio Button
Value Range
Enabled/Disabled Enabled/Disabled
Description
A toggle to set the firewalls configuration mode to Live Mode. A toggle to set the firewalls configuration mode to Test Mode.
2.2.5 Import/Export
The Import/Export sub-section allows the user to back up their configuration, upload a partially updated back up configuration or a complete back up configuration. Import/Export settings are only available when the firewall is operating in Live Mode. Table 2.2.5: Configure > Configuration > Import/Export
Field Name
Configuration Mode: Live Mode: Test File Radio Button Radio Button Text Button Button Check box Enabled/Disabled Enabled/Disabled n/a n/a n/a Enabled/Disabled A toggle to set the firewall to Live configuration mode. Default is selected. A toggle to set the firewall to Test configuration mode. Default is unselected. File name of the configuration file. Opens a window to select the configuration file. Imports the selected configuration file. Partially updates the firewalls configuration if the configuration file contains partial, selective configuration changes. Default is unselected. Preserves correct serial numbers and activation codes when importing configurations. Downloads the selected configuration. File format.
Field Type
Value Range
Description
Browse Import Partial Update
Preserve Section Activation Codes Export Format Toggle Button Drop Down Enabled/Disabled n/a XML, 7-Zip, Zip
2.2.6 Runtime
The Runtime section contains options to change the firewalls active slice as well as the ability to update the firewalls runtime and schedule automatic updates.
2.2.6.1 Options
The Options sub-section allows the user to select the memory section of the firewalls flash memory to be used when configuring the firewall. The firewalls flash memory is in two sections (slices); one contains the current software version plus any saved configuration, the other contains the previous software version and configuration. Caution
Changing the active slice will cause the firewall to reboot.
201
Table 2.2.6.1: Configure > Configuration > Runtime > Options

Field Name
Runtime Slice Current Slice Alternate Slice Console Mode Video Serial Advanced Update MBR Check box Enabled/Disabled A toggle to enable an update of MBR. Default is selected. Radio Button Radio Button Enabled/Disabled Enabled/Disabled A toggle to define Video for the Console Mode. A toggle to define Serial for the Console Mode. Radio Button Radio Button Enabled/Disabled Enabled/Disabled The current runtime slice used by the firewall. Default is selected. A toggle to change to the alternate runtime slice.
Field Type
Value Range
Description
2.2.6.2 Update
The Update sub-section allows the user to schedule checks for available updates to GB-OS and to update the firewalls runtime by either applying an automatically downloaded runtime or by importing a new runtime manually. Caution
Updating the firewalls runtime will cause the firewall to reboot.
Note
Settings for updating the firewalls runtime are only available in Live Mode.
Table 2.2.6.2: Configure > Configuration > Runtime > Update

Field Name
Current Version Last Update Check Available Updates Check Now Download Install Button Button Button n/a n/a n/a Checks for available updates. Downloads available updates. Installs available updates. Option only available after available updates have been downloaded. A toggle to enable scheduling to check for updates. Default is unselected. A selection for the frequency of checks for available updates. A selection for the day the check for available updates should be performed. This field is only available when the Frequency pulldown is set to <Weekly>. A selection for the time the check for available updates should be performed. File location of the runtime file. Uploads the selected runtime file.
Field Type
n/a n/a
Value Range
n/a n/a
Description
The current version of GB-OS installed. The last time a check for an available update was performed.
Schedule Update Check Enable Frequency Day Check box Pulldown Pulldown Enabled/Disabled <Daily>, <Weekly> <Sunday> - <Saturday>
Time Advanced File Import
Pulldowns
<00> - <24>, <00> - <50>
Text Button
n/a n/a
202
2.3 System
The System section contains the Objects, which allows the user to configure address, encryption objects, service group objects, time group objects and IPSec Objects.
2.3.1 Summary
The Summary sub-section provides on overview of the current firewall modes configuration settings found in the System section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.3.2 Information
The Information sub-section displays an overview of the current firewall modes functionality. Editable fields can be edited by selecting the Edit icon. The display is static; if you wish to update the list, click the Refresh icon.
2.3.3 Activation Codes

The Activation Codes sub-section allows the entry of the firewalls serial number and activation codes that unlock additional firewall features. Activation codes can be found on the card that shipped with your firewall or in the GTA Online Support Center. Selecting the New icon allows for entry of new activation codes. Table 2.3.3: Configure > System > Activation Codes
Field Name
Activation Code Serial Number
Field Type
Text Text
Value Range
Up to 8 characters Up to 35 characters
Description
The firewalls serial number. The product activation code.
2.3.4 Contact Information
The Contact Information sub-section allows for the entry of the firewall administrators contact information. Table 2.3.4: Configure > System > Contact Information
Field Name
Administrator Name Company Email Address Phone Number Text Text Text Text Text Text Text Text Up to 119 characters Up to 119 characters Up to 119 characters Up to 119 characters Up to 119 characters Up to 119 characters Up to 119 characters Up to 119 characters The firewall administrators name. The firewall administrators company. The firewall administrators email address. The firewall administrators phone number. The firewall administrators country. The firewall administrators state or region. The firewall administrators city. The email address for the firewalls support contact. Default is gbconfig@gta.com.
Field Type Value Range
Description
Country
State/Region City/Locality Support Email Address
203
2.3.5 Date/Time
The Date/Time sub-section allows the configuration of the firewalls local time and network time service. The network time service allows the administrator to synchronize the firewall and the computers behind it with an NTP server located on the Internet. Table 2.3.5.a: Configure > System > Date/Time
Field Name
Date/Time Date (yyyy-mm-dd) Time (hh-mm-ss) Time Zone Network Time Enable Advanced Automatic Policies Check box Enabled/Disabled A toggle to enable the firewall to generate an automatic set of policies to allow the network time service to function properly. Default is selected. Check box Enabled/Disabled A toggle to enable the network time service. Default is unselected. Pulldown Pulldown Pulldown Up to 10 characters Up to 8 characters n/a The local date, to be entered in YYYY-MM-DD format. For example, December 31st, 2008 would be entered as 2008-12-31. The local time, to be entered in HH-MM-SS format. The field uses the 24 hour time format. Select to edit the firewalls local time zone. Default is UTC (Coordinated Universal Time).
Description
Selecting the New icon allows for entry of a new network time server. Table 2.3.5.b: Configure > System > Date/Time > Edit Network Time Server
Field Name
Disable Description Server
Field Type
Check box Text Text
Value Range
Enabled/Disabled Up to 79 characters Up to 79 characters
Description
A toggle for whether the network time server should be enabled or not. Default is unselected. A description of the network time server. The network time servers IP address or DNS resolvable host name. A toggle for whether or not Peer should be used. Disabled by default. The key of the network time server, if any.
Advanced Peer Key Check box Text Enabled/Disabled Up to 5 characters
2.3.6 Notifications
The Notifications section allows the firewall administrator to manage settings for all notifications. Table 2.3.6: Configure > System > Notifications
Field Name
Email Enable From To Check box Text Text Enabled/Disabled Up to 55 characters Up to 55 characters A toggle for whether the email server should be enabled or not. Email address that will appear in From field. Email address where notifications will be sent.
Field Type
Value Range
Description
204
Table 2.3.6: Configure > System > Notifications

SMS Enable From To SNMP Trap Enable Manager Type Check box Text Pulldown Enabled/Disabled Up to 55 characters SNMPv1 Trap, SNMPv2c Trap, SNMPv2 c Inform <AUTOMATIC>, all defined interfaces, all defined aliases, all defined VLANs Enable/Disable: Email, SMS, SNMP Trap Enable/Disable: Email, SMS Enable/Disable: Email, SMS Enable/Disable: Email, SMS, SNMP Trap Enable/Disable: Email, SMS Enable/Disable: Email, SMS Enable/Disable: Email, SMS Enable/Disable: Email, SMS, SNMP Trap A toggle for whether SNMP Traps should be enabled or not. Default is unselected. Host IP address to receive SNMP trap messages. Selects the SNMP Trap version. Check box Text Text Enable/Disable Up to 55 characters Up to 55 characters A toggle for whether SMS should be enabled or not. SMS messaging email address from which notifications will be sent. SMS messaging email address where notifications will be sent.
Advanced Binding Interface Pulldown Address from which SNMP traps are sourced. Default is <AUTOMATIC>.
Notifications Alarms Gateway Failover High Availability IPSec Tunnels License Lockout Runtime Updates Security Policies Checkboxes Checkboxes Checkboxes Checkboxes Checkboxes Checkboxes Checkboxes Checkboxes Enable to send an alarm notification when Alarm threshold is met. Enable to send a notification when the Gateway fail over event occurs. Enable to send a notification when HA state change occurs. Enable to send a notification with IPSec Tunnel changes and events. Enable to send a notification when License changes occur. Enable to send a notification when Login failure occurs for specified number of times. Enable to send a notification an update to the runtime is ready. Enable to send a notification when a security policy is matched and email/SMS/SNMP is configured on the alarm.
Advanced Alarms Threshold for Generating Email Text Text Text Check box Up to 5 characters Up to 5 characters Up to 5 characters Enabled/Disabled Number of alarms above which a notification is sent. Default is 10. Length of time after which to send alarms. Default is 120. Maximum number of alarms per email sent. Default is 500. A toggle for whether an attempt should be made to resolve the host name of the IP address that generated the alarm or not. Default is unselected.
Threshold Interval Maximum Alarms Per Email
Attempt to Log Host Names
205
2.4 Accounts
The Accounts section allows the administrator to edit, delete and create new administrator or user accounts, assign them to groups, configure authentication and customize preferences.
2.4.1 Summary
The Summary sub-section provides an overview of the current firewall modes configuration settings found in the System section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.4.2 Authentication
The Authentication sub-section allows the administrator to require users to authenticate using GBAuth before initiating a connection to or through the firewall. Table 2.4.2: Configure > Accounts > Authentication
Field Name
Enable

Check box Enabled/Disabled
Description
A toggle for whether authentication should be used or not. Must be enabled if LDAPv3 or RADIUS authentication is to be used. Default is unselected. A toggle to enable the firewall to generate an automatic set of policies to allow configured authentication settings to function properly. Default is selected. The service port used. The default port for GTA Authentication is 76. The valid duration for an authenticated user (in minutes). If using one-time passwords, this should be a high value. A toggle for selecting whether or not keep alives are sent. A toggle for whether the LDAPv3 authentication should be used or not. Default is unselected. Server IP address or host name and port number of the LDAP server. The service port number defaults to 389. To enter a specific port number, use the format ldap.example.com:398. A toggle for whether SSL should be used or not. Default is unselected. Root distinguished name on the LDAP server. The group name field where group names are stored on the LDAP server. A toggle for whether groups will be added automatically. Default is unselected. A toggle for whether the entire group name should be returned or not. Default is unselected. A selection for the binding interface to be used. The amount of time, in seconds, that the GTA firewall will wait on results from an LDAP search. Default is 120.
Advanced Automatic Policies Check box Enabled/Disabled
Service Port Valid Send Keep Alives LDAPv3 Enable Server
Text Text Check box
Up to 5 characters Up to 5 characters Enabled/Disabled
Check box Text
Use SSL Base DN Group Field Advanced Automatically Add Groups Use Full Group Name
Check box Text Text
Enabled/Disabled Up to 127 characters Up to 127 characters Enabled/Disabled Enabled/Disabled <AUTOMATIC>, all defined interfaces and aliases Up to 5 characters
Check box Check box Pulldown Text
Binding Interface Timeout
206
Table 2.4.2: Configure > Accounts > Authentication

Bind Options Bind Method Pulldown User, Username Search, Anonymous Select the method that the user will use to bind (authenticate) with the LDAP server. To bind with the user, select <User>; to bind anonymously, select <Anonymous>; to bind using the root distinguished name and password, select <Username Search>. Default is <User>. Enter the user name to bind with the user. This field is only available if <User> is selected for the Bind Method. Select to have the value entered in the Base DN string appended to the User Bind String value. This field is only available if <User> is selected for the Bind Method. Default is selected. Enter the distinguished name used for searching the LDAP server. This field is only available if <Username Search> is selected for the Bind Method. Enter the password of the bind DN. This field is only available if <Username Search> is selected for the Bind Method. A toggle for whether the RADIUS authentication should be used or not. Default is unselected. Server IP address or host name and port number of the RADIUS server. The service port number defaults to 1812. To enter a specific port number, use the format radius.example.com:1812. Pre-shared secret as defined in the RADIUS service. Alphanumeric value. A selection for the binding interface to be used. Match the RADIUS servers expected identity for authentication requests. If this field is empty, then it is the firewalls IP by default. Matches the RADIUS servers channel number. Only necessary if the RADIUS server distinguishes between its NAS ports (channels). Matches the RADIUS servers connection type, namely a modem (async etc.) or TCP/IP (virtual) connection.
User Bind String Append Base DN
Text Check box
Up to 127 characters Enabled/Disabled
Bind DN Password
Text Text
Up to 127 characters Up to 127 characters
RADIUS Enable Server Check box Text Enabled/Disabled Up to 79 characters
Pre-shared Secret Advanced Binding Interface NAS Identity NAS Channel NAS Channel Type
Text
Up to 127 characters <AUTOMATIC>, all defined interfaces and aliases Up to 127 characters Up to 5 characters Async, Sync, ISDN Sync, ISDN Async v. 120, ISDN Async v.110, Virtual Enabled/Disabled Up to 79 characters
Pulldown Text Text Pulldown
Active Directory Single Sign-On Enable Server Check box Text Enables Single Sign-On authentication. Authentication must be enabled to allow for Single Sign-On authentication. The server IP address or host name and port number of the Single Sign-On server used. The port number defaults to 8443. To enter a specific port number, use the format 192.268.71.1:8443. A selection of certificate the Active Directory Single Sign-On server will use. A selection for the binding interface to be used.
Certificate Binding Interface
Pulldown Pulldown
All defined certificates. <AUTOMATIC>, all defined interfaces and aliases
207
2.4.3 Groups
The Groups section allows the administrator to define a pool to group users. Additional groups can be combined in the Groups section to create a broader definition. Table 2.4.3: Configure > Accounts > Groups
Field Name
Disable Name Description Administrator Enable Read Only Remote Access L2TP Check box Check box Enabled/Disabled Enabled/Disabled Check box Check box Enabled/Disabled Enabled/Disabled A selection for creating a group with Administrator privileges. A selection for creating a read-only Administrator group. A selection for enabling L2TP remote access for the group. A selection for enabling PPTP remote access for the group. Enables the group to access the firewall using the GTA Mobile VPN Client. A toggle for whether users associated with the group should require authentication or not. Default is unselected. A selection for the local network that the user group will connect to. Select <USER DEFINED> to manually enter the networks IP address. Select <* EDIT *> to define a new local network. This will override configuration settings defined under Configure>VPN>Remote Access>IPSec.
Field Type
Check box Text Text
Value Range
Description
A toggle for whether the group should be disabled or not. Default is unselected. A unique identifier for the group. A description used to further identify the group.
PPTP Mobile IPSec Enable Advanced
Check box
Enabled/Disabled
Authentication Required Local Network
Check box Pulldown
Enabled/Disabled ???, <USER DEFINED>, all defined address objects of type All or VPN, *EDIT *
SSL Browser Enable Check box Check box Check box Pulldown Enabled/Disabled Enabled/Disabled Enabled/Disabled All configured bookmark objects Enabled/Disabled <???>, all defined groups Up to 79 characters Enables SSL browser access for the user group. Displays only Bookmarks for SSL Browser access. Read only access. Users can only download files via the browser. Displays the defined bookmarks for the group.
Bookmarks Only Read Only
Bookmarks Client
Enable Groups Sub Group Description
Check box Pulldown Text
Allows SSL Client access. A selection of groups to be pooled under the group being configured. <???> means no group has been selected. A description of the selected group.
208
2.4.4 Remote Administration

The Remote Administration section allows the administrator to set account preferences such as remote administration and lockout. Table 2.4.4: Configure > Accounts > Preferences
Field Name
Lockout Enable Allowed Check box Pulldown Enabled/Disabled ???, <USER DEFINED>, all available address objects, *EDIT * Up to 3 characters Up to 5 characters A toggle for whether lockout should be enabled or not. Default is selected. A selection for specifying a network (address object) as exempt from lockout.
Description
Advanced Threshold Duration Text Text Number of tries a user can make from an IP address before that IP address is locked out. Default is 5. The amount of time, in minutes and seconds, that an IP address is locked out. Default is 300. A toggle for whether remote administration should be enabled or not. Default is selected. The TCP port allowing Web administration. SSL encryption default is 443. Enables LDAP users to administer the firewall. Enables RADIUS users to administer the firewall. The level of SSL encryption. Default is <All>, which means all encryption levels are used. A toggle for whether sessions should be timed out after a period of inactivity or not. Default is unselected. Valid range is 5 to 1440 minutes. A selection for whether the virtual keyboard is used. Enable/Disable <Enable>, <Disable>, <Force Use> ???, <USER DEFINED>, all available networks, *EDIT * A toggle for whether automatic policies should be disabled for remote administration or not. Default is unselected. Specifies the Zone which will be allowed to connect. Options are External, Protected, and PSN. Specifies the source address allowed to connect.
Remote Administration Enable Port Authentication LDAP RADIUS Advanced Encryption Timeout Sessions Virtual Keyboard Automatic Policies Enable Zone Source Address Radio Button Pulldown Pulldown Pulldown Check box Pulldown <All>, <None>, <Low>, <Medium>, <High> Enable/Disable Check box Check box Enabled/Disabled Enabled/Disabled Check box Text Enabled/Disabled Applicable port number
Customization Login Title Logo Text Browser field Up to 62 characters 32 x 32 pixels; 100KB max Customized title to be displayed upon login. Logo to be displayed upon login. JPEG, GIF or PNG
209
2.4.5 Users
The Users section allows the administrator to edit, delete and create new user accounts. User accounts are used for controlling connections passing through the firewall or services running on the firewall. Table 2.4.5: Configure > Accounts > Users
Field Name
Disable Identity Full Name Description

Check box Text Text Text Pulldown Enabled/Disabled Up to 127 characters Up to 59 characters Up to 79 characters
Description
A toggle for whether the user account should be disabled or not. Default is unselected. The users identity to be used when authenticating with the firewall. Typically, this is an email address such as user@example.com. A unique identifier for the account. The users name cannot begin with a number. A description used to further identify the account.
Primary Group
Certificate
???, all defined user A selection for the user group to pool the configured groups, * EDIT * user. Selecting <* EDIT *> allows for the creation of a new user group. Administrator accounts are configured by choosing a configured Admin user group. ???, <Generate>, all defined certificates, *EDIT* Enabled/Disabled Up to 127 characters Enabled/Disabled <???>, <USER DEFINED>, * EDIT *, all defined address objects of type All or VPN Certificates/ Pre-shared secret ASCII, HEX/Up to 59 characters If the Authentication method is set to Certificates, select the certificate from the pulldown.
Pulldown
Authentication Modify Password Password Check box Text Select to edit or set a password. A text string used to protect access to the account.
Mobile IPSec Disable Remote Network Check box Pulldown A toggle for whether the account can connect over a mobile VPN. Default is selected. A selection for the Remote Network to be used by the VPN connection.
Authentication Pre-shared secret
Radio Button Pulldown/ Text
A selection for the authentication method the user will use when connecting over a mobile VPN. Default is Pre-shared secret. If the Authentication method is set to Pre-shared secrets, then enter the pre-shared secret as either ASCII or HEX.
Valid HEX characters: 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F
210
2.5 Network
The Network section allows the administrator to adjust network settings, define aliases as well as configure NAT, pass through and routing.
2.5.1 Summary
The Summary sub-section provides an overview of the current firewall modes configuration settings found in the Network section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.5.2 Interfaces
2.5.2.1a Settings
The Interfaces section contains configuration settings for network interfaces, PPP connections, VLANs and aliases. The Settings sub-section allows the administrator to adjust network settings such as the host name and default gateway, as well as define logical interfaces. Table 2.5.2.1a: Configure > Network > Interfaces > Settings
Field Name
Settings Host Name Default Gateway Text Text Up to 51 characters IP address The host name of the GTA firewall. GTA recommends using a fully qualified domain name as the host name for your GTA firewall. Enter the default gateway, a node on the network that serves as an access point to another network, of the GTA firewall. The name of the defined logical interface. The type of the defined logical interface. The zone of the defined logical interface. The IP address of the defined logical interface. The NIC used by the defined logical interface. The actual connection option of the logical interface. Values differ based on the logical interfaces Type. The description of the defined logical interface.
Description
Logical Interfaces Name Type Zone NIC n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a
IP Address
Options Description Advanced
Network Interface Cards NIC Device n/a n/a n/a Pulldown n/a n/a n/a <AUTO>, <10baseT/UTP>, <100baseTX> Network interface (Ethernet) cards detected, including configured PPP (modem) connections. The device name of the configured NIC. If the physical interface device is an Ethernet card, the cards MAC address will be displayed. Otherwise, the field will be blank. <AUTO> is generally recommended. <AUTO>: Auto-select the active network connection. <10baseT/UTP>: Unshielded twisted pair interface at 10 Mbps. <100baseTX>: Unshielded twisted pair interface at 100 Mbps. Default (full- or half-duplex) full duplex or half duplex. Maximum Transmission Unit. Default is 1500. Incorrect MTUs can cause poor performance, but it may be beneficial to increase MTU for a gigabit Ethernet interface when jumbo packets are to be used.
MAC Address Connection
Option MTU
Pulldown Text
<Default>, <full_ duplex> Up to 5 characters.
211
2.5.2.1b Edit Logical Interface

Selecting Edit or New icon from the Network Settings screen allows for the configuration of an existing or new logical interface as well as bridged interfaces, High Availability interfaces and VLANs. Table 2.5.2.1b: Configure > Network > Interfaces > Settings > Edit Logical Interfaces
Field Name
Disable Type

Checkbox Pulldown Enabled/Disabled <Standard>, <Bridge>, <Link Aggregation (Failover)>, <Link Aggregation (LACP)>, <Link Aggregation (Load Balance)>, <Link Aggregation (Round Robin)> Enabled/Disabled
Description
A toggle to disable the selected/defined interface. Default is unselected. Defines the type of interface that will be configured. When configuring a bridged interface, bridge must be selected. Selecting Bridge will also disable the DHCP, Gateway, and High Availability fields below.
IP Address DHCP Checkbox A toggle for whether DHCP should be used to obtain the logical interfaces IP address or not. This field is disabled if the primary interface uses PPP. Default is unselected. A toggle enabling the gateway. Option only available if DHCP is enabled. The IP Address of the logical interface. This field is disabled if DHCP is toggled or if the primary interface uses PPP. IPv4 and IPv6 fields will be available as configuration is allowed. Select the High Availability checkbox if High Availability will be configured. Enabling High Availability will disable the DHCP and Gateway fields. A toggle for enabling router advertisement configuration. A toggle defining the interface as a VLAN. The VLAN ID that matches the VLAN ID of packets to be received by the VLAN switch or router. Valid VLAN IDs are range from 1 to 4095. Up to 19 characters <External>, <Protected>, <PSN> <???>, <eth0> <ethX> Up to 79 characters Up to 127 characters IP address The interface object name for this bridged connection. A selection for the interface zone. A selection for the NIC to associate with the bridged network. A description of the bridged interface. Enter a description to describe the nature of the High Availability interface. Enter the virtual IP address that will be used for a given network interface. This IP address is used by firewall users.
Gateway IP Address
Checkbox Text
Enabled/Disabled IP address
Options High Availability Router Advertisement VLAN VLAN ID Checkbox Checkbox Checkbox Text Enabled/Disabled Enabled/Disabled Enabled/Disabled
Interfaces Name Zone NIC Description Description Virtual IP Address Text Pulldown Pulldown Text Text Text
High Availability (only available if High Availability is enabled above)
212
Table 2.5.2.1b: Configure > Network > Interfaces > Settings > Edit Logical Interfaces
Field Name
Beacon IP Address

Text/Text/ Text IP address/ IP address/ IP address
Description
Enter up to three beacon IP addresses. Normally, one beacon is the IP address of the interface on the other high availability system, but do not configure it as the only beacon. Doing so could lead to improper configuration. Select the setting for the DHCPv6 override. Enter the domain assigned to the hosts using the prefix advertisement. Enter the DNS server IP. Up to two (2) DNS servers may be defined. Select the preference as a gateway. Enter the maximum time allowed between sending unsolicited multicast router advertisements from the interface, in seconds. Valid range is 4-1800 seconds. The maximum transmission unit to ensure that all nodes on a link use the same MTU. Must not be greater than the MTU specified on the interface. Enter the length of time that addresses generated from the prefix via Stateless Address Auto configuration (SLAAC) remain preferred. Enter the length of time the prefix is valid.
Router Advertisement (only available if Router Advertisement is selected above; required for IPv6 DHCP servers) DHCPv6 Override Domain Name Server IP Address Preference Advanced Maximum Interval MTU Preferred Lifetime Valid Lifetime Text Text Text Text Up to 4 characters Up to 4 characters Up to 4 characters Up to 4 characters Pulldown Text Text Pulldown Disable, Non-Address Information, All Up to 31 characters Up to 31 characters Low, Medium, High
2.5.2.2 Aliases
Aliases allow a network interface to possess multiple IP addresses. An IP alias may be assigned to any network interface. Aliases can be used wherever interfaces can be selected, such as in security policies, inbound tunnels and IPSec tunnels. The Aliases sub-section displays the name and description of all defined aliases. The administrator is able to edit, delete and create new aliases from this sub-section. Table 2.5.2.2: Configure > Network > Interfaces > Aliases
Field Name
Disable Name Description Interface

Checkbox Text Text Pulldown Text Enabled/Disabled Up to 19 characters Up to 79 characters ???, all defined logical interfaces Up to 31 characters
Description
A toggle for whether the alias should be disabled or not. Default is unselected. A unique identifier for the alias, used for reference elsewhere in the configuration. A description used to further identify the alias. A selection for the interface to assign to the alias. The IP Address of the alias. If no netmask is entered, it will default to /32. IPv4 and IPv6 IP address fields are available.
IP Address
213
2.5.2.3 PPP
The PPP sub-section allows for the configuration of PPP, PPPoE or PPTP connections. Table 2.5.2.3a: Configure > Network > Interfaces > PPP Common Fields
Field Name
Description Name
Field Type
n/a Text
Value Range
n/a Up to 31 characters
Description
PPP0, 1, 2 or 3. The name is automatically assigned. The IP Address of the logical interface.
Table 2.5.2.3b: Configure > Network > Interfaces > PPP w/Serial Transport
Field Name
Transport PPP Connection Type
Field Type
Radio Button Pulldown Pulldown Text Text Text Text
Value Range
Serial <On-Demand>, <Dedicated> <COM1>-<COM4>, <USB> Up to 39 characters Up to 51 characters Up to 51 characters IP address
Description
PPP connection using a serial transport. A selection for the connection type of the PPP connection. A selection for the COM port or USB port used by the PPP connection. The phone number used to dial the remote site. The user name used for remote access. The password used for remote access. The default local IP address of the PPP link. Default is 0.0.0.0. The default remote IP address of the PPP link. Default is 0.0.0.0.
Primary COM Port Phone Number User Name Password Default Remote IP Address Default Advanced Connection Login User Name Login Password Speed
Local IP Address
Text
IP address
Text Text Pulldown
Up to 51 characters Up to 51 characters 1200, 2400, 4800, 9600, 19200, 38400, 57600, 76800, 115200, 230400 Up to 4 characters Up to 4 characters Up to 4 characters
For cases in which CHAP or PAP is negotiated, and a separate name and password are required to login. For cases in which CHAP or PAP is negotiated, and a separate name and password are required to login. The speed at which the firewall communicates with the modem.
Number of Retries Time Before Retry Timeout
Text Text Text
The number of attempts the firewall will make to establish a connection. Default is 3. The amount of time, in seconds, before the firewall attempts to retry establishing a connection. Default is 10. The number of seconds during which a connection will stay connected during periods of inactivity. Default is 600.
Link Control Protocol Local/Remote Address Field Compression Checkbox Checkbox Enabled/Disabled Enabled/Disabled A toggle for whether address/field compression should be enabled or not. Default is selected. A toggle for whether the line quality report should be enabled or not. Default is unselected.
Line Quality Report
214
Table 2.5.2.3b: Configure > Network > Interfaces > PPP w/Serial Transport
Protocol Field Compression Checkbox Checkbox Enabled/Disabled Enabled/Disabled A toggle for whether protocol field compression should be enabled or not. Default is selected. A toggle for whether Van Jacobson compression should be enabled or not. Default is selected. A toggle for whether dialing and logging chat scripts should be recorded or not. Default is unselected. A toggle for whether LCP conversations should be recorded or not. Default is unselected. A toggle for whether network phase conversations should be recorded or not. Default is unselected. A toggle for whether or not channels should be bonded. Default is unselected.
Van Jacobson Compression Debug Chat LCP Phase ISDN Dont Bond Channels
Checkbox Checkbox Checkbox
Enabled/Disabled Enabled/Disabled Enabled/Disabled
Checkbox Pulldown
Enabled/Disabled
Switch Type
<Default>, <NI-1>, A selection of the switch type used to configure ISDN <DMS-100>, <5ESS connections. P2P>, <5ESS MP>
Table 2.5.2.3c: Configure > Network > Interfaces > PPP w/PPPoE Transport
Field Name
Transport PPP Connection Type NIC User Name Password Default Remote IP Address Default Advanced Connection PPPoE Provider MTU Text Text Text Text Text Up to 51 characters Up to 4 characters Up to 4 characters Up to 4 characters Up to 4 characters Designation for the PPPoE provider. The Maximum Transmission Unit of the PPPoE connection. The number of attempts the firewall will make to establish a connection. Default is 3. The amount of time, in seconds, before the firewall attempts to retry establishing a connection. Default is 10. The number of seconds during which a connection will stay connected during periods of inactivity. Default is 600. Text IP address The default remote IP address of the PPP link. Default is 0.0.0.0. Local IP Address Text IP address The default local IP address of the PPP link. Default is 0.0.0.0.
Field Type
Button Pulldown Pulldown Text Text
Value Range
PPPoE <On-Demand>, <Dedicated> <eth0>-<ethX> Up to 51 characters Up to 51 characters
Description
PPP connection using PPPoE transport. A selection for the connection type of the PPP connection. A selection for the NIC on which PPPoE will run. The user name used for remote access. The password used for remote access.
Number of Retries Time Before Retry Timeout
Link Control Protocol Local/Remote Address Field Compression Checkbox Enabled/Disabled A toggle for whether address/field compression should be enabled or not. Default is selected.
215
Table 2.5.2.3c: Configure > Network > Interfaces > PPP w/PPPoE Transport
Line Quality Report Protocol Field Compression Checkbox Checkbox Checkbox Enabled/Disabled Enabled/Disabled Enabled/Disabled A toggle for whether the line quality report should be enabled or not. Default is selected. A toggle for whether protocol field compression should be enabled or not. Default is selected. A toggle for whether Van Jacobson compression should be enabled or not. Default is unselected. A toggle for whether dialing and logging chat scripts should be recorded or not. Default is unselected. A toggle for whether LCP conversations should be recorded or not. Default is unselected. A toggle for whether network phase conversations should be recorded or not. Default is unselected.
Van Jacobson Compression Debug Chat LCP Phase
Table 2.5.2.3d: Configure > Network > PPP w/PPTP Transport

Field Name
Transport PPP Connection Type Interface
Field Type
Button Pulldown Pulldown Text Text Text Text Text
Value Range
PPTP <On-Demand>, <Dedicated> Configured logical interfaces IP address Up to 39 characters Up to 51 characters Up to 51 characters IP address
Description
PPP connection using PPTP transport. A selection for the connection type of the PPP connection. A selection for the interface on which PPTP will run. The IP address of the internal PPTP server. The phone number used to dial the remote site. The user name used for remote access. The password used for remote access. The default local IP address of the PPP link. Default is 0.0.0.0. The default remote IP address of the PPP link. Default is 0.0.0.0.
PPTP Server IP Address Phone Number User Name Password Default Remote IP Address Default Advanced Connection Number of Retries Time Before Retry Timeout
Local IP Address
Text
IP address
Text Text Text
Up to 4 characters Up to 4 characters Up to 4 characters
The number of attempts the firewall will make to establish a connection. Default is 3. The amount of time, in seconds, before the firewall attempts to retry establishing a connection. Default is 10. The number of seconds during which a connection will stay connected during periods of inactivity. Default is 600.
Link Control Protocol Local/Remote Address Field Compression Checkbox Checkbox Enabled/Disabled Enabled/Disabled A toggle for whether address/field compression should be enabled or not. Default is selected. A toggle for whether the line quality report should be enabled or not. Default is unselected.
Line Quality Report
216
Table 2.5.2.3d: Configure > Network > PPP w/PPTP Transport

Protocol Field Compression Checkbox Checkbox Enabled/Disabled Enabled/Disabled A toggle for whether protocol field compression should be enabled or not. Default is selected. A toggle for whether Van Jacobson compression should be enabled or not. Default is unselected. A toggle for whether dialing and logging chat scripts should be recorded or not. Default is unselected. A toggle for whether LCP conversations should be recorded or not. Default is unselected. A toggle for whether network phase conversations should be recorded or not. Default is unselected.
Van Jacobson Compression Debug Chat LCP Phase
2.5.3 NAT
The NAT sub-section allows the administrator to configure the Inbound Tunnels and Static Mappings aspects of the NAT facility.
2.5.3.1 Inbound Tunnels

The Inbound Tunnels sub-section displays the name and description of all defined inbound tunnels. Inbound tunnels allow a host to initiate a connection with an otherwise inaccessible host. The administrator is able to edit, delete and create new inbound tunnels from this sub-section. Table 2.5.3.1: Configure > Network > NAT > Inbound Tunnels
Field Name
Disable Description Service From

Checkbox Text Pulldown Pulldown Enabled/Disabled Up to 79 characters <ANY_SERVICE>, <TCP>, <HTTP>, etc. All defined interfaces and aliases, <ANY_IP>, * EDIT * ???, all defined address objects of type All or Network, * EDIT *
Description
A toggle for whether the inbound tunnel should be disabled or not. Default is unselected. An identifier used to describe the function of the inbound tunnel. A selection for the IP Protocol to be used by the inbound tunnel. A selection for the source side of the tunnel. Select <* EDIT *> to define a new address object. A selection for the destination side of the tunnel. If multiple IP addresses are referenced in the inbound tunnel, the inbound tunnel will utilize round-robin load balancing. Select <* EDIT *> to define a new address object. A toggle for whether the inbound tunnel should use automatic policies or not. A toggle for whether the source side of the tunnel should be hidden from the destination side or not. Default is unselected. A toggle for whether a user should be required to authenticate or not. If selected, select the user group that is to require authentication. Select <* EDIT *> to define a new user group. Default is unselected. If the Automatic Accept All Policy checkbox is unselected, this field will uneditable.
To
Pulldown
Advanced Automatic Policies Hide Source Checkbox Checkbox Enabled/Disabled Enabled/Disabled
Options Authentication Required Checkbox / Enabled/Disabled / Pulldown ???, ALL_USERS, all configured user groups, * EDIT *
217
Table 2.5.3.1: Configure > Network > NAT > Inbound Tunnels
IPS Source SYN Cookies Checkbox Pulldown Checkbox Enabled/Disabled All defined interfaces, <ANY_ IP>, * EDIT * Enabled/Disabled A toggle for whether traffic on the inbound tunnel should be checked against configured IPS policies. Default is unselected. A selection for the source interface/IP. A toggle for whether TCP SYN Cookies should be used or not. Default is selected. If the Automatic Accept All Policy checkbox is unselected, this field will uneditable. A selection for which, if any, time group the inbound tunnel options will be applied. Traffic Shaping policy to be used as defined in Configuration>Configurations>Network>Traffic Shaping. Selecting <* EDIT *> allows for the creation of a new traffic shaping policy. If the Automatic Accept All Policy checkbox is unselected, this field will uneditable. A selection for the weight of the allocation of the inbound tunnels bandwidth. A weight of 10 has the highest priority, a weight of 1 has the lowest. If the Automatic Accept All Policy checkbox is unselected, this field will uneditable.
Time Group Traffic Shaping Policy
Pulldown
All defined time groups <DEFAULT>, Defined Policy, * EDIT *
Pulldown
Weight
Pulldown
1, 2, 3, 4, 5, 6, 7, 8, 9, 10
2.5.3.2 Static Mappings

The Static Mappings sub-section displays the name and description of all defined static mappings. Static mappings allow an internal IP address or subnet to be statically mapped to an interface during NAT. The administrator is able to edit, delete and create new static mappings from this sub-section. Table 2.5.3.2: Configure > Network > NAT > Static Mappings
Field Name
Disable Description From
Field Type
Checkbox Text Pulldown
Value Range
Enabled/Disabled Up to 79 characters ???, <USER DEFINED>, all defined address objects of type All or Network, * EDIT * ???, <USER DEFINED>, all defined address objects of type All or Network, * EDIT * ???, <USE_IP_ ADDRESS>, all defined address objects of type All or Network, all defined aliases, all defined H2A interfaces * EDIT *
Description
A toggle for whether the static mapping should be disabled or not. Default is unselected. An identifier used to describe the function of the static mapping. A selection for the object to be statically mapped. Select <* EDIT *> to define a new address object. If <USER DEFINED> has been selected in the From field, the IP address will need to be entered manually. To map a single IP address, use a subnet mask of /32 (255.255.255.255). A selection to specify a service group to statically map to an Alias.
Service
Pulldown
To
Pulldown
A selection for the object to which the source will be matched. Select <* EDIT *> to define a new address object.
218
2.5.4 Pass Through

The Pass Through sub-section allows the administrator to configure the Bridged Protocols and Hosts/ Networks aspects of the Pass Through facility.
2.5.4.1 Bridged Protocols

The Bridged Protocols sub-section displays the name, type and description of all defined bridged protocols. The administrator is able to edit, delete and create new bridged protocols from this sub-section. Table 2.5.4.1: Configure > Network > Pass Through > Bridged Protocols
Field Name
Disable Description Type

Checkbox Text Text Enabled/Disabled Up to 59 characters Up to 6 characters
Description
A toggle for whether or not the bridged protocol should be used. Default is selected. Description of the bridged protocol type. Hexadecimal number of the Ethernet protocol. 0x0 is a placeholder for the full hexadecimal protocol type number. Use the 0x prefix when entering a number in hex format. Allows the protocols traffic on the bridged interface. Default is unselected. Logs events of the protocol type. Default is selected.
Allowed Log
Checkbox Checkbox
2.5.4.2 Host/Networks
The Hosts/Networks sub-section displays all defined hosts/networks. The administrator is able to edit, delete and create new hosts or networks from this sub-section. Table 2.5.4.2: Configure > Network > Pass Through > Host/Networks
Field Name
Disable Description Host

Checkbox Text Pulldown Enabled/Disabled Up to 79 characters <USER DEFINED>, <ANY_IP>, all defined address objects of type All or Network, * EDIT * ???, <ANY>, all defined firewall interfaces and VLANs Enabled/Disabled
Description
A toggle for whether the host or network should be disabled of not. Default is selected. An identifier used to describe the function of the host or network. A selection of objects for use as a host. Select <* EDIT*> to define a new address object.
Destination Interface
Pulldown
A selection of the destination interface to have NAT not applied when outbound IP packets are received. A toggle for whether unsolicited IP packets should be accepted for the selected address.
Inbound
Checkbox
219
2.5.5 Preferences
The Preferences section defines timeout settings for network connections. Table 2.5.6: Configure > Network > Timeouts
Field Name
Internet Protocol Enable Advanced IPv6 Neighbor Discovery Automatic Policies Timeouts TCP Wait for ACK Send Keep Alives UDP ICMP Default Wait for Close Text Text Checkbox Text Text Text Text Up to 4 characters Up to 4 characters Enabled/Disabled Up to 4 characters Up to 4 characters Up to 4 characters Up to 4 characters The amount of time, in seconds, before a TCP packet will time out. Default is 600. The amount of time, in seconds, for the firewall to wait for an Acknowledgement code. Default is 30. A toggle for whether the firewall should send TCP Keep Alives or not. Default is selected. The amount of time, in seconds, before a UDP packet will time out. Default is 600. The amount of time, in seconds, before a ICMP packet will time out. Default is 15. The amount of time, in seconds, before a supported protocol other than TCP, UDP or ICMP packet will time out. Default is 600. If the firewall experiences spurious blocks from reply packets (typically port 80), increasing this value gives packets from slow or distant connections more time to return before the connection is closed. Default is 20. Checkbox Enabled/Disabled A toggle for enabling automatic policies for IPv6 neighbor discovery. Pulldown IPv4, IPv4 and IPv6 A toggle for defining the internet protocol. Options include IPv4 only or both IPv4 and IPv6.
Description
Advanced Connection Limiting ICMP Packets New Connections New Connections Per Host SIP Support Enable Checkbox Enabled/Disabled A toggle for enabling or disabling SIP support. Default is selected. Text Text Text Up to 5 characters Up to 5 characters Up to 5 characters The limit number of ICMP packets (per second). The limit number of new connections (per second). The limit number of new connections per host (per second).
220
2.5.6 Routing
The Routing sub-section allows the administrator to configure the Gateway Policies, RIP and Static Routes aspects of the Routing facility.
2.5.6.1 BGP
The BGP (Border Gateway Protocol) sub-section displays the name, type and description of all BGP protocols. The administrator is able to edit, delete and create new BGPs from this sub-section. Table 2.5.6.1a: Configure > Network > Routing > BGP
Field Name
Enable Router AS Router ID
Field Type
Checkbox Text Text Pulldown, Text
Value Range
Enabled/Disabled Up to 5 characters Up to 31 characters ???, <USER DEFINED>, all defined networks, *EDIT*; Enabled/Disabled
Description
Enables the BGP interface and starts the service. Default is unselected. The number assigned to a router or set of routers in a single technical administration. Router ID number. A selection for the network(s) which will use BGP.
Networks
Advanced Automatic Policies Checkbox Enables the firewall to generate a set of automatic policies to allow a configured BGP interface to function properly. The policy created is for TCP port 179 and is viewable in the Monitor> Activity>Security Policies>Automatic section. Default is selected. A toggle for whether redistribution should be used or not. Configure the metric when the route is redistributed.
Redistribute (Categories for Connected, OSPF, RIP, and Static) Enable Metric Route Aggregation Aggregate Addresses AS Set Summary Only Pulldown ???, <USER DEFINED>, all defined networks, *EDIT* Enabled/Disabled Enabled/Disabled The network(s) to aggregate. Checkbox Checkbox, Text Enabled/Disabled Enabled/Disabled, Up to 2 characters
Checkbox Checkbox
This selection will generate or send the AS set of other routers to the remote router. Default is unselected. This selection filters the more specific routes when sending updates. Default is unselected.
To edit an existing BGP interface, select the Edit icon. To create a new BGP interface, select the New Icon. Table 2.5.6.1b: Configure > Network > Routing > BGP > Edit BGP Interface
Field Name
Disable Description Neighbor

Checkbox Text Text Text Checkbox Enabled/Disabled Up to70 characters Up to 31 characters Up to 5 characters Enabled/Disabled
Description
Disables the BGP interface. Default is unselected. A short description to identify the BGP interface. A selection for the IP address used to configure the peer routers the firewall will use to connect to BGP. The AS number of the peer router. Enable if the firewall will advertise itself as the default route. Default is unselected.
Remote AS
Advertise Default Route
221
Table 2.5.6.1b: Configure > Network > Routing > BGP > Edit BGP Interface
Advanced Next Hop Self Checkbox Enabled/Disabled This selection disables the Next Hop Self attribute for BGP. Default is unselected.
2.5.6.2 Gateway Policies

The Gateway Policies sub-section displays the name, type and description of all defined gateway policies. The administrator is able to enable or disable various options in this sub-section. Table 2.5.6.2a: Configure > Network > Routing > Gateway Policies
Field Name
Gateway Failover Enable Advanced Add Static Routes For Beacons Ping Secondary Only if Primary Down Enable Checkbox Checkbox Enabled/Disabled Enabled/Disabled A toggle for whether static routes should be added for defined beacons. Default is selected. A toggle for whether the failover gateway should be pinged only if pinging the primary gateway is unsuccessful. Default is unselected. A toggle for whether traffic connection sharing between the selected gateways should be enabled or not. Default is unselected. A toggle for whether the ability to select a gateway for connections with outbound policies should be enabled or not. Default is unselected. A toggle for whether the ability to select a return gateway for connections with inbound policies or not. Default is unselected. Checkbox Enabled/Disabled A toggle for whether gateway failover capabilities should be used or not. Default is unselected.
Description
Gateway Sharing Checkbox Enabled/Disabled
Policy Based Routing Enable Checkbox Enabled/Disabled
Source Routing Enable Checkbox Enabled/Disabled
The Edit Gateway Policy screen can be accessed by selecting New along the top right of the Gateway Policies screen. Table 2.5.6.2b: Configure > Network > Routing > Edit Gateway Policies
Field Name
Disable Name Description Route
Field Type
Checkbox Text Text Pulldown
Value Range
Enabled/Disabled Up to 19 characters Up to 79 characters ???, <USER DEFINED>, all defined dynamic, external interfaces Up to 15 characters
Description
A toggle for whether gateway policy should be used or not. Default is unselected. A unique identifier for the gateway policy, used for reference elsewhere in the configuration. A description used to further identify the gateway policy. A selection for the route to be used by the gateway policy. The IP address of the gateway policys route if <USER DEFINED> is selected in Route.
IP Address
Text
222
Table 2.5.6.2b: Configure > Network > Routing > Edit Gateway Policies
Failover Enable Beacons Sharing Enable Checkbox Enabled/Disabled A toggle for whether to share traffic load with this gateway (if gateway sharing is enabled). Default is selected. Checkbox Text / Text Enabled/Disabled IP address / IP address A toggle for whether gateway failover should be enabled for the gateway policy (if gateway failover is enabled). Default is selected. Pingable IP addresses that are within five (5) hops of the gateway.
2.5.6.3 OSPF
The OSPF (Open Shortest Path First Protocol) sub-section displays the name, type and description of all defined OSPF protocols. The administrator is able to edit, delete and create new OSPFs from this sub-section. Table 2.5.6.3a: Configure > Network > Routing > OSPF
Field Name
Enable Router ID Advertise Default Route Advanced Automatic Policies Checkbox Enabled/Disabled Enables the firewall to generate a set of automatic policies to allow a configured OSPF interface to function properly. The policy created is for IP Protocol 89 and is viewable in the Monitor>Activity>Security Policies>Automatic section. Default is selected. The value used by a routing algorithm by which one route is determined to perform better than another. When metrics do not convert, the default metric will provide a substitute, enabling redistribution to proceed. A selection used to determine which routes a router should trust if the router receives two routes with identical information. A toggle for whether redistribution should be used or not. Configure the metric when the route is redistributed.

Checkbox Text Checkbox Enabled/Disabled Up to 31 characters Enabled/Disabled
Description
A toggle for whether or not OSPF should be used. Default is unselected. Uniquely identified for the firewall/router. Must be in the form of 0.0.0.0 (Example: 0.0.0.1) A toggle for whether or not the firewall will advertise itself as the default route.
Default Metric
Text
Up to 8 characters
Distance
Text
Up to 3 characters
Redistribute (Categories for Connected, OSPF, RIP, and Static) Enable Metric Checkbox Checkbox, Text Enabled/Disabled Enabled/Disabled, Up to 2 characters
To edit an existing OSPF interface, select the Edit icon. To create a new OSPF interface, select the New Icon. Table 2.5.6.3b: Configure > Network > Routing > OSPF > Edit OSPF Interface
Field Name
Disable

Checkbox Enabled/Disabled
Description
Disables OSPF for the specified area. Default is unselected.
223
Table 2.5.6.3b: Configure > Network > Routing > OSPF > Edit OSPF Interface
Area Description Type Text Text Pulldown Up to 19 characters Up to 79 characters This selection specifies the OSPF area. A short description to identify the OSPF area.
Networks
Normal, NSSA, This selection is used to determine the behavior of the NSSA-No Summary, firewall/router. Stub, Stub-No Summary ???, <USER DEFINED>, all defined networks, *EDIT*; Up to 5 characters Up to 3 characters Up to 5 characters Up to 5 characters Up to 5 characters Up to 5 characters A selection for the network(s) which will use OSPF.
Pulldown
Advanced Link Cost Priority Dead Interval Hello Interval Retransmit Interval Transmit Delay Authentication KeyID Text Up to 3 characters KEYID identifies secret key used to create the message digest. This ID is part of the protocol and must be consistent across routers on a link. Valid numbers 1-255. The password that must be used to collect routing information through OSPF. Uniquely identified for the firewall/router. Must be in the form of 0.0.0.0 (Example: 0.0.0.1) Text Text Text Text Text Text The cost to send a packet via an interface. A selection for the priority status of the route. Define the period of time (in seconds) after which the route will be considered down. Define the period of time (in seconds) in which updates will be sent. Define the period of time (in seconds) in which the router will wait after an update is sent. If time expires, the router will resend the update. Define the estimated time (in seconds) to send an update. This value must be greater than zero.
Password Virtual Links Router ID
Text
Up to 16 characters
Text
Up to 31 characters
2.5.6.4 RIP
The RIP (Routing Information Protocol) sub-section displays the name, type and description of all defined routing information protocols. The administrator is able to edit, delete and create new RIPs from this sub-section. Table 2.5.6.4a: Configure > Network > Routing > RIP
Field Name
Enable Advertise Default Route Advanced Automatic Policies Checkbox Enabled/Disabled A toggle to enable the firewall to generate an automatic set of policies to allow configured RIP interface settings to function properly. Default is selected.

Checkbox Checkbox Enabled/Disabled Enabled/Disabled
Description
A toggle for whether or not RIP should be used. Default is unselected. A toggle for whether or not the default route (gateway) on any protected network or PSN should be advertised or not. Default is unselected.
224
Table 2.5.6.4a: Configure > Network > Routing > RIP

Default Metric RIP Timers Update Timeout Text Text Up to 5 characters Up to 5 characters The rate at which RIP sends a message containing the complete routing table to all neighboring RIP routers. Timer limit is 30 seconds. Upon expiration of the timeout, the route is no longer valid. The route is retained in the routing table for a short time so neighbors can be notified that the route has been dropped. Timer limit is 180 seconds. Upon expiration of the garbage timer, the route is completely removed from the routing table. Timer limit is 120 seconds. A toggle for whether redistribution should be used or not A toggle for whether a metric should be used and to what degree. Field Up to 2 characters The value used by a routing algorithm by which one route is determined to perform better than another.
Garbage
Text
Up to 5 characters
Redistribute (Categories for Connected, OSPF, RIP, and Static) Enable Metric Checkbox Checkbox, Text Enabled/Disabled Enabled/Disabled, Up to 2 characters
To edit an existing RIP interface, select the Edit icon. To create a new RIP interface, select the New Icon. Table 2.5.6.4b: Configure > Network > Routing > RIP > Edit RIP Interface
Field Name
Disable Interface Input

Checkbox n/a Test Pulldown Pulldown Pulldown Text Text Enabled/Disabled n/a Up to 79 characters <None>, <Both>, <v1>, <v2> <None>, <Both>, <v1>, <v2> <None>, <Clear>, <MD5> Up to 19 characters Up to 5 characters
Description
A toggle for whether the RIP Interface should be disabled or not. Default is unselected. The interface being used. A description of the RIP interface. A selection to determine what version of RIP will be accepted by other routers. A selection to determine what version of RIP will be exported or broadcast. A selection for the type of encryption that will be used for the password. The password that must be used to collect routing information through RIP version 2. Pre-shared secret key ID. This only applies to RIPv2 when MD5 encryption is used.
Description
Output Password Password Key ID
2.5.6.5 Static Routes

The Static Routes sub-section displays the name, type and description of all defined static routes. The administrator is able to edit, delete and create new static routes from this sub-section. Table 2.5.6.5a: Configure > Network > Routing > Static Routes
Field Name
Default Gateway IPv4 IPv6 Text Text IP Address IP Address IPv4 IP address. IPv6 IP address.
Description
225
Table 2.5.6.5b: Configure > Network > Routing > Static Routes
Field Name
Disable Description

Checkbox Text Pulldown Pulldown/ Text Enabled/Disabled Up to 79 characters All configured address objects of type All or Network All defined address objects of type All or Network
Description
A toggle for whether the static route should be disabled or not. Default is unselected. A description of the static route. The address object(s) whose traffic will be reached via the static route. The address object or IP address of the destination/ gateway selected for this static route.
Network IP Address Gateway
2.5.7 Traffic Shaping

The Traffic Shaping section list displays the name and description of all defined Traffic Shaping policies. Traffic Shaping policies allow the administrator to allocate available bandwidth for specific security policies and tunnels by defining a bandwidth pipe. Traffic shaping policies are used in tunnels and security policies. The Default policy does not restrict traffic flow, allowing traffic to utilize all available bandwidth, first come, first served. If traffic shaping is enabled, the default policy cannot be disabled, but an alternate selection can be made. Traffic Shaping is enabled by selecting the Enable check box on the top of the Traffic Shaping list. Table 2.5.6.7a: Configure > Network > Traffic Shaping
Field Name
Enable Default

Check box Text Enabled/Disabled ???, all defined traffic shaping policies
Description
A toggle for whether the Traffic Shaping should be disabled or not. Default is unselected. A selection for the traffic shaping policy to be used by default if Traffic Shaping is enabled.
To create a new traffic shaping policy, select the New icon. Table 2.5.7b: Configure > Network> Traffic Shaping > Edit Traffic Shaping Policy
Field Name
Disable Name Description Bandwidth

Check box Text Text Text Enabled/Disabled Up to 59 characters Up to 79 characters Up to 10 characters
Description
A toggle for whether the Traffic Shaping Object should be disabled or not. Default is unselected. A unique identifier for the object, used to reference it elsewhere in the configuration. A brief description used to further identify the use of the Traffic Shaping Object. The data transfer speed limit of the Traffic Shaping Object. Values entered as kilobits per second.
226
2.6 Objects
The Objects section allows the administrator to add or edit address objects, encryption objects, service group objects, time group objects and IPSec Objects. An object needs only to be defined once, after that it can be selected throughout the Configuration section where the defined object is required. Note
If an object that is used throughout the configuration is updated, configuration settings may inadvertently change.
2.6.1 Summary 2.6.2 Address Objects

The Address Object list displays the name, type and description of all defined address objects. The administrator is able to edit, delete and create new objects from this sub-section by double-clicking on a previously configured object or by selecting the New icon. Additional address objects can be pooled together in the Address Objects section to create a broader definition. Table 2.6.2: Configure > Objects > Address Object > Edit Address
Field Name
Disable Name Description Type
Field Type
Check box Text Text Checkboxes
Value Range
Enabled/Disabled Up to 19 characters Up to 79 characters All, Surf Sentinel, Mail Sentinel, Network, Security Policies, VPN
Description
A toggle for whether the configured address object should be disabled or not. Default is unselected. A unique identifier for the address object. The objects name must not begin with a number. A brief description of the address object. A selection for how the address object will be used. All allows for the object to be used throughout the configuration, while other options restrict use to their specific section. Not selecting a Type creates an internal object that can only be pooled into another objects definition. A selection for the previously defined address object to be pooled in the definition. If <USER DEFINED> has been selected, enter the address manually. A brief description explaining the use of the additional address object.
Address Objects Object Address Description Pulldown Text Text All defined address objects Up to 499 characters Up to 79 characters
2.6.3 Bookmark Objects

The administrator is able to edit, delete and create new objects from this sub-section by double-clicking on a previously configured object or by selecting the New icon. Table 2.6.3: Configure > Objects > Bookmark Objects > Edit Address
Field Name
Disable Name Description Label
Field Type
Check box Text Text Text
Value Range
Enabled/Disabled Up to 19 characters Up to 79 characters Up to 19 characters
Description
A toggle for whether the configured bookmark object should be disabled or not. Default is unselected. A unique identifier for the bookmark object. The objects name must not begin with a number. A brief description of the bookmark object. A brief label for the bookmark object.
227
Table 2.6.3: Configure > Objects > Bookmark Objects > Edit Address
Bookmarks Object Icon Label Type URL Description Pulldown Pulldown Text Pulldown Text Text All defined bookmark objects None, Browser, Document, Email, Folder, Network, Web Up to 19 characters <cifs://>, <ftp://>, <ftps://>, <http://>, <https://> Up to 499 characters Up to 79 characters A selection for the previously defined bookmark object to be pooled in the definition. A selection to display a built-in icon for the bookmark. Enter a label for the bookmark object. The type of protocol used for the bookmark objects URL. The URL for the bookmark object. A brief description explaining the use of the additional bookmark object.
2.6.4 Encryption Objects

Encryption objects define encryption settings and are used when creating IPSec Objects. The Encryption Object list displays the name, type and description of all defined encryption objects. The administrator is able to edit, delete and create new objects from this sub-section by double-clicking on a previously configured object or by selecting the New icon. Table 2.6.4: Configure > Objects > Encryption Objects > Edit Encryption Object
Field Name
Disable Name
Field Type
Check box Text
Value Range
Description
A toggle for whether the configured encryption object should be disabled or not. Default is unselected. A unique identifier for the encryption object. It is recommended that the encryption objects Name includes the encryption algorithms used. The objects name must not begin with a number. A brief description of the encryption object. A selection for a user defined encryption object or a default encryption object. A selection for the encryption method to be used by the object. For an explanation on available encryption methods, see Encryption Methods.
Object
Description
Text Pulldown Pulldown
Up to 79 characters <???>, <USER DEFINED>, all defined objects. <none>, <null>, <Camilla>, <AES128>, <AES-192>, <AES-256>, <blowfish>, <des>, <3des>, <strong> <none>, <hmac-md5>, <hmac-sha1>, <hmac-sha2>, <all>
<any>, <DH Group 1>, <DH Group 2>, <DH Group 5>, <DH Group 14>, <DH Group 15>, <DH Group 16> Up to 79 characters
Encryption Method
Hash Algorithm
Pulldown
Key Group
A selection for the hash algorithm to be used by the object. For an explanation on available hash algorithms, see Hash Algorithms. A selection for the key group to be used by the object. For an explanation on key groups, see Key Group.
Pulldown
Description
Text
A brief description of the encryption object to identify multiple objects contained in an encryption object.
228
2.6.5 IPSec Objects

IPSec Objects are used when defining IPSec tunnels and user groups. The IPSec Object list displays the name and description of all defined IPSec Objects. IPSec Objects configure how incoming VPN connections will be negotiated by defining what client or VPN gateway initiation behavior should be accepted by your GTA firewall. Table 2.6.5: Configure > Objects > VPN Object
Field Name
Disable Name

Check box Text Enabled/Disabled Up to 19 characters
Description
A toggle for whether access to the VPN Object should be disabled or not. The Default is unselected. A unique identifier for the network connection, used to reference it elsewhere in the configuration. The objects name cannot begin with a number. A description used to further identify the use for the specific VPN Object. A selection for flexible (Main) or forced (Aggressive) negotiation of acceptable encryption algorithms for IKE. Aggressive mode is required if one component of the VPN has a dynamic (DHCP or PPP) IP address, such as with a dynamically addressed VPN gateway or mobile VPN client. A selection for the encryption object to be used during Phase I. Selecting * EDIT * allows for the editing of an existing or creation of a new encryption object. A selection for whether the NAT-Transversal (a method for circumventing IPSec NATing problems) should be forced. Default is <Automatic>. The length of time in minutes before the Phase I (IKE) security associations must be renewed. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection. The interval in seconds between checks for continued viability of the VPN connection (also known as dead peer detection). To disable DPD queries made by the firewall, set the interval to 0. The firewall will continue to respond to DPD signals from other VPN gateways and clients, but will not initiate any signals of its own. A selection for the encryption object to be used during Phase II. Selecting * EDIT * allows for the creation of a new encryption object. The length of time in minutes before the Phase II security associations must be renewed. This time must be smaller than the Lifetime value set for Phase I. Shorter times are generally more secure, but may reduce performance by adding renewal overhead time to the connection.
Description Phase I Exchange Mode
Text
Up to 80 characters
Pulldown
Main, Aggressive
Encryption Object
Pulldown
???, All defined encryption objects, *EDIT * <Automatic>, <Disable>, <Force> Up to 5 characters
Advanced NAT-T Lifetime Pulldown Text
DPD Interval
Text
Up to 5 characters
Phase II Encryption Object Pulldown ???, All defined encryption objects, * EDIT * Up to 5 characters
Advanced Lifetime Text
229
2.6.6 Service Groups

Service group objects are used when defining security policies and inbound tunnels. The Service Group object list displays the name, type and description of all defined service group objects. The administrator is able to edit, delete and create new objects from this sub-section. Additional service group objects can be pooled together in the Services section to create a broader definition. Table 2.6.6: Configure > Objects > Service Groups
Field Name
Disable Name Description Services Object Pulldown <???>, <USER DEFINED>, All defined service group objects <TCP>, <UDP>, <ICMP>, <IP> Up to 12 port and/or port ranges Up to 79 characters A selection for the service group object to be used.
Field Type
Check box Text Text
Value Range
Description
A toggle for whether the configured service group object should be disabled or not. Default is unselected. A unique identifier for the service group object. The objects name must not begin with a number. A brief description of the service group object.
Protocol Port(s) Description
Pulldown Text Text
If <USER DEFINED> has been selected, select the protocol to be added. If <USER DEFINED> has been selected, enter the port number manually. Port numbers can be entered individually (1,2,3,4,5) or as a pool (1-5). A brief description of the service.
2.6.7 Time Groups

The Time Group object list displays the name, type and description of all defined time group objects. Time Group objects can be used when creating security policies. The administrator is able to edit, delete and create new objects from this sub-section. Additional time group objects can be pooled together in the Time Groups section to create a broader definition. Table 2.6.7: Configure > Objects > Time Groups
Field Name
Disable Name Description Time Groups Object Pulldown <???>, <USER DEFINED>, all defined time group objects. 00:00-24:00 00:00-24:00 Enabled/Disabled A selection for the time group object to be used. Selecting a previously defined object allows for additional edits. If <USER DEFINED> has been selected, a selection for the start period of the time group. If <USER DEFINED> has been selected, a selection for the end period of the time group. If <USER DEFINED> has been selected, a toggle for the days of the week that the start and end times will be applied to the time group. Default is unselected.
Field Type
Check box Text Text
Value Range
Description
A toggle for whether the configured time object should be disabled or not. Default is unselected. A unique identifier for the time group object. The objects name must not begin with a number. A brief description of the time group object.
Start End Sun, Mon, Tue, Wed, Thr, Fri, Sat
Pulldowns Pulldowns Checkboxes
230
2.7 Reporting
The Reporting section allows the administrator to schedule executive reports and configure preferences for historical statistic graphs.
2.7.1 Summary
The Summary sub-section provides on overview of the current firewall modes configuration settings found in the Reporting section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.7.2 Preferences
The Preferences sub-section allows administrators to customize the colors for the Historical Statistics graphs displayed in the user interface and included in the Executive Reports. Edit the colors by entering the color Hex number or using the color picker.
2.7.3 Schedule
The Schedule sub-section allows administrators to schedule daily, weekly or monthly executive reports/ Table 2.7.3: Configure > Reporting > Schedule
Field Name
Disable Description Report Type Locale Advanced Reporting Options Check box Enabled/Disabled Data options for the scheduled report. Select the categories for which the report will display data and graphs. The frequency for which the scheduled report will run. Select the day of the week in which the scheduled report will run if frequency is set to weekly. Select the time of day at which the scheduled report will run. Pulldown Pulldown Executive Daily, Weekly, Monthly Yearly Default, English The type of report to be run. The type determines the time period for which report data is presented. The locale option determines the report language.
Field Type
Check box Text
Value Range
Description
A toggle for enabling or disabling the scheduled report. Default is unselected. A description for the scheduled report.
Schedule Frequency Day Time Email Subject To Text Pulldown Up to 255 characters The subject line for the report email. Address Objects, <USER DEFINED> The email(s) to which the scheduled report will be sent. Pulldown Pulldown Pulldown Daily, Weekly, Monthly Sunday- Friday 00:01 - 23.59
231
2.8 Security Policies

The Security Policies section allows the administrator to edit policies with the Policy Editor as well as adjust security preferences.
2.8.1 Summary
The Summary sub-section provides on overview of the current firewall modes configuration settings found in the Security Policies section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.8.2 Policy Editor

The Policy Editor sub-section allows the administrator to edit, delete or create new Inbound, Outbound, Pass Through, and VPN policies.
2.8.2.1-4 Inbound, Outbound, Pass Through, VPN (IPSec, L2TP, PPTP, SSL Client)
All security policies contain identical configuration options. To define a specific security policy, navigate to its appropriate screen. The administrator is able to edit, delete and create new policies. Table 2.8.2.1-5: Configure > Security Policies > Policy Editor > Security Policies
Field Name
Disable Description Type Interface Service Time Groups Source Address
Field Type
Check Cbox Text Pulldown Pulldown Pulldown Pulldown Pulldown
Value Range
Enabled/Disabled Up to 79 characters Accept, Deny <ANY>, all defined logical interfaces ???, all defined service group objects, * EDIT * ???, all defined time group objects, * EDIT * ???, <USER DEFINED>, <ANY_ IP>, all defined address objects of type All or Security Policy, * EDIT * ???, <USER DEFINED>, all defined interfaces and address objects of type All or Security Policy, * EDIT * Enabled/Disabled
Description
A toggle for whether or not the policy is to be used. Default is unselected. Description of the policy. A selection for the nature of the policy. Default is Deny. A selection for the interface to which the policy will apply. A selection for the service group object to be used by the policy. Selecting <*EDIT*> allows for the configuration of new object. A selection for the time group object to be used by the policy. Selecting <* EDIT*> allows for the configuration of new object. A selection for the source IP address of the policy. Selecting <USER DEFINED> will allow for the manual entry of the source address.
Destination Address
Pulldown
A selection for the destination IP address of the policy. Selecting <USER DEFINED> will allow for the manual entry of the destination address.
Advanced Broadcast Options Priority Pulldown <0> - <7> A value for the priority of the policy to be tagged in log messages. Check box A toggle for whether the Destination Address is a broadcast address or not. Default is unselected.
232
Table 2.8.2.1-5: Configure > Security Policies > Policy Editor > Security Policies
Action Alarm Email ICMP IPS Log Report SMS SNMP Trap Stop Interface Check box Check box Check box Check box Pulldown Check box Check box Check box Check box Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled <Default>, <Yes>, <No> Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled A toggle for whether or not the administrator should be notified if a policy alarm is triggered. Default is unselected. A toggle for whether or not the administrator should be notified by email if the policy is triggered. Default is unselected. A toggle for whether the policy should respond with ICMP unreachable or TCP reset if triggered. Default is unselected. A toggle for whether traffic on the security policy should be checked against configured IPS policies. Default is unselected. A selection for whether the action should be logged or not. <Default> is the value defined in Configure>Security Policies>Preferences. A toggle for whether or not the policy should be included in report data. A toggle for whether or not the administrator should be notified by SMS policy alarm if the policy is triggered. Default is unselected. A toggle for whether or not the administrator should be notified if an SNMP trap policy alarm is triggered. Default is unselected. A toggle for whether or not the administrator should be notified if a stop interface policy alarm is triggered. Default is unselected. A toggle for whether the source address should be coalesced or not. Default is unselected. A toggle for whether source ports should be coalesced or not. Default is unselected. A toggle for whether the destination address should be coalesced or not. Default is unselected. A toggle for whether the destination ports should be coalesced or not. Default is unselected.
Coalesce Source Address Source Ports Destination Address Destination Ports Check box Check box Check box Check box Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled
233
2.8.3 Preferences
The Preferences sub-section allows the firewall administrator to set global preferences to be applied to security policies. Table 2.8.3: Configure > Security Policies > Preferences
Field Name
Options Automatic Policies Check box Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Options include enabling the use of automatic policies and logging activity generated by them, as well as inclusion in report data. Always enabled. Options include generating alarms, emailing the administrator and logging activity when an alarm is tripped. Always enabled. Options include generating alarms, emailing the administrator, enabling ICMP and logging activity when an alarm is tripped. Options include enabling the ability to deny fragmented packets and logging activity generated by them. Always enabled. An option is available to log denied invalid packets. Always enabled. An option is available to log denied unexpected packets. Options include enabling Ident. Options include enabling the ability to have the firewall operate in stealth mode and logging activity generated by it. Options include enabling the ability the use of TCP SYN cookies and logging activity generated by them. Always enabled. An option is available to log policy blocks. Always enabled. An option is available to log tunnel opens. Always enabled. An option is available to log tunnel closes. Entering a value of zero (0) turns off coalescing. Default is 60. A toggle for whether log messages should be coalesced from similar source addresses or not. Default is selected. A toggle for whether log messages should be coalesced from similar source ports or not. Default is selected. A toggle for whether log messages should be coalesced from similar destination addresses or not. Default is selected. A toggle for whether log messages should be coalesced from similar destination ports or not. Default is selected.
Field Type
Value Range
Description
Deny Address Spoof Check box Deny Doorknob Twist Deny Fragmented Packets Deny Invalid Packets Check box Check box Check box Check box Check box Check box Check box Check box Check box Check box
Deny Unexpected Packets Ident Stealth Mode TCP SYN Cookies Policy Blocks Tunnel Opens Tunnel Closes Coalesce Interval Source Address Source Ports Destination Address Destination Ports
Text Check box Check box Check box Check box
Up to 5 characters Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled
234
2.9 Services
The Services section allows the administrator to enable and edit services such as DHCP, DNS, Dynamic DNS, Firewall Control Center, High Availability, Remote Logging and SNMP. Some of these services are optional on select GTA firewalls.
2.9.1 Summary
The Summary sub-section provides on overview of the current firewall modes configuration settings found in the Services section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.9.2 DHCP
The DHCP sub-section allows the administrator to edit, delete or create new DHCP address pools. Table 2.9.2a: Configure > Services > DHCP
Field Name
Enable

Check box Enabled/Disabled
Description
A toggle for whether or not the DHCP service should be used. Default is unselected.
Selecting New creates a new DHCP address range. Table 2.9.2b: Configure > Services > DHCP > Edit DHCP Address Range
Field Name
Disable Type

Check box Pulldown Text Text Text Text Text Text/Text/ Text Enabled/Disabled DHCPv4, DHCPv6 Up to 79 characters IP address IP address IP address Up to 5 characters Up to 5 characters/ Up to 2 characters/ Up to 2 characters IP address Up to 57 characters IP address IP address IP Address
Description
A toggle for whether the DHCP address range should be used or not. Default is unselected. Selection of DHCPv4 versus DHCPv6. A description of the IP address pool range. The first IP address of the pools range. The last IP address of the pools range. Subnet mask used to divide hosts into network groups. Default is 255.255.255.0. Only for IPv4 networks. Enter the prefix length for DHCPv6. The length of the lease, entered in day/hours/minutes. Default is 1 day, 0 hours, 0 minutes.
Description
Netmask
Ending Address
Beginning Address
Prefix Length
Lease Duration
Options Default Gateway Domain Name Name Server IP Address WINS Server IP Address Network Time Text Text Text Text Text Gateway given to DHCP clients. DNS domain name. IP address of the DNS that will be issued to the requesting client. Up to three DNSs can be assigned. IP address of the WINS server that will be issued to the requesting client. Up to three WINS servers can be assigned. IP address of the network time server that will be issued to the requesting client. Up to three network time servers can be assigned. The MTU size determines the greatest packet size that can be transmitted by the DHCP service. A value of 0 means the field is ignored.
Advanced MTU Text Up to 5 characters
235
Table 2.9.2b: Configure > Services > DHCP > Edit DHCP Address Range
Advanced Static Leases Disable Host Name IP Address MAC Address Description Check box Text Text Text Text Enabled/Disabled Up to 119 characters IP address Up to 17 characters Up to 159 characters IP address/ IP address A toggle for whether the configured static lease should be disabled or not. Default is unselected. The host name to be used by the static lease. The desired IP address to be statically leased to the host. The hosts MAC address. A description of the hosts static lease.
Exclusion Ranges Range Text/Text Define up to five address ranges to exclude from each DHCP range. To enter a single IP address, enter its value in both the beginning and ending address fields.
2.9.3 DNS
The DNS sub-section allows the administrator to configure the firewall as a primary Domain Name Server, maintaining a database of domain names and their corresponding IP addresses. Toggling between the DNS Proxy and DNS Server radio buttons will allow for the configuration of each. Table 2.9.3a: Configure > Services > DNS Proxy
Field Name
Name Servers External Enable IP Address Internal Enable IP Address Check box Text Text Enabled/Disabled IP address Up to 79 characters A toggle for whether the internal name server should be enabled or not. Default is unselected. The IP address of the internal name server. The primary domain name used for the network. Check box Text Enabled/Disabled IP address A toggle for whether or not the external name server should be enabled. Default is unselected. The IP address of the external name server.
Description
Primary Domain Name DNS Enable Service Advanced Automatic Policies
Check box Radio Button Check box
A toggle for whether or not the DNS service should be enabled. Default is unselected. To configure the DNS Proxy, select the DNS Proxy option. A toggle to have the DNS proxy automatically accept all policies. Default is selected.
Enabled/Disabled
236
Table 2.9.3b: Configure > Services > DNS Server

Field Name
Name Servers External Enable IP Address Internal Enable IP Address Check box Text Text Enabled/Disabled IP address Up to 79 characters A toggle for whether the internal name server should be enabled or not. Default is unselected. The IP address of the internal name server. Enter the primary domain name used for the network. Check box Text Enabled/Disabled IP address A toggle for whether the external name server should be enabled or not. Default is unselected. The IP address of the external name server.
Description
Primary Domain Name DNS Enable Service Advanced Automatic Policies DNS Server Server Names Secondary Server Names Forwarders
Check box Radio Button Check box
A toggle for whether the DNS service should be enabled or not. Default is unselected. To configure the DNS server, select the DNS Server option. A toggle to have the DNS proxy automatically accept all policies. Default is selected. The host name of your DNS server. The host names of DNS servers acting as alternate name servers for the domain. DNS servers that will be utilized as DNS forwarders. Networks or IP Addresses allowed for recursive DNS searches. The email contact for the DNS server.
Enabled/Disabled
Text Text Text/Text/ Text Pulldown
Up to 79 characters Up to 79 characters IP address/ IP address/ IP address ???, <USER DEFINED>, * EDIT *, all configured networks Up to 127 characters
Trusted Networks
Email Contact Advanced Subnets Reverse Zone Name Network IP Address
Text
Text Text
IP address IP address
The network IP address of the subnet. The reverse zone name of the subnet.
237
Clicking the New icon or the Press New to Create link in the Domains section will open the Edit DNS Domain screen. Table 2.9.3.2c: Configure > Services > Edit DNS Domain
Field Name
Disable Domain Name Description IP Address Mail Exchangers Hosts Disable RDNS IP Address Host Names Check box Check box Text Text Enabled/Disabled Enabled/Disabled IP address Up to 79 characters A toggle for whether the host entry should be disabled or not. Default is selected. A toggle for whether reverse DNS should be used by the entry or not. Default is unselected. The IP address of the host entry. Enter the primary host name in the first field and aliases in succeeding fields.

Check box Text Text Text Text Enabled/Disabled Up to 79 characters Up to 79 characters IP address Up to 79 characters
Description
A toggle for whether or not DNS Domain should be disabled. Default is unselected. The domain name of the defined zone. A description of the DNS domain. The IP address of a host to respond to the zone name. The mail exchangers for the DNS domain.
2.9.4 Dynamic DNS

The Dynamic DNS sub-section allows the administrator to automate the process of advising DNS servers when the automatically assigned IP address for a network device is changed, ensuring that a specific domain name always points to the correct machine. Table 2.9.4a: Configure > Services > Dynamic DNS
Field Name
Enable
Field Type
Check box
Value Range
Enabled/Disabled
Description
A toggle for whether or not Dynamic DNS should be used. Default is unselected.
Selecting New creates a new a new Dynamic DNS entry. Table 2.9.4b: Configure > Services > Dynamic DNS
Field Name
Disable Description Host Name Interface Service Login User Name Login Password
Field Type
Check box Text Text Pulldown Pulldown Text Text
Value Range
Enabled/Disabled Up to 79 characters Up to 79 characters All configured logical interfaces <DynDNS>, <ChangeIP> Up to 79 characters Up to 79 characters
Description
A toggle for whether the Dynamic DNS entry should be disabled or not. Default is unselected. A description of the Dynamic DNS entry. The host name of the service that will use Dynamic DNS. A selection for the logical interface for the Dynamic DNS entry. A selection for the Dynamic DNS service provider. An active account with the selected service provider is required. The login name for the selected Dynamic DNS service account. The login password for the selected Dynamic DNS service account.
238
2.9.5 High Availability

The High Availability sub-section allows the administrator to configure two systems to operate as a single virtual firewall, ensuring network access and security are maintained with minimum downtime. Table 2.9.5: Configure > Services > High Availability
Field Name
Enable Status VRID

Check box n/a Text Text Enabled/Disabled n/a Up to 2 characters Up to 3 characters
Description
A toggle for whether or not H2A - High Availability should be used. Default is unselected. An indication of the services status. Enter a value between 0 and 15 to uniquely identify the H2A group. All systems within the group must have the same VRID. Enter a value between 1 and 255. The firewall with the highest number and confirmed communications beacons will operate in Master mode and will process network traffic as the virtual firewall. Update the status of the H2A slave firewall. A toggle for whether automatic policies are used. A setting for how long a firewall will stay (in seconds in a mode during a HA transition, before probing its beacons. The name of the configured H2A firewall.
Priority
Update Slave Advanced Automatic Policies Settle Time
Button Check box Text
Update Enabled/Disabled Up to 5 characters
High Availability Interface Virtual IP Address Description Name n/a Pulldown Pulldown n/a n/a ???, all defined interfaces ???, all defined interfaces n/a The interface of the configured H2A firewall. The virtual IP address of the configured H2A firewall. A description of the configured H2A firewall.
2.9.6 Remote Logging

The Remote Logging sub-section allows the administrator to configure how and where log information is sent. Table 2.9.6: Configure > Services > Remote Logging
Field Name
Enable Syslog Server Advanced Binding Interface Pulldown <AUTOMATIC>, all defined interfaces and VLANs Syslog facility Syslog facility Syslog facility Address from which logging is sourced. Default is <AUTOMATIC>.

Check box Text Enabled/Disabled Up to 79 characters
Description
A toggle for whether or not the Remote Logging service should be used. Default is unselected. IP Address or host name of a system that will accept the remote logging data.
Facilities Policy Facility NAT Facility WWW Facility Pulldown Pulldown Pulldown Logs information associated with any policy that has logging enabled. Default is local1. Logs information associated with outbound packets. Default is local0. Logs all URLs accessed through the GTA firewall. Default is local2.
239
2.9.7 SNMP
The SNMP sub-section allows the administrator to manage IP devices, retrieving data from each device on a network and sending it to designated hosts. Table 2.9.7: Configure > Services > SNMP
Field Name
Enable Contact Information Location
Field Type
Check box Text Text
Value Range
Description
A toggle for whether or not the SNMP service should be used. Default is unselected. Email address of the administrator. User defined description of the location of the administrator. A toggle for whether or not the SNMP version 2 service should be used. Default is unselected. User defined description of community members. Doubles as a password. A toggle for whether or not the SNMP version 3 service should be used. Default is unselected. User name assigned separately from other user authorization names. Encrypted password assigned to the user name. Security level of the SNMP server. Default is AuthPriv.
Version 2 Configuration Enable Community Check box Text Enabled/Disabled Up to 59 characters
Version 3 Configuration Enable User ID Password Check box Text Text Pulldown Enabled/Disabled Up to 19 characters Up to 59 characters <AuthPriv>, <AuthNoPriv> Enabled/Disabled
Security Level Advanced Automatic Policies
Check box
A toggle for whether the firewall should automatically generate a set of policies to allow user of the SNMP service. If disabled, remote access policies must be defined. Default is selected.
240
2.10 Threat Management

The Threat Management section allows the administrator to enable and configure IPS, Mail Sentinel and Surf Sentinel.
2.10.1 Summary
The Summary sub-section provides an overview of the current firewall modes configuration settings found in the Threat Management section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.10.2 IPS
The IPS sub-section allows the administrator to enable and configure GB-OS Intrusion Prevention System.
2.10.2.1 Proxy
The Proxy sub-section allows the administrator to enable and configure IPS. Table 2.10.2.1 Configure > Threat Management > IPS > Proxy
Field Name
Enable Rule Set

Check box Pulldown Enabled/Disabled Default/Subscription
Description
A toggle for whether the Intrusion Protection proxy should be enabled or not. Default is unselected. A selection for the IPS rule set used by the IPS proxy. GTA Firewall UTM Appliances that do not have a valid GTA support contract use the default rule set.
Advanced Performance Tuning Networks External Protected N/A Pulldown N/A All defined address objects of type Network All defined address objects of type Network All defined address objects of type Network ???, <USER DEFINED>, all defined address objects of type Email, *EDIT* All defined address objects of type Network All defined address objects of type Network Any external IP the IPS applies to; not editable. A selection for the GTA Firewall UTM Appliances networks the IPS proxy should protect.
External Servers AIM Pulldown A selection for the address object that contains addresses of known AOL Instant Messenger servers.
Internal Servers DNS Email Pulldown Pulldown Defines IP of internal DNS servers. Defines IP of internal email servers.
SNMP Telnet
Pulldown Pulldown
Defines IP of internal SNMP servers. Defines IP of internal servers allowing telnet.
241
Table 2.10.2.1 Configure > Threat Management > IPS > Proxy
Web Pulldown All defined address objects of type Network All defined services All defined services All defined services All defined services All defined services All defined services Defines internal Web server IP address.
Services DNS FTP Email SSH Telnet Web Pulldown Pulldown Pulldown Pulldown Pulldown Pulldown Defines the DNS service. Defines the FTP service. Defines the email service. Defines the SSH service. Defines the telnet service. Defines the Web service.
2.10.2.2 Policies
The Policies sub-section allows for the configuration of Intrusion Protection policies. Table 2.10.2.2: Configure > Threat Management > IPS > Policies
Field Name
Filter Row Rows per Page Text Pulldown Up to 6 characters 50, 100, 500, all A selection for the row number that should be displayed. A selection for the number of rows to be displayed. Displaying 500 or more rows per page may impact browser performance.
Description
Advanced Column Column Filter Field Policies Enable Log Alarm Action Check box Check box Check box Pulldown Enabled/Disabled Enabled/Disabled Enabled/Disabled Drop, Pass, Reset A toggle for whether the selected IPS policy should be enabled or not. Default is unselected. A toggle for whether the selected IPS policy should be logged or not. Default is unselected. A toggle for whether the selected IPS policy should generate alarms if triggered or not. Default is unselected. A selection for the action to be performed by the IPS policy if triggered. <Drop> drops the packet, <Pass> passes the packet through the firewall, <Reset> responds to the start and end points of the connection with a reset packet. Pulldown Check box Pulldown Enable, Log, Alarm, Action, Name, ID, Group Enabled/Disabled Variable A selection for the column to filter. A toggle for whether the selected column should be filtered or not. Default is unselected. A selection for the value to be filtered according to the selected Column.
242
2.10.3 Mail Sentinel

The Mail Sentinel sub-section allows the administrator to enable and configure Mail Sentinel. Some of these services are optional on select GTA firewalls.
2.10.3.1 Proxy
The Proxy sub-section allows for the configuration of the Mail Sentinel proxy. Table 2.10.3.1: Configure > Threat Management > Mail Sentinel > Proxy
Field Name
Enable Connection Time Out Maximum Connections Advanced Options Automatic Policies Check box Enabled/Disabled A toggle for whether the firewall should automatically generate the required policies for the email proxy to function. Default is selected. Text Text Up to 5 characters Up to 5 characters The amount of time, in seconds, before the connection will time out. Default is 120. The number of simultaneously allowed connections. Default is 25.
Field Type
Check box
Value Range
Enabled/Disabled
Description
A toggle for whether the Mail Sentinel proxy should be enabled or not. Default is unselected.
2.10.3.2 Policies
The Policies sub-section allows for the configuration of Mail Sentinel policies. Table 2.10.3.2: Configure > Threat Management > Mail Sentinel > Policies
Field Name
Disable Description
Field Type
Check box Text Pulldown
Value Range
Enabled/Disabled Up to 79 characters <???>, all configured address objects of type Mail Sentinel, * EDIT * <Accept>, <Deny> ???, <USER DEFINED>, ANY_ IP, all configured address objects of type Mail Sentinel, * EDIT* ???, <USER DEFINED>, ANY_ IP, all configured address objects of type Mail Sentinel, * EDIT*
Description
A toggle for whether or not the Mail Sentinel policy should be used. Default is unselected. A brief description of the policys function. A selection for the email server to apply to the Mail Sentinel policy. Select <* EDIT *> to define a new address object. A selection for the nature of the policy. A selection for the source (sender) of the email. Select <* EDIT *> to define a new address object.
Email Server
Type Source Address
Pulldown Pulldown
Destination Address Pulldown A selection for the destination (recipient) of the email. Select <* EDIT *> to define a new address object.
243
Table 2.10.3.2: Configure > Threat Management > Mail Sentinel > Policies
Match Against MX Check box Enabled/Disabled A toggle for whether a DNS Mail Exchanger record query should be checked against the domain in the To: field, causing the email to be rejected if there is no match. Default is unselected. A toggle for whether the policy should be matched only if all email recipients contain the destination address. Default is unselected. A toggle for whether a Reverse DNS lookup on the remote host should be performed or not. If enabled, the connection will be refused if the lookup fails to match the hosts offered identity. Maximum size in kilobytes (KB) of email message to accept. The default, 0, allows any email message size. MAPS; a special DNS server that contains only reverse DNS entries of known spam servers. Default of custom MAPS objects may be specified. Select <* EDIT *> to define a new address object.
Match All Addresses Check box
Enabled/Disabled
Email To Block Reject if RDNS Fails Check box Enabled/Disabled
Maximum Size Mail Abuse Prevention System
Text Check box, Pulldown
Up to 8 characters Enabled/Disabled, All defined address objects of type Mail Sentinel, * EDIT *
Mail Sentinel Anti-Spam* Greylisting Enable Default USER DEFINED Deny Check box Radio Button Radio Button Text Enabled/Disabled Enabled/Disabled Enabled/Disabled Up to 5 characters A toggle for whether greylisting settings should be applied to the Mail Sentinel policy or not. Default is unselected. A selection for using default greylisting settings. Default is selected. A selection for using customized greylisting settings. Default is unselected. If USER DEFINED is selected, enter the amount of time, in seconds, before Mail Sentinel will accept a repeat connection from the originating mail server. Default is 20. If USER DEFINED is selected, enter the amount of time, in hours, until Mail Sentinel stops waiting for a repeat connection from the originating mail server. Default is 4. If USER DEFINED is selected, enter the amount of time, in hours, that Mail Sentinel will keep a record of the connection. Default is 36. A toggle for whether Mail Sentinel Anti-Spams categorization features should be enabled or not. Default is unselected. A toggle for whether email evaluated as confirmed spam should be rejected or not. Disabled by default. The score email must receive before being categorized as confirmed spam. Higher scores are more tolerant of spam-like qualities.
Expires
Text
Up to 5 characters
Time to Live
Text
Up to 5 characters
Categorization Enable Check box Enabled/Disabled
Confirmed Reject Advanced Threshold Text Up to 3 characters Check box Enabled/Disabled
244
Table 2.10.3.2: Configure > Threat Management > Mail Sentinel > Policies
Tag Quarantine Check box Text Check box, Pulldown Enabled/Disabled, Up to 39 characters Enabled/Disabled, All address objects of type Mail Sentinel Enabled/Disabled A toggle for whether confirmed spam should be tagged with the configured text string. A selection for an email address object that should receive quarantined (redirected) confirmed spam.
Suspect Reject Advanced Threshold Tag Quarantine Text Check box Text Check box, Pulldown Up to 3 characters Enabled/Disabled, Up to 39 characters Enabled/Disabled, All address objects of type Mail Sentinel Enabled/Disabled Enabled/Disabled The score email must receive before being categorized as suspected spam. Higher scores are more tolerant of spam-like qualities. A toggle for whether confirmed spam should be tagged with the configured text string. A selection for an email address object that should receive quarantined (redirected) suspect spam. Check box A toggle for whether email evaluated as suspected spam should be rejected or not. Disabled by default.
Mail Sentinel Anti-Virus* Enable Reject Advanced Tag Quarantine Check box Text Pulldown Enabled/Disabled, Up to 39 characters Enabled/Disabled, All defined address objects of type Mail Sentinel Up to 8 characters A toggle for whether email with known viruses should be tagged with the configured text string. A selection for an email address object that should receive quarantined (redirected) email with known viruses. Maximum size in kilobytes (KB) of email message to scan for viruses. If this value is lower than the Mail Sentinel policys Maximum Size, email may not be fully scanned for viruses. A value of 0 will scan any size email. Check box Check box A toggle for whether Mail Sentinel Anti-Virus should be enabled or not. Disabled by default. A toggle for whether email with known viruses should be rejected or not. Disabled by default.
Maximum Size
Text
*Optional feature requires purchase separately. Requires activation code.
245
2.10.4 Surf Sentinel

The Surf Sentinel sub-section allows the administrator to enable and configure Surf Sentinel. Some of these services are optional on select GTA firewalls.
2.10.4.1 Proxy
The Proxy sub-section allows for the configuration of the Surf Sentinel proxy. Table 2.10.4.1: Configure > Threat Management > Surf Sentinel > Proxy
Field Name
Traditional Proxy Enable Port Advanced Automatic Policies Check box Enabled/Disabled A toggle for whether the firewall should automatically generate the required policies for the email proxy to function. Default is selected. A toggle for whether the transparent proxy should be enabled or not. Default is unselected. A selection for the action to be performed should a users request be blocked. If <Use message> is selected for the Action, the entered message will be displayed. Default is Local policy denies access to Web page. If <Redirect to URL> is selected for the Action, the user will be directed to the entered URL. Check box Text Enabled/Disabled Up to 5 characters. A toggle for whether or not the Surf Sentinel proxy should be enabled. Default is unselected. The port through which the proxy will run. Default is 2784.
Field Type
Value Range
Description
Transparent Proxy Enable Block Action Action Message URL Pulldown Text Text <Use Message>, <Redirect to URL> Up to 159 characters Up to 127 characters Check box Enabled/Disabled
2.10.4.2 Policies
The Policies sub-section allows for the configuration of Surf Sentinel policies. Table 2.10.4.2: Configure > Threat Management > Surf Sentinel > Policies
Field Name
Disable Description
Field Type
Value Range
Enabled/Disabled Up to 79 characters/ ???, <USER DEFINED>, ANY_IP, all defined address objects of type All or Surf Sentinel, * EDIT * ???, Always, all defined time group objects, * EDIT * Enabled/Disabled
Description
A toggle for whether or not the Surf Sentinel policy should be used. Default is unselected. A brief description of the Surf Sentinel policy. If a request matches an element of the specified address object, the packet will be compared to the policy. Select <* EDIT *> to define a new address object.
Source Address
Time Group
Pulldown
A selection to apply a time group object to the Surf Sentinel Policy.
Advanced Authentication Required Check box A toggle for whether the user should require authentication or not. Default is unselected.
246
Table 2.10.4.2: Configure > Threat Management > Surf Sentinel > Policies
Destination Address Pulldown ???, <USER DEFINED>, ANY_IP, all defined address objects of type All or Surf Sentinel, * EDIT * Enabled/Disabled A selection for the destination address. If <USER DEFINED> is selected, enter the address manually. This field is useful if the administrator wishes to restrict access based on the destination. Select <* EDIT *> to define a new address object. A toggle for enabling or disabling filtering of https protocols. Default is disabled. Use the firewalls Allow list.
HTTPS Filtering
Check box
Content Filtering Facilities Local Allow List Pulldown All defined address objects of type All or Surf Sentinel All defined address objects of type All or Surf Sentinel Enabled/Disabled
Local Deny List Surf Sentinel*
Pulldown Check box
Use the firewalls Deny list. Use the Surf Sentinel categories list. Requires an optional Surf Sentinel subscription. Purchased separately. A toggle for whether ActiveX objects should be blocked or not. Default is unselected. A toggle for whether Java applets should be blocked or not. Default is unselected. A toggle for whether Javascript should be blocked or not. Default is unselected. A toggle for whether Unknown HTTP commands should be blocked or not. Default is unselected. Specify allowed Surf Sentinel categories. Switch a category from one list to the other by selecting the item and clicking the left or right arrow button. Surf Sentinel subscription must be enabled. Specify blocked Surf Sentinel categories. Switch a category from one list to the other by selecting the item and clicking the left or right arrow button. Surf Sentinel subscription must be enabled.
Content Blocking ActiveX Objects Java Javascript Unknown HTTP Commands Accept Check box Check box Check box Check box Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled
Surf Sentinel Categories* Selection Surf Sentinel Categories Surf Sentinel Categories
Deny
Selection
*Optional feature requires purchase separately. Requires activation code.
247
2.11 VPN
The VPN section allows the administrator to enable and configure VPN IPSec Tunnels and remote access options - the Mobile IPSec Client and SSL Browser and Client. Some of these services are optional on select GTA firewalls.
2.11.1 Summary
The Summary sub-section provides on overview of the firewalls configuration settings found in the VPN section. Links to containers pertaining to specific sections of the firewalls configuration are provided along the top of the screen. Containers and sub-containers can be expanded or collapsed to navigate through displayed data.
2.11.2 Certificates
The Certificates section allows for the creation and configuration of certificates. Table 2.11.2: Configure > VPN > Certificates
Field Name
Disable Name Description Certificate

Check box Text Text Radio Button Enable/Disable Up to 19 characters Up to 19 characters <Import>, <Generate>
Description
A selection to disable the certificate. Default is unselected. A unique identifier for the certificate. A brief description of the certificate. Selection to either import a certificate or generate a new certificate. Import will allow a certificate to be uploaded. A selection for the certificates type. <Certificate> generates a self signed certificate. <CA> creates a certificate authority. <CSR> creates a certificate for submission to a certificate authority. The certificates common name. This field is pre-populated with the administrators email address. The certificates country. The certificates state or region. The certificates state or region. The certificates organization. The certificates organizational unit. The valid duration of the certificate, in years. The certificates key size, in bits. Larger key sizes are more CPU intensive.
Generate Type Pulldown <Certificate>, <CA>, <CSR>
Common Name Email Address Country State/Region City/Locality Organization Duration
Text Text Pulldown Text Text Text Text Text Pulldown
Up to 127 characters Up to 127 characters Countries Up to 127 characters Up to 127 characters Up to 127 characters Up to 127 characters Up to 3 characters 512, 1024, 1536, 2048
Organizational Unit Key Size Import Certificate File Browse
Pulldown Button
<DER>, <PEM>, <PKCS #12> n/a Up to 127 characters
A selection for the certificates type. Select the button to browse the certificate files location. If the certificates file format is PKCS #12, enter the files associated password, if any. A selection for the certificates private keys type. Select the button to browse the certificates private keys location.
PKCS #12 Password Text Private Key File Browse Pulldown Button
<DER>, <PEM> n/a
248
2.11.3 Preferences
The Preferences section is used to configure IPSec options for the IPSec Client and Firewall. Table 2.11.3.1 Configure > VPN > Preferences
Field IPSec Advanced Automatic Policies Check box Enabled/Disabled A selection for enabling automatic policies for IPSec. Field Type Value Range Description
2.11.4 Remote Access

The Remote Access section allows for the configuration of the IPSec Client and SSL service.
2.11.4.1 IPSec
The IPSec sub-section allows for the configuration of the Mobile IPSec Client. Table 2.11.4.1 Configure > VPN > Remote Access > IPSec
Field Client Enable IPSec Object Local Network Check box Pulldown Pulldown Enabled/Disabled ???, *EDIT*, all configured IPSec Objects Enable or disable the IPSec Client. A selection for the IPSec Object to be used by the IPSec Client. Selecting <* EDIT *> allows for the configuration of a new IPSec Object. Field Type Value Range Description
Pool Network
???, <USER Select the host/subnetwork that should be accessible DEFINED>, All from the VPN. Select <* EDIT *> to define a new configured networks, address object. * EDIT * ???, <USER DEFINED>, All configured pool networks, * EDIT * Up to 127 characters IP Address IP Address Select the DHCP pool that will be assigned to connecting clients. Select <* EDIT *> to define a new address object. Domain assigned to the Mobile IPSec Client DNS server(s) pushed to IPSec Client. WINS server(s) pushed to IPSec Client.
Pulldown
Domain Name Name Server IP Address WINS Server IP Address Advanced
Text Text Text
Override Host Name Text
Up to 127 characters
Authentication Local Identity Method Pulldown
Allows an administrator to override default firewall host name, which is configured in Network Settings. Entry can be an IP address or a fully qualified host name.
IP Address, Domain, Firewalls identity used for mobile IPSec client Email Address, connections. Certificate Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled Enable or disable Hybrid + XAUTH authentication. Enable or disable pre-shared secret authentication. Enable or disable RSA authentication. Enable or disable RSA + XAUTH authentication.
Hybrid + XAUTH Pre-shared Secret RSA RSA + XAUTH
Check box Check box Check box Check box
249
Table 2.11.4.1 Configure > VPN > Remote Access > IPSec
Field Hybrid + XAUTH LDAPv3 RADIUS Enable Check box Check box Check box Text Enabled/Disabled Enabled/Disabled Enabled/Disabled Up to 4095 characters Enables LDAP users. Enables RADIUS users. Enable or disable the login banner message. Enter a message to be displayed upon logging into the IPSec Client. Field Type Value Range Description
Login Banner Message
2.11.4.2 L2TP
The L2TP sub-section allows for the configuration of L2TP remote access. Table 2.11.4.2 Configure > VPN > Remote Access > L2TP
Field Enable Interface Local Network Field Type Check box Pulldown Pulldown Value Range Enabled/Disabled ???, ANY, External, Protected Description Enable or disable L2TP. The interface in which to access connections.
???, <USER Select the host/subnetwork that should be accessible DEFINED>, All from the VPN. Select <* EDIT *> to define a new configured networks, address object. * EDIT * ???, <USER DEFINED>, All configured pool networks, * EDIT * IP Address IP Address Select the range IP address assigned to the host connecting to the L2TP server. The Pool Address must be in a logically different network than any network assigned to the firewall. Select <* EDIT *> to define a new address object. DNS server(s) pushed to L2TP. WINS server(s) pushed to L2TP.
Pool Network
Pulldown
Name Server IP Address WINS Server IP Address Authentication Radius
Text Text
Preshared Secret
Check box Check box
Enable or disable pre-shared secret authentication. Enable or disable Radius authentication. Requires Radius server and authentication for Radius configured on the firewall at Configure>Accounts>
Authentication.
Advanced Automatic Policies Check box Enabled/Disabled
Enable to create an automatic policy to TCP port 1723 and GRE connections to establish the L2TP session with the client.
250
Table 2.11.4.2 Configure > VPN > Remote Access > L2TP
Field MTU Time Out Field Type Text Text Value Range Up to 5 characters Up to 5 characters Description Define the Maximum Transmission Unit (MTU) assigned to the client. Default value is 1460. Define the number of seconds during which a connection will stay connected during periods of inactivity in the Time Out field. To prevent timing out on a connection, enter a value of 0. Select Chat to record dialing and login chat script conversations. Select LCP to record LCP conversations. Select Phase to record network phase conversations.
Debug Chat LCP Check box Check box Check box Enabled/Disabled Enabled/Disabled Enabled/Disabled
Phase
2.11.4.3 PPTP
The PPTP sub-section allows for the configuration of PPTP remote access. Table 2.11.4.3 Configure > VPN > Remote Access > PPTP
Field Enable Local Network Field Type Check box Pulldown Value Range Enabled/Disabled Description Enable or disable PPTP.
???, <USER Select the host/subnetwork that should be accessible DEFINED>, All from the VPN. Select <* EDIT *> to define a new configured networks, address object. * EDIT * ???, <USER DEFINED>, All configured pool networks, * EDIT * IP Address IP Address Select the range IP address assigned to the host connecting to the PPTP server. The Pool Address must be in a logically different network than any network assigned to the firewall. Default network is 192.168.75.0/24 Select <* EDIT *> to define a new address object. DNS server(s) pushed to PPTP. WINS server(s) pushed to PPTP.
Pool Network
Pulldown
Authentication Radius
WINS Server IP Address
Name Server IP Address
Text Text
Check box
Enabled/Disabled
Enable or disable Radius authentication. Requires Radius server and authentication for Radius configured on the firewall at Configure>Accounts>
Authentication.
Advanced
Automatic Policies Encryption MTU
Check box Pulldown Text
Enabled/Disabled None, 40 Bits, 56 Bits, 128 Bits, All Up to 5 characters
Enable to create an automatic policy to TCP port 1723 and GRE connections to establish the PPTP session with the client. Select the level of encryption to be used for the connection. Define the Maximum Transmission Unit (MTU) assigned to the client. Default value is 1460.
Table 2.11.4.3 Configure > VPN > Remote Access > PPTP
Field Time Out Field Type Text Value Range Up to 5 characters Description Define the number of seconds during which a connection will stay connected during periods of inactivity in the Time Out field. To prevent timing out on a connection, enter a value of 0. Select Chat to record dialing and login chat script conversations. Select LCP to record LCP conversations. Select Phase to record network phase conversations.
Debug Chat LCP Check box Check box Check box Enabled/Disabled Enabled/Disabled Enabled/Disabled
Phase
2.11.4.4 Preferences
The Preferences sub-section allows for the configuration Remote Access Preferences including alternative port options and SSL Browser customization. Table 2.11.4.4 Configure > VPN > Remote Access > Preferences
Field Alternative Port Enable Port Authentication LDAP RADIUS Check box Check box Pulldown Text Pulldown Enabled/Disabled Enabled/Disabled <None>, <Low>, <Medium>, <High>, <All> 5 - 1440 minutes <Disable>, <Enable>, <Force Use> Check box Text Enabled/Disabled Up to 5 characters Starts the SSL Browser service. Port through which browser access will be allowed. Default is TCP port 443. Enables LDAP users. Enables RADIUS users. Level of encryption to be used. See table below for more information. Define the timeout range. Default is 10 minutes. Force Use: requires users to use the virtual keyboard for logins to the browser interface; Enable: allows users to use or not use the virtual keyboard; Disable: turn off the virtual keyboard Allows the firewall to automatically create policies for SSL. Field Type Value Range Description
Advanced
Encryption Timeout Sessions Virtual Keyboard
Automatic Policies Enable Zone Source Address Check box Pulldown Pulldown Enabled/Disabled
<ANY>, <External>, Specifies the Zone which will be allowed to connect. <Protected>, <PSN> Options are External, Protected, and PSN. ???, <USER Specifies the source address allowed to connect. DEFINED>, All configured networks, * EDIT *
Customization Login Title Logo Text Upload Field
Up to 127 characters JPG, GIF, PNG; 100KB max; 32 x 32 pixels
Enter a customized title for the SSL Browser. Upload a logo to be displayed on the SSL login. Images must be 100 KB or less, JPEG, PNG, or GIF format.
252
Table 2.11.4.4 Configure > VPN > Remote Access > Preferences
Field Disclaimer Enable Message Characters Remaining Check box Text Field Enabled/Disabled Up to 4095 Characters Uneditable Enable the disclaimer message to appear upon login Enter a disclaimer, note or welcome to appear when users login to the SSL Browser. Character count field detailing the number of characters remaining for the disclaimer message. Maximum characters is 4095. Field Type Value Range Description
2.11.4.5 SSL Client

The SSL Client sub-section allows for the configuration the SSL Client. Table 2.11.4.5 Configure > VPN > Remote Access > SSL Client
Field Name
Enable Port Accessible Networks Client DHCP Network Domain Name Server IP Address WINS Server IP Address Advanced
Field Type
Value Range
Enabled/Disabled Up to 5 characters ???, <USER DEFINED>, All configured networks, * EDIT * ???, <USER DEFINED>, All configured networks, * EDIT * Up to 127 characters IP address IP address
Description
Starts the SSL Client Service. Port for SSL Client access. Default Local Protected Networks.
Pulldown
Default DHCP range of 192.168.72.0/24
Text Text Text
Domain assigned to SSL Client. DNS server(s) pushed to SSL Client. WINS server pushed to SSL Client.
Automatic Policies
Encryption Objects Lifetime
Check box Pulldown Text Check box Text
Enabled/Disabled All encryption objects Up to 5 characters Enabled/Disabled Up to 127 characters Enabled/Disabled Enabled/Disabled Enabled/Disabled Enabled/Disabled
Creates an auto policy based on SSL port. Encryption used for SSL. Re-key time. Allows duplicate certificates. Allows an administrator to override default firewall host name, which is configured in Network Settings. Entry can be an IP address or a fully qualified host name. Force all client connections via VPN. Use UDP instead of TCP for SSL connection. Disable to not use compression. Increase SSL logging for debug purposes.
Allow Duplicate CN
Override Host Name
Redirect Client Gateway UDP Use Compression Verbose Logging
Check box Check box Check box Check box
253
2.11.5 Site-to-Site
The Site-to-Site sub-section allows for the configuration of a VPN connection when used in conjunction with VPN and encryption objects. Table 2.11.5a: Configure > VPN > Site-to-Site
Field Name
Enable
Field Type
Check box
Value Range
Enabled/Disabled
Description
Enable or disable the site to site VPN.
Clicking the New icon or editing an existing Site-to-Site VPN will display the Edit Site-to-Site screen. Table 2.11.5b: Configure > VPN > Site-to-Site - IKE IPSec Key Mode
Field Name
Disable Description
Field Type
Value Range
Enabled/Disabled Up to 79 characters ???, all defined IPSec Objects, * EDIT * IKE, Manual
Description
A toggle for whether or not the IPSec tunnel should be disabled. Default is unselected. A brief description of the IPSec tunnel. A selection for the IPSec Object to be used by the IP Tunnel. Selecting <* EDIT *> allows for the configuration of a new VPN object. A selection for the IPSec Tunnels key mode. For an IKE IPSec Key Mode VPN connection, select <IKE>. A toggle for whether email notifications will be sent. A toggle for whether SMS notifications will be sent. A toggle for whether SNMP Trap notifications will be sent. A selection for the method of authentication. Default is RSA.
IPSec Object
Advanced IPSec Key Mode Notifications Email SMS SNMP Trap Authentication Method Pre-shared Secret Radio Buttons Pulldown/ Text RSA / Pre-shared Secrets Check box Check box Check box Enabled/Disabled Enabled/Disabled Enabled/Disabled Radio Buttons
<ASCII>, <HEX>/Up If Pre-shared secret is selected, the ASCII or HEX to 59 characters format value preshared secret as defined in the VPN. This same key needs to be entered in the GTA Mobile VPN Client when configuring the security policy. Enabled/Disabled Enabled/Disabled A toggle to enable failover. A toggle for whether keep alives should be sent to keep the connection alive or not. If enabled, GB-OS will send a keep alive packet every 20 seconds to maintain the connection. Default is unselected. A toggle for firewalls that are not compatible with unique policies. The type of interface for the local firewall that will serve as the VPN gateway. The IP address of the remote gateway. A selection for the identity of the tunnel. If <Domain Name> or <Email Address> are selected, enter the appropriate value in the corresponding text field. Available if authentication method is set to Pre-shared Secret.
Options Failover Send Keep Alives Check box Check box
Advanced Policy Compatibility Check box Enabled/Disabled
Gateway (A Primary field will always be available. A Secondary field will be available if Failover is enabled above.) Local Remote Identity Pulldown Text Pull down/ Text ???, <External>, <Protected> IP Address IP Address, Domain Name, Email Address / Up to 127 characters
Table 2.11.5b: Configure > VPN > Site-to-Site - IKE IPSec Key Mode
Local NAT Network Check box Pulldown Enabled/Disabled ???, <USER DEFINED>, all configured IP address objects of type All or VPN, * EDIT * IP Address, Domain Name, Email Address/Up to 127 characters Enabled/Disabled ???, <USER DEFINED>, all configured IP address objects of type All or VPN, * EDIT */Up to 31 characters A toggle for whether NAT should be applied to local VPN traffic or not. Default is unselected. Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. Select <* EDIT *> to define a new address object. A selection for the local identity of the tunnel. If <Domain Name> or <Email Address> are selected, enter the appropriate value in the corresponding text field.
Identity
Pulldown/ Text
Remote NAT Network Check box Pulldown/ Text A toggle for whether NAT should be applied to remote VPN traffic or not. Default is unselected. Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be just the part of the network to which access is desired. If <USER DEFINED> has been selected, enter the remote networks IP address manually. Select <* EDIT *> to define a new address object. Not available if NAT is enabled.
Table 2.11.5c: Configure > VPN > Site-to-Site - Manual IPSec Key Mode
Field Name
Disable Description
Field Type
Value Range
Enabled/Disabled Up to 79 characters ???, all defined IPSec Objects, * EDIT * IKE, Manual
Description
A toggle for whether or not the IPSec tunnel should be disabled. Default is unselected. A brief description of the IPSec tunnel. A selection for the IPSec Object to be used by the IP Tunnel. Selecting <* EDIT *> allows for the configuration of a new IPSec Object. A selection for the IPSec Tunnels key mode. For a Manual IPSec Key Mode VPN connection, select <Manual>. The type of interface for the local firewall that will serve as the VPN gateway. The IP address of the remote gateway. A selection for the identity of the tunnel. If <Domain Name> or <Email Address> are selected, enter the appropriate value in the corresponding text field. Available if authentication method is set to Pre-shared Secret. Select the host/subnetwork that should be accessible from the VPN. Typically this is the protected network or PSN. If <USER DEFINED> has been selected, enter the local networks IP address manually.
IPSec Object
Advanced IPSec Key Mode Radio Buttons
Gateway Local Remote Identity Pulldown Text Pull down/ Text ???, <External>, <Protected> IP Address IP Address, Domain Name, Email Address / Up to 127 characters
Local Network Pulldown ???, <USER DEFINED>, All configured IP address objects of type All or VPN, * EDIT *
255
Table 2.11.5c: Configure > VPN > Site-to-Site - Manual IPSec Key Mode
Remote Network Pulldown/ Text <USER DEFINED>, all configured IP address objects of type All or VPN/Up to 31 characters <ASCII>, <HEX>, Up to 59 characters Previously defined address object or an IP address of the network that resides behind the remote firewall. This can be only the part of the network to which access is desired. If <USER DEFINED> has been selected, enter the remote networks IP address manually. ASCII or hexadecimal format value encryption key as defined in VPN.
Manual
Encryption Key Hash Key
Pulldown/ Text Pulldown/ Text Text Text
Security Parameter Index (SPI) Inbound SPI Outbound SPI
<ASCII>, <HEX>/Up ASCII or hexadecimal format value hash algorithm for to 59 characters the authentication transformation. Up to 9 characters Up to 9 characters Default is 256. Default is 256.
256
Utilities
C
257
Reference C: Utilities
This chapter describes the utility software used in conjunction with your GTA Firewall UTM Appliance.
GBAuth
If authentication is required by a policy or tunnel, a user accessing the GTA Firewall UTM Appliance may use the GBAuth utility to authenticate themselves. This is done by entering the GTA Authentication, LDAP or RADIUS name and password into GBAuth before initiating a connection. To use authentication, both the desired authentication method and a user authentication remote access policy must be enabled and configured on the GTA firewall. GBAuth is a platform-independent, Java application. Install the software on the computer from which authentication will be used. As long as data is being exchanged, GBAuth automatically re-authenticates. To manually close GBAuth, either right-click on the system tray icon and select Close or click the Disconnect button. Note
All data is sent from GBAuth to the firewall via SSL.
Figure C.1: GBAuth
Using GBAuth for GTA Authentication

To use GTA Authentication: The authentication feature must be enabled on the GTA firewall. A user authentication remote access policy must be configured and enabled on the GTA firewall. Users must be created on the GTA firewall. Users must have the GBAuth client installed on their computer. To authenticate with the firewall using GBAuth, users enter values from Configure>Accounts>Authentication: 1. Enter the name or IP address of the firewall in the Firewall field, or if previously entered, they can select it from the pulldown menu. 2. Enter the users identity in email format in the Identity field, or if previously entered, they can select it from the pulldown menu. 3. Click the Connect button. 4. If you are authenticating for the first time, or if the SSL certificate was recently changed, a security alert may appear. If you know the certificate is correct, click Yes. 5. The cursor will move to the Response field. Enter the password from Configuration>Accounts> Authentication, and click Connect. Should the identity or password not be recognized, an Authentication Failed notice will appear. If the information is correct, the unlocked padlock icon will replace itself with a locked padlock icon, indicating that other actions can now be performed, e.g., initiating a VPN connection through the firewall.
259
Table C.1: GBAuth for GTA Authentication

Field Name
Firewall Identity
Description
Name or IP address of the GTA firewall. Login data provided to the user: the value from the Users Identity field. The field allows up to 127 characters and is case sensitive. N/A Alphanumeric password from the Users Password field under Authentication.
Challenge Response
Using GBAuth for LDAP Authentication

To use LDAPv3 Authentication: The Authentication and LDAPv3 features must both be enabled on the GTA firewall. A user authentication remote access policy must be configured on the GTA firewall. The LDAP server must be configured with users, domains and passwords. Users must have the GBAuth client installed on their computer. To authenticate with the firewall using LDAP, users enter values from Configure>Accounts>Authentication: 1. Enter the name or IP address of the firewall in the Firewall field, or if previously entered, they can select it from the pulldown menu. 2. Either the cn and ou identifier plus the value in the users Identity field using the format User Name. 3. Click the Connect button. 4. The cursor will move to the Response field. Enter the userss password from the LDAP server. Should the identity or password not be recognized, an Authentication Failed notice will appear. If the information is correct, the unlocked padlock icon will replace itself with a locked padlock icon, indicating that other actions can now be performed, e.g., initiating a VPN connection through the firewall. Table C.2: GBAuth for LDAP Authentication
Field Name
Firewall Identity
Description
Name or IP Address of the GTA firewall. Login data provided to the user: cn (common name) and ou (organizational unit) combined. Do not enter the cn= identifier, this will be prepended when the data is sent to the LDAP server. The field allows up to 127 characters and is case sensitive. N/A Alphanumeric password specified for the user on the LDAP server.
Challenge Response
260
Using GBAuth for RADIUS Authentication

To use RADIUS Authentication: The Authentication and RADIUS features must both be enabled on the GTA firewall. A user authentication remote access policy must be configured on the GTA firewall. The RADIUS server must be configured. Users must have the GBAuth client installed on their computer. To authenticate with the firewall using RADIUS: 1. Enter the name or IP address of the firewall in the Firewall field, or if previously entered, they can select it from the pulldown menu. 2. Enter the RADIUS identity. 3. Click the Connect button. 4. The cursor will move to the Response field. Enter the users password from the LDAP server. Should the identity or password not be recognized, an Authentication Failed notice will appear. If the information is correct, the unlocked padlock icon will replace itself with a locked padlock icon, indicating that other actions can now be performed, e.g., initiating a VPN connection through the firewall. Table C.3: GBAuth for RADIUS Authentication
Field Name
Firewall Identity
Description
Name or IP Address of the GTA firewall. Login data provided to the user, specified on the RADIUS server. The field allows up to 127 characters and is case sensitive. N/A Alphanumeric pre-shared secret (password) specified for the user in the RADIUS section of Authentication. This field is case sensitive.
Challenge Response
261
GTA SSOAuth
If authentication is required by a policy or tunnel, a user may authenticate through use of the GTA SSOAuth service. To utilize the GTA SSOAuth service, install the service and configuration utility on all Active Directory servers (up to three) in the domain on which the service will be utilized. In order to make a secure connection between the firewall and the GTA SSOAuth service, all Active Directory servers must have a valid SSL certificate. It is required that each servers SSL certificate be imported into the GTA Firewall UTM Appliance. Repeat this process for configuring each additional GTA SSOAuth service, as necessary, on up to three Active Directory servers. When a user attempts to login using an enabled authentication policy, the firewall will contact each configured GTA SSOAuth service until a matching IP address is found for the client machine. If the IP address is associated with a vaild domain user, the users group and user name are provided to the firewall. The firewall then checks the groups configured security policies to determine whether or not the user is allowed access to the client machine. Note
All data is sent between the GTA SSOAuth service and the firewall is encrypted via SSL.
The GTA SSOAuth configuration utility has the ability to easily start/stop the GTA SSOAuth service and to apply configuration changes. Caution
Applying configuration changes will stop and restart the GTA SSOAuth service, which will purge the database of authenticated domain users. The database will repopulate automatically as domain users authenticate.
Note
For GTA SSOAuth requirements and installation, refer to Chapter 3: Advanced Setup Tasks.
Using Active Directory Single Sign-On

To use Active Directory Single Sign-On Authentication and the Active Directory Single Sign-On features must both be enabled on the GTA firewall. A user authentication remote access policy must be configured on the GTA firewall. A Single Sign-On server must be configured. To authenticate with the firewall using Active Directory Single Sign-On: 1. A user authenticates by logging onto the Windows Active Directory domain using a client machine. 2. Any access through the firewall (using a policy that requires authentication) is then verified by the GTA SSOAuth service to validate the domain users access.
262
Figure C.2: GTA SSOAuth
Table C.4: Active Directory Single Sign-On Authentication

Field Name
Mode
Description
GTA SSOAuth service operates in two modes, either Server or Client. Client mode can only be utilized if more than one Active Directory server is running GTA SSOAuth. Server mode allows firewalls to connect directly to the Active Directory server to query its database of authenticated domain users. When a direct connection between the Active Directory server and the firewall is not available, client mode is utilized. Client mode will connect to a GTA SSOAuth service running in server mode to propagate domain authentication information. The amount of time an authenticated domain user remains in the GTA SSOAuth database before requiring the user to reauthenticate with the domain. The SSL port the GTA SSOAuth service uses for firewall and GTA SSOAuth client connections. The address of a GTA SSOAuth service running in server mode. Starts or stops the GTA SSOAuth Service. Exports the Active directory server certificate. If not highlighted, this indicates the Active Directory server certificate may not be valid. Show Contents in the Event Log: Exports current database to the Windows Event log. Clear: Clears the entire authenticated user database. Clearing the database may force users to re-login to their systems.
Valid Duration Port Server (Client mode only) Service Certificate Database
263
Upgrading
D
265
Upgrading to GB-OS 6.0

In order to determine what upgrade path is required for upgrading to GB-OS 6.0, you must first establish the version from which you will be upgrading. To do so, login to your GTA firewall using the Web interface. Upon logging in, you will be prompted with an opening screen. Located in the center of the screen is the version number.
Figure D.1: Locating the GB-OS Version Number in GB-OS 3.x (left) and GB-OS 4.0 (right)
Based on the version of GB-OS your GTA firewall is currently running: If the version number is 5.2.0 - 5.4.x follow the instructions in Upgrading from GB-OS 5.2.0 - 5.3.x. If the version number is 3.7.3, 4.0.6 - 5.1.5, follow the instructions in Upgrading from GB-OS 3.7.3, and GB-OS 4.0.6 - 5.1.5. If the version number is 4.0.0 - 4.0.5, follow the instructions in Upgrading from GB-OS 4.0.0 - 4.0.5. If the version number is 3.4.0 - 3.7.2, follow the instructions in Upgrading from GB-OS 3.4.0 - 3.7.2. Upgrading from versions prior to GB-OS 3.4 is not supported. Note
GTA recommends to read and review the Upgrade Notes section of this reference before upgrading a GTA Firewall UTM Appliance to avoid complications during the upgrade process.
Note
Test mode configuration data is reset to default when upgrading runtimes.
Reference D: Upgrading
267
Upgrading from GB-OS 5.2.0 - 5.4.x

GTA routinely publishes updates to GB-OS. These updates provide new features and enhanced security options. When GTA publishes an update to GB-OS, availability will be announced at Configure>Configuration>Runtime>Update in the Available Update(s) section. In order to check for available updates, GB-OS requires that the firewall is registered in the GTA Online Support Center, that the firewall has access to the Internet and that SSL connections are allowed. Version updates may be available only to firewalls covered by a valid support contract. Note
Updating the GB-OS runtime always takes place as a Live Mode change.
Caution
Some GB-250 Rev B firewalls require a BIOS Update before updating to GB-OS 5.3.0 or higher. If the BIOS version is not v0.99h or higher, the BIOS may need to be updated. Please read the BIOS Update Information page if you are updating a GB-250 Rev B system. Additionally, GB-250 Rev B systems should be on slice 2 when updating.
To check for and install updates to GB-OS: Navigate to Configure>Configuration>Runtime>Update. In the Available Update(s) section, click the Check Now button. If an update is available, installation notes and an Install button will appear for the update.
Figure D.2: Updating GB-OS
Updating Runtimes
GB-250, GB-800, GB-820, GB-2000, GB-2100, GB-2500, and GB-3000 firewall appliance families running GB-OS 5.2.0 and above will have a two step process for updating runtimes. 1. Download the available runtime by clicking Download. The runtime will be stored on the firewall until installed. Rebooting the firewall or selecting Check now will remove the stored runtime. 2. Install the runtime by clicking Install.
Figure D.3: Download Runtime
Figure D.4: Install Runtime
268
Scheduling Checks for Automatic Updates

GB-OS can automatically check for eligible software updates. By enabling automatic updates, administrators can rest assured knowing their GTA Firewall UTM Appliance is operating the most current available version of GB-OS. To schedule automatic runtime updates, navigate to Configure>Configuration>Runtime>Update.
Figure D.5: Scheduling Automatic Updates
Table D.1: Scheduling Automatic Updates

Field
Schedule Update Check Enable Frequency Day Time Select the Enable checkbox to schedule automatic runtime updates. Select the frequency that GB-OS will check for updates. Options are Daily and Weekly. Select the day that GB-OS will check for updates. Select the time that GB-OS will check for updates.
Description
269
Performing a Manual Software Update

If a new version of GB-OS has been indicated at Configure>Configuration>Runtime>Update, administrators can log into the GTA Support Center (https://www.gta.com/support/center/) to download the runtime. If available updates cannot be applied to the firewall, contact the GTA Sales staff (sales@gta.com) or your local GTA Channel Partner for information on support contracts.
Step 1: Generate GB-OS 6.0 Feature Activation Codes

In order to upgrade your version of GB-OS to version 6.0, first you must generate GB-OS 6.0 feature activation codes from the GTA Online Support Center (https://www.gta.com/support/center/). Login to the GTA Online Support Center and navigate to the View Products page. The View Products page displays all products registered with GTA. If your firewall is eligible for the upgrade, an Upgrade to 6.0.0 link will be available in the Action row. Click the link to generate the GB-OS 6.0 feature activation code(s). Now that the GB-OS 6.0 feature activation codes have been generated, they must be loaded into the firewalls configuration.
Step 2: Load GB-OS 6.0 Feature Activation Codes Into the Configuration
Login to your firewall using an administrative account and copy the feature activation code(s) and paste them into the Features screen (Basic Configuration>Features). Do not paste the feature activation code(s) over any previously entered codes, they should be entered into a blank line. Once entered, click the Save button. If entered correctly, the rows description should say ???? GB-X 6.0 - Registered, where X is your GTA firewalls model number. Now that the GB-OS 6.0 feature activation codes have been loaded into the firewalls configuration, the GB-OS 6.0 runtime file must be uploaded.
Step 3: Upgrade to GB-OS 6.0

After the GB-OS 6.0 feature activation codes have been successfully inserted into the firewalls configuration, you may upgrade the firewall to GB-OS 6.0. To obtain the GB-OS 6.0 runtime, login to the GTA Online Support Center (https://www.gta.com/support/ center/) and navigate to Downloads>System Software. Select the appropriate GB-OS 6.0 runtime for your firewall (e.g., if you are upgrading a GB-2000e, select the GB-2000 Firewall Family runtime file saved for your operating system under the 6.0 section). Download and extract the runtime file to an easy to remember location on your workstation, such as the desktop (if you are running Microsoft Windows, the runtime will extract to C:\Program Files\GTA\GB-X-6.0\GB-X-60.rtm, where X is the GTA firewalls model number). Next, login to your GTA firewall using an administrative account and navigate to Configure>Configuration> Runtime>Update and click the Advanced tab. In the Runtime section, click the Browse button and select the runtime. The file will have an extension of .rtm. Select Upload to upload the runtime file. GB-OS will then validate the file. If it is valid, the system will install it.
Figure D.6: Manually Updating Your Firewalls Software
270
Upgrading from GB-OS 3.7.3, and GB-OS 4.0.6 - 5.1.5

Upgrading from GB-OS 3.7.3, or GB-OS 4.0.6 - 5.1.5 is a two step process. To upgrade to GB-OS 6.0 you must: 1. Upgrade to GB-OS 5.2 2. Upgrade to GB-OS 6.0

1.1: Generate GB-OS 5.2 Feature Activation Codes
Login to the GTA Online Support Center and navigate to the View Products page. The View Products page displays all products registered with GTA. If your firewall is eligible for the upgrade, an Upgrade to 5.2.x or 5.3.x link will be available in the Action row. Click the link to generate the GB-OS 5.2 feature activation code(s). Now that the GB-OS 5.3 feature activation codes have been generated, they must be loaded into the firewalls configuration.
1.2: Load GB-OS 5.2 and 5.3 Feature Activation Codes Into the Configuration
Login to your firewall using an administrative account and copy the feature activation code(s) and paste them into the Features screen (Basic Configuration>Features). Do not paste the feature activation code(s) over any previously entered codes, they should be entered into a blank line. Once entered, click the Save button. If entered correctly, the rows description should say ???? GB-X 5.2 - Registered, where X is your GTA firewalls model number. Now that the GB-OS 5.2 feature activation codes have been loaded into the firewalls configuration, the GB-OS 5.2 runtime file must be uploaded.
1.3: Upgrade to GB-OS 5.2

After the GB-OS 5.2 feature activation codes have been successfully inserted into the firewalls configuration, you may upgrade the firewall to GB-OS 5.2. To obtain the GB-OS 5.2 runtime, login to the GTA Online Support Center (https://www.gta.com/support/ center/) and navigate to Downloads>System Software. Select the appropriate GB-OS 5.2 runtime for your firewall (e.g., if you are upgrading a GB-2000e, select the GB-2000 Firewall Family runtime file saved for your operating system under the 5.2 section). Download and extract the runtime file to an easy to remember location on your workstation, such as the desktop (if you are running Microsoft Windows, the runtime will extract to C:\Program Files\GTA\GB-X-5.2\GB-X-52.rtm, where X is the GTA firewalls model number). Next, login to your GTA firewall using an administrative account and navigate to Administration>Upload Runtime. Browse to the downloaded runtime file and select the Submit button. The GTA firewall will then validate the runtime file. If the file is valid, the system will install it and reboot. Your firewall is now running GB-OS 5.2 and can now be upgraded to GB-OS 5.3.

Go to Upgrading from GB-OS 5.2.0 Through 5.4.x to finish the upgrade process.
271
Upgrading from GB-OS 4.0.0 - GB-OS 4.0.5

Upgrading from GB-OS 4.0.0 - 4.0.5 to GB-OS 6.0 is a three step process. To upgrade to GB-OS 6.0 you must: 1. Upgrade to GB-OS 4.0.6. 2. Upgrade to GB-OS 5.2. 3. Uprgade to GB-OS 6.0.
Step 1: Upgrade to GB-OS 4.0.6

To obtain the GB-OS 4.0.6 or above runtime, login to the GTA Online Support Center (https://www.gta. com/support/center/) and navigate to Downloads>System Software. Select the appropriate GB-OS runtime for your firewall (e.g., if you are upgrading a GB-2000e, select the GB-2000 Firewall Family runtime file saved for your operating system under the 4.0 section). Download and extract the runtime file to an easy to remember location on your workstation, such as the desktop (if you are running Microsoft Windows, the runtime will extract to C:\Program Files\GTA\GB-X-4.0.6\GB-X-406.rtm, where X is the firewalls model number). Now that the GB-OS 5.3 feature activation codes have been generated, they must be loaded into the firewalls configuration. Next, login to your GTA firewall using an administrative account and navigate to Configure>Import/Export. Under the Runtime section, click the Browse button and select the runtime. Select Upload to upload the runtime file. If the file is valid, the system will install it and reboot. Your GTA Firewall Appliance has now been upgraded to GB-OS version 4.0.6. Next, GB-OS 5.2 feature activation codes must be entered.
Figure D.7: Upgrading to GB-OS 4.0.6
Step 2: Upgrade to GB-O 5.2

Go to Upgrading from GB-OS 3.7.3, and GB-OS 4.0.6 - 5.1.7 to finish the upgrade process.
272
Upgrading from GB-OS 3.4.0 - 3.7.2

Upgrading from GB-OS 3.4.0 - 3.7.2 to GB-OS 6.0 is a three step process. To upgrade to GB-OS 6.0 you must: 1. Upgrade to GB-OS 3.7.3 2. Upgrade to GB-OS 5.2 3. Upgrade to GB-OS 6.0
Step 1: Upgrade to GB-OS 3.7.3

1.1: Generate GB-OS 3.7 Feature Activation Codes
Note
If the GTA firewall is running GB-OS 3.7.0, 3.7.1, or 3.7.2, skip to step 1.3.
Login to the GTA Online Support Center and navigate to the View Products page. The View Products page displays all products registered with GTA. If your firewall is eligible for the upgrade, an Upgrade to 3.7.3 link will be available in the Action row. Click the link to generate the GB-OS 3.7 feature activation code(s). Now that the GB-OS 3.7 feature activation codes have been generated, they must be loaded into the firewalls configuration.
1.2: Load GB-OS 3.7 Feature Activation Codes Into the Configuration
Login to your firewall using an administrative account and copy the feature activation code(s) and paste them into the Features screen (Basic Configuration>Features). Do not paste the feature activation code(s) over any previously entered codes, they should be entered into a blank line. Once entered, click the Save button. If entered correctly, the rows description should say ???? GB-X 3.7 - Registered, where X is your GTA firewalls model number. Now that the GB-OS 3.7 feature activation codes have been loaded into the firewalls configuration, the GB-OS 3.7.3 runtime file must be uploaded.
Figure D.8: Successful Feature Activation
1.3: Upgrade to GB-OS 3.7.3

After the GB-OS 3.7 feature activation codes have been successfully inserted into the firewalls configuration, you may upgrade the firewall to GB-OS 3.7.3. To obtain the GB-OS 3.7.3 runtime, login to the GTA Online Support Center (https://www.gta.com/ support/center/) and navigate to Downloads>System Software. Select the appropriate GB-OS 3.7.3 runtime for your firewall (e.g., if you are upgrading a GB-2000e, select the GB-2000 Firewall Family runtime file saved for your operating system under the 3.7.3 section). Download and extract the runtime file to an easy to remember location on your workstation, such as the desktop (if you are running Microsoft Windows, the runtime will extract to C:\Program Files\GTA\GB-X-3.7.3\GB-X-37.rtm, where X is the GTA firewalls model number).
273
Next, login to your GTA firewall using an administrative account and navigate to Administration>Upload Runtime. Browse to the downloaded runtime file and select the Submit button. The GTA firewall will then validate the runtime file. If the file is valid, the system will install it and reboot. Your firewall is now running GB-OS 3.7.3 and and can now be upgraded to GB-OS 5.2.
Figure D.9: Upgrading to GB-OS 3.7.3

Go to Upgrading from GB-OS 3.7.3, and GB-OS 4.0.6 - 5.1.5 to finish the upgrade process.
274
Upgrade Notes
The following are noted issues that may occur when upgrading to GB-OS 6.0.
Re-sizing Slices and Runtime Upgrades

In order to support the new features in GB-OS 6.0, some firewalls may require partition re-sizing during the upgrade process. Upon re-sizing, both runtime slices will have GB-OS 6.0, and firewall administrators WILL NOT be able to revert to previous runtimes via the Console or Web interface. Caution
GTA strongly recommends backing up current firewall configurations PRIOR to upgrading. Firewalls requiring re-sized partitions will take approximately 5-8 minutes to reboot and fully update once the runtime has been applied. DO NOT switch off or reboot the firewall during this process.
Error Messages Upon Initial Reboot

Upon rebooting after successful installation, the GTA Firewall UTM Appliance may display errors when accessed using the Web interface. This is expected, these errors are generated because the browsers cache is trying to access files and locations that no longer apply. Click OK to any displayed errors and refresh the browser window to access GB-OS 6.0. If the error messages persist, clear your browsers cache.
Default Login and Password Changes

Firewall administrators who have never changed their default login and password in the Admin Accounts section of GB-OS 3.x will find that their default accounts login information will no longer work with GB-OS 6.0. After the firewall administrator has upgraded to GB-OS 6.0, their login and password will both default to fwadmin. Caution
GTA recommends changing the default user ID and password to prevent unauthorized access. Passwords can be changed after logging in.
Remote Administration Policy Compatibility in GB-OS 6.0.3 and Above

Upgrading to GB-OS 6.0.3 and above, from GB-OS 6.0.2 and below, may result in remote administration certificate errors. These errors may prevent web administration of the firewall via Firefox or Google Chrome and some other browsers. A connection error or SSL error will be displayed in the web browser. GTA recommends resolving all certificate errors, but remote administration settings can be preserved by enabling Policy Compatibility at Configure>Accounts>Remote Administration>Advanced via Internet Explorer or Safari or through the Console interface at Configure>Accounts>Remote Administration. For more details and additional certificate error troubleshooting, see the GB-OS Certificate Management guide. Through the Console interface, the firewalls built in certificate may also be regenerated and set as the remote administration certificate. See the Console Guide for more information on creating a new certificate on the console.
GB-250 Upgrade Notice

GB-250 Firewall UTM Appliances may reboot multiple times, and may install GB-OS 6.0 on both memory slices during the upgrade process. It is important that administrators do not shut down their firewall when upgrading to GB-OS 6.0. If GB-OS 6.0 is installed on both memory slices, it will not be possible to revert back to the previously installed version of GB-OS.
275
IPSec Object Upgrade Notice GB-OS 5.4.2 and Above

When upgrading to GB-OS 5.4.2 and above, all firewalls using SHA-2, with keys larger than 128, will need to be upgraded. If unable to upgrade, firewalls must be switched to a compatible algorithm.
Firewall Controll Center (FWCC) No Longer Supported

With the release of GB-OS 6.0, GTAs Firewall Control Center (FWCC) will no longer be supported and will be removed from the firewall interface for all products.
Corrupt Object Names and Descriptions

GB-OS 6.0 uses the UTF-8 character set, wherein the past previous versions of GB-OS allowed administrators to select the character set according to their locale. When upgrading to GB-OS 6.0, it is necessary to match your Web browsers character set with the character set used by GB-OS. In GB-OS 3.x, the default character set is set at Basic Configuration>Preferences. In GB-OS 4.0, the default character set is set at Configure>Accounts>Preferences. Note
Consult your Web browsers documentation for information on how to match the character set with the character set used by GB-OS 3.x or GB-OS 4.0.
Static Gateway to Static Gateway VPN Failure

Firewall administrators that have a configured VPN between two static gateways may find that their VPN no longer functions after they have upgraded to GB-OS 6.0 from GB-OS 3.x. This is caused when the firewall administrator had a local identity configured in the Authorization>VPN section of GB-OS 3.x on their GTA firewall before it was upgraded to GB-OS 6.0. GB-OS versions prior to GB-OS 4.0 ignored this field when a static gateway to static gateway VPN was configured; in GB-OS 4.0 and above, the local identity is recognized and can result in a failure when a VPN connection previously worked. To correct this issue, navigate to Configure>VPN>IPSec Tunnels and edit the IPSec tunnel in question by setting the local identity to <IP Address>.
Restrictive VPN Configurations

When upgrading to GB-OS 6.0 from GB-OS 3.x, firewall administrators may need to rebuild their VPN policies. In versions of GB-OS 3.x, VPN access was controlled using pass through filters. In GB-OS 4.0 and above, VPN access is controlled using VPN policies which allow all VPN traffic by default. Firewall administrators who have upgraded to GB-OS 6.0 from GB-OS 3.x will need to manually recreate any restrictive VPN policies.
276
Naming Conventions
When upgrading to GB-OS 6.0 from GB-OS 3.7 or earlier, previously defined objects will have their names changed and may affect automatically generated user group names.
User Group Names and Assignments

When upgrading to GB-OS 6.0 from GB-OS 3.x, users will automatically be organized into groups based on the name of the their VPN object. For example, a user that made use of a VPN object with a name of Marketing Department will be assigned to a group named Group Marketing Department, while a user that made use of a VPN object with the name of MOBILE will be assigned to a group named Group MOBILE. Users that have no VPN object assigned to them will be organized into groups based on the GB-OS version that the administrator is upgrading from, such as Users_370.
VPN Object Names

Previously defined VPN objects will have the GB-OS version number appended to their name after the GTA firewall has been upgraded to version 6.0 from GB-OS 3.x. For example, a VPN object with a name of IKE in GB-OS 3.7.0 will be named IKE_370 after the upgrade.
Address Object Identification

Previously defined address objects that were of type IP Addresses will be re-categorized as being of type All after the GTA Firewall UTM Appliance has been upgraded to GB-OS 6.0 from GB-OS 3.x.
277
Log Messages
278
Reference E: Log Messages

By default, firewall log messages are kept locally on the firewall. If you have enabled remote logging, log messages may also be sent to an external log. External logging can provide extra reporting on firewall activity and attack analysis. GB-OS firewall log messages follow WELF logging standards. To view firewall logs kept locally on the firewall, navigate to Monitor>Log Messages.
System Notices
Hardware Errors
Hardware messages include physical connectivity or memory errors. They are always logged.
Failed Network Connectivity

Hardware errors most commonly indicate that the network interface (Ethernet port) is not operational, possibly due to a disconnected or failed network cable. The key identifier for failure of a network port is the word interface in the msg attribute.
Mar 4 21:06:44 pri=4 msg=alarm: Interface EXTERNAL (rl1) down type=mgmt
PPP, PPPoE and PPTP interface errors all log as failed PPP interfaces.
Mar 4 21:06:44 pri=6 msg=PPP1: [PPP1] cant connect by pass,link0 and [b]:,session-PPP1: File exists type=mgmt
If another host is using the firewalls broadcast IP address and attempts to modify the firewalls IP address, the MAC address of the host will be logged. Check IP addresses and netmasks assigned to hosts on the local network. The key identifier for this type of message is attempts to modify permanent entry.
Mar 4 21:06:44 pri=3 msg=kernel: arp: 00:d0:68:04:98:b5 attempts to modify permanent entry for 192.168.71.255 on en1 type=mgmt
Implicit Policies
Some firewall policies are implemented automatically based upon services running on the firewall. By default, automatic policy activations (immutable firewall behaviors) are logged. The key identifier for automatic policies is POLICY: ATP. Automatic policies are logically necessary for expected firewall operation. Automatic Accept All policies are merely a shorthand way of specifying remote access, outbound, or other policy application for a whole set of IP addresses or ports, rather than entering each one.
Mar 4 21:06:44 firewall.example.com POLICY: ATP (5) accept - notice ICMP [192.168.1.12:3]->[192.168.1.78:3] External l=32 f=0x3.
Other Firewall Behaviors

Some firewall behaviors, such as dropping invalid or fragmented TCP packets, are not an explicit connection refusal or acceptance, but nonetheless part of loggable firewall behavior.
Mar 4 21:06:44 firewall.example.com POLICY: Rejecting invalid packet: warning TCP [10.10.1.98:0]->[10.10.1.78:0] Protected l=20 f=0x0
Additionally, some remote access or other types of policies have special rules called Automatic Accept All policies; these policies cause the remote access or other policy rule to be applied to all IP addresses or ports, rather than just those manually specified.
280
Ping Flood/DoS Attack (ICMP Limiting)

ICMP Limiting is logged by default. When excessive pings are executed against the firewall or its networks, such as during a denial of service (DoS) or distributed denial of service (DDoS) attack, the firewall limits the number of ICMP/ping packets it will process per second to maintain normal traffic throughput. The key identifier for this events message is Limiting ICMP ping responses.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=POLICY: Limiting ICMP ping responses from 149 to 100 packets per second. type=mgmt
TCP SYN Flood

Excessive TCP SYN signals, indicative of a SYN flood attack, may be blocked and logged according to preferences. The key identifiers for this kind of message include Blocking TCP SYN flood attack.
Jan 1 00:02:04 pri=4 msg=kernel: Blocking TCP SYN flood attack (4416) type=mgmt
Spoof Attempt
IP address spoof attempts are logged by default. In this example, a packet is arriving on PROTECTED eth0 (protected network interface) destined for the external network. The protected network consists of only 192.168.181.0/24, but the sender IP address is not part of that logical network (192.168.191.1). Therefore, the packet is considered a spoof, since it should be arriving on the EXTERNAL interface (eth1). The key identifier for this type of message is Possible spoof in the msg attribute.
Jan 12 09:03:19 pri=4 pol _ action=block count=1 msg=Possible spoof, return interface doesnt match arrival interface proto=icmp src=192.168.191.1 srcport=8 dst=192.168.181.254 dstport=8 interface=PROTECTED returnInterface=EXTERNAL attribute=alarm
Door Knob Twist (Attempted Connect to Closed Port)

Door knob twists are logged by default. When a packet arrives for a closed port, attempting to open a connection for attack purposes, the firewall blocks the attempt by default. The key identifier for this type of message is Connect to closed port in the msg attribute.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=3 pol _ type=default msg=Connect to closed port proto=23/TCP src=199.120.220.100 srcport=1036 dst=199.120.225.80 dstport=23 interface=External flags=0x2
FTP Bounce
For this attack type, the FTP session is immediately dropped and all successive connections are denied as unexpected. The key identifiers for this kind of message include FTP: illegal access attempt and an access attempt from an IP address that differs from the original source of the FTP connection.
Mar 4 21:06:44 pri=4 msg=FTP: illegal access attempt (192.168.1.1) inbound, pass through proto=21/tcp src=192.168.1.2 srcport=32876 dst=192.168.2.5 dstport=21 rule=1 Mar 4 21:06:45 pri=4 pol _ action=block count=1 msg=Packet unexpected proto=21/ tcp src=192.168.1.2 srcport=32876 dst=192.168.2.5 dstport=21 interface=sis1 flags=0x18
281
User Licenses
By default, exceeding the count of licensed users on the firewall or a firewall option is logged. The method of counting user licenses may vary by feature; generally, however, unique host IP addresses or email addresses are counted as one user for a particular service.
Maximum Firewall Users Exceeded

Mar 4 21:06:44 pri=3 msg=NAT: Max of 25 simultaneous hosts reached (192.168.71.50 denied). type=mgmt
Maximum Surf Sentinel Users Exceeded

Mar 4 21:06:44 pri=4 msg=proxyWWW: Surf Sentinel host licenses reached (25), 192.168.71.92 denied. type=mgmt
Configuration Changes by User

Changes made to the firewalls configuration are logged with the administrator account used. The key identifier for this kind of message is the user= tag.
Mar 8 19:56:30 pri=5 msg=WWWadmin: Add address object Protected Networks . type=mgmt user=fwadmin src=10.10.1.2 srcport=52334 dst=10.10.1.84 dstport=443
Automatic Backup
USB drive not connected or identified.
Aug 24 10:08:25 pri=3 msg=XMLverify: Unable to backup configuration to USB device type=mgmt Aug 24 10:08:25 pri=3 msg=XMLverify: Unable to mount USB device type=mgmt
USB device is full.

Aug 24 15:54:19 pri=3 msg=WWWadmin: Unable to copy configuration backup to USB device. No space left on device type=mgmt user=fwadmin src=10.10.1.163 srcport=60695 dst=10.10.1.80 dstport=443 duration=86
Cannot back up USB is read only drive.

Aug 29 12:51:05 pri=4 msg=WWWadmin: Mounted MSDOS filesystem as readonly type=mgmt user=fwadmin src=10.10.1.163 srcport=51064 dst=10.10.1.80 dstport=443 duration=43
Configured password is not correct. If the configured password for the configuration file and the automatic backup section do not match, or if the cloud service password is incorrect, error messages will be logged.
Aug 15 09:37:52 pri=3 msg=WWWadmin: Unable to delete file GB-Ware _ v601 _ gb-ware _ Live _ 2011-08-15 _ 092922 _ EDT.7z from cloud type=mgmt user=fwadmin src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197 Aug 15 09:37:52 pri=4 msg=WWWadmin: Unable to open old configuration. No error: 0 type=mgmt user=fwadmin src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197 Aug 15 09:37:52 pri=3 msg=WWWadmin: Unable to uncompress input file; No such file or directory type=mgmt user=fwadmin src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197 Aug 15 09:37:52 pri=4 msg=WWWadmin: Program 7za exited with code 2. type=mgmt user=fwadmin src=10.10.1.223 srcport=49966 dst=10.10.1.80 dstport=443 duration=197
282
Permission/Policy Notices
Allowed Connections
To allow a connection to the firewall, two components are required: permission and routing rules. Permission for the connection can be granted by either an outbound policy or a remote access policy. Routing for permitted connections can be created via NAT or passthrough. By default, if a packet matches an acceptance policy/rule regardless of destination (inbound, outbound or directly to the firewall) it will be logged. The message includes the policy type (designated as OBP, RAP, NAT PASS, or SSL), the policy number, the word accept, log priority level, protocol, source IP, source port, destination IP, destination port, network interface, packet length and TCP flags if appropriate.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 pol _ type=OBP pol _ action=pass msg=Accept OBP (2) rule=2 proto=500/UDP src=192.168.71.12 srcport=500 dst=199.120.225.8 dstport=500 interface=sis0
Inbound (Remote Access)

Remote access policies create permission for inbound connections. The key identifier for inbound connection messages is incoming in the msg attribute. When an authorized inbound connection is made via a remote access policy (for permission) and a passthrough or NAT tunnel (for routing), three possible log messages can be generated. By default, one is created only when the session is closed. To generate a log message when an inbound session is started, enable the Tunnel opens field in Preferences under Security Policies. The log messages for a permitted inbound connection are almost identical in both the open and close messages, except that the close message contains connection information such as duration, packets sent/received and bytes transmitted. The IP address/port pairs in the log message detail the route of the packet. Note
There is no explicit tag in the log message indicating that the packet was permitted, since the log message indicates this implicitly by logging the opened connection.
Open
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Open incoming NAT tunnel proto=80/tcp src=199.120.225.3 srcport=4175 nat=199.120.225.78 natport=80 dst=192.168.71.98 dstport=80
Close
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Allow incoming NAT tunnel proto=80/tcp src=199.120.225.3 srcport=4175 nat=199.120.225.78 natport=80 dst=192.168.71.98 dstport=80 duration=22 sent=144 rcvd=120
283
FTP Port Updating
FTP connections may require some additional negotiation for the opening connection. During this exchange, the port may be updated (but this will only be logged if you have also elected to log opening connections). The initial opening port is logged as port 0 until the actual connection port is determined, and an updated port is logged. This occurs for both tunneled (NAT) and passthrough connections. The key indicator of a port update is Update in the msg attribute.
Mar 4 21:14:43 pri=5 msg=Open inbound, NAT proto=54834/tcp src=192.168.81.233 srcport=0 nat=192.168.71.117 natport=54834 dst=192.168.51.137 dstport=54834 rule=1 Mar 4 21:14:43 pri=5 msg=Update inbound, NAT proto=54834/tcp src=192.168.81.233 srcport=2053 nat=192.168.71.117 natport=54834 dst=192.168.51.137 dstport=54834 rule=1 Mar 4 21:06:44 pri=5 msg=Open outbound, pass through proto=1988/tcp src=192.168.51.137 srcport=0 dst=192.168.71.233 dstport=1988 rule=1 Mar 4 21:06:44 pri=5 msg=Update outbound, pass through proto=1988/tcp src=192.168.51.137 srcport=20 dst=192.168.71.233 dstport=1988 rule=1
Outbound
Outbound policies create permission for outbound connections. The key identifier for outbound connection messages is outbound in the msg attribute. When an authorized outbound connection is made, two possible log messages can be generated. By default, one is created only when the session is closed. To generate a log message when an outbound session is created, enable the Tunnel closes field in Preferences under Security Policies (enabled by default). The log messages for a permitted outbound request are almost identical for an open and close messages, except that the close message contains connection information such as duration, packets sent/received, and bytes transmitted. An outbound request can be identified by the direction the arrows are pointing in the log file: left for inbound and right for outbound. The IP address/port pairs in the log message detail the route of the packet. The packet below shows an outbound request from the protected network to a web server on the Internet. Note
There is no explicit tag in the log message indicating that the packet was permitted, since the log message indicates this implicitly by logging the opened connection.
Open
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Open outbound NAT proto=80/tcp src=192.168.71.12 srcport=1683 nat=207.69.99.201 natport=1683 dst=160.239.1.10 dstport=80 rule=2
Close
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Allow outgoing NAT cat _ action=pass dstname=www. soliton.co.jp proto=80/tcp src=192.168.71.12 srcport=1684 nat=207.69.99.201 natport=1684 dst=160.239.1.10 dstport=80 rule=2 op=GET arg=/img/privacy _ txt.gif duration=50 sent=777 rcvd=9657.
284
Successful Administrative Access Attempts

When a successful access attempt is made from the web interface, a log entry is created for the first access. Since HTTP is stateless and continuous connections are not maintained, each subsequent access from the same authenticated host is not logged (as if it is automatically authenticated). Once an hour, however, a successful access entry is added to the log if the same HTTP session is still in existence. A successful log message for a web interface administrative access includes the tag WWWadmin, a message indicating remote administration access, and the IP address of the clients computer.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=WWWadmin: Remote administration access. type=mgmt src=192.168.71.12 srcport=1107 dst=10.10.1.78 dstport=443
When a successful access attempt is made from console, a log message is generated. The message includes the tag cci (console command interface) and a message indicating a successful administrative access.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=cci: Successful administration login. type=mgmt
Firewall Control Center Updating Firewall Control Center Configuration
The Firewall Control Center can be used to perform updates of the servers Firewall Control Center refresh rate.
Mar 4 21:06:44 pri=5 msg=WWWadmin: Update of FWCC . type=mgmt src=192.168.71.243 srcport=2759 dst=192.168.71.77 dstport=443 Mar 4 21:06:44 pri=6 msg=gblogd: Reinitializing. type=mgmt Mar 4 21:06:44 pri=5 msg=FWCC: Connected to server successfully type=mgmt src=199.120.225.77 srcport=2033 dst=204.94.136.20 dstport=76 Mar 4 21:06:44 pri=5 msg=FWCC: Already connected to server type=mgmt src=199.120.225.77 srcport=2033 dst=204.94.136.20 dstport=76
Denied Connections
By default, if a packet is denied access either explicitly by a policy or implicitly by the default rule (deny all unless explicitly allowed) it will be logged. The log message includes the policy type (OBP: outbound, RAP: remote access, NAT: NAT or PASS: pass through), the policy number, the word block, log priority level, protocol, source IP, source port, destination IP, destination port, the word alarm if an alarm was generated due to policy settings, network interface, packet length and TCP flags if appropriate.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 pol _ type=RAP pol _ action=block msg=Block RAP (20) rule=20 proto=23/TCP src=199.120.225.4 srcport=1601 dst=207.69.99.201 dstport=23 interface=PPP0 attribute=alarm flags=0x2
Inbound (Remote Access)

Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 pol _ type=RAP pol _ action=block msg=Block RAP proto=23/TCP src=192.168.71.12 srcport=1900 dst=10.10.1.78 dstport=23 interface=External flags=0x2
Outbound
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 pol _ type=OBP pol _ action=block msg=Block OBP proto=80/TCP src=10.254.254.80 srcport=1755 dst=199.120.225.3 dstport=80 interface=Protected flags=0x2
285
Unsuccessful Administrative Access Attempts

When an unsuccessful access attempt is made from the web interface, a log message is generated. The message includes the tag WWWadmin and a message indicating a failed remote administrative access attempt along with the IP address of the clients host system. The first message indicates a failed login without coalescing enabled, while the second message indicates a failed login with coalescing enabled. Login failure represents a bad user ID/password combination and Remote indicates the access attempt was via IP.
Jan 6 14:14:27 pri=4 msg=WWWadmin: Remote login failure type=mgmt user=foobar src=10.10.1.223 srcport=2230 dst=10.10.1.79 dstport=443 count=1 Jan 6 14:15:46 pri=4 msg=WWWadmin: Remote login failures type=mgmt user=foo src=10.10.1.223 srcport=2231 dst=10.10.1.79 dstport=443 duration=43 count=2
When an unsuccessful access attempt is made from the console, a log message is generated. Console indicates the access attempt was via console.
Jan 6 14:18:12 pri=4 msg=WWWadmin: Console login failure type=mgmt user=foobar dst=10.10.1.79 dstport=443 duration=58 count=1
Web Interface Compromise Attempt
Remote management using a web browser normally uses SSL; attempts to access the administrative interface without SSL may therefore represent a compromise attempt. (Although the web interface can be configured to operate without SSL encryption, this can compromise your security, and is not recommended.) The WWWadmin tag indicates that the message is associated with web interface remote administration access. The first example indicates that a remote host (192.168.71.12) connected to the firewall on the web interface port (by default 443 for SSL or 80 for non-SSL). The next message indicates that the connection was rejected as a key could not be negotiated. This could indicate that SSL was not running, or that an attempt to compromise the firewall was made via the web interface).
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=WWWadmin: Remote administration access. type=mgmt src=10.254.254.205 srcport=1028 dst=10.254.254.1 dstport=443 Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=WWWadmin: Unable to establish SSL session type=mgmt src=10.254.254.205 srcport=1028 dst=10.254.254.1 dstport=443 duration=2
When an unsuccessful access attempt is made from the console, a log message is generated. The message includes the tag cci and a message indicating a failed access attempt.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=cci: Password verification failure. type=mgmt
286
Routing Notices
Permitted connections require a valid route to reach their destinations. Routing may be achieved with either a NAT tunnel, to hide internal IP addresses from untrusted networks, or with a pass through policy to make internal IP addresses apparent to untrusted networks. If selected, any arriving packets matching a protocol on any of the firewalls network interfaces can be logged. The log message includes the protocol, source IP, source port, destination IP, destination port, network card (NIC), packet length and TCP flags if appropriate.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=6 pol _ type=RAP pol _ action=pass msg=Received (4) rule=4 proto=443/TCP src=192.168.71.12 srcport=1599 dst=192.168.71.254 dstport=443 interface=sis0 flags=0x11
Inbound or outbound connections are evaluated for permission before routes are constructed. This means that logs for remote access or outbound policy (which affect permission) appear before their corresponding NAT or pass through policy (which affect routing) message.
ICMP Types and Codes

ICMP log messages have sections indicating the ICMP type and the ICMP code. In the log message below, srcport & dstport indicate the ICMP Type while the flags indicate the ICMP Code.
Aug 1 11:47:46 pri=4 pol _ action=block count=1 m sg=Packet invalid rule=1 proto=icmpV4 src=192.168.51.1 srcport =3 dst=10.10.1.76 dstport =3 interface=PROTECTED-192 flags=0x7
Full details on ICMP parameters can be found here: http://www.iana.org/assignments/icmp-parameters/ icmp-parameters.xml IPv6 parameters are also available here: http://www.iana.org/assignments/ipv6-parameters/ipv6parameters.xml
ICMP Types
Log messages can be identified by their type as follows: ICMPv4 Log Message - Type
Type 0 1 2 3 4 5 6 7 8 9 10 11 12 13 Name Echo Reply Unassigned Unassigned Destination Unreachable Source Quench Redirect Alternate Host Address Unassigned Echo Router Advertisement Router Solicitation Time Exceeded Parameter Problem Timestamp
287
ICMPv4 Log Message - Type

Type 14 15 16 17 18 19 20-29 30 31 32 33 34 35 36 37 38 39 40 41 42-255 Name Timestamp Reply Information Request Information Reply Address Mask Request Address Mask Reply Reserved Reserved Traceroute Datagram Conversion Error Mobile Host Redirect IPv6 Where-Are-You IPv6 I-Am-Here Mobile Registration Request Mobile Registration Reply Domain Name Request Domain Name Reply SKIP Photuris ICMP messages utilized by experimental mobility protocols Reserved
ICMPv6 Log Message - Type

Type 0 1 2 3-252 253 254 255 Name Source Route Nimrod Type 2 Routing Header Unassigned RFC3692-style Experiment 1 RFC3692-style Experiment 2 Reserved
288
ICMP Codes
Many of the ICMP types have codes - listed below: ICMPv4 Type 3 - Destination Unreachable
Code 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Description Net Unreachable Host Unreachable Protocol Unreachable Port Unreachable Fragmentation Needed and Dont Fragment was Set Source Route Failed Destination Network Unknown Destination Host Unknown Source Host Isolated Communication with Destination Network is Administratively Prohibited Communication with Destinaation Host is Administratively Prohibited Destination Network Unreachable for Type of Service Destination Host Unreachable for Type of Service Communication Administratively Prohibited Host Precedence Violation Precedence cutoff in effect
ICMPv4 Type 5 - Redirect

Code 0 1 2 3 Description Redirect Datagram for the Network (or subnet) Redirect Datagram for the Host Redirect Datagram for the Type of Service and Network Redirect Datagram for the Type of Service and Host
ICMPv4 Type 6 - Alternate Host Address

Code 0 Description Alternate Address for Host
ICMPv4 Type 9 - Router Advertisement

Code 0 16 Description Normal Router Advertisement Does not route common traffic
ICMPv4 Type 11 - Time Exceeded

Code 0 1 Description Time to Live exceeded in Transit Fragment Reassembly Time Exceeded
289
ICMPv4 Type 12 - Parameter Problem

Code 0 1 2 Description Pointer indicates the error Missing a required option Bad length
ICMPv4 Type 40- Photuris

Code 0 1 2 3 4 5 Description Bad SPI Authentication Failed Decompresssion Failed Decryption Failed Need Authentication Need Authorization
290
OSPF
Mis-matched key or mis-matched password in OSPF authentication.

Apr 17 18:01:48 pri=4 msg=ospfd: interface fxp3:172.16.4.1: auth-type mismatch, local 2, rcvd 0, router-id 0.0.0.4 type=mgmt Apr 17 19:12:26 pri=4 msg=ospfd: interface sis0:172.16.4.2: auth-type mismatch, local 0, rcvd 2, router-id 0.0.0.5 type=mgmt
Network Address Translation (NAT)

Connections using NAT translate internal IP addresses to external IP addresses when passing through the firewall, hiding internal IP addresses from untrusted networks. NAT connections can be of any type including TCP/IP (with HTTP, FTP, etc.), ICMP, or UDP connections. The key identifier for NAT messages is NAT in the msg attribute.
TCP
Open
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Open outbound NAT proto=22/TCP src=192.168.71.12 srcport=1026 nat=199.120.225.78 natport=1026 dst=199.120.225.4 dstport=22 rule=2
Close
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Close outbound NAT proto=22/TCP src=192.168.71.98 srcport=1025 nat=199.120.225.78 natport=1025 dst=199.120.225.4 dstport=22 rule=2 duration=176 sent=847 rcvd=788
HTML Sessions Open
Opening NATd connections are not logged by default, but may be enabled as a debug aid.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Open outbound NAT proto=80/tcp src=192.168.71.12 srcport=1569 nat=199.120.225.78 natport
Close
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Accept outgoing NAT cat _ action=pass dstname=www.gta. com proto=80/tcp src=192.168.71.12 srcport=1569 nat=199.120.225.78 natport=1569 dst=199.120.225.2 dstport=80 rule=2 op=GET arg=/Media/GB-Group.jpg duration=47 sent=547 rcvd=340
ICMP
Open
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Open outbound NAT proto=icmp src=192.168.71.12 srcport=3 nat=199.120.225.78 natport=3 dst=199.120.225.1 dstport=3 rule=2
Close
Aug 30 11:19:46 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Close outbound NAT proto=icmp src=192.168.71.12 srcport=3 nat=199.120.225.78 natport=3 dst=199.120.225.1 dstport=3 rule=2 duration=70 sent=3240 rcvd=3240
UDP
Open
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Open outbound NAT proto=53/UDP src=192.168.71.98 srcport=1035 nat=199.120.225.78 natport=1035 dst=204.94.136.5 dstport=53 rule=1
291
Close
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Close outbound NAT proto=22/TCP src=192.168.71.98 srcport=1025 nat=199.120.225.78 natport=1025 dst=199.120.225.4 dstport=22 rule=2 duration=176 sent=847 rcvd=788
Pass Through (No NAT)

Connections using IP pass through dont perform any NAT; internal IP addresses are fully apparent to untrusted networks. Pass through connections can be of any type including TCP/IP (with HTTP, FTP, etc.), ICMP, or UDP connections. Pass through messages are mostly identical to the messages for connections with NAT. The chief difference is the msg attribute will contain pass through instead of NAT. Other details in the message related to the accept/deny status, IP addresses, ports and others remain the same. The key identifier for pass through policy messages is pol _ type=PASS.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 pol _ type=PASS pol _ action=block msg=Block PASS proto=23/ TCP src=10.254.254.205 srcport=1030 dst=192.168.71.12 dstport=23 interface=Protected flags=0x2
Open
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Open outbound pass through proto=23/TCP src=192.168.71.98 srcport=1027 dst=10.254.254.80 dstport=23
Close
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Close outbound pass through proto=23/TCP src=192.168.71.98 srcport=1027 dst=10.254.254.80 dstport=23 duration=89 sent=444 rcvd=400
Bridged Interfaces
Cabling Loop
When a physical loop in the cabling exists in the network a log message is generated. Check physical wiring of hubs and switches to be sure no cables loop back into the same device. Bridged networks must be physically distinct. The key identifier for this type of message is msg=Bridging loop.
Mar 4 21:06:44 pri=4 msg=Bridging loop (13) 00:00:5e:00:01:60->01:00:5e:00:00:12 External->Protected (muted) src=199.120.225.53 dst=224.0.0.18
Bridged Protocols
Non-TCP/IP protocols may be encapsulated in a TCP/IP layer (bridged) to allow them to pass over the Internet, which requires TCP/IP. Caution
No firewall policies are performed on bridged protocols; this can result in a weakening of your security perimeters. Great care should be taken in allowing bridged protocol packets.
Denied protocols are logged only when the firewall is set to log invalid packets. If desired, allow packets of these protocol types by adding them to the bridged protocol list. The key identifier for bridged protocol messages is Bridged protocol in the msg attribute.
Feb 2 13:28:53 pri=3 msg=Bridged protocol type 0x42 denied (00:08:83:08:82:2a->0 1:80:c2:00:00:00)
292
Firewall Service Notices

Authentication
Remote access polices give permission for authentication connections to the firewall. Therefore every authentication log message is accompanied by an associated remote access log message. Authentication log messages are also written for both successful open and close of an authenticated session. The key identifiers for authenticated connections are user=[Username] and RMCauth.
Mar 4 21:06:44 pri=5 msg=Open inbound, NAT tunnel proto=smtp src=199.120.225.77 srcport=1753 user=Nick nat=199.120.225.78 natport=25 dnat=10.10.1.78 dnatport=1753 dst=10.10.1.9 dstport=25 rule=1 Mar 4 21:06:44 pri=6 msg=RMCauth: Allow support@gta.com , authentication successful. type=mgmt src=192.178.71.254 srcport=3630 dst=10.10.1.84 dstport=76 duration=7 Jun 13 11:06:52 pri=5 msg=AUTH: Assign 192.178.71.254, to Mary type=mgmt Jun 13 11:06:46 pri=5 msg=RMCauth: Accepted connection type=mgmt src=192.178.71.254 srcport=3630 dst=10.10.1.84 dstport=76 duration=1 Mar 4 21:06:44 pri=5 msg=RMCauth: Close connection type=mgmt src=192.178.71.254 srcport=3630 dst=10.10.1.84 dstport=76 duration=675 Jun 13 11:18:00 pri=5 msg=AUTH: Release 192.178.71.254, from Mary type=mgmt
Tunnel accesses by an authenticated user are labeled with their account name.
Mar 4 21:06:44 pri=5 msg=Open inbound, NAT tunnel proto=smtp src=199.120.225.20 srcport=1806 user=Nick nat=199.120.225.78 natport=25 dnat=10.10.1.78 dnatport=1806 dst=10.10.1.9 dstport=25 rule=1
Without a remote access policy, the authentication connection attempt will be denied.
Mar 4 21:06:44 pri=4 pol _ type=RAP pol _ type=block msg=Rejecting unathenticated access (1) rule=1 proto=25/tcp src=199.120.225.77 srcport=1700 dst=199.120.225.78 dstport=25 interface=sis1 flags=0x2
Expired Authentication Session

Users whose authenticated sessions have expired must authenticate again to gain access to restricted areas of the network. The key identifier for this message is Release in the msg attribute.
Mar 4 21:06:44 pri=5 msg=USER: Release 199.120.225.20, from Nick type=mgmt
Authentication Denied Due to Closed Authentication Connection

If the authentication connection is closed, the user must reinitiate the authentication connection and complete it before they will be fully authenticated. The key identifiers for this event occur in a sequence of messages. First a message with RMCauth: Close connection in the msg attribute occurs; then, if the user attempts to continue authentication on the closed connection, a message with RMCauth: Deny [username], authentication failure in the msg attribute occurs. If the user reattempts authentication, a third message with RMCauth: Accepted connection in the msg attribute will occur.
Mar 4 21:06:44 pri=5 msg=RMCauth: Close connection type=mgmt src=192.178.71.254 srcport=3569 dst=10.10.1.84 dstport=76 duration=17 Jun 13 11:04:38 pri=4 msg=RMCauth: Deny support@gta.com , authentication failure. type=mgmt src=192.178.71.254 srcport=3569 dst=10.10.1.84 dstport=76 duration=16 Jun 13 11:04:22 pri=5 msg=RMCauth: Accepted connection type=mgmt src=192.178.71.254 srcport=3569 dst=10.10.1.84 dstport=76
Authentication Denied Due to Old GBAuth Version

Previous versions of GBAuth are not compatible with GB-OS 4.0.
Mar 4 21:06:44 pri=3 msg=RMCauth: command authLoginGet (400) rejected, incorrect size. type=mgmt src=192.168.71.253 srcport=4192 dst=192.168.71.254 dstport=76
293
Gateway Selector
The gateway selector service first listens for a series of failed pings to its beacons through the primary route (current default gateway). If these beacons remain unreachable (no reply), then a new default gateway is set. The key identifier for gateway selector messages is selector.
Mar 4 21:06:44 selector: No reply from 199.120.225.79. Mar 4 21:06:44 selector: No reply from 205.111.80.180. Mar 4 21:06:44 selector: No reply from 205.111.110.180. Mar 4 21:06:44 selector: Verification of default gateway 199.120.225.79 failed. Mar 4 21:06:44 selector: Default gateway set to 200.120.225.79.
Email Notification from Gateway Selector

If email notification is selected, the gateway selector logs the email notification when it is sent.
NOTIFICATION TYPE: Default gateway change NAME: firewall.example.com DATE: Wed 2002-05-29 12:59:18 EDT Default gateway changed to 200.120.225.79.
Intrusion Prevention System (IPS)

IPS policies can be configured to generate a log message when they are triggered. The typical identifier for IPS log messages is msg=IPS:. The action= value declares the action performed by the triggered IPS policy.
Connection Passed
Apr 28 00:38:04 pri=4 msg=IPS: MISC MS Terminal server request action=pass rule _ id=1448 rule _ rev=13 classification=Generic Protocol Command Decode proto=3389/tcp src=24.227.126.130 srcport=2647 dst=192.168.172.25 dstport=3389
Connection Dropped
Apr 28 01:21:16 pri=4 msg=IPS: BLEEDING-EDGE RDP connection confirm action=drop rule _ id=2001330 rule _ rev=5 classification=Misc activity proto=3007/tcp src=192.168.172.25 srcport=3389 dst=24.227.126.130 dstport=3007
Connection Reset
Apr 28 00:45:13 pri=4 msg=IPS: BLEEDING-EDGE RDP connection confirm action=reset rule _ id=2001330 rule _ rev=5 classification=Misc activity proto=2681/tcp src=192.168.172.25 srcport=3389 dst=24.227.126.130 dstport=2681
294
Mail Sentinel Email Filtering

By default, the Mail Sentinel email proxy will block all email from reaching your email server, and log each denied email. Email proxy policies must be created to specify which email you wish to allow. The typical identifier for Mail Sentinel log messages is smtp _ action.
Email Delivered
Delivered email is not logged by default. However, it may be enabled as a debug aid.
Mar 4 21:06:44 pri=5 msg=SMTP: Close smtp _ action=pass virus=none found spam=unknown,2 rule=5 server=192.168.71.1 proto=smtp user=user@example.com srcuser=user2@source.com src=199.120.225.254 srcport=4711 dst=199.120.225.5 dstport=25 duration=2 sent=136 rcvd=1709
Email Rejected Due to Source or Destination of Policy

If an email proxy policy is set to reject all email from a source or destination, that rejection will be logged. Additionally, the index number of the policy that triggered the rejection will be logged in the rule attribute.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=SMTP: Rejected (rule) smtp _ action=block rule=6 proto=smtp user=user@example.com srcuser=sender@source.com src=199.120.225.254 srcport=34813 dst=199.120.225.5 dstport=25 duration=2 sent=42 rcvd=67
Email Rejected Due to Exhaustion of Policies (Reject by Default If No Match Is Found)

If no email proxy policies exist, or an email has exhausted the list of policies while looking for a match, the default rule to reject the email is enacted. The key identifier is rule=0.
Mar 4 21:06:44 pri=4 msg=SMTP: Rejected (rule) smtp _ action=block rule=0 proto=smtp user=user@example.net srcuser=sender@source.net src=199.120.225.254 srcport=2107 dst=199.120.225.5 dstport=25 duration=13 sent=70 rcvd=68
Email Rejected Due to Reverse DNS

If the email has matched an email proxy policy specifying reverse DNS lookups and has failed the lookup, the log message will contain RDNS in its msg attribute.
Mar 4 21:06:44 pri=4 msg=SMTP: Rejected (RDNS) smtp _ action=block rule=1 proto=smtp user=user@example.com srcuser=sender@source.com src=199.120.225.254 srcport=1696 dst=199.120.225.5 dstport=25 duration=10 sent=74 rcvd=60
Email Rejected Due to MAPS

If the email has matched an email proxy policy specifying MAPS lookup and has failed the lookup, the log message will contain MAPS in its msg attribute.
Mar 4 21:06:44 pri=4 msg=SMTP: Rejected (MAPS list.dsbl.org) smtp _ action=block rule=2 proto=smtp user=user@example.com,user2@example.com srcuser=spammer@ source.com src=199.120.225.254 srcport=2327 dst=199.120.225.5 dstport=25 duration=4 sent=111 rcvd=107
295
Email Rejected Due to Invalid Recipient

If the email initially matches a policy causing its acceptance, but the receiving email server returns a code indicating that the recipient does not exist for its domain, the email proxy may reject the email. The key identifier for this type of message is 550 Invalid recipient in the msg attribute.
Mar 4 21:06:44 pri=4 msg=SMTP: Server returned, 550 Invalid recipient <user@ example.com> type=mgmt proto=smtp user=user@example.com srcuser=sender@ source.com src=199.120.225.254 srcport=4599 dst=199.120.225.5 dstport=25 duration=5
If there is no spam or virus scanning enabled for that email, you may see that message paired with one for an incomplete SMTP connection. This message occurs when the email data is stopped during transmission. The internal email server may have determined that an email account does not exist, and cause the Mail Sentinel email proxy to terminate the SMTP data reception.
Email Connection Incomplete

If the email transmission was incomplete, it is handled as a rejection. This could be caused by a premature termination from either the sender or recipient server. The key identifier for this type of message is Incomplete in the msg attribute.
Mar 4 21:06:44 pri=4 msg=SMTP: Incomplete smtp _ action=block virus=not found spam=confirmed,96 rule=8 server=192.168.71.1 proto=smtp user=user@example.com srcuser=sender@source.com src=199.120.225.254 srcport=4599 dst=199.120.225.5 dstport=25 duration=5 sent=214 rcvd=2765
Maximum Count of Threads Exceeded
If the Mail Sentinel email proxy has been overloaded with connection attempts (which generate email proxy threads), some connections will be delayed or rejected. The key identifier for this type of message is Maximum number of threads exceeded in the msg attribute.
Mar 4 21:06:44 pri=3 msg=SMTP: Maximum number of threads exceeded type=mgmt proto=smtp
Mail Sentinel Anti-Virus and Mail Sentinel Anti-Spam Options

If you have installed Mail Sentinel Anti-Spam or Mail Sentinel Anti-Virus options on your Mail Sentinel email proxy, additional controls may be available to your email proxy ACLs. These options have key identifiers of virus or spam in their associated log messages.
Email Confirmed Spam by Mail Sentinel Anti-Spam but Delivered
If the matching email proxy ACL specified Mail Sentinel Anti-Spam scanning, but did not elect to reject or quarantine confirmed spam, it will be delivered normally. The key identifiers for this type of message are spam=confirmed and smtp _ action=pass.
Mar 4 21:06:44 pri=4 msg=SMTP: Close smtp _ action=pass virus=none found spam=confirmed,99 rule=5 server=192.168.71.1 proto=smtp user=user@example.com srcuser=spammer@source.com src=199.120.225.254 srcport=3260 dst=199.120.225.5 dstport=25 duration=4 sent=110 rcvd=3396
Email Confirmed Spam by Mail Sentinel Anti-Spam and Quarantined
If the matching email proxy ACL specified Mail Sentinel Anti-Spam scanning, and elected to quarantine confirmed spam, it will be delivered to the indicated quarantine email address. The key identifiers for this type of message are spam=confirmed and smtp _ action=quarantine.
Mar 4 21:06:44 pri=4 msg=SMTP: Close smtp _ action=quarantine virus=none found spam=confirmed,98 rule=3 server=192.168.71.1 proto=smtp user=user@example.com srcuser=spammer@source.com src=199.120.225.254 srcport=4282 dst=199.120.225.5 dstport=25 duration=2 sent=110 rcvd=3549
296
Email Virus Found by Mail Sentinel Anti-Virus and Cured Then Delivered
If the matching email proxy ACL specified Mail Sentinel Anti-Virus scanning, but did not elect to reject or quarantine viruses, Mail Sentinel Anti-Virus attempts to remove the virus from the email attachment before it will be delivered normally. The key identifier for this type of message is virus=Cured .
Mar 4 21:06:44 pri=4 msg=SMTP: Close smtp _ action=block virus=Cured,I-Worm. Bagle.au spam=unknown,50 rule=5 server=192.168.71.1 proto=smtp user=user@ example.com srcuser=sender@source.com src=199.120.225.254 srcport=4124 dst=199.120.225.5 dstport=25 duration=83 sent=82 rcvd=26436
Email Virus Found by Mail Sentinel Anti-Virus but Delivered
If the matching email proxy ACL specified Mail Sentinel Anti-Virus scanning, but did not elect to reject or quarantine viruses, and the virus was not removable from the file, virus email will be delivered normally. The key identifiers for this type of message are virus=[Virus name] and smtp _ action=pass.
Mar 4 21:06:44 pri=4 msg=SMTP: Close smtp _ action=pass virus=I-Worm.Bagle.as spam=unknown,64 rule=5 server=192.168.71.1 proto=smtp user=user@example.com srcuser=sender@source.com src=199.120.225.254 srcport=3364 dst=199.120.225.5 dstport=25 duration=10 sent=82 rcvd=31669
Email Virus Found by Mail Sentinel Anti-Virus and Quarantined
If the matching email proxy ACL specified Mail Sentinel Anti-Virus scanning, and elected to quarantine viruses, virus email will be delivered to the quarantine email address. The key identifiers for this type of message are virus=[Virus name] and smtp _ action=quarantine.
Mar 4 21:06:44 pri=4 msg=SMTP: Close smtp _ action= quarantine virus=I-Worm. NetSky.q spam=confirmed,98 rule=5 server=192.168.71.1 proto=smtp user=user@ example.com srcuser=sender@source.com src=199.120.225.254 srcport=4272 dst=199.120.225.5 dstport=25 duration=5 sent=110 rcvd=41496
If the matching email proxy ACL specified Mail Sentinel Anti-Virus scanning, and elected to reject viruses, virus email will be rejected. The key identifiers for this type of message are virus=[Virus name] and smtp _ action=block.
Mar 4 21:06:44 pri=4 msg=SMTP: Close smtp _ action=block virus=I-Worm.Bagle. au spam=unknown,50 rule=5 server=192.168.71.1 proto=smtp user=user@example. com srcuser=sender@source.com src=199.120.225.254 srcport=4124 dst=199.120.225.5 dstport=25 duration=83 sent=82 rcvd=26436
Email Virus Found by Mail Sentinel Anti-Virus and Rejected
297
Email Headers
Email headers, often invisible to a user unless they view the email source or view it as plain text, contain information about email delivery and processing. The Mail Sentinel email proxy adds additional SMTP X-headers to processed email. These headers can help diagnostic or tracking processes. Some X-headers specifically track events of an email proxy that has enabled Mail Sentinel options. The GB prefix shows that this header was appended by a receiving GTA firewall. Headers can include:
X-GB-Received: from domain.example.com (192.168.71.9) by firewall.example.com (3.6.0)
Lists the host that the email originated from, followed by the host name and IP address of the receiving firewall.
X-GB-From: sendername@example.com
Lists the email address of the sender. (The originating domain and the domain in the senders email are not necessarily the same.)
X-GB-To: recipient@example.com
Lists the email address of the intended recipient. If an email has been cleared from quarantine, this header allows the email to be sent on to its final destination.
X-GB-Mail-Format-Warning : Bad RFC2822 line length
Describes a badly-formatted email.

X-GB-Rule : 5
Lists the email proxy ACL that was matched.

X-GB-AS
Lists the spam category assigned to the email (e.g. Confirmed or Suspect) and the score that caused the categorization. May describe any error conditions that occurred during Mail Sentinel Anti-Spam processing, causing it to not process the email. These errors can include an expired Mail Sentinel Anti-Spam license or inability to contact the Mail Sentinel Anti-Spam license server.
X-GB-AS-Summary
Contains the Mail Sentinel Anti-Spam engine processing summary.

X-GB-AV
Lists any viruses found; if they could be removed from the email, it will also say cured. May describe any error conditions that occurred during Mail Sentinel Anti-Virus processing, causing it to not process the email.
X-GB-Quarantined
Note
Lists the email address that a quarantined email was sent to.
For ease of identification, GTA recommends that the host name be a fully qualified domain name (FQDN), as in the example above. The firewall host name is entered in the Host Name field of the Configuration>Network>Settings section.
298
VPN
VPN connections tunnel network traffic over untrusted networks using authentication and encryption for security. If an IKE type of VPN is used, IKE messages may appear in the log (IKE server); another key identifier is type=mgmt, vpn. When the IKE server starts up due to firewall reboot or saving a VPN configuration section, the startup is logged, along with the number of allowed concurrent mobile users.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=WWWadmin: Starting IKE server. type=mgmt src=192.168.71.2 srcport=2206 dst=192.168.71.254 dstport=80 duration=2 Mar 4 21:06:44 firewall.example.com id=firewall time=2002-08-30 14:12:18 fw=ipsec pri=5 msg=Licensed for 100 mobile client connections. type=mgmt,vpn
Failed VPN authentications are logged with the account name.

Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=RMCauth: Accepted connection type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76 Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=RMCauth: Authentication failure for support@gta.com . type=mgmt src=199.120.225.78 srcport=2197 dst=199.120.225.200 dstport=76 duration=4
Security Associations
By default, each IPSec security association (SA) creation is logged. VPN connections require at least two SAs.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=IPsec-SA established type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183 Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=IPsec-SA established type=mgmt,vpn src=24.170.164.183 dst=199.120.225.200
VPN phases occasionally expire and renew themselves to prevent attacks using compromised keys. After expiration, they must be renewed or the connection will be closed.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=ipsec pri=5 msg=IPsec-SA established type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183 Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=ipsec pri=5 msg=IPsec-SA expired type=mgmt,vpn src=199.120.225.200 dst=24.170.164.183
Mobile Client VPN Authentication and Connection

Mobile clients must authenticate first before establishing a connection.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=RMCauth: Accepted connection type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76 Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=6 msg=RMCauth: Authentication successful for support@gta. com . type=mgmt src=199.120.225.78 srcport=2170 dst=199.120.225.200 dstport=76 duration=4
Attempts to connect without authentication will be denied.

Mar 4 21:06:44 pri=4 msg=Authentication needed, access for support@gta.com denied. type=mgmt,vpn src=65.33.234.134 dst=199.120.225.78
299
Web Content Filtering

On GTA firewalls utilizing content filtering, two different HTTP proxy mechanisms are possible: traditional proxy or transparent proxy. If the traditional proxy is used, each user must configure their browser to use a proxy (the IP address is that of the protected network interface of the firewall). The transparent proxy requires no configuration of the users browser, as it occurs transparently with normal port 80 HTTP. Content policies can accept or deny TCP/IP packets based upon their HTTP content as well as their TCP/IP properties. Local content lists (LCLs) cause cat _ site to be Local Accept or Local Deny.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=Block outbound NAT cat _ action=block cat _ site=Local Deny dstname=ad.doublclk.net proto=80/tcp src=src=192.168.71.33 srcport=4991 nat=199.20.136.33 natport=4991 dst=205.138.3.82 dstport=80 rule=2 duration=22 sent=861 rcvd=60 pkts _ sent=3 pkts _ rcvd=1 op=GET arg=/adi/caranddriver.lana. com/kw=;;ord=180587622710292244
Persistent (secondary) web connections will be logged.

Mar 4 21:06:44 pri=5 msg=Accept persistent outbound, NAT cat _ action=pass cat _ site=Reference dstname=www.example.com proto=80/tcp src=192.168.1.1 srcport=1043 nat=200.200.200.200 natport=1043 dst=100.100.100.100 dstport=80 rule=5 duration=0 sent=633 rcvd=400 pkts _ sent=2 pkts _ rcvd=1 op=GET arg=/images/example.gif
Unknown HTTP commands being transmitted over HTTP ports (such as tunnels for non-HTTP protocols such as AIM) may be blocked. The key identifier for this type of message is op=Unknown.
M a r 4 21:06:44 pri=4 m s g =Blo ck out b ou n d, N AT c at _ ac t io n= blo ck dstname=200.200.200.200 proto=80/tcp src=192.168.1.1 srcport=1688 nat=100.100.100.100 natport=1688 dst=200.200.200.200 dstport=80 rule=1 duration=22 sent=138 rcvd=94 pkts _ sent=3 pkts _ rcvd=2 op=Unknown
Saving the content policy preferences causes the HTTP proxy (transparent or traditional; proxyWWW) to restart.
Mar 4 21:06:44 pri=5 msg=proxyWWW: Surf Sentinel successfully initialized type=mgmt Mar 4 21:06:44 pri=6 msg=proxyWWW: Listening at port 2784. type=mgmt Mar 4 21:06:44 pri=6 msg=proxyWWW: Reinitializing. type=mgmt Mar 4 21:06:44 pri=5 msg=WWWadmin: Update of URL Access Lists . type=mgmt src=192.168.71.243 srcport=2447 dst=192.168.71.77 dstport=443
Saving an LCL (black list/white list) or an ACL (who should follow the black lists/white lists) causes the HTTP proxy to update and reinitialize.
Mar 4 21:06:44 pri=5 msg=WWWadmin: Update of Local Content Lists . type=mgmt src=192.168.71.243 srcport=2460 dst=192.168.71.77 dstport=443 Mar 4 21:06:44 pri=6 msg=proxyWWW: Reinitializing. type=mgmt Mar 4 21:06:44 pri=5 msg=WWWadmin: Update of URL Access Lists . type=mgmt src=192.168.71.243 srcport=2447 dst=192.168.71.77 dstport=443 Mar 4 21:06:44 pri=6 msg=proxyWWW: Reinitializing. type=mgmt
Attempts to use the HTTP proxy without policy permission for port 2784 (or other HTTP proxy port) will log an error.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 pol _ type=RAP pol _ action=block msg=Block RAP (25) rule=25 proto=2784/TCP src=192.168.71.12 srcport=1521 dst=10.10.1.78 dstport=2784 interface=External attribute=alarm flags=0x2
300
Transparent Proxy
A cat _ action=pass or cat _ action=block and a msg=Allow outgoing NAT or msg=Block outgoing NAT determines if a transparent proxy connection was accepted or denied.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Allow outgoing NAT cat _ action=pass dstname=www.gta. com cat _ site=Information Technology/Computers proto=80/tcp src=192.168.71.12 srcport=1439 nat=199.120.225.78 natport=1439 dst=199.120.225.2 dstport=80 rule=2 op=GET arg=/ duration=43 sent=2701 rcvd=1141 Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=Block outgoing NAT cat _ action=block dstname=www. playboy.com cat _ site=Pornography proto=80/tcp src=192.168.71.12 srcport=1454 nat=199.120.225.78 natport=1454 dst=209.247.228.201 dstport=80 rule=2 op=GET arg=/ duration=25 sent=666 rcvd=44
Traditional Proxy
A cat _ action=pass or cat _ action=block determines if a traditional proxy connection was accepted or denied.
Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=5 msg=Proxy cat _ action=pass proto=80/tcp src=192.168.71.12 dst=199.120.225.3 cat _ site=Information Technology/Computers op=GET dstname=www. gnatbox.com arg=/GeneratedItems/CSScriptLib.js Mar 4 21:06:44 firewall.example.com id=firewall time=2005-03-04 21:06:44 fw=firewall pri=4 msg=Proxy cat _ action=block proto=80/tcp src=192.168.71.12 dst=209.247.228.201 cat _ site=Pornography op=GET dstname=www.playboy.com arg=/
Surf Sentinel Option

Surf Sentinel can cause traffic to be accepted or denied based upon their content category (look for a message such as msg=Accept outbound, NAT or msg=Block outbound, NAT). If Surf Sentinel was used to determine packet acceptance or rejection, cat _ site will be set to the category of the content requested, such as Entertainment and Arts, Adult and Pornograpy or Hacking. Surf Sentinel can be used with either the transparent or traditional HTTP proxy. Persistent Connection message
May 15 18:37:16 pri=5 msg=Accept persistent outbound, NAT cat _ action=pass cat _ site=Sports dstname=www.cmdarts.com proto=80/tcp src=192.168.71.199 srcport=3817 nat=24.227.126.130 natport=3817 dst=64.34.176.47 dstport=80 rule=11 duration=6 sent=1205 rcvd=12709 pkts _ sent=11 pkts _ rcvd=12 op=GET arg=/images/ newlogo.gif
Accept message
May 15 18:39:03 pri=5 msg=Accept outbound, NAT cat _ action=pass cat _ site=News and Media dstname=technology.timesonline.co.uk proto=80/tcp src=192.168.71.199 srcport=2452 nat=24.227.126.130 natport=2452 dst=72.247.134.216 dstport=80 rule=11 duration=327 sent=260 rcvd=636 pkts _ sent=5 pkts _ rcvd=3 op=GET arg=/tol/img/ global/chevron-back-to-top.gif
Deny message
May 15 18:39:27 pri=4 msg=Block outbound, NAT cat _ action=block cat _ site=Adult and Pornography dstname=www.playboy.com proto=80/tcp src=192.168.71.199 srcport=3827 nat=24.227.126.130 natport=3827 dst=216.163.137.3 dstport=80 rule=11 duration=22 sent=486 rcvd=48 pkts _ sent=3 pkts _ rcvd=1 op=GET arg=/favicon.ico
301
Glossary
302
Reference F: Glossary
The following are common terms and phrases encountered when configuring a GTA firewall. A Address Object ARP Protocol ARP Table Authentication Automatic Policy B Bandwidth Bandwidth Capping (Bandwidth Limiting) BGP Bridged Interface Bridged Protocol C Content Filtering Crack D DHCP DHCP Lease DMZ DNS DNS Proxy Domain Name Dynamic (default) NAT Dynamic DNS E Email Proxy Encapsulation Ethernet Ethernet Card External Network F Failover Feature Firewall Firewall Control Center G Gateway GB Commander H H2A High Availability Hop Count Host HTTP HTTP Proxy I Inbound Tunnel Interface Object Internal Network Intrusion Prevention System IP Address IP Alias IP Protocol L LAN LCL Lease Logical Network Log Message M Mail Sentinel Mail Sentinel Anti-Spam Mail Sentinel Anti-Virus N NAT Net Mask Network Network Card Network Class Network Transparency Network Type NIC NTP O Object Option OSPF Outbound Policy P Packet Pass Through Policy Phishing Ping Policy Policy Type Port Scan PPP Private Network Protected Network Proxy PSN R Remote Access Policy Remote Administration Remote Logging RIP Router Routing Runtime S Secure SNMP Spam Spoofing SSL Stateful Packet Inspection Static Address Mapping Static NAT Static Routes Stealth Mode Subnet Mask Subscription Surf Sentinel Syslog T TCP/IP Protocol Time Group Timeout Traceroute Traffic Shaping Traffic Shaping Object Trojan Tunnel U URL V Verification Virtual Crack Virus VLAN VPN VPN Certificate VPN Object W Web Content Filtering Worm
304
Address Object
An object type containing IP addresses, domain names or email addresses. For example, creating the address objects Home Office and Branch Office with their respective IP address groups would help to rapidly reference those IP addresses in all areas of the firewall configuration. Address Routing Protocol; one of the protocols firewalls and routers use when deciding how to send network traffic to its destination. A data set containing the IP addresses of recently-determined routes; it is a cache used to speed routing, and may be flushed (erased) to force a router or firewall to update its routing information. Verifying the identity of a user, usually by testing that a user knows a valid account name and the secret value (password) associated with that record. A firewall policy that is part of inherent firewall logic, and is therefore not configurable by the administrator. A default, uneditable firewall policy that may only be enabled or disabled. The amount of network traffic that may be sent per unit of time. Usually expressed in the units bits per second or kilobits per second (1 kilobit = 1,024 bits). Limiting bandwidth a host/network may send over time, and prioritizing which hosts/ networks should be allowed to reach that limit before allocating the remaining bandwidth to other hosts/networks. BGP (Border Gateway Protocol) is an Exterior Gateway Routing Protocol (EGRP) used for larger networks such as the Internet. BGP uses TCP port 179 to establish a connection between two or more routers. These routers are considered peers. Initially the routers exchange full routing information, once the connection is established the routers only send updates to their routing tables. A network interface whose network traffic is selected to be transmitted to another network interface as if they were part of the same logical network. This is different from pass through hosts because it applies a static NAT/route to join discontiguous networks, rather than applying no NAT. A non-TCP/IP protocol selected to be transmitted without applying firewall policies. Denial of network content according to known content; this usually refers to denial of web page traffic based upon the domain name or IP address range serving the web page, or by categorization within a content rating system. Local content lists provide basic domain/IP-based content filtering, while the Surf Sentinel option provides more sophisticated rating-based content filtering. An open network port; an exception or hole made in firewall policies to allow certain types of traffic. Cracks must be carefully designed to allow desirable traffic while still denying undesirable traffic, otherwise network security may be compromised. Dynamic Host Control Protocol; a TCP/IP protocol used by a DHCP server to automatically assign IP addresses, assign gateways, and propagate DNS server information to network hosts. The amount of time before a host must renew the request for an IP address and DNS proxy information from the DHCP server. De-militarized zone; see PSN.
ARP Protocol ARP Table
Authentication Automatic Policy
Bandwidth Bandwidth Capping (Bandwidth Limiting) BGP
Bridged Interface
Bridged Protocol Content Filtering
Crack
DHCP
DHCP Lease DMZ
305
DNS
Domain Name System; a TCP/IP protocol and same-named server or proxy that provides information to requestors about which domain names are found on an IP address. A service that passes on DNS information requests to a DNS server, and returns the response to the original requestor. Because it does not keep DNS records itself, it is not considered a DNS server, but only a requestor stand-in. A host name registered within a DNS hierarchy, such as firewall.example.com. This allows the convenience of referring to a host by an easily-remembered name rather than an IP address. A service that automatically receives dynamic (such as DHCP-driven) IP address updates to its DNS records, and propagates them. DNS normally assumes the use of hosts with static IP addresses, so a dynamic DNS service automates the DNS update process for hosts without static IP addresses. A NAT that is determined automatically by the firewall or router when network traffic has been sent without an applicable static (manual) NAT. An SMTP server stand-in that serves to determine which communications should be allowed to reach the SMTP (email) server, and to relay valid connections. See Mail Sentinel. Wrapping a traffic packet within another protocol to facilitate routing, add encryption, or bypass restrictions. For example, encapsulating HTTP traffic within an SSH tunnel wraps HTTP within the SSH protocol commands and adds a layer of encryption.
DNS Proxy
Domain Name
Dynamic DNS
Dynamic (default) NAT Email Proxy
Encapsulation
Figure F.1: How Encapsulation Works
306
Ethernet Ethernet Card External Network
A family of TCP/IP and other protocols and networking hardware standards. Network card specializing in Ethernet communications. See Network Card. A network that is logically outside of the scope of firewall protection. Since all firewalls have limited processing power and not all networks are under your direct responsibility, it is desirable, for example, to put the Internet on the external network, where the firewall will not attempt to apply policies to traffic passing into it. A mechanism for automatically replacing a failed unit with a functionally equivalent substitute unit. In networking, failovers are used to minimize interruptions in service when a hardware or software malfunction occurs. See H2A High Availability. An aspect of software functionality, either standard or optional. A network device specializing in security policy enforcement for the acceptance or denial of network traffic. Because routers specialize in routing policy but lack sophisticated security policy enforcement tools, they should not be considered a substitute for a firewall. The Firewall Control Center acts as the central hub for GTA software products such as GB Commander and GTA Reporting Suite. A default route, a host through which all outbound network traffic must pass. If NAT is applied, outbound traffic packets receive the external IP address of the gateway host when leaving the internal network. A software tool for global/multi-firewall administration of GTA firewalls. Useful for applying security policies across multiple firewalls. See Firewall Control Center. A failover service option available on select GTA firewalls. The number of network hosts, such as routers or firewalls, that a packet reaches before arriving at its final destination. A computer or other network device such as a firewall or router. Hyper-Text Transfer Protocol; a TCP/IP protocol specializing in the transfer of web pages (HTML documents and their embedded media), typically used by web browsers like Internet Explorer, Mozilla and Safari. An HTTP (web page) request stand-in service. On GTA firewalls, it may restrict transmitted web page traffic requests based upon configuration of Surf Sentinel policies. A firewall policy enacted to allow traffic from external or PSN networks to protected or PSN networks. Tunnels are different from bridging because they may involve the application of NAT to hide the IP addresses and open ports of hosts on the internal, destination network. Because it typically applies NAT and is not an unconditional acceptance of network traffic, inbound tunnels are not generally considered cracks. An object type containing network interface configuration information, such as Ethernet/NIC or modem.
Failover
Feature Firewall
Firewall Control Center Gateway
GB Commander H2A High Availability Hop Count Host HTTP
HTTP Proxy
Inbound Tunnel
Interface Object
307
Internal Network
A logically protected network; by default, GTA Firewall UTM Appliances allow all outbound traffic from internal (protected or PSN) networks, but deny inbound traffic from external (external or PSN) networks. An Intrusion Prevention System (IPS) is used to protect hosts behind the GTA Firewall UTM Appliance by using policies that allow or deny traffic based upon access control restrictions, rather than IP address or port restrictions. A number used with IP protocols to signify a host. Sometimes this also includes the subnet mask, a number which specifies the network to which a host belongs. An IP address consists of four network class designation numbers, each ranging from 0 to 255, each separated by a period character; an example internal IP address is 192.168.71.254. An IP address that is not the real IP address of a host, but is merely a pointer to a real IP address. By using an IP alias, firewall filters can create additional alias-based policies to reflect more complex security policies.
Intrusion Prevention System IP Address
IP Alias
Using IP Aliases
IP aliases are additional IP addresses hosted on the same network card. They allow additional separation of network ports and addresses for finely tuned policy control. Protected Network PSN (DMZ) Network External Network
IP address: 192.168.1.74 IP aliases:
10.10.2.80 10.10.1.80
2 1b 1a
200.200.200.200 200.200.200.201 200.200.200.202
1. IP aliases allow multiple hosts to have tunnels that require the same port. For example, one alias could be used to direct an SSH tunnel to a web server on the PSN (1a), while another alias directs a second SSH tunnel to an internal-only file server on the protected network (1b). 2. IP aliases allow separation of outgoing traffic to multiple IP addresses. For example, an outgoing connection from a personal computer might have all of its FTP traffic routed to one external alias for the purpose of bandwidth tracking.
Figure F.2: Using IP Aliases
308
IP Protocol L2TP LAN
A type of protocol hosts use to communicate with other hosts who also have an IP address. Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). Local Area Network; typically the internal network, using Ethernet 10/100 Mbps connections facilitated by Ethernet network cards.
Figure F.3: Simple LAN Setup LCL

Local Content List; on GTA firewalls, a list of accepted and denied URLs used when the traditional or transparent HTTP proxy receives a hosts request for web page network traffic. A period of time that a host is given to possess a given resource. Typically this is a DHCP lease or VPN lease. A record that a host keeps of its activities. On GTA firewalls, messages use the WELF standard to record GB-OS and network activities. This is especially useful when tracing network attacks or unintentionally denied network traffic.
Lease Log Message
309
Logical Network
An organizationally separate part of a larger network. Hosts within a given logical network differ in some semantically important way from hosts on other logical networks, this is usually reflected in the firewall configuration. Basic GTA firewall logical network types include protected, PSN and external.
Traffic allowed by default Traffic denied by default
3 Logical Network Types:

Default Firewall Behaviors for Network Types PSN (DMZ):
Internal untrusted; protected from External
Example: Web and Email Servers
WAN
External:
External untrusted; not protected
Example: Internet
GB-2000
Protected:
Internal trusted; protected from all
Example: Office Personal Computers
Three levels of network security can be developed with different levels of trust/visibility. These three logical network types have distinct rules for default passage of unsolicited traffic from other network types. Choose the network type according to which connection sources the firewall should refuse by default, and if the network should be protected by your firewall.
Figure F.4: 3 Logical Network Types Mail Sentinel Mail Sentinel Anti-Spam Mail Sentinel Anti-Virus
The SMTP proxy on GTA firewalls. Mail Sentinel options allow extended SMTP proxy features, such as virus and spam scanning. A Mail Sentinel subscription option providing email categorization and acceptance, conditional acceptance (quarantine) or denial based upon spam-like characteristics. A Mail Sentinel feature providing email acceptance, conditional acceptance (quarantine), or denial based upon the presence of a known virus in an email attachment. Network Address Translation; a dynamic (automatic) or static (manual) translation of source and destination of IP addresses applied to TCP/IP packet headers. This is usually used to hide the IP addresses and open ports of internal networks from potential attackers on outside networks. On GTA firewalls, NAT translation is kept in a connection state table, allowing for stateful packet inspection. See Subnet Mask. One or more hosts connected to each other with a communication method such as TCP/IP over Ethernet cables. Network Interface Card (NIC); a hardware device providing a type of connection point on the host for networks such as Ethernet or serial modem (PPP). The size level of a network, as determined by its subnet mask. For example, Class A networks (subnet mask of 255.0.0.0) have up to 16,777,215 hosts or subnetworks, while Class B networks (subnet mask of 255.255.0.0) have only up to 65,535 hosts or subnetworks. Most internal networks are typically Class C networks, containing up to 255 hosts or subnetworks.
NAT
Net Mask Network Network Card Network Class
310
Network Transparency
The ability for network-capable computer software to transmit data through the firewall without additional software workarounds, as if it were a router or other non-firewall network device. See Logical Network. See Network Card. Network Time Protocol; this is used by NTP servers worldwide to synchronize clocks on hosts, assuring atomically accurate time stamps for the purpose of log stamping and other time-based software. A data set that is defined once but may be referred to many times throughout the GTA firewall configuration. Types may include address objects, encryption objects, service group objects, time group objects or IPSec Objects. A non-standard feature that must be purchased separately; payment may be either one-time or subscription-based. OSPF (Open Shortest Path First Protocol) is an interior gateway routing protocol (IGRP). Using link state algorithm advertisements (LSAs) the router builds a database (LSDB) of the networks. OSPF uses protocol 89. A type of firewall rule affecting outbound traffic. By default, all outbound traffic from the protected network is allowed; outbound policies are useful when restricting certain internal hosts to accessing only certain external hosts, rather than the whole Internet. The basic unit of data transmission in TCP/IP computer networks. A packet contains a header portion, including the source and destination IP address of the data (for routing purposes), and a data portion, containing the portion of data payload. Size (MTU) of a TCP/IP packet is typically 1,500 bytes, but is adjustable.
Network Type NIC NTP
Object
Option OSPF
Outbound Policy
Packet
Figure F.5: The Packet

311
Pass Through Policy
A type of firewall filter describing traffic that should not have NAT applied. This is different from a bridged interface because it bypasses NAT rather than applying a static route. The use of communications such as email, web pages or instant messages to present a fraudulent identity causing a person to divulge personal information to an attacker. For example, an attacker might send an email that looks like a bank communication with a link to a web page, asking recipients to click the link and confirm some bank information, where the attacker then gathers their account information. Restrictive security policies on a firewalls email and web proxy combined with user education can successfully combat phishing attacks. A network connectivity test that sends ICMP packets to a host and times the response, if any. Also, software of the same name. A systematic test for open ports within a network. By identifying open communication ports, points of network security weakness and potential points of attack can be found, so this information is frequently gathered as a security tool, although it is also used by attackers; nmap is some software frequently used to perform port scans. A firewall rule to accept or deny network traffic, filtering out undesirable network traffic transmission according to your network security policy. GTA firewalls may employ ACLs to configure filter behavior.
Phishing
Ping Port Scan
Policy
How to Connect Through the Firewall

Internet
inbound traffic
Remote access policies Tunnels and pass-through policies Surf Sentinel and Mail Sentinel Static address maps and pass-through policies
GB-2000
outbound traffic
Outbound policies
If you cant connect through the firewall: 1. Is access allowed?

(remote access/outbound policies)
2. Is the connection routable?

(tunnels/static address maps/pass-through)
3. Is the content permissable (if the connection is proxied)?

(Surf Sentinel/Mail Sentinel)
Figure F.6: How to Connect Through the Firewall
312
Policy Type
Fundamentally, all firewall filters are rules about traffic acceptance or denial. Basis of accepted or denied traffic may include time, location on a logically internal (protected or PSN) or external network, or protocol type. Point-to-Point Protocol; a protocol frequently used to negotiate serial modem network connections. The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. An internal (protected or PSN) network. A logical network type. It is most protected by default, as all outgoing connections are allowed but all unsolicited inbound connections are denied. A type of internal network, typically the LAN. A stand-in between a requestor host and a server that mediates requests, such as an HTTP proxy or SMTP proxy. Because proxies are an intermediate point, they are also a point where policy enforcement can occur, such as refusing invalid email connections or refusing web page requests to inappropriate URLs. Private Service Network; a type of semi-internal network that is protected by the firewall, but has many more open ports (cracks) to allow for services made available to the external network. Because it is less sheltered than the protected network type, it is logically separate. GTAs DMZ provides additional protection over the standard DMZ implementation, and so is called a PSN instead. A firewall policy affecting external connections to and through the firewalls external network interface, such as remote administration connections, user authentication connections, and VPN connections. A method or its software used to configure the firewall through the network without a direct console connection (serial, terminal or monitor and keyboard). If performed from the external network, this requires a remote access policy to allow that connection. Providing a copy of firewall event notices on a network host other than the firewall. This is useful as a diagnostic and recovery tool, especially since attackers first objectives is to remove attack evidence such as logs from compromised hosts. Routing Information Protocol; a way of distributing best-known routing information amongst a group of routers and firewalls on a network experiencing heavy traffic. A network device whose primary function is to route network traffic packets to their correct destination. Because routers do not provide frameworks for security policy enforcement but are merely traffic directors, they should not be considered a replacement for a firewall. The reception and redirection of a network packet according to delivery rules. Static and dynamic routing rules, as well as router protocols, help a router or firewall to determine network traffic paths (routes). A runnable software program. On GTA firewalls, this is the firewall software that runs on appliances and software firewalls. Protected from harm; in computing, this usually also implies that access has been restricted, authentication has been used, and encryption has been applied as measures of knowing all users of the computing resources, logging unusual behavior, and cryptographically protecting resource information from unauthorized users.
PPP PPTP
Private Network Protected Network
Proxy
PSN
Remote Access Policy
Remote Administration
Remote Logging
RIP Router
Routing
Runtime Secure
313
SNMP
Simple Network Management Protocol; a way of sending router or firewall configuration information among a group of routers or firewalls, making it faster to configure groups of network appliances. Without authentication and encryption, this is inherently insecure, but the third version of the protocol has enabled a secure version. Unsolicited bulk email. While some security professionals do not consider spam to be a security threat, there is an increasing correlation between spam, electronic fraud and worms that may make spam a significant security threat. GTA firewalls equipped with Mail Sentinel Anti-Spam can reduce spam transmission. Presenting a fraudulent identity such as an email or IP address in the attempt to pose as a known person or host, or gaining access to network resources. GTA firewalls prevent spoofing by maintaining a connection table, checking against it to make sure that connections arrive on expected channels, and performing other policy checks on all incoming traffic to verify its authenticity. Secure Socket Layers; a way of providing authenticated and encrypted communications using certificates or keys; this is primarily used for secure web browser communications, but is used in many other ways as well. GTAs remote access SSL Browser and Client. On GTA firewalls, a system of checks that is performed on each network packet to verify that it meets transmission expectations logically deduced from the routing state table. Packets that do not meet these expectations are attacks such as IP address spoofs, and are denied. A routing rule that directs outbound NATd traffic through an IP alias other than the default route. Default NAT is automatically determined, but in some cases a pre-determined IP address translation for outgoing traffic is desirable, and a manual (static) NAT mapping may be applied. A routing rule that overrides the subnet mask gateway indicator when determining whether a network packet is outbound traffic or internal traffic. For example, packets from an IP address of 200.200.200.200 on a class C network could be routed to another internal class C IP address of 300.300.300.300 using a static route, even though their class C subnet masks of 255.255.255.0 would normally indicate routing the traffic externally. A set of firewall rules specifying that no ping or traceroute requests for the firewall IP from the external network should be answered. Because this means that the firewall cannot be seen using these conventional connection tests, it is hidden from some network scans. A numerical exclusion value often shown as an IP address, like 255.255.255.0 (which assigns all IP addresses beginning with the same nine numbers to the same internal subnetwork), that shows which network (or subnetwork) an IP address belongs to. Without a static route, IP addresses outside the range indicated by the subnet mask are assumed to be external traffic, and hence the packets are routed to the gateway. GTA firewall optional features that require periodic renewal fees. A GTA firewall content filtering option.
Spam
Spoofing
SSL
SSL Browser & Client Stateful Packet Inspection
Static Address Mapping Static NAT
Static Routes
Stealth Mode
Subnet Mask
Subscription Surf Sentinel
314
Syslog TCP/IP Protocol Time Group Timeout
A style of logging and same-named Unix software that facilitates both local and remote event logging. A group of defined network behaviors that allow networked hosts to exchange data. A method of defining time-dependent filters on GTA firewalls. The expiration of a waiting period for an expected event. For example, many network connections have timeouts, after which the connection is closed if there is no further data transmission. A network connectivity test that uses ICMP packets to determine which routers or firewalls that packets encounter on their way to a given destination by gradually increasing the hop count and waiting for a hop count expiration response after each increase. Also, software of the same name. Bandwidth Limiting. Because a finite amount of data can be transmitted per time unit, the resource must sometimes be allocated according to need and priority. On GTA firewalls, traffic shaping policies apply bandwidth need and priority policies. Also, an object type that stores a traffic shaping configuration. An object that defines traffic shaping policies that may be applied to traffic passing through a GTA firewall. A type of computer virus that might normally be prevented, but uses psychological tricks to convince users to activate them and unwittingly override other security measures. The path established by one network to send its data via another networks connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. Sometimes also called port forwarding.
Traceroute
Traffic Shaping
Traffic Shaping Object Trojan
Tunnel
How IPSec Tunnels Work

Tunnels encrypt/encapsulate packets within other packets to facilitate routing (non-IP protocol traffic over the Internet, TCP/IP port redirection) and security (encryption). VPN and SSH connections are types of frequently tunneled connections. 1
GB-2000
Interne
GB-2000
Packet sent with internal source IP address.
2
Outgoing port and external IP address wrapper added by the sources gateway. Encryption may be added.
2 To
To 1 10. 0.1 .8:2 2
01.
.2 201
.8:2
288
3
A destination tunnel gateway removes the wrapper, allowing packets to be routed to an internal destination. Additional encryption is removed.
Destination receives packets.
Figure F.7: How Tunnels Work
315
URL
Uniform Resource Locator; the protocol prefix, host address and file location of a network resource, such as a web page or folder. An example is http://www.gta.com/ index.php. In authentication, the process of checking provided credentials for a match with known acceptable credentials. This may include checking the user name and/or a password and/or an SSL certificate. A temporary, automatic crack created by the firewall when stateful packet inspection determines that a secondary connection is necessary and allowable. Because firewalls are by definition security policy enforcement devices, cracks in this security are not advisable but sometimes nevertheless necessary to provide application functionality. Virtual cracks used by GTA firewalls reduce administrator burden and security risk by minimizing the amount of risk time and human error normally associated with the creation of cracks. A self-replicating computer program that attempts to spread itself to other computers, usually with unauthorized methods and usually with bad effects. Computer viruses exist for many kinds of electronic devices, including cell phones and computers, and are considered a compromise of network security. Viruses can be denied with anti-virus scanning software such as Mail Sentinel Anti-Virus and with secure network policies enacted on the firewall. Virtual Local Area Network; a network of computers that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible. Virtual Private Network; a combined method of packet encapsulation (tunneling), authentication and encryption used to connect a host on an external, untrusted network (e.g. the Internet) to the internal (private) network. Secure VPN connections are typically used by travelers, remote offices or telecommuters to access internal network resources from abroad without creating cracks that could compromise internal network security.
Verification
Virtual Crack
Virus
VLAN
VPN
Figure F.8: How VPNs Work
316
VPN Object VPN Certificate Web Content Filtering Worm
An object type storing configuration data used by VPN connections. A VPN certificate is a data structure used to authenticate parties when initiating a VPN connection. See Content Filtering. A type of virus that spreads automatically by network connection to other susceptible hosts. Worm propagation can be effectively contained if the firewall denies communication on ports a worm requires to transmit itself.
317
License Agreement
READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THIS SOFTWARE OR THE ACCOMPANYING USER DOCUMENTATION (THE PROGRAM). THE PROGRAM IS COPYRIGHTED AND LICENSED (NOT SOLD). BY USING THE PROGRAM, YOU ARE ACCEPTING AND AGREEING TO THE TERMS OF THIS LICENSE AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT, PROMPTLY RETURN THE UNUSED PROGRAM WITHIN TEN (10) DAYS AND YOU WILL RECEIVE A FULL REFUND OF THE AMOUNTS YOU PAID FOR THE USE OF THE PROGRAM. Global Technology Associates, Inc. License Agreement for GB-OS 1 January 2011 The enclosed Licensed Program (Software) from Global Technology Associates, Inc. (GTA) contains modules contributed by or licensed from other third parties. Copyrights in the Software are claimed by GTA, The Regents of the University of California (the Regents) and other contributors as indicated by proprietary notices located within their respective modules. Copyright 1996-2009 Global Technology Associates, Inc. All rights reserved. 1. License Grant. Under the terms of this license, you are hereby granted and you accept a non-exclusive license to use the Software and the accompanying user documentation (Users Guide) only as authorized in this license agreement. This license agreement allows you to run one copy of the Software on a single system (the System) only. In addition, you may make copies of the Software in machine-readable form for backup purposes only in the event that the supplied Media are damaged or destroyed. All copies of the Software must be kept in your possession and are the property of GTA. Any such copies of the Software and the Users Guide shall include the GTA copyright notice and other proprietary notices as contained in the original materials licensed to you. Except as authorized under this paragraph, no copies of the Software or Users Guide or any portions thereof may be made by you or any person under your authority or control. 2. Restrictions. You agree that you will not assign, sublicense, transfer, pledge, lease, rent, or share your rights under this License Agreement. You agree that you may not reverse engineer, reverse assemble, reverse compile, or otherwise translate the Software. You may not modify, distribute or create derivative works based on the Software in whole or part. You agree that you may not reverse engineer, reverse assemble or attempt to duplicate any copy protection mechanism. 3. Licensors Rights. You acknowledge and agree that the Software and the Users Guide are proprietary products of GTA and/or GTAs licensors protected under U.S. Copyright law. You further agree that all right, title and interest in and to the Software, including associated intellectual property rights, are and shall remain with GTA and/or GTAs licensors. 4. Term. This license will terminate immediately without notice from GTA if you fail to comply with any provision of this license agreement. Upon such termination, you agree to return to GTA or destroy all copies of the Software and Users Guide, along with any backup or other copies in your possession and a signed statement to the effect that no other customer-made copies are in existence. 5. Limited Warranty. 5.1. GTA warrants, for your benefit alone, that the Media on which the Software is contained is free from defects in material and workmanship under normal use for a period of thirty (30) days from the date of delivery (referred to as the Warranty Period). GTAs entire liability and your exclusive remedy if the Media is defective, and which is returned to GTA, shall be the replacement of the Software during the warranty period. 5.2. GTA warrants, for your benefit alone, that during the Warranty Period the Software shall operate substantially in accordance with the functional specifications in the Users Guide. If during the Warranty Period, a defect in the Software appears, GTAs sole obligation under this warranty shall be limited to either replacement of the Software or using reasonable efforts to correct such defects and provide you with a corrected version of such Software as soon as practicable after you have notified GTA of such defects. GTA does not warrant that operation of any of the Software shall be error-free or uninterrupted or the Software will meet your requirements. 5.3. This Limited Warranty is void, if failure of the Software or Media is the result of accident, abuse or misapplication. 5.4. Except for the warranties set forth above, the Software is licensed as is and GTA specifically disclaims any and all other warranties, whether express or implied, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose. 6. Limitation of Liability. In no event shall GTAs cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of or relating to this Agreement exceed the amount paid by you for use of the Software. IN NO EVENT SHALL GTA BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR EXEMPLARY DAMAGES OR LOST PROFITS, EVEN IF GTA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. 7. Trademark. GNAT Box is a registered trademark of GTA. No right, license, or interest to such trademark is granted hereunder, and you agree that no such right, license, or interest shall be asserted by you with respect to such trademark.
318
Legal
8. U.S. Government Restricted Rights. The Licensed Program is Restricted Computer Software as that term is defined in Clause 55.227-19 of the Federal Acquisition Regulations (FAR) and is Commercial Computer Software as that term is defined in Subpart 227.401 of the Department of Defense Federal Acquisition Regulation Supplemental (DFARS). If the Licensed Program is supplied to the Department of Defense (DoD), it is classified as Commercial Computer Software and the Government is acquiring only restricted rights in the Licensed Program and its documentation as that term is defined in Clause 252.227-7013 of the DFARS. If the Licensed Program is supplied to any unit or agency of the United States Government other than the DoD, the Governments rights in it and its documentation will be as defined in Clause 55.227-7013. Where the terms and conditions of this Software License Agreement conflict in any manner with the FAR or DFARS, the terms and conditions specified herein shall take precedence. Under the terms of this license, you are required to include the foregoing restrictions in all license agreements with the United Stated government or any subdivision thereof and in all sublicense agreements with other third parties which permit further sublicense of the Licensed Program for eventual end-use by the United States government or any subdivision thereof. 9. Governing Law and Severability. This license agreement shall be governed by and construed in accordance with the laws of the State of Florida. Should any term of this license agreement, or portion thereof, be declared void or unenforceable by any court of competent jurisdiction, such declaration shall have no effect on the remaining terms thereof. 10. Compliance with Law; Export. You agree not to export or re-export the Software and other technical data received from GTA (i) into (or to a national or resident of) Cuba, Iraq, Libya, Sudan, North Korea, Iran, Syria or any other country to which the U.S. has embargoed goods; or (ii) to anyone on the U.S. Treasury Departments list of Specially Designated Nationals or the U.S. Commerce Departments Table of Denial Orders. By using the Software, you are agreeing to the foregoing and you are representing and warranting that you are not located in, under the control of, or a national or resident of any such country or on any such list. 11. Complete Agreement. You acknowledge that you have read this agreement and understand it and agree to be bound by its terms and conditions. You further agree that it is the complete and exclusive statement of the agreement between GTA and you which supersedes any proposal or prior written agreement, oral or written, and any other communications between us relating to the subject matter of this agreement. No amendment to or modification of this agreement will be binding unless in writing and signed by a duly authorized representative of GTA. 12. The Regents Copyright and Disclaimer. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. This product includes software developed by the University of California, Berkeley and its contributors. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the Regents of the University of California.
Legal
319
Legal Notices
Copyright 1996-2011, Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated. Technical Support GTA includes 30 days up and running installation support from the date of purchase. See GTAs Web site for more information. GTAs direct customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local Authorized GTA Channel Partner. Tel: +1.407.380.0220 Email: support@gta.com Disclaimer Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors. Trademarks & Copyrights GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM are available at http://oss.software.ibm.com/icu4j/. Some products include software developed by the OpenSSL Project (http://www.openssl.org/). Mailshell and Mailshell Anti-Spam is a trademark of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.
Global Technology Associates, Inc. 3505 Lake Lynda Drive, Suite 109 Orlando, FL 32817 USA Tel: +1.407.380.0220 Fax: +1.407.380.6080 Web: http://www.gta.com Email: info@gta.com
320
Legal

UsersGuide 6.0

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

UsersGuide 6.0

Încărcat de

Drepturi de autor:

Formate disponibile

Version 6.

Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email: info@gta.com Web: www.gta.com

GB-OS 6.0 Users Guide

Initial Setup_ ________________________________________________________________________________ 19

Basic Setup Tasks_ ___________________________________________________________________________ 35

Advanced Setup Tasks________________________________________________________________________ 60

Threat Management_ __________________________________________________________________________ 133

Monitoring Reports & Administrative Tools_______________________________________________________ 153

GB-OS 6.0 Users Guide

Troubleshooting_ ____________________________________________________________________________ 170

User Interface_ ______________________________________________________________________________ 184

System Parameters___________________________________________________________________________ 196

Upgrading_ _________________________________________________________________________________ 265

Log Messages_______________________________________________________________________________ 278

GB-OS 6.0 Users Guide

GB-OS 6.0 Users Guide

About This Guide

GB-OS 6.0 Users Guide

About GTA Firewalls

GB-OS 6.0 Users Guide

A GB-OS firewall system is:

GB-OS 6.0 Users Guide

*Available on select GTAfirewalls.

GB-OS 6.0 Users Guide

Before updating, be sure to backup your configuration.

GB-OS 6.0 Users Guide

H2A High Availability Feature Guide www.gta.com

GB-OS 6.0 Users Guide

GB-OS 6.0 Users Guide

Chapter 1: Initial Setup

GB-OS 6.0 Users Guide

Retrieving Your Activation Code

Planning Your Network

Chapter 1: Initial Setup

GB-OS 6.0 Users Guide

Connecting Your Computer to the Firewall

In addition, you will need:

Figure 1.1: Choosing the Correct Type of

Setup by Temporary Peer Network

Chapter 1: Initial Setup

GB-OS 6.0 Users Guide

Powering On the Firewall

Chapter 1: Initial Setup

GB-OS 6.0 Users Guide

Entering Firewall Network Settings

Connecting to the Web Interface

Figure 1.5: Entering the Default User ID and Password Caution

Chapter 1: Initial Setup

GB-OS 6.0 Users Guide

Using the Basic Setup Wizard

Table 1.1: Basic Setup Wizard Worksheet

External Interface Type (circle one) DHCP PPP Static

Chapter 1: Initial Setup

GB-OS 6.0 Users Guide

Table 1.1: Basic Setup Wizard Worksheet

PSN Interface Type (circle one) IP Address

Running the Basic Setup Wizard

Figure 1.6: Entering the Administrators Contact Information

Figure 1.7: Entering the Serial Number and Activation Codes

Chapter 1: Initial Setup

GB-OS 6.0 Users Guide

Figure 1.8: Entering the Firewall Administrators Password

Figure 1.9: Network Support