Symantec Security 5600 Series, Security 5400 Series, Clientless VPN 4400 Series Administration Manual

Gateway security 5000 series v3.0

Symantec™ Gateway Security 5000
Series v3.0
Administration Guide
Supported hardware platforms:
Symantec Gateway Security 5600 Series, Symantec Gateway Security 5400 Series,
Symantec Clientless VPN Gateway 4400 Series

Summary of Contents for Symantec Security 5600 Series, Security 5400 Series, Clientless VPN 4400 Series

  • Page 1 Symantec™ Gateway Security 5000 Series v3.0 Administration Guide Supported hardware platforms: Symantec Gateway Security 5600 Series, Symantec Gateway Security 5400 Series, Symantec Clientless VPN Gateway 4400 Series...
  • Page 2 The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
  • Page 3: Technical Support

    Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
  • Page 4: Customer Service

    Customer Service To contact Enterprise Customer Service online, go to www.symantec.com/techsupp, select the appropriate Global Site for your country, then select the enterprise Continue link. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization ■...
  • Page 5: Table Of Contents

    Contents Chapter 1 Introducing the security gateway About Symantec Gateway Security 5000 Series v3.0 ...................15 Key components of the security gateway ......................15 Firewall technology ............................16 Virtual Private Network (VPN) server technology ..................16 Antispam scanning ............................17 Antivirus scanning ............................18 Intrusion detection and prevention ........................18 Content filtering ..............................19...
  • Page 6 Contents Chapter 3 Managing administrative access Providing access to the security gateway ......................67 Creating administrator accounts ..........................67 Creating machine accounts for security gateway access from remote computers ......... 69 Changing passwords ..............................70 Changing administrator passwords ........................ 71 Changing the root password ..........................
  • Page 7 Contents Allowing DHCP traffic .............................131 How the security gateway handles DHCP traffic ..................131 Configuring the security gateway to allow DHCP traffic ................132 Allowing multicast traffic ............................135 How the security gateway handles multicast traffic ..................136 Configuring the security gateway to allow multicast traffic ..............136 About the security gateway’s implementation of DNS ..................138 Configuring a caching name server with no internal name server ............138 Configuring a caching name server with an internal name server ............140...
  • Page 8 Contents Chapter 7 Limiting user access Understanding authentication ..........................243 Configuring users for internal authentication ....................243 Creating a user account on the internal server ...................244 Creating an IKE-enabled user ........................245 Ensuring that the internal server is enabled ....................247 Configuring user groups for internal and external authentication ..............247 Configuring user groups to authenticate with the internal authentication server ......248 Creating an IKE user group ..........................250 Importing users and user groups ........................251...
  • Page 9 Applying client compliance to user groups ....................398 Simplifying multiple Client VPN computer configuration ................399 Delivering Client VPN packages to users .....................400 How the Client VPN package is processed on the Symantec Client VPN ..........400 Importing Client VPN information ........................401 Creating the pkimpvpn file ..........................401 Authenticating tunnels using Entrust certificates .....................402...
  • Page 10 Contents Chapter 11 Enabling remote access with clientless VPN About clientless VPN ...............................409 Clientless VPN concepts ..........................410 How clientless VPN controls authentication and remote access .............410 Managing clientless VPN users ..........................411 Controlling remote access ............................412 Defining VPN profiles to allow communication between the security gateway and clientless users ..413 Using rules to allow or deny clientless VPN access ...................415 Rule components .............................415 About simple rules ............................415...
  • Page 11 Configuring an email notification .........................489 Configuring a pager notification ........................490 Configuring SNMPv1 and SNMPv2 notifications ..................491 Integrating Symantec DeepSight Threat Management System ...............494 Reducing the volume of log messages ........................495 Modifying firewall rules to reduce log messages ..................495 Including host names in log entries ......................495 Configuring reverse lookup timeout value ....................496...
  • Page 12 Installing a signed certificate ..........................555 Appendix C Troubleshooting and problem solving About troubleshooting ............................557 Accessing Symantec Gateway Security 5000 Series troubleshooting information ......557 Important reminders ..............................558 Isolating a problem ..............................558 Using an IP address ............................558 Using the security gateway ..........................559 Troubleshooting utilities ............................560...
  • Page 13 Contents Appendix D Field descriptions Monitors field descriptions ............................563 Status .................................564 Logs ..................................570 Open Archived Log File dialog box ........................574 IDS/IPS Alerts tab ............................574 Notifications ..............................579 Policy field descriptions ............................589 Firewall ................................589 Packet Filters ..............................600 Time Periods ..............................602 VPN Tunnels ..............................605 VPN Policies ..............................609 IPsec static key policy Properties—Data Privacy Preference tab .............616 Clientless VPN ..............................617...
  • Page 14 Contents Cluster field descriptions ............................767 Cluster Status ..............................768 Cluster Members window ..........................768 VIPs window ..............................769 Watchlist window ............................770 Ping Groups window ............................770 NIC Monitoring window ..........................771 Traffic Grouping window ..........................772 Menu option field descriptions ..........................773 Analysis reports ..............................775 Configuration reports .............................775 Client VPN Package Wizard ...........................776 Remote Access Tunnel Wizard for Client VPN ...................777 Remote Access Tunnel Wizard for Clientless VPN ..................782...
  • Page 15: Introducing The Security Gateway

    ■ About Symantec Gateway Security 5000 Series v3.0 Symantec Gateway Security 5000 Series v3.0 is an integrated hardware and software appliance that provides many security technologies in one rack-mountable, plug-and-protect appliance that acts as a security gateway to your enterprise.
  • Page 16: Firewall Technology

    Configuration reports You can generate and print reports for every configurable feature of the security gateway. Virtual Private Network (VPN) server technology Symantec Gateway Security 5000 Series v3.0 includes VPN technology that lets organizations securely extend their network perimeters beyond the enterprise.
  • Page 17: Antispam Scanning

    IPsec/IKE or IPsec/Static secure tunnel that you create. Symantec Client VPN: Client VPN tunnels let remote users running the Symantec Client VPN software (or any IPsec-compliant VPN client software) safely connect over the Internet to a network secured by a Symantec security gateway.
  • Page 18: Antivirus Scanning

    Intrusion detection and prevention Symantec Gateway Security 5000 Series v3.0 provides an intrusion detection and prevention component that protects internal network resources from attack by pinpointing malicious activities, identifying intrusions, and responding rapidly to attacks.
  • Page 19: Content Filtering

    (HA) for your security gateways and increases performance through load balancing (LB). To increase availability, you can cluster Symantec’s security gateways into groups of from two to eight security gateways. When two or more security gateways are clustered, the failure of one security gateway causes another security gateway to automatically pick up the workload of the failed cluster member.
  • Page 20: Security Gateway Management Interface

    LiveUpdate of content security components, create SSL certificates, and manage licenses for the security gateway features you have purchased. Network security best practices Symantec encourages all users and administrators to adhere to the following basic security practices: Turn off or remove unnecessary operating system services. ■...
  • Page 21: Becoming Familiar With The Sgmi

    ■ About the SGMI You manage Symantec Gateway Security 5000 Series v3.0 using the Security Gateway Management Interface (SGMI). The SGMI is an easy-to-navigate graphical user interface that lets you perform a variety of management functions. These include configuring the security gateway to meet the needs of your security plan, monitoring the performance of the security gateway appliance, or monitoring log and IDS/IPS alert messages to identify security threats.
  • Page 22: Logging On To The Sgmi For The First Time

    Becoming familiar with the SGMI Logging on to the SGMI The following tasks are included in this section: “Logging on to the SGMI for the first time” on page 22 ■ “Integrating the SGMI to the desktop” on page 24 ■...
  • Page 23 Prerequisites Complete the following tasks before beginning this procedure: Install and configure the appliance as described in the Symantec Gateway Security 5000 Series v3.0 ■ Installation Guide. To log on to the SGMI for the first time...
  • Page 24: Integrating The Sgmi To The Desktop

    ■ A Java Web Start progress box shows files being downloaded to your computer, followed by a security warning for a certificate that is signed by Symantec. 11 In the Warning - Security dialog box, click Yes. 12 In a final Warning - Security dialog box from Sun Microsystems, Inc., click Yes.
  • Page 25: Logging On To The Sgmi From The Desktop

    Becoming familiar with the SGMI Logging on to the SGMI To add the SGMI to the desktop On the Start menu, click Control Panel. In the Control Panel window, click Java. In the Java Control Panel dialog box, under Temporary Internet Files, click Settings. In the Temporary Files Settings dialog box, click View Applications.
  • Page 26: Logging On To The Sgmi From A Browser

    Becoming familiar with the SGMI Logging on to the SGMI To log on to the SGMI from the desktop On the desktop, double-click the SGMI icon. If a Warning - Security dialog box displays, do one of the following: Verify the certificate, and then click Yes. ■...
  • Page 27: Avoiding Hostname Mismatches

    Becoming familiar with the SGMI Logging on to the SGMI In the Security Alert dialog box, verify the temporary certificate that is generated by the appliance and then click Yes to accept it. In the Warning-Security dialog box, verify the certificate, and then click Yes. If a Hostname Mismatch dialog box is displayed, click Yes.
  • Page 28 ■ Uninstalling the SGMI application If you are no longer going to manage Symantec Gateway Security 5000 Series v3.0 appliances from your computer, you can use the Web Start application to uninstall the SGMI application. Uninstalling the SGMI from your management computer does not uninstall the security gateway software from the appliance.
  • Page 29: Using The Sgmi Home Page

    The SGMI home page displays when you log on. It provides: Quick Status information ■ Access to commonly used security gateway configuration wizards ■ Information from Symantec’s DeepSight global threat correlation service, if there is Internet ■ access Figure 2-1 SGMI home page...
  • Page 30: Accessing Commonly Used Configuration Wizards

    Client VPN Package Wizard Use this wizard to simplify the configuration of multiple Symantec Client VPN computers. The wizard generates connection information for remote entities. You provide these packages to remote users, who install them on computers that are running Symantec Client VPN.
  • Page 31: Viewing Deepsight's Threatcon Status

    The time shown above the ThreatCon rating indicates the time of the most recent change to the ThreatCon status. The link below the Symantec ThreatCon indicator takes you to the Symantec Security Response Web site, where you can learn more about using the Symantec DeepSight threat management system to evaluate and improve your security posture.
  • Page 32 To log off from the SGMI In the SGMI, on the File menu, click Log Off. If you have saved all of your changes, the Symantec Gateway Security 5000 Series v3.0 logon dialog box is displayed. If you have unsaved changes, a message asks if you want to save the current changes before logging off.
  • Page 33: Navigating In The Sgmi

    Becoming familiar with the SGMI Navigating in the SGMI To respond to a timeout To return to managing the security gateway, in the Relogin dialog box, in the Password text box, enter your password, and then click Log On. To exit from the SGMI, in the Relogin dialog box, click Cancel. If there are no changes pending, the Relogin dialog box closes.
  • Page 34 Becoming familiar with the SGMI Navigating in the SGMI Figure 2-2 SGMI user interface structure Product name Right pane tabs Configuration Status messages table Menus Toolbar Left pane navigation Right pane configuration or status information Lower pane configuration messages This section contains the following topics: Using the SGMI menus ■...
  • Page 35: Using The Sgmi Menus

    Becoming familiar with the SGMI Navigating in the SGMI Using the SGMI menus The SGMI menus provide access to the following functionality. Table 2-1 SGMI menu options Menu Option Description File Save Saves changes to configurations. “Saving and activating configuration changes” on page 59.
  • Page 36 “Viewing or modifying the global IKE policy” on page 384 ■ Scalable Management Helps you join and leave the Symantec Enterprise Security Architecture (SESA) for scalable management of security gateway configurations. Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0.
  • Page 37: Using The Sgmi Toolbar

    Security 5000 Series v3.0 “Using online Help” on page 45. Help > About Symantec Gateway Security 5000 Series v3.0: Displays the Symantec Gateway Security software version and build information. Using the SGMI toolbar The SGMI toolbar buttons provide easy access to frequently used functions.
  • Page 38: Navigating From The Left Pane

    Becoming familiar with the SGMI Navigating in the SGMI Table 2-2 SGMI toolbar Icon Function Description Refresh Activated when you are viewing active sessions, such as active connections, logs, and IDS alerts. Refreshes the table with current data. AutoRefresh Activated when you are viewing active sessions, such as active connections, logs, and IDS alerts.
  • Page 39 Becoming familiar with the SGMI Navigating in the SGMI The following table summarizes the functions provided by the folders within each section: Table 2-3 Section and folder descriptions Section name Folder name Description Monitors Lets you view current and archived information about your security gateway, such as connections, resource usage, and log messages.
  • Page 40: System Information

    Lets you enable and disable security gateway features, control how events are sent to SESA, configure LiveUpdate of content security components, and manage clientless VPN certificates. Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0. Administration Lets you define security gateway administrators and machine accounts with access to the security gateway.
  • Page 41: Tools Menu

    Changes to Symantec Gateway Security 5000 Series v3.0 navigation This section is intended to ease the transition from the Symantec Gateway Security v2.0 SGMI to the Symantec Gateway Security 5000 Series v3.0 SGMI. The table below compares the location of tasks in the two versions of the user interface.
  • Page 42 Becoming familiar with the SGMI Navigating in the SGMI Table 2-4 Navigation for SGMI v2.0 mapped to SGMI v3.0 SGMI v2.0 SGMI v 3.0 Policy > Advanced > System Parameters Policy > Policy Parameters Host name included in log Include host name in log entries Forwarding filter Packet filter Policy >...
  • Page 43: Navigating The Right Pane

    Monitoring > Cluster Status Cluster > Clusters Monitoring > SESA Event Gating System > Configuration > SESA Event Gating Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0. Reports > Configuration Reports Reports menu > Configuration ..
  • Page 44 Becoming familiar with the SGMI Navigating in the SGMI Figure 2-5 shows the Rules page, one of the pages that you can view when you click Policy > Firewall. It contains a table of rule objects that you can create or modify. Figure 2-5 Rules page showing table of objects Figure 2-6...
  • Page 45: Using Online Help

    Becoming familiar with the SGMI Using online Help Using online Help The Symantec Gateway Security 5000 Series v3.0 online Help system is context sensitive and is available from any part of the SGMI. Help displays in a separate window, as shown in Figure 2-7.
  • Page 46: Searching Help

    In the SGMI, if your focus is on a right pane tab, do one of the following: Press F1. ■ In the Help menu, click Symantec Gateway Security 5000 Series v3.0 Help. ■ If you are creating or modifying an object using its properties dialog box, do one of the following: Press F1.
  • Page 47: Printing Help

    To search Help In the Symantec Gateway 5000 Series v3.0 Help window, on the Search tab, in the Find text box, type a search term. Press Enter. To the right of the list of topics that is returned, two indicators help you choose a topic: A full red circle indicates that the topic meets the entire search criteria.
  • Page 48: Changing The Display Of Objects In A Table

    Becoming familiar with the SGMI Working with configurations of objects Buttons above the table of objects let you do the following: Table 2-5 Buttons used with objects Button Name Description Create a new object of the type in the table. In a dialog box, when this icon appears to the right of a drop-down list, it indicates that you can create a new object of the type that appears in the drop-down list.
  • Page 49 Becoming familiar with the SGMI Working with configurations of objects Changing sort order and column placement in a table You can sort objects in a table based on any column of the table. You can also move columns to make it easy to see the information in the columns that are most important to you.
  • Page 50: Viewing And Modifying Object Properties

    Becoming familiar with the SGMI Working with configurations of objects For each property by which you want to search, do one of the following: To search on part of a property name, click Contains, and specify one or more letters ■...
  • Page 51 Becoming familiar with the SGMI Working with configurations of objects Select the object, and then on the Edit menu, click Properties. ■ Properties dialog boxes have two or more tabs: The General tab shows whether the object is enabled and displays its name and a short ■...
  • Page 52: Adding Configuration Objects

    Becoming familiar with the SGMI Working with configurations of objects Do one of the following: Continue editing. ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■...
  • Page 53 Becoming familiar with the SGMI Working with configurations of objects A properties dialog box displays immediately. ■ On the General tab, do the following: Enable To enable the object, check Enable. Not all objects have Enable check boxes. <object> name Type a name for the object.
  • Page 54 Becoming familiar with the SGMI Working with configurations of objects For example, when configuring a DNS host record, on the Aliases tab, you can assign an alias, or short name for the host, to be used in DNS lookups. In the Alias text box, you would type the alias and then click Add to add it to the list. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box.
  • Page 55: Configuring Objects That Reference Other Objects

    Becoming familiar with the SGMI Working with configurations of objects On the Edit menu, click Copy. ■ On the keyboard, press Ctrl + C. ■ Paste the objects by doing one of the following: Right click again and click Paste. ■...
  • Page 56 Becoming familiar with the SGMI Working with configurations of objects When you create an object that references other objects, you have two choices: Create the required objects, such as network entities and service groups, before you begin to create ■ the object that references them.
  • Page 57 Becoming familiar with the SGMI Working with configurations of objects The properties dialog box for a new instance of the referenced object is displayed. Create or modify the referenced object. Click OK. The properties dialog box of the referenced object closes, and you can continue to work using the tabs of the referencing object.
  • Page 58 Becoming familiar with the SGMI Working with configurations of objects On the Protocols tab, to add protocols to the Selected list, click Add. In the Select protocols dialog box, the list of protocols displayed is determined by the search method you select and the value you specify. The default is to display all of the protocols.
  • Page 59: Saving And Activating Configuration Changes

    Becoming familiar with the SGMI Working with configurations of objects Saving and activating configuration changes When you configure a new object or modify an existing object, the SGMI indicates that there are unsaved changes: Two symbols in the far left column of a table of objects indicate unsaved changes: A + mark indicates that the object is new.
  • Page 60 Becoming familiar with the SGMI Working with configurations of objects Save and activate changes You can save and activate changes both from the toolbar and from menu options. To save changes Do one of the following: On the toolbar, click Save. ■...
  • Page 61: Deleting Configuration Objects

    Becoming familiar with the SGMI Working with configurations of objects Reverting changes The actions of saving and activating changes are not irrevocable. Prerequisites Complete the following task before beginning this procedure: “Saving and activating configuration changes” on page 59 ■ Revert changes When you want to undo changes, you can do either of the following: If you have unsaved changes, you can revert to the last changes that you saved.
  • Page 62: Using The Lower Pane When You Change Configurations

    Becoming familiar with the SGMI Working with configurations of objects If the object is referenced by other security gateway configurations, a warning displays, telling you that the object cannot be deleted because it is in use. Do the following: To clear the warning, click OK. ■...
  • Page 63: Viewing System Information

    The System window is a read-only display of several security gateway statistics. This page displays the operating system, system date and time, host name and gateway address, product name including the security gateway version number, and the Symantec System ID. You can also view the Symantec System ID on the LCD panel of the appliance.
  • Page 64: Using Wizards To Simplify Configuration

    In the right pane, in the System Information window, view the current information about the security gateway, including the product name and appliance model, date and time, status of the front panel of the appliance, and Symantec System ID. This window is read-only; however, you can copy information from it to the clipboard.
  • Page 65 Description Join SESA Wizard Helps you join SESA for scalable management. Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0. Cluster Wizard Helps you create a cluster of security gateways for high availability and load balancing.
  • Page 66 Becoming familiar with the SGMI Using wizards to simplify configuration Detail panels prompt you for the information that you must provide. These panels include ■ instructions to help you provide the information. A Confirmation panel lets you review your choices. ■...
  • Page 67: Managing Administrative Access

    Manual creation of the Cluster account prevents a valid cluster configuration. You can use the Symantec Gateway Management Interface (SGMI) to create additional administrator accounts to delegate administrator responsibility for the security gateway. When you create an administrator account, you specify the account’s access privileges to security gateway services.
  • Page 68 Managing administrative access Creating administrator accounts Prerequisites None. To create local administrator accounts In the SGMI, in the left pane, under System, click Administration. In the right pane, on the Local Administrators tab, click New. In the Admin Account Properties dialog box, on the General tab, do the following: Enable To enable the local administrator, check Enable.
  • Page 69: Creating Machine Accounts For Security Gateway Access From Remote Computers

    Managing administrative access Creating machine accounts for security gateway access from remote computers Under Restrictions on the above, you can limit specific privileges of the local administrator by unchecking one or more check boxes. ■ On the Maintenance Privileges tab, enable the privileges you want to grant to the administrator. When the administrator logs on, the functions for which privileges are not enabled are greyed out.
  • Page 70: Changing Passwords

    Changing a machine account password ■ You can also use the LCD panel on the appliance to generate a new random root and admin password. For more information, see the Connecting and Configuring section of the Symantec Gateway Security 5000 Series Getting Started guide.
  • Page 71: Changing Administrator Passwords

    Managing administrative access Changing passwords An additional administrative account, the Cluster account, is created when you enable high availability/load balancing (HA/LB). You can change the Cluster account password, caption, and description. All other Cluster account information is read-only. “Changing the cluster account password” on page 519.
  • Page 72 Managing administrative access Changing passwords Click OK. ■ If the passwords match and meet security recommendations, the new password is created. ■ If the passwords match but do not meet security recommendations, a password warning displays with a recommendation and asks if you want to use the password anyway. To change the password without taking the recommendation, click Yes.
  • Page 73: Changing The Root Password

    Managing administrative access Changing passwords In the Confirm Password text box, type the password again. Click OK. If the new password does not contain the recommended characters, you are warned; however, the password is created. If you want to follow the recommendations, edit the administrator’s account again. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save.
  • Page 74: Changing A Machine Account Password

    IPsec tunnels. You can also connect to the appliance as an alternate way to perform a backup, or to retrieve an upgrade report. In addition, Symantec Technical Support may ask you to view or change a configuration that is not accessible through the SGMI.
  • Page 75 Managing administrative access Enabling SSH for command-line access to the appliance In the right pane, on the Features tab, under SSH connection, do the following: SSH Version 1 To enable SSH V1 connectivity, check this option. SSH Version 2 To enable SSH V2 connectivity, check this option. Port Type the port through which the connection is made.
  • Page 76 Managing administrative access Enabling SSH for command-line access to the appliance...
  • Page 77: Maintaining Your Security Gateway

    Installing and uninstalling hotfixes Periodically, Symantec issues hotfixes, which provide additional functionality or increased performance for the security gateway. To learn about available hotfixes, visit the Symantec hotfix download Web site at the following location: http://www.symantec.com/techsupp/enterprise/select_product_updates_nojs.html After you download the file that contains a hotfix to your workstation, you can install it using the hotfix option on the SGMI System menu.
  • Page 78 If you receive a message that the hotfix cannot be installed, check the Symantec product update Web site to find out if another hotfix needs to be installed first.
  • Page 79: Configuring And Running Liveupdate

    Maintaining your security gateway Configuring and running LiveUpdate If the message says that you must reboot the security gateway to remove the hotfix, do one of the following: ■ To reboot the security gateway immediately, click Yes. ■ To close the message and continue working in the SGMI, click No. Reboot the security gateway at a later time to complete the removal of the hotfix.
  • Page 80 Maintaining your security gateway Configuring and running LiveUpdate Three public Symantec LiveUpdate servers are defined by default (Table 4-1 Default LiveUpdate servers): Symantec LiveUpdate (http://liveupdate.symantecliveupdate.com); Symantec LiveUpdate 2 (http://liveupdate.symantec.com); Symantec LiveUpdate FTP (ftp://update.symantec.com/opt/content/onramp). If a LiveUpdate server is deployed in your network, you can identify it to the security gateway for use in updating components.
  • Page 81: Liveupdating Components

    Maintaining your security gateway Configuring and running LiveUpdate LiveUpdating components LiveUpdate is run separately for each content security component. You can schedule LiveUpdate for each component, or you can manually run a LiveUpdate of a component at any time. Note: If you run LiveUpdate in a clustered environment, only the components on the security gateway where you issue the command are updated.
  • Page 82 Adding a LiveUpdate server for a component: Three LiveUpdate servers are provided by Symantec. By default, these are selected as the LiveUpdate servers for the content security components. You can also configure one or more additional servers for LiveUpdate and specify them in the components’...
  • Page 83 In the Select LiveUpdate Servers dialog box, select a server from the LiveUpdate Server list, and then do one of the following: ■ To add the server to the LiveUpdate Servers list without closing the Select dialog box, click ...
  • Page 84: Starting And Stopping The Security Gateway

    Maintaining your security gateway: Starting and stopping the security gateway. Related information: For further information related to this topic, see the following: ■ “LiveUpdate Settings for Component Properties—Proxy tab” on page 756 ■ “Defining a LiveUpdate server” on page 79. Running LiveUpdate manually: When you schedule LiveUpdate for a component, the component is automatically updated on the scheduled days and times.
  • Page 85: Rebooting The Security Gateway Appliance

    You should not change security gateway configurations unless directed to do so by Symantec Technical Support. You can also reboot the appliance manually using the System menu options on the appliance front panel. See the section on using the System menu in the Symantec Gateway Security 5000 Series v3.0 Installation Guide.
  • Page 86: Shutting Down The Security Gateway Appliance

    In the logon screen, type your password and click Logon. Related information: For further information related to this topic, see the section on using the System menu in the Symantec Gateway Security 5000 Series v3.0 Installation Guide. Understanding and using licenses: The security gateway comprises a base firewall component that controls access through the security gateway and additional components that provide specific kinds of protection and connectivity.
  • Page 87: Viewing The License Status Of Security Gateway Components

    Maintaining your security gateway: Understanding and using licenses. Before the end of the grace period, you must obtain and install licenses for each security gateway feature that you want to continue to use. When the grace period expires or when you install the first license, components for which you do not have licenses are disabled.
  • Page 88: Viewing License Usage

    Viewing license usage: The License Usage tab lets you view the usage rates of the various licensed security gateway components. You can view the license usage only if the security gateway is running. Prerequisites: Complete the following task before beginning this procedure: “Starting and stopping the security gateway”...
  • Page 89: Obtaining Licenses

    Obtaining licenses: You obtain security gateway licenses from the Symantec Licensing and Registration Web site. This site prompts you for the information that is needed to issue your license files. After you enter all the requested registration information on the licensing Web site, Symantec sends an email with a license file attachment.
  • Page 90: Symantec System ID

    ■ Symantec System ID: The Symantec System ID is a unique identifier for your appliance. You can obtain it from the LCD panel of the appliance or from the SGMI. ■ Appliance serial number: ...
  • Page 91 Gathering and sorting your serial number certificates: Symantec provides evidence of your purchase using a serial number certificate. Check with your sales representative to understand how your certificates are sent. Each serial number certificate can contain several unique serial numbers, one or more for each feature ordered.
  • Page 92 Prerequisites: None. Obtain the Symantec System ID: You can obtain the Symantec System ID from the system menu on the LCD panel of the appliance or from the SGMI. To obtain the Symantec System ID from the appliance’s LCD: On the front panel of the appliance, press the e button to select the LCD system menu.
  • Page 93: Obtaining

    When your license files are emailed to you, the subject line of the email shows the serial number used to request the license file. The message in the email shows the Symantec System ID of the security gateway to which the license belongs. You must install your license files before the 30-day grace period...
  • Page 94: Installing Licenses

    On the desktop, create a separate folder for each security gateway, in an accessible location on your network, with the folder name based on the Symantec System ID of the security gateway. When you receive the email that contains the security gateway’s license files, open the attached file using a decompression utility, such as WinZip or WinRAR.
  • Page 95: Removing All License Files

    When you are ready to restart the security gateway, on the System menu, click Reboot. ■ To restart the security gateway now, click Yes. The Symantec Gateway Security 5000 Series v3.0 logon dialog box appears and the security gateway reboots. Related information: For further information related to this topic, see the following: “Removing all license files”...
  • Page 96: Enabling And Disabling Security Gateway Features

    If you do not want to wait for the reboot to start, click OK. The Symantec Gateway Security 5000 Series v3.0 logon dialog box appears and the security gateway reboots. When the reboot has completed, you can log on to the SGMI again.
  • Page 97 Related information: For further information related to this topic, see the following: ■ Enabling and disabling security gateway features from the Features window. Enabling and disabling security gateway features from the Features window: The Features window lets you enable both licensed features and other security gateway features, such as the use of an uninterruptible power supply, Clientless VPN features, and the use of SSH.
  • Page 98: Backing Up And Restoring Configurations

    If you are upgrading from a previous version of the security gateway, you are instructed to back up and restore your configurations as part of the upgrade process. For backup and restore details that are specific to upgrading the security gateway, see the upgrade chapter of the Symantec Gateway Security 5000 Series v3.0 Installation Guide.
  • Page 99: Restoring Security Gateway Configuration Files From The SGMI

    ■ Configurations created using Symantec Gateway Security v2.0, Symantec Clientless VPN Gateway v5.0, or Symantec Enterprise Firewall v8.0 software. For detailed information about restoring configurations for these versions of the security gateway, see the chapter on upgrading in the Symantec Gateway Security 5000 Series v3.0 Installation Guide.
  • Page 100: Performing A Remote Command Line Backup

    Maintaining your security gateway: Backing up and restoring configurations. This procedure describes using the SGMI to restore a Symantec Gateway Security 5000 Series v3.0 configuration to a security gateway that is not part of a cluster. Prerequisites: Complete one of the following tasks before beginning this procedure: “Backing up configuration files from the SGMI”...
  • Page 101: Using Command-Line Utilities To Perform A Local Or Remote Backup

    12 If you do not want to wait for the reboot to start, click OK. The Symantec Gateway Security 5000 Series v3.0 logon dialog box appears and the security gateway reboots. 13 When the reboot has completed, log on to the SGMI again.
  • Page 102 Performing a local command line backup: A local command line backup uses a backup utility that is installed on the security gateway whose configuration you want to back up. You run the backup utility through an SSH connection to the security gateway.
  • Page 103 The main file containing the remote backup utility components is either a zip file with a .zip extension for use with Windows systems, or a gzip-compressed tar file with a .tgz extension for UNIX platforms. Within the main zip or gzip-compressed tar file, the remote tools are also zip or tgz files.
  • Page 104: Making System Changes With The System Setup Wizard

    For descriptions of how to use the System Setup Wizard, see the following: ■ For information on using the System Setup Wizard for the first time, see the Symantec Gateway Security 5000 Series v3.0 Installation Guide.
  • Page 105 To add a physical network interface: On the back of the appliance, plug a network cable into the appropriate port. For a description of the available ports, see the Symantec Gateway Security 5000 Series v3.0 Installation Guide. In the SGMI, on the Tools menu, click System Setup Wizard.
  • Page 106 14 If you do not want to wait for the reboot to start, click OK. The Symantec Gateway Security 5000 Series v3.0 logon dialog box appears and the security gateway reboots. When the reboot has completed, you can log on to the SGMI again.
  • Page 107 15 If you do not want to wait for the reboot to start, click OK. The Symantec Gateway Security 5000 Series v3.0 logon dialog box appears and the security gateway reboots. When the reboot has completed, you can log on to the SGMI again.
  • Page 108: Modifying A Network Interface

    Maintaining your security gateway: Making system changes with the System Setup Wizard. ■ “Defining traffic endpoints with network entities” on page 160 ■ “Configuring redirected services” on page 364 ■ “Controlling IP addresses with address transforms” on page 359. Modifying a network interface: You must run the System Setup Wizard to modify the interface type, IP address, or netmask.
  • Page 109: Modifying System Information

    15 If you do not want to wait for the reboot to start, click OK. The Symantec Gateway Security 5000 Series v3.0 logon dialog box appears and the security gateway reboots. When the reboot has completed, you can log on to the SGMI again.
  • Page 110 ■ Changing the administrator password. You can also change the administrator password by using the Change Admin Password option on the System menu. Prerequisites: None. To modify system information: In the SGMI, on the Tools menu, click System Setup Wizard.
  • Page 111 You can unlock the LCD panel from the appliance by using your root password. The LCD panel relocks after 60 seconds of inactivity. For instructions on how to permanently unlock the LCD panel, see the Symantec Gateway Security 5000 Series v3.0 Installation Guide.
  • Page 112: Configuring Network Interface Properties

    Configuring network interface properties: The security gateway must have at least two network interfaces, which are configured during the initial setup of the appliance. Some network interface properties can only be changed by running the System Setup Wizard, including: ■ The interface type: Inside or Outside ...
  • Page 113: Maintaining Traffic Flow

    Maintaining your security gateway: Maintaining traffic flow. On the Routing tab, do the following: Allow multicast (UDP-based) traffic: To enable this interface to pass multicast traffic, check this option. Enable OSPF on interface: To enable the use of OSPF for dynamic routing updates, check this option. Set the following values: Key ID...
  • Page 114 Prerequisites: None. To maintain traffic flow: In the SGMI, in the left pane, under System, click Configuration. In the right pane, on the Services tab, click Process Restart. Click Properties. On the General tab, do the following: Enable: To enable process restart, check Enable.
  • Page 115: Establishing Your Network

    Chapter: Establishing your network. This chapter includes the following topics: ■ Understanding security gateway networking components ■ Deployment scenarios ■ Defining security gateway routing ■ Allowing DHCP traffic ■ Allowing multicast traffic ■ About the security gateway’s implementation of DNS. Understanding security gateway networking components: The security gateway provides your users with access to the services they need, and protects your resources from attacks.
  • Page 116: Basic Deployment

    Establishing your network: Deployment scenarios. Basic deployment: Figure 5-1 shows that the simplest deployment scenario requires the security gateway to have two interfaces, each on a different LAN segment. The Security Gateway Management Interface (SGMI), which manages the security gateway, is normally connected to the public Internet through a router. A security gateway in this configuration is typically reserved for one-way traffic, especially if one of the interfaces has direct access to a public network.
  • Page 117: Fault Tolerant Deployment

    Fault tolerant deployment: You can extend the basic deployment by adding one or more security gateways. This type of configuration, shown in Figure 5-2, can provide redundant and load-balanced processing power in the event of a catastrophic failure of a security gateway. Again, connection requests are usually initiated from the protected network, destined for external services.
  • Page 118: Advanced Deployment

    Advanced deployment: Companies hosting e-commerce solutions, or those offering access to services by untrusted users, often have additional, directly connected network segments. These networks are protected LAN segments, but are not given the level of trust that a true internal network enjoys. For example, one of these networks might be used for customer-facing applications such as Web and mail servers, or for connections to partner companies.
  • Page 119: Enclave Deployment

    Enclave deployment: An enclave security gateway, shown in Figure 5-4, protects sensitive machines and data from access by unauthorized internal users. An enclave security gateway may offer outbound access, but often requires extended user authentication for that access. Essentially, an enclave security gateway is installed to further segment a network.
  • Page 120: Advanced Enclave Deployment

    Advanced enclave deployment: It may be necessary to manage an enclave security gateway that is protected by a second security gateway. This scenario presents a unique challenge: each security gateway listens for management requests and must determine whether the request was truly directed to itself, or to another security gateway that it protects.
  • Page 121 There are different ways to configure the security gateway to resolve this issue. The two most common approaches are: ■ “Configuring advanced enclave management for routable addresses” on page 121 ■ “Configuring advanced enclave management for nonroutable addresses” on page 123 ...
  • Page 122 Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. When prompted to save your changes, click Yes. To create a service group for SGMI management: In the SGMI, in the left pane, under Assets, click Protocols.
  • Page 123 Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. When prompted to save your changes, click Yes. Related information: None.
  • Page 124 In the Destination port use drop-down list, click Single port. In the Destination low port text box, type the port number. The port number defined here should be the port number to which a user directs management requests.
  • Page 125: Defining Security Gateway Routing

    Establishing your network: Defining security gateway routing. Service group: Select the service group containing the SGMI protocol. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box. Click OK. Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save.
  • Page 126: Understanding Dynamic Routing

    You can add specific routing information manually to the security gateway’s routing table. Each routing entry identifies a specific network or subnet destination. Each entry in the table contains: Destination IP address: Network, subnet, or host. Netmask: This is generally an 8-bit, 16-bit, or 24-bit value depending on the destination.
  • Page 127: How The Security Gateway Routes Traffic

    Open Shortest Path First (OSPF) Version 2: Defined in RFC 2328, OSPF Version 2 is a link-state routing protocol. Unlike RIP-2, which measures the number of hops between networks, each router in an OSPF environment actively tests the status of the link to each of its neighbors, and then sends this information to each neighbor.
  • Page 128: Configuring Static Routes

    Similar to network interfaces, the default gateway is defined by running the System Setup Wizard. Each security gateway must have a default gateway assigned to one of the interfaces to route packets properly. “Making system changes with the System Setup Wizard”...
  • Page 129: Configuring Dynamic Routing

    Configuring dynamic routing: The security gateway includes the RIP and OSPF portions of the GNU Zebra IP routing suite to support dynamic routing. The GNU Zebra suite includes zebrad (the manager daemon) and two protocol daemons, ripd and ospfd, that implement the RIP-2 and OSPF protocols, respectively.
  • Page 130 Related information: For further information related to this topic, see the following: ■ “Network Interface Properties—Routing tab” on page 667 ■ “Understanding dynamic routing” on page 126 ■ “Routing Information Protocol Version 2 (RIP-2)” on page 126 ...
  • Page 131: Allowing DHCP Traffic

    Establishing your network: Allowing DHCP traffic. Some hosts do not statically configure their network information, but instead rely on a commonly used protocol called dynamic host control protocol (DHCP) to dynamically obtain their network addresses. DHCP uses a network’s broadcast address to communicate, and since broadcast packets are not propagated through the security gateway, any host requiring DHCP configuration information must be on the same network as the DHCP server.
  • Page 132: Configuring The Security Gateway To Allow DHCP Traffic

    This example shows three networks. The gateways between the networks are a third-party security gateway acting as a DHCP relay and a Symantec security gateway acting as a DHCP relay. Relayed requests from clients on the 10.5.5.0/24 subnet to the DHCP server on the 10.3.3.0/24 subnet result in responses addressed directly to the third-party gateway.
  • Page 133 To configure the DHCP relay proxy: After establishing a Telnet, SSH, or HyperTerminal connection to the security gateway, from the command line, navigate to /var/lib/sg, and then edit the dhcprelay.conf file. The following is an example of the default file: # Example configurations: # A standard example that enables DHCP and specifies 10.3.3.2 as # the DHCP server.
  • Page 134 Optionally, do one of the following: ■ To save your configuration now, and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. When prompted to save your changes, click Yes. ■ ...
  • Page 135: Allowing Multicast Traffic

    Establishing your network: Allowing multicast traffic. In the Rule Properties dialog box, on the General tab, do the following: Rule name: Type a name for this rule, such as Allow_multi_hop_DHCP. Caption: Type a brief description of the rule. Action: Click allow. Arriving through: Select the interface closest to the DHCP server.
  • Page 136: How The Security Gateway Handles Multicast Traffic

    How the security gateway handles multicast traffic: In Figure 5-8, the security gateway protects two networks that it connects to through network interfaces eth0 and eth2. Hosts 1, 2, and 3 are multicast hosts. If you decide that you want only the three hosts to communicate with each other, you need to enable multicast support on the network interfaces eth0 and eth2.
  • Page 137 To enable multicast support: ◆ From a HyperTerminal connection, edit the raptor.init file located in the /etc/init.d directory. Use the command /usr/raptor/bin/vpn set Callout/Multicast_Forwarding True. The example multicast interface in the raptor.init file below uses eth0 and eth2. Replace the interface ID numbers with the proper IDs specific to your configuration.
  • Page 138: About The Security Gateway's Implementation Of DNS

    Establishing your network: About the security gateway’s implementation of DNS. echo "usage: $0 {start|stop}" esac Save and close the file. Restart the appliance. Related information: For further information related to this topic, see the following: ■ “Allowing multicast traffic” on page 135 ...
  • Page 139 The security gateway designates interfaces as either inside or outside. In a caching implementation, internal interfaces respond to DNS recursive requests from all internal clients or servers. External interfaces do not respond to any queries they receive, as the security gateway is not authoritative for any domain, unless a recursion record is configured.
  • Page 140: Configuring A Caching Name Server With An Internal Name Server

    Configuring a caching name server with an internal name server: You can also configure a caching name server to work in conjunction with an internal name server, as shown in Figure 5-10.
  • Page 141 Figure 5-11 shows a network example where the security gateway is configured to be authoritative for symantecs.org. External requests for that specific domain are answered. Figure 5-11: Example network layout with an authoritative name server for symantecs.org. Use this method if you do not want to have another name server hosting your domain.
  • Page 142: Configuring An Authoritative Name Server With Delegation

    Example network layout of an authoritative name server with delegation. To create an authoritative name server with delegation, configure the following records on the internal DNS server, which in this case is represented by symantec.org: Authority record: “Defining an authoritative server with a DNS authority record”...
  • Page 143: Configuring Enclave DNS

    Before you set up the resource records for the security gateway DNS proxy, you need to understand some of the differences between RFC-defined DNS and the way Symantec has implemented it. While the security gateway’s DNS implementation and RFC-defined methodologies are similar, the way in which they store their information is different.
  • Page 144 ... Not supported. Stub: Not supported. Symantec does not support the use of third-party DNS servers running on the security gateway. The SGMI does not support the configuration of a third-party server. Third-party servers have not been tested with our security gateway.
  • Page 145: Configuring Resource Records For The Security Gateway

    Configuring resource records for the security gateway: After you understand how to set up your environment, you need to configure the appropriate resource records for your configuration. This section describes the following tasks: ■ Defining an authoritative server with a DNS authority record ...
  • Page 146 Pointing to an external name server with a DNS forwarder record: Generally, it is unnecessary to create forwarders on the security gateway. A forwarder record points to an external server that is used to redirect DNS requests. If you decide that you would prefer not to have the security gateway perform DNS lookups, but instead offload this work to another DNS server, configure a forwarder record.
  • Page 147 To identify a host in a domain with a DNS host record: In the SGMI, in the left pane, under Assets, click Network. In the right pane, on the DNS tab, click New > DNS Host Record. In the DNS Host Record Properties dialog box, on the General tab, do the following: Enable: To enable the DNS host record, check Enable.
  • Page 148 Caption: Type a brief description of the DNS record. On the Aliases tab, do the following: ■ In the Alias text box, type the alias name. ■ Click Add. On the Domains Served tab, you can configure the domains for which the mail server will provide service by doing the following: In the Domain text box, type the domain name.
  • Page 149 On the Aliases tab, do the following: ■ Type an alias name. ■ Click Add. On the Domains Served tab, to configure the sub-domains for which the name server will provide service, do the following: In the Domain text box, type the domain name.
  • Page 150 Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ...
  • Page 151 Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ...
  • Page 152 Related information: For further information related to this topic, see the following: ■ “DNS Subnet Record Properties—General tab” on page 682. Help to block spam or email forgery by configuring a DNS TXT record: DNS TXT resource records help prevent spam or email forgery by informing an email server of verifiable sender IP addresses.
  • Page 153: DNS Alternatives

    Click OK. Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ...
  • Page 154 Click OK. On the Service Groups tab, select the service group to which you want to add the dns_udp protocol, and then click Properties. In the Service Group Properties dialog box, on the Protocols tab, click Add. In the Select Protocols dialog box, under Search, in the drop-down list, click Starts with.
  • Page 155 ■ Network address translation is not an option when using this method, so you need routable addresses for your DNS servers. ■ Forwarding filters require network entities for both the internal (A) and external (B) hosts. Prerequisites: None.
  • Page 156 Prerequisites: None. To optimize the DNS proxy: In the SGMI, in the left pane, under Assets, click Proxies. In the right pane, on the Proxies tab, in the Proxies table, click DNS, and then click Properties. In the Proxy Properties: DNS dialog box, on the General tab, do the following: To enable the DNS proxy, click Enable.
  • Page 157: Enabling Reverse Lookups

    Enabling reverse lookups: When the security gateway’s secure proxies look up a host name for an IP address, it is referred to as a reverse lookup. The secure proxies perform reverse lookups to prevent untrusted sites from pretending to be associated with trusted host names.
  • Page 158 On the DNS tab, select the appropriate DNS entry, and then click Properties. In the DNS Properties dialog box, on the General tab, ensure that the Enable check box is checked. Related information: None.
  • Page 159: Defining Your Security Environment

    In previous versions of the security gateway, you were required to define these elements before you created the rule or filter that used them. In Symantec Gateway Security 5000 Series v3.0, you can create the required elements as you create the rule, filter, or tunnel; however, you may prefer to create...
  • Page 160: Defining Traffic Endpoints With Network Entities

    Defining your security environment: Defining traffic endpoints with network entities. When you define rules and filters, you specify the following: Network entities: The sources and destinations of traffic, such as internal and external hosts, subnets, and mail servers. Network interfaces: The security gateway interfaces through which the traffic passes.
  • Page 161 ■ An inside or outside host running a custom database application to which you must permit access, such as an authentication server ■ An internal or external computer that requires special privileges ...
  • Page 162: Defining A Network Or Subnet With A Subnet Entity

    ■ “Creating a packet filter” on page 290 ■ “Configuring tunnels” on page 385. Defining a network or subnet with a subnet entity: A subnet entity is a group of hosts defined by a network address and netmask. You typically use subnet entities to define whole networks, or subnetworks within a particular IP address range.
  • Page 163: Defining A Registered Domain With A Domain Name Network Entity

    ■ To specify the local endpoint in a Client VPN tunnel. ■ To specify the source or destination of traffic in an address transform. ■ To specify the real or NAT subnet in a NAT pool. ...
  • Page 164: Creating Security Gateway Network Entities For Use In Tunnels

    Click OK. Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ...
  • Page 165 ■ Domain name. Your address type selection determines the name of the field that follows the Address type drop-down list. Depending on what you chose from the Address type drop-down list, do one of the following: If you selected Interface: In the Interface drop-down list, select the interface of the security gateway.
  • Page 166: Creating A Network Entity Group For Rules That Apply To Multiple Entities

    “Configuring rules” on page 272 ■ “Creating a packet filter” on page 290 ■ “Authenticating tunnels using Entrust certificates” on page 402 ■ Creating a network entity group for rules that apply to multiple entities: A network entity group is a collection of other network entities, such as hosts, domains, and subnets.
  • Page 167: Defining An Entity And Security Gateway Pair With A Vpn Security Entity

    Related information. For further information related to this topic, see the following: “Network Entity Group Properties—General tab” on page 659 ■ “Network Entity Group Properties—Network Entity tab” on page 660 ■...
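As an added worked example (not from the guide and not the security gateway's own code), the following Python models how host, subnet and network entity group entities combine with a service group in a rule, and evaluates connections against a first-match rule set the way the Source, Destination and service fields of a rule are applied. The entity names Inside, Web-1, Admin and DMZ servers, the rule names, and the Web-1 and Admin addresses are constructed for illustration; ES-1 and the 192.168.10.x addresses follow the guide's email example, and the http, https and smtp ports are their standard assignments.

```python
import ipaddress
from dataclasses import dataclass

# --- Network entities: what a rule's Source and Destination refer to ---

@dataclass(frozen=True)
class Host:
    name: str
    address: str
    def contains(self, ip):
        return ipaddress.ip_address(ip) == ipaddress.ip_address(self.address)

@dataclass(frozen=True)
class Subnet:
    name: str
    network: str  # network address plus mask, e.g. "192.168.10.0/24"
    def contains(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network, strict=False)

@dataclass(frozen=True)
class Universe:
    name: str = "Universe"
    def contains(self, ip):
        return True  # the predefined any-address entity

@dataclass(frozen=True)
class EntityGroup:
    name: str
    members: tuple  # hosts, subnets, or other groups
    def contains(self, ip):
        return any(m.contains(ip) for m in self.members)

# --- Protocols and service groups: what a rule's service refers to ---

@dataclass(frozen=True)
class Protocol:
    name: str
    transport: str  # "tcp" or "udp"
    dst_low: int
    dst_high: int
    def matches(self, transport, port):
        return transport == self.transport and self.dst_low <= port <= self.dst_high

@dataclass(frozen=True)
class ServiceGroup:
    name: str
    protocols: tuple
    def matches(self, transport, port):
        return any(p.matches(transport, port) for p in self.protocols)

@dataclass(frozen=True)
class Rule:
    name: str
    source: object
    destination: object
    service: ServiceGroup
    action: str  # "allow" or "deny"

def evaluate(rules, src_ip, dst_ip, transport, dst_port):
    """First-match evaluation; anything no rule allows is denied."""
    for rule in rules:
        if (rule.source.contains(src_ip) and rule.destination.contains(dst_ip)
                and rule.service.matches(transport, dst_port)):
            return rule.action, rule.name
    return "deny", None

# Constructed sample policy (addresses follow the guide's 192.168.10.x example).
INSIDE = Subnet("Inside", "192.168.10.0/24")
MAIL_SERVER = Host("ES-1", "192.168.10.10")
WEB_SERVER = Host("Web-1", "192.168.10.20")          # constructed host
DMZ_SERVERS = EntityGroup("DMZ servers", (MAIL_SERVER, WEB_SERVER))
UNIVERSE = Universe()

HTTP = Protocol("http", "tcp", 80, 80)
HTTPS = Protocol("https", "tcp", 443, 443)
SMTP = Protocol("smtp", "tcp", 25, 25)
WEB = ServiceGroup("web", (HTTP, HTTPS))
MAIL = ServiceGroup("mail", (SMTP,))

RULES = (
    Rule("inside-to-internet-web", INSIDE, UNIVERSE, WEB, "allow"),
    Rule("internet-to-mail-server", UNIVERSE, MAIL_SERVER, MAIL, "allow"),
    Rule("admin-net-to-servers-web", Subnet("Admin", "192.168.20.0/24"), DMZ_SERVERS, WEB, "allow"),
)

if __name__ == "__main__":
    for pkt in (("192.168.10.150", "203.0.113.5", "tcp", 443),
                ("203.0.113.5", "192.168.10.10", "tcp", 25),
                ("203.0.113.5", "192.168.10.20", "tcp", 25)):
        print(pkt, "->", evaluate(RULES, *pkt))
```

The third sample connection (SMTP to Web-1 from the Internet) falls through every rule and is denied, which is the behaviour to expect from a gateway whose rule base only lists what is permitted.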
  • Page 168: Understanding How Protocols Affect Traffic

    11 Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save ■ To activate your configuration now, on the toolbar, click Activate ■...
  • Page 169: Using Protocols That Are Not Paired With Proxies

    Use the following table to identify protocols that are paired with proxies. Table 6-1 Supplied protocols with their associated application proxy (columns: Protocol name, Type, Port, Associated proxy; the Port column was not extracted): cifs, TCP-based, proxy CIFS; dns_tcp, TCP-based; dns_udp, UDP-based; ...
  • Page 170 Table 6-2 Supplied protocols with no associated application proxy (Continued; columns: Protocol name, Type, Port; ports below 1024 were not extracted): auth, TCP-based; bftp, TCP-based; [name not extracted], TCP-based; biff, TCP-based; biff_rev, TCP-based, 1024; chargen_tcp, TCP-based; chargen_udp, UDP-based; chargen_udp_rev, TCP-based, 1024; daytime_tcp, TCP-based; daytime_udp, ...
  • Page 171 Table 6-2 (Continued): IGMP, IP-based; imap, TCP-based; IPinIP, IP-based; IPIP, IP-based; irc_6665, TCP-based, 6665; irc_6666, TCP-based, 6666; irc_6667, TCP-based, 6667; irc_6668, TCP-based, 6668; ...
  • Page 172 Table 6-2 (Continued): netbios_138_tcp, TCP-based; netbios_139_udp, UDP-based; netbios_pm_135_tcp, TCP-based; netbios_pm_135_udp, UDP-based; netmeeting_audio_control, TCP-based, 1731; netstat, TCP-based; nfsd_tcp, TCP-based, 2049; nfsd_udp, UDP-based, 2049; nfsd_udp_rev, ...
  • Page 173: Viewing Reserved Ports

    Table 6-2 (Continued): sunrpc_tcp, TCP-based; sunrpc_udp, UDP-based; syslog, UDP-based; systat, TCP-based; t120, TCP-based, 1503; tacacs, TCP-based; [name not extracted], IP-based; tftp, UDP-based; tftp_1758, UDP-based, 1758; tftp_1758_tcp, ...
  • Page 174 Viewing port assignments for predefined protocols. View the port assignments for predefined protocols by using the following table. Table 6-3 Port assignments for protocols provided with the security gateway (columns: Destination Low Port, Protocol, Description; ports below 1024 and the Description column were not extracted): echo; ...
  • Page 175 Table 6-3 (Continued): auth; nntp; ntp_tcp; netbios; netbios; netbios; netbios; nbdgramd; netbios; netbios; cifs; netbios; netbios; imap; bftp; snmp; snmp; ...
  • Page 176 Table 6-3 (Continued): shell; syslog; printer; uucp; rtsp; pcserver; kerberos_749_tcp; kerberos_749_udp; kerberos_tcp; kerberos_udp; udp_encap; 1024 biff_rev; 1024 chargen_udp_rev; 1024 daytime_udp_rev; ...
  • Page 177 Table 6-3 (Continued): 1985 hsrp; 2049 nfsd_tcp; 2049 nfsd_udp; 2456 SGMI; 3633 ita_admin; 3634 ita_view; 4045 lockd_udp; 4045 lockd_tcp; 5051 ...
  • Page 178: Configuring Custom Protocols To Handle Data From Special Applications

    Viewing port usage for all protocols. The Protocols tab lists the predefined protocols included with the security gateway. It also lists custom protocols that you or other administrators create. You can display the destination and source ports used by these protocols. The default display includes a column that shows the destination low ports.
  • Page 179 This section describes the following tasks associated with custom protocols to handle data from special applications: Configuring IP-based protocols ■ Configuring TCP/UDP-based protocols ■ Configuring ICMP-based protocols ■ Enabling a new protocol to trigger IDS/IPS events ■...
  • Page 180 Caption: Type a brief description of the custom protocol. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box. Click OK. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save.
  • Page 181 Source port use: Select whether a port range or a single port will be used as the protocol’s source port. Source low port: If you selected to use a port range, type the port number at the lower end of the range of the protocol’s source ports.
  • Page 182 In the ICMP Based Protocol Properties dialog box, on the General tab, do the following: Protocol name: Type a unique name for the protocol. Message type: Type a number to represent the message type of the protocol. Use GSP: Check this option to enable the custom protocol to use the GSP proxy.
  • Page 183: About Service Groups

    Click OK. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save ■ To activate your configuration now, on the toolbar, click Activate ■ When prompted to save your changes, click Yes.
  • Page 184 On the Additional Parameters tab, you can add additional parameters that apply to this service group. The syntax of these parameters must be exact. You should consult Symantec technical support before you add additional parameters. Optionally, on the Description tab, type a more detailed description than you typed in the Caption...
  • Page 185: Using Service Groups To Customize Protocols For Rules

    10 Click OK. 11 Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save ■ To activate your configuration now, on the toolbar, click Activate ■...
  • Page 186 Table 6-5 Customizable protocols (Continued): SMTP. Configurable parameters include setting hard and soft recipient limits, enabling recipient and sender checks, specifying recipient domains, and enabling ESMTP (extended SMTP) and its extensions. See “Parameters for smtp—General tab” on page 735.
  • Page 187: Understanding Proxies

    ■ Understanding proxies. Symantec’s application proxies, also known as proxy daemons, provide full application inspection of security gateway traffic and help secure your network. Each proxy ensures that traffic it has examined is allowed through only if it complies with the protocol’s RFC specifications and has met all rule restrictions.
  • Page 188: Configuring A Gsp For Protocols Without Proxies

    You should use the GSP (generic service passer) protocol to increase traffic flow only when there is no predefined proxy to handle the traffic, or when security is not the main concern: the GSP carries the traffic through the gateway without the full application inspection that a dedicated proxy performs. Note: Custom or generic services include any service not supported by one of the Symantec application proxies.
  • Page 189: Configuring The Oracle Net9 Connection Manager Proxy

    Enable IP GSP: To enable the GSP proxy for use with IP-based custom protocols, check this option. Caption: Type a brief description of the GSP proxy. On the Reserved Services tab, to enable the use of reserved services, check Allow GSP to use telnet and FTP ports. Leave this unchecked unless you have a specific need: allowing the GSP on the Telnet and FTP ports lets traffic on those ports bypass the Telnet and FTP application proxies.
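The following Python, an added example rather than anything from the guide or the gateway, is a configuration check a practitioner could run over an export of custom protocol definitions before activating them: it flags any protocol marked Use GSP whose destination port range overlaps a port normally served by an application proxy (GSP traffic on such a port gets no application inspection), and it treats the FTP and Telnet ports as reserved unless the Reserved Services option is set. The CustomProtocol records, the PROXIED_PORTS table (standard port assignments, not the guide's Table 6-1), the 64-port width threshold, and the assumption that an unchecked Reserved Services option makes the GSP refuse those ports are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CustomProtocol:
    name: str
    transport: str   # "tcp" or "udp"
    dst_low: int     # destination port range, as on the TCP/UDP Based Protocol Properties tab
    dst_high: int
    use_gsp: bool    # "Use GSP" checked: the generic service passer carries the traffic

# Ports whose traffic the gateway normally hands to a dedicated application proxy.
# Constructed for this example from standard port assignments; the guide's
# Table 6-1 is the authoritative list of protocol/proxy pairings.
PROXIED_PORTS = {
    ("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 25): "smtp",
    ("tcp", 80): "http", ("tcp", 110): "pop3", ("tcp", 119): "nntp",
    ("udp", 123): "ntp", ("tcp", 443): "https",
}
RESERVED = {"ftp", "telnet"}   # the Reserved Services tab's "telnet and FTP ports"

def lint_custom_protocols(protocols, allow_gsp_reserved=False, max_range=64):
    """Return (severity, protocol name, message) for each GSP protocol that
    collides with a proxied port or spans an unusually wide port range."""
    findings = []
    for p in protocols:
        if not p.use_gsp:
            continue  # a proxied or non-GSP protocol is inspected; nothing to flag
        for (transport, port), proxy in sorted(PROXIED_PORTS.items()):
            if transport != p.transport or not (p.dst_low <= port <= p.dst_high):
                continue
            if proxy in RESERVED and not allow_gsp_reserved:
                # Assumption: with the option unchecked the GSP refuses these ports,
                # so the definition is a configuration error rather than a bypass.
                findings.append(("error", p.name,
                    f"{transport}/{port} is a reserved {proxy} port; GSP cannot use it "
                    "unless 'Allow GSP to use telnet and FTP ports' is checked"))
            else:
                findings.append(("high", p.name,
                    f"{transport}/{port} overlaps the {proxy} proxy; GSP traffic on it "
                    "gets no application inspection"))
        width = p.dst_high - p.dst_low + 1
        if width > max_range:
            findings.append(("medium", p.name,
                f"GSP range {p.dst_low}-{p.dst_high} spans {width} ports"))
    return findings

# Constructed sample definitions, as an administrator might have entered them.
CUSTOM_PROTOCOLS = [
    CustomProtocol("custom_db", "tcp", 7000, 7000, use_gsp=True),
    CustomProtocol("legacy_app", "tcp", 20, 25, use_gsp=True),
    CustomProtocol("bulk_udp", "udp", 30000, 31000, use_gsp=True),
    CustomProtocol("inspected_web", "tcp", 80, 80, use_gsp=False),
]

if __name__ == "__main__":
    for severity, name, message in lint_custom_protocols(CUSTOM_PROTOCOLS):
        print(f"[{severity}] {name}: {message}")
```

Run the check with allow_gsp_reserved=True to see how the same legacy_app definition changes from a configuration error into three inspection-bypass findings; that is the trade-off the Reserved Services option makes.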
  • Page 190 Before configuring this software, you need to prepare the security gateway to allow the Oracle Net9 Connection Manager Proxy to handle the communication. This process includes the following tasks: Opening the Oracle Net9 Connection Manager proxy port ■...
  • Page 191 For example, if the firewall interface is 192.168.1.1, you would enter: cman=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.1)(PORT=1630) (QUEUESIZE=3))) Optionally, for enhanced security, add a rule to the cman_rules list. This is especially important if the Oracle Net9 Connection Manager Proxy is asked to listen on the outside IP address.
  • Page 192: Controlling Full Application Inspection Of Traffic

    CONNECT_DATA = (SID = ORCL)) (SOURCE_ROUTE = YES) In this example: ORCL is the DB ID ■ firewall_interface_IP is the security gateway’s closest interface to the client ■ Oracle_Database_IP is the IP address of the Oracle database server on the outside network ■...
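As an added example (not from the guide and not from Oracle's tools), the following Python parses the nested-parenthesis TNS syntax used by both the cman entry on page 191 and a client tnsnames.ora descriptor, and checks that a client's descriptor really routes through the gateway: SOURCE_ROUTE must be YES and the first ADDRESS must be the gateway's Connection Manager listener on port 1630. The ORCL and ORCL_DIRECT descriptors, the database address 203.0.113.20 and the helper names are constructed for illustration; 192.168.1.1 and 1630 are the values from the guide's cman line, and 1521 is the standard Oracle listener port.

```python
def parse_groups(text):
    """Parse a run of '(KEY=VALUE)' groups in Oracle Net (TNS) syntax.
    Returns a list of (key, value); value is a string or a nested list of pairs."""
    pos, n = 0, len(text)

    def skip_ws():
        nonlocal pos
        while pos < n and text[pos].isspace():
            pos += 1

    def group():
        nonlocal pos
        skip_ws()
        if pos >= n or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":                  # nested groups until the matching ')'
            value = []
            while True:
                skip_ws()
                if text[pos] == ")":
                    pos += 1
                    return key, value
                value.append(group())
        end = text.index(")", pos)            # literal value
        value = text[pos:end].strip()
        pos = end + 1
        return key, value

    groups = []
    while True:
        skip_ws()
        if pos >= n:
            return groups
        groups.append(group())


def parse_entry(text):
    """Split 'NAME = (...)(...)' into (NAME, parsed groups)."""
    name, _, body = text.partition("=")
    return name.strip(), parse_groups(body)


def walk(groups):
    """Yield every (key, value) pair at any depth, in document order."""
    for key, value in groups:
        yield key, value
        if isinstance(value, list):
            yield from walk(value)


def addresses(groups):
    """Ordered ADDRESS hops as dicts, e.g. {'PROTOCOL': 'TCP', 'HOST': ..., 'PORT': ...}."""
    return [dict(v) for k, v in walk(groups) if k == "ADDRESS" and isinstance(v, list)]


def cman_listener(cman_text):
    """(host, port) that a cman entry tells the Connection Manager proxy to listen on."""
    _, groups = parse_entry(cman_text)
    first = addresses(groups)[0]
    return first["HOST"], int(first["PORT"])


def routes_via_gateway(tns_text, gateway_ip, cman_port=1630):
    """Check that a client descriptor source-routes through the gateway listener
    before reaching the database. Returns (ok, reason)."""
    _, groups = parse_entry(tns_text)
    hops = addresses(groups)
    if not hops:
        return False, "descriptor has no ADDRESS"
    if not any(k == "SOURCE_ROUTE" and str(v).upper() == "YES" for k, v in walk(groups)):
        return False, "SOURCE_ROUTE is not YES"
    first = hops[0]
    if first.get("HOST") != gateway_ip or int(first.get("PORT", 0)) != cman_port:
        return False, (f"first hop {first.get('HOST')}:{first.get('PORT')} is not the "
                       f"gateway listener {gateway_ip}:{cman_port}")
    return True, f"{len(hops)} hops, first via the gateway listener"


# The cman entry from the guide (gateway interface 192.168.1.1, listener port 1630).
CMAN_LINE = "cman=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.1)(PORT=1630) (QUEUESIZE=3)))"

# Constructed client descriptors: one source-routed through the gateway, one direct.
TNS_ENTRY = """ORCL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.1)(PORT = 1630))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 203.0.113.20)(PORT = 1521)))
    (CONNECT_DATA = (SID = ORCL))
    (SOURCE_ROUTE = YES))
"""
DIRECT_ENTRY = """ORCL_DIRECT =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 203.0.113.20)(PORT = 1521))
    (CONNECT_DATA = (SID = ORCL)))
"""
```

Without SOURCE_ROUTE=YES, multiple ADDRESS entries are failover alternatives rather than a path, so a client could connect straight to the database and skip the proxy; that is why the check refuses such descriptors even when the gateway appears first.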
  • Page 193 Examples of traffic that the CIFS proxy supports include: External users trying to access internal SMB servers from home or on the road to read mail, access databases, or access documents. For this type of access, you configure the security gateway to disable write access to the servers ■
  • Page 194 The CIFS proxy does not support UDP port 138 (NetBIOS datagram service). This service is used by some Microsoft applications, most notably NT Domain Controllers, to locate certain types of servers ■
  • Page 195 Click Apply. In the Network Protocol list box, click nbdgram. Click OK. 10 Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box. 11 In the Service Group Properties dialog box, click OK.
  • Page 196 Configuring additional CIFS and NBDGRAM features. The security gateway’s handling of CIFS and NBDGRAM traffic can be modified to suit your specific needs. This section lists the additional tasks available to further define how the security gateway supports CIFS and NBDGRAM.
  • Page 197 Prerequisites: Complete the following task before beginning this procedure: “Configuring access for CIFS and NBDGRAM traffic” on page 194 ■ To create trace files of CIFS connections: In the SGMI, in the left pane, under Assets, click Proxies. In the right pane, on the Proxies tab, click the CIFS proxy and then click Properties.
  • Page 198: Sending And Receiving Files

    Prerequisites: Complete the following task before beginning this procedure: “Configuring access for CIFS and NBDGRAM traffic” on page 194 ■ To enable mail slots filtering: In the SGMI, in the left pane, under Assets, click Proxies. In the right pane, on the Proxies tab, click the NBDGRAM proxy and then click Properties.
  • Page 199 Configure the security gateway to send and receive files. To configure the security gateway to send and receive files, you must do the following: Ensure that the FTP proxy is enabled ■...
  • Page 200 Service group: Select the service group containing the ftp protocol. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box. Click OK. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save.
  • Page 201 Related information. For related information, see the following: “Proxy Properties: FTP—General tab” on page 702 ■ Modifying the timeout period for inactive FTP connections. By default, FTP connections time out after an inactivity period of 900 seconds (15 minutes). If you find that connections are timing out too quickly for your environment, you can use this section’s procedure to increase the period of time that inactive connections stay open.
  • Page 202 Allow data connections to all ports ■ Block data connections to ports < 1024 is the most restrictive setting and is checked by default. Settings other than the default may allow attacks based on low reserved port numbers: because the client (PORT) or the server (PASV) names the address and port of each data connection, an unrestricted proxy can be made to open connections to privileged services such as SMTP on port 25 (the FTP bounce attack).
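As an added example (not from the guide and not the FTP proxy's own code), the following Python decodes the address and port carried in a client's PORT command or a server's 227 PASV reply and applies the default policy described above, rejecting data connections to ports below 1024. It also rejects a data-connection address that differs from the peer of the control connection, an additional anti-bounce check assumed for this example rather than one the guide describes. The sample commands, replies and addresses are constructed.

```python
import ipaddress

def parse_host_port(arg):
    """Decode the h1,h2,h3,h4,p1,p2 form used by the FTP PORT command
    and the 227 PASV reply into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected six comma-separated numbers")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each field must be 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]

def parse_pasv_reply(line):
    """Extract (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    start = line.index("(") + 1
    end = line.index(")", start)
    return parse_host_port(line[start:end])

def data_connection_allowed(target_ip, target_port, control_peer_ip, allow_all_ports=False):
    """Apply the FTP proxy data-connection policy.
    allow_all_ports=False is the guide's default ('Block data connections to ports < 1024').
    The control-peer comparison is an extra anti-bounce check assumed for this example."""
    if ipaddress.ip_address(target_ip) != ipaddress.ip_address(control_peer_ip):
        return False, (f"target {target_ip} is not the control-connection peer "
                       f"{control_peer_ip} (FTP bounce)")
    if not 1 <= target_port <= 65535:
        return False, f"port {target_port} out of range"
    if not allow_all_ports and target_port < 1024:
        return False, f"port {target_port} is a reserved low port"
    return True, "ok"

def check_port_command(arg, control_peer_ip, allow_all_ports=False):
    """Validate a client's PORT argument (active mode)."""
    ip, port = parse_host_port(arg)
    return data_connection_allowed(ip, port, control_peer_ip, allow_all_ports)

def check_pasv_reply(line, control_peer_ip, allow_all_ports=False):
    """Validate a server's 227 reply (passive mode)."""
    ip, port = parse_pasv_reply(line)
    return data_connection_allowed(ip, port, control_peer_ip, allow_all_ports)

if __name__ == "__main__":
    # Constructed samples: a client at 192.168.10.150, a server at 203.0.113.5.
    print(check_port_command("192,168,10,150,4,1", "192.168.10.150"))      # (True, 'ok')
    print(check_port_command("192,168,10,150,0,25", "192.168.10.150"))     # low port
    print(check_port_command("192,168,10,10,0,25", "192.168.10.150"))      # bounce
    print(check_pasv_reply("227 Entering Passive Mode (203,0,113,5,195,80)", "203.0.113.5"))
```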
  • Page 203: Controlling Internet-Based Data Communications

    Controlling Internet-based data communications. H.323 is an International Telecommunication Union (ITU) standard that supports the transmission of real-time video, audio, and data. The security gateway provides support for the H.323 protocol through the included H.323 application proxy.
  • Page 204 About direct access connections. The security gateway lets you reveal inside addresses to an outside server, giving the appearance of direct access. For outbound connections, direct access reveals information about your private network to people on the Internet, so enable it only where the application requires it.
  • Page 205 In the Service Group Properties dialog box, click OK. To create an allow rule for H.323: In the SGMI, in the left pane, under Policy, click Firewall. In the right pane, on the Rules tab, click New. In the Rule Properties dialog box, on the General tab, do the following: Rule name: Type a name for this rule.
  • Page 206 “Service Group Properties—General tab” on page 726 ■ “Rule Properties—General tab” on page 589 ■ “H.323 Alias Properties—General tab” on page 720 ■ Configuring additional H.323 features. You can modify the security gateway’s handling of H.323 traffic to suit your specific needs.
  • Page 207 To enable support for loose interface connections: In the SGMI, in the left pane, under Assets, click Proxies. In the right pane, on the Proxies tab, click the H.323 proxy, and then click Properties. In the Proxy Properties dialog box, on the Security tab, under the Available list box, select the interface on which you want to enable loose security, and then click the right-arrow >>...
  • Page 208: Controlling Web Traffic

    To enable socket linger: In the SGMI, in the left pane, under Assets, click Proxies. In the right pane, on the Proxies tab, click the H.323 proxy, and then click Properties. In the Proxy Properties dialog box, on the Miscellaneous tab, check Enable socket linger.
  • Page 209 How the security gateway controls Web traffic. The HTTP proxy operates as a non-caching proxy between Web clients and servers. The HTTP proxy supports all major features of HTTP 1.1, and also acts as a local Web server with its own document set. The server primarily fulfills requests for the security gateway’s home page and the icons used in the protocol converters, but you can place any files you want into the document area.
  • Page 210 WebDAV support. The HTTP proxy supports Web Distributed Authoring and Versioning (WebDAV). WebDAV is a set of additional HTTP methods and headers for distributed authoring of Web resources, which lets distributed source control applications be built using HTTP as the wire protocol. RFC 2518 defines the set of extensions to the HTTP protocol to support WebDAV. Because WebDAV methods (for example PROPFIND, MKCOL, COPY, MOVE and LOCK), together with PUT and DELETE, let a client change content on the server, permit them only to servers that are meant to accept authoring traffic.
  • Page 211 To create an HTTP service group: In the SGMI, in the left pane, under Assets, click Protocols. In the right pane, on the Service Groups tab, click New. In the Service Group Properties dialog box, on the General tab, in the Service Group name text box, type a name for this service group.
  • Page 212 Configuring additional Web features. The security gateway’s handling of HTTP traffic can be modified to suit your specific needs. This section presents an overview of the additional HTTP capabilities the security gateway supports, and the specific steps needed to configure those capabilities.
  • Page 213 Prerequisites: Complete the following task before beginning this procedure: “Configuring access for Web traffic” on page 210 ■ To enable an external Web proxy: In the SGMI, in the left pane, under Assets, click Proxies. In the right pane, on the Proxies tab, click the HTTP proxy, and then click Properties.
  • Page 214 Configuring the HTTP proxy to listen on additional ports for secure connections. By default, the HTTP proxy listens on port 443 for secure HTTP (HTTPS) connections. You can use the procedure in this section to configure the security gateway to listen on additional ports for these types of connections.
  • Page 215 Specifying the location of the icon directory. The HTTP proxy acts as a non-caching proxy between clients and servers. The HTTP proxy also acts as a local Web server with its own document set. The server primarily fulfills requests for the security gateway’s home page and the icons used in the FTP protocol converter.
  • Page 216: Controlling News Feeds

    Controlling news feeds. The Network News Transfer Protocol (NNTP) has existed since 1986, and NNTP news servers have long been the targets of attacks. Much of this is because the management of news servers has, until recently, been unauthenticated.
  • Page 217 In the Caption text box, type a brief description of the NNTP proxy. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box. Click OK.
  • Page 218 Related information. For further information related to this topic, see the following: “Proxy Properties: NNTP—General tab” on page 711 ■ “Rule Properties—General tab” on page 589 ■ Configuring additional NNTP features. The security gateway’s handling of NNTP traffic can be modified to suit your specific needs.
  • Page 219 Modifying the minimum visit time necessary to log statistics. You can control the frequency at which the NNTP proxy logs statistics events when users switch from one newsgroup to another. The user must stay in a newsgroup for at least the time defined by this procedure for the event to be logged.
  • Page 220 Logging warnings for NNTP connections that terminate without sending a QUIT message. NNTP clients normally issue a QUIT command when terminating a session. However, some NNTP clients are designed to behave differently and just terminate the connection without issuing a QUIT.
  • Page 221 Related information: None. Modifying the timeout period to keep inactive NNTP connections open. By default, NNTP connections time out after an inactivity period of 3600 seconds (60 minutes). If you find that connections are timing out too quickly for your environment, you can use this section’s procedure to increase the period of time that inactive connections stay open.
  • Page 222: Synchronizing Security Gateway Time

    Related information: None. Creating trace files of NNTP connections. When troubleshooting NNTP connections, you can configure the security gateway to create a separate log file for only NNTP connections. You may want to do this to track what is happening to NNTP packets as they pass through the security gateway, or simply to keep an audit trail of all NNTP connections.
  • Page 223: Supporting Unix Services

    To configure the security gateway to support time synchronization: In the SGMI, in the left pane, under Assets, click Proxies. In the right pane, in the Proxies table, click NTP, and then click Properties. In the Proxy Properties dialog box, on the General tab, to enable the NTP proxy, click Enable.
  • Page 224 In the Proxy Properties dialog box, on the General tab, to enable the RCMD proxy, check Enable. In the Caption text box, type a brief description of the RCMD proxy. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box.
  • Page 225: Handling Streaming Audio And Video

    Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save ■ To activate your configuration now, on the toolbar, click Activate ■...
  • Page 226 In the Proxy Properties dialog box, on the General tab, to enable the RTSP proxy, click Enable. In the Caption text box, type a brief description of the RTSP proxy. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box.
  • Page 227: Managing Electronic Mail

    Related information. For further information related to this topic, see the following: “Proxy Properties: RTSPD—General tab” on page 717 ■ “Rule Properties—General tab” on page 589 ■ Managing electronic mail. To address a wide range of potential email security issues, the security gateway offers two application proxies: one that monitors email sent to a mail server (SMTP) and one that monitors email retrieved from a server (POP3).
  • Page 228 For example, in the network shown in Figure 6-2, the security gateway protects the 192.168.10.x network segment. An email client is running on the host 192.168.10.150 (EC-1) and there is a corporate email server with IP address 192.168.10.10 (ES-1).
  • Page 229 The most common way to protect your network is to force all email retrieval requests to pass through the security gateway, as shown in Figure 6-3, instead of letting your employees connect directly to the external server.
  • Page 230 For POP3 traffic: In the right pane, in the Proxies table, click POP3, and then click Properties ■ In the Proxy Properties dialog box, on the General tab, to enable the POP3 proxy, check ■...
  • Page 231: Setting

    Destination: Do one of the following: If you are configuring this rule for outbound SMTP email, select the network to which email is allowed. This may be a defined subnet or, more commonly, the Universe entity ■
  • Page 232 Modifying the timeout period to keep inactive POP3 connections open. By default, POP3 connections time out after an inactivity period of 600 seconds (10 minutes). If you find that connections are timing out too quickly for your environment, you can use this section’s procedure to increase the period of time that inactive connections stay open.
  • Page 233 Modifying the SMTP greeting. At some point, you may decide that you want to modify the standard SMTP greeting. This task shows you where to look in the SGMI to modify the existing banner and set it to the banner of your choosing. This change takes effect immediately after saving and activating your configuration.
  • Page 234 Creating trace files of SMTP connections. When troubleshooting SMTP connections, you can configure the security gateway to create a separate log file for only SMTP connections. You may want to do this to track what is happening to SMTP packets as they pass through the security gateway, or simply to keep an audit trail of all SMTP connections.
  • Page 235 Related information: None. Configuring an external server to relay email. With the procedure in this section, you can designate an external mail server to handle electronic mail when your normal mail server is unavailable. This is only required if you experience problems with internal mail servers not properly handling mail exchange (MX) rollover.
  • Page 236: Enabling Remote Logon

    Related information: None. Enabling remote logon. The security gateway supports connections from remote hosts to internal resources through the Telnet protocol. Telnet is commonly used to connect to a remote host and execute commands on it as if the user were physically sitting at the host. Note that Telnet carries user names, passwords and session data in cleartext, so restrict the rule to the specific sources and destinations that need it, and add authentication to the rule where possible.
  • Page 237 Configure access for Telnet traffic. To configure the security gateway to allow Telnet connections, you must do the following: Ensure the Telnet proxy is enabled ■ Create a Telnet service group ■...
  • Page 238: Allowing Icmp Traffic

    Destination: Select the defined network entity to which Telnet traffic is destined. This can be a host network entity representing a specific machine or a subnet network entity representing your internal network. Leaving through: Select the connection point through which traffic leaves the security gateway.
  • Page 239 Configuring access for ICMP traffic. Configuring access for ICMP traffic lets users test the availability of hosts through the ping and traceroute commands. Prior to configuring ICMP access, you should determine what level of access is to be granted, and who should have that access.
  • Page 240 Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save ■ To activate your configuration now, on the toolbar, click Activate ■...
  • Page 241 Enabling support for traceroute. Traceroute has an option to specify a source route or to record the route taken. By default, the security gateway has these features turned off for security reasons, since they could disclose information about your inside networks.
  • Page 244: Limiting User Access

    Chapter Limiting user access This chapter includes the following topics: Understanding authentication ■ Configuring users for internal authentication ■ Configuring user groups for internal and external authentication ■ Authenticating with an external authentication server ■ Authenticating using Out-Of-Band Authentication (OOBA) ■...
  • Page 245: Creating A User Account On The Internal Server

    Note: With the 3.0 release, Bellcore S/Key and gwpassword are no longer supported authentication schemes. If you have upgraded from Symantec Gateway Security v2.0, see the upgrade section of the Symantec Gateway Security 5000 Series v3.0 Installation Guide for instructions.
  • Page 246: Creating An Ike-Enabled User

    Last name: Type the last name of the user. Caption: Type a brief description of the user. On the Authentication tab, do the following: Password: Type a password for the new user. Confirm Password: Type the user password again to confirm the password you entered in the Password text box.
  • Page 247 In the User Account Properties dialog box, on the VPN tab, do the following: IKE enabled: To make the user an IKE-enabled user, check IKE enabled. When this option is checked, the user can be used as the remote endpoint of a VPN tunnel.
  • Page 248: Ensuring That The Internal Server Is Enabled

    Related information. For further information related to this topic, see the following: “User Account Properties—VPN tab” on page 695 ■ “User Account Properties—Groups tab” on page 696 ■ “Adding authentication to rules” on page 276 ■...
  • Page 249: Configuring User Groups To Authenticate With The Internal Authentication Server

    You can create user groups for use with the security gateway’s internal authentication server and the external authentication servers you have configured: “Configuring user groups to authenticate with the internal authentication server” on page 248 ■...
  • Page 250 “Using the Remote Access Tunnel Wizard to create Client VPN tunnels” on page 389 ■ “Manually configuring a Client VPN tunnel” on page 394 ■ Configuring user groups to authenticate with an external authentication server. For external authentication servers, you create user groups to identify specific groups of users already created on the external servers.
  • Page 251: Creating An Ike User Group

    Limiting user access Configuring user groups for internal and external authentication “Using roles to assign rules to users” on page 424 ■ “Using the Remote Access Tunnel Wizard to create Client VPN tunnels” on page 389 ■ “Manually configuring a Client VPN tunnel” on page 394 ■...
  • Page 252: Importing Users And User Groups

    Symantec security gateway into an environment with a great deal of established user account information. If you upgrade from Symantec Clientless VPN Gateway v5.0 and have users and user groups defined in an LDIF file, you can import them during the upgrade process.
  • Page 253 Limiting user access Configuring user groups for internal and external authentication Creating the pkimpuser import file To import data correctly using the Import Users feature, you must store your user information in a file called pkimpuser in the following format: <username>...
  • Page 254: Authenticating With An External Authentication Server

    Limiting user access Authenticating with an external authentication server
    jondoe7 crypt onedayAtAtime QA Y {haq114021999} jondoe7 {paqo123uiui9uu9i}
    jondoe8 plaintext atmospherics!! principal Y {haq114021999} jondoe8 {paqo123uiui9uu9i}
    jondoe9 plaintext whattodo2435464 marketing Y {haq114021999} jondoe9 {paqo123uiui9uu9i}
    You can use any text editor to create this file. Once it is created and saved, go to that file, right-click it, and rename it without a file extension.
  • Page 255 Limiting user access Authenticating with an external authentication server PassGo Defender version 5 authentication ■ RSA SecurID authentication ■ When you create an authentication server, it is automatically reflected in the following security gateway configurations: As an available server when you create an authentication scheme ■...
  • Page 256 Limiting user access Authenticating with an external authentication server After defining the Active Directory authentication server, you can use it in the following ways: Identify the server to be used for authentication in an authentication scheme. ■ Use the server as the authentication server in a clientless VPN role. ■...
  • Page 257 Limiting user access Authenticating with an external authentication server On the Search Parameters tab, do the following: Base DN (search root) Type the Distinguished Name where searches of the LDAP hierarchy begin. Search filter Type the filter to use as the search criterion. User DN Check this button to enable the User DN attribute.
  • Page 258 Limiting user access Authenticating with an external authentication server Remote Authentication Dial-In User Service (RADIUS) authentication RADIUS is a UDP-based authentication method that the security gateway supports for FTP, Telnet, NNTP, and HTTP connections. Note: For static RADIUS user authentication, you must have user accounts already defined on the security gateway.
  • Page 259 As of the Symantec Gateway Security v3.0 release, PassGo Defender is now supported through RADIUS. Note: Due to the way that Defender works, the authentication exchange will fail the first time before a challenge is issued.
  • Page 260 Limiting user access Authenticating with an external authentication server Installing RSA SecurID software You must install RSA SecurID/Server software on a host on the inside (protected) network. After you install the software, you must configure it. Prerequisites None. To install RSA SecurID software Install the RSA SecurID/Server software on a host on the inside (protected) network, as described in the RSA SecurID/Server documentation.
  • Page 261: Configuring An Authentication Scheme

    Limiting user access Authenticating with an external authentication server In the SecurID Properties dialog box, on the General tab, do the following: Name Type a name for this authentication server. ACE Server Interface Select the interface on the security gateway that is connected to the network that connects to the RSA SecurID server.
  • Page 262: Adding An Authentication Scheme To A Rule

    Limiting user access Authenticating with an external authentication server Prerequisites None. To configure an authentication scheme In the SGMI, in the left pane, under Assets, click Authentication Servers. In the right pane, on the Schemes tab, click New. In the Scheme Properties dialog box, in the Scheme name text box, type a unique name for your new scheme.
  • Page 263: Authenticating Users On External Servers

    Limiting user access Authenticating with an external authentication server Prerequisites Complete the following task before beginning this procedure “Configuring an authentication scheme” on page 260 ■ To add an authentication scheme to an existing rule In the SGMI, in the left pane, under Policy, click Firewall. In the right pane, on the Rules tab, select the rule to which you want to add the authentication scheme, and click Properties.
  • Page 264 Limiting user access Authenticating with an external authentication server Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box. Click OK. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save. ■...
  • Page 265: Authenticating Using Out-Of-Band Authentication (Ooba)

    Limiting user access Authenticating using Out-Of-Band Authentication (OOBA) To have the security gateway receive the group information from a server, check Group Information. If you leave Group Information unchecked, group information is not passed to the security gateway and all users on the server are authenticated. Optionally, on the Description tab, type a more detailed description than you typed in the Caption text box.
  • Page 266: Configuring The Ooba Service

    Limiting user access Authenticating using Out-Of-Band Authentication (OOBA) Table 7-2 lists the authentication servers that are supported (or conditionally supported) on the security gateway when you are not using the OOBA authentication capability. To authenticate any proxies that are not listed among the supported types, or to authenticate those listed in the table without conditions, you must use OOBA through the OOBA daemon listed among the services in the SGMI.
  • Page 267: Adding Ooba Authentication To A Rule

    Limiting user access Authenticating using Out-Of-Band Authentication (OOBA) On the Advanced tab, do the following: Include client IP address for ticket verification: To include the IP address in the ticket information as well as the user name, check this option. Share Secret with other: To use a shared secret with more than one security gateway, check this option.
  • Page 268 Limiting user access Authenticating using Out-Of-Band Authentication (OOBA) To specify the users and groups to which OOBA authentication applies, add them to the appropriate included and excluded lists. Click OK. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save. ■...
  • Page 269 Limiting user access Authenticating using Out-Of-Band Authentication (OOBA)
  • Page 270: Controlling Traffic At The Security Gateway

    Your corporate security plan identifies the kinds of access you want to provide. If you do not have a security plan, see the Symantec Gateway Security 5000 Series v3.0 Installation Guide. The security gateway includes the following features that let you allow or deny traffic.
  • Page 271 The security gateway’s VPN functionality lets you create encrypted tunnels for gateway-to-gateway communication and remote access for users who have installed Symantec Client VPN on their computers. By adding a filter to a VPN policy, you can further control the traffic.
  • Page 272: Understanding And Using Rules

    Controlling traffic at the security gateway Understanding and using rules Configure authentication servers and schemes. See the following: “Authenticating with an external authentication server” on page 253 ■ Create and deploy intrusion detection and prevention “Blocking suspicious or malicious traffic with IDS”...
  • Page 273: Configuring Rules

    With Symantec Gateway Security 5000 Series v3.0, you can choose to define these objects prior to creating rules, or you can create objects that are referenced in the rule as you create it.
  • Page 274 Controlling traffic at the security gateway Understanding and using rules For tighter monitoring of security gateway traffic, you can specify alert thresholds to be used to ■ trigger notifications. To limit user access, you can add authentication schemes and specify the users that must use ■...
  • Page 275 Controlling traffic at the security gateway Understanding and using rules In the Rule Properties dialog box, on the General tab, do the following: Enable To enable the new rule, check Enable. Rule name Type a unique name for the rule. Number This read-only field displays the rule’s number, which is automatically generated when you save the rule.
  • Page 276 Controlling traffic at the security gateway Understanding and using rules “Adding authentication to rules” on page 276 ■ “Using content security checks with rules” on page 278 ■ “Using advanced service parameters for nonstandard services” on page 279 ■ Enforcing time-based access restrictions You can restrict when trusted users can gain access to your corporate resources.
  • Page 277 Controlling traffic at the security gateway Understanding and using rules To apply alert thresholds to rules In the SGMI, in the left pane, under Policy, click Firewall. In the right pane, on the Rules tab, highlight the rule to which you want to apply alert thresholds, and then click Properties.
  • Page 278 Controlling traffic at the security gateway Understanding and using rules In the Rule Properties dialog box, click the Authentication tab. To specify the authentication to be used with the rule, do one of the following: To use Out-of-Band authentication with the selected authentication scheme, check Use Out- ■...
  • Page 279 Controlling traffic at the security gateway Understanding and using rules Using content security checks with rules The security gateway includes content security features that you can use to add protection to rules that control mail (SMTP and POP3), HTTP, NNTP, and FTP traffic. Protection from destructive content (viruses), unwanted content (spam) and inappropriate content (Web pages) are all part of content security.
  • Page 280 Advanced Service tab. The syntax must be correct: contact Symantec Technical Support for the exact syntax required for the special rule service you are creating. Some examples are shown in the following procedure.
  • Page 281: Rule Examples

    Controlling traffic at the security gateway Understanding and using rules The following are examples of advanced services that can be used in rules: ping.preserve.ttl Passes traceroute through the security gateway. The rule must use the ping protocol. http.remove-header.server Removes the server information from HTTP response packets that are sent back through the security gateway.
  • Page 282 Controlling traffic at the security gateway Understanding and using rules You can use the Universe entity to write a rule that applies to anything. This procedure describes how to create a rule that allows a host to Telnet or FTP to any system, anywhere. Note: Generally, you should not establish Universe-to-Universe rules because they impose no restrictions on the source and destination of traffic through the security gateway.
  • Page 283 Controlling traffic at the security gateway Understanding and using rules Prerequisites Complete the following tasks before beginning this procedure: Create a subnet entity to represent the internal subnet ■ “Defining a network or subnet with a subnet entity” on page 162. Create a host entity to represent the public service ■...
  • Page 284 Controlling traffic at the security gateway Understanding and using rules Related information For further information related to this topic, see the following: “Rule Properties—General tab” on page 589. ■ Providing public access to a server on a service network You can give the general public access to an internal server you operate. For example, if you have an internal Web server that hosts your company’s Web site, you can make this service available to the general public without compromising your security.
  • Page 285: Configuring Http, Ftp, And Mail (Smtp And Pop3) Rules With The Firewall Rule Wizard

    Controlling traffic at the security gateway Understanding and using rules Under Select the protocols and settings to apply content filter scanning, do any of the following: To enable HTTP, check HTTP, and then check the HTTP restrictions you want to enable. ■...
  • Page 286 Controlling traffic at the security gateway Understanding and using rules Accept mail for the following list of domains (comma separated) To have the security gateway accept mail from other domains, check this option. Type the fully-qualified domain names of the domains from which you want to accept mail.
  • Page 287: Synchronizing

    Controlling traffic at the security gateway Understanding and using rules 10 If you selected the FTP option in step 4, in the FTP Options panel, check one or more of the following: Allow antivirus scanning To apply antivirus parameters to the FTP rules, check this option. Allow puts To allow FTP put operations, check this option.
  • Page 288: Controlling Traffic By Date And Time

    Controlling traffic at the security gateway Controlling traffic by date and time Controlling traffic by date and time When you create rules, you can restrict access to resources by a time period range or group of time periods. You can also specify time periods when you create notifications, to limit when an administrator is notified about security gateway behavior.
  • Page 289: Configuring A Time Period Group

    Controlling traffic at the security gateway Controlling traffic by date and time Under Date Range, in the From and Through drop-down lists, select the starting and ending months for the time range. In the Day and Year text boxes, you can type in the starting and ending day and year or use the buttons to increment and decrement them.
  • Page 290: Using Packet Filters To Allow Or Deny Traffic

    Controlling traffic at the security gateway Using packet filters to allow or deny traffic Click OK. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar click Save. ■ To activate your configuration now, on the toolbar click Activate. ■...
  • Page 291: Creating A Packet Filter

    Controlling traffic at the security gateway Using packet filters to allow or deny traffic Creating a packet filter The packet filters and packet filter groups you create specify an allow or a deny action and an ordered set of match criteria. The order of packet filter elements is important since the first match to any packet passing through the security gateway or the tunnel is the only one that applies.
  • Page 292: Understanding Packet Filter Groups

    Controlling traffic at the security gateway Using packet filters to allow or deny traffic Caption Type a brief description of the filter. On the Entry Directions tab, in the Available list box, select a protocol, and then click Add to move it to the Selected list.
  • Page 293: Applying Filters And Filter Groups

    Controlling traffic at the security gateway Using packet filters to allow or deny traffic To create packet filter groups In the SGMI, in the left pane, under Policy, click Firewall. In the right pane, on the Packet Filters tab, click New > Filter Group. In the Filter Group Properties dialog box, do the following: Filter Name Type a name for the filter group.
  • Page 294 Controlling traffic at the security gateway Using packet filters to allow or deny traffic Applying packet filters to a VPN tunnel When imposing a packet filter on a VPN tunnel, the entities that you create as endpoints do not have to be the same for both the packet filter and the tunnel.
  • Page 295 Controlling traffic at the security gateway Using packet filters to allow or deny traffic Prerequisites Complete the following tasks before beginning this procedure: “Creating a packet filter” on page 290 ■ “Creating packet filter groups” on page 291 ■ To apply packet filters to individual network interfaces In the SGMI, in the left pane, under Assets, click Network.
  • Page 296: Blocking Inappropriate Content With Content Filtering

    Controlling traffic at the security gateway Blocking inappropriate content with content filtering To use packet filters as forwarding filters In the SGMI, in the left pane, under Policy, click Policy Parameters. In the right pane, under Forward Filter, in the Packet filter drop-down list, select a packet filter to use as a forwarding filter.
  • Page 297: Content Filtering Processing Order

    Controlling traffic at the security gateway Blocking inappropriate content with content filtering Content filtering processing order The security gateway filters email for content in a specific sequence. If a content filtering scanning process in the sequence is not enabled, the security gateway moves to the next scanning process that is enabled.
  • Page 298 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Filtering by a specific URL The URL list lets you control access to certain URLs by specifying them and then setting the list to Allow (all URLs in the list are allowed) or Deny (all URLs in the list are denied). The security gateway uses this list of URLs when you apply URL restrictions to a rule that uses the HTTP protocol.
  • Page 299 Controlling traffic at the security gateway Blocking inappropriate content with content filtering To add URL filtering to a rule In the SGMI, in the left pane, under Policy, click Firewall. In the right pane, on the Rules tab, do one of the following: To add URL filtering to an existing rule, highlight the rule, and then double-click to display its ■...
  • Page 300 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Filtering by URL pattern matching URL pattern matching uses regular expression syntax to deny access to URLs based on patterns. URL pattern matching is enabled when you check the Apply URL pattern match restrictions option on the Content Filtering tab of a rule that contains HTTP.
  • Page 301 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Table 8-1 Supported regular expression symbols (Continued) Symbol Description Matches a non-word boundary. Matches a newline character. Matches any alphanumeric character, including the underscore (same as [A-Za-z0-9_]). Matches any non-word character (same as [^A-Za-z0-9_]). \<...
  • Page 302 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Filter on URL pattern matches To filter traffic based on URL pattern matches, you must do the following: Specify the URL patterns. ■ Create a rule and apply the URL pattern match restriction. ■...
  • Page 303 Controlling traffic at the security gateway Blocking inappropriate content with content filtering On the Content Filtering tab, ensure that the HTTP check box is checked. Under Select the protocols and settings to apply content filtering scanning, check Apply URL pattern match restrictions. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save.
  • Page 304 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Click OK. ■ To delete a MIME type from the Available list, highlight the entry, and then click Delete. To allow or deny the MIME types in the Selected list, below the list, select one of the following: Allow Permits users to download only the MIME types in the Selected list.
  • Page 305 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Related information For further information related to this topic, see the following: “Content Filtering—Advanced Restrictions tab” on page 646 ■ “Content Filtering Advanced Restrictions tab—MIME Type dialog box” on page 648 ■...
  • Page 306 Controlling traffic at the security gateway Blocking inappropriate content with content filtering To add file extension filtering to a rule In the SGMI, in the left pane, under Policy, click Firewall. In the right pane, on the Rules tab, do one of the following: To add file extension filtering to an existing rule, highlight the rule, and then double-click to ■...
  • Page 307: Filtering By Subject Matter

    Symantec has populated the predefined content categories with URLs that contain related subject matter. Symantec regularly updates the content categories. If you have subscribed to the list updates (that is, you have applied a Content Filtering Subscription license key), you can configure the security gateway to automatically download updated lists at specified intervals using Symantec LiveUpdate technology.
  • Page 308 Blocking inappropriate content with content filtering To have a URL considered for inclusion in a predefined content category, send the URL and the name of the list to which you think it should be assigned to filtering@symantec.com. Table 8-2 describes each predefined list and includes sample URLs that represent the list content.
  • Page 309 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Table 8-2 Predefined lists (Continued) List Description Real Estate Sites dedicated to providing information on buying and selling properties, property listings, commercial property listings, and real estate agents. Religion Sites dedicated to or describing one of the 12 classical world religions: Babi &...
  • Page 310 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Searching content categories for URL ratings You can search for a specific site in the content categories to determine which categories it is in. All of the categories that contain the URL are displayed. URL lookups against the predefined content categories recognize UTF-8–encoded URLs as well as Akamai-encoded URLs.
  • Page 311 Each of the predefined content categories has an associated DDR dictionary with related trigger words that has been populated by Symantec. When you select the content categories to deny, the security gateway assumes that the type of content associated with that list is not acceptable. The dictionary that is associated with that content category is activated for DDR scanning.
  • Page 312 DDR is enabled, and the caption that you create. Periodically, Symantec may create new predefined content categories to address additional content areas. If you subscribe to the list updates, these new lists are automatically downloaded along with the regular updates to existing lists.
  • Page 313 URLs that are added manually or that are modified are stored in a local database that is separate from the predefined URL content category database that is supplied by Symantec. When a URL request is made, both databases are parsed. Entries in both databases have the same level of precedence. If an entry exists in both databases, but is assigned to different categories in each, users are denied access to the URL if any of the categories are in the deny list.
  • Page 314 Controlling traffic at the security gateway Blocking inappropriate content with content filtering The security gateway looks for the most exact match when checking a URL against content category lists. Matches with allowed categories take precedence over categories that are denied. Based on the entry in a list, you can block or allow individual Web pages or entire directories, computers, or domains.
  • Page 315: Understanding Content Filtering And Newsgroups

    Controlling traffic at the security gateway Blocking inappropriate content with content filtering “Rating Modification Properties—General tab” on page 650 ■ “Rating Modification Properties—Description tab” on page 650 ■ “Searching content categories for URL ratings” on page 309 ■ Understanding content filtering and newsgroups Just as you can control the Web pages that can be viewed within your network, you can control the newsgroups that can be read.
  • Page 316 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Creating newsgroup profiles The second step in setting up content filtering for newsgroups is to configure a newsgroup profile. In the profile, you must use a predefined newsgroup, or configure your own before using it in the newsgroup profile.
  • Page 317: Adding Content Filtering Protection To A Rule

    Controlling traffic at the security gateway Blocking inappropriate content with content filtering Adding content filtering protection to a rule You can create or modify a rule to select the methods that you want to use to filter content. The more content filtering processes that you enable, the greater the demand on network and disk resources.
  • Page 318 Controlling traffic at the security gateway Blocking inappropriate content with content filtering Related information For further information related to this topic, see the following: “Rule Properties—Content Filtering tab” on page 599 ■ “Creating a content profile” on page 311 ■ “Filtering by a specific URL”...
  • Page 319 Controlling traffic at the security gateway Blocking inappropriate content with content filtering...
  • Page 320: Preventing Attacks

    Chapter Preventing attacks This chapter includes the following topics: About preventing attacks ■ Blocking suspicious or malicious traffic with IDS ■ Protecting your network resources from virus infections ■ Increasing productivity by identifying spam email ■ Making your network more secure by hiding addresses ■...
  • Page 321: About Ids/Ips Policies

    Preventing attacks Blocking suspicious or malicious traffic with IDS About intrusion detection and prevention The Internet exposes e-business resources to significant risks. Damage can include diminished customer confidence, intellectual property loss, legal liability, and time and money to recover from an attack.
  • Page 322: Creating Ids/Ips Policies

    Preventing attacks Blocking suspicious or malicious traffic with IDS each. For example, a High_Security policy indicates a high security level. Depending on the level of security you require and the situation in which you need to apply the policy, you can choose from or modify these pre-configured policies or create your own.
  • Page 323 Preventing attacks Blocking suspicious or malicious traffic with IDS Click OK. Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■...
  • Page 324 Preventing attacks Blocking suspicious or malicious traffic with IDS To apply IDS/IPS policies to VPN policies In the SGMI, in the left pane, under Policy, click VPN. In the right pane, on the VPN Policies tab, select a VPN policy, and then click Properties. In the VPN policy properties dialog box, on the General tab, in the IDS/IPS policy name drop-down list, select a pre-configured or customized policy.
  • Page 325 Preventing attacks Blocking suspicious or malicious traffic with IDS Prerequisites None. To apply IDS/IPS policies to forward filters In the SGMI, in the left pane, under Policy, click Policy Parameters. In the right pane, under Forward Filter, in the Packet filter drop-down list, select a packet filter. In the IDS/IPS policy drop-down list, select a pre-configured or customized policy.
  • Page 326 Preventing attacks Blocking suspicious or malicious traffic with IDS Optionally, do one of the following: To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■ When prompted to save your changes, click Yes.
  • Page 327: Managing Intrusion Events

    Preventing attacks Blocking suspicious or malicious traffic with IDS Managing intrusion events The security gateway displays detailed information about possible attacks in the form of intrusion events. An intrusion event is a significant security occurrence that appears to exploit a vulnerability of the system or application.
  • Page 328 Preventing attacks Blocking suspicious or malicious traffic with IDS You can view additional intrusion event details in the IDS Event Type Properties dialog box. This includes the information viewable from the table, as well as a description of the vulnerability that the signature is designed to protect against.
  • Page 329 Preventing attacks Blocking suspicious or malicious traffic with IDS Viewing intrusion events in the tree format In the tree format, events are displayed in a hierarchy, showing the severity levels for the selected policy group. From the severity levels, you can expand down to show the IDS/IPS services and then the individual intrusion events.
  • Page 330 Preventing attacks Blocking suspicious or malicious traffic with IDS Related information For further information related to this topic, see the following: “IDS Event Type Properties dialog box—General tab” on page 643 ■ Modifying event log and block settings An intrusion signature has a number of properties such as severity, reliability, and description. You can only modify the log and block settings.
  • Page 331 Preventing attacks Blocking suspicious or malicious traffic with IDS To modify event settings from the properties dialog box In the SGMI, in the left pane, under Policy, click IDS/IPS. In the right pane, on the Configuration tab, next to view, click Table. In the Policy name drop-down list, select an IDS/IPS policy.
  • Page 332: Managing Portmap Settings

    Preventing attacks Blocking suspicious or malicious traffic with IDS To enable logging of all events for a service level, check the service level name. ■ For example, to log all critical TCP events, expand the Critical folder, and then check TCP. To enable logging of individual intrusion events, check the intrusion event name.
  • Page 333 Preventing attacks Blocking suspicious or malicious traffic with IDS For example, you decide to apply an IDS/IPS service to listen for incoming traffic on port 80. Since port 80 is used for HTTP traffic, you enable the HTTP service that includes the http protocol. You receive incoming traffic on port 80 in the form of HTTP protocol traffic.
  • Page 334: Protecting Your Network Resources From Virus Infections

    LiveUpdate, and to detect polymorphic viruses. If you would like to know whether the security gateway or any other Symantec product protects against a specific virus, visit the Symantec Security Response™ Web site at: http://securityresponse.symantec.com...
  • Page 335 Preventing attacks Protecting your network resources from virus infections The following topics describe ways you can use the antivirus component of the security gateway to protect your environment from threats: “Preventing denial of service attacks” on page 335 ■ “Blocking files that cannot be scanned” on page 336 ■...
  • Page 336: Subject Pattern Matching

    Protecting your network resources from virus infections Keeping your antivirus protection up-to-date You can update your antivirus definitions through Symantec LiveUpdate technology. LiveUpdate ensures that your antivirus protection remains current. After the 30-day grace period, you must have a valid antivirus and antispam subscription license to use the antivirus scanning feature.
  • Page 337: Blocking Files That Cannot Be Scanned

    Preventing attacks Protecting your network resources from virus infections To prevent denial of service attacks In the SGMI, in the left pane, under Policy, click Antivirus. On the Configuration tab, under File Extraction Limits, do the following: Maximum time (in ...): To set a limit for maximum time, check this option.
  • Page 338: Optimizing Scanning Resources

    Preventing attacks Protecting your network resources from virus infections You can choose whether to block, allow, or delete encrypted containers. Note: Because email handled by the POP3 protocol has already arrived at the user’s mailbox, the security gateway cannot block it even when you configure the SGMI to block malformed containers. These messages are permitted to pass through and the incident is logged.
  • Page 339 Preventing attacks Protecting your network resources from virus infections Blocking mail that exceeds a maximum size You can filter mail based on the file size by specifying a maximum size for messages. The maximum size includes the message and all attachments. Messages that exceed the maximum size are rejected. Prerequisites None.
  • Page 340 Preventing attacks Protecting your network resources from virus infections To scan all files regardless of extension In the SGMI, in the left pane, under Policy, click Antivirus. In the right pane, on the Configuration tab, select one of the following protocol subtabs: SMTP ■...
  • Page 341: Avoiding Potential Session Time-Out Errors

    Preventing attacks Protecting your network resources from virus infections Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. When prompted to save your changes, click Yes.
  • Page 342 The data that is trickled to the user may contain portions of a virus. Note: If you enable data comforting, you should install an antivirus program such as Symantec AntiVirus Corporate Edition that provides real-time virus scanning. If the trickled data is infected,...
  • Page 343: Blocking Mail Attachments That Are Known Threats

    Preventing attacks Protecting your network resources from virus infections ■ For FTP and HTTP downloads that use optimizers, when a broken connection is detected, the optimizer resumes the download from the point at which the disconnection occurred. This results in downloading the remainder of the file and possibly reconstructing an infected file. The user receives no notification that the trickled data file is incomplete or infected.
  • Page 344 Preventing attacks Protecting your network resources from virus infections Related information For further information related to this topic, see the following: ■ “Antivirus Mail Attachment Restrictions tab—Restricted Mail Attachment Filename dialog box” on page 634 ■ “Adding antivirus protection to a rule” on page 347...
  • Page 345: Responding To Virus Detections

    Preventing attacks Protecting your network resources from virus infections Responding to virus detections You can specify how you want the security gateway to respond to virus detections for the SMTP, POP3, HTTP, and FTP protocols. Depending on the protocol and the response option that you choose, you can also notify the user when a virus has been detected and what action the security gateway has taken with the infected file.
  • Page 346 Preventing attacks Protecting your network resources from virus infections Sample message headers: X-Virus:1 / Message-ID: <34222396612167.52632qmailV06.58@<ISP address> / MIME-Version: 1.0 / Content-Type: multipart/mixed; Table 9-2, x-virus header definitions, lists the x-virus header values and their definitions: content cannot be scanned (for example, due to a container violation); no viruses were detected in the email; a virus was detected in the email.
  • Page 347 Preventing attacks Protecting your network resources from virus infections For customizable messages, you can use the language of your choice, including internationalized characters. However, internationalized characters might not correctly display in the email, depending on the encoding of the email body. Ensure that you enable the Substitute for infected file setting in the appropriate firewall rule.
  • Page 348: Adding Antivirus Protection To A Rule

    Preventing attacks Protecting your network resources from virus infections To repair or delete infected files In the SGMI, in the left pane, under Policy, click Antivirus. In the right pane, on the Response tab, in the drop-down list for the protocol that you want to configure, select Repair or delete.
  • Page 349 Preventing attacks Protecting your network resources from virus infections Prerequisites None. To add antivirus protection to a rule In the SGMI, in the left pane, under Policy, click Firewall. In the right pane, on the Rules tab, highlight the rule to which you want to add antivirus protection, and then click Properties.
  • Page 350: Troubleshooting Antivirus Protection

    Preventing attacks Increasing productivity by identifying spam email Troubleshooting antivirus protection By configuring the antivirus feature of the security gateway, you have fine-grained control over the email attachments and files that come through your security gateway; however, the combination of the different scanning mechanisms can inadvertently block content you really need to receive.
  • Page 351: About The Antispam Scanning Process

    Preventing attacks Increasing productivity by identifying spam email About the antispam scanning process The security gateway scans email in a specific sequence to detect spam. If a scanning process in the sequence is not enabled, the security gateway skips that process and moves to the next scanning process that is enabled.
  • Page 352: Identifying Spam Email

    Preventing attacks Increasing productivity by identifying spam email Table 9-4 Antispam scanning sequence (Continued) Order Scanning process Description Subject patterns identified as spam: The subject line content is matched against the Subject patterns identified as spam list. If there is a match or no subject line content, the email is handled based on the settings that you configure.
  • Page 353 Preventing attacks Increasing productivity by identifying spam email ■ “Identifying spam using subject pattern matching” on page 355 Blocking spam using real-time blacklists The most common way to prevent spam is to reject email that comes from mail servers known or believed to send spam.
  • Page 354 Preventing attacks Increasing productivity by identifying spam email Identifying spam using heuristic antispam scanning The heuristic antispam engine performs an analysis of the entire incoming email message, looking for key characteristics of spam. It weighs its findings against key characteristics of legitimate email and assigns a spam score (1-100) to show how certain it is that the message is spam.
  • Page 355 Preventing attacks Increasing productivity by identifying spam email Related information For further information related to this topic, see the following: ■ “Configuring and running LiveUpdate” on page 79 ■ “Adding antispam protection to a rule” on page 358 ■ “Understanding and using licenses” on page 86...
  • Page 356 Preventing attacks Increasing productivity by identifying spam email On the Response tab, under Email senders identified as spam (SMTP only), select one of the following: ■ Block the mail message ■ No response Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save...
  • Page 357: Reducing False Positives

    Preventing attacks Increasing productivity by identifying spam email To apply these settings, create a rule and, on the Antispam tab, check Subject pattern matching. Related information For further information related to this topic, see the following: ■ “Adding antispam protection to a rule” on page 358...
  • Page 358 Preventing attacks Increasing productivity by identifying spam email Related information For further information related to this topic, see the following: ■ “Adding antispam protection to a rule” on page 358 ■ “Understanding and using licenses” on page 86 Reducing false positives using a custom allow list You can create a custom list of addresses or domains that are permitted to bypass the Email senders identified as spam list, the subject patterns identified as spam list, and heuristic scanning.
  • Page 359: Adding Antispam Protection To A Rule

    Preventing attacks Increasing productivity by identifying spam email Adding antispam protection to a rule You can create or modify an email rule to select the methods that you want to use to identify spam. You can configure these options separately for SMTP and POP3 on a rule-by-rule basis. Configure the spam detection settings, and then create a rule that enables the spam detection methods that you want to use.
  • Page 360: Making Your Network More Secure By Hiding Addresses

    Preventing attacks Making your network more secure by hiding addresses Making your network more secure by hiding addresses The use of address transforms, network address translation (NAT) pools, redirected services, and creating virtual clients can make your network more secure. Use an address transform when you want to replace client source addresses.
  • Page 361 Preventing attacks Making your network more secure by hiding addresses Configuring address transforms When you configure an address transform, you select one of three options: ■ Use Original Source Address ■ Use Gateway Address ■ Use NAT Pool The Use original source address option is for connections to allow an entity behind the security gateway to view the source address of the connecting client on the outside of the security gateway.
  • Page 362: Mapping Addresses With Nat Pools

    Preventing attacks Making your network more secure by hiding addresses Arriving through: In the Arriving through drop-down list, select the interface or secure tunnel that the client is using to access the designated address. Source: In the Source drop-down list, select among the available network entities for the entity that is the client or real address for a connection.
  • Page 363 If you are using NAT pool addressing with Symantec Client VPN tunnels, you must check the Pass Traffic to Proxies check box on the General tab of the VPN policy you are using. You must also configure address transforms.
  • Page 364 Preventing attacks Making your network more secure by hiding addresses Configuring NAT Pools You can configure either a static or dynamic NAT pool. To configure a static NAT pool In the SGMI, in the left pane, under Assets, click Network. In the right pane, on the NAT Pools tab, click New >...
  • Page 365: Redirecting Connections To Unpublished Addresses With Service Redirections

    Preventing attacks Making your network more secure by hiding addresses ■ “Dynamic NAT Pool Properties—General tab” on page 670 ■ “Dynamic NAT Pool Properties—Description tab” on page 671 ■ “Static NAT Pool Properties—General tab” on page 671 ■ “Static NAT Pool Properties—Description tab” on page 672...
  • Page 366 Preventing attacks Making your network more secure by hiding addresses To configure a redirected service In the SGMI, in the left pane, under Assets, click Network. In the right pane, on the Redirected Services tab, click New. In the Redirected Services Properties dialog box, on the General tab, do the following: Enable: To enable a redirected service, check Enable.
  • Page 367: Creating Virtual Clients By Using Nat Pools And Address Transforms

    Preventing attacks Making your network more secure by hiding addresses Creating virtual clients by using NAT pools and address transforms You can use NAT pools and address transforms to create virtual clients. A virtual client is used to describe a configuration that uses a virtual address in place of the real address of the host initiating the connection.
  • Page 368 Preventing attacks Making your network more secure by hiding addresses Prerequisites None. To configure a static NAT pool for a virtual client In the SGMI, in the left pane, under Assets, click Network. In the right pane, on the NAT Pools tab, click New > Static NAT Pool. In the Static NAT Pool Properties dialog box, on the General tab, do the following: NAT Pool Name Type a name for the NAT pool.
  • Page 369: Enabling Protection For Logical Network Interfaces

    Preventing attacks Enabling protection for logical network interfaces Optionally, do one of the following: ■ To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. When prompted to save your changes, click Yes. Related information For further information related to this topic, see the following: “Static NAT Pool Properties—General tab”...
  • Page 370: Enabling Syn Flood Protection

    Preventing attacks Enabling protection for logical network interfaces To configure protection against port scan detections In the SGMI, in the left pane, under Assets, click Network. In the right pane, on the Network Interfaces tab, select the network interface on which you want to enable protection, and then click Properties.
  • Page 371: Enabling Spoof Protection

    Preventing attacks Enabling protection for logical network interfaces Prerequisites None. To configure SYN flood protection In the SGMI, in the left pane, under Assets, click Network. In the right pane, on the Network Interfaces tab, select the network interface on which you want to enable protection, and then click Properties.
  • Page 372 Preventing attacks Enabling protection for logical network interfaces Configuring protection against IP address spoofing Spoof protection is one of the many options that you can configure on network interfaces. To configure spoof protection, you need to know what network ranges you want to allow. Consider your current security gateway network and routing configurations to ensure that you are not cutting off access for a network that you should allow.
  • Page 374: Providing Remote Access Using Vpn Tunnels

    ■ Create network entities to serve as tunnel interfaces (security gateway entities) and tunnel endpoints (host, group, or subnet entities). ■ Create IKE-enabled users and groups to serve as remote Symantec Client VPN or clientless VPN users and groups. ■ Create, modify, or select a VPN policy to govern the encryption and authentication of traffic within...
  • Page 375: Understanding Gateway-To-Gateway Tunnels

    When Symantec Client VPN begins to negotiate a VPN tunnel with the security gateway, it does so in Aggressive mode. The security gateway responds to this negotiation. Client VPN tunnels are always...
  • Page 376: Tunnel Endpoints

    Tunnels also support users and user groups to define who may use the tunnel. Users and user groups are most commonly used with Symantec Client VPN tunnels. Note: You cannot select domain entities to be an endpoint of a secure tunnel. All tunnel endpoints must...
  • Page 377: Tunnel Indexes

    The security gateway uses tunnel indexes, also called security parameter indexes (SPIs), to handle VPN packets it receives from another security gateway or Symantec Client VPN. The index is a number agreed upon by each encryption device, and is unique for each destination address. The receiving security gateway uses the index to get the pointer to the packet’s security characteristics.
  • Page 378: Tunnel Security

    Providing remote access using VPN tunnels About VPN tunnels Tunnel security VPN tunnels pass data through the security gateway without any additional security checks. You can modify this default behavior so that VPN packets are subject to the same scrutiny as other traffic. You can subject tunnel traffic to authorization rules, input and output filters, and application proxies.
  • Page 379: Understanding Vpn Policies

    Figure 10-3 and Figure 10-4 represent gateway-to-gateway VPN tunnels. Client VPN tunnels have Symantec Client VPN users as one endpoint. Understanding VPN policies Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work on a global level. Rather than configuring the components present in these policies for every tunnel you create, you can configure general policies and then later apply them to your secure tunnels.
  • Page 380: Understanding Tunnel Negotiation

    Providing remote access using VPN tunnels Understanding VPN policies ■ Encapsulation Security Payloads (ESP) provide confidentiality to IP datagrams as well as the ability to authenticate data. ■ Security Parameter Indices (SPI) are part of, and defined by, the AH and ESP. The SPIs are included...
  • Page 381: Creating Custom Vpn Policies

    Providing remote access using VPN tunnels Understanding VPN policies ■ static_default_crypto (IPsec/static with DES, MD5) ■ static_default_crypto_strong (IPsec/static with Triple DES, SHA1) ■ static_aes_crypto_strong (IPsec/static with AES 32-byte key, SHA1) To use one of the pre-configured VPN policies, when running one of the VPN wizards or creating tunnels manually, select the VPN policy from the VPN Policy drop-down list.
  • Page 382 Providing remote access using VPN tunnels Understanding VPN policies In the IPsec IKE policy Properties dialog box, on the General tab, do the following: Name Type a unique name for the VPN policy. Caption Type a brief description of the VPN policy. Filter applied In the Filter applied drop-down list, select whether you want a filter applied as part of the VPN policy.
  • Page 383: Creating A Vpn Policy For Ipsec With Static Key

    Providing remote access using VPN tunnels Understanding VPN policies On the Data Compression Preference tab, in the Available list box, select a data compression preference, and then click the right-arrow >> button to move it to the Selected list box. Supported types are: ■ LZS (compresses data by replacing redundant strings with abbreviated tokens)...
  • Page 384 Providing remote access using VPN tunnels Understanding VPN policies In the right pane, on the VPN Policies tab, click New > IPsec static key policy. In the IPsec static key policy Properties dialog box, on the General tab, do the following: Policy Name Type a unique name for the VPN policy.
  • Page 385: Viewing Or Modifying The Global Ike Policy

    Providing remote access using VPN tunnels Understanding VPN policies Related information For further information related to this topic, see the following: ■ “IPsec static key policy Properties—General tab” on page 614 ■ “IPsec static key policy Properties—Data Integrity Preferences tab” on page 617...
  • Page 386: Configuring Tunnels

    ...Tunnel Wizard: ...security gateway. Remote Access Tunnel Wizard: To build a tunnel between your security gateway and a host using Symantec’s Client VPN, Symantec Clientless VPN, or other IPsec-based VPN client. You can start the wizards from the Tools menu or from the home page of the SGMI.
  • Page 387 Providing remote access using VPN tunnels Configuring tunnels Click Next. In the Local Security Gateway panel, to specify the local security gateway, do one of the following: ■ To use an existing network entity, click Use existing network entity. ■ To create a new network entity, click Create new network entity...
  • Page 388 Providing remote access using VPN tunnels Configuring tunnels In the Local Endpoint panel, to specify the network entity that serves as the local endpoint of the gateway-to-gateway tunnel, do one of the following: ■ To use an existing network entity, click Use existing network entity, select it from the drop-...
  • Page 389 Providing remote access using VPN tunnels Configuring tunnels IP address: Type the IP address or fully-qualified domain name of the network entity. Authentication method: Do one of the following: ■ To use certificates to authenticate, click Certificates. ■ To use a shared secret to authenticate, click Shared secret...
  • Page 390: Using The Remote Access Tunnel Wizard To Create Client Vpn Tunnels

    You can use the Remote Access Tunnel Wizard to construct VPN tunnels that are IKE-enabled between the local security gateway and remote client computers running Symantec Client VPN. Note: You can also use the Remote Access Tunnel Wizard to create Symantec Clientless VPN connections.
  • Page 391 Providing remote access using VPN tunnels Configuring tunnels Click Next. In the Local Security Gateway panel, do one of the following: ■ To use an existing local security gateway network entity, click Use existing network entity, select the local security gateway network entity from the drop-down list, and then skip to step ■ To create a new local security gateway network entity, click Create new network entity.
  • Page 392 Providing remote access using VPN tunnels Configuring tunnels For a Subnet network entity: ■ In the Name text box, type a name for the new endpoint. ■ In the Subnet IP address, type the IP address or fully-qualified domain name of...
  • Page 393: Creating Tunnels Manually

    If your remote tunnel endpoint is a Symantec Client VPN that uses a mobile entity (user or user group), then you only have to select that entity in the Remote Endpoint drop-down list for that end of the tunnel.
  • Page 394 Providing remote access using VPN tunnels Configuring tunnels Manually configuring a gateway-to-gateway VPN tunnel Gateway-to-gateway VPN tunnels using IPsec with IKE are used as tunnels between two IPsec- compliant security gateways. For each gateway-to-gateway tunnel you create, you must configure a security gateway and network entity local to your site, as well as a security gateway and network entity at the remote end of the tunnel.
  • Page 395 Symantec Client VPN. If your remote tunnel endpoint is a Symantec Client VPN user, then you must configure a VPN security network entity to serve as the remote endpoint of the tunnel. VPN security network entities serve as both the network entity and security gateway for the remote end of the VPN tunnel.
  • Page 396 ■ To specify how traffic arrives or leaves the security gateway, by including it in a rule. ■ To specify how traffic arrives at the security gateway, by including it in an address transform. ■ To simplify configuration for remote Symantec Client VPN users, by creating a Client VPN package. Related information For further information related to this topic, see the following: “Client VPN tunnel Properties—General tab”...
  • Page 397 Providing remote access using VPN tunnels Configuring tunnels On the Keys tab, do the following: Generate Keys If you have chosen to use a data integrity preference in your VPN policy, click Generate Keys. The appropriate key fields are available according to your VPN policy selection. It is strongly recommended that you use the Generate Keys button rather than creating your own keys.
  • Page 398: Ensuring Compliance Of Remote Client Vpn Computers

    Client Firewall: Check this option to require client computers to have Symantec Client Firewall installed and enabled. If the Symantec Client Firewall has just been turned on, the security gateway may not recognize it immediately. Require auto-protect: Check this option to require that clients have the antivirus auto-protect feature enabled.
  • Page 399: Applying Client Compliance To User Groups

    Providing remote access using VPN tunnels Ensuring compliance of remote Client VPN computers User name: Type the user name for antivirus server access, if required. Password: Type the password for antivirus server access, if required. Allow access to antivirus and/or...: Check this option to allow antivirus server and LiveUpdate server access to non-compliant clients.
  • Page 400: Simplifying Multiple Client Vpn Computer Configuration

    None. Simplifying multiple Client VPN computer configuration Security administrators may have hundreds of Symantec Client VPN users to administer. The concept of a Client VPN package simplifies the configuration of multiple Symantec Client VPN computers. Configuring the remote side (user’s computer) is normally performed by the user. To simplify setup for the user, the security gateway supports a feature called a Client VPN package.
  • Page 401: Delivering Client Vpn Packages To Users

    How the Client VPN package is processed on the Symantec Client VPN When the Symantec Client VPN starts, it looks for new Client VPN packages. If the client finds a new package, the user is asked if they want to load it. If the user clicks Yes, the package is processed. If a password is required, the Symantec Client VPN user is prompted to enter it.
  • Page 402: Importing Client Vpn Information

    Phase 1 ID based on the time of the package. This ensures that all Phase 1 IDs are unique for each gateway. When a package is loaded by the Symantec Client VPN, it is logged to the client log file. Any errors are also logged.
  • Page 403: Authenticating Tunnels Using Entrust Certificates

    Providing remote access using VPN tunnels Authenticating tunnels using Entrust certificates Table 10-2 pkimpvpn file format (Continued) (columns: Field, Field name, Example, Description) global_ike_policy (example: global_ike_policy): Global IKE policy. Spaces are not permitted in the name. local_entity (example: engineering_subnet): Name of the local endpoint for the secure tunnel. This must be a host, subnet, or group entity.
  • Page 404: Multicast Traffic Through Gateway-To-Gateway Ipsec Tunnels

    Providing remote access using VPN tunnels Multicast traffic through gateway-to-gateway IPsec tunnels Make a note of these two values. You will need them later to set up certificate generation on the system. To create a user profile (username.epf) based on the reference number and authorization code, use the Entrust Profile creation utility, accessible from Start >...
  • Page 405: How Multicast Traffic Passes Through A Gateway-To-Gateway Ipsec Tunnel

    Providing remote access using VPN tunnels Multicast traffic through gateway-to-gateway IPsec tunnels How multicast traffic passes through a gateway-to-gateway IPsec tunnel Figure 10-5 shows how multicast traffic can pass between Host 1, 2, and 3. To pass multicast traffic, you need to turn on multicast support. Additionally, for the gateway-to-gateway IPsec tunnel you need to: Configure multicast support.
  • Page 406 Providing remote access using VPN tunnels Multicast traffic through gateway-to-gateway IPsec tunnels To configure multicast traffic You must configure both security gateways and gateway-to-gateway tunnels between them. To configure security gateway 1 Create a security gateway network entity for eth1, and then do the following: For the address type, select interface.
  • Page 407: Configuring Multicast Support For A Gateway-To-Gateway Ipsec Tunnel

    Providing remote access using VPN tunnels Multicast traffic through gateway-to-gateway IPsec tunnels To create a gateway-to-gateway tunnel for the subnets Create a subnet network entity for 10.10.10.1. Create a subnet network entity for 10.10.20.1. Create a gateway-to-gateway VPN tunnel, and for the local endpoint, use the 10.10.20.1 subnet entity, and then do the following: Use the 10.10.10.1 subnet entity as the remote endpoint.
  • Page 408 Providing remote access using VPN tunnels Multicast traffic through gateway-to-gateway IPsec tunnels Save and close the file. Reboot the security gateway. Note: The raptor.init file is not saved as part of the security gateway backup. To preserve the multicast configuration when the security gateway is restored, back up raptor.init and replace it. To configure multicasting support for a gateway-to-gateway IPsec tunnel in the SGMI In the SGMI, in the left pane, under System, click Administration.
  • Page 410: Enabling Remote Access With Clientless Vpn

    About clientless VPN Symantec Gateway Security’s clientless VPN feature provides portal-based access for Web-enabled and non-Web based applications over secure connections. The clientless VPN component runs on the security gateway and provides a simple, secure, and cost-effective way to connect large numbers of remote users to a corporate network.
  • Page 411: Clientless Vpn Concepts

    How clientless VPN controls authentication and remote access Symantec Gateway Security’s clientless VPN feature gives any external user with a Web browser and the proper user credentials secure, controlled access to an organization’s internal network resources.
  • Page 412: Managing Clientless Vpn Users

    Enabling remote access with clientless VPN Managing clientless VPN users administrators powerful and easy-to-use tools to control the authorization (access) and authentication (identity) phases. Authentication is the process of determining and verifying a user’s identity. The standard way of performing authentication is to prompt users for their user names, passwords, and possibly other information, and to verify that information against an authentication server (such as an LDAP or RADIUS server).
  • Page 413: Controlling Remote Access

    Enabling remote access with clientless VPN Controlling remote access Define users and user groups and their associated authentication server or group server on the Assets > Users > Network Users or User Groups tab. See “Configuring users for internal authentication” on page 243.
  • Page 414: Defining Vpn Profiles To Allow Communication Between The Security Gateway And Clientless Users

    Enabling remote access with clientless VPN Defining VPN profiles to allow communication between the security gateway and clientless users Optionally, do one of the following: ■ To save your configuration and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate...
  • Page 415 Enabling remote access with clientless VPN Defining VPN profiles to allow communication between the security gateway and clientless users Select one of the following: DHCP: In the DHCP server location drop-down list, select the interface to the network on which the external DHCP server resides (usually Inside).
  • Page 416: Using Rules To Allow Or Deny Clientless Vpn Access

    Enabling remote access with clientless VPN Using rules to allow or deny clientless VPN access Related information For further information related to this topic, see the following: ■ “VPN Profile Properties—General tab” on page 618 ■ “Creating and assigning roles” on page 426...
  • Page 417 SimpleAllow1 is a rule for all Web resources that are not secure on host www.symantecexample.com. Since the wildcard (*) was typed in the path field, this rule allows access to any URL beginning http://www.symantecexample.com/. The following URLs match SimpleAllow1: ■ http://www.symantecexample.com ■ http://www.symantecexample.com/companyinfo/techsupport.html ■ http://www.symantecexample.com/product/product/Symantec.pdf...
  • Page 418 Enabling remote access with clientless VPN Using rules to allow or deny clientless VPN access The following URLs do not match: ■ http://www.symantecexample.net ■ http://new.www.symantecexample.com ■ http://www.safe.com/companyinfo/techsupport.html ■ mail://www.symantecexample.com Example 2 SimpleAllow2 is a rule for all non-secure Web resources on host www.symantecdomain.com that contain .pdf.
  • Page 419 Enabling remote access with clientless VPN Using rules to allow or deny clientless VPN access ■ Outlook ■ MAPI Prerequisites None To add a simple rule In the SGMI, in the left pane, under Policy, click Clientless VPN. In the right pane, on the Clientless VPN Rules tab, click New > Simple Rule. In the Simple Rule Properties dialog box, do the following: Rule name: Type a name for the simple rule.
  • Page 420: About Advanced Rules

    Enabling remote access with clientless VPN Using rules to allow or deny clientless VPN access Related information For further information related to this topic, see the following: “Simple Rule Properties—General tab” on page 619 ■ “Examples of simple rules” on page 416 ■...
  • Page 421 Table 11-3 Path element variations: ^dir$ matches dir only (no match: directory, /dirt). Matches any single character string (no match: xyz, /s, sales/status.doc). ^\$$ matches $ only (no match: $$, $$$, $/Symantec.pdf). ^.*$ matches any possible path (match: /dir, /dir/file.txt). ^a*$ matches any path that is filled with any number of the character a (no match: /aaaa, abc, /sales, doc).
  • Page 422 Enabling remote access with clientless VPN Using rules to allow or deny clientless VPN access Table 11-3 Path element variations (Continued): ^/dir/subdir.*$ matches the string /dir/subdir followed by anything (match: /dir/subdir, /dir/subdir/; no match: dir/subdi, dir/subdir).
  • Page 423 Enabling remote access with clientless VPN Using rules to allow or deny clientless VPN access In the right pane, on the Clientless VPN Rules tab, click New > Advanced Rule. In the Advanced rule Properties dialog box, select the following attributes so remote users can gain access to multiple resources at log on: Rule name Type a name for the advanced rule.
  • Page 424: Using Rule Sets To Group Clientless Vpn Access Rules

    Enabling remote access with clientless VPN Using rule sets to group clientless VPN access rules Write allowed For allow rules only, do one of the following: To let the user upload files, select Yes. ■ To allow read-only access (for example, download), select No. ■...
  • Page 425: Using Roles To Assign Rules To Users

    Enabling remote access with clientless VPN Using roles to assign rules to users Optionally, do one of the following: To save your configuration and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■...
  • Page 426: Role Structure And Inheritance

    Enabling remote access with clientless VPN Using roles to assign rules to users To create a role, see the following topic: “Creating and assigning roles” on page 426 ■ Role structure and inheritance The security gateway role structure lets you easily assign access privileges and customized portal pages to a user based on the existing group structure of the authentication server.
  • Page 427: Role Attributes

    Enabling remote access with clientless VPN Using roles to assign rules to users Role attributes Once a role is created, you must assign its attributes. These attributes influence a user’s access privileges. In general, there are three types of attributes that you can assign to a role: Access profiles Most common user privileges are defined in the access profile associated with the role.
  • Page 428 Enabling remote access with clientless VPN Using roles to assign rules to users Name Type a name for the new role. Authentication server In the drop-down list, select the authentication server to use. Parent role(s) To specify the roles that serve as parent roles to the new role, do one of the following: ■ To add a parent role, click Add, select a parent role from the Role Selection dialog...
  • Page 429 Enabling remote access with clientless VPN Using roles to assign rules to users Optionally, do one of the following: To save your configuration and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■...
  • Page 430 Enabling remote access with clientless VPN Using roles to assign rules to users Assigning a parent to a role To assign rules to multiple users or user groups, you can assign parents to roles and establish the child/parent hierarchy. Therefore, any rule assigned to the parent role is automatically inherited by the child role.
  • Page 431: Assigning A Rule Or Rule Set To A Role

    Enabling remote access with clientless VPN Using roles to assign rules to users Related information For further information related to this topic, see the following: “Clientless VPN Role Properties—General tab” on page 624 ■ Assigning a rule or rule set to a role For a user or group of users to have permission to access a network resource through clientless VPN, you must assign the access rule to a role to which the user or user group is assigned.
  • Page 432 Enabling remote access with clientless VPN Using roles to assign rules to users To configure clientless VPN logon policy You can configure a specific logon policy for each role. However, two clientless VPN logon policy parameters must be set for all clientless VPN users. To configure logon policy for a role In the SGMI, in the left pane, under Policy, click Clientless VPN.
  • Page 433: Using Portal Pages To Customize The User Experience

    Company logo and name Appear on many pages, including the user sign-on page. To customize the user experience, replace the default Symantec logo and name with those of your organization. The logo and name appear on all portal pages. News items Posts system-wide messages to display for a specific period of time.
  • Page 434: Creating A User Portal Page

    Enabling remote access with clientless VPN Using portal pages to customize the user experience The sample clientless VPN home page identifies the location of some of these features. Figure 11-3 Sample clientless VPN home page Resource Navigation bar News Port Tunnel QuickLinks forwarder...
  • Page 435: Creating Resource Quicklinks

    Enabling remote access with clientless VPN Using portal pages to customize the user experience To create a portal page In the SGMI, in the left pane, under Assets, click Portal Pages. In the right pane, on the Portal Pages tab, click New. In the Portal Page Properties dialog box, on the General tab, in the Portal page name text box, type a name for the portal page.
  • Page 436: Grouping Resources

    Enabling remote access with clientless VPN Using portal pages to customize the user experience QuickLink Check if the resource will be accessed frequently and it will be displayed as a Resource QuickLink on the clientless VPN home page. Autostart Check to launch the resource when the user signs in. Caption Type a brief description of the portal page resource.
  • Page 437: Adding Resource Links To Portal Pages

    Enabling remote access with clientless VPN Using portal pages to customize the user experience Optionally, do the following: To save your configuration and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■...
  • Page 438: Adding A Corporate Name And Logo

    Adding a corporate name and logo The security gateway comes with a default Symantec logo and company name that are displayed on all portal pages. You can replace these with your own corporate name and logo to display them to remote users.
  • Page 439: Removing News Items From A Portal Page

    Enabling remote access with clientless VPN Using portal pages to customize the user experience Optionally, do one of the following: To save your configuration and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■...
  • Page 440: Enabling Single Sign-On For Remote Users

    Enabling remote access with clientless VPN Enabling single sign-on for remote users In the Portal Page Selection dialog box, select the portal page you want to add, and then click OK. Click OK. Optionally, do one of the following: To save your configuration and activate later, on the toolbar, click Save. ■...
  • Page 441: Deleting User Sign-On Data

    Enabling remote access with clientless VPN Enabling single sign-on for remote users To create a single sign-on rule In the SGMI, in the left pane, under Policy, click Clientless VPN. In the right pane, on the Single Sign-On tab, click New. In the Single Sign-On Rule Properties dialog box, on the General tab, do the following: Rule name Type a unique name to identify the single sign-on rule.
  • Page 442: Using Reverse Proxy Translation

    Enabling remote access with clientless VPN Using reverse proxy translation Prerequisites Complete the following tasks before beginning this procedure: “Creating a single sign-on rule” on page 439 ■ To delete user sign-on information Sign on to clientless VPN. On the clientless VPN home page, click Account Administration. On the Account Administration page, click Delete Single Sign-on Information.
  • Page 443: Using The Remote Access Tunnel Wizard To Set Up Clientless Vpn Connections

    Servers, paths, files (wild cards supported) Secure Network Hosts on the inside interface Connection The Remote Access Tunnel Wizard can also be used to build tunnels for Symantec Client VPN users. Prerequisites Complete the following tasks before beginning this procedure: “Configuring users for internal authentication”...
  • Page 444 Enabling remote access with clientless VPN Using the Remote Access Tunnel Wizard to set up clientless VPN connections To use the Remote Access Tunnel Wizard You can start the Remote Access Tunnel Wizard from the Tools menu or from the security gateway home page.
  • Page 445 Enabling remote access with clientless VPN Using the Remote Access Tunnel Wizard to set up clientless VPN connections If you selected File In the Path text box, type the path name for the share. ■ To enable a share of the resource, check Share. ■...
  • Page 446 Enabling remote access with clientless VPN Using the Remote Access Tunnel Wizard to set up clientless VPN connections In the Options panel, identify the host resource to which you are providing access by doing one of the following: To specify the host by DNS name, click Specify host by DNS name, and then type the DNS ■...
  • Page 447: Advanced Mail Actions

    Enabling remote access with clientless VPN Advanced mail actions In the Clientless VPN Profile panel, do one of the following: To use an existing clientless VPN profile, click Use existing clientless VPN profile, and then ■ click Next to skip to step 8. To create a new clientless VPN profile, click Create new clientless VPN profile.
  • Page 448 Enabling remote access with clientless VPN Advanced mail actions At another organization, the IMAP and SMTP servers might be running on the same host, mail.symantecexample.com, on the standard ports of 143 and 25, respectively. In this case, there is no need to create an advanced mail action because that configuration is standard.
  • Page 449 Enabling remote access with clientless VPN Advanced mail actions Prerequisites Complete the following tasks before beginning this procedure: “Managing clientless VPN users” on page 411 ■ Use the security gateway as a mail proxy To use the security gateway as a mail proxy for clientless VPN users, you must do the following: Configure the security gateway as a mail proxy.
  • Page 450: Ensuring Client Compliance For Clientless Vpn Users

    Client Firewall enabled. This option is checked by default. Note: If the Symantec Client Firewall has just been turned on, the security gateway may not recognize it immediately. Require auto-protect Check this option to require that the antivirus auto-protect feature is enabled. This option is checked by default.
  • Page 451: Applying Client Compliance To Clientless Vpn Roles

    Enabling remote access with clientless VPN Ensuring client compliance for clientless VPN users Secondary antivirus server Specify the secondary antivirus server by selecting it from the drop-down list. User name Type the user name for antivirus server access, if required. Password Type the password for antivirus server access, if required.
  • Page 452: Specifying The Ssl Cipher Suite For Data Encryption

    Enabling remote access with clientless VPN Specifying the SSL cipher suite for data encryption In the Clientless VPN Role Properties dialog box, on the General tab, in the Client compliance level drop-down list, select the action to take against non-compliant clients. Click OK.
  • Page 453: Configuring Access To Common Applications

    You can use a terminal emulation client to connect to a remote computer and have a full-featured desktop on that remote computer. Clientless VPN supports a number of common terminal emulators, including Symantec PC Anywhere, Microsoft Terminal Service, Citrix Nfuse, and Virtual Network Computing (VNC).
  • Page 454 Enabling remote access with clientless VPN Configuring access to common applications Access To let users access the resource defined by the rule, select Allow. Network Application In the drop-down list, select tcp. Host Type the fully qualified domain name (FQDN) of the remote computer to which the terminal emulator client will connect.
  • Page 455: Identifying Resources With Urls

    ■ “Clientless VPN Role Properties—Portal Pages tab” on page 625 ■ “Connecting to Symantec Clientless VPN with the terminal emulation client” on page 454 ■ Connecting to Symantec Clientless VPN with the terminal emulation client After the user logs on, clientless VPN downloads the port forwarder Java applet. After the user accepts the applet, a TCP tunnel is established for the previously configured client resource.
  • Page 456: Resource Url Syntax

    Enabling remote access with clientless VPN Identifying resources with URLs Resource URL syntax Clientless VPN uses standard extensions of URLs that are supported by browsers to represent Web content. About Web (HTTP and HTTPS) Clientless VPN supports both secure and non-secure Web resources. Note: Even though the slash (/) character is explicitly entered between the host and path elements of the URL, it is considered part of the path.
  • Page 457: Url Example

    Enabling remote access with clientless VPN Identifying resources with URLs The following table shows an example of an advanced Web URL with non-secure Web resource and query. Table 11-8 Example URL http://search.symantecexample.com/bin/search?p=Symantec: protocol http; host search.symantecexample.com; path /bin/search; query p=Symantec. The following table shows an example of a secure Web resource with user name, password, and fragment.
  • Page 458 Enabling remote access with clientless VPN Identifying resources with URLs Mail resources Clientless VPN can control access to mail resources. These resources are configured and accessed in rules using the following URL syntax: Basic protocol://host Advanced protocol://username:password@host:port/mailbox The protocol is mail. The port is entered only if it is not the default IMAP port (143). Note: Users typically do not enter their user name and password because this information can be automatically inserted by clientless VPN.
  • Page 459 Enabling remote access with clientless VPN Identifying resources with URLs The protocol is always mapi. The host name is the fully qualified domain name or IP address of the host computer. Note: The Microsoft Outlook client does not launch automatically using this resource URL. The following table shows an example of a MAPI resource.
  • Page 460 Enabling remote access with clientless VPN Identifying resources with URLs Using Telnet sessions The security gateway supports remote logon from the user interface to other computers using Telnet sessions. Telnet is a basic resource that lets administrators control the specific hosts (for example, computers) that the user can access.
  • Page 461 Enabling remote access with clientless VPN Identifying resources with URLs User Datagram Protocol (UDP) port forwarding The security gateway supports remote UDP (User Datagram Protocol) port forwarding. This feature lets users connect to any UDP resource (for example, application or applet) behind the security gateway without reconfiguring the application client.
  • Page 462: Monitoring The Security Gateway

    ■ Monitoring IDS/IPS alerts ■ Alerting using notifications ■ Integrating Symantec DeepSight Threat Management System ■ Reducing the volume of log messages ■ About monitoring The security gateway provides monitoring features that let you see the current status of the appliance, and take appropriate actions to respond to events in a timely manner.
  • Page 463: Viewing System Health

    The appliance also provides indicators of appliance health. For more information, see the sections on front panel status indicators and LCD system information in the Symantec Gateway Security Series 5000 v3.0 Installation Guide.
  • Page 464: Monitoring System Usage And Connections

    Monitoring disk usage can help you know when to delete archived log files or clean up unused configurations. You can also see whether a disk has failed and take action to avoid loss of data. On Symantec Gateway Security 5660 appliances and 5640 appliances that have more than one hard disk installed, RAID is implemented automatically to keep the appliance running in the event of a disk failure.
  • Page 465: Monitoring Appliance Temperature And Fan Status

    Events are logged to the SGMI if a threshold is met. Symantec Gateway Security 5400 Series appliances have a single fan that cools the CPU. Symantec Gateway Security 5600 Series appliances have four fans: two cool the CPU and two cool the rest of the board.
  • Page 466: Changing The Health Check Poll Interval

    Monitoring the security gateway Viewing system health Power supply status (5640 and 5660 only), when more than one power supply is installed. ■ Green check marks are displayed when these values are in the safe range. A red circle with an x is displayed when a value exceeds the safe range. If you see a red x, you should view the log file for messages that describe the nature of the problem and possible actions.
  • Page 467: Monitoring Connections

    ■ The AntiVirus Servers tab shows the status of the virus scanning engine and definitions used by the client compliance feature. It also shows the status of the antivirus servers. ■ The Hardware Encryption Diagnostics tab runs tests on the Symantec Gateway Security 5600 Series hardware accelerator chip and shows if it is working properly.
  • Page 468: Viewing Active Connections

    Monitoring the security gateway Monitoring connections Closed Connections The number of closed connections. Bytes Received The number of bytes that have been received over the connection since it opened. Bytes Sent The number of bytes that have been sent over the connection. To change the columns displayed, right-click the entry, and then click Show Columns.
  • Page 469: Viewing Antivirus Server Status

    Monitoring the security gateway Monitoring connections To terminate an active connection In the SGMI, in the left pane, under Monitors, click Status. On the Active Connections tab, select the entry, and then click Kill Connection. Related Information None. Viewing antivirus server status The antivirus server status shows information about antivirus servers that are configured to support the client compliance features.
  • Page 470: Testing The Hardware Accelerator Chip With Hardware Encryption Diagnostics

    Testing the hardware accelerator chip with hardware encryption diagnostics Hardware encryption diagnostics run tests on the Symantec Gateway Security 5400 and 5600 Series appliances. On the 5400 Series, it could show that the accelerator card is broken and on the 5600, it could show a defective chip on the motherboard.
  • Page 471: Monitoring Log Files

    Monitoring the security gateway Monitoring log files To unlock user accounts In the SGMI, in the left pane, under Monitors, click Status. In the right pane, on the Clientless VPN Failed Logons tab, in the Locked user accounts list, all locked out users are displayed.
  • Page 472 Monitoring the security gateway Monitoring log files Click Properties. In the Service Parameters for Log Properties dialog box, on the General tab, configure or view the following parameters: Service Name The name of the log service is displayed. Text Log Creation To enable text logging as well as binary logging, check Text Log Creation Enabled.
  • Page 473: Using The Event Logs Toolbars

    Monitoring the security gateway Monitoring log files Rollover Request Port Number Use the up and down arrows to select the port number on which logserviced is listening for requests to roll over the logfile. Auto delete old logfiles To automatically delete old logfiles rather than suspend logging when there is no additional space, check Auto delete old logfiles.
  • Page 474: Viewing, Copying, And Printing Current Log Files

    Monitoring the security gateway Monitoring log files The SGMI tool bar also has buttons that affect the Event Logs view, as described in the following table. Table 12-2 Log message view icons (Icon, Function, Description): Refresh Retrieves the last page of data from the current open file. Enable/Disable Auto... When disabled, clicking this icon begins refreshing the Event Log every 5 seconds to...
  • Page 475: Viewing Cluster Log Files

    Monitoring the security gateway Monitoring log files To browse through events logged by the security gateway In the SGMI, in the left pane, under Monitors, click Logs. In the right pane, on the Event Logs tab, in the event log table, do one of the following: On your computer’s keyboard, use the up or down arrow to browse through the list of log ■...
  • Page 476: Opening, Deleting, And Backing Up Archived Log Files

    Monitoring the security gateway Monitoring log files Opening, deleting, and backing up archived log files You can open, delete, and back up log files older than 24 hours (or files that have been rolled over the same day) using the Open Log button on the Event Logs tab. The number and size of the archived log files depend on the configuration of the logging service.
  • Page 477: Starting A New Log File

    Monitoring the security gateway Monitoring log files In the show columns dialog box, you can do one or more of the following: To add columns, select the columns you want to view, and then click Close. ■ To restore the default settings in the Log Entries table, click Restore Defaults. ■...
  • Page 478 Monitoring the security gateway Monitoring log files Destination port The port number of the destination of the event. Time: Start The beginning of the time period specified for the search. Time: Duration The duration of the search period. Prerequisites None. To perform a basic log search In the SGMI, in the left pane, under Monitors, click Logs.
  • Page 479 Monitoring the security gateway Monitoring log files Related Information For further information related to this topic, see the following: “Event Log tab—Log Search dialog box—Search tab” on page 572 ■ “Event Log tab—Log Search dialog box—Advanced tab” on page 573 ■...
  • Page 480 Monitoring the security gateway Monitoring log files To uncheck all event types, click Clear All. To display events with specific event classifications, click Classification, and from the Classification tree, select a classification. You can expand the tree to make your search more specific.
  • Page 481: Managing Log Files Remotely

    Monitoring the security gateway Monitoring log files 11 To display events whose message text includes specific text patterns, do the following: Click Text Patterns. ■ In the Value text box, type the text pattern, and then click Add. ■ 12 Click OK. Related Information None.
  • Page 482 Monitoring the security gateway Monitoring log files Remotely managing log files You can remotely list, get, or delete log files. Use Table 12-3 to select the correct file for your specific platform. To remotely list log files ◆ On a client computer, where you installed the remote logfile management utility, run the following command: <remotearchive.sh>...
  • Page 483: Monitoring Ids/Ips Alerts

    Monitoring the security gateway Monitoring IDS/IPS alerts Monitoring IDS/IPS alerts When licensed, the IDS/IPS component examines all incoming packets, looking for anomalies. All detected anomalies are logged in the security gateway’s log file. Within the log file, they are identified as IDS/IPS alerts.
  • Page 484 Monitoring the security gateway Monitoring IDS/IPS alerts To change the configuration of the signature that generated the alert, to the right of the intrusion event, click the Properties button. In the Intrusion Event Properties dialog box, which is the same dialog box that displays when you view the properties of an event from the IDS/IPS Configuration tab, to configure the security gateway response to the event, do the following: Log this event...
  • Page 485: Displaying Selected Ids/Ips Alerts

    Monitoring the security gateway Monitoring IDS/IPS alerts Displaying selected IDS/IPS alerts Using the IDS/IPS Alert Search feature, you can control which kinds of IDS/IPS Alerts are displayed on the IDS/IPS Alert tab. Use the Log Search dialog box for IDS/IPS alerts for the following: Performing a basic IDS/IPS alert search ■...
  • Page 486 Monitoring the security gateway Monitoring IDS/IPS alerts Related Information For further information related to this topic, see the following: “IDS Alert Properties” on page 575 ■ Performing an advanced IDS/IPS alert search You can use the Advanced tab of the Log Search dialog box to apply more advanced search criteria. This lets you perform a more granular search than the basic search, using criteria such as specific log levels, specific message parameters, and so on.
  • Page 487: Alerting Using Notifications

    Monitoring the security gateway Alerting using notifications To display alerts that contain specific parameters, do the following: Click Parameters, and then click Add. ■ In the Select Parameters dialog box, in the Log Parameter Name list, select a parameter that ■...
  • Page 488 Monitoring the security gateway Alerting using notifications Prerequisites None. To configure a Blacklist notification In the SGMI, in the left pane, under Monitors, click Notifications. In the right pane, on the Notifications window, click New > IDS/IPS Blacklist Notification. In the IDS/IPS Blacklist Notification Properties dialog box, on the General tab, to enable blacklist notification, check Enable.
  • Page 489: Configuring A Client Program Notification

    Monitoring the security gateway Alerting using notifications Configuring a client program notification A client program notification causes the security gateway to start up a designated client program in response to a message. The security gateway supports invoking a client application or script as a notification method.
  • Page 490: Configuring An Email Notification

    Monitoring the security gateway Alerting using notifications Configuring an email notification Email notifications send the text of the log message that generated the notification to the recipient through email. When configuring a mail notification, ensure that the email address is valid and resolvable.
  • Page 491: Configuring A Pager Notification

    Monitoring the security gateway Alerting using notifications Configuring a pager notification Pager notifications transmit the text of the log message generating the notification to a designated paging device. Pager notifications require that you enter the telephone number of the pager to call. You must have a Hayes-compatible modem and specify its USB port using the Notify daemon properties dialog box on the Modem tab in the System >...
  • Page 492: Configuring Snmpv1 And Snmpv2 Notifications

    Monitoring the security gateway Alerting using notifications Configuring the Notify daemon To use pager notifications, you must have a Hayes-compatible modem and you must specify its COM/USB connection port through the Service Parameters For Notify Properties dialog box. Prerequisites None.
  • Page 493 Monitoring the security gateway Alerting using notifications Configuring SNMPv1 notifications SNMPv1 notifications contain a community field, which is a text string holding a value agreed upon between a manager and the agents that it manages. The security gateway and any SNMPv1 managers with which it communicates must both be configured to accept the same community string.
  • Page 494 Monitoring the security gateway Alerting using notifications Configuring an SNMPv2 notification SNMPv2 notifications contain object identifier (OID) values that represent the source and destination parties and trap context. An OID is a sequence of integers separated by periods, such as 1.3.1.6.1.4. You can use different privacy methods to hide the information in the trap as it crosses the network, and different authentication methods to ensure the identity of the trap originator.
  • Page 495: Integrating Symantec Deepsight Threat Management System

    Symantec DeepSight offers visual diagnostics about your firewall states and proactive alerting to guide you to correct responses to threats. Symantec DeepSight lets you see the threats experienced by your appliances in relation to the security threats worldwide, and take preventative measures against these threats. The Alerting Services provides alerting on particular threats along with recommendations for actions to be taken.
  • Page 496: Reducing The Volume Of Log Messages

    Monitoring the security gateway Reducing the volume of log messages Reducing the volume of log messages There are several techniques to reduce the volume of log messages without compromising your security: Modifying firewall rules to reduce log messages ■ Including host names in log entries ■...
  • Page 497: Configuring Reverse Lookup Timeout Value

    Monitoring the security gateway Reducing the volume of log messages Configuring reverse lookup timeout value The reverse lookup timeout value controls whether slow name-to-address or address-to-name lookups are logged. This is useful when trying to determine the reason for poor system performance. Disabling this feature reduces the number of log messages.
  • Page 498: Generating Reports

    Chapter Generating reports This chapter includes the following topics: About reports ■ Analysis reports ■ Configuration reports ■ Viewing validation reports ■ Upgrade reports ■ About reports You need to have Adobe Acrobat Reader installed to read reports in PDF format. There are four report categories for the security gateway: Analysis Displays reports that describe system activity.
  • Page 499: Generating And Viewing An Analysis Report

    Generating reports Analysis reports Generating and viewing an analysis report Once an analysis report is generated, you can either print it or save it in a PDF format. Once saved, you can email the report to interested parties using a native email program that can automatically send, such as sendmail on UNIX or some other public-domain Windows application.
  • Page 500: Analysis Report Descriptions

    Generating reports Analysis reports To save an analysis report From the report you generated, in the File menu, select Save As. ◆ Related information For further information related to this topic, see the following: “Analysis report descriptions” on page 499 ■...
  • Page 501 Generating reports Analysis reports Common Web Sites These reports provide details of Web access activity detected by the security gateway, letting you identify whether your Web access policy is performing as desired. Table 13-2 Common Web Sites report categories Report view Description Top Bytes Transferred by Lists and details (bytes) the source addresses who have most often accessed the sites...
  • Page 502: Configuration Reports

    Generating reports Configuration reports Content Filter These reports detail all of the content filtering activity detected and addressed by the security gateway during the requested 24-hour period. Table 13-5 Content Filter report categories Report view Description Content Filter Summary by Reason Lists each reason, showing the number of times content blocking for that reason has occurred.
  • Page 503: Generating And Viewing A Configuration Report

    Generating reports Configuration reports Generating and viewing a configuration report You can generate and view a configuration report in either HTML or PDF format. Prerequisites None. To generate and view a configuration report In the SGMI, on the Reports menu, click Configuration. In the Configuration Reports dialog box, in the Reports list box, select the report category to generate.
  • Page 504: Configuration Report Descriptions

    Generating reports Configuration reports To save a configuration report, do one of the following: From a PDF file, on the File menu, click Save. ■ From an HTML file, in the browser File menu, click Save as. ■ Related information For further information related to this topic, see the following: “Configuration report descriptions”...
  • Page 505 Generating reports Configuration reports Table 13-8 Configuration reports categories (Continued) Report Description Clientless VPN Rule Sets Displays the configured rule set name, rules, and rule sets. Clientless VPN Rules Specifies the rule, type, network applications, host, port, path, and queries for the clientless VPN rule.
  • Page 506 Displays the selected SESA event types to send to SESA along with the message, URL, and other limitations you have configured. Note: For SESA management, Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0. SSH Options...
  • Page 507: Viewing Validation Reports

    These messages are categorized into the following four priorities: Action Describes changes that you must make to ensure proper gateway functionality, such as replacing an authentication method that is no longer supported. Refer to the Symantec Gateway Security 5000 Series v3.0 Installation Guide for detailed information about upgrades.
  • Page 508: Retrieving Upgrade Reports Using Ftp Or Ssh

    Generating reports Upgrade reports Warning Describes changes that you likely want to view or test. For example, if your Symantec Gateway Security version 2.0 configuration let administrators access your security gateway using SRL, you now have to use SSH. Informational Describes changes that you might be interested in, but are not required to act upon.
  • Page 509 Generating reports Upgrade reports...
  • Page 510: High Availability And Load Balancing Using Clusters

    Chapter High availability and load balancing using clusters This chapter includes the following topics: About clustering ■ How clusters work ■ Creating a new cluster with the Cluster Wizard ■ Changing cluster settings ■ Managing clusters ■ Updating interfaces in a cluster configuration ■...
  • Page 511 How clusters work Virtual IP addresses and VIP owners Symantec’s cluster implementation uses virtual IP addresses (VIPs) to direct traffic. With VIPs, all cluster members share the same virtual IP addresses for a given subnet, although only one member can physically own the VIP at a time.
  • Page 512: Cluster Prerequisites

    Microsoft Windows or Sun Solaris security gateway, you need to back up your configuration and migrate to a Symantec Gateway Security 5600 Series v3.0 prior to adding it to a cluster. The network configuration of all cluster members must match; the IP addresses of all cluster ■...
  • Page 513: Creating A New Cluster With The Cluster Wizard

    When considering setting up your interfaces, understand that on the 5600 Series appliances the Ethernet ports have variable speeds. See the Symantec™ Gateway Security 5000 Series v3.0 Installation Guide for more information. Related information For further information related to this topic, see the following: “Modifying redirected services for clustering”...
  • Page 514 High availability and load balancing using clusters Creating a new cluster with the Cluster Wizard In the Define Cluster panel, do the following: Cluster name Type the name for the cluster. The maximum length is 256 characters. Allowed characters are a-z, A-Z, numerals, periods (.), and dashes (-). Do not include spaces or underscores in the name.
  • Page 515: Changing Cluster Settings

    High availability and load balancing using clusters Changing cluster settings In the Connect to New Cluster Member panel, do the following: User name Type the name of the administrator of the new cluster member. Allowed settings are a-z, A-Z, periods (.), dashes (-), and underscores (_). Do not include spaces in the user name.
  • Page 516: Changing Global Cluster Configurations

    High availability and load balancing using clusters Changing cluster settings Changing global cluster configurations You can modify settings for hot standby, load balancing, and weight. Global cluster settings affect all cluster members. While an individual setting, such as weight, might apply to an individual cluster member, that value affects all cluster members.
  • Page 517: Monitoring Cluster Processes

    High availability and load balancing using clusters Changing cluster settings To change virtual IP addresses for clusters In the SGMI, in the left pane, under Cluster, click VIPs. In the right pane, in the VIPs window, in the Select interface for VIP list drop-down list, select the interface that you want modify.
  • Page 518: Configuring Ping Groups For Clusters

    High availability and load balancing using clusters Changing cluster settings Configuring ping groups for clusters Ping groups are an optional configurable monitoring service that requires that the cluster has an active persistent connection to specific external machines. If there is a break in the connectivity to any of these machines, then the cluster member that cannot reach the external machine is pulled out of the cluster.
  • Page 519: Changing Traffic Groupings For Clusters

    High availability and load balancing using clusters Changing cluster settings To configure NIC monitoring on a cluster In the SGMI, in the left pane, under Cluster, click NIC Monitoring. In the right pane, in the NIC Monitoring window, to control which NICs are monitored, select the interface you want to monitor, and then click Properties.
  • Page 520: Managing Clusters

    High availability and load balancing using clusters Managing clusters Managing clusters The changes that you make on the first cluster member that you log on to are propagated to all other cluster members, letting them appear as one security gateway, with the same users, network entities, rules, and all other properties.
  • Page 521 High availability and load balancing using clusters Managing clusters Adding or removing a cluster member You can add or remove cluster members without using the Cluster Wizard. You must connect the SGMI computer to a cluster member. When you remove a cluster member, you cannot remove the cluster member you are logged on to.
  • Page 522: Dissolving A Cluster

    High availability and load balancing using clusters Managing clusters When a cluster member is removed, its previous stand-alone configuration is restored and the removed cluster member is immediately rebooted. Click OK. In the Add/Remove Cluster Members panel, click Finished modifying the cluster. Click Next.
  • Page 523: Rebooting A Cluster

    High availability and load balancing using clusters Managing clusters In the Confirmation panel, click Finish. Do one of the following: If the configuration is successful, click Close. ■ If the configuration is unsuccessful, the cluster configuration tasks that could not be ■...
  • Page 524 High availability and load balancing using clusters Managing clusters Rebooting a cluster You may need to reboot for several reasons. For example, when you add or remove an interface, when a cluster member is not responding, after you dissolve a cluster, when you enable hot standby, or when a hotfix has been applied.
  • Page 525: Using Stateful Failover To Maintain Cluster Connections

    High availability and load balancing using clusters Updating interfaces in a cluster configuration Using stateful failover to maintain cluster connections Stateful failover lets you maintain connections even after a security gateway fails in a cluster environment. The HA/LB feature maintains connections without reconnecting or reauthorizing as long as the connection was active for 60 seconds prior to the failure.
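The cluster behaviour described on these pages (a VIP owned by one member at a time, ping groups and NIC monitoring pulling an unreachable member out of the cluster, weight and hot standby deciding who takes over, and stateful failover keeping only connections that were active for 60 seconds before the failure) can be modelled end to end. The following Python script is an added illustration, not Symantec code and not how the appliance implements HA/LB internally. Its assumptions, which the manual does not state, are: a member is healthy when its monitored NICs are up and every ping-group host is reachable; under load balancing the healthy member with the highest weight owns the VIP (ties broken by lowest address); under hot standby the first healthy member in configured order owns it; and the 60-second rule is evaluated on connection age at the instant of failure. All addresses and connection records are constructed sample data.

```python
"""Toy model of VIP ownership, ping-group health and stateful failover in a
security gateway cluster. Added illustration, not Symantec code. Assumptions
(not from the manual): health = NICs up and all ping-group hosts reachable;
load balancing gives the VIP to the healthy member with the highest weight
(ties: lowest address); hot standby gives it to the first healthy member in
configured order; the 60 s rule is applied to connection age at failure time."""

from dataclasses import dataclass, field

STATEFUL_MIN_AGE_S = 60  # manual: connection must have been active 60 s before the failure


@dataclass
class Member:
    address: str
    weight: int = 1                     # global cluster setting used by load balancing
    nics_up: bool = True                # result of NIC monitoring
    ping_targets: dict = field(default_factory=dict)   # ping-group host -> reachable?

    def healthy(self) -> bool:
        # A member with a failed NIC, or one that lost connectivity to any
        # ping-group host, is pulled out of the cluster.
        return self.nics_up and all(self.ping_targets.values())


@dataclass
class Connection:
    src: str
    dst: str
    started_at: float                   # seconds since an arbitrary epoch


def vip_owner(members, hot_standby=False):
    """Return the address of the member that owns the VIP, or None if no
    member is healthy. Only one member owns a VIP at a time."""
    healthy = [m for m in members if m.healthy()]
    if not healthy:
        return None
    if hot_standby:
        return healthy[0].address
    return min(healthy, key=lambda m: (-m.weight, m.address)).address


def surviving_connections(conns, failed_at):
    """Stateful failover keeps connections that were active for at least
    60 s when the failure happened; younger ones must reconnect."""
    return [c for c in conns if failed_at - c.started_at >= STATEFUL_MIN_AGE_S]


def simulate_ping_group_failure(members, failing_address, conns, failed_at):
    """Mark one member's ping-group hosts unreachable, re-elect the VIP
    owner and report how many connections carry over to the new owner."""
    before = vip_owner(members)
    for m in members:
        if m.address == failing_address:
            m.ping_targets = {host: False for host in m.ping_targets}
    after = vip_owner(members)
    kept = surviving_connections(conns, failed_at)
    return {"owner_before": before, "owner_after": after,
            "kept": len(kept), "dropped": len(conns) - len(kept)}


def sample_cluster():
    # Constructed two-member cluster sharing one ping-group host (not real data).
    return [
        Member("10.0.0.1", weight=3, ping_targets={"10.0.0.254": True}),
        Member("10.0.0.2", weight=1, ping_targets={"10.0.0.254": True}),
    ]


# Constructed connection table: ages at t=1000 are 1000 s, 100 s and 10 s.
SAMPLE_CONNS = [
    Connection("192.0.2.10", "198.51.100.5", started_at=0.0),
    Connection("192.0.2.11", "198.51.100.5", started_at=900.0),
    Connection("192.0.2.12", "198.51.100.5", started_at=990.0),
]

if __name__ == "__main__":
    print(simulate_ping_group_failure(sample_cluster(), "10.0.0.1", SAMPLE_CONNS, 1000.0))
```

Running the script shows the VIP moving from the weight-3 member to the weight-1 member once the first member's ping-group host becomes unreachable, with two of three connections surviving and the 10-second-old one dropped; this is the check to keep in mind when testing ping groups, since a flapping external host will evict members and drop every connection younger than a minute.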
  • Page 526: Adding A Network Interface To A Cluster Member

    High availability and load balancing using clusters Updating interfaces in a cluster configuration Adding a network interface to a cluster member You can enable one of the unused interfaces on a cluster member as usage requirements increase. Add only one new interface at a time. Adding a network interface in a cluster environment requires changes to the individual cluster members and to the cluster itself.
  • Page 527: Removing A Network Interface From A Cluster Member

    High availability and load balancing using clusters Updating interfaces in a cluster configuration Click Finish. When the configuration is complete, a message dialog box tells you that the cluster status has been updated. To clear the message, click OK. To verify that the new interface has been added to the cluster configuration In the SGMI, in the left pane, view the Cluster >...
  • Page 528: Changing A Network Interface

    High availability and load balancing using clusters Updating interfaces in a cluster configuration Related information For further information related to this topic, see the following: “Rebooting a cluster” on page 523 ■ “Cluster Management Update Interface panel” on page 806 ■...
  • Page 529: Monitoring Cluster Status

    High availability and load balancing using clusters Monitoring cluster status Related information For further information related to this topic, see the following: “Rebooting a cluster” on page 523 ■ “Cluster Management Update Interface panel” on page 806 ■ “Confirmation panel” on page 805 ■...
  • Page 530: Viewing Cluster Status Using The Bfstat Utility

    Note: To learn about other bfstat usage, you can use the following command: bfstat help However, other bfstat commands are troubleshooting commands that you should only use if instructed by Symantec Technical Support. Prerequisites None. To view cluster member status using the bfstat utility Run SSH on any cluster member to open a command window.
  • Page 531: Cluster Interactions With Other Security Gateway Features

    High availability and load balancing using clusters Cluster interactions with other security gateway features Related information None. Cluster interactions with other security gateway features When you create clusters, be aware of how clustering affects the following security gateway features: Redirected services “Modifying redirected services for clustering”...
  • Page 532 High availability and load balancing using clusters Cluster interactions with other security gateway features Modify redirected services for clustering Pay close attention to the exact type of situation you have before proceeding. To add a security gateway with a redirected service to a cluster Log on to the security gateway that you want to add to a cluster.
  • Page 533 High availability and load balancing using clusters Cluster interactions with other security gateway features 11 On the non-clustered security gateway, before you activate the configuration, edit the redirected service. 12 In the Redirected Services Properties dialog, on the General tab, do the following: In the Requested Address text box, type the actual IP address of the security gateway’s ■...
  • Page 534: Modifying The Rip Daemon For Use With Clusters

    High availability and load balancing using clusters Cluster interactions with other security gateway features Related information For further information related to this topic, see the following: “Cluster prerequisites” on page 511. ■ “Adding or removing a cluster member” on page 520 ■...
  • Page 535: Configuring Gateway-To-Gateway Vpn Tunnels That Use Nat

    High availability and load balancing using clusters Backing up and restoring cluster configurations Rebooting cluster members that are in hot standby mode When you reboot the members of a cluster that are in hot standby mode, the reboot sequence is important.
  • Page 536: Restoring A Cluster Configuration

    High availability and load balancing using clusters Backing up and restoring cluster configurations when applying the restore in a cluster environment. You can specify the information to be restored or not to be restored independently in a dialog box that appears during the restore process. Table 14-3 Cluster configuration backup and restore information Process...
  • Page 537 ■ Click Next. On the Restore Settings panel, do the following: Check Restore from a Symantec Gateway Security backup image, and then browse to where ■ you have saved your backup file. In the Password text box, type the administrator’s password.
  • Page 538 High availability and load balancing using clusters Backing up and restoring cluster configurations Related information For further information related to this topic, see the following: “System Setup Wizard” on page 795 ■ “Restore Wizard” on page 808 ■ Validating backed up cluster configurations that use VIPs Because VIPs are used in a cluster configuration, special attention is required when restoring the image to a cluster that does not share the same VIP information.
  • Page 539 To migrate a demonstration cluster configuration to a production network Unpack your new security gateways. Use the Connecting and Configuring section of the Symantec Gateway Security 5000 Series V3.0 Getting Started guide to set up your hardware and run the System Setup Wizard to pass traffic.
  • Page 540: Troubleshooting Cluster Configuration Problems

    High availability and load balancing using clusters Troubleshooting cluster configuration problems Migrating a cluster configuration from a two-member to a three-member cluster You can restore a configuration from a two-member cluster to a three-member cluster. The first step is to back up the two-member cluster configuration using a backup password and then restore it to the three-member cluster using the restore option in the System Setup Wizard.
  • Page 541: Errors On The Cluster Member That Propagates The Configuration

    High availability and load balancing using clusters Troubleshooting cluster configuration problems Errors on the cluster member that propagates the configuration Errors on the cluster member that propagates the configuration can cause the cluster configuration to fail immediately. After you close an error message, possible reasons for cluster configuration failure are displayed.
  • Page 542 High availability and load balancing using clusters Troubleshooting cluster configuration problems Table 14-5 Common errors on remote cluster members (Continued) Error message: Redirected services will not work if the requested address is set to the... Description: This occurs frequently for standard SMTP configuration created by the... Action: When creating a cluster, existing entities must use a VIP address and...
  • Page 543 High availability and load balancing using clusters Troubleshooting cluster configuration problems Table 14-5 Common errors on remote cluster members (Continued) Error message: The remote member <IP> is a member of a different cluster. Description: The cluster member that you are... Action: Delete the cluster member from the...
  • Page 544 High availability and load balancing using clusters Troubleshooting cluster configuration problems Table 14-5 Common errors on remote cluster members (Continued) Error message: The remote host is using a duplicate address of <IP>. Description: The security gateway that you are... Action: Ensure that the security gateway...
  • Page 545 High availability and load balancing using clusters Troubleshooting cluster configuration problems Table 14-5 Common errors on remote cluster members (Continued) Error message: The configuration cannot be updated, the heartbeat address <IP> cannot be modified without... Description: Invalid update of the heartbeat interface information causes severe problems with the cluster. Action: None
  • Page 546: Configuring Advanced Options

    They are also commonly used by Symantec Technical Support as a method of generating more verbose log messages to help diagnose and troubleshoot issues. Caution: You should not add advanced options unless directed to do so by Symantec Technical Support. Incorrectly entering advanced options can cause performance problems.
  • Page 547 Advanced system settings Configuring advanced options Table A-1 Advanced options (Continued) Option name Description connection_rate.interval Period of time (in seconds) in which the number of connections from a single source IP address must exceed the connection limit defined by connection_rate.limit. The default value is 30.
  • Page 548 Advanced system settings Configuring advanced options Table A-1 Advanced options (Continued) Option name Description idssym.external_lan Large area networks for external communication. idssym.external_net Network segments for external communication. idssym.h323_ports Ports normally related to H323 traffic. idssym.highload_ports Ports normally related to Highload traffic. idssym.http_servers Systems running HTTP servers.
  • Page 549 The default value is 80. misc.vpn.enabled Enables the security gateway low-level driver. You should not set this to disable unless Symantec Technical Support instructs you to do so. The default value is Enable. non_RFC_language Encoding language the HTTP proxy should use.
  • Page 550: Tcp-Gsp..Nolinger

    Advanced system settings Configuring advanced options Table A-1 Advanced options (Continued) Option name Description portcontrol.enable_udp_ports Specifies the UDP port to open. There is no default value. smtpd.loose_relay_check Loosens syntax checking on recipient addresses. You have to set this option to true for smtpd.no_srcroutes to work. The default value is false.
  • Page 551 Advanced system settings Configuring advanced options Prerequisites None. Add, modify, or delete advanced options You can perform the following functions with advanced options: Add ■ Modify ■ Delete ■ To add an advanced option In the SGMI, in the left pane, under System, click Administration. In the right pane, on the Advanced Options tab, click New.
  • Page 552 Advanced system settings Configuring advanced options Do one of the following: To save your configuration now and activate later, on the toolbar click Save. ■ To activate your configuration now, on the toolbar click Activate. ■ When prompted to save your changes, click Yes. Related information None.
  • Page 553 Advanced system settings Configuring advanced options...
  • Page 554: About Ssl Certificates

    Appendix SSL server certificate management This chapter includes the following topics: About SSL certificates ■ Installing a certificate authority ■ Creating a new certificate ■ Generating a request file ■ Installing a signed certificate ■ About SSL certificates The security gateway’s Clientless VPN uses the Secure Sockets Layer (SSL) protocol to authenticate and encrypt client connections.
  • Page 555 SSL server certificate management Creating a new certificate Click Add. The certificate authority appears in the Certificate Authorities list. Optionally, do the following: To save your configuration now and activate later, on the toolbar, click Save. ■ To activate your configuration now, on the toolbar, click Activate. ■...
  • Page 556: Generating A Request File

    SSL server certificate management Generating a request file Generating a request file After you have generated a certificate on the security gateway, you can use it as is (that is, self-signed) or you can generate a request file with which to send it to a certificate authority to get it signed. Prerequisites Complete the following tasks before beginning this procedure: “Installing a certificate authority”...
  • Page 557 SSL server certificate management Installing a signed certificate...
  • Page 558: Appendix C Troubleshooting And Problem Solving

    Click on your specific product name and version. On the knowledge base page for Symantec Gateway Security 5000 Series, do any of the following: On the Hot Topics tab, click any of the items in the list to view a detailed list of knowledge ■...
  • Page 559: Important Reminders

    Many problems right after installation come from basic connectivity glitches. Use the verification procedure in the Symantec Gateway Security 5000 Series v3.0 Installation Guide to test your basic connectivity. ■ Isolating a problem To solve a problem, you must locate it.
  • Page 560: Using The Security Gateway

    Troubleshooting and problem solving Isolating a problem Using the security gateway The best technique for locating a problem is using the security gateway as a client. Figure C-1 shows an example network. Figure C-1 Troubleshooting from the security gateway (network diagram; labels include Boxprime, Router and the addresses 206.7.7.7 and 206.7.7.14)...
  • Page 561: Troubleshooting Utilities

    This section provides details on utility programs that are shipped with the security gateway. These utilities let you perform command-line troubleshooting and diagnostic tasks. You must have a solid networking background to use these utilities. If necessary, contact Symantec Technical Support before using the utilities described in this section.
  • Page 562: Using The Ftp Client

    Troubleshooting and problem solving Troubleshooting utilities For binary files, translate into text without any further parsing. Ignored unless -b is used. Print out sequence number, class and tag ID for each message. Follow output. (Binary files, default interval 2s). Follow update interval in seconds. (Implies -f). Tail the last n log messages.
  • Page 563: Using Tcpdump

    Remarchive ■ Related information For further information related to this topic, see the following: “Integrating Symantec DeepSight Threat Management System” on page 494 ■ “Using command-line utilities to perform a local or remote backup” on page 101 ■...
  • Page 564: Appendix D Field Descriptions

    Appendix Field descriptions This chapter includes the following topics: Monitors field descriptions ■ Policy field descriptions ■ Assets field descriptions ■ System field descriptions ■ Cluster field descriptions ■ Menu option field descriptions ■ The topics in this appendix represent the online Help that you can display from specific points in the SGMI, including the following: Individual tabs of properties dialog boxes that you use to configure security gateway objects.
  • Page 565: Status

    Field descriptions Monitors field descriptions Associated tasks The task that you can perform with this window is: “Viewing system health” on page 462 ■ Table D-1 Overall Health window descriptions Field Definition Network Throughput Provides information about the throughput, in megabits per second (Mbps), on each configured network interface and the combined throughput, in megabits per second (Mbps), on all configured network interfaces.
  • Page 566 It also shows the status of the antivirus servers that are configured for client compliance. The Hardware Encryption Diagnostics tab runs tests on the Symantec Gateway Security 5600 Series hardware accelerator chip. ■ This functionality is available only on Symantec Gateway Security 5600 Series appliances.
  • Page 567 Field descriptions Monitors field descriptions Associated tasks The task that you can perform with this dialog box is: “Viewing active connections” on page 467 ■ Table D-3 Active Connection Properties dialog box Field Description Service Name of the service on which the connection is open. Source Host name or IP address of the source of the connection.
  • Page 568 Field descriptions Monitors field descriptions Table D-3 Active Connection Properties dialog box (Continued) Field Description Operation Protocol specified operations (such as GET, PUT for HTTP). For IPsec stats, this field is always blank. Operand Qualifier or target of the operation (such as URL for HTTP). This field may be blank.
  • Page 569: Antivirus Servers Tab

    Field descriptions Monitors field descriptions Antivirus Servers tab The Antivirus Servers tab identifies the antivirus servers that are configured in the Policy > Client Compliance window to check for client compliance during VPN connection attempts. Associated tasks The task that you can perform with this tab is: “Viewing antivirus server status”...
  • Page 570: Clientless Vpn Failed Logons Tab

    The hardware accelerator chip is working correctly. Failed ■ The hardware accelerator chip is not working correctly. If the diagnostics fail, you should contact Symantec Technical Support. Diagnostics Initiates the hardware encryption diagnostics test. Clientless VPN Failed Logons tab The Clientless VPN Failed Logons tab displays clientless VPN user accounts that are not allowed to log on because the number of allowed failed logon attempts was exceeded.
  • Page 571: Logs

    Field descriptions Monitors field descriptions Logs The SGMI has several windows that let you monitor current information about the event log messages and IDS/IPS alerts. The Event Logs window shows detailed information about all connections, connection attempts, and system operations. ■ The IDS/IPS Alerts window shows detailed information about IDS/IPS alerts.
  • Page 572 Indicates an emergency. The system will no longer allow traffic through. Security is ensured by shutting down all network traffic through the security gateway. Unknown ■ Issued only when Symantec Technical Support runs a diagnostic program. Event Description of the event. Classification Major class under which this event falls.
  • Page 573 Field descriptions Monitors field descriptions Table D-8 Event dialog box (Continued) Field Description > Displays the properties of the next event in the log. < Displays the properties of the previous event in the log. Event Log tab—Log Search dialog box—Search tab The Log Search dialog box lets you reduce the number of log messages in the event log table by specifying that only events that match certain criteria are displayed.
  • Page 574 Emergency ■ Indicates an emergency. The system will no longer allow traffic through. Security is ensured by shutting down all network traffic through the security gateway. Unknown ■ Issued only when Symantec Technical Support runs a diagnostic program.
  • Page 575: Open Archived Log File Dialog Box

    Field descriptions Monitors field descriptions Table D-10 Event Log tab—Log Search dialog box—Advanced tab (Continued) Field Description Classification Limits the log messages displayed according to their classification. You can expand the Classification tree to select a classification category at any level in the tree.
  • Page 576 Field descriptions Monitors field descriptions Table D-12 IDS/IPS Alerts tab (Continued) Field Description Open Log Lets you open, delete, or back up an archived log file. Current If you are viewing an archived log file, returns you to the current log file. If an old log file is open (shown in the view), this opens the log file that is currently being written to.
  • Page 577 Field descriptions Monitors field descriptions Table D-13 IDS Alert Properties (Continued) Field Description Severity Displays the severity level of this event. Severity ratings describe the severity of the threat that the event type covers. The severity ratings are: Informational ■ An informational severity level indicates an issue that is not generally considered malicious, such as policy violations.
  • Page 578 Field descriptions Monitors field descriptions Table D-14 IDS/IPS Alerts tab—Log Search dialog box—Search tab (Continued) Field Description Destination IP IP address of the destination of the intrusion. This option is unchecked by default. Destination port Port number of the destination of the intrusion. This option is unchecked by default.
  • Page 579: Text Patterns

    Unknown ■ Issued only when Symantec Technical Support runs a diagnostic program. Parameters Limits the alerts displayed according to parameters contained in the messages and the values you specify.
  • Page 580: Notifications

    Field descriptions Monitors field descriptions Notifications Notifications are configured to alert administrators by email, pager, or SNMP message when events requiring attention occur. You can also configure the security gateway to invoke an application, potentially resolving an issue without administrator intervention. IDS/IPS Blacklist Notification Properties—General tab You can configure the security gateway to drop all packets from a source address for a set period of time.
  • Page 581 Field descriptions Monitors field descriptions IDS/IPS Blacklist Notification Properties—Blacklist tab The Blacklist tab lets you specify the security gateway to which blacklist information is sent. Associated tasks The task that you can perform with this tab is: “Configuring IDS/IPS blacklist notifications” on page 486 ■...
  • Page 582 Field descriptions Monitors field descriptions Table D-18 IDS/IPS Blacklist Notification Properties—Severity tab (Continued) Field Description Informational Standard messages that indicate the security gateway is operating properly. IDS/IPS Blacklist Notification Properties—Description tab Optionally, provides an extended description. This information is useful to help track changes or it can be used as criteria for searches.
  • Page 583 Field descriptions Monitors field descriptions Table D-19 Client Program Notification Properties—General tab (Continued). Triggered by Emergency Event: Indicates an emergency. The system no longer allows traffic through; security is ensured by shutting down all network traffic through the security gateway. This option is unchecked by default.
  • Page 584 Table D-20 Email Notification Properties—General tab (Continued). Notification Name: A unique name for the email notification. The maximum length is 256 characters. Allowed characters are a-z, A-Z, numerals, periods (.), dashes (-), and underscores (_). Do not include spaces in the name.
  • Page 585 Email Notification Properties—Description tab: Optionally provides an extended description. This information is useful for tracking changes, and it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. Pager Notification Properties—General tab: A pager notification causes the security gateway to page the user you specify when log messages of the designated level are generated.
  • Page 586 Table D-21 Pager Notification Properties—General tab (Continued). Triggered by Alert Event: A security rule has been triggered, which could potentially be an attempt to breach the network perimeter. This option is unchecked by default. Triggered by Error Event: Normal security gateway operation cannot complete successfully.
  • Page 587 Table D-22 SNMP V1 Trap Notification Properties—General tab (Continued). Notification Name: A unique name for the SNMP V1 trap notification. The maximum length is 256 characters. Allowed characters are a-z, A-Z, numerals, periods (.), dashes (-), and underscores (_). Do not include spaces in the name.
  • Page 588 Table D-22 SNMP V1 Trap Notification Properties—General tab (Continued). Port: The port number provided by the SNMP system administrator. The default is 162. Caption: An optional, brief description of the SNMP V1 trap notification. The maximum length is 128 characters. SNMP V1 traps are neither encrypted nor authenticated beyond the plaintext community string, so the trap receiver should be reachable only over a management network.
  • Page 589 Table D-23 SNMP V2 Trap Notification Properties—General tab (Continued). Triggered by Emergency Event: Indicates an emergency. The system no longer allows traffic through; security is ensured by shutting down all network traffic through the security gateway. This option is unchecked by default.
  • Page 590: Policy Field Descriptions

    Rule Properties—General tab: Rules control access to and from your private networks through your Symantec security gateways. Basic rules include source and destination entities and the interface or secure tunnel to use for access into and out of the designated security gateway. You specify these values on the General tab.
  • Page 591 Table D-24 Rule Properties—General tab (Continued). Arriving through: The interface or tunnel through which the traffic arrives. All interfaces and tunnels configured on the security gateway appear in the drop-down list. In addition to any interfaces or tunnels you have created, the drop-down list contains the following options: <ANY>...
  • Page 592 Table D-24 Rule Properties—General tab (Continued). Destination: A network entity that represents the destination of the traffic. See the specific network entity descriptions for the Source field. The default selection is (none). You must select a destination to create the rule. Note: When you choose a specific tunnel for the Leaving through field, the user or user group specified as the remote endpoint of the tunnel is automatically filled in as the destination and cannot be changed.
  • Page 593 Rule Properties—Alert Thresholds tab: You can specify alert thresholds that trigger log messages. Alert thresholds work according to the number of connections or connection attempts made over a given period of time. Associated tasks: “Applying alert thresholds to rules”...
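Added example (not code from the manual or the product): the Python below shows what a connection-count threshold over a time period amounts to when applied to a rule's log stream. It keeps a sliding window of attempts per rule, raises one alert when the count inside the window exceeds the limit, and stays quiet until the burst subsides, so that a sustained flood does not produce one alert per connection. The log line format, rule names and addresses are constructed for the example and are not the gateway's own log format.

```python
import re
from collections import deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log (format assumed for this example; not the gateway's own).
SAMPLE_LOG = [
    "2006-03-01T10:00:00 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
    "2006-03-01T10:00:01 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
    "2006-03-01T10:00:02 rule=web_in src=198.51.100.4 dst=192.0.2.20 action=accept",
    "2006-03-01T10:00:02 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
    "2006-03-01T10:00:03 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
    "2006-03-01T10:00:04 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
    "2006-03-01T10:00:05 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
    "2006-03-01T10:00:06 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
    "2006-03-01T10:05:00 rule=ssh_in src=203.0.113.9 dst=192.0.2.10 action=accept",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) rule=(?P<rule>\S+) src=(?P<src>\S+)")
EPOCH = datetime(2000, 1, 1)  # arbitrary fixed origin; only differences matter


class AlertThreshold:
    """Sliding-window counter for one rule: alerts once when more than `limit`
    connection attempts fall inside any `period`-second window, and re-arms
    after the count drops back to the limit or below."""

    def __init__(self, rule: str, limit: int, period: float):
        self.rule, self.limit, self.period = rule, limit, period
        self._times = deque()
        self._alerted = False

    def record(self, t: float) -> Optional[str]:
        self._times.append(t)
        # Discard attempts that have aged out of the window.
        while self._times and t - self._times[0] > self.period:
            self._times.popleft()
        n = len(self._times)
        if n <= self.limit:
            self._alerted = False      # burst over: arm for the next one
            return None
        if self._alerted:
            return None                # already reported this burst
        self._alerted = True
        return (f"ALERT rule={self.rule}: {n} connection attempts within "
                f"{int(self.period)}s exceeds limit {self.limit}")


def scan_log(lines: List[str], limit: int, period: float) -> List[str]:
    """Run every log line through the per-rule trackers; return alert messages."""
    trackers: Dict[str, AlertThreshold] = {}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = (datetime.fromisoformat(m["ts"]) - EPOCH).total_seconds()
        tracker = trackers.setdefault(m["rule"], AlertThreshold(m["rule"], limit, period))
        msg = tracker.record(t)
        if msg:
            alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG, limit=5, period=60):
        print(a)
```

With a limit of 5 attempts per 60 seconds the sample produces exactly one alert, at the sixth ssh_in attempt; the later attempt at 10:05:00 falls outside the window and does not alert.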
  • Page 594 Rule Properties—Miscellaneous tab: Use the Miscellaneous tab to enable or disable the options that affect logging, content security scanning, and high availability/load balancing. Associated tasks: “Modifying firewall rules to reduce log messages”...
  • Page 595 An example of a special service is one that limits the length of lines in the body of an SMTP message. Note: The syntax must be correct; consult Symantec Technical Support for the exact syntax required for the special rule service you are creating.
  • Page 596 Table D-28 Rule Properties—Authentication tab (Continued). Excluded network users: Displays the users that are disallowed by the rule. All users that you add to this list are disallowed by the rule. You can use the excluded list in conjunction with the included user groups list to allow most users of a group but exclude specific individuals.
  • Page 597 Table D-29 Rule Properties—Antivirus tab (Continued). POP3: Indicates whether antivirus scanning is applied to POP3 email traffic that is controlled by this rule. This option is only available if the service group used in the rule includes the POP3 protocol. This option is unchecked by default.
  • Page 598 Table D-29 Rule Properties—Antivirus tab (Continued). FTP: Indicates whether antivirus scanning is applied to FTP traffic that is controlled by this rule. This option is only available if the service group used in the rule includes the FTP protocol. This option is unchecked by default.
  • Page 599 Associated tasks: “Adding antispam protection to a rule” on page 358 ■ Table D-30 Rule Properties—Antispam tab. Real-time blacklist servers: Enables the following antispam processes: Real-time blacklist servers ■...
  • Page 600 Rule Properties—Content Filtering tab: Much of the traffic on the Internet is HTTP traffic. The security gateway offers a variety of tools for managing Web access for both incoming and outgoing traffic.
  • Page 601: Packet Filters

    Rule Properties—Description tab: Optionally provides an extended description. This information is useful for tracking changes, and it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. Packet Filters: Packet filters let you discard packets that should not be forwarded or serviced locally. A well-constructed filter removes a significant portion of undesired traffic, freeing resources for legitimate connections.
  • Page 602 Packet Filter Properties—Entry Directions tab: The Entry Directions tab lets you choose specific entity/protocol pairs and control the order in which they are applied. The order of filter elements is important: the first element that matches a packet passing through the security gateway or the tunnel is the only one that applies, so a broad allow placed before a narrow deny silently disables the deny.
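Added example (not code from the manual or the product): a minimal first-match evaluator in Python that makes the ordering rule concrete. The same two filter elements are evaluated in both orders against one packet, and the decision flips; a packet that matches nothing falls through to the default action. Entity/protocol pairs are modelled as CIDR blocks plus protocol and port, and the addresses and element names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FilterEntry:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # destination port; None means any port


def entry_matches(entry: FilterEntry, pkt: dict) -> bool:
    """True when every attribute of the entry covers the packet."""
    if entry.proto != "any" and entry.proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(entry.src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(entry.dst):
        return False
    if entry.dport is not None and entry.dport != pkt.get("dport"):
        return False
    return True


def evaluate(filters: List[FilterEntry], pkt: dict,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match semantics: the first entry that matches decides and later
    entries are never consulted. Returns (action, index) or (default, None)."""
    for i, entry in enumerate(filters):
        if entry_matches(entry, pkt):
            return entry.action, i
    return default, None


# Constructed elements: the broad allow and the narrow deny overlap for the packet below.
ALLOW_SSH = FilterEntry("allow", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22)
DENY_GUEST = FilterEntry("deny", "any", "10.0.5.0/24", "0.0.0.0/0")

PKT = {"proto": "tcp", "src": "10.0.5.7", "dst": "192.0.2.10", "dport": 22}
UNRELATED = {"proto": "udp", "src": "172.16.0.1", "dst": "192.0.2.10", "dport": 53}


def demo() -> dict:
    """Decisions for the same packet under both orderings, plus the fall-through case."""
    return {
        "allow_first": evaluate([ALLOW_SSH, DENY_GUEST], PKT),
        "deny_first": evaluate([DENY_GUEST, ALLOW_SSH], PKT),
        "no_match": evaluate([ALLOW_SSH, DENY_GUEST], UNRELATED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```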
  • Page 603: Time Periods

    Packet Filter Group Properties—Filter Sequence tab: The Filter Sequence tab lets you select filters or filter groups to include in this filter group and specify the order in which they are applied. Associated tasks: “Creating packet filter groups”...
  • Page 604 Time Period Range Properties—Time Range tab: Use the Time Range tab to specify the time limits that are enforced when the time period is included in a rule or notification. Associated tasks: “Configuring a time period range”...
  • Page 605 Time Period Range Properties—Description tab: Optionally provides an extended description. This information is useful for tracking changes, and it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. Time Period Group Properties—General tab: The Time Period Group Properties dialog box lets you group time period ranges together in an inclusive OR relationship: the group is in effect whenever any one of its ranges is in effect.
  • Page 606: Vpn Tunnels

    VPN Tunnels: Virtual Private Network (VPN) technology lets you securely extend the boundaries of your internal network through the use of VPN tunnels. Tunnels let either a single user or a remote network gain access to your protected resources.
  • Page 607 If you have also selected a data privacy algorithm, clicking Generate Keys causes the security gateway to generate a set of privacy algorithm keys. If you selected DES rather than 3DES as the data privacy algorithm in your VPN policy, only one DES key is required instead of three. Note that DES uses a 56-bit key and is not considered adequate protection for data in transit; prefer 3DES.
  • Page 608 Table D-41 IPsec static key tunnel Properties—Keys tab (Continued). Authentication Header SPIs, Remote network entity: The Security Parameter Index (SPI) for the remote endpoint of the tunnel. The SPI is part of, and defined by, the AH and ESP protocols. It is carried in the packet header and lets the receiver identify the tunnel to which the packet belongs.
  • Page 609 Table D-42 Gateway-to-Gateway tunnel Properties—General tab (Continued). Caption: An optional, brief description of the VPN tunnel. The maximum length is 128 characters. For longer descriptions, use the Description tab. Gateway-to-Gateway tunnel Properties—Description tab: Optionally provides an extended description.
  • Page 610: Vpn Policies

    VPN Policies: Before you set up your secure tunnels, you can create VPN policies that work on a global level, which makes tunnel configuration faster and easier. Rather than configuring the components present in these policies for every tunnel you create, you configure general policies once and then apply them to your secure tunnels.
  • Page 611 Table D-44 IPsec IKE policy Properties—General tab (Continued). Encapsulation mode: Select the encapsulation mode: Tunnel mode ■ This is the default. Transport mode ■ Select transport mode only when both tunnel endpoints are the same as their gateway addresses.
  • Page 612 IPsec/IKE policy Properties—Data Privacy Preference tab: The data privacy preference is one of the algorithms that you specify when you create an IPsec/IKE policy for VPN tunnels. It specifies the encryption algorithm used in the Encapsulating Security Payload (ESP) of packets sent through the tunnel.
  • Page 613 IPsec IKE policy Properties—Data Integrity Preference tab: The data integrity preference is one of the algorithms that you specify when you create an IPsec/IKE policy for VPN tunnels. It dictates the type of authentication header that is prepended to packets sent through the tunnel.
  • Page 614 IPsec IKE policy Properties—Data Compression Preference tab: The data compression preference is an algorithm that you specify when you create an IPsec/IKE policy for VPN tunnels. It identifies the kind of compression that is used on data in a tunnel that uses the policy.
  • Page 615 Table D-48 IPsec IKE policy Properties—Diffie-Hellman Preference tab (Continued). Selected: Lists the Diffie-Hellman groups that are used in the policy. The default is group 1, then group 2. Moves the selected item up in the Selected list. If more than one algorithm is assigned, the first one is tried, and if it is unsuccessful, the next one is tried. Because the peer can end up with any entry on the list, list only groups you are willing to use; group 1 (768-bit MODP) and group 2 (1024-bit MODP) are weak by current standards, so put the strongest group both peers support first.
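Added example (not code from the manual or the product) covering the ordered preference lists on the Data Privacy, Data Integrity, Data Compression and Diffie-Hellman tabs. The Python below walks each local list in order and takes the first entry the peer accepts, exactly as the tab describes, and then shows the consequence: a peer that supports only the last entry on a list gets that entry, so the only way to prevent a weak choice is to remove it from the list. The algorithm labels and the two peer profiles are constructed for the example.

```python
from typing import Dict, List, Optional, Sequence, Set

# The four preference lists an IPsec/IKE policy carries in the manual.
ATTRIBUTES = ("privacy", "integrity", "compression", "dh_group")


def pick_first_accepted(preferences: Sequence[str], accepted: Set[str]) -> Optional[str]:
    """Try the entries of `preferences` in order; the first one the peer
    accepts is used. Returns None when no entry is acceptable."""
    for alg in preferences:
        if alg in accepted:
            return alg
    return None


def negotiate(local: Dict[str, List[str]],
              peer: Dict[str, Set[str]]) -> Optional[Dict[str, str]]:
    """Negotiate every attribute independently. Returns the chosen set, or
    None when any attribute has no proposal in common (no tunnel)."""
    chosen = {}
    for attr in ATTRIBUTES:
        alg = pick_first_accepted(local[attr], peer[attr])
        if alg is None:
            return None
        chosen[attr] = alg
    return chosen


def strip_disallowed(policy: Dict[str, List[str]],
                     disallowed: Sequence[str]) -> Dict[str, List[str]]:
    """Copy of `policy` with the named algorithms removed from every list, so
    that no peer can negotiate them regardless of list order."""
    return {attr: [a for a in algs if a not in disallowed] for attr, algs in policy.items()}


# Constructed local policy; each list is in "Selected" order, strongest first.
LOCAL_POLICY = {
    "privacy":     ["3des", "des"],
    "integrity":   ["hmac-sha1", "hmac-md5"],
    "compression": ["none"],
    "dh_group":    ["group2", "group1"],
}
# A constructed peer that only supports the last entry of every list.
WEAK_PEER = {
    "privacy": {"des"}, "integrity": {"hmac-md5"},
    "compression": {"none"}, "dh_group": {"group1"},
}
# A constructed peer that supports everything.
STRONG_PEER = {
    "privacy": {"3des", "des"}, "integrity": {"hmac-sha1", "hmac-md5"},
    "compression": {"none"}, "dh_group": {"group2", "group1"},
}

if __name__ == "__main__":
    print("weak peer, full list:", negotiate(LOCAL_POLICY, WEAK_PEER))
    print("weak peer, trimmed list:",
          negotiate(strip_disallowed(LOCAL_POLICY, ["des", "hmac-md5", "group1"]), WEAK_PEER))
    print("strong peer:", negotiate(LOCAL_POLICY, STRONG_PEER))
```

Ordering only expresses preference; it is not a floor. The trimmed policy refuses the weak peer outright, which is the behaviour you want when the alternative is a tunnel protected by algorithms your policy no longer permits.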
  • Page 616 Table D-49 IPsec static key policy Properties—General tab (Continued). Data integrity protocol: Select one of the following data integrity protocols: Apply integrity preference to data portion of the packet (ESP) ■ This option provides integrity, authentication, and confidentiality for the packet. It works between hosts, between hosts and security gateways, and between security gateways, ensuring that data has not been modified in transit.
  • Page 617: Ipsec Static Key Policy Properties-Data Privacy Preference Tab

    IPsec static key policy Properties—Data Privacy Preference tab: The data privacy preference is one of the algorithms that you specify when you create an IPsec static key policy for VPN tunnels. It specifies the encryption algorithm used in the Encapsulating Security Payload (ESP) of packets sent through the tunnel.
  • Page 618: Clientless Vpn

    The maximum length is 20,000 alphanumeric characters. Clientless VPN: Symantec Clientless VPN enables complete, secure, authenticated, auditable, and controlled remote access to email, shared network files and resources, corporate applications, corporate intranets, and corporate Web-based applications from any location. Remote users at any dial-up, broadband, or...
  • Page 619 VPN Profile Properties—General tab: You can select either an address pool or a DHCP interface for the clientless connection. The routes needed for the connection are also defined here. Associated tasks: “Defining VPN profiles to allow communication between the security gateway and clientless ■...
  • Page 620 VPN Profile Properties—Add Route dialog box: The Add Route dialog box lets you populate the VPN Profile Route Table with the subnets that are accessible to remote users. Associated tasks: “Defining VPN profiles to allow communication between the security gateway and clientless ■...
  • Page 621 Query: An optional query to help locate http and https resources. Wildcard expressions may be used. For example, in the Web URL http://jdoe:passwd@dir.anywhere.com/products.html?Symantec, the query ?Symantec locates dynamic content containing the name Symantec. (The user:password prefix in this example URL only illustrates where the query sits in a URL; credentials embedded in a URL are exposed in proxy logs and browser history.) Share: For file resource rules, the share mount point.
  • Page 622 Simple Rule Properties—Description tab: Optionally provides an extended description. This information is useful for tracking changes, and it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. Advanced Rule Properties—General tab: An advanced rule identifies a resource and the attributes required to access it.
  • Page 623 Query: Expression that matches the text after the ? symbol in a Web URL. Wildcard expressions may be used. For example, in the Web URL http://jdoe:passwd@dir.symantecs.com/products.html?Symantec, the query ?Symantec locates dynamic content containing the name Symantec. User name: The user to whom access to the resource is allowed (or denied).
  • Page 624 Rule Set Properties—General tab: A rule set is a group of rules. Once grouped, you can assign the entire set of rules to a role. Administrators can assign individual rules and/or rule sets to roles. A rule set can contain both allow and deny rules, other rule sets (including itself), and contradicting allow/deny rules (deny always overrides allow).
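Added example (not code from the manual or the product): a Python evaluator for the rule-set semantics just described, serving both the wildcard resource matching of the simple and advanced rules and the rule-set composition rules. Any matching deny overrides any matching allow, nested rule sets are expanded, and a set that contains itself is visited once rather than recursing forever. Resource patterns, set names and the sample resources are constructed for the example; the manual does not specify its wildcard dialect, so shell-style `*` and `?` are assumed here.

```python
from fnmatch import fnmatchcase
from typing import List, Optional, Set


class Rule:
    def __init__(self, action: str, resource: str):
        assert action in ("allow", "deny")
        self.action = action
        self.resource = resource   # wildcard pattern over the resource locator


class RuleSet:
    def __init__(self, name: str, rules: List[Rule] = (), subsets: List["RuleSet"] = ()):
        self.name = name
        self.rules = list(rules)
        self.subsets = list(subsets)


def decide(rule_set: RuleSet, resource: str,
           _seen: Optional[Set[str]] = None) -> Optional[str]:
    """Evaluate `resource` against a rule set and everything it contains.
    Returns "deny" if any matching deny exists anywhere in the tree, "allow"
    if at least one allow matched and no deny did, and None when nothing
    matched. Each set is expanded at most once, so self-inclusion is safe."""
    if _seen is None:
        _seen = set()
    if rule_set.name in _seen:
        return None
    _seen.add(rule_set.name)
    verdict = None
    for rule in rule_set.rules:
        if fnmatchcase(resource, rule.resource):
            if rule.action == "deny":
                return "deny"           # deny wins immediately
            verdict = "allow"
    for sub in rule_set.subsets:
        inner = decide(sub, resource, _seen)
        if inner == "deny":
            return "deny"
        if inner == "allow":
            verdict = "allow"
    return verdict


def is_permitted(rule_set: RuleSet, resource: str) -> bool:
    """Enforcement: only an explicit, un-overridden allow grants access;
    an unmatched resource is treated as denied."""
    return decide(rule_set, resource) == "allow"


# Constructed rule sets.
finance = RuleSet("finance", rules=[
    Rule("allow", "smb://files.example/finance/*"),
    Rule("deny", "smb://files.example/finance/payroll/*"),
])
everyone = RuleSet("everyone", rules=[Rule("allow", "https://intranet.example/*")])
finance.subsets.append(finance)      # a rule set may contain itself
finance.subsets.append(everyone)     # and other rule sets

if __name__ == "__main__":
    for r in ("smb://files.example/finance/budget.xls",
              "smb://files.example/finance/payroll/q1.xls",
              "https://intranet.example/news",
              "ftp://other.example/pub"):
        print(r, "->", decide(finance, r), "permitted" if is_permitted(finance, r) else "refused")
```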
  • Page 625 Clientless VPN Role Properties—General tab: Roles let you assign users access privileges and customized portal pages based on a user's function within an organization. You use the General tab to name the role and associate it with an authentication server. Associated tasks: “Creating and assigning roles”...
  • Page 626 Clientless VPN Role Properties—Portal Pages tab: The Portal Pages tab lets you select a portal page to include in the role you are creating or modifying. Associated tasks: “Assign the portal page to a role”...
  • Page 627 Clientless VPN Role Properties—Rule/Rule Set Selection dialog box: The Rule/Rule Set Selection dialog box lets you select rules or rule sets to associate with a role. Associated tasks: “Assigning a rule or rule set to a role”...
  • Page 628 Clientless VPN Role Properties—Description tab: Optionally provides an extended description. This information is useful for tracking changes, and it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. Clientless VPN Role Properties—Import Roles dialog box: You can import Clientless VPN user roles or group roles that have been pre-configured on an internal or external authentication server, or from a database file.
  • Page 629 Table D-66 Single Sign-on Rule Properties—General tab (Continued). Authentication URL: The URL that handles the authentication data from the form on the logon HTML page. Authentication method: The method used to gather authentication variables. The options are: ■...
  • Page 630 Host Translation Rule Properties—General tab: The security gateway can use reverse proxy translation to rewrite resource host names or URLs with the security gateway's address in place of the actual network host or URL. Use the General tab of the host translation rule properties to specify a host name or a range of host names for which reverse proxy translation is allowed or denied.
  • Page 631: Antivirus

    Antivirus: The security gateway lets you configure antivirus scanning and filtering policies. The antivirus scanner detects viruses, worms, and Trojan horses in all major file types. The security gateway also includes a decomposer that handles most compressed and archive file formats and nested levels of files.
  • Page 632 Table D-70 Antivirus—Configuration tab (Continued). Maximum depth: Indicates whether this option is enabled and displays the maximum number of nested levels of files that are decomposed within a container file. Use any number from 1 to 49. This option is checked by default. Keep the limit as low as legitimate traffic allows: deeply nested archives are a common way to exhaust scanner resources or to hide content from inspection.
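Added example (not code from the manual or the product): a small Python decomposer that shows what a nesting-depth limit does during container decomposition. It recurses into ZIP containers only (the gateway's decomposer handles many more formats), counts each container it opens as one level, blocks the attachment when a container would be opened beyond the limit, and also caps the total extracted size, which is an extra guard assumed here rather than a setting from the manual. The nested test archive is constructed in memory by the block itself.

```python
import io
import zipfile
from typing import List, Optional, Tuple, Union


class DepthExceeded(Exception):
    pass


class SizeExceeded(Exception):
    pass


def decompose(name: str, data: bytes, max_depth: int, max_total_bytes: int,
              _depth: int = 0, _budget: Optional[list] = None) -> List[Tuple[str, int]]:
    """Return (path, depth) for every leaf file reachable from `data`.
    Raises DepthExceeded when a container sits deeper than `max_depth`
    levels, and SizeExceeded when the bytes actually extracted pass
    `max_total_bytes` (guards against decompression bombs; the size cap is
    an assumption of this example, not a manual setting)."""
    if _budget is None:
        _budget = [max_total_bytes]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, _depth)]                      # ordinary file: a leaf
    if _depth + 1 > max_depth:
        raise DepthExceeded(f"{name}: nesting level {_depth + 1} exceeds {max_depth}")
    leaves = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = zf.read(info.filename)
            _budget[0] -= len(member)                # charge the real size, not the header's claim
            if _budget[0] < 0:
                raise SizeExceeded(f"{name}: extracted size exceeds {max_total_bytes} bytes")
            leaves.extend(decompose(f"{name}/{info.filename}", member, max_depth,
                                    max_total_bytes, _depth + 1, _budget))
    return leaves


def scan_attachment(name: str, data: bytes, max_depth: int = 3,
                    max_total_bytes: int = 10_000_000) -> Tuple[str, Union[list, str]]:
    """Policy decision for one attachment: ("scanned", leaves) when every leaf
    was reached, otherwise ("blocked", reason)."""
    try:
        return "scanned", decompose(name, data, max_depth, max_total_bytes)
    except (DepthExceeded, SizeExceeded) as exc:
        return "blocked", str(exc)


def make_nested_zip(payload: bytes, levels: int, inner_name: str = "doc.txt") -> bytes:
    """Constructed test input: `payload` wrapped inside `levels` ZIP containers."""
    data, member = payload, inner_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, data)
        data, member = buf.getvalue(), f"level{i + 1}.zip"
    return data


if __name__ == "__main__":
    three_deep = make_nested_zip(b"hello", 3)
    print(scan_attachment("att.zip", three_deep, max_depth=3))
    print(scan_attachment("att.zip", three_deep, max_depth=2))
```

A depth limit alone does not bound the work: a single container can hold a few huge members, which is why the size budget is charged on bytes actually read rather than on the size the archive header declares.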
  • Page 633 “Specifying file types to scan” on page 338 ■ “Avoiding potential session time-out errors” on page 340 ■ Table D-71 Antivirus—Configuration tab. Block files when the Antivirus scanner is unavailable: Indicates whether to block all files when the antivirus scanner is unavailable. This option is unchecked by default, which means that files pass through unscanned while the scanner is down (fail open); check it if you need fail-closed behaviour.
  • Page 634 Antivirus Configuration tab—Add File Extension dialog box: This dialog box lets you add a file extension to the file extension exclusion list. Associated tasks: “Optimizing scanning resources”...
  • Page 635 Table D-73 Antivirus—Mail Attachment Restrictions tab. Remove attachment: Indicates whether the security gateway removes attachments that exactly match one of the specified file sizes and delivers the remainder of the message, including attachments that do not match a specified file size.
  • Page 636 Antivirus—Response tab: You can specify how you want the security gateway to respond to virus detections for each protocol. Depending on the protocol and the response option that you choose, you can also notify the user that a virus has been detected and what action the security gateway has taken with the infected file.
  • Page 637 Table D-76 Antivirus—Response tab (Continued). POP3: Specifies how you want the security gateway to respond to virus detections for the POP3 protocol. Insert x-virus header ■ Adds an x-virus header to the email message and forwards the email and any attachments to the recipient.
  • Page 638: Antispam

    Table D-76 Antivirus—Response tab (Continued). Message contained in the file that replaces a deleted file: Your customized message that is displayed when a file has been replaced. The custom message can be up to 20,000 alphanumeric characters. You can use the following variables:...
  • Page 639 “Identifying spam using subject pattern matching” on page 355 ■ Table D-77 Antispam—Configuration tab. Real-time blacklist servers: Identifies the blacklist servers used by the security gateway. Up to three real-time blacklist server domains can be entered. There is no limit on the domain name size.
  • Page 640 Table D-78 Antispam—Response tab (Continued). POP3: Indicates the response to heuristic scanning. Prepend to the mail subject ■ The default text is [Spam]. When no text is typed in the box, the subject line is not modified.
  • Page 641 Antispam Configuration tab—Senders identified as spam dialog box: You can configure the security gateway to identify spam email based on a list of sender addresses or domains that you create. Associated tasks: “Identifying spam using a custom known spammers list”...
  • Page 642: Ids/Ips-Policies Tab

    Antispam Configuration tab—Subject patterns identified as spam dialog box: The security gateway lets you identify spam email based on the content of the subject line. When the subject line of an email message matches a pattern that you specify, the security gateway handles the email according to the settings that you configure.
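Added example (not code from the manual or the product) that ties together the known-spammers list, the subject patterns and the "prepend to the mail subject" response from the preceding pages. The Python below classifies a few constructed messages: a sender whose address or domain is on the list, or a subject that matches a wildcard pattern, marks the message as spam, and the configured tag is prepended to the subject unless the tag is empty, in which case the subject is left alone. Real-time blacklist lookups are omitted because they need DNS. The list entries, patterns and messages are constructed; the wildcard dialect (shell-style `*`, matched case-insensitively) is an assumption.

```python
import email.utils
from email import message_from_string
from email.message import Message
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Constructed configuration, mirroring the three settings in the manual.
KNOWN_SPAMMERS = {"cheapmeds.example", "noreply@bulkmailer.example"}   # domains or full addresses
SUBJECT_PATTERNS = ["*free*", "*you have won*", "re: *!!!*"]          # wildcard patterns
SUBJECT_TAG = "[Spam]"                                                 # "" leaves the subject unchanged

# Constructed sample messages.
SAMPLES = [
    "From: Sales <promo@cheapmeds.example>\nSubject: Your order\n\nbody\n",
    "From: alice@partner.example\nSubject: RE: FREE shipping on all orders\n\nbody\n",
    "From: bob@partner.example\nSubject: Q3 budget review\n\nbody\n",
]


def sender_address(msg: Message) -> str:
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.lower()


def is_known_spammer(addr: str) -> bool:
    """Match on the full address or on its domain part."""
    domain = addr.rsplit("@", 1)[-1]
    return addr in KNOWN_SPAMMERS or domain in KNOWN_SPAMMERS


def matching_pattern(subject: str) -> Optional[str]:
    s = subject.lower()
    for pattern in SUBJECT_PATTERNS:
        if fnmatchcase(s, pattern.lower()):
            return pattern
    return None


def classify(raw: str) -> Tuple[bool, Optional[str], str]:
    """Return (is_spam, reason, resulting Subject header)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    addr = sender_address(msg)
    reason = None
    if is_known_spammer(addr):
        reason = f"sender {addr} is on the known spammers list"
    else:
        pattern = matching_pattern(subject)
        if pattern is not None:
            reason = f"subject matches pattern {pattern!r}"
    if reason is None:
        return False, None, subject
    if SUBJECT_TAG and not subject.startswith(SUBJECT_TAG):
        subject = f"{SUBJECT_TAG} {subject}"
    return True, reason, subject


if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```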
  • Page 643: Ids/Ips-Configuration Tab

    Table D-83 IDS/IPS Policy Properties dialog box—General tab. Heuristic: Heuristic detection level for the selected IDS/IPS policy. Options are: Low ■ This low security IDS/IPS policy can be applied to inside interfaces. Medium ■ This medium security IDS/IPS policy can be applied to service networks.
  • Page 644 IDS Event Type Properties dialog box—General tab: The IDS Event Type Properties dialog box lets you review signature details, including an overview, definitions and functions, possible false positives, affected products and components, and additional references. Table D-84 IDS Event Type Properties dialog box—General tab...
  • Page 645: Ids/Ips-Portmap Tab

    Table D-84 IDS Event Type Properties dialog box—General tab (Continued). Severity: Displays the severity level of this event. Severity ratings describe the severity of the threat that the event type covers. The severity ratings are: Informational ■...
  • Page 646 IDS Portmap Configuration Properties dialog box—General tab: The IDS Portmap Configuration Properties dialog box lets you enable and disable IDS/IPS services and change their associated protocols. Associated tasks: “Managing portmap settings”...
  • Page 647: Content Filtering-Advanced Restrictions Tab

    Content Filtering—Advanced Restrictions tab: The Advanced Restrictions tab contains content filtering settings that apply to all content filtering. It lets you specify which URLs, MIME types, and file extensions are allowed or denied. It also lets you define subject line patterns that you want to block.
  • Page 648 Table D-87 Content Filtering—Advanced Restrictions tab (Continued). File Extensions: Lists the file extensions that identify files controlled by the content filtering features. Use the Available and Selected lists as follows: The Available list displays file extensions that have been defined for use with ■...
  • Page 649 Content Filtering Advanced Restrictions tab—MIME Type dialog box: The MIME Type dialog box lets you specify a MIME type to be used for content filtering. Associated tasks: “Filtering by MIME type”...
  • Page 650: Content Filtering Profile Properties-General Tab

    Associated tasks: “Adjusting the sensitivity of DDR” on page 310 ■ “Creating a content profile” on page 311 ■ Table D-92 Content Filtering—Content Profiles tab. Incoming document...
  • Page 651: Url Ratings Tab

    Content Filtering Profile Properties—Description tab: Optionally provides an extended description. This information is useful for tracking changes, and it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. URL Ratings tab: Use this tab to determine URL ratings for predefined content categories, and to modify URL ratings within content categories.
  • Page 652: Newsgroups Tab

    Content Filtering—Rating Category Selection dialog box: The Rating Category Selection dialog box lets you add or remove URL rating categories. Associated tasks: “Modifying the contents of a content category” on page 312 ■...
  • Page 653: Newsgroup Profiles

    Newsgroup Properties—Description tab: Optionally provides an extended description. This information is useful for tracking changes, and it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. Newsgroup Profiles: Newsgroup profiles are sets of newsgroups that you configure under a single newsgroup profile name. Once you have added newsgroups to a newsgroup profile, you control access to them by adding the newsgroup profile to a rule and indicating whether to allow or deny access.
  • Page 654: Client Compliance

    Newsgroup Profile Properties—Profile tab: Use the Profile tab to create lists of allowed newsgroups and denied newsgroups from the newsgroups in the available newsgroups list. Associated tasks: “Creating newsgroup profiles”...
  • Page 655: Policy Parameters

    Client Compliance window (Continued). Require Symantec Client Firewall: Requires that clients have Symantec Client Firewall installed and enabled. This option is checked by default. Require auto-protect: Requires that the antivirus auto-protect feature is enabled. This option is checked by default.
  • Page 656: Assets Field Descriptions

    “Applying IDS/IPS policies to clientless VPN connections” on page 323 ■ “Advanced mail actions” on page 446 ■ Table D-101 Policy Parameters window. Include host name in log entries: Controls whether the source and destination of each connection through the security gateway are logged as IP addresses only, or as both IP addresses and host names.
  • Page 657 Host Network Entity Properties—General tab: A host network entity defines a single host, located either inside or outside of the security gateway. These hosts frequently have specialized uses in your network, such as mail servers and Web servers. Associated tasks: “Configuring a single computer with a host network entity”...
  • Page 658 Associated tasks: “Configuring a single computer with a host network entity” on page 160 ■ Table D-103 Host Network Entity Properties—Spoof Protection tab. Available: Lists the interfaces that are not associated with this host network entity for the purpose of spoof protection.
  • Page 659: Subnet Network Entity

    Table D-104 Subnet Network Entity Properties—General tab (Continued). Caption: An optional brief description of the subnet entity. The maximum length is 128 characters. For longer descriptions, use the Description tab. Subnet Network Entity Properties—Spoof Protection tab: Use the Spoof Protection tab to tighten security by applying spoof protection to the subnet network entity, so that traffic claiming a source address in this subnet is accepted only on the interfaces with which the subnet is associated.
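Added example (not code from the manual or the product) for the host and subnet Spoof Protection tabs above. The Python below models each protected entity as a set of address blocks bound to the interfaces on which those addresses are legitimate, and checks an arriving packet's source address against that binding: an address from a protected entity that arrives on an interface the entity is not associated with is dropped as spoofed, while addresses that no protected entity covers are left to the normal rules. Entity names, address blocks, interface names and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ProtectedEntity:
    name: str
    networks: List[str]     # CIDR blocks the entity covers (a /32 for a host entity)
    interfaces: Set[str]    # interfaces on which this entity's addresses may legitimately arrive


def owner_of(entities: List[ProtectedEntity], src: str) -> Optional[ProtectedEntity]:
    """The first spoof-protected entity whose address blocks contain `src`."""
    addr = ip_address(src)
    for entity in entities:
        if any(addr in ip_network(net) for net in entity.networks):
            return entity
    return None


def check_ingress(entities: List[ProtectedEntity], iface: str, src: str) -> Tuple[str, str]:
    """Spoof-protection verdict for a packet with source `src` seen on `iface`.
    Returns ("pass" | "drop", reason)."""
    entity = owner_of(entities, src)
    if entity is None:
        return "pass", f"{src} is not covered by any spoof-protected entity"
    if iface in entity.interfaces:
        return "pass", f"{src} belongs to {entity.name} and arrived on {iface}"
    return "drop", (f"spoofed: {src} belongs to {entity.name} but arrived on {iface} "
                    f"(associated interfaces: {sorted(entity.interfaces)})")


# Constructed entities: an inside subnet bound to the inside interface and a
# single DMZ host bound to the service-network interface.
ENTITIES = [
    ProtectedEntity("inside_lan", ["10.10.0.0/16"], {"inside"}),
    ProtectedEntity("dmz_web", ["192.0.2.10/32"], {"service"}),
]

# Constructed packets: (ingress interface, source address).
PACKETS = [
    ("inside", "10.10.4.2"),      # legitimate inside host
    ("outside", "10.10.4.2"),     # inside address arriving from the Internet: spoofed
    ("outside", "198.51.100.7"),  # ordinary external address: not spoof-protected
    ("inside", "192.0.2.10"),     # DMZ host address arriving on the inside interface: spoofed
]


def audit(packets: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count verdicts over a packet list."""
    counts = {"pass": 0, "drop": 0}
    for iface, src in packets:
        counts[check_ingress(ENTITIES, iface, src)[0]] += 1
    return counts


if __name__ == "__main__":
    for iface, src in PACKETS:
        print(iface, src, "->", check_ingress(ENTITIES, iface, src))
    print(audit(PACKETS))
```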
  • Page 660 Domain Name Network Entity Properties—General tab: You use the domain name entity properties dialog box to define a group of computers that share the network portion of their host names. A rule that uses a domain name network entity applies to any computer in that domain. Associated tasks: “Defining a registered domain with a domain name network entity”...
  • Page 661 Table D-107 Network Entity Group Properties—General tab (Continued). Caption: An optional brief description of the network entity group. The maximum length is 128 characters. For longer descriptions, use the Description tab. Network Entity Group Properties—Network Entity tab: Use the Network Entity tab to specify which network entities are included in the network entity group.
  • Page 662 Table D-109 Security Gateway Network Entity Properties—General tab (Continued). Caption: An optional brief description of the security gateway network entity. The maximum length is 128 characters. For longer descriptions, use the Description tab. Security Gateway Network Entity Properties—Security Gateway tab: The Security Gateway tab lets you define the security gateway address and the IKE information that are used in the VPN tunnel.
  • Page 663 The maximum length is 20,000 alphanumeric characters. VPN Security Entity Properties—General tab: You create VPN security network entities to serve as the endpoints for VPN tunnels between security gateways and Symantec Client VPN users. Associated tasks: “Defining an entity and security gateway pair with a VPN security entity”...
  • Page 664: Network Interfaces

    Table D-111 VPN Security Entity Properties—General tab (Continued). Caption: An optional brief description of the VPN security entity. The maximum length is 128 characters. For longer descriptions, use the Description tab. VPN Security Entity Properties—Tunnel Endpoints tab: The Tunnel Endpoints tab lets you specify network entity and security gateway pairings, or user account and security gateway pairings, for use as endpoints in tunnels.
  • Page 665 Network Interface Properties—General tab: The Network Interface Properties dialog box lets you configure security features, filters, and routing for the selected network interface. Associated tasks: “Enabling port scan detection”...
  • Page 666: Syn Flood Protection

    Table D-113 Network Interface Properties—General tab (Continued). Suppress reset and ICMP error messages: Indicates whether TCP resets and ICMP error messages are suppressed on this interface. Enabling this option puts the interface into stealth mode, so that probes of closed ports receive no reply. This option is unchecked by default.
  • Page 667 Table D-113 Network Interface Properties—General tab (Continued). Caption: An optional brief description of the network interface. The maximum length is 128 characters. For longer descriptions, use the Description tab. Network Interface Properties—Static IP tab: The Static IP tab contains read-only information about the network interface, including its IP address and, if it is an inside interface, whether it is configured for DHCP.
  • Page 668 Network Interface Properties—Routing tab: The Routing tab lets you enable and configure multicast traffic on this network interface. Associated tasks: “Allowing multicast traffic” on page 135 ■...
  • Page 669: Address Transforms

    Table D-116 Network Interface Properties—Routing tab (Continued). Enable RIP on interface: Enables support for RIP on this interface. This option is unchecked by default. When you enable RIP, you can set the following parameters: Default Metric ■...
  • Page 670 Address Transform Properties—General tab: The General tab lets you specify the address transform parameters that are used by a source when it communicates with a given destination. You can view the properties of the parameters you want to specify, such as the source and destination, and, if they do not serve your needs, you can create new ones.
  • Page 671: Nat Pools

    Address Transform Properties—Source Address Transform tab: The Source Address Transform tab lets you specify how the source address is transformed. Associated tasks: The task that you can perform with this tab is: ■ “Configuring address transforms” on page 360...
  • Page 672 This allocated pool of addresses is dynamically assigned to connecting clients. An IP address becomes available for reassignment when the connection ends and the assigned address is no longer in use. Associated tasks: The task that you can perform with this tab is: “Configuring NAT pools”...
  • Page 673: Redirected Services

    Associated tasks: The task that you can perform with this tab is: ■ “Configuring NAT pools” on page 362. Table D-120 Static NAT Pool Properties—General tab. Field: NAT Pool Name. Description: The maximum length is 256 characters. Allowed characters are a-z, A-Z, numerals, periods (.), dashes (-), and underscores (_).
  • Page 674: Dns

    Redirected Services Properties—General tab: You configure redirected services to enable the security gateway to perform load balancing among multiple internal hosts. Redirected services also give outside users the appearance of transparent access. Associated tasks: The task that you can perform with this tab is: “Configuring redirected services”...
  • Page 675 The security gateway offers many scenarios for implementing DNS. The scenario you choose depends on how your current network is configured and on your DNS objectives. Use the scenario descriptions below to help you decide how to implement DNS for your network. The first scenario is a caching name server; this option is configured by default out of the box.
  • Page 676 DNS Forwarder Record Properties—General tab: A forwarder record points to an external server used to redirect DNS requests. If you prefer not to have the security gateway perform DNS lookups, but instead offload this work to another DNS server, configure a forwarder.
  • Page 677 Table D-124 DNS Host Record Properties—General tab (Continued). Field: Host name. Description: A unique name for the DNS host record. The maximum length is 256 characters. Allowed characters are a-z, A-Z, numerals, periods (.), and dashes (-). Do not include spaces in the name.
  • Page 678 DNS Mail Server Record Properties—General tab: A DNS mail server record, known as a mail exchange (MX) record in BIND, defines the server responsible for handling email. Use a public mail server record to point external mail systems to the address for your domain’s mail server, usually the outside address of the security gateway.
  • Page 679 DNS Mail Server Record Properties—Aliases tab: Use the Aliases tab to assign an alias, or short name, to a mail server to be used in DNS lookups. Aliases are only resolvable for access requests originating from the security gateway itself. Associated tasks: The task that you can perform with this tab is: “Defining your email server with a DNS mail server record”...
  • Page 680 Associated tasks: The task that you can perform with this tab is: ■ “Defining the server that performs lookups with a DNS name server record” on page 148. Table D-129 DNS Name Server Record Properties—General tab. Field: Enable...
  • Page 681 DNS Name Server Record Properties—Domains Served tab: The Domains Served tab lets you configure the domains for which the name server will provide service. Associated tasks: The task that you can perform with this tab is: “Defining the server that performs lookups with a DNS name server record”...
  • Page 682 DNS Recursion Record Properties—Description tab: Optionally, provides an extended description. This information is useful to help track changes, or it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. DNS Root Server Record Properties—General tab: DNS lookups begin with the root servers, which send back either the requested DNS information or the name server that can get the requester closer to the DNS information they seek.
  • Page 683 DNS Subnet Record Properties—General tab: Use the DNS Subnet Record Properties dialog box to delegate naming authority for a range of addresses, including Classless Inter-Domain Routing (CIDR) addresses. Subnet records are also sometimes referred to as subnet maps. Associated tasks: The task that you can perform with this tab is: “Delegating naming authority with a DNS subnet record”...
  • Page 684 DNS TXT Record Properties—General tab: DNS TXT resource records help prevent spam and email forgery by informing a receiving email server of verifiable sender IP addresses. A domain publishes the criteria for legitimate mail sent by it in Sender Policy Framework (SPF) records served by DNS.
  • Page 685 Table D-136 DNS TXT Record Properties—General tab (Continued). Field: Caption. Description: An optional, brief description of the DNS TXT record. The maximum length is 128 characters. For longer descriptions, use the Description tab. DNS TXT Record Properties—Text tab: Displays the text value of the SPF record.
  • Page 686: Routes

    Routes: A company’s internal network may consist of many smaller, private networks that connect to a larger core network. When the security gateway is introduced into the corporate environment, it is normally connected directly to the larger core network, which lets the security gateway easily route packets to any directly connected destination.
  • Page 687 The maximum length is 20,000 alphanumeric characters. Internal Properties—General tab: Symantec’s internal authentication server is a local database of users and groups. Its primary purpose is to give administrators who have no external authentication server a mechanism to configure and control access for defined users and groups.
  • Page 688 LDAP Properties—General tab: Lightweight Directory Access Protocol (LDAP) provides access to a directory that holds user and group information, which can be used to authenticate users accessing the security gateway. LDAP authentication for the security gateway includes both LDAP and LDAPS, which is LDAP over SSL.
  • Page 689 LDAP Properties—Search Parameters tab: Use the Search Parameters tab to specify the location within the LDAP directory hierarchy where searches begin. Associated tasks: The task that you can perform with this tab is: ■ “Lightweight Directory Access Protocol (LDAP) authentication” on page 255...
  • Page 690 Table D-143 LDAP Properties—Schema tab (Continued). Field: User object class. Description: Name of the object class within the schema that defines user and user record attributes. Within the standard LDAP v3-compliant schema, the default object class used for this purpose is the person object class. The default value is inetorgperson.
  • Page 691 Table D-144 LDAP Properties—Bind tab (Continued). Field: Server authentication password. Description: LDAP password used to secure the connection between the security gateway and the LDAP server. LDAP Properties—Description tab: Optionally, provides an extended description. This information is useful to help track changes, or it can be used as criteria for searches.
  • Page 692 RADIUS Properties—Description tab: Optionally, provides an extended description. This information is useful to help track changes, or it can be used as criteria for searches. The maximum length is 20,000 alphanumeric characters. SecurID Properties—General tab: RSA SecurID is a strong authentication method supported by the security gateway.
  • Page 693 Active Directory Properties—General tab: The Active Directory Properties dialog box lets you configure an external Active Directory server that is consulted when users log on to the security gateway through OOBA, inband authentication, Client VPN, and Clientless VPN.
  • Page 694: Schemes

    Schemes: Authentication schemes define one or more authentication methods that are used to validate the identity of a user. To assign authentication to a rule, you must first define one or more authentication servers in an authentication scheme. Scheme Properties—General tab: The Scheme Properties General tab lets you specify which of your configured authentication schemes are used for authentication and group information.
  • Page 695: Network Users

    Network Users: All authentication systems require that you define and store the information necessary to authenticate a user. This normally includes a user name to identify the user and a password, key, or hash to validate the user’s identity.
  • Page 696 User Account Properties—Authentication tab: The Authentication tab lets you specify the user’s password and optional details such as the length of time the password is valid and an expiration date for the user account. Associated tasks: The task that you can perform with this tab is: “Configuring users for internal authentication”...
  • Page 697: User Groups

    Table D-151 User Account Properties—VPN tab (Continued). Field: Generate. Description: Generates a shared secret. Field: Select a primary IKE user group. Description: Names of all the groups of which the user is a member. If this is a new user, the Groups tab lets you add this user to an IKE user group so that it will appear in this drop-down list.
  • Page 698 It then determines whether the user belongs to the group by checking whether the certificate’s subject contains this user DN value. For example, a user DN value might be: ou=Sales, o=Symantec, c=US. Field: Issuer Distinguished Name (DN) includes. Description: Distinguished Name (DN) of the LDAP server. This is used for authenticating VPN clients with X.509 client certificates.
  • Page 699 Table D-154 User Group Properties—VPN Authentication tab (Continued). Field: User binding. Description: Type of binding, if any, between the extended authentication user name and the Phase 1 ID for the user. The options are: ■ No binding (default)...
  • Page 700: Proxies

    The CIFS Proxy Properties dialog box lets you modify the settings of the CIFS proxy, which lets programs make requests for files and services on remote computers on the Internet. The CIFS proxy integrates applications like Microsoft networking into the Symantec Gateway Security environment. Associated tasks: The tasks that you can perform with this tab include: “Configuring access for CIFS and NBDGRAM traffic”...
  • Page 701 The Proxy Properties: DNS dialog box lets you change DNS proxy settings; however, you should not change the default settings unless you completely understand the ramifications or have been instructed to change them by Symantec Technical Support. Associated tasks: The task that you can perform with this tab is: “Optimizing the DNS proxy”...
  • Page 703 Table D-159 Proxy Properties: DNS—Miscellaneous tab. Field: Deny outside RFC1918 addresses. Description: When enabled, lookup responses received from the outside interface that contain reserved (RFC 1918) addresses are denied. If you are using reserved addresses on the outside interface of your security gateway, disable this option.
  • Page 704 Proxy Properties: FTP—Timeout tab: The Timeout tab lets you specify the timeout for data transfers. If no data is received by the FTP application proxy during this period, the FTP session times out. Associated tasks: The task that you can perform with this tab is: “Modifying the timeout period for inactive FTP connections”...
  • Page 705 Proxy Properties: GSP—General tab: Use the Generic Service Proxy (GSP) to configure the security gateway to pass traffic for services that are not already predefined on the security gateway. Rules can use the GSP proxy to allow or deny TCP, UDP, or IP-based traffic. Associated tasks: The task that you can perform with this dialog box is: “Configuring a GSP for protocols without proxies”...
  • Page 706 Proxy Properties: GSP—Connection Timeout tab: The Connection Timeout tab lets you configure when TCP, UDP, or IP connections time out when no data is flowing through them. Associated tasks: The task that you can perform with this tab is: “Configuring a GSP for protocols without proxies”...
  • Page 707 Proxy Properties: H.323—Ports tab: The Ports tab lets you specify the H.323 proxy ports policy. Associated tasks: The task that you can perform with this tab is: ■ “Changing the default ports on which the H.323 proxy listens” on page 206...
  • Page 708 ■ “Enabling tracing” on page 208. Table D-169 Proxy Properties: H.323—Miscellaneous tab. Field: Timeout (seconds). Description: Timeout interval (in seconds) for H.323 connections. If there is no activity for any H.323 session within this period, the H.323 daemon closes the session. The default is 300 seconds.
  • Page 709 Proxy Properties: HTTP—Web Proxy tab: The Web Proxy tab lets you improve the performance of internal Web browsers by using an external Web caching proxy. Associated tasks: The task that you can perform with this tab is: “Enabling an external Web proxy”...
  • Page 710 Proxy Properties: HTTP—Timeout tab: The Timeout tab lets you configure the timeout and keepalive values for the HTTP proxy. Associated tasks: The task that you can perform with this tab is: ■ “Modifying the timeout period to keep inactive HTTP connections open” on page 214...
  • Page 711 Proxy Properties: NBDGRAM—General tab: The NetBIOS Datagram (NBDGRAM) proxy transports NetBIOS traffic over UDP port 138. This proxy is most useful where NetBIOS services need to pass through the security gateway but some form of non-standard routing or address hiding is in effect.
  • Page 712 Proxy Properties: NNTP—General tab: The NNTP proxy modifies the behavior of the Network News Transfer Protocol (NNTP), which controls traffic to and from news servers. Some protections you can configure through the NNTP proxy are: ■ Limiting internal user access to newsgroups...
  • Page 713 Proxy Properties: NNTP—Policy tab: The Policy tab lets you specify how the NNTP proxy responds to invalid connections. A connection is invalid if it includes a command or response that is not specified in RFC 977, or if an article that does not comply with RFC 1036 is received.
  • Page 714 Proxy Properties: NNTP—Miscellaneous tab: The Miscellaneous tab lets you specify when inactive NNTP connections time out and how they are closed. Associated tasks: The tasks that you can perform with this tab include: ■ “Configuring access for news feeds” on page 216...
  • Page 715 Table D-184 Proxy Properties: NTP—General tab (Continued). Field: Caption. Description: An optional, brief description of the NTP proxy. The maximum length is 128 characters. For longer descriptions, use the Description tab. Proxy Properties: NTP—Servers tab: The Servers tab is used to define the servers that the security gateway uses to synchronize its internal clock.
  • Page 716 Proxy Properties: PINGD—General tab: The ping proxy handles ICMP echo traffic, letting you ping external networks and receive a response back through the security gateway. Using ping lets you check network connectivity and troubleshoot possible networking problems. Associated tasks: The task that you can perform with this tab is: “Configuring access for ICMP traffic”...
  • Page 717 Proxy Properties: POP3—Timeout tab: Use the Timeout tab to specify how long the POP3 proxy keeps an inactive connection open. Associated tasks: The task that you can perform with this tab is: ■ “Modifying the timeout period to keep inactive POP3 connections open” on page 232...
  • Page 718 Proxy Properties: RTSPD—General tab: The Real-Time Streaming Protocol (RTSP) proxy handles real-time data such as the audio and video produced by RealPlayer and QuickTime. Sources of data can include both live data feeds and stored clips.
  • Page 719 Instructs the Telnet proxy to create trace files of Telnet connection attempts. This option is unchecked by default. Field: Enable SMTPD to recognize the debug command. Description: Enables more verbose logging of SMTP exchanges. This option is unchecked by default. It should be checked only when directed by Symantec Technical Support.
  • Page 720 Use the ODMR tab to enable on-demand mail relay (ODMR) and to specify the port to use if you do not want to use the default port, 366. Caution: Do not change the port number unless you are instructed to do so by Symantec Technical Support.
  • Page 721: H.323 Aliases

    Proxy Properties: Telnet—General tab: The Telnet proxy lets users remotely log on to another network-connected computer and interact with it as though they were physically logged on to the remote computer. Associated tasks: The tasks that you can perform with this tab include: “Configuring access for Telnet traffic”...
  • Page 722: Protocols

    Table D-198 H.323 Alias Properties—General tab (Continued). Field: Destination Host. Description: IP address of the real server. Field: Caption. Description: An optional, brief description of the H.323 alias. The maximum length is 128 characters. For longer descriptions, use the Description tab. H.323 Alias Properties—Description tab: Optionally, provides an extended description.
  • Page 723 Table D-199 ICMP Based Protocol Properties—General tab (Continued). Field: Message type. Description: The message type of the protocol. The following message types are supported: 0 Echo reply; 3 Destination unreachable; 3 Net unreachable; 3 Host unreachable; 3 Protocol unreachable; 3 Port unreachable; 3 Fragmentation needed and DF set...
  • Page 724 Field: Protocol number. Description: Type of protocol. If you do not know the protocol number to use, contact Symantec Technical Support. Field: Use GSP. Description: Indicates whether this option is enabled. This option must be enabled for the custom protocol to use the GSP proxy.
  • Page 725 Associated tasks: The task that you can perform with this tab is: ■ “Configuring TCP/UDP-based protocols” on page 180. Table D-201 TCP UDP Based Protocol Properties—General tab. Field: Protocol name. Description: A unique name for the protocol. The maximum length is 256 characters.
  • Page 726 Table D-201 TCP UDP Based Protocol Properties—General tab (Continued). Field: Source port use. Description: Type of source port used by the protocol. Select one of the following: ■ Single Port: Lets you specify a Source low port only. ■ Port Range...
  • Page 727: Service Groups

    Table D-201 TCP UDP Based Protocol Properties—General tab (Continued). Field: Caption. Description: An optional brief description of the custom protocol. The maximum length is 128 characters. For longer descriptions, use the Description tab. TCP based Protocol Properties—Description tab: Optionally, provides an extended description.
  • Page 728 Use the Additional Parameters tab to configure protocol parameters that are supported by the security gateway but are not available from the Protocols tab. To obtain the correct syntax, contact Symantec Technical Support. Associated tasks: The task that you can perform with this tab is: “Creating service groups”...
  • Page 729: Parameters For Protocols Within Service Groups

    Parameters for protocols within service groups: Additional parameters can be configured for some protocols when they are included in a service group. Parameters for cifs—General tab: These parameters let you further customize the behavior of the CIFS protocol. Associated tasks: None.
  • Page 730 Table D-205 Parameters for cifs—General tab (Continued). Field: SMB Operation Allowed. Description: Causes the CIFS daemon to write an audit log of all SMB operations attempted. This degrades performance under heavy loads, but lets you see which files are being read, modified, or deleted on each SMB server.
  • Page 731 Parameters for ftp—Additional Commands tab: These parameters let you further customize the behavior of the FTP protocol. Associated tasks: None. Table D-207 Parameters for ftp—Additional Commands tab. Field: Command list. Description: Current list of additional commands for this protocol. Field: Command. Description: Additional command to add.
  • Page 732 Table D-209 Parameters for http—Options tab (Continued). Field: Allow HTTP over valid SSL on the following ports. Description: Allows SSL connections over the ports defined. Once this option is checked, you can select one of the following: ■ All ports...
  • Page 733 Parameters for nntp—General tab: These parameters let you further customize the behavior of the NNTP protocol. Associated tasks: None. Table D-211 Parameters for nntp—General tab. Field: Service Group Name. Description: Unique name for this service group. This field is read-only. Field: Protocol Name. Description: Protocol with which you are currently working.
  • Page 734 Table D-212 Parameters for pop-3—General tab (Continued). Field: Caption. Description: An optional, brief description of the modifiable parameters for the POP3 protocol. The maximum length is 128 characters. For longer descriptions, use the Description tab. Parameters for pop-3—Advanced tab: These parameters let you further customize the behavior of the POP3 protocol.
  • Page 735 Table D-214 Parameters for realaudio—General tab (Continued). Field: Bandwidth Limit. Description: Network bandwidth limit for RealAudio connections. If clients on your network use HTTP as a transport rather than RealAudio, bandwidth limits do not apply; in that case, to limit RealAudio traffic you must set up MIME type restrictions.
  • Page 736 Parameters for smtp—General tab: These parameters let you further customize the behavior of the SMTP protocol. Associated tasks: None. Table D-216 Parameters for smtp—General tab. Field: Service Group Name. Description: Unique name for this service group. This field is read-only. Field: Protocol Name. Description: Protocol with which you are currently working.
  • Page 737 Table D-216 Parameters for smtp—General tab (Continued). Field: ESMTP Enabled. Description: Provides access to the Extended Simple Mail Transfer Protocol (ESMTP) as defined in RFC 2821. If you uncheck this option, the individual ESMTP components (AUTH, ATRN, ETRN, EXPN, VRFY) are disabled.
  • Page 738: Portal Pages

    Portal Pages: The Portal Pages tabs are used to control the appearance and behavior of the clientless VPN user interface. Portal Page Appearance—Organization Properties dialog box: The Organization Properties dialog box lets you customize the appearance of remote users’ portal pages with your own corporate name and logo.
  • Page 739 Access to all resources must be configured before it is available on the portal page. Associated tasks: The task that you can perform with this tab is: ■ “Using portal pages to customize the user experience” on page 432...
  • Page 740 Resource Properties—General tab: This General tab lets you associate a portal page name with a list of resources. Associated tasks: The task that you can perform with this tab is: ■ “Creating resource QuickLinks” on page 434...
  • Page 741 Resource Group Properties—General tab: Use the General tab to define groups of resources to display on portal pages. Resources can be grouped to make access easier for remote users. Associated tasks: The task that you can perform with this tab is: “Creating resource QuickLinks”...
  • Page 742: Secure Desktop Mail Access

    Secure Desktop Mail Access: Clientless VPN can serve as a proxy to connect a remote user’s mail client to a company POP or IMAP server that is located behind a security gateway. Secure Desktop Mail Access Properties—General tab: Use the Secure Desktop Mail Access General tab to configure the security gateway as a mail proxy.
  • Page 743: Asset Parameters

    Secure Web Mail Access Properties—General tab: Use the Secure Web Mail Access General tab to map IMAP servers to SMTP servers for use with the Web mail client. Associated tasks: The task that you can perform with this tab is: “Advanced mail actions”...
  • Page 744: System Field Descriptions

    Features tab: Use the Features tab to enable and disable security gateway features, including licensed features, the use of an uninterruptible power source, hardware encryption, Symantec Clientless VPN features, and the use of SSH to connect to the appliance. If a feature that is controlled by a license is not accessible, the license is not installed.
  • Page 745: Symantec Client Vpn

    Field: Symantec Client VPN support. Description: Indicates whether this option is enabled. Symantec Client VPN lets remote users securely connect to and use resources on a private network as if their computers were physically located inside the protected network. This option is checked by default.
  • Page 746 Take one or more of the following actions to configure the use of SSH: ■ SSH version 1: Lets you use SSH v1 for command line access to the Symantec Gateway Security v3.0 software. SSH v1 is based on the V1.5 protocol and the 1.3.7 F-Secure code base. This option is unchecked by default.
  • Page 747 Field descriptions System field descriptions Service Parameters For Log Properties—General tab: For the security gateway, the logging service lets you configure settings that affect how the security gateway collects information on all connections and connection attempts. Using the Logging Service Properties dialog box, you can configure whether the local log files for each managed security gateway are saved in binary (default) or text format.
  • Page 748 Table D-229 Service Parameters For Log Properties—General tab (Continued). Field: Consolidation Window (seconds). Description: If more than the configured threshold of the same message is seen within this amount of time, a special consolidated log message is generated. If the message has not been seen in the time specified, it is removed from the consolidation tree.
  • Page 749 Service Parameters For Notify Properties—General tab: Use the General tab to specify whether the Notify daemon should execute notifications when a rule’s alert thresholds are met or exceeded. Associated tasks: The tasks that you can perform with this tab include: “Configuring the Notify daemon”...
  • Page 750 Table D-231 Service Parameters For OOBA Properties—General tab (Continued). Field: Caption. Description: An optional, brief description of the OOBA daemon. The maximum length is 128 characters. For longer descriptions, use the Description tab. Service Parameters For OOBA Properties—Timeout tab: The Timeout tab lets you specify timeout values for HTTPD and other services that use OOBA.
  • Page 751 The default value is 888. Service Parameters For OOBA Daemon Properties—Secret tab: Use the Secret tab to provide the shared secret that is shared with other Symantec security gateways. Associated tasks: The task that you can perform with this tab is: “Configuring the OOBA service”...
  • Page 752: Sesa Event Gating

    SESA event gating provides a means of filtering the log files that are sent to the SESA Manager when the security gateway is joined to SESA for event management. Note: For management through SESA, Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0.
  • Page 753 Table D-236 SESA Event Gating window. Field: License Reports. Description: Sends messages that are generated as a result of license installation and removal to SESA. This option is checked by default. Field: Configuration Modification Reports. Description: Sends events that are generated by configuration modifications to SESA. This option is checked by default.
  • Page 754 Table D-236 SESA Event Gating window. Field: URL Send Limit. Description: Maximum number of Web sites to include in the event data that is sent at the end of the message period, if message consolidation is enabled for network traffic reports or denied access reports.
  • Page 755: Liveupdate

    LiveUpdate: The LiveUpdate tab lets you configure LiveUpdate servers and schedule LiveUpdate for the following components: ■ Antispam ■ Antivirus ■ Content filtering ■ Dynamic Document Rating (DDR) ■ Intrusion detection and intrusion protection (IDS/IPS). LiveUpdate Server Properties—General tab: Use the LiveUpdate Server Properties dialog box to define a new LiveUpdate server or change the properties of an existing LiveUpdate server.
  • Page 756 LiveUpdate Settings for Component Properties—General tab: Regardless of the security gateway component for which you want to schedule LiveUpdate, the properties pages you use are identical. You can schedule LiveUpdate for the following components: ■ Antispam...
  • Page 757 LiveUpdate Settings for Component Properties—Schedule tab: Use the Schedule tab to specify how often LiveUpdate should be performed, and at what times. Associated tasks: The task that you can perform with this tab is: ■ “Scheduling LiveUpdate of a component” on page 81...
  • Page 758: Ssl Server Certificates

    Field descriptions System field descriptions SSL Server Certificates The security gateway’s clientless VPN uses the Secure Sockets Layer (SSL) protocol to authenticate and encrypt client connections. SSL relies on X.509 certificate technology, and the security gateway is shipped with an unsigned certificate to facilitate the basic operation of this feature. For enhanced security and improved user experience, you can install a self-signed certificate (one that is signed by the gateway itself) on the gateway.
  • Page 759: Administration

    Field descriptions System field descriptions Administration When you expand the Administration folder, you have access to tabs from which you can do the following: Create and modify local administrator accounts (“Admin Account Properties—General tab” on page 758); Create and modify machine ... (“Machine Account Properties—General tab”...
  • Page 760 Field descriptions System field descriptions Table D-242 Admin Account Properties—General tab (Continued) Fields Description Caption An optional, brief description of the administrator account. The maximum length is 128 characters. For longer descriptions, use the Description tab. Admin Account Properties—Configuration Privileges tab Use the Configuration Privileges tab to specify the privileges the administrator has to read and write configurations.
  • Page 761 This option is unchecked by default. Join SESA allowed Enables the administrator to join SESA to use the Symantec Advanced Manager to manage security gateways. This option is unchecked by default. Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0.
  • Page 762 Field descriptions System field descriptions Table D-244 Admin Account Properties—Maintenance Privileges tab (Continued) Field Description Manage cluster allowed: Enables the administrator to manage clusters of security gateways for high availability and load balancing by creating VIPs, changing the watchlist, defining ping groups, and creating traffic groupings.
  • Page 763 Field descriptions System field descriptions Table D-246 Cluster Account Properties—General tab (Continued) Fields Description Password Cluster account password. The password is encrypted and appears as a string of asterisk (*) characters. The password should be at least 10 characters long, with both upper and lowercase letters, a punctuation mark, and at least one numeric digit.
  • Page 764 ... allowed: Enables the installation of hotfixes to update the security gateway. Join SESA allowed: Enables the cluster members to join SESA to use the Symantec Advanced Manager to manage security gateways. Note: Symantec Gateway Security 5000 Series v3.0 requires Symantec Advanced Manager for Security Gateways v3.0.
  • Page 765 Field descriptions System field descriptions Cluster Account Properties—Restrict To Address tab The Cluster account can be used from all addresses on the security gateway. You should not restrict the addresses that can be used. Associated tasks None. Table D-249 Cluster Account Properties—Restrict To Address tab Field Description Permitted logon...
  • Page 766 Field Description Option Name Name of the variable that you are modifying. The syntax of this name must be exact. If you are unsure of the syntax, contact Symantec Technical Support. Caption An optional, brief description of the advanced option.
  • Page 767: Syn Flood Allowed Hosts

    Field descriptions System field descriptions Advanced Options Properties—Value tab The Value tab lets you specify the value or values to use with the option. Associated tasks The task that you can perform with this tab is: “Configuring advanced options” on page 545 ■...
  • Page 768: Licensing

    Feature Name Name of the licensed component. Symantec System ID Symantec System ID that was used to obtain the license. The system on which you install the license must have the System ID that was used to obtain the license.
  • Page 769: Cluster Status

    Field descriptions Cluster field descriptions Cluster Status The Cluster Status window lets you monitor a cluster of security gateways. The display shows the following: whether each cluster member is up and running; the IP address and Virtual IP Address (VIP) of each cluster member; ...
  • Page 770: Vips Window

    Field descriptions Cluster field descriptions Cluster Member Properties—General tab On the Cluster Member Properties General tab, you can set the member weight. Associated tasks The task that you can perform with this tab is: “Changing global cluster configurations” on page 515 ...
  • Page 771: Watchlist Window

    Field descriptions Cluster field descriptions Watchlist window You can select different security gateway processes to monitor at any time. For example, if you have a deployment where the only purpose is to serve up Web pages and the HTTP proxy goes down, this causes the entire cluster to signal the fault.
  • Page 772: Nic Monitoring Window

    Field descriptions Cluster field descriptions Associated tasks The task that you can perform with this tab is: “Configuring ping groups for clusters” on page 517 ■ Table D-261 Ping Groups Properties—General tab Field Description Enable Indicates whether this option is enabled. This option is enabled by default.
  • Page 773: Traffic Grouping Window

    Field descriptions Cluster field descriptions NIC Monitoring Properties—General tab You can monitor the status of each network interface by configuring NIC monitoring. The SGMI only monitors actual network interfaces. Virtual IP addresses and virtual LANs are not shown in the monitoring window.
  • Page 774: Menu Option Field Descriptions

    Field descriptions Menu option field descriptions Associated tasks The task that you can perform with this window is: “Changing traffic groupings for clusters” on page 518 ■ Table D-264 Traffic Grouping window Field Description Address IP address of a server to be associated with a single cluster member. Menu option field descriptions The topics in this section provide field level Help for dialog boxes that are displayed when you choose a menu option.
  • Page 775 Confirms the new password. Hotfix dialog box Use the Hotfix dialog box to view, install and remove security gateway hotfixes. To see if hotfixes are available, and to download them, go to the Symantec Web site, http://www.symantec.com/techsupp/enterprise/select_product_updates.html. Associated tasks The task that you can perform with this dialog box is: “Installing and uninstalling hotfixes”...
  • Page 776: Analysis Reports

    Field descriptions Menu option field descriptions Analysis reports You can access analysis reports by using the Reports menu. When you select Analysis from the Reports menu, a submenu lets you specify a report category. In the Analysis Reports dialog box, you can select the paper size, hour range, and date from which to generate a report.
  • Page 777: Client Vpn Package Wizard

    Field descriptions Menu option field descriptions Table D-270 Configuration reports dialog box Field Description Paper type: Select a paper type for the output: Letter size (8.5 x 11 inch) paper; Legal size (8.5 x 14 inch) paper; Executive size (11 x 17 inch) paper; ...
  • Page 778: Remote Access Tunnel Wizard For Client Vpn

    Field descriptions Menu option field descriptions “Associated panels” on page 776 ■ Table D-271 Users/User Groups panel Field Description Available Lists the available users and user groups. Each user or user group must be the endpoint of a configured Client VPN tunnel. Each user in a group must have its IKE user group defined or no Client VPN package files will be generated.
  • Page 779 Field descriptions Menu option field descriptions “VPN Policy panel” on page 781 ■ “Confirmation panel” on page 781 ■ Remote Access Tunnel Wizard panel This is the first panel of the Remote Access Tunnel Wizard. In the Remote Access Tunnel Wizard panel, you select whether to create tunnels for Client VPN users or configure connections for clientless VPN users.
  • Page 780 Field descriptions Menu option field descriptions Local Security Gateway panel In the Local Security Gateway panel, you select the security gateway network entity that serves as the local security gateway. Associated tasks The tasks that you can perform with this panel include: “Using the Remote Access Tunnel Wizard to create Client VPN tunnels”...
  • Page 781 Field descriptions Menu option field descriptions New Local Endpoint and Create a Local End Group panels You create a new network entity to serve as the local Client VPN tunnel endpoint using either the New Local Endpoint panel for a host or subnet entity, or the Create a Local End Group panel for a group network entity.
  • Page 782 Field descriptions Menu option field descriptions Remote Endpoint panel In the Remote Endpoint panel, you specify the IKE-enabled user or user group that serves as the remote Client VPN tunnel endpoint. Associated tasks The task that you can perform with this panel is: “Using the Remote Access Tunnel Wizard to create Client VPN tunnels”...
  • Page 783: Remote Access Tunnel Wizard For Clientless Vpn

    Field descriptions Menu option field descriptions Associated tasks The task that you can perform with this panel is: “Using the Remote Access Tunnel Wizard to create Client VPN tunnels” on page 389 ■ “Using the Remote Access Tunnel Wizard to set up clientless VPN connections” on page 442 ■...
  • Page 784 Field descriptions Menu option field descriptions Associated tasks The task that you can perform with this panel is: “Using the Remote Access Tunnel Wizard to set up clientless VPN connections” on page 442 ■ “Associated panels” on page 782 ■ Table D-281 Rule panel Field...
  • Page 785 Field descriptions Menu option field descriptions Table D-282 Clientless VPN Profile panel (Continued) Field Description Create new clientless vpn profiles: Lets you create a new clientless VPN profile by specifying the following: Profile name: A unique name for the clientless VPN profile. The maximum length is 256 characters.
  • Page 786 Field descriptions Menu option field descriptions “Associated panels” on page 782 Table D-283 Options panel Field Description Specify host by DNS name: Specifies the host by DNS name. Specify host by IP address: Specifies the host by IP address. Path: Specifies the path to the resource.
  • Page 787: Gateway-To-Gateway Tunnel Wizard

    Field descriptions Menu option field descriptions User/Group Role panel In the User/Group Role panel, you can select the clientless role to which to assign the rule. Associated tasks The task that you can perform with this panel is: “Using the Remote Access Tunnel Wizard to set up clientless VPN connections” on page 442 ■...
  • Page 788 Field descriptions Menu option field descriptions Gateway-to-Gateway Tunnel Wizard panel This is the first panel of the Gateway-to-Gateway Tunnel Wizard. This panel introduces you to the wizard. Associated tasks The task that you can perform with this panel is: “Running the Gateway-to-Gateway Tunnel Wizard” on page 385 ■...
  • Page 789 Field descriptions Menu option field descriptions Table D-288 Local Security Gateway panel (Continued) Field Description Create new network entity: Lets you create a new security gateway network entity by specifying the following: Name: A unique name for the new security gateway network entity. The maximum length is 256 characters.
  • Page 790 Field descriptions Menu option field descriptions “Associated panels” on page 786 Table D-290 Local Endpoint panel Field Description New Local Endpoint panel—host network entity: On the New Local Endpoint panel, for a host network entity, you supply the following values: Name ...
  • Page 791 Field descriptions Menu option field descriptions Table D-291 Remote Security Gateway panel (Continued) Field Description Create new security gateway network entity: Lets you create a new security gateway network entity by defining the following: Gateway name: A unique name for the new security gateway network entity. The maximum length is 256 characters.
  • Page 792 Field descriptions Menu option field descriptions Table D-292 Remote Endpoint panel (Continued) Field Description Create new network entity: Lets you select the type of network entity to serve as the remote endpoint. On the New Remote Endpoint panel, for a host network entity, you supply the following values: Name ...
  • Page 793: Global Ike Policy

    Field descriptions Menu option field descriptions Confirmation panel In the Confirmation panel, you can review the gateway-to-gateway tunnel information. If you are satisfied that the information is correct, click Finish to create the tunnel or configure the connection. To make changes, click Back to return to a previous panel. Associated tasks The task that you can perform with this panel is: “Running the Gateway-to-Gateway Tunnel Wizard”...
  • Page 794 Field descriptions Menu option field descriptions Associated tasks The task that you can perform with this tab is: “Viewing or modifying the global IKE policy” on page 384 ■ Table D-295 Global IKE Policy Properties—Data Privacy Preference tab Field Description Available Data privacy algorithms available for use.
  • Page 795 Field descriptions Menu option field descriptions Associated tasks “Viewing or modifying the global IKE policy” on page 384 ■ Table D-297 Global IKE Policy Properties—Diffie-Hellman Groups tab Field Description Available Diffie-Hellman options available for use. Diffie-Hellman is the standard IKE method of establishing shared secrets. Group 1 and Group 2 are the Diffie-Hellman group numbers for establishing these IKE session keys.
  • Page 796: System Setup Wizard

    Field descriptions Menu option field descriptions Associated tasks The task that you can perform with this dialog box is: “Generating and viewing an analysis report” on page 498 ■ Table D-299 Select Date dialog box Field Description Calendar Currently specified date. Use the calendar controls to navigate to new calendar pages to change the date as follows: Move to the same month in the previous year.
  • Page 797 Symantec Client VPN support: Indicates whether this option is enabled. Symantec Client VPN lets remote users securely connect to and use resources on a private network as if the remote computers are physically located inside of the protected network. This option is checked by default.
  • Page 798 Field descriptions Menu option field descriptions Table D-300 Optional Features panel (Continued) Field Description Content filtering Indicates whether this option is enabled. Content filtering lets you control Web access through the security gateway by defining URLs, MIME types, and newsgroups to which you allow or deny user access.
  • Page 799 This option is unchecked by default. You can restore a backup from the following security gateways: the current security gateway; another Symantec Gateway Security 5000 Series v3.0 security gateway; Symantec Gateway Security v2.0 s...; Symantec Clientless VPN Gateway v5.0; ...
  • Page 800 Field descriptions Menu option field descriptions Machine Settings panel The Machine Settings panel lets you configure the system time zone, date, and time, and view or specify the host name, domain name, and default gateway. It also lets you lock the LCD panel and change the administrator password.
  • Page 801 Field descriptions Menu option field descriptions Network Interfaces panel The Network Interfaces panel lets you specify parameters for all security gateway interfaces, including virtual local area network (VLAN) interfaces. When you are configuring eth1 as an outside interface, you can also enable the appliance as a DHCP client.
  • Page 802: Cluster Wizard

    Field descriptions Menu option field descriptions Table D-304 Add VLANs dialog box (Continued) Field Description Starting VLAN ID: ID of the first VLAN. Number of VLANS: Number of VLANs being added. The maximum number of supported VLANs is 48. Confirmation panel In the Confirmation panel, you can review the configuration before activating it.
  • Page 803 Field descriptions Menu option field descriptions A cluster consists of at least two cluster members, and can include up to eight. Before you create a cluster, ensure that all of the prerequisites are met. After the second cluster member is added, you can add additional members, modify settings of the members you have already added, or finish the wizard.
  • Page 804 Field descriptions Menu option field descriptions Define Cluster panel This is the second panel of the Cluster Wizard. On this panel you name the cluster, select the heartbeat interface, and set up hot standby or load balancing options. Associated tasks The tasks that you can perform with this panel include: “Creating a new cluster with the Cluster Wizard”...
  • Page 805 Field descriptions Menu option field descriptions Cluster VIP Addresses panel This is the third panel of the Cluster Wizard. Here you can set up your VIP addresses. Associated tasks The tasks that you can perform with this panel include: “Creating a new cluster with the Cluster Wizard” on page 512 ■...
  • Page 806 Field descriptions Menu option field descriptions “Dissolving a cluster” on page 521 Table D-309 Connect to New Cluster Member panel Field Description User name: Administrator name of the new cluster member. Allowed settings are a-z, A-Z, periods (.), and dashes (-). Do not include spaces in the user name.
  • Page 807 Field descriptions Menu option field descriptions Remove Cluster Member panel The second panel in the Modify Cluster option. On this panel, you select whether to remove the cluster member. Associated tasks The tasks that you can perform with this panel include: “Adding or removing a cluster member”...
  • Page 808: Activate Changes Wizard

    Field descriptions Menu option field descriptions Activate Changes Wizard The Activate Changes Wizard makes pending changes (changes you have saved locally) active on the security gateway, so that they affect traffic through the gateway. Before the wizard displays, you have the option of saving any unsaved changes. If you do so, you can continue and activate all changes.
  • Page 809: Restore Wizard

    Optional Features panel The Optional Features panel lets you enable the system features for which you have licenses. Available features are gateway-to-gateway VPN, Symantec Client VPN support, high availability/load balancing (HA/LB), content filtering, antivirus, antispam, intrusion detection and prevention, and hardware encryption.
  • Page 810 Symantec Client VPN support: Indicates whether this option is enabled. Symantec Client VPN lets remote users securely connect to and use resources on a private network as if the remote computers are physically located inside of the protected network. This option is checked by default.
  • Page 811 Field descriptions Menu option field descriptions Setup Options panel The Setup Options panel lets you indicate whether the security gateway will be used as a standalone security gateway or will be a member of a cluster. You can also choose to restore the backup configuration’s network interface data. Associated tasks The tasks that you can perform with this panel include: “Restoring security gateway configuration files from the SGMI”...
  • Page 812 Symantec Clientless VPN Gateway configuration. When you restore a Symantec Gateway Security backup file, you must provide the password with which it was created. You can also choose to restore the administrator accounts that existed when the backup was made.
  • Page 813: Firewall Rule Wizard

    Field descriptions Menu option field descriptions Table D-318 Restore Cluster Options panel (Continued) Field Description Restore Process Monitors: Displays selected option to restore. Restore Failover Timeout: Displays selected option to restore. Restore Traffic Groups: Displays selected option to restore. Restore Ping Groups: Displays selected option to restore.
  • Page 814 Field descriptions Menu option field descriptions “Associated panels” on page 812 Table D-319 Optional Security Gateway Configuration panel Field Description SMTP mail services: Creates SMTP rules for inbound and outbound mail services. POP3 mail services: Creates a POP3 rule for sending and receiving POP3 mail. HTTP services: Creates a rule to allow internal users to have access to HTTP services.
  • Page 815 Field descriptions Menu option field descriptions POP3 Options panel The POP3 Options panel helps you create a POP3 rule for sending and receiving POP3 mail. Additional configuration options for POP3 rules are available through the Rule Property and Service Group Property dialog boxes.
  • Page 816 Field descriptions Menu option field descriptions Table D-322 HTTP Options panel (Continued) Field Description Allow HTTPS only on standard ports: Specifies that HTTPS connections will use only port 443/tcp or 563/tcp as the destination port. Other port numbers are disallowed. This option is checked by default.
  • Page 817: License Installation Wizard

    Field descriptions Menu option field descriptions Associated tasks The tasks that you can perform with this panel include: “Configuring HTTP, FTP, and mail (SMTP and POP3) rules with the Firewall Rule Wizard” ■ page 284 “Associated panels” on page 812 ■...
  • Page 818 Upload File: Displays a dialog box that lets you browse to the location of the Symantec Gateway Security license files that you have copied to your computer. When you select a file and click Open, the file displays in the license table.
  • Page 819 Field descriptions Menu option field descriptions License Error Check panel The License Error Check panel verifies the licenses that you have uploaded for installation and notifies you of conflicts and potential loss of functionality. Associated tasks The tasks that you can perform with this panel include: “Installing licenses”...
  • Page 820: Securid Server Connection Wizard

    Field descriptions Menu option field descriptions Associated tasks The tasks that you can perform with this panel include: “Installing licenses” on page 94 ■ “Associated panels” on page 816 ■ Table D-328 License Installation Complete panel Field Description Close Lets you close the License Installation Wizard. A pop-up message informs you that you must reboot to make the licenses take effect and asks if you want to reboot immediately.
  • Page 821 Field descriptions Menu option field descriptions Active Directory Server Connection Wizard panel This is the first screen of the wizard. It explains that this wizard tests connectivity to the Active Directory authentication server. Associated tasks The task that you can perform with this panel is: “Associated panels”...
  • Page 822 Glossary about box A dialog box containing basic information about the application, such as product name and version number, company name, logo, copyright date, trademarks, and legal notices. access control The mechanisms and policies that restrict access to computer resources. An access control list (ACL), for example, specifies what operations different users can perform on specific files and directories.
  • Page 823 A setting on a rule that triggers an action when the specified conditions are met. In Symantec security gateways, suspicious activity is monitored based on access attempts, time intervals, and other criteria. You can customize or disable the default threshold according to your needs.
  • Page 824 Glossary blended threat An attack that uses multiple methods to transmit and spread. The damage caused by blended threats can be rapid and widespread. Protection from blended threats requires multiple layers of defense and response mechanisms. blocking A configured mode for preventing malicious or unwanted network traffic from passing a certain point in the network.
  • Page 825 The registry settings for client computers that are set during the execution of a console task. connection The successful establishment of a communications link. console A program interface for the management of software or networks. See also Symantec management console. content blocking The ability to block network traffic based on actual packet content.
  • Page 826 Glossary data transfer The movement of information from one location to another. The speed of transfer is called the data rate or data transfer rate. decrypt To convert either encoded or enciphered text into plain text. denial of service (DoS) attack A type of attack in which a user or program takes up all of the system resources by launching a multitude of requests, leaving no resources and thereby denying service to other users.
  • Page 827 .com domain identifies host systems that are used for commercial business. domain entity A group of computers sharing the network portion of their host names, for example symantec.com. Domain entities are registered within the Internet community. Registered domain entities end with an extension such as .com, .edu, or .gov or a country code such as .jp (Japan).
  • Page 828 LAN and are frequently encrypted for privacy. factory reset In the context of Symantec Gateway Security appliances, an action that returns the appliance to its default state and removes any software patches and hotfixes that have been applied. This is the state the appliance was in when it was first shipped.
  • Page 829 A URL that consists of a host and domain name, including top-level domain. For example, www.symantec.com is a fully qualified domain name. www is the host, symantec is the second-level domain, and .com is the top-level domain. An FQDN always starts with a host name and continues to the top-level domain name, so www.sesa.symantec.com is also an FQDN.
  • Page 830 A single computer. It can be either inside or outside of the Symantec Enterprise Firewall system host. A host is specified using its IP address in fully qualified dotted quad format. HTML (Hypertext Markup Language) A standard set of commands used to structure documents and format text so that it can be used on the Web.
  • Page 831 In Symantec Intruder Alert, an organization or group of Agents. ITA policies are applied to domains. Agents can belong to more than one domain.
  • Page 832 Glossary intranet A private network that serves users of an enterprise. Although intranet pages may link to the Internet, an intranet is not a network that is accessed by the general public. intrusion detection A security service that monitors and analyzes system events for the purpose of finding and providing real-time, or near real-time, warning of attempts to access system resources in an unauthorized manner.
  • Page 833 A unique identification number used to register a Symantec product. list box A dialog box containing a list of items from which a user can choose.
  • Page 834 Glossary macro A set of keystrokes and instructions that are recorded, saved, and assigned to a short key code. When the key code is typed, the recorded keystrokes and instructions execute (or play back). Macros can simplify day-to-day operations that otherwise become tedious. For example, a single macro keystroke can set up a connection using pcAnywhere.
  • Page 835 See also ARP (Address Resolution Protocol), MAC (Media Access Control), RIP (Routing Information Protocol). network entity A host or group of hosts on the Internet or on your private networks. Supported Symantec Enterprise Firewall entities include: host, domain, subnet, and group. network-level firewall A firewall in which traffic is examined at the network protocol packet level.
  • Page 836 Packet filters are simple and fast, but they make decisions based on a very limited amount of information. In Symantec security gateways, the access control that describes your corporate security stance. A policy combined with location and system settings make up a complete Symantec security gateway configuration.
  • Page 837 Glossary physical address See MAC (Media Access Control). PIN (personal identification number) In computer security, a number used during the authentication process that is known only to the user. ping (Packet Internet Groper) A program that system administrators and hackers or crackers use to determine whether a specific computer is currently online and accessible.
  • Page 838 Glossary private key A part of asymmetric encryption that uses a private key in conjunction with a public key. The private key is kept secret, while the public key is sent to those with whom a user expects to communicate. The private key is then used to encrypt the data, and the corresponding public key is used to decrypt it.
  • Page 839 Glossary report A formatted query that is generated from a database. Reports are included with managed security products. Administrators can modify reports to create custom reports of specific event data. reporting The output generated by products and services that illustrates the information (sometimes the data) that is collected.
  • Page 840 SESA operation. For example, logging servlets and configuration servlets. SESA (Symantec Enterprise Security Architecture): The centralized, scalable management architecture that is used by Symantec’s security products. SESA Agent: A Java Common Information Model Object Manager (CIMOM) that provides a secure conduit between SESA-integrated products on any given end-point and the SESA Manager.
  • Page 841 Glossary SESA Integration Wizard A Java application that is used to install the SESA Integration Package (SIP). See also SIPI (Symantec Integrated Product Installer). session hijacking An attack in which someone intercepts and co-opts an active, established connection. SESA Manager The Hypertext Transfer Protocol (HTTP) server and associated applications and servlets that manage communication with all SESA Agents, the SESA DataStore, and the SESA Directory.
  • Page 842 Glossary source-routed IP packets Packets with additional information in the header that specifies the route the packet should take. This additional routing is specified by the source host, hence the name source-routed. Normal IP packets have only source and destination addresses in their headers, leaving the actual route taken to the routers in between the source and the destination.
  • Page 843: Symantec Security Response

    Management. Symantec Security Response The Symantec team of intrusion experts, security engineers, virus hunters, and global technical support teams that work to provide security coverage for enterprise businesses and consumers. Symantec Security Response delivers security protection through product security policies and best practice guidelines that can be updated and distributed through automated processes.
  • Page 844 A permanent host entity created when Symantec Enterprise Firewall or Symantec Enterprise VPN Server is installed. The universe entity is similar to a wildcard and specifies the set of all computers both inside and outside of the Symantec Enterprise Firewall system. The universe entity’s associated IP address is 0.0.0.0.
  • Page 845 A file that provides information to antivirus software for finding and repairing viruses. In Symantec AntiVirus Corporate Edition, the administrator must regularly distribute updated virus definitions files to Symantec AntiVirus Corporate Edition servers and clients.
  • Page 846: Index

    Left column: access control (FTP 412; mail 412; Web VPN 412); activation, description 59; Active Connections tab 467; Active Directory authentication server (clientless VPN usage 411; configuring 254)...
    Right column: advanced options (cont.) (idssym.im_yahoo_ports 547; idssym.internal_lan 547; idssym.internal_net 547; idssym.mssql_servers 547; idssym.networkdevice_servers 547; idssym.novarg_ports 547; idssym.ntp_servers 547; idssym.pctssl_ports 547; idssym.ports_bd_evolution 547)
  • Page 847: Index

    Left column: alerts, monitoring, IDS/IPS 482; allowed host list, SYN flood protection 370; alphabetic sorting of tables 49; analysis reports 497 (antispam 501; antivirus 501; common Web sites 500)
    Right column: attachment (blocking by name 342; blocking by size 342); attacks, preventing 319; audio data, providing access 225; authentication (clientless VPN 410)...
  • Page 848: Index

    Left column: CIFS proxy (configuring 194; creating trace files 196; description 192; non-transparent connections 193; restrictions 193; setting timeout 196; transparent connections 193)
    Right column: clientless VPN (cont.) (simple rules 415; single sign-on rule 410, 439; terminal emulation 452; URL syntax 410; user accounts, unlocking 469; viewing failed logon attempts 469; VPN profile 410, 413, 415, 432)...
  • Page 849: Index

    Left column: (cont.) 155; root server records 150; troubleshooting 157; with Symantec gateway security 138; DNS tab 138; DNS-based blocking lists 352
    Right column: (cont.) buffer overflow attacks 300; by specific URL 297; by subject matter 306; content categories 306; content profile 311; denying content 296...
  • Page 850: Index

    Left column: deployment 117; managed security gateway 125; e-commerce, managed security gateway 125; Edit menu 35; email 446 (antivirus options 342; clientless VPN, access control 412; filter on file size 338; notification, configuring 489)...
    Right column: features (enabling from Features tab 97; enabling from System Setup Wizard 96); Features tab (enabling licensed features 97); file extensions, content filtering 304
  • Page 851 Index group network entity 166 HTTP proxy (cont.) group server, LDAP 411 HTTPs ports, adding 214 modifying 212 configuring 188 persistent connections 209 description 188 ports, adding 213 secure sockets layer 209 timeout, modifying 214 WebDAV 210 H.323 Aliases tab 205 httpd advanced options H.323 proxy httpd.allow_idn_to_ace 546...
  • Page 852 NNTP connections 219 storing 93 IMAP 457 summary, viewing 87 default port 457 Symantec System ID 90, 92 IMAP to SMTP, mapping Web mail servers 446 usage, viewing 88 importing group roles 427 Licensing window importing user roles 428...
  • Page 853: Index

    Left column: logging off 31; logging on 21 (from the desktop 25; initial 22; integrating to the desktop 24; using a browser 26); logging service, configuring 470; login, UNIX service...
    Right column: (cont.) description 461; Monitors section (Logs window 470; Notifications window 486; Overall Health window 462; Status window 466); Monitors section, description 39, 461; multicast traffic...
  • Page 854: Index

    Left column: network protocols (ICMP-based 181; IP-based 179; TCP-based 180; UDP-based 180); network throughput, viewing 462; Network window (Address Transforms tab 359, 366)
    Right column: objects (copying 54; creating 52; deleting 61; references to other objects 55); ODMR (On-demand mail relay), enabling 235; On Demand Mail Relay.
  • Page 855: Index

    Left column: (cont.) 558; process restart, configuring 113; properties, of objects (modifying 51; viewing 50)
    Right column: Redirected Services tab 364; redirected services, configuring 364; regular expressions 419; remlog, using with Symantec DeepSight 494; Remote Access Tunnel Wizard (client VPN 385, 389; clientless VPN 442)...
  • Page 856: Index

    Left column: Remote Access Tunnel Wizard, description 30; remote access, machine accounts 69; remote logon, using Telnet 236; Remote Mail window 446 (Secure Desktop Mail Access tab 447; Secure Web Mail Access tab 446)
    Right column: Response tab (antispam scanning 353); Response tab, antivirus scanning 344; restart, security gateway 84; restore (configurations 98)...
  • Page 857 Index home page 29 home page, wizards 30 Secure Desktop Mail Access tab 447 SGMI (cont.) secure network connection 460 integrating to the desktop 24 creating rules 442 left pane navigation 38 description 411 logging off 31 secure sockets layer (SSL) 209 logging on 21 Secure Web Mail Access tab 446 menu 35...
  • Page 858: Index

    Left column: (cont.) 399; configuring tunnels 394; importing tunnels 401; Symantec DeepSight. See DeepSight; Symantec Security Response 333; Symantec System ID...
    Right column: threats. See antivirus scanning; time period 287; time period range 287; time periods 287; Time Periods tab 287; time, security gateway...
  • Page 859: Index

    Left column: troubleshooting 557 (antivirus scanning 349; SGMI display problems 562; SMTP debug 234); troubleshooting utilities 560 (FTP client (passive mode) 561; listlicense 561; tcpdump 562; using the flatten utility 560); tunnels...
    Right column: UserPreferences.MaxReturnSet 549; users (creating 244; description 243; IKE-enabled 245; importing 251); Users window (Network Users tab 243; User Groups tab 247)
  • Page 860: Index

    Left column: Web protocols, HTTPS 455 (fragments 456; URL 455, 456); Web proxy, enabling 212; Web scheme HTTP 455; Web traffic, enabling 210; Web VPN
    Right column: wizards (Client VPN Package Wizard 30, 399; Firewall Rule Wizard 30, 284; Gateway-to-Gateway Tunnel Wizard 30, 385; License Installation 94; Remote Access Tunnel 442; Remote Access Tunnel Wizard 30, 385, 389)...
  • Page 861 Index...
