Rohde & Schwarz GP-T User Manual

Gateprotect firewall



Summary of Contents for Rohde & Schwarz GP-T

  • Page 1 R&S GP-U/GP-E/GP-S/GP-T gateprotect Firewall User Manual (T^VT2) 3646.3836.02 ─ 01...
  • Page 2 ... R&S gateprotect Firewall GP-E ● R&S gateprotect Firewall GP-S ● R&S gateprotect Firewall GP-T. © 2017 Rohde & Schwarz Cybersecurity GmbH, Mühldorfstr. 15, 81671 Munich, Germany. Phone: +49 (0) 30 65 884 - 223. Email: cybersecurity@rohde-schwarz.com. Internet: cybersecurity.rohde-schwarz.com. Printed in Germany – Subject to change – Data without tolerance limits is not binding.
  • Page 3: Table Of Contents

    Contents (R&S GP-U/GP-E/GP-S/GP-T)
    1 About This Manual ... 7
    Audience ... 7
    What's in This Manual ... 8
    Conventions ... 8
    Related Resources ... 9
    About Rohde & Schwarz Cybersecurity ... 9
    2 Getting Started ... 11
    3 User Interface ... 13
    Web Client Components ... 13
    3.1.1 Header Area ... 14
    3.1.2 ...
  • Page 4 Contents (continued)
    3.4.3 WAN ... 74
    3.4.3.1 DNS Settings ... 74
    3.4.3.2 DynDNS Accounts ... 75
    3.4.3.3 QoS Settings ... 76
    3.4.3.4 QoS Connection Settings ... 77
    3.4.4 Network Objects ... 78
    3.4.4.1 Internet Objects ... 78
    3.4.4.2 Hosts ... 79
    3.4.4.3 Users ... 80
    3.4.4.4 User Groups ... 81
    3.4.4.5 VPN Users ... 82
    3.4.4.6 VPN User Groups ...
  • Page 5 Contents (continued)
    3.4.8.1 Certificates ... 114
    3.4.8.2 Templates ... 117
    3.4.8.3 OCSP/CRL Settings ... 118
    3.4.8.4 Trusted Proxy CAs ... 119
    3.4.9 Monitoring ... 119
    3.4.9.1 SNMP Settings ... 119
    3.4.9.2 Syslog Servers ... 121
    3.4.9.3 Logs ... 122
    3.4.10 Network Tools ... 123
    3.4.10.1 Ping Settings ... 124
    3.4.10.2 Traceroute Settings ... 124...
  • Page 6 (only the page footer was captured) User Manual 3646.3836.02 ─ 01...
  • Page 7: About This Manual

    1 About This Manual. The gateprotect Firewall User Manual describes the innovative firewall solution from Rohde & Schwarz Cybersecurity. gateprotect Firewall integrates firewall, application control, web filtering, malware protection and many more functions in a single system.
  • Page 8: What's In This Manual

    ● To define filtering rules, you need to understand basic TCP/IP networking concepts. 1.2 What's in This Manual: The contents of this manual are designed to assist you in configuring your gateprotect Firewall.
  • Page 9: Related Resources

    Note conventions used in the manual: "This note is a little hint that can help make your work easier." "This note contains important additional information." "This note contains information that is important to consider. Non-observance can damage your gateprotect Firewall or put your network security at risk."
  • Page 10 For more information, visit our website at cybersecurity.rohde-schwarz.com.
  • Page 11: Getting Started

    2 Getting Started. Log on to your gateprotect Firewall to set up the system for your network. When first started after delivery or a new installation, the gateprotect Firewall runs as a test version for 30 days. For further information, see Chapter 3.4.1.1, "License Set-...
  • Page 12 (only the page footer was captured)
  • Page 13: User Interface

    3 User Interface. The sections in this chapter describe the components of the gateprotect Firewall user interface. The gateprotect Firewall web client requires a minimum display resolution of 1024 × 768 pixels (XGA).
  • Page 14: Header Area

    Figure 3-1: gateprotect Firewall web client. The information displayed in each area is described in the following sections. 3.1.1 Header Area: The header area (1) contains the following elements (from left to right): Figure 3-2: gateprotect Firewall web client header area.
  • Page 15: Navigation Pane

    In addition, the header area displays unsaved configuration changes if you close an editor panel by pressing the ESC key on your computer keyboard. Unsaved changes are not displayed, however, if you close an editor panel by clicking the button in the upper right corner of the panel.
  • Page 16 Figure 3-3: gateprotect Firewall web client desktop. On the desktop, you always have a complete overview of your entire configured network. You can edit various settings in this pane or view the details of a configuration.
  • Page 17: Icons And Buttons

    When you click a desktop object with the left mouse button, several buttons appear in the circular menu, depending on the kind of desktop object. These buttons allow you to adjust the settings for an existing object and to create or edit a connection between two existing objects.
  • Page 18 Icon/Button descriptions: Marks a menu item with settings to configure in the navigation bar. Marks a table column with actions available for a table entry. Unpin the desktop object to be able to move it along with the desktop node that it is associated with via drag &...
  • Page 19: Firewall Rule Settings

    Icon/Button descriptions (continued): Close a pop-up window. Clear all search criteria of a filter to show all results. 3.3 Firewall Rule Settings: This topic describes how to create a firewall rule for a connection between two desktop objects.
  • Page 20 To set up a custom firewall rule, perform the following steps: 1. In the "Rules" tab, click "Add Custom Rule" to set up a new firewall rule. An editor panel opens.
  • Page 21 Field descriptions: "Enable DMZ / Port Forwarding for this service": Select this checkbox to enable DMZ and port forwarding for this rule. "External IP address": Optional: Specify the destination IP address of the traffic to be manipulated.
  • Page 22: Menu Reference

    3.4 Menu Reference. This reference section describes each menu item in the navigation pane on the left side of the browser window. The license acquired from Rohde & Schwarz Cybersecurity determines which menu items are available on your gateprotect Firewall. Features which are not included in your gateprotect Firewall license are grayed out in the navigation pane.
  • Page 23: Updates Settings

    To upload a new license, perform the following steps: 1. Click "Select File" behind the "License File" input field. The local disk search opens. 2. Select a new license file in GPLF format from the local disk.
  • Page 24 Column descriptions: "Name": Displays the name of the available update. "Type": Displays the type of the update. The update system differentiates between four types of updates: ● security – contains corrections which concern the security of the firewall ●...
  • Page 25 Field descriptions: "Update Time": Enter the date and time for the first automatic refresh of the updates list and the first automatic update. If you click the input field, a pop-up window with a calendar and input fields for changing the date and time opens.
  • Page 26: Administrators

    In a High Availability configuration, system updates must be installed in two phases. First, the master system is updated and rebooted; the former slave takes over the master role. Then, the new master is updated and rebooted; the new slave (the former master) takes over the master role again.
  • Page 27 Field descriptions: "Name": Enter a unique name for the administrator. "Description": Optional: Enter additional information regarding the administrator for internal use. On the "Client Access" tab: "Granting access": Select this checkbox to grant the administrator access to the web client.
  • Page 28: User Authentication

    ... administrator or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it. 3.4.1.4 User Authentication: The "User Authentication" settings determine the list of users who can be authorized to utilize your network resources, such as Internet access and VPN tunnels.
  • Page 29 This way, every user obtains their own IP address from a pool of IP addresses, similar to DHCP. Authentication server: For smaller companies without central user management, the gateprotect Firewall provides local user management. You can always use the local user database. However, it is also possible to use an external directory service, such as a Microsoft Active Directory server or an OpenLDAP server.
  • Page 30 Figure 3-4: User authentication via web browser. 4. Enter the "Name". Note: If the user is an LDAP user, the user's login name has to exactly match the user name specified in the sAMAccountName attribute of the user. Otherwise, the name in the user-specific firewall rules will not correspond to the user logging on to the client and the rules will not match.
  • Page 31 Figure 3-5: User authentication via UA client. 3. Under "Server Address", enter the IP address of your gateprotect Firewall. 4. Enter the "User Name". Note: If the user is an LDAP user, the user's login name has to exactly match the user name specified in the sAMAccountName attribute of the user.
  • Page 32 8. Click "Login". The authentication is carried out. For security reasons, it is strongly recommended to update the UA client to the latest version available. However, a compatibility mode that allows older versions of the UA client to work with the gateprotect Firewall version 10 can be enabled.
  • Page 33 b) Under "First name", enter gpLogin. With this name, it is easier to find the user later in the user overview. c) Under "User logon name", enter gpLogin/<firewall name>. In the example above, the host name (<firewall name>) of the gateprotect Firewall is fw96 and, therefore, the user logon name is gpLogin/fw96.
  • Page 34 d) On the "Kerberos" tab, click the "Create Kerberos Key" button to generate the Kerberos key. The Active Directory is queried to validate the specified AD user and to obtain the relevant information, such as the Kerberos key version number. With that information, the gateprotect Firewall is able to generate a valid Kerberos key locally.
  • Page 35 ... Group" which can be selected on the desktop. To this user group, no users are added. It comprises all of the users who are able to log on but have not been set up as individual users or members of other user groups on the desktop.
  • Page 36 Field descriptions: "Compatibility Mode": Select this checkbox if you are using user authentication clients older than version 3.0.0 to log on to the gateprotect Firewall. Notice: By selecting this checkbox you are putting your network security at risk.
  • Page 37 Field descriptions: "Server Address": Enter the host name or the IP address of the directory server. Note: If you enter the host name of the directory server, you need to configure the DNS settings. Otherwise, the host name cannot be resolved.
  • Page 38 Field descriptions: "Group Primary ID": Optional: Define the attribute from which the group primary identifier is retrieved. "Group Parent": Optional: Define the attribute from which the group parent is retrieved. Upon clicking "Save", all optional fields which you did not specify are filled with default values by the system.
  • Page 39 Field descriptions: "User Name": Enter a unique name for the local user which will be the logon name. Important: The user's logon name has to exactly match the "User Name" (case-sensitive). Otherwise, the name in the user-specific firewall rules will not correspond to the user logging on to the client and the rules will not match.
  • Page 40 Connect to a directory server as described under "User Authentication / Directory Service Settings" on page 35. Navigate to "Firewall > User Authentication > LDAP Groups" to display the list of LDAP groups that are currently defined on the directory server in the item list bar.
  • Page 41: Server Access Settings

    Figure 3-8: Object settings – terminal server. If your users do need the authentication on the terminal server, you can activate Remote Desktop IP Virtualization on the terminal server. This way, all users are assigned their own IP address during a session.
  • Page 42 Field descriptions: "Web Access from Internet": Select the respective radio button to specify external web access via the Internet. The option is set to Deny by default, but you can adjust the settings to one of the other values as necessary: ●...
  • Page 43: Command Center Settings

    If you modify the settings, click "Save" to store your changes or "Reset" to discard them. Otherwise, click "Close" to shut the editor panel. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
  • Page 44 Field descriptions: "Time Zone": From the drop-down list, select one of the predefined time zones. The time zone is set to (+01:00) Europe - Berlin by default, but you can adjust the settings to one of the other values as necessary.
  • Page 45: High Availability Settings

    Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes. 3.4.1.8 High Availability Settings: The "High Availability" (HA) settings allow two independent gateprotect Firewall systems to be connected in a master/slave configuration via a dedicated interface. The so-called HA cluster provides failover capability.
  • Page 46 Figure 3-9: Sample network setup for High Availability. High Availability is not available for the gateprotect Firewall GP-U 50/100/200 product models. For more detailed information on High Availability, see the following sections. High Availability Settings: Use the "High Availability"...
  • Page 47 High Availability can only be activated when no background processes, such as updates or backups, are running. Navigate to "Firewall > High Availability" to open an editor panel to set up High Availability.
  • Page 48 "Local IP" and "Remote IP" must be in the same subnet. HA cluster communication over routed networks is not supported. If you modify the settings, click "Save" to store your changes or "Reset" to discard them.
  • Page 49: Backup

    2. Disconnect the Cluster Interconnect cable between the master and slave systems. 3. Reinstall the standby (slave) system via USB flash drive. 4. On the master system: a) Log on to the web client.
  • Page 50 Field descriptions: "Server Address": Enter the IP address of the remote backup server on which you want to store automatically created backups. "Username": Enter the name of the user on the remote backup server.
  • Page 51 Field descriptions: "Options": Select the respective radio button to specify what is added to the filenames to distinguish the backups from each other. The option is set to "Append current date to filename" by default, but you can adjust the settings to the other value as necessary: ●...
  • Page 52 Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes. Backup Export: The "Export" settings allow you to create and export a manual backup of the current firewall configuration.
  • Page 53: Network

    Field descriptions: "Backup File": Click "Select" to open the local disk search. Select a backup file in GP format to transfer from your local disk. Click "Open" to close the local disk search.
  • Page 54 For further information, see Chapter 3.2, "Icons and Buttons", on page 17. Ethernet Interfaces Settings: Under "Network > Interfaces > Ethernet Interfaces", you can display more detailed information on the available Ethernet interfaces and adjust the settings.
  • Page 55 VLAN Interfaces Overview: Navigate to "Network > Interfaces > VLAN Interfaces" to display the list of VLAN interfaces that are currently defined on the system in the item list bar. In the expanded view, the first column of the table displays the "Name" of the VLAN interface.
  • Page 56 The buttons at the bottom right of the editor panel depend on whether you add a new VLAN interface or edit an existing virtual local area network. For a newly configured VLAN interface, click "Create" to add the VLAN to the list of available virtual local area network interfaces or "Cancel"...
  • Page 57 Field descriptions: "Used by": Displays the network components (e.g. connections, other interfaces, etc.) that use the bridge interface. "Ports": Add the ports that the interface will bridge by clicking the input field. You can select any number of VLAN interfaces or other bridge interfaces.
  • Page 58 ... existing PPP interface, create a new PPP interface based on a copy of an existing PPP interface or delete a PPP interface from the system. For further information, see Chapter 3.2, "Icons and Buttons",...
  • Page 59 WLAN Interfaces Overview: Navigate to "Network > Interfaces > WLAN Interfaces" to display the list of WLAN interfaces that are currently defined on the system in the item list bar. In the expanded view, the first column of the table displays the "Name" of the WLAN interface.
  • Page 60: Connections

    3.4.2.2 Connections: The "Connections" settings allow you to configure network and PPP connections on the gateprotect Firewall. Network Connections: Use the "Network Connections" settings to configure network connections. The system offers default connections for all available Ethernet interfaces.
  • Page 61 Field descriptions: "Type": From the drop-down list, select the connection type for the connection. The option is set to Static by default, but you can adjust the settings to the other value as necessary: ●...
  • Page 62 Field descriptions: "Set default gateway": Only available if the selected connection "Type" is Static: Select this checkbox if you want to set a default gateway for the network connection. Note: If you select DHCP as the connection "Type", this checkbox is always enabled and grayed out because the gateway is obtained from the DHCP server.
  • Page 63 Field descriptions: "Heartbeats": Specify how the state of the connection is to be tested by adding tests. The default settings contain a ping test of the Google server (8.8.8.8). Click "Add" to add another test to the list. (A single external target ties the connection state to that host's reachability; a second test against a different target avoids failing over when only 8.8.8.8 is unreachable.) For information on configuring the reachability test, see "Heartbeat Settings"...
  • Page 64 If you have defined a backup Internet connection on the "Failover" tab and the automatic heartbeat test defines the state of the connection as disconnected, the gateprotect Firewall automatically switches to the backup connection with the highest priority available.
  • Page 65 Field descriptions: "Type": Select the connection type from the drop-down list, depending on your Internet service provider: PPPoE or PPTP. Use the PPPoE mode to connect via Point-to-Point Protocol over Ethernet. PPPoE is typically used to share a broadband connection, such as a single DSL line or cable modem.
  • Page 66 Field descriptions: "Time Restrictions": Select this checkbox if you want to limit the time when the connection is enabled. Click "Edit" to open the "Time Restrictions" editor panel that provides the following options: ●...
  • Page 67: Wlan Settings

    Field descriptions: "Number of successful tries": Set the number of successful tries required for a successful heartbeat. "Arguments": Specify the arguments to be used in the test, e.g. IP addresses that will be pinged.
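Pages 63, 64 and 67 together describe the failover decision: each Internet connection runs reachability tests, a test counts as successful when enough of its tries succeed, and a primary whose tests fail hands over to the connected backup with the highest priority. The following model is an added example, not the firewall's code. The page does not say how several tests on one connection are combined, so the model assumes a connection is up only if every test passes; probe outcomes are scripted (constructed data) so it runs offline, and the optional ping_probe helper uses Linux ping flags for ad-hoc checks from an admin host.

```python
"""Model of the heartbeat and failover decision for Internet connections.
Added example, not the firewall's code; probe outcomes are scripted so it
runs offline, and ping_probe() is only for ad-hoc use on a Linux host.
"""
import itertools
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional


@dataclass
class Heartbeat:
    name: str                   # e.g. "ping 8.8.8.8"
    tries: int                  # probes sent per check
    successes_required: int     # "Number of successful tries"
    probe: Callable[[], bool]   # one probe; True on success

    def passed(self) -> bool:
        """Run all tries and compare the successes with the threshold."""
        successes = sum(1 for _ in range(self.tries) if self.probe())
        return successes >= self.successes_required


@dataclass
class Connection:
    name: str
    priority: int = 0           # among backups, higher wins (assumption)
    heartbeats: List[Heartbeat] = field(default_factory=list)

    def connected(self) -> bool:
        # Assumption: a connection is up only if every configured test passes.
        return all(hb.passed() for hb in self.heartbeats)


def select_active(primary: Connection, backups: List[Connection]) -> Optional[Connection]:
    """Keep the primary while its heartbeats pass; otherwise take the
    connected backup with the highest priority; None if nothing is up."""
    if primary.connected():
        return primary
    for backup in sorted(backups, key=lambda c: c.priority, reverse=True):
        if backup.connected():
            return backup
    return None


def scripted(outcomes: Iterable[bool]) -> Callable[[], bool]:
    """Probe that replays constructed outcomes (cycled), for offline runs."""
    it = itertools.cycle(outcomes)
    return lambda: next(it)


def ping_probe(host: str) -> Callable[[], bool]:
    """Real ICMP probe via the system ping (Linux flags; not used offline)."""
    return lambda: subprocess.run(
        ["ping", "-c", "1", "-W", "1", host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def demo() -> Optional[str]:
    # Constructed scenario: the primary's 8.8.8.8 test loses 3 of 4 probes
    # while a second target stays reachable; two backups differ in priority.
    primary = Connection("wan1", heartbeats=[
        Heartbeat("ping 8.8.8.8", tries=4, successes_required=2,
                  probe=scripted([True, False, False, False])),
        Heartbeat("ping 1.1.1.1", tries=4, successes_required=2,
                  probe=scripted([True, True, True, True])),
    ])
    lte = Connection("lte", priority=5, heartbeats=[
        Heartbeat("ping 8.8.8.8", 4, 2, scripted([True, True, True, True]))])
    dsl2 = Connection("dsl2", priority=10, heartbeats=[
        Heartbeat("ping 8.8.8.8", 4, 2, scripted([False, True, False, False]))])
    active = select_active(primary, [lte, dsl2])
    return active.name if active else None


if __name__ == "__main__":
    print("active connection:", demo())
```

In the scenario the primary fails only because its 8.8.8.8 test drops below the threshold while the second target is fine, which is why the threshold and the choice of targets deserve as much attention as the backup priorities.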
  • Page 68 Field descriptions: "Country Code": From the drop-down list, select the correct two-letter code for your country. The set default value is the standard country code 00 which provides compatibility for all countries. "SSID"...
  • Page 69: Routing

    Field descriptions: "MAC Filter Mode": Use the MAC filter to determine whether a wireless device is to be granted access to the WLAN. (MAC addresses are trivially spoofed, so the filter complements rather than replaces WLAN authentication.) The default setting is "Disabled", that is to say that no fil-...
  • Page 70 ● Tables 64 to 250 are reserved for routes with a source address and appear with a source IP address during the set-up of routes. ● Table 293 is reserved for the transparent proxy.
  • Page 71 Routing Rules: Routing rules specify which packets are managed by which routing table. This allows for more differentiated routing, as routing rules include more fields of the IP header in the routing decision, while routing tables only consider the destination IP address.
  • Page 72: Dhcp Settings

    Field descriptions: "Output Interface": Optional: Select one of the interfaces defined on the gateprotect Firewall as output interface. "TOS": Optional: Specify the Type of Service value by entering a hexadecimal number from 0 to FF.
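Pages 70 to 72 describe the two-stage decision: ordered routing rules match on several header fields (source, destination, TOS, output interface) and select a table, and the table is then searched by destination only. The following is an added example of that lookup, not the firewall's implementation. It assumes Linux policy-routing semantics (rules tried in order; a table with no route for the destination falls through to the next rule and finally to the main table, whose id 254 is a Linux convention, not from the page); the table numbers 64 to 250 and 293 are the ones the text reserves, and the rules, routes and packets are constructed.

```python
"""Policy-routing lookup: ordered rules pick a table from several header
fields; the chosen table is searched by destination (longest prefix) only.
Added example, not the product's code; Linux rule/table semantics assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address
MAIN_TABLE = 254   # Linux "main" table id (assumption; 64-250 and 293 come from the text)


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    tos: int = 0                      # 0x00..0xFF
    out_if: Optional[str] = None


@dataclass
class RoutingRule:
    table: int
    source: Optional[IPv4Network] = None
    destination: Optional[IPv4Network] = None
    tos: Optional[int] = None
    output_interface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.source is None or p.src in self.source)
                and (self.destination is None or p.dst in self.destination)
                and (self.tos is None or p.tos == self.tos)
                and (self.output_interface is None or p.out_if == self.output_interface))


@dataclass
class Route:
    prefix: IPv4Network
    via: str                          # next hop / interface label


def longest_prefix_match(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Destination-only lookup inside one table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_packet(rules: List[RoutingRule], tables: Dict[int, List[Route]], p: Packet) -> Optional[str]:
    """Walk the rules in order; the first matching rule whose table has a route
    for the destination decides. Otherwise the main table is consulted."""
    for rule in rules:
        if rule.matches(p):
            hit = longest_prefix_match(tables.get(rule.table, []), p.dst)
            if hit:
                return hit.via
    hit = longest_prefix_match(tables.get(MAIN_TABLE, []), p.dst)
    return hit.via if hit else None


def sample_config():
    """Constructed sample: table 64 sends the branch subnet out via WAN2,
    table 65 gives TOS 0x10 traffic a low-delay path, main holds LAN + WAN1."""
    N = IPv4Network
    rules = [
        RoutingRule(table=64, source=N("10.1.0.0/24")),
        RoutingRule(table=65, tos=0x10),
    ]
    tables = {
        64: [Route(N("0.0.0.0/0"), "wan2")],
        65: [Route(N("0.0.0.0/0"), "wan1-lowdelay")],
        MAIN_TABLE: [Route(N("10.0.0.0/8"), "lan"), Route(N("0.0.0.0/0"), "wan1")],
    }
    return rules, tables


def decide(src: str, dst: str, tos: int = 0) -> Optional[str]:
    rules, tables = sample_config()
    return route_packet(rules, tables, Packet(IPv4Address(src), IPv4Address(dst), tos))


def fallthrough_demo() -> Optional[str]:
    """A rule pointing at a table with no usable route falls through to main."""
    _, tables = sample_config()
    rule = RoutingRule(table=66, source=IPv4Network("10.1.0.0/24"))   # table 66 is empty
    return route_packet([rule], tables, Packet(IPv4Address("10.1.0.5"), IPv4Address("8.8.8.8")))


if __name__ == "__main__":
    for src, dst, tos in [("10.1.0.5", "8.8.8.8", 0), ("10.1.0.5", "10.3.0.1", 0),
                          ("10.2.0.5", "8.8.8.8", 0x10), ("10.2.0.5", "10.3.0.1", 0)]:
        print(f"{src} -> {dst} tos={tos:#04x}: {decide(src, dst, tos)}")
```

The second case is the one to notice: a source-based rule sends everything from 10.1.0.0/24 to table 64, and because that table only holds a default route, traffic to the internal network 10.3.0.1 leaves via WAN2. A source table therefore needs the internal prefixes as well (or the rule a destination exclusion), which is easy to forget when the rule is added for Internet traffic only.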
  • Page 73 ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "Default Lease Time" Enter the default lease time (in seconds) to determine the amount of time that a computer has a valid IP address. "Lease Time" Enter the maximum lease time (in seconds).
  • Page 74: Wan

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "MAC Address"/"IP Specify a static IP address for a host in the network by entering the host's MAC Address"/"Host Name" address and IP address. Aditionally, you can enter the host name. Click "Add"...
  • Page 75: Dyndns Accounts

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference The "DNS Settings" panel allows you to configure the following elements: Field Description "Acquire DNS server" Select this checkbox to connect to a DNS server selected by the router or the provider. Note: In case you are using several Internet lines from different providers, make sure that the DNS servers you use can be reached from all lines.
  • Page 76: Qos Settings

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference DynDNS Accounts Settings The "WAN > DynDNS Accounts" settings allow you to define custom accounts for WAN access in general. You can add a new or edit an existing DynDNS account. The "DynDNS Account" settings allow you to configure the following elements:...
  • Page 77: Qos Connection Settings

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference A precondition for Quality of Service is that applications or devices (such as VoIP tele- phone systems) set the ToS field in IP data packets. The gateprotect Firewall then sorts the packets based on the value of the ToS field and assigns them to several queues with different priorities.
  • Page 78: Network Objects

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference For further information, see Chapter 3.2, "Icons and Buttons", on page 17. QoS Connection Settings The "QoS" settings allow you to configure the following elements for every Internet connection: Field Description "QoS Down"/"QoS Up"...
  • Page 79: Hosts

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Internet Objects Settings The "Internet Object" settings allow you to configure the following elements: Field Description "Object Name" Specify a name for the Internet object. "Color" Select the color to be used for this object on the desktop.
  • Page 80: Users

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "Icon" Select an icon to represent the host on the desktop. "Connected to" Select an interface that the host is connected to. "IP Address" Enter the IP address of the host object.
  • Page 81: User Groups

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference The buttons at the bottom right of the editor panel depend on whether you add a new user object or edit an existing object. For a newly configured object, click "Create" to add the object to the list of available user objects or "Cancel" to discard your changes.
  • Page 82: Vpn Users

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference card your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it. Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
  • Page 83: Vpn User Groups

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference 3.4.4.6 VPN User Groups Create desktop objects for VPN user groups that can be used to create connections between multiple users and other network objects applying a common rule set to multi- ple VPN users. VPN user groups are displayed at the VPN node on the desktop.
  • Page 84: Networks

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference 3.4.4.7 Networks Create a network that can be used to create connections between the network and other objects (such as VPN objects, etc.). Networks Overview Navigate to "Network Objects > Networks" to display the list of networks that are cur- rently defined on the system in the item list bar.
  • Page 85: Ip Ranges

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Host Groups Overview Navigate to "Network Objects > Hosts Groups" to display the list of host groups that are currently defined on the system in the item list bar. In the expanded view, the table displays the "Name" of the host group. The buttons in...
  • Page 86: Vpn Hosts

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference range, create an object based on a copy of an existing IP range or delete an IP range from the system. For further information, see Chapter 3.2, "Icons and Buttons", on page 17.
  • Page 87: Vpn Groups

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference For further information, see Chapter 3.2, "Icons and Buttons", on page 17. VPN Hosts Settings The "VPN Host" settings allow you to configure the following elements: Field Description "Name" Specify a name for the VPN host object.
  • Page 88: Vpn Networks

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "Object Name" Specify a name for the VPN group. "Color" Select the color to be used for this object on the desktop. "VPN Connections" Select the VPN connections you want to add to the group.
  • Page 89: Connections

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "VPN Connection Type" Select the type of the VPN connection by clicking the respective radio button. "IPsec Connec- This field depends on the selected connection type. Select the VPN connection tion"/"OpenVPN Connec- you want to associate to the VPN network from the drop-down list.
  • Page 90: Desktop

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "Content Filter" Select the content filters by clicking the appropriate checkboxes. "Schedule" Displays whether the filter is always active, always inactive or active for a limi- ted time schedule. Click the entry to modify the schedule.
  • Page 91: Utm

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Navigate to "Desktop > Desktop Rules" to display the list of rules that are currently defined on the system. The "Filter Settings" allow you to narrow the list of rules to display only rules that include a certain search string.
  • Page 92 ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "ON"/"OFF" A slider switch indicates whether the application fil- ter is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the application filter. The application filter is disabled by default.
  • Page 93: Url/Content Filter

    ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes. 3.4.6.2 URL/Content Filter URL and content filters determine which websites are available to computers on the protected network.
  • Page 94 ® User Interface R&S GP-U/GP-E/GP-S/GP-T Menu Reference Field Description "Content Filter License" This field displays your license information for the content filter. "URLs" Select this checkbox to exclude sections behind a ? (which serves to transfer variable values in PHP) from blacklists and whitelists.
  • Page 95: Antivirus Settings

    "Blacklist"/"Whitelist": You can specify a blacklist and/or a whitelist by adding as many terms as you like to the respective list. If both lists are applied at the same time, the whitelist has higher priority.
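The two settings above interact: the "URLs" checkbox decides which part of the request the lists are compared against, and the whitelist wins over the blacklist. The following added example (not code from the manual or from Rohde & Schwarz) models that evaluation so the effect of each setting can be checked. It assumes case-insensitive substring matching of list "terms" against host and path; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample requests, not taken from the manual.
SAMPLE_URLS = [
    "http://www.example.com/games/index.html",
    "http://download.example.com/get.php?file=../../etc/passwd",
    "https://Intranet.Example.com/games/schedule",
]


def normalize(url: str, ignore_query: bool) -> str:
    """Return host + path (+ query unless ignore_query) for list matching.

    ignore_query models the "URLs" checkbox: everything after '?' is dropped.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if ignore_query or not parts.query:
        return host + path
    return host + path + "?" + parts.query


def list_hit(entries, target: str):
    """Case-insensitive substring match (assumed semantics of a list 'term')."""
    lowered = target.lower()
    for entry in entries:
        if entry.lower() in lowered:
            return entry
    return None


def decide(url: str, blacklist, whitelist, ignore_query: bool = False):
    """Return ("allow" | "block", reason); the whitelist takes priority."""
    target = normalize(url, ignore_query)
    hit = list_hit(whitelist, target)
    if hit is not None:
        return "allow", f"whitelist entry {hit!r} takes priority"
    hit = list_hit(blacklist, target)
    if hit is not None:
        return "block", f"blacklist entry {hit!r}"
    return "allow", "no list entry matched"


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        for ignore in (False, True):
            verdict, why = decide(url, ["games", "passwd"], ["intranet.example.com"], ignore)
            print(f"{verdict:5} ignore_query={ignore!s:5} {url} ({why})")
```

The second sample URL shows the caveat a reviewer would raise: with the "URLs" checkbox set, a term that only appears in the query string ("passwd" here) is invisible to the blacklist, so the request is allowed.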
  • Page 96 "License": This field displays your license information for the antivirus scanner. The gateprotect Firewall uses an antivirus scanner provided by Kaspersky which is included in the UTM license. Note: When the firewall is started for the first time, the virus scanner runs as a test version for 30 days.
  • Page 97 "Max. size of files for main memory scan": Define the maximum size of files which are scanned directly in main memory. The default maximum size is set to 15360 kilobytes. Files that exceed the specified size are not scanned for viruses at all, so this limit is a coverage trade-off and not only a performance setting.
  • Page 98: Email Security

    "Update Servers": The standard update server is preconfigured: http://kav-8-5.gateprotect.com. You can add as many update servers as you like. Enter the IP address or the domain name of an update server and click "Add" to put the update server on the list.
  • Page 99 "ON"/"OFF": A slider switch indicates whether the mail proxy is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of this service. The mail proxy is deactivated by default.
  • Page 100 "ON"/"OFF": A slider switch indicates whether antispam is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of this service. This option is activated by default.
  • Page 101: Proxy

    The antispam settings defined here for the Mail protocol are only applied to traffic which matches a rule with an active proxy for that protocol. Additionally, for Mail the proxy must be activated as described under "Mail Filter Settings"...
  • Page 102 On the "HTTPS" tab, you can configure the HTTPS proxy independently from the HTTP proxy. If the HTTPS proxy is active in a connection, the HTTPS traffic is forwarded through the HTTPS proxy on the gateprotect Firewall. This means that users cannot change any proxy settings in the browser.
  • Page 103: Vpn

    "Internal Net": Select your local network interface from the drop-down list that is to be used to make phone calls. "Internet Connection": Select the Internet connection from the drop-down list which the gateprotect Firewall uses to forward the VoIP connections.
  • Page 104: Ipsec Settings

    For example, suppose a user utilizes a remote access VPN software client connecting to a corporate network using a hotel wireless network. The user with split tunneling is able to connect to file servers, database servers, mail servers and other services on the corporate network through the VPN connection, while all other traffic leaves the client directly via the hotel network instead of the tunnel. The client is therefore reachable from the untrusted network and the corporate network at the same time, which is the trade-off to weigh before enabling split tunneling.
  • Page 105: Vpn Ssl Settings

    You need two VPN IPsec capable servers for an IPsec Site-to-Site connection. For a Client-to-Site connection, you need separate client software. Your gateprotect Firewall is able to create and use secured connections using the IPsec protocol suite.
  • Page 106 "ON"/"OFF": A slider switch indicates whether VPN SSL is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state. "Host certificate": Select a host certificate that the gateprotect Firewall uses in all VPN SSL connections.
  • Page 107: Vpn Connections

    "Protocol": Select the protocol to be used by clicking the respective radio button. "Port": Specify the VPN SSL listening port number to be used for incoming connections. Note: The same port number must be specified on the remote site.
  • Page 108 "ON"/"OFF": A slider switch indicates whether the IPsec connection is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of the connection. A new connection is enabled by default.
  • Page 109 "Authentication type": Select the authentication type for the IPsec connection by selecting the respective radio button. Note: The remaining elements on this tab depend on the selected authentication type.
  • Page 110 "IKE Version": Select the Internet Key Exchange version to be used for the connection. IKEv2 is faster in establishing a tunnel and in rekeying. IKEv1 is maintained for compatibility reasons; use IKEv2 unless the remote peer only supports IKEv1.
  • Page 111 "Protocol number": Enter the IANA protocol number for the protocol you want to restrict traffic to. "Data Compression": Optional: Select this checkbox to activate data compression. The buttons at the bottom right of the editor panel depend on whether you add a new VPN IPsec connection or edit an existing connection.
  • Page 112 "Certificate": Select the server certificate for VPN SSL connections from the drop-down list. Note: The VPN certificate has to be signed by the same certificate authority (CA) on all sites. Therefore, it is advisable to manage the VPN CA and the VPN certificates on one site and then to export and import the VPN certificates from there to the other sites.
  • Page 113 "Remote Networks": Indicate the networks which are available on the remote end. When the connection is established, the server sets up routes to these networks. Click "Add" to add a network to the list.
  • Page 114: Certificate Management

    3.4.8 Certificate Management The "Cert. Management" settings allow you to control the certificates used by the gateprotect Firewall web client, the built-in SSL proxy and the OpenVPN server, to create templates to ease the creation of certificates and to enable OCSP/CRL services.
  • Page 115 In the expanded view, the item list bar displays the name of the certificate and its dependency. The buttons behind the individual certificates show you the validity status and the type of each certificate, allow you to view the details of each certificate, replace a certificate by importing a new certificate, export and verify a certificate, temporarily suspend or renew the validity of a certificate, and permanently revoke the certificate.
  • Page 116 "Country": Optional: Enter the two-letter code denoting the country. "State": Optional: Enter the name of the state. "City": Optional: Enter the name of the city. "Organization": Optional: Enter the name of the organization.
  • Page 117: Templates

    Certificate type / Description: VPN Certificate: Creates a certificate that is used to identify VPN clients and servers. A suitable parent CA has to be selected. Webserver Certificate: Creates a certificate that is used for webservers. A suitable parent CA has to be selected.
  • Page 118: Ocsp/Crl Settings

    "Organizational Unit": Optional: Enter the name of the unit within the organization. "Subject Alternative Names": Optional: Enter as many custom subject alternative names (SAN) as you like for the certificate for specific usage and select the appropriate types from the drop-down list.
  • Page 119: Trusted Proxy Cas

    "ON"/"OFF": A slider switch indicates whether the appropriate service is active ("ON") or inactive ("OFF"). By clicking the slider switch, you can toggle the state of both services individually. Both options are deactivated by default.
  • Page 120 based information exchange are the SNMP manager (e.g. Nagios) and the SNMP clients (devices such as your gateprotect Firewall that are meant to be monitored by the SNMP manager). While the SNMP manager requests, receives and monitors information, the SNMP clients respond to information requests (e.g.
  • Page 121: Syslog Servers

    "Privacy Protocol": Optional and only available if the selected "Protocol Version" is v3 and the selected "Authentication Protocol" is MD5 or SHA: From the drop-down list, select the algorithm to be used to encrypt the communication with the SNMP service.
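The dependency described above (privacy only on top of v3 authentication) is the standard SNMPv3 security-level ladder. The following added example (not code from the manual or from Rohde & Schwarz) derives the resulting level from the three settings, rejects combinations the web client does not offer, lists what a reviewer would flag, and builds the net-snmp `snmpget` command an SNMP manager would run to verify the firewall answers only at that level. The privacy algorithm names, the firewall address, user name and passphrases are assumptions.

```python
# Added example: map the firewall's SNMP settings onto SNMPv3 security levels.

AUTH_PROTOCOLS = ("MD5", "SHA")
# Privacy algorithm names are an assumption; the manual only shows a drop-down.
PRIV_PROTOCOLS = ("DES", "AES")


def security_level(version, auth_protocol=None, priv_protocol=None):
    """Return the SNMPv3 security level name for the given settings."""
    if version in ("v1", "v2c"):
        if auth_protocol or priv_protocol:
            raise ValueError("authentication/privacy protocols exist only in SNMPv3")
        return "noAuthNoPriv"  # community string only
    if version != "v3":
        raise ValueError(f"unknown SNMP version {version!r}")
    if auth_protocol is not None and auth_protocol not in AUTH_PROTOCOLS:
        raise ValueError(f"unsupported authentication protocol {auth_protocol!r}")
    if priv_protocol is not None and priv_protocol not in PRIV_PROTOCOLS:
        raise ValueError(f"unsupported privacy protocol {priv_protocol!r}")
    if priv_protocol and not auth_protocol:
        # Mirrors the web client: the privacy field is only offered once an
        # authentication protocol (MD5 or SHA) has been selected.
        raise ValueError("a privacy protocol requires an authentication protocol")
    if priv_protocol:
        return "authPriv"
    if auth_protocol:
        return "authNoPriv"
    return "noAuthNoPriv"


def review(version, auth_protocol=None, priv_protocol=None):
    """Return (level, findings) with the points a reviewer would raise."""
    level = security_level(version, auth_protocol, priv_protocol)
    findings = []
    if version in ("v1", "v2c"):
        findings.append("community string travels in clear text and authenticates nothing")
    elif level == "noAuthNoPriv":
        findings.append("SNMPv3 without authentication: requests can be spoofed")
    elif level == "authNoPriv":
        findings.append("responses (interface names, addresses, counters) are readable on the wire")
    if auth_protocol == "MD5":
        findings.append("HMAC-MD5 is the weaker choice; prefer SHA")
    return level, findings


def snmpget_argv(host, user, oid, auth_protocol=None, priv_protocol=None,
                 auth_pass=None, priv_pass=None):
    """net-snmp 'snmpget' argument list for probing the firewall over SNMPv3."""
    level = security_level("v3", auth_protocol, priv_protocol)
    argv = ["snmpget", "-v3", "-l", level, "-u", user]
    if auth_protocol:
        argv += ["-a", auth_protocol, "-A", auth_pass]
    if priv_protocol:
        argv += ["-x", priv_protocol, "-X", priv_pass]
    return argv + [host, oid]


if __name__ == "__main__":
    # Constructed values: address, user and passphrases are placeholders.
    print(review("v2c"))
    print(review("v3", "MD5"))
    print(review("v3", "SHA", "AES"))
    print(" ".join(snmpget_argv("192.0.2.1", "monitor", "1.3.6.1.2.1.1.1.0",
                                "SHA", "AES", "auth-pass-phrase", "priv-pass-phrase")))
```

A useful check after saving the settings is to run the generated command once with `-l authPriv` (expect the sysDescr value) and once with the level lowered to `-l authNoPriv` or `-l noAuthNoPriv`; the lowered requests should fail, otherwise the agent is answering below the configured level.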
  • Page 122: Logs

    For further information, see Chapter 3.2, "Icons and Buttons", on page 17. Syslog Servers Settings The "Syslog Servers" settings allow you to specify connection details for multiple remote syslog servers to forward log messages generated by different message sources.
  • Page 123: Network Tools

    To view the complete logs again, delete all search criteria by clicking "Reset", the button on the left side of the selected "Type" or the button in the other input fields. Figure 3-10: Sample filtered system log.
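Both the syslog forwarding settings (page 122) and the log view filter (page 123) work on the same information that every syslog message carries in its PRI header: facility (the message source) and severity. The following added example (not code from the manual or from Rohde & Schwarz) decodes the PRI field, decides which of several forwarding targets a message would go to, and filters a log by severity and search string. The sample messages and the server list are constructed; the routing policy (per-server facility set and minimum severity) is an assumption about how such a forwarding table is expressed, not the firewall's own format.

```python
import re

# RFC 3164 / RFC 5424: PRI = facility * 8 + severity, sent as "<PRI>" prefix.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample messages, not taken from a gateprotect log.
SAMPLE_LOG = [
    "<34>Oct 11 22:14:15 fw sshd[123]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "<22>Oct 11 22:14:16 fw postfix/smtpd[456]: connect from mail.example.net[203.0.113.5]",
    "<13>Oct 11 22:14:17 fw gp-admin: configuration activated by user admin",
    "<150>Oct 11 22:14:18 fw httpproxy: GET http://www.example.com/ 200",
]

# Constructed forwarding targets: each receives messages from the listed
# facilities (None = any) whose severity is max_severity or more urgent.
SERVERS = [
    {"name": "siem", "facilities": None, "max_severity": "notice"},
    {"name": "mail-archive", "facilities": {"mail"}, "max_severity": "debug"},
    {"name": "pager", "facilities": None, "max_severity": "crit"},
]


def parse_pri(line):
    """Split a syslog line into (facility name, severity name, remainder)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity], m.group(2)


def route(line, servers=SERVERS):
    """Names of the servers a message would be forwarded to."""
    facility, severity, _ = parse_pri(line)
    urgency = SEVERITIES.index(severity)  # 0 = most urgent, 7 = debug
    targets = []
    for srv in servers:
        if srv["facilities"] is not None and facility not in srv["facilities"]:
            continue
        if urgency > SEVERITIES.index(srv["max_severity"]):
            continue
        targets.append(srv["name"])
    return targets


def filter_logs(lines, severity=None, search=None):
    """Keep lines at least as urgent as `severity` whose text contains `search`."""
    kept = []
    for line in lines:
        _, sev, rest = parse_pri(line)
        if severity is not None and SEVERITIES.index(sev) > SEVERITIES.index(severity):
            continue
        if search is not None and search.lower() not in rest.lower():
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        facility, severity, _ = parse_pri(line)
        print(f"{facility:8} {severity:7} -> {route(line)}")
    print(filter_logs(SAMPLE_LOG, severity="err"))
```

When checking a forwarding setup, feed the server a message of each facility and severity you expect and confirm it arrives where the table says; a message that lands nowhere (the `local2`/`info` sample above) is the usual sign of a source that was never mapped.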
  • Page 124: Ping Settings

    Use the diagnostic tools to verify whether the gateprotect Firewall can communicate with a computer or other device at a specific network address (ping) or to follow the path a message takes as it travels through the network (traceroute).
  • Page 125 "Destination": Enter the IP address of the final destination. "Max Hops": Enter the maximum number of nodes (routers or other devices) to be traversed on the way to the destination. The default number is set to 30, but you can enter any integer from 1 to 255.
  • Page 127: Index

    ® Index R&S GP-U/GP-E/GP-S/GP-T Index
    AD, see directory service (p. 35); Administrators (p. 26); Antispam (p. 99); Antivirus (p. 95); Application filter (pp. 89, 91); Audience; GUI, see web client (p. 13); Header area (p. 14); High Availability (HA) (p. 45)
  • Page 128 Internet objects (p. 78); IP ranges (p. 85); Networks (p. 84); User groups (p. 81); Users (p. 80); VPN groups; QoS connections (p. 77); Quality of Service (QoS) (p. 76); Server access (p. 41); SNMP (p. 119); Time settings (p. 43)
  • Page 129 VPN (p. 103): IPsec connections (p. 107), IPsec settings (p. 104), VPN connections (p. 107), VPN SSL connections (p. 111), VPN SSL settings (p. 105); VPN groups (p. 87); VPN hosts (p. 86); VPN networks
