Allied Telesis AR Series Technical Manual

Technical Guide
Feature Overview and Configuration Guide
Advanced Network Protection
C613-22104-00 REV B

Summary of Contents for Allied Telesis AR Series

  • Page 1 Technical Guide Feature Overview and Configuration Guide Advanced Network Protection C613-22104-00 REV B...
  • Page 2 GNU General Public License (GPL) and will make all required source code available. If you would like a copy of the GPL source code contained in Allied Telesis products, please send us a request by registered mail including a check for US$15 to cover production and shipping costs and a CD with the GPL code will be mailed to you.
  • Page 3: Table Of Contents

    Contents: Introduction (5); Products and Software Versions that apply to this Guide (6); Related Documents (7); Licensing (8); Feature Overview (9); Intrusion Prevention System (IPS) (10); Anti-virus (13); IP Reputation (14); Malware Protection (16); Web Control (17); URL filtering (20); UTM Offload (22); Selecting a Security Solution ...
  • Page 4 Contents (continued): How to Discover which Web Control Categories Website URLs Belong to (42); Configuring Web Control with Firewall Enabled (43); Configuring URL filtering (45); How to Use URL Filtering (45); Configuring URL Filtering (48); Setting up and Configuring UTM Offload (53); Setting up UTM Offload (53); About the Offload Image (55); Configuring UTM Offload on VMware ESXi Server (56) ...
  • Page 5: Introduction

    This guide describes the Advanced Network Protection features on the AR-Series UTM firewalls AR4050S and AR3050S and how to configure them. It also describes the performance effects when various combinations of advanced security features are in use. AlliedWare Plus Advanced Network Protection features provide the first line of defense against a wide range of malicious content.
  • Page 6: Products And Software Versions That Apply To This Guide

    This guide applies to AlliedWare Plus™ products that support Advanced Network Threat Protection features, running version 5.4.5 and later. To see whether your AR-Series UTM Firewall supports a particular feature or command, see the following documents: ...
  • Page 7: Related Documents

    UTM Offload: Version 5.4.8-1.2 supports UTM Offload (AR4050S only). Logging: Version 5.4.7-1.x assigns facility local5 for all log messages generated by firewall UTM features; version 5.4.7-1.x and later support firewall connection logging. Related Documents: The following documents give more information about related features on AlliedWare Plus products: ...
  • Page 8: Licensing

    The AR-Series UTM firewalls have two subscription licensing options for the advanced security features. The following table shows the features included in those licenses, and whether they are proxy or stream-based processes (columns: License Type, Features included; rows begin Base: Intrusion Prevention System (IPS); Next-Gen Firewall (NGFW): ...
  • Page 9: Feature Overview

    This section provides a brief description of each of the Advanced Network Protection features available on the AR-Series UTM firewalls. Intrusion Prevention System (IPS): IPS is a stream-based intrusion detection and prevention system that is positioned at the perimeter of a network and effectively protects network security.
  • Page 10: Intrusion Prevention System (Ips)

    The pattern files are frequently updated (some are updated multiple times a day) and made available for download on the Allied Telesis update server. The AR-Series UTM firewalls automatically check the Allied Telesis download server for new updates to pull down.
  • Page 11 Once threats or attacks are detected, the IPS engine can take the following actions:
      • Alert: generate a log message (default action)
      • Deny: drop matching packets
    The firewall is used in conjunction with the IPS engine. The IPS engine is the first line of defense and it captures the traffic before it reaches the firewall.
  • Page 12 AlliedWare Plus IPS supports the following key IPS features. Basic Operation:
      • IPS protection is disabled by default
      • IPS is deployed in stream mode
      • IPS processing occurs before the firewall
    Configuration:
      • All categories have a default action of alert ...
  • Page 13: Anti-Virus

    This feature is supported from AlliedWare Plus version 5.4.5 or later. AlliedWare Plus™ Anti-virus provides the first line of defense against a wide range of malicious content, guarding against threats such as viruses, Trojans, worms, spyware and adware. In addition to protecting the local network by blocking threats in inbound traffic, it also prevents compromised hosts or malicious users from launching attacks.
  • Page 14: Ip Reputation

    This feature is supported from AlliedWare Plus version 5.4.5 or later. IP Reputation uses Emerging Threats' ET Intelligence to identify and categorize IP addresses that are known sources of spam, viruses and other malicious activity. This can improve the success of Intrusion Prevention System (IPS) by reducing false positives.
  • Page 15 Figure 1: IP Reputation (figure: traffic probes feed threat analysis of Internet traffic; IP addresses are scored per category, for example category spammer with IP address A score 30, IP address B score 40 and IP address C score 20, and category bot with IP address A score 30) ...
  • Page 16: Malware Protection

    AlliedWare Plus Malware Protection is supported from AlliedWare Plus version 5.4.5 or later. Stream-based Malware Protection scans traffic in real time as it traverses the device for known malware and blocks the traffic once a threat has been detected. AlliedWare Plus Malware Protection provides the first line of defense against a wide range of malicious content.
  • Page 17: Web Control

    Web Control is supported in version 5.4.5 or later. AlliedWare Plus Web Control provides a new level of service for business productivity management, compliance and web security. It offers an easy way to monitor and control the types of websites viewed by employees.
  • Page 18 In the case of HTTPS, if the Server Name Indication (SNI) is present in the TLS handshake exchange, it is extracted and sent to the URL classifier engine for categorization. The SNI only includes the hostname of the website, not the full path of the URL requested.
  • Page 19 Figure 2: Web Control block action; Figure 3: Web Control allow action (figures: Digital Arts Active Rating System, router, users, web servers)
  • Page 20: Url Filtering

    Kaspersky. If Kaspersky-sourced lists are being used, the device will automatically download list updates from the Allied Telesis update server. URL Filtering provides a fast, efficient (stream-based) method of blocking web traffic from locations that are known to be undesirable.
  • Page 21 are not visible for processing. Instead, the domain name specified in the TLS SNI (Transport Layer Security Server Name Indication) for each HTTPS request is used as the URL for matching. The SNI field is contained within the Client Hello message supplied during the TLS handshake when a client web browser first attempts to access a secure HTTPS server website.
  • Page 22: Utm Offload

    UTM Offload is supported in version 5.4.8-1.2 or later on the AR4050S. How does UTM Offload work? UTM Offload enables some security and threat protection features (IPS, IP Reputation, Malware Protection, and URL Filtering) to be offloaded to a secondary physical or virtual machine that is automatically managed by the AR4050S.
  • Page 23 The AR4050S automatically manages the offload device for you. You don’t need to configure the offload device, as configuration and the status of all features is presented the same whether offloaded or not. See also "Setting up and Configuring UTM Offload" ...
  • Page 24: Selecting A Security Solution

    This section describes in more detail the following:
      • "Proxy Versus Stream-based Security Processing" on page 24
      • "Packet Flow Architecture" on page 25, including UTM CPU processing requirements ...
  • Page 25: Packet Flow Architecture

    By the nature of its operation, proxy-based scanning provides the best detection, and is equivalent to desktop computer based anti-virus systems. However, it is also more memory and CPU resource-intensive, and therefore inherently slower than stream-based scanning. A single-user connection to a single website can potentially involve managing multiple simultaneous sessions.
  • Page 26 Firstly, let's take a look at the basic security architecture. Figure 5: Firewall proxy and stream processing order (figure labels: Malware Protection, IP Rep, Filtering, Stream, Forwarding, DPI, Application Control, Firewall, Decoding Engine, Shaping, Anti-virus, Proxy Engine, Proxy) ...
  • Page 27 matches. For example, an HTTP/1.1 GET request containing a URL would be processed via the URL filtering rule-set within the Suricata engine, whereas an IP data stream not containing a URL would not be matched against the URL filtering rule-set. UTM CPU processing requirements: As each security function is enabled, the additional processing cost results in fewer CPU processing cycles being available to be dedicated to packet forwarding, so overall throughput can be ...
  • Page 28: Selecting A Utm Firewall

    Use this section to select the appropriate UTM firewall router platform to meet your network security and forwarding performance requirements. Each network is different, so we recommend fully auditing your current network application traffic flows, and assessing your network security and performance requirements as part of your platform selection process.
  • Page 29 internal hosts. This method of security is inherently more secure than stream-based scanning. However, this reduces the number of concurrent connections per second and the recommended number of users. Features required for each scenario: The following table shows the features to use to support each scenario, and the licenses that contain each feature (columns begin with LICENSE ...
  • Page 30: Url Filtering Or Web Control

    The following table offers some guidelines for estimating the performance each UTM Firewall will experience under each scenario described above (columns: Application-aware Firewall; Real-time Threat Protection and Web Control; High Aggregation Security Gateway; rows begin with Firewall throughput, Throughput (Enterprise ...
  • Page 31: Anti-Virus Or Malware Protection

    Network administrators are allowed to statically configure any number of their own black-listed and white-listed URLs. Web Control is a proxy-based web-categorization service. This feature uses an external categorization service to provide real-time protection. The list of malicious and phishing websites is constantly updated in real time by the categorization service provider.
  • Page 32: Firewall/Nat Rules, Entities And Performance

    downloaded and scanned, whereas Malware Protection scans content as it passes through, so that the data is not held up waiting for the download to complete. As soon as Malware Protection detects a threat within a stream of data, it immediately stops forwarding any more of the stream. However, Malware Protection does not have the ability to serve an ‘Access Denied’ ...
  • Page 33 In most situations, a single rule to masq any traffic from LAN to WAN is sufficient, without the need to configure NAT masq rules for each individual application. There may typically also be a few NAT port forwarding rules configured to allow external application traffic from the Internet to the public IP address to be translated to reach the internal addresses of internal servers.
  • Page 34: Configuring Intrusion Prevention System (Ips)

    This is an example of how to configure IPS. By default, IPS protection is disabled; you need to explicitly enable it. To show the list of built-in categories that AlliedWare Plus IPS supports, use the command:
      awplus#show ips categories
    Enter the IPS mode.
  • Page 35: Configuring Anti-Virus

    This section provides an example of how to configure Anti-virus. By default, Anti-virus protection is disabled and you need to explicitly enable it.
    Step 1: Enter the Antivirus mode.
      awplus#configure terminal
      awplus(config)#antivirus
    Step 2: Set the provider and enable Anti-virus protection.
      awplus(config-antivirus)#provider kaspersky
      awplus(config-antivirus)#protect ...
  • Page 36: Configuring Ip Reputation

    This section shows an example of how to configure IP Reputation. By default, IP Reputation protection is disabled and you need to explicitly enable it.
    Step 1: Enter the IP Reputation mode.
      awplus#configure terminal
      awplus(config)#ip-reputation
    Set the IP Reputation database provider.
  • Page 37: Configuring Malware Protection

    This section shows an example of how to configure Malware Protection. By default, Malware Protection is disabled and you need to explicitly enable it.
    Step 1: Enter the Malware Protection Configuration mode.
      awplus#configure terminal
      awplus(config)#malware-protection
    Set the provider and enable Malware Protection.
  • Page 38: Configuring Web Control

    This section provides examples of how to configure web control:
      • "How to Configure Basic Web Control" on page 38
      • "How to Configure Web Control Default Action Per-entity" on page 40 ...
  • Page 39 provider categorization. If a URL or website matches custom criteria, then the URL will not be further sent for categorization by the provider criteria. The provider performs the categorization of URLs into the appropriate category, so there is no need to configure specific match criteria for predefined categories.
  • Page 40: How To Configure Web Control Default Action Per-Entity

    The default action to take on uncategorized websites and categorized websites that do not hit any user-defined Web Control filter rules is to deny access to the website. However, if there are multiple firewall entities configured in the device (such as multiple firewall zones), then you may wish to configure different default actions for each individual entity for any URLs that do not match filter rules.
  • Page 41 Figure 8: Web Control for more than one entity (figure: hosts behind the router; category banned blocked, category art permitted, category sports permitted, other sites blocked; Internet). Example 3: The following shows how to configure two firewall entities, with a different default action being applied for each entity.
  • Page 42: How To Discover Which Web Control Categories Website Urls Belong To

      awplus(config-category)#match youtube
      awplus(config-category)#match movies
      awplus(config-category)#match gambling
      awplus(config-category)#category art
      awplus(config-category)#match contemporary
      awplus(config-category)#match classic
      awplus(config-category)#category sports
      awplus(config-category)#match rugby
    Step 5: Create rules for the categories.
      awplus(config-category)#rule 10 permit art from marketing.research
      awplus(config-web-control)#rule 20 permit sports from marketing.research
      awplus(config-web-control)#rule 30 deny any from marketing.research
      awplus(config-web-control)#rule 40 deny banned from admin.payroll
      awplus(config-web-control)#rule 50 permit any from admin.payroll ...
  • Page 43: Configuring Web Control With Firewall Enabled

      awplus#web-control categorize http://www.ebay.com http://www.amazon.com
      http://ebay.com ==> 54 (Online Auctions)
      http://www.amazon.com ==> 55 (Online Shopping)
    You can inquire about HTTPS URLs:
      awplus#web-control categorize https://reddit.com/r/nfl
      https://reddit.com ==> [Social Bookmarks(31)] [Forums(63)]
    Enable web control and control access to categories. Step 2: Enable web control.
  • Page 44 For example, the firewall rule below permits the HTTP traffic (containing the categorization request) originating from the UTM firewall external interface (located within the public zone) to reach the Digital Arts ARS.
      awplus(config-firewall)#rule permit http from PUBLIC.EXTERNAL.INTERFACE to PUBLIC
    For more information about firewall rules and zone, network, or host entities see the Firewall and ...
  • Page 45: Configuring Url Filtering

    This section describes how to use, configure and monitor URL filtering. For more information about the URL Filtering feature, see "URL filtering". How to Use URL Filtering: To use URL filtering, you can either use: ...
  • Page 46 Details of the content of custom lists: A custom list is an ASCII formatted text file containing zero or more single-line pattern matches. So far, we have looked at the general syntax of the entries in these files. Here we look in more detail at the rules governing the content of these files: ...
  • Page 47 Table 2: Blacklisted domain and string pattern match criteria (columns: Pattern, Blocked URLs, Non-blocked URLs; entries include: www.mydotcomurl.com; myausurl.com.au; com.au; www.myausurl.com.au:8080/file.txt; mydotcomurl.com; myrussian.pp.ru; myfakerussian.ru.org; faz.com; auzi.id.au; zulu.com; me.kiwi.nz; fish.com/folder1/file.gz; www.google.co.nz/search?client=ubuntu&channel=fs&q=ziare&ie=utf-8&oe=utf-8&gfe_rd=cr&ei=ZfKWVqgtk5PABN6YtqgD; *mysite.com/; mysub.mysite.com; mysub.mysite.com/mypage; www.mysite.com; mysite.com/*; www.mysite.com/mypage.html; mysub.mysite.com/mypage; www.mysite.com/; www.mysite.com.au; www.mysite.com; *mysite.com*; mypage.mysite.com.au ...
  • Page 48: Configuring Url Filtering

    Limits: URL filtering is limited to 1000 custom whitelist and 1000 custom blacklist rules, spread over any number of list files. Configuring URL Filtering: URL filtering is turned on by configuring a whitelist that uses a custom file, a blacklist that uses a custom file, or blacklisting that uses the Kaspersky service.
  • Page 49 Using multiple whitelists and blacklists: The AR-Series firewalls support pattern checking against multiple whitelists and multiple blacklists. Multiple custom whitelists or blacklists can be configured and checked as follows:
      awplus(config)#url-filter
      awplus(config-url-filter)#blacklist blacklist1.txt
      awplus(config-url-filter)#blacklist blacklist2.txt
      awplus(config-url-filter)#blacklist blacklist3.txt
      awplus(config-url-filter)#whitelist whitelist1.txt
      awplus(config-url-filter)#whitelist whitelist2.txt ...
  • Page 50 Rules for processing lists. The order of processing of lists is:
      • First: whitelists
      • Second: custom blacklists
      • Third: Kaspersky-provided blacklists
    The matching logic is that as soon as a URL matches an entry in a list that it is being compared against, comparing stops and the relevant action (allow, if the match occurs in a whitelist, or deny, if the match occurs in a blacklist) is taken.
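    The list-processing order above, worked through as an added example; this is not code from the Allied Telesis guide or its software. The list files, their entries and the URLs are constructed. The pattern semantics (`*` as a wildcard that anchors the pattern to the whole subject, otherwise a substring match) and the allow result when no list matches are assumptions, since the guide's Table 2 holds the real matching rules. HTTPS URLs are reduced to the hostname before matching, following the guide's note that the TLS SNI is used as the URL for HTTPS requests, which is also why a blacklist entry carrying a path never fires on an HTTPS request.

```python
"""URL filter list evaluation: whitelists, then custom blacklists, then the
provider (Kaspersky) blacklist, stopping at the first match.
Added example, not Allied Telesis code."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed lists (one pattern per line in the real files). File names mirror
# the guide's blacklist1.txt / whitelist1.txt naming; the entries are made up.
WHITELISTS: Dict[str, List[str]] = {
    "whitelist1.txt": ["intranet.example.com", "*.updates.example.net"],
}
CUSTOM_BLACKLISTS: Dict[str, List[str]] = {
    "blacklist1.txt": ["gambling-example.test", "*.example.org/downloads/*"],
    "blacklist2.txt": ["example.net"],
}
PROVIDER_BLACKLISTS: Dict[str, List[str]] = {
    "kaspersky": ["malware-example.test"],
}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumed pattern semantics: '*' matches any run of characters and anchors
    the pattern to the whole subject; a pattern without '*' matches anywhere."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if "*" in pattern:
        return re.compile("^" + body + "$", re.IGNORECASE)
    return re.compile(body, re.IGNORECASE)


def match_subject(url: str) -> str:
    """Return the text the list entries are compared against.

    HTTP:  host[:port] plus path and query, i.e. the request URL without scheme.
    HTTPS: the hostname only; the request line is encrypted and the guide says
           the TLS SNI (hostname) is used as the URL instead."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return host
    subject = host + (f":{parts.port}" if parts.port else "")
    subject += parts.path or "/"
    if parts.query:
        subject += "?" + parts.query
    return subject


def evaluate(url: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, list_name, pattern) for the first matching entry.

    Stage order follows the guide: whitelists first, then custom blacklists,
    then the provider blacklist, so a whitelist hit wins even when a blacklist
    would also match. No match -> ('allow', None, None) (assumption)."""
    subject = match_subject(url)
    stages = (
        ("allow", WHITELISTS),
        ("deny", CUSTOM_BLACKLISTS),
        ("deny", PROVIDER_BLACKLISTS),
    )
    for action, lists in stages:
        for list_name, patterns in lists.items():
            for pattern in patterns:
                if pattern_to_regex(pattern).search(subject):
                    return action, list_name, pattern
    return "allow", None, None


if __name__ == "__main__":
    for test_url in (
        "http://intranet.example.com/login",
        "https://files.updates.example.net/patch",     # whitelist beats blacklist2
        "http://www.example.net/",
        "http://www.example.org/downloads/tool.exe",
        "https://www.example.org/downloads/tool.exe",  # path hidden by TLS: no hit
        "https://malware-example.test/x",
    ):
        print(f"{test_url:48} -> {evaluate(test_url)}")
```

    The two `example.org` cases show the operational consequence of the SNI rule: a path-qualified blacklist entry blocks the HTTP download but not the same download over HTTPS, so host-level entries are what actually enforce for TLS traffic.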
  • Page 51 Updating lists. Updating the Kaspersky blacklist: When subscribed to the Kaspersky URL Filter service, updates to the Kaspersky blacklist will be made available. By default URL filtering checks for updates to the Kaspersky blacklist every hour. You can configure the update interval via the update-interval command in url-filter configuration mode.
  • Page 52 Monitoring URL Filtering: The show url-filter command displays a summary of the state of URL filtering, including the provider state, and counts of entries in each provided list. Any lists that contain too many entries to load will be noted here.
  • Page 53: Setting Up And Configuring Utm Offload

    Setting up UTM Offload: The following steps, described in more detail below, are required to set up UTM Offload:
      • Purchase, download, and install the UTM Offload license on the AR4050S ...
  • Page 54 The AR4050S manages the offload device and offloads traffic automatically. Setting up the offload device: The offload device can be any physical computer or virtual machine (VM). To use the UTM Offload feature, there must be a direct Ethernet connection from the forwarding device (AR4050S) to the offload device.
  • Page 55: About The Offload Image

    The Allied Telesis Next Generation Firewall Appliance (AFA) software release is the image that is automatically downloaded and installed into the UTM Offload device. The offload image is downloaded from the Update Server by the forwarding device and used to network boot the offload device.
  • Page 56: Configuring Utm Offload On Vmware Esxi Server

    Many enterprises today have bare-metal hypervisor technology such as VMware ESXi Server running on powerful server hardware locally, to provide business critical applications and resources. This is a great use case for UTM Offload as businesses can utilize already existing hardware, simply by creating a new VM instance (virtual machine) to provide throughput improvements with the AR4050S while using the Advanced Threat Protection feature set.
  • Page 57 Note: The offload device must have an unused serial port. From the Select a name and guest OS page, enter a unique Name. Use the drop-down boxes to select Compatibility, Guest OS family, and Guest OS version. From the Select storage page, select the datastore for your configuration.
  • Page 58 From the Customize settings page, configure the Virtual Hardware and VM Options.
      • Select Serial port.
  • Page 59
      • Select Connect
      • Check the settings and click Finish.
  • Page 60
      • Click Play
  • Page 61: Security Considerations

    Expand the Networking drop-down menu and select the vSwitch that attaches to the UTM Offload device and set the MTU to 1600 bytes. Security Considerations: In all use cases UTM Offload should be deployed on a physically secured network because data traffic between the forwarding device and offload device has no additional security applied.
  • Page 62: Configuring Firewall And Nat Allowing Utm Offload On The Ar4050S

    The following is a simple configuration for firewall and NAT allowing UTM Offload. Configuration notes:
      • Rule 30 will allow the device to access the Update Manager. ...
  • Page 63: Utm Offload Glossary

      • Forwarding device (AR4050S): The device that intercepts packets, sends them to the offload device for processing and finally forwards the packets when they return. It also manages the configuration of the offload device. ...
  • Page 64: Logging

    This section gives a brief summary of what you can log in AlliedWare Plus devices, including how to read AlliedWare Plus log messages, followed by details about logging for each of the UTM features, and a simple configuration example. ...
  • Page 65: Reading Log Messages

    Log messages generated by AlliedWare Plus show information in the following format:
      <date> <time> <facility>.<severity> <hostname> <program>[<pid>]: <message>
    Table 3: Elements in log messages (columns: Element, Description). <date> ...: The date and time when the log message was generated, according to the device’s clock. ...
  • Page 66: Utm Log Messages

    Output 6: Example firewall log messages
      2016 Nov 28 23:26:34 kern.info awplus kernel: Firewall rule 10: PERMIT IN= OUT=eth0 SRC=192.168.5.2 DST=192.168.5.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7935 DF PROTO=ICMP TYPE=8 CODE=0 ID=2406 SEQ=1
      2016 Nov 25 14:10:38 kern.info awplus kernel: Firewall: DENY probe FIN IN=vlan1 OUT=eth1 MAC=00:00:cd:38:00:bc:52:54:6b:6b:0f:1e:08:00 SRC=192.168.1.1 DST=172.16.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=54219 PROTO=TCP SPT=6000 DPT=21 WINDOW=512 RES=0x00 UG PSH FIN URGP=0 ...
  • Page 67: Ips Log Messages

    For each specific UTM feature, particular information will be generated in the log messages, as described below. IPS Log Messages: IPS log messages have severity ‘info’ (6). The message part includes information in the following format:
      <action> ...
  • Page 68: Ip Reputation Log Messages

    IP Reputation log messages have severity ‘info’ (6). The message includes information in the following format:
      <action> IPREP: <alert-msg> (URL:<url>) <protocol> <source-ip>:<source-port> -> <dest-ip>:<dest-port>
    Table 6: Elements in IP Reputation log messages (columns: Message element, Description). The action applied by the IP reputation feature; ...
  • Page 69: Url Filtering Log Messages

    Output 9: Example Malware Protection log messages
      2016 Nov 17 02:13:08 local5.info awplus IPS[1939]: [Drop] MALWARE: Virus detected by signature URL:http:/[172.16.92.2]/data/byte/sample.exe [http] 172.16.92.2:80 -> 192.168.92.1:60784
      2016 Nov 17 02:32:02 local5.info awplus IPS[2014]: [Drop] MALWARE: Virus detected by signature [tcp] 172.16.92.2:42168 -> 192.168.92.1:45528
      2016 Nov 17 02:33:59 local5.info awplus IPS[1913]: [Drop] MALWARE: File with known bad MD5 detected (ITW) URL:http:/[172.16.92.2]/data/md5/EICAR-Test-File [http] 172.16.92.2:80 -> ...
  • Page 70 Output 10: Example URL filtering log message for a dropped URL request
      2016 Nov 17 02:02:21 local5.info awplus IPS[2039]: [Drop] URLFILTER: URL:http:/ kdskspb.ru/ [http] 192.168.1.1:58272 -> 172.16.1.2:80
    Output 11: Example URL filtering log message for a permitted URL request when log url-requests is configured
      2017 Apr 12 03:47:21 local5.info awplus IPS[3885]: [Http] URL:http://172.16.1.2/ 192.168.1.1:53698 -> ...
  • Page 71: Web Control Log Messages

    Output 12: Example URL filtering log message for a dropped URL request
      2016 Nov 17 02:02:21 local5.info awplus IPS[2039]: [Drop] URLFILTER: URL:http:/ kdskspb.ru/ [http] 192.168.1.1:58272 -> 172.16.1.2:80
    Output 13: Example URL filtering log message for a permitted URL request when log url-requests is configured
      2017 Apr 12 03:47:21 local5.info awplus IPS[3885]: [Http] URL:http://172.16.1.2/ 192.168.1.1:53698 -> ...
  • Page 72: Firewall Connection Logging

      antivirus: Unable to scan <url> to <client-ip>: <reason>
      antivirus: Unable to allocate memory to scan <url> to <client-ip>
      antivirus: Max scan depth exceeded for <url> to <client-ip>
    All the above Anti-virus log messages have severity level ‘warning’ (4). Table 11: Elements in Anti-virus log messages (columns: Message element, Description) ...
  • Page 73 New connection log messages include information in the following format for a newly started firewall connection:
      NEW proto={tcp|udp|icmp|...|<number>} orig_src={<ipv4-addr>|<ipv6-addr>} orig_dst={<ipv4-addr>|<ipv6-addr>} [orig_sport=<source-port>] [orig_dport=<dest-port>] reply_src={<ipv4-addr>|<ipv6-addr>} reply_dst={<ipv4-addr>|<ipv6-addr>} reply_sport=<source-port> reply_dport=<dest-port>
    Closed connection log messages include information in the following format for a firewall connection that has ended:
      END proto=[tcp|udp|icmp|...|<protocol-number>] orig_src={<ipv4-addr>|<ipv6-addr>} orig_dst={<ipv4-addr>|<ipv6-addr>} [orig_sport=<source-port>] ...
  • Page 74: Utm Offload Logging

    Output 17: Example connection log messages for TCP connection
      NEW proto=TCP orig_src=192.168.1.100 orig_dst=192.168.1.1 orig_sport=55532 orig_dport=80 reply_src=192.168.1.1 reply_dst=192.168.1.100 reply_sport=80 reply_dport=55532
      END proto=TCP orig_src=192.168.1.100 orig_dst=192.168.1.1 orig_sport=55532 orig_dport=80 orig_pkts=7 orig_bytes=522 reply_src=192.168.1.1 reply_dst=192.168.1.100 reply_sport=80 reply_dport=55532 reply_pkts=4 reply_bytes=811
    Output 18: Example connection log messages for ICMP connection
      NEW proto=ICMP orig_src=192.168.1.1 orig_dst=192.168.1.100 reply_src=192.168.1.100 reply_dst=192.168.1.1
      END proto=ICMP orig_src=192.168.1.1 orig_dst=192.168.1.100 orig_pkts=2 ...
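    A parser for the log format documented on page 65 and exercised by the firewall lines of Output 6, the Malware Protection line of Output 9 and the connection-log lines of Outputs 17 and 18, as an added example that is not part of the Allied Telesis guide or its software. The sample lines are copied from those outputs; the connection-log lines appear in the guide without a syslog header, so the parser also accepts header-less input. The `[<pid>]` part is treated as optional because the kernel-generated firewall lines omit it, and the severity-name-to-number table is the standard syslog one, of which the guide cites 'info' (6) and 'warning' (4).

```python
"""Parse AlliedWare Plus UTM log lines: the syslog-style header the guide
documents, then the key=value fields of firewall and connection messages.
Added example, not Allied Telesis code."""
import re
from collections import Counter
from typing import Any, Dict, List, Tuple

# Header format quoted from the guide:
#   <date> <time> <facility>.<severity> <hostname> <program>[<pid>]: <message>
# The kernel-generated firewall lines carry no [<pid>], so it is optional here.
HEADER_RE = re.compile(
    r"^(?P<date>\d{4} [A-Za-z]{3} \d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+) (?P<hostname>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# Standard syslog severity numbers; the guide cites 'info' (6) and 'warning' (4).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Sample input copied from the guide's Output 6, Output 9 and Output 17. The
# NEW/END lines are shown there without a syslog header, so they stay header-less.
SAMPLE_LINES = [
    "2016 Nov 28 23:26:34 kern.info awplus kernel: Firewall rule 10: PERMIT IN= OUT=eth0 "
    "SRC=192.168.5.2 DST=192.168.5.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7935 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=2406 SEQ=1",
    "2016 Nov 25 14:10:38 kern.info awplus kernel: Firewall: DENY probe FIN IN=vlan1 OUT=eth1 "
    "MAC=00:00:cd:38:00:bc:52:54:6b:6b:0f:1e:08:00 SRC=192.168.1.1 DST=172.16.1.2 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=54219 PROTO=TCP SPT=6000 DPT=21 WINDOW=512 RES=0x00 "
    "UG PSH FIN URGP=0",
    "2016 Nov 17 02:13:08 local5.info awplus IPS[1939]: [Drop] MALWARE: Virus detected by "
    "signature URL:http:/[172.16.92.2]/data/byte/sample.exe [http] 172.16.92.2:80 -> 192.168.92.1:60784",
    "NEW proto=TCP orig_src=192.168.1.100 orig_dst=192.168.1.1 orig_sport=55532 orig_dport=80 "
    "reply_src=192.168.1.1 reply_dst=192.168.1.100 reply_sport=80 reply_dport=55532",
    "END proto=TCP orig_src=192.168.1.100 orig_dst=192.168.1.1 orig_sport=55532 orig_dport=80 "
    "orig_pkts=7 orig_bytes=522 reply_src=192.168.1.1 reply_dst=192.168.1.100 reply_sport=80 "
    "reply_dport=55532 reply_pkts=4 reply_bytes=811",
]


def parse_kv(message: str) -> Tuple[str, Dict[str, List[str]], List[str]]:
    """Split a message into (prefix, fields, flags): prefix is the text before
    the first key=value token ('Firewall: DENY probe FIN'); fields maps each key
    to a list of values because 'ID=' occurs twice in the ICMP line (IP header
    ID, then ICMP echo ID); flags are bare tokens between fields (DF, PSH, FIN)."""
    prefix: List[str] = []
    fields: Dict[str, List[str]] = {}
    flags: List[str] = []
    for token in message.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, []).append(value)
        elif fields:
            flags.append(token)
        else:
            prefix.append(token)
    return " ".join(prefix), fields, flags


def parse_line(line: str) -> Dict[str, Any]:
    """Parse one log line; header keys are None for header-less lines."""
    match = HEADER_RE.match(line)
    if match:
        record: Dict[str, Any] = match.groupdict()
        record["severity_num"] = SEVERITY.get(record["severity"])
    else:
        record = dict.fromkeys(("date", "time", "facility", "severity", "hostname",
                                "program", "pid", "severity_num"))
        record["message"] = line
    prefix, fields, flags = parse_kv(record["message"])
    record.update(prefix=prefix, fields=fields, flags=flags)
    return record


def denied_sources(lines: List[str]) -> Counter:
    """Count firewall DENY messages per source address: a first triage view."""
    hits: Counter = Counter()
    for rec in map(parse_line, lines):
        words = rec["prefix"].split()
        if words and words[0].startswith("Firewall") and "DENY" in words:
            hits[rec["fields"].get("SRC", [""])[0]] += 1
    return hits


def closed_connections(lines: List[str]) -> List[Dict[str, Any]]:
    """Summarise END connection messages as client/server byte counts."""
    out = []
    for rec in map(parse_line, lines):
        if rec["prefix"] != "END":
            continue
        f = rec["fields"]
        out.append({"proto": f["proto"][0], "client": f["orig_src"][0],
                    "server": f["orig_dst"][0], "orig_bytes": int(f["orig_bytes"][0]),
                    "reply_bytes": int(f["reply_bytes"][0])})
    return out


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["program"], rec["severity"], rec["prefix"], rec["fields"].get("SRC"), rec["flags"])
    print(denied_sources(SAMPLE_LINES), closed_connections(SAMPLE_LINES))
```

    Keeping every field as a list rather than a single value is deliberate: a naive dict would silently overwrite the IP header `ID=7935` with the ICMP echo `ID=2406`, and the same pattern protects any later field the firmware happens to repeat.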
  • Page 75 F: +31 20 7950021 alliedtelesis.com © 2018 Allied Telesis, Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.
