Freedom9 freeGuard 100 Administration Manual

Utm firewall

freeGuard 100 Administration Guide
freeGuard 100
UTM Firewall
ADMINISTRATION GUIDE
P/N: F0025000
Rev. 1.1

Summary of Contents for Freedom9 freeGuard 100

  • Page 1 100 Administration Guide freeGuard 100 UTM Firewall ADMINISTRATION GUIDE P/N: F0025000 Rev. 1.1...
  • Page 2 © Copyright 2006, freeGuard and the freedom9 company logo are trademarks or registered trademarks of Freedom9 Inc. All rights reserved. Windows is a trademark or registered trademark of Microsoft Corporation. Other trademarks or registered trademarks are the property of their respective...
  • Page 3: Table Of Contents

    Introduction; About freeGuard 100 UTM Firewall; 1.1.1 Antivirus protection; 1.1.2 Web content filtering; 1.1.3 Spam filtering; 1.1.4 Firewall; 1.1.5 VLANs and virtual domains; 1.1.6 Intrusion Prevention; 1.1.7 VPN; 1.1.8 High availability; 1.1.9 Secure installation; Document conventions...
  • Page 4 4.6.1 Connecting a modem to the freeGuard 100; 4.6.2 Configuring modem settings; 4.6.3 Redundant mode configuration; 4.6.4 Standalone mode configuration; 4.6.5 Adding firewall policies for modem connections; 4.6.6 Connecting and disconnecting the modem; 4.6.7 Checking modem status; VLAN...
  • Page 5 Key chain list; 10.4.11 New key chain; 10.4.12 Key chain list entry; 10.5 Monitor; Restoring...
  • Page 6 10.5.1 Routing monitor list; 11 Firewall; 11.1 Policy; 11.1.1 How policy matching works; 11.1.2 Policy list; 11.1.3 Policy options; 11.1.4 Advanced policy options; 11.1.5 Configuring firewall policies; 11.1.6 P...
  • Page 7 12.3.1 RADIUS server list; 12.3.2 RADIUS server options; 12.4 LDAP; 12.4.1 LDAP server list; 12.4.2 LDAP server options; 12.5 User group; 12.5.1 User group list; 12.5.2 User group options; 13 VPN; 13.1 P 1 ...
  • Page 8 15.2 Config; 15.2.1 Virus list; 15.2.2 Config; 15.2.3 Grayware; 15.2.4 Grayware options; 15.3 CLI configuration; 15.3.1 config antivirus heuristic; 15.3.2 config antivirus service http; 15.3.3...
  • Page 9 17.7 Banned word; 17.7.1 Banned word list; 17.7.2 Banned word options; 17.7.3 Configuring the banned word list; 17.8 Using Perl regular expressions; 18 Log & Report; 18.1 Log config; 18.1.1 Log Setting options; 18.1.2 A...
  • Page 11: Introduction

    For extra protection, you can configure antivirus protection to block specified file types from passing through the freeGuard 100. You can use the feature to stop files that might contain new viruses. freeGuard 100 antivirus protection can also identify and remove known grayware programs. Grayware programs are usually unsolicited commercial software programs that get installed on PCs, often without the user’s consent or knowledge.
  • Page 12: Web Content Filtering

    Relay Database List (ORDBL) servers. These services contain lists of known spam sources. If an email message is found to be spam, the freeGuard 100 adds an email tag to the subject line of the email. The recipient can use their mail client software to filter messages based on the email tag.
  • Page 13 NAT/Route mode In NAT/Route mode, the freeGuard 100 is a Layer 3 device. This means that each of its interfaces is associated with a different IP subnet and that it appears to other devices as a router. This is how a firewall is normally deployed.
  • Page 14: Vlans And Virtual Domains

    100 can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The freeGuard 100 can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between each security domain.
  • Page 15: High Availability

    Protocol (FCP). Each freeGuard 100 in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 freeGuard 100s to an HA cluster. Each freeGuard 100 in an HA cluster must be the same model and must be running the same OS firmware image.
  • Page 16: Document Conventions

    100 for HTTP and HTTPS administration from any freeGuard 100 interface. You can use the web-based manager to configure most freeGuard 100 settings. You can also use the web-based manager to monitor the status of the freeGuard 100. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service.
  • Page 17: Freedom9 Documentation

    100. freeGuard 100 CLI Reference Guide Describes how to use the freeGuard 100 CLI and contains a reference to all freeGuard 100 CLI commands. ipmacbinding or get...
  • Page 18 100 Log Message Reference Guide Describes the structure of freeGuard 100 log messages and provides information on all log messages generated by the freeGuard 100.
  • Page 19: Web-Based Manager

    100 for HTTP and HTTPS administration from any freeGuard 100 interface. You can use the web-based manager to configure most freeGuard 100 settings. You can also use the web-based manager to monitor the status of the freeGuard 100. Configuration changes made using the web-based manager are effective immediately without resetting the firewall or interrupting service.
  • Page 20: Contact Customer Support

    2.1.2 Easy Setup Wizard The freeGuard 100 setup wizard provides an easy way to configure basic initial settings for the freeGuard 100. The wizard walks through the configuration of a new administrator password, freeGuard 100 interfaces, DHCP server settings, internal servers (web, FTP, etc.), and basic antivirus settings.
  • Page 21: Logout

    Connect: Connect to the freeGuard 100 using the CLI. Disconnect: Disconnect from the freeGuard 100. Clear screen: Clear the screen. 2.1.4 Logout: The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window.
  • Page 22: Web-Based Manager Menu

    2.2.1 Web-based manager menu The menu provides access to configuration options for all major features of the freeGuard 100. System Configure system facilities, such as network interfaces, virtual domains, DHCP services, time and set system options. Router Configure the router.
  • Page 23: Icons

    Figure 5: Example of a web-based manager list The list shows some information about each item and the icons in the rightmost column enable you to take action on the item. In this example, you can select Delete to remove the item or select Edit to modify the item.
  • Page 24: Status Bar

    The status bar is at the bottom of the web-based manager screen. The status bar shows: • how long the freeGuard 100 has been operating since the last time it was restarted • the virtual domain to which the current page applies Virtual domain information is not shown if there is only one virtual domain.
  • Page 25: System Status

    System Status You can connect to the web-based manager and view the current system status of the freeGuard 100. The status information that is displayed includes the system status, unit information, system resources, and session log.
  • Page 26 Refresh: Select to manually update the system status display. System status. UP Time: The time in days, hours, and minutes since the freeGuard 100 was last started. System Time: The current time according to the freeGuard 100 internal clock. Notification: Contains reminders such as “Change Password”...
  • Page 27 Select Details to see the FTP site URL, date, time, user and lists of files uploaded and downloaded. Interface Status: All interfaces in the freeGuard 100 are listed in the table. Interface: The name of the interface. IP / Netmask: The IP address and netmask of the interface (NAT/Route mode only).
  • Page 28: Changing Unit Information

    To change to NAT/Route mode To change freeGuard 100 host name The freeGuard 100 host name appears on the Status page and in the freeGuard 100 CLI prompt. The host name is also used as the SNMP system name. The default host name is freeGuard 100.
  • Page 29 5. Select OK to copy the antivirus definitions update file to the freeGuard 100. 6. The freeGuard 100 updates the antivirus definitions. This takes about 1 minute. Go to System > Status to confirm that the Antivirus Definitions Version information has updated.
  • Page 30: Session List

    IP address. To change to NAT/Route mode After you change the freeGuard 100 from the NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults, except for HA settings. To change to NAT/Route mode: 1.
  • Page 31: Changing The Freeguard 100 Firmware

    100 admin user can change the freeGuard 100 firmware. After you download a freeGuard 100 firmware image from freedom9, you can use the procedures listed in Table 1 to install the firmware image on your freeGuard 100.
  • Page 32: Upgrading To A New Firmware Version

    4. Make sure the freeGuard 100 can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:...
  • Page 33: Reverting To A Previous Firmware Version

    • Back up web content and email filtering lists. If you are reverting to a previous freeGuard 100 version, you might not be able to restore the previous configuration from the backup configuration file. Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing.
  • Page 34 5. Type the path and filename of the firmware image file, or select Browse and locate the file. 6. Select OK. The freeGuard 100 uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the freeGuard 100 login. This process takes a few minutes.
  • Page 35: Installing Firmware Images From A System Reboot Using The Cli

    4. Make sure that the internal interface is connected to the same network as the TFTP server. 5. To confirm that the freeGuard 100 can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is...
  • Page 36 Enter Local Address [192.168.1.188]: 10. Type an IP address that the freeGuard 100 can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network that the interface is connected to. Make sure...
  • Page 37: Testing A New Firmware Image Before Installing It

    CLI by connecting to the freeGuard 100 console port using a null-modem cable, • install a TFTP server that you can connect to from the freeGuard 100 internal interface. The TFTP server should be on the same subnet as the internal interface.
  • Page 38 Enter TFTP server address [192.168.1.168]: 9. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: 10. Type an IP address that can be used by the freeGuard 100 to connect to the TFTP server.
  • Page 39 Default saving:[D/B/R] 12. Type R. The freeGuard 100 image is installed to system memory and the freeGuard 100 starts running the new firmware image but with its current configuration. 13. You can log into the CLI or the web-based manager using any administrative account.
  • Page 40: System Network

    100 IPv6 support Interface In NAT/Route mode, go to System > Network > Interface to configure freeGuard 100 interfaces and to add and configure VLAN sub interfaces. Note: Unless stated otherwise, in this section the term interface can refer to a physical freeGuard 100 interface or to a freeGuard 100 VLAN sub interface.
  • Page 41: Interface Settings

    4.1.1 Interface settings Interface settings displays the current configuration of a selected freeGuard 100 interface or VLAN sub interface. Use interface settings to configure a new VLAN sub interface or to change the configuration of a freeGuard 100 interface or VLAN sub interface.
  • Page 42 If you configure the interface to use DHCP, the freeGuard 100 automatically broadcasts a DHCP request. You can disable Connect to server if you are configuring the freeGuard 100 offline and you do not want the freeGuard 100 to send the DHCP request.
  • Page 43 If you configure the interface to use PPPoE, the freeGuard 100 automatically broadcasts a PPPoE request. You can disable connect to server if you are configuring the freeGuard 100 offline and you do not want the freeGuard 100 to send the PPPoE request.
  • Page 44 PPPoE server. DDNS: Enable or disable updates to a Dynamic DNS (DDNS) service. When the freeGuard 100 has a static domain name and a dynamic public IP address, select DDNS Enable to force the unit to update the DDNS server each time the address changes.
  • Page 45 The password to use when connecting to the DDNS server. Ping server: Add a ping server to an interface if you want the freeGuard 100 to confirm connectivity with the next hop router on the network connected to the interface. Adding a ping server is required for routing failover.
  • Page 46: Configuring Interfaces

    To add interfaces to a zone If you have added zones to the freeGuard 100, you can use this procedure to add interfaces or VLAN sub interfaces to the zone. You cannot add an interface to a zone if you have added firewall policies for the interface.
  • Page 47 4. Select the Retrieve default gateway and DNS from server check box if you want the freeGuard 100 to obtain a default gateway IP address and DNS server IP addresses from the DHCP server. 5. Select the Connect to Server check box if you want the freeGuard 100 to connect to the DHCP server.
  • Page 48 7. Select the Retrieve default gateway from server check box if you want the freeGuard 100 to obtain a default gateway IP address from the PPPoE server. 8. Select the Override Internal DNS check box if you want the freeGuard 100 to obtain a DNS server IP address from the PPPoE server.
  • Page 49 4. From the Server list, select one of the supported dynamic DNS services. 5. In the Domain field, type the fully qualified domain name of the freeGuard 100. 6. In the Username field, type the user name that the freeGuard 100 must send when it connects to the dynamic DNS server.
  • Page 50: Zone

    VLAN sub interfaces to add to the zone. Zones are added to virtual domains. If you have added multiple virtual domains to your freeGuard 100 configuration, make sure you are configuring the correct virtual domain before adding or editing zones.
  • Page 51: Zone Settings

    4.2.1 Zone settings Name Block intra-zone traffic Interface members To add a zone 1. If you have added a virtual domain, go to System > Virtual Domain > Current Virtual Domain and select the virtual domain to which you want to add the zone.
  • Page 52: Management

    100. Administrators connect to this IP address to administer the freeGuard 100. The freeGuard 100 also uses this IP address to connect to the FSDN for virus and attack updates. You can also configure interfaces to control how administrators connect to the freeGuard 100 for administration.
  • Page 53: Dns

    7. Click on the message to connect to the new Management IP. Several freeGuard 100 functions, including Alert E-mail and URL blocking, use DNS. You can add the IP addresses of the DNS servers to which your freeGuard 100 can connect. DNS server IP addresses are usually supplied by your ISP.
  • Page 54: Routing Table (Transparent Mode)

    2. Change the primary and secondary DNS server IP addresses as required. 3. Select Apply to save the changes. Routing table (Transparent Mode) In Transparent mode, you can configure routing to add static routes from the freeGuard 100 to local routers. 4.5.1...
  • Page 55: Configuring The Modem Interface

    Internet. 5. Select OK to save the route. Configuring the modem interface You can connect a modem to the freeGuard 100 and use it as either a backup interface or standalone interface in NAT/Route mode. •...
  • Page 56: Configuring Modem Settings

    Hayes AT commands. To connect, install a USB-to-serial converter between one of the two USB ports on the freeGuard 100 and the serial port on the modem. The freeGuard 100 does not support a direct USB connection between the two devices.
  • Page 57: Redundant Mode Configuration

    For the freeGuard 100 to be able to switch from an ethernet interface to the modem you must select the name of the interface in the modem configuration and configure a ping server for that interface.
  • Page 58: Standalone Mode Configuration

    In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the freeGuard 100 restarts or when there are unrouted packets. You can also hang up or redial the modem manually.
  • Page 59: Connecting And Disconnecting The Modem

    3. Make sure there is correct information in one or more Dialup Accounts. 4. Select Apply if you make any configuration changes. 5. Select Dial Now. 6. The freeGuard 100 initiates dialing into each dialup account in turn until the modem connects to an ISP. To disconnect the modem Use the following procedure to disconnect the modem from a dialup account.
  • Page 60: Freeguard 100S And Vlans

    VLANs in NAT/Route mode Operating in NAT/Route mode, the freeGuard 100 functions as a layer 3 device to control the flow of packets between VLANs. The freeGuard 100 can also remove VLAN tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet.
  • Page 61: Rules For Vlan Ids

    In this configuration, you add VLAN sub interfaces to the freeGuard 100 internal interface that have VLAN IDs that match the VLAN IDs of packets in the VLAN trunk. The freeGuard 100 directs packets with VLAN IDs, to sub interfaces with matching VLAN IDs.
  • Page 62: Adding Vlan Sub Interfaces

    8. Configure the VLAN sub interface settings as you would for any freeGuard 100 interface. 9. Select OK to save your changes. The freeGuard 100 adds the new VLAN sub interface to the interface that you selected in step 4.
  • Page 63: Vlans In Transparent Mode

    VLAN sub interface pair are applied to the packet. If the packet is accepted by the firewall, the freeGuard 100 forwards the packet to the destination VLAN sub interface. The destination VLAN ID is added to the packet by the freeGuard 100 and the packet is sent to the VLAN trunk.
  • Page 64: Rules For Vlan Ids

    VLAN ID. However, you can add two or more VLAN sub interfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN sub interfaces with same VLAN ID. Their relationship is the same as the relationship between any two freeGuard 100 network interfaces.
  • Page 65: Transparent Mode Vlan Settings

    4.9.4 Transparent mode VLAN settings VLAN settings displays the current configuration of a selected freeGuard 100 interface or VLAN sub interface. Use VLAN settings to configure a new VLAN sub interface or to change the configuration of a freeGuard 100 interface or VLAN sub interface.
  • Page 66: Freeguard 100 Ipv6 Support

    4.10 freeGuard 100 IPv6 support You can assign both an IPv4 and an IPv6 address to any interface on a freeGuard 100. The interface functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. freeGuard 100s support static routing, periodic router advertisements, and tunneling of IPv6-addressed traffic over an IPv4-addressed network.
  • Page 67: System Dhcp

    You can configure DHCP server or DHCP relay agent functionality on any freeGuard 100 interface or VLAN sub interface. A freeGuard 100 interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at the same time.
  • Page 68 DHCP server to the DHCP clients. The DHCP server must have a route to the freeGuard 100 that is configured as the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive at the freeGuard 100 performing DHCP relay.
  • Page 69: Server

    5. Add a DHCP server configuration for this interface. Server You can configure one or more DHCP servers for any freeGuard 100 interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on a network connected to the interface.
  • Page 70: Dhcp Server Settings

    DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days. DNS Server Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.
  • Page 71: Exclude Range

    DHCP request. The DHCP configuration packets are sent back to the router and the router relays them to the DHCP client. Exclude range Add up to 16 exclude ranges of IP addresses that freeGuard 100 DHCP servers cannot assign to DHCP clients. Exclude ranges apply to all freeGuard 100 DHCP servers. Create New Select Create New to add an exclude range.
  • Page 72: Dhcp Exclude Range Settings

    MAC address of the device. When you add the MAC address and an IP address to the IP/MAC binding list, the DHCP server always assigns this IP address to the MAC address. IP/MAC binding pairs apply to all freeGuard 100 DHCP servers. Create New Select Create New to add a DHCP IP/MAC binding pair.
  • Page 73: Dhcp Ip/Mac Binding Settings

    Delete icon. Delete an IP/MAC binding pair. Edit/View icon. View or modify an IP/MAC binding pair. 5.4.1 DHCP IP/MAC binding settings Name IP IP Address MAC Address To add a DHCP IP/MAC binding pair 1. Go to System > DHCP > IP/MAC Binding.
  • Page 74: System Config

    System Config Use the System Config page to make any of the following changes to the freeGuard 100 system configuration: • System time • Options • • SNMP • Replacement messages System time Go to System > Config > Time to set the freeGuard 100 system time.
  • Page 75: Options

    2. Select Synchronize with NTP Server to configure the freeGuard 100 to use NTP to automatically set the system time and date. 3. Enter the IP address or domain name of the NTP server that the freeGuard 100 can use to set its time and date.
  • Page 76 100 pings the target. Set the ping server dead gateway detection fail over number. Enter the number of times that ping fails before the freeGuard 100 assumes that the gateway is no longer functioning.
  • Page 77: System Time Options Ha

    1. Go to System > Config > Options. 2. For Detection Interval, type a number in seconds to specify how often the freeGuard 100 tests the connection to the ping target. 3. For Fail-over Detection, type a number of times that the connection test fails before the freeGuard 100 assumes that the gateway is no longer functioning.
  • Page 78 Protocol (FCP). Each freeGuard 100 in an HA cluster enforces the same overall security policy and shares the same configuration settings. You can add up to 32 freeGuard 100s to an HA cluster. Each freeGuard 100 in an HA cluster must be the same model and must be running the same OS firmware image.
  • Page 79: Ha Configuration

    HA mode. Also, if you are operating a freeGuard 100 HA cluster, you cannot change a freeGuard 100 interface in the cluster to be configured dynamically using DHCP or PPPoE. Configuring a freeGuard 100 interface to be a DHCP server or a DHCP relay agent is not affected by HA operation.
  • Page 80 Standalone Mode: Standalone mode is the default operation mode. If Standalone mode is selected the freeGuard 100 is not operating in HA mode. Select Standalone Mode if you want to stop a cluster unit from operating in HA mode. High Availability: Select High Availability to operate the freeGuard 100 in HA mode.
  • Page 81 You can configure a freeGuard 100 as the permanent primary unit by setting a high unit priority and by selecting override master. With this configuration, the same cluster unit always becomes the primary unit.
  • Page 82 Enter a password for the HA cluster. The password must be the same for all cluster units. The maximum password length is 15 characters. If you have more than one freeGuard 100 HA cluster on the same network, each cluster must have a different password.
  • Page 83 either of these interfaces or enable HA heartbeat for other interfaces. In most cases you can maintain the default heartbeat device configuration as long as you can connect the heartbeat device interfaces together. The heartbeat priority must be set for at least one cluster interface. If heartbeat communication is interrupted the cluster stops processing traffic.
  • Page 84: Configuring An Ha Cluster

    For most freeGuard 100 models if you do not change the heartbeat device configuration, you would isolate the HA interfaces of all of the cluster units by connecting them all to the same switch. If the cluster consists of two freeGuard 100s you can connect the heartbeat device interfaces directly using a crossover cable.
  • Page 85 ARP table of your management PC by deleting the ARP table entry for the freeGuard 100. 13. If you are configuring a NAT/Route mode cluster, power off the freeGuard 100 and then repeat this procedure for all the freeGuard 100s in the cluster.
  • Page 86 As the cluster units start, they negotiate to choose the primary unit and the subordinate units. This negotiation occurs with no user intervention and normally just takes a few seconds. You can now configure the cluster as if it is a single freeGuard 100. Figure 38: HA network configuration...
  • Page 87 To add a new unit to a functioning cluster 1. Configure the new cluster unit for HA operation with the same HA configuration as the other units in the cluster. 2. If the cluster is running in Transparent mode, change the operating mode of the new cluster unit to Transparent mode.
  • Page 88: Managing An Ha Cluster

    To switch between load balancing virus scanning sessions and all sessions By default a freeGuard 100 HA cluster load balances virus scanning sessions among all of the cluster units. All other traffic is processed by the primary unit. Using the CLI, you can configure the cluster to load balance all network traffic among all cluster units.
  • Page 89 Select to set the selected refresh interval. Close the cluster members list and return to the HA configuration page Use the cluster ID to identify each freeGuard 100 in the cluster. The cluster ID matches the freeGuard 100 serial number.
  • Page 90 The Traffic log, Event log, Attack log, Antivirus log, Web Filter log, and Email Filter log for the primary unit are displayed. The HA Cluster pull-down list displays the serial number of the freeGuard 100 for which logs are displayed.
  • Page 91: Snmp

    SNMP You can configure the freeGuard 100 SNMP agent to report system information and send traps (alarms or event messages) to SNMP managers. Using an SNMP manager, you can access SNMP traps and data from any freeGuard 100 interface or VLAN sub interface configured for SNMP management access.
  • Page 92: Configuring Snmp

    35 characters long. Enter the contact information for the person responsible for this freeGuard 100. The contact information can be up to 35 characters long. Save changes made to the description, location, and contact...
  • Page 93: Snmp Community

    SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the freeGuard 100 for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.
  • Page 94 SNMP Event To configure SNMP access to an interface in NAT/Route mode Before a remote SNMP manager can connect to the freeGuard 100 agent, you must configure one or more freeGuard 100 interfaces to accept SNMP connections. Figure 42: SNMP community options (part 2) Enter a name to identify the SNMP community.
  • Page 95: Freeguard 100 Mib

    MIB) and the parts of RFC 1213 (MIB II) that apply to freeGuard 100 configuration. The freeGuard 100 MIBs are listed in Table 7. You can obtain these MIB files from freedom9 technical support. To be able to communicate with the SNMP agent, you must compile all of these MIBs into your SNMP manager.
  • Page 96: Free Guard 100 Mib S

    6.4.4 freeGuard 100 traps The freeGuard 100 agent can send traps to SNMP managers that you have added to SNMP communities. For SNMP managers to receive traps, you must load and compile the freedom9 trap MIB (file name freedom9.trap.2.80.mib) onto the SNMP manager.
  • Page 97: Mib Fields

    MIB fields and describe the status information available for each one. You can view more details about the information available from all freedom9 MIB fields by compiling the freedom9.2.80.mib file into your SNMP manager and browsing the freedom9 MIB fields.
  • Page 98 The index number of the administrator account added to the freeGuard 100. name: The user name of an administrator account added to the freeGuard 100. addr: Up to three trusted host IP addresses for the administrator account. mask: Up to three trusted host netmasks for the administrator account.
  • Page 99: Replacement Messages

    Change replacement messages to customize alert email and information that the freeGuard 100 adds to content streams such as email messages, web pages, and FTP sessions. The freeGuard 100 adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message.
  • Page 100: Replacement Messages List

    Description Description of the replacement message type. The web-based manager describes where each replacement message is used by the freeGuard 100. To change a replacement message 1. Go to System > Config > Replacement Messages.
  • Page 101: Changing Replacement Messages

    6.5.2 Changing replacement messages Figure 44: Sample HTTP virus replacement message Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
  • Page 102 The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages. The name of the web filtering service. The name of the content category of the web site. The freedom9 logo. Table 21: Replacement message tags...
  • Page 103: System Admin

    System Admin When the freeGuard 100 is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each of these administrator accounts and control the IP address from which the administrator account can connect to the freeGuard 100.
  • Page 104: Administrators

    Log & Report: get alertemail, get log, execute enter. Security Policy: get antivirus, get firewall, get ips, get spamfilter, get vpn, get webfilter, execute enter, execute vpn. Auth Users: get user, execute enter. Admin Users: get system admin, get system accprofile, execute enter. Update: get system autoupdate...
  • Page 105: Administrators Options

    Optionally, type the trusted host IP address and netmask from which the administrator can log in to the freeGuard 100. You can specify up to three trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system.
  • Page 106: Access Profiles

    Console Access feature, see “Console Access”. Access profiles Go to System > Admin > Access Profile to add access profiles for freeGuard 100 administrators. Each administrator account belongs to an access profile. You can create access profiles that deny access or allow read-only or both read and write access to freeGuard 100 features.
  • Page 107: Access Profile List

    7.2.1 Access profile list Create New Profile Name Delete icon Edit icon 7.2.2 Access profile options Profile Name Access Control Allow Read All Allow Write All System Configuration Figure 48: Access profile list Add a new access profile.
  • Page 108 To allow an administrator to modify this feature, enable both Read and Write. Select Read to allow an administrator to view the freedom9 SP Distribution Network update feature. To allow an administrator to modify this feature, enable both Read and Write.
  • Page 109: System Maintenance

    Configuration Reset the freeGuard 100 to factory defaults. This procedure deletes changes that you have made to the freeGuard 100 configuration and reverts the system to its original configuration, including resetting interface addresses. This procedure does not change the firmware version or the antivirus or attack definitions.
  • Page 110: Backing Up And Restoring

    3. Enter the password you used when backing up All Configuration Files. 4. Enter the path and filename of the configuration file, or select Browse and locate the file. 5. Select OK to restore all configuration files to the freeGuard 100. The freeGuard 100 restarts, loading the new configuration files.
  • Page 111: Update Center

    (including grayware), Spam Filter and attack definitions and engines. Before the freeGuard 100 can receive antivirus and attack updates, it must be able to connect to the freeGuard SP Distribution Network (FSDN). The freeGuard 100 uses HTTPS on port 443 to connect to the FSDN.
  • Page 112 A red-yellow flashing indicator means that the freeGuard 100 cannot connect to the FSDN. Check your configuration. For example, you may need to add routes to the freeGuard 100 routing table or configure your network to allow the freeGuard 100 to use HTTPS on port 443 to connect to the Internet.
  • Page 113: Updating Antivirus And Attack Definitions

    IP address and Port to the FSDN. The FSDN will now use this IP address and port for push updates to the freeGuard 100 on the internal network. If the External IP Address or External Service Port change, add the changes to the Use override push configuration and select Apply to update the push information on the FSDN.
  • Page 114 100 is located. 2. Go to System > Maintenance > Update center. 3. Select Refresh. The freeGuard 100 tests its connection to the FSDN. The test results are displayed at the top of the System Update page.
  • Page 115 To enable scheduled updates through a proxy server If your freeGuard 100 must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command to allow the freeGuard 100 to connect (or tunnel) to the FSDN using the proxy server.
  • Page 116: Enabling Push Updates

    The SETUP message that the freeGuard 100 sends when you enable push updates includes the IP address of the freeGuard 100 interface that the FSDN connects to. If your freeGuard 100 is running in NAT/Route mode, the SETUP message includes the freeGuard 100 WAN1 IP address. If your freeGuard 100 is running in Transparent mode, the SETUP message includes the freeGuard 100 management IP address.
  • Page 117 7. Type the External Service Port that the FSDN connects to. 8. In the Map to IP section, type the IP address of the freeGuard 100 on the internal network. If the freeGuard 100 is operating in NAT/Route mode, enter the IP address of the external interface. If the freeGuard 100 is operating in Transparent mode, enter the management IP address.
  • Page 118 5. Set Port to the external service port added to the virtual IP. 6. Select Apply. The freeGuard 100 sends the override push IP address and port to the FSDN. The FSDN now uses this IP address and port for push updates to the freeGuard 100 on the internal network.
  • Page 119: System Virtual Domain

    When a packet enters a virtual domain on the freeGuard 100, it is confined to that virtual domain. In a given domain, you can only create firewall policies for connections between VLAN sub interfaces or zones in the virtual domain.
  • Page 120: Shared Configuration Settings

      o VLAN sub interfaces
      o Zones
      o Management IP
    • Routing configuration
      o Router configuration in NAT/Route mode
      o Routing table configuration in Transparent mode
    • Firewall settings
      o Policies
      o Addresses
      o Service groups
      o IP pools (are associated with an interface)
      o Virtual IPs (are associated with an interface)
    •...
  • Page 121: Administration And Management

    In addition to the global properties, virtual domains share a common administrative model. Administrators have access to all of the virtual domains on the freeGuard 100. Administrators logging into the CLI or web-based manager always log into the root domain and then must enter the virtual domain that they want to administer.
  • Page 122: Adding A Virtual Domain

    The default virtual domain is root. Management The name of the virtual domain used for system management. Select Change to choose a different domain. Max. Virtual Domains Shows the maximum number of virtual domains for this freeGuard 100. Name The name of the virtual domain.
  • Page 123: Selecting A Virtual Domain

    3. Enter the Default Gateway. 4. Select the Management Virtual Domain. 5. Select Apply. The freeGuard 100 displays the following message: Management IP address was changed. Click here to redirect. 6. Click on the message to connect to the new Management IP.
  • Page 124: Configuring Virtual Domains

    Configuring virtual domains The following procedures explain how to configure virtual domains: • Adding interfaces, VLAN sub interfaces, and zones to a virtual domain • Configuring routing for a virtual domain • Configuring firewall policies for a virtual domain • Configuring IPSec VPN for a virtual domain 9.3.1 Adding interfaces, VLAN sub interfaces, and zones to a virtual domain...
  • Page 125: Configuring Routing For A Virtual Domain

    The VLAN sub interface moves to the virtual domain. Firewall IP pools and virtual IP added for this VLAN sub interface are deleted. You should manually delete any routes that include this VLAN sub interface. To view the interfaces in a virtual domain 1.
  • Page 126 3. Choose the virtual domain for which to configure firewall policies. 4. Select OK. 5. Go to Firewall > Policy. 6. Select Create new to add firewall policies to the current virtual domain. You can only add firewall policies for the physical interfaces, VLAN sub interfaces, or zones added to the current virtual domain.
  • Page 127: Configuring Ipsec Vpn For A Virtual Domain

    9.3.4 Configuring IPSec VPN for a virtual domain To configure VPN for a virtual domain The following procedure applies to NAT/Route and Transparent mode. 1. Go to System > Virtual domain > Virtual domains. 2. Select Change following the current virtual domain name above the table.
  • Page 128: Router

    The freeGuard 100 routes packets using a best match algorithm (the order of static routes in the list is ignored). To select a route for a packet, the freeGuard 100 checks the destination address of the packet and searches through the routing table for the best matching destination address.
  • Page 129 In some cases, there may be routers behind the freeGuard 100. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the freeGuard 100 routing table must include a static route to that network. For example, in Figure 54, the freeGuard 100 must be configured with static routes to interfaces 192.168.10.1 and 192.168.10.2 in order to forward...
  • Page 130: Static Route List

    • Distance: 10 To route packets from Network_2 to Network_1, Router_2 must be configured to use the freeGuard 100 dmz interface as its default gateway. On the freeGuard 100, you would create a new static route with these settings: •...
  • Page 131: Static Route Options

    3. Enter the Destination IP address and netmask for the route. 4. Add the Gateway IP address. 5. For Device, select the freeGuard 100 interface through which to route traffic for this route. 6. If required, change the administrative Distance.
  • Page 132: Policy

    Incoming or source interface The freeGuard 100 starts at the top of the policy routing list and attempts to match the packet with a policy. The policy route supplies the next hop gateway as well as the freeGuard 100 interface to be used by the traffic.
  • Page 133: Policy Route Options

    Delete and Edit icons 10.2.2 Policy route options Protocol Match packets that have this protocol number. Incoming Interface Match packets that are received on this interface. Source Address / Match packets that have this source IP address and netmask.
  • Page 134: Rip

    9. Select OK. 10.3 The freeGuard 100 implementation of the Routing Information Protocol (RIP) supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.
  • Page 135: Networks List

    Timeout The time interval in seconds after which a route is declared unreachable. The route is removed from the routing table. RIP holds the route until the garbage timer expires and then deletes the route. If RIP receives an update for the route before the timeout timer expires, then the timeout timer is restarted.
  • Page 136: Networks Options

    Set authentication to None if SV or RV are set to 1 or 1 2. Create New Add a new RIP interface. Interface The freeGuard 100 interface name. Send Version The RIP send version for this interface. Receive Version The RIP receive version for this interface.
  • Page 137: Interface Options

    Icons 10.3.4 Interface options Interface The freeGuard 100 interface name. RIP routing messages are UDP packets that use port 520. Send Version Select 1 to configure RIP to send RIP version 1 messages from an interface. Select 2 to configure RIP to send RIP version 2 messages from an interface.
  • Page 138: Distribute List

    Authentication Select the authentication used for RIP version 2 packets sent and received by this interface. If you select None, no authentication is used. If you select Text, the authentication key is sent as plain text. If you select MD5, the authentication key is used to generate an MD5 hash.
  • Page 139: Distribute List Options

    Create New Add a new distribute list. Direction The direction for the filter. Filter The type of filter and the filter name. Interface The interface to use this filter on. If no interface name is displayed, this distribute list is used for all interfaces.
  • Page 140: Offset List

    3. Set Direction to In or Out. 4. Select either prefix-list or access-list. 5. Select the prefix list or access list to use for this distribute list. 6. Select an interface to apply this distribute list to, or select the blank entry to apply this distribute list to all interfaces.
  • Page 141: Offset List Options

    10.4.1 Access list Access lists are filters used by freeGuard 100 routing features. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
  • Page 142: New Access List

    The freeGuard 100 attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny.
  • Page 143: New Access List Entry

    If no match is found the default action is deny. For a prefix list to take effect it must be called by another freeGuard 100 routing feature such as RIP or OSPF.
  • Page 144: New Prefix List

    Create New Name Action Prefix Delete, Add prefix-list entry and Edit icons 10.4.5 New Prefix list To add a prefix list name 1. Go to Router > Router Objects > Prefix List. 2. Select Create New. 3. Enter a name for the prefix list. 4.
  • Page 145: New Prefix List Entry

    10.4.6 New prefix list entry list Entry The prefix list name and the number of this entry. Action Set the action to take for this prefix to Permit or Deny. Prefix Select Match any to match any prefix. Select Match a network address and enter the prefix (IP address and netmask) for this prefix list entry.
  • Page 146: Route-Map List

    The freeGuard 100 attempts to match the rules in a route map starting at the top of the list. If it finds a match it makes the changes defined in the set statements and then takes the action specified for the rule.
  • Page 147: Route Map List Entry

    10.4.9 Route map list entry Route-map entry The route map name and the ID number of this route map entry. Action Select Permit to permit routes that match this entry. Select Deny to deny routes that match this entry.
  • Page 148: Key Chain List

    A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The freeGuard 100 migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times.
  • Page 149: Key Chain List Entry

    To add a key chain name 1. Go to Router > Router Objects > Key-chain. 2. Select Create New. 3. Enter a name for the key chain. 4. Select OK. 10.4.12 Key chain list entry Key-chain entry The key chain name and the ID number for this key chain entry.
  • Page 150: Monitor

    Filter the display to show routes using the specified gateway. Apply Filter Filter the routes according to the criteria you have specified. Type The type of route. Type refers to how the freeGuard 100 learned the route. Subtype The subtype for the route. Network The network for the route.
  • Page 151 Up Time How long the route has been available. To filter the routing monitor display 1. Go to Router > Monitor > Routing Monitor. 2. Select a type of route to display or select all to display routes of all types. For example, select Connected to display all the directly connected routes, or select RIP to display all the routes learned from RIP.
  • Page 152: Firewall

    Configure spam filtering for IMAP, POP3, and SMTP policies • Enable IPS for all services You can also enable traffic logging for a firewall policy so that the freeGuard 100 logs all connections that use this policy. This chapter describes: •...
  • Page 153: How Policy Matching Works

    The freeGuard 100 then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received.
  • Page 154: Policy Options

    The policy identifier. Policies are numbered in the order they are added to the policy list. Source The source address or address group to which the policy applies. Dest The destination address or address group to which the policy applies. Schedule The schedule that controls when the policy should be active.
  • Page 155 Destination Select the name of the destination interface or zone for the policy. Packets matched by the policy exit the freeGuard 100 from the destination interface or zone. Address Name Select the source and destination firewall addresses for the firewall policy. Before adding addresses to a policy, you must add them to the freeGuard 100 firewall configuration.
  • Page 156 An IP pool list appears if IP Pool addresses have been added to the destination interface or zone. Select ANY IP Pool to cause the freeGuard 100 to select any IP address in any IP Pool added to the destination interface or zone. Select the name of an IP Pool added to the destination interface or zone to cause the freeGuard 100 to translate the source address to one of the addresses defined by this IP Pool.
  • Page 157: Advanced Policy Options

    zone is configured using DHCP or PPPoE. Fixed Port Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. In most cases, if you select Fixed Port, you would also select Dynamic IP pool. If you do not select Dynamic IP pool, a policy with Fixed Port selected can only allow one connection at a time.
  • Page 158 Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the freeGuard 100 device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers.
  • Page 159: Configuring Firewall Policies

    DS field in IPv4 header or the Traffic Class field in the IPv6 header. You can use the freeGuard 100 Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network uses these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing.
  • Page 160: Policy Cli Configuration

    The natip keyword for the firewall policy command is used in encrypted (VPN) policies. A natip address cannot be added using the web-based manager. You can configure complete firewall policies from the CLI. See the freeGuard 100 CLI Reference Guide for descriptions of all firewall policy keywords.
  • Page 161: Address

    If you do not use natip to translate IP addresses, the source addresses of outbound VPN packets are translated into the IP address of the freeGuard 100 external interface. If you use natip, the freeGuard 100 uses a static mapping...
  • Page 162: Address List

    11.2.1 Address list You can add addresses to the list and edit existing addresses. The freeGuard 100 comes configured with the default ‘All’ address which represents any IP address on the network. The address list has the following icons and features.
  • Page 163: Configuring Addresses

    • All possible IP addresses (represented by IP Address: 0.0.0.0 and Netmask: 0.0.0.0) An IP address can be: • The IP address of a single computer (for example, 192.45.46.45). • The IP address of a sub network (for example, 192.168.1.0 for a class C subnet).
  • Page 164: Address Group List

    11.2.4 Address group list You can organize related addresses into address groups to make it easier to configure policies. For example, if you add three addresses and then configure them in an address group, you can configure a single policy using all three addresses. Note: If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.
  • Page 165: Configuring Address Groups

    the lists. 11.2.6 Configuring address groups To organize addresses into an address group 1. Go to Firewall > Address > Group. 2. Select Create New. 3. Enter a group name to identify the address group. 4. Select an address from the Available Addresses list and select the right arrow to move the address into the group.
  • Page 166: Predefined Service List

    The name of the predefined services. Detail The protocol for each predefined service. Table 24 lists the freeGuard 100 predefined firewall services. You can add these services to any policy. Service name Description Match connections on any port. A connection that uses any of the predefined services is allowed through the firewall.
  • Page 167 configuration parameters from DHCP servers to hosts. Domain name service for translating domain names into IP addresses. FINGER A network service that provides information about users. FTP service for transferring files. GOPHER Gopher communication service. Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
  • Page 168: Custom Service List

    Add a custom service if you need to create a policy for a service that is not in the predefined service list. Table 24: freeGuard 100 predefined services. Figure 92: Sample custom service list.
  • Page 169: Custom Service Options

    The custom services list has the following icons and features. Create New Select a protocol and then Create New to add a custom service. Service Name The name of the custom service. The protocol and port numbers for each custom service.
  • Page 170: Configuring Custom Services

    Protocol Type Select the protocol type of the service you are adding (ICMP). Type Enter the ICMP type number for the service. Code Enter the ICMP code number for the service if required. IP custom service options Name The name of the IP custom service. Protocol Type Select the protocol type of the service you are adding: IP.
  • Page 171: Service Group List

    To add a custom IP service 1. Go to Firewall > Service > Custom. 2. Select Create New. 3. Enter a name for the new custom IP service. 4. Select IP as the Protocol Type. 5. Enter the IP protocol number for the service.
  • Page 172: Configuring Service Groups

    Service group has the following options. Group Name Enter a name to identify the address group. Available Services The list of configured and predefined services. Use the arrows to move services between the lists. Members The list of services in the group. Use the arrows to move services between the lists.
  • Page 173: Schedule

    4. Select OK. 11.4 Schedule Use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule.
  • Page 174: One-Time Schedule Options

    11.4.2 One-time schedule options One-time schedule has the following options. Name Enter the name to identify the one-time schedule. Start Enter the start date and time for the schedule. Stop Enter the stop date and time for the schedule. 11.4.3 Configuring one-time schedules To add a one-time schedule 1.
  • Page 175: Recurring Schedule Options

    Select the days of the week that you want the schedule to be active. Start Select the start time for the recurring schedule. Stop Select the stop time for the recurring schedule. Figure 100: Sample recurring schedule list Figure 101: Recurring schedule options...
  • Page 176: Configuring Recurring Schedules

    11.4.6 Configuring recurring schedules To add a recurring schedule 1. Go to Firewall > Schedule > Recurring. 2. Select Create New. 3. Enter a name for the schedule. 4. Select the days of the week that you want the schedule to be active. 5.
  • Page 177: Virtual Ip List

    Dynamic port forwarding This section describes: • Virtual IP list • Virtual IP options • Configuring virtual IPs 11.5.1 Virtual IP list The virtual IP list has the following icons and features. Select Create New to add a virtual IP.
  • Page 178 Virtual IP has the following options. Name External Interface Type External IP External Service Port Map to IP Map to Port Protocol Figure 103: Virtual IP options; static NAT Figure 104: Virtual IP options; port forwarding Enter the name to identify the virtual IP. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies.
  • Page 179: Configuring Virtual Ips

    VLAN sub interface. You can set the virtual IP external interface to any freeGuard 100 interface. Table 25 on page 230 contains example virtual IP external interface settings and describes the policies to which you can add the resulting virtual IP.
  • Page 180 to any other address. For example, if the virtual IP provides access from the Internet to a server on your internal network, the external IP address must be a static IP address obtained from your ISP for this server. This address must be a unique address that is not used by another host. However, this address must be routed to the external interface selected in step 4.
  • Page 181: Ip Pool

    To edit a virtual IP 1. Go to Firewall > Virtual IP. 2. Select the Edit icon beside the virtual IP you want to modify. 3. Select OK. 11.6 IP pool An IP pool (also called a dynamic IP pool) is a range of IP addresses added to a firewall interface. You can enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool.
  • Page 182: Ip Pool Options

    11.6.2 IP pool options IP pool has the following options. Interface Select the interface to which to add an IP pool. Name Enter a name for the IP pool. IP Range/Subnet Enter the IP address range for the IP pool. 11.6.3 Configuring IP pools To add an IP pool...
  • Page 183: Ip Pools And Dynamic Nat

    You can assign one of your organization’s Internet IP addresses to the external interface of the freeGuard 100. If the freeGuard 100 is operating in NAT/Route mode, all connections from your network to the Internet appear to come from this IP address.
  • Page 184: Protection Profile List

    Modify an existing protection profile. 11.7.2 Default protection profiles The freeGuard 100 comes preconfigured with four protection profiles. Strict To apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. You may not wish to use the strict protection profile under normal circumstances but it is available if you have extreme problems with viruses and require maximum screening.
  • Page 185 Configuring antivirus options Figure 109: Protection profile antivirus options Virus Scan File Block Pass fragmented Oversized file/email Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment.
  • Page 186 Note that some types of files, such as PDF, fragment files to increase download speed and enabling this option can cause Configuring web category filtering options Figure 111: Protection profile web category filtering options (freeGuard 100) Enable category Enable freeGuard 100 category blocking. block...
  • Page 187 100 checks the body of email messages to extract any URL links. These URL links are sent to a freeGuard 100 server to see if any of them is listed. Typically Spam messages contain URL links to advertisements (also called spamvertizing). If a URL match is found, the freeGuard 100 terminates the session.
  • Page 188 HELO DNS lookup Enable or disable looking up the source domain name (from the SMTP HELO command) in the Domain Name Server. E-mail address BWL Enable or disable checking incoming email addresses against the check configured spam filter email address list. Return e-mail DNS Enable or disable checking that the domain specified in the reply-to or from check...
  • Page 189: Configuring Protection Profiles

    4. Configure the protection profile options. 5. Select OK. Note: If both Virus Scan and File Block are enabled, the freeGuard 100 blocks files that match enabled file patterns before they are scanned for viruses. To delete a protection profile 1.
  • Page 190: Profile Cli Configuration

    Note: This guide only describes Command Line Interface (CLI) commands, keywords, or variables (in bold) that are not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands see the freeGuard 100 CLI Reference Guide.
  • Page 191 Keywords from the adjacent table column: fragmail, no-content-summary, oversize, scan. • Enter splice to enable the freeGuard 100 to simultaneously scan an email and send it to the SMTP server. If the freeGuard 100 detects a virus, it terminates the server connection and returns an...
  • Page 192 Enter all the actions you want this profile to use. Use a space to separate the options you enter. If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added.
  • Page 193: User

    • IPSec, PPTP and L2TP VPN configurations When the user attempts to access the resource, the freeGuard 100 requests a user name and password. The freeGuard 100 can verify the user’s credentials locally or using an external LDAP or RADIUS server. Authentication expires if the user leaves the connection idle for longer than the authentication timeout period.
  • Page 194: Local User List

    Select Radius to require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the freeGuard 100 RADIUS configuration. To add a user name and configure authentication 1.
  • Page 195: Radius

    100 contacts the RADIUS server for authentication. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port. For more information see the config system global command entry in the freeGuard 100 CLI Reference Guide.
  • Page 196: Ldap

    100 contacts the LDAP server for authentication. To authenticate with the freeGuard 100, the user enters a user name and password. The freeGuard 100 sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the freeGuard 100.
  • Page 197: Ldap Server Options

    Distinguished Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.500 or LDAP format. The freeGuard 100 passes this distinguished name unchanged to the server. For example, you could use the following base distinguished name: ou=marketing,dc=freedom9,dc=com where ou is the organization unit and dc is the domain component.
  • Page 198: User Group

    100 checks for authentication. If user names are first, then the freeGuard 100 checks for a match with these local users. If a match is not found, the freeGuard 100 checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the freeGuard 100 checks the server and then the local users.
  • Page 199: User Group Options

    Members The users, RADIUS servers, or LDAP servers in a user group. Protection Profile The protection profile associated with this user group. Delete & Edit Icons The Delete and Edit icons. 12.5.2 User group options Group Name Enter the name of the user group.
  • Page 200 To delete a user group You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration. 1. Go to User > User Group. 2. Select Delete beside the user group that you want to delete. 3.
  • Page 201: Vpn

    1 negotiations. To configure phase 1 settings 1. Go to VPN > IPSEC > Phase 1. 2. Follow the general guidelines in the following sub-sections. Note: The procedures in this section assume that you want the freeGuard 100 to...
  • Page 202: Phase 1 List

    • If a remote peer with a static IP address will be connecting to the freeGuard 100, select Static IP Address and type the IP address of the remote VPN end point into the IP Address field. Figure 123: IPSec VPN Phase 1 list...
  • Page 203 Certificate Name If RSA Signature is selected, select the name of the digital certificate that the freeGuard 100 will use to authenticate itself to the remote peer during phase 1 negotiations. Peer Options These options are available to authenticate remote dialup clients or VPN peers with peer IDs or certificate names, depending on the Remote Gateway and Mode settings.
  • Page 204: Phase 1 Advanced Settings

    The group must be added to the freeGuard 100 configuration through the config user peer and config user peergrp CLI commands before it can be selected. For more information, see the “config user” chapter of the freeGuard 100 CLI Reference Guide. 13.1.3 Phase 1 advanced settings...
  • Page 205 Enable this option if a NAT device exists between the local freeGuard 100 and the VPN peer or client. The local freeGuard 100 and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared).
  • Page 206: Phase 2

    Phase 2 You configure phase 2 settings to specify the parameters for creating and maintaining a VPN tunnel between the freeGuard 100 and the remote peer or client. In most cases, you only need to configure the basic phase 2 settings.
  • Page 207: Phase 2 Basic Settings

    Concentrator If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the freeGuard 100 configuration before it can be selected here. 13.3.2 Phase 2 advanced options...
  • Page 208 Enable the option if you want the tunnel to remain active when no data is being processed. If the freeGuard 100 will relay DHCP requests from dialup clients to an external DHCP server, you can select DHCP-IPsec Enable to enable DHCP over IPSec services.
  • Page 209: Manual Key

    Quick Mode Identities 13.4 Manual key If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where: • Prior knowledge of the encryption and/or authentication key is required (that is, one of the VPN peers requires a specific IPSec encryption and/or authentication key).
  • Page 210: Manual Key List

    Local SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local freeGuard 100. The valid range is from 0xbb8 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
  • Page 211 16 characters and a second segment of 24 characters. If the tunnel will be included in a hub-and-spoke configuration, you may select the concentrator from the list. The hub must be added to the freeGuard 100 configuration before it can be selected here.
  • Page 212: Concentrator

    100. Site-to-site connections between the remote peers do not exist; however, VPN tunnels between any two of the remote peers can be established through the freeGuard 100 “hub”. In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”.
  • Page 213: Ping Generator

    Members A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left-pointing arrow. 13.6 Ping Generator The ping generator generates traffic in an IPSec VPN tunnel to keep the tunnel connection open when no traffic is being generated inside the tunnel.
  • Page 214: Monitor

    Proxy ID Source The IP address of the host, server, or private network behind the freeGuard 100. A network range may be displayed if the source address in the firewall encryption policy was expressed as a range of IP addresses.
  • Page 215: Static Ip And Dynamic Dns Monitor

    100s support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a freeGuard 100 that has been configured to act as a PPTP server. As an alternative, you can configure the freeGuard 100 to forward PPTP packets to a PPTP server on the network behind the freeGuard 100.
  • Page 216: L2Tp

    The L2TP address range specifies the range of addresses reserved for remote clients. When a remote client connects to the freeGuard 100, the client is assigned an IP address from this range. Afterward, the freeGuard 100 uses the assigned address to communicate with the remote client.
  • Page 217: 13.10 Certificates

    Select the option to disable PPTP support. 13.10 Certificates Digital certificates are downloadable files that you can install on the freeGuard 100 and on remote peers and clients for authentication purposes. An X.509 digital certificate contains information that has been digitally signed by a trusted third party known as a certificate authority (CA).
  • Page 218: Certificate Request

    To obtain a personal or site certificate, you must send a request to a CA that provides digital certificates that adhere to the X.509 standard. The freeGuard 100 provides a way for you to generate the request. The generated request includes information such as the freeGuard 100’s public static IP address, domain name, or email address.
  • Page 219: Importing Signed Certificates

    13.10.3 Importing signed certificates Your CA will provide you with a signed certificate to install on the freeGuard 100. When you receive the signed certificate from the CA, save the certificate on a PC that has management access to the freeGuard 100.
  • Page 220: Importing Ca Certificates

    1. Define the phase 1 parameters that the freeGuard 100 needs to authenticate remote peers and establish a secure connection. 2. Define the phase 2 parameters that the freeGuard 100 needs to create a VPN tunnel with a remote peer.
  • Page 221: Adding Firewall Policies For Ipsec Vpn Tunnels

    13.11.1 Adding firewall policies for IPSec VPN tunnels Firewall policies control all IP traffic passing between a source address and a destination address. A firewall encryption policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy.
  • Page 222: Pptp Configuration Procedures

    13.11.2 PPTP configuration procedures If the freeGuard 100 will act as a PPTP server, perform the following tasks on the freeGuard 100: 1. Create a PPTP user group containing one user for each PPTP client. 2. Enable PPTP on the freeGuard 100 and specify the range of addresses that can be assigned to PPTP clients when they connect.
  • Page 223: Ips

    Network. When the freeGuard 100 installs an updated attack definition file, it checks to see if the default configuration for any existing signatures has changed. If the default configuration has changed, the changes are preserved.
  • Page 224: Predefined

    IPS generates. For example, the IPS detects a large number of web server attacks. If you do not provide access to a web server behind your freeGuard 100, you can disable all web server attack signatures.
  • Page 225 100 session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset action is triggered before the TCP connection is fully established it acts as Clear Session.
  • Page 226 5. Select the Logging box to enable logging for this signature or clear the Logging box to disable logging for this signature. 6. Select the Action for the freeGuard 100 to take when traffic matches this signature. 7. Select OK.
  • Page 227: Custom

    You can create custom IPS signatures. The custom signatures you create are added to a single Custom signature group. Custom signatures provide the power and flexibility to customize the freeGuard 100 IPS for diverse network environments. The freeGuard 100 predefined signatures cover common attacks. If you are using an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors.
  • Page 228 containing pornography, you can add custom signatures similar to the following: F-SBID (--protocol tcp; --flow established; --content "nude cheerleader"; --no_case) When you add the signature, set the action to Drop Session. Note: Custom signatures are an advanced feature. This document assumes the user has previous experience creating intrusion detection signatures.
  • Page 229: Anomaly

    For information on backing up and restoring the custom signature list, see “Backing up and Restoring”. 14.2 Anomaly The freeGuard 100 IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The freeGuard 100 IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols.
  • Page 230: Configuring An Anomaly

    For more information on minimum, maximum, and recommended thresholds for the anomalies with configurable thresholds, see the freeGuard 100 IPS Anomaly Thresholds and Dissector Values Technical Bulletin. Figure 151: The Anomaly list...
  • Page 231 Logging Select the Logging box to enable logging for the anomaly or clear the Logging box to disable logging for the anomaly. Select an action for the freeGuard 100 to take when traffic triggers this Action anomaly. Pass The freeGuard 100 lets the packet that triggered the anomaly pass through the firewall.
  • Page 232 4. Select the Logging box to enable logging for this anomaly or clear the Logging box to disable logging for this anomaly. 5. Select an action for the freeGuard 100 to take when traffic triggers this anomaly. 6. Enter a new threshold value if required.
  • Page 233: Antivirus

    Antivirus processing includes various modules and engines that perform separate tasks. The freeGuard 100 performs antivirus processing in the order the features appear in the web-based manager menu: file block, virus scan, and grayware, followed by heuristics, which is configurable only through the CLI.
  • Page 234: File Block

    The freeGuard 100 blocks files that match a configured file pattern and displays a replacement message instead. The freeGuard 100 also writes a message to the virus log and sends an alert email if configured to do so.
  • Page 235: Config

    4. Select the protocols for which you want to block the file, or select Check All. 5. Select Apply. 15.2 Config Config displays a list of the current viruses blocked by the freeGuard 100. You can also configure file and email size limits, and grayware blocking. This section describes: •...
  • Page 236: Virus List

    The maximum file size allowed in memory is usually 10% of the freeGuard 100 RAM size. For example, a freeGuard 100 with 256 MB of RAM could have a memory oversize threshold range of 1 to 25 MB. The range for each freeGuard 100 is displayed in the web-based manager as shown in Figure 166.
  • Page 237: Grayware

    The freeGuard 100 scans for known grayware executable programs in each category you enable. The category list and contents are added or updated whenever your freeGuard 100 receives a virus update package.
  • Page 238: Cli Configuration

    15.3.1 config antivirus heuristic The freeGuard 100 heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
  • Page 239: Config Antivirus Service Http

    15.3.2 config antivirus service http Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in HTTP traffic and what ports the freeGuard 100 scans for HTTP. Command syntax pattern config antivirus service http set <keyword>...
  • Page 240: Config Antivirus Service Ftp

    15.3.3 config antivirus service ftp Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in FTP traffic and how the freeGuard 100 handles the buffering and uploading of files to an FTP server. encoding types and some encoding types translate into larger file sizes than the original attachment.
  • Page 241 This example shows how to set the maximum file size buffered to memory for scanning at 25 MB, the maximum uncompressed file size that can be buffered to memory at 100 MB, and how to enable antivirus scanning on ports 20 and 21 for FTP traffic.
  • Page 242: Config Antivirus Service Pop3

    15.3.4 config antivirus service pop3 Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in POP3 traffic and what ports the freeGuard 100 scans for POP3. Command syntax pattern config antivirus service pop3 set <keyword>...
  • Page 243: Config Antivirus Service Imap

    15.3.5 config antivirus service imap Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in IMAP traffic and what ports the freeGuard 100 scans for IMAP. Command syntax pattern config antivirus service imap set <keyword>...
  • Page 244: Config Antivirus Service Smtp

    15.3.6 config antivirus service smtp Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in SMTP traffic, what ports the freeGuard 100 scans for SMTP, and how the freeGuard 100 handles interaction with an SMTP server for delivery of email with infected email file attachments.
  • Page 245 This example shows how to set the maximum file size that can be buffered to memory for scanning at 100 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 1 GB (1000 MB), and how to enable antivirus scanning on ports 25, and 465 for SMTP traffic.
  • Page 246: Web Filter

    Add URLs to exempt them from web and virus filtering. Web Filter > Script Filter Select the scripts to block. downloaded. Web Filter > Category Block > Configuration Enable or disable freeGuard 100 and enable and set the size limit for the cache.
  • Page 247: Content Block

    16.1 Content block Control web content by blocking specific words or word patterns. The freeGuard 100 blocks web pages containing banned words and displays a replacement message instead. You can use Perl regular expressions or wildcards to add banned word patterns to the list.
  • Page 248: Configuring The Web Content Block List

    2. Select Create New to add a banned word or select Edit for the banned word you want to modify. 3. Enter the word or phrase. If you enter a single word, the freeGuard 100 blocks all web pages that contain that word.
  • Page 249: Url Block

    If you want to use more than one URL block list, simply combine the lists in a text file and upload them to the freeGuard 100 by selecting the Upload URL block list icon. URLs in a text file must be separated by hard returns to upload correctly.
  • Page 250: Configuring The Web Url Block List

    (or wildcard characters). For example, badsite.* matches badsite.com, badsite.org, badsite.net and so on. freeGuard 100 web pattern blocking supports standard regular expressions. You can add up to 20 patterns to the web pattern block list.
  • Page 251: Web Pattern Block Options

    You can configure specific URLs as exempt from web filtering. URLs on the exempt list are not scanned for viruses. If users on your network download files through the freeGuard 100 from trusted Figure 162: Sample web pattern block list...
  • Page 252: Url Exempt List Options

    URL of this website to the exempt list so that the freeGuard 100 does not virus scan files downloaded from this URL. Note: Enable Web filtering > Web Exempt List in your firewall Protection Profile to activate the URL exempt settings.
  • Page 253: Freeguard 100 Managed Web Filtering Service

    The freeGuard 100 communicates with the Service Point over UDP on port 8888. freeGuard 100 licensing freeGuard 100 license management is done by freedom9 servers, so there is no need to enter a license number. The freeGuard 100 automatically contacts a freeGuard 100 Service Point when you enable freeGuard 100 category blocking.
  • Page 254: Configuring Web Category Block

    5. Select Apply. You can now enable web category blocking and configure categories for any firewall protection profile you create. Once you select Apply, the freeGuard 100 license type and expiration date appears on the configuration screen (Web Filter > Category Block).
  • Page 255 Script filter You can configure the freeGuard 100 to filter certain web scripts. You can filter Java applets, cookies, and ActiveX controls from web pages. Note: Blocking any of these items may prevent some web pages from functioning and displaying correctly.
  • Page 256: Spam Filter

    Enable or disable freedom9’s antispam service called freeGuard freeGuard freedom9’s own DNSBL server that provides spam IP address and URL blacklists. freedom9 keeps the IP and URLs up-to-date as new spam sources are found. IP address BWL check Black/white list check. Enable or disable checking incoming IP addresses against the configured spam filter IP address list.
  • Page 257 Each filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the freeGuard 100 will tag or discard (SMTP only) the email according to the settings in the protection profile.
  • Page 258: Freeguard Sp Anti Spam

    Banned word • Using Perl regular expressions 17.1 freeGuard SP Anti Spam You can filter Spam with an IP address black list and a URL black list using the freedom9 freeGuard SP product. This section describes: • freeGuard SP Spam filtering •...
  • Page 259: Freeguard Sp Options

    17.1.2 freeGuard SP options If you have ordered freeGuard SP through freedom9 technical support, you only need to enable the service to start configuring and using freeGuard SP. You can configure or view the following settings for the freeGuard SP service: Enable Service Select to enable the freeGuard SP service.
  • Page 260: Configuring The Freeguard Sp Cache

    IP address list You can configure the freeGuard 100 to filter email from specific IP addresses. You can mark each IP address as clear, spam, or reject. You can filter a single IP address or a range of addresses at the network level by configuring an address and mask.
  • Page 261: Configuring The Ip Address List

    The freeGuard 100 communicates with DNSBL servers using UDP through port 53. The freeGuard 100 compares the IP address or domain name of the sender to any database lists you configure. The Figure 170: Adding an IP address...
  • Page 262: Dnsbl & Ordbl List

    100 checks all the servers in the list simultaneously. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter. Note: Because the freeGuard 100 uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server.
  • Page 263: Email Address

    Configuring the email address list 17.5.1 Email address list The freeGuard 100 can filter email from specific senders or all email from a domain (such as sample.net). You can mark each email address as clear or spam. 17.5.2 Email address options...
  • Page 264: Configuring The Email Address List

    Action The action to take on email from the configured address. Actions are: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to let the email pass to the next filter. The Delete and Edit/View icons. 17.5.3 Configuring the email address list To add an email address or domain to the list...
  • Page 265: Mime Headers List

    for each header you configure. The freeGuard 100 compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter.
  • Page 266: Banned Word

    Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long. If you enter a single word, the freeGuard 100 blocks all email that contains that word. If you enter a phrase, the freeGuard 100 blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.
  • Page 267: Banned Word Options

    The character set to which the banned word belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western. Where The location which the freeGuard 100 searches for the banned word: subject, body, or all. Action The selected action to take on email with banned words.
  • Page 268: Configuring The Banned Word List

    In Perl regular expressions, ‘.’ character refers to any single character. It is similar to the ‘?’ character in wildcard match pattern. As a result: • freedom9.com not only matches freedom9.com but also matches freedom9acom, freedom9bcom, freedom9ccom and so on. To match a special character such as '.' and ‘*’ use the escape character ‘\’. For example: •...
  • Page 269 “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1 the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines) abc when followed by a word boundary (e.g. in abc! but not in abcd) perl when not followed by a word boundary (e.g.
  • Page 270 Examples To block any word in a phrase /block|any|word/ To block purposely misspelled words Spammers often insert other characters between the letters of a word to fool spam blocking software. /^.*v.*i.*a.*g.*r.*a.*$/i /cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i To block common spam phrases The following phrases are some examples of common phrases found in spam messages. /try it for free/i /student_loans/i /you’re already approved/i...
  • Page 271: Log & Report

    It is not necessary for an event to be logged to trigger an alert email. The freeGuard 100 will collect and send log messages in alert emails according to the level and time intervals you configure in the alert email options. All collected messages are assembled in one alert email which is sent as soon as the time interval is reached for a message at or above the configured level.
  • Page 272: Log Config

    Traffic and content logs cannot be stored in the memory buffer. When the memory is full, the freeGuard 100 begins to overwrite the oldest messages. All log entries are deleted when the freeGuard 100 restarts.
  • Page 273: Alert E-Mail Options

    Facility as local7. You might want to change Facility to distinguish log messages from different freeGuard 100s. Enable CSV Format If you enable CSV format, the freeGuard 100 produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format the freeGuard 100 produces plain text files.
  • Page 274 Select Test to send a test alert email to the configured recipients. Test Level The freeGuard 100 sends alert email for all messages at and above the logging severity level you select. Emergency The interval to wait before sending an alert e-mail for emergency level log messages.
  • Page 275: Log Filter Options

    To configure alert email Note: Before configuring alert email, make sure you configure at least one DNS server. The freeGuard 100 uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server.
  • Page 276 Anti-virus log The Anti-virus Log records virus incidents in Web, FTP, and email traffic, such as when the freeGuard 100 detects an infected file, blocks a file type, or blocks an oversized file or email. You can apply the following filters: Virus infected The freeGuard 100 logs all virus infections.
  • Page 277: Configuring Log Filters

    The freeGuard 100 logs all instances of web category filtering rating errors. Attack log The Attack Log records attacks detected and prevented by the freeGuard 100. You can apply the following filters: Attack Signature The freeGuard 100 logs all detected and prevented attacks based on the attack signature, and the action taken by the freeGuard 100.
  • Page 278: Log Access

    the interface are recorded in the traffic log. Note: To record traffic log messages you must set the logging severity level to Notification when configuring the logging location. Traffic log messages do not generally have a severity level higher than Notification. 1.
  • Page 279: Searching Log Messages

    Select Raw to switch to an unformatted log message display. Select Formatted to switch to a log message display organized into columns. To view log messages in the freeGuard 100 memory buffer 1. Go to Log&Report > Log Access. 2. Select the log type you wish to view.
  • Page 280: Freeguard 100 Categories

    100 is a web filtering solution provided by freedom9. The freeGuard 100 sorts thousands of Web pages into a wide variety of categories that users can allow, block, or monitor. The freeGuard 100 accesses the nearest freeGuard 100 server to determine the category of a requested Web page and then follows the policy configured for that user or interface.
  • Page 281 3. Hacking 4. Illegal or Questionable 5. Racism or Hate 6. Violence Objectionable or Controversial 7. Abortion 8. Adult Materials 9. Advocacy Groups 10. Alcohol and Tobacco 11. Gambling powers, satanic or supernatural beings. Sites that provide information about or promote...
  • Page 282 12. Militancy and Extremist 13. Nudity 14. Pornography 15. Tasteless 16. Weapons Potentially Non-productive 17. Advertisement 18. Brokerage and Trading 19. Freeware and Software Download 20. Games 21. Internet Communication gambling or support online gambling, involving a risk of losing money. Sites that offer information about or promote or are sponsored by groups advocating anti government beliefs or action.
  • Page 283 22. Pay to Surf 23. Web-based Email Potentially Bandwidth Consuming 24. File Sharing and Storage 25. Streaming Media Potentially Security Violating 26. Malicious Web Sites 27. Spyware General Interest 28. Arts and Entertainment 29. Cultural Institutions 30.
  • Page 284 33. Health 34. Job Search 35. Medicine 36. News and Media 37. Personals and Dating 38. Political Organizations 39. Reference Materials 40. Religion 41. Search Engines and Portals 42. Shopping and Auction lesbian, or bisexual lifestyles, including those that support online shopping, but excluding those that are sexually or issue-oriented.
  • Page 285 43. Social Organizations 44. Society and Lifestyles 45. Special Events 46. Sports 47. Travel 48. Vehicles Business Oriented 49. Business and Economy 50. Computer Security 51. Government and Legal Organizations 52. Information Technology - Sites that support the offering and purchasing of goods between individuals.
  • Page 286 IP addresses. Private IP Addresses -- IP addresses defined in RFC 1918, 'Address Allocation for Private Intranets. Web Hosting -- Sites of organizations that provide hosting services, or top-level domain pages of Web communities. Table 32: freeGuard 100 categories firms, including sites...
  • Page 287: Glossary

    An application that requires and requests services from a server. cluster: A group of freeGuard 100s that act as a single virtual freeGuard 100 to maintain connectivity even if one of the freeGuard 100s in the cluster fails. cluster unit: A freeGuard 100 operating in a freeGuard 100 HA cluster.
  • Page 288 (also known as a Media Access Controller or MAC). external interface: The freeGuard 100 interface that connects to the Internet. failover: A freeGuard 100 taking over the processing of network traffic for another unit in the cluster that suffered a device or link failure.
  • Page 289 IKE, Internet Key Exchange: A method of automatically exchanging authentication and encryption keys between two secure servers. IMAP, Internet Message Access Protocol: An Internet email protocol that allows access to an email server from any IMAP-compatible browser. internal interface: interface that connects to an internal (private) network.
  • Page 290 NAT, Network Address Translation: A way of routing IPv4 packets transparently. Using NAT, a router or freeGuard 100 between a private and public network translates private IP addresses to public addresses. netmask, network mask: Also sometimes called subnet mask.
  • Page 291 However, active-passive subordinate units track cluster connections and keep their configurations synchronized with the primary unit. The freeGuard 100 firmware uses the terms “slave” and “subsidiary unit” to refer to a subordinate cluster unit. TCP, Transmission Control Protocol: One of the main protocols in TCP/IP networks.
  • Page 292 broadcasting messages network. virus: A computer program that replicates and spreads itself through computers or networks, usually with harmful intent. VPN, Virtual Private Network: A secure logical network created separate networks. VPNs use encryption and throughout...
