® R&S GP-E/GP-S

Contents
1 About This Manual .................. 9
   Audience .................. 9
   What's in This Manual .................. 10
   Conventions .................. 10
   Related Resources .................. 11
   About Rohde & Schwarz Cybersecurity .................. 11
2 Getting Started .................. 13
   Logging On .................. 13
   Resetting the Hardware .................. 14
3 User Interface .................. 17
   Web Interface Components .................. 17...
Rohde & Schwarz Cybersecurity. gateprotect Firewall integrates firewall, intrusion prevention, application control, web filtering, malware protection and many more functions in a single system.

Figure 1-1: Sample gateprotect Firewall GP-E-1200.

This document applies to two gateprotect Firewall product lines: ●...

1.2 What's in This Manual
The contents of this manual are designed to assist you in installing and configuring gateprotect Firewall. This document includes the following chapters and appendixes:
Chapter 2, "Getting Started", on page 13: Log on to gateprotect Firewall to set up the system for your network.

This note is a little hint that can help make your work easier.
This note contains important additional information.
This note contains information that is important to consider. Non-observance can damage your gateprotect Firewall or put your network security at risk.

About Rohde & Schwarz Cybersecurity
Rohde & Schwarz, active for over 20 years in the field of IT security, is now expanding into this sector. The integration of enterprise security experts gateprotect, ipoque and Sirrix has created the new brand »Rohde &...
2 Getting Started

2.1 Logging On
Log on to gateprotect Firewall to set up the system for your network. After having completed the installation and licensing procedure for gateprotect Firewall as described in the gateprotect Firewall Getting Started guide, you can begin working with the firewall:
1.

2.2 Resetting the Hardware

Figure 2-2: Resetting the hardware of the gateprotect Firewall GP-S series.

With models GP-E-1000/GP-S-1800 or higher, connect the first two ports in the first module (for example eth11 and eth12) with a patch cable, then power off and power

Figure 2-3: Resetting the hardware of gateprotect Firewall models GP-E-1000/GP-S-1800 or higher.

The default settings are restored. Booting to a factory reset can take up to 5 minutes.

User Manual v16.2.1 ─ 01...
3 User Interface
The sections in this chapter describe the components of the gateprotect Firewall user interface. The gateprotect Firewall web interface requires a minimum display resolution of 1024 × 786 pixels (XGA).

Figure 3-1: gateprotect Firewall web interface.

The information displayed in each area is described in the following sections.

3.1.1 Header Area
The header area (1) contains the following elements (from left to right):

Figure 3-2: gateprotect Firewall web interface header area.

are not displayed if you close an editor panel by clicking the button in the upper right corner of the panel, however). The PDF version of the gateprotect Firewall User Manual is also available from the logon page.

Figure 3-3: gateprotect Firewall desktop.

On the desktop you always have a complete overview of your entire configured network. You can edit various settings in this pane or view the details of a configuration.

It is possible to customize the desktop layout by dragging the objects to the desired positions where they are automatically pinned. Use the buttons in the toolbar to save and restore your customized layout or to arrange the objects automatically.

Icon/Button: Description
[icon]: View the details of a list item in the item list bar.
[icon]: Import a backup or a certificate from a file.
[icon]: Export a backup or a certificate to a file.
There are two ways to create firewall rules:
● You can start by first setting up a connection between two objects on the desktop and then configuring firewall rules for this connection.

Field: Description
"Alert Log": Optional: To add an entry to the alert log when traffic matches this firewall rule, select one of the following alert levels from the drop-down list:
● emergency – system is unusable (highest priority)
●...

"QoS Upstream" / "QoS Downstream": Optional: To ensure Quality of Service, enter the bandwidth thresholds that should be applied to traffic matching this rule. The two input fields determine the maximum bandwidth (in bits per second) for download and upload. For an application example using QoS, see Chapter 4.1.5, "Using Quality of...

"Warning Page": Optional: The Reject action can be combined with a warning page which appears to the user in the browser window. To enable a warning page, select this checkbox and one of the following options from the drop-down list:
●...

placed at the beginning of the list, followed by more general rules that apply to a broader range of traffic. You can rearrange rules by dragging and dropping them in the list to create the desired sequence.
Checkbox/Field: Description
"Left Anchor" / "Right Anchor": Anchors define which boundary is set before (left anchor) or after (right anchor) the search string. The decoder will search for the "Expression" (preceded or followed...

Checkbox: Description
"dollar end only": Make the $ anchor match only at the end of the string (or end of line if multi-line mode is enabled).
"caseless": Ignore case: pattern is treated as case insensitive.

the interfaces that are assigned to the zones, their link status, transmitted and received bytes and the data throughput for every zone.
● In the "Services" section you can see whether the services DHCP, DNS, Firewall, High Availability, NTP, and Updater are running on the system.
Figure 3-5: Sample users report.

Reports typically contain drop-down lists that can be used to adjust the data displayed in the report and the quantity or »depth of interest« in the report data. For example, a traffic volume report may have an option to display the traffic in incoming ("Rx"...

Users
The "Users" reports contain information relating to end-user hosts either by IP address or by name (depending on the integration of gateprotect Firewall into your environment). The administrator can use these reports to discover heavy users of the network to determine whether this behavior is expected or represents a threat to the business.

3.4.1.3 Updates
These options allow you to download new software for gateprotect Firewall, to install system updates as well as updates for the Application Signatures, Certificates, Intrusion Prevention System (IPS), Malware Protection and Web Filter.

In a High Availability configuration, system updates must be installed in two phases. First, by clicking "Download", "Install" and "Reboot" on the master system, the standby (slave) system is updated and rebooted. If the update was successful, the former slave takes over the master role, since the software version is newer than the software version on the other system.
Creating a Backup
1. Navigate to "Firewall > Backup > Local Backups".
2. Click the plus button (Create a new backup) in the item list bar header.
3. On the "Backup" panel that opens, enter a "Custom name" for the backup. This name has to be unique and may consist of 3 to 25 characters (allowed are letters of the English alphabet, integers, dashes, underscores and dots).

2. Expand the view of the "Local Backups" list by clicking [icon] next to the search field at the top of the item list bar.
3. Click the [icon] (Export backup) button behind the backup which you would like to export to transfer the current configuration in YML.ZIP file format to your computer...

Before you proceed, make sure that you set the time zone for your gateprotect Firewall as described under "Settings" on page 45. Otherwise, the backups are created according to Etc/UTC instead of the time specified by you in the backup profiles.

Field: Description
"Number of Backups stored": From the drop-down list, select how many backups should be stored locally if the "Store Locally" checkbox has been selected. The option is set to Last 5 by default.
"Manual Reload". To enable automatic reload again, click the slider switch to turn it

The filter options in the first row of the tables allow you to narrow the list of results to display only items that include a certain search string.

Column: Description
"Protocol": The protocol that was detected for the connection triggering the alert.
"Message": The log message itself.

You can filter the contents of the Alert log. The "Message" filter returns all results that contain the input string, whereas the remaining filter fields return exact matches only.
Figure 3-7: Sample filtered Audit log.

System Log
The "System Log" displays a list of recent system messages (e.g. from the kernel, DHCP, DNS services, etc.). The columns of the table contain the following information:...

Figure 3-8: Sample filtered System log.

3.4.1.6 Network Diagnostics
Use the "Network Diagnostics" tools to verify whether gateprotect Firewall can communicate with a computer or other device at a specific network address (ping) or to follow the path a message takes as it travels through the network (traceroute).

5. Under "Request Count", select the number of ICMP echo request packets to be sent to the target. You can choose any integer from 1 to 10 from the drop-down list. The default number is set to 4.

3. Under "Max Hops", enter the maximum number of nodes (routers or other devices) to be traversed on the way to the destination. The default number is set to 30, but you can enter any integer from 1 to 255. If the destination is not reached before this threshold, probe packets are discarded.
The "Notifications" panel provides the following SMTP setting options:
Field: Description
"Relay Host": Specify the outgoing mail server by entering a host name or an IP address.
"Port": Enter the port to be used for communication. The default value is port 25.

The "Hostname" entered here is used to identify the gateprotect Firewall in the local network. The host name may consist of a combination of upper and lower case letters of the English alphabet, dashes and dots.

3.4.1.8 User Authentication
The "User Authentication" settings determine which users are authorized to connect to gateprotect Firewall for VPN access and allow you to connect gateprotect Firewall to an external directory server via the Lightweight Directory Access Protocol (LDAP) to manage users that appear in the web interface.
The "Single Sign-On" settings allow you to configure the following elements:
Field: Description
"Keytab File": By clicking "Select File", you can import the keytab file generated on the domain controller.
Note: The dialog changes as soon as the keytab file has been imported successfully.

Local Users
gateprotect Firewall offers local user administration for smaller companies without central administration. Use the "Local Users" settings to define and manage users by specifying the user names and passwords that are authorized to connect to gateprotect Firewall for VPN access.

Figure 3-10: Sample Local User settings.

The buttons at the bottom right of the editor panel depend on whether you add a new VPN user or edit an existing user. For a newly configured local user, click "Create" to add the new user to the list of available local VPN users or "Cancel"...

To make the LDAP users in this list available for use in connections and firewall rules, the users have to be added to the desktop by clicking [icon] (Pin this user to the desktop) next to the respective user in the item list bar.
Field: Description
"use TLS" / "use SSL": Optional: To encrypt communication with the directory server, select either of the "use TLS" or "use SSL" checkboxes (or both).
Important: To use SSL encryption, select "use SSL" on your gateprotect Firewall and configure this option on the directory server.

– Optional: The "Group Object Class"
– Optional: The "Group Member Selector"

> Access to LDAP Server
The settings in this section determine whether gateprotect Firewall connects to the server anonymously or logs in using a specified user account to access the necessary entries in the directory.

Navigate to "Firewall > License" to view the validity period of your license or to upload a new license. In fixed intervals, the deployed firewall will check whether a license update for its Machine ID is available on the update server. At the same time, the expiration dates of the license and individual feature licenses are checked as well.

Field: Description
"Month of Year": Select one or more months of the year to associate with the profile.
"Day of Week": Select one or more days of the week to associate with the profile.

Column: Description
[icon]: Indicates that you can rearrange rules by dragging and dropping them in the list to create the desired sequence.
"State": The icon in this column indicates whether the firewall rule is active or not. Newly created rules are enabled by default.
Routes between zones are created automatically and hidden. You should not normally need to create routes unless you have an upstream router that requires special routes. To influence traffic between zones, create a firewall rule as described under Chapter 3.3, "Firewall Rule...

3.4.2.3 Syslog Servers
gateprotect Firewall can be used to configure multiple external syslog servers to forward log messages generated by different message sources based on the level of severity for reporting purposes.

Field: Description
"Protocol": Optional: Select the protocol type to be used from the drop-down list. UDP is pre-selected by default.
"Message Level": From the drop-down list, select the minimum logged severity level of each message source that can generate log messages:
●...

The SSL proxy server certificate is evaluated by the gateprotect Firewall. Under "Handling", decide what to do if the certificate is not trusted:
● Use invalid certificate (invalidate connection) – a different invalid certificate is presented to the client,
●...

The High Availability feature requires two identical systems of the same hardware type (for example GP-E-800 with GP-E-800 or GP-S-1600 with GP-S-1600) and software version, each with a free network interface (NIC) that is not currently associated with a zone.
– Set "Mode" to Master.
– From the drop-down list, select an "Interface" as the Cluster Interconnect interface.
– Click "Save" to store your settings.
2. On the standby (slave) system:
● Connect the slave system to the master with the Cluster Interconnect cable.

● In a High Availability configuration, system updates must be installed in two phases (see also Chapter 3.4.1.3, "Updates", on page 33). First, by clicking "Download", "Install" and "Reboot" on the master system, the standby (slave) system is updated and rebooted.

Field: Description
"Active Period": Set the time (in minutes) for how long remote access will be granted. When this time elapses, the CLI access will be disabled automatically.
"Start Time": Set the date and time when remote access to the gateprotect Firewall will become available for the support team.

Field: Description
"Max number of PCAPs": Specify the maximum number of PCAP files to be stored for all firewall rules and flows using the FTC profile. The default maximum number is set to 500. To separate flows from each other for a more effective analysis, PCAP files are stored separately for each single flow.

The FTC profile defined here is available for use in custom firewall rules as described under Chapter 3.3, "Firewall Rule Settings", on page 22.

FTC Data
Navigate to "Network > FTC" to display information about the forensic traffic captured for each custom firewall rule in which FTC has been enabled.
NAT Rules Settings
The "NAT Rules" settings allow you to manipulate packets directly in a zone. The "NAT Rule" settings allow you to configure the following elements:
Field: Description
"On" / "Off": A slider switch indicates whether the NAT rule is active ("On") or inactive ("Off"...

"New Source Address": Specify a new source IP address for the selected traffic.
"New Source Ports": Specify a new source port or a source port range for the selected traffic.
"New Destination Address": Specify a new destination IP address for the selected traffic.

– "Web Admin Access", an encrypted connection to the web interface, being activated and
– a DHCP server running on the management port (192.168.255.0/24) to allow you to connect a PC and configure the system even if it is not (yet) reachable via the network.

For more detailed information on Ethernet zones, see the following sections.

Ethernet Zones Overview
Navigate to "LAN > Ethernet Zones" to display the list of Ethernet zones that are currently defined on the system in the item list bar.
Field: Description
"Enable DNS Cache": This checkbox is pre-selected by default; it has to be selected to activate DNS caching. Clear the checkbox to disable DNS caching.
"Log Refused Connections": Optional: Select this checkbox to create an entry in the System log (see "Sys-...

Field: Description
"Web Admin Access": Select the checkbox to enable HTTP(S) access to the web admin frontend.
"HTTPS": This option determines whether an encrypted connection is used to access the gateprotect Firewall web interface. The option is set to "Off" by default but you can turn it "On"...

WLAN Zones Settings
Use the "WLAN Zones" settings to configure your gateprotect Firewall as a wireless access point. Under "LAN > WLAN Zones", you can edit an existing WLAN zone. The "WLAN Zone" settings allow you to configure the following elements:...

Field: Description
"Dynamic DHCP Scope": To supply clients with addresses, a range of IP addresses can be assigned to the server using these settings. You can use the default DHCP address range, or enter a different beginning and end of the range of addresses that you want to distribute to computers in this zone.
Field: Description
"Encryption Mode": Select the desired encryption mode from the drop-down list. The mode can be one of the following:
● Open (i.e. not encrypted)
●
● WPA2
● WPA+WPA2
The WPA+WPA2 encryption is set by default.

3.4.3.3 VLAN Zones
Use the "VLAN Zones" settings to add custom Virtual Local Area Network tags to all traffic on a given interface. This method can be used to create »virtual interfaces« that allow you to put several logical network zones on one physical interface.

Field: Description
"Enable DNS Cache": This checkbox is pre-selected by default; it has to be selected to activate DNS caching. Clear the checkbox to disable DNS caching.
"Log Refused Connections": Optional: Select this checkbox to create an entry in the System log (see "Sys-...

If you configure an IP address from within the dynamic DHCP address range as a static IP address, the DHCP server will no longer assign this IP address dynamically to any client other than the one specified.
monitor to determine which interfaces fail and to switch them accordingly (see Chapter 3.4.4.3, "Failover Settings", on page 82). For more detailed information on connection monitoring, see the following sections.

Connection Monitoring Overview
Navigate to "WAN >...

Field: Description
"Destinations": Add up to three desired URLs or IP addresses and click "Add" after each entry. You can edit or delete each single entry in the list by clicking the appropriate button next to an entry.

In the expanded view, the columns of the table display the "Name" of the DynDNS account, indicate whether the account is "Enabled" and show the "Server Type". The buttons in the last column allow you to view and adjust the settings for an existing DynDNS account, create an account based on a copy of an existing DynDNS account or delete an account from the system.

Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.

3.4.4.3 Failover Settings
Use the "Failover" settings to configure a backup connection to the wide area network, typically the Internet.
Figure 3-14: Failover settings.

Field: Description
"Failover Time": Set the time (in seconds) after which the WAN interface will be switched should the connection enter the critical state. The default failover time is set to 80 seconds.

● OK (green) – the connection is working
● WARNING (yellow) – the connection attempt failed
● CRITICAL (red) – at least three connection attempts failed
● PENDING (gray) – the connection setup is still in progress

Manual Failover
To initiate failover manually, navigate to "WAN >...

In the expanded view, the "Interface" column of the table displays the name of the WAN zone. The button in the right column allows you to view and adjust the settings of the WAN zone.

For further information, see Chapter 3.2, "Icons and Buttons", on page 21.
The WAN zone has to have at least one physical interface connected to it. Thus, the last remaining interface cannot be deleted.

Field: Description
"Local IP": Optional: Enter your local IP address.
"Peer IP": Optional: Enter the IP address of the peer.
"MRU": Optional: Set the maximum receive unit.
"MTU": Optional: Set the maximum transmission unit.
The current version allows you to activate either failover (see Chapter 3.4.4.3, "Failover Settings", on page 82) or WAN load balancing, not both together. Some services rely on your gateprotect Firewall being reachable under a specific IP address.

Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.

3.4.4.5 Port Forwarding
gateprotect Firewall supports "Port Forwarding" rules, which can be defined to forward connections from a source port range to a given IP address and target port range for a specific zone.

Field: Description
"Zone": From the drop-down list, select the zone to which this port forwarding rule should apply.
"Source Port Range": Enter a unique single port (for example 800) or a port range using a hyphen '-' character (for example 800-810) as the source.

For further information, see Chapter 3.2, "Icons and Buttons", on page 21.

IP Forwarding Settings
Under "WAN > IP Forwardings", you can add a new or edit an existing IP forwarding rule.

Field: Description
"Destination Zone": From the drop-down list, select the zone in which the destination host (the internal IP address) is located.
"Destination Host": From the drop-down list with all available IP addresses for the destination zone, select the custom host to which the traffic should be forwarded (the internal IP address).

The "Policy Based Route" settings allow you to configure the following elements:
Field: Description
"On" / "Off": A slider switch indicates whether the policy-based route is active ("On") or inactive ("Off"). By clicking the slider switch, you can toggle the state of the policy-based route.

The values of single selectors have the following order of importance:
● "Destination Ports":
  – a single port takes priority over a port range
  – smaller single ports and ranges take priority over larger single ports and ranges
●...
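The "Destination Ports" ordering described above, worked through as an added Python example (this is not code from the manual or the product): it parses port specs in the manual's own notation (a single port such as 800 or a range such as 800-810), ranks them so that single ports beat ranges and smaller beat larger, and picks the winning policy-based route for a given destination port. Treating a "smaller" range as the one that covers fewer ports is an interpretation of the manual's wording, not something it states, and the route names are constructed.

```python
"""Ranking of "Destination Ports" selector values for policy-based routes.

Constructed example; it encodes only the two rules the manual states for the
"Destination Ports" selector:
  1. a single port takes priority over a port range,
  2. smaller single ports and ranges take priority over larger ones.
Assumption (not stated in the manual): a "smaller" range is one that covers
fewer ports; ties are broken by the lower port number so the order is total.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PortSpec:
    low: int
    high: int

    @classmethod
    def parse(cls, text: str) -> "PortSpec":
        """Accept "800" or "800-810"; reject inverted ranges and ports outside 1..65535."""
        parts = text.strip().split("-")
        if len(parts) == 1:
            low = high = int(parts[0])
        elif len(parts) == 2:
            low, high = int(parts[0]), int(parts[1])
        else:
            raise ValueError(f"malformed port spec: {text!r}")
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"port spec out of range or inverted: {text!r}")
        return cls(low, high)

    @property
    def is_single(self) -> bool:
        return self.low == self.high

    @property
    def width(self) -> int:
        # Number of ports covered; 1 for a single port.
        return self.high - self.low + 1

    def matches(self, port: int) -> bool:
        return self.low <= port <= self.high


def priority_key(spec: PortSpec) -> Tuple[int, int, int]:
    """Sort key where a lower tuple means higher priority.

    Singles (0) sort before ranges (1); then narrower before wider; then the
    lower port number first. For two single ports width is always 1, so they
    are ordered purely by port number, as the manual's rule 2 requires.
    """
    return (0 if spec.is_single else 1, spec.width, spec.low)


def order_selectors(specs: List[PortSpec]) -> List[PortSpec]:
    """Return the selector values in decreasing order of importance."""
    return sorted(specs, key=priority_key)


def select_route(routes: List[Tuple[str, str]], dst_port: int) -> Optional[str]:
    """Return the name of the route whose Destination Ports value wins for dst_port.

    `routes` is a list of (route name, port spec text) pairs in any order;
    None means no route's selector covers the port.
    """
    candidates = [(name, PortSpec.parse(text)) for name, text in routes]
    matching = [(name, spec) for name, spec in candidates if spec.matches(dst_port)]
    if not matching:
        return None
    name, _ = min(matching, key=lambda pair: priority_key(pair[1]))
    return name


if __name__ == "__main__":
    # Constructed route table: the single-port selector must win for port 80.
    demo = [("route-any", "1-65535"), ("route-web-range", "80-443"), ("route-http", "80")]
    print(select_route(demo, 80))   # route-http
    print(select_route(demo, 443))  # route-web-range
```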
A custom host (for example a printer or a VoIP phone) can be assigned a dedicated IP address so that firewall rules can be specifically applied to it. Custom hosts are displayed as nodes on the desktop.

Field: Description
"Zone": From the drop-down list, select the zone that you want the network group to be associated with.
Note: As long as a network group is associated with a zone, you cannot change the IP address or the netmask of this zone.

The "Custom Network" settings allow you to configure the following elements:
Field: Description
"Name": Enter a unique name for the subnet. The name must consist of 3 to 100 alphanumeric characters (allowed are letters of the English alphabet, integers, dashes, and underscores).

If you modify the settings, click "Save" to store your changes or "Reset" to discard them. Otherwise, click "Close" to shut the editor panel. Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.

Field: Description
"Alert Level": You can select one of the following alert levels from the drop-down list:
● emergency – system is unusable (highest priority)
● alert – action must be taken immediately
●...

changes. To edit an existing profile, click "Save" to store the reconfigured profile or "Reset" to discard your changes. You can click "Close" to shut the editor panel as long as no changes have been made on it.
any from the "Hostname Whitelist", the web filter triggers a »Reject« action. If a warning page has been configured, the user is directed to it. For more detailed information on web filter profiles, see the following sections.

Field: Description
"Warning Page": Optional: To set up a warning page, select one of the following options from the drop-down list:
● Off – no warning page is set up (default setting)
●...

The buttons at the bottom right of the editor panel depend on whether you add a new web filter profile or edit an existing profile. For a newly configured profile, click "Create" to add the profile to the list of available web filter profiles or "Cancel" to discard your changes.

Field: Description
"Subject Tag format": Optional: You are able to tag emails which are identified as spam. The subject tag can be any text and contain the variables %SUBJECT% (original subject of the spam email), %SPAMCLASS%, and %SPAMCLASSNUM% (spam category).

Field: Description
"Block files containing viruses": Optional: Select this checkbox to scan attachments in emails and to block files with clearly identified viruses. If a virus is detected, the recipient will receive the email without the attachment but with the notification that the attachment was infected.
Field: Description
"POP3": A slider switch indicates whether the mail filter for incoming emails that are not encrypted is currently active ("On") or inactive ("Off"). By clicking on the slider switch, you can toggle the state of this service.

Click "Activate" in the toolbar at the top of the desktop to apply your configuration changes.
The other mail filter, antispam and antivirus settings only take effect if the mail proxy has been activated. For more information, see Chapter 3.4.6.4, "Antispam Set-...

tunneling enabled is able to connect to file servers, database servers, mail servers and other services on the corporate network through the VPN connection. When the user connects to Internet resources (websites, FTP sites, and so on), the connection request goes directly out the gateway provided by the hotel network.

● legacy – uses IKEv1 settings to provide access to devices that do not support IKEv2
● secure – uses the Elliptic Curve key exchange algorithm (Diffie-Hellman group
● windows – dedicated IKEv2 profile to meet the requirements of Windows
For more detailed information on IPsec profiles, see the following sections.
® User Interface R&S GP-E/GP-S Menu Reference To avoid generating a rekeying loop, the margin time should be much lower than the key lifetime (recommendation: < 0.5 x key lifetime). The Diffie-Hellman group is left empty by default in the "Encapsulating Security Pay- load (ESP)"...
Page 111
® User Interface R&S GP-E/GP-S Menu Reference Field Description "On" / "Off" A slider switch indicates whether the IPsec C2S connection is active ( "On" ) or inactive ( "Off" ). By clicking the slider switch, you can toggle the state of the connection.
Page 112
® User Interface R&S GP-E/GP-S Menu Reference Field Description "Access Zone" From the drop-down list, select the zone in which the tunnel should end and encrypted data being sent through the VPN tunnel arrive. "Local Address" Enter a valid public IP address or the fully qualified domain name (FQDN) under which the firewall is reachable from the outside.
Page 113
If you do not enable local and remote identities, the connection will not provide a local identity in the case of outgoing connections and will accept any remote identity (or none) in the case of incoming connections respectively.
"Status" column shows whether the VPN daemon is running on the system. The buttons in the last column allow you to view and adjust the settings for an existing IPsec S2S connection, create a connection based on a copy of an existing IPsec connection or delete a connection from the system.
Field Description "Connection Mode" You can choose from three modes:
● auto start – the tunnel is established immediately and stays up even if there is no traffic
● on demand – the tunnel is only established if there is traffic generated by the initiator
●...
Field Description "Remote Address" Enter a valid public IP address in CIDR notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24) or the fully qualified domain name (FQDN) at which the remote end is reachable from the outside.
If you do not enable local and remote identities, the connection will not provide a local identity in the case of outgoing connections and will accept any remote identity (or none) in the case of incoming connections.
to view and adjust the settings of an existing OpenVPN C2S connection, create a connection based on a copy of an existing OpenVPN connection or delete a connection from the system. For further information, see Chapter 3.2, "Icons and...
Field Description "Network IP Address" Specify the subnet from which the VPN clients will receive an IP address when they connect to gateprotect Firewall. Enter a valid CIDR subnet notation (IP address followed by a slash »/« and the number of bits set in the subnet mask, for example 192.168.50.1/24 ).
The "Site-to-Site" settings allow you to configure the following elements: Field Description "On" / "Off" A slider switch indicates whether the OpenVPN S2S connection is active ( "On" ) or inactive ( "Off" ). By clicking the slider switch, you can toggle the state of the connection.
Field Description "Remote Certificate" From the drop-down list, select the VPN certificate of the remote site. "Remote Host" Enter the host name or IP address under which the remote gateprotect Firewall is reachable from the Internet in its access zone.
3.4.8.1 Certificates The "Certificates" settings allow you to control the certificates used by the gateprotect Firewall web interface, the built-in SSL proxy and the OpenVPN server. To secure encrypted connections, gateprotect Firewall uses digital certificates as described in the X.509 standard.
Signing Request (CSR) from a certificate and verifying, temporarily suspending or renewing the validity of a certificate. For further information, see Chapter 3.2, "Icons and Buttons", on page 21 and Chapter 4.10, "Handling Certificates",...
Field Description "Subject Alternative Name (SAN)" Optional: Enter as many custom subject alternative names as you like for the certificate for specific usage and select the appropriate types from the drop-down list. Available types are: E-Mail, DNS, DirName, URI and IPv4. Click "Add"...
Certificate type Description Authentication Creates a certificate that is used for webservers and user identification for HTTPS connections and that provides HTTPS access to the management frontend in LAN/WAN zones. A suitable parent CA has to be selected.
6. Click "Create" to add the new template to the list of available templates. 3.4.8.3 OCSP/CRL Settings Enable the OCSP and/or CRL services to allow clients to verify the validity of certificates issued by the central firewall.
In the expanded view, the columns of both tables display the "Common Name, Organization" of the CA certificate, its validity information ( "Start Date" and "Expiration Date" ) and its trust setting (whether the CA is "Trusted" or not). The buttons in the last column allow you to view and adjust the settings for an existing truststore certificate or delete a custom certificate from the system.
User Manual v16.2.1 ─ 01...
® Application Examples R&S GP-E/GP-S Firewall Rule Examples 4 Application Examples This chapter includes various examples that illustrate how to use firewall rules to manage network traffic, set up specific features, services and VPN connections, and configure decoders to block communication containing certain file types or keywords.
4.1.1 Blocking Certain Websites Using Applications This example shows a basic blacklisting scenario that allows users full access to the Internet, except for Amazon and eBay. To apply this scenario to all users on your network, you have to create a separate firewall rule set for each zone.
Figure 4-3: Sample General tab settings. 3. Enter a suitable name for the profile. 4. Go to the "Categories" tab and open the category Interests. 5. Select the subcategory Gaming. 6. Optional: If you wish to get an alert when the web filter is triggered, open the "Warning Page and Alerts"...
Figure 4-4: Sample firewall rules settings to block certain websites. Position Policy Source Destination Applications/Protocols Filter Options Enabled Allow Zone-eth2 Allow Zone-eth2 HTTP Web Filter Profile Inspection With this set of rules all websites/URLs are allowed except those related to gaming.
3. Enter a suitable name for the profile. 4. Go to the "Categories" tab and open the category Interests. 5. Select the sub-category Educational. 6. Optional: If you wish to get an alert when the web filter is triggered, open the "Warning Page and Alerts"...
With this set of rules, all websites/URLs including the educational website wiki.example.com are blocked, except those websites which are related to education and the wiki.intern.com website. 4.1.4 Forcing Secure Communication This example shows a basic whitelisting scenario that allows users from Zone-eth2 to access Google, but only via an SSL-encrypted connection.
Figure 4-9: Sample firewall rules settings to allow filtered Internet access. Position Policy Source Destination Applications/Protocols Enabled Options Allow WAREHOUSE DNS, HTTP IDS/IPS, Anti Malware, SSL Inspection 4.1.5 Using Quality of Service This example shows a possible use case for the QoS (Quality of Service) feature.
4.1.6 Using DHCP in Bridge Mode Bridge two zones and create the firewall rules required to allow DHCP requests. 1. On the desktop, click the icon in the circular menu of the first zone in the bridge.
® Application Examples R&S GP-E/GP-S Setting Up Single Sign-On 4.2 Setting Up Single Sign-On When using Single Sign-On (SSO), users can log in to a Windows client with their Active Directory credentials and firewall rules configured on the gateprotect Firewall concerning these users will be automatically applied.
Figure 4-12: Creating a new user. Note: Make sure that the user logon name is spelled exactly as indicated. 3. The remaining information, such as first name, last name and so on, can be chosen at will.
4.2.3 Configuring the Firewall Set up the gateprotect Firewall for Single Sign-On. Configuring User Authentication 1. Navigate to "Firewall > User Authentication > Single Sign-On" . The "Single Sign-On" editor panel opens.
5. Click "Save" to store your settings. The editor panel disappears automatically. Configuring the Zones of the Windows Clients 1. Navigate to "LAN > Ethernet Zones" . 2. In the item list bar, click next to a zone that is supposed to provide Windows clients with SSO capabilities.
3. Select the custom host node of the domain controller. The "Firewall Rules" panel for this connection opens. 4. Click the plus button to set up a firewall rule for this connection.
14. For the fourth rule configure the following settings: a) "Name" : [Rule 4] b) "Policy" : Allow c) "Source(s)" : [Client Zone] d) "Destination(s)" : [Domain Controller] e) "Applications / Protocols" : LDAP 15.
6. Under "Search Base DN" , enter a distinguished name as a sequence of relative distinguished names (RDN) connected by commas to define the location within the directory from where the directory search starts.
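The "Search Base DN" step above expects a distinguished name written as comma-separated RDNs. The following added Python example (mine, not part of the manual or of any gateprotect software) parses such a DN with the escaping rules of RFC 4514, derives the usual default search base from an Active Directory domain name, and checks whether a user's DN lies under a given base; the sample DNs and domain are constructed, and the case-insensitive comparison of values is a simplification that I note in the code.

```python
"""Parse and check LDAP distinguished names (RFC 4514 syntax, simplified)."""
from typing import List, Tuple

RDN = List[Tuple[str, str]]  # one RDN = one or more attribute=value pairs


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` unless the separator is escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escape pair intact
            buf.append(ch)
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value: str) -> str:
    """Resolve backslash escapes such as '\\,' inside an attribute value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Turn 'CN=Users,DC=example,DC=com' into a list of RDNs, left to right.

    Raises ValueError on empty RDNs or components without '=', so that a
    mistyped search base is rejected before it reaches the directory.
    """
    rdns: List[RDN] = []
    for raw_rdn in split_unescaped(dn, ","):
        raw_rdn = raw_rdn.strip()
        if not raw_rdn:
            raise ValueError(f"empty RDN in DN {dn!r}")
        pairs: RDN = []
        for ava in split_unescaped(raw_rdn, "+"):   # '+' joins multi-valued RDNs
            if "=" not in ava:
                raise ValueError(f"RDN component without '=': {ava!r}")
            attr, value = ava.split("=", 1)
            attr, value = attr.strip(), unescape(value.strip())
            if not attr or not value:
                raise ValueError(f"incomplete RDN component: {ava!r}")
            pairs.append((attr, value))
        rdns.append(pairs)
    return rdns


def base_dn_for_domain(domain: str) -> str:
    """Default search base for an AD domain: one DC component per DNS label."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def _normalised(rdns: List[RDN]):
    # Attribute types and values compared case-insensitively. This is a
    # simplification: value case sensitivity really depends on the attribute's
    # matching rule in the directory schema.
    return [tuple(sorted((a.lower(), v.lower()) for a, v in rdn)) for rdn in rdns]


def is_under(dn: str, base_dn: str) -> bool:
    """True if `dn` is at or below `base_dn`, i.e. a search from the base finds it."""
    d, b = _normalised(parse_dn(dn)), _normalised(parse_dn(base_dn))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    base = base_dn_for_domain("example.com")   # constructed sample domain
    print(base, is_under("CN=alice,OU=Users,DC=example,DC=com", base))
```

A search base that is too narrow (an OU that does not contain all SSO users) silently produces users that never authenticate, so checking candidate user DNs against the configured base with `is_under` is a cheap way to validate the setting before saving it.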
3. Double-click UAClientSSOSetup.exe to start the setup program. The UAClientSSOSetup.exe setup program installs the UAClientSSO.exe file in C:\Program Files\gateprotect\UAClientSSO.exe and creates a shortcut on your desktop. 4. Right-click on the gateprotect User Authentication Client desktop shortcut.
® Application Examples R&S GP-E/GP-S Setting Up a Static Route 10. Click "OK" to store your settings. The "Properties" dialog disappears. 11. Double-click the edited shortcut to establish the connection. The connection is established. A successfully established connection is indicated by a green connection icon in the system tray, located in the Windows taskbar at the bottom of the desktop.
® Application Examples R&S GP-E/GP-S Setting Up a Syslog Server 6. Define the "Gateway" for this route. Traffic from the source zone to the destination network is routed via this gateway (rather than the standard gateway). 7. Click "Create" to add the new route to the list of available static routes.
1. Navigate to "Network > Syslog Servers" . 2. Click the plus button in the item list header. An editor panel is opened, allowing you to configure a remote syslog server.
® Application Examples R&S GP-E/GP-S Setting Up a VLAN 4.6 Setting Up a VLAN gateprotect Firewall can be used to add custom Virtual Local Area Network (VLAN) tags to all traffic on a given interface. The following example shows how to set up a new VLAN.
® Application Examples R&S GP-E/GP-S Setting Up Port Forwarding 7. Click "Create" to add the new VLAN to the list of available virtual local area networks and as a new node to the desktop. 8. Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
® Application Examples R&S GP-E/GP-S Sorting Policy-Based Routes 5. Enter the "Source Port Range" or an individual source port. 6. Enter the "Target Port Range" or an individual target port. 7. Enter the "Target IP" . 8. Under "Protocols" , select at least one protocol.
ber is selected. Policy_3 takes priority over Policy_4 because a smaller port range is selected. "Name" "Routing Target" "Destination Address" "Protocol" "Source Ports" Policy_1 eth0 10.10.10.0/24 Policy_2 eth7 10.10.0.0/16 As these routes have identical port numbers, the system compares the destination IP addresses.
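The CIDR notation the manual uses for remote addresses and subnets (a host address followed by »/« and the prefix length, such as 192.168.50.1/24), together with the ordering it illustrates for policy-based routes (a narrower source port range ranks first; when the port numbers are identical the destination address decides, and the manual's table places the 10.10.10.0/24 route above the 10.10.0.0/16 one), shown as an added Python example. This is my code, not the firewall's routing logic: the route table is constructed (Policy_1 and Policy_2 mirror the manual's rows, the port ranges for Policy_3 and Policy_4 are invented), an empty destination or the full port range is taken to mean "any", ties on port range are broken by longer prefix, and the "Protocol" column is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORTS = (0, 65535)   # inclusive range covering every source port


def parse_cidr(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Network]:
    """Validate 'host/prefix' input such as 192.168.50.1/24 and return (host, network).

    The manual's examples give a host address plus prefix length; the network is
    derived from it here (192.168.50.1/24 -> 192.168.50.0/24). Bad addresses and
    prefix lengths raise ValueError from the ipaddress module.
    """
    text = text.strip()
    if "/" not in text:
        raise ValueError(f"prefix length missing: {text!r}")
    iface = ipaddress.ip_interface(text)
    if iface.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    return iface.ip, iface.network


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    routing_target: str                          # outgoing interface, e.g. eth0
    destination: str = ""                        # CIDR; empty means any destination
    source_ports: Tuple[int, int] = ANY_PORTS    # inclusive source port range


def port_range_size(route: PolicyRoute) -> int:
    low, high = route.source_ports
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range on {route.name}: {route.source_ports}")
    return high - low + 1


def prefix_length(route: PolicyRoute) -> int:
    if not route.destination:
        return 0
    return ipaddress.ip_network(route.destination, strict=False).prefixlen


def sort_policy_routes(routes: List[PolicyRoute]) -> List[PolicyRoute]:
    """Smaller source port range first; on a tie, the more specific destination first."""
    return sorted(routes, key=lambda r: (port_range_size(r), -prefix_length(r)))


def route_matches(route: PolicyRoute, dst_ip: str, src_port: int) -> bool:
    if route.destination:
        net = ipaddress.ip_network(route.destination, strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    low, high = route.source_ports
    return low <= src_port <= high


def select_route(routes: List[PolicyRoute], dst_ip: str, src_port: int) -> Optional[str]:
    """Routing target of the highest-ranked matching route, or None if nothing matches."""
    for route in sort_policy_routes(routes):
        if route_matches(route, dst_ip, src_port):
            return route.routing_target
    return None


# Constructed route table (deliberately out of order so the sort is visible).
ROUTES = [
    PolicyRoute("Policy_2", "eth7", destination="10.10.0.0/16"),
    PolicyRoute("Policy_1", "eth0", destination="10.10.10.0/24"),
    PolicyRoute("Policy_4", "eth2", source_ports=(1, 1024)),
    PolicyRoute("Policy_3", "eth1", source_ports=(80, 80)),
]

if __name__ == "__main__":
    print([r.name for r in sort_policy_routes(ROUTES)])
    print(select_route(ROUTES, "10.10.10.5", 5000))
```

Because the first matching route in the sorted list wins, a broad route placed above a narrow one would shadow it; sorting by the criteria the manual describes before matching is what keeps the narrow, intended route effective.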
® Application Examples R&S GP-E/GP-S Setting Up the Mail Filter with SSL Inspection 4.9 Setting Up the Mail Filter with SSL Inspection Set up the mail proxy and traffic SSL inspection so that gateprotect Firewall decrypts and analyzes encrypted emails and traffic.
® Application Examples R&S GP-E/GP-S Handling Certificates Click the (Import) button in the item list header to upload the CA. k) Click "Select" to choose the CA file from the local disk and open it. Click "Import" to add the CA to the truststore.
5. Optional: Select "Show New Password" to verify the new password. 6. Click "Select" to choose a file from the local disk. The imported file can contain:
● a single public certificate (self-signed or signed by a known or unknown CA),
●...
Exporting the certificate signing request (CSR), signing it externally with a CA and then reimporting the new public certificate with or without a CA chain can be used in an environment that already has a trusted CA to extend that trust onto the SSL proxy CA.
3. Click the (Export CSR) button behind the certificate you desire to renew to download the certificate signing request from the certificate to the local disk. 4. The CSR can then be used to get your CA's certificate signed by an external CA.
® Application Examples R&S GP-E/GP-S Setting Up OCSP/CRL Services 2. Expand the view of the "Certificates" list by clicking next to the search field at the top of the item list bar. 3. Click the (Renew) button behind the certificate or CA that you desire to renew.
® Application Examples R&S GP-E/GP-S VPN Setup Examples Figure 4-20: Sample OCSP/CRL settings. 2. Activate the service which you desire by clicking the slider switch next to it. The slider switch turns from OFF to ON. 3. Click "Save" to store your settings.
Figure 4-21: Sample network zones. For more detailed information on the available options, see Chapter 3.4.7, "VPN", on page 107. 4.12.1 Setting Up a Client-to-Site VPN via IPsec gateprotect Firewall can provide VPN access via IPsec, enabling remote client computers to connect securely to the internal network via the Internet.
Figure 4-22: gateprotect Firewall as a VPN gateway. 4.12.1.1 Setting Up the VPN Connection Define a connection to enable remote client computers to connect securely to the internal network via the Internet.
5. If the connection should be shown on the desktop, choose a color for its representation. 6. Specify a unique "Name" for the connection. The name must consist of three to ten lowercase alphanumeric characters.
Figure 4-26: Sample Local Configuration settings. 1. Under "Access Zone" , select the zone in which the tunnel should end and encrypted data being sent through the VPN tunnel arrive. 2. Under "Local Address" , specify the IP address or domain name at which gateprotect Firewall will respond to VPN connection requests.
Figure 4-27: Sample Remote Configuration settings. 1. Specify the "Remote Subnet" for the new network object. Clients receive an IP address from this subnet when they connect to gateprotect Firewall. 2. Enable "Use Remote Identity" if you set up more than one IPsec connection for the same access zone.
5. Tap " Back". 6. Enter the following information (see Figure 4-28): a) Under "Description" , enter a name for the new VPN connection. b) Enter the gateprotect Firewall WAN IP address or a fully qualified domain name under "Server"...
Setting Up an iOS Client Using Certificates Mobile devices running iOS (such as the Apple iPhone or iPad) can be configured to communicate securely with gateprotect Firewall via a VPN connection. The connection is authenticated using certificates.
c) Under "Distinguished Name" , enter the name of the gateprotect Firewall that serves as host, i.e. its IP address or hostname. d) Adjust the remaining information as necessary for your environment.
Figure 4-31: Exporting the VPN certificate. 2. Export the CA as described under Chapter 4.10, "Handling Certificates", on page 153. Select the CRT format for the CA. For more information, see Chapter 3.4.8.1, "Certificates",...
b) Enter the gateprotect Firewall WAN IP (used as distinguished name in the certificate) under "Server" . c) Specify an authorized user name as "Account" . The user name must be defined on gateprotect Firewall in the list of VPN users under "Firewall >...
3. In the "General" tab, specify a name for the firewall rule. 4. Select Allow from the "Policy" drop-down list. 5. There are two ways to allow ICMP. Directly in the firewall rule, you can allow ICMP in general: a) In the "General"...
n) Click "OK" . Figure 4-34: Sample decoder rules allowing ICMP. o) Click "Create" to create the firewall rule. 7. Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes.
Figure 4-35: Sample Android VPN setup. 4. Tap "Save" to store the settings. 5. Select the new configuration, enter the "User Name" and "Password" , and tap "Connect" . Setting Up an Android Client Using Certificates...
The system prompts you to select the service that the new certificate should be used for. a) Under "Type" , select Certificate Authority Without Subordinate Certificate Authorities which will be used to authorize the necessary VPN certificate.
a) Under "Type" , select Authentication and VPN. b) Under "Signing CA" , select the CA created in step 2. c) Adjust the remaining information as necessary for your environment. d) Click "Create" to add the new certificate to the list of available certificates.
2. Copy the client certificate created under "Creating VPN Certificates for Android Clients" on page 171 into the internal storage of the device. 3. Go to "Settings > Security > Install from Storage".
11. Tap "Save" to store the settings. 12. Select the new configuration, enter the "User Name" and "Password" , and tap "Connect" . 4.12.1.2 Setting Up Authentication Specify the authentication method used to determine which users are authorized to connect to the gateprotect Firewall for VPN access.
Figure 4-40: Sample local user settings for internal authentication. 7. Click "Create" to add the new user to the list of available local users. The new user appears in the list of available local users and as a node on the desktop.
5. Click " Activate" in the toolbar at the top of the desktop to apply your configuration changes. For authentication by "Client Certificate" : For authentication by "Client Certificate" , export the client certificates with private keys: 1.
If you establish an IPsec connection, there are two ways to secure your connection – either by pre-shared key or by certificates. Take the following steps only if you intend to use certificates as authentication method.
c) Adjust the remaining information as necessary for your environment. Figure 4-43: Sample VPN certificate settings for the »headquarters« (server). d) Click "Create" to add the new certificate to the list of available certificates.
Figure 4-45: Exporting the VPN certificate for the »subsidiary«. On the remote system (at the »subsidiary«): ► Import the CA and both VPN certificates as described under Chapter 4.10, "Handling Certificates", on page 153.
For more information, see Chapter 3.4.8.1, "Certificates", on page 122. 4.12.2.2 Setting Up the VPN Connection Define a Site-to-Site connection to enable a secure connection between two remote networks. 1. From the menu in the navigation pane, select "VPN > IPsec > Site-to-Site".
Figure 4-48: Sample connection authentication with Preshared Key . The remote network needs to supply this password to establish a VPN connection to gateprotect Firewall. ● If you select "Certificate" , select the certificate and signing CA created earlier, Chapter 4.12.2.1, "Creating VPN...
Figure 4-50: Sample Local Configuration settings. 1. From the drop-down list under "Access Zone" , select the zone in which the tunnel should end and encrypted data being sent through the VPN tunnel arrive.
Figure 4-51: Sample Remote Configuration settings. 1. Under "Remote Address" , specify the IP address or domain name of the remote network. 2. Under "Remote Subnets" , select the subnets that should be available.
Figure 4-52: Sample Remote Ports/Protocols settings. 1. Specify any traffic restrictions you want to apply to the tunnel. For more information, see "IPsec Site-to-Site Settings" on page 114. 2. Click "Create" to add the new VPN to the list of connections.
a) Navigate to "Nodes > Custom Networks" . b) Click the plus button in the item list bar header. c) Specify a "Name" for the new custom network. d) Enter the IP address in CIDR notation, 10.10.10.0/24 in this example.
4. From the drop-down list, select the network "Source" where the IPsec tunnel terminates. 5. Enter the "Destination" IP address (in CIDR notation) of the network which you want to reach via the IPsec tunnel.
b) Adjust the information as necessary for your environment. Figure 4-56: Sample CA certificate settings. c) Click "Create" to add the new certificate authority to the list of available certificates. 3. Click the plus button in the item list header to create a VPN certificate.
2. Click the plus button in the item list header. 3. Enter a "User Name" and a "Password" and confirm the password. Note: The user's login name has to exactly match the "User Name" (case-sensitive).
3. Add an LDAP user to the desktop by clicking (Pin this user to desktop) in the item list bar. The LDAP user appears as a node on the desktop. Note: The user's login name has to exactly match the name displayed on the desktop (case-sensitive).
Figure 4-59: Sample OpenVPN C2S connection settings. 3. Decide whether you want to enable the connection. (This option is enabled by default.) 4. Decide whether you want the connection to be shown on the desktop.
8. Specify the OpenVPN "Port" to which clients should connect. 9. Specify the "Key Renegotiation" time (in seconds) after which the session key will be renegotiated. 10. Select the VPN "Certificate" created earlier and enter its password, if applicable.
Figure 4-60: Connecting two remote sites with a VPN. 4.12.4.1 Creating VPN Certificates Digital certificates secure communication between both sites. Use the settings under "Cert. Management > Certificates" to create the necessary certificates for your VPN connection.
3. Click the plus button in the item list bar header to create a VPN certificate for the »headquarters« (server). The system prompts you to select the service that the new certificate should be used for.
Important: Export the VPN certificate for the »subsidiary« (client) with a "Transport Password" to be able to export the private key. Figure 4-64: Exporting the VPN certificate for the »subsidiary«. On the remote system (at the »subsidiary«): ►...
Figure 4-65: Importing the VPN certificate for the »subsidiary«. For more information, see Chapter 3.4.8.1, "Certificates", on page 122. 4.12.4.2 Setting Up the Primary Box To connect two remote site networks, one of the devices must be configured to initiate the connection (the company »headquarters«...
Figure 4-66: Sample OpenVPN S2S connection settings for the »headquarters«. 3. Decide whether you want to enable the connection. 4. Decide whether the connection should be displayed on the desktop. 5. If you want the connection to be displayed on the desktop, choose a color for its representation.
Figure 4-67: Sample Site-to-Site settings for the »headquarters«. 1. Specify the "Key Renegotiation" time after which the session key will be renegotiated. 2. Select the VPN "Certificate" created earlier for this site (the company »headquarters«...
4.12.4.3 Setting Up the Secondary Box On the receiving end, the system must be configured to accept the connection request (the branch office, or »subsidiary« in this example). Before you proceed, make sure the gateprotect Firewall at the remote site (at the »...
Figure 4-69: Sample Site-to-Site settings for the »subsidiary«. 1. Specify the "Key Renegotiation" time after which the session key will be renegotiated. 2. Select the VPN "Certificate" created and imported earlier for this site (the »subsidiary«) and enter its password, if applicable.
® Application Examples R&S GP-E/GP-S Decoder Examples 4.12.4.4 Connecting the Remote Networks Once the firewalls on each end of the VPN connection are configured to communicate with each other securely, you need to specify which subnets should be made available to the remote network over this connection.
For more information on configuring protocol decoders in firewall rules, see Chapter 3.3, "Firewall Rule Settings", on page 22. 4.13.1 Blocking PDF Files An HTTP protocol decoder can be used to prevent the transmission of PDF files.
Create a firewall rule with the Reject action. Open the "Decoders" tab to add a new decoder with the following settings to prevent connections to a certain web host. Table 4-3: Sample decoder settings to block connections to a web host.
Field Setting
"Type" string
"Left Anchor"
"Right Anchor"
"Expression" [keyword]
4.13.6 Using Anchors in String Decoders Protocol decoders that use the string type can use anchors to define which part of the expression to search for keywords.
– Right anchor: any – Visited URL: www.amazon.com/books-reused-books-textbooks No match, because the expression used does not appear as a single word when read from left to right ● Case 4: – Left anchor: any –...
a) Start to configure a firewall rule as described under Chapter 3.3, "Firewall Rule Settings", on page 22. Note: Under "Policy" , you can either Allow (in the case of whitelisting) or Reject (in the case of blacklisting) the IEC 104 protocol. In the case of TCP connections, it is not recommended to silently Drop the traffic.
If multiple IEC 104 protocol decoders are defined for a single firewall rule, these decoders are linked with AND logic. IEC 104 protocol decoders of different firewall rules for the same network connection are OR-connected.
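The combination rule just stated (decoders within one firewall rule are AND-linked, decoders of different rules on the same connection are OR-connected) is shown below as an added Python example. It is my illustration, not the firewall's decoder engine, and it does not reproduce the decoder fields the product offers: the decoder model, the field names and the whitelist rules are constructed. The type identifiers in the sample (1, 45, 100) and causes of transmission (3, 6, 8) are IEC 60870-5-104 values for single-point information, single command, interrogation command, and spontaneous, activation and deactivation respectively.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

# A decoded IEC 104 application unit, reduced to the fields the sample decoders inspect.
Apdu = Dict[str, int]


@dataclass(frozen=True)
class Decoder:
    """One protocol decoder: the named field must take one of the allowed values."""
    field: str
    allowed: FrozenSet[int]

    def matches(self, apdu: Apdu) -> bool:
        return apdu.get(self.field) in self.allowed


@dataclass(frozen=True)
class Rule:
    name: str
    policy: str                       # "Allow" or "Reject", as in the firewall rule
    decoders: Tuple[Decoder, ...]

    def matches(self, apdu: Apdu) -> bool:
        # Decoders of one rule are AND-linked: every decoder must match.
        return all(d.matches(apdu) for d in self.decoders)


def evaluate(rules: Sequence[Rule], apdu: Apdu) -> Optional[Rule]:
    """Rules for the same connection are OR-connected: the first rule whose
    decoders all match decides. Returns None when no rule matches."""
    for rule in rules:
        if rule.matches(apdu):
            return rule
    return None


def is_allowed(rules: Sequence[Rule], apdu: Apdu, default: str = "Reject") -> bool:
    """Apply the matching rule's policy, or the default policy if nothing matched."""
    rule = evaluate(rules, apdu)
    policy = rule.policy if rule is not None else default
    return policy == "Allow"


# Constructed whitelist for a SCADA zone: monitoring data (type 1) passes, a single
# command (type 45) passes only when its cause of transmission is "activation" (6),
# and an interrogation command (type 100) passes with any cause. Everything else
# falls through to the default policy.
TYPE_ID, COT = "type_id", "cause_of_transmission"
WHITELIST = (
    Rule("monitoring", "Allow", (Decoder(TYPE_ID, frozenset({1})),)),
    Rule("single-command", "Allow", (Decoder(TYPE_ID, frozenset({45})),
                                     Decoder(COT, frozenset({6})))),
    Rule("interrogation", "Allow", (Decoder(TYPE_ID, frozenset({100})),)),
)

if __name__ == "__main__":
    print(is_allowed(WHITELIST, {TYPE_ID: 45, COT: 6}))   # both decoders match
    print(is_allowed(WHITELIST, {TYPE_ID: 45, COT: 8}))   # deactivation: AND fails
```

The practical consequence of the AND/OR split is visible in the second rule: putting the type and the cause into one rule restricts commands to activation only, whereas splitting them into two separate Allow rules would let any type-45 command through as long as one of the decoders matched.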
® Decoder Reference R&S GP-E/GP-S FTP Commands Annex A Decoder Reference The gateprotect Firewall protocol decoder can detect FTP commands and HTTP MIME types in traffic flows. A.1 FTP Commands Firewall rules that use the decoder can inspect the contents of traffic flows for FTP commands.
Page 210
® Decoder Reference R&S GP-E/GP-S FTP Commands Command Expected action Integrity protected command Create a directory at the server site mlsd List the contents of a directory if a directory is named mlst Provide data about exactly the object named on its command line and no others...
® Decoder Reference R&S GP-E/GP-S HTTP MIME Types Command Expected action xpwd Print the current working directory xrcp xrmd Remove the directory from the server xrsq xsem Send, mail if cannot xsen Send to terminal A.2 HTTP MIME Types Firewall rules that use the decoder can inspect the contents of traffic flows for HTTP MIME types.
Page 212
® Decoder Reference R&S GP-E/GP-S HTTP MIME Types File type MIME type (to be entered in the "Expression" field) application/mime application/octet-stream application/arj application/octet-stream image/x-jg video/x-ms-asf text/x-asm text/asp application/x-mplayer2 video/x-ms-asf video/x-ms-asf-plugin audio/basic audio/x-au application/x-troff-msvideo video/avi video/msvideo video/x-msvideo video/avs-video BCPIO application/x-bcpio application/mac-binary...
Page 213
® Decoder Reference R&S GP-E/GP-S HTTP MIME Types File type MIME type (to be entered in the "Expression" field) text/plain text/x-c text/plain application/vnd.ms-pki.seccat text/plain text/x-c CCAD application/clariscad application/x-cocoa application/cdf application/x-cdf application/x-netcdf application/pkix-cert application/x-x509-ca-cert application/x-chat CHAT application/x-chat CLASS application/java CLASS application/java-byte-code...
Page 214
application/x-pointplus, text/css, text/plain, application/x-director, DEEPV: application/x-deepv, text/plain, application/x-x509-ca-cert, video/x-dv, application/x-director, video/dl, video/x-dl, application/msword, application/msword, application/commonground, application/drafting, DUMP: application/octet-stream, video/x-dv, application/x-dvi, drawing/x-dwf (old), model/vnd.dwf ...
text/x-setext, application/envoy, application/x-envoy, application/octet-stream, text/plain, text/x-fortran, text/x-fortran, text/plain, text/x-fortran, application/vnd.fdf, application/fractals, image/fif, video/fli, video/x-fli, image/florian, text/vnd.fmi.flexstor, video/x-atomic3d-feature, text/plain, text/x-fortran, image/vnd.fpx, image/vnd.net-fpx ...
application/x-compressed, application/x-gzip, GZIP: application/x-gzip, GZIP: multipart/x-gzip, text/plain, text/x-h, application/x-hdf, HELP: application/x-helpfile, application/vnd.hp-hpgl, text/plain, text/x-h, text/x-script, application/hlp, application/x-helpfile, application/x-winhelp, application/vnd.hp-hpgl, HPGL: application/vnd.hp-hpgl ...
image/ief, IEFS: image/ief, IGES: application/iges, IGES: model/iges, application/iges, model/iges, application/x-ima, IMAP: application/x-httpd-imap, application/inf, application/x-internett-signup, application/x-ip2, video/x-isvideo, audio/it, application/x-inventor, i-world/i-vrml, application/x-livescreen, audio/x-jam ...
image/jutvision, audio/midi, music/x-karaoke, application/x-ksh, text/x-script.ksh, audio/nspaudio, audio/x-nspaudio, audio/x-liveaudio, LATEX: application/x-latex, application/lha, application/octet-stream, application/x-lha, application/octet-stream, LIST: text/plain, audio/nspaudio, audio/x-nspaudio, text/plain, application/x-lisp, text/x-script.lisp ...
application/x-troff-man, application/x-navimap, text/plain, application/mbedlet, application/x-magic-cap-package-1.0, application/mcad, application/x-mathcad, image/vasa, text/mcf, application/netmc, application/x-troff-me, message/rfc822, MHTML: message/rfc822, application/x-midi, audio/midi, audio/x-mid, audio/x-midi, music/crescendo, x-music/x-midi, MIDI ...
application/base64, audio/mod, audio/x-mod, MOOV: video/quicktime, video/quicktime, MOVIE: video/x-sgi-movie, audio/mpeg, audio/x-mpeg, video/mpeg, video/x-mpeg, video/x-mpeq2a, audio/mpeg3, audio/x-mpeg-3, video/mpeg, video/x-mpeg, audio/mpeg, video/mpeg, application/x-project, video/mpeg ...
NAPLPS: image/naplps, application/x-netcdf, application/vnd.nokia.configuration-message, image/x-niff, NIFF: image/x-niff, application/x-mix-transfer, application/x-conference, application/x-navidoc, application/octet-stream, application/oda, application/x-omc, OMCD: application/x-omcdatamaker, OMCR: application/x-omcregerator, text/x-pascal, application/pkcs10, application/x-pkcs10, application/pkcs-12 ...
application/pdf, PFUNK: audio/make, PFUNK: audio/make.my.funk, image/x-portable-graymap, image/x-portable-greymap, image/pict, PICT: image/pict, application/x-newton-compatible-pkg, application/vnd.ms-pki.pko, text/plain, text/x-script.perl, application/x-pixclscript, image/x-xpixmap, text/x-script.perl-module, application/x-pagemaker, application/x-pagemaker, image/png, application/x-portable-anymap ...
application/postscript, application/octet-stream, paleovu/x-pv, application/vnd.ms-powerpoint, text/x-script.phyton, applicaiton/x-bytecode.python, audio/vnd.qcelp, x-world/x-3dmf, QD3D: x-world/x-3dmf, image/x-quicktime, video/quicktime, video/x-qtc, image/x-quicktime, QTIF: image/x-quicktime, audio/x-pn-realaudio, audio/x-pn-realaudio-plugin, audio/x-realaudio, audio/x-pn-realaudio, application/x-cmu-raster ...
application/vnd.rn-realplayer, ROFF: application/x-troff, image/vnd.rn-realpix, audio/x-pn-realaudio-plugin, text/richtext, text/vnd.rn-realtext, application/rtf, application/x-rtf, text/richtext, application/rtf, text/richtext, video/vnd.rn-realvideo, text/x-asm, audio/s3m, SAVEME: application/octet-stream, application/x-tbook, application/x-lotusscreencam, text/x-script.guile, text/x-script.scheme ...
application/x-shar, text/x-script.sh, SHAR: application/x-bsh, SHAR: application/x-shar, SHTML: text/html, SHTML: text/x-server-parsed-html, audio/x-psid, application/x-sit, application/x-stuffit, application/x-koan, application/x-koan, application/x-koan, application/x-koan, application/x-seelogo, application/smil, SMIL: application/smil ...
SV4CPIO: application/x-sv4cpio, SV4CRC: application/x-sv4crc, image/vnd.dwg, image/x-dwg, application/x-world, x-world/x-svr, application/x-shockwave-flash, application/x-troff, TALK: text/x-speech, application/x-tar, application/toolbook, application/x-tbook, application/x-tcl, text/x-script.tcl, TCSH: text/x-script.tcsh, application/x-tex, TEXI ...
text/x-uil, text/uri-list, UNIS: text/uri-list, application/i-deas, text/uri-list, URIS: text/uri-list, USTAR: application/x-ustar, USTAR: multipart/x-ustar, application/octet-stream, text/x-uuencode, text/x-uuencode, application/x-cdlink, text/x-vcalendar, application/vda, video/vdo, application/groupwise, video/vivo, video/vnd.vivo ...
application/x-visio, application/x-visio, application/x-visio, application/wordperfect6.0, application/wordperfect6.1, application/msword, audio/wav, audio/x-wav, application/x-qpro, WBMP: image/vnd.wap.wbmp, application/vnd.xara, application/msword, application/x-123, windows/metafile, text/vnd.wap.wml, WMLC: application/vnd.wap.wmlc, WMLS: text/vnd.wap.wmlscript, WMLSC: application/vnd.wap.wmlscriptc ...
text/scriplet, WSRC: application/x-wais-source, application/x-wintalk, image/x-xbitmap, image/x-xbm, image/xbm, video/x-amt-demorun, xgl/drawing, image/vnd.xiff, application/excel, application/excel, application/x-excel, application/x-msexcel, application/excel, application/vnd.ms-excel, application/x-excel, application/excel, application/vnd.ms-excel, application/x-excel, application/excel ...
application/excel, application/x-excel, application/excel, application/x-excel, application/excel, application/vnd.ms-excel, application/x-excel, application/x-msexcel, audio/xm, application/xml, text/xml, xgl/movie, XPIX: application/x-vnd.ls-xpix, image/x-xpixmap, image/xpm, X-PNG: image/png, video/x-amt-showrun, image/x-xwd, image/x-xwindowdump ...
® Index R&S GP-E/GP-S Index
AD, see directory service  51
Alert log  39
Anchors
    Decoder examples  204
Antispam  103
Antivirus  104
Factory reset  14
Failover
    Automatic  82
    Manual  82
Firewall  29
Firewall rule examples  ...
Logs
Settings
Local logs  38
Antispam  103
Syslog servers  58, 146
Antivirus  104
Directory service  51
Failover  82
Forensic Traffic Capture (FTC)  64
Mail filter  105, 152
High Availability  61
Multi-WAN  ...
WAN  78
    Interface groups  87
    Load balancing  87
    Physical interfaces  85
WAN zone  84
Web filter
    Blacklist  100
    Whitelist  100
Web interface  17
    Desktop  19
    Header area  18
    Item list bar  ...