Advanced Firewall

Administrators Guide

Smoothwall Advanced Firewall, 2008 FP5-G3, Administrators Guide, 1st Edition, March 2011

Smoothwall Ltd. publishes this guide in its present form without any guarantees. This guide replaces any other guides delivered with earlier versions of Advanced Firewall. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Smoothwall Ltd. For more information, contact: docs@smoothwall.net

This document was created and published in the United Kingdom.

© 2001-2011 Smoothwall Ltd. All rights reserved.

Trademark notice

Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd. Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC. DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries. Apple and Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation. Core is a trademark of Intel Corporation. All other products, services, companies, events and publications mentioned in this document, associated documents and in Smoothwall software may be trademarks, registered trademarks or service marks of their respective owners in the UK, US and/or other countries.

Acknowledgements

Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team: Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley, Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S. Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc Wormgoor.

Advanced Firewall contains graphics taken from the Open Icon Library project: http://openiconlibrary.sourceforge.net/

Address

Smoothwall Limited
1 John Charles Way
Leeds. LS12 6QA
United Kingdom

Email:     info@smoothwall.net
Web:       www.smoothwall.net

Telephone:
  USA and Canada:       1 800 959 3760
  United Kingdom:       0870 1 999 500
  All other countries:  +44 870 1 999 500

Fax:
  USA and Canada:       1 888 899 9164
  United Kingdom:       0870 1 991 399
  All other countries:  +44 870 1 991 399
Contents

Smoothwall Advanced Firewall Administrators Guide

Chapter 1

Overview of Advanced Firewall .... 1
Who should read this guide? .... 2
Other Documentation and User Information .... 2
Support .... 2
Annual Renewal .... 2

Chapter 2

Advanced Firewall Overview .... 3

Accessing Advanced Firewall .... 3
Main .... 4
Info .... 4
Reports .... 5
Alerts .... 5
Realtime .... 5
Logs .... 5
Settings .... 6
Networking .... 6
Filtering .... 6
Routing .... 7
Interfaces .... 7
Firewall .... 8
Outgoing .... 8
Settings .... 8
Services .... 8
Authentication .... 9
User Portal .... 9
Proxies .... 9
SNMP .... 10
DNS .... 10
Message Censor .... 10
Intrusion System .... 10
DHCP .... 11
System .... 11
Maintenance .... 11
Preferences .... 12
Administration .... 12
Hardware .... 13
Diagnostics .... 13
Certs .... 13
VPN .... 13
Email .... 14
SMTP .... 14
POP3 .... 15
Content .... 15
Anti-spam .... 15
Quarantine .... 15
Configuration Guidelines .... 15
Specifying Networks, Hosts and Ports .... 15
Using Comments .... 16
Creating, Editing and Removing Rules .... 16
Connecting via the Console .... 17
Connecting Using a Client .... 17
Connecting Using Web-based SSH .... 18
Secure Communication .... 18
Unknown Entity Warning .... 18
Inconsistent Site Address .... 18

Chapter 3

Working with Connections .... 21

Managing Network Interfaces .... 21
Changing the IP Address .... 22
Virtual LANs .... 23
Interfaces .... 23
Restarting Networking .... 24
About Connection Methods and Profiles .... 24
About Connection Profiles for Modems .... 24
Creating a Connection Profile .... 24
Configuring Global Settings .... 25
Configuring a Static Ethernet Connection .... 26
Configuring a DHCP Ethernet Connection .... 27
Configuring a PPP over Ethernet Connection .... 27
Configuring a PPTP over Ethernet Connection .... 28
Configuring an ADSL/DSL Modem Connection .... 28
Configuring an ISDN Modem Connection .... 29
Configuring a Dial-up Modem Connection .... 30
Creating a PPP Profile .... 30
Modifying Profiles .... 31
Deleting Profiles .... 32

Chapter 4

Managing Your Network Infrastructure .... 33

Creating Subnets .... 33
Editing and Removing Subnet Rules .... 34
Using RIP .... 34
Sources .... 36
Creating Source Rules .... 36
Removing a Rule .... 37
Editing a Rule .... 37
About IP Address Definitions .... 38
Ports .... 38
Creating a Ports Rule .... 38
Creating an External Alias Rule .... 39
Editing and Removing External Alias Rules .... 40
Port Forwards from External Aliases .... 40
Creating a Source Mapping Rule .... 40
Editing and Removing Source Mapping Rules .... 41
Managing Internal Aliases .... 41
Creating an Internal Alias Rule .... 42
Editing and Removing Internal Alias Rules .... 42
Working with Secondary External Interfaces .... 43
Configuring a Secondary External Interface .... 43

Chapter 5

General Network Security Settings .... 47

Blocking by IP .... 47
Creating IP Blocking Rules .... 47
Editing and Removing IP Block Rules .... 48
Configuring Advanced Networking Features .... 49
Enabling Traffic Auditing .... 50
Dropping Traffic on a Per-interface Basis .... 51
Working with Port Groups .... 51
Creating a Port Group .... 52
Adding Ports to Existing Port Groups .... 52
Editing Port Groups .... 53
Deleting a Port Group .... 53

Chapter 6

Configuring Inter-Zone Security .... 55

About Zone Bridging Rules .... 55
Creating a Zone Bridging Rule .... 55
Editing and Removing Zone Bridge Rules .... 57
A Zone Bridging Tutorial .... 57
Creating the Zone Bridging Rule .... 58
Allowing Access to the Web Server .... 58
Accessing a Database on the Protected Network .... 58
Group Bridging .... 59
Group Bridging and Authentication .... 59
Creating Group Bridging Rules .... 59
Editing and Removing Group Bridges .... 61

Chapter 7

Managing Inbound and Outbound Traffic .... 63

Introduction to Port Forwards - Inbound Security .... 63
Port Forward Rules Criteria .... 63
Creating Port Forward Rules .... 64
Load Balancing Port Forwarded Traffic .... 65
Editing and Removing Port Forward Rules .... 66
Advanced Network and Firewall Settings .... 66
Network Application Helpers .... 66
Managing Bad External Traffic .... 67
Configuring Reflective Port Forwards .... 67
Outbound Access .... 67
Port Rule Modes .... 68
Preset Port Rules .... 68
Creating a Port Rule .... 68
Editing a Port Rule .... 69
Viewing a Port Rule .... 70
Source Rules .... 70
Configuring the Default Source Rule Settings .... 71
Managing External Services .... 72
Assigning Rules to Groups .... 73

Chapter 8

Advanced Firewall Services .... 75

Working with User Portals .... 75
Creating a Portal .... 75
Configuring a Portal .... 77
Accessing Portals .... 80
Editing Portals .... 80
Deleting Portals .... 81
Web Proxy .... 81
Configuring and Enabling the Web Proxy Service .... 82
About Web Proxy Methods .... 85
Configuring End-user Browsers .... 86
Instant Messenger Proxying .... 87
Monitoring SSL-encrypted Chats .... 90
SIP Proxying .... 90
Types of SIP Proxy .... 90
Choosing the Type of SIP Proxying .... 91
Configuring SIP .... 91
FTP Proxying .... 92
Configuring FTP Proxying .... 92
About Transparent and Non-transparent FTP Proxying .... 94
SNMP .... 94
Censoring Content .... 95
DNS .... 95
Adding Static DNS Hosts .... 95
Enabling the DNS Proxy Service .... 96
Managing Dynamic DNS .... 96
Censoring Instant Message Content .... 98
Configuration Overview .... 98
Managing Custom Categories .... 98
Setting Time Periods .... 100
Creating Filters .... 101
Creating and Applying Message Censoring Policies .... 102
Editing Policies .... 103
Deleting Policies .... 103
Managing the Intrusion System .... 104
About the Default Policies .... 104
Deploying Intrusion Detection Policies .... 104
Deploying Intrusion Prevention Policies .... 105
Creating Custom Policies .... 107
Uploading Custom Signatures .... 108
DHCP .... 109
Enabling DHCP .... 110
Creating a DHCP Subnet .... 110
Editing a DHCP subnet .... 113
Deleting a DHCP subnet .... 113
Adding a Dynamic Range .... 113
Adding a Static Assignment .... 113
Adding a Static Assignment from the ARP Table .... 114
Editing and Removing Assignments .... 114
Viewing DHCP Leases .... 114
DHCP Relaying .... 115
Creating Custom DHCP Options .... 115

Chapter 9

Virtual Private Networking .... 117

Advanced Firewall VPN Features .... 117
What is a VPN? .... 117
About VPN Gateways .... 118
Administrator Responsibilities .... 118
About VPN Authentication .... 118
PSK Authentication .... 119
X509 Authentication .... 119
Configuration Overview .... 121
Working with Certificate Authorities and Certificates .... 121
Creating a CA .... 121
Exporting the CA Certificate .... 123
Importing Another CA's Certificate .... 123
Deleting the Local Certificate Authority and its Certificate .... 124
Deleting an Imported CA Certificate .... 124
Managing Certificates .... 124
Creating a Certificate .... 124
Reviewing a Certificate .... 126
Exporting Certificates .... 126
Exporting in the PKCS#12 Format .... 127
Importing a Certificate .... 127
Deleting a Certificate .... 128
Setting the Default Local Certificate .... 128
Site-to-Site VPNs - IPSec .... 129
Recommended Settings .... 129
Creating an IPsec Tunnel .... 130
IPSec Site to Site and X509 Authentication - Example .... 135
Prerequisite Overview .... 135
Creating the Tunnel on the Primary System .... 135
Creating the Tunnel on the Secondary System .... 136
Checking the System is Active .... 138
Activating the IPSec tunnel .... 138
IPSec Site to Site and PSK Authentication .... 138
Creating the Tunnel Specification on Primary System .... 138
Creating the Tunnel Specification on the Secondary System .... 140
Checking the System is Active .... 141
Activating the PSK tunnel .... 141
About Road Warrior VPNs .... 141
Configuration Overview .... 141
IPSec Road Warriors .... 142
Creating an IPSec Road Warrior .... 143
Supported IPSec Clients .... 146
Creating L2TP Road Warrior Connections .... 146
Creating a Certificate .... 146
Configuring L2TP and SSL VPN Global Settings .... 147
Creating an L2TP Tunnel .... 148
Configuring an iPhone-compatible Tunnel .... 149
Using NAT-Traversal .... 150
VPNing Using L2TP Clients .... 151
L2TP Client Prerequisites .... 151
Connecting Using Windows XP/2000 .... 151
Installing an L2TP Client .... 151
Connecting Using Legacy Operating Systems .... 156
VPNing with SSL .... 156
Prerequisites .... 156
Configuring VPN with SSL .... 156
Managing SSL Road Warriors .... 158
Managing Group Access to SSL VPNs .... 158
Managing Custom Client Scripts for SSL VPNs .... 159
Generating SSL VPN Archives .... 159
Configuring SSL VPN on Internal Networks .... 160
Configuring and Connecting Clients .... 160
VPN Zone Bridging .... 164
Secure Internal Networking .... 164
Creating an Internal L2TP VPN .... 165
Advanced VPN Configuration .... 167
Multiple Local Certificates .... 167
Creating Multiple Local Certificates .... 167
Public Key Authentication .... 169
Configuring Both Ends of a Tunnel as CAs .... 169
VPNs between Business Partners .... 170
Extended Site to Site Routing .... 171
Managing VPN Systems .... 172
Automatically Starting the VPN System .... 172
Manually Controlling the VPN System .... 173
Viewing and Controlling Tunnels .... 174
VPN Logging .... 175
VPN Tutorials .... 175
Example 1: Preshared Key Authentication .... 175
Example 2: X509 Authentication .... 177
Example 3: Two Tunnels and Certificate Authentication .... 179
Example 4: IPSec Road Warrior Connection .... 180
Example 5: L2TP Road Warrior .... 183
Working with SafeNet SoftRemote .... 184
Configuring IPSec Road Warriors .... 184
Using the Security Policy Template SoftRemote .... 185
Creating a Connection without the Policy File .... 186
Advanced Configuration .... 189

Chapter 10

SMTP Settings .... 191
SMTP Relay Settings .... 191
Anti-malware Settings .... 192
Transparent SMTP Interfaces Settings .... 193
External Mail Relay .... 193
Non-standard SMTP Checking .... 193
Internal Domains .... 194
Outgoing .... 195
Archiving .... 195
The Email Queue .... 196
POP3 Proxy .... 197
POP3 Proxy Configuration .... 198
Anti-malware .... 198
Customize Malware Message .... 198
Interfaces .... 199
Content .... 199
Footers .... 199
Attachments .... 200
Anti-spam .... 201

Chapter 11

Configuring Spam Management .... 209

Configuring Email Relaying .... 209
Configuring POP3 Proxying .... 212
Configuring Footers .... 213
Managing Attachments .... 213

Chapter 12

Administering Email .... 215

About Subscription Information .... 215
Manually Updating Anti-malware Subscriptions .... 215
Managing Spam Protection .... 216
Placing Email in Quarantine .... 216
Configuring Quarantine .... 217
Managing Quarantined Email .... 218
Quarantine and Users .... 219
vii

Ed i

ti

on

Chapter 10

Email Settings ............................................................. 191

Contents

Archiving Email.......................................................................................... 220 Creating Archive Rules ................................................................................ 220 Editing Archive Rules................................................................................... 220 Deleting Archive Rules................................................................................. 220 Managing the Email Queue ....................................................................... 221

Chapter 13

Authentication and User Management ..................... 223


Managing Local Users............................................................................... 223 Adding Users................................................................................................ 224 Viewing Local Users..................................................................................... 224 Editing Local Users ...................................................................................... 224 Importing New Users.................................................................................... 225 Exporting Local Users.................................................................................. 225 Deleting Users.............................................................................................. 225 Moving Users between Groups.................................................................... 226 Managing Temporarily Banned Users...................................................... 226 Creating a Temporary Ban........................................................................... 226 Removing Temporary Bans ......................................................................... 227 Removing Expired Bans............................................................................... 227 Viewing User Activity................................................................................. 227 Authenticating Users with SSL Login ...................................................... 228 Enabling SSL Login...................................................................................... 229 Creating SSL Login Exceptions ................................................................... 229 Customizing the SSL Login Page ................................................................ 230 Reviewing the SSL Login Page.................................................................... 230 Managing Groups of Users ....................................................................... 
231 About Groups............................................................................................... 231 Configuring the Number of Groups .............................................................. 232 Renaming a Group....................................................................................... 232 Configuring Authentication Settings ....................................................... 233 Global Login Timeout ................................................................................... 233 About Advanced Firewall and Directory Servers.......................................... 233 Supported Directory Servers........................................................................ 234 Configuring a Microsoft Active Directory Connection................................... 234 Configuring an LDAP Connection ................................................................ 238 Configuring a RADIUS Connection .............................................................. 241 Reordering Directory Servers....................................................................... 243 Editing Removing Directory Servers ............................................................ 243 Mapping Groups........................................................................................... 243 Remapping Groups...................................................................................... 244 Managing the Authentication System ...................................................... 244 Restarting the Authentication System .......................................................... 244 Stopping the Authentication System ............................................................ 244 Viewing System Status ................................................................................ 245 Running Diagnostics .................................................................................... 
245 Accessing Reporting ................................................................................. 247

Chapter 14

viii

1s

Reporting ..................................................................... 247

Ed i

ti

on

Smoothwall Advanced Firewall Administrators Guide

Generating Reports...................................................................................... 248 Saving Reports............................................................................................. 248 About Recent and Saved Reports................................................................ 248 Changing Report Formats............................................................................ 249 Managing Reports and Folders.................................................................... 249 Report Permissions...................................................................................... 250 Making Reports Available to Other Portals .................................................. 250 Scheduling Reports ................................................................................... 251 Managing Report Data ............................................................................... 253 Storing Report Data Remotely ..................................................................... 253 Managing Disk Space ................................................................................ 255 About Disk Usage ........................................................................................ 255 Monitoring Log Insertion............................................................................... 256 Optimizing, Emptying and Pruning Databases............................................. 257 Backing up Data........................................................................................... 257 Restoring Data ............................................................................................. 258 About Migrating from Earlier Versions ......................................................... 258 Working with Crystal Reports................................................................... 258 Installing the Crystal Reports Client ........................................................ 
258 Overview of the Crystal Reports Client ........................................................ 259 Using Custom Templates............................................................................. 260 Retrieving Logs ............................................................................................ 260 Opening Crystal Reports-compatible Reports.............................................. 260 Retrieving Information and Opening Reports............................................... 261 Uninstalling the Crystal Reports Client......................................................... 261

1s

Chapter 15

Information, Alerts and Logging ............................... 263


About the Control Page ............................................................................. 263 About the Summary Page ......................................................................... 263 About the About Page ............................................................................... 264 Alerts........................................................................................................... 264 Overview ...................................................................................................... 265 Available Alerts ............................................................................................ 265 Enabling Alerts............................................................................................. 266 Looking up an Alert by Its Reference........................................................... 268 Configuring Alert Settings ............................................................................ 268 Realtime ...................................................................................................... 273 System Information ...................................................................................... 273 Firewall Information...................................................................................... 274 IPsec Information ......................................................................................... 275 Realtime Email Information .......................................................................... 276 Portal Information......................................................................................... 276 Instant Messaging........................................................................................ 276 Traffic Graphs .............................................................................................. 277 Logs............................................................................................................. 
278 System Logs ................................................................................................ 279 Firewall Logs................................................................................................ 281

Ed i

ti

on

ix

Contents

Chapter 16

Managing Your System .............................................. 299


Managing Updates ..................................................................................... 299 Installing Updates Manually ......................................................................... 300 Managing Modules..................................................................................... 301 Installing Modules Manually......................................................................... 301 Removing a Module ..................................................................................... 302 Licenses...................................................................................................... 302 Installing Licenses........................................................................................ 302 Archives...................................................................................................... 302 About Profiles............................................................................................... 302 Creating an Archive...................................................................................... 303 Downloading an Archive .............................................................................. 303 Restoring an Archive.................................................................................... 304 Deleting Archives ......................................................................................... 304 Uploading an Archive................................................................................... 304 Scheduling.................................................................................................. 304 Scheduling Remote Archiving...................................................................... 305 Editing Schedules ........................................................................................ 307 Replication.................................................................................................. 
307 Shutting down and Rebooting .................................................................. 308 Shell Access............................................................................................... 309 Setting System Preferences...................................................................... 309 Configuring the User Interface ..................................................................... 310 Setting Time................................................................................................. 311 Configuring Registration Options ................................................................. 312

1s

Ed i

IPsec Logs ................................................................................................... 283 Email Logs ................................................................................................... 284 IDS Logs ...................................................................................................... 285 IPS Logs....................................................................................................... 286 IM Proxy Logs .............................................................................................. 287 Web Proxy Logs........................................................................................... 288 User Portal Logs .......................................................................................... 289 Configuring Log Settings .......................................................................... 290 Configuring Other Log Settings.................................................................... 291 Managing Automatic Deletion of Logs ......................................................... 292 Configuring Groups ................................................................................... 293 Creating Groups........................................................................................... 293 Editing a Group ............................................................................................ 293 Deleting a Group.......................................................................................... 294 Configuring Output Settings..................................................................... 294 About Email to SMS Output ......................................................................... 295 About Placeholder Tags............................................................................... 295 Configuring Email to SMS Output ................................................................ 
296 Testing Email to SMS Output....................................................................... 296 Output to Email ............................................................................................ 297 Generating a Test Alert................................................................................ 297

ti

on

Smoothwall Advanced Firewall Administrators Guide

Appendix A

Appendix B

1s

Authentication............................................................. 335
Overview ..................................................................................................... 335 Verifying User Identity Credentials............................................................... 335 About Authentication Mechanisms............................................................... 335 Other Authentication Mechanisms ............................................................... 336 Choosing an Authentication Mechanism...................................................... 336 About the Login Time-out............................................................................. 336 Advanced Firewall and DNS...................................................................... 336 A Common DNS Pitfall................................................................................. 337 Working with Large Directories................................................................ 337 Active Directory.......................................................................................... 338 Active Directory Username Types................................................................ 338 Accounts and NTLM Identification ............................................................... 338 Programmable Drill-Down Looping Engine............................................. 339 Example Report Template ........................................................................... 340 Example Report ........................................................................................... 340 Report Templates, Creation and Editing...................................................... 340
xi

Configuring the Hostname ........................................................................... 313 Configuring Administration and Access Settings .................................. 314 Configuring Admin Access Options.............................................................. 314 Referral Checking ........................................................................................ 315 Configuring External Access........................................................................ 316 Editing and Removing External Access Rules............................................. 317 Administrative User Settings........................................................................ 317 Hardware..................................................................................................... 318 UPS Settings................................................................................................ 318 Enabling UPS Monitoring............................................................................. 319 Managing Hardware Failover .................................................................... 322 How does it work?........................................................................................ 322 Prerequisites ................................................................................................ 323 Configuring Hardware Failover .................................................................... 323 Administering Failover.................................................................................. 326 Testing Failover............................................................................................ 327 Configuring Modems ................................................................................. 327 Installing and Uploading Firmware .......................................................... 329 Diagnostics................................................................................................. 
329 Configuration Tests...................................................................................... 329 Generating Diagnostics................................................................................ 330 IP Tools........................................................................................................ 331 WhoIs........................................................................................................... 331 Analyzing Network Traffic ............................................................................ 332 Managing CA Certificates.......................................................................... 332 Reviewing CA Certificates............................................................................ 333 Importing CA Certificates ............................................................................. 333 Exporting CA Certificates............................................................................. 333 Deleting and Restoring Certificates.............................................................. 334

Understanding Templates and Reports.................... 339

Ed i

ti

on

Contents

Appendix C

Troubleshooting VPNs ............................................... 363


Site-to-site Problems ................................................................................. 363 L2TP Road Warrior Problems ................................................................... 364 Enabling L2TP Debugging ........................................................................... 364 Windows Networking Issues..................................................................... 364 About SMTP................................................................................................ 367 About Mail Relay.......................................................................................... 368 About POP3 ................................................................................................ 368 Internal Self-Managed SMTP Server......................................................... 369

Viewing Reports, Exporting and Drill Down Reporting................................. 340 Changing Report Formats............................................................................ 341 Changing Report Date Ranges.................................................................... 342 Navigating HTML Reports............................................................................ 342 Interpreted Results....................................................................................... 343 Saving Reports............................................................................................. 343 Changing the Report.................................................................................... 343 Investigating Further (Drill down) ................................................................. 344 Creating Template Reports and Customizing Sections ............................... 345 Ordering Sections ........................................................................................ 345 Grouped Sections ........................................................................................ 346 Understanding Groups and Grouped Options.............................................. 346 Feed-Forward Reporting.............................................................................. 347 Iterative Reporting........................................................................................ 347 Group Ordering ............................................................................................ 348 Grouping Sections........................................................................................ 348 Creating Feed-forward and Iterative Groups................................................ 348 Exporting Options......................................................................................... 349 Reporting Folders ...................................................................................... 
350 Creating a Folder ......................................................................................... 353 Renaming Folders........................................................................................ 353 Deleting Folders........................................................................................... 353 Scheduling Reports ................................................................................... 353 Portal Permissions..................................................................................... 354 Reporting Sections .................................................................................... 354 Generators and Linkers................................................................................ 354 General Sections.......................................................................................... 355 Network Interfaces ....................................................................................... 356 The Anatomy of a URL................................................................................. 356 HTTP Request Methods, HTTPS Interception and Man in the Middle......... 357 Guardian Status Filtering ............................................................................. 358 Search Terms and Search Phrases............................................................. 358 Filtering by Search Terms ............................................................................ 359 URL Extraction and Manipulation................................................................. 360 Origin Filtering.............................................................................................. 362

Appendix D

Appendix E

xii

1s

Email Protocols........................................................... 367

Deploying in an Existing Email Infrastructure ......... 369

Ed i

ti

on

Smoothwall Advanced Firewall Administrators Guide

Appendix F

Hosting Tutorials ........................................................ 373

External Self-Managed SMTP Email Server............................................. 369 External Mail Server using POP3 Collection ........................................... 370 Basic Hosting Arrangement...................................................................... 373 Extended Hosting Arrangement ............................................................... 374 More Advanced Hosting Arrangement..................................................... 375

Glossary Index

...................................................................................... 379 ...................................................................................... 385

1s

Ed i

ti

on
xiii

Contents

xiv

1s

Ed i

ti

on

Chapter 1

Introduction

In this chapter:
- An overview of Advanced Firewall
- Who should read this guide
- Support information.

Overview of Advanced Firewall

Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/LDAP user authentication for policy-based access control to local network zones and Internet services.

Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the integrated VPN gateway. Advanced Firewall provides:
- Perimeter firewall: multiple Internet connections with load sharing and automatic connection failover.
- User authentication: policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers.
- Load balancer: the ideal solution for the efficient and resilient use of multiple Internet connections.
- Internal firewall: segregation of networks into physically separate zones with user-level access control of inter-zone traffic.
- Email Security: anti-spam, anti-malware, mail relay and control.
- VPN Gateway: site-to-site, secure remote access and secure wireless connections.

Who should read this guide?


System administrators maintaining and deploying Advanced Firewall should read this guide.
Note: We strongly recommend that everyone working with Smoothwall products attend Smoothwall training. For information on our current training courses, see http://www.smoothwall.net/support/training/

Other Documentation and User Information


Apart from this guide, the following documentation is available:
- http://www.smoothwall.net/support/ contains support, self-help and training information as well as product updates and the latest product manuals.

Support
All Smoothwall products include unlimited email and telephone support for 30 days from the date of purchase of the software licence. For more information, visit: http://www.smoothwall.net/support/

Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you purchase annual renewal. Annual renewal is a single yearly payment that covers the issue of subscriptions, security patches and Feature Packs for Advanced Firewall for a period of 12 months. For more information, contact your Smoothwall representative or visit http://www.smoothwall.net/

Chapter 2

Advanced Firewall Overview


In this chapter:
  How to access Advanced Firewall
  An overview of the pages used to configure and manage Advanced Firewall.

Accessing Advanced Firewall

Note: The following sections assume that you have registered and configured Advanced Firewall as described in the Advanced Firewall Installation and Setup Guide.

To access Advanced Firewall:

1 In the browser of your choice, enter the address of your Advanced Firewall, for example:

https://192.168.72.141:441

Note: The example address above uses HTTPS to ensure secure communication with your Advanced Firewall. It is possible to use HTTP on port 81 if you are satisfied with less security. For more information, see Secure Communication on page 53.

2 Accept Advanced Firewall's certificate. The following screen is displayed:

Enter the following information:

Username: Enter admin. This is the default Advanced Firewall administrator account.
Password: Enter the password you specified for the admin account when installing Advanced Firewall.

3 Click Login. The control page opens.

The navigation bar displayed at the top of every page contains links to Advanced Firewall's sections and pages. The following sections give an overview of Advanced Firewall's default sections and pages.

Main
The main section contains the following pages:

control: The control page is the default home page of your Advanced Firewall system. It displays a to-do list for getting started, service information, external connectivity controls and a customizable number of summary reports. For more information, see Chapter 15, About the Control Page on page 263.
summary: Displays a number of generated reports. For more information, see Chapter 15, About the Summary Page on page 263.
about: The about page is where Advanced Firewall product, registration and trademark information as well as acknowledgements are displayed. For more information, see Chapter 15, About the About Page on page 264.

Info
The info section contains the following sub-sections and pages:

Smoothwall Advanced Firewall Administrators Guide

Reports
reports: Where you generate and organize reports. For more information, see Chapter 14, Generating Reports on page 248.
recent and saved: Lists recently-generated and previously saved reports. For more information, see Chapter 14, Saving Reports on page 248.
scheduled: Sets which reports are automatically generated and delivered. For more information, see Chapter 14, Scheduling Reports on page 251.
custom: Enables you to create and view custom reports. For more information, see Appendix B, Understanding Templates and Reports on page 339.

Alerts
alerts: Determine which alerts are sent to which groups of users and in what format. For more information, see Chapter 15, Alerts on page 264.
alert settings: Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Chapter 15, Configuring Alert Settings on page 268.

Realtime
system: A realtime view of the system log with some filtering options. For more information, see Chapter 15, System Information on page 273.
firewall: A realtime view of the firewall log with some filtering options. For more information, see Chapter 15, Firewall Information on page 274.
ipsec: A realtime view of the IPSec log with some filtering options. For more information, see Chapter 15, IPsec Information on page 275.
portal: A realtime view of activity on user portals. For more information, see Chapter 15, Portal Information on page 276.
im proxy: A realtime view of recent instant messaging conversations. For more information, see Chapter 15, Instant Messaging on page 276.
traffic graphs: Displays a realtime bar graph of the bandwidth being used by each interface, including IPsec interfaces, with traffic passing down it. For more information, see Chapter 15, Traffic Graphs on page 277.

Logs
system: Simple logging information for the internal system services. For more information, see Chapter 15, System Logs on page 279.
firewall: Displays all data packets that have been dropped or rejected by the firewall. For more information, see Chapter 15, Firewall Logs on page 281.
ipsec: Displays diagnostic information for VPN tunnels. For more information, see Chapter 15, IPsec Logs on page 283.
ids: Displays network traffic detected by the intrusion detection system (IDS). For more information, see Chapter 15, IDS Logs on page 285.
ips: Displays network traffic detected by the intrusion prevention system (IPS). For more information, see Chapter 15, IPS Logs on page 286.
im proxy: Displays information on instant messaging conversations. For more information, see Chapter 15, IM Proxy Logs on page 287.
web proxy: Displays detailed analysis of web proxy usage. For more information, see Chapter 15, Web Proxy Logs on page 288.
user portal: Displays information on access by users to portals. For more information, see Chapter 15, User Portal Logs on page 289.
log settings: Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, see Chapter 15, Configuring Log Settings on page 290.

Settings
database settings: Settings to manage the database storing Advanced Firewall report data. For more information, see Chapter 14, Managing Report Data on page 253.
database backup: Enables you to back up and restore data stored by add-on modules in the logging and reporting database. For more information, see the add-on module administrator guides.
groups: Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Chapter 15, Configuring Groups on page 293.
output settings: Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Chapter 15, Configuring Output Settings on page 294.

Networking
The networking section contains the following sub-sections and pages:

Filtering
zone bridging: Used to define permissible communication between pairs of network zones. For more information, see Chapter 6, About Zone Bridging Rules on page 55.
group bridging: Used to define the network zones that are accessible to authenticated groups of users. For more information, see Chapter 6, Group Bridging on page 59.
ip block: Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, see Chapter 5, Creating IP Blocking Rules on page 47.

Routing
subnets: Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, see Chapter 4, Creating Subnets on page 33.
rip: Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, see Chapter 4, Using RIP on page 34.
sources: Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, see Chapter 4, Sources on page 36.
ports: Used to create rules to set the external interface based on the destination port. For more information, see Chapter 4, Ports on page 38.

Interfaces
interfaces: Configure and display information on your Advanced Firewall's internal and external interfaces. For more information, see Chapter 3, Managing Network Interfaces on page 21.
internal aliases: Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet without the need for physical switches. For more information, see Chapter 4, Managing Internal Aliases on page 41.
external aliases: Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, see Chapter 4, Creating an External Alias Rule on page 39.
connectivity: Used to create external connection profiles and implement them. For more information, see Chapter 3, Creating a Connection Profile on page 24.
ppp: Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, see Chapter 3, Creating a PPP Profile on page 30.
secondaries: Used to configure an additional, secondary external interface. For more information, see Chapter 4, Working with Secondary External Interfaces on page 43.

Firewall
port forwarding: Used to forward incoming connection requests to internal network hosts. For more information, see Chapter 7, Introduction to Port Forwards Inbound Security on page 63.
source mapping: Used to map specific internal hosts or subnets to an external alias. For more information, see Chapter 4, Creating a Source Mapping Rule on page 40.
advanced: Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, see Chapter 7, Network Application Helpers on page 66.

Outgoing
sources: Used to assign outbound access controls to IP addresses and networks. For more information, see Chapter 7, Source Rules on page 70.
groups: Used to assign outbound access controls to authenticated groups of users. For more information, see Chapter 7, Assigning Rules to Groups on page 73.
ports: Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, see Chapter 7, Outbound Access on page 67.
external services: Used to define a list of external services that should always be accessible to internal network hosts. For more information, see Chapter 7, Managing External Services on page 72.

Settings
The settings section contains the following pages:

port groups: Create and edit groups of ports for use throughout Advanced Firewall. For more information, see Chapter 5, Working with Port Groups on page 51.
advanced: Used to configure advanced network and traffic auditing parameters. For more information, see Chapter 5, Configuring Advanced Networking Features on page 49.

Services
The services section contains the following sub-sections and pages:

Authentication
control: Used to view the current status of the authentication system, and to restart and stop the service. It also allows diagnostic tests to be performed against different areas of the authentication service. For more information, see Chapter 13, Authentication and User Management on page 223.
settings: Used to set global login time settings. For more information, see Chapter 13, Configuring Authentication Settings on page 233.
groups: Used to customize group names. For more information, see Chapter 13, Managing Groups of Users on page 231.
temporary bans: Enables you to manage temporarily banned user accounts. For more information, see Chapter 13, Managing Temporarily Banned Users on page 226.
local users: Used to add, import and export user profiles, for example usernames and passwords, to and from the system's own local user database. For more information, see Chapter 13, Managing Local Users on page 223.
user activity: Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, see Chapter 13, Viewing User Activity on page 227.
ssl login: Used to customize the end-user login page. For more information, see Chapter 13, Enabling SSL Login on page 229.

User Portal
portals: This page enables you to configure and manage user portals. For more information, see Chapter 8, Working with User Portals on page 75.
groups: This page enables you to assign groups of users to portals. For more information, see Chapter 8, Assigning Groups to Portals on page 79.
user exceptions: This page enables you to override group settings and assign a user directly to a portal. For more information, see Chapter 8, Making User Exceptions on page 79.

Proxies
web proxy: Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Chapter 8, Web Proxy on page 81.
instant messenger: Used to configure and enable instant messaging proxying. For more information, see Chapter 8, Instant Messenger Proxying on page 87.
sip: Used to configure and enable a proxy to manage Session Initiated Protocol (SIP) traffic. For more information, see Chapter 8, SIP Proxying on page 90.
ftp: Used to configure and enable a proxy to manage FTP traffic. For more information, see Chapter 8, FTP Proxying on page 92.

SNMP
snmp: Used to activate Advanced Firewall's Simple Network Management Protocol (SNMP) agent. For more information, see Chapter 8, SNMP on page 94.

DNS
static dns: Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Chapter 8, Adding Static DNS Hosts on page 95.
dns proxy: Used to provide a DNS proxy service for local network hosts. For more information, see Chapter 8, Enabling the DNS Proxy Service on page 96.
dynamic dns: Used to configure access to third-party dynamic DNS service providers. For more information, see Chapter 8, Managing Dynamic DNS on page 96.

Message Censor
policies: Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Chapter 8, Creating and Applying Message Censoring Policies on page 102.
filters: This is where you create and manage filters for matching particular types of message content. For more information, see Chapter 8, Creating Filters on page 101.
time: This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Chapter 8, Setting Time Periods on page 100.
custom categories: Enables you to create and manage custom content categories for inclusion in filters. For more information, see Chapter 8, Managing Custom Categories on page 98.

Intrusion System
signatures: Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Chapter 8, Uploading Custom Signatures on page 108.
policies: Enables you to configure Advanced Firewall's intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Chapter 8, Creating Custom Policies on page 107.
intrusion detection: Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Chapter 8, Deploying Intrusion Detection Policies on page 104.
intrusion prevention: Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Chapter 8, Deploying Intrusion Prevention Policies on page 105.

DHCP
global: Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, see Chapter 8, Enabling DHCP on page 110.
dhcp server: Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, see Chapter 8, Creating a DHCP Subnet on page 110.
dhcp leases: Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, see Chapter 8, Viewing DHCP Leases on page 114.
dhcp relay: Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, see Chapter 8, DHCP Relaying on page 115.
dhcp custom options: Used to create and edit custom DHCP options. For more information, see Chapter 8, Creating Custom DHCP Options on page 115.

System
The system section contains the following sub-sections and pages:

Maintenance
updates: Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Chapter 16, Managing Updates on page 299.
modules: Used to upload, view, check, install and remove Advanced Firewall modules. For more information, see Chapter 16, Managing Modules on page 301.
licenses: Used to display and update license information for the licensable components of the system. For more information, see Chapter 16, Licenses on page 302.
archives: Used to create and restore archives of system configuration information. For more information, see Chapter 16, Archives on page 302.
scheduler: Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Chapter 16, Scheduling on page 304.
replication: Used to configure your Advanced Firewall as a replication master or a replication slave. For more information, see Chapter 16, Replication on page 307.
shutdown: Used to shut down or reboot the system. For more information, see Chapter 16, Shutting down and Rebooting on page 308.
shell: Used to access the Advanced Firewall's system console via a Java-based SSH shell. For more information, see Chapter 16, Shell Access on page 309.

Preferences
user interface: Used to set the host description of the system, select the behavior of the web interface and specify reports to display. For more information, see Chapter 16, Configuring the User Interface on page 310.
time: Used to set Advanced Firewall's time zone, date and time settings. For more information, see Chapter 16, Setting Time on page 311.
registration options: Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Chapter 16, Configuring Registration Options on page 312.
hostname: Used to configure Advanced Firewall's hostname. For more information, see Chapter 16, Configuring the Hostname on page 313.

Administration
admin options: Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Chapter 16, Configuring Admin Access Options on page 314.
external access: Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Chapter 16, Configuring External Access on page 316.
administrative users: Used to manage user accounts and set or edit user passwords on the system. For more information, see Chapter 16, Administrative User Settings on page 317.

Hardware
ups: Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Chapter 16, UPS Settings on page 318.
failover: Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Chapter 16, Managing Hardware Failover on page 322.
modem: Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Chapter 16, Configuring Modems on page 327.
firmware upload: Used to upload firmware used by USB modems. For more information, see Chapter 16, Installing and Uploading Firmware on page 329.

Diagnostics
configuration tests: Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Chapter 16, Diagnostics on page 329.
diagnostics: Used to create diagnostic files for support purposes. For more information, see Chapter 16, Generating Diagnostics on page 330.
ip tools: Contains the ping and traceroute IP tools. For more information, see Chapter 16, IP Tools on page 331.
whois: Used to find and display ownership information for a specified IP address or domain name. For more information, see Chapter 16, WhoIs on page 331.
traffic analysis: Used to generate and display detailed information on current traffic. For more information, see Chapter 16, Analyzing Network Traffic on page 332.

Certs
ca: Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Chapter 16, Managing CA Certificates on page 332.

VPN
The vpn section contains the following pages:

control: Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, see Chapter 9, Managing VPN Systems on page 172.
ca: Used to create a local certificate authority (CA) for use in an X509-authenticated VPN setup. It is also possible to import and export CA certificates on this page. For more information, see Chapter 9, Working with Certificate Authorities and Certificates on page 121.
certs: Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, see Chapter 9, Managing Certificates on page 124.
global: Used to configure global settings for the VPN system. For more information, see Chapter 9, Setting the Default Local Certificate on page 128.
ipsec subnets: Used to configure IPSec subnet VPN tunnels. For more information, see Chapter 9, Site-to-Site VPNs IPSec on page 129.
ipsec roadwarriors: Used to configure IPSec road warrior VPN tunnels. For more information, see Chapter 9, IPSec Road Warriors on page 142.
l2tp roadwarriors: Used to create and manage L2TP road warrior VPN tunnels. For more information, see Chapter 9, Creating L2TP Road Warrior Connections on page 146.
ssl roadwarriors: Enables you to configure and upload custom SSL VPN client scripts. For more information, see Chapter 9, Managing Custom Client Scripts for SSL VPNs on page 159.

Email
The email section contains the following sub-sections and pages:

SMTP
relay: This is where you configure and enable email relay settings. For more information, see Chapter 10, SMTP Relay Settings on page 191.
internal domains: This is where you set the domains that SmoothZap will relay incoming email for. For more information, see Chapter 10, Internal Domains on page 194.
outgoing: This is where you set the IP address or subnets of machines on the local network that are to be allowed to relay mail through SmoothZap. For more information, see Chapter 10, Outgoing on page 195.
archiving: Here you can specify the criteria used to determine which email messages are to be archived. For more information, see Chapter 10, Archiving on page 195.
queue: Here you can view summary information and statistics about the email relay queue. You can also manually flush the email queue if required. For more information, see Chapter 10, The Email Queue on page 196.

POP3
proxy: Here you configure and enable transparent POP3 proxying and AV scanning for incoming email. For more information, see Chapter 10, POP3 Proxy on page 197.

Content
footers: Here you can enter text you want to add to email managed by SmoothZap. For more information, see Chapter 10, Footers on page 199.
attachments: Here you specify how SmoothZap should manage email attachments. For more information, see Chapter 10, Attachments on page 200.

Anti-spam
anti-spam: Here you configure protection against spam. For more information, see Chapter 10, Anti-spam on page 201.

Quarantine
Viewer: On this page, you can preview, release and/or delete email messages. For more information, see Chapter 12, Managing Quarantined Email on page 218.
Settings: On this page, you configure quarantine settings. For more information, see Chapter 12, Configuring Quarantine on page 217.

Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required configuration settings.

Specifying Networks, Hosts and Ports

IP Address
An IP address defines the network location of a single network host. The following format is used:
192.168.10.1

IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges can span subnets. For example:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255

Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24

Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address. Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0

Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a number of well known services and ports are provided in Service drop-down lists. To use a custom port number, choose the User defined option from the drop-down list and enter the numeric port number into the adjacent User defined field. Examples:
21
7070

Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential range of communication ports from low to high. The following format is used:
137:139

Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment. This feature is provided so that administrators can record human-friendly notes against configuration settings they implement. Comments are entered in the Comment fields and displayed alongside saved configuration information.

Creating, Editing and Removing Rules
Much of Advanced Firewall is configured by creating rules, for example IP block rules and administration access rules.

Creating a Rule
To create a rule:

1 Enter configuration details in the Add a new rule area.
2 Click Add to create the rule and add it to the appropriate Current rules area.
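The notations listed under Specifying Networks, Hosts and Ports are compact enough to check mechanically before a value is pasted into a rule. The Python validator below is an added example, not Smoothwall code; its function names and the "host", "range" and "subnet" labels are this example's own choices. It accepts exactly the forms the guide describes, rejects malformed input such as a range given high-to-low, a port outside 1-65535 or a netmask with a hole in it, and generalises the subnet case by accepting an arbitrary host address with the mask, as the text allows, normalising it to the network address.

```python
"""Validators for the address and port notations described under
"Specifying Networks, Hosts and Ports". Added example; not Smoothwall code.

Notations handled (from the guide):
  host          192.168.10.1
  range         192.168.10.1-192.168.10.20   low-high, may span subnets
  subnet        192.168.10.0/24  or  192.168.10.0/255.255.255.0
  netmask       255.255.248.0   (entered on its own on some pages)
  port          7070
  port range    137:139         low:high
Function names and the "kind" labels are this example's own choices.
"""
import ipaddress
from typing import Dict, Optional, Tuple


def parse_address_spec(text: str) -> Optional[Tuple[str, object]]:
    """Classify one address field value as ("host"|"range"|"subnet", value).

    Returns None when the value is not in one of the guide's formats.
    """
    text = text.strip()
    if "-" in text:
        low_s, high_s = text.split("-", 1)
        try:
            low = ipaddress.IPv4Address(low_s.strip())
            high = ipaddress.IPv4Address(high_s.strip())
        except ValueError:
            return None
        if low > high:  # the guide requires low to high
            return None
        return ("range", (low, high))
    if "/" in text:
        try:
            # strict=False: the guide allows an arbitrary IP plus mask, so
            # 192.168.10.5/24 is accepted and normalised to 192.168.10.0/24.
            # IPv4Network also rejects non-contiguous masks for us.
            return ("subnet", ipaddress.IPv4Network(text, strict=False))
        except ValueError:
            return None
    try:
        return ("host", ipaddress.IPv4Address(text))
    except ValueError:
        return None


def netmask_to_prefix(text: str) -> Optional[int]:
    """Return the prefix length for a contiguous netmask, else None.

    A valid mask is a run of 1 bits followed by 0 bits; inverting it gives
    2**n - 1, so (inv & (inv + 1)) == 0 is the contiguity test.
    """
    try:
        mask = int(ipaddress.IPv4Address(text.strip()))
    except ValueError:
        return None
    inv = (~mask) & 0xFFFFFFFF
    if inv & (inv + 1):
        return None  # e.g. 255.0.255.0 has a hole in it
    return 32 - inv.bit_length()


def parse_port_spec(text: str) -> Optional[Tuple[int, int]]:
    """Return (low, high) for "7070" or "137:139"; None if malformed.

    A single port is returned as (p, p); both ends must be 1-65535 and
    low <= high, matching the "from low to high" wording in the guide.
    """
    parts = text.strip().split(":")
    if len(parts) > 2 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    low, high = int(parts[0]), int(parts[-1])
    if not (1 <= low <= high <= 65535):
        return None
    return (low, high)


def check_guide_examples() -> Dict[str, bool]:
    """Run every example value the guide lists plus a few deliberately bad ones."""
    results = {}
    for value in ("192.168.10.1", "192.168.10.1-192.168.10.20",
                  "192.168.10.1-192.168.12.255", "192.168.10.0/255.255.255.0",
                  "192.168.10.0/24", "192.168.10.20-192.168.10.1"):
        results[value] = parse_address_spec(value) is not None
    for value in ("255.255.255.0", "255.255.0.0", "255.255.248.0", "255.0.255.0"):
        results[value] = netmask_to_prefix(value) is not None
    for value in ("21", "7070", "137:139", "139:137", "0"):
        results[value] = parse_port_spec(value) is not None
    return results


if __name__ == "__main__":
    for value, ok in check_guide_examples().items():
        print(f"{'accept' if ok else 'reject':7} {value}")
```

Running the script prints one accept/reject line per sample value; the three deliberately bad values (a reversed range, the non-contiguous mask 255.0.255.0 and port 0) are the ones rejected.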

Editing a Rule
To edit a rule:

1 Find the rule in the Current rules area and select its adjacent Mark option.
2 Click Edit to populate the configuration controls in the Add a new rule area with the rule's current configuration values.
3 Change the configuration values as necessary.
4 Click Add to re-create the edited rule and add it to the Current rules area.

Removing a Rule
To remove one or more rules:

1 Select the rule(s) to be removed in the Current rules area.
2 Click Remove to remove the selected rule(s).

Note: The same processes for creating, editing and removing rules also apply to a number of pages where hosts and users are the configuration elements being created. On such pages, the Add a new rule and Current rules areas will be Add a new host and Current users etc.

Connecting via the Console
You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.

Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured. See Chapter 16, Configuring Admin Access Options on page 314 for more information.

When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application, such as PuTTY, or from the system > maintenance > shell page.

Connecting Using a Client
To connect using an SSH client:

1 Check SSH access is enabled on Advanced Firewall. See Chapter 16, Configuring Admin Access Options on page 314 for more information.
2 Start PuTTY or an equivalent client.
3 Enter the following information:

Host Name (or IP address): Enter Advanced Firewall's host name or IP address.
Port: Enter 222
Protocol: Select SSH.

4 Click Open. When prompted, enter root, and the password associated with it. You are given access to the Advanced Firewall command line.

Connecting Using Web-based SSH
To connect via the web-based SSH:

1 Navigate to the system > maintenance > shell page.
2 Enter the username root, and the password associated with it. As a root user, you will access the Advanced Firewall command line.

Secure Communication
When you connect your web browser to Advanced Firewall's web-based interface on an HTTPS port for the first time, your browser will display a warning that Advanced Firewall's certificate is invalid. The reason given is usually that the certificate was signed by an unknown entity or because you are connecting to a site pretending to be another site.

Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which is signed by a trusted third party. However, Advanced Firewall's certificate is a self-signed certificate.

Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.

To remove this warning, your web browser needs to be told to trust certificates generated by Advanced Firewall. To do this, import the certificate into your web browser. The details of how this is done vary between browsers and operating systems. See your browser's documentation for information on how to import the certificate.

Inconsistent Site Address
Your browser will generate a warning if Advanced Firewall's certificate contains the accepted site name for the secure site in question and your browser is accessing the site via a different address.

A certificate can only contain a single site name, and in Advanced Firewall's case, the hostname is used. If you try to access the site using its IP address, for example, the names will not match. To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and you are accessing the site by some other name, then this warning will always be generated. In most cases, browsers have an option you can select to ignore this warning and which will ignore these security checks in the future. Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate that HTTPS is about identity as well as encryption.
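To make the two warnings concrete, the following Python example models the two checks a browser performs on an HTTPS connection: whether the certificate's issuer is trusted, and whether the name typed into the address bar matches a name the certificate carries. It is an added example, not Smoothwall code; the certificate identity firewall.example.net is constructed for the example, the address 192.168.72.141 is the one used earlier in this chapter, and the matching rules are the standard browser ones (exact DNS name match, a wildcard covering one label only, an IP literal matching only an IP subjectAltName). It shows why importing the certificate clears the Unknown Entity Warning but not the Inconsistent Site Address warning when you still browse by IP address.

```python
"""Why the browser warns about Advanced Firewall's HTTPS interface, worked
through for the two cases in "Secure Communication". Added example; not
Smoothwall code. The certificate identity below is constructed for the
example and the matching rules are the standard browser ones: exact DNS
name match, a wildcard covering one label only, and an IP literal matching
only an IP subjectAltName. A certificate that carries only a hostname
therefore never matches a URL that uses the IP address.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertIdentity:
    subject_cn: str                                     # subject Common Name
    dns_sans: List[str] = field(default_factory=list)   # DNS subjectAltNames
    ip_sans: List[str] = field(default_factory=list)    # IP subjectAltNames
    self_signed: bool = True


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; "*.example.net" covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def browser_warnings(cert: CertIdentity, requested: str, trusted: bool) -> List[str]:
    """List the warnings a browser would raise when `requested` is the address
    typed into the URL bar and `trusted` says whether the certificate has been
    imported into the browser's trust store."""
    warnings = []
    if cert.self_signed and not trusted:
        warnings.append("unknown issuer")          # the Unknown Entity Warning
    try:
        ip = ipaddress.ip_address(requested)        # URL used an IP literal
        name_ok = any(ipaddress.ip_address(s) == ip for s in cert.ip_sans)
    except ValueError:                              # URL used a hostname
        names = cert.dns_sans or [cert.subject_cn]  # SANs take precedence over CN
        name_ok = any(dns_name_matches(n, requested) for n in names)
    if not name_ok:
        warnings.append("name mismatch")            # the Inconsistent Site Address warning
    return warnings


# Constructed stand-in for a firewall whose self-signed certificate names
# only its hostname, as the guide describes.
FIREWALL_CERT = CertIdentity(subject_cn="firewall.example.net")


def walk_through() -> Dict[str, List[str]]:
    """The guide's scenarios: first visit by IP, then after importing the
    certificate, by IP and by hostname."""
    return {
        "first visit by IP": browser_warnings(FIREWALL_CERT, "192.168.72.141", trusted=False),
        "imported, still by IP": browser_warnings(FIREWALL_CERT, "192.168.72.141", trusted=True),
        "imported, by hostname": browser_warnings(FIREWALL_CERT, "firewall.example.net", trusted=True),
    }


if __name__ == "__main__":
    for scenario, warns in walk_through().items():
        print(f"{scenario:24} -> {warns or 'no warning'}")
```

The third scenario is the one the guide recommends: once the certificate is trusted and the hostname is used, no warning remains. The model also shows the alternative a certificate would need in order to be reached by IP address without a warning (an IP subjectAltName), which the page says Advanced Firewall's single-name certificate does not provide.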


Chapter 3

Working with Connections


In this chapter:
  How to manage Advanced Firewall's network interfaces.

Managing Network Interfaces

You can configure and review network interfaces on Advanced Firewall's internal and external interfaces page.
To access interface settings:

1 Browse to the networking > interfaces > interfaces page.

The following settings for your Advanced Firewall's internal interface are available:

Default interface: A drop-down list of the current interfaces available.
Heartbeat interface: The network interface used by the hardware failover master and failover unit systems to communicate with each other. For more information, see Chapter 16, Managing Hardware Failover on page 322.
Primary DNS: If Advanced Firewall is to be integrated as part of an existing DNS infrastructure, enter the appropriate DNS server information within the existing infrastructure. If in doubt, leave this setting at the default value of 127.0.0.1, i.e. localhost. For more information, see Appendix A, Advanced Firewall and DNS on page 336.
Secondary DNS: Enter the IP address of the secondary DNS server, if one is available. If the primary DNS server setting is set to 127.0.0.1, i.e. localhost, leave this setting empty.
Default gateway: If Advanced Firewall is not going to become your network's gateway, enter the gateway here.
Note: In nearly all setups, Advanced Firewall will be connected to an external connection such as an ADSL router, leased line, or ISDN line. In this case, leave this field blank.

Changing the IP Address


If required, it is possible to change Advanced Firewall's IP address.
To change the IP address:

1. On the networking > interfaces > interfaces page, locate the interface in the Default interface drop-down list and, in the appropriate Settings area, enter the following settings:

IP address: Enter the IP address you want Advanced Firewall to use on your internal network.
Netmask: If required, enter the netmask Advanced Firewall should use on your internal network.

2. Browse to the bottom of the page. Click Save to save the changes and then click Restart to restart networking.

Note: Restarting the networking system can take some time and may interrupt some services.

3. After 15 seconds, in your browser's address field, enter the new IP address. When prompted, enter your user name and password. Advanced Firewall now uses the new IP address.


Virtual LANs
Advanced Firewall supports Virtual LANs (VLANs) by binding a tagged virtual network interface to a regular NIC on the system. Each VLAN is treated by Advanced Firewall as an isolated network zone, just as if it were a regular network zone attached to a real NIC. That isolation holds only as far as the switches carrying the VLAN to the NIC keep the tags separate, so the firewall-facing switch port should be a trunk that admits only the VLAN tags you have configured here.

Creating a VLAN
To create a VLAN:

1. On the networking > interfaces > interfaces page, configure the following settings:

Interface: Select the interface from the drop-down list of NICs available.
VLAN tag: Enter a tag in the range 1 - 4095 to create a separate network.
Note: We do not recommend using a VLAN tag of 1.

2. Click Add. The VLAN is added to the list of interfaces below, where you can configure it.

Configuring a VLAN
To configure the VLAN:

1. In the Interfaces area, locate the VLAN and configure the following settings:

Name: Enter a name for the VLAN.
VLAN tag: Displays the tag you specified when first creating the VLAN.
Note: We do not recommend using a VLAN tag of 1.
Internal: Select to specify internal VLAN settings.
IP address: Enter the IP address that this VLAN NIC will use on your internal network.
Netmask: Enter the network mask used in conjunction with the internal IP address to define the network that this VLAN NIC belongs to.
MTU: Accept the default maximum transmission unit (MTU), or enter the value required in your environment.

2. Click Save to save your settings and click Restart to restart the network and implement the VLAN.

Note: Restarting networking can take some time and may interrupt some services.

Interfaces
Here you can review all the settings for your Advanced Firewall interfaces.
Tip: Clicking the graph takes you to the relevant interface report. Text in blue indicates that the current IP address or other information differs from the entered values. This is useful for showing the IPs of external interfaces, so that they are not accidentally reconfigured as internal ones.


Restarting Networking
Several key changes may have an effect on connectivity of Advanced Firewall. For this reason, most changes are only applied when networking is restarted.
To restart networking:

Click Restart.

Note: Restarting networking can take some time and may interrupt some services.

About Connection Methods and Profiles


Advanced Firewall supports the following connection methods:

Ethernet: An Ethernet NIC routed to an Internet connection, not controlled by Advanced Firewall.
Modem: An internal or external modem connected to the Internet via an ISP, controlled by Advanced Firewall.
Ethernet/modem hybrid: An Ethernet NIC routed to an external modem connected to the Internet via an ISP, controlled by Advanced Firewall.

Up to five different connections to the Internet can be defined, each stored in its own connection profile. Each connection profile defines the type of connection that should be used and the appropriate settings.

About Connection Profiles for Modems


PPP Profiles
Connection profiles for modems, including ISDN, and Ethernet/modem hybrid devices use an additional profile: a Point-to-Point Protocol (PPP) profile. A PPP profile contains the username, password and other settings used for dial-up type connections. The advantage of storing these settings in a PPP profile is that multiple connection profiles can refer to the same authentication and dial settings. This is useful for creating multiple profiles for ISPs that support a range of access technologies authenticated via the same user account.

Modem Profiles
A modem profile is used solely for connections using dial-up modems. A modem profile contains hardware and dialling preferences to control the behavior of dial-up modem devices.

Creating a Connection Profile


The following sections explain how to create a connection profile. When creating a connection profile, you configure the global settings, including the connection method, and then configure the method-specific settings.


Configuring Global Settings


To configure global settings:

1. Navigate to the networking > interfaces > connectivity page.

2. Configure the following settings:

Profiles: Select Empty from the drop-down list and click Select.
Profile name: Enter a name for the connection profile.
Method: Choose the connection method from the drop-down list. Options include:
  Static Ethernet: for more information, see Configuring a Static Ethernet Connection on page 26.
  DHCP Ethernet: for more information, see Configuring a DHCP Ethernet Connection on page 27.
  PPP over Ethernet: for more information, see Configuring a PPP over Ethernet Connection on page 27.
  PPTP over Ethernet: for more information, see Configuring a PPTP over Ethernet Connection on page 28.
  ADSL Modem: for more information, see Configuring an ADSL/DSL Modem Connection on page 28.
  ISDN TA: for more information, see Configuring an ISDN Modem Connection on page 29.
  Modem: for more information, see Configuring a Dial-up Modem Connection on page 30.
Auto connect on boot: By default, all connections will automatically connect at boot time. If you wish to disable this behavior, deselect this option.
Custom MTU: Some ISPs supply additional settings that can be used to improve connection performance. If your ISP provides a custom MTU value, enter it here.

Automatic failover to profile: Optionally, select a different external connection profile to switch to if communication cannot be established with the hosts identified in the Primary failover ping IP and Secondary failover ping IP fields.
Note: Using this option, you can daisy-chain profiles to use if Advanced Firewall cannot establish a connection using the specified connection profile. There is also a reboot option which you can use to restart the system if all of the connections fail.
Primary failover ping IP: Enter an IP address that is known to be contactable if the external connection is operating correctly. Choose a target beyond your ISP's first-hop router, otherwise a failure further upstream will go undetected. If neither the primary nor the secondary IP address can be contacted, the connection will fail over, provided another profile has been chosen in the Automatic failover to profile drop-down menu.
Secondary failover ping IP: Optionally, enter a secondary IP address that is known to be contactable if the external connection is operating correctly. If neither the primary nor the secondary IP address can be contacted, the connection will fail over, provided another profile has been chosen in the Automatic failover to profile drop-down menu.
Load balance outgoing traffic: Select to ensure that outbound NATed traffic is divided among the primary external connection and any other secondary connections that have been added to the load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Load balance web proxy traffic: Select to ensure that web proxy traffic is divided among the primary external connection and any other secondary connections that have themselves been added to the proxy load balancing pool.
Note: If no load balance settings are enabled, all traffic will be sent out of the primary external connection.
Weighting: Select from the drop-down list to assign a weight to this external connection in the load balancing pool. Load balancing is performed according to the respective weights of each connection.

3. Click Update to display further method-specific settings in the settings area.

4. At this point, click Save, as configuration using other pages may be necessary for some connection methods, for example PPP and modem profiles. To complete the connection profile, refer to the method-specific sections in the remainder of this chapter.
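The failover semantics above, as an added example that is not Advanced Firewall's own implementation: a profile is abandoned only when neither of its ping targets answers, control then passes to the profile named in Automatic failover to profile, and the reboot option fires once every profile in the chain has failed. The profile table, the addresses and the offline probe (a set of addresses that "answer") are constructed for the example; a real implementation would send ICMP echo requests.

```python
"""Failover decision logic for chained connection profiles. Added
illustration of the behaviour described in the guide, not Smoothwall code;
the profile table and the reachability sets are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

REBOOT = "reboot"   # the special "reboot the system" failover target


@dataclass
class Profile:
    name: str
    primary_ping: str
    secondary_ping: Optional[str] = None
    failover_to: Optional[str] = None   # next profile name, REBOOT, or None


Probe = Callable[[str], bool]           # True if the address answered a ping


def profile_is_up(profile: Profile, probe: Probe) -> bool:
    """A connection counts as working while at least one ping target answers;
    both targets must fail before failover is triggered."""
    targets = [t for t in (profile.primary_ping, profile.secondary_ping) if t]
    return any(probe(t) for t in targets)


def chain_is_valid(profiles: Dict[str, Profile], start: str) -> bool:
    """Static check of a chain: every link names an existing profile and the
    chain never loops back on itself."""
    seen: Set[str] = set()
    current: Optional[str] = start
    while current and current != REBOOT:
        if current in seen or current not in profiles:
            return False
        seen.add(current)
        current = profiles[current].failover_to
    return True


def select_connection(profiles: Dict[str, Profile], start: str, probe: Probe) -> str:
    """Walk the chain from `start`. Returns the first profile that is up,
    REBOOT if the chain ends in the reboot option, or 'unreachable' if it
    simply ends without one."""
    if not chain_is_valid(profiles, start):
        raise ValueError("failover chain is broken or loops")
    current: Optional[str] = start
    while current and current != REBOOT:
        profile = profiles[current]
        if profile_is_up(profile, probe):
            return current
        current = profile.failover_to
    return REBOOT if current == REBOOT else "unreachable"


def make_probe(reachable: Set[str]) -> Probe:
    """Offline stand-in for ICMP echo: an address 'answers' if it is in the set."""
    return lambda addr: addr in reachable


# Constructed profile table: leased line first, ADSL as backup, then reboot.
PROFILES = {
    "leased-line": Profile("leased-line", "198.51.100.1", "198.51.100.2", failover_to="adsl-backup"),
    "adsl-backup": Profile("adsl-backup", "203.0.113.1", failover_to=REBOOT),
}

if __name__ == "__main__":
    for up in ({"198.51.100.2"}, {"203.0.113.1"}, set()):
        print(sorted(up), "->", select_connection(PROFILES, "leased-line", make_probe(up)))
```

The second scenario in the demo is the one worth noting: with only the secondary ping target answering, the leased line is still considered up, so pick two targets that share as little upstream path as possible.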

Configuring a Static Ethernet Connection


A static Ethernet connection enables Advanced Firewall to use a static IP address, as assigned by your ISP.
To create a static Ethernet connection:

1. Configure the global settings and select Static Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.

2. In the Static Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.
Default gateway: Enter the default gateway IP address as provided by your ISP.
Address: Enter the static IP address provided by your ISP.
Netmask: Enter the subnet mask as provided by your ISP.
Primary DNS: Enter the primary DNS server details as provided by your ISP.
Secondary DNS: Enter the secondary DNS server details as provided by your ISP.

3. Click Save.

Configuring a DHCP Ethernet Connection


A DHCP Ethernet connection enables Advanced Firewall to be allocated a dynamic IP address, as assigned by the ISP.
To create a DHCP Ethernet connection:

1. Configure the global settings and select DHCP Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.

2. In the DHCP Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.
DHCP Hostname: Optionally, enter a DHCP hostname, if provided by your ISP.
MAC spoof: Enter a MAC spoof value if required. Some cable modems require the MAC address of the connecting NIC to be spoofed in order to function correctly. For more information about whether MAC spoof settings are required, consult the documentation supplied by your ISP and modem supplier.

3. Click Save.

Configuring a PPP over Ethernet Connection


This section explains how to configure Advanced Firewall to use a PPPoE modem for Internet connectivity.
To create a PPP over Ethernet connection:

1. Configure the global settings and select PPP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.

2. In the PPP over Ethernet settings area, configure the following settings:

Service name: If required, enter the service name as specified by your ISP.
Concentrator: If required, enter the concentrator name as specified by your ISP.
Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one.

3. Click Save.

Configuring a PPTP over Ethernet Connection


This section explains how to configure Advanced Firewall to use a PPTP modem for Internet connectivity.
To create a PPTP over Ethernet connection:

1. Configure the global settings and select PPTP over Ethernet as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.

2. In the PPTP over Ethernet settings area, configure the following settings:

Interface: From the drop-down list, select the Ethernet interface for this connection.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.
Address: Enter the IP address assigned by your ISP.
Netmask: Enter the netmask assigned by your ISP.
Gateway: Enter the gateway assigned by your ISP.
Telephone: Enter the dial telephone number as provided by your ISP.

3. Click Save.

Configuring an ADSL/DSL Modem Connection


Advanced Firewall can connect to the Internet using an ADSL modem. If your ADSL connection uses a PPPoE connection, see Configuring a PPP over Ethernet Connection on page 27 for more information.
Note: To connect using an ADSL modem, the ADSL device must have been configured either during the initial installation and setup or post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.

To complete the connection profile:

1. Configure the global settings and select ADSL Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.

2. In the ADSL Modem settings area, configure the following settings:

Service name: Leave this field blank. It is not required for this type of profile.
Concentrator: Leave this field blank. It is not required for this type of profile.
PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.

3. Click Save.

Configuring an ISDN Modem Connection


This section explains how to configure Advanced Firewall to use an ISDN modem for Internet connectivity.
Note: To connect using an ISDN modem, an ISDN device must have been configured during the initial installation and setup of Advanced Firewall. Alternatively, ISDN devices can be configured post-installation by launching the setup program from the system console. For further information, see the Advanced Firewall Installation and Setup Guide.

To complete the connection profile:

1. Configure the global settings and select ISDN TA as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.

2. In the ISDN settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.
Telephone: Enter the telephone number for the ISDN connection.
Channels: From the drop-down list, select either Single channel or Dual channel, depending on whether you are using one or two ISDN lines.
Keep second channel up: Select to force the second channel to remain open when its data rate falls below a worthwhile threshold.
Note: ISDN connections sometimes suffer from changeable data throughput rates. If this occurs in dual channel mode, and the data rate of the second channel decreases below a threshold where it is of no benefit, Advanced Firewall will automatically close it. Forcing the second channel to stay up will prevent this from happening.
Minimum time to keep second channel up (sec): Enter a minimum time, in seconds, if your ISDN connection experiences intermittent loss of data throughput for short periods of time. This option is of use when the second channel data rate falls below the threshold only for short periods.

3. Click Save.


Configuring a Dial-up Modem Connection


This section explains how to configure Advanced Firewall to use a dial-up modem for Internet connectivity.
To complete the profile:

1. Configure the global settings and select Modem as the connection method. For more information on global settings, see Configuring Global Settings on page 25. Click Update.

2. In the Modem settings area, configure the following settings:

PPP Profile: From the drop-down list, select the PPP profile for this connection. Or, if no PPP profile has been created, click Configure PPP to go to the ppp page and create one. For more information, see Creating a PPP Profile on page 30.
Modem profile: From the drop-down list, select the modem profile to use. See Configuring Modems on page 327 for more information on modem profiles.
Telephone: Enter the telephone number for the connection.

3. Click Save.

Creating a PPP Profile


Up to five PPP profiles can be created to store username, password and connection-specific details for connections where Advanced Firewall controls the connecting device, e.g. an ADSL modem attached to Advanced Firewall.
To create a PPP profile:

1. Navigate to the networking > interfaces > ppp page.

2. Configure the following settings:

Profiles: From the drop-down list, select Empty.
Profile name: Enter a name for the profile.
Dial on Demand: Select to ensure that the PPP connection is only established if an outbound request is made. This may help reduce costs if your ISP uses per-unit-time billing.
Dial on Demand for DNS: Select to ensure that the system dials for DNS requests; this is normally the desired behavior.
Idle timeout: Enter the number of minutes that the connection must remain inactive for before it is automatically closed by Advanced Firewall. Enter 0 to disable this setting.
Persistent connection: Select to ensure that once this PPP connection has been established, it will remain connected, regardless of the value entered in the Idle timeout field.
Maximum retries: Enter the maximum number of times that Advanced Firewall will try to connect following a failure to connect.
Username: Enter your ISP-assigned username.
Password: Enter your ISP-assigned password.
Method: Choose the authentication method as specified by your ISP.
Script name: Enter the name of a logon script here, if your ISP instructs you to do so. Ensure that the relevant script type has been selected in the Method drop-down list.
Type: Specifies the DNS type used by your ISP.
  Manual: select if your ISP has provided you with DNS server addresses to enter.
  Automatic: select if your ISP automatically allocates DNS settings upon connection.
Primary DNS: If Manual has been selected, enter the primary DNS server IP address.
Secondary DNS: If Manual has been selected, enter the secondary DNS server IP address.

3. Click Save to save your settings and create the PPP profile.

Modifying Profiles
To modify an existing connection, PPP or modem profile:

1. Navigate to the appropriate profile page.

2. Choose the profile you wish to modify from the Profiles drop-down list and click Select. The profile details will now be displayed.

3. Make changes to any of the fields, review the changes and click Save.

Note: Any changes made to a profile that is used as part of a current connection will only be applied following re-connection. The connection can be manually restarted on the main > control page.


Deleting Profiles
To delete an existing connection, PPP or modem profile:

1. Navigate to the appropriate profile page.

2. Choose the profile you wish to delete from the Profiles drop-down list and click Select. The profile details will now be displayed.

3. If you are certain that you wish to delete the selected profile, click Delete.

Note: Deleting a profile that is used as part of a current connection will cause the current connection to close.


Chapter 4

Managing Your Network Infrastructure


In this chapter:
  Creating subnets and internal subnet aliases
  Enabling and configuring the RIP service
  Determining which interface to use based on sources and ports
  Configuring and managing external aliases and source mapping

Creating Subnets
Large organizations often find it advantageous to group computers from different departments, floors and buildings into their own subnets, usually with network hubs and switches.
Note: This functionality only applies to subnets available via an internal gateway.

To create a subnet rule:

1. Navigate to the networking > routing > subnets page.

2. Configure the following settings:

Network: Enter the IP address that specifies the network ID part of the subnet definition when combined with the netmask value.
Netmask: Enter a network mask that specifies the size of the subnet when combined with the Network field.
Gateway: Enter the IP address of the gateway device through which the subnet is reached. This must be an address on a network zone that Advanced Firewall is directly attached to, since Advanced Firewall has to be able to route to the gateway device for the subnet rule to work.
Metric: Enter a router metric to set the order in which routes are evaluated, with 0 being the highest priority and the default for new routes.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

3. Click Add. The rule is added to the Current rules table.

Editing and Removing Subnet Rules


To edit or remove existing subnet rules, use Edit and Remove in the Current rules area.

Using RIP
The Routing Information Protocol (RIP) service enables network-wide convergence of routing information amongst gateways and routers. A RIP-enabled gateway passes its entire routing table to its neighbours, typically every 30 seconds. Advanced Firewall's RIP service can:
  Operate in import, export or combined import/export mode
  Support password and MD5 authentication
  Export direct routes to the system's internal interfaces.

To configure the RIP service:

Navigate to the networking > routing > rip page.

Configure the following settings:


Enabled: Select to enable the RIP service.
Scan interval: From the drop-down menu, select the time delay between routing table imports and exports. Select a frequent scan interval for networks with fewer hosts. For networks with greater numbers of hosts, choose a less frequent scan interval.
Note: There is a performance trade-off between the number of RIP-enabled devices, network hosts and the scan frequency of the RIP service. The periodic exchange of routing information between RIP-enabled devices increases the ambient level of traffic on the host network. Accordingly, administrators responsible for larger networks should consider increasing the RIP scan interval, or whether the RIP service is suitable for propagating routing information at all.
Direction: From the drop-down menu, select how to manage routing information. The following options are available:
  Import and Export: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways. The RIP service will also broadcast its routing tables for use by other RIP-enabled gateways.
  Import: The RIP service will add to and update its routing table from information received from other RIP-enabled gateways.
  Export: The RIP service will only broadcast its routing tables for use by other RIP-enabled gateways.
Logging level: From the drop-down menu, select the level of logging.
RIP interfaces: Select each interface that the RIP service should import/export routing information to/from.
Authentication: Enabling RIP authentication ensures that routing information is only imported and exported amongst RIP-enabled devices that hold the shared secret. Select one of the following options:
  None: In this mode, routing information can be imported and exported between any RIP devices. We do not recommend this option from a security standpoint: any host on the segment can inject routes.
  Password: In this mode, a plain-text password is specified which must match the other RIP devices. The password is carried unencrypted in every RIP update, so anyone able to capture traffic on the segment can read it and then inject routes of their own.
  MD5: In this mode, a shared secret is specified which must match the other RIP devices. The secret itself is never transmitted; each update instead carries an MD5 digest computed over the packet and the secret, so a captured update cannot be used to recover the secret or to pass off a modified packet. Prefer this mode over Password.
Password: If Password is selected as the authentication method, enter a password for RIP authentication.
Again: If Password is selected as the authentication method, re-enter the password to confirm it.
Direct routing interfaces: Optionally, select interfaces whose exported RIP data should also include routes to the RIP service's own interfaces. This ensures that other RIP devices are able to route directly and efficiently to each exported interface.

3. Click Save.
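What the Password and MD5 modes actually put on the wire, as an added example that is not Advanced Firewall's RIP daemon: the packet layouts follow RFC 2453 (simple password entry) and RFC 2082 (keyed MD5 authentication entry plus trailer) as I read them, and interoperability with any particular daemon is not claimed. The route, password and key are constructed. The simple-password packet hands the secret to anyone sniffing the segment; the MD5 packet carries only a digest of the packet plus the key, and its sequence number is the only replay defence the scheme has.

```python
"""RIPv2 authentication on the wire: simple password (RFC 2453) versus keyed
MD5 (RFC 2082). Added illustration, not Smoothwall code; the route, password
and key below are constructed sample data."""
import hashlib
import hmac
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")          # command, version, must-be-zero
ROUTE_ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, mask, next hop, metric
AUTH_ENTRY = struct.Struct("!HH16s")        # AFI 0xFFFF, auth type, 16 bytes of auth data
MD5_ENTRY = struct.Struct("!HHHBBI8s")      # AFI 0xFFFF, type 3, packet len, key id, data len, seq, zeros
AUTH_AFI, AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 0xFFFF, 2, 3, 1
RESPONSE, VERSION = 2, 2
TRAILER_HEAD = struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)


def route_entry(prefix: str, metric: int) -> bytes:
    net = ipaddress.IPv4Network(prefix)
    return ROUTE_ENTRY.pack(2, 0, net.network_address.packed, net.netmask.packed, b"\0" * 4, metric)


def _pad_key(key: bytes) -> bytes:
    if len(key) > 16:
        raise ValueError("RIP authentication keys are at most 16 bytes")
    return key.ljust(16, b"\0")


def build_simple_password_packet(routes: bytes, password: str) -> bytes:
    """'Password' mode: the password itself is the first entry, in clear text."""
    auth = AUTH_ENTRY.pack(AUTH_AFI, AUTH_SIMPLE, _pad_key(password.encode()))
    return RIP_HEADER.pack(RESPONSE, VERSION, 0) + auth + routes


def extract_plaintext_password(packet: bytes) -> str:
    """What anyone capturing the segment can read out of a 'Password' mode update."""
    afi, atype, data = AUTH_ENTRY.unpack_from(packet, RIP_HEADER.size)
    if afi != AUTH_AFI or atype != AUTH_SIMPLE:
        raise ValueError("not a simple-password authenticated packet")
    return data.rstrip(b"\0").decode()


def build_md5_packet(routes: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """'MD5' mode: digest = MD5(packet through the trailer header || padded key);
    the key is never sent, only the digest."""
    body_len = RIP_HEADER.size + MD5_ENTRY.size + len(routes)      # excludes the trailer
    head = RIP_HEADER.pack(RESPONSE, VERSION, 0) + MD5_ENTRY.pack(AUTH_AFI, AUTH_MD5, body_len, key_id, 16, seq, b"")
    covered = head + routes + TRAILER_HEAD
    digest = hashlib.md5(covered + _pad_key(key)).digest()
    return covered + digest


def verify_md5_packet(packet: bytes, key: bytes, last_seq: int) -> bool:
    """Receiver side: recompute the digest with the shared key and insist on a
    sequence number above the last accepted one, so a replayed update fails."""
    if len(packet) < RIP_HEADER.size + MD5_ENTRY.size:
        return False
    afi, atype, body_len, _key_id, data_len, seq, _ = MD5_ENTRY.unpack_from(packet, RIP_HEADER.size)
    if afi != AUTH_AFI or atype != AUTH_MD5 or data_len != 16:
        return False
    if len(packet) != body_len + len(TRAILER_HEAD) + 16 or seq <= last_seq:
        return False
    covered, received = packet[: body_len + len(TRAILER_HEAD)], packet[body_len + len(TRAILER_HEAD):]
    expected = hashlib.md5(covered + _pad_key(key)).digest()
    return hmac.compare_digest(expected, received)


# Constructed sample data: one advertised route, one password, one key.
ROUTES = route_entry("10.20.0.0/16", 1)
KEY = b"constructed-key"

if __name__ == "__main__":
    print("password mode leaks:", extract_plaintext_password(build_simple_password_packet(ROUTES, "s3cret")))
    pkt = build_md5_packet(ROUTES, KEY, key_id=1, seq=7)
    print("md5 packet:", pkt.hex(), "verifies:", verify_md5_packet(pkt, KEY, last_seq=6))
```

MD5 here is a keyed digest, not a password hash, and it is the weaker end of what modern routing daemons offer; it still stops the two cheap attacks (reading the secret off the wire and re-injecting an altered update), which plain Password mode does not.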

Sources
The sources page is used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. Source rules can be created for individual hosts, ranges of hosts or subnet ranges.

Creating Source Rules


Source rules route outbound traffic from selected network hosts through a particular external interface.

To create a source rule:

Navigate to the networking > routing > sources page.

Configure the following settings:


Source IP or network: Enter the source IP or subnet range of the internal network host(s) specified by this rule. For more information, see About IP Address Definitions on page 38.
Internal interface: From the drop-down menu, select the internal interface that the source IP must originate from to use the external connection.
External interface: From the drop-down menu, select the external interface that is used by the specified source IP or network for external communication. Alternatively, select Exception to create an exception rule which ensures that all outbound traffic from the specified source IP, network and internal interface is routed via the primary external interface.
Note: If the external interface is set to Exception, any traffic specified here will not be subject to any load balancing.
Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment: Optionally, enter a description for the source rule.
Enabled: Select to activate the rule.

Click Add.

Removing a Rule
To remove one or more rules:

Select each rule in the Current rules area and click Remove.

Editing a Rule
To edit a rule:

1. Locate the rule in the Current rules region, select it and click Edit to populate the configuration controls in the Add a new rule region with the rule's current configuration values.

2. Alter the configuration values as necessary, and click Add.


About IP Address Definitions


Single or multiple IP addresses can be specified in a number of different ways:
  IP address: An identifier for a single network host, written as a quartet of dotted decimal values, e.g. 192.168.10.1
  IP subnet [dotted decimal]: An arbitrary IP address and network mask that specifies a subnet range of IP addresses, e.g. 192.168.10.0/255.255.255.0 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255
  IP subnet [network prefix]: An arbitrary IP address and network mask in network prefix notation, e.g. 192.168.10.0/24 defines a subnet range of IP addresses from 192.168.10.0 to 192.168.10.255.
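The three definition forms above, parsed and then used to validate a subnet rule from Creating Subnets (the gateway must sit on a network Advanced Firewall is directly attached to, and must not be the firewall's own address), as an added example that is not the product's own validation code. The interface addresses are constructed; the parsing relies on Python's standard ipaddress module, which accepts both dotted-decimal and prefix-length masks and rejects a mask that is not a contiguous run of ones.

```python
"""Parsing Advanced Firewall's IP definition forms and validating subnet
(static route) rules against the firewall's own interfaces. Added example,
not Smoothwall code; the attached interface addresses are constructed."""
import ipaddress
from typing import List, Tuple


def parse_ip_definition(text: str) -> ipaddress.IPv4Network:
    """Accepts 'a.b.c.d' (one host), 'a.b.c.d/m.m.m.m' (dotted-decimal mask)
    or 'a.b.c.d/n' (prefix length). Host bits in the address are cleared, so
    '192.168.10.7/24' means the 192.168.10.0/24 network. A mask that is not
    a contiguous run of ones (255.0.255.0) raises ValueError."""
    text = text.strip()
    if "/" not in text:
        text += "/32"
    return ipaddress.IPv4Network(text, strict=False)


def is_valid_definition(text: str) -> bool:
    try:
        parse_ip_definition(text)
        return True
    except ValueError:
        return False


def address_range(text: str) -> Tuple[str, str]:
    """First and last address covered by a definition."""
    net = parse_ip_definition(text)
    return str(net.network_address), str(net.broadcast_address)


def check_subnet_rule(network: str, netmask: str, gateway: str,
                      attached: List[ipaddress.IPv4Interface]) -> Tuple[bool, str]:
    """A subnet rule only works if the gateway is on a network the firewall
    is directly attached to, and is not the firewall's own address."""
    try:
        subnet = parse_ip_definition(f"{network}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return False, f"invalid rule: {exc}"
    for iface in attached:
        if gw == iface.ip:
            return False, f"gateway {gw} is the firewall's own address on {iface}"
        if gw in iface.network:
            return True, f"route to {subnet} via {gw} on directly attached {iface.network}"
    return False, f"gateway {gw} is not on any directly attached network"


# Constructed: the firewall's own interface addresses.
ATTACHED = [ipaddress.IPv4Interface("192.168.10.1/24"), ipaddress.IPv4Interface("10.0.0.1/24")]

if __name__ == "__main__":
    for text in ("192.168.10.1", "192.168.10.0/255.255.255.0", "192.168.10.0/24"):
        print(text, "->", address_range(text))
    for gw in ("192.168.10.254", "172.16.0.1", "192.168.10.1"):
        print("172.16.0.0/255.255.0.0 via", gw, "->", check_subnet_rule("172.16.0.0", "255.255.0.0", gw, ATTACHED))
```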

Ports
The ports page is where you route outbound traffic for selected ports through a particular external interface. For example, you can create a rule to send all SMTP traffic down a specific external interface.
Note: The rules on the sources page are always examined first, so traffic is only matched against the ports rules if it does not first hit a sources rule. For more information, see Sources on page 36.

Creating a Ports Rule


Port rules route outbound traffic for selected ports through a particular external interface.
To create a ports rule:

Navigate to the networking > routing > ports page.

Configure the following settings:


Protocol: From the drop-down menu, select the protocol the traffic uses.
Service: From the drop-down menu, select the service, port range or group of ports.
Port: If the service is user defined, enter the port number.
External interface: From the drop-down menu, select the external interface to use. Select Exception to never route the traffic via an alternative interface.
Note: Using Exception will always send traffic out via the primary, no matter what interface is currently being used by the primary connection.
Comment: Enter a description of the rule.
Enabled: Select to make the rule active.

Click Add to create the rule. The rule is created and listed in the Current rules area.
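The evaluation order that the Sources and Ports pages describe, as an added example that is not Advanced Firewall's routing code: the sources table is consulted first, a ports rule only applies to traffic no sources rule claimed, and Exception in either table pins the traffic to the primary connection and exempts it from load balancing. The rule tables and sample packets are constructed, and evaluating each table top to bottom with the first match winning is an assumption of the example.

```python
"""Outbound interface selection: sources rules first, then ports rules, then
the primary connection (load balanced when that is enabled). Added
illustration, not Smoothwall code; the rule tables and packets are constructed
and top-to-bottom, first-match evaluation within a table is assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List

PRIMARY = "primary"          # whichever external connection is currently primary
EXCEPTION = "Exception"


@dataclass
class SourceRule:
    source: str              # 'a.b.c.d', 'a.b.c.d/m.m.m.m' or 'a.b.c.d/n'
    internal_iface: str
    external_iface: str      # an external interface name or EXCEPTION
    enabled: bool = True


@dataclass
class PortRule:
    protocol: str            # 'tcp' or 'udp'
    ports: range             # a single port is range(p, p + 1)
    external_iface: str
    enabled: bool = True


@dataclass
class Decision:
    external_iface: str
    load_balanced: bool
    matched_by: str


def choose_external(src_ip: str, internal_iface: str, protocol: str, dport: int,
                    source_rules: List[SourceRule], port_rules: List[PortRule],
                    load_balance_enabled: bool) -> Decision:
    ip = ipaddress.IPv4Address(src_ip)
    # 1. A sources rule wins outright; the ports table is never consulted for its traffic.
    for rule in source_rules:
        if not rule.enabled or rule.internal_iface != internal_iface:
            continue
        if ip in ipaddress.IPv4Network(rule.source, strict=False):
            if rule.external_iface == EXCEPTION:
                return Decision(PRIMARY, False, "sources (Exception)")
            return Decision(rule.external_iface, False, "sources")
    # 2. Ports rules apply only to traffic no sources rule claimed.
    for rule in port_rules:
        if not rule.enabled or rule.protocol != protocol.lower() or dport not in rule.ports:
            continue
        if rule.external_iface == EXCEPTION:
            return Decision(PRIMARY, False, "ports (Exception)")
        return Decision(rule.external_iface, False, "ports")
    # 3. Everything else leaves via the primary, load balanced only if enabled.
    return Decision(PRIMARY, load_balance_enabled, "default")


# Constructed tables: the mail server is pinned to the primary (Exception), the
# rest of its subnet leaves via ext2, and SMTP from anywhere else via ext3.
SOURCE_RULES = [
    SourceRule("192.168.10.25", "eth0", EXCEPTION),
    SourceRule("192.168.10.0/255.255.255.0", "eth0", "ext2"),
]
PORT_RULES = [PortRule("tcp", range(25, 26), "ext3")]

if __name__ == "__main__":
    for src, iface, port in (("192.168.10.25", "eth0", 25), ("192.168.10.40", "eth0", 25),
                             ("192.168.20.5", "eth0", 25), ("192.168.20.5", "eth0", 443)):
        print(src, iface, f"tcp/{port}", "->", choose_external(src, iface, "tcp", port, SOURCE_RULES, PORT_RULES, True))
```

The first sample packet is the instructive one: the mail server's SMTP traffic goes to the primary connection because the sources rule claims it, even though a ports rule for SMTP exists.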

Removing Rules
To remove one or more rules:

Select each rule in the Current rules area and click Remove.

Editing a Rule
To edit a rule:

1. Select the rule in the Current rules area and click Edit.

2. In the Add a new rule area, make the changes you require and click Add. The rule is updated and listed in the Current rules area.

Creating an External Alias Rule


Advanced Firewall enables you to associate multiple public IP addresses with a single Advanced Firewall by creating external aliases. An external alias binds an additional public IP address to Advanced Firewall's external interface. See Appendix F, Hosting Tutorials on page 373 for practical examples.
To create an external alias rule:

Navigate to the networking > interfaces > external aliases page.


Configure the following settings:


External interface: From the drop-down list, select the external interface to which you want to bind an additional public IP address.
Select: Click to select the interface.
Connectivity profile: Used to determine when the external alias is active. Options include:
  All: The external alias will always be active, irrespective of the currently active connection profile.
  Named connection profile: The external alias will only be active if the named connection profile is currently active. This is particularly useful for creating aliases for connection profiles that are used as failover connections.
Alias IP: Enter the IP address of the external alias. This address should be provided by your ISP as part of a multiple static IP address allocation.
Netmask: Used to specify the network mask of the external alias. This value is usually the same as the external interface's netmask value and should be provided by your ISP.
Comment: A field used to assign a helpful message describing the external alias rule.
Enabled: Determines whether the external alias rule is currently active.

Click Add. The external alias rule is added to the Current rules table.

Editing and Removing External Alias Rules


To edit or remove existing external alias rules, use Edit and Remove in the Current rules region.

Port Forwards from External Aliases


Advanced Firewall extends your systems port forwarding capabilities by allowing port forward rules to be created that can forward traffic arriving at an external alias. No special configuration is required to use this feature. Use the existing networking > firewall > port forwarding page and select the required external alias from the Source IP drop-down list.

Creating a Source Mapping Rule


Advanced Firewall enables you to map internal hosts to an external IP alias, instead of the default, real external IP, by creating source mapping rules. This allows outbound communication from specified hosts to appear to originate from the external alias IP address. A common use for source mapping rules is to ensure that SMTP mail servers send and receive email via the same IP address. If the incoming IP address is an external alias, and outbound mail fails to mirror the IP address as its source, some SMTP servers will reject the mail. This is because the mail will not appear to originate from the correct IP address, i.e. the Advanced Firewall default external IP is not the MX for the email domain. This problem can be alleviated by using a source mapping rule to ensure that the SMTP server uses the same IP address for inbound and outbound traffic. See Appendix F, Hosting Tutorials on page 373 for practical examples.

To create a source mapping rule:

1 Navigate to the networking > firewall > source mapping page.

2 Configure the following settings:

Source IP: Enter the source IP or network of hosts to be mapped to an external alias. For a single host, enter its IP address. For a network of hosts, enter an appropriate IP address and subnet mask combination; for example, 192.168.100.0/255.255.255.0 creates a source mapping rule for every host in the 192.168.100.0/24 subnet (192.168.100.1 through 192.168.100.254). For all hosts, leave the field blank.

Alias IP: From the drop-down list, select the external alias that outbound communication is mapped to.

Comment: Enter a description of the rule.

Enabled: Select to enable the rule.

3 Click Add. The source mapping rule is added to the Current rules table.
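The following Python model is an added illustration, not Smoothwall's own NAT code. It shows what a source mapping rule and a port forward from an external alias (see Port Forwards from External Aliases above) do together for the SMTP case just described: mail for the alias is forwarded to the mail server, and the server's outbound mail leaves from that same alias rather than the real external IP. The addresses (203.0.113.10 as the real external IP, 203.0.113.11 as the mail alias, 192.168.100.25 as the mail server) and the rule set are constructed for the example.

```python
import ipaddress

# Constructed values for the example: the firewall's real external IP, one
# external alias reserved for mail, and the mail server behind the firewall.
DEFAULT_EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")
MAIL_ALIAS = ipaddress.ip_address("203.0.113.11")
MAIL_SERVER = ipaddress.ip_address("192.168.100.25")

# Source mapping rules as they would appear in the Current rules table:
# (source IP or network, or None for "all hosts"; alias IP; enabled).
# ip_network() accepts both the dotted-mask and the prefix-length forms.
SOURCE_MAPPING_RULES = [
    (ipaddress.ip_network("192.168.100.25"), MAIL_ALIAS, True),
    (ipaddress.ip_network("192.168.100.0/255.255.255.0"),
     ipaddress.ip_address("203.0.113.12"), False),   # disabled: must be ignored
]

# Port forward from the external alias: (external IP, protocol, port,
# destination IP, destination port). Inbound SMTP to the alias reaches the server.
PORT_FORWARDS = [
    (MAIL_ALIAS, "tcp", 25, MAIL_SERVER, 25),
]


def outbound_source(internal_ip, rules=SOURCE_MAPPING_RULES):
    """Public IP that a packet from internal_ip leaves with.

    The first enabled rule whose source field contains the host wins; with no
    match the packet is NATed to the real external IP, the default the page
    describes."""
    host = ipaddress.ip_address(internal_ip)
    for network, alias, enabled in rules:
        if enabled and (network is None or host in network):
            return alias
    return DEFAULT_EXTERNAL_IP


def inbound_target(external_ip, proto, port, forwards=PORT_FORWARDS):
    """(destination IP, destination port) for traffic arriving at an external
    IP and port, or None if no port forward matches."""
    ext = ipaddress.ip_address(external_ip)
    for fwd_ext, fwd_proto, fwd_port, dst, dst_port in forwards:
        if (fwd_ext, fwd_proto, fwd_port) == (ext, proto, port):
            return dst, dst_port
    return None


def mail_path_is_symmetric(mail_server, alias, port=25):
    """The property the SMTP discussion is about: mail for the alias must land
    on the server, and the server's own outbound mail must leave from that same
    alias, so the sending address matches the domain's MX record."""
    target = inbound_target(alias, "tcp", port)
    server = ipaddress.ip_address(mail_server)
    return (target is not None and target[0] == server
            and outbound_source(mail_server) == ipaddress.ip_address(alias))
```

Running mail_path_is_symmetric("192.168.100.25", "203.0.113.11") returns True only because both halves are in place; remove the source mapping rule and outbound mail would leave from 203.0.113.10, which is the mismatch that causes receiving servers to reject it.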

Editing and Removing Source Mapping Rules


To edit or remove existing source mapping rules, use Edit and Remove in the Current rules area.

Managing Internal Aliases


Advanced Firewall can be configured to create internal aliases for each installed NIC. Internal aliases can be used to create logical subnets amongst hosts within the same physical network zone.
Note: This function is recommended only for experienced network administrators, as there are a number of security implications and limitations that using this feature will impose on the rest of your network.

Internal alias rules are used to create such bindings on an internal network interface, thus enabling it to route packets to and from IP addresses on a virtual subnet without the need for physical switches.

Note: No services will run on the alias IP.

Note: Use of this feature is not normally recommended for the following reasons:

No physical separation: Internal aliases should not be considered a substitute for physically separating multiple networks. Network users can join a logical subnet simply by changing their own IP address, so an alias provides no security boundary.

No DHCP service: DHCP servers cannot serve a logical subnet, as it is impossible for the server to know which subnet (physical or logical) the client should be on.

No direct DNS or proxy access: The DNS proxy and web proxy services cannot be accessed by hosts on a logical subnet. Requests for such services must be routed via the IP address of the physical interface, which is not the case when an alias is in use.

Generally, internal aliases should only be created in special circumstances.

Creating an Internal Alias Rule


To create an internal alias rule:

1 Navigate to the networking > interfaces > internal aliases page.

2 Configure the following settings:

Interface: From the drop-down menu, select the internal interface on which to create the alias.

IP address: Enter an IP address for the internal alias.

Netmask: Enter a network mask that specifies the size of the subnet accessible via the internal alias (when combined with a network value).

Comment: Enter a description of the rule.

Enabled: Select to enable the rule.

3 Click Add. The internal alias rule is added to the Current rules table.

Editing and Removing Internal Alias Rules


To edit or remove existing internal alias rules, use Edit and Remove in the Current rules area.


Working with Secondary External Interfaces


The secondaries page is used to configure an additional, secondary external interface. A secondary external interface will operate independently of the primary external interface, NATing its own outbound traffic. Once a secondary external interface is active, the system can be configured to selectively route different internal hosts, ranges of hosts and subnets out across either the primary or secondary external interface.

Configuring a Secondary External Interface


Note: It is not possible to perform L2TP or OpenVPN connections to secondary interfaces.

To configure a secondary external interface:

1 Navigate to the networking > interfaces > secondaries page.

2 Configure the following settings:

Secondary external interface: From the drop-down list, select the interface you want to use as the secondary external interface.

Select: Click to select the interface.

Address: Enter the IP address.

Netmask: Enter the netmask.

Default gateway: Enter the default gateway.

Enabled: Select to enable the interface.

Primary failover ping IP: Optionally, specify an IP address that you know can be contacted if the secondary connection is operating correctly. When enabled, the IP address is pinged every two minutes over the secondary to ensure that the connection is active. If this IP address cannot be contacted, all outbound traffic will be redirected to the primary connection. If a secondary failover ping IP has also been entered, it too must fail before failover routing is activated. Choose a target that is reliably up and answers ICMP, such as the secondary ISP's gateway; a host that rate-limits or blocks ping will cause spurious failovers.

Secondary failover ping IP: Optionally, specify an additional IP address that you know can be contacted if the secondary connection is operating correctly. It is also pinged every two minutes over the secondary. Only when neither this IP address nor the primary failover ping IP can be contacted is all outbound traffic redirected to the primary connection.

Load balance outgoing traffic: Optionally, select to add the currently selected secondary address to the load balancing pool of connections. Selecting this option ensures that outbound NATed traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have been added to the load balancing pool.

Load balance web proxy traffic: Optionally, select to add the currently selected secondary address to the proxy load balancing pool. Selecting this option ensures that web proxy traffic is divided among the currently selected secondary address and any other connections, primary or secondary, that have themselves been added to the proxy load balancing pool.

Note: If neither load balance option is selected, all traffic will be sent out of the primary external connection.

Weighting: Optionally, set the weighting for load balancing on the currently selected secondary address. A weighting is assigned to all external connections in the load balancing pool and load balancing is performed according to the respective weights of each connection. For example:
A connection weighted 10 will be given 10 times as much load as a connection weighted 1.
A connection weighted 6 will be given 3 times as much load as a connection weighted 2.
A connection weighted 2 will be given twice as much load as a connection weighted 1.
The weighting value is especially useful for load balancing external connections of differing speeds.

3 Click Save to save your settings and enable the secondary external interface.
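The following Python model is an added example of the behaviour the secondaries page describes: it is not Smoothwall's routing code, and the link names, weights, ping target addresses and ping results are constructed. It shows two things the table above states in prose: a link only fails over when every configured ping target is unreachable, and weighted load balancing hands a weight-10 link exactly ten times the new connections of a weight-1 link. The weighted selection uses the smooth weighted round-robin algorithm (the one nginx uses), which is an assumption about how the shares are realised, not something the page specifies.

```python
class ExternalLink:
    """One external connection as the secondaries page configures it."""

    def __init__(self, name, weight=1, primary_ping=None, secondary_ping=None):
        self.name = name
        self.weight = weight                  # Weighting field
        self.primary_ping = primary_ping      # Primary failover ping IP
        self.secondary_ping = secondary_ping  # Secondary failover ping IP
        self.failed_over = False
        self.current = 0                      # smooth weighted round-robin state

    def update_health(self, reachable):
        """reachable: the set of ping targets that answered over this link in
        the latest two-minute check. The link fails over only when every
        configured target is unreachable; with no ping IP configured it is
        never failed over, which is why the page calls the field optional."""
        targets = [ip for ip in (self.primary_ping, self.secondary_ping) if ip]
        self.failed_over = bool(targets) and not any(ip in reachable for ip in targets)


class Balancer:
    def __init__(self, primary, secondaries):
        self.primary = primary
        self.secondaries = secondaries

    def pool(self):
        """Links that may carry new outbound connections right now."""
        live = [link for link in [self.primary] + self.secondaries if not link.failed_over]
        return live or [self.primary]   # nothing healthy: the primary carries everything

    def next_link(self):
        """Pick the link for the next new connection by smooth weighted
        round-robin: over any window of sum(weights) connections a weight-10
        link gets exactly ten times the connections of a weight-1 link, and
        they are spread out rather than bunched."""
        pool = self.pool()
        total = sum(link.weight for link in pool)
        for link in pool:
            link.current += link.weight
        chosen = max(pool, key=lambda link: link.current)
        chosen.current -= total
        return chosen

    def distribute(self, connections):
        """How many of the next `connections` new flows each link receives."""
        counts = {}
        for _ in range(connections):
            name = self.next_link().name
            counts[name] = counts.get(name, 0) + 1
        return counts


def demo():
    """Constructed setup: a weight-2 primary, a weight-1 ADSL backup with two
    ping targets, and a weight-10 leased line with one ping target."""
    primary = ExternalLink("primary", weight=2)
    adsl = ExternalLink("adsl", weight=1,
                        primary_ping="203.0.113.1", secondary_ping="203.0.113.2")
    leased = ExternalLink("leased", weight=10, primary_ping="198.51.100.1")
    balancer = Balancer(primary, [adsl, leased])

    healthy = balancer.distribute(130)         # 2:1:10 -> 20:10:100

    adsl.update_health({"203.0.113.2"})        # one of two targets answers: still up
    leased.update_health(set())                # its only target is silent: failed over
    degraded = balancer.distribute(30)         # leased line gone, 2:1 -> 20:10
    return healthy, degraded
```

demo() returns ({"primary": 20, "adsl": 10, "leased": 100}, {"primary": 20, "adsl": 10}): the first dictionary is the split while all links are up, the second after the leased line's ping target stops answering.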


Chapter 5

General Network Security Settings


In this chapter:
Using IP blocking to block source IPs and networks.
Reviewing network interface information.
Fine-tuning network communications using the advanced networking features.
Creating groups of ports for use throughout Advanced Firewall.

Blocking by IP
IP block rules can be created to block network traffic originating from certain source IPs or network addresses. IP block rules are primarily intended to block hostile hosts from the external network; however, it is sometimes useful to use this feature to block internal hosts, for example, if an internal system has been infected by malware. IP block rules can also operate in an exception mode, allowing traffic from certain source IPs or network addresses to always be allowed.

Creating IP Blocking Rules


IP block rules block all traffic to/from certain network hosts, or between certain parts of distinct networks.

To create an IP block rule:

1 Navigate to the networking > filtering > ip block page.

2 Configure the following settings:

Source IP or network: Enter the source IP, IP range or subnet range of IP addresses to block or exempt. To block or exempt:
An individual network host, enter its IP address, for example: 192.168.10.1.
A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.

Destination IP or network: Enter the destination IP, IP range or subnet range of IP addresses to block or exempt, in the same forms as the source field: an individual host (for example 192.168.10.1), a range (for example 192.168.10.1-192.168.10.15) or a subnet range (for example 192.168.10.0/255.255.255.0 or 192.168.10.0/24).

Drop packet: Select to silently discard any packet from the source IP or network. As seen by the sender, the effect is the same as disconnecting the appropriate interface from the network.

Reject packet: Select to send an ICMP error (connection refused) back to the originating IP. No communication is possible, but the sender is told immediately rather than waiting for a timeout; this is friendlier to misconfigured internal hosts, and also tells an external scanner that a firewall is present.

Exception: Select to always allow the source IPs specified in the Source IP or network field to communicate, regardless of all other IP block rules. Exception rules are typically used in conjunction with other IP block rules, for example, where one IP block rule drops traffic from a subnet range of IP addresses, and another IP block rule creates exception IP addresses against it.

Log: Select to log all activity from this IP.

Comment: Optionally, describe the IP block rule.

Enabled: Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Note: It is not possible for an IP block rule to drop or reject traffic between network hosts that share the same subnet. Such traffic is not routed via the firewall, and therefore cannot be blocked by it.
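As an added example, not Smoothwall's own filtering code, the following Python evaluates a constructed set of IP block rules the way this section describes them: it accepts all three address forms (single host, a-b range, subnet with a dotted mask or a prefix length), lets an exception rule override every block rule for the same source, ignores disabled rules, reports whether the matching rule logs, and returns "unseen" for traffic between hosts on the same local subnet, which is the case in the note above. The rule set, the local subnets and the sample addresses are constructed.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "source destination action log enabled")


def parse_spec(spec):
    """Bounds (first, last) of an address field, or None for "any".

    Accepts the three forms the page lists: a single IP, a range written
    a-b, or a subnet written 192.168.10.0/24 or 192.168.10.0/255.255.255.0."""
    spec = spec.strip()
    if not spec:
        return None
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if low > high:
            raise ValueError("range start is after its end: %s" % spec)
        return low, high
    net = ipaddress.ip_network(spec, strict=False)
    return net[0], net[-1]


def in_spec(spec, ip):
    bounds = parse_spec(spec)
    return bounds is None or bounds[0] <= ip <= bounds[1]


# Constructed rule set: drop and log a hostile /24 but exempt one host in it;
# reject (with an ICMP error) an infected internal range; one disabled rule.
RULES = [
    Rule("198.51.100.0/24", "", "drop", True, True),
    Rule("198.51.100.7", "", "exception", False, True),
    Rule("192.168.10.1-192.168.10.15", "", "reject", True, True),
    Rule("192.168.10.40", "", "drop", True, False),
]

# Constructed local subnets, used for the same-subnet caveat below.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.10.0/24"),
                 ipaddress.ip_network("192.168.20.0/24")]


def evaluate(src, dst, rules=RULES, local=LOCAL_SUBNETS):
    """Verdict for a packet from src to dst, as (verdict, logged) where verdict
    is "allow", "drop", "reject" or "unseen". Exception rules win over every
    block rule matching the same source; otherwise the first enabled matching
    block rule applies; with no match the packet is allowed."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Hosts on the same subnet talk directly through the switch; the firewall
    # never sees the packet, so no IP block rule can apply to it.
    if any(src in net and dst in net for net in local):
        return "unseen", False
    active = [r for r in rules if r.enabled]
    if any(r.action == "exception" and in_spec(r.source, src) for r in active):
        return "allow", False
    for r in active:
        if (r.action in ("drop", "reject") and in_spec(r.source, src)
                and in_spec(r.destination, dst)):
            return r.action, r.log
    return "allow", False
```

Note that the exception check runs before the block rules and looks only at the source, so a blanket drop on 198.51.100.0/24 still lets 198.51.100.7 through, whatever the order of the two rules in the table.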

Editing and Removing IP Block Rules


To edit or remove existing IP block rules, use Edit and Remove in the Current rules area.


Configuring Advanced Networking Features


Advanced Firewall's advanced networking settings can help prevent denial of service (DoS) attacks and enforce TCP/IP standards to restrict broken network devices from causing disruption.

To configure advanced networking features:

1 Navigate to the networking > settings > advanced page.

2 Configure the following settings:

Block ICMP ping broadcasts: Select to prevent the system responding to broadcast ping messages from all network zones (including external). This prevents the system being used as an amplifier in a broadcast ping-based (smurf) DoS attack.

Block ICMP ping: Select to prevent the system responding to normal ping messages from all network zones (including external). This effectively hides the machine from Internet Control Message Protocol (ICMP) pings, but can also make connectivity problems more difficult to diagnose.

Enable SYN cookies: Select to defend the system against SYN flood attacks. In a SYN flood attack, a huge number of connection requests (SYN packets) are sent to a machine in the hope that its queue of half-open connections will be overwhelmed. SYN cookies are a standard defence against this type of attack: the system encodes the connection state in the sequence number of its SYN-ACK instead of storing it, so half-open connections cost it no memory.

Block and ignore IGMP packets: Select this option to block and ignore multicast reporting Internet Group Management Protocol (IGMP) packets. IGMP packets are harmless and are most commonly observed when using cable modems to provide external connectivity. If your logs contain a high volume of IGMP entries, enable this option to ignore IGMP packets without generating log entries.

Block and ignore multicast traffic: Select this option to block multicast messages (destination addresses in the 224.0.0.0/4 range) from ISPs and prevent them generating large volumes of spurious log entries.

Connection tracking table size: The connection tracking table stores information about all connections known to the system, including NATed sessions and traffic passing through the firewall. The value entered in this field determines the table's maximum size. In operation, the table is automatically scaled to an appropriate size within this limit, according to the number of active connections and their collective memory requirements. Occasionally, the default size, which is set according to the amount of memory, is insufficient; use this field to configure a larger size. When the table is full, new connections are dropped, so size it for peak load rather than average load.

SYN backlog queue size: Sets the maximum number of connection requests which may be waiting in a queue to be answered. The default value for this setting is usually adequate, but increasing the value may reduce connection problems for an extremely busy proxy service.

3 Click Advanced to access the following settings:

Block SYN+FIN packets: Select to automatically discard packets that have both the SYN and FIN flags set, an illegal combination used by some scanners to slip past simple filters and fingerprint systems. Generally, SYN+FIN scans result in large numbers of log entries being generated. With this option enabled, the scan packets are automatically discarded and are not logged.

Enable TCP timestamps: Select this option to enable TCP timestamps (RFC 1323) to improve TCP performance on high speed links.

Enable selective ACKs: Select this option to enable selective ACKs (RFC 2018) to improve TCP performance when packet loss is high.

Enable window scaling: Select this option to enable TCP window scaling to improve the performance of TCP on high speed links.

Enable ECN: Select this option to enable Explicit Congestion Notification (ECN), a mechanism for avoiding network congestion. Whilst effective, it requires communicating hosts to support it, and some routers are known to drop packets marked with the ECN bits. For this reason, this feature is disabled by default.

4 Click Save to enable the settings you have selected.
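Most of the options above correspond to standard Linux kernel settings that can be read from the console with sysctl. The following Python is an added example, not Smoothwall code: it parses sysctl -a style output and audits it against the state an administrator has chosen on this page. The mapping from the page's option names to sysctl keys is my reading of the options (the page does not document it), the conntrack key name assumes a kernel that exposes net.netfilter.nf_conntrack_max (older kernels use net.ipv4.netfilter.ip_conntrack_max), the minimum sizes are assumed figures, and the sample output is constructed.

```python
# The kernel state this firewall's administrator wants: the page's option
# names mapped to Linux sysctl keys and the value that means "as chosen".
# Assumption: these are the keys the page's options toggle. Block ICMP ping is
# chosen off here (it hampers diagnosis); ECN is chosen off, the page's default.
POLICY = {
    "Block ICMP ping broadcasts": ("net.ipv4.icmp_echo_ignore_broadcasts", 1),
    "Block ICMP ping":            ("net.ipv4.icmp_echo_ignore_all", 0),
    "Enable SYN cookies":         ("net.ipv4.tcp_syncookies", 1),
    "Enable TCP timestamps":      ("net.ipv4.tcp_timestamps", 1),
    "Enable selective ACKs":      ("net.ipv4.tcp_sack", 1),
    "Enable window scaling":      ("net.ipv4.tcp_window_scaling", 1),
    "Enable ECN":                 ("net.ipv4.tcp_ecn", 0),
}
# Floors for the two sizes: assumed figures for a busy proxy, tune to your load.
# The conntrack key name assumes a kernel with the net.netfilter namespace.
MINIMUMS = {
    "SYN backlog queue size":         ("net.ipv4.tcp_max_syn_backlog", 1024),
    "Connection tracking table size": ("net.netfilter.nf_conntrack_max", 65536),
}


def parse_sysctl(text):
    """Parse `sysctl -a` style output ("key = value") into a dict. Numeric
    values become ints; anything else is kept as a string."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        settings[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return settings


def audit(settings, policy=POLICY, minimums=MINIMUMS):
    """One finding per option whose kernel value differs from the policy;
    an empty list means the running kernel matches the chosen settings."""
    findings = []
    for option, (key, wanted) in policy.items():
        actual = settings.get(key)
        if actual is None:
            findings.append("%s: %s is not present" % (option, key))
        elif actual != wanted:
            findings.append("%s: %s is %s, expected %s" % (option, key, actual, wanted))
    for option, (key, floor) in minimums.items():
        actual = settings.get(key, 0)
        if not isinstance(actual, int) or actual < floor:
            findings.append("%s: %s is %s, below %d" % (option, key, actual, floor))
    return findings


# Constructed snapshot, as `sysctl -a | grep -E 'icmp_echo|tcp_|conntrack_max'`
# might print it on a box where SYN cookies were never switched on.
SAMPLE = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_max_syn_backlog = 256
net.netfilter.nf_conntrack_max = 65536
"""
```

audit(parse_sysctl(SAMPLE)) returns three findings for the constructed snapshot: SYN cookies off, ECN on, and a SYN backlog below the assumed floor. Checking the kernel this way after saving the page confirms the settings actually took effect, which the web interface alone does not show.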

Enabling Traffic Auditing


Traffic auditing is a means of recording extended traffic logs for the purpose of analyzing the different types of incoming, outgoing and forwarded traffic.
To activate a particular traffic auditing feature:

1 Navigate to the networking > settings > advanced page.

2 Click Advanced to access the Traffic auditing area and configure the following settings:

Direct incoming traffic: Select to log all new connections, arriving on any interface, that are destined for the firewall itself.

Direct outgoing traffic: Select to log all new connections made by the firewall itself, from any interface.

Forwarded traffic: Select to log all new connections passing through one interface to another.

3 Click Save.

Note: Traffic auditing can potentially generate vast amounts of logging data. Ensure that the quantity of logs generated is acceptable.

Note: Traffic auditing logs are viewable on the info > logs > firewall page.

Dropping Traffic on a Per-interface Basis


All internal traffic destined for Advanced Firewall can be dropped on a per-interface basis. This feature is useful for preventing non-trusted hosts, such as servers in a DMZ, from having direct connectivity to Advanced Firewall.
To drop all direct traffic on a particular internal interface:

1 Navigate to the networking > settings > advanced page and click Advanced.

2 Select the interface in the Drop all traffic on internal interfaces area.

3 Click Save.

Note: Take care not to drop traffic from the interface that is used to administer Advanced Firewall.

Working with Port Groups


You can create and edit named groups of TCP/UDP ports for use throughout Advanced Firewall. Creating port groups significantly reduces the number of rules needed and makes rules more flexible. For example, you can create a port group to make a single port forward to multiple ports and modify which ports are in the group without having to recreate the rules that use it. In this way you could easily add a new service to all your DMZ servers.


Creating a Port Group


To create a port group:

1 Navigate to the networking > settings > port groups page.

2 In the Port groups area, click New and configure the following settings:

Group name: Enter a name for the port group and click Save.

Name: Enter a name for the port or range of ports you want to add to the group.

Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535. For non-consecutive ports, create a separate entry for each port number.

Comment: Optionally, add a descriptive comment for the port or port range.

3 Click Add. The port, ports or port range is added to the group.

Adding Ports to Existing Port Groups


To add a new port:

1 Navigate to the networking > settings > port groups page.

2 Configure the following settings:

Port groups: From the drop-down list, select the group you want to add a port to and click Select.

Name: Enter a name for the port or range of ports you want to add to the group.

Port: Enter the port number or numbers. For one port, enter the number. For a range, enter the start and end numbers separated by a colon, for example: 1024:65535.

Comment: Optionally, add a descriptive comment for the port or port range.

3 Click Add. The port, ports or range are added to the group.

Editing Port Groups


To edit a port group:

1 Navigate to the networking > settings > port groups page.

2 From the Port groups drop-down list, select the group you want to edit and click Select.

3 In the Current ports area, select the port you want to change and click Edit.

4 In the Add a new port area, edit the port and click Add. The edited port, ports or range is updated.

Deleting a Port Group


To delete a port group:

1 Navigate to the networking > settings > port groups page.

2 From the Port groups drop-down list, select the group you want to delete and click Select.

3 Click Delete.

Note: Deleting a port group cannot be undone.


Chapter 6

Configuring Inter-Zone Security


In this chapter: How bridging rules allow access between internal network zones.

About Zone Bridging Rules

By default, all internal network zones are isolated by Advanced Firewall. Zone bridging is the process of modifying this, in order to allow some kind of communication to take place between a pair of network zones.

A zone bridging rule defines a bridge in the following terms:

Zones: Defines the two network zones between which the bridge exists.

Direction: Defines whether the bridge is accessible one-way or bi-directionally.

Source: Defines whether the bridge is accessible from an individual host, a range of hosts, a network or any host.

Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a network or any host.

Service: Defines what ports and services can be used across the bridge.

Protocol: Defines what protocol can be used across the bridge.

It is possible to create a narrow bridge, e.g. a one-way, single-host to single-host bridge using a named port and protocol, or a wide or unrestricted bridge, e.g. a bi-directional, any-host to any-host bridge using any port and protocol. In general, make bridges as narrow as possible to prevent unnecessary or undesirable use.

Creating a Zone Bridging Rule

Zone bridging rules enable communications between specific parts of separate internal networks.

To create a zone bridging rule:

1 Navigate to the networking > filtering > zone bridging page.

2 Configure the following settings:

Source interface: From the drop-down menu, select the source network zone.

Destination interface: From the drop-down menu, select the destination network zone.

Bi-directional: Select to create a two-way bridge where communication can be initiated from either the source interface or the destination interface.
Note: To create a one-way bridge where communication can only be initiated from the source interface to the destination interface and not vice versa, ensure that this option is not selected.

Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.

Source IP: Enter the source IP, IP range or subnet range from which access is permitted. To create a bridge from:
A single network host, enter its IP address, for example: 192.168.10.1.
A range of network hosts, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
A subnet range of network hosts, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Any network host in the source network, leave the field blank.

Destination IP: Enter the destination IP, IP range or subnet range to which access is permitted. To create a bridge to:
A single network host, enter its IP address, for example: 192.168.10.1.
A range of network hosts, enter an IP address range, for example: 192.168.10.1-192.168.10.15.
A subnet range of network hosts, enter a subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Any network host in the destination network, leave the field blank.

Service: From the drop-down list, select the service, port range or group of ports to which access is permitted. Or, select User defined and leave the Port field blank to permit access to all ports for the relevant protocol.
Note: This is only applicable to TCP and UDP.

Port: If User defined is selected as the service, specify the port number. Or, leave the field blank to permit access to all ports for the relevant protocol.

Comment: Enter a description of the bridging rule.

Enabled: Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Editing and Removing Zone Bridge Rules

To edit or remove existing zone bridging rules, use Edit and Remove in the Current rules area.

A Zone Bridging Tutorial

In this tutorial, we will use the following two local network zones:

Protected network, 192.168.100.0/24: Contains local user workstations and confidential business data.

DMZ, 192.168.200.0/24: Contains a web server.

Note: The DMZ network zone is a DMZ in name alone; until appropriate bridging rules are created, neither zone can see or communicate with the other.

In this example, we will create a DMZ that:
Allows restricted external access to a web server in the DMZ, from the Internet.
Does not allow access to the protected network from the DMZ.
Allows unrestricted access to the DMZ from the protected network.

A single zone bridging rule will satisfy the bridging requirements, whilst a simple port forward will forward HTTP requests from the Internet to the web server in the DMZ.

Creating the Zone Bridging Rule

To create the rule:

1 Navigate to the networking > filtering > zone bridging page and configure the following settings:

Source interface: From the drop-down menu, select the protected network.

Destination interface: From the drop-down menu, select the DMZ.

Protocol: From the drop-down list, select All.

Comment: Enter a description of the rule.

Enabled: Select to activate the bridging rule once it has been added.

2 Click Add. Hosts in the protected network will now be able to access any host or service in the DMZ, but not vice versa.

Allowing Access to the Web Server

To allow access to a web server in the DMZ from the Internet:

1 Navigate to the networking > firewall > port forwarding page and configure the following settings:

Protocol: From the drop-down list, select TCP.

Destination IP: Enter the IP address of the web server: 192.168.200.10.

Service: From the drop-down menu, select HTTP (80) to forward HTTP requests to the web server.

Comment: Enter a description, such as Port forward to DMZ web server.

Enabled: Select to activate the port forward rule once it has been added.

2 Click Add.

Accessing a Database on the Protected Network

Multiple zone bridging rules can be used to further extend the communication allowed between the zones. As an extension to the previous example, a further requirement might be to allow the web server in the DMZ to communicate with a confidential database in the Protected Network. This is exactly the kind of bridge to keep narrow: restricting it to a single source host, a single destination host and a single port means that a compromised web server gains nothing beyond the database port it already needed.

To create the rule:

1 Navigate to the networking > filtering > zone bridging page and configure the following settings:

Source interface: From the drop-down menu, select DMZ.

Destination interface: From the drop-down menu, select Protected Network.

Protocol: From the drop-down menu, select TCP.

Source IP: Enter the web server's IP address: 192.168.200.10.

Destination IP: Enter the database's IP address: 192.168.100.50.

Service: Select User defined. The database service is accessed on port 3306.

Port: Enter 3306.

Comment: Enter a comment: DMZ web server to Protected Network DB.

Enabled: Select Enabled to activate the bridging rule once it has been added.

2 Click Add.
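The tutorial's finished policy as a runnable model, added here as an example; it is not Smoothwall's rule engine and the web interface never shows it. It holds the two zones, the two zone bridging rules and the port forward from the tutorial, and checks sample flows against them: anything from the protected network into the DMZ is allowed, nothing from the DMZ back except the web server to the database on 3306, and HTTP arriving at the external IP lands on the web server. The Service and Port fields are matched with the port-group syntax described under Working with Port Groups (a single port, or start:end for a range). The external IP 203.0.113.10 is an assumption, as is the treatment of a bi-directional rule (the host fields swap together with the zones).

```python
import ipaddress
from collections import namedtuple

# The tutorial's zones. A host's zone is the interface whose subnet contains it.
ZONES = {
    "protected": ipaddress.ip_network("192.168.100.0/24"),
    "dmz": ipaddress.ip_network("192.168.200.0/24"),
}

# A zone bridging rule: zones, the Bi-directional flag, protocol ("all", "tcp"
# or "udp"), optional single source/destination host, and the Service or Port
# entries in port-group syntax ("80", "1024:65535", comma separated; blank
# means every port of the protocol).
Bridge = namedtuple("Bridge", "src_zone dst_zone bidirectional proto src_ip dst_ip ports")
# A port forward: external IP, protocol, port, destination IP, destination port.
Forward = namedtuple("Forward", "external_ip proto port dst_ip dst_port")

RULES = [
    # "Creating the Zone Bridging Rule": protected -> DMZ, everything, one-way.
    Bridge("protected", "dmz", False, "all", None, None, ""),
    # "Accessing a Database": only the web server, only to the DB, only 3306.
    Bridge("dmz", "protected", False, "tcp", "192.168.200.10", "192.168.100.50", "3306"),
]
# "Allowing Access to the Web Server"; 203.0.113.10 is an assumed external IP.
FORWARDS = [Forward("203.0.113.10", "tcp", 80, "192.168.200.10", 80)]


def port_in_group(entries, port):
    """Port-group matching: each entry is one port or an inclusive start:end range."""
    for entry in filter(None, (e.strip() for e in entries.split(","))):
        low, _, high = entry.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False


def zone_of(ip):
    return next((name for name, net in ZONES.items() if ip in net), None)


def bridged(src, dst, proto, port, rules=RULES):
    """True if some bridging rule lets src open a proto/port connection to dst.
    Zones are isolated by default, so no matching rule means no access."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False
    if src_zone == dst_zone:
        return True      # same zone: never crosses the firewall, nothing to bridge
    for rule in rules:
        directions = [(rule.src_zone, rule.dst_zone, rule.src_ip, rule.dst_ip)]
        if rule.bidirectional:
            # Assumption: a two-way bridge swaps the host fields with the zones.
            directions.append((rule.dst_zone, rule.src_zone, rule.dst_ip, rule.src_ip))
        for rz_src, rz_dst, r_src, r_dst in directions:
            if (rz_src, rz_dst) != (src_zone, dst_zone):
                continue
            if r_src and ipaddress.ip_address(r_src) != src:
                continue
            if r_dst and ipaddress.ip_address(r_dst) != dst:
                continue
            if rule.proto not in ("all", proto):
                continue
            if proto in ("tcp", "udp") and rule.ports and not port_in_group(rule.ports, port):
                continue
            return True
    return False


def forwarded(external_ip, proto, port, forwards=FORWARDS):
    """Where traffic arriving at an external IP and port is sent, or None."""
    for fwd in forwards:
        if (fwd.external_ip, fwd.proto, fwd.port) == (external_ip, proto, port):
            return fwd.dst_ip, fwd.dst_port
    return None
```

The useful checks are the negative ones: bridged("192.168.200.10", "192.168.100.50", "tcp", 22) and bridged("192.168.200.11", "192.168.100.50", "tcp", 3306) are both False, which is what makes the second rule a narrow bridge rather than a hole in the DMZ.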

Group Bridging

By default, authenticated users may only access network resources within their current network zone, or that are allowed by any active zone bridging rules. Group bridging is the process of modifying this default security policy, in order to allow authenticated users from any network zone to access specific IP addresses, IP ranges, subnets and ports within a specified network zone.

Authenticated groups of users can be bridged to a particular network by creating group bridging rules. A group bridging rule defines a bridge in the following terms:

Group: The group of users from the authentication sub-system that may access the bridge.

Zone: The destination network zone.

Destination: Defines whether the bridge allows access to an individual host, a range of hosts, a subnet of hosts or any hosts.

Service: Defines what ports and services can be used across the bridge.

Protocol: Defines what protocol can be used across the bridge.

Like zone bridges, group bridges can be narrow (e.g. allow access to a single host, using a named port and protocol) or wide (e.g. allow access to any host, using any port and protocol). In general, bridges should be made as narrow as possible to prevent unnecessary or undesirable use.

Group Bridging and Authentication

Group bridging uses the core authentication mechanism, meaning that users must be pre-authenticated before group bridging rules can be enforced by Advanced Firewall. Users can authenticate themselves using the authentication system's Login mechanism, either automatically when they try to initiate outbound web access or manually by browsing to the secure SSL Login page. Authentication can also be provided by any other mechanism used elsewhere in the system. For further information about authentication, see Chapter 13, Authentication and User Management on page 223.

Creating Group Bridging Rules

Group bridging rules apply additional zone communication rules to authenticated users.

To create a group bridging rule:

1 Navigate to the networking > filtering > group bridging page.

2 Configure the following settings:

Groups: From the drop-down menu, select the group of users that this rule will apply to.

Select: Click to select the group.

Destination interface: Select the interface that the group will be permitted to access.

Destination IP: Enter the destination IP, IP range or subnet range that the group will be permitted to access. To create a rule to allow access to:
A single network host in the destination network, enter its IP address, for example: 192.168.10.1.
A range of network hosts in the destination network, enter an appropriate IP address range, for example: 192.168.10.1-192.168.10.15.
A subnet range of network hosts in the destination network, enter an appropriate subnet range, for example: 192.168.10.0/255.255.255.0 or 192.168.10.0/24.
Any network host in the destination network, leave the field blank.

Protocol: From the drop-down list, select a specific protocol to allow for communication between the zones or select All to allow all protocols.

Service: From the drop-down list, select the service, port or port range to be used. To restrict to a custom port, select User defined and enter a port number in the Port field. To allow any service or port to be used, select User defined and leave the Port field empty.

Port: If applicable, enter a destination port or range of ports. If this field is blank, all ports for the relevant protocol will be permitted.

Comment: Enter a description of the rule.

Enabled: Select to enable the rule.

3 Click Add. The rule is added to the Current rules table.

Editing and Removing Group Bridges

To edit or remove existing group bridging rules, use the Edit and Remove buttons in the Current rules region.

Chapter 7

Managing Inbound and Outbound Traffic


In this chapter:
- How port forward rules work
- How to manage outbound access to IP addresses and networks
- Application helpers which allow traffic passing through the firewall to work correctly

Inbound Security

Introduction to Port Forwards

Port forwards are used to forward requests that arrive at an external network interface to a particular network host in an internal network zone.

It is common to think of such requests arriving from hosts on the Internet; however, port forwards can be used to forward any type of traffic that arrives at an external interface, regardless of whether the external interface connects to the Internet or some other external network zone.

For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a De-Militarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.

Port Forward Rules Criteria

Port forward rules can be configured to forward traffic based on the following criteria:

External IP: Forward traffic if it arrived at a particular external interface or external alias.
Source IP: Forward traffic if it originated from a particular IP address, IP address range or subnet range.
Port: Forward traffic if it was destined for a particular port or range of ports.
Protocol: Forward traffic if it uses a particular protocol.
Destination IP: A port forward will send traffic to a specific destination IP.
Destination port: A port forward will send traffic to a specific destination port.

Note: It is important to consider the security implications of each new port forward rule. Any network is only as secure as the services exposed upon it. Port forwards allow unknown hosts from the external network to access a particular internal host. If a cracker manages to break into a host that they have been forwarded to, they may gain access to other hosts in the network. For this reason, we recommend that all port forwards are directed towards hosts in isolated network zones, that preferably contain no confidential or security-sensitive network hosts. Use the networking > filtering > zone bridging page to ensure that the target host of the port forward is contained within a suitably isolated network, i.e. a DMZ scenario.

Creating Port Forward Rules

To create a port forward rule:

1. Navigate to the networking > firewall > port forwarding page.

2. Configure the following settings:

External interface: From the drop-down menu, select the interface that the port forward will be bound to. By default, a port forward is bound to the primary external connection. However, if you have a secondary external connection you can assign a port forward explicitly to it.
Select: Click to select the external interface specified.
Protocol: From the drop-down list, select the network protocol for the traffic that you want to forward. For example, to port forward an HTTP request, which is a TCP-based protocol, choose the TCP option.
External IP or network: Enter the IP address, address range or subnet range of the external hosts allowed to use this rule. Or, to create a port forward rule that will forward all external hosts (such as that required to port forward anonymous HTTP requests from any network host to a web server), leave this field blank.
Log: Select to log all port forwarded traffic.
IPS: Select to deploy intrusion prevention. See Chapter 8, Deploying Intrusion Prevention Policies on page 105 for more information.
Source IP: Select the external IP alias that this rule will apply to. In most cases, this will be the IP of the default external connection.
Source service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Note: Only applies to the protocols TCP and UDP.
User defined: If User defined is selected in the Source service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Destination IP: Enter the IP address of the network host to which traffic should be forwarded.
Destination service: From the drop-down menu, select the service, port, port range or group of ports. Or, select User defined.
User defined: If User defined is selected as the destination service, enter a destination port. Leave this field empty to create a port forward that uses the source port as the destination port. If left blank and the source service value specified a port range, the destination port will be the same as the port that the connection came in on. If it contains a single port, then this will be used as the target.
Comment: Enter a description of the port forward rule.
Enabled: Select to enable the rule.

3. Click Add. The port forward rule is added to the Current rules table.

Load Balancing Port Forwarded Traffic

Advanced Firewall enables you to load balance port forwarded traffic to different network hosts.

To load balance port forwards:

1. On the networking > firewall > port forwarding page, create a port forward rule to the first network host. See Creating Port Forward Rules on page 64 for more information.

2. On the networking > firewall > port forwarding page, create another port forward rule using exactly the same settings except for the destination IP to the second network host. Advanced Firewall automatically balances the traffic between the hosts.

Editing and Removing Port Forward Rules


To edit or remove existing port forward rules, use Edit and Remove in the Current rules area.

Advanced Network and Firewall Settings


The following sections explain network application helpers, how you can manage bad traffic actions and reflective port forwarding.

Network Application Helpers

Advanced Firewall includes a number of helper applications which must be enabled to allow certain types of traffic passing through the firewall to work correctly.

To activate helper applications:

1. Navigate to the networking > firewall > advanced page.

The following helper applications are available:

FTP: IP information is embedded within FTP traffic; this helper application ensures that FTP communication is not adversely affected by the firewall.
IRC: IP information is embedded within IRC traffic; this helper application ensures that IRC communication is not adversely affected by the firewall.
Advanced PPTP client support: When enabled, loads special software modules to help PPTP clients. This is the protocol used in standard Windows VPNing. If this option is not selected, it is still possible for PPTP clients to connect through to a server on the outside, but not in all circumstances. Difficulties can occur if multiple clients on the local network wish to connect to the same PPTP server on the Internet. In this case, this application helper should be used.
Note: When this application helper is enabled, it is not possible to forward PPTP traffic. For this reason, this option is not enabled by default.
H323: When enabled, loads modules to enable passthrough of H323, a common protocol used in Voice over IP (VoIP) applications. Without this option enabled, it will not be possible to make VoIP calls. Additionally, with this option enabled, it is possible to receive incoming H323 calls through the use of a port forward on the H323 port. This option is disabled by default because of a theoretical security risk associated with the use of H323 passthrough. We recommend that you only enable this feature if you require VoIP functionality.

To enable a helper application:

1. In the Network application helpers area, select the application(s) you require.
2. Optionally, in the Advanced area, select Drop to drop traffic silently. This runs Advanced Firewall in a stealth-like manner and makes things like port scans much harder to do.
3. Click Save.

Managing Bad External Traffic

By default, bad traffic is rejected and a No one here ICMP message is bounced back to the sender. This is what Internet hosts are meant to do. Using the Bad external traffic action option, you can drop traffic silently, which enables you to stealth your firewall and make things like port scans much harder to do.

To manage bad external traffic:

1. Navigate to the networking > firewall > advanced page.
2. From the Bad external traffic action drop-down list, select Drop to silently discard the traffic and not send a message to the sender, or Reject to keep the default behavior, that is, reject the traffic and notify the sender.
3. Click Save to implement your selection.

Configuring Reflective Port Forwards

By default, port forwards are not accessible from within the same network where the destination of the forward resides. However, when enabled, the reflective port forwards option allows port forwards originating on an internal network to reach a host on the same network. This makes it possible to access a port forwarded service from inside the internal network using the same (external) address as an external host would.

To configure reflective port forwards:

1. Navigate to the networking > firewall > advanced page.
2. Select Reflective port forwards and click Save.

Outbound Access

The following sections discuss outbound port and source rules. Port rules are used to create lists of outbound communication rules that can be subsequently applied to individual hosts and networks using source rules.

Port Rule Modes

Port rules can operate in one of two modes:

Permissive: Reject only outbound requests to the named ports.
Restrictive: Allow only outbound requests to the named ports.

Preset Port Rules

Advanced Firewall supports a maximum of 20 port rule sets, of which the following preset rules are installed by default and can be customized:

MS ports: Ports commonly associated with Microsoft Windows such as SMB (NetBIOS), Active Directory etc.
Known exploits: Ports associated with many common exploits against a variety of programs and services, including many ports associated with malware attacks.
Basic services: Services common to most user computers, including web browsing (HTTP and HTTPS), email (POP3), DNS etc.
DMZ: Basic ports necessary for hosting servers in a DMZ network.

In addition, the following preset rules are included and cannot be customized:

Allow all: This port rule allows unrestricted access to the Internet.
Reject all: This port rule denies all outbound access to the Internet.

Creating a Port Rule

To create a port rule:

1. Navigate to the networking > outgoing > ports page.

2. Configure the following settings:

Port rules: From the drop-down menu, select Empty and click Select.
Port rule name: Enter a name for the port rule. This name will be displayed in the Port rules drop-down list and wherever the rule can be selected.
Reject only listed ports: Select to reject listed ports.
Allow only listed ports: Select to allow listed ports.
Rejection logging: Select if you want to log outbound requests rejected by this rule.
Stealth mode: Select if you want to log but not reject outbound requests.
Note: This generates a lot of data and should be used with care.
Block eDonkey: Select to block access to eDonkey and eMule P2P variants.
Block KaZaA: Select to block access to the KaZaA P2P network.
Block Gnutella: Select to block access to the Gnutella and GnutellaNet P2P networks.
Block BitTorrent: Select to block the use of the BitTorrent protocol for P2P file transfers.
Block DirectConnect: Select to block access to the DirectConnect file sharing network.

Note: The dedicated P2P blocking options are provided due to the nature of certain P2P software. Various P2P applications are port-aware and use a number of evasive techniques to circumvent regular outbound access controls. Advanced Firewall is able to detect such activity when these options are activated, and ensure that P2P communication is completely blocked.

3. Click Save. The port rule is added to the Port rules drop-down list.

4. In the Add a new rule area, configure the following settings:

Protocol: From the drop-down menu, select a network protocol to add to the port rule.
Service: From the drop-down menu, select the service, port, port range or group of ports you want to allow or deny, depending on the rule you are creating. Select User defined to be able to specify a specific port number in the User defined port or range field.
Port: Enter a custom port number or range of ports if User defined is selected in the Service drop-down list. A port range is specified using from:to notation, for example: 1024:2048.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

5. Click Add. The rule is added to the Current rules region.

Editing a Port Rule

To edit an existing port rule:

1. Navigate to the networking > outgoing > ports page.
2. Choose the port rule that you wish to edit from the Port rules drop-down list.
3. Click Select to display the port rule and make any changes to the port rule settings using the controls in the Port rules region.
4. Click Save in the Port rules region.

Editing and Removing Protocols and Ports


To edit or remove existing protocols and ports for a port rule, use Edit and Remove in the Current rules region.

Deleting a Port Rule

To delete an existing port rule:

1. Navigate to the networking > outgoing > ports page.
2. Select the port rule that should be deleted using the Port rules drop-down list from the Port rules region.
3. Click Delete.

Viewing a Port Rule

To display the contents of preset or custom port rules:

1. Navigate to the networking > outgoing > ports page.
2. In the Port rules region, choose a set of port rules using the Port rules drop-down list.
3. Click Select. The set of port rules and associated configuration are displayed in the Port rules and Current rules regions.

Source Rules

Source rules are used to assign outbound access controls to IP addresses and networks. Each source rule associates a particular host or network with a preset or customized port rule.

When the source IP of an outbound packet originates from a host that is defined in a source rule, Advanced Firewall checks that the packet does not break the port rules assigned to the host. If the packet is destined for a banned port, the packet is rejected. If the packet is destined for an allowed port, the packet is allowed.

Note: Once a packet matches a source rule, it will not be subjected to further rule matching. Source rules cannot be stacked.
Configuring the Default Source Rule Settings

To create a source rule:

1. Navigate to the networking > outgoing > sources page.

2. Configure the following settings:

Default port rule: From the drop-down list, select the port rule to be applied to outbound packets originating from a source IP that has no matching source rule configured. This value is usually set to one of the preset catch-all port rules, either Allow all or Reject all. Selecting Allow all enables all hosts that are not matched by a source rule to initiate any kind of outbound communication. Selecting Reject all prevents all outbound communication from all non-matching hosts. Best practice is to select Reject all.
Rejection logging: Select to log all traffic rejected by the default or current list of source rules.
Stealth mode: Select to allow all traffic that would normally be rejected by the default port rule and log all traffic information in the firewall logs.

3. Click Save.

4. In the Add a new rule area, configure the following settings:

Source IP or network: Enter the source IP or network that the selected port rule will affect. To apply the port rule to a specific host, enter its IP address. To apply it to a range of network hosts, enter an IP address range; for example, entering the value 192.168.10.10:50 will encompass the range of addresses from 192.168.10.10 to 192.168.10.50. To apply it to a subnet, enter a source IP and network mask; for example, 192.168.10.0/255.255.255.0 will encompass the range of addresses from 192.168.10.0 to 192.168.10.255.
Port rule: From the drop-down list, select the port rule to apply.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

5. Click Add. The source rule is added to the Current rules table.

Editing and Removing Source Rules

To edit or remove existing source rules, use Edit and Remove in the Current rules region.
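As an added illustration of the outbound model described in the Port Rule Modes and Source Rules sections (example code written for this guide, not Smoothwall's implementation), the following Python evaluates a constructed set of port rules and source rules the way the sources page describes: the first matching source rule decides, its port rule is applied in Reject-only or Allow-only mode with Stealth mode and Rejection logging honoured, and unmatched hosts fall through to the default port rule. The interpretation of the 192.168.10.10:50 notation as a last-octet range, the modelling of the Allow all and Reject all presets as empty port lists, and all rule contents and addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Parsers for the notations used on the sources and ports pages. The ":50" form
# is taken to name the last octet only (assumption based on the guide's example).
def parse_source(spec: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """First and last address covered by a 'Source IP or network' entry:
    '192.168.10.10' (one host), '192.168.10.10:50' (range up to .50),
    '192.168.10.0/255.255.255.0' (address plus network mask)."""
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return net[0], net[-1]
    if ":" in spec:
        first, last_octet = spec.split(":")
        last = ".".join(first.split(".")[:3] + [last_octet])
        return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    host = ipaddress.IPv4Address(spec)
    return host, host

def parse_ports(spec: str) -> Tuple[int, int]:
    """'1024:2048' -> (1024, 2048); a single port '80' -> (80, 80)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

@dataclass
class PortRule:
    name: str
    allow_only_listed: bool  # True: 'Allow only listed ports'; False: 'Reject only listed ports'
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (protocol, port or A:B range)
    rejection_logging: bool = False
    stealth_mode: bool = False  # log the request but do not reject it

    def lists(self, proto: str, port: int) -> bool:
        for entry_proto, spec in self.entries:
            lo, hi = parse_ports(spec)
            if entry_proto == proto and lo <= port <= hi:
                return True
        return False

@dataclass
class SourceRule:
    source: str  # Source IP or network, in the notation parsed above
    port_rule: PortRule
    enabled: bool = True

@dataclass(frozen=True)
class Verdict:
    action: str  # "allow" or "reject"
    logged: bool
    rule: str    # name of the port rule that decided

# The two fixed presets, modelled here as the two modes with an empty port list.
ALLOW_ALL = PortRule("Allow all", allow_only_listed=False)   # reject nothing
REJECT_ALL = PortRule("Reject all", allow_only_listed=True)  # allow nothing

def apply_port_rule(rule: PortRule, proto: str, port: int) -> Verdict:
    listed = rule.lists(proto, port)
    would_reject = (not listed) if rule.allow_only_listed else listed
    if not would_reject:
        return Verdict("allow", False, rule.name)
    if rule.stealth_mode:  # stealth: let it through, but log it
        return Verdict("allow", True, rule.name)
    return Verdict("reject", rule.rejection_logging, rule.name)

def outbound_verdict(src_ip: str, proto: str, port: int,
                     source_rules: List[SourceRule], default_rule: PortRule) -> Verdict:
    """First matching source rule decides; source rules are not stacked.
    Hosts with no matching source rule fall through to the default port rule."""
    ip = ipaddress.IPv4Address(src_ip)
    for sr in source_rules:
        if not sr.enabled:
            continue
        first, last = parse_source(sr.source)
        if first <= ip <= last:
            return apply_port_rule(sr.port_rule, proto, port)
    return apply_port_rule(default_rule, proto, port)

# Constructed sample configuration (not taken from any real installation).
BASIC_SERVICES = PortRule("Basic services", allow_only_listed=True,
                          entries=[("tcp", "80"), ("tcp", "443"), ("tcp", "110"),
                                   ("tcp", "53"), ("udp", "53")],
                          rejection_logging=True)
MS_PORTS = PortRule("MS ports", allow_only_listed=False,
                    entries=[("tcp", "135:139"), ("udp", "137:139"), ("tcp", "445")],
                    stealth_mode=True)
SOURCE_RULES = [
    SourceRule("192.168.10.10:50", BASIC_SERVICES),      # workstations: allow-list only
    SourceRule("192.168.10.0/255.255.255.0", MS_PORTS),  # rest of the subnet: deny-list
    SourceRule("10.0.0.5", ALLOW_ALL),                   # one unrestricted host
]
DEFAULT_RULE = REJECT_ALL  # the catch-all the guide recommends

def demo() -> Dict[Tuple[str, str, int], Verdict]:
    """Constructed outbound packets (source IP, protocol, destination port)."""
    packets = [("192.168.10.20", "tcp", 443), ("192.168.10.20", "tcp", 445),
               ("192.168.10.200", "tcp", 445), ("192.168.10.200", "tcp", 8080),
               ("10.0.0.5", "tcp", 6881), ("172.16.0.9", "tcp", 80)]
    return {p: outbound_verdict(*p, SOURCE_RULES, DEFAULT_RULE) for p in packets}
```

Note that 192.168.10.20 on port 445 is rejected by Basic services even though MS ports would also have matched it; the second source rule is never consulted because source rules do not stack.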

Managing External Services

You can prevent local network hosts from using external services by creating appropriate source and port rules to stop outbound traffic.

To create an external service rule:

1. Navigate to the networking > outgoing > external services page.

2. Configure the following settings:

Service: Select Empty from the drop-down list.
Service rule name: Enter a name for the rule.
Protocol: Select the protocol used by the service.
Service: From the drop-down menu, select the service, port, port range or group of ports. Or, to specify a user defined port, select User defined.
Port: If User defined is selected in the Service drop-down menu, enter a single port or port range. Port ranges are specified using an A:B notation. For example: 1000:1028 covers the range of ports from 1000 to 1028.
Rejection logging: Select to log all traffic rejected by the external services rule.
Stealth mode: Select to allow traffic that would normally be rejected by the external services rule and log all traffic in the firewall logs.

3. Click Save.

4. In the Add a new rule area, configure the following settings:

Destination IP: Enter the IP address of the external service to which the rule applies.
Comment: Enter a description of the rule.
Enabled: Select to enable the rule.

5. Click Add. The external service rule is added to the Current rules region.

Editing and Removing External Service Rules


To edit or remove existing external service rules, use Edit and Remove in the Current rules area.

Assigning Rules to Groups

The groups page is used to assign outbound access controls to authenticated groups of users. Each group rule associates a particular authenticated group of users with a preset or customized port rule.

To assign rules to groups:

1. Navigate to the networking > outgoing > groups page.
2. Select Enable authenticated groups.
3. Locate the authentication group in the Group rules region and choose its port rule from the adjacent Port rule drop-down list.
4. Click Save.

Note: Group rules cannot be enforced in all circumstances. If a user has not actively authenticated themselves, using the SSL Login page or by some other authentication method, the user is unknown to the system and group rules cannot be applied. In this case, only source rules will be applied. Group rules are often more suitable for allowing access to ports and services. In such situations, users have a reason to pro-actively authenticate themselves so that they can gain access to an outbound port or service.
Chapter 8

Advanced Firewall Services


In this chapter:
- User portals
- Web proxying
- IM proxying
- Monitoring SSL-encrypted chats
- SIP proxying
- FTP proxying
- SNMP
- DNS
- Censoring content
- Managing the intrusion system
- DHCP

For information on authentication services, see Chapter 13, Authentication and User Management on page 223.

Working with User Portals


Advanced Firewall enables you to create user portals which can be configured to make reports and software downloads available and to enable users with the correct privileges to ban other users or locations from web browsing. For information on using a portal, see the Advanced Firewall Portal Users Guide.

Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific group.

To create a user portal and make it available to users:

1. Browse to the services > user portal > portals page.

2. In the Portals area, enter a name for the portal and click Save. Advanced Firewall creates the portal and makes it accessible on your Advanced Firewall system at, for example: http://192.168.72.141/portal/

3. Browse to the services > user portal > groups page.

4. Configure the following settings:

Group: From the drop-down menu, select the group containing the users you want to authorize to use the portal. For more information on users and groups, see Chapter 13, Managing Groups of Users on page 231.
Portal: From the drop-down menu, select the portal you want the group to access.

5. Click Add. Advanced Firewall authorizes the group to use the portal. The next step is to configure the portal to enable authorized users to use it to download files, manage web access and display reports.

Configuring a Portal

The following sections explain how to configure an Advanced Firewall portal so that authorized users can view reports, block other users from accessing the web, download VPN client files and receive a welcome message.

Making Reports Available

When enabled, Advanced Firewall will make the most often viewed reports available on the portal. For more information on working with reports, see Chapter 14, Reporting on page 247.

To make reports available on a portal:

1. Browse to the info > reports > recent and saved page, locate the report you want to publish on a portal and click Permissions. A dialog box containing report details opens.
2. From the Add access drop-down list, select the portal where you want to publish the report and click Add.
3. Click Close to close the dialog box.
4. Browse to the services > user portal > portals page and, in the Portals area, configure the following settings:

Portals: From the drop-down list, select the portal on which you want to make reports available and click Select.

5. In the Portal published reports and templates area, configure the following settings:

Enabled: Select Enabled.
Top reports displayed on portal home page: From the drop-down list, select the number of reports you want to display on the portal's home page. Advanced Firewall will display the most often viewed reports.

6. Browse to the bottom of the page and click Save to save the settings and make the reports available on the portal.

Enabling Groups to Block Users' Access

You can authorize users in a group that has access to the portal to block individual users' web access.

To authorize blocking:

1. Browse to the services > user portal > portals page and, in the Portals area, configure the following settings:

Portals: From the drop-down list, select the portal on which you want to authorize groups to block users.

2. In the Portal permissions for web access blocking area, configure the following settings:

Enabled: Select Enabled.
Allow control of groups: Select this option and, in the list of groups displayed, select the group(s) containing the users that the group is authorized to block from accessing the web. To select consecutively listed groups, hold down the Shift key while selecting. To select non-consecutively listed groups, hold down the Ctrl key while selecting.

3. Browse to the bottom of the page and click Save to save the settings.

Making VPN Client Archives Available for Download


You can configure Advanced Firewall to make an SSL VPN client archive available for download from a portal.
To make an archive available:

1. Browse to the services > user portal > portals page and, in the VPN connection details area, configure the following settings:

SSL VPN client archive download: Select this option to make the archive available for download on the portal home page. See Chapter 9, Generating SSL VPN Archives on page 159 for information on how to create the archive.

2. Browse to the bottom of the page and click Save to save the settings.

Configuring a Welcome Message


Advanced Firewall enables you to display a customized welcome message when a user visits a portal.

To display a welcome message on a portal:

1. Browse to the services > user portal > portals page and, in the Welcome message area, configure the following settings:

Welcome message: Select to display the message on the portal. In the text box, enter a welcome message and/or any information you wish the user to have, for example regarding acceptable usage of the portal.

2. Browse to the bottom of the page and click Save to save the settings.

Assigning Groups to Portals


The following section explains how to assign a group of users to a portal so that they can access it.
To assign a group to a portal:

1. Browse to the services > user portal > groups page.

2. Configure the following settings:

Group: From the drop-down menu, select the group you want to allow access to the portal. For more information on groups, see Chapter 13, Managing Groups of Users on page 231.
Portal: From the drop-down menu, select the portal you want the group to access.

3. Click Add. Advanced Firewall will allow members of the group to access the specified portal.

Making User Exceptions


You can configure Advanced Firewall so that a user uses a specific portal. This setting overrides group settings.
To make user exceptions on a portal:

1. Browse to the services > user portal > user exceptions page.

2. Configure the following settings:

Username: Enter the username of the user you want to access the portal.
Portal: From the drop-down list, select the portal you want the user to access.

3. Click Add. Advanced Firewall gives the user access to the portal.

Accessing Portals
The following section explains how to access a portal.
To access a portal:

1. In the browser of your choice, enter the URL to the portal on your Advanced Firewall system, for example: http://192.168.72.141/portal/
2. Accept any certificate and other security information. Advanced Firewall displays the login page for the portal.
3. Enter a valid username and password and click Login. The portal is displayed.

For more information, see the Advanced Firewall Portal User Guide.

Editing Portals
The following section explains how to edit a portal.
To edit a portal:

1. Browse to the services > user portal > portals page.
2. From the Portals drop-down list, select the portal you want to edit.
3. Make the changes you require; see Configuring a Portal on page 77 for information on the settings available.
4. Click Save to save the changes.


Deleting Portals
The following section explains how to delete a portal.
To delete a portal:

1. Browse to the services > user portal > portals page.
2. From the Portals drop-down list, select the portal you want to delete.
3. Click Delete. Advanced Firewall deletes the portal.

Web Proxy
Advanced Firewall's web proxy service provides local network hosts with controlled access to the Internet with the following features:
- Transparent or non-transparent operation
- Caching controls for improved resource access times
- Support for automatic configuration scripts
- Support for remote proxy servers


Configuring and Enabling the Web Proxy Service


To configure and enable the web proxy service:

Navigate to the services > proxies > web proxy page.


Configure the following settings:


Control Cache size Description

Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value. Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached. The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the systems total storage capacity, up to a maximum of around 10 gigabytes approximately 10000 megabytes for a high performance system with storage capacity in excess of 25 gigabytes. Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection. For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.

Remote proxy

Optionally, enter the IP address of a remote proxy in the following format:


hostname:port

In most scenarios this field will be left blank and no remote proxy will be used. Used to configure the web proxy to operate in conjunction with a remote web proxy. Larger organizations may wish to use a dedicated proxy or sometimes ISPs offer remote proxy servers to their subscribers.
Remote proxy username Remote proxy password Max object size

Enter the remote proxy username if using a remote proxy with user authentication. Enter the remote proxy password when using a remote proxy with user authentication. Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache. The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.

Min object size

Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. The default is no minimum this should be suitable for most purposes. This can be useful for preventing large numbers of tiny objects filling the cache.

Max outgoing size Specify the maximum amount of outbound data that can be sent by a browser

in any one request. The default is no limit. This can be used to prevent large uploads or form submissions.
Max incoming size Specify the maximum amount of inbound data that can be received by a

browser in any one request. This limit is independent of whether the data is cached or not. The default is no limit. This can be used to prevent excessive and disruptive download activity.

83

Chapter 8 Advanced Firewall Services Web Proxy Control Transparent Description

Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy. All requests are automatically redirected through the cache. This can be used to prevent network hosts from browsing without using the proxy server. In nontransparent mode, proxy server settings (IP address and port settings) must be configured in all browsers. For more information, see About Web Proxy Methods on page 85.

Disable proxy logging Enabled Allow admin port access

Select to disable the proxy logging. Select to enable the web proxy service. Select to permit access to other network hosts over ports 81 and 441. This is useful for accessing remote a Smoothwall System, or other nonstandard HTTP and HTTPS services, through the proxy. In normal circumstances such communication would be prevented.
Note: By selecting this option, it is possible to partially bypass the admin

access rules on the system > administration > admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
Do not cache

Enter any domains that should not be web cached. Enter domain names without the www. prefix, one entry per line. This can be used to ensure that old content of frequently updated web sites is not cached.

Exception local IP addresses
    Enter any IP addresses on the local network that should be completely exempt from authentication restrictions. Exception local IP addresses are typically used to grant administrator workstations unrestricted Internet access. Because the exemption is keyed on the source IP address alone, give such workstations fixed addresses: any host that obtains one of these addresses inherits the exemption.
Banned local IP addresses
    Enter any IP addresses on the local network that are completely banned from using the web proxy service. If any host in this list tries to access the web, it receives an error page stating that it is banned.

No user authentication
    Select to allow all users to access the web proxy service without authenticating.

Proxy authentication
    Select to allow users to access the web proxy service according to the username and password they enter when prompted by their web browser. The browser then includes these credentials in every subsequent request it sends to the proxy; they are encoded, not encrypted, so treat them as readable by anyone who can observe traffic between the browser and the proxy.
    Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.

Core authentication
    Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the authentication system reports the user's status as unauthenticated.


Groups allowed to use web proxy
    Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership. Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
Automatic configuration script custom direct hosts
    Enter any additional hosts to add to the automatic configuration script's list of direct (non-proxied) hosts. This is useful for internal web servers such as a company intranet server. All hosts listed are automatically added to a browser's Do not use proxy server for these addresses setting when it fetches the automatic configuration script for its proxy settings.
    Note: Browsers must be configured to fetch the automatic configuration script to receive this list of direct hosts.


Use automatic configuration script address
    After enabling and restarting the service, the automatic configuration script location is displayed here.
    Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues with the browser's implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
Manual web browser proxy settings
    After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.

Interfaces
    Select the interfaces on which the web proxy accepts traffic.

Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache. The web proxy is restarted with any configuration changes applied.

Note: Save and Restart with cleared cache saves the configuration changes and empties the proxy cache of all data. This is useful when cache performance has been degraded by the storage of stale information, typically from failed web browsing or poorly constructed web sites.

Note: Restarting may take up to a minute to complete. During this time, end-user browsing is suspended and any active downloads fail. Restart at a time that is convenient for the proxy's end users.

About Web Proxy Methods


The following sections discuss the types of web proxy methods supported by Advanced Firewall.

Transparent Proxying
If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all HTTP requests on port 80 are automatically redirected through the proxy cache. Only port 80 is redirected: HTTPS and HTTP on other ports are not seen by the transparent proxy, so use firewall rules if that traffic must not bypass it. Proxy authentication is not available in this mode (see the note under Proxy authentication above).

If you are having problems with transparent proxying, check that neither of the following settings is configured in end-user browsers:
    Automatic configuration
    Proxy server

Non-Transparent Proxying
If Advanced Firewall's web proxy service has not been configured to operate in transparent mode, all end-user browsers on local workstations in Advanced Firewall network zones must be configured. You can configure browser settings in one of three ways:

Manually
    Browsers are manually configured with the proxy address and port to enable Internet access.

Automatically using a configuration script
    Browsers are configured to receive proxy configuration settings from an automatic configuration script, proxy.pac. The configuration script is automatically generated by Advanced Firewall and is accessible to all network zones that the web proxy service is enabled on.

WPAD automatic script
    Browsers are configured to automatically detect proxy settings, and a local DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.

Configuring End-user Browsers

The following steps explain how to configure web proxy settings in the latest version of Internet Explorer available at the time of writing.

To configure Internet Explorer:

1  Start Internet Explorer, and from the Tools menu, select Internet Options.
2  On the Connections tab, click LAN settings.
3  Configure the settings for the method you are using, as described below.

Method: Manual

1  In the Proxy server area, select Use a proxy server for your LAN.
2  Enter your Advanced Firewall's IP address and port number 800. This information is displayed on the services > proxies > web proxy page, in the Manual web browser proxy settings area.
3  Click Advanced to access more settings.
4  In the Exceptions area, enter the IP address of your Advanced Firewall and the addresses of any other content that should not go through the proxy, for example your intranet or local wiki.
5  Click OK and OK to save the settings.

Method: Automatic configuration script

1  In the Automatic configuration area, select Use automatic configuration script.
2  Enter the location of the script, for example: http://192.168.72.141/proxy.pac. The location is displayed on the services > proxies > web proxy page, in the Automatic configuration script area.
3  Ensure that no other proxy settings are enabled or have entries.
4  Click OK and OK to save the settings.

Method: WPAD

Note: This method is only recommended for administrators familiar with configuring web and DNS servers.

1  In the Automatic configuration area, select Automatically detect settings.
2  Click OK and OK to save the settings.
3  On a local DNS server, or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME, substituting your own domain name. The host must resolve to the Advanced Firewall IP address.

When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the PC's domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use. Because browsers trust whichever host answers for that name, make sure wpad.YOURDOMAINNAME is defined on your own DNS server and cannot be claimed by another host on the network; a rogue wpad server could silently redirect all browser traffic through a proxy of its choosing.

Note: PCs must be configured with the same domain name as the A record for this to work. Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on Windows 2000 and recommends a DHCP auto-discovery method using a PAC file instead. See the article for more information. This is contrary to some of our testing.
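The following PAC script is an added example and is not the proxy.pac that Advanced Firewall generates; it shows what the automatic configuration script and WPAD methods above deliver to a browser. It assumes the proxy address and port from this section's example (192.168.72.141, port 800); the direct hosts and the example.internal domain are invented. Browsers supply isPlainHostName, dnsDomainIs, shExpMatch and isInNet themselves; the local copies below only let the file run unchanged under Node.js (isInNet does no DNS lookup and accepts dotted-quad hosts only).

```javascript
// Added example (not the proxy.pac that Advanced Firewall generates): a PAC
// script expressing the browser settings described in this section.
// Assumptions: proxy 192.168.72.141:800 (the page's example values); the
// direct hosts and the example.internal domain are invented for illustration.
// Browsers provide isPlainHostName, dnsDomainIs, shExpMatch and isInNet;
// the copies below let the script run under Node.js for testing.

var PROXY = "PROXY 192.168.72.141:800";
var FIREWALL_IP = "192.168.72.141";
// Equivalent of "Automatic configuration script custom direct hosts" (assumed).
var DIRECT_HOSTS = ["intranet.example.internal", "wiki.example.internal"];

function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Shell-style glob: "*" matches any run of characters, "?" a single one.
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  var p = ip.split(".");
  return ((+p[0]) * 16777216) + ((+p[1]) << 16) + ((+p[2]) << 8) + (+p[3]);
}

function isInNet(host, network, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false; // no DNS lookup here
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(network) & ipToInt(mask));
}

// The browser calls this for every URL; the return value is a proxy directive.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The firewall itself (admin ports 81/441 included) is never reached via the proxy.
  if (host === FIREWALL_IP) return "DIRECT";
  // Unqualified names and the internal domain stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) return "DIRECT";
  // Custom direct hosts from the web proxy page.
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (shExpMatch(host, DIRECT_HOSTS[i])) return "DIRECT";
  }
  // Private (RFC 1918) address literals go direct as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through the web proxy cache.
  return PROXY;
}
```

Served as proxy.pac at the address shown on the web proxy page, this is what the Use automatic configuration script method fetches; served as wpad.dat from a web server on port 80 that wpad.YOURDOMAINNAME resolves to, it is what the WPAD method fetches. The rule order matters: anything that must stay off the proxy (the firewall's own address, internal servers) is decided before the catch-all PROXY directive.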

Instant Messenger Proxying

Advanced Firewall's Instant Messenger (IM) proxy service can log the majority of IM traffic. Advanced Firewall can also censor instant messaging content; for more information, see Censoring Instant Message Content on page 98.

Note: Advanced Firewall cannot monitor IM sessions carried inside HTTP requests, such as when Microsoft MSN connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations secured by end-to-end encryption, such as that provided by Off-the-Record Messaging (http://www.cypherpunks.ca/otr/). However, using SSL Intercept (see Monitoring SSL-encrypted Chats on page 90), Advanced Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL.

To configure the instant messaging proxy service:

1  Browse to the services > proxies > instant messenger page.

2  Configure the following settings:

Enabled
    Select to enable the instant messaging proxy service.

Enable Message Censor
    Select to enable censoring of words usually considered unsuitable. Advanced Firewall censors unsuitable words by replacing them with *s. For more information, see Censoring Instant Message Content on page 98.

Hide conversation text
    Select this option to record instant message events, such as messages in and out, but to discard the actual conversation text before logging.

Block all file-transfers
    Select this option to block file transfers using certain IM protocols. Currently, when enabled, this setting blocks files transferred using the MSN, ICQ, AIM and Yahoo IM protocols.

MSN
    Select to proxy and monitor Microsoft Messenger conversations.

AIM and ICQ
    Select to proxy and monitor ICQ and AIM conversations.

Yahoo
    Select to proxy and monitor Yahoo conversations.

GaduGadu
    Select to proxy and monitor GaduGadu conversations.

Jabber
    Select to proxy and monitor conversations which use the Jabber protocol.

Intercept SSL
    Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 90.

Blocked response
    Select to inform IM users that their message or file transfer has been blocked.
    Note: This option does not work with the ICQ/AIM protocol.

Logging warning response
    Select to inform IM users that their conversation is being logged.
    Note: This option does not work with the ICQ/AIM protocol.

Blocked response message
    Optionally, enter a message to display when a message or file is blocked, or accept the default message. If multiple messages or files are blocked, this message is displayed at 15 minute intervals.

Logging warning response message
    Optionally, enter a message to display informing users that their conversations are being logged. This message is displayed once a week.

Automatic whitelisting
    Settings here enable you to control who can instant message your local users.
    Block unrecognized remote users: Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely. When this option is selected, any remote users who are not on the white-list are automatically blocked.
    Number of current entries: Displays the number of entries currently in the white-list.
    Clear Automatic Whitelisted user list: Click to clear the white-list.

White-list users
    To white-list a user, enter their instant messaging ID, for example JohnDoe@hotmail.com.

Black-list users
    To black-list a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.

Enabled on interfaces
    Select the interfaces on which to enable IM proxying.

Exception local IP addresses
    Enter any local IP addresses that should be excluded from IM proxying.

3  Click Save to save and implement your settings.

Monitoring SSL-encrypted Chats

Advanced Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for encryption.

Note: Using Advanced Firewall to monitor SSL-encrypted IM chats reduces security on IM clients, as the clients are unable to validate the real IM server certificate: they see a certificate issued by the Advanced Firewall CA instead.

To monitor SSL-encrypted conversations:

1  Browse to the services > proxies > instant messenger page. Enable IM proxying and configure the settings you require. For full information on the settings available, see Instant Messenger Proxying on page 87.
2  Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
3  Click Export Certificate Authority certificate. Advanced Firewall generates an Advanced Firewall CA certificate.
4  Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients. Advanced Firewall now monitors and logs the chats.

Once a PC trusts this CA it accepts any certificate the CA signs, so install it only on the machines that need it and protect the firewall, which holds the CA's private key.

SIP Proxying
Advanced Firewall provides a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems. SIP normally operates on port 5060 and is used to set up sessions between two parties. In the case of VoIP, the session set up is a Real-time Transport Protocol (RTP) session, and it is the RTP stream that carries the voice data. RTP uses random unprivileged ports and, as such, is not NAT friendly. For this reason Advanced Firewall's SIP proxy also proxies the RTP streams it negotiates, which allows VoIP products to work correctly and solves some of the problems involved in setting up VoIP behind NAT.

Types of SIP Proxy

There are two types of SIP proxy: a registering SIP proxy and a pass-through proxy. A registering proxy, or registrar, allows SIP clients to register so that they can be looked up and contacted by external users. A pass-through proxy merely rewrites the SIP packets so that the correct IP addresses are used and the relevant RTP ports can be opened. Some clients allow users to configure one SIP proxy; this is invariably the registering proxy. Others allow for two proxies: one with which the client registers, and one which the client uses for access, a pass-through.

Choosing the Type of SIP Proxying


As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode, the proxy is only useful as a pass-through. This mode is useful for those clients which do not support a second proxy within their configuration. If all your clients can be properly configured with a second proxy, transparent mode is not required. If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture of operation is possible.

Configuring SIP
To configure and enable the SIP proxy:

1  Browse to the services > proxies > sip page.

2  Configure the following settings:

Enabled
    Select to enable the SIP proxy service.

SIP client internal interface
    From the drop-down list, select the interface on which the SIP proxy listens for connections. This is the interface on which you will place your SIP clients.

Logging
    Select the logging level required. Select from:
    Normal: just warnings and errors.
    Detailed: warnings, errors and informational messages.
    Very detailed: everything, including debugging messages.

Log calls
    Select if you require individual call logging.

Maximum number of clients
    Select the maximum number of clients which can use the proxy. Setting a maximum is a useful way to prevent malicious internal users performing a denial of service against your registering proxy.

Diffserv mark for RTP packets
    From the drop-down menu, select a Diffserv mark to apply to the RTP packets of SIP calls. The built-in RTP proxy can apply a Diffserv mark to all the RTP traffic it proxies. This is useful because RTP traffic is otherwise hard to identify, as it may occur on a wide range of ports; prioritizing SIP signalling on port 5060 makes no difference to VoIP call quality, because the voice is carried by RTP. The standard mark is BE (best effort), which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, Smoothwall's Quality of Service (QoS) module, if it is installed. In this way, traffic passing through the firewall can be prioritized to give consistent call quality to VoIP users.

Transparent
    The SIP proxy can be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy. When operating transparently, the SIP proxy is not used as a registrar, but allows internal SIP devices to communicate properly with an external registrar such as an ITSP.

Exception IPs
    Hosts which should not be forced to use the transparent SIP proxy must be listed here.

3  Click Save to enable and implement SIP proxying.

Note: If a client is using the proxy when transparent proxying is turned on, the existing sessions may fail to use the transparent proxy until the firewall is rebooted. This is due to the built-in connection tracking of the firewall's NAT.

FTP Proxying
Advanced Firewall provides a proxy to manage FTP traffic, and also makes transparent FTP proxying possible.

Configuring FTP Proxying

The following section explains how to configure FTP proxying on Advanced Firewall.

To configure FTP proxying:

1  Browse to the services > proxies > ftp page.

2  Configure the following settings:

Enabled
    Select to enable the FTP proxy.

Enable transparent FTP proxying
    Select to enable transparent proxying. For more information, see About Transparent and Non-transparent FTP Proxying on page 94.

Port
    From the drop-down list, select the port for FTP traffic.
    Note: The port you select must be open for the FTP client. You configure this on the system > administration > external access page. See Chapter 16, Configuring External Access on page 316 for more information.

Enable anti-malware scanning
    Select to scan files for malware.

Remote FTP server white-list
    Enter the hostname or IP address of any remote FTP servers you want to white-list. Enter one hostname or IP address, a colon and a port per line, for example:
    ftp.company.com:21
    1.2.3.4:21
    If the list is empty, all hostnames on all ports are accessible.

Transparent FTP interfaces
    When proxying transparently, select the interface(s) to use from the list available.

Exception local IP addresses
    Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying.

3  Click Save to save the settings and enable the FTP proxy.

About Transparent and Non-transparent FTP Proxying

When running Advanced Firewall's FTP proxy in transparent mode, you do not need to configure any FTP client applications. When running Advanced Firewall's FTP proxy in non-transparent mode, configure FTP clients as follows:

Remote host
    Enter Advanced Firewall's hostname or IP address.

Remote port
    Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121. See Configuring FTP Proxying on page 92 for more information.

Remote username
    Enter the username in the following format:
    remoteusername@remoteftpserver

SNMP
Simple Network Management Protocol (SNMP) is part of the IETF's Internet Protocol suite. It is used to enable a network-attached device to be monitored, typically for centralized administrative purposes. Advanced Firewall's SNMP service operates as an SNMP agent that gathers all manner of system status information, including the following:
    System name, description, location and contact information
    Live TCP and UDP connection tables
    Detailed network interface and usage statistics
    Network routing table
    Disk usage information
    Memory usage information.
In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP service is enabled. The SNMP service allows all gathered management data to be queried by any SNMP-compatible Network Management System (NMS) that is a member of the same SNMP community. The Community field is effectively a simple password: SNMP devices sharing the same community string can communicate with each other. The community string travels in clear text with every request, so on its own it is a weak control; change it from the well-known default and restrict which hosts may reach the service (see the second note below).

To enable and configure the SNMP service:

1  Navigate to the services > snmp > snmp page.

2  Select Enabled and enter the SNMP community password into the Community text field. The default value public is the standard SNMP community; it is known to everyone, so choose your own value.

3  Click Save.

Note: To view information and statistics provided by the system's SNMP service, a third-party SNMP management tool is required. For specific details about how to view all the information made accessible by Advanced Firewall's SNMP service, please refer to the product documentation that accompanies your preferred SNMP management tool.

Note: To access the SNMP service, remote access permissions for the SNMP service must be configured. For further information, see Chapter 16, Configuring Administration and Access Settings on page 314.

Censoring Content
Advanced Firewall enables you to censor content in:
    Instant messages; for more information, see Censoring Instant Message Content on page 98
    Web forms; for more information, see Chapter 15, Censoring Web Form Content on page 212.

DNS
The following sections discuss domain name system (DNS) services in Advanced Firewall.

Adding Static DNS Hosts

Advanced Firewall can use a local hostname table to resolve internal hostnames. This allows the IP address of a named host to be resolved from its hostname.

Note: Advanced Firewall itself can resolve static hostnames regardless of whether the DNS proxy service is enabled.

To add a static DNS host:

1  Navigate to the services > dns > static dns page.

2  Configure the following settings:

IP address
    Enter the IP address of the host you want to be resolved.

Hostname
    Enter the hostname that you would like to resolve to the IP address.

Comment
    Enter a description of the host.

Enabled
    Select to enable resolution of the new host.

3  Click Add. The static host is added to the Current hosts table.

Editing and Removing Static Hosts

To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.

Enabling the DNS Proxy Service

The DNS proxy service provides internal and external name resolution for local network hosts. In this mode, local network hosts use Advanced Firewall as their primary DNS server to resolve external names, if an external connection is available, in addition to any local names defined in Advanced Firewall's static DNS hosts table.

To enable the DNS proxy service on a per-interface basis:

1  Navigate to the services > dns > dns proxy page.

2  Select each interface that should be able to use the DNS proxy and click Save.

Note: If the DNS settings were configured as 127.0.0.1 during the initial installation and setup process of Advanced Firewall, the system itself uses the DNS proxy for name resolution.

Managing Dynamic DNS

Advanced Firewall's dynamic DNS service is useful when using an external connection that does not have a static IP address. The dynamic DNS service can operate with a number of third-party dynamic DNS service providers, in order to enable consistent routing to Advanced Firewall from the Internet. Dynamic host rules automatically update the leased DNS records by contacting the service provider whenever the system's IP address is changed by the ISP.

The following dynamic DNS service providers are supported:
    dhs.org
    dyndns.org (Dynamic)
    dyndns.org (Static)
    dyndns.org (Custom)
    dyns.cx
    easydns.com
    ez-ip.net
    hn.org
    no-ip.com
    ods.org
    zoneedit.com

Many of these service providers offer a free of charge, basic service.

To create a dynamic host:

1  Navigate to the services > dns > dynamic dns page.

2  Configure the following settings:

Service
    From the drop-down list, select your dynamic DNS service provider.

Behind a proxy
    Select if your service provider is no-ip.com and the system is behind a web proxy.

Enable wildcards
    Select to specify that sub-domains of the hostname should resolve to the same IP address; for example, domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP.
    Note: This option cannot be used with no-ip.com; it must be selected on their web site.

Hostname
    Enter the hostname registered with the dynamic DNS service provider.
    Note: This is not necessary when using dyndns.org as the service provider.

Domain
    Enter the domain registered with the dynamic DNS service provider.

Username
    Enter the username registered with the dynamic DNS service provider.

Password
    Enter the password registered with the dynamic DNS service provider.

Comment
    Enter a description of the dynamic DNS host.

Enabled
    Select to enable the service.

3  Click Add. The dynamic host is added to the Current hosts table.

Editing and Removing Dynamic Hosts

To edit or remove existing dynamic hosts, use Edit and Remove in the Current hosts area.

Forcing a Dynamic DNS Update

The dynamic DNS service updates the DNS records for the host whenever the host's IP address changes. However, on some occasions it may be necessary to force an update of the service provider's records.

To force an update:

Click Force update.

Note: Dynamic DNS service providers do not like updating their records when an IP address has not changed, and may suspend the accounts of users they deem to be abusing their service.

Censoring Instant Message Content


Advanced Firewall enables you to create and deploy policies which accept, modify, block and/or log content in instant messages.

Configuration Overview
Configuring an instant message censor policy entails:
    Defining custom categories to cater for situations not covered by the default Advanced Firewall phrase lists; for more information, see Managing Custom Categories on page 98
    Configuring time periods during which policies are applied; for more information, see Setting Time Periods on page 100
    Configuring filters which classify messages by their textual content; for more information, see Creating Filters on page 101
    Configuring and deploying a policy consisting of a filter, an action, a time period and a level of severity; see Creating and Applying Message Censoring Policies on page 102.

Managing Custom Categories

Custom categories enable you to add phrases which are not covered by the default Advanced Firewall phrase lists. The following sections explain how to create, edit and delete custom categories.

Creating Custom Categories

The following section explains how to create a custom category.

To create a custom category:

1  Browse to the services > message censor > custom categories page.

2  Configure the following settings:

Name
    Enter a name for the custom category.

Phrases
    Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using one of the following formats:
    (example-exact-phrase)
        Advanced Firewall matches the exact phrase, without taking into account possible spelling errors.
    (example-approximate-phrase)(2)
        Advanced Firewall uses fuzzy matching that tolerates the specified number of spelling mistakes or typographical errors (here, 2) when searching for a match.

Comment
    Optionally, enter a description of the category.

3  Click Add. Advanced Firewall adds the custom category to the current categories list and makes it available for selection on the services > message censor > filters page.

Editing Custom Categories

The following section explains how to edit a custom category.

To edit a custom category:

1  Browse to the services > message censor > custom categories page.
2  In the Current categories area, select the category and click Edit.
3  In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your changes.
4  At the top of the page, click Restart to apply the changes.

Deleting Custom Categories

The following section explains how to delete custom categories.

To delete custom categories:

1  Browse to the services > message censor > custom categories page.
2  In the Current categories area, select the category or categories and click Remove.
3  At the top of the page, click Restart to apply the changes.

Setting Time Periods

You can configure Advanced Firewall to apply policies at certain times of the day and/or on certain days of the week.

To set a time period:

1  Browse to the services > message censor > time page.

2  Configure the following settings:

Active from / to
    From the drop-down lists, set the start and end times of the period, and select the weekdays on which the time period applies.

Name
    Enter a name for the time period.

Comment
    Optionally, enter a description of the time period.

3  Click Add. Advanced Firewall creates the time period and makes it available for selection on the services > message censor > policies page.

Editing Time Periods

The following section explains how to edit a time period.

To edit a time period:

1  Browse to the services > message censor > time page.
2  In the Current time periods area, select the time period and click Edit.
3  In the Time period settings, edit the settings. When finished, click Add to save your changes.
4  At the top of the page, click Restart to apply the changes.

Deleting Time Periods

The following section explains how to delete time periods.

To delete time periods:

1  Browse to the services > message censor > time page.
2  In the Current time periods area, select the period(s) and click Remove.
3  At the top of the page, click Restart to apply the changes.

Creating Filters
Advanced Firewall uses filters to classify messages according to their textual content. Advanced Firewall supplies a default filter. You can create, edit and delete filters. You can also create custom categories of phrases for use in filters; for more information, see Creating Custom Categories on page 98.

To create a filter:

1  Browse to the services > message censor > filters page.

2  Configure the following settings:

Name
    Enter a name for the filter.

Comment
    Optionally, enter a description of the filter.

Custom phrase list
    Select the categories you want to include in the filter.

3  Click Add. Advanced Firewall creates the filter and makes it available for selection on the services > message censor > policies page.

Editing Filters
You can add, change or delete categories in a filter.

To edit a filter:

1  Browse to the services > message censor > filters page.
2  In the Current filters area, select the filter and click Edit.
3  In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4  At the top of the page, click Restart to apply the changes.

Deleting Filters
You can delete filters which are no longer required.

To delete filters:

1  Browse to the services > message censor > filters page.
2  In the Current filters area, select the filter(s) and click Remove.
3  At the top of the page, click Restart to apply the changes.

Creating and Applying Message Censoring Policies

The following section explains how to create and apply a censor policy for IM content. A policy consists of a filter, an action, a time period and a level of severity.

To create and apply a censor policy:

1 Browse to the services > proxies > instant messenger page and, in the Instant Messaging proxy area, configure the following settings:

   Enabled: Check that instant messaging proxying is enabled.
   Enable Message Censor: Select this option to enable censoring of words usually considered unsuitable.

2 Browse to the services > message censor > policies page.
3 Configure the following settings:

   Service: From the drop-down menu, select one of the following options, then click Select to update the policy settings available:
      IM proxy incoming: Select to apply the policy to incoming instant message content.
      IM proxy outgoing: Select to apply the policy to outgoing instant message content.
   Filter: From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 101.
   Time period: From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 100.
   Action: From the drop-down menu, select one of the following actions:
      Block: Content which is matched by the filter is discarded.
      Censor: Content which is matched by the filter is masked, but the message is delivered to its destination.
      Categorize: Content which is matched by the filter is allowed and logged.
      Allow: Content which is matched by the filter is allowed and is not processed by any other filters.
   Log severity level: From the drop-down list, select a level to assign to the content if it violates the policy. Based on the log severity level, you can configure Advanced Firewall to send an alert if the policy is violated. See Chapter 15, Configuring the Inappropriate Word in IM Monitor Alert on page 272 for more information.
   Comment: Optionally, enter a description of the policy.
   Enabled: Select to enable the policy.

4 Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall applies the policy and adds it to the list of current policies.
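The four actions above, worked through in code. This is an added example written for this edition, not Smoothwall code, and it does not run on the appliance: it models a filter as a set of phrase categories and a policy as a service, a filter and an action, then evaluates sample messages. The phrase categories, the top-to-bottom policy order, the case-insensitive match and the asterisk mask are assumptions made for the demonstration.

```python
"""Model of the message censor decision described above. Constructed example,
not Smoothwall code: filters are sets of phrase categories, a policy binds a
filter to an action for one direction, and each message is evaluated against
the policies in the order they are listed (the ordering, the mask character
and the case-insensitive phrase match are assumptions)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed phrase categories, as built on services > message censor > categories.
CATEGORIES = {
    "profanity": ["darn", "heck"],
    "confidential": ["project falcon", "q3 forecast"],
    "hr_internal": ["salary"],
}


@dataclass
class Filter:
    name: str
    categories: List[str]          # category names included in the filter


@dataclass
class Policy:
    service: str                   # "incoming" or "outgoing"
    filter: Filter
    action: str                    # block | censor | categorize | allow
    log_severity: str = "notice"
    enabled: bool = True


@dataclass
class Verdict:
    delivered: Optional[str]       # message as delivered; None when discarded
    log: List[Tuple[str, str, str, List[str]]] = field(default_factory=list)


def matches(flt: Filter, text: str) -> List[Tuple[str, str]]:
    """Return (category, phrase) pairs found in text, case-insensitively."""
    low = text.lower()
    return [(cat, phrase) for cat in flt.categories
            for phrase in CATEGORIES[cat] if phrase in low]


def mask(text: str, phrases: List[str], ch: str = "*") -> str:
    """Replace each matched phrase with a run of mask characters of equal length."""
    for phrase in phrases:
        text = re.sub(re.escape(phrase), ch * len(phrase), text, flags=re.IGNORECASE)
    return text


def evaluate(policies: List[Policy], service: str, text: str) -> Verdict:
    """Apply the enabled policies for one direction, top to bottom:
    block discards the message, censor masks and carries on, categorize only
    logs and carries on, allow stops further processing."""
    verdict = Verdict(delivered=text)
    for pol in policies:
        if not pol.enabled or pol.service != service:
            continue
        hits = matches(pol.filter, verdict.delivered)
        if not hits:
            continue
        verdict.log.append((pol.log_severity, pol.action, pol.filter.name,
                            sorted({cat for cat, _ in hits})))
        if pol.action == "block":
            verdict.delivered = None
            break
        if pol.action == "allow":
            break
        if pol.action == "censor":
            verdict.delivered = mask(verdict.delivered, [p for _, p in hits])
        # categorize: message passes unchanged and is only logged
    return verdict


# Constructed filters and policies for the demonstration.
PROFANITY = Filter("profanity", ["profanity"])
SECRETS = Filter("secrets", ["confidential", "hr_internal"])
HR_CHAT = Filter("hr chat", ["hr_internal"])
POLICIES = [
    Policy("outgoing", SECRETS, "block", "critical"),
    Policy("outgoing", PROFANITY, "censor"),
    Policy("incoming", HR_CHAT, "allow"),          # HR traffic is trusted inbound
    Policy("incoming", PROFANITY, "categorize"),   # seen, logged, delivered unchanged
]

if __name__ == "__main__":
    for direction, msg in [("outgoing", "the Q3 forecast is attached"),
                           ("outgoing", "well darn it"),
                           ("incoming", "salary review, heck yes"),
                           ("incoming", "heck yes")]:
        v = evaluate(POLICIES, direction, msg)
        print(f"{direction:8} {msg!r:32} -> {v.delivered!r} {v.log}")
```

The order of the policies matters: the Allow policy for HR traffic sits above the profanity policy for incoming messages, so an inbound HR message is logged once and never reaches the profanity check, which is the "not processed by any other filters" behaviour described above.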

Editing Policies

You can add, change or delete a policy.

To edit a policy:

1 Browse to the services > message censor > policies page.
2 In the Current policies area, select the policy and click Edit.
3 Edit the settings as required; see Creating and Applying Message Censoring Policies on page 102 for information on the settings available.
4 When finished, click Add to save your changes. At the top of the page, click Restart to apply the changes.

Deleting Policies

You can delete policies which are no longer required.

To delete policies:

1 Browse to the services > message censor > policies page.
2 In the Current policies area, select the policy or policies and click Remove.
3 At the top of the page, click Restart to apply the changes.

Managing the Intrusion System

Advanced Firewall's intrusion system performs real-time packet analysis on all network traffic in order to detect and prevent malicious network activity. Advanced Firewall can detect a vast array of well-known service exploits including buffer overflow attempts, port scans and CGI attacks. All violations are logged and the logged data can be used to strengthen the firewall by creating IP block rules against identified networks and source IPs.

Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.
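As an added example (not Smoothwall code; the log lines are constructed), the following script shows how the logged data mentioned above can be turned into block-rule candidates: it parses Snort fast-format alert lines, counts alerts per source address at or above a chosen priority, and ignores your own address ranges so that a misfiring rule cannot talk you into blocking your own LAN. The thresholds and the exempt network are assumptions to tune for your site.

```python
"""Turn Snort fast-format alert lines into block-rule candidates. Constructed
example, not Smoothwall code: the log lines are made up, the alert format is
the standard Snort "fast" output, and the thresholds and exempt networks are
assumptions to be tuned to your site."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: a scanner outside, one web probe, one internal host
# tripping the same rule (a noisy admin box), and one junk line.
SAMPLE_LOG = """\
01/14-10:22:31.101010  [**] [1:1000001:1] LOCAL SCAN xmas probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41234 -> 192.168.10.5:22
01/14-10:22:32.202020  [**] [1:1000001:1] LOCAL SCAN xmas probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41235 -> 192.168.10.5:23
01/14-10:22:33.303030  [**] [1:1000001:1] LOCAL SCAN xmas probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41236 -> 192.168.10.5:80
01/14-10:22:40.404040  [**] [1:1000002:2] LOCAL ICMP oversize ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.10.5
01/14-10:23:01.505050  [**] [1:1000003:1] LOCAL WEB-CGI phf access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.20:51000 -> 192.168.10.8:80
01/14-10:24:10.606060  [**] [1:1000001:1] LOCAL SCAN xmas probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.10.44:5555 -> 192.168.10.5:22
01/14-10:24:11.707070  [**] [1:1000001:1] LOCAL SCAN xmas probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.10.44:5556 -> 192.168.10.5:23
01/14-10:24:12.808080  [**] [1:1000001:1] LOCAL SCAN xmas probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.10.44:5557 -> 192.168.10.5:80
this line is not an alert and is skipped
"""


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Parse fast-format lines; anything that does not match is dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"]) if d["prio"] is not None else None
            alerts.append(d)
    return alerts


def block_candidates(alerts, min_events=3, max_priority=2,
                     exempt=("192.168.0.0/16",)) -> List[Tuple[str, int]]:
    """Source addresses that raised at least min_events alerts of priority
    max_priority or better (lower number is more severe), ignoring your own
    ranges so a misfiring rule cannot make you block your own LAN."""
    nets = [ipaddress.ip_network(n) for n in exempt]
    counts: Counter = Counter()
    for a in alerts:
        if a["prio"] is None or a["prio"] > max_priority:
            continue
        src = ipaddress.ip_address(a["src"])
        if any(src in n for n in nets):
            continue
        counts[a["src"]] += 1
    return sorted((ip, n) for ip, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    print(f"{len(found)} alerts parsed")
    for ip, n in block_candidates(found):
        print(f"block candidate {ip}: {n} alerts")
```

Treat the output as candidates to review, not as an automatic block list: for UDP and ICMP alerts the source address may be spoofed, so blocking it can punish the spoofed victim rather than the attacker.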

About the Default Policies


By default, Advanced Firewall comes with a number of intrusion policies which you can deploy immediately. The default policies will change as emerging threats change and will be updated regularly.

Deploying Intrusion Detection Policies

Advanced Firewall's default policies enable you to deploy intrusion detection immediately to identify threats on your network.

To deploy an intrusion detection policy:

1 Browse to the services > intrusion system > intrusion detection page.
2 Configure the following settings:

   IDS Policy: From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 104 for more information on the policies available. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network; see Chapter 8, Creating Custom Policies on page 107.
   Interface: From the drop-down list, select the interface on which you want to deploy the policy.
   Comment: Enter a description for the policy.
   Enabled: Select this option to enable the policy.

3 Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.

Removing Intrusion Detection Policies

To remove an intrusion detection policy from deployment:

1 Browse to the services > intrusion system > intrusion detection page.
2 In the Current IDS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.

Deploying Intrusion Prevention Policies

Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your Smoothwall representative if you need more information.

Advanced Firewall enables you to deploy intrusion prevention policies to stop intrusions such as known and zero-day attacks, undesired access and denial of service.

To deploy an intrusion prevention policy:

1 Browse to the services > intrusion system > intrusion prevention page.
2 Configure the following settings:

   IPS Policy: From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 104 for more information on the policies available. You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network; see Chapter 8, Creating Custom Policies on page 107.
   Comment: Enter a description for the policy.
   Enabled: Select this option to enable the policy.

3 Click Add. Advanced Firewall lists the policy in the Current IPS policies area.
4 Browse to the networking > firewall > port forwarding page and configure a port forwarding rule with IPS enabled to deploy the policy. For more information on port forwarding, see Chapter 7, Creating Port Forward Rules on page 64.

Removing Intrusion Prevention Policies

To remove an intrusion prevention policy from deployment:

1 Browse to the services > intrusion system > intrusion prevention page.
2 In the Current IPS policies area, select the policy you want to remove.
3 Click Remove. Advanced Firewall removes the policy.


Creating Custom Policies

By default, Advanced Firewall contains a number of policies which you can deploy to detect and prevent intrusions. It is also possible to create custom policies to suit your individual network.

To create a custom policy:

1 Browse to the services > intrusion system > policies page.

Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your browser to speed the process.

2 Configure the following settings:

   Name: Enter a name for the policy you are creating.
   Comment: Enter a description for the custom policy.
   Signatures: From the list, select the signatures you want to include in the policy. For information on how to add custom signatures, see Uploading Custom Signatures on page 108.

3 Click Add. Advanced Firewall creates the policy and lists it in the Current policies area. The policy is now available when deploying intrusion detection and intrusion prevention policies. For more information, see Deploying Intrusion Detection Policies on page 104 and Deploying Intrusion Prevention Policies on page 105.

Uploading Custom Signatures

Advanced Firewall enables you to upload custom signatures and/or Sourcefire Vulnerability Research Team (VRT) signatures and make them available for use in intrusion detection and prevention policies.

To upload custom signatures:

1 Navigate to the services > intrusion system > signatures page.
2 Configure the following settings:

   Custom signatures: Click Browse to locate and select the signatures file you want to upload, then click Upload. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the services > intrusion system > policies page.
   Note: Use custom signatures with caution, as Advanced Firewall cannot verify custom signature integrity. Obtain signature files only from a source you trust and review them before uploading.
   Use syslog for Intrusion logging: Select this option to log intrusion events to syslog.
   Oink code: If you have signed up with Sourcefire to use their signatures, enter your Oink code here and click Update to download and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the services > intrusion system > policies page.
   Note: Updating the signatures can take several minutes. For more information, visit http://smoothwall.net/support/oinkcode/

3 Click Save. Any custom signatures you have uploaded to Advanced Firewall, or Sourcefire VRT signatures you have downloaded to Advanced Firewall, will be listed on the services > intrusion system > policies page. For information on deploying intrusion policies, see Deploying Intrusion Detection Policies on page 104 and Deploying Intrusion Prevention Policies on page 105.
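Because Advanced Firewall cannot verify a custom signature file, it pays to check the file yourself before uploading it. The following added example (not Smoothwall code) lints a Snort-format rules file for the mistakes that most often make an upload useless: unparseable headers, missing msg/sid/rev options, duplicate sids and sids in the range Snort reserves for distributed rule sets; it also records the file's SHA-256 so that the deployed file can be compared with the reviewed one later. The header grammar it accepts is the common subset of Snort rule syntax, and the sample rules are constructed for the demonstration.

```python
"""Pre-upload lint for a Snort-format custom signature file. Constructed
example, not Smoothwall code: the appliance cannot verify a custom signature
file, so check it yourself before uploading and keep its SHA-256 so you can
confirm later that what is deployed is what you reviewed. The header grammar
covered here is the common subset (action, protocol, addresses, ports,
direction, parenthesised options); the sample rules are made up."""
import hashlib
import re
from typing import List, Tuple

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
REQUIRED = ("msg", "sid", "rev")
LOCAL_SID_MIN = 1000000   # Snort reserves sids below this for distributed rule sets


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split 'msg:"a;b"; sid:1;' into (key, value) pairs, honouring quotes so a
    ';' inside the msg text is not taken as a separator."""
    parts, buf, quoted, prev = [], [], False, ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    pairs = []
    for part in parts:
        key, _, value = part.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def lint_rules(text: str) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (rules_parsed, errors); errors are (line number, message)."""
    errors, seen_sids, count = [], {}, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            errors.append((n, "unparseable rule header or unbalanced parentheses"))
            continue
        count += 1
        opts = dict(split_options(m.group("opts")))
        for key in REQUIRED:
            if key not in opts:
                errors.append((n, f"missing {key} option"))
        sid = opts.get("sid")
        if sid is not None:
            if not sid.isdigit():
                errors.append((n, "sid is not numeric"))
            elif int(sid) < LOCAL_SID_MIN:
                errors.append((n, f"sid below {LOCAL_SID_MIN} collides with the vendor rule range"))
            if sid in seen_sids:
                errors.append((n, f"duplicate sid {sid} (first seen on line {seen_sids[sid]})"))
            seen_sids.setdefault(sid, n)
    return count, errors


def fingerprint(text: str) -> str:
    """SHA-256 of the exact bytes you are about to upload."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample rule file with deliberate mistakes.
SAMPLE_RULES = """\
# local rules for the lint example (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh probe; repeated"; flow:to_server; flags:S; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL dns zone transfer"; content:"|00 00 FC|"; sid:1000002; rev:2;)
alert tcp any any -> any 80 (msg:"LOCAL missing sid"; content:"/cgi-bin/"; rev:1;)
alert tcp any any -> any 443 (msg:"LOCAL duplicate"; sid:1000001; rev:1;)
alert tcp any any -> any 8080 (msg:"LOCAL low sid"; sid:42; rev:1;)
drop tcp any any -> any 25 msg:"LOCAL no parentheses"; sid:1000005; rev:1;
"""

if __name__ == "__main__":
    parsed, problems = lint_rules(SAMPLE_RULES)
    print(f"{parsed} rules parsed, sha256 {fingerprint(SAMPLE_RULES)}")
    for line_no, problem in problems:
        print(f"line {line_no}: {problem}")
```

Keep the printed SHA-256 with your change record; after the upload, the same hash computed over the file you actually sent is the only way to show that what the appliance is running is what was reviewed.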

Deleting Custom Signatures

It is possible to delete custom signatures that have been made available on the services > intrusion system > policies page.

Note: If you choose to delete custom signatures, Advanced Firewall will delete all custom signatures. If there are detection or prevention policies which use custom signatures, the signatures will be deleted from the policies.

To delete custom signatures:

1 On the services > intrusion system > signatures page, click Delete. Advanced Firewall prompts you to confirm the deletion.
2 Click Confirm. Advanced Firewall deletes the signatures.

DHCP

Advanced Firewall's Dynamic Host Configuration Protocol (DHCP) service enables network hosts to automatically obtain an IP address and other network settings. Advanced Firewall DHCP provides a fully featured DHCP server, with the following capabilities:

   Support for 2 DHCP subnets
   Allocate addresses within multiple dynamic ranges and static assignments per DHCP subnet
   Automate the creation of static assignments using the ARP cache


Enabling DHCP

To enable DHCP:

1 Navigate to the services > dhcp > global page.
2 Configure the following settings:

   Enabled: Select to enable the DHCP service.
   Server: Select to set the DHCP service to operate as a DHCP server in standalone mode for network hosts.
   Relay (forwarding proxy): Select to set the DHCP service to operate as a relay, forwarding DHCP requests to another DHCP server.
   Enable logging: Select to enable logging.

3 Click Save to enable the service.

Creating a DHCP Subnet

The DHCP service enables you to create DHCP subnets. Each subnet can have a number of dynamic and static IP ranges defined.

To create a DHCP subnet:

1 Navigate to the services > dhcp > dhcp server page.
2 Configure the following settings:

   DHCP Subnet: From the drop-down menu, select Empty and click Select.
   Subnet name: Enter a name for the subnet.
   Network: Enter the IP address that specifies the network ID of the subnet when combined with the network mask value entered in the Netmask field. For example: 192.168.10.0.
   Netmask: Define the subnet range by entering a network mask, for example 255.255.255.0.
   Primary DNS: Enter the value that a requesting network host will receive for the primary DNS server it should use.
   Secondary DNS: Optionally, enter the value that a requesting network host will receive for the secondary DNS server it should use.
   Default gateway: Enter the value that a requesting network host will receive for the default gateway it should use.
   Enabled: Determines whether the DHCP subnet is currently active.

   Click Advanced to access the following settings:

   Primary WINS: Optionally, enter the value that a requesting network host will receive for the primary WINS server it should use. This is often not required on very small Microsoft Windows networks.
   Secondary WINS: Optionally, enter the value that a requesting network host will receive for the secondary WINS server it should use. This is often not required on very small Microsoft Windows networks.
   Primary NTP: Optionally, enter the IP address of the Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: Enter Advanced Firewall's IP address and clients can use its time services if enabled. See Chapter 16, Setting Time on page 311 for more information.
   Secondary NTP: Optionally, enter the IP address of a secondary Network Time Protocol (NTP) server that the clients will use if they support this feature. Tip: As for Primary NTP, Advanced Firewall's own IP address can be entered here if its time services are enabled.
   Default lease time (mins): Enter the lease time in minutes assigned to network hosts that do not request a specific lease time. The default value is usually sufficient.
   Max lease time (mins): Enter the lease time limit in minutes, to prevent network hosts requesting, and being granted, impractically long DHCP leases. The default value is usually sufficient.
   TFTP server: Enter which Trivial File Transfer Protocol (TFTP) server workstations will use when booting from the network.
   Network boot filename: Specify to the network booting client which file to download when booting off the above TFTP server.
   Domain name suffix: Enter the domain name suffix that will be appended to the requesting host's hostname.
   Automatic proxy config URL: Specify a URL which clients will use for determining proxy settings. Note that it should reference a proxy auto-config (PAC) file and only some systems and web browsers support this feature.
   Custom DHCP options: Any custom DHCP options created on the services > dhcp > dhcp custom options page are listed for use on the subnet. For more information, see Creating Custom DHCP Options on page 115.

3 Click Save.

Note: For the DHCP server to be able to assign these settings to requesting hosts, further configuration is required. Dynamic ranges and static assignments must be added to the DHCP subnet so that the server knows which addresses it should allocate to the various network hosts.


Editing a DHCP subnet

To edit a DHCP subnet:

1 Navigate to the services > dhcp > dhcp server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Edit the settings displayed in the Settings area.
4 Click Save.

Deleting a DHCP subnet

To delete a DHCP subnet:

1 Navigate to the services > dhcp > dhcp server page.
2 From the DHCP Subnet drop-down list, select the subnet and click Select.
3 Click Delete.

Adding a Dynamic Range

Dynamic ranges are used to provide the DHCP server with a pool of IP addresses in the DHCP subnet that it can dynamically allocate to requesting hosts.

To add a dynamic range to an existing DHCP subnet:

1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet from the DHCP subnet drop-down list, and click Select.
3 In the Add a new dynamic range area, configure the following settings:

   Start address: Enter the start of the IP range from which the DHCP server should supply dynamic addresses. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
   End address: Enter the end of the IP range from which the DHCP server should supply dynamic addresses. For example, enter 192.168.10.15. This address range should not contain the IPs of other machines on your LAN with static IP assignments.
   Comment: Enter a description of the dynamic range.
   Enabled: Select to enable the dynamic range.

4 Click Add dynamic range. The dynamic range is added to the Current dynamic ranges table.

Adding a Static Assignment

Static assignments are used to allocate fixed IP addresses to nominated hosts. This is done by referencing the unique MAC address of the requesting host's network interface card. This ensures that certain hosts are always leased the same IP address, as if they were configured with a static IP address.

To add a static assignment to an existing DHCP subnet:

1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment area and configure the following settings:

   MAC address: Enter the MAC address of the network host's NIC as reported by an appropriate network utility on the host system. This is entered as six pairs of hexadecimal digits, with a space, colon or other separator character between each pair, e.g. 12 34 56 78 9A BC or 12:34:56:78:9A:BC.
   IP address: Enter the IP address that the host should be assigned.
   Comment: Enter a description of the static assignment.
   Enabled: Select to enable the assignment.

4 Click Add static. The static assignment is added to the Current static assignments table.

Note: A host's MAC address can be changed by whoever controls the host, so a static assignment is an addressing convenience, not a means of authenticating the host.
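An added example (not Smoothwall code) that checks a subnet definition against the rules stated in Creating a DHCP Subnet, Adding a Dynamic Range and Adding a Static Assignment above before you type it into the page: the network address must be the network ID for the netmask, the gateway must be a usable host address, dynamic ranges must lie inside the subnet, not contain the gateway and not overlap each other, and static assignments must lie inside the subnet, outside every dynamic range, with each MAC address used once. The MAC parser accepts the separators the guide mentions. The sample subnet values are constructed.

```python
"""Sanity checks for a DHCP subnet definition before it is saved: the network
and netmask, the default gateway, the dynamic ranges and the static
assignments described in the preceding sections. Constructed example, not
Smoothwall code; the sample subnet values are made up."""
import ipaddress
import re
from typing import List, Tuple

# Six hex pairs with an optional space, colon, dot or dash between them, as
# the guide says the MAC field accepts.
MAC_RE = re.compile(r"^" + r"([0-9A-Fa-f]{2})[\s:.-]?" * 5 + r"([0-9A-Fa-f]{2})$")


def normalise_mac(raw: str) -> str:
    """Return the canonical lower-case colon form, or raise ValueError."""
    m = MAC_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(group.lower() for group in m.groups())


def check_subnet(network: str, netmask: str, gateway: str,
                 dynamic_ranges: List[Tuple[str, str]],
                 static_hosts: List[Tuple[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the definition is sound."""
    problems: List[str] = []
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    if str(net.network_address) != network:
        problems.append(f"network {network} is not the network ID of {net}")
    gw = ipaddress.ip_address(gateway)
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        problems.append(f"default gateway {gateway} is not a usable host address in {net}")

    pools: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
    for start, end in dynamic_ranges:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s > e:
            problems.append(f"range {start}-{end} has start after end")
            continue
        if s not in net or e not in net:
            problems.append(f"range {start}-{end} lies outside {net}")
        elif s == net.network_address or e == net.broadcast_address:
            problems.append(f"range {start}-{end} includes the network or broadcast address")
        if s <= gw <= e:
            problems.append(f"range {start}-{end} contains the default gateway {gateway}")
        for ps, pe in pools:
            if s <= pe and ps <= e:
                problems.append(f"range {start}-{end} overlaps {ps}-{pe}")
        pools.append((s, e))

    seen_macs, seen_ips = {}, {}
    for raw_mac, ip in static_hosts:
        try:
            mac = normalise_mac(raw_mac)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"static {ip} for {mac} lies outside {net}")
        if any(s <= addr <= e for s, e in pools):
            problems.append(f"static {ip} for {mac} falls inside a dynamic range")
        if mac in seen_macs:
            problems.append(f"{mac} assigned twice ({seen_macs[mac]} and {ip})")
        if ip in seen_ips and seen_ips[ip] != mac:
            problems.append(f"{ip} assigned to both {seen_ips[ip]} and {mac}")
        seen_macs.setdefault(mac, ip)
        seen_ips.setdefault(ip, mac)
    return problems


# Constructed subnet: .1 is the gateway, .100-.199 is the pool, two reserved hosts.
GOOD = dict(network="192.168.10.0", netmask="255.255.255.0", gateway="192.168.10.1",
            dynamic_ranges=[("192.168.10.100", "192.168.10.199")],
            static_hosts=[("12 34 56 78 9A BC", "192.168.10.20"),
                          ("12:34:56:78:9A:BD", "192.168.10.21")])

# Same subnet with the mistakes the guide warns about.
BAD = dict(network="192.168.10.0", netmask="255.255.255.0", gateway="192.168.10.1",
           dynamic_ranges=[("192.168.10.1", "192.168.10.50"),
                           ("192.168.10.40", "192.168.10.60")],
           static_hosts=[("12:34:56:78:9A:BC", "192.168.10.45"),
                         ("zz:zz", "192.168.10.5"),
                         ("12 34 56 78 9a bc", "192.168.11.9")])

if __name__ == "__main__":
    for label, subnet in (("good", GOOD), ("bad", BAD)):
        print(label, check_subnet(**subnet) or "ok")
```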

Adding a Static Assignment from the ARP Table

In addition to the previously described means of adding static DHCP assignments, it is possible to add static assignments automatically from MAC addresses detected in the ARP table.

To add a static assignment from the ARP cache to an existing DHCP subnet:

1 Navigate to the services > dhcp > dhcp server page.
2 Choose an existing DHCP subnet profile from the DHCP subnet drop-down list, and click Select.
3 Scroll to the Add a new static assignment from ARP table area.
4 Select one or more MAC addresses from those listed and click Add static from ARP table.
5 Click Save.

Editing and Removing Assignments


To edit or remove existing dynamic ranges and static assignments, use the options available in the Current dynamic ranges and Current static hosts areas.

Viewing DHCP Leases

To view leases:

1 Navigate to the services > dhcp > dhcp leases page.
2 Optionally, select Show free leases to include leases in the Free state, then click Update. The following information is displayed:

   IP address: The IP address assigned to the network host which submitted a DHCP request.
   Start time: The start time of the DHCP lease granted to the network host that submitted a DHCP request.
   End time: The end time of the DHCP lease granted to the network host that submitted a DHCP request.
   MAC address: The MAC address of the network host that submitted a DHCP request.
   Hostname: The hostname assigned to the network host that submitted a DHCP request.
   State: The current state of the DHCP lease. The state can be either Active, that is, currently leased; or Free, meaning the IP address is reserved for the same MAC address, or re-used if not enough addresses are available.

DHCP Relaying

Advanced Firewall DHCP relay enables you to forward all DHCP requests to another DHCP server and re-route DHCP responses back to the requesting host.

To configure DHCP relaying:

1 Connect to Advanced Firewall and navigate to the services > dhcp > dhcp relay page.
2 Enter the IP addresses of an external primary and secondary (optional) DHCP server into the Primary DHCP server and Secondary DHCP server fields.
3 Click Save.

Note: DHCP relaying must be enabled on the services > dhcp > global page.

Creating Custom DHCP Options

Advanced Firewall enables you to create and edit custom DHCP options for use on subnets. For example, to configure and use SIP phones you may need to create a custom option which specifies a specific option code and SIP directory server.

To create a custom option:

1 Browse to the services > dhcp > dhcp custom options page.
2 Configure the following settings:

   Option code: From the drop-down list, select the code to use. The codes available are between the values of 128 and 254, with 252 excluded as it is already allocated (it carries the Automatic proxy config URL).
   Option type: From the drop-down list, select the option type:
      IP address: Select when creating an option which uses an IP address.
      Text: Select when creating an option which uses text.
   Description: Enter a description for the option. This description is displayed on the services > dhcp > dhcp server page.
   Comment: Optionally, enter any comments relevant to the option.
   Enabled: Select to enable the option.

3 Click Add. Advanced Firewall creates the option and lists it in the Current custom options area. For information on using custom options, see Creating a DHCP Subnet on page 110.
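What the option codes and types above become on the wire, as an added example (not Smoothwall code): each DHCP option is sent as a one-byte code, a one-byte length and the data (RFC 2132), with IP address options carrying four bytes per address and text options carrying the bytes with no terminator. The encoder refuses codes outside 128-254 and code 252; the decoder lets you check a client-side capture against what was configured. Option 150 is the TFTP server list that Cisco IP phones look for; code 160 and the host name are arbitrary values chosen for the demonstration.

```python
"""Wire encoding for the custom DHCP options described above. Constructed
example, not Smoothwall code: the appliance offers site-specific codes 128-254
(252 excluded, it carries the WPAD proxy URL) of type IP address or Text; this
shows what a server puts on the wire for such an option (RFC 2132
code/length/data) so you can check a client capture against it. Option 150 is
the TFTP server list Cisco phones expect; code 160 and the host name are
arbitrary values for the demonstration."""
import ipaddress
import struct
from typing import Iterable, List, Tuple, Union

SITE_SPECIFIC = range(128, 255)   # codes the dhcp custom options page offers
RESERVED = {252}                  # already used for Automatic proxy config URL
END, PAD = 255, 0


def is_selectable(code: int) -> bool:
    return code in SITE_SPECIFIC and code not in RESERVED


def encode_option(code: int, kind: str, value: Union[str, Iterable[str]]) -> bytes:
    """One option as code, length, data. kind is "ip" (one or more IPv4
    addresses, 4 bytes each) or "text" (ASCII, no terminator)."""
    if not is_selectable(code):
        raise ValueError(f"option code {code} is not selectable")
    if kind == "ip":
        addrs = [value] if isinstance(value, str) else list(value)
        data = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    elif kind == "text":
        data = str(value).encode("ascii")
    else:
        raise ValueError(f"unknown option type {kind!r}")
    if not 1 <= len(data) <= 255:
        raise ValueError("option data must be between 1 and 255 bytes")
    return struct.pack("!BB", code, len(data)) + data


def encode_options(options: Iterable[Tuple[int, str, Union[str, Iterable[str]]]]) -> bytes:
    """Several options back to back, terminated by the End option."""
    return b"".join(encode_option(*opt) for opt in options) + bytes([END])


def decode_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV blob (e.g. from a client-side capture) back into (code, data)."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        length = blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


if __name__ == "__main__":
    blob = encode_options([(150, "ip", ["192.168.10.5", "192.168.10.6"]),
                           (160, "text", "sip-directory.example.net")])
    print(blob.hex())
    print(decode_options(blob))
```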


Chapter 9

Virtual Private Networking

In this chapter: All about Advanced Firewall, VPNs and tunnels.

Advanced Firewall VPN Features

Advanced Firewall contains a rich set of Virtual Private Network (VPN) features:

   IPSec site-to-site: Industry-standard IPSec site-to-site VPN tunneling.
   L2TP road warriors: Mobile user VPN support using Microsoft Windows 2000 and XP, as well as older versions of Windows. No client software required; the software is part of the Windows operating system.
   IPSec road warriors: Mobile user VPN support using IPSec road warrior clients such as SafeNet SoftRemote, as well as others.
   SSL VPN: Mobile user VPN support using OpenVPN SSL and a light-weight client installed on the user's computer/laptop.
   Authentication: Industry-standard X509 certificates or Pre-Shared Keys (subnet VPN tunnels).
   Certificate management: Full certificate management controls built into the interface, with import and export capabilities in a number of formats. Self-signed certificates can be generated.
   Tunnel controls: Individual controls for all VPN tunnels.
   Internal VPNs: Support for VPNs routed over internal networks.
   Logging: Comprehensive logging of individual VPN tunnels.

What is a VPN?

A VPN, in the broadest sense, is a network route between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance. In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as road warriors. The P (private) in VPN refers to the encryption and authentication employed to provide a level of privacy equivalent to that expected of the traditional circuit a VPN typically replaces.

There are several technologies which implement VPNs. Some are wholly proprietary, others are open standards. The most commonly deployed VPN protocol is called IPSec, for IP Security, and is a well established and open Internet standard. Many implementations of this standard exist, and generally all vendors of network security products will have an offering in their product portfolio. VPNs are mostly used to link multiple branch office networks together (site-to-site VPNs), or to connect mobile and home users (road warriors) to their office network. The network route between a site-to-site or road warrior VPN is provided by a VPN tunnel. Tunnels can be formed between two VPN gateways. All data traversing the tunnel is encrypted, thus making the tunnel and its content unintelligible and therefore private to the outside world.

About VPN Gateways

A VPN gateway is a network device responsible for managing incoming and outgoing VPN connections. A VPN gateway must perform a number of specific tasks:

   Allow VPN tunnels to be configured.
   Authenticate the other end of a VPN connection, i.e. ensure it can be identified and trusted.
   Route all data received from its own Local Area Network (LAN) to the correct VPN tunnel.
   Encrypt all data presented to the VPN tunnel into secure data packets.
   Decrypt secure data received from the VPN tunnel.
   Route all data received from the tunnel to the correct computer on the LAN.
   Allow VPN tunnels to be managed.

Administrator Responsibilities

A network administrator has three responsibilities:

   Specify the tunnel: define the tunnel on each VPN gateway.
   Configure authentication: define a secure means for each VPN gateway to identify the other.
   Manage tunnels: control the opening and closing of tunnels.

About VPN Authentication

Authentication is the process of validating that a given entity, that is a person, system or device, is actually who or what it identifies itself to be. Since VPN gateways are not usually in the same physical location, it is not readily determinable that either gateway is genuine. A gateway that initiates a VPN connection must be assured that the remote gateway is the right one. Conversely, the remote gateway must be assured that the initiating gateway is not an imposter. Advanced Firewall supports several authentication methods that can be used to validate a VPN gateway's identity:

   Pre-Shared Key: Usually referred to as PSK, this is a simplistic authentication method based on a password shared by both gateways. For more information, see PSK Authentication on page 119.
   X509: An industry strength and internationally recognized authentication method using a system of digital certificates, as published by the ITU-T and ISO standardization bodies. For more information, see X509 Authentication on page 119.
   Username/password: In addition to using X509, all users of L2TP road warrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created. This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.

A more in depth examination of the PSK and X509 authentication methods can be found in the following sections, including recommendations for the usage of each.

PSK Authentication

To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared password that only they know. When initiating a VPN connection, each gateway demonstrates to the other that it holds the same password by using it to compute an authentication value over the exchange; the password itself is never sent across the network. If the value presented by each gateway matches the one the other gateway computes from its stored password, both gateways know that the other must be genuine. Hence, each gateway is authentic and a secure, trusted VPN tunnel can be established.

The simplicity of PSK is both its strength and its weakness. Whilst PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also require multiple tunnels to use the same password, which is highly undesirable if your organization intends to create multiple road warrior VPN connections.

PSK authentication is best suited when a single site-to-site or road warrior VPN capability is required. Whilst it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse.

X509 Authentication

In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a CA can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.

About Digital Certificates

A digital certificate, referred to here as a certificate, is an electronic document that uniquely identifies its owner, and contains the following information:

   Subject: Information about who the certificate was issued to, their country, company name etc.
   Issuer: Information about the CA that created and signed the certificate.
   Certificate ID: An alternative identifier for the certificate owner in abbreviated form.
   Validity period: The start and expiry dates, during which time the certificate is valid.

Certificates contain information about both the owner (the subject) and the issuer (the CA). However, that information alone does not show whether the certificate is a forgery. To prove authenticity, X509 uses public-key cryptography. Public-key cryptography involves a mathematically related pair of keys, one called a private key and the other called a public key. A signature computed with the private key can be checked by anyone holding the public key, and data encrypted with the public key can be decrypted only with the private key. It is computationally infeasible to derive the private key from the public key. If the private key is kept secret by its owner, and the public key is freely accessible to all, any signature that checks correctly against the public key can only have been produced by the private key owner. This property is exploited by CAs to sign all certificates they create, thus proving that a certificate is genuine.

To sign a certificate, the CA computes a cryptographic hash of the certificate's content and signs that hash with its private key. The signature is inserted into the certificate, much like a watermark or other security feature is added to a passport by a government. Anybody wishing to determine the authenticity of the certificate can therefore check the CA signature using the public key obtainable from the issuing CA. If the signature verifies against the certificate's content, the certificate is proven to have been issued, unaltered, by the CA named in its issuer field.

However, this only proves that the CA genuinely issued the certificate. Just because a passport was validly issued by a government does not mean that the person presenting it is its rightful owner. This is solved by one further signature: during the VPN handshake, the certificate owner uses its own private key to sign data that the other gateway has just supplied, so the signature cannot be replayed from an earlier session. The other gateway checks that signature with the public key contained in the certificate. It can now be proven that the presenting party holds the private key matching the certificate (its signature verifies with the certificate's public key) and that the certificate was issued by the specified CA (the CA's signature verifies with the CA's public key).

Advanced Firewall and Digital Certificates

Advanced Firewall is equipped to handle all aspects of setting up a self-contained X509 authentication system. Advanced Firewall enables you to:

   Create a trusted CA.
   Create signed digital certificates.
   Manage exporting and installing certificates on other Advanced Firewall / VPN gateway systems.

Alternatively, digital certificates can be obtained from commercial CAs such as Verisign or Thawte and then imported, or they can be created by a separate CA such as the one included in Microsoft Windows 2000. The use of a local Advanced Firewall CA is recommended as a more convenient and equally secure approach. It is usual for a single CA to provide certificates for an entire network of peer systems, but there are alternative schemes that use multiple CAs which will be discussed later.

Smoothwall Advanced Firewall Administrators Guide

Configuration Overview
The following sections cover the separate topics of CAs, certificates, site-to-site VPNs, road warrior VPNs, internal VPNs and management in great depth. As an overview to these sections, these are the steps required to create a typical site-to-site VPN connection:

1 On the master Advanced Firewall system, create a local Certificate Authority. For details, see Creating a CA on page 121.
2 Create certificates for the master Advanced Firewall system and the remote Advanced Firewall system.
3 Install the master Advanced Firewall's certificate as its default local certificate.
4 Create a tunnel specification on the master Advanced Firewall system that points to the remote Advanced Firewall system.
5 Export the CA certificate and the remote Advanced Firewall certificate from the master Advanced Firewall system.
6 Import the CA certificate on the remote Advanced Firewall system, as exported by step 5.
7 Import and install the remote Advanced Firewall system's certificate, as exported by step 5.
8 Create a tunnel specification on the remote Advanced Firewall system that matches the one created by step 4.
9 Bring the connection up.
10 Ensure that appropriate zone bridging rules are configured and active in order to permit traffic to and from the VPN tunnel. For further information see Chapter 6, Configuring Inter-Zone Security on page 55.

Working with Certificate Authorities and Certificates


A Certificate Authority (CA) is an implicitly trusted system that is responsible for issuing and managing digital certificates. A certificate created by a known CA can be authenticated as genuine. The following sections explain how to create a local CA using Advanced Firewall, for the purpose of creating certificates for VPN tunnel authentication. They also explain how to export and import CA certificates so that a remote Advanced Firewall has knowledge of the CA. Maintenance tasks such as how to delete CAs are also discussed.

Creating a CA
To create your own certificates for use in VPN tunnel authentication, you require access to at least one CA. It is possible to purchase certificates from an externally managed CA, but this can be inconvenient and costly. This section explains how to create a CA using Advanced Firewall. If you already have a CA on your network, it may be useful to use that, in which case refer to Importing Another CA's Certificate on page 123.

Note: For VPN configuration tutorials, see VPN Tutorials on page 175.

Chapter 9 Virtual Private Networking Working with Certificate Authorities and Certificates

To create a CA:

1 Navigate to the vpn > vpn > ca page.
2 Configure the following settings:

Setting / Description
Common name: Enter an easily identifiable name.
Email: Enter an administrative email address.
Organization: Enter an organizational identifier.
Department: Enter a departmental identifier.
Locality or town: Enter a locality or town.
State or province: Enter a state or province.
Country: Enter a two letter country code.
Life time: From the drop-down menu, select the length of time that the CA will remain valid for.
User defined (days): If User defined is selected as the life time value of the CA, enter the number of days the CA will be valid.

3 Click Create Certificate Authority.

The local CA is created and displayed, for example:

Exporting the CA Certificate

Once a CA has been created, you can use it to create digital certificates for network hosts. You can also export the CA's own certificate to other systems which can use it to authenticate digital certificates issued by the CA.

Once a CA has been created, you need to export its certificate so that other systems can recognize and authenticate any signed certificates it creates. There are two different export formats, described below.

To export the CA certificate:

1 Navigate to the vpn > vpn > ca page and configure the following settings:

Setting / Description
Name: In the Installed Certificate Authority certificates area, locate and select the local CA certificate.
Export format: From the drop-down list, select the format in which to export the certificate authority's certificate. The following formats are available:
  CA certificate in PEM: An ASCII (textual) certificate format commonly used by Microsoft operating systems. Select this format if the certificate is to be used on another Smoothwall System.
  CA certificate in BIN: A binary certificate format; select it if the certificate is to be used on a system which requires this format. Consult the system's documentation for more information.

2 Click Export and choose to save the file to disk from the dialog box launched by your browser. You can deliver the certificate to another system without any special security requirements since it contains only public information.

Importing Another CA's Certificate

To authenticate a signed certificate produced by a non-local CA, you must import the non-local CA's certificate into Advanced Firewall. This is usually done on secondary Advanced Firewall systems so that they can authenticate certificates created by a master Advanced Firewall system's CA.

Note: The certificate must be in PEM format to be imported.

To import the CA's certificate:

1 Navigate to the vpn > ca page.
2 In the Import Certificate Authority certificate area, click Browse.
3 Locate and open the CA's certificate that you wish to import.
4 Click Import CA cert from PEM. The certificate is listed in the Installed Certificate Authority certificates area.

Deleting the Local Certificate Authority and its Certificate

Note: Deleting the local CA will invalidate all certificates that it has created.

To delete the local CA and its certificate:

1 Navigate to the vpn > ca page.
2 In the Delete local Certificate Authority region, select Confirm delete.
3 Click Delete Certificate Authority.

Once the local CA has been deleted, the Create local Certificate Authority region will be displayed. This change in layout occurs because a CA no longer exists on the Advanced Firewall system. The Create local Certificate Authority region replaces the Delete local Certificate Authority region.

Deleting an Imported CA Certificate

To delete an imported CA's certificate:

1 Navigate to the vpn > ca page.
2 Locate and select the non-local CA certificate in the Installed Certificate Authority certificates region.
3 Click Delete. The CA certificate will no longer appear in the Installed Certificate Authority certificates region and Advanced Firewall will not be able to authenticate any certificates created by it.

Managing Certificates

The following sections explain how to create, view, import, export and delete certificates in Advanced Firewall.

Creating a Certificate

Once a local Certificate Authority (CA) has been created, you can generate certificates. The first certificate created is usually for the Advanced Firewall system that the CA is installed on. This is because the Advanced Firewall VPN gateway is a separate entity to the CA, and therefore requires its own certificate.

It is normal for a single CA to create certificates for all other hosts that will be used as VPN gateways, i.e. all other Advanced Firewall systems.
To create a new signed certificate:

1 Navigate to the vpn > vpn > certs page.
2 Scroll to the Create new signed certificate area and configure the following settings:

Setting / Description
ID type: From the drop-down menu, select the certificate's ID type. The options are:
  No ID: Not recommended but available for inter-operability with other VPN gateways.
  Host & Domain Name: Recommended for most site-to-site VPN connections. This does not need to be a registered DNS name.
  IP address: Recommended for site-to-site VPNs whose gateways use static IP addresses.
  Email address: Recommended for road warrior or internal VPN connections. This does not need to be a real email address, although the use of a real email address is recommended.
ID value: Enter an ID value. For a site-to-site Advanced Firewall VPN this is typically a hostname. For a road warrior this is usually the user's email address.
Common name: Enter a common name for the certificate, for example Head Office.
Email: Enter an email address for the individual or host system that will own this certificate.
Organization: Enter an organizational identifier for the certificate owner.
Department: Enter a departmental identifier for the certificate owner.
Locality or town: Enter a locality or town for the certificate owner.
State or province: Enter a state or province for the certificate owner.
Country: Enter a two letter country code.
Life time: From the drop-down menu, select the length of time that the certificate will remain valid for.
User defined (days): If User defined is selected as the life time value of the certificate, enter the number of days the certificate will be valid for.

3 Click Create signed certificate. The certificate is listed in the Installed signed certificates area.

Reviewing a Certificate

You can review the content of a certificate. Reviewing certificates can be useful for checking certificate content and validity.

To review a certificate:

1 Navigate to the vpn > certs page.
2 Locate the certificate that you wish to view in the Installed signed certificates region.
3 Click the certificate name. The content is displayed in a new browser window, for example:

Close the browser window to return to Advanced Firewall.

Exporting Certificates

Any certificates you create for the purpose of identifying other network hosts must be exported so that they can be distributed to their owner.

To export a certificate:

1 Navigate to the vpn > certs page and scroll to the Installed signed certificates area.
2 Select the certificate you want to export and configure the following settings:

Setting / Description
Export format: From the drop-down menu, select the format in which to export the certificate. The following formats are available:
  Certificate in PEM: An ASCII (textual) certificate format commonly used by Microsoft operating systems. Recommended for all Advanced Firewall to Advanced Firewall VPN connections.
  Certificate in DER: A binary certificate format for use with non-Advanced Firewall VPN gateways.
  Private key in DER: Exports just the private key in binary for use with non-Advanced Firewall VPN gateways.

3 Click Export. Choose to save the certificate file (a .pem or .der file) to disk in the dialog box launched by your browser software. The certificate will be saved to the browser's local file system in the specified format.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Exporting in the PKCS#12 Format

PKCS#12 is a container format used to transport a certificate and its private key. It is recommended for use in all Advanced Firewall to Advanced Firewall VPNs and L2TP road warriors.

To export a certificate in the PKCS#12 container format:

1 Navigate to the vpn > certs page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to export.
3 Enter and confirm a password in the Password and Again fields.
4 Click Export certificate and key as PKCS#12.
5 Choose to save the PKCS#12 container file (a .p12 file) to disk in the dialog box launched by your browser software. The PKCS#12 file will be saved to the browser's local file system.

Note: Distribute the certificate to its recipient host in a secure manner as it contains the private key that should only be known by the certificate owner.

Importing a Certificate

Advanced Firewall systems that do not have their own CA will be required to import and install a host certificate to identify themselves. This is the normal process for secondary Advanced Firewall systems, for example, branch office systems connecting to a head office that has an Advanced Firewall system and CA.

To import a certificate:

1 Navigate to the vpn > certs page.
2 In the Import certificates area, configure the following settings:

Setting / Description
Password: Enter the password that was specified when the certificate was created.
Import PKCS#12 filename: To import a certificate in PKCS#12 format:
  1 Click Browse and navigate to and select the certificate file.
  2 Click Import certificate and key from PKCS#12.
Import PEM filename: To import a certificate in PEM format:
  1 Click Browse and navigate to and select the certificate file.
  2 Click Import certificate from PEM.

Advanced Firewall imports the signed certificate and lists it in the Installed signed certificates area.

Deleting a Certificate

To delete an installed certificate:

1 Navigate to the vpn > certs page.
2 In the Installed signed certificates region, locate and select the certificate that you wish to delete.
3 Click Delete. The signed certificate will be removed from the Installed signed certificates region.

Setting the Default Local Certificate

One of the most important configuration tasks is to set the default local certificate on each Advanced Firewall host. The default local certificate should be the certificate that identifies its host.

To set the default local certificate:

1 Navigate to the vpn > vpn > global page.
2 In the Default local certificate region, select the host's certificate from the Certificate drop-down list and click Save. This certificate will now be used by default in all future tunnel specifications, unless otherwise specified.
3 When prompted by Advanced Firewall, click Restart to deploy the certificate.

Site-to-Site VPNs IPSec

The following sections explain how to create a site-to-site VPN tunnel between two Advanced Firewall systems. The tunnel will use the IPSec protocol to create a secure, encrypted tunnel between head office and a branch office.

Recommended Settings

For Advanced Firewall to Advanced Firewall connections, the following settings are recommended for maximum security and optimal performance:

Setting / Selection
Encryption: AES
Authentication type: ESP
Hashing algorithm: SHA
Perfect Forward Secrecy: Enabled
Compression: Enabled unless predominant VPN traffic is already encrypted or compressed.

Creating an IPsec Tunnel

Note: Many parameters are used when creating an IPSec site-to-site VPN tunnel. For Advanced Firewall to Advanced Firewall connections, many settings can be left at their default values. However, for maximum compatibility with other VPN gateways, some settings may require adjustment. This section describes each parameter that can be configured when creating an IPSec tunnel. For more VPN tutorials, see VPN Tutorials on page 175.

To create a site-to-site tunnel:

1 On the Advanced Firewall at head office, browse to the vpn > vpn > ipsec subnets page.
2 Configure the following settings:

Setting / Description
Name: Enter a descriptive name for the tunnel connection, for example: New York to London.
Enabled: Select to enable the connection.
Local IP: Enter the IP address of the external interface used on the local Advanced Firewall host.
  Note: This field should usually be left blank to automatically use the default external IP (recommended).

Local network: Specify the local subnet that the remote host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select the type of the ID that will be presented to the remote system. The choices available are:
  Default local Certificate Subject: Uses the subject field of the default local certificate as the local certificate ID.
  Local IP: Uses the local IP address of the host as the local certificate ID.
  User specified Host & Domain Name: Uses a user specified host and domain name as the local certificate ID.
  User specified IP address: Uses a user specified IP address as the local certificate ID.
  User specified Email address: Uses a user specified email address as the local certificate ID.
  User specified Certificate Subject: Uses a user specified certificate subject as the local certificate ID.
Local ID value: This field is only used if the local ID type is a User specified type (this is typically used when connecting to non-Advanced Firewall VPN gateways). In most cases, you can leave this field blank because its value will be automatically retrieved by Advanced Firewall during the connection process (according to the chosen ID type).
Remote IP or hostname: Enter the IP address or hostname of the remote system. The remote IP can be left blank if the remote peer uses a dynamic IP address.
Remote network: This should specify the remote subnet that the local host will have access to. This is specified using the IP address/network mask format, e.g. 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down menu, select the type of ID that the remote gateway is expected to present. The choices are:
  Remote IP (or ANY if blank Remote IP): The remote ID is the remote IP address, or any other form of presented ID.
  User specified Host & Domain Name: Allows the user to specify a custom host and domain name that it should expect the remote gateway to present as ID.
  User specified IP address: Allows the user to specify a custom IP address that it should expect the remote gateway to present as ID.
  User specified Email address: Allows the user to specify a custom email address that it should expect the remote gateway to present as ID.
  User specified Certificate Subject: Allows the user to specify a custom certificate subject string that it should expect the remote gateway to present as ID (typically used for non-Advanced Firewall VPN gateways).
  Note: User specified types are mostly used when connecting to non-Advanced Firewall VPN gateways. Consult your vendor's administration guide for details regarding the required ID type and its formatting.
Remote ID value: Enter the value of the ID used in the certificate that the remote peer is expected to present.
Authenticate by: From the drop-down list, select the authentication method. For more information on PSK and X509 authentication, see About VPN Authentication on page 118.
Preshared key: Enter the preshared key when PSK is selected as the authentication method.
Preshared key again: Re-enter the preshared key entered in the Preshared key field if PSK is selected as the authentication method.
Use compression: Select to compress tunnel communication. This is useful for low bandwidth connections, but it does increase CPU utilization on both host systems. The benefits of compression also vary depending on the type of traffic that will flow through the tunnel. For example, compressing encrypted data such as HTTPS, or VPN tunnels within tunnels, may decrease performance. The same rule applies when transferring data that is already compressed, for example streaming video. For any tunnel with a high proportion of encrypted or already-compressed traffic, compression is not recommended. For non-encrypted, uncompressed traffic compression is recommended. This setting must be the same on the tunnel specifications of both connecting gateways.
Initiate the connection: Select to enable the local VPN system to initiate this tunnel connection if the remote IP address is known.
Comment: Enter a descriptive comment for the tunnel, for example: London connection .100 to Birmingham .250.

3 Optionally, click Advanced.

Note: Advanced settings are usually used for compatibility with other VPN gateway systems, although they can be tweaked for performance gains in Advanced Firewall to Advanced Firewall VPN connections.

Enter the following information:

Setting / Description
Local certificate: This is used in non-standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 167.
Interface: Select which interface will be used for this connection, either on external or internal interfaces. PRIMARY means the connection will be on the external interface.
Perfect Forward Secrecy: Select to enable the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.
Authentication type: Select the authentication type used during the authentication process. This setting should be the same on both tunnel specifications of two connecting gateways.
  ESP: Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
  AH: IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.
Phase 1 cryptographic algo: Select the encryption algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
  3DES: A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
  AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
  AES 256: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
  Blowfish: This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.
  CAST: This algorithm uses a DES-like crypto system with a 128 bit key (also known as CAST-128 or CAST5).
  Twofish: This algorithm is based on Blowfish, and is a former NIST AES finalist designed to replace the DES algorithm. Although NIST selected the Rijndael algorithm, Twofish is as strong as AES and can outperform it in some scenarios.
Phase 1 hash algo: Select the hashing algorithm to use for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
  MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
  SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.
Phase 2 cryptographic algo: Selects the encryption algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.
Phase 2 hash algo: Selects the hashing algorithm to use for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.
Key life: Set the length of time that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.
Key tries: Set the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.
IKE lifetime: Set how frequently the Internet Key Exchange keys are re-exchanged.
Do not rekey: Select to disable re-keying. This can be useful when working with NAT-ed end-points.

4 Click Add to create the tunnel.

IPSec Site to Site and X509 Authentication Example

This example explains how to create a site-to-site IPSec tunnel using X509 authentication between two Advanced Firewall systems.

Prerequisite Overview

Before you start, you must do the following:

1 Create a CA on the local system. For information on how to do this, see Creating a CA on page 121.
2 Create certificates for the local and remote systems using Host and Domain Name as the ID type. For information on how to do this, see Creating a Certificate on page 124.
3 Install the local certificate as the default local certificate on the local system. For information on how to do this, see Importing a Certificate on page 127.
4 Export the CA certificate in PEM format. For information on how to do this, see Exporting Certificates on page 126.
5 Export the remote certificate in the PKCS#12 container format. For information on how to do this, see Exporting in the PKCS#12 Format on page 127.
6 Import and install the certificate as the default local certificate on the remote system. For information on how to do this, see Importing a Certificate on page 127.

Once the above steps have been completed, proceed with creating tunnel specifications on the local and remote systems as detailed in the following sections.

Creating the Tunnel on the Primary System

To create the tunnel on the primary system:

1 On the primary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:

Setting / Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the primary system to the secondary system by using the host and domain name ID value in the primary system's default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.
Remote network: Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name.
Remote ID value: Enter the ID value (the hostname) of the secondary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This will instruct Advanced Firewall to authenticate the secondary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select to reduce bandwidth consumption. This is useful for low bandwidth connections, however, it will require more processing power.
Initiate the connection: Do not select. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment. For example, Tunnel to Branch Office.

The advanced settings are left to their default values in this example.

2 Click Add to create the tunnel specification and list it in the Current tunnels area:

The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel on the Secondary System

To create the tunnel on the secondary system:

1 On the secondary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:

Setting / Description
Name: Enter a descriptive name for the tunnel.
Enabled: Select to ensure that the tunnel can be activated once configuration is completed.
Local IP: Leave empty. It will be automatically generated as the default external IP address at connection time.
Local network: Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
Local ID type: From the drop-down list, select Default local Certificate ID. This will identify the secondary system to the primary system by using the host and domain name ID value in the secondary system's default local certificate.
Local ID value: Leave empty. Its value will be automatically retrieved by Advanced Firewall during the connection process.
Remote IP or hostname: Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and therefore requires a destination IP address in order to make first contact.
Remote network: Enter the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
Remote ID type: From the drop-down list, select User specified Host & Domain Name. This matches the primary system's certificate type of Host and Domain Name, as listed in Prerequisite Overview on page 135.
Remote ID value: Enter the ID value (the hostname) of the primary system's default local certificate.
Authenticate by: From the drop-down list, select Certificate provided by peer. This instructs Advanced Firewall to authenticate the primary system by validating the certificate it presents as its identity credentials.
Preshared Key: Leave empty.
Preshared Key again: Leave empty.
Use compression: Select if you selected it on the primary system.
Initiate the connection: Select, as the secondary system is responsible for its connection to the primary Advanced Firewall system.
Comment: Enter a descriptive comment, for example, Tunnel to Head Office.

2 Click Add. All advanced settings can be safely left at their defaults.
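The primary and secondary tunnel specifications above only work if they mirror each other, and several of the parameters in the settings tables are required to be identical on both gateways. The following Python is an added consistency check for such a pair (example code, not part of the Smoothwall guide or product): it verifies the IP address/network mask values, that the local and remote networks are swapped between the two sides, that exactly one side initiates and knows the peer's address, that each side's expected remote ID is the host and domain name in the peer's default local certificate, that PSK values match when PSK is used, that the settings the guide says must match do match, and that the non-initiating gateway does not use a key tries value of zero. The dict field names, the hostnames and the address 203.0.113.10 are assumptions made for the example.

```python
"""Consistency check for a primary/secondary pair of Advanced Firewall IPsec
site-to-site tunnel specifications. Added example, not Smoothwall code; the dict
field names mirror the tunnel settings tables and are an assumption."""
import ipaddress

# Settings the guide says must be the same on both tunnel specifications.
MUST_MATCH = ("authentication_type", "phase1_crypto", "phase1_hash", "phase2_crypto",
              "phase2_hash", "use_compression", "pfs", "key_life", "authenticate_by")


def parse_net(spec):
    """Parse the 'IP address/network mask' form used on the ipsec subnets page,
    e.g. '192.168.10.0/255.255.255.0' (CIDR is accepted too). strict=True rejects a
    host address such as 192.168.10.1/255.255.255.0, which is not a network."""
    return ipaddress.IPv4Network(spec.replace(" ", ""), strict=True)


def check_tunnel_pair(primary, secondary):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    sides = {"primary": primary, "secondary": secondary}

    # Networks must be valid, must not overlap on one side, and must mirror the peer.
    nets = {}
    for name, spec in sides.items():
        for field in ("local_network", "remote_network"):
            try:
                nets[(name, field)] = parse_net(spec[field])
            except ValueError as exc:
                findings.append(f"{name}: {field} {spec[field]!r} is not a valid network ({exc})")
    if len(nets) == 4:
        if nets["primary", "local_network"] != nets["secondary", "remote_network"]:
            findings.append("primary local network does not match secondary remote network")
        if nets["primary", "remote_network"] != nets["secondary", "local_network"]:
            findings.append("primary remote network does not match secondary local network")
        for name in sides:
            if nets[name, "local_network"].overlaps(nets[name, "remote_network"]):
                findings.append(f"{name}: local and remote networks overlap")

    # Exactly one gateway initiates, and it needs the peer's address for first contact.
    initiators = [n for n, s in sides.items() if s["initiate"]]
    if len(initiators) != 1:
        findings.append(f"expected exactly one initiating side, got {initiators}")
    for name in initiators:
        if not sides[name]["remote_ip"]:
            findings.append(f"{name}: initiates the connection but has no remote IP or hostname")

    # A non-initiating gateway with key tries 0 retries forever a connection it cannot start.
    for name, spec in sides.items():
        if not spec["initiate"] and spec.get("key_tries", 0) == 0:
            findings.append(f"{name}: non-initiating gateway should not use key tries 0")

    # The remote ID each side expects must be the host & domain name carried in the
    # peer's default local certificate, which is the ID the peer presents.
    for name, peer in (("primary", "secondary"), ("secondary", "primary")):
        expected, actual = sides[name]["remote_id_value"], sides[peer]["local_cert_id"]
        if expected != actual:
            findings.append(f"{name}: expects remote ID {expected!r} but {peer} presents {actual!r}")

    # PSK authentication needs a non-empty key that is identical on both sides.
    psk = primary.get("preshared_key")
    if primary.get("authenticate_by") == "PSK" and (not psk or psk != secondary.get("preshared_key")):
        findings.append("PSK selected but the preshared keys are empty or differ")

    for field in MUST_MATCH:
        if primary.get(field) != secondary.get(field):
            findings.append(f"{field} differs: primary={primary.get(field)!r} "
                            f"secondary={secondary.get(field)!r}")
    return findings


# Constructed sample pair following the X509 example above. The hostnames and the
# public address 203.0.113.10 are placeholders, not values from the guide.
HEAD_OFFICE = {
    "local_network": "192.168.10.0/255.255.255.0",
    "remote_network": "192.168.20.0/255.255.255.0",
    "remote_ip": "",            # branch uses a dynamic address, so left blank
    "initiate": False,
    "key_tries": 3,             # not 0: head office cannot initiate the tunnel
    "local_cert_id": "hq.example.com",
    "remote_id_value": "branch.example.com",
    "authenticate_by": "Certificate provided by peer",
    "authentication_type": "ESP", "phase1_crypto": "AES 256", "phase1_hash": "SHA",
    "phase2_crypto": "AES 256", "phase2_hash": "SHA",
    "use_compression": False, "pfs": True, "key_life": 60,
}
BRANCH = dict(HEAD_OFFICE, local_network="192.168.20.0/24", remote_network="192.168.10.0/24",
              remote_ip="203.0.113.10", initiate=True, key_tries=0,
              local_cert_id="branch.example.com", remote_id_value="hq.example.com")
# A branch copy with three mistakes: compression enabled on one side only, nobody
# initiating, and its local network set to the head office subnet.
BRANCH_BROKEN = dict(BRANCH, use_compression=True, initiate=False,
                     local_network="192.168.10.0/24")

if __name__ == "__main__":
    for label, spec in (("good", BRANCH), ("broken", BRANCH_BROKEN)):
        print(label, check_tunnel_pair(HEAD_OFFICE, spec) or "consistent")
```

The broken pair produces five findings (mismatched remote network, overlapping networks on the branch, no initiator, key tries 0 on a non-initiating side, and a compression mismatch); the good pair produces none.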


Chapter 9 Virtual Private Networking IPSec Site to Site and PSK Authentication

Checking the System is Active

Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To ensure the VPN subsystem is active on both systems:

1 On the primary system, navigate to the vpn > control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the vpn > control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the IPSec tunnel

Next, the secondary system should initiate the VPN connection.

To initiate the VPN connection:

1 On the secondary system, navigate to the vpn > control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 55.

IPSec Site to Site and PSK Authentication

Pre-Shared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there is no requirement for multiple tunnel authentication and management controls.

Creating the Tunnel Specification on Primary System

To create the primary tunnel specification:

1 On the primary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:

Name
Enter a descriptive name for the tunnel.

Enabled
Select to ensure that the tunnel can be activated once configuration is completed.

Local IP
Leave blank so that it is automatically generated as the default external IP address at connection time.

Local network
Specify the local network that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Local ID type
From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the primary system's external IP address as its local IP address.

Local ID value
Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.

Remote IP or hostname
If the secondary system has a static IP address or hostname, enter it here. If the secondary system has a dynamic IP address, leave this field blank.

Remote network
Specify the network on the secondary system that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.

Remote ID type
From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).

Remote ID value
Enter the local IP address of the secondary system.

Authenticate by
From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.

Preshared Key
Enter a passphrase.

Preshared Key again
Re-enter the passphrase to confirm it.

Use compression
Select this option if you wish to reduce bandwidth consumption. It is useful for low bandwidth connections but requires more processing power.

Initiate the connection
Do not select this option. It will be the responsibility of all secondary systems to initiate their own connection to the primary Advanced Firewall system.

Comment
Enter a description, for example: Tunnel to Birmingham Branch.

2 Click Add. All advanced settings can be safely left at their defaults. Advanced Firewall lists the tunnel in the Current tunnels area. The next step is to create a matching tunnel specification on the remote system.

Creating the Tunnel Specification on the Secondary System

To create the secondary tunnel specification:

1 On the secondary system, navigate to the vpn > vpn > ipsec subnets page and configure the following settings:

Name
Enter a descriptive name for the tunnel.

Enabled
Select to ensure that the tunnel can be activated once configuration is completed.

Local IP
Leave blank so that it is automatically generated as the default external IP address at connection time.

Local network
Specify the local network that the primary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Local ID type
From the drop-down list, select Local IP. This will identify the primary system to the secondary system by using the primary system's external IP address as its local IP address.

Local ID value
Leave empty. It will be automatically generated as Local IP was chosen as the local ID type.

Remote IP or hostname
Enter the external IP address of the primary system. Unlike the first tunnel specification, this cannot be left blank. The secondary system will act as the initiator of the connection and thus requires a destination IP address in order to make first contact.

Remote network
Specify the network on the primary system that the secondary system will be able to access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.

Remote ID type
From the drop-down list, select Remote IP (or ANY if blank Remote IP). This will allow the primary system to use the secondary's IP address (if one was specified).

Remote ID value
Enter the local IP address of the secondary system.

Authenticate by
From the drop-down list, select Preshared Key. This will instruct Advanced Firewall to authenticate the secondary system by validating a shared pass phrase.

Preshared Key
Enter the same passphrase as was entered in the Preshared Key field on the primary system.

Preshared Key again
Re-enter the passphrase to confirm it.

Use compression
Select this option if compression was enabled on the primary system.

Initiate the connection
Select this option, as it is the responsibility of the secondary system to initiate its connection to the primary Advanced Firewall system.

Comment
Enter a descriptive comment, for example, Tunnel to Head Office.

2 Click Add. All advanced settings can be safely left at their defaults.
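The two specifications above have to mirror each other exactly, and a mismatch usually shows up only as a tunnel that never comes up. The following added example (not Smoothwall code) models both tables as dicts, with field names chosen to mirror the page's labels, and reports every inconsistency, including the Key tries advice from the advanced settings; the addresses and the passphrase are constructed placeholders.

```python
"""
Cross-check a primary and secondary IPSec subnet tunnel specification.

Added example, not Smoothwall code. Field names are assumptions that mirror
the labels on the ipsec subnets page; addresses are constructed placeholders.
"""
import ipaddress


def _net(value):
    """Parse the guide's address/mask form, e.g. 192.168.10.0/255.255.255.0.

    strict=True means a value with host bits set (not a network address)
    raises ValueError, which is itself a configuration error worth seeing.
    """
    return ipaddress.IPv4Network(value, strict=True)


def check_site_to_site(primary, secondary):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []

    # Each side's Local network must be the other side's Remote network.
    if _net(primary["local_network"]) != _net(secondary["remote_network"]):
        problems.append("primary Local network does not match secondary Remote network")
    if _net(secondary["local_network"]) != _net(primary["remote_network"]):
        problems.append("secondary Local network does not match primary Remote network")
    if _net(primary["local_network"]).overlaps(_net(secondary["local_network"])):
        problems.append("the two Local networks overlap, so routing over the tunnel is ambiguous")

    # Both ends must authenticate the same way; for PSK the secret must match.
    if primary["authenticate_by"] != secondary["authenticate_by"]:
        problems.append("Authenticate by differs between the two specifications")
    elif primary["authenticate_by"] == "Preshared Key":
        if primary["preshared_key"] != secondary["preshared_key"]:
            problems.append("preshared keys differ")
        if len(primary["preshared_key"]) <= 6:
            problems.append("preshared key should contain more than 6 characters")

    # Exactly one side initiates, and that side needs the other side's address.
    if primary["initiate"] == secondary["initiate"]:
        problems.append("exactly one side must have Initiate the connection selected")
    for name, spec in (("primary", primary), ("secondary", secondary)):
        if spec["initiate"] and not spec["remote_ip"]:
            problems.append(f"{name} initiates but has no Remote IP or hostname")
        # A non-initiating gateway should not retry forever (Key tries = 0).
        if not spec["initiate"] and spec.get("key_tries", 0) == 0:
            problems.append(f"{name} does not initiate but has Key tries set to 0")

    # Compression and the advanced phase settings must agree on both gateways.
    for key in ("use_compression", "authentication_type", "pfs",
                "phase1_crypto", "phase1_hash", "phase2_crypto", "phase2_hash"):
        if primary.get(key) != secondary.get(key):
            problems.append(f"{key} differs between the two specifications")
    return problems


def sample_pair():
    """Constructed specifications that follow the primary and secondary tables."""
    advanced = {"use_compression": False, "authentication_type": "ESP", "pfs": True,
                "phase1_crypto": "AES 256", "phase1_hash": "SHA",
                "phase2_crypto": "AES 256", "phase2_hash": "SHA"}
    primary = {"local_network": "192.168.10.0/255.255.255.0",
               "remote_network": "192.168.20.0/255.255.255.0",
               "remote_ip": "",                     # secondary has a dynamic address
               "authenticate_by": "Preshared Key",
               "preshared_key": "example-psk-not-for-production",
               "initiate": False, "key_tries": 3, **advanced}
    secondary = {"local_network": "192.168.20.0/255.255.255.0",
                 "remote_network": "192.168.10.0/255.255.255.0",
                 "remote_ip": "203.0.113.1",        # placeholder for the primary's external IP
                 "authenticate_by": "Preshared Key",
                 "preshared_key": "example-psk-not-for-production",
                 "initiate": True, "key_tries": 0, **advanced}
    return primary, secondary
```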

Checking the System is Active

Once the tunnel specifications have been created, the tunnel can be activated. To do this, first ensure that the VPN subsystem is active on both the primary and secondary systems.

To check the system is active:

1 On the primary system, navigate to the vpn > control page.
2 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.
3 On the secondary system, navigate to the vpn > control page.
4 In the Manual control region, identify the current status of the VPN system. If the status is Running, you do not need to do anything. If the status is Stopped, click Restart.

Activating the PSK tunnel

Next, the secondary system should initiate the VPN connection.

To activate the tunnel:

1 On the secondary system, navigate to the vpn > control page.
2 In the IPSec subnets region, identify the tunnel that was just created and click its Up button to initiate the connection and bring the tunnel up.

Note: In order to permit or deny inbound and outbound access to/from a site to site VPN tunnel, ensure that appropriate zone bridging rules are configured. For further information, see Chapter 6, Configuring Inter-Zone Security on page 55.

About Road Warrior VPNs

This part of the manual explains how to create road warrior VPN connections to enable mobile and home-based workstations to remotely join a host network.

Advanced Firewall supports two different VPN protocols for creating road warrior connections:

L2TP: L2TP connections are extremely easy to configure for road warriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP road warriors must connect to the same internal network.

IPSec: IPSec road warrior connections use the same technology that Advanced Firewall uses to create site-to-site VPNs. It is recommended for road warriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec road warriors must have IPSec client software installed and configured to connect to Advanced Firewall. IPSec road warriors can be configured to connect to any internal network.

Note: Road warrior configuration tutorials are provided in VPN Tutorials on page 175.

Configuration Overview

Typically, a road warrior connection is configured as follows:

1 Create a certificate for each road warrior user, usually with the user's email address as its ID type.
2 Decide which VPN protocol best suits your road warrior's needs: L2TP for Win 2000/XP, IPSec for all others.
3 Decide which internal networks and what IP ranges to allocate to road warriors.
4 Create the tunnel specification on the Advanced Firewall system.
5 Install the certificate and any necessary client software on the road warrior system and configure it.
6 Connect.
7 Ensure that inbound and outbound access to the road warrior have been configured using appropriate zone bridging rules. For further information, see Chapter 6, Configuring Inter-Zone Security on page 55.

When a road warrior connects to Advanced Firewall, it is given an IP address on a specified internal network. When connected, the road warrior client machine will, to all intents and purposes, be on the configured internal network. You can route to other subnets, including other VPN-connected ones. Other machines on the same internal network can see the client, just as if it was plugged into the network directly.

Each user requires their own tunnel, so create as many tunnels as there are road warriors.

IPSec Road Warriors

Before creating a road warrior connection using IPSec, check the following list to assess whether it is the right choice:

Each connection can be routed to a different internal network.

Each connection can use different types of cryptographic and authentication settings. Client software will need to be installed on road warrior systems. Also note that the same advanced options that are available when configuring IPSec site-to-site VPNs are also available to IPSec road warriors. This includes overriding the default local certificate.

When configuring a tunnel, the Client IP setting is used to assign the road warrior's IP address on the local network. This IP address must match the network that the road warrior connects to (globally specified for L2TP connections, individually specified for each IPSec road warrior).

Each road warrior must use a unique, unused IP address. Typically, you would choose a group of IP addresses outside of either the DHCP range, or statically assigned machines such as servers.
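The Client IP rules in the list above are easy to get wrong once more than a handful of road warriors exist. The following added example (not Smoothwall code) checks a set of road warrior tunnels against a constructed address plan: each Client IP must lie inside the tunnel's Local network, be unique, and sit outside the DHCP range and the statically assigned hosts; it also shows how many hosts a road warrior can reach for a given Local network value, including the single-host case. Tunnel names, the DHCP range and the addresses are constructed.

```python
"""
Validate road warrior Client IP assignments against an address plan.

Added example, not Smoothwall code. The address plan, tunnel names and
addresses below are constructed; substitute your own networks.
"""
import ipaddress

# Constructed address plan for the 192.168.2.0/24 internal network.
DHCP_RANGE = (ipaddress.IPv4Address("192.168.2.100"),
              ipaddress.IPv4Address("192.168.2.199"))
STATIC_HOSTS = {ipaddress.IPv4Address("192.168.2.1"),    # gateway
                ipaddress.IPv4Address("192.168.2.5")}    # file server

# Constructed road warrior tunnels, written as the ipsec roadwarriors page
# would hold them (Local network in either of the two forms the guide uses).
ROAD_WARRIORS = [
    {"name": "alice", "local_network": "192.168.2.0/255.255.255.0", "client_ip": "192.168.2.240"},
    {"name": "bob", "local_network": "192.168.2.0/24", "client_ip": "192.168.2.240"},    # duplicate
    {"name": "carol", "local_network": "192.168.2.0/24", "client_ip": "192.168.2.150"},  # DHCP range
    {"name": "dave", "local_network": "192.168.2.0/24", "client_ip": "192.168.3.20"},    # wrong network
]


def to_network(value):
    """Accept both forms the guide uses: prefix length (/24) and dotted mask."""
    return ipaddress.IPv4Network(value, strict=False)


def validate_road_warriors(tunnels, dhcp_range=DHCP_RANGE, static_hosts=STATIC_HOSTS):
    """Return a list of problems found in the tunnels' Client IP settings."""
    problems = []
    seen = {}
    for t in tunnels:
        net = to_network(t["local_network"])
        ip = ipaddress.IPv4Address(t["client_ip"])
        if ip not in net:
            problems.append(f"{t['name']}: client IP {ip} is outside local network {net}")
        elif net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
            problems.append(f"{t['name']}: {ip} is the network or broadcast address")
        if dhcp_range[0] <= ip <= dhcp_range[1]:
            problems.append(f"{t['name']}: {ip} is inside the DHCP range")
        if ip in static_hosts:
            problems.append(f"{t['name']}: {ip} is already statically assigned")
        if ip in seen:
            problems.append(f"{t['name']}: {ip} is already used by {seen[ip]}")
        seen.setdefault(ip, t["name"])
    return problems


def reachable_hosts(local_network):
    """Number of hosts a road warrior can see for a given Local network value."""
    net = to_network(local_network)
    # /31 and /32 have no separate network and broadcast addresses.
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def suggest_client_ips(local_network, count, tunnels,
                       dhcp_range=DHCP_RANGE, static_hosts=STATIC_HOSTS):
    """Pick free addresses from the top of the network, as the guide suggests
    choosing a block away from DHCP and static assignments."""
    net = to_network(local_network)
    used = {ipaddress.IPv4Address(t["client_ip"]) for t in tunnels} | set(static_hosts)
    picks = []
    for host in reversed(list(net.hosts())):
        if host in used or dhcp_range[0] <= host <= dhcp_range[1]:
            continue
        picks.append(str(host))
        if len(picks) == count:
            break
    return picks
```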

Creating an IPSec Road Warrior

To create an IPSec road warrior connection:

1 Navigate to the vpn > vpn > ipsec roadwarriors page.
2 Configure the following settings:

Name
Enter a descriptive name for the tunnel.

Enabled
Select to activate the tunnel once it has been added.

Local network
Enter the IP address and network mask combination of the local network. For example, 192.168.10.0/255.255.255.0.
Note: It is possible to restrict (or extend) the hosts that a road warrior can see on its assigned internal network by changing this setting. For example, if you wish to restrict the connected road warrior to a specific IP address such as 192.168.2.10, set the local network to 192.168.2.10/32. Accordingly, enter the value 192.168.2.0/24 or 192.168.2.0/255.255.255.0 to allow the road warrior to access all addresses in the range 192.168.2.0 to 192.168.2.255.

Client IP
Enter a client IP address for this connection. The IP address must be a valid and available address on the network specified in the Local network field.

Local ID type
From the drop-down list, select the local ID type. Default local Certificate Subject is recommended for road warrior connections.

Local ID value
If you chose a User Specified ID type, enter a local ID value.

Remote ID type
From the drop-down list, select Remote IP (or ANY if blank Remote IP). This is recommended as it allows the road warrior to present any form of valid ID.

Remote ID value
Enter the value of the ID used in the certificate that the road warrior is expected to present.

Authenticate by
From the drop-down list, select one of the following options:
The road warrior's certificate: to use the road warrior's certificate, select it. Authenticating by a named certificate is recommended for ease of management.
Certificate presented by peer: to use a certificate created by a different CA, choose this option.
Preshared Key: select to use the global preshared key as defined on the vpn > vpn > global page.

Use compression
Select to reduce bandwidth consumption (useful for low bandwidth connections). This will require more processing power.

Comment
Enter a descriptive comment, for example: IPSec connection to Joe Blogg's on .240.

3 Click Advanced and enter the following information:

Local certificate
This is used in less standard X509 authentication arrangements. For more information, see Advanced VPN Configuration on page 167.

Interface
Used to specify whether the road warrior will connect via an external IP or an internal interface.

Perfect Forward Secrecy
This enables the use of the PFS key establishment protocol, ensuring that previous VPN communications cannot be decoded should a key currently in use be compromised. PFS is recommended for maximum security. VPN gateways must agree on the use of PFS.

Authentication type
Provides a choice of ESP or AH security during the authentication process. For further details, see below. This setting should be the same on both tunnel specifications of two connecting gateways.
ESP: Encapsulating Security Payload uses IP Protocol 50 and ensures confidentiality, authenticity and integrity of messages. Recommended for optimal performance.
AH: IP Authentication Header uses IP Protocol 51 and ensures authentication and integrity of messages. This is useful for compatibility with older VPN gateways. Because AH provides only authentication and not encryption, AH is not recommended.

Phase 1 cryptographic algo
This selects the encryption algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
3DES: A triple strength version of the DES cryptographic standard using a 168-bit key. 3DES is a very strong encryption algorithm, though it has been exceeded in recent years. It is the default encryption scheme on most VPN gateways and is therefore recommended for maximum compatibility.
AES 128: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES.
AES 256: Advanced Encryption Standard replaces DES/3DES as the US government's cryptographic standard. AES offers faster and stronger encryption than 3DES. It is recommended for maximum security and performance.
CAST: This algorithm uses a DES-like crypto system with a 128 bit key (also known as CAST-128 or CAST5).
Twofish: This algorithm is based on Blowfish, and is a former NIST AES finalist designed to replace the DES algorithm. Although NIST selected the Rijndael algorithm, Twofish is as strong as AES and can outperform it in some scenarios.
Blowfish: This algorithm uses a variable-length key, from 32 to 448 bits. It is faster than 3DES but was superseded by Twofish.

Phase 1 hash algo
This selects the hashing algorithm used for the first phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways.
MD5: A cryptographic hash function using a 128-bit key. Recommended for faster performance and compatibility.
SHA: Secure Hashing Algorithm uses a 160-bit key and is the US government's hashing standard. Recommended for maximum security.

Phase 2 cryptographic algo
This selects the encryption algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 cryptographic algo for more information on the options.

Phase 2 hash algo
This selects the hashing algorithm used for the second phase of VPN tunnel establishment. This setting should be the same on both tunnel specifications of two connecting gateways. See Phase 1 hash algo for more information on the options.

Key life
This sets the duration that a set of keys can be used for. After the key-life value has expired, new encryption keys are generated, thus reducing the threat of snooping attacks. The default and maximum value of 60 minutes is recommended.

Key tries
This sets the maximum number of times the host will attempt to re-try the connection before failing. The default value of zero tells the host to endlessly try to re-key a connection. However, a non-initiating VPN gateway should not use a zero value because if an active connection drops, it will persistently try to re-key a connection that it can't initiate.

IKE lifetime
Sets how frequently the Internet Key Exchange keys are re-exchanged.

Do not Rekey
Turns off re-keying, which can be useful for example when working with NATed end-points.

4 Click Add at the bottom of the page to add the tunnel to the list of current tunnels.

Note: The advanced settings of an IPSec road warrior tunnel operate in exactly the same manner as those for a site-to-site IPSec connection. For details on the operation of each advanced control, see Section 5.1 Introduction to Site to Site VPNs.

Supported IPSec Clients

Smoothwall currently recommends the use of the following third-party IPSec client applications for IPSec road warriors with Microsoft Operating Systems:
SafeNet SoftRemote LT
SafeNet SoftRemote 10
SafeNet SoftRemote 9

Creating L2TP Road Warrior Connections

This section covers the steps required to create an external road warrior connection using L2TP. Such connections have the following features:
All connections share the same, globally specified subnet.
Mostly supported by Microsoft operating systems, with built-in support on Windows 2000 and XP.
Very easy to configure.

Creating a Certificate

The first task when creating an L2TP road warrior connection is to create a certificate. For further information, see Creating a Certificate on page 124. A road warrior certificate is typically created using the user's email address as the certificate ID.

Configuring L2TP and SSL VPN Global Settings

To configure L2TP and SSL VPN global settings:

1 Navigate to the vpn > vpn > global page.
2 Configure the following settings:

L2TP and SSL VPN client configuration settings
Enter primary and secondary DNS settings. These DNS settings will be assigned to all connected L2TP road warriors and SSL VPN users. If applicable, enter primary and secondary WINS settings. These WINS settings will be assigned to all connected L2TP road warriors and SSL VPN users.

L2TP settings
From the drop-down list, select the internal network that L2TP road warriors will be connected to.

3 Click Save.

Creating an L2TP Tunnel

To create an external L2TP road warrior connection:

1 Navigate to the vpn > vpn > l2tp roadwarriors page.
2 Click Advanced to display all settings and configure the following settings:

Name
Enter a descriptive name for the tunnel. For example: Joe Blogg's L2TP.

Enabled
Select to activate the tunnel once it has been added.

Client IP
Enter a client IP address for this connection in the Client IP field. The IP address must be a valid and available IP on the globally specified internal network.

Username
Enter a username for this connection.

Password
Enter a password for the tunnel.

Again
Re-enter the password to confirm it.

Authenticate by
From the drop down list, select one of the following options:
Certificate presented by peer: If the certificate was created by a different CA, choose this option. Authenticating by a named certificate is recommended for ease of management.
Common Name's organization certificate: The peer has a copy of the public part of the host's certificate. Here both ends are Certificate Authorities, and each has installed the peer's public certificate.

L2TP client OS
From the drop-down list, select the L2TP client's operating system.

Comment
Enter a descriptive comment.

Advanced
Click Advanced to access more options.

Local certificate
From the drop-down list, select the default local certificate to provide the Advanced Firewall's default local certificate as proof of authenticity to the connecting road warrior.

Interface
Select PRIMARY.

3 Click Add to create the L2TP tunnel specification and add it to the Current tunnels region.

Configuring an iPhone-compatible Tunnel

Advanced Firewall enables you to configure iPhone-compatible tunnels. Configuring an iPhone-compatible tunnel entails:
setting a preshared key and configuring DNS and interface settings on the vpn > vpn > global page
creating the tunnel on the vpn > vpn > l2tp roadwarriors page.

Note: Before you start, please be aware of the following limitation in IPSec preshared key (PSK) authentication mode: all connections from unknown IP addresses, including IPSec and L2TP road warriors, must use the same authentication method, and, in the case of PSK, the same secret. In practice, this means that if you want to create a tunnel between an iPhone-compatible device and Advanced Firewall, you must:
not have any L2TP or IPSec road warriors, as they use certificates for authentication
not have any IPSec subnet tunnels to unknown (blank) remote IPs. There is a workaround for subnet tunnels to unknown remote IPs, but the IPSec subnets would have to use PSK authentication with the same shared secret as the iPhone-compatible device.

To configure an iPhone-compatible tunnel:

1 Browse to the vpn > vpn > global page.

2 Configure the following settings:

IPSec Road Warrior (and L2TP) Preshared Key
Preshared key: Enter a strong password which contains more than 6 characters.
Again: Re-enter the password to confirm it.

L2TP and SSL VPN client configuration settings
Enter the primary and secondary DNS settings.

3 Click Save and browse to the vpn > vpn > l2tp roadwarriors page.
4 Configure the following settings:

Name
Enter a descriptive name for the tunnel. For example: CEO's iPhone.

Enabled
Select to activate the tunnel once it has been added.

Client IP
Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.

Username
Enter a username for this connection.

Password
Enter a password for the tunnel.

Again
Re-enter the password to confirm it.

Comment
Optionally, enter a description of the tunnel.

Authenticate by
Preshared key (iPhone compatible): Select this option to use the preshared key entered in step 2.

L2TP client OS
From the drop-down list, select Apple (iPhone compatible).

5 Click Add. Advanced Firewall creates the tunnel and lists it in the Current tunnels area.
6 On the iPhone-compatible device, navigate to settings > general > network > vpn.
7 Select Add VPN Configuration and configure the following settings:

Description
Enter a description for the tunnel.

Server
Enter Advanced Firewall's external IP address.

Account
Enter the username as entered in step 4.

RSA SecurID
Set to OFF.

Password
Enter the password as entered in step 4.

Secret
Enter the PSK as configured in step 2.

Send All Traffic
Set to ON for routing to other VPNs.

Proxy
Set to OFF.

8 Select Save to save the tunnel configuration. The tunnel is now ready for use.

Using NAT-Traversal

Passing IPSec traffic through any NATing device such as a router (or a separate firewall in front of the VPN gateway/client) can cause problems.

IPSec normally uses Protocol 50, which embeds IP addresses within the data packets. Standard NATing will not change these addresses, and the recipient VPN gateway will receive VPN packets containing private (non-routable) IP addresses. In this situation, the VPN cannot work. However, Advanced Firewall can operate in IPSec NAT Traversal (NAT-T) mode. NAT-T uses the UDP Protocol instead of Protocol 50 for IPSec VPN traffic; UDP is not affected by the NAT process. This does of course require that the other end of the VPN tunnel supports NAT-T. Both SafeNet SoftRemote and SSH Sentinel support this mode, as do the vast majority of other modern VPN gateway devices.

Note: Any IPSec VPN client connections from a local network behind Advanced Firewall that connect to another vendor's VPN gateway will also need to use NAT-T rather than Protocol 50 for the reasons stated above.

Note: NAT-T is a VPN gateway feature, not a NATing feature.

VPNing Using L2TP Clients

This section explains the configuration process for supported Microsoft operating systems.

L2TP Client Prerequisites

To connect to an L2TP tunnel, a road warrior must be using a Microsoft operating system which is covered by the Microsoft support lifecycle.

Connecting Using Windows XP/2000

Users of Windows XP or Windows 2000 should first ensure that they are running the latest service release of their operating system. Specifically, one particular Windows update is required for L2TP connections to function: Q818043 L2TP/IPSec NAT-T update. Information about this patch can be found at http://support.microsoft.com/?kbid=818043

The above update will already be installed if you are running Windows XP SP2 or above, or Windows 2000 SP4 or above. Please use the Microsoft Windows Update facility to ensure compliance, see http://windowsupdate.microsoft.com/

One further requirement is that the road warrior user must be a member of the Administrator group in order to install the necessary certificates into the Local Computer certificate store.

Installing an L2TP Client

The first step in the connection process is to run the SmoothTunnel L2TP Client Wizard. You can find this in the extras folder on the Advanced Firewall installation CD. It is a freely distributable application that automates much of the configuration process.

Note: There is an alternative configuration method that uses a command line tool, thus enabling an L2TP connection to be configured as part of a logon script. For details, see Advanced VPN Configuration on page 167.

When started, the SmoothTunnel L2TP Client Wizard first ensures that the Q818043 hotfix is installed. If it is not, the program issues a warning. Assuming the hotfix is installed, it will then guide the user through the steps of configuring the connection to the Advanced Firewall system.

To install the L2TP client:

1 Run the SmoothTunnel L2TP Client Wizard on the road warrior system.
2 View the license and click Next to agree to it. The following screen is displayed:
3 Click Browse and open the CA certificate file as exported during the certificate creation process. Click Next. The following dialog opens:
4 Click Browse to locate and select the road warrior's host certificate file. This must be a PKCS#12 file, typically saved as *.p12, as exported during the certificate creation process. Enter the password and click Next. The following screen is displayed:
5 Ensure that the Launch New Connection Wizard option is selected and click Install.
6 The wizard installs the certificates. Click Finish. The Microsoft New Connection Wizard is launched.
7 Click Next. The following screen is displayed:
8 Select Connect to the network at my workplace and click Next.
9 Select Virtual Private Network connection and click Next. The following screen is displayed:
10 Enter a name for the connection and click Next. The following screen is displayed:
11 Enter Advanced Firewall's host name or IP address and click Next.
12 Click Finish. The Connect dialog box is displayed.
13 Enter the username and password of the road warrior and click Connect. Ensure that the tunnel is enabled.

Note: Certain anti-malware and worm detection software may generate alerts when L2TP client connections are first established. Only UDP port 500 and UDP port 4500 and/or ESP should flow from the road warrior when using a Smoothwall L2TP over an IPSEC connection. Any alerts concerning this kind of traffic can be safely ignored, and unblocked communication permitted.
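The note above gives the only traffic an L2TP over IPSec road warrior should produce (UDP 500, UDP 4500 and/or ESP), and Using NAT-Traversal explains why a NATed client shows UDP 4500 instead of raw ESP. The following added example (not Smoothwall code) applies both points as a detection check over constructed firewall log lines in the Linux iptables LOG style: it counts the expected traffic per client, tells a direct path from a NAT-T path, and lists anything else from the client, such as L2TP appearing outside the tunnel. The log lines and addresses are constructed.

```python
"""
Check that traffic seen from a road warrior is only IPSec/L2TP set-up traffic.

Added example, not Smoothwall code. The log lines are constructed in the
Linux iptables LOG style (KEY=VALUE tokens) with documentation-range
addresses; anything other than IKE, NAT-T or ESP from the client is listed.
"""
import re
from collections import Counter

IKE_PORT = 500      # IKE / ISAKMP
NAT_T_PORT = 4500   # NAT-Traversal: ESP encapsulated in UDP
L2TP_PORT = 1701    # L2TP; should only ever travel inside the ESP tunnel

EXPECTED = ("ike", "nat-t", "esp")

_TOKEN = re.compile(r"(\w+)=(\S*)")

# Constructed sample: one road warrior behind NAT (198.51.100.7) and one
# with a direct path (198.51.100.9), both talking to the gateway 203.0.113.1.
SAMPLE_LOG = [
    "IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500 LEN=324",
    "IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=4500 DPT=4500 LEN=92",
    "IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=4500 DPT=4500 LEN=1400",
    "IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=1701 DPT=1701 LEN=60",
    "IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=51000 DPT=80 LEN=52",
    "IN=eth1 OUT= SRC=198.51.100.9 DST=203.0.113.1 PROTO=UDP SPT=500 DPT=500 LEN=324",
    "IN=eth1 OUT= SRC=198.51.100.9 DST=203.0.113.1 PROTO=ESP LEN=152",
]


def parse_log_line(line):
    """Return the KEY=VALUE tokens of an iptables-style log line as a dict."""
    return dict(_TOKEN.findall(line))


def classify(fields):
    """Label one parsed packet by what it is from an IPSec point of view."""
    proto = fields.get("PROTO", "").upper()
    dpt = int(fields.get("DPT") or 0)
    if proto == "ESP":
        return "esp"                # IP protocol 50, used when no NAT is in the path
    if proto == "AH":
        return "ah"                 # IP protocol 51; the guide advises against AH
    if proto == "UDP" and dpt == IKE_PORT:
        return "ike"
    if proto == "UDP" and dpt == NAT_T_PORT:
        return "nat-t"
    if proto == "UDP" and dpt == L2TP_PORT:
        return "plaintext-l2tp"     # L2TP outside ESP means the IPSec layer is missing
    return "unexpected"


def audit_road_warrior(lines, client_ip):
    """Summarise what client_ip sent and list the lines that are not VPN set-up."""
    counts = Counter()
    unexpected = []
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("SRC") != client_ip:
            continue
        label = classify(fields)
        counts[label] += 1
        if label not in EXPECTED:
            unexpected.append((label, line.strip()))
    # Raw ESP and NAT-T from the same client at once usually means the path
    # changed underneath the tunnel; either one alone is normal.
    if counts["nat-t"] and counts["esp"]:
        path = "mixed"
    elif counts["nat-t"]:
        path = "nat-t"
    elif counts["esp"]:
        path = "direct"
    else:
        path = "none"
    return {"counts": counts, "path": path, "unexpected": unexpected}
```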

Connecting Using Legacy Operating Systems

It is possible to create L2TP connections from a number of legacy operating systems. You can find more information in the support area of Smoothwall's web site: http://www.smoothwall.net/support/

VPNing with SSL

Advanced Firewall supports OpenVPN SSL connections. Using light-weight clients, which can be easily configured and distributed, any user account able to authenticate to the configured directory service, plus the list of local users, gains easy and secure VPN access to your network. All your users need to know is their Advanced Firewall user account name and password.

Prerequisites

An installed default local certificate. See Setting the Default Local Certificate on page 128 for more information.

Configuring VPN with SSL

The following section explains how to configure Advanced Firewall for VPNing with SSL.

To configure SSL VPN settings:

1 Browse to the vpn > vpn > global page.
2 Configure the following settings:

Enable SSL VPN
Select to enable SSL VPN on Advanced Firewall.

Transport protocol
Select the network protocol. The following options are available:
TCP (HTTPS): Select to run the SSL VPN connection over TCP on port 443, the standard HTTPS port. This protocol is preferred for compatibility with filters between the client and the server.
UDP (1194): Select to run the SSL VPN connection over UDP on port 1194. This protocol is preferred for performance.

SSL VPN network address
Accept the default network address or enter a new one. SSL VPN users, when they connect, get an IP address on a virtual interface within Advanced Firewall. The IP range must not be one used for any physical network. If the default subnet, 10.110.0/24, is taken by any existing network, configure this setting to use a range not taken on the network.
Note: Because connected clients are placed on a virtual network, all machines they access must also have a route to this network.

SSL VPN netmask
Accept the default network netmask or enter a new one.

Chapter 9 Virtual Private Networking Managing SSL Road Warriors Setting Force clients to use SSL VPN as gateway Description

Select to configure Advanced Firewall to force the client to send all its traffic through the SSL VPN connection. Advanced Firewall can force all connected clients to route through it, which is generally better as it enforces the policy on the server end.

SSL VPN client gateway

Select to override the default IP or hostname that the client will be configured to use as its gateway. Usually, the client is configured to use Advanced Firewalls primary external IP address as its gateway. However, if dynamic DNS is used, this will not work. Therefore, you have the option to set a different gateway.

Managing SSL road warriors entails managing group access to SSL VPNs and managing custom scripts for SSL VPNs. See the sections that follow for more information.
Note: On Windows Vista, to ensure that a user gets full VPN connectivity, add the user to the built-in

network configuration operator group.

Managing Group Access to SSL VPNs


To disable a group from using SSL VPN:

Browse to the vpn > vpn > ssl roadwarriors page.

2 3

From the Select group drop-down list, select the group you want to disable from using SSL VPN and then click Select. Advanced Firewall displays SSL VPN group settings. De-select the Enable option and click Save. Advanced Firewall disables access.

158

1s

By default all groups are allowed to use SSL VPN. Advanced Firewall enables you to stop one or more groups from using SSL VPNs by disabling access.

Ed i

ti

Managing SSL Road Warriors

on

Click Save to save the settings, and, at the top of the page, click Restart to apply the settings.

Smoothwall Advanced Firewall Administrators Guide

Repeat the steps above for any other groups you want to disable from using SSL VPN.
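The SSL VPN network address and netmask settings above carry two constraints that are easy to get wrong: the client range must not overlap any physical network, and every machine the road warriors reach must hold a route back to that virtual range. The following Python script is an added example, not part of this guide or of Advanced Firewall, that checks a proposed range against both rules. The physical networks, the per-network return routes and the candidate ranges are constructed sample values, and 10.110.0.0/24 is the guide's default written out in full (an assumption about the shortened form printed in the table).

```python
"""Sanity-check a planned SSL VPN client range before saving it on vpn > vpn > global.

Added example, not part of the Smoothwall guide. It encodes two rules from the settings
table: the SSL VPN network address/netmask must not overlap any physical network, and every
machine the road warriors will reach needs a route back to the virtual client network.
The physical networks, the route tables and the candidate ranges are constructed sample data;
10.110.0.0/24 is the guide's default range written out as a full dotted quad (an assumption).
"""
import ipaddress


def net(cidr):
    """Parse 'addr/prefix' or 'addr/dotted-mask' into a network object."""
    return ipaddress.ip_network(cidr, strict=False)


# Constructed sample data: networks the firewall already serves.
PHYSICAL_NETWORKS = {
    "green (LAN)": "192.168.10.0/24",
    "orange (DMZ)": "10.110.0.0/24",        # deliberately clashes with the default client range
    "purple (wireless)": "172.16.5.0/24",
}

# Constructed sample data: for each network the clients must reach, the routes its hosts know.
# LAN hosts default-route through the firewall; the wireless hosts only know their own subnet.
RETURN_ROUTES = {
    "192.168.10.0/24": ["192.168.10.0/24", "0.0.0.0/0"],
    "172.16.5.0/24": ["172.16.5.0/24"],
}


def overlapping_networks(vpn_range, physical=PHYSICAL_NETWORKS):
    """Names of physical networks that overlap the proposed client range (empty list = OK)."""
    vpn = net(vpn_range)
    return sorted(name for name, cidr in physical.items() if vpn.overlaps(net(cidr)))


def networks_missing_return_route(vpn_range, routes=RETURN_ROUTES):
    """Reachable networks whose hosts hold no route that covers the client range."""
    vpn = net(vpn_range)
    return sorted(cidr for cidr, known in routes.items()
                  if not any(vpn.subnet_of(net(r)) for r in known))


def first_free_range(candidates, physical=PHYSICAL_NETWORKS):
    """First candidate range that overlaps nothing, or None if every candidate is taken."""
    for cand in candidates:
        if not overlapping_networks(cand, physical):
            return cand
    return None


def plan(vpn_range, physical=PHYSICAL_NETWORKS, routes=RETURN_ROUTES):
    """Summarise both checks for one proposed range."""
    clashes = overlapping_networks(vpn_range, physical)
    unroutable = networks_missing_return_route(vpn_range, routes)
    return {"range": vpn_range, "overlaps": clashes,
            "missing_return_route": unroutable, "ok": not clashes and not unroutable}


if __name__ == "__main__":
    for candidate in ("10.110.0.0/24", "10.111.0.0/24"):
        print(plan(candidate))
    print("first free:", first_free_range(["10.110.0.0/24", "10.111.0.0/24"]))
```

Run it before saving the page: a non-empty overlaps list means another range must be chosen; a non-empty missing_return_route list means the hosts on that network need a static route to the client range (or a default route via the firewall) before VPN users can reach them, which is the Note in the table put into a checkable form.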

Managing Custom Client Scripts for SSL VPNs

Advanced Firewall enables you to upload or remove preconnect, connect and disconnect scripts, which can carry out custom commands before or after a VPN comes up or goes down. You can also deploy scripts based on groups.

Uploading Scripts

To upload scripts:

1 Browse to the vpn > vpn > ssl roadwarriors page.

2 In the Select group area, accept the default settings to apply any uploaded scripts to all groups, or, from the Select group drop-down list, select the group to which the script(s) will be specifically deployed. Click Select.

3 To upload a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Browse.

4 When prompted, browse to and select the script.

5 Click Upload preconnect script. Advanced Firewall uploads the script, displays the size of the script and a message confirming a successful upload.

Repeat the steps above to upload connect and disconnect scripts as required.

Removing Scripts

To remove scripts:

1 Browse to the vpn > vpn > ssl roadwarriors page.

2 In the Select group area, accept the default settings to remove any uploaded scripts from all groups, or, from the Select group drop-down list, select the group from which the script(s) will be specifically removed. Click Select.

3 To remove a preconnect script, in the Custom client scripts area beside the Upload Preconnect Script text box, click Remove preconnect script.

4 Advanced Firewall removes the script and displays a message confirming a successful removal.

5 Repeat the steps above to remove connect and disconnect scripts as required.

Generating SSL VPN Archives

You can generate an archive of the SSL VPN settings which can be distributed to users. Archives contain the SSL VPN settings and, optionally, custom client scripts.

To generate an SSL client archive:

1 On the vpn > vpn > global page, configure the SSL VPN settings. For information on how, see Configuring VPN with SSL on page 156.

2 If you do not want to include custom scripts in the archive, you can generate the archive now. Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. See step 4 for what to do next.

3 If you want to include scripts in the archive, browse to the vpn > vpn > ssl roadwarriors page and configure the scripts. For information on how, see Managing Custom Client Scripts for SSL VPNs on page 159.

4 Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required. When Advanced Firewall prompts you, save the file in a suitable location. Once saved, distribute the archive to those users who will be using SSL VPNing. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Working with User Portals on page 75. See Configuring and Connecting Clients on page 160 for information on how to install the SSL VPN software on clients.

Note: An archive can be used for both internal and external use. See Configuring SSL VPN on Internal Networks on page 160 for more information on internal use.

Configuring SSL VPN on Internal Networks

Advanced Firewall's SSL VPN functionality can be deployed to secure internal wireless interfaces.

To configure SSL VPN on an internal network:

1 On the vpn > global page, configure the SSL VPN settings, see Configuring VPN with SSL on page 156.

2 Click Advanced and, in the SSL VPN internal interfaces area, select the interface on which to deploy the SSL VPN.

3 Click Generate client archive. Advanced Firewall generates an archive containing the client software and the VPN settings required and prompts you to save the file in a suitable location.

Once saved, distribute the archive to users who require secure access to the internal wireless interface. You can use the Advanced Firewall portal to distribute the archive. For more information, see Chapter 8, Working with User Portals on page 75.

Note: The same archive can be used for both internal and external use. See Configuring VPN with SSL on page 156 for more information on external use.

Configuring and Connecting Clients

The following sections explain how to install the SSL VPN client software and connect using an SSL VPN connection.

Installing the Software

To install the SSL VPN client software:

1 Extract the client archive, see Configuring VPN with SSL on page 156, to a suitable location and double-click on Smoothwall-SSL-OpenVPN-client.exe to start the installation wizard. The following screen opens:

2 Click Next to continue. The following screen opens:

3 Read the license and click I agree to continue. The following screen opens:

4 Accept the default components and click Next to continue. The following screen opens:

5 Accept the default destination folder or click Browse to select a different destination. Click Install to continue. The following screen opens:

6 Click Continue Anyway. The following screen opens:

7 Click Next to continue. The following screen opens:

8 Click Finish to complete the installation.

Opening an SSL VPN Connection

To open an SSL VPN connection:

1 In the system tray, right click on OpenVPN GUI and select Connect. The following dialog box is displayed:

2 Configure the following settings:

Username: Enter the name of the user account to be used.
Password: Enter the password belonging to the account.

3 Click OK. The SSL VPN connection is opened.

Closing an SSL VPN Connection

To close an SSL VPN connection:

In the system tray, right click on OpenVPN GUI and select Disconnect.

VPN Zone Bridging


L2TP road warriors and SSL VPNs require zone bridging rules that bridge the interface. IPSec road warriors also require zone bridging rules, and share their zone bridging configuration with IPSec subnets. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

In order to permit or deny inbound and outbound access to and from a site-to-site VPN tunnel, ensure that appropriate zone bridging rules are configured.

Secure Internal Networking

This part of the manual explains how Advanced Firewall can be used to provide secure internal networking using VPN technology. An internal VPN capability can be useful in many situations; a few examples of typical scenarios are given below:

Secure wireless access: Commonly used wireless access protocols offer relatively weak levels of security, thus allowing potential intruders to directly access and intercept confidential data on an organization's internal network. Advanced Firewall can ensure secure wireless access by providing an additional interface as an internal VPN gateway. By attaching a wireless access point to this interface, wireless clients can connect and create a secure tunnel to the desired internal network. Without the necessary authentication credentials (a certificate), wireless intruders cannot gain access to any network resource.

Hidden network access: It is possible to create a hidden network that can only be accessed via a secure VPN tunnel. This might be useful to guarantee that certain resources can only be accessed by an exclusively authenticated member of staff. To do this, create a network that is not bridged to any other. Nominate an internal interface as a VPN gateway and set the client internal interface to the hidden network.

There is no complicated configuration process for creating such internal VPNs; the facility is provided by globally nominating an internal VPN interface and creating tunnels specifying it as their interface.

Creating an Internal L2TP VPN

To create an internal L2TP VPN connection:

1 Navigate to the vpn > vpn > global page.

2 In the L2TP settings area, from the L2TP client internal interface drop-down list, choose an internal network interface.

3 Optionally, click Advanced and configure the following settings:

Enable NAT Traversal: NAT-T is enabled by default and allows IPSec clients to connect from behind NATing devices. In some advanced and unusual situations, however, this feature may prevent connections; therefore, NAT-T can be disabled.

Enable Dead Peer Detection: Used to activate a keep-alive mechanism on tunnels that support it. This setting, commonly abbreviated to DPD, allows the VPN system to almost instantly detect the failure of a tunnel and have it marked as Closed in the control page. If this feature is not used, it can take any time up to the re-keying interval (typically 20 minutes) to detect that a tunnel has failed. Since not all IPSec implementations support this feature, it is not enabled by default. In setups consisting exclusively of Advanced Firewall VPN gateways, it is recommended that this feature is enabled.

Copy TOS (Type Of Service) bits in and out of tunnels: When selected, TOS bits are copied into the tunnel from the outside as VPN traffic is received, and conversely in the other direction. This makes it possible to treat the TOS bits of traffic inside the network (such as IP phones) in traffic shaping rules within SmoothTraffic and traffic shape them. If this option is not selected, the TOS bits are hidden inside the encrypted tunnel and it is not possible to traffic shape VPN traffic.
Note: There is a theoretical possibility that enabling this setting can be used to spy on traffic.

4 Click Save.

Tunnels connecting to the nominated additional interface will be assigned an IP address on the L2TP client internal interface, as shown in the L2TP settings region.

Note: We advise you to limit any zone bridging from the nominated interface to other interfaces. If a zone bridge is created between the additional nominated interface and the L2TP client interface, it allows the VPN to be circumvented and thus limits its usefulness.

5 Create a certificate for the L2TP client. See Creating a Certificate on page 124.

6 Browse to the vpn > vpn > l2tp roadwarriors page and configure the following settings:

Name: Enter a descriptive name for the tunnel.
Enabled: Select to activate the tunnel once it has been added.
Client IP: Enter a client IP address for this connection. The IP address must be a valid and available IP on the globally specified internal network.
Username: Enter a username for this connection.
Password: Enter a password for the connection.
Again: Re-enter the password to confirm it.
Authenticate by: To dedicate this connection to a specific user, choose the user's certificate from the drop-down list. To allow any valid certificate holder to use this tunnel, choose the Certificate provided by peer option. If your organization anticipates supporting many road warrior connections, authenticating by a specific certificate is recommended for ease of management.
Comment: Enter a descriptive comment.
L2TP client OS: From the drop-down list, select the L2TP client's OS.

7 Click Advanced and, from the Local certificate drop-down list, select Default.

8 Click Add. Advanced Firewall lists the tunnel in the Current tunnels area. To configure client access to the L2TP tunnel, see Installing an L2TP Client on page 151.

Advanced VPN Configuration

The following sections explain how and when you might want to use non-standard configurations of CAs, certificates and tunnel definitions to:

Allow sites to autonomously manage their own road warriors
Create VPN links between co-operating organizations
Create VPN hubs that link networks of networks.

Multiple Local Certificates

In some instances, it may be desirable to install multiple local certificates that are used to identify the same host. There are a number of situations where this might be desirable:

Autonomous management of road warrior tunnels from multiple sites.
Autonomous management of site-to-site tunnels from multiple sites.

Multiple local certificates are typically used to de-centralize VPN management in larger networks. For instance, a VPN could be used to create a WAN (Wide Area Network) between three head offices of a multinational company. Each head office must be responsible for its own VPN links that connect its regional branches to its head office, as otherwise there would be a reliance on a single set of administrators in one country / time zone preparing certificates for the entire organization. Using the above example, each head office VPN gateway could utilize two local IDs (certificates):

Country head office ID: This ID would be used by a head office to identify itself to head offices from other countries, to form VPN tunnels that make up the international WAN.

Head office ID: This ID would be used by a head office to identify itself to other domestic offices, so that it can manage VPN tunnel connectivity within its own region.

The same concept can be applied to any situation where autonomous VPN management is required. To continue the above example, many of the offices within one particular country require a number of road warrior users to connect to their local networks. In this instance, a branch office VPN gateway could utilize two local IDs (certificates):

Regional branch office ID: This ID would be used by a branch office to identify itself to the head office and other branch offices that make up the country-wide WAN.

Branch office ID: This ID would be used by a branch office to identify itself to its local road warriors, so that it can manage road warrior connectivity to its own branch.

Creating Multiple Local Certificates

This example will demonstrate how to delegate VPN management from an unconfigured master Advanced Firewall system to an unconfigured secondary Advanced Firewall system. The secondary Advanced Firewall system will be responsible for managing site-to-site and road warrior connections within its own geography.

Firstly, we must create a tunnel to link the master Advanced Firewall to the secondary Advanced Firewall. Since this example covers configuration from scratch, you must follow the instructions from the step most appropriate to your current level of VPN connectivity.

1 On the master system, navigate to the vpn > ca page.

2 Create a local Certificate Authority, see Creating a CA on page 121.

3 Create signed certificates for the master and secondary Advanced Firewall systems, see Managing Certificates on page 124.

4 Install the master signed certificate as the master Advanced Firewall's default local certificate, see Setting the Default Local Certificate on page 128.

5 Create the tunnel specification to the secondary Advanced Firewall system, see Site-to-Site VPNs IPSec on page 129.

6 Export the secondary Advanced Firewall's signed certificate using the PKCS#12 format, see Exporting Certificates on page 126.

7 Export the master Advanced Firewall's CA certificate in PEM format, see Exporting the CA Certificate on page 123.

The remaining series of configuration steps are all carried out on the secondary Advanced Firewall system, firstly to create the primary site-to-site link.

To create the primary site-to-site link:

1 On the secondary system, navigate to the vpn > ca page.

2 Import the CA certificate on the secondary Advanced Firewall, see Importing Another CA's Certificate on page 123.

3 Import the signed certificate on the secondary Advanced Firewall system, see Importing a Certificate on page 127.

4 Install the signed certificate as the default local certificate, see Setting the Default Local Certificate on page 128.

5 Create the tunnel specification to the master Advanced Firewall system, with Local certificate set to Default, see Site-to-Site VPNs IPSec on page 129.

6 Test the VPN connection.

The next step is to create an additional CA on the secondary Advanced Firewall system. This additional CA will be used to create another local certificate for the secondary Advanced Firewall system, as well as certificates for any further site-to-site or road warrior connections that it will be responsible for managing.

To create an additional CA on the secondary Advanced Firewall system:

1 On the secondary system, navigate to the vpn > ca page.

2 Create a new local Certificate Authority, see Creating a CA on page 121.

3 Create a new signed certificate for the secondary Advanced Firewall system (this will be used as the secondary Advanced Firewall's second local certificate), see Creating a Certificate on page 124.

4 Create a new signed certificate for any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.

5 Create a site-to-site or road warrior tunnel specification, and choose the second signed certificate (created by the previous step) as the Local certificate.

6 Export the local CA and signed certificate created by step 4 to any host whose VPN connectivity will be managed by the secondary Advanced Firewall system.

7 Create the remote tunnel specification (this could be a road warrior client or another site-to-site gateway).

Public Key Authentication

It is possible to authenticate a VPN tunnel by exchanging each host's public key with the other. During authentication, each host uses the other host's public key to decrypt the (private key encrypted) certificate it will be passed as identity credentials. This configuration does not require the CA that created either host's certificate to be known to either VPN gateway. This can be useful in many ways:

Simplified internal management, using certificates created by an external Certificate Authority.
Tunnelling between two separate organizations using certificates created by different (possibly external) CAs.
An alternative scheme to allow both ends of the tunnel to create their own CA and default local certificates. This would enable each VPN gateway to manage its own site-to-site and road warrior connections. This achieves the same result as the previous technique described in the Multiple Local Certificates section.

Note: The use of public key authentication should not be considered as a direct replacement for a stringent X509 based authentication setup. Whilst public key authentication does use some of the same technologies that constitute an X509 solution, it lacks the ability to validate certificate authenticity. As such, appropriate precautions should be taken when considering implementing this alternative authentication method.

Configuring Both Ends of a Tunnel as CAs

This configuration example uses public key authentication to connect two Advanced Firewall systems, each with their own CA so that they can manage their own site-to-site and road warrior connections. The following assumptions have been made:

Two Advanced Firewall systems.
Each Advanced Firewall has its own CA.
Each CA has created a signed certificate for its own local Advanced Firewall system.

To create the tunnel specifications:

1 On both systems, navigate to the vpn > certs page.

2 Export the local certificates from both Advanced Firewall systems using the PEM format, see Exporting Certificates on page 126.

3 Import each PEM certificate on the opposite Advanced Firewall system, see Importing a Certificate on page 127.

4 Create an IPSec site-to-site tunnel specification on the first Advanced Firewall system, and select the second Advanced Firewall system's host certificate in the Authenticate by drop-down list.

5 Create an IPSec site-to-site tunnel specification on the second Advanced Firewall system, and select the first Advanced Firewall system's host certificate in the Authenticate by drop-down list.

The tunnel can now be established and authenticated between the two Advanced Firewall systems. In addition, each Advanced Firewall system is able to autonomously manage its own site-to-site and road warrior connections by using its own CA to create additional certificates.

VPNs between Business Partners

To create a VPN between two separate organizations (such as two firms working together as partners), it is most likely that an IPSec tunnel will be required. This may be to a non-Advanced Firewall system, so a degree of co-ordination will be required to decide upon a compatible tunnel specification. This example uses certificates created by an external, commercial CA so that each organization can authenticate certificates presented by the other using a CA that is independent of both organizations. This configuration example assumes the following:

Local Advanced Firewall system.
Host certificates created by the same commercial CA.
Host certificate, Certificate A, created by the commercial CA for the Advanced Firewall system.
Host certificate, Certificate B, created by the commercial CA for the other organization's VPN gateway.

Firstly, import the certificate created for the local Advanced Firewall system (Certificate A).

To import the certificate:

1 On the local system, navigate to the vpn > certs page.

2 Import Certificate A, see Importing a Certificate on page 127.

Next, import the commercial CA's certificate:

1 On the system, navigate to the vpn > certs page.

2 Import the CA's certificate according to the file format it was supplied in, see Importing Another CA's Certificate on page 123.

Next, configure the local tunnel specification in co-operation with the other organization. This is most likely to be an IPSec site-to-site connection, though it is possible that you could connect to their network as a road warrior. In either case, full consultation between both organizations is required to decide on the configuration options to be used on the respective VPN gateways.

Follow these steps to create a site-to-site connection:

1 Connect to Advanced Firewall on the Advanced Firewall system and navigate to the vpn > ipsec subnets page.

2 In the local tunnel specification, choose Default local cert subject or Default local cert subject alt.name from the Local ID type drop-down list. However, it may be necessary to use user specified values if the other VPN gateway is not directly compatible with Advanced Firewall's communication of certificate subjects.

3 Choose Certificate A from the Local certificate drop-down list to ensure that this tunnel overrides any default local certificate that might be configured.

4 Choose Certificate provided by peer from the Authenticate by drop-down list. This will ensure that Advanced Firewall authenticates Certificate B when it is presented by the other organization's VPN gateway.

5 From the Remote ID type drop-down list, choose the remote ID type that was entered during the creation of Certificate B using the commercial CA.

6 Confer with the other organization regarding all other configuration settings and ensure that they authenticate the tunnel using the CA's certificate and Certificate A as provided by Advanced Firewall at connection time.

Extended Site to Site Routing

A useful feature of Advanced Firewall is its ability to use the VPN as a means of linking multiple networks together by creating a centralized VPN hub. The hub is used to route traffic between different networks and subnets by manipulation of the local and remote network settings in each tunnel specification. This potentially allows every network to be linked to every other network without the need for a fully routed network of VPN tunnels, i.e. a tunnel from every site to every other site. A fully routed network can be awkward to configure and maintain.

This configuration example assumes the following:

Site A: Local network 192.168.10.0/255.255.255.0. Tunnel A connects to Site B.
Site B: Local network 192.168.20.0/255.255.255.0. Tunnel A connects to Site A, Tunnel C connects to Site C.
Site C: Local network 192.168.30.0/255.255.255.0. Tunnel C connects to Site B.

The advantage of this approach is that only one tunnel is required for each remote network. The disadvantage is that the central VPN gateway is now routing traffic not destined for it, thus it requires additional resources for its bandwidth. Also, the central VPN creates a single point of failure in the network. An improved approach would incorporate backup tunnel definitions that could be used to create a fail-over VPN hub elsewhere on the network.

Site A Tunnel Definition

A definition for Tunnel A (connecting Site A to Site B) is required. Use the following local and remote network settings:

Local network: 192.168.10.0/255.255.255.0
Remote network: 192.168.0.0/255.255.0.0

With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the definition of the remote end of Tunnel A. Any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will also be routed to Site B, as this range also falls within the definition of the remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its destination; Tunnel C from Site B will ensure this.

Site B Tunnel Definitions

First, a definition for Tunnel A (connecting Site B to Site A) is required. Use the following local and remote network settings:

Local network: 192.168.0.0/255.255.0.0
Remote network: 192.168.10.0/255.255.255.0

With this configuration, any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) will be routed to Site A, as this range falls within the definition of the remote end of Tunnel A.

Next, a definition for Tunnel C (connecting Site B to Site C) is required. Use the following local and remote network settings:

Local network: 192.168.0.0/255.255.0.0
Remote network: 192.168.30.0/255.255.255.0

With this configuration, any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will be routed to Site C, as this range falls within the definition of the remote end of Tunnel C.

Site C Tunnel Definition

A definition for Tunnel C (connecting Site C to Site B) is required. Use the following local and remote network settings:

Local network: 192.168.30.0/255.255.255.0
Remote network: 192.168.0.0/255.255.0.0

With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) will be routed to Site B, as this range falls within the definition of the remote end of Tunnel C. Any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) will also be routed to Site B, as this range also falls within the definition of the remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its destination; Tunnel A from Site B will ensure this.
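To see why the hub's tunnel definitions use 192.168.0.0/255.255.0.0 as their local network, the following Python model is an added example (not from this guide and not Advanced Firewall code) that treats each tunnel as an IPsec-style pair of selectors and traces a packet from one site's LAN to another's. The site names, tunnel names and network ranges are the ones in the example above; the host addresses and the with_narrow_hub_selectors variant are constructed to show the failure mode when the hub's local selector covers only its own LAN.

```python
"""Trace how the VPN hub in the Extended Site to Site Routing example carries traffic.

Added example, not part of the Smoothwall guide. Each tunnel is modelled as an IPsec-style
pair of selectors (local network, remote network): a packet uses a tunnel only when its
source falls inside the local selector and its destination inside the remote selector.
Site names, tunnel names and networks are the guide's; the host addresses are constructed.
"""
import copy
import ipaddress


def net(cidr):
    """Parse 'addr/prefix' or 'addr/dotted-mask' into a network object."""
    return ipaddress.ip_network(cidr, strict=False)


class Tunnel:
    def __init__(self, name, local, remote, peer):
        self.name = name
        self.local = net(local)    # traffic entering the tunnel must come from here...
        self.remote = net(remote)  # ...and be addressed to here
        self.peer = peer           # site at the other end


# The three sites of the guide's example; Site B is the hub.
SITES = {
    "A": {"physical": net("192.168.10.0/255.255.255.0"),
          "tunnels": [Tunnel("Tunnel A", "192.168.10.0/255.255.255.0", "192.168.0.0/255.255.0.0", "B")]},
    "B": {"physical": net("192.168.20.0/255.255.255.0"),
          "tunnels": [Tunnel("Tunnel A", "192.168.0.0/255.255.0.0", "192.168.10.0/255.255.255.0", "A"),
                      Tunnel("Tunnel C", "192.168.0.0/255.255.0.0", "192.168.30.0/255.255.255.0", "C")]},
    "C": {"physical": net("192.168.30.0/255.255.255.0"),
          "tunnels": [Tunnel("Tunnel C", "192.168.30.0/255.255.255.0", "192.168.0.0/255.255.0.0", "B")]},
}


def select_tunnel(sites, site, src, dst):
    """Pick the tunnel at `site` whose selectors admit (src, dst); the most specific remote wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [t for t in sites[site]["tunnels"] if src in t.local and dst in t.remote]
    if not matches:
        return None
    return max(matches, key=lambda t: t.remote.prefixlen)


def trace(sites, start, src, dst, max_hops=8):
    """Return the path [site, tunnel, site, ...] a packet src->dst takes from `start`,
    or None if some gateway on the way has no tunnel whose selectors admit it."""
    dst_addr = ipaddress.ip_address(dst)
    path, site = [start], start
    for _ in range(max_hops):
        if dst_addr in sites[site]["physical"]:
            return path                      # delivered on this site's own LAN
        tunnel = select_tunnel(sites, site, src, dst)
        if tunnel is None:
            return None                      # dropped: no selector covers this flow
        path += [tunnel.name, tunnel.peer]
        site = tunnel.peer
    return None                              # guard against a routing loop


def with_narrow_hub_selectors(sites=SITES):
    """Constructed variant: the hub's local selectors cover only its own LAN (192.168.20.0/24)
    instead of 192.168.0.0/16, the mistake that the guide's /16 definitions avoid."""
    narrowed = copy.deepcopy(sites)
    for t in narrowed["B"]["tunnels"]:
        t.local = net("192.168.20.0/255.255.255.0")
    return narrowed


if __name__ == "__main__":
    print(trace(SITES, "A", "192.168.10.5", "192.168.30.7"))
    print(trace(with_narrow_hub_selectors(), "A", "192.168.10.5", "192.168.30.7"))
```

For a packet from Site A to Site C, trace returns A, Tunnel A, B, Tunnel C, C. With the hub's local selectors narrowed to 192.168.20.0/24 the same packet still reaches Site B over Tunnel A, but matches no tunnel there because its source address is outside every local selector, so the hub can only forward traffic it originated itself; that is exactly what the /16 local network on Site B's definitions prevents.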

Managing VPN Systems

The following sections document how to:

Control VPNs
Open and close tunnels
Display tunnel logging information
Monitor and report tunnel activity
Update tunnel licensing.

Automatically Starting the VPN System

Advanced Firewall's VPN system can be set to automatically start when the system is booted. This allows road warriors to tunnel in without having to wait for the system to be started. It also allows site-to-site tunnels that are initiated on the Advanced Firewall system to automatically negotiate a site-to-site connection.

To configure automatic start up:

1 Navigate to the vpn > control page.

2 In the Automatic control region, select Start VPN sub-system automatically.

3 Click Save.

Manually Controlling the VPN System

The following sections explain how to start, restart, stop and view the status of the VPN system.

Starting/Restarting the VPN system

To start or restart the VPN system:

1 Navigate to the vpn > control page.

2 Click Restart in the Manual control region.

Stopping the VPN system

To stop the VPN system:

1 Navigate to the vpn > control page.

2 Click Stop in the Manual control region.

Viewing the VPN system status

To view the VPN system status:

1 Navigate to the vpn > control page.

2 Click Refresh in the Manual control region.

3 View the current status from the Current status information field. There are two possible system statuses:

Running: The VPN system is currently operational; tunnels can be connected.
Stopped: The VPN system is not currently operational; no tunnels can be connected.

Viewing and Controlling Tunnels

All configured tunnels can be viewed and controlled from the vpn > control page. There are two possible tunnel statuses:

Open: The tunnel is connected; communication across the tunnel can be made.
Closed: The tunnel is not connected; no communication across the tunnel can be made.

IPSec Subnets

Site-to-site IPSec subnet connections are shown in the IPSec subnets region of the vpn > control page. The information displayed is:

Name: The name given to the tunnel.
Control: Up opens the tunnel connection; Down closes the tunnel connection.
Remote IP: The IP address of the other end of the tunnel.

IPSec Road Warriors

IPSec road warrior connections are shown in the IPSec road warriors region of the vpn > control page. The information displayed is:

Name: The name given to the tunnel.
Control: Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP: The IP address of the local tunnel end.
Remote IP: The IP address of the other end of the tunnel.

L2TP Road Warriors

L2TP road warrior connections are shown in the L2TP Road Warriors region of the vpn > control page. The information displayed is:

Name: The name given to the tunnel.
Control: Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP: The IP address of the local tunnel end.

SSL Road Warriors

SSL road warrior connections are shown in the SSL Road Warriors region of the vpn > control page. The information displayed is:

Username: The name given to the tunnel.
Control: Up opens the tunnel connection; Down closes the tunnel connection.
Internal IP: The IP address of the local tunnel end.
External IP: The IP address of the other end of the tunnel.

VPN Logging
VPN log entries can be found in the information > logs > ipsec page and the information > logs > system page.

VPN Tutorials

The following tutorials cover the creation of the main types of VPN tunnels. The examples build on each other, i.e. the configuration settings in each example build on those of the previous one.

Example 1: Preshared Key Authentication

This first example begins with a simple two-network VPN using shared secrets. The following networks are to be routed together via a VPN tunnel:

We will use Preshared Key authentication initially. This is the easiest to set up.

Configuring Network A

There is no need for a CA or any certificates. Create a tunnel with the following characteristics. We call this tunnel Tunnel 1. Where a parameter is not listed, leave it at its default value:

Parameter               Value
Name                    Tunnel 1
Local network           Set to the opposite end's remote network value.
Local ID type           Local IP
Remote IP or hostname   200.0.0.1
Remote network          192.168.12.0/24
Remote ID type          Remote IP (or ANY if blank Remote IP)
Authenticate by         Preshared Key
Preshared Key           loudspeaker
Preshared Key again     loudspeaker

All other settings can be left at their defaults.

Configuring Network B

Here a single tunnel is created:

Parameter               Value
Name                    Tunnel 1
Local network           Set to the opposite end's remote network value.
Local ID type           Local IP
Remote IP or hostname   100.0.0.1
Remote network          192.168.0.0/24
Remote ID type          Remote IP (or ANY if blank Remote IP)
Authenticate by         Preshared Key
Preshared Key           loudspeaker
Preshared Key again     loudspeaker

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge.

To create the zone bridge:

On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bi-directional.

For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Testing

Restart the VPN system on both ends. Because both ends are set as initiators, the tunnels should come up immediately. If this does not happen, refer to Appendix C, Troubleshooting VPNs on page 363. To actually test that the VPN is routing, ping a host on the remote network from a machine on the local one. You should also be able to connect to servers and desktops on the remote network using your standard tools.

Note: When configuring multiple PSK-based tunnels, use the User specified IP address as the remote system ID type and the remote system external IP in the Remote system ID Value.

Example 2: X509 Authentication

In this example, the same network as used in Example 1 will be used; see Example 1: Preshared Key Authentication on page 175. This time we will improve the setup by using X509 authentication instead of PSK.

Configuring Network A

Network A will be configured to be the Certificate Authority in the system.

Begin by going to the ca page and setting up the CA. In this example, we will list only the required fields. You should, of course, enter values appropriate to your organization:

Parameter      Value
Common Name    Network A Cert Auth
Organization   My Company Ltd

From now on, we will enter My Company Ltd in all Organization fields on the certificates we create.

Next you should export this certificate in PEM format. We will call this file ca.pem, and save it on the local workstation's hard disk. You will need this file later.

Switch to the certificates page, and create the local certificate. It requires ID information:

Parameter      Value
ID Type        Host & Domain name
ID Value       tunnela.mycompany.com
Common Name    Network A Local Cert

The peer (the Network B machine) needs a certificate too:

Parameter      Value
ID Type        Host & Domain name
ID Value       tunnelb.mycompany.com
Common Name    Network B Cert
Organization   My Company Ltd

Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will need to enter the passphrase to encrypt this certificate with; enter it in both boxes. We will call this file tunnelb.p12.

Now on to the tunnels page. Choose the Network A Local Cert certificate to be the Default local certificate, and press Save. We will restart the VPN shortly to make this change active.

The tunnel specification is a little more complex. Here it is:

Parameter               Value
Name                    Tunnel 1
Local network           Set to the opposite end's remote network value.
Local ID type           Default local cert subject alt. name
Remote IP or hostname   200.0.0.1
Remote network          192.168.12.0/24
Remote ID type          Host & Domain name
Remote ID value         tunnelb.mycompany.com
Authenticate by         Certificate presented by peer

Add the tunnel.

Configuring Network B

The first step is to import the certificates.

To import the certificates:

1 On the ca page, import the ca.pem file.
2 On the certificates page, import the tunnelb.p12 file you created earlier. Remember to input the passphrase used to create the export file in both boxes.
3 Choose the certificate Network B Cert as the Default local certificate and click Save.

The tunnel configuration should look like this:

Parameter               Value
Name                    Tunnel 1
Local network           Set to the opposite end's remote network value.
Local ID type           Default local cert subject alt. name
Remote IP or hostname   100.0.0.1
Remote network          192.168.0.0/24
Remote ID type          Host & Domain name
Remote ID value         tunnel.mycompany.com
Authenticate by         Certificate presented by peer

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Testing

As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch of IDs. Check the IDs in the certificates by clicking on them in the certificates page. The ID is the same as the Certificate ID. Examine the log for telltale messages.

Example 3: Two Tunnels and Certificate Authentication

We will now add an additional system, Network C, to the VPN network. We want Network C to be able to access both the Network A subnet and Network B.

In Extended Site to Site Routing on page 171, we explained how to create centralized VPN hubs using extended subnetting. We will use this technique to allow Network B to route to Network C, and vice versa.

Network A Configuration

Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following properties for this certificate:

Parameter      Value
ID Type        Host & Domain name
ID Value       tunnelc.mycompany.com
Common Name    Advanced Firewall C Cert
Organization   My Company Ltd

Modify the existing tunnel to Network B. All settings are unchanged except:

Parameter      Value
Local subnet   192.168.0.0/16

Notice how this subnet mask now covers all subnets in the VPN. Now we create a new tunnel to Advanced Firewall C:

Parameter               Value
Name                    Tunnel 2
Local subnet            192.168.0.0/16
Local ID type           Default local cert subject alt. name
Remote IP or hostname   250.0.0.1
Remote network          192.168.13.0/24
Remote ID type          Host & Domain name
Remote ID value         tunnelc.mycompany.com
Authenticate by         Certificate presented by peer

Network B Configuration

Modify the tunnel as follows:

Parameter       Value
Remote subnet   192.168.0.0/16

Network C Configuration

Import the certificate, and then create the tunnel to Network A:

Parameter               Value
Name                    Tunnel 2
Local ID type           Default local cert subject alt. name
Remote network          192.168.0.0/16
Remote ID type          Host & Domain name
Remote ID value         tunnela.mycompany.com
Authenticate by         Certificate presented by peer
Remote IP or hostname   100.0.0.1

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Testing

Test in the same way as before. After bringing up both tunnels, you should test by pinging a machine on the Network A end from both the Network B and Network C networks. Then you should test that you can route across Network A by pinging a host on the Network C network from the Network B network.

Example 4: IPSec Road Warrior Connection

Now we will add a road warrior, running SafeNet SoftRemote. This road warrior will connect to the Network A gateway. In addition to being able to access the Network A local network (192.168.0.0/24), the road warrior will be able to access Network B and Network C as well.

The road warrior is required to assume an internal IP on Network A's local network, in this case 192.168.0.5:

Network A Configuration

Create a certificate with the following properties:

Parameter      Value
Common Name    IPSec road warrior
Organization   My Company Ltd

Note: No ID is required on this certificate.

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.

Now create the IPSec road warrior tunnel:

Parameter         Value
Name              IPSec road warrior
Local network     192.168.0.0/16
Local ID type     Default local cert subject
Client IP         192.168.0.5
Remote ID type    Remote IP (or ANY if blank Remote IP)
Authenticate by   Certificate provided by peer

SoftRemote Configuration

This tutorial describes setting up the client using a policy template as a shortcut to getting the connection up and running. Full details, including detailed screen shots, are given in Working with SafeNet SoftRemote on page 184.

After installing the client, begin by going to the Certificate Manager and importing the ca.pem and computercert.p12 certificates. In the Security Policy Editor, import the template policy, policytemplate.spd, which is on the installation CD. This policy file contains most of the input fields pre-filled with suitable defaults, and will save a lot of time configuring the client. If you use different settings to those described in this tutorial, compression for example, then you will have to modify those settings.

The following fields need to be filled in after importing the policy template. In road warrior:

Parameter            Value
Gateway IP Address   100.0.0.1
Subnet               192.168.0.0
Mask                 255.255.0.0

In My Identity:

Parameter                     Value
Internal Network IP Address   192.168.0.5

After making the changes, remember to save the Security Policy.

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the IPSec interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Testing

To bring up the connection, the simplest way is to ping a host on the network behind the gateway. After a few retries, you should see the task bar icon change to show a yellow key. This indicates that the tunnel is up. Your client computer will then appear to be connected to the local network behind the VPN gateway. This works both ways; a machine on the local network can connect to the road warrior. You should be able to browse web servers, and so on. Also, because the tunnel covers all three local networks, you should be able to connect to all three.

Example 5: L2TP Road Warrior

This example consists of an additional road warrior client, this time running Microsoft Windows XP and using Microsoft's L2TP road warrior client.

Network A Configuration

Create a certificate with the following properties:

Parameter      Value
Common Name    L2TP road warrior
Organization   My Company Ltd

Note: No ID is required on this certificate.

Export the certificate in PKCS#12 format. We will call this file computercert.p12. You will also need the CA file, ca.pem.

Now create the L2TP road warrior tunnel:

Parameter         Value
Name              L2TP road warrior
Authenticate by   Certificate provided by peer
Client IP         192.168.0.6
Username          road warrior
Password          microphone

L2TP Client Configuration

This tutorial only outlines the process of configuring an L2TP client. For detailed instructions, see Installing an L2TP Client on page 151. Begin by using the SmoothL2TPWizard to import the two certificates. After bringing up the New Connection wizard, the only detail that must be configured is the VPN gateway external address, 100.0.0.1 in this example. In TCP/IP properties, Advanced settings, you can choose to use the remote network as the default gateway for the L2TP client. This option, enabled by default, is required if the client needs to be able to route to the Advanced Firewall B and Advanced Firewall C networks, because the L2TP client does not provide any facilities for setting up remote network masks. In the Connection dialog, enter the username and password as configured on the Advanced Firewall A gateway:

Username   road warrior
Password   microphone

Finally, press the Connect button to initiate a connection to the Advanced Firewall A VPN gateway.

Creating a Zone Bridge

In order for traffic to flow down the tunnel, you must create a zone bridge. On the networking > filtering > zone bridging page, create a zone bridge between the local network and the L2TP interface. If you want traffic to flow in both directions, make the rule bidirectional. For more information, see Chapter 6, Configuring Inter-Zone Security on page 55.

Working with SafeNet SoftRemote

The following sections are a configuration guide for connecting to the Advanced Firewall VPN gateway using SafeNet SoftRemote.

Configuring IPSec Road Warriors

First, create a signed certificate for the road warriors. An ID type is not normally required, although it does no harm to include one when creating the certificate. When connected, each road warrior gets an IP address in a specified local network zone. The IP address should be a previously unused address and unique to the road warrior. Typically, you would choose a group of IP addresses outside of the DHCP range and not used by statically assigned machines such as servers. Each road warrior user will need their own IP address.

On the vpn > IPSec roadwarrior page, the Client IP field is used to input the particular local network IP address. Such an IP address must be in a local network zone and currently unused. Set the Local ID type to Default local cert Subject, and set the Authenticate by setting to the certificate for this road warrior connection. Then add the tunnel. Each road warrior requires their own tunnel, so create as many tunnels as there are road warriors.

When connected, each road warrior client will, to all intents and purposes, be on the local network zone. It will be possible to route to other subnets, including VPN-connected ones. This also means that other machines in the network can see the client, just as if it was plugged in directly.

Note: The same advanced options are available as used when configuring IPSec Subnet VPNs. This includes the encryption settings, and overriding the default local certificate.
SoftRemote

This documentation covers both version 9 and version 10 of this client. Older versions which support Virtual IP addresses should also inter-operate. Specifically, version 8 is known to work as well as version 9. However, you should consider upgrading to at least version 9 because of known security-related problems with version 8.

We also recommend that the LT versions of this software be used, which do not incorporate Zone Alarm. Configuration of Zone Alarm will not be covered in this manual.

NAT-T is handled automatically by this client. No extra configuration is required. Check the log messages in the client to see if NAT-T mode is being used as expected.

Using the Security Policy Template

1 After installation, open the Certificate Manager.
2 In the Root CAs tab, import a CA .PEM from Advanced Firewall.
3 In the My Certificates tab, import a .P12 file. Enter the export password, and a short time later the certificate should appear in the list. Select the certificate, and click Verify (on the right). You should get a message saying the certificate is valid (because the CA certificate is installed) but lacks a CRL (Certificate Revocation List). This indicates the certificate is valid.
4 Next, create a connection in the Security Policy Editor. Open it. To make configuration of this client easier, you may use a Security Policy template that will pre-fill most of the settings with suitable values, saving you the chore of doing it yourself. For completeness, we will also describe how you would set up the client without the policy. Import the Security Policy template, policytemplate.spd, which can be found in the extras folder on the installation CD. After importing this policy, a single connection, named road warrior, will become available.
5 Assuming the Advanced Firewall gateway is using the standard settings for its road warrior clients, i.e. those described above, only a handful of settings must be entered. In the road warrior section:
6 Enter the Remote Subnet, Mask and the gateway's hostname (or IP address).
7 In the My Identity section:
8 Enter the Internal Network IP Address. All other fields will be pre-filled. Obviously, if you are not using standard settings, as described in D.1, then you will have to modify those particular settings. For instance, if you are using compression, then you will have to enable it in the client.
9 Save the settings, and close the Security Policy Editor.
10 To bring up the connection to the Advanced Firewall gateway, you must send it a packet. The easiest way to do this is by pinging a host on the remote network. After a series of Request timed out messages you should start to get packets back, indicating that the VPN is up (you will also notice the system tray icon change).

Creating a Connection without the Policy File

We will now describe how to set up the client without using the security policy template.

Before creating the connection, you must activate a special feature within the client which allows you to specify a local network zone IP address for the client to take when it connects to the VPN gateway.

1 Select Global Policy Settings from the Options menu. A window will appear; tick the box marked Allow to specify internal network address.
2 Now go back to the tree control on the left and choose the New Connection node. You can rename this to something more appropriate, like road warrior. In this node, configure the remote Subnet address and Mask.
3 Choose Secure Gateway Tunnel from the Connect using drop-down list, and select an ID Type of Any. You should then enter either a Gateway IP Address or Gateway Hostname.
4 Next, move to the My Identity node. Select the certificate you imported earlier. The default ID type, Distinguished Name (another term for the subject of a certificate), will suffice. Virtual adapter should be disabled, and Internet Interface set to Any.
5 In the Internal network IP, enter the local network zone IP address (the Client IP) that was specified when the tunnel was created.
6 Create a new Phase 1 security policy: select 3DES encryption, and MD5 as the hashing algorithm. Set the key group to 5, and choose a SA Life of 3000 seconds. This time period has to be less than the equivalent setting in the Advanced Firewall, which defaults to 60 minutes (3600 seconds). This is necessary to ensure the tunnel is always re-keyed.
7 Finally, create a Phase 2 security policy, again with 3DES and MD5, in tunnel mode. Tick the ESP box. On this page you can select compression or not, as well as key life settings. Once again, set the SA Life to 3000 seconds.

Test as before, by initiating a connection to a host on the Remote Network. Diagnostic logs are available through the tool bar icon.

Advanced Configuration

Using the configuration previously described, the selected certificate will be required by the client in order to obtain a connection. This method is usually desired, but in other cases an Authenticate by setting of Certificate provided by peer can be more useful, especially if the client certificates are not installed on the VPN gateway server.

It is also possible to restrict (or extend) the hosts that the road warrior can access on the local network zone. This is done by adjusting the Local network parameter in the tunnel configuration. For example, if you wish to restrict the connected road warriors so that they can only contact a specific IP address, for example 192.168.2.10, then you could set the Local network parameter to 192.168.2.10/32. Note that this setting is a network address, so you must always specify a network mask, even if that network mask covers only a single host. If the VPN server the road warrior connects to is routed onto other networks such as subnet VPNs or other local network zones, the Local network setting can likewise be expanded to cover them.

Visit https://support.smoothwall.net/ for information on setting up other clients.
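An added example (not Smoothwall code) that models two selector rules from this chapter in Python: the mirrored Local/Remote network values that Example 3's extended subnetting relies on to route Network B to Network C through Network A, and the masked Local network parameter described under Advanced Configuration. The tunnel definitions are constructed from Example 3's values; Network C's Local network (192.168.13.0/24) is assumed from Network A's Tunnel 2 Remote network, and selector matching is modelled as plain subnet containment.

```python
"""Added example (not Smoothwall code) modelling IPSec selector rules from
this chapter: mirrored Local/Remote networks (Example 3's extended
subnetting through Network A) and the masked Local network parameter
(Advanced Configuration). Tunnel definitions below are constructed from
Example 3's values; selector matching is modelled as subnet containment."""
import ipaddress
from typing import Optional


def parse_network(value: str) -> ipaddress.IPv4Network:
    """Accept a Local/Remote network value only when it carries a mask,
    as the text requires (192.168.2.10/32 for a single host)."""
    if "/" not in value:
        raise ValueError(f"{value!r}: a network address needs a mask (use {value}/32 for one host)")
    # strict=True rejects host bits set under the mask, e.g. 192.168.2.10/24.
    return ipaddress.ip_network(value, strict=True)


def mirrored(end_a: dict, end_b: dict) -> bool:
    """Two tunnel ends agree when each end's Local network is the other's
    Remote network ("set to the opposite end's remote network value")."""
    return (parse_network(end_a["local"]) == parse_network(end_b["remote"])
            and parse_network(end_a["remote"]) == parse_network(end_b["local"]))


def tunnel_for(tunnels: list, src: str, dst: str) -> Optional[str]:
    """Name of the first tunnel whose Local network holds src and whose
    Remote network holds dst; None when no selector covers the pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in tunnels:
        if s in parse_network(t["local"]) and d in parse_network(t["remote"]):
            return t["name"]
    return None


def path_via_hub(spoke_tunnels: list, hub_tunnels: list, src: str, dst: str):
    """Trace spoke-to-spoke traffic: the spoke's tunnel carries it to the hub
    (its /16 Remote network covers the whole VPN), then the hub's tunnel whose
    Remote network holds dst carries it on. Returns the two tunnel names or None."""
    first = tunnel_for(spoke_tunnels, src, dst)
    second = tunnel_for(hub_tunnels, src, dst)
    if first is None or second is None:
        return None
    return (first, second)


def road_warrior_can_reach(local_network: str, host: str) -> bool:
    """Whether a host lies inside a road warrior tunnel's Local network
    (restricting it to 192.168.2.10/32 allows that one host only)."""
    return ipaddress.ip_address(host) in parse_network(local_network)


# Constructed from Example 3: Network A is the hub with both tunnels.
HUB_A = [
    {"name": "Tunnel 1", "local": "192.168.0.0/16", "remote": "192.168.12.0/24"},
    {"name": "Tunnel 2", "local": "192.168.0.0/16", "remote": "192.168.13.0/24"},
]
# Spokes: Local network is the hub's Remote network for that spoke (Network C's
# 192.168.13.0/24 is assumed from Network A's Tunnel 2), Remote subnet is the /16.
SPOKE_B = [{"name": "Tunnel 1", "local": "192.168.12.0/24", "remote": "192.168.0.0/16"}]
SPOKE_C = [{"name": "Tunnel 2", "local": "192.168.13.0/24", "remote": "192.168.0.0/16"}]

if __name__ == "__main__":
    print("A<->B mirrored:", mirrored(HUB_A[0], SPOKE_B[0]))
    print("B -> C:", path_via_hub(SPOKE_B, HUB_A, "192.168.12.20", "192.168.13.30"))
    print("RW /32 reaches .11:", road_warrior_can_reach("192.168.2.10/32", "192.168.2.11"))
```

A spoke left with the Example 1 value 192.168.0.0/24 as its Remote network is what the mismatch case in `mirrored` catches; that is the configuration the Example 3 Network B step changes.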

Chapter 10

Email Settings
In this chapter: Overview of Advanced Firewall's email pages and settings.

SMTP Settings
Advanced Firewall's SMTP settings enable you to configure email relaying using SMTP. For more information on SMTP in general, see Appendix D, Email Protocols on page 367. The following sections document the settings available.

SMTP Relay Settings

To access SMTP relay settings:

1 Navigate to the email > smtp > relay page.
2 Click Advanced to view all settings.

The following settings control email relaying:

Setting                          Description
Enable mail relay                Select to activate relaying after configuring incoming and outgoing relaying.
Maximum email size               Used to specify the maximum email size, in MB, that Advanced Firewall will accept. Any emails above this limit will be rejected. Min = 1 MB, Default = 10 MB, Max = Unlimited.
Maximum bounce size              Specifies the maximum size of an email which is used in a bounce email. Min = 10 KB, Default = 10 KB, Max = Unlimited.
Time to hold undeliverable mail  Used to specify the amount of time an email will be held in the queue if it cannot be sent. Advanced Firewall will periodically attempt to re-send all email that is held in the queue. Min = 5 hours, Default = 5 days, Max = 5 days.
Enable transparent SMTP relay    Capture outgoing email and relay it through Advanced Firewall.

Anti-malware Settings

Advanced Firewall can scan relayed email for malware and take appropriate action as specified by the anti-malware settings configured here.

Setting                        Description
Enable anti-malware scanning   Activates anti-malware scanning for relayed email.
Action to perform on malware   Determines what to do if malware is found in relayed email:
  Drop (discard) email         Discard the email, without notifying the sender or intended recipient.
  Bounce email (warn sender)   Return the email to the sender, along with a warning message.
  Neutralize email             Send a warning email to the recipient, with the original email as an attachment.
  Allow email delivery         Allow the email to be delivered; the malware will be logged.

Transparent SMTP Interfaces Settings

If you select the Enable transparent SMTP relay option (see SMTP Relay Settings on page 191), you must select at least one internal interface to proxy the traffic.

Setting             Description
Interface name      Specify which interface(s) SMTP traffic will be transparently captured from.
IP exception list   Enter any IP addresses, subnets or ranges that should not be transparently proxied.

Once SMTP traffic has been captured, Advanced Firewall will apply all anti-malware and anti-spam checks that are enabled, and relay the email accordingly. Outgoing SMTP traffic will be queued and relayed as if the client had sent the email directly to Advanced Firewall.

External Mail Relay

By default, Advanced Firewall will attempt to deliver all outbound email directly to the appropriate server. However, using the settings below you can configure Advanced Firewall to relay all outgoing email to another mail relay.

Setting             Description
Enable relay host   Select to enable Advanced Firewall to send outgoing email to another relay within an existing email infrastructure.
Relay host          The IP address or hostname of the relay.
Username            The username, if required by the remote relay.
Password            The password, if required by the remote relay.

Non-standard SMTP Checking

Non-standard SMTP checking options enable Advanced Firewall to check email which does not adhere to the SMTP message format and contains badly formatted or bogus information about the sender and/or recipient.

Note: In order for the non-standard SMTP checks to work, Advanced Firewall must be operating as the MX record for the recipient domain. To alter your domain's MX record, you will need to access your domain's DNS server settings. Refer to your email server documentation and/or your email provider to find out how to alter the MX record. It should be set to your Smoothwall System's external IP address.

Setting                          Description
Use strict HELO checks           Ensure validity of the initial communication between a connecting SMTP client and the Advanced Firewall email relay.
Sender domain validity           Check that the sender domain is formatted correctly and has a real IP address.
Recipient domain validity        Check that all recipient domains are formatted correctly and have real IP addresses.
External sender domain spoofing  Check if the sender of incoming email is falsely using an internally relayed domain in their from address. Emails are rejected if the sender's email address purports to be from a domain listed on the incoming page, but the sender's IP address cannot be found on the outgoing page.
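The sender domain validity, recipient domain validity and external sender domain spoofing checks from the table above, modelled as an added example in Python (not Smoothwall's code). The internal domains list, the outgoing relay list and DNS resolution are all constructed stand-ins so the example runs offline; the strict HELO check is not modelled.

```python
"""Added example (not Smoothwall code): a model of the relay's sender domain,
recipient domain and external sender spoofing checks, run over constructed
SMTP envelopes. The internal domains and outgoing relay tables are constructed
lists, and DNS is replaced by a constructed set of resolvable names."""
import ipaddress
import re

# Constructed stand-in for the email > smtp > internal domains page.
INTERNAL_DOMAINS = {"mycompany.com", "smoothwall.net"}

# Constructed stand-in for the email > smtp > outgoing page: IPs or subnets
# allowed to relay outbound mail through the gateway.
OUTGOING_RELAY = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.10.10/32"),
]

# Constructed stand-in for DNS: domains that resolve to a real address.
RESOLVABLE = {"mycompany.com", "smoothwall.net", "example.org"}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def domain_is_well_formed(domain: str) -> bool:
    """Syntax check on a domain name: dotted, valid labels, sane length."""
    if not domain or len(domain) > 253 or "." not in domain:
        return False
    return all(_LABEL.match(label) for label in domain.split("."))


def domain_of(address: str) -> str:
    """Domain part of user@host, lower-cased; '' when the address has no domain."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep and local else ""


def sender_domain_valid(mail_from: str, resolvable=RESOLVABLE) -> bool:
    """Sender domain validity: well formed and resolves to a real address."""
    d = domain_of(mail_from)
    return domain_is_well_formed(d) and d in resolvable


def recipient_domains_valid(rcpt_to, resolvable=RESOLVABLE) -> bool:
    """Recipient domain validity: every recipient domain well formed and resolvable."""
    domains = [domain_of(r) for r in rcpt_to]
    return bool(domains) and all(domain_is_well_formed(d) and d in resolvable for d in domains)


def is_spoofed_internal_sender(mail_from: str, client_ip: str) -> bool:
    """External sender domain spoofing: the sender claims an internal domain, but
    the connecting client is not on the outgoing (allowed relay) list."""
    d = domain_of(mail_from)
    if d not in INTERNAL_DOMAINS:
        return False
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in OUTGOING_RELAY)


def relay_decision(envelope: dict) -> str:
    """Return 'accept' or 'reject: <reason>' for one envelope, checks in order."""
    if not sender_domain_valid(envelope["mail_from"]):
        return "reject: sender domain invalid"
    if not recipient_domains_valid(envelope["rcpt_to"]):
        return "reject: recipient domain invalid"
    if is_spoofed_internal_sender(envelope["mail_from"], envelope["client_ip"]):
        return "reject: external sender spoofing internal domain"
    return "accept"


# Constructed envelopes: outbound mail from the LAN, inbound mail from the
# Internet, an Internet host forging an internal domain, and a malformed sender.
SAMPLE_ENVELOPES = [
    {"client_ip": "192.168.0.42", "mail_from": "alice@mycompany.com", "rcpt_to": ["bob@example.org"]},
    {"client_ip": "203.0.113.7", "mail_from": "carol@example.org", "rcpt_to": ["alice@mycompany.com"]},
    {"client_ip": "203.0.113.7", "mail_from": "ceo@mycompany.com", "rcpt_to": ["alice@mycompany.com"]},
    {"client_ip": "203.0.113.9", "mail_from": "x@bad_domain", "rcpt_to": ["alice@mycompany.com"]},
]

if __name__ == "__main__":
    for env in SAMPLE_ENVELOPES:
        print(env["client_ip"], env["mail_from"], "->", relay_decision(env))
```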

Internal Domains

On the internal domains page, you specify which incoming email messages will be accepted and relayed by Advanced Firewall. Only messages to addresses whose domain names are listed here will be accepted by Advanced Firewall.

To access settings:

Navigate to the email > smtp > internal domains page.

The following settings are available:

Setting/field           Description
Domain to relay for     The name of the domain that Advanced Firewall will accept email for. For example, for Advanced Firewall to accept email for people at Smoothwall, enter: smoothwall.net
Relay IP                The IP address of the email server that the incoming email is relayed to. In most cases this will be an internal IP, usually the email server behind your Smoothwall System.
Anti-malware scanning   Activates anti-malware scanning for email accepted by Advanced Firewall for the specified domain.
Append footers          Appends the text entered in the email > content > footers page to all outgoing email except HTML and signed email. Note: HTML emails are normally sent in two parts: an HTML part and a text part. The footer will be appended to the text part even if the Append to HTML emails option is selected.
Comment                 A useful description for a particular domain, for example, Inbound relay domain for smoothwall.net.
Enabled                 Enables incoming email relaying for the specified domain.
Current domains         Lists the domains for which Advanced Firewall will accept and relay email.

Outgoing

On the outgoing page, you specify which IP addresses or subnets of machines on the local network are allowed to relay mail through Advanced Firewall.

To access outgoing relay settings:

Navigate to the email > smtp > outgoing page.

The following outgoing relay email settings are available:

Setting/field                Description
IP or subnet to relay from   The IP address or subnet of machines on the local network that are to be allowed to relay mail through Advanced Firewall. For example: 192.168.10.10
Comment                      A useful description for a particular IP or subnet, for example, Outbound relaying for smoothwall.net.
Enabled                      Select to enable outbound email relaying for the specified IP or subnet.
Current allowed addresses    Lists the addresses from which outgoing email can be sent.

Archiving

On the archiving page you specify what email you want archived, based on domain information or a specific email address, matched by sender or recipient.

To access archiving settings:

Navigate to the email > smtp > archiving page.

The following archiving settings are available:

Setting/field             Select to/enter:
Match domain or address   Specify either a domain or an email address to match.
Archive address           Specify the email address that matched email is forwarded to.
Match recipient           Specify that matching of the domain or address should be performed against the recipient's email address.
Match sender              Specify that matching of the domain or address should be performed against the sender's email address.
Comment                   A useful description for a match rule, for example, email archiving for company domain.
Enabled                   Used to enable email archiving for the archive rule.
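How the archiving fields above combine into a match decision, as an added example in Python (not Smoothwall's code): rules and messages are constructed dictionaries mirroring the page's fields, and a bare domain pattern is taken to match addresses at exactly that domain, which is this example's choice rather than documented behaviour.

```python
"""Added example (not Smoothwall code): evaluates archiving rules of the kind
entered on the email > smtp > archiving page against constructed messages and
returns the archive address(es) a copy would be forwarded to. A bare domain
pattern matches addresses at exactly that domain (this example's assumption)."""


def matches(pattern: str, address: str) -> bool:
    """A pattern is either a full email address or a bare domain (case-insensitive)."""
    pattern, address = pattern.lower(), address.lower()
    if "@" in pattern:
        return address == pattern
    return address.rpartition("@")[2] == pattern


def archive_targets(message: dict, rules: list) -> set:
    """Archive addresses of every enabled rule that matches the message.

    A rule with neither Match recipient nor Match sender ticked never fires."""
    targets = set()
    for rule in rules:
        if not rule["enabled"]:
            continue
        sender_hit = rule["match_sender"] and matches(rule["match"], message["sender"])
        recipient_hit = rule["match_recipient"] and any(
            matches(rule["match"], r) for r in message["recipients"])
        if sender_hit or recipient_hit:
            targets.add(rule["archive_address"])
    return targets


# Constructed rules, one per row of the archiving page.
RULES = [
    {"match": "mycompany.com", "archive_address": "archive@mycompany.com",
     "match_recipient": True, "match_sender": True,
     "comment": "email archiving for company domain", "enabled": True},
    {"match": "legal@mycompany.com", "archive_address": "legal-hold@mycompany.com",
     "match_recipient": True, "match_sender": False,
     "comment": "keep everything sent to legal", "enabled": True},
    {"match": "example.org", "archive_address": "old-archive@mycompany.com",
     "match_recipient": True, "match_sender": True,
     "comment": "rule kept but switched off", "enabled": False},
]

# Constructed messages (envelope sender and recipients only).
SAMPLE_MESSAGES = [
    {"sender": "alice@mycompany.com", "recipients": ["bob@example.org"]},
    {"sender": "carol@example.org", "recipients": ["legal@mycompany.com"]},
    {"sender": "carol@example.org", "recipients": ["dave@example.org"]},
    {"sender": "mallory@notmycompany.com", "recipients": ["dave@example.org"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["sender"], "->", msg["recipients"], archive_targets(msg, RULES) or "not archived")
```

The last message shows why exact-domain matching matters: a lookalike domain ending in the company name does not match the company rule.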

The Email Queue

On the email queue page you can view summary information and statistics about the email relay queue. You can also flush the queue.

To access the queue:

Navigate to the email > smtp > queue page.

The Summary area contains the following information/options:

Information/option            Description
Mails in queue                The total number of email messages waiting in the queue.
Total size of queue           The amount of data in KB currently held in the queue.
Number of unique senders      The total number of unique senders for all email messages in the queue.
Number of unique recipients   The total number of unique recipients for all email messages in the queue.
Manually flush mail queue     Requests that Advanced Firewall attempt to re-send all queued email.
Refreshing page               Updates the page and displays the current status of the queue.

The mail queue viewer provides a view of all email currently waiting in the queue.

POP3 Proxy
On the pop3 proxy page, you enable and configure transparent POP3 proxying. Advanced Firewall's transparent POP3 proxying captures POP3 traffic without the user's knowledge, and automatically scans it for malware, viruses and unsolicited content. This ensures that email downloaded from POP3 servers is subjected to scanning without requiring every employee to install expensive email anti-malware software on their workstations. For general information on POP3, see Appendix D, About POP3 on page 368.
To access POP3 proxy settings:

Navigate to the email > pop3 > proxy page.

POP3 Proxy Configuration

Enable transparent POP3 proxy: Enables the transparent POP3 proxy.

Anti-malware

Enable anti-malware scanning: Enables anti-malware scanning on relayed email.

Customize Malware Message

Here you specify what information should be displayed in any malware alerts sent by Advanced Firewall.

Show malware name: The malware name in the body of the email alert.
Show sender address: The sender's email address.
Show recipient address: The recipient's email address.
Show date: The date that the email was sent.
Show subject: The subject of the email.
Show connection data: The IP addresses of both the client connecting to download email and the POP3 server.

Interfaces
Here you set which internal interfaces will transparently proxy POP3 traffic.

Interface name: Select the interfaces on which you wish to proxy POP3 traffic.

Note: You must select at least one internal interface for the POP3 proxy to work.

IP exception list

IP addresses allowed to download email via POP3 without being proxied.

Content
Advanced Firewall's content pages manage email footer information and attachments.

Footers
You configure footer content settings, such as standard email disclaimers, on the footers page.
To access the footer settings:

Navigate to the email > content > footers page.

The following settings are available:

Append to HTML emails: When enabled, this option appends the text entered in the text box below to outgoing HTML email messages.

Append to signed emails: This option appends the text entered in the text box below to outgoing email messages which have a digital signature attached. When you select this option, the footer is appended to signed emails in a way which maintains the fingerprint.

Per-domain footers

The settings here enable you to specify which footer to use with which domain.

Internal domain: From the drop-down list, select the domain and click Select. If a domain does not have a specific footer, the default domain is used.

Append the following text to outgoing email: Enter the footer text you want to append.

Attachments
You configure how Advanced Firewall handles relayed email attachments on the attachments page.
To access attachment settings:

Navigate to the email > content > attachments page.

The following settings are available:

Remove All: Removes all attachments from relayed email.
Compressed archives: Removes compressed attachments, such as tar and zip files, from relayed email.
Executables: Removes files that can be executed, such as msi and exe files, from relayed email.
Vector graphics: Removes vector graphic files, such as svg and wmf files, from relayed email.
Time and bandwidth wasting: Removes files deemed to contain time wasting content, such as iso and p2p files, from relayed email.
Music and audio: Removes files containing music and audio, such as midi and mp3 files, from relayed email.
Documents capable of macros: Removes files that can run macros, such as doc and xls files, from relayed email.
Video: Removes files containing video, such as mov and mpeg files, from relayed email.
Standard Web content: Removes files containing Web content, such as asp and php files, from relayed email.

Anti-spam
Advanced Firewall's anti-spam service manages spam filtering.
To access the anti-spam page:

Navigate to the email > anti-spam > anti-spam page.

The following sections document Advanced Firewall's anti-spam settings.

SMTP Anti-spam Settings


The following anti-spam settings are available for relayed email:

Enable spam filtering: Select to enable spam filtering for relayed email.

Action to perform on spam: Determines what Advanced Firewall should do with relayed email deemed to be spam. The options are:
Drop (discard) email: Discard the email; discarded email is not relayed.
Redirect mailbox: Send the email to the mailbox specified in the Redirect mailbox field.
Mark subject as spam: Add ***SPAM*** to the subject of the email and relay it.
Allow email delivery: Relay the email and take no action.
Note: All of the actions above are transparent to the sender; that is, no rejection notices are sent. This is because it is a common spammer tactic to harvest email addresses by sending known bad email and awaiting the rejection notices. Rejection notices not only confirm email addresses as valid, they also inform spammers which anti-spam system you have in place. Therefore, Advanced Firewall does not provide options for sender notification for spam.

Apply action above spam score: Advanced Firewall calculates a statistical probability that the email it is scanning is spam. The probability of a message being spam varies, and the options here enable you to customize the level at which an email will be treated as spam. Various refinements to the algorithm used by Advanced Firewall to optimize for speed or resources will affect the accuracy of this probability. For most configurations, we recommend a spam threshold of 80%; that is, email which is more than 80% likely to be unwanted will be treated as spam. Select the threshold above which email will be considered spam:
90: The most easily identified spam will be filtered out, but a significant amount of spam may be allowed through.
50-80: Messages likely to be spam will be filtered out, which means some non-spam messages may also be caught.
30-40: Messages that are possibly spam will be filtered out, and non-spam messages are likely to be caught.
10: Spam filtering is very aggressive. Non-spam messages are as likely to be caught as spam messages.
Note: When using the Spam check optimization mode: Most accurate option, see below, we recommend that you set the spam threshold to 90.

Redirect mailbox: Enter the address of the mailbox you want to redirect email to.


POP3 Anti-spam Settings


The following anti-spam settings are available for POP3 email:

Enable spam filtering: Select to enable spam filtering for POP3 email.

Action to perform on spam: Determines what to do with POP3 email deemed to be spam. The options are:
Replace spam with warning: Send an automatic warning to the recipient and do not send the email.
Mark subject as spam: Add ***SPAM*** to the subject of the email and deliver it.
Allow email delivery: Deliver the email and take no action.
Note: All of the actions above are transparent to the sender; that is, no rejection notices are sent. This is because it is a common spammer tactic to harvest email addresses by sending known bad email and awaiting the rejection notices. Rejection notices not only confirm email addresses as valid, they also inform spammers which anti-spam system you have in place. Therefore, Advanced Firewall does not provide options for sender notification for spam.

Spam threshold: Advanced Firewall calculates a statistical probability that the email it is scanning is spam. The probability of a message being spam varies, and the options here enable you to customize the level at which an email will be treated as spam. Various refinements to the algorithm used by Advanced Firewall to optimize for speed or resources will affect the accuracy of this probability. For most configurations, we recommend a spam threshold of 80%; that is, email which is more than 80% likely to be unwanted will be treated as spam. Select the threshold above which email will be considered spam:
90: The most easily identified spam will be filtered out, but a significant amount of spam may be allowed through.
50-80: Messages likely to be spam will be filtered out, which means some non-spam messages may also be caught.
30-40: Messages that are possibly spam will be filtered out, and non-spam messages are likely to be caught.
10: Spam filtering is very aggressive. Non-spam messages are as likely to be caught as spam messages.
Note: When using the Spam check optimization mode: Most accurate option, see below, we recommend that you set the spam threshold to 90.

Tuning
The following tuning settings are available for spam filtering:

Spam check optimization mode: Fine-tune how Advanced Firewall's anti-spam service uses system resources.
Note: Due to the transient nature of email, the time taken to scan an individual email is often considered immaterial. We strongly recommend that accuracy options only be decreased in favour of speed in order to alleviate specific bursts of traffic or increase throughput on loaded networks.
The following options are available:
Most Accurate: This option filters spam very accurately. Advanced Firewall will bypass the global fingerprint cache and check each email against the latest spam filter information. This can introduce network latency and decrease performance; however, it is the most resilient to bursts of spam traffic across the Internet.
More Accurate: This option filters spam accurately. This option has the same advanced parsing options as the most accurate option but uses a global fingerprint cache to allow for a local comparison to alleviate the network latency of the most accurate option.
Note: This option offers high levels of accuracy at increased speed, but requires more memory and system resources.
Less Resources: This option provides moderate levels of spam filtering by using a wide range of spam processing options but omitting the more memory intensive scanning options.
Least Resources: This option provides reasonable levels of spam filtering by using a range of options which tend to provide the most accurate determination of spam whilst using the smallest amount of system resources.
Note: This option is only recommended for machines which have limited system resources or memory, or are heavily loaded.
Fastest: This option provides moderate levels of spam filtering by omitting the more time intensive scanning methods. Each email is scanned briefly against a set of rules which provide a more immediate appraisal of an email. This option omits any network checking to avoid latency and any labour or processing intensive scanning.
Faster: This option provides limited spam checking abilities as emails are subjected to only a limited subset of spam recognition techniques. Scanning techniques which are either time-intensive or prone to network latency are omitted in order to provide the highest possible throughput.
Note: This option is only recommended for systems which are heavily loaded and should therefore avoid any intensive activity.

Rule update frequency: Determines how often Advanced Firewall checks for spam rule updates.

Scan attachments: Select if Advanced Firewall should scan email attachments for spam.
Note: Email is one of the Internet's oldest protocols and has been adapted many times to allow for attachments and HTML emails. In order for these emails to be properly scanned, we recommend that Advanced Firewall be configured to scan attachments.

Home Regions

Home region: Here you can specify regions from which Advanced Firewall scores email less aggressively for spam. You can select from the following regions:
Australia and Oceania
Asia
European Union
Europe
South America
North America

SMTP Graylisting
Graylisting is an anti-spam feature designed to detect messages that have not been sent by a genuine email server.
Note: In order for graylisting to work, Advanced Firewall must be operating as the MX record for the recipient domain. To alter your domain's MX record you will need to access your domain's DNS server settings. Refer to your email server documentation and/or your email provider to find out how to alter the MX record. It should be set to your Smoothwall System's external IP address. Only incoming email will be graylisted; outgoing email will be allowed automatically.
To understand how graylisting works, it is necessary to understand how email sent by a spammer differs from that sent by a genuine email server. Most email servers employ a re-send mechanism to try and deliver any failed messages. This approach ensures that the email server pro-actively manages email delivery, and does not annoy users simply because of an intermediary network failure or temporary email server outage. Most spammers will not go to the trouble of re-sending mails that have been rejected; they are mostly concerned with the volume of spam that they can send to easy targets. Graylisting uses this to its advantage by initially rejecting all incoming email. If the remote SMTP client retries after a short while, the email is allowed because it most likely originates from a genuine sender. All senders deemed genuine are added to the graylist, and are not subjected to initial blocking for subsequent mails.

Enable graylisting: Provides spam protection by detecting messages that have not been sent by a genuine email server.

Graylist delay (minutes): From the drop-down list, select the time in minutes that must pass before resent incoming email will be relayed.

Maximum age (weeks): From the drop-down list, select the time in weeks that a graylisted sender will remain on the graylist. After this time has elapsed, the sender will again be subjected to an initial block. In most cases, senders will be re-added to the graylist because their email server will employ its re-send mechanism again.
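The following is an added illustration of the graylisting decision described above, not Smoothwall's code. It models the two settings in the table (delay and maximum age) and the rule that only incoming email is graylisted. Two details are assumptions, since the guide does not state them: the list is keyed on the (client IP, sender, recipient) triplet, and a sender's entry is aged from the moment it was first accepted.

```python
"""Greylisting decision logic, written to illustrate the mechanism described
in the guide. Added example, not Smoothwall's code. Assumptions: the list is
keyed on the (client IP, sender, recipient) triplet, and an allowed entry is
dated from when the sender was first accepted."""
from dataclasses import dataclass, field

MINUTE = 60
WEEK = 7 * 24 * 60 * 60


@dataclass
class Greylist:
    delay: int = 5 * MINUTE          # "Graylist delay (minutes)"
    max_age: int = 4 * WEEK          # "Maximum age (weeks)"
    # triplet -> time of the first (temporarily rejected) attempt
    pending: dict = field(default_factory=dict)
    # triplet -> time the sender was first accepted onto the greylist
    allowed: dict = field(default_factory=dict)

    def check(self, client_ip: str, sender: str, recipient: str,
              now: int, outgoing: bool = False) -> str:
        """Return 'accept' or 'tempfail'.

        'tempfail' stands for the SMTP 4xx temporary rejection a real MTA
        would send: a genuine server queues the message and retries, while
        a bulk sender that never retries never gets through.
        """
        if outgoing:
            return "accept"          # only incoming email is greylisted
        key = (client_ip, sender.lower(), recipient.lower())

        accepted_at = self.allowed.get(key)
        if accepted_at is not None:
            if now - accepted_at < self.max_age:
                return "accept"      # known-good sender, no initial block
            del self.allowed[key]    # entry expired: initial block applies again

        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now  # first attempt: always rejected
            return "tempfail"
        if now - first_seen < self.delay:
            return "tempfail"        # retried before the delay elapsed
        del self.pending[key]
        self.allowed[key] = now      # retry after the delay: genuine sender
        return "accept"


def simulate(greylist: Greylist, attempts) -> list:
    """Run a sequence of (time, client_ip, sender, recipient) attempts and
    return the decision for each one, in order."""
    return [greylist.check(ip, s, r, t) for t, ip, s, r in attempts]


if __name__ == "__main__":
    # Constructed sample traffic: a real MTA retries after 10 minutes,
    # a bulk sender tries once and never comes back.
    g = Greylist(delay=5 * MINUTE, max_age=4 * WEEK)
    real_mta = [(0, "198.51.100.9", "ann@example.org", "bob@example.net"),
                (10 * MINUTE, "198.51.100.9", "ann@example.org", "bob@example.net")]
    one_shot = [(0, "203.0.113.50", "promo@example.com", "bob@example.net")]
    print(simulate(g, real_mta))     # ['tempfail', 'accept']
    print(simulate(g, one_shot))     # ['tempfail']
```

The retry-too-soon branch matters in practice: a sender that hammers the server every few seconds is not treated as genuine until the configured delay has actually elapsed, which is what makes the delay setting a meaningful control rather than a formality.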

SMTP RBL Checks

Remote Blackhole Listing (RBL) checking blocks email originating from well-known spammers. RBL blocklists are compiled by various organizations on the Internet.

User defined RBL (comma separated): Enter the hostnames, separated by commas, of RBL blocklists that you wish Advanced Firewall to use.

SMTP Automatic Whitelisting

Enabled: With automatic whitelisting enabled, any email sent through Advanced Firewall will be added to the white list.
Note: Advanced Firewall matches partial domains. If a domain like nhs.gov.uk is added to a whitelist, then all emails such as user@southampton.nhs.gov.uk and bob@leeds.nhs.gov.uk will be matched. This extends all the way up to a single domain, like uk.

Number of current entries: Displays the number of entries on the automatic white list.

Clear automatic whitelisted address list: Click to clear the automatic whitelisted address list.

SMTP White-list Spam Addresses

Here you can define senders and recipients that Advanced Firewall should accept as not being associated with spam.
Note: Advanced Firewall matches partial domains. If a domain like nhs.gov.uk is added to a whitelist, then all emails such as user@southampton.nhs.gov.uk and bob@leeds.nhs.gov.uk will be matched. This extends all the way up to a single domain, like uk.

Sender addresses and domains: Enter the email addresses and domains of email senders whose messages Advanced Firewall should always accept.

Recipient addresses and domains: Enter the email addresses and domains of recipients of messages Advanced Firewall should always accept.

SMTP Black-list Spam Addresses

Here you can define sender and recipient information that Advanced Firewall should treat as spam.
Note: Advanced Firewall matches partial domains. If a domain like nhs.gov.uk is added to a blacklist, then all emails such as user@southampton.nhs.gov.uk and bob@leeds.nhs.gov.uk will be matched. This extends all the way up to a single domain, like uk.

Sender addresses and domains: Enter the email addresses and domains of email senders whose messages Advanced Firewall should always treat as spam.

Recipient addresses and domains: Enter the email addresses and domains of recipients of messages Advanced Firewall should always treat as spam.
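The partial-domain note above (shared by the whitelist and blacklist sections) and the Archiving section's match-by-sender-or-recipient rules both come down to the same question: does an entry match a given address? The following is an added example, not Smoothwall's code, of that matching done on whole domain labels, so that nhs.gov.uk matches bob@leeds.nhs.gov.uk and uk matches everything under .uk, but nhs.gov.uk does not match x@bnhs.gov.uk the way a plain string-suffix test would. The ArchiveRule field names are assumed stand-ins for the Match domain or address, Archive address, Match sender, Match recipient and Enabled settings.

```python
"""Address and domain matching for archive, whitelist and blacklist rules.
Added example, not Smoothwall's code. Matching is done on whole labels,
which is my reading of the guide's 'matches partial domains' note."""
from dataclasses import dataclass


def normalise(address: str) -> str:
    return address.strip().lower()


def domain_of(address: str) -> str:
    """Domain part of an email address; a bare domain is returned unchanged."""
    addr = normalise(address)
    return addr.rpartition("@")[2] if "@" in addr else addr


def domain_matches(rule_domain: str, address: str) -> bool:
    """True if the address's domain is rule_domain or a subdomain of it.

    Comparing on label boundaries ('.' + rule) is what stops a rule for
    nhs.gov.uk from also matching bnhs.gov.uk.
    """
    rule = normalise(rule_domain).lstrip("@").strip(".")
    dom = domain_of(address)
    return dom == rule or dom.endswith("." + rule)


def entry_matches(entry: str, address: str) -> bool:
    """A list entry is a full address (contains '@') or a domain."""
    entry = normalise(entry)
    if "@" in entry:
        return entry == normalise(address)
    return domain_matches(entry, address)


def first_match(entries, address: str):
    """Entry from a whitelist/blacklist that matches the address, else None."""
    for entry in entries:
        if entry_matches(entry, address):
            return entry
    return None


@dataclass
class ArchiveRule:              # assumed field names for the archiving settings
    pattern: str                # Match domain or address
    archive: str                # Archive address (the BCC target)
    match_sender: bool = False
    match_recipient: bool = False
    enabled: bool = True


def archive_targets(rules, sender: str, recipient: str) -> set:
    """Archive addresses a message should be BCC'd to. Every matching
    rule contributes its own archive mailbox, so one message can be
    copied to several archives."""
    targets = set()
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.match_sender and entry_matches(rule.pattern, sender):
            targets.add(rule.archive)
        if rule.match_recipient and entry_matches(rule.pattern, recipient):
            targets.add(rule.archive)
    return targets
```

When reviewing a whitelist, remember the consequence the note spells out: a very short entry such as uk whitelists every sender under that top-level domain, so first_match on a list is only as selective as its broadest entry.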


Chapter 11

Configuring Spam Management


In this chapter:
Email relaying
POP3 proxying
Email content

Configuring Email Relaying

Configuring and enabling email relaying entails allowing SMTP traffic access and configuring relay settings for incoming and outgoing email. For information on email relay settings, see Chapter 10, Email Settings on page 191.
To configure email relaying:

1. Browse to the system > administration > external access page.

2. Configure the following settings:

Interface: From the drop-down list, select the external interface that will accept SMTP traffic.
Service: From the drop-down list, select SMTP (25).
Comment: Optionally, enter information on the configuration.
Enabled: Select to enable the configuration.

3. Click Add. The SMTP access rule is added to the list of current rules.


4. Go to the email > smtp > internal domains page.

5. Configure the relay settings for incoming email. See Chapter 10, Internal Domains on page 194 for information on the settings available.

6. Click Add. The configuration is listed in the Current domains area.

7. Go to the email > smtp > outgoing page.

8. Configure the relay settings for outgoing email. See Chapter 10, Outgoing on page 195 for information on the settings available.

9. Click Add. The configuration is listed in the Current allowed addresses area.

10. Go to the email > smtp > relay page.

11. Configure the settings for email relaying. See Chapter 10, SMTP Settings on page 191 for information on the settings available.

12. Click Save and restart to implement email relaying.


Configuring POP3 Proxying


You can configure Advanced Firewall to retrieve POP3 email traffic and automatically scan it for malware.
To configure POP3 proxying:

1. Go to the email > pop3 > proxy page.

2. Configure the POP3 settings you require for your environment. See Chapter 10, POP3 Proxy on page 197 for more information on the settings available.

3. Click Save and restart to implement Advanced Firewall POP3 proxying.

Configuring Footers
Advanced Firewall's footers page manages email footer information.
To configure footers:

1. Browse to the email > content > footers page.

2. Select the footer options you want to use. See Chapter 10, Footers on page 199 for information on the options available.

3. Click Save to implement the footer content.

Managing Attachments
To manage attachments:

1. Browse to the email > content > attachments page.

2. Select the attachment options you want to use. See Chapter 10, Attachments on page 200 for information on the options available.

3. Click Save to implement the attachment options.

Chapter 12

Administering Email
In this chapter:
Managing anti-malware and anti-spam subscriptions
Managing spam and quarantining email
Archiving email and managing the email queue

About Subscription Information

The license page displays information on your anti-spam and anti-malware subscriptions.
To review subscription information:

1. Navigate to the system > maintenance > licenses page.

2. Click Refresh subscription information to get the latest information.

Manually Updating Anti-malware Subscriptions


To manually update signatures:

On the system > maintenance > licenses page, in the Licenses area, click Update signatures now. Advanced Firewall gets the latest information available and updates the signatures.

Managing Spam Protection


To configure anti-spam options:

1. Browse to the email > anti-spam > anti-spam page.

2. Configure the anti-spam options. See Chapter 10, Anti-spam on page 201 for more information on the options available.

3. Click Save to implement the options.

Placing Email in Quarantine


Advanced Firewall enables you to manage email which is probably spam by placing it in quarantine, where you can review, release or delete it.

Note: You must have administrator or SMTP quarantine permissions to access the SMTP quarantine pages. Permissions are set on the system > administration > administrative users page.

The following sections explain how to configure and manage email quarantine.

Configuring Quarantine
Each email message received by Advanced Firewall is given a spam score which indicates the probability that the message is spam. The higher the score, the higher the probability. You can use this score to determine whether to quarantine or drop the message.
To configure quarantine:

1. Browse to the email > quarantine > settings page.

2. Configure the following settings:

Enable quarantine: Select this option to quarantine email messages which have a higher spam score than specified in the Quarantine above spam score option.
Quarantine above spam score: From the drop-down list, select the spam score above which messages will be quarantined.
Enable spam drop: Select this option to drop email messages which have a higher spam score than specified in the Drop above spam score option.
Drop above spam score: From the drop-down list, select the spam score above which messages will be dropped.
Subscribed quarantine users' email addresses: Enter the email addresses of the users whose email you want to manage for spam. Enter one email address per line. Users whose email addresses are subscribed to the quarantine receive a summary email each day listing all quarantined messages. If any messages are incorrectly quarantined, the user can preview and release them via a link in the daily email.
Max disk usage: From the drop-down list, select the maximum amount of disk space to be used to hold quarantined email.
Note: If the size limit is reached, Advanced Firewall deletes messages newer than the configured maximum age.
Max age of quarantined mail: From the drop-down list, select how long to keep quarantined email before dropping it. Advanced Firewall prunes quarantined email every hour and deletes messages which are older than the age specified.

3. Click Save to save the settings and enable quarantine.
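The following is an added example, not Smoothwall's code, showing how the quarantine settings above combine: a spam score is compared against the drop and quarantine thresholds, stored messages are evicted when the disk limit is reached, pruned hourly by age, and summarised per subscribed user over the last 24 hours. Two orderings are assumptions the guide does not state: the drop threshold is evaluated before the quarantine threshold, and when the disk limit is hit the oldest messages are evicted first.

```python
"""Spam score disposition and quarantine housekeeping, modelled on the
quarantine settings in the guide. Added example, not Smoothwall's code.
Assumptions: drop is checked before quarantine, and oldest messages are
evicted first when the disk limit is reached."""
from dataclasses import dataclass, field

DAY = 24 * 60 * 60


@dataclass
class QuarantineSettings:
    enable_quarantine: bool = True
    quarantine_above: int = 80                 # Quarantine above spam score
    enable_drop: bool = True
    drop_above: int = 95                       # Drop above spam score
    max_disk_bytes: int = 100 * 1024 * 1024    # Max disk usage
    max_age: int = 7 * DAY                     # Max age of quarantined mail


def disposition(spam_score: int, settings: QuarantineSettings) -> str:
    """Return 'drop', 'quarantine' or 'deliver' for a scored message.
    A score equal to a threshold is not 'above' it, so it is not caught."""
    if settings.enable_drop and spam_score > settings.drop_above:
        return "drop"
    if settings.enable_quarantine and spam_score > settings.quarantine_above:
        return "quarantine"
    return "deliver"


@dataclass
class QuarantinedMessage:
    msg_id: str
    recipient: str
    received: int      # seconds since epoch
    size: int          # bytes on disk
    spam_score: int


@dataclass
class Quarantine:
    settings: QuarantineSettings
    messages: list = field(default_factory=list)

    def total_size(self) -> int:
        return sum(m.size for m in self.messages)

    def store(self, message: QuarantinedMessage) -> None:
        self.messages.append(message)
        self.messages.sort(key=lambda m: m.received)
        # Disk limit reached: evict oldest first, even if younger than max_age
        while self.messages and self.total_size() > self.settings.max_disk_bytes:
            self.messages.pop(0)

    def prune(self, now: int) -> int:
        """Hourly job: delete messages older than max_age; return how many."""
        keep = [m for m in self.messages
                if now - m.received <= self.settings.max_age]
        removed = len(self.messages) - len(keep)
        self.messages = keep
        return removed

    def daily_summary(self, recipient: str, now: int) -> list:
        """Quarantined messages for a subscribed user from the last 24 hours,
        the content of the daily summary email."""
        return [m for m in self.messages
                if m.recipient == recipient and now - m.received < DAY]
```

Sizing note: with the eviction rule above, a burst of spam can push legitimate-but-misclassified mail out of the quarantine before its subscriber sees the daily summary, so the disk limit should be set with the daily volume of quarantined mail in mind rather than at the minimum.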

Managing Quarantined Email


Managing quarantined email entails previewing messages and releasing and/or deleting them.

Previewing Quarantined Messages

To preview a message:

1. Browse to the email > quarantine > viewer page.

2. In the Quarantined emails area, locate the message and click Preview. Advanced Firewall displays the message.

By default, Advanced Firewall displays main header information and the message in plain text. Click on All headers and text/html to view or hide their contents.

Releasing Messages
To release a message:

1. Browse to the email > quarantine > viewer page.

2. Select the message and click Release. Advanced Firewall sends the message to the recipient.

Tip: You can also release a message when previewing it.

Deleting Messages
To delete a message:

1. Browse to the email > quarantine > viewer page.

2. Select the message and click Delete. Advanced Firewall deletes the message.

Quarantine and Users

Any users subscribed to Advanced Firewall's spam quarantine service will receive a summary email listing email messages addressed to them which have been placed in quarantine. The summary email contains links to the quarantined message(s). Users can use the links to preview and/or release the messages. Users can also use a link in the summary email to request an updated report. This lists all the spam from the last 24 hours.


Archiving Email
Advanced Firewall enables you to archive email based on domain information or a specific email address, matched against the sender or the recipient. When a match is found, Advanced Firewall archives the email by Blind Carbon Copying (BCC-ing) it to the specified email address. The archive email address can be different for each match.

Creating Archive Rules

To create an archive rule:

1. Browse to the email > smtp > archiving page.

2. Enter the criteria to use to identify email to be archived. See Chapter 10, Archiving on page 195 for information on the settings available.

3. Click Add. The archive rule is added to the Current archives list.

Editing Archive Rules

To edit an archive rule:

1. Browse to the email > smtp > archiving page.

2. In the Current archives list, select the rule and click Edit. The rule's settings are displayed in the Add domain or address to archive area.

3. Make the changes you require and click Edit. The rule is updated in the Current archives list.

Deleting Archive Rules

To delete an archive rule:

1. Browse to the email > smtp > archiving page.

2. In the Current archives list, select the rule and click Remove. Advanced Firewall deletes the rule.


Managing the Email Queue


The email queue contains all incoming and outgoing emails that have not yet been relayed.
To manage the queue:

1. Navigate to the email > smtp > queue page. For information on queue details, see Chapter 10, The Email Queue on page 196.

2. Click Refresh page to ensure you have the current contents to review.

3. Click Manually flush mail queue to flush the queue. Advanced Firewall flushes the queue.

Chapter 13

Authentication and User Management


In this chapter:
Managing local users
Configuring login time-out
Managing temporarily banned users
Viewing user activity
Authenticating users with SSL login
Managing groups
Working with directory servers
Managing the authentication system and running diagnostics

Managing Local Users

Advanced Firewall stores user account information, comprising usernames, passwords and group membership, in its local user database, so as to provide a standalone authentication service for network users. Administrators can quickly add, view, edit, import, export and delete users in the local user database and map local users to a local authentication group.

Adding Users
To add a user to the local user database:

1. Navigate to the services > authentication > local users page.

2. Configure the following settings:

Username: Enter the user account name.
Password: Enter the password associated with the user account. Passwords must be a minimum of six characters long.
Repeat password: Re-enter the password to confirm it.
Select group: From the drop-down menu, select a group to assign the user account to.

3. Click Add. Advanced Firewall saves the information and lists the user in the Current users area.

Viewing Local Users


To view existing users in the local user database:

1. Navigate to the services > authentication > local users page.

2. Review the Current users area of the page. Users are listed alphabetically by username.

Editing Local Users


To edit an existing user's details:

1. Navigate to the services > authentication > local users page.

2. In the Current users area, locate and select the user you wish to edit.

3. Click Edit user. Once this button has been clicked, the user will be suspended, and physically removed from the user list. The user's details are displayed in the Add a user area.

4. Edit the user's details as required. For more information, see Adding Users on page 224.

5. Click Add. Advanced Firewall updates the information and re-lists the user in the Current users area.

Note: Once you click Edit, the user is effectively removed from the user list. If you do not re-add the user, his/her information is permanently lost.

Importing New Users


New users can be imported into the local user database using a comma-separated text file in the following format:

Username1,Password1
Username2,Password2
...

Note: The username and password must be lower case, and have no special characters or spaces. You must include the comma to separate the columns. If the password is in clear text, i.e. not encrypted, it will automatically be encrypted when the user is added. We recommend that you test importing a few users to confirm that you are getting the results you expect.
To import users to the local user database:

1. Navigate to the services > authentication > local users page.

2. In the Import users area, click Browse, navigate to and select the text file containing the user information and click Open.

3. Click Import users. Advanced Firewall imports the user information into the local user database.

Exporting Local Users


Existing groups of users can be exported from the local user database to a file in the following format:

Username1:ENCRYPTED_PASSWORD
Username2:ENCRYPTED_PASSWORD
...

An example line in the export file might resemble something like the following:
testuser:$apr1$Np4hD...$2eNu.nSQuj8b2apdZufcz0e

To export a group of users:

1. Navigate to the services > authentication > local users page.

2. In the Export users area, from the Select group drop-down list select the group containing the users you want to export and click Export users.

3. Select the Save to disk or equivalent option from the dialog box displayed by your browser and click its OK, Save or equivalent button. The exported users will be saved to a text file called users.txt. Files exported in this format can be imported back into the local user database using the import facility.
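Before importing a batch, it is worth checking the file against the documented constraints offline, since a malformed line creates a bad account rather than a clear error. The following is an added example, not Smoothwall's code, that parses both the import format (Username,Password) and the export format (Username:ENCRYPTED_PASSWORD) described above, enforcing lower case, no spaces or special characters, exactly one comma, and the six-character minimum for clear-text passwords from Adding Users; a password that already looks like an encrypted $apr1$ hash is passed through unchanged. Treating $apr1$ as salt plus 22 hash characters, and converting an export line to an import line by swapping ':' for ',', are my assumptions, not something the guide states; the sample file and hash are constructed.

```python
"""Parser and validator for the local user import/export file formats
described in the guide. Added example, not Smoothwall's code. The $apr1$
structure check and the export-to-import conversion are assumptions."""
import re
from dataclasses import dataclass

PLAIN_RE = re.compile(r"[a-z0-9]+")       # lower case, no specials, no spaces
APR1_RE = re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")  # assumed shape
MIN_PASSWORD_LEN = 6                      # from Adding Users


@dataclass
class UserRecord:
    username: str
    password: str          # clear text or an $apr1$ hash
    encrypted: bool


def parse_import_line(line: str, lineno: int) -> UserRecord:
    """Parse one 'Username,Password' line; raise ValueError naming the
    line on any violation of the documented format."""
    raw = line.rstrip("\r\n")
    if raw.count(",") != 1:
        raise ValueError(f"line {lineno}: expected exactly one comma")
    username, password = raw.split(",")
    if not PLAIN_RE.fullmatch(username):
        raise ValueError(f"line {lineno}: username must be lower case with "
                         "no spaces or special characters")
    if APR1_RE.fullmatch(password):
        return UserRecord(username, password, encrypted=True)
    if not PLAIN_RE.fullmatch(password):
        raise ValueError(f"line {lineno}: password must be lower case with "
                         "no spaces or special characters")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"line {lineno}: password must be at least "
                         f"{MIN_PASSWORD_LEN} characters")
    return UserRecord(username, password, encrypted=False)


def parse_import_file(text: str):
    """Return (records, errors). Blank lines are skipped; a bad line is
    reported and does not stop the rest of the file being checked."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(parse_import_line(line, lineno))
        except ValueError as exc:
            errors.append(str(exc))
    return records, errors


def parse_export_line(line: str):
    """Parse one 'Username:ENCRYPTED_PASSWORD' line into (username, hash)."""
    username, sep, digest = line.rstrip("\r\n").partition(":")
    if not sep or not PLAIN_RE.fullmatch(username) or not APR1_RE.fullmatch(digest):
        raise ValueError("not a valid export line")
    return username, digest


def export_to_import_line(line: str) -> str:
    """Re-express an export line in the import format (assumed conversion)."""
    username, digest = parse_export_line(line)
    return f"{username},{digest}"


if __name__ == "__main__":
    # Constructed sample import file: two good lines, one blank, two bad.
    SAMPLE = ("alice,secret1\n"
              "bob,$apr1$c0nStRuC$abcdefghijklmnopqrstuv\n"
              "\n"
              "Carol,password\n"
              "dave,short\n")
    records, errors = parse_import_file(SAMPLE)
    print([r.username for r in records])   # ['alice', 'bob']
    print(errors)                          # two messages, for lines 4 and 5
```

Running the parser over a file before uploading it gives you the line-by-line report the web form does not, which is the practical form of the guide's advice to test-import a few users first.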

Deleting Users
To delete users:

1. Navigate to the services > authentication > local users page.

2. In the Current users area, locate and select the user or users you want to delete.

3. Click Delete user(s). Advanced Firewall deletes the user(s).

Moving Users between Groups


To change the group mapping:

1. Navigate to the services > authentication > local users page.

2. In the Current users area, locate and select the user or users you want to move.

3. From the Group to move users to drop-down list, select the group to move the user or users to.

4. Click Move user(s). Advanced Firewall moves the user(s).

Managing Temporarily Banned Users


Advanced Firewall enables you to temporarily ban specific user accounts.

Creating a Temporary Ban


Note: Only administrators and accounts with Temp ban access can manage banned accounts. For more information, see Chapter 16, Administrative User Settings on page 317.

To ban an account temporarily:

1 Navigate to the services > authentication > temporary bans page.
2 Configure the following settings:

Username
    Enter the user name of the account you want to ban.
Comment
    Optionally, enter a comment explaining why the account has been banned.
Ban expires
    From the drop-down lists, select when the ban expires.
Enabled
    Click to enable the ban.

3 Click Add. Advanced Firewall lists the ban in the Current rules area and enforces the ban immediately.


Smoothwall Advanced Firewall Administrators Guide

Tip: You can edit the block page displayed to banned users so that it gives them information on the ban in force. See Chapter 14, Managing Block Pages on page 185 for more information.

Tip: There is also a ban option on the services > authentication > user activity page. For more information, see Viewing User Activity on page 227.

Removing Temporary Bans


To remove a ban:

1 Navigate to the services > authentication > temporary bans page.
2 In the Current rules area, select the ban and click Remove. Advanced Firewall removes the ban.

Removing Expired Bans


To remove bans which have expired:

1 Navigate to the services > authentication > temporary bans page.
2 In the Current rules area, click Remove all expired. Advanced Firewall removes all bans which have expired.

Viewing User Activity


Advanced Firewall enables you to see how many users are logged in, who is logged in and who has recently logged out.
To view activity:

Navigate to the services > authentication > user activity page.

Advanced Firewall displays the number of users currently logged in, who is logged in and which users have either recently logged themselves out or been logged out by Advanced Firewall because of inactivity. Recently logged out users are listed for 1 hour. For more information, see Configuring Authentication Settings on page 233.


You can configure the following settings:

Most recent users to show
    From the drop-down list, select the number of users to display and click Show. Advanced Firewall displays the specified number in the User activity area.
Ban
    Click to ban a user. Advanced Firewall copies the user's information and displays it on the temporary ban page. For more information, see Creating a Temporary Ban on page 226.
Logout
    Click to log out a user immediately. Advanced Firewall logs the user out and lists him/her in the Recently logged out users area.
    Note: Unless the user is using SSL Login as the authentication method, there is nothing to stop the user from logging in again.

Authenticating Users with SSL Login


Advanced Firewall provides SSL Login as a built-in authentication mechanism which can be used by authentication-enabled services to apply permissions and restrictions on a customized, per-user basis. When SSL Login is enabled, network users requesting port 80 for outbound web access will be automatically redirected to a secure login page, the SSL Login page, and prompted for their user credentials. The SSL Login page can also be manually accessed by users wishing to pro-actively authenticate themselves, typically where they need to use a non-web authentication-enabled service for example, group bridging. SSL Login authentication works by dynamically adding a rule for the IP address of each authenticated user, thus allowing SSL Login redirection to be bypassed for authenticated users. When an authenticated user logs out or exceeds the time-out limit, the rule is removed and future outbound requests on port 80 will again cause automatic redirection to the SSL Login.


Enabling SSL Login


SSL Login authentication is enabled on a per-interface basis.
To enable SSL Login:

1 Navigate to the services > authentication > ssl login page.
2 In the SSL Login redirect interfaces area, select each interface that the SSL Login should be active on.
3 Click Save. Advanced Firewall enables SSL Login for the selected interfaces.

Creating SSL Login Exceptions


SSL Login exceptions can be created in order to prevent certain hosts, ranges of hosts or subnets from being automatically redirected to the SSL Login page. This is mostly useful to avoid the need for servers to authenticate.
To create an SSL login exception:

1 On the services > authentication > ssl login page, locate the SSL Login redirect interfaces area.
2 In the Exception local IP addresses field, enter an IP address, IP range or subnet that should not be redirected to the SSL Login.
3 Repeat the step above on a new line for each further exception you want to make.
4 Click Save.
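The decision path described in the preceding two sections (a per-IP bypass rule added on login and removed on logout or inactivity, exception addresses never redirected, only outbound port 80 intercepted), as an added example that is not Smoothwall code or part of this guide. The exception syntax it accepts (one host, a-b range or CIDR subnet per line), the 600-second idle limit standing in for the Login timeout setting, and all names below are this example's assumptions.

```python
"""Model of the SSL Login redirect decision. Added example, not Smoothwall code."""
import ipaddress
import re

LOGIN_TIMEOUT = 600  # assumed idle limit in seconds; stands in for the Login timeout setting


def parse_exceptions(text):
    """Parse the 'Exception local IP addresses' box into (low, high) address pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"([^\s-]+)\s*-\s*([^\s-]+)", line)
        if m:
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            if hi < lo:
                raise ValueError("range is backwards: " + line)
            rules.append((lo, hi))
        else:
            net = ipaddress.ip_network(line, strict=False)  # single host or subnet
            rules.append((net[0], net[-1]))
    return rules


def is_excepted(ip, rules):
    ip = ipaddress.ip_address(ip)
    return any(lo <= ip <= hi for lo, hi in rules)


class SslLoginTable:
    """Per-source-IP bypass rules, as SSL Login maintains them."""

    def __init__(self, exceptions, timeout=LOGIN_TIMEOUT):
        self.exceptions = parse_exceptions(exceptions)
        self.timeout = timeout
        self.sessions = {}  # source IP -> (username, time of last activity)

    def login(self, ip, username, now):
        """Successful SSL Login: add the bypass rule for this source address."""
        self.sessions[str(ipaddress.ip_address(ip))] = (username, now)

    def logout(self, ip):
        """User or administrator logout: remove the rule immediately."""
        return self.sessions.pop(str(ipaddress.ip_address(ip)), None)

    def expire(self, now):
        """Remove rules idle for longer than the timeout; return who was logged out."""
        stale = [ip for ip, (_, seen) in self.sessions.items() if now - seen > self.timeout]
        return [self.sessions.pop(ip)[0] for ip in stale]

    def handle_request(self, ip, dst_port, now):
        """Classify an outbound request: 'excepted', 'allow', 'redirect' or 'not-intercepted'."""
        ip = str(ipaddress.ip_address(ip))
        self.expire(now)
        if is_excepted(ip, self.exceptions):
            return "excepted"        # servers and the like never see the login page
        if ip in self.sessions:
            user, _ = self.sessions[ip]
            self.sessions[ip] = (user, now)   # activity resets the idle timer
            return "allow"
        if dst_port == 80:
            return "redirect"        # send the browser to the SSL Login page
        return "not-intercepted"     # SSL Login only hooks port 80; other rules still apply


if __name__ == "__main__":
    # Constructed exception list: one host, one range, one subnet.
    table = SslLoginTable("192.168.72.10\n192.168.72.20 - 192.168.72.29\n10.0.5.0/24")
    print(table.handle_request("192.168.72.50", 80, 0))   # redirect
    table.login("192.168.72.50", "alice", 0)
    print(table.handle_request("192.168.72.50", 80, 100))  # allow
    print(table.handle_request("192.168.72.50", 80, 1200)) # redirect: idle too long
```

Because the rule is keyed on the source address, whoever next uses that address before the timeout or a logout inherits the session; that is why the guide recommends users log out rather than walk away.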


Customizing the SSL Login Page


You can customize the title graphic, background image and message displayed on an SSL login page.

Customizing the Title Graphic


It is possible to customize the title graphic displayed on the SSL login page.
Note: The title graphic must be in jpeg format and must be 500 x 69 pixels.

To upload a title graphic for the login page:

1 On the services > authentication > login page, click Browse adjacent to the Custom title image field.
2 Browse to and select the file and click OK, Open or equivalent button.
3 Click Upload. Advanced Firewall uploads the file and uses it on the SSL login page.

Customizing the Background Image


It is possible to customize the background image used on an SSL login page.
Note: The background image must be in jpeg format and must be 500 x 471 pixels.

To upload a background image:

1 On the services > authentication > login page, click Browse adjacent to Custom background image.
2 Browse to and select the file and click OK, Open or equivalent button.
3 Click Upload. Advanced Firewall uploads the file and uses it on the SSL login page.

Removing Custom Files


To remove a custom file:

1 Browse to the services > authentication > login page.
2 To remove the title image, click Remove.
3 To remove the background image, click Remove.

Customizing Messages
It is possible to provide users with customized messages containing instructions.
To customize the login messages:

1 Navigate to the services > authentication > login page.
2 To alter the first line in the login message, enter your custom message in Message line 1.
3 To alter the second line in the login message, enter your custom message in Message line 2.
4 Click Save.

Reviewing the SSL Login Page


You can access and review the SSL Login page.
To access and review the SSL Login page:

In the web browser of your choice, enter your Advanced Firewall system's IP address followed by /login. For example: http://192.168.72.141/login or, using HTTPS, https://192.168.72.141:442/login

Advanced Firewall displays the SSL Login page.

Managing Groups of Users


The following sections discuss groups of users and how to manage them.

About Groups
Advanced Firewall uses the concept of groups to provide a means of organizing and managing similar user accounts. Authentication-enabled services can associate permissions and restrictions with each group of user accounts, thus enabling them to dynamically apply rules on a per-user account basis. Local users can be added or imported to a particular group, with each group being organized to mirror an organization's structure. Groups can be renamed by administrators to describe the users that they contain. Currently, Advanced Firewall supports up to 100 groups and by default contains the following groups:

Unauthenticated IPs
    The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for unauthenticated users, i.e. users that are not logged in, currently unauthenticated or cannot be authenticated.
    Note: This group cannot be renamed.
Default Users
    Users can be mapped to Default Users. The main purpose of this group is to allow certain authentication-enabled services to define permissions and restrictions for users that are not specifically mapped to an Advanced Firewall group, i.e. users that can be authenticated, but who are not mapped to a specific Advanced Firewall authentication group.
    Note: This group cannot be renamed.
Banned Users
    The purpose of this group is to contain users who are banned from using an authentication-enabled service. The Banned Users group can be renamed.
Network Administrators
    This group is a normal user group, configured with a preset name, and set up for the purpose of granting network administrators access to an authentication-enabled service. Because the Network Administrators group is a normal group with a preset configuration, it can be both renamed and used by authentication-enabled services to enforce any kind of permissions or restrictions.

Configuring the Number of Groups


Advanced Firewall enables you to set the number of groups available.
To configure the number of groups available:

1 Navigate to the services > authentication > groups page.
2 From the Number of groups drop-down list, select the number you require.
    Note: When you select the number of groups, Advanced Firewall calculates the amount of memory available. If the number of groups you select requires more memory than is available to Advanced Firewall, Advanced Firewall will require you to select fewer groups.
3 Click Save and Restart to save the change.

Renaming a Group
All groups, except the Unauthenticated IPs and Default Users groups, can be renamed.
To rename a group:

1 Navigate to the services > authentication > groups page and configure the following settings:

Existing name
    From the drop-down list, select the group you want to rename.
New name
    Enter the new group name.

2 Click Rename. Advanced Firewall renames the group.


Configuring Authentication Settings


Configuring authentication settings entails setting login timeout and configuring directory servers.

Global Login Timeout


You can configure Advanced Firewall to require users to log-in again after a specific period of inactivity. For more information, see Appendix A, About the Login Time-out on page 336.
To configure the login timeout:

1 Navigate to the services > authentication > settings page.
2 In the Login timeout field, accept the default or enter the time-out period.
    Note: Setting a short login timeout increases the load on the machine, particularly when using transparent NTLM or SSL Login. It also increases the rate of re-authentication requests. Setting a long login timeout may enable unauthorized users to access the network if users leave computers without actively logging out.
3 Click Save, navigate to the services > authentication > control page and click Restart.
    Note: The behavior of some authentication mechanisms is automatically adjusted by the time-out period. For example, the SSL Login refresh rate will update to ensure that authenticated users do not time out.

Tip: Encourage users to pro-actively log out of the system to ensure that other users of their workstation cannot assume their privileges if the login time-out is yet to occur.

About Advanced Firewall and Directory Servers


The Advanced Firewall authentication service is designed to enable Advanced Firewall to connect to multiple directory servers in order to:

• Retrieve groups configured in directories and apply network and web filtering permissions to users based on group membership within directories
• Verify the identity of a user who is trying to access network or Internet resources.

If multiple directories exist, Advanced Firewall tries them in the order they are listed. If most of your users are in one directory, list that directory first so as to reduce the number of queries required. If user passwords are checked by a RADIUS server and group information is obtained from LDAP, list the RADIUS server first.

Once the connection to a directory service has been configured, Advanced Firewall retrieves a list of groups configured in the directory and maps them to the groups available in Advanced Firewall. When the groups have been mapped, permissions and network access permissions in the filtering and outgoing sections can be granted on the basis of group membership. For information on how authentication works and interacts with other systems, see Appendix A, Authentication on page 335. The following sections explain how to configure Advanced Firewall for use with directory servers.

Supported Directory Servers


Currently, Advanced Firewall supports the following directory servers:

Microsoft Active Directory
    Microsoft's Active Directory, for more information, see Configuring a Microsoft Active Directory Connection on page 234.
Novell eDirectory, Apple Open Directory/OpenLDAP, Sun Directory, Fedora Directory, Red Hat Directory, Netscape Directory
    Various directories which support the LDAP protocol, for more information, see Configuring an LDAP Connection on page 238.
RADIUS
    Remote Authentication Dial In User Service, for more information, see Configuring a RADIUS Connection on page 241.

Configuring a Microsoft Active Directory Connection


The following sections explain the prerequisites for Microsoft Active Directory and how to configure Advanced Firewall to work with Microsoft Active Directory.

Prerequisites for Active Directory


Before you configure any settings for use with Active Directory:

• Run the Advanced Firewall Setup program and check that the DNS server containing the Active Directory information is specified correctly. This DNS server is used by Advanced Firewall for name lookups. For more information, see Appendix A, Advanced Firewall and DNS on page 336 and the Advanced Firewall Installation and Setup Guide.
• Check that DNS reverse lookup is configured on the Active Directory DNS server for the Active Directory servers.
• Ensure that the times set on Advanced Firewall and your Active Directory server are synchronized.

Note: Do not use the administrator account as the lookup user. Often the administrator account will not have a Windows 2000 username, preventing the account from being used by the authentication service. Use a dedicated account with read-only directory rights instead: its password is held on Advanced Firewall so that it can bind, so it should carry no more privilege than the lookups need.

Configuring an Active Directory Connection


Configuring an Active Directory connection entails specifying server details, the Kerberos realm to use, search roots and any optional advanced settings required.
To configure the connection:

1 Navigate to the services > authentication > settings page.
2 In the Add directory server area, from the Directory server drop-down list, select Active Directory and click Next. Advanced Firewall displays the settings for Active Directory.


3 Configure the following settings:

LDAP server
    Enter the directory server's full hostname.
    Note: For Microsoft Active Directory, Advanced Firewall requires DNS servers that can resolve the Active Directory server hostnames. Often, these will be the same servers that hold the Active Directory. The Active Directory DNS servers will need a reverse lookup zone with pointer (PTR) records for the Active Directory servers for a successful lookup to be able to take place. Refer to the Microsoft DNS server help if you need assistance in setting up a reverse lookup zone. See also Appendix A, Advanced Firewall and DNS on page 336 for more information.
Server username
    Enter the username of a valid account. Enter the username without the domain. The domain will be added automatically by Advanced Firewall. In a multi-domain environment, the username must be a user in the top level domain. For more information, see Appendix A, Active Directory on page 338.
Server password
    Enter the password of a valid account.
Kerberos realm
    Enter the Kerberos realm in capital letters.
Use default search roots
    Select this option to configure Advanced Firewall to start looking for user accounts at the top level of the directory.
    Tip: In larger directories, it may be a good idea to use the Use custom search roots option, to narrow the user search root so Advanced Firewall does not have to look through the entire directory. See below for more information.
Use custom search roots
    Select this option to specify where in the directory Advanced Firewall should start looking for user accounts and groups.
Custom user search root
    Enter the user search root to start looking in, for example: ou=myusers,dc=mydomain,dc=local
    Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Custom group search root
    Enter where in the directory Advanced Firewall should start looking for user groups, for example: ou=mygroups,dc=mydomain,dc=local
    Note: Some directories will not return more than 1 000 results for a search, so if there are more than 1 000 groups in the directory, a more specific group search root needs to be configured.
Comment
    Optionally, enter a comment about the directory server and the settings used.
Enabled
    Select this option to enable the connection to the directory server.


4 Optionally, click Advanced to access and configure the following settings:

LDAP port
    Accept the default, or enter the LDAP port to use.
Cache timeout
    Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall will not need to query the directory server for users who log out and log back in as long as their records are still in the cache.
    Note: Setting a short cache timeout increases the load on the directory server. Setting a long cache timeout means that old passwords are valid for longer, i.e. until the cache timeout has been passed; likewise, a user who is disabled in the directory can keep logging in until the cached record expires.
Discover Kerberos using DNS
    Select this option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the Active Directory by querying the DNS server that holds the Active Directory information. For this to work, Advanced Firewall needs to have a configured hostname in the Active Directory domain. For example: Active Directory domain: domain.local; Advanced Firewall hostname: system.domain.local. The hostname is needed so Advanced Firewall knows what domain to query for subdomains.
Use sAMAccountName
    This setting applies when using Microsoft Windows NT4 or older installations. Enter the sAMAccountName to override the userPrincipalName.
NetBIOS workgroup
    This setting applies when using NTLM authentication with Guardian. Advanced Firewall cannot join domains required for NTLM authentication where the workgroup, also known as the NetBIOS domain name or pre-Windows 2000 domain name, is not the same as the Active Directory domain. Here you can enter a NetBIOS domain name and set this as the value when joining the workgroup.
Extra user search roots
    This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
Extra group search roots
    Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 337.
Extra realms
    This setting enables you to configure subdomains manually, as opposed to automatically, using DNS. This can be useful if the Active Directory is in a state where orphaned domains are referenced or only certain subdomains are needed for user authentication.

5 Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 244 for more information.

Configuring an LDAP Connection


The following section explains what is required to configure a connection to an LDAP directory server.
To configure the connection:

1 Navigate to the services > authentication > settings page.
2 In the Add directory server area, from the Directory server drop-down list, select the directory server you want to connect to and click Next. Advanced Firewall displays the settings.


3 Configure the following settings:

LDAP server
    Enter the directory's IP address or hostname.
    Note: If using Kerberos as the bind method, you must enter the hostname.
Bind method
    Accept the default bind method, or from the drop-down list, select one of the following options:
    TLS (with password): Select to use Transport Layer Security (TLS).
    Kerberos: Select to use Kerberos authentication.
    Simple bind: Select to bind without encryption. This is frequently used by directory servers that do not require a password for authentication. With a simple bind, any username and password travel in clear unless the connection itself is LDAPS (see LDAP port below).
Server username
    Enter the username of a valid account in the LDAP notation format. The format depends on the configuration of the LDAP directory. Normally it should look something like this:
    cn=user,ou=container,o=organization
    This is what is referred to in Novell eDirectory as tree and context. A user in the tree Organization and in the context Sales would have the LDAP notation:
    cn=user,ou=sales,o=organization
    For Apple Open Directory, when not using Kerberos, the LDAP username can be written as: uid=user,cn=users,dc=example,dc=org
    Consult your directory documentation for more information.
Server password
    Enter the password of a valid account.
    Note: A password is not required if using simple bind as the bind method.
Kerberos realm
    If using Kerberos, enter the Kerberos realm. Use capital letters.
User search root
    Enter where in the directory Advanced Firewall should start looking for user accounts. Usually this is the top level of the directory, which for a domain such as mycompany.local is written in LDAP form as dc=mycompany,dc=local; to start lower, give the container as well, for example: ou=myusers,dc=mydomain,dc=local
    OpenLDAP-based directories will often use the form o=myorganization. Apple Open Directory uses the form: cn=users,dc=example,dc=org
    A Novell eDirectory will refer to this as the tree, taking the same form as the OpenLDAP-based directories: o=myorganization.
    Note: In larger directories, it may be a good idea to narrow down the user search root so Advanced Firewall does not have to look through the entire directory. For example, if all users that need to be authenticated have been placed in an organizational unit, the user search root can be narrowed down by adding ou=userunit in front of the domain base.
    Note: When working with multi-domain environments, the user search root must be set to the top level domain.
Group search roots
    Enter where in the directory Advanced Firewall should start looking for user groups. Usually this will be the same location as configured in the user search root field. For example: ou=mygroups,dc=mydomain,dc=local
    Apple Open Directory uses the form: cn=groups,dc=example,dc=org
    Note: With larger directories, it may be necessary to narrow down the group search root. Some directories will not return more than 1000 results for a search, so if there are more than 1000 groups in the directory, a more specific group search root needs to be configured. The principle is the same as with the user search root setting. If there are multiple OUs containing groups that need to be mapped, add the other locations in the advanced section.
Comment
    Optionally, enter a comment about the connection.
Enabled
    Select to enable the connection.

4 Optionally, click Advanced to access and configure the following settings:

LDAP port
    Accept the default, or enter the LDAP port to use.
    Note: LDAPS will be automatically used if you enter port number 636.
Cache timeout
    Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Discover Kerberos using DNS
    Only available if you have selected Kerberos as the bind method. Select this advanced option to use DNS to discover Kerberos realms. Using DNS to discover realms configures Advanced Firewall to try to find all the domains in the directory server by querying the DNS server that holds the directory information. For this to work, Advanced Firewall needs to have a configured hostname in the directory domain. For example: Directory domain: domain.local; Advanced Firewall hostname: system.domain.local. The hostname is needed so Advanced Firewall knows what domain to query for subdomains.
Extra user search roots
    This option enables you to enter directory-specific user search paths when working with a large directory structure which contains multiple OUs and many users. Enter search roots one per line.
Extra group search roots
    Optionally, enter where in the directory Advanced Firewall should start looking for more user groups. Enter search roots one per line. For more information, see Appendix A, Working with Large Directories on page 337.
Extra realms
    This setting enables you to configure subdomains manually, as opposed to automatically, using DNS.

5 Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 244 for more information.

Configuring a RADIUS Connection


You can configure Advanced Firewall to use a Remote Authentication Dial In User Service (RADIUS) as an authentication service.

Prerequisites
Before you configure any settings: Configure the RADIUS server to accept queries from Advanced Firewall. Consult your RADIUS server documentation for more information.

Configuring the Connection


To configure the connection:

1 Navigate to the services > authentication > settings page.
2 In the Add directory server area, from the Directory server drop-down list, select RADIUS and click Next. Advanced Firewall displays the settings.
3 Configure the following settings:

Server
    Enter the RADIUS server's host name.
Secret
    Enter the secret shared with the server. Use a long, random value: the RADIUS protocol's protection of user passwords in transit rests entirely on this secret.
Port
    Accept the default port, or enter the port to use.
Obtain groups from RADIUS
    If the RADIUS server can provide group information, select this option to enable Advanced Firewall to use the group information in the RADIUS Filter-Id attribute. The Filter-Id attribute must have the following format: GROUPn, e.g. GROUP5 or GROUP16. When not enabled, Advanced Firewall will use group information from the next directory server in the list. If there are no other directories in the list, Advanced Firewall will place all users in the Default Users group.
If login attempt fails
    Try next directory server, if any: Select this option if users in RADIUS are unrelated to users in any other directory server.
    Deny access: Select this option if the RADIUS password should override the password set in another directory server, for example when using an authentication token.
Cache timeout
    Accept the default or specify the length of time Advanced Firewall keeps a record of directory-authenticated users in its cache. Advanced Firewall does not query the directory server for users who log out and log back in as long as their records are still in the cache.
Enabled
    Select to enable the connection.

4 Click Save to save your settings and restart the authentication service on the control page. See Restarting the Authentication System on page 244 for more information. For information on groups and directory servers, see Mapping Groups on page 243.
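The interaction of the settings above with the server order is easier to see in code. The following is an added example, not Smoothwall code or part of this guide: it models a list of directory servers tried in order, a RADIUS server that checks the password and optionally names the group through a Filter-Id of the form GROUPn, the fall-through of group lookups to later servers, the Default Users placement for unmapped users, the Deny access option, and the cache timeout behaviour the Active Directory and LDAP notes warn about. The two server classes are constructed stubs, the names are this example's own, and its treatment of a cache entry whose password does not match (fall back to the directories) is an assumption.

```python
"""Model of a directory-server chain with RADIUS Filter-Id groups, fall-through,
Deny access and a cache timeout. Added example, not Smoothwall code."""
import hashlib
import re

DEFAULT_USERS = "Default Users"
FILTER_ID_RE = re.compile(r"^GROUP(\d+)$")   # the GROUPn format the guide requires


def _fingerprint(password):
    return hashlib.sha256(password.encode()).hexdigest()   # never cache the clear password


class RadiusServer:
    """Stub RADIUS server: users -> (password, Filter-Id attribute or None)."""

    def __init__(self, users, obtain_groups=True, on_fail="next"):
        self.users, self.obtain_groups, self.on_fail = users, obtain_groups, on_fail
        self.queries = 0

    def check(self, user, password):
        self.queries += 1
        rec = self.users.get(user)
        return rec is not None and rec[0] == password

    def group_of(self, user):
        rec = self.users.get(user)
        if not self.obtain_groups or rec is None or not rec[1]:
            return None
        m = FILTER_ID_RE.match(rec[1])
        return "GROUP" + m.group(1) if m else None   # malformed Filter-Id yields no group


class LdapServer:
    """Stub LDAP/AD server: users -> (password, [group DNs]); mapping: DN -> firewall group."""

    def __init__(self, users, mapping):
        self.users, self.mapping, self.on_fail = users, mapping, "next"
        self.queries = 0

    def check(self, user, password):
        self.queries += 1
        rec = self.users.get(user)
        return rec is not None and rec[0] == password

    def group_of(self, user):
        rec = self.users.get(user)
        for dn in (rec[1] if rec else []):
            if dn in self.mapping:
                return self.mapping[dn]
        return None


class AuthChain:
    def __init__(self, servers, cache_timeout):
        self.servers, self.cache_timeout = servers, cache_timeout
        self.cache = {}  # user -> (password fingerprint, group, expiry time)

    def authenticate(self, user, password, now):
        """Return the Advanced Firewall group on success, None when access is denied."""
        hit = self.cache.get(user)
        if hit and hit[0] == _fingerprint(password) and hit[2] > now:
            return hit[1]   # served from cache: a password changed upstream is not noticed yet
        verified_at = None
        for i, srv in enumerate(self.servers):      # servers are tried in list order
            if srv.check(user, password):
                verified_at = i
                break
            if srv.on_fail == "deny":
                return None   # RADIUS said no: never fall back to a static password elsewhere
        if verified_at is None:
            return None
        group = None
        for srv in self.servers[verified_at:]:     # group may come from a later server
            group = srv.group_of(user)
            if group:
                break
        group = group or DEFAULT_USERS
        self.cache[user] = (_fingerprint(password), group, now + self.cache_timeout)
        return group


STAFF = "cn=staff,ou=groups,dc=example,dc=org"
FINANCE = "cn=finance,ou=groups,dc=example,dc=org"
GUESTS = "cn=guests,ou=groups,dc=example,dc=org"


def build_chain(on_fail="next", cache_timeout=300):
    """Constructed data: RADIUS (tokens) listed first, LDAP second, guests unmapped."""
    radius = RadiusServer({"alice": ("otp-123456", "GROUP5"), "bob": ("otp-654321", None)},
                          obtain_groups=True, on_fail=on_fail)
    ldap = LdapServer({"alice": ("ldap-pw", [STAFF]), "bob": ("ldap-pw", [FINANCE]),
                       "carol": ("ldap-pw", [GUESTS])},
                      mapping={STAFF: "GROUP2", FINANCE: "GROUP7"})
    return AuthChain([radius, ldap], cache_timeout), radius, ldap


if __name__ == "__main__":
    chain, radius, ldap = build_chain()
    for who, pw in [("alice", "otp-123456"), ("bob", "otp-654321"), ("carol", "ldap-pw")]:
        print(who, "->", chain.authenticate(who, pw, now=0))
```

With Deny access selected on the RADIUS server, carol (who exists only in LDAP) and alice's LDAP password are both refused, which is exactly the token-override behaviour the setting is for.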

Reordering Directory Servers


If multiple directory servers exist, Advanced Firewall tries them in the order they are listed. If most of your users are in one directory, list that directory first so as to reduce the number of queries required.
To reorder directory servers:

1 Navigate to the services > authentication > settings page.
2 In the Directory servers area, select the directory server you want to move and click Up or Down until the servers are in the order you require.

Removing Directory Servers

To remove a directory server:

1 Navigate to the services > authentication > settings page.
2 In the Directory servers area, select the directory server you want to remove and click Remove. Advanced Firewall removes the server.

Mapping Groups
Once you have successfully configured a connection to a directory you can map the groups Advanced Firewall retrieves from the directory to apply permissions and restrictions to the users in the groups.
To map directory groups to Advanced Firewall groups:

1 After configuring the connection to the directory, see About Advanced Firewall and Directory Servers on page 233, go to the services > authentication > groups page.
    Note: Only directory servers containing groups that are mapped will be displayed. RADIUS groups are fixed.
2 In the Available groups tree, navigate to and highlight the group you want to map and click Select. Advanced Firewall lists the group in the Mapped groups area. By default, Advanced Firewall maps all groups to the Unauthenticated IPs group. For more information on groups, see About Groups on page 231.
3 From the Mapped group drop-down list, select the group you want to map the group to and click Save.
4 Repeat the step above to map any other groups required.


Remapping Groups
It is possible to change group mappings.
To remap groups:

1 Navigate to the services > authentication > groups page and in the Mapped groups area, locate the directory server group you want to remap.
2 From the Mapped group drop-down list, select the Advanced Firewall group you want to remap the directory server group to. Tick the Mark check box.
3 Click Save. Advanced Firewall remaps the group.

Managing the Authentication System


Advanced Firewalls authentication system can be stopped, started and monitored.
To access the authentication system controls:

Navigate to the services > authentication > control page.

See the sections below for information on restarting, stopping and reviewing the service.

Restarting the Authentication System


It may be necessary to restart the authentication system if unapplied configuration changes have been made. In this situation, a warning will be displayed at the top of all authentication pages as a reminder that a restart is required. A full restart normally takes a few seconds to complete, after which users will be required to reauthenticate. A restart will also cause all active downloads to be terminated.
To restart the authentication system:

Navigate to the services > authentication > control page and click Restart.

Note: It is a good idea to only restart the authentication system at a convenient time for network users.

Stopping the Authentication System


There are no reasons to stop the authentication system in normal operation. This procedure should only be carried out if instructed by the Smoothwall support team.
To stop the authentication system:

On the services > authentication > control page, click Stop in the Manual control area.

Smoothwall Advanced Firewall Administrators Guide

Viewing System Status


To display the current status of the authentication system:

1 Navigate to the services > authentication > control page.
2 Click Refresh in the Manual control area. The current status will be displayed in the Current status field and can be either Running or Stopped.

Running Diagnostics
To check that the authentication system is operating correctly, diagnostic tests can be run.
To run authentication diagnostics:

On the services > authentication > control page, click Run. Advanced Firewall runs the tests and displays the results.
Authentication service self test: Checks to see if the authentication service can be contacted.
Checking forward DNS: Available when using Kerberos, Advanced Firewall checks that the hostname resolves to a single address.
Checking reverse DNS: Available when using Kerberos, and the Checking forward DNS test has succeeded, Advanced Firewall checks that the address resolves to the same hostname.
Checking connection to directory server: Checks that the directory server can be contacted. Tip: If this test fails, check the system logs for information.
Checking existence of user account: Checks that the user account used when configuring the connection exists.
Checking whether clock is set to within 5 minutes of directory server's clock: Available when using Kerberos, checks that the machine's clock is set to within 5 minutes of the directory server's clock.
Checking user account password: Checks that the user password used when configuring the connection is correct.
Checking whether group list can be retrieved: Checks that group information can be retrieved. Tip: If this test fails, check that the search roots specified are correct.
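As an added example that is not Smoothwall's code, the following Python reproduces the logic of the Checking forward DNS and Checking reverse DNS diagnostics described above, including the rule that the reverse test only runs after the forward test succeeds. The resolver functions are injectable so the checks can be exercised offline against constructed records; every hostname and address below is an assumption.

```python
"""Constructed example (not Smoothwall code) of the Kerberos forward and
reverse DNS diagnostics.  Resolver functions are injectable so the checks
run offline against constructed records; the defaults use the system
resolver.  All hostnames and addresses below are assumptions."""
import socket
from typing import Callable, Dict, List, Tuple

ForwardResolver = Callable[[str], List[str]]
ReverseResolver = Callable[[str], str]
Result = Tuple[bool, str]


def system_forward(hostname: str) -> List[str]:
    """All distinct addresses the system resolver returns for hostname."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def system_reverse(address: str) -> str:
    """Primary hostname from the PTR record of address."""
    return socket.gethostbyaddr(address)[0]


def check_forward_dns(hostname: str, forward: ForwardResolver = system_forward) -> Result:
    """Forward test: the hostname must resolve to exactly one address."""
    try:
        addrs = forward(hostname)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"{hostname} does not resolve: {exc}"
    if not addrs:
        return False, f"{hostname} has no address records"
    if len(addrs) > 1:
        # The guide's test requires a single address; several is a failure.
        return False, f"{hostname} resolves to {len(addrs)} addresses: {', '.join(addrs)}"
    return True, addrs[0]


def check_reverse_dns(hostname: str, address: str, reverse: ReverseResolver = system_reverse) -> Result:
    """Reverse test: the address must map back to the same hostname."""
    try:
        name = reverse(address)
    except OSError as exc:  # socket.herror is an OSError subclass
        return False, f"{address} has no reverse record: {exc}"
    if name.rstrip(".").lower() != hostname.rstrip(".").lower():
        return False, f"{address} reverses to {name}, not {hostname}"
    return True, name


def run_dns_diagnostics(hostname: str, forward: ForwardResolver = system_forward,
                        reverse: ReverseResolver = system_reverse) -> Dict[str, Result]:
    """Run both tests; the reverse test only runs once the forward test has succeeded."""
    results: Dict[str, Result] = {}
    ok, detail = check_forward_dns(hostname, forward)
    results["Checking forward DNS"] = (ok, detail)
    if ok:
        results["Checking reverse DNS"] = check_reverse_dns(hostname, detail, reverse)
    else:
        results["Checking reverse DNS"] = (False, "skipped: forward DNS test failed")
    return results


# Constructed records standing in for a real zone (assumed names and addresses).
FAKE_A = {
    "fw.example.internal": ["192.0.2.10"],                # one address, PTR matches: both pass
    "lb.example.internal": ["192.0.2.20", "192.0.2.21"],  # two addresses: forward test fails
}
FAKE_PTR = {
    "192.0.2.10": "fw.example.internal",
    "192.0.2.20": "lb-a.example.internal",                # PTR does not match the forward name
}


def fake_forward(hostname: str) -> List[str]:
    if hostname not in FAKE_A:
        raise socket.gaierror(f"constructed NXDOMAIN for {hostname}")
    return list(FAKE_A[hostname])


def fake_reverse(address: str) -> str:
    if address not in FAKE_PTR:
        raise socket.herror(f"constructed missing PTR for {address}")
    return FAKE_PTR[address]


if __name__ == "__main__":
    for host in list(FAKE_A) + ["missing.example.internal"]:
        for test, (ok, detail) in run_dns_diagnostics(host, fake_forward, fake_reverse).items():
            print(f"{host}: {test}: {'PASS' if ok else 'FAIL'} ({detail})")
```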


Chapter 14

Reporting
In this chapter:
Working with Advanced Firewall reports
Managing report data and databases
How to install and work with Smoothwall's Crystal Reports client.

Accessing Reporting
Advanced Firewall can produce many types of reports which provide information on almost every aspect of Advanced Firewall.
To access reporting:

Navigate to the info > reports > reports page.


Generating Reports
Advanced Firewall contains a broad range of reports which can be generated immediately.
To generate a report:

1 Navigate to the info > reports > reports page.
2 Click on a folder containing the report you want to generate.
3 Click on the report to access its options. Advanced Firewall displays the options available.
Tip: Click Advanced to see a description of the report, access advanced options and portal publication permissions. For more information on publishing reports, see Chapter 8, Making Reports Available on page 77.
4 If applicable, set the time interval for the report and enter/select any option(s) you require.
5 Click on the report's title or icon to generate the report. Advanced Firewall displays the report.

Saving Reports
If you want permanent access to a report, you must save it.
To save a report:

1 Generate the report, see Generating Reports on page 248.
2 In the Save as field, enter a name for the report and click Save. You can access the report on the info > reports > recent and saved page.

About Recent and Saved Reports


You can access all reports generated in the last three days on the info > reports > recent and saved page. You can also save recently generated reports and change report formats on this page.


Changing Report Formats


Advanced Firewall enables you to change reports viewed and/or saved in one format to another.
To change a report format:

1 Navigate to the info > reports > recent and saved page.
2 Locate the report you want to change and click on the format you want to change the report to. The following formats are available:

csv: The report will be generated in comma separated text format.
excel: The report will be generated in Microsoft Excel format.
pdf: The report will be generated in Adobe's portable document format.
pdfbw: The report will be generated in black and white in Adobe's portable document format.
tsv: The report will be generated in tab separated text format.

Managing Reports and Folders


The following sections explain how to create, delete and navigate reports and folders in Advanced Firewall.

Creating Folders
You can create a folder to contain reports on the info > reports > reports page or in a folder or subfolder contained on the page.
To create a folder:

1 On the info > reports > reports page, determine where you want to create the folder, on the page or in an existing folder.
2 Click the Create a new folder button. Advanced Firewall creates the folder.
3 Enter a name for the folder and click Rename.

Deleting Folders
To delete a folder:

1 On the info > reports > reports page, locate the folder.
2 Click the Delete button. Advanced Firewall deletes the folder.

Note: You cannot delete a folder which contains reports. Delete the report(s) in the folder first, then delete the folder.

Navigating between Folders


You can navigate between folders using the Location bar.
Tip: To go up a level, click the Go up a folder level button.

To navigate between folders on the location bar:

1 On the info > reports > reports page, click on a folder in the Location bar.
2 From the drop-down list, click on the folder you want to go to. Advanced Firewall takes you to the folder.

Deleting Reports
To delete a report:

1 Navigate to the info > reports > recent and saved page.
2 Locate the report and click the Delete button.

Report Permissions
Advanced Firewall enables you to publish reports on a portal. For more information, see Chapter 8, Making Reports Available on page 77.

Making Reports Available to Other Portals


You can make reports generated on one portal available to other portals.

To make the report available:

1 Navigate to the info > reports > reports page.
2 Locate the report you want to publish to other portals and click Automatic Access. The following dialog box opens:
3 In the Automatic Access area, from the Add access drop-down list, select the portal you want to publish the generated report on and click Add.
4 Click Close to close the dialog box. Advanced Firewall publishes the report to the portal.

Scheduling Reports
Advanced Firewall can generate and deliver reports to specified user groups at specified intervals.
To schedule a report:

1 Navigate to the info > reports > scheduled page.
2 Configure the following settings:

Start date: Select the month and day on which to create and deliver the report. If the report is to be repeated, enter the date on which the first report should be created and delivered.
Time: Select the hour and minute at which to deliver the report.
Repeat: Scheduled reports can be generated and delivered more than once. Select from the following options:
No Repeat: The report will be generated and delivered once on the specified date at the specified time.
Daily Repeat: The report will be generated and delivered once a day at the specified time starting on the specified date.
Weekday Repeat: The report will be generated and delivered at the specified time, Monday to Friday, starting on the specified date.
Weekly Repeat: The report will be generated and delivered at the specified time, once a week, starting on the specified date.
Monthly Repeat: The report will be generated and delivered at the specified time, once a month, starting on the specified date.
Enabled: Select to enable the scheduled report.
Comment: Optionally, enter a description of the scheduled report.
Report: From the drop-down list, select the report.
Report shows period: From the drop-down list, select how long to collate data for this report.
Save report: Select this option if you want to save the scheduled report after it has been generated. The report will be available on the info > reports > recent and saved page.
Report name: Enter a name for the scheduled report.
Publish from portal: Optionally, from the drop-down menu, select a portal to publish the report from.
Email report: Select this option if you want to email the report to a group of users.
Group: From the drop-down list, select the group you want to deliver the report to. For more information, see Chapter 15, Configuring Groups on page 293.

3 Click Add. Advanced Firewall schedules the report and lists it in the Scheduled reports area.


Managing Report Data


To manage a local report database:

1 Navigate to the info > settings > database settings page.
2 Configure the following settings:

Mode: Accept the default setting Local. For information on how to store report data in a remote database, see Storing Report Data Remotely on page 253.
Database: Enter the following information:
Username: Accept the default user name or enter a new user name.
Password: Enter a password for the database.
Pruning: Select if you want to prune entries in the database at specified intervals to save storage space or potentially speed up information processing.
Don't prune: Select to not remove any entries from the database.
Over a month: Select to remove entries that are more than one month old and repeat every month.
Over three months: Select to remove entries that are more than three months old and repeat every month.
Over six months: Select to remove entries that are more than six months old and repeat every month.

3 Click Save to save the database management settings.

Storing Report Data Remotely


Advanced Firewall can be configured to store report data remotely in the database of a compatible system. Storing data in a remote database entails:
First configuring the remote database management system with username and password information
Then configuring the local system with the IP address of the remote database.

To store reports remotely:

1 On the remote, compatible system which will store the data, navigate to the info > settings > database settings page.
2 Configure the following settings:

Mode: Accept the default setting Local.
Database: Enter the following information:
Username: Enter a new user name.
Password: Enter a new password for the database and store it securely for future reference.
Note: The user name and password specified here must be the same as the user name and password specified on the local database.
Note: If the user name and/or password are changed here, they must also be changed on all databases using this database to store data.
Pruning: Select if you want to prune the database at specified intervals to save storage space or potentially speed up information processing.
Don't prune: Select to not remove any entries from the database.
Over a month: Select to remove entries that are more than one month old and repeat removal every month.
Over three months: Select to remove entries that are more than three months old and repeat removal every month.
Over six months: Select to remove entries that are more than six months old and repeat removal every month.

3 On the local Advanced Firewall, navigate to the info > settings > database settings page and configure the following settings:

Mode: Select Remote to store the data on a remote system and enter the IP address of the remote Smoothwall system.
Database: Enter the following information:
Username: Enter the user name used when configuring the remote database.
Password: Enter the password used when configuring the remote database.
Note: If the user name and/or password are changed on the remote system, they must also be changed here in order for remote storage to continue functioning.
Pruning: Select if you want to prune the database at specified intervals to save storage space or potentially speed up information processing.
Don't prune: Select to not remove any entries from the database.
Over a month: Select to remove entries that are more than one month old and repeat removal every month.
Over three months: Select to remove entries that are more than three months old and repeat removal every month.
Over six months: Select to remove entries that are more than six months old and repeat removal every month.

4 Click Save. Advanced Firewall starts to store data on the remote system.

Managing Disk Space


Using Advanced Firewall, you can review how disk space is used to store log and database information, optimize, empty or prune the database and back up data in an archive.

About Disk Usage


Advanced Firewall displays information on how much data and the type of data being stored on the system's hard disk.

To review information on disk usage:

Browse to the info > settings > database backup page.

The following information is available:


Log and database partition usage summary: In this area, Advanced Firewall shows a summary of how much disk space there is, how much has been used and how much is free.
Usage broken down by module/category: In this area, Advanced Firewall shows how much disk space is being used to store information by module and type of storage.
Note: If configured to store data in a remote database (see Storing Report Data Remotely on page 253), Advanced Firewall will show N/A in the Database column. To find information on disk usage, access the info > settings > database page on the remote system.

Advanced Firewall updates the information every 60 minutes and all figures shown are approximate.

Monitoring Log Insertion


Advanced Firewall enables you to monitor the process of inserting log information into the database.

To monitor log insertion:

Browse to the info > settings > database backup page. Current information is displayed in the Log insertion process area.

Optimizing, Emptying and Pruning Databases


It is possible to optimize, empty and prune databases in order to improve performance and use disk space in the best possible way.
Tip: Run the Reporting database health report to determine the database's status before using any of the database management options documented in the following sections. See Chapter 14, Reporting on page 247 for more information on generating reports.

Optimizing a Database
Note: Optimizing a database can take a long time to complete and may have an impact on the system's performance.
To optimize a database:

1 Browse to the info > settings > database backup page and click Optimize database.
2 When prompted, click Continue to confirm. The database is optimized.

Emptying a Database
Note: Emptying a database removes all data from the database and can take a long time to complete.
To empty a database:

1 Browse to the info > settings > database backup page and click Empty database.
2 When prompted, click Continue to confirm. The database is emptied.

Pruning a Database
Note: Pruning a database can take a long time to complete and may have an impact on the system's performance.
To prune a database:

1 Browse to the info > settings > database backup page and click Prune now.
2 When prompted, click Continue to confirm. The database is pruned.

Backing up Data
It is possible to back up your report data in an archive. This enables you to restore data, for example, when recovering from hardware failure.
To back up data:

1 Browse to the info > settings > database backup page.
2 In the Backup area, click Backup. The data is backed up in an archive and listed in the Backup area.
3 In the Backup area, select the archive and click Download. When prompted, save the archive in a secure location for use if you need to restore data.

Restoring Data
The following section explains how to restore data.
Note: When you restore data, the database is not emptied. Therefore, if the database is not empty, restoring data can cause duplicate data. We recommend that you always ensure that the database is empty to avoid duplicate data. See Emptying a Database on page 257 for information on how to empty a database.
To restore data:

1 Browse to the info > settings > database backup page.
2 In the Upload area, click Browse. In the File Upload dialog box, navigate to where the backup archive is stored, select it and click Open.
3 Click Upload. The file is uploaded and listed in the Backup area.
4 Select the file and click Restore. The data is restored.

About Migrating from Earlier Versions


When updating to the latest version, existing data stored in the database may not be accessible for reporting. If this is the case, a warning message will be displayed. The data is safe but not accessible in its current format. To make it accessible, create a backup archive and restore it. For more information, see Backing up Data on page 257 and Restoring Data on page 258.

Working with Crystal Reports


With the Smoothwall Crystal Reports Client, you can design and integrate reports in your Crystal Reports system.
Note: You can use the Smoothwall Crystal Reports Client to import data from log files and store it in comma-separated (csv) format without having access to Crystal Reports.

Installing the Crystal Reports Client


Note: The Crystal Reports Client only runs on Microsoft Windows systems.
To install the Crystal Reports Client:

1 Insert your Advanced Firewall CD into your CD drive and, in Windows Explorer, browse to the Extras directory on the CD.
2 Locate and double-click on Smoothwall Crystal Reports Client Setup.exe. The installation wizard starts.
3 Accept all the default options and complete the wizard.
4 Click Windows Start and, from the Programs group, select Crystal Reports Client. The Crystal Reports Client starts:

For information on working in the Crystal Reports Client, see the following sections.
Note: When you install the Crystal Reports Client, ODBC Data Sources for the proxy and filter logs are created using the Microsoft Text Driver. These are named SW_CR_ProxyDataSource and SW_CR_FilterDataSource respectively.

Overview of the Crystal Reports Client


The Crystal Reports Client contains the following settings and options:
Guardian IP/Hostname: The IP or hostname of Advanced Firewall containing the log files you want to use.
Username: The name of a user account authorized to access your Advanced Firewall.
Password: The password associated with the account.
Previous: A drop-down list of time intervals you want the logs to cover. You can select logs for: the last day, week, month or year.
Proxy logs: Specifies that you want to access the information contained in the proxy logs on your Advanced Firewall. If you select this option, Crystal Report-compatible reports to manage bandwidth usage and basic log information become available below.
Filter logs: Specifies that you want to access the information contained in the filter logs on your Advanced Firewall. If you select this option, Crystal Report-compatible reports to manage denied pages and malware information become available below.
Retrieve Log: Retrieves and saves the information as a csv file in your local Documents and Settings folder. If you have selected Proxy logs, the file will be stored under: Application Data\Smoothwall Crystal Reports Client\Log Files\Proxy. If you have selected Filter logs, the file will be stored under: Application Data\Smoothwall Crystal Reports Client\Log Files\Filter. csv files can be opened in most text editors and spreadsheet applications.
Open Report: Opens the currently selected Crystal Reports-compatible report in Crystal Reports. Note: You must have Crystal Reports installed and accessible for this to work.
Retrieve and Open: Retrieves information from the selected log and displays it in the currently selected Crystal Reports-compatible report. Note: You must have Crystal Reports installed and accessible for this to work.

Using Custom Templates


You can install custom templates in Crystal Reports Client's data directory. These templates become available after restarting Crystal Reports Client.
To manually manage log files and templates:

1 From the File menu, select Open. The default directory structure is as follows:
The Log files directory, which contains the sub directories Filter and Proxy
The Templates directory, which contains the sub directories Filter and Proxy.
2 Place Crystal Reports templates for working with web filter logs in the Templates\Filter folder.
3 Place Crystal Reports templates for working with proxy logs in the Templates\Proxy folder.

Retrieving Logs
Note: On a busy network, log files will be large and may take some time to retrieve and process.
To retrieve logs:

1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Enter the IP or hostname of Advanced Firewall and the user name and password of an authorized account.
3 Select the time period for the logs.
4 Select the type of logs you want to retrieve.
5 Click Retrieve Logs. The Crystal Reports Client retrieves and saves the information as a csv file in your local Documents and Settings folder. If you have selected Proxy logs, the file will be stored under: Application Data\Crystal Reports Client\Log Files\Proxy. If you have selected Filter logs, the file will be stored under: Application Data\Crystal Reports Client\Log Files\Filter.

Opening Crystal Reports-compatible Reports


See Overview of the Crystal Reports Client on page 259 for information on the options available. The Crystal Reports Client contains a number of predefined Crystal Reports-compatible reports which you can review in Crystal Reports.
Note: Crystal Reports must be installed and accessible for this function to work.
To open a report:

1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Select proxy log or filter log.
3 Depending on the type of log you selected, choose one of the following: Bandwidth usage per user, Basic log view, Denied pages per user or Virus occurrences.
4 Click Open Report. The report is opened in Crystal Reports. For information on working in Crystal Reports, see your Crystal Reports documentation.

Retrieving Information and Opening Reports


See Overview of the Crystal Reports Client on page 259 for information on the options available. The Crystal Reports Client contains a number of predefined Crystal Reports-compatible reports which you can use to display Advanced Firewall proxy and filter log information in Crystal Reports.
Note: Crystal Reports must be installed and accessible for this function to work.
Note: On a busy network, log files will be large and may take some time to retrieve and process.
To retrieve information and display it in Crystal Reports:

1 Click Windows Start and, from the Programs group, select Crystal Reports Client.
2 Enter the IP or hostname of Advanced Firewall and the user name and password of an authorized account.
3 Select the time period for the logs.
4 Select the type of logs you want to retrieve.
5 Click Retrieve & Open. The Crystal Reports Client retrieves the information, starts Crystal Reports and displays the information. For information on working in Crystal Reports, see your Crystal Reports documentation.

Uninstalling the Crystal Reports Client


To uninstall the Crystal Reports Client:

1 Click Windows Start and, in the Programs group, select Crystal Reports Client and Uninstall. The following dialog opens:
2 Click Uninstall and, when the process is complete, click Close. The Crystal Reports Client is removed from your workstation and is no longer available.

Note: Uninstalling the Crystal Reports Client does not remove the ODBC Data Sources or the data directory. They must be removed manually.


Chapter 15

Information, Alerts and Logging


In this chapter:
About the control, summary and about pages
Viewing, analyzing and configuring alerts, realtime information and log files.

About the Control Page

The control page is the default home page of your Advanced Firewall system.
To access the control page:

Browse to the main > main > control page.

The control page displays a to-do list for getting started, service information, external connectivity controls and a customizable number of summary reports.

For information on customizing the information displayed, see Chapter 16, Configuring the User Interface on page 310.

About the Summary Page


The summary page displays a customizable list of Advanced Firewall reports.

To access the summary page:

Navigate to the main > main > summary page.

A list of reports, which are generated by default, is displayed. For information on customizing the reports displayed, see Chapter 16, Configuring the User Interface on page 310.

About the About Page


The about page displays product, registration, copyright and trademark information. It also displays acknowledgements.
To access the about page:

Browse to the main > main > about page.

Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.

264

1s

Ed i

ti

on

Smoothwall Advanced Firewall Administrators Guide

Overview
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual events, for example, an administrator login failure, or a series of events occurring over a particular time period, for example, a sustained high level of traffic over a five minute period. Some alerts allow their trigger conditions to be edited to customize the alert sensitivity. Some situations are constantly monitored, particularly those relating to critical failures, for example, UPS and power supply alerts. It is possible to specify two trigger conditions for some alerts: the first acts as a warning alert and, in more critical circumstances, the second denotes the occurrence of an incident.

Available Alerts
You access the alerts and their settings on the info > alerts > alerts page.

VPN Tunnel Status: VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected, or disconnected. Monitored once every five minutes.
License expiry status warnings: Generates messages when the license is due for renewal or has expired. Monitored once an hour.
Hardware Failover Notification: Generates messages when a hardware failover occurs, or when failover machines are forced on and offline. Monitored once an hour.
SmoothTunnel VPN Certificate Monitor: Validates Advanced Firewall VPN certificates and issues warnings about potential problems, or impending expiration dates.
Hardware failure alerts, harddisk failure: Generates messages when hardware problems are detected.
UPS, Power Supply status warnings: Generates messages when server power switches to and from mains supply. Constant monitoring.
SmoothRule Violations: Monitors outbound access activity and generates warnings about suspicious behavior. Constant monitoring.
System Resource Monitor: These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.
Firewall Notifications: Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Constant monitoring.
L2TP VPN Tunnel Status: L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected, or disconnected. Monitored once every five minutes.
System Service Monitoring: This alert is triggered whenever a critical system service changes status, i.e. starts or stops. Monitored once every five minutes.
Health Monitor: Checks on remote services for activity.
Email Virus Monitor: These alerts are triggered by detection of malware being relayed via SMTP or downloaded via POP3. Monitoring is constant.
IM proxy monitored word alert: Monitors instant messaging chat activity and generates warnings based on excessive use of inappropriate language.
Traffic Statistics Monitor: These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds. Monitored once every five minutes.
Output System Test Messages: Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems. Constant monitoring.
Inappropriate word in IM Monitor: Generates an alert whenever a user uses an inappropriate word or phrase in an IM chat conversation.
Administration Login Failures: Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant monitoring.
Intrusion System Monitor: These alerts are triggered by violations and notices generated by the intrusion system by suspicious network activity. Constant monitoring.
Update Monitoring: Monitors the system for new updates once an hour.
SmoothZap Mail Queue Monitor: Watches the email queue and informs if the number of messages therein exceeds a certain threshold. Monitored once an hour.
System Boot (Restart) Notification: This alert is generated whenever the system is booted, i.e. is turned on or restarted. Monitored once every five minutes.

Enabling Alerts

To enable alerts:

1 Browse to the info > alerts > alerts page.
2 Configure the following settings:

Group name: From the drop-down list, select a group of recipients and click Select. For information on creating a group, see Configuring Groups on page 293.
Enable instantaneous alerts: By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a merged notification of all alerts. Select this option to send the alert(s) individually as soon as they are triggered.

3 For each alert you want to send, select the delivery method: SMS or Email.
4 Click Save.

Looking up an Alert by Its Reference


To view the content of an alert that has already been sent:

Enter the alert's unique ID into the Alert ID field and click Show. The content of the alert will be displayed on a new page.

Configuring Alert Settings


The following sections explain how to configure Advanced Firewall alert settings.
To access the alert settings:

Browse to the info > settings > alert settings page.

Configuring the SmoothTunnel VPN Certificate Alert


This alert validates VPN certificates and issues warnings about potential problems or impending expiration dates.
To adjust the settings:

1 Enter or choose appropriate settings for each of the following controls:

Number of days left (Warning): Used to specify the number of days before a certificate expires that a warning alert is sent.
Number of days left (Critical): Used to specify the number of days before a certificate expires that a critical alert is sent.
Notification of expired certificates: Used to generate alerts when certificates have expired.

2 Click Save.

Configuring the SmoothRule Violations Alert


This alert monitors outbound activity and generates warnings about suspicious behavior.

To adjust the settings:

1 Enter or choose appropriate settings for each of the following controls:

Setting | Description
Monitor ports for accesses | Enables outbound port access monitoring. Use the adjacent Warning threshold text field to enter the number of port accesses that would generate an alert. Use the Destination port list to specify a comma separated list of outbound ports that this alert applies to.
Monitor Destination IP addresses | Enables outbound IP address monitoring. Alerts will be generated if a rapid series of outbound requests are made to the same destination IP. Use the Warning threshold and Incident threshold fields to set the respective levels at which alerts are generated for this kind of activity.
Monitor Destination Ports | Enables outbound port monitoring. Alerts will be generated if a rapid series of outbound requests are made to the same destination port. Use the Warning threshold and Incident threshold fields to set the respective levels at which alerts are generated for this kind of activity.

2 Click Save.

Configuring the System Resource Alert

This alert is triggered whenever particular system resources exceed some predefined limitations.

To adjust the settings:

1 Enter or choose appropriate settings for each of the following controls:

Setting | Description
System load average | Used to set a threshold for the average number of processes waiting to use the processor(s) over a five minute period. A system operating at normal performance should record a load average of between 0.0 and 1.0. Whilst higher values are not uncommon, prolonged periods of high load (for example, averages greater than 3.0) may merit attention.
Disk usage | Used to set a disk space usage percentage threshold that generates an alert once exceeded. Low amounts of free disk space can adversely affect system performance.
System memory usage | Used to set a system memory usage percentage threshold that generates an alert once exceeded. Advanced Firewall uses system memory aggressively to improve system performance, so higher than expected memory usage may not be a concern. However, prolonged periods of high memory usage may indicate that the system could benefit from additional memory.

2 Click Save.

Configuring the Firewall Notifications Alert

This alert monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports.

To adjust the settings:

1 Enter or choose appropriate settings for each of the following controls:

Setting | Description
Monitor Source (remote) IP addresses | Detects suspicious inbound communication from remote IP addresses. Alerts will be generated if a rapid series of inbound requests from the same remote IP address is detected.
Monitor Source (remote) Ports | Detects suspicious inbound communication from remote ports. Alerts will be generated if a rapid series of inbound requests from the same remote port is detected.
Monitor Destination (local) IP Addresses | Detects suspicious inbound communication to local IP addresses. Alerts will be generated if a rapid series of inbound requests to the same local IP address is detected.
Monitor Destination (local) Ports | Detects suspicious inbound communication to local ports. Alerts will be generated if a rapid series of inbound requests to the same local port is detected.

Note: The adjacent Warning threshold and Incident threshold fields can be used to set the respective levels at which alerts are generated for each type of activity.

Note: To exempt particular ports from monitoring, enter a comma separated list of ports into the appropriate Ignore fields.

2 Click Save.
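The four monitors above and the SmoothRule Violations alert apply the same rule: count requests per remote IP, remote port, local IP or local port inside a short window and compare the count with the Warning and Incident thresholds, skipping any ports listed in the Ignore fields. As an added example that is not Smoothwall's implementation, the following Python applies that rule to constructed firewall log lines laid out in the firewall log viewer's column order; the one-minute window, the thresholds and the addresses are assumptions.

```python
"""Sliding-window threshold check over firewall log entries.

Added example modelled on the Firewall Notifications alert: count inbound
requests per remote IP, remote port, local IP and local port, and raise a
warning or incident once the Warning / Incident thresholds are reached.
The one-minute window, the log line layout and all addresses are
assumptions of this example, not Smoothwall's implementation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the column order of the firewall log viewer:
# Time, In, Out, Protocol, Source, Src Port, Dst port, Destination
SAMPLE_LOG = """\
2011-03-01 10:00:01 eth0 - TCP 203.0.113.7 51000 22 192.0.2.10
2011-03-01 10:00:02 eth0 - TCP 203.0.113.7 51001 23 192.0.2.10
2011-03-01 10:00:02 eth0 - TCP 203.0.113.7 51002 25 192.0.2.10
2011-03-01 10:00:03 eth0 - TCP 203.0.113.7 51003 80 192.0.2.10
2011-03-01 10:00:04 eth0 - TCP 203.0.113.7 51004 443 192.0.2.10
2011-03-01 10:00:05 eth0 - TCP 203.0.113.7 51005 445 192.0.2.10
2011-03-01 10:00:09 eth0 - UDP 198.51.100.4 40000 123 192.0.2.10
2011-03-01 10:03:30 eth0 - TCP 198.51.100.4 40001 22 192.0.2.10
"""

# Ordering of alert levels so that an incident always overrides a warning.
LEVELS = {None: 0, "warning": 1, "incident": 2}


def parse_line(line):
    """Split one log line into a dict; port numbers become ints."""
    date, clock, iface_in, iface_out, proto, src, sport, dport, dst = line.split()
    return {
        "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "in": iface_in, "out": iface_out, "proto": proto,
        "src": src, "sport": int(sport), "dport": int(dport), "dst": dst,
    }


def check_firewall_log(text, warning=5, incident=10, ignore_ports=(),
                       window=timedelta(minutes=1)):
    """Return {(category, value): level} for every key whose request count
    inside `window` reached `warning` or `incident` (highest level kept).

    Categories mirror the four monitors on the alert settings page:
    source_ip, source_port, dest_ip, dest_port. Ports in `ignore_ports`
    are skipped for the two port categories, like the Ignore fields.
    """
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    recent = defaultdict(list)   # (category, value) -> timestamps in window
    alerts = {}
    for ev in events:
        keys = [("source_ip", ev["src"]), ("dest_ip", ev["dst"])]
        if ev["sport"] not in ignore_ports:
            keys.append(("source_port", ev["sport"]))
        if ev["dport"] not in ignore_ports:
            keys.append(("dest_port", ev["dport"]))
        for key in keys:
            times = recent[key]
            times.append(ev["time"])
            # Expire timestamps that fell out of the sliding window.
            while ev["time"] - times[0] > window:
                times.pop(0)
            n = len(times)
            level = "incident" if n >= incident else "warning" if n >= warning else None
            if LEVELS[level] > LEVELS[alerts.get(key)]:
                alerts[key] = level
    return alerts


if __name__ == "__main__":
    # With Warning=5 and Incident=7 the constructed log yields a warning for
    # remote IP 203.0.113.7 and an incident for local IP 192.0.2.10.
    for (category, value), level in check_firewall_log(SAMPLE_LOG, warning=5, incident=7).items():
        print(f"{level:8s} {category:12s} {value}")
```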

Configuring the System Service Alert

This alert is triggered whenever a critical system service changes state, i.e. starts or stops.

1 Select the components, modules and services that should generate alerts when they start or stop.

2 Click Save.

Configuring the Health Monitor

This alert is triggered whenever a remote service fails to report activity. Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of Advanced Firewall.

To adjust the settings for this alert:

The health monitor provides the following checks and alerts:

Web Servers (HTTP): When enabled, tries to retrieve the specified web page and check that it contains specific keywords. This is for detecting defacement.

Setting | Description
Request URL | Enter the URL of the web page you want retrieved and checked for keywords, for example: example.com/index.htm. Note: Omit http:// when entering the URL.
No of tries | Enter the number of times Advanced Firewall should try to retrieve the page.
Keywords | Enter the keywords to be checked in the page. Assuming the page has been retrieved and the keywords are missing, an alert is generated.

Other Services: Checks that the specified port is open and offering a service.

Setting | Description
IP Address | Enter the IP address.
Port | Enter the port number.
Protocol | From the drop-down list, select the protocol of the service you want to check for a response. Select Other to check that there is any response to connections on the associated port.
No of tries | Enter the number of times Advanced Firewall should check the address and not receive a response before generating an alert.

DNS Name Resolution: Checks that a domain has not expired or been hijacked.

Setting | Description
Name | Enter the domain name.
Address | Enter the domain address.

To configure the alert:

1 For the services, enter the URL, IP address or name.

2 Enter keywords, port numbers and number of tries, if applicable.

3 Select the protocol.

4 Click Add for each service.

Configuring the Traffic Statistics Alert

This alert is triggered whenever the traffic flow for the external interface exceeds certain thresholds.

To adjust the settings:

1 Enter or choose appropriate settings for each of the following controls:

Setting | Description
Incoming bandwidth | Used to set an average incoming data rate limit in Kbps. If this is exceeded over a five minute period, an alert is triggered.
Outgoing bandwidth | Used to set an average outgoing data rate limit in Kbps. If this is exceeded over a five minute period, an alert is triggered.
Data transfer for the previous | Used to specify whether alerts should be generated for a daily, weekly or monthly data limit.

Incoming data exceeds | Used to set an incoming data threshold (in KB). An alert is generated if the specified amount is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).
Outgoing data exceeds | Used to set an outgoing data threshold (in KB). An alert is generated if the specified amount is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).
Total data exceeds | Used to set a total data threshold (in KB). An alert is generated if the specified amount of incoming and outgoing traffic is exceeded in a day, week or month (dependent on the setting chosen from the Data transfer for the previous drop-down list).

2 Click Save.

Configuring the Inappropriate Word in IM Monitor Alert

These alerts are generated whenever a user uses an inappropriate word or phrase in instant messaging chat conversations.

To configure the alert:

1 Configure the following settings:

Setting | Description
Enabled on received text | Select to generate the alert when an inappropriate word is used in a message received from a remote user.
Enabled on sent text | Select to generate the alert when an inappropriate word is used in a message sent by a local user.
Generate alert for each message which exceeds the Message Censor severity threshold | Select to generate an alert when the Message Censor threshold is exceeded. For information on the Message censor threshold, see Chapter 8, Censoring Instant Message Content on page 98. From the drop-down list, select the threshold above which an alert will be generated.
Generate alert when users exceed the rate of inappropriate messages | Select to generate an alert when users exceed the specified number of inappropriate messages within a 15 minute period.
Number of inappropriate messages in 15 mins | Specify how many inappropriate messages to allow in a 15 minute period before generating an alert.

2 Click Save to save the settings.

Configuring the Intrusion System Alert

This alert is triggered by violations and notices generated by the intrusion system caused by suspicious network activity.

To adjust the settings:

1 Enter or choose appropriate settings for each of the following controls:

Setting | Description
Priority | Used to set the priority level threshold for IDS detected warnings that, once exceeded, generates an alert.

2 Click Save.

Configuring the Email Virus Monitor Alert

When configured, these alerts are triggered when malware being relayed via SMTP or downloaded via POP3 is detected.

To configure the alert(s):

1 Enable the following setting(s):

Setting | Description
Monitor SMTP relay for viruses | Select to alert when malware is detected when relaying via SMTP.
Monitor POP3 proxy for viruses | Select to alert when malware is detected when downloading via POP3.

2 Click Save to enable the alerts.

Configuring the Mail Queue Monitor Alert

This alert is triggered when the number of messages in the email queue exceeds the specified threshold.

To configure and enable the alert:

1 Configure the following settings:

Setting | Description
Threshold number of messages | Enter the number of messages above which the alert is triggered.

2 Click Save to save the settings and enable the alert.

Realtime

The realtime pages provide access to realtime information about your system, IPsec tunnels, the firewall and traffic.

System Information

The system page is a realtime version of the system log viewer with some filtering options.

To access the system page:

1 Browse to info > realtime > system page.

By default, all information in the system log is displayed and updated automatically approximately every second.

To display information on specific components:

1 From the Section drop-down list, select the component and click Update. If there is information on the component available in the system log, it is displayed in the Details area.

Firewall Information

The firewall page is a realtime version of the firewall log viewer with some filtering options. All entries in the firewall log are from packets that have been blocked by Advanced Firewall.

To access the page:

1 Browse to info > realtime > firewall page.

By default, information is displayed and updated automatically approximately every second.

To display information on specific sources and destinations:

1 Enter a complete or partial IP address and/or port number in the fields and click Update.

IPsec Information

The ipsec page is a realtime version of the IPsec log viewer with some filtering options.

To access the ipsec page:

1 Browse to info > realtime > ipsec page.

By default, all information in the log is displayed and updated automatically approximately every second.

To display information on a specific tunnel:

1 Configure the following settings:

Setting | Description
Connection | From the drop-down list, select the tunnel.
Show only lines containing | Enter the text you are looking for.

2 Click Update. If there is information available in the system log, it is displayed in the Details area.

Realtime Email Information

You can review realtime information on relayed and delivered email.

To view realtime information:

1 Browse to the info > realtime > email page.

Advanced Firewall displays and automatically updates the realtime information available on relayed and delivered email.

Portal Information

The portal page displays realtime information on users accessing Advanced Firewall portals.

To access the portal page:

1 Browse to info > realtime > portal page.

For more information on portals, see Chapter 8, Working with User Portals on page 75.

Instant Messaging

The im proxy page is a realtime version of the im proxy log viewer with some filtering options.

To view IM conversations:

1 Browse to info > realtime > im proxy page.

The page displays a view of ongoing conversations for each of the monitored protocols and displays a selected conversation as it progresses.

Note: As most IM clients communicate with a central server, local conversations are likely to be displayed twice as users are recognized as both local and remote.

Active conversations which have had content added to them within the last minute are displayed in bold text in the left pane. If nothing has been said for more than a minute, the remote username will be displayed in the normal style font. The local username is denoted in blue, the remote username is denoted in green. You can use the following settings to manage how the conversation is displayed.

Setting | Description
<html> | Click to remove any html tags at the start or end of a conversation.
ScrLk | Click to lock the conversation pane to the bottom of the conversation, i.e. when someone says something new the text will scroll off the top of the screen.

2 In the Username or IP address field, enter the username or IP address. If there is information available in the web filter log, it is automatically displayed in the Details area.

3 To show lines containing specific text, in the Show only lines containing field, enter the text. If the text is found, it is automatically displayed in the Details area.

Traffic Graphs

The traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by the currently selected interface.

To access the traffic graphs page:

1 Browse to info > realtime > traffic graphs page.

The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an interface displays its current traffic.

Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming bandwidth. Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing bandwidth.

Logs

The log pages display system, firewall, IPsec, intrusion system, email and proxy information.

System Logs

The system logs contain simple logging and management information.

To access system logs:

1 Browse to the info > logs > system page.

The following filter criteria controls are available in the Settings area:

Control | Description
Section | Used to select which system log is displayed. The following options are available:
  Authentication service: Log messages from the authentication system, including service status messages and user authentication audit trail.
  DHCP server: Log messages from the SmoothDHCP system.
  DNS Proxy: Log messages from the DNS proxy service.
  Heartbeat: Log messages from the hardware failover system.
  IM Proxy: Log messages from the instant messaging proxy service.
  IPSec: Logs the VPN system including service status changes.
  ISDN: Log messages from external connections using a local ISDN device.
  Kernel: Log messages from the core Advanced Firewall operating system.
  L2TP: Logs L2TP service status messages.
  L2TP PPP: Logs L2TP PPP transport negotiation messages.
  Message censor: Displays information from the message censor logs.
  NTP: Log messages from the network time system.
  PPP: Log messages from the system, for external modem or dial-up connections.
  Routing service: Logs routing including service status messages.
  SIP service: Logs SIP-based VoIP service information.
  SNMP: Logs Simple Network Management Protocol activity.
  SmoothD: Log messages from the SmoothD super server.
  SmoothD: Displays server log information.
  SmoothMonitor: Displays monitoring system information including service status and alert/report distribution audit trail.
  SSH: Log messages from the SSH system.
  SSL VPN: Log messages from the SSL VPN system.
  System: Simple system log messages, including startup, shutdown, reboot and service status messages.
  UPS: Log messages from the UPS system, including service status messages.
  Update transcript: Displays information on update history.
Month | Used to select the month that log entries are displayed for.
Day | Used to select the day that log entries are displayed for.

To view specific information:

1 Select the filtering criteria using the Settings area and click Update. A single column is displayed containing the time of the event(s) and descriptive messages.

Firewall Logs

The firewall logs contain information on network traffic. The firewall logs contain details about all data packets rejected by Advanced Firewall. In addition, the firewall logs can display port forwards, and all incoming, outgoing and forwarded data packets, if traffic auditing has been configured on the networking > firewall > advanced page.

To view the firewall logs:

1 Browse to the info > logs > firewall page.

Filtering Firewall Logs

The following filter criteria controls are available in the Settings area:

Control | Description
Section | Used to select which firewall log is displayed. The content of each section is discussed below.
Month | Used to select the month that log entries are displayed for.
Day | Used to select the day that log entries are displayed for.
Compression | Used to ghost repeated sequential log entries for improved log viewing.
Source | Enter an IP address and click Update to display log entries for that source address.
Src port | This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Destination | Enter an IP address and click Update to display log entries for that destination address.
Dst port | This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.

The list of possible sections that can be viewed are as follows:

Section | Description
Main | All rejected data packets.
Incoming audit | All traffic to all interfaces that is destined for the firewall if Direct incoming traffic is enabled on the Networking > advanced page.

Forward audit | All traffic passing through one interface to another if Forwarded traffic is enabled on the networking > settings > advanced page.
Outgoing audit | All traffic leaving from any interface if Direct outgoing traffic is enabled on the networking > settings > advanced page.
Port forwards | All data packets from the external network that were forwarded by a port forward rule if port forward logging is enabled on the networking > firewall > port forwarding page.
SmoothRule - rejects | All data packets from the internal network zones that were rejected by an outbound access rule.
SmoothRule - stealth | All data packets from the internal network zones that were logged but not rejected by an outbound access rule.

Viewing Firewall Logs

To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update. The following columns are displayed:

Column | Description
Time | The time that the firewall event occurred.
In | The interface at which the data packet arrived.
Out | The interface at which the data packet left.
Protocol | The network protocol used by the data packet.
Source | The IP address of the data packet's sender.
Src Port | The outbound port number used by the data packet.
Dst port | The inbound port number used by the data packet.
Destination | The IP address of the data packet's intended destination.

Looking up a Source IP whois

The firewall log viewer can be used to find out more information about a selected source or destination IP by using the whois tool.

To use whois:

1 Navigate to the info > logs > firewall page.

2 Select a particular source or destination IP in the Source and Destination columns.

3 Click Lookup. A lookup is performed and the result displayed on the system > diagnostics > whois page.

Blocking a Source IP

The firewall log viewer can be used to add a selected source or destination IP to the IP block list.

To block a source IP:

1 Navigate to the info > logs > firewall page.

2 Select one or more source or destination IPs.

3 Click Add to IP block list.

The selected source and destination IPs will be automatically added to the IP block list which you can review on the networking > filtering > ip block page. See Chapter 5, Blocking by IP on page 47 for more information.

IPsec Logs

The ipsec logs page displays information on VPN tunnels.

To access IPsec logs:

1 Browse to info > logs > ipsec.

2 Choose the tunnel you are interested in by using the Tunnel name control.

3 To view the logs for all of the tunnels at once, choose ALL as the tunnel name.

4 After making a change, click Update.

Viewing and Sorting Log Entries

The following columns are displayed in the Web log region:

Column | Description
Time | The time the tunnel activity occurred.
Name | The name of the tunnel concerned.
Description | Log entries generated by the VPN system.

Log entries are displayed over a manageable number of pages. To view a particular page, click its Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous), > (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages. To sort the log entries in ascending or descending order on a particular column, click its Column title hyperlink. Clicking the currently selected column reverses the sort direction.

Exporting Logs

To export and download all log entries generated by the current settings, click Export.

Exporting all dates

To export and download all log entries generated by the current settings, for all dates available, select Export all dates, and click Export.

Email Logs

Advanced Firewall provides logs on SMTP relaying and POP3 proxying.

To access email logs:

1 Navigate to the info > logs > email page.

In the Settings area, you choose whether you want to view logs on relay email or POP3 proxy email.

Option | Select to:
Section | Choose the type of logs to view: SMTP relay logs or POP3 logs.
Month | Specify which month you wish to view logs for.
Day | Specify which day you wish to view logs for.
From address | Show only mail from a particular address.
To address | Show only email to a particular address.
Show only infected mail | Show only email that is infected with malware.
Export format | Logs can be exported in the following formats:
  Comma Separated Values: The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls): The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Portable Document Format (.pdf): The information is exported in PDF. You will need a PDF reader to view these reports.
  Raw Format: The information is exported without formatting.
  Tab Separated Value: The information is exported separated by tabs.
Export all dates | Exports the currently displayed log for all available dates.

About Status Conditions

The following status conditions may be displayed:

Status | Description
Deferred | Deferred means that the email could not be delivered and has been deferred for later delivery. Note: If the same email shows up a number of times in a row, all but one will be grayed out.
Unchecked | In the Spam column, Unchecked means that the email has been whitelisted or, for some other reason, has been excluded from being checked, or that anti-spam settings have not been enabled. In the Anti-malware column, Unchecked means that anti-malware protection is not enabled or the email has been whitelisted.

Log Filtering

Log files are automatically displayed using the default or existing filter criteria in the Settings area.

To filter log entries:

1 Adjust the filter criteria in the Settings area and click Update.

Exporting Logs

To export logs:

1 Filter the logs to show the information you want to export.

2 Select the export format and if you want to export all dates.

3 Click Export. To save the exported log, use the browser's File, Save As option.

IDS Logs

The IDS logs contain details of suspicious network activity detected by Advanced Firewall's intrusion detection system (IDS).

To view the IDS logs:

1 Navigate to the info > logs > ids page.

Advanced Firewall displays the results.

IPS Logs

The IPS logs contain details of suspicious network activity prevented by Advanced Firewall's intrusion prevention system (IPS).

To view the IPS logs:

1 Navigate to the info > logs > ips page.

Advanced Firewall displays the results.

IM Proxy Logs

The IM proxy log page displays a searchable log of instant messaging conversations and file transfers.

To view the IM proxy logs:

1 Browse to info > logs > im proxy page.

The following settings are available:

Setting | Description
Local user filter | Enter the name of a local user whose logged conversations you want to view.
Enable local user filter | Select to display conversations associated with the local user name entered.
Remote user filter | Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter | Select to display conversations associated with the remote user name entered.
Enable smilies | Select to display smilies in the conversation.
Enable links | Select to make links in the conversation clickable.
Search | Here you can enter a specific piece of text you want to search for.
Conversations | Enables you to browse conversations by instant messaging protocol, user ID and date.

Web Proxy Logs

The proxy logs contain detailed information on all Internet access made via the web proxy service. It is possible to filter the proxy logs using any combination of requesting source IP, and requested resource type and domain.

To view the web proxy logs:

1 Browse to info > logs > web proxy page.

Filtering Proxy Logs

The following filter criteria controls are available in the Settings area:

Control | Description
Month | Used to choose the month that proxy logs are displayed for.
Day | Used to choose the day that proxy logs are displayed for.
Year | Used to choose the year that proxy logs are displayed for.
Source IP | Used to display proxy logs from a specific source IP.
Ignore filter | Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests. To enable the ignore filter, Enable ignore filter must be selected.
Enable ignore filter | Used to activate the ignore filter.
Domain filter | Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not match abc.net. It is possible to include regular expressions within the filter, for example (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter | Used to activate the domain filter.

Note: To restore the default filter criteria, click Restore defaults.
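As an added example (not Smoothwall's code), the following Python reproduces the Domain filter rule: the filter is a regular expression matched at the start of the domain part of each logged URL, which gives exactly the www.abc and (www.)?abc.com results quoted above, with the Ignore filter and Source IP applied alongside it. The log entries and the ignore pattern are constructed; the last entry shows that an unescaped '.' in the filter also selects a domain such as wwwxabc.com, so the escaped form (www\.)?abc\.com is the precise one.

```python
"""Domain filter matching for web proxy log entries.

Added example (not Smoothwall code) reproducing the rule described for the
Domain filter: the filter is a regular expression matched against the start
of the domain part of the logged URL. The sample log entries, the ignore
pattern and the column layout (Time, Source IP, Website) are constructed
for this example.
"""
import re
from urllib.parse import urlsplit

# Constructed proxy log entries; the last two exist to show edge cases.
SAMPLE_PROXY_LOG = [
    ("10:01:12", "192.0.2.21", "http://www.abc.com/index.html"),
    ("10:01:15", "192.0.2.21", "http://www.abc.net/login"),
    ("10:01:20", "192.0.2.33", "http://abc.net/"),
    ("10:02:01", "192.0.2.33", "https://abc.com/account"),
    ("10:02:05", "192.0.2.40", "http://www.abc.com/logo.png"),
    ("10:02:09", "192.0.2.40", "http://wwwxabc.com/"),
]

# Assumed stand-in for the default Ignore filter, which the text describes
# as excluding image, JavaScript and CSS requests; the real default pattern
# is not given in the text.
ASSUMED_IGNORE_FILTER = r"\.(gif|jpe?g|png|js|css)(\?.*)?$"


def domain_of(url):
    """Return the host part of a URL ('' if it cannot be parsed)."""
    return urlsplit(url).hostname or ""


def filter_proxy_log(entries, domain_filter=None, ignore_filter=None,
                     source_ip=None):
    """Apply the Settings-area filters and return the matching entries.

    domain_filter: regex anchored at the START of the domain (re.match), so
                   'www.abc' matches www.abc.com and www.abc.net, not abc.net.
    ignore_filter: regex; entries whose URL matches anywhere are dropped.
    source_ip:     exact source IP to keep (None keeps every source).
    """
    domain_re = re.compile(domain_filter) if domain_filter else None
    ignore_re = re.compile(ignore_filter) if ignore_filter else None
    kept = []
    for time, src, url in entries:
        if source_ip and src != source_ip:
            continue
        if ignore_re and ignore_re.search(url):
            continue
        if domain_re and not domain_re.match(domain_of(url)):
            continue
        kept.append((time, src, url))
    return kept


def matched_domains(domain_filter, entries=SAMPLE_PROXY_LOG):
    """The distinct domains a Domain filter selects, in log order."""
    seen = []
    for _, _, url in filter_proxy_log(entries, domain_filter=domain_filter):
        d = domain_of(url)
        if d not in seen:
            seen.append(d)
    return seen


if __name__ == "__main__":
    # The two filters from the text, then the escaped form that does not
    # also select wwwxabc.com.
    for flt in ("www.abc", "(www.)?abc.com", r"(www\.)?abc\.com"):
        print(f"{flt:20s} -> {matched_domains(flt)}")
```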

ti

on

Viewing Proxy Logs

To view proxy logs:

1 Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are displayed in the Log area. The following columns are displayed:

Column | Description
Time | The time the web request was made.
Source IP | The source IP address the web request originated from.
Website | The URL of the requested web resource.

User Portal Logs

The user portal log page displays information on users who have accessed user portals.

To view user portal log activity:

1 Browse to the info > logs > user portal page.

Advanced Firewall displays the information.

Configuring Log Settings

Advanced Firewall can send logs to an external syslog server, automatically delete log files when disk space is low and set the maximum log file retention settings.

To configure logging settings:

1 Browse to the info > logs > log settings page.

2 In the Syslog logging area, select the logging you want to enable and configure the following settings:

Setting | Description
Remote syslog | To send logs to an external syslog server, select this setting.
Syslog server | If you have selected the Remote syslog option, enter the IP address of the remote syslog server.

Default retention | To set default log retention for all of the logs listed above, select one of the following settings:
  1 Day: Rotate the log file daily and keep the last day.
  2 Days: Rotate the log file daily and keep the last 2 days.
  A week: Rotate the log file weekly and keep the last week.
  2 weeks: Rotate the log file weekly and keep the last 2 weeks.
  A month: Rotate the log file monthly and keep the last month.
  2 months: Rotate the log file monthly and keep the last 2 months.
  Three months: Rotate the log file monthly and keep the last 3 months.
  Four months: Rotate the log file monthly and keep the last 4 months.
  Five months: Rotate the log file monthly and keep the last 5 months.
  Six months: Rotate the log file monthly and keep the last 6 months.
  Seven months: Rotate the log file monthly and keep the last 7 months.
  Eight months: Rotate the log file monthly and keep the last 8 months.
  Nine months: Rotate the log file monthly and keep the last 9 months.
  Ten months: Rotate the log file monthly and keep the last 10 months.
  Eleven months: Rotate the log file monthly and keep the last 11 months.
  A year: Rotate the log file monthly and keep the last 12 months.

3 Optionally, to set an individual retention period for specific logs, click Advanced and select the required retention period.

4 Click Save. Advanced Firewall will log and retain the information you have specified and, if configured, send logs to the remote syslog server.

Configuring Other Log Settings

Advanced Firewall enables you to configure retention settings for other logs.

To configure other logs:

1 Browse to the info > logs > log settings page.

Chapter 15 Information, Alerts and Logging Configuring Log Settings

In the Other logging area, configure the following settings:


Setting Default retention Description

To set default log retention for all of the logs listed in the table below, select one of the following settings:
1 Day Rotate the log file daily and keep the last day. 2 Days Rotate the log file daily and keep the last 2 days. A week Rotate the log file weekly and keep the last week. 2 weeks Rotate the log file weekly and keep the last 2 weeks. A month Rotate the log file monthly and keep the last month. 2 months Rotate the log file monthly and keep the last 2 months. Three months Rotate the log file monthly and keep the last 3 months. Four months Rotate the log file monthly and keep the last 4 months. Six months Rotate the log file monthly and keep the last 6 months. Seven months Rotate the log file monthly and keep the last 7 months. Nine months Rotate the log file monthly and keep the last 9 months. Ten months Rotate the log file monthly and keep the last 10 months. Eleven months Rotate the log file monthly and keep the last 11 months. A year Rotate the log file monthly and keep the last 12 months. Eight months Rotate the log file monthly and keep the last 8 months. Five months Rotate the log file monthly and keep the last 5 months.

3 Click Advanced to see what other logs are available and to determine if you want to set individual log retention settings.
4 Click Save. Advanced Firewall will now retain the logs as you have specified.

Managing Automatic Deletion of Logs

Advanced Firewall can be set to automatically delete log files if there is a limited amount of free disk space available.
To configure automatic log deletion:

1 Browse to the info > logs > log settings page.
2 In the Automatic log deletion area, configure the settings:

Setting: Description
Delete old logs when free space is low: Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging: From the drop-down list, select the level at which Advanced Firewall will delete logs.

3 Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has been used.

Smoothwall Advanced Firewall Administrators Guide

Configuring Groups
The groups page is used to create groups of users which can be configured to receive automated alerts and reports.

Creating Groups
To create a group of users:

1 Browse to the info > settings > groups page.
2 Configure the following settings:

Setting: Description
Group name: From the Group name drop-down list, select Empty and click Select.
Name: Enter a name for the group.

3 Click Save. Advanced Firewall creates the group.
4 In the Add user area, configure the following settings:

Setting: Description
Name: Enter a user's name.
SMS number: If required, enter the user's SMS number details.
Comment: Optionally, enter a description or comment.
Email address: If required, enter the user's email address.
Enable HTML Email: Select if you want emailed reports to be sent in HTML format.
Enabled: Select to ensure that the user will receive any reports or alerts that are sent to the group.

5 Click Add. The user's details will be added to the list of current users in the Current users region.

Editing a Group
To edit a group:

1 Browse to the info > settings > groups page.
2 Choose the group that you wish to edit using the Group name drop-down list. Click Select to display the group.
3 Make any changes to the group using the controls in the Add a user and Current users areas.

Deleting a Group
To delete a group:

1 Browse to the info > settings > groups page.
2 Select the group to be deleted using the Group name drop-down list.
3 Click Delete.

Configuring Output Settings

Reports and alerts are distributed according to Advanced Firewall's output settings. In order to send reports and alerts, Advanced Firewall must be configured to operate with mail servers and email-to-SMS gateway systems.
To access output settings:

1 Browse to the info > settings > output settings page.

About Email to SMS Output


Advanced Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway. When an email-to-SMS gateway receives an email, it extracts the information it needs, composes an SMS message and sends it. A wide variety of email-to-SMS gateway services are available; unfortunately, each has its own definition of the format in which an email should arrive. Although there are a few conventions (usually the destination SMS number is placed in the email's subject line), Advanced Firewall must be configured so that it formats email messages in the way specified by your email-to-SMS gateway service provider.

About Placeholder Tags

To allow easy configuration of message formats for different service providers, Advanced Firewall uses placeholder tags that can be incorporated into an email template. The placeholder tags available are as follows:

Placeholder: Description
%%ALERT%%: The content of the alert message.
%%SMS%%: The recipient SMS number.
%%EMAIL%%: The recipient's email address.
%%HOSTNAME%%: The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
%%DESCRIPTION%%: The description of the Advanced Firewall system (useful when using multiple firewall systems).
%%--%%: A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).

For example, if an email-to-SMS gateway requires emails to be sent to <telephone number>@sampleSMS.com, the following configuration would provide this:

%%SMS%%@sampleSMS.com

If the content of the message should be entered in the email message body, the following configuration would provide this:

%%ALERT%%

Networks with multiple Advanced Firewall systems may wish to include details of the system that generated the alert; the following examples would provide this:

%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% -%%HOSTNAME%%
%%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)

Some email-to-SMS gateways cannot process messages whose content is longer than 160 characters. Advanced Firewall can be configured to truncate messages; in this mode, all characters past position 155 are removed and the text ".. +" is appended to the message to indicate that truncation has occurred. A further complication is caused by email-to-SMS gateways that require parameters such as usernames and passwords to be set within the email's message body. In situations where truncation is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To compensate for this, insert the special %%--%% placeholder at the start of the actual message content, so that any truncation is only applied to the actual alert content.
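The following is an added worked example of the template rules just described; it is not Advanced Firewall's own code. It expands the placeholder tags, applies the 155-characters-plus-".. +" truncation rule, and honours %%--%% so that gateway parameters placed before the mark are never cut. The tag names, the cut position and the suffix come from the text above; the sample alert, phone number and gateway account name are constructed, and the decision to reject unknown tags is an assumption of this example.

```python
import re

# Placeholder tags listed on the page. Any other %%NAME%% tag is rejected.
KNOWN_TAGS = {"ALERT", "SMS", "EMAIL", "HOSTNAME", "DESCRIPTION"}
TRUNCATE_FROM = "%%--%%"      # truncation applies only to text after this mark
SMS_LIMIT = 160               # gateway limit described on the page
KEEP = 155                    # characters kept when a message is cut
TRUNCATED_SUFFIX = ".. +"     # marker appended to a cut message

_TAG = re.compile(r"%%([A-Z]+)%%")


def expand(template, values):
    """Substitute every %%NAME%% tag in `template` from `values`.

    Unknown tags raise (an assumption of this example), so a typo in a
    template fails loudly instead of sending a literal '%%ALRET%%' to the
    gateway. A known tag with no value renders as an empty string.
    """
    def replace(match):
        name = match.group(1)
        if name not in KNOWN_TAGS:
            raise ValueError(f"unknown placeholder %%{name}%%")
        return values.get(name, "")
    return _TAG.sub(replace, template)


def truncate(text):
    """Apply the page's rule: keep 155 characters and append '.. +'."""
    if len(text) <= SMS_LIMIT:
        return text
    return text[:KEEP] + TRUNCATED_SUFFIX


def render_body(body_template, values, truncate_enabled=True):
    """Render the SMS message body.

    With truncation enabled, text before %%--%% (for example a gateway
    username parameter) is never cut; only the expanded text after the mark
    is subject to the 160 character limit. Without the mark, the whole body
    is subject to it.
    """
    if TRUNCATE_FROM in body_template:
        fixed, alert_part = body_template.split(TRUNCATE_FROM, 1)
    else:
        fixed, alert_part = "", body_template
    fixed = expand(fixed, values)
    alert_part = expand(alert_part, values)
    if not truncate_enabled:
        return fixed + alert_part
    return fixed + truncate(alert_part)


def render_message(to_template, subject_template, body_template, values,
                   truncate_enabled=True):
    """Build the To:, Subject: and body of the email sent to the gateway."""
    return {
        "to": expand(to_template, values),
        "subject": expand(subject_template, values),
        "body": render_body(body_template, values, truncate_enabled),
    }


if __name__ == "__main__":
    # Constructed sample alert; the templates mirror the page's examples.
    sample = {
        "ALERT": "IDS alert: " + "x" * 200,
        "SMS": "07700900123",
        "EMAIL": "admin@example.org",
        "HOSTNAME": "fw1",
        "DESCRIPTION": "Head office firewall",
    }
    msg = render_message(
        "%%SMS%%@sampleSMS.com",
        "%%SMS%%",
        "user=gateway-account\n%%--%%%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)",
        sample,
    )
    for field, value in msg.items():
        print(f"{field}: {value}")
```

Note that the text after %%--%% is expanded before it is measured, so a long %%ALERT%% value is what gets cut, never the parameter line in front of the mark.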

Configuring Email to SMS Output

To configure Advanced Firewall's SMS settings:

1 Browse to info > settings > output settings.
2 In the Email to SMS Output System area, configure the following settings:

Setting: Description
SMTP server: Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Sender's email address field: Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
SMS to address: Specify the formatting of the email's To: address according to the format required by your service provider. This may be a regular email address, or it may require additional placeholders such as %%SMS%% to identify the destination of the SMS.
Truncate SMS messages to 160 characters: Select if you want the content of the SMS message body to be truncated to 160 characters or if your email-to-SMS gateway service provider instructs you to do so.
Enable SMTP auth: Select to use SMTP auth if required.
Username: If using SMTP auth, enter the username.
Password: If using SMTP auth, enter the password.
SMS subject line: Enter the subject line of the SMS email in the SMS subject line field as specified by your email-to-SMS service provider. This will often contain the %%SMS%% placeholder as many email-to-SMS gateways use the subject line for this purpose.
SMS message body: Enter additional parameters and the content of the alert message. If truncation is required from a particular point onwards, use the %%--%% placeholder to indicate its start position.

3 Click Save.

Testing Email to SMS Output

To test the output system:

1 In the Send test to: field, enter the cell phone number of the person who is to receive the test.
2 Click Send test.

Output to Email
To configure email settings:

1 Browse to info > settings > output settings.
2 In the SMTP (Email) Output System area, configure the following settings:

Setting: Description
SMTP server: Enter the hostname or IP address of the SMTP server to be used by Advanced Firewall.
Sender's email address: Enter the sender's email address. This would typically be a valid email address reserved and frequently checked for IT administration purposes. This might also be an email address that is registered with your email-to-SMS gateway provider.
Enable SMTP auth: Select to use SMTP auth if required.
Username: If using SMTP auth, enter the username.
Password: If using SMTP auth, enter the password.

3 Click Save.

Generating a Test Alert

To generate a test alert:

1 Configure Email to SMS output and/or SMTP (Email) output.
2 Click Generate test alert.

Chapter 16

Managing Your System

In this chapter:
  Managing system and security updates
  Managing module installations and product licensing
  Creating and restoring backup archives
  Scheduling automatic maintenance
  Producing diagnostic support files
  Managing certificates
  Shutting down and restarting Advanced Firewall
  Uploading firmware updates to Alcatel hardware
  Managing hardware failover
  How to use Advanced Firewall's network tools to perform a variety of everyday network maintenance tasks.

Managing Updates
Administrators should use Advanced Firewall's update facility whenever a new system update is released. Updates are typically released in response to evolving or theoretical security threats, as and when they are discovered. System updates may also include general product enhancements, as part of Smoothwall's commitment to continuous product improvement. Advanced Firewall must be connected to the Internet in order to discover, download and install system updates. Smoothwall's support systems are directly integrated with Advanced Firewall's system update procedure, allowing the Smoothwall support department to readily track the status of your system.

To manage updates:

1 Navigate to the system > maintenance > updates page.
2 Configure the following settings:

Setting/button: Description
Refresh update list: Click to get a list of available updates. Any updates available will be listed in the Available updates area.
Download updates: Click to download all available updates. Once downloaded, the updates are listed in the Pending updates area.
Clear download cache: Click to clear any downloaded updates stored in the cache.
Install updates: Click to install all updates in the Pending updates area immediately.
Install at this time: Enter the time at which you want to install the updates if you do not want to install them immediately and click Install at this time.

3 If the update requires a reboot, reboot the system on the system > maintenance > shutdown page.

Installing Updates Manually

The Install new update area enables you to install system updates manually.
To manually install an update:

1 Navigate to the system > maintenance > updates page and click Refresh update list.
2 In the Available updates list, locate the update and click Info. The Smoothwall updates web page opens.
3 Download the update to a suitable location.
4 On the system > maintenance > updates page, click Advanced.
5 In the Install new update area, click Browse to find and open the update.
6 Click Upload to upload and install the update file.

Managing Modules
Advanced Firewall's major system components are separated into individually installed modules. Modules can be added to extend Advanced Firewall's capabilities, or removed in order to simplify administration and reduce the theoretical risk of as yet undiscovered security threats.
Note: Modules must be registered against your Advanced Firewall serial number before they can be installed and used. For further information, please consult your Smoothwall partner or, if purchased directly, Smoothwall. Advanced Firewall must be connected to the Internet in order to install modules.
To install a module:

1 Navigate to the system > maintenance > modules page.
2 In the Available modules area, locate the module and click Install.

Note: Some module installations require a full reboot of Advanced Firewall. Please read the module description carefully prior to installation.

Installing Modules Manually

To install a module manually:

1 Navigate to the system > maintenance > modules page and click Advanced.
2 In the Upload module file area, browse to and select the module.
3 Click Upload. The module is uploaded and installed.

Removing a Module
To remove a module:

1 Navigate to the system > maintenance > modules page.
2 In the Installed modules area, locate the module and click Remove.
3 Reboot Advanced Firewall on the system > maintenance > shutdown page.

Licenses
Advanced Firewall contains information on licenses and subscriptions.
To view license information:

1 Navigate to the system > maintenance > licenses page.

Note: The information displayed depends on the Smoothwall product you are using.

Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License installation and activation is an automated process, initiated via a secure request to Smoothwall licensing servers.
To install additional licenses:

1 Navigate to the system > maintenance > licenses page.
2 Click Refresh license list. This will cause the available license information to be updated via the Internet, and any new licenses will be installed.

Note: The Subscriptions area is used to manage anti-malware signatures and blocklists used by add-on modules. For more information, see the documentation delivered with your Smoothwall add-on module.

Archives
The archives page is used to create and restore archives of system settings. Archives can be saved on removable media and used when restoring an Advanced Firewall system. They can also be used to create clones of existing systems.
Note: It is possible to automatically schedule the creation of backup archives. For further information, see Scheduling on page 304.

About Profiles
You can assign a profile to an archive, enabling you to specify which components you want backed up in a particular archive. You can create and assign up to 20 profiles and generate their archives automatically. Profiles are also used to store settings for Smoothwall replication systems. For more information, see Replication on page 307.

Creating an Archive
To create an archive:

1 Navigate to the system > maintenance > archives page.
2 Configure the following settings:

Setting: Description
Profile: To create a new profile, from the drop-down list, select Empty and click Select. To reuse or modify an existing profile, from the drop-down list select the profile and click Select.
Profile name: Enter a name for the profile.
Comment: Enter a description for the archive.
Automatic backup: Select if you want to archive settings automatically.
Settings: Select the components you want to archive or select All to select and archive all settings.
Logs: Select the log files you want to archive or select All to select and archive all logs.

3 Click Save and backup to create the archive.

Downloading an Archive
To download an archive:

1 In the Archives area, select the archive.
2 Click Download and save the archive to disk using the browser's Save as dialog box.

Restoring an Archive
To restore an archive:

1 In the Archives area, select the archive.
2 Click Restore. The archive contents are displayed.
3 Select the components in the archive that you want to restore and click Restore.

Deleting Archives
To delete an archive:

In the Archives area, select the archive and click Delete.

Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and Smoothwall modules so that they can be re-used in the current version(s).
To upload an archive:

1 In the Upload area, enter the name of the archive and click Browse.
2 Navigate to and select the archive.
3 Click Upload to upload the archive.

Scheduling
You can configure Advanced Firewall to automatically discover and download system updates, modules and license upgrades using the scheduler. You can also use the scheduler to create and remotely archive automatic backups. Other system modules can integrate with the scheduler to provide additional automated maintenance tasks.

To create a schedule of tasks:

1 Navigate to the system > maintenance > scheduler page.
2 Configure the following settings:

Setting: Description
Day: From the drop-down list, select the day of the week that the tasks will be executed.
Hour: From the drop-down list, select the time of day at which the tasks will be executed.
Check for new updates: Select to check for new system updates.
Download updates: Select to download available updates.
Check for new modules: Select to check for new modules.
Check for license upgrades: Select to discover and install license upgrades.

3 Click Save.

Scheduling Remote Archiving

Scheduled remote archiving uses SSH keys to allow it to securely copy files to a remote SSH server without the need for passwords. The use of SSH keys requires Advanced Firewall to generate a key pair which it will use to encrypt all file transfers sent to the SSH server. The SSH server must be configured to accept connections from Advanced Firewall in this manner; it requires the public half of the key pair to be installed.

To schedule remote archiving:

1 Navigate to the system > maintenance > scheduler page.
2 In the Remote archive destinations area, click Export Public Backup Key.
3 Install the public key on the remote SSH server. For details on how to do this, please consult the administrator's guide of the SSH server in use.
4 In the Remote archive destinations area, enter the following information:

Setting: Description
Name: Enter a name to identify this destination.
Username: Specify the user name of the account on the SSH server that will be used. For additional security it is recommended that this user has no additional privileges and is only allowed write access to the specified Remote path.
Remote path: Enter the path where archives are to be stored on the remote SSH server, for example: /home/mypath/ If left blank, Advanced Firewall uses the default home directory of the specified remote user.
Server: Set the IP address of the SSH server.
Port Number: Set the port number used to access the SSH server (normally port 22).
Transfer Speed Limit: Specify the maximum transfer speed when automatic archiving occurs. This control is useful for preventing the automatic remote archiving system adversely affecting the performance of other network traffic.
Comment: Enter a description of the destination.

5 Click Add.
6 Repeat the steps above to make other destinations available.
7 In the Remote archival area, enter the following information:

Setting: Description
Day: The day of the week to carry out the archive.
Hour: The hour of the day to carry out the archive.
Archive destination: From the drop-down list, select a destination as configured in the Remote archive destinations area.
Archive profile: From the drop-down list, select an archive profile as configured on the archives page.
Enabled: Select to enable the archive.
Comment: Enter a description of the archive.

8 Click Add.
9 Repeat the steps above to configure other archives for scheduled remote archiving.

Note: A local copy of the archive is also created and stored.


Editing Schedules
To edit a schedule:

In the appropriate area, select the destination or task and click Edit or Remove.

Replication
Using replication, you can configure Advanced Firewall as a replication master or a replication unit.

Configuring the Replication Master

To configure the replication master:

1 Navigate to the system > maintenance > replication page.
2 In the Master settings area, click Export Public Backup Key to generate a public key.
3 In the Master settings area, enter the following information:

Setting: Description
Enabled: Select to enable replication.
Master: Select to set this Advanced Firewall as the master. Click Save.
Export public backup key: Click to generate the backup key.
Slave IP: Enter the replication unit's IP address.
Profile: From the drop-down list, select the profile containing the replication settings you want to implement on the replication unit. See the archives page for a list of which settings can be replicated.
Comment: Enter a description for the replication unit.
Enabled: Select to enable the settings.

4 Click Add to add the replication unit to the list of current replication units.
5 Install the key on any systems you want to configure as this master's replication units. Ensure that SSH is enabled and can be contacted on the replication unit.

Note: If you reinstall your replication master using a backup image, you must create a new replication unit archive when you install the replication unit. The old replication unit archive will not work.

Configuring the Replication Unit

To configure the replication unit:

1 On your Advanced Firewall master system, on the system > maintenance > archives page, create an archive containing the replication settings you want to implement.
2 On your Advanced Firewall replication unit system, on the system > maintenance > replication page, in the Settings area, select Enabled and Slave. Click Save.
3 In the Slave settings area, click Browse and navigate to and select the archive containing the replication unit settings.
4 Click Upload and On to implement the replication unit settings.

Note: Settings are not implemented immediately. There will be a delay depending on the network load and other timing constraints.

Shutting down and Rebooting

Advanced Firewall can be shut down or restarted immediately, after a specified delay or at a predetermined time.
To shut down or reboot:

1 Browse to the system > maintenance > shutdown page.
2 Configure the following settings:

Setting: Description
Immediately: Select to shut down or reboot immediately.
Delay action for: Select to shut down or reboot after a specified length of time. From the drop-down menu, select the length of time.
At the following time: Select to shut down or reboot at a specified time. From the drop-down menu, select the hour and minute at which to shut down or reboot.

3 Click Reboot to reboot at the specified time, or click Shutdown to shut down at the specified time.

Shell Access
The web-based secure shell (SSH) remote access tool enables command line administration of the Advanced Firewall system through a web browser.
Note: In order to use this feature, SSH access must be enabled. See Chapter 16, Configuring Admin Access Options on page 314.

The browser that is connected to the Advanced Firewall system is required to have a Java Virtual Machine capability installed. For details on setting your browser up in this way, consult your browser help system.
To use the shell tool:

1 Navigate to the system > maintenance > shell page.
2 Click on the shell window once the Java applet has loaded.
3 Enter the following information:

Information: Description
User name: Enter root.
Password: Enter the root account's password.

4 Click Login. You gain access to the shell.

Setting System Preferences

The following sections discuss how to configure the user interface, time settings and a web proxy if your ISP requires you to use one.

Configuring the User Interface

Advanced Firewall can be customized in different ways, depending on how you prefer to work. The main changes that can be made are the method of displaying errors and the drop-down list navigation system. It is also possible to alter the system's description.
To configure the user interface:

1 Browse to the system > preferences > user interface page.
2 Configure the following settings:

Setting: Description
Host information: In the description field, enter a description to identify Advanced Firewall. This will be displayed in the title bar of the browser window.
Web interface:
  Enable dropdown menus: Select to enable drop-down menus in Advanced Firewall.
  Always show second tier menus: Select to always show second tier menus.
  Show information bar: Select to show information on the trail to the page you are on.
  Show the to-do list: Select to show the to-do list on the main > main > control page.
  Popup error box: Select to display error messages in a popup window.
  In-page error report: Select to display error messages on the web page.
System Control page: From the Report to show drop-down list, select the report you want displayed on the main > main > control page.
Dashboard sections: Determines what, if any, information is displayed in the System Services area on the main > main > control page.
System Summary page: From the Report to show drop-down list, select the report you want displayed on the info > reports > summary page.

3 Click Save.

Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or automatically retrieved from a local or external Network Time Protocol (NTP) server, typically located on the Internet. Advanced Firewall can also act as an NTP server itself, allowing network-wide synchronization of system clocks.
To set the time:

1 Navigate to the system > preferences > time page.
2 Configure the following settings:

Setting: Description
Timezone: From the drop-down list, select the appropriate time zone.
Time and date: To manually set the time and date, select Set and use the drop-down lists to set the time and date.
Network time retrieval: To automatically retrieve time settings:
  1 Select Enabled in the Network time retrieval area.
  2 Choose the time retrieval frequency by selecting an interval from the Interval drop-down list.
  3 Select Save time to RTC to ensure that the time is written back to the system's hardware clock (the Real-Time Clock).
  4 Choose one of the following network retrieval methods:
    Multiple random public servers: select to set the time as the average time retrieved from five random time servers.
    Selected single public server: select from the drop-down list a public time server to use to set the time.
    User defined single public or local server: enter the address of a specific local or external time server.
Network time service interfaces: Advanced Firewall can be used to synchronize the system clocks of local network hosts by providing a time service. To synchronize the network time service:
  1 Enable network time retrieval.
  2 Select each internal network interface that the network time service should be available from.

3 Click Save.

Configuring Registration Options

Advanced Firewall enables you to use an upstream registration proxy if your ISP requires you to use one, and optionally, supply information about the status of your system and web filtering statistics.
To configure registration options:

1 Navigate to the system > preferences > registration options page.
2 Configure the following settings:

Setting: Description
Upstream registration proxy:
  Server: Enter the hostname or IP address of the proxy server.
  Port: Enter the port number to use.
  Username: Enter the username provided by your ISP.
  Password: Enter the password provided by your ISP.
  Note: The upstream proxy has no bearing on Advanced Firewall proxy services.
Extended registration information: By default Advanced Firewall sends information about your system to Smoothwall when registering and updating update, licence, subscription and add-on module information. It also sends information when installing Smoothwall add-on modules. When enabled, and depending on which add-on modules are installed, the following information is sent:
  Enabled status for optional services
  The number of configured interfaces and whether they are internal or external
  Authentication service settings and the LDAP server type
  Guardian transparent mode and authentication service settings mode
  Manufacturer name and product name from dmidecode
  Main board manufacturer and main board product name from dmidecode.
  Note: No sensitive authentication information or passwords are sent.
Provide filtering feedback information: When enabled, Advanced Firewall will periodically send information about the accuracy of the web filter, listing the domains of any web sites which could not be classified. Smoothwall will take every available measure to ensure data cannot subsequently be associated with your organization and no personal information is ever sent.

3 Click Save. Advanced Firewall starts to use the configured upstream proxy and, if enabled, sends registration and/or filtering information.

Configuring the Hostname

You can configure Advanced Firewall's hostname. A hostname should usually include the name of the domain that it is within.

To change the hostname:

1 Browse to the system > preferences > hostname page.
2 Enter a new value in the Hostname field and click Save.

Note: After setting the hostname, a reboot is required before the HTTPS server will use the hostname in its Common Name field.

Configuring Administration and Access Settings


The following sections discuss administration, external access and account settings.

Configuring Admin Access Options

You can enable and disable remote access to Advanced Firewall's console via Secure Shell (SSH) and configure remote access referral checking. To access Advanced Firewall via remote SSH, the following criteria must be met:
  The host must be from a valid network zone
  The host must be from a valid source IP
  The SSH service must be enabled
  Admin access must be set to enabled
  The setup or root username and password must be known.
To use Advanced Firewall's web-based SSH shell, the host browser must have a Java Virtual Machine installed.

To permit access to the console via SSH:

1 Navigate to the system > administration > admin options page.
2 Select SSH and click Save.

Note: Terminal access to Advanced Firewall uses the non-standard port 222.

Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged-in administrator, and not some third-party web page, you can enable remote access referral checking. When enabled, administration requests are only processed if the referral URL contains the local IP address, the local hostname, or the external IP address where applicable. If the referral is not from an Advanced Firewall page, the request is ignored and reported in the general Smoothwall log file.
Note: This function prevents Advanced Firewall from being accessed remotely via a DNS or a Dynamic DNS address. To remotely manage an Advanced Firewall system via a DNS or a Dynamic DNS address, the referral URL check must be disabled.
To enable referral checking:

1 Navigate to the system > administration > admin access page.
2 Select Allow admin access only from valid referral URLs in the Remote Access area.
3 Click Save.
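As an added illustration of the check described above (example code, not Advanced Firewall's implementation), the function below accepts a configuration request only when the Referer header's host is one of the firewall's own admin addresses. It goes slightly beyond the page's wording by comparing the URL's host component whole rather than testing whether the address appears anywhere in the URL, which is the assumption this example makes about what "contains" should mean; the admin addresses, ports 81 and 441, and the log line format are constructed for the example.

```python
from urllib.parse import urlsplit


def referer_allowed(referer, local_hosts):
    """Return True only if the Referer URL's host is one of the firewall's
    own admin addresses (local IP, local hostname or external IP).

    The host component is compared whole. A URL that merely contains the
    address in its path, query or userinfo still names some other server as
    its host, so it is rejected.
    """
    if not referer:
        return False                 # no Referer: a local origin cannot be shown
    parts = urlsplit(referer.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname            # lower-cased; port, userinfo and [] removed
    if host is None:
        return False
    allowed = {h.strip().lower().strip("[]") for h in local_hosts}
    return host in allowed


def check_admin_request(headers, local_hosts):
    """Decide whether a configuration request is processed.

    Returns (accepted, log_line). Accepted requests produce no log line;
    rejected ones produce the line that would be written to the general
    log, as the page describes. Header names are taken as given here; a
    real server would look the header up case-insensitively.
    """
    referer = headers.get("Referer", "")
    if referer_allowed(referer, local_hosts):
        return True, None
    return False, f"admin request ignored: bad referral URL {referer!r}"


if __name__ == "__main__":
    # Constructed values: the addresses this firewall answers on.
    local = ["192.168.1.1", "firewall.example.org", "203.0.113.5"]
    for ref in ("https://192.168.1.1:441/cgi-bin/admin",
                "http://firewall.example.org:81/",
                "http://other.example/?next=192.168.1.1",
                ""):
        print(ref or "(no Referer)", "->", check_admin_request({"Referer": ref}, local))
```

The note on the page follows directly from this: a request made through a DNS or Dynamic DNS name carries that name as the Referer host, which is not in the local list, so the check must be disabled for that style of remote management.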


Configuring External Access


External access rules are used to determine which interfaces, services, networks and host systems can be used to administer Advanced Firewall. The default external access rule allows administrators to access and configure Advanced Firewall from any source IP that can route to the system's first (default) network interface. This default rule allows administrators to access any of the following admin services:

• SSH admin: Access to the system console using port 222. Requires SSH access to be enabled, see Configuring Admin Access Options on page 314.
• HTTP admin: Access to the web-based interface on port 81.
• HTTPS admin: Access to the web-based interface on port 441.
To enable external access:

1 Browse to the system > administration > external access page.

2 Configure the following settings:

Setting                  Description
Interface                From the drop-down list, select the interface that access is permitted from. If this is set to External, the currently active external interface will be accessible for administration purposes.
Source IP, or network    Specify individual hosts, ranges of hosts or subnet ranges of hosts that are permitted to use admin access. For a range of hosts, enter an IP address range, for example, 192.168.10.1-192.168.10.50. For a particular subnet of hosts, enter a subnet range, for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24. If no value is entered, any source IP can access the system.
Service                  Select the permitted access method.
Comment                  Enter a description for the access rule.
Enabled                  Select to activate access.

3 Click Add. The access rule is added to the Current rules table.
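The following Python is an added example, not part of the product, of how the three forms the Source IP, or network field accepts (a single host, an address range, a subnet written with a netmask or a CIDR length) can be parsed and matched, and how a table of external access rules like the one above is evaluated for a request that arrives on a given interface, from a given source, to one of the three admin ports. The rules, addresses and interface names are constructed for the example:

```python
"""Matching of the Source IP, or network field and evaluation of external access
rules, as an added example (not Smoothwall's code). Rules and addresses are constructed."""
import ipaddress

# Ports of the admin services the page lists
SERVICE_PORTS = {"SSH admin": 222, "HTTP admin": 81, "HTTPS admin": 441}


def parse_source(spec):
    """Turn the field's text into a matcher.

    Accepted forms, as on the page: a single host (192.168.10.7), a range
    (192.168.10.1-192.168.10.50), a subnet with a dotted netmask
    (192.168.10.0/255.255.255.0) or a CIDR length (192.168.10.0/24);
    an empty field means any source.
    """
    spec = spec.strip()
    if not spec:
        return ("any", None)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError("range end precedes range start: %s" % spec)
        return ("range", (lo, hi))
    if "/" in spec:
        # ip_network accepts both a dotted netmask and a prefix length;
        # strict=False tolerates host bits set in the address part.
        return ("net", ipaddress.ip_network(spec, strict=False))
    return ("host", ipaddress.ip_address(spec))


def source_matches(matcher, addr):
    """Does the source address fall inside the matcher?"""
    kind, value = matcher
    a = ipaddress.ip_address(addr)
    if kind == "any":
        return True
    if kind == "host":
        return a == value
    if kind == "range":
        return value[0] <= a <= value[1]
    return a in value  # "net"


def rule_permits(rule, interface, src_ip, port):
    """A rule permits the request only if it is enabled and the interface,
    the admin service (identified by its port) and the source all match."""
    if not rule["enabled"]:
        return False
    if rule["interface"] != interface:
        return False
    if SERVICE_PORTS.get(rule["service"]) != port:
        return False
    return source_matches(parse_source(rule["source"]), src_ip)


def access_permitted(rules, interface, src_ip, port):
    """Any matching enabled rule grants access; no match means the request is denied."""
    return any(rule_permits(r, interface, src_ip, port) for r in rules)


# Constructed rule table: a default-style rule (any source on the first interface),
# an HTTPS admin range on the external interface, and a disabled SSH subnet rule.
EXAMPLE_RULES = [
    {"interface": "Internal", "source": "", "service": "HTTPS admin",
     "comment": "default rule", "enabled": True},
    {"interface": "External", "source": "203.0.113.10-203.0.113.20", "service": "HTTPS admin",
     "comment": "management hosts", "enabled": True},
    {"interface": "External", "source": "198.51.100.0/255.255.255.0", "service": "SSH admin",
     "comment": "disabled until needed", "enabled": False},
]

if __name__ == "__main__":
    for iface, ip, port in [("Internal", "10.0.0.7", 441), ("External", "203.0.113.15", 441),
                            ("External", "203.0.113.21", 441), ("External", "198.51.100.9", 222)]:
        verdict = "permit" if access_permitted(EXAMPLE_RULES, iface, ip, port) else "deny"
        print(iface, ip, port, "->", verdict)
```

Note that a disabled rule contributes nothing, so the third rule above never opens port 222 however well the source matches; only an explicitly enabled rule grants access.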


Note: Do not remove the default external access rule; it provides access to the default internal network.

Editing and Removing External Access Rules


To edit or remove access rules, use Edit and Remove in the Current rules area.

Administrative User Settings


Advanced Firewall supports different types of administrative accounts.

To manage accounts:

1 Navigate to the system > administration > administrative users page.

2 Configure the following settings:

Setting        Description
Username       Enter a name for the user account.
Password       Enter a password. Passwords are case sensitive and must be at least six characters long.
Again          Re-enter the password to confirm it.
Permissions    Select the account permissions you want to apply to the account:
               • Administrator: Full permission to access and configure Advanced Firewall.
               • Log: Permission to view the system log files.
               • Operator: Permission to shutdown or reboot the system.
               • Portal User: Permission to access the user portal pages.
               • SMTP quarantine: Permission to access and manage the SMTP quarantine pages.
               • Realtime logs: Permission to view realtime logs.
               • Reporting system: Permission to access the reporting system.
               • Rule editor user: Permission to edit rules.
               • Temp ban: Permission to access and change temporary ban status.
               • VPN: Permission to access VPN settings.

3 Click Add to add the account.

Changing a User's Password


To set or edit a user's password:

1 Browse to the system > administration > administrative users page.

2 In the Current users area, select the user and click Edit.

3 Enter and confirm the new password in the Password and Again fields.

4 Click Add to activate the changes.

Hardware
The following sections discuss UPS, failover, modem and firmware settings.

UPS Settings
Advanced Firewall can be connected to a local Uninterruptible Power Supply (UPS) device to protect the system against power cuts. With this arrangement, local UPS status monitoring can be configured, and the system can be configured to automatically react when it detects that it is using UPS battery power. In this mode, it is also possible for Advanced Firewall to act as a UPS master, and broadcast power status messages to other appropriately configured UPS systems or devices so that they too can react to power changes.

Alternatively, Advanced Firewall can be configured as a UPS device to an appropriately configured master UPS system or device. In this mode, the status of the UPS service will be updated over the network, whenever the UPS master device alerts the Advanced Firewall system. This mode also allows Advanced Firewall to react when it is informed that UPS battery power is being used.


Enabling UPS Monitoring


To enable UPS monitoring:

1 Navigate to the system > hardware > ups page.

2 Configure the following settings:

Setting                      Description
Enable UPS monitor support   Select to enable support.
UPS connection type          Select one of the following options:
                             • Local connection: select to monitor a UPS device which is directly connected to the Advanced Firewall system. For more information, see Configuring a Local UPS Connection on page 319.
                             • Network connection: select to monitor a UPS device that is connected to the network. For more information, see Connecting to a Network UPS on page 320.

3 Click Save.

Configuring a Local UPS Connection


Once UPS monitoring is enabled and operating in Local connection mode, the appropriate local UPS settings are configured using the Local UPS Configuration area. The following controls are used to configure a local UPS connection:

Control                  Description
Select UPS type          Used to set the manufacturer, model or compatible setting for the local UPS device (refer to the UPS device's technical documentation if this is not readily known).
Select UPS COM port      Used to set the serial or USB port that the UPS device is attached to.
Select UPS cable type    Used to set the type of cable that connects to the UPS device (refer to the UPS device's technical documentation if this is not readily known).

To configure a local UPS connection:

1 Navigate to the system > hardware > ups page.

2 Choose the manufacturer, model or compatible setting for the UPS device from the Select UPS type drop-down list.

3 Choose the serial or USB port that the UPS device is attached to from the Select UPS COM port drop-down list.

4 Choose the cable type that the UPS device is attached by from the Select UPS cable type drop-down list.

5 Click Save.

Connecting to a Network UPS


Once UPS monitoring is enabled and operating in Network connection mode, the appropriate network UPS settings are configured using the Network UPS Configuration area. The following controls are used to configure a network UPS connection:

Control              Description
Master IP Address    The IP address of the 'master' UPS device.
Port                 The numeric port number of the master UPS device's network service.

To configure a network UPS connection (with Advanced Firewall acting as a UPS device):

1 Navigate to the system > hardware > ups page.

2 Enter the IP address of the UPS device into the Master IP Address field.

3 Enter the port number that the UPS device uses into the Port field.

4 Click Save.

Customizing UPS Behavior


Once UPS monitoring is enabled and an appropriate connection to a remote or local UPS device has been configured, UPS behavior can be customized. The Action to take when UPS on battery area is used for this purpose. The following controls are used to customize UPS behavior:

Control              Description
Action to take...    Provides a combination of choices that configure different logging, shutdown and continue options in the event of a switch to battery power.
Force shutdown...    Used to forcibly shutdown the system once battery power falls below a set level (between 5% and 30%). This feature will only work with UPS devices that support UPS 'Smart' mode (refer to the UPS device's technical documentation to determine if functionality is supported).

To customize UPS behavior:

1 Navigate to the system > hardware > ups page.

2 Choose what action should be taken when using battery power using the Action to take drop-down list.

3 If the UPS device operates in Smart mode, use the Force shutdown drop-down list to choose the battery power level that will trigger the Advanced Firewall system to be forcibly shutdown.

4 Click Save.

Viewing UPS Device Status


If UPS monitoring is enabled and all UPS configuration is correct, the UPS area can be used to view a variety of UPS status information. The following information fields are displayed:

Field                                        Description
Status                                       The current status of the UPS device.
UPS monitor daemon                           The current status of the system's UPS monitoring service.
Time and date of listed status information   The time of the last update.
Model                                        The model description of the UPS device.
Serial number                                The serial number of the UPS device.
Cable type                                   The UPS device's cable connection type.
Load percentage                              The current load required from the UPS as a percentage of the total UPS output capacity.
Battery charge                               The amount of charge currently stored in the UPS device's battery.
Estimated battery run time                   The estimated duration that battery power can be sustained whilst being used.
Time been on battery                         The amount of time that the UPS device has used battery power for (if currently running on battery).
Line supply voltage                          The mains voltage.
Line supply frequency                        The mains frequency.
UPS internal temperature                     The internal temperature of the UPS device.
Last reason for switching to battery         The last reason for switching to battery power.
Last time was on battery                     The last date and time that the UPS device's battery was used.
Last time came off battery                   The last date and time that the UPS device switched from battery to mains.


Acting as a UPS Master Device


Advanced Firewall can be configured to operate as a UPS master device, allowing it to connect to appropriately configured UPS devices and send them UPS status updates. UPS devices can be daisy-chained to propagate UPS status updates. This means that the system can operate as both a UPS device and a master, i.e. the system connects as a UPS device to a UPS system or device over a network and receives UPS status updates. Following each update, the system acts as a master by sending status information to its UPS devices. To act as a UPS master device, UPS monitoring must be enabled and a local or network UPS connection must be configured and working correctly. The Local UPS configuration area is then used to enter appropriate configuration settings.

To act as a UPS master:

1 Navigate to the system > hardware > ups page.

2 Enter the port number that UPS devices can connect to into the Port field.

3 Enter up to five IP addresses into the appropriate Slave IP Address fields. Each IP address should belong to a UPS device.

4 Click Save.

Managing Hardware Failover


Advanced Firewall's hardware failover enables you to configure a failover Advanced Firewall system which, in the event of hardware failure, provides all the protection and services your master Advanced Firewall usually provides.

Note: Hardware failover is not included as standard with Advanced Firewall; it must be licensed separately. Contact an authorized Smoothwall partner or visit www.smoothwall.net for more information.

How does it work?


When configured and enabled, the failover Advanced Firewall runs in a standby mode monitoring the master Advanced Firewall for a heartbeat communication. Heartbeat is the name of a suite of services and configuration options that enable two identical Advanced Firewall systems to be configured to provide hardware failover. The master periodically copies settings to the failover unit to ensure that the failover unit can provide a fully configured service if the master fails.

Note: Settings are copied intermittently and it is theoretically possible that the failover unit will be a few minutes behind configuration changes made to the master.

If the master fails, it stops responding to the failover unit's heartbeat and the failover unit therefore determines that the primary system is no longer available. This will occur somewhere between 0 seconds and the keep-alive time specified when configuring failover. The failover unit then enters a more responsive mode where it monitors the master for its revival. It remains in this mode for the length of dead time you have configured. This stage is designed principally to cope with intermittent failures within the communication system, such as a heavily loaded master.

Once the dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services which allow it to take over operations from the master. Since part of this information includes the IP addresses for each of the master interfaces, the failover unit will essentially provide a drop-in replacement and the transition will generally go unnoticed. When the master starts to respond again, be it minutes, days or weeks later, assuming that auto failback is enabled, the failover unit hands over control to the master, de-activates its configuration and services and returns to standby mode.
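The timing behaviour described above, as an added model written for this guide rather than the Heartbeat implementation itself: the failover unit leaves standby when a heartbeat is overdue by more than the keep-alive interval, watches for the master's return for the length of the dead time, takes over when the dead time expires, and hands control back on the next heartbeat when auto failback is on (or on a manual Enter standby mode when it is off). The state names, method names, and the 1 second keep-alive and 10 second dead time used in the scenario are assumptions for the example:

```python
"""Timer-driven model of the failover unit's behaviour (standby, the responsive
monitoring mode after a missed heartbeat, active, and failback). An added
illustration, not Smoothwall's heartbeat code; names and timings are assumptions."""


class FailoverUnit:
    STANDBY = "standby"    # monitoring the master for heartbeats
    SUSPECT = "suspect"    # heartbeat overdue: watching for the master's revival
    ACTIVE = "active"      # dead time expired: the unit has taken over the master's role

    def __init__(self, keep_alive, dead_time, auto_failback=True):
        self.keep_alive = float(keep_alive)   # seconds between heartbeats
        self.dead_time = float(dead_time)     # seconds to wait before taking over
        self.auto_failback = auto_failback
        self.state = self.STANDBY
        self.last_heartbeat = 0.0
        self.suspect_since = None

    def heartbeat(self, now):
        """A heartbeat arrived from the master at time `now` (seconds)."""
        self.last_heartbeat = now
        if self.state == self.SUSPECT:
            # Master answered before the dead time expired: an intermittent glitch
            self.state = self.STANDBY
            self.suspect_since = None
        elif self.state == self.ACTIVE and self.auto_failback:
            # Master is back: hand control over and return to standby
            self.state = self.STANDBY
        return self.state

    def tick(self, now):
        """Periodic timer evaluation (run at least once per keep-alive interval)."""
        if self.state == self.STANDBY and now - self.last_heartbeat > self.keep_alive:
            self.state = self.SUSPECT
            self.suspect_since = now
        elif self.state == self.SUSPECT and now - self.suspect_since >= self.dead_time:
            self.state = self.ACTIVE
        return self.state

    def enter_standby(self):
        """Manual failback: the Enter standby mode action on the failover unit."""
        self.state = self.STANDBY
        self.suspect_since = None
        return self.state


def run_scenario(events, keep_alive=1.0, dead_time=10.0, auto_failback=True):
    """Replay (time, 'hb' | 'tick') events in time order; return [(time, state), ...]."""
    unit = FailoverUnit(keep_alive, dead_time, auto_failback)
    trace = []
    for t, kind in sorted(events):
        state = unit.heartbeat(t) if kind == "hb" else unit.tick(t)
        trace.append((t, state))
    return trace


if __name__ == "__main__":
    # Constructed scenario: heartbeats each second until t=2, then the master goes
    # silent and returns at t=30. Keep-alive 1 s, dead time 10 s, auto failback on.
    events = ([(t, "hb") for t in range(3)]
              + [(t, "tick") for t in range(1, 31)]
              + [(30, "hb")])
    for t, state in run_scenario(events):
        print("t=%2d  %s" % (t, state))
```

In the scenario the unit becomes suspicious at t=4 (the first tick at which the last heartbeat is more than one keep-alive old), takes over at t=14 when the 10 second dead time has run, and returns to standby at t=30 when the master's heartbeat reappears.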

Prerequisites
The following must be in place for hardware failover to work:

• A private network consisting of only two Advanced Firewall systems connected via their heartbeat interfaces, preferably using a crossover cable
• The master and slave should both use the same types of hard disk drives, RAM, and above all the same type and number of network interface cards
• The failover unit must be plugged into all the switches the master is plugged into
• SSH must be enabled on the master, see Chapter 16, Configuring Admin Access Options on page 314 for more information.

Configuring Hardware Failover


Configuring hardware failover entails:

• On the master, specifying a network interface for the heartbeat and configuring and generating a failover archive to deploy on the failover unit
• On the failover unit, installing Advanced Firewall and deploying the failover archive.


Configuring the Master


To configure the master Advanced Firewall:

1 Navigate to the networking > interfaces > interfaces page.

2 From the Heartbeat interface drop-down list, select a network interface to use for the heartbeat communication between the master and failover unit.

Note: The master and failover unit systems are connected via their heartbeat interfaces on a private network. It is critically important that this network is not congested and suffers as little latency as is possible. For these reasons, we strongly recommend that this connection be a crossover cable. Using a crossover cable also minimizes the risk of failure, as it is possible that the switch the heartbeat interface is on could fail.

3 Click Save and Restart to save the setting and restart networking.

Note: If Advanced Firewall is connected to the Internet, you must disconnect before you can restart networking.

4 Navigate to the system > hardware > failover page.

5 Configure the following settings:

Setting                Description
Enabled                Select to enable failover.
Auto failback          Select if you want the failover unit to automatically hand back control to the master when the master starts to respond after a hardware failure. The failover unit will hand over control to the master, deactivate its configuration and services and return to standby status.
Keep-alive interval    Set the interval after which the master and failover unit communicate to ensure the master is still working. The default is 1 second. In non-congested networks, we recommend a very short interval which is undetectable in terms of system performance.
Dead time              Specify how long after the failover unit has become aware that the master is no longer responding it should wait before taking over from the master.
Master heartbeat IP    Enter an IP address for the master.
                       Note: We recommend that this network be private and only used by the master and failover units.
Slave heartbeat IP     Enter an IP address for the failover unit.
                       Note: We recommend that this network be private and only used by the master and failover units.
Netmask                Enter a netmask.
                       Note: We recommend that this network be private and only used by the master and failover units.

6 Click Save.

7 Browse to the system > maintenance > shutdown page, select Immediately and click Reboot. Wait a couple of minutes for the system to reboot and then log in again.

The next step is to generate the failover archive to deploy on the failover unit.

Generating a Failover Archive


A failover archive contains the settings required to configure the failover unit to provide hardware failover for Advanced Firewall.

To generate a failover archive:

1 Navigate to the system > hardware > failover page and configure and save the failover settings. See Configuring the Master on page 324.

2 Click Generate slave setup archive. Advanced Firewall generates the archive and prompts you to specify where to save it.

3 Save the archive on some suitable removable media accessible by the slave.

Note: The size of the failover unit archive varies depending on the Smoothwall modules installed. 50 Mbytes is an average size.

The next step is to use the archive to implement the failover settings on the failover unit.

Implementing Failover Settings on the Failover Unit


Implementing failover on the failover unit entails running the setup program and using the restore options to apply the settings.
To implement failover on the failover unit:

1 Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation and Setup Guide for more information. On the following screen:

2 Select Yes and press Enter.

3 Select the type of media the archive is stored on and press Enter. You are prompted to insert the media.

4 Insert the media and press Enter.

5 Select the archive and press Enter. The failover settings are installed.

6 When prompted, press Enter to reboot the failover unit. The failover unit will reboot and automatically enter standby mode.

Administering Failover
There are no noticeable differences between administering Advanced Firewall used as a master and one which is not used as a master. There should be little or no need to administer the failover unit on a day to day basis. However, from time to time, you will need to install updates.


Updates are not automatically applied in order to ensure that the failover unit can provide a known good system to failover to in case of any issues resulting from updates to the master.

Accessing the Failover Unit


With failover implemented, the active Advanced Firewall system is always accessed via the usual address, whether services and protection are being supplied by the master or the failover unit. When you need to access the failover unit directly, you can do so using a variation of the address for the master. For example, to access the master's update page the address would usually look as follows:
https://192.168.72.142:441/cgi-bin/admin/updates.cgi

To access the settings on the failover unit, the address would be:
https://192.168.72.142:440/cgi-bin/admin/updates.cgi

All communications with the user interface on the failover unit are via HTTPS and on port 440 instead of port 441. The address used, in the example above: 192.168.72.142, is the address of the master, as when in standby mode the failover unit has no effective presence on any of the local or remote networks.

Testing Failover
In order to test failover, you can force the master to enter standby mode.
To test failover:

1 On the master, go to the system > hardware > failover page and click Enter standby mode. After a short period of time the failover unit will take over from the master.

2 To restore operations to the master, on the active system, go to the system > hardware > failover page and click Enter standby mode. Operations will be transferred to the master.

Note: If Auto failback is enabled, rebooting the master will also return it to active service and force the failover unit into standby mode.

Manual Failback
In configurations where Auto failback is not enabled, when the failover unit is in active operation but the master system has become available again after corrective action has been taken, you can manually fail back to the master.
To manually failback:

On the failover unit, go to the system > hardware > failover page and click Enter standby mode to restore the system to normal operation.

Configuring Modems
Advanced Firewall can store up to five modem profiles.

To configure a modem profile:

1 Browse to the system > hardware > modem page.

2 Configure the following settings:

Setting                  Description
Profiles                 From the drop-down list, select Empty to create a modem profile.
Profile name             Enter a name for the modem profile.
Interface                Select the serial port that the modem is connected to.
Computer to modem rate   Select the connection speed of the modem. A standard 56K modem is usually connected at the default 115200 rate.
Modem speaker on         Select to enable audio output during the modem dialing process, if the modem has a speaker.
Dialing mode             Select the dialing mode:
                         • Tone: Select if your telephone company supports tone dialing.
                         • Pulse: Select if your telephone company supports pulse dialing.
Init                     Enter the commands required to initialize the modem.
Hangup                   Enter the commands required to end a connection.
Speaker on               Enter the commands required to turn the speaker on.
Speaker off              Enter the commands required to turn the speaker off.
Tone dial                Enter the commands required to turn tone dialing on.
Pulse dial               Enter the commands required to turn pulse dialing on.
Connect timeout          Enter the amount of time in seconds to allow the modem to attempt to connect.

3 Click Save to save your settings and create the profile.


Installing and Uploading Firmware


Advanced Firewall can upload the third-party mgmt.o file to the system. Without this file, Alcatel SpeedTouch USB ADSL modems will not work.

To upload and install the Alcatel firmware:

1 Navigate to the system > hardware > firmware upload page.

2 Click Browse adjacent to the Upload file field.

3 Use the browser's Open dialog to find and open the mgmt.o firmware update file.

4 Click Upload to upload the firmware update.

Note: Once this process has been completed, the system must be rebooted before the new firmware is activated.

Note: The 330 version of this modem also requires its own firmware update to function correctly.

Diagnostics
The following sections discuss configuration tests, diagnostics, IP tools and traffic analysis.

Configuration Tests
The configuration tests page is used to ensure that your current Advanced Firewall settings are not likely to cause problems. Components installed on your Advanced Firewall add tests to this page which, when run, highlight problem areas. For example, DNS resolution is checked, gateways are ping-ed and network routing is tested to make sure your current settings are not likely to cause problems.
To test your configuration:

1 Navigate to the system > diagnostics > configuration tests page.

2 Click Perform tests. The results are displayed in the Details area.

Note: TCP port forwards are tested by attempting to connect to the destination IP address and port. If a port forward is to a port range, the first and last addresses will be tested. If a test fails, it is classified as a timeout if the destination takes longer than 1 second to respond, or as unreachable if the test receives an error condition as a response. If a test is successful, the time taken for the destination to respond is displayed (or the average time in the case of a port range). If one or more port forwards in a range are successful and one or more other port forwards in the same range are unsuccessful, this is displayed as a warning.
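The following Python is an added example of the classification the note describes; it is not the configuration tests page's own code. probe_tcp attempts a connection with a 1 second timeout and reports ok, timeout or unreachable; check_port_forward tests a single port or the two ends of a range and summarises the outcome as pass, fail or warning together with the average response time of the successful probes. The connect function is injectable, and simulated_connect is a constructed stand-in so the example runs offline; the destination address 192.0.2.10 and the port numbers are constructed for the example:

```python
"""Classification of TCP port-forward test results as the note describes
(timeout after 1 second, unreachable on an error, time shown on success,
warning when a range is partly reachable). Added example, not Smoothwall code;
the connect function is injectable so the block can run offline."""
import socket
import time

TIMEOUT_SECONDS = 1.0  # the note's 1 second threshold


def _real_connect(host, port, timeout):
    """Attempt a real TCP connection and close it immediately."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def probe_tcp(host, port, timeout=TIMEOUT_SECONDS, connect=_real_connect):
    """Return ('ok', seconds), ('timeout', None) or ('unreachable', None)."""
    start = time.monotonic()
    try:
        connect(host, port, timeout)
    except socket.timeout:   # must precede OSError: socket.timeout is a subclass of it
        return ("timeout", None)
    except OSError:          # connection refused, no route, host unreachable, ...
        return ("unreachable", None)
    return ("ok", time.monotonic() - start)


def check_port_forward(host, first_port, last_port=None, connect=_real_connect):
    """Test a single port, or the two ends of a port range, and summarise.

    result is 'pass' (all ok), 'fail' (none ok) or 'warning' (mixed);
    average_seconds is the mean response time of the successful probes.
    """
    if last_port is None or last_port == first_port:
        ports = [first_port]
    else:
        ports = [first_port, last_port]
    outcomes = {p: probe_tcp(host, p, connect=connect) for p in ports}
    ok_times = [secs for status, secs in outcomes.values() if status == "ok"]
    if len(ok_times) == len(ports):
        result = "pass"
    elif ok_times:
        result = "warning"
    else:
        result = "fail"
    return {
        "result": result,
        "average_seconds": sum(ok_times) / len(ok_times) if ok_times else None,
        "details": {p: status for p, (status, _) in outcomes.items()},
    }


def simulated_connect(host, port, timeout):
    """Constructed stand-in for offline runs: 8080 answers, 8081 hangs, 8082 refuses."""
    if port == 8081:
        raise socket.timeout("simulated timeout after %.1fs" % timeout)
    if port == 8082:
        raise ConnectionRefusedError("simulated connection refused")


if __name__ == "__main__":
    print(check_port_forward("192.0.2.10", 8080, connect=simulated_connect))        # pass
    print(check_port_forward("192.0.2.10", 8080, 8082, connect=simulated_connect))  # warning
    print(check_port_forward("192.0.2.10", 8081, 8082, connect=simulated_connect))  # fail
```

Leaving out the connect argument makes probe_tcp open real connections from the machine running the script, so the timeout and unreachable cases then depend on the network path from that machine, not from the firewall.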

Generating Diagnostics
Advanced Firewall provides diagnostics facilities, typically used to provide Smoothwall support engineers with complete system configuration information to aid problem solving.
To generate a diagnostics file:

1 Navigate to the system > diagnostics > diagnostics page.

2 Configure the following settings:

Setting    Description
System     Select All to include all system components, or individually select the components you want to include in the diagnostics results.
Modules    Select All to include all modules, or individually select the modules you want to include in the diagnostics results.

3 Click Generate. When prompted, save the results in a suitable location for review.


IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its local networks and to hosts located externally on the Internet. There are two IP Tools:

• Ping: Ping establishes that basic connectivity to a specified host can be made. Use it to prove that Advanced Firewall can communicate with hosts on its local networks and external hosts on the Internet.
• Traceroute: Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from one system to another. A greater number of hops indicates a longer (and therefore slower) connection.

The output of these commands is as it would be if the commands were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run them from this page.

Using Ping
To use Ping:

1 Navigate to the system > diagnostics > ip tools page.

2 Select the Ping option from the Tool drop-down list.

3 Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames field.

4 Click Run. The result of the ping command is displayed.

Using Traceroute
To use Traceroute:

1 Navigate to the system > diagnostics > ip tools page.

2 Select the Traceroute option from the Tool drop-down list.

3 Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames field.

4 Click Run. The result of the traceroute command is displayed.

WhoIs
Whois is used to display ownership information for an IP address or domain name. A major use for this is to determine the source of requests appearing in the firewall or Detection System logs. This can assist in the identification of malicious hosts.

To use Whois:

1 Navigate to the system > diagnostics > whois page.

2 Enter an IP address or domain name that you wish to look up in the IP addresses or domain name field.

3 Click Run. The output of the whois command is as it would be if the command were run directly by the root user from the console of the Advanced Firewall system. It is, of course, more convenient to run it from this page.

Analyzing Network Traffic


The traffic analysis page displays detailed information on what traffic is currently on the network.
To analyze traffic:

1 Navigate to the system > diagnostics > traffic analysis page.

2 From the Interface drop-down list, select the interface.

3 From the Time to run for drop-down list, select how long to analyze the traffic.

4 Click Generate. After the time specified has elapsed, a breakdown of what ports and services have been used is presented, as well as specific information on connections made. It is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or received on web requests.

Managing CA Certificates
When Advanced Firewall's instant messenger proxy and/or Guardian are configured to intercept SSL traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them against the list of installed Certificate Authority (CA) certificates on the system > certs > ca page. The following sections describe how you can import new CA certificates, export existing CA certificates and edit the list to display a subset or all of the CA certificates available. For information on certificates used in VPNs, see Chapter 9, Virtual Private Networking on page 117.

Reviewing CA Certificates
By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs.
To review the certificates:

1 Browse to the system > certs > ca page. Advanced Firewall displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Advanced Firewall by default.

2 To review a specific certificate, click on its name. Advanced Firewall displays it. For example:

3 Click your browser's Back button to return to Advanced Firewall.

Importing CA Certificates
To import CA certificates:

1 Navigate to the system > certs > ca page and locate the Import Certificate Authority certificate area.

2 Click Browse, navigate to the certificate and select it.

3 Click the import option. Advanced Firewall imports the certificate and displays it at the bottom of the list.

Exporting CA Certificates
To export certificates:

1 On the system > certs > ca page, select the certificate.

2 From the Export format drop-down list, select one of the following options:

Option                   Description
CA certificate in PEM    Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
CA certificate in BIN    Export the certificate in a binary certificate format.

3 Click Export and save the certificate on a suitable medium.

Deleting and Restoring Certificates


You can remove built-in certificates from the list on the system > certs > ca page. You can also restore them to the list if required.
To delete certificates:

On the system > certs > ca page, select the certificate(s) and click Delete. Advanced Firewall removes the certificate(s).
To restore the built-in list:

On the system > certs > ca page, click Clear built-in deleted list. Advanced Firewall restores any built-in certificates which have been deleted from the list.


Appendix A

Authentication
In this appendix: authentication methods.

Overview
Advanced Firewall's authentication system enables the identity of internal network users to be verified, such that service permissions and restrictions can be dynamically applied according to a user's group membership.

• Identity verification: authenticate users by checking supplied identity credentials, e.g. usernames and passwords, against known user profile information.
• Identity confirmation: provide details of known authenticated users at a particular IP address.

Verifying User Identity Credentials


In order to authenticate users, Advanced Firewall must be able to verify the identity credentials, usernames and passwords, supplied by network users. Credentials are verified against the authentication system's local user database. Network users must provide their identity credentials when using an authentication-enabled service for the first time. If the credentials cannot be verified by the authentication system, i.e. a matching username and password cannot be found in the local user database, the user's identity status will be set to 'Unauthenticated'. Unauthenticated users are usually granted limited, or sometimes no, access to authentication-enabled services. A user that is authenticated can be described as being logged in.

About Authentication Mechanisms


All authentication-enabled services use the authentication system to discover what users are accessing them. Once a particular user is known, an authentication-enabled service can enforce customized permissions and restrictions. Authentication-enabled services can interact with the authentication system in the following ways:

• Passive interrogation of whether there is an already-authenticated user at a particular IP address, and if so their details
• Active provision of user-supplied identity credentials, for onward authentication.

The means by which these two types of interactions are combined and implemented defines a particular named authentication mechanism.


Appendix A Authentication Advanced Firewall and DNS

The Core Authentication Mechanism


This is a special type of authentication mechanism that uses the first interaction method exclusively, i.e. it only ever asks the authentication system whether there is a known user at a particular IP address. If the user has not been authenticated by any other authentication mechanism, the user's status is returned by the authentication system as 'Unauthenticated'.

Other Authentication Mechanisms


All other authentication mechanisms use a combination of the previously discussed interactions. Such mechanisms usually interrogate the authentication system to determine if the user at the requesting IP has already been authenticated. If the user has been authenticated, appropriate permissions and restrictions can be enforced by the requesting service. However, if the user is currently unauthenticated, the second type of interaction occurs, i.e. the requesting service pro-actively provides end-user identity credentials to the authentication system for onward authentication. It follows that such authentication mechanisms must also provide an appropriate means of collecting end-user identity credentials.

Choosing an Authentication Mechanism


As discussed in the preceding sections, all authentication-enabled services must use some kind of authentication mechanism to interact with the authentication system. Some authentication-enabled services offer no choice of mechanism; in such cases, the authentication mechanism will always be 'Core authentication'.

About the Login Time-out


The login time-out is the length of time that a user's authenticated status will last once they are authenticated. Time-out does not occur if Advanced Firewall can determine that the same user is still active, for example by seeing continued web browsing from the same user. However, if Advanced Firewall sees no activity from a particular user for the length of time specified by the time-out period, the user's authenticated status will be invalidated. The login time-out affects the load on the local system. Lower time-out values increase the frequency of re-authentication requests. A value of 10 minutes is effective for most networks. Time-out values that are too low may adversely affect system performance, resulting in failed login attempts. However, longer time-outs increase the risk of a new user at the same IP address being granted inappropriate rights if the original user fails to pro-actively log out.
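As an added illustration (this is not Smoothwall's code), the following Python models the IP-keyed login table and idle time-out described above: the active interaction (verifying supplied credentials), the passive interaction (asking who is logged in at an IP) and the expiry of idle logins. The class and function names, the constructed user database with its PBKDF2 hashes, and the rule that a passive query counts as activity are assumptions made for the example.

```python
"""Added example (not Smoothwall's code): an IP-keyed login table with an
idle time-out, modelling the login time-out behaviour described above."""
import hashlib
import hmac
import os

UNAUTHENTICATED = "Unauthenticated"


def make_record(password, salt=None):
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed local user database: username -> (salt, hash).
USERS = {
    "alice": make_record("correct horse"),
    "bob": make_record("battery staple"),
}


def check_credentials(username, password):
    """Constant-time comparison against the stored hash."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class LoginTable:
    """Maps a client IP to the user authenticated there, expiring idle entries."""

    def __init__(self, timeout_seconds=600):   # 10 minutes, the value the guide suggests
        self.timeout = timeout_seconds
        self._by_ip = {}                        # ip -> [username, last_seen]

    def login(self, ip, username, password, now):
        """Active provision: verify supplied credentials and record the login."""
        if not check_credentials(username, password):
            return UNAUTHENTICATED
        self._by_ip[ip] = [username, now]
        return username

    def whoami(self, ip, now):
        """Passive interrogation: which user, if any, is logged in at this IP.
        A query is treated as activity and resets the idle clock (an assumption)."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return UNAUTHENTICATED
        if now - entry[1] > self.timeout:
            del self._by_ip[ip]                 # idle longer than the time-out
            return UNAUTHENTICATED
        entry[1] = now
        return entry[0]

    def logout(self, ip):
        self._by_ip.pop(ip, None)


def scenario(timeout_seconds=600):
    """Activity from 10.0.0.7 every 5 minutes keeps alice logged in; a 15-minute
    silence expires her. A second person at the same IP inside the window is
    still seen as alice, which is the risk the guide warns of when nobody logs out."""
    t = LoginTable(timeout_seconds)
    seen = []
    seen.append(t.login("10.0.0.7", "alice", "wrong", 0))        # bad password
    seen.append(t.login("10.0.0.7", "alice", "correct horse", 0))
    seen.append(t.whoami("10.0.0.7", 300))                          # 5 minutes later
    seen.append(t.whoami("10.0.0.7", 600))                          # another 5 minutes
    seen.append(t.whoami("10.0.0.7", 600 + 900))                    # 15 minutes of silence
    t.login("10.0.0.7", "alice", "correct horse", 2000)
    seen.append(t.whoami("10.0.0.7", 2100))   # whoever is now at the IP is still "alice"
    t.logout("10.0.0.7")                      # an explicit log-out closes that window
    seen.append(t.whoami("10.0.0.7", 2101))
    return seen
```

The `scenario` function returns the sequence of statuses the authentication system would report; shortening `timeout_seconds` makes the idle expiry fire sooner at the cost of more re-authentication, which is the trade-off the text describes.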

Advanced Firewall and DNS


Advanced Firewall's authentication service uses internal DNS servers for name lookups. Internal DNS servers are specified using Advanced Firewall's setup program. Advanced Firewall's DNS proxy server uses external DNS servers for name lookups. External DNS servers are specified when setting up an Advanced Firewall connectivity profile. In this way, Advanced Firewall can be configured to use an internal DNS server and the internal DNS server can, in turn, be configured to use Advanced Firewall as its DNS forwarder.


Smoothwall Advanced Firewall Administrators Guide

A Common DNS Pitfall


Often Advanced Firewall is configured so that an internal DNS server is the primary DNS server and an external DNS server is the secondary DNS server. This is not the correct way to configure DNS servers on any client. DNS was designed to be able to respond to any request by redirecting questions to the DNS servers responsible for the various registered domains on the public Internet. This means the client assumes that it does not matter which DNS server it uses, as all DNS servers will have access to the same information. With the proliferation of private networks and internal DNS zones, this is no longer the case. A DNS client behaves in the following way when looking up a host:

If a reply of "host not found" is received, the client will NOT ask other DNS servers.
If a DNS server is not answering, the client will try to ask another DNS server.
The client chooses randomly between the configured DNS servers.

Taking the above conditions into account, it is clear that a DNS configuration that has an internal DNS server and an external DNS server in the configuration will not work, or at least will not work reliably. The internal DNS server that holds the Active Directory information needs to be configured so it can resolve external hostnames. The easiest way to do this is to configure the DNS server to use a forwarder, such as Advanced Firewall's DNS proxy server.
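The following Python simulation, added here and not part of the guide, reproduces the three client behaviours listed above and measures how often a lookup fails under the pitfall configuration (internal primary plus external secondary) compared with the recommended one (a single internal server that forwards to the firewall's DNS proxy). The zone contents, hostnames, addresses (RFC 5737 test ranges) and the `DnsServer` class are constructed for the example.

```python
"""Added example (not Smoothwall's code): a simulation of the resolver
behaviour described above, showing why mixing an internal and an external
DNS server on one client fails intermittently, and why an internal server
that forwards to the firewall's DNS proxy resolves everything."""
import random


class Unreachable(Exception):
    """The server did not answer at all (timeout); the client tries another."""


class DnsServer:
    def __init__(self, zones, forwarder=None, up=True):
        self.zones = zones          # {hostname: address} this server knows
        self.forwarder = forwarder  # another DnsServer to ask about unknown names
        self.up = up

    def resolve(self, name):
        if not self.up:
            raise Unreachable(name)
        if name in self.zones:
            return self.zones[name]
        if self.forwarder is not None:
            return self.forwarder.resolve(name)
        return None                 # authoritative "host not found"


def client_lookup(servers, name, rng):
    """A stub resolver: asks servers in random order, moves on only when a
    server does not answer, and gives up as soon as one says 'host not found'."""
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        try:
            return server.resolve(name)
        except Unreachable:
            continue
    return None


def failure_rate(servers, name, trials=1000, seed=1):
    rng = random.Random(seed)
    failures = sum(client_lookup(servers, name, rng) is None for _ in range(trials))
    return failures / trials


# Constructed zones: a private Active Directory zone and one public name.
INTERNAL_ZONE = {"dc1.domain.local": "10.0.0.5", "files.domain.local": "10.0.0.20"}
PUBLIC_ZONE = {"www.example.net": "198.51.100.7"}

isp_dns = DnsServer(PUBLIC_ZONE)                      # external resolver
firewall_proxy = DnsServer({}, forwarder=isp_dns)     # the firewall's DNS proxy
ad_dns_alone = DnsServer(INTERNAL_ZONE)               # internal server, no forwarder
ad_dns_forwarding = DnsServer(INTERNAL_ZONE, forwarder=firewall_proxy)


def compare():
    """Failure rates for the pitfall configuration and the recommended one."""
    mixed = [ad_dns_alone, isp_dns]          # internal primary + external secondary
    recommended = [ad_dns_forwarding]        # internal server forwarding to the proxy
    return {
        "mixed internal name": failure_rate(mixed, "dc1.domain.local"),
        "mixed public name": failure_rate(mixed, "www.example.net"),
        "forwarding internal name": failure_rate(recommended, "dc1.domain.local"),
        "forwarding public name": failure_rate(recommended, "www.example.net"),
    }


def fallback_when_down():
    """A server that does not answer is skipped, so a dead server is tolerated;
    only a definite 'host not found' stops the client asking further."""
    return client_lookup([DnsServer({}, up=False), isp_dns], "www.example.net",
                         random.Random(0))
```

With the mixed configuration roughly half of all lookups fail, for internal and public names alike, because whichever server is picked first answers "host not found" for the names it does not hold and the client stops there. With forwarding in place every lookup succeeds.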

Working with Large Directories


The Additional group search roots option enables you to specify several OUs in which to search for groups. When dealing with large directories, a search through the entire directory can take a long time and make the Advanced Firewall include groups page unwieldy to manage. Normally, a specified group search root can help in narrowing the scope of where to search for groups, but if groups are distributed in multiple OUs, one group search root may not be enough. Consider, for example, a directory with 5000 users and 2500 groups. Setting the group search root to the top level of the directory would result in an include groups page with 2500 entries. This would probably take a long time to load and be hard to get an overview of. The administrator of the Active Directory domain has 2 OUs where the groups to be mapped are located. In the group search root, the administrator enters the path for the primary OU, and in the additional group search root the second OU is entered:

User search root: dc=domain,dc=local
Group search root: ou=guardiangroups,dc=domain,dc=local
Additional group search root: ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local

The above example is for a multi domain Active Directory installation, where the second OU is in the sub-domain sub1. Remember that multiple groups can be mapped to the same Advanced Firewall permissions group.


Active Directory
The following sections describe usernames and group membership, which must be configured correctly in order to successfully implement Active Directory-based authentication.

Active Directory Username Types


A user account on a Windows 2000+ server has 2 types of username:

A Windows 2000+ username, which takes the form user@domain.local
An old style Windows NT 4 username, which has no domain attached to it.

When a Windows 2000+ domain has been migrated from a legacy Windows NT 4 domain, the Windows NT 4 style usernames are not automatically duplicated as Windows 2000+ usernames. In order for Advanced Firewall authentication to be able to successfully look up and authenticate Windows users, a Windows 2000+ username needs to be present.
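To tie the two preceding topics together (the search roots under Working with Large Directories, and the two username forms just described), here is an added Python example that is not part of Advanced Firewall: it builds an LDAP search filter for whichever username form a user supplies, escaping it per RFC 4515 so that a crafted name cannot alter the filter, and it scopes a list of group DNs to the configured search roots. The function names, the sample group DNs and the objectClass used are assumptions; the two search roots are the ones from the guide's example.

```python
"""Added example (not Smoothwall's code): a safe LDAP lookup filter for the
username forms described above, and scoping of groups to search roots."""
import re


def ldap_escape(value):
    """RFC 4515 escaping so a user-supplied name cannot change the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_filter(login):
    """Pick the directory attribute that matches the username form supplied."""
    if "@" in login:                       # Windows 2000+ UPN: user@domain.local
        attr, value = "userPrincipalName", login
    elif "\\" in login:                    # NT 4 style with domain: DOMAIN\user
        attr, value = "sAMAccountName", login.split("\\", 1)[1]
    else:                                  # bare NT 4 style name
        attr, value = "sAMAccountName", login
    return "(&(objectClass=user)(%s=%s))" % (attr, ldap_escape(value))


def dn_components(dn):
    """Split a DN on unescaped commas and normalise case and spacing."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def dn_is_under(dn, root):
    """True when dn lies strictly below root in the directory tree."""
    d, r = dn_components(dn), dn_components(root)
    return len(d) > len(r) and d[-len(r):] == r


def groups_in_scope(group_dns, search_roots):
    """Keep only the groups that one of the configured search roots covers."""
    return [g for g in group_dns if any(dn_is_under(g, r) for r in search_roots)]


# The guide's example roots, with constructed sample groups to filter.
SEARCH_ROOTS = [
    "ou=guardiangroups,dc=domain,dc=local",
    "ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local",
]
GROUPS = [
    "cn=Staff,ou=guardiangroups,dc=domain,dc=local",
    "cn=Students,ou=guardiangroups,dc=domain,dc=local",
    "cn=Sales,ou=networkgroups,ou=users,dc=sub1,dc=domain,dc=local",
    "cn=Domain Admins,cn=Users,dc=domain,dc=local",      # outside both roots
    "cn=Legacy,ou=oldgroups,dc=domain,dc=local",         # outside both roots
]
```

`user_filter` sends a UPN to `userPrincipalName` and a bare or `DOMAIN\`-prefixed name to `sAMAccountName`, so an account that only has the legacy form still resolves; the escaping matters because the username comes from the network user, not the administrator.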

Accounts and NTLM Identification


When using NTLM identification on an Active Directory server that has been set up with no pre-Windows 2000 access permissions, the server lookup user account needs to be a member of the Pre-Windows 2000 Compatible Access group. This group is normally found in the built-in OU in the Active Directory Users and Groups snap-in.


Appendix B

Understanding Templates and Reports


In this appendix: How to use custom reporting.

Programmable Drill-Down Looping Engine


The Advanced Firewall reporting system is divided into two conceptually different ideas, those of templates and reports. A template is a series of report sections and their configuration, which contains instructions for extracting and manipulating data from Advanced Firewall and producing a report by filling in the template's sections. A template is, as described above, nothing more than a structured series of sections. A report section can be considered to be similar to a building block from a construction kit or a piece from a jigsaw puzzle. It has shape and color and provides some information; however, its power is better expressed when used in combination with other blocks to build more complicated and more interesting shapes. A template in that metaphor is analogous to the instruction sheet for the building blocks: it shows how to assemble the blocks together to produce the report, which is analogous to the finished model. The act of building it takes the template and finds each of the individual blocks, retrieving data as appropriate and assembling it as the template dictates. To this extent a section has a variety of inputs and a number of outputs. These can be connected to each other where the input and output types are equivalent, in the way that jigsaw pieces can be connected if their input and output facets match.


Example Report Template

Example Report

Report Templates, Creation and Editing


Report templates are created via the Advanced Firewall custom page, which provides the ability to add, remove and manipulate the sections a template contains. The description of how to do this is covered elsewhere; however, there are a few details which allow for some level of flexibility. Each report template can be assigned an icon, name and description. The name is clearly the name of the report template as it appears in the reports section, and the description and icon options are equally obvious as to their use. The description field is actually unlimited in length and reasonably permissive in the characters it may contain. Long descriptions will be truncated in the interface for brevity; however, the full version of the description will appear under the report template's advanced options. Once a report template has been created it may be edited (including changing its name) via the edit this report link under the report icon on the reports page. Whilst editing a report template is a useful feature, there are occasions when it would be better to simply alter or manipulate an exact copy of a report template; for this purpose the edit a copy of this report option should be used. This will take a copy of all the report's options and sections whilst leaving the original report template unchanged. When editing a report template, or a copy of a report template, the preview button may be used without making changes to the existing template. Changes will only be saved to the desired report template when the create report option is used. Note again that the edit report option on the report display page (seen whilst viewing a rendered report) is analogous to the edit a copy of this report option seen from the reports page.

Viewing Reports, Exporting and Drill Down Reporting


The term reports has been made deliberately ambiguous and is now used to describe both a report and what was formerly known as a template; the terms report and report template are used in this appendix where the distinction between the two is deemed important. For the bulk of users, the distinction between what is a report and what is a report template is unimportant: each will eventually show them a set of details about what their system is doing, what it has been doing historically and where their users may have been attempting things with nefarious ends. The difference between the two is perhaps moot for the most part; however, the key difference is that a report is a combination of several things: the report template used to create it, the data which was extracted, and its interpretation.


In the building block metaphor a report template is the instructions alone, Advanced Firewall is the warehouse full of bins of pieces, and a report is the final boxed model ready for building. It has the instructions and the pieces but is still not quite ready for a user to play with. This should leave the question "so when does the model actually get built?", the answer to which is reasonably simple. The construction of a rendered report requires the following steps to be undertaken, again using the building-block metaphor:

1 Retrieve assembly instructions.
2 Collect necessary parts from the warehouse.
3 Place all the required pieces into a box along with its instructions.
4 Assemble the model and present it to the awaiting small child.

A report template provides the first stage of this process, i.e. it is the instruction sheet for building the model; executing it, i.e. generating a report, will conduct steps 2 and 3. Viewing a report is the final step in this process and renders the report data (assembles the model) according to one of the output methods, i.e. this renders the report out into HTML, PDF, Excel, CSV or other formats. These stages are always transparent to the user, but do deserve some explanation. The reports page lists the report templates, or instruction sheets. The recent and saved page shows the list of boxed models ready for assembly; clicking on a report template link or a report itself from either the reports or recent and saved pages will complete the missing steps and show the requesting user the final model.

Changing Report Formats


The reporting system provides multiple output formats. Whilst HTML output is the most commonly used, there are additional formats which might allow for further analysis or interpretation of data. The formats available are:

Adobe PDF format
Adobe PDF format (suitable for black and white printers)
Microsoft Excel format
Comma Separated Value (CSV) format
Tab Separated Value (TSV) format

Due to the nature of a report and the rendering options, changing the rendering method does not regenerate the report, only the way it is presented. Thus any saved report can be exported exactly as is, without the need to regenerate it, making the export process relatively quick in comparison to the generation process.


Changing Report Date Ranges


From the reports page, and whilst viewing a rendered report, it is possible to change the date range over which the report data is accrued. Note that this requires the regeneration of the report data afterwards.

From the reports page, clicking on either the report template name, its icon or one of the output formats shown in the bottom right will use the date range specified at the top of the page.

When viewing a report, the date controls appear at the top right of the page next to the table of contents view; the preview button here will generate a new report according to those date ranges. Note again that both these actions will generate a new report, which may be saved accordingly.

Navigating HTML Reports


The HTML rendered version of a report contains a table of contents for quick and easy navigation within the report. This table is accessed by clicking on the contents button in the top left hand corner of the report when it is being viewed. The table of contents is automatically generated and is based upon the sections contained within the report itself. Features such as feed-forward and iterative reporting are reflected as titles within the report and consequently as a level of indentation in the table of contents. At the bottom right hand of each section is a link to the top of the page (labeled top); this can be used to skip back to the top of the page, where both the table of contents and rendering format options are presented.


Interpreted Results
Some results, such as URLs or IP addresses, can present additional information which might not be apparent from the result itself. For example, IP addresses can carry whois information which would allow for greater understanding of the IP address and why it might have appeared; URLs too can contain more information than is immediately apparent from viewing the URL. To activate Advanced Firewall's advanced interpreter, simply hover the mouse over the desired result; this will produce a tool-tip which contains more information about the result. For example:

In this example, the user has used the advanced interpreter to show the result for a YouTube video. The URL in question has been truncated to show only the immediately relevant information (the protocol, domain and path), and hovering the mouse over the line in the results produces a tool-tip which not only shows the full URL and any associated parameters but has also retrieved the video title, description and thumbnail from the YouTube server. The advanced interpreter is capable of recognizing many different types of URL and will present them in an appropriate manner.

Saving Reports
Reports can be saved for viewing later if this is desired. Saving a report will stop it being subject to the 48 hour rolling deletion which tidies the reports list each day. It is also important to note that a saved report is format-less and as such can be rendered to HTML, pdf, csv etc as desired. Saved reports are listed on the recent and saved page under the reporting section, and can be viewed, deleted and reused (by means of viewing the template used to generate them) in the same manner as a recent report.

Changing the Report


Once a report has been generated, the report template used to create it is stored alongside the report data itself, and can therefore be used to produce a new report with refined options or alternative date ranges, or saved to appear on the reports page. This is achieved in numerous ways depending upon location. When viewing the recent and saved page, underneath the report's icon is a link to Edit report. This option will present the custom page with the report template used to generate this report already loaded. This report template is a copy of the actual report template used to generate the report and may be edited as desired without altering the version stored within the report itself. Whilst viewing a report there is an edit report button presented underneath the table of contents which leads to the custom page with the report template used to generate the viewed report already loaded. Note again that this is a copy of the report template and so may be manipulated as desired.

Investigating Further (Drill down)


Each report section when it is generated can present a series of related or drill down reports; these are pre-determined report templates which will allow further investigation relevant to the item in the section in question. To better illustrate this behavior, imagine a report taken from Guardian which lists the top users who have requested internet sites via the Guardian content filter. This list would present a series of usernames, suggested drill down reports might allow for a report on the actual sites visited by an individual user, the full web activity for that user and so on. This is in a way analogous to the feed-forward reporting which will be discussed later, however this is a manual process which allows for a particular result to be investigated further. Drill down reports will be stored notionally underneath the report in the recent and saved section. Related reports are presented in a variety of ways depending upon the number of options available, and the section which is being used, when a particular result has only one related report available clicking on the result itself will lead to the related report for that result. When a result has more than one related report associated with it then clicking on the result will produce a menu of the available related reports, clicking on the relevant option will result in generating the relevant related report.

Note the list of related reports is determined by the report section and cannot be altered.


Creating Template Reports and Customizing Sections

Report templates and customized sections are managed and manipulated from the custom page on your Advanced Firewall's interface. Creating templates is a matter of choosing, grouping and refining a number of sections into the correct set of instructions for Advanced Firewall's reporting engine to interpret and use to extract and manipulate data from Advanced Firewall's logs. A list of available sections is included on the custom page under the heading Available sections; existing template reports are also included in this list so that, once created, they can be included in new report templates without having to redefine them. The available sections list is structured as a simple tree, with the sections belonging to each module categorized accordingly; the templates folder at the bottom of this list includes any existing report templates for inclusion, as mentioned above. It should be noted that when a template report is included within another template report, its options and sections are copied into the template at the time of its inclusion. Subsequent modifications to the template will not update any other templates that include it. On the right of the available sections list is the included sections list, which shows a simplified form of the sections currently included in the template report being edited. This list deliberately mirrors its counterpart and denotes both the list of included sections and any groups that have been configured. Groups are shown as folders in the included sections list. To add and remove sections from the included sections list, sections can be highlighted by clicking on them and the add or remove controls used accordingly. Note that multiple sections can be added at once, and that sections can appear more than once in a template report.

Ordering Sections
Save for the caveats detailed under grouping sections, sections can be included anywhere in a report and ordered to make logical sense to the reader. To reorder a section, simply select it from the included sections list and press either move up or move down depending upon which direction you wish to move it. Note that sections cannot be moved outside of their containing folders.

Grouped Sections
Many of the underlying concepts in Advanced Firewall's reporting system are based around the notion of grouped sections. A section group is a logical construct which allows for logically connected sections to be collated together. Grouping two sections together has a number of consequences and allows advanced options such as iteration and feed-forwarding to be used. Primarily, grouping is done to allow multiple, logically similar sections to share options. For example, the Guardian web content filter module provides a number of reports which can show aspects of web browsing activity as conducted by a particular user. A Domain activity section could be configured to show the top 20 domains visited by a particular user, and a Browsing times section could be configured to show the times of day that a particular user tends to browse the internet. Both of these sections have a username field; these sections could be grouped together and share the username option, allowing it to be entered only once when the report is generated. Groups also form the basis of both iterative reports and feed-forward reports, which are simply special cases of section groups. For iterative groups, the variable to iterate over can be chosen from the options common to the grouped sections. For feed-forward groups, a section which produces results of a suitable type can be nominated, and other sections in the group will iterate over the results from that section. Groups can contain other groups, which may of course be standard groups, iterative groups or feed-forward groups. They may also contain single sections. By containing groups within groups, complicated reporting structures can be developed which allow reports to automatically drill down and produce fine grained detail from a high level overview.

Understanding Groups and Grouped Options


The first detail shown in a group is a text entry field allowing the group name to be changed; this name gives the group a title which will help with understanding the template structure, and does not bear any influence on the report creation. The second option is a drop-down list of repeat options; this is used for controlling iterative and feed-forward reporting and will be discussed in the appropriate sections. When options are grouped together they will be presented as an option in the group under a section called grouped options. They may also have a small visual indicator shown next to them in both the grouped options section and the regular options panel for each section. This indicator shows which options are grouped together and allows for them to be quickly collated together, for example if two options are given slightly different names but require the same value. The list of sections contained within the group is listed below the grouped options, each in its own collapsible section. Grouped options will be included for each section here alongside regular per-section options, with a visual indicator allowing them to be related to their grouped counterparts. Each option may be overridden by means of ticking the corresponding checkbox. An option with an override will use the value given to that option rather than the one it receives from its grouped parent; thus a group containing two sections, both of which possess a limit field (the number of items to show), can have different limits applied to them. Next to the override option is a small description denoting why the option is inherently disabled, and where the value comes from. This may be grouped, feed-forward or repeating, meaning that the value will be assigned by the parent group, the results of a feed-forward section, or one of the list provided in an iterating group. Options which are not grouped, fed forward or iterated over will be displayed using a format which is appropriate to the type of value expected. This may be any number of common user interface elements (checkboxes, select boxes, text entry fields etc.) and may provide auto-complete features to assist in finding an appropriate value. Any overridden options will also be displayed and entered in this manner and, when provided, will replace values as would be expected.

Feed-Forward Reporting
Due to the jigsaw or building block like nature of reporting sections, a particular report section may only provide part of the information which is desired, rather than the complete picture. To allow for this, the reporting template system in Advanced Firewall allows a section's results to be used as the source of options for subsequent sections. To lead by example, take the Network Interfaces and Individual Network Interfaces sections. The first can be used to show a list of all network interfaces which are configured on Advanced Firewall, or those which are configured for internal or external networking. This information provides limited details for the network interface, such as its IP address, but it does not show monthly usage statistics. The Individual Network Interfaces section can provide this information, but needs to be supplied with the name of the interface for which to provide details. These sections can be chained together using a mechanism known as feed-forward, where the results from one section are used to define the behavior of another. In this example the Network Interfaces report can produce one or more Interfaces, which is one of the options for the Individual Network Interfaces section. By chaining these two report sections together it is possible to produce a report template which will detail the configured external interface for Advanced Firewall, and then display the advanced usage and bandwidth statistics for it.

Iterative Reporting
Some report sections only deal with a limited set of data, a single group, username or IP address for example. For this reason it may be desired to repeat a section using mostly the same options, but with one particular option changed each time. For example it may be desired to see the Individual Network Interface section for several (but notably not all) of the local network interfaces. In this case it would be possible to select the local network interfaces that are desired and repeat the section once for each of the desired interfaces. Note that there is potential overlap here, and if the desired result is a list of all the local interfaces then feed-forwarding could be used instead. However, feed-forward would produce a list of all internal interfaces, as well as include the Network Interfaces report. Note that whilst it was covered first, feed-forward is actually a special case of iteration, where the list of values to be iterated over is produced as the list of answers from a particular report section.


Group Ordering
Sections within a group can be re-ordered; this notionally changes nothing other than the order in which they are included in the final report once data has been acquired. There are exceptions to this rule, however. Groups utilizing feed-forward require one of their sections to be promoted (denoted as the feeder) to a state where it provides the answers for which the other sections within that group are to be repeated. Naturally a feeder must be included before the sections it is feeding, and therefore it is removed from the normal section ordering and placed above the grouped options list in the group's display.

Grouping Sections
To group a number of sections together they should be selected from the included sections list and then grouped using the group button. Note that only sections at the same level in the included sections tree can be grouped together, although a group can contain any number of items including other groups. Similarly the ungroup command should be used to either disband a group or to remove a single item from an existing group. Ungrouping a group will disband that group, moving all its contained sections to the same level on the included sections tree that the group previously occupied, the group folder will then be removed. Ungrouping a single section will move that section up the tree to the same depth as is occupied by the group that it has just been removed from. Note, ungrouping sections will remove any properties that the group contains, and so may affect any feed-forward, iterative or grouped options.

Creating Feed-forward and Iterative Groups


Creating a group construct for use with feed-forward or iterative operations is done in the same way as creating a normal group. Note that when feed-forward is desired, the section producing results should be included in the group when it is first created; this will form the basis of the feed-forward. To create an iterative group, the desired sections should be grouped and the option which will form the basis of the iteration selected from the Repeat drop-down, which can be found immediately above the grouped options section for that group. Options which may be used in this way are included under a heading (in the drop-down menu) of based upon grouped option, and the list will contain most of the options that the grouped options section contains. When iterating over a grouped option, that option is no longer available in the group. Creating a feed-forward enabled group is done in a similar manner; however, this time under the Repeat drop-down a list of sections is included under the title using results from a section. The results returned by each section are visible under the results tab on the section in question, as well as at the bottom right hand side of the section's description in the available sections list. By choosing a section to feed-forward the results from, this section is removed from the normal flow within the group and is instead included as a feeder section. This is due to the nature of feed-forwarding reports: they must produce the list of results to iterate over prior to iterating over them. Feed-forward results pass from one variable into another; however, the variables are named in a way which makes them human readable, but not always identically, for the sake of clarity. For example, the Network ARP Table section produces a list of the interfaces which each connection is on. The result is labelled as Connected Interface and is of a type suitable for forwarding into the Individual Network Interface section. Some care should be taken when choosing sections to flow into each other; however, generally results such as username should be taken to be suitable for feeding a username field. Additional caution should be taken when considering feed-forward reports as to the volume of data produced, along with the potential workload that this would require on Advanced Firewall. For example, a report which shows the top 20 groups within an organization, the top 50 users within each of those groups and the top 100 banned URLs each of those users attempted to request is entirely possible. However, this would result in the following execution tree:

Group Activity Section
  20 x User Activity Section
    50 x URL Activity Section
      100 URLs

Hence 20 x 50 x 100 URLs, or potentially the results for a thousand users and a hundred thousand URLs. It would also require the execution and calculation of the top URLs section up to a thousand times; assuming a reasonable time period for the calculation of each, such a report would potentially take several hours to compile and be bewilderingly detailed for any person who chooses to read it.

Exporting Options

Each report section provides a list of options which define its behavior. This behavior may be defined at a later stage to make the report template truly flexible. For example, a domain activity section can take a username value to show the domains requested for a particular user which were subsequently banned. Creating a template for this information for each user within an organization is time consuming and unwieldy, to say the least. It is for this purpose that section options may be exported. In this particular example a domain activity section could be included in a report template and have its Denied status checkbox enabled. Swapping to the export tab would show a list of all the available options for this report; choosing to export the username field prior to creating the report template would mean that the username field is present for this template report on the reports tab on the Advanced Firewall main interface (info > reports > reports).

Choosing the Denied option on the export tab would again make this setting available outside of the report template (on the reports page); however, it would also have the added effect of allowing a user to turn this option off when using the template. Similarly, typing a username into the section's username option (on the options tab) allows the template report to supply a default username, which can be changed by the person using the report template.

Reporting Folders

Report templates can be arranged into a common hierarchy to allow like-purposed report templates to be kept together and alleviate some of the confusion in finding the desired template. Report templates are structured into one of the following folders on a standard Advanced Firewall installation, assuming that installation has the Guardian3 module installed:

Email
Firewall and networking
System
Trends
Users
    IP address analysis
    IP address analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
    Top IP addresses
    Top users
    User analysis
    User analysis per web content category
        Blogs
        Image and video sharing
        News
        Reference and educational
        Shopping and online auctions
        Social bookmarking
        Social networking
        Sport
        Web portals and search engines
Web content
    Category analysis
    Per category
        Blogs
            Blogger
            Blogs
            WordPress
        Image and video sharing
            Dailymotion
            Flickr
            Fotolog
            ImageShack
            ImageVenue
            YouTube
        News
            BBC News
            CNet
            CNN News
            Slashdot
        Reference and educational
            IMDB
            Wikipedia
        Shopping and online auctions
            Amazon
            Craiglists
            Ebay
            Shopping and online auctions
        Social bookmarking
            Delicious
            Digg
            Reddit
            Stumbleupon
        Social networking
            Bebo
            Facebook
            Friendster
            Hi5
            Linkedin
            Myspace
            Orkut
            Social networking
            Twitter
        Sport
            BBC Sport
            ESPN
            Sport
        Web portals and search engines
            AOL
            Google
            Search engines
            Windows Live and MSN
            Yahoo
    Site analysis
    Top categories
    Top domains
    Top URLs
    Top web searches

The destination folder for a report template can be set when creating the report template itself by means of the Location option. This option contains an indented drop-down list of available folders; report templates can be placed in any folder as desired. Folders can be created or deleted from the reports page, which is the main location to use to find report templates and report folders. It also provides the ability to rename folders and to edit and remove report templates.
Folder navigation is achieved by clicking on the folder name. A location bar is also present along the top of the reports page which allows users to navigate the folder structure. Clicking on a folder higher up in the hierarchy provides a list of alternative folders on the same level of the tree; this provides a faster means to navigate the list of available folders.

Creating a Folder
To create a folder, navigate to the appropriate location in the hierarchy and click on the create folder button next to the location bar. This creates a new folder called new folder, with the ability to rename it.

Renaming Folders
Entering the desired name into the text box that is present and clicking rename changes the name of the report folder. A new folder should be named using letters, numbers and a limited set of punctuation symbols. Note that report folder names must be unique at the same level.

Deleting Folders
Folders can be deleted from the reports page by pressing the red cross icon immediately below the folder image. Only empty folders can be deleted, so care should be taken to ensure that all report templates and other folders have been removed before deleting a folder. Note that this limitation is in place because folder and report template deletion cannot be undone; such potentially dangerous actions are therefore deliberately long winded.

Scheduling Reports
It is possible to schedule a report template to be executed at a particular time of day and repeated at desired intervals. Reports generated in this way may be saved for later use via the recent and saved reports section and/or emailed to a list of people as an HTML embedded email or plaintext email. Scheduled reports are deliberately flexible and present a full list of all report templates to be scheduled. Options exported to the reports page may also be set on a report by report basis, so it is possible, using the same web activity report template, to schedule the web activity report for the sales group for one user (the sales manager, for example) and the web activity report for the support group for another user (the support manager). Scheduled repeats allow for the automated generation of reports at specific intervals. The intervals available are:

Daily: each day at the time allocated
Weekday: each working day (Monday to Friday) at the allocated time
Weekly: every week at the allocated time on the same day of the week as the first report
Monthly: every month at the allocated time on the same day of the month as the first report

Repetition can also be disabled if it is not desirable to receive a report at regular intervals.

Scheduled reports can also be made available to particular portals using the report template's portal permissions. Since portal permissions can be configured to behave differently depending upon the portal the generating user is assigned to, it is possible to assign a specific portal for the scheduled report to be generated by.

Portal Permissions

Reports can be made available to individuals who do not have access to the Advanced Firewall administrative interface via the Advanced Firewall user portal. This is achieved via a report's, or report template's, portal permissions. There are two variations of portal permissions, which dictate exactly how a report might be used. Normal report permissions allow a user, via the portal, access to either a particular report or a particular report template. Access in this context means that they are able to generate and view the report data. Automatic access allows a user's reporting activity to be made available to other users via the portal. To clarify this: a report template generates a report when it is used. When it is generated via the portal, this report will by default only be available to the user who created it. Automatic access allows this report to be made automatically available to other users who share the author's portal, or to one or more other portals as desired. The Automatic access permission of portal is a special permission which allows a generated report to be assigned to all members of the portal belonging to the person who generated the report, regardless of which portal that user was in.

Reporting Sections
Generators and Linkers
Reporting sections can be divided into principally two types, generators and linkers.

354

Smoothwall Advanced Firewall Administrators Guide

Whilst all report sections generate results and display those results in the final rendered report, some sections generate results which are intended for use in feed-forward reports and are only really useful in that context. For example, the Guardian module provides a report section entitled Per user Client IP addresses. This section takes a Guardian username (be it derived from Active Directory or another such authentication mechanism) and shows the IP addresses that are associated with this user in the Guardian web proxy access logs. It also shows the timestamps at which these hits occurred. By this mechanism it is possible to deduce the IP address a user has been seen to use, and the time period during which they were using it. This information is informative, but only to a point. However, the results, Client IP address and Time-Period, are both filters which can be applied to other reports, reports which might not be able to associate activity with a particular username. For example, the SmoothIM module provides tracking of Instant Message conversations; however, users are unlikely to use (not to mention forbidden from using) their work usernames as their local usernames for such conversations. The SmoothIM module does, however, record the IP address used in these conversations, so using a linker section such as the one described above makes it possible to feed from a username, to an IP address, to an IM conversation.

General Sections
The bulk of Advanced Firewall's reporting sections are reasonably easy to describe and are detailed quite well by their descriptions; there are, however, several big reports which defy such description and require a more in-depth discussion. These will be covered later. Standard sections show up in the available sections list in a manner similar to the following.

This shows the section's description, title and any results that are returned for use in the system's feed-forward ability.


Network Interfaces

A list of the configured internal and external network interfaces on the system. Includes details about the hardware, configuration and recent network activity for each interface. This report section lists the interfaces available on Advanced Firewall, including any internal NIC interfaces, External NIC interfaces, modems, VLANs and VPN interfaces. The options available to this interface allow you to discriminate between Internal, External and VPN interfaces as well as the ability to show or hide any disconnected interfaces. This section returns an interface which may be passed into a report section such as the Individual network interface report section.

The Anatomy of a URL


URL processing in the Advanced Firewall reporting system is achieved via a series of mechanisms which automatically split a URL into a number of internal parameters, which are used to speed up data processing and achieve the desired results efficiently and with minimal need to understand the dynamics of how an individual web site is constructed. However, some explanation is required, as several of the more advanced features of the Guardian reports require some manipulation of the URL. An Advanced Firewall reporting URL is extracted into three distinct components: the protocol, domain and parameters.

As can be seen, a URL entered into the Advanced Firewall reporting system will be automatically highlighted in color to denote where the appropriate parts of the URL are being extracted from. URLs entered in this fashion can be complete (as in the above example) or can alternatively be partial including a combination of protocol, protocol and domain, domain and parameters or the parameters themselves.

To use a partial URL, the URL entered should be of an appropriate format depending upon the combination of parameters which is desired. Separation is effectively done from the right hand side backwards, so any URL starting with / is viewed as simply the parameters. A URL which starts with a character other than / and does not end with :// is viewed as being the domain. A URL fragment starting with characters and ending with the string :// is interpreted as a protocol. Deciphering a URL can, however, be a non-trivial task, especially due to some web sites, companies and organizations using a variety of load balancing techniques, curious URLs, subdomains and a variety of techniques which can only have been considered a good idea at the time. For example, StumbleUpon, a social bookmarking site, exists not only at the domain www.stumbleupon.com but also at stumbleupon.com, a common enough concept with regards to the absence of www. However, it also receives some of its content from cdn.stumble-upon.com and stumbleupon.stumble-upon.com. For this reason it is possible to switch the URL recognition options in the Advanced Firewall reporting system into dealing with URLs as regular expression matches rather than strict matching.

These options can be turned on individually for the protocol, domain and parameter parts of a URL; for speed and processing reasons it is advised that they be turned on for as few of the parts as possible.
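The splitting and matching rules described above, as an added example written for this guide rather than the product's own code: it parses complete and partial URLs into protocol, domain and parameters and matches a logged URL against a pattern with strict or regular expression matching switched on per part. The StumbleUpon regex and the logged URLs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReportURL:
    """The three components the reporting system extracts; None means 'not given'."""
    protocol: Optional[str]      # e.g. "http://" (kept together with its "://")
    domain: Optional[str]        # e.g. "www.stumbleupon.com"
    parameters: Optional[str]    # path and query, always starting with "/"


def split_url(text: str) -> ReportURL:
    """Split a complete or partial URL the way the guide describes.

    Text starting with "/" is parameters only; a fragment ending in "://" is a
    protocol; anything else that starts with a character other than "/" is a
    domain, optionally followed by parameters.
    """
    protocol = domain = parameters = None
    rest = text.strip()
    m = re.match(r'^([^/]*://)(.*)$', rest)      # a protocol is a run of non-"/" characters + "://"
    if m:
        protocol, rest = m.group(1), m.group(2)
    slash = rest.find('/')                        # everything from the first "/" is parameters
    if slash >= 0:
        parameters, rest = rest[slash:], rest[:slash]
    if rest:
        domain = rest
    return ReportURL(protocol, domain, parameters)


def component_matches(pattern: Optional[str], value: Optional[str], use_regex: bool) -> bool:
    """Match one URL component; a component absent from the pattern imposes no restriction."""
    if pattern is None:
        return True
    if value is None:
        return False
    if use_regex:
        return re.fullmatch(pattern, value) is not None
    return pattern == value                       # strict matching, the default


def url_matches(pattern: str, logged_url: str, *, regex_protocol: bool = False,
                regex_domain: bool = False, regex_parameters: bool = False) -> bool:
    """True when logged_url satisfies the full or partial URL pattern.

    Each part can be switched to regular expression matching on its own,
    mirroring the per-part options; the parts left strict stay cheap to compare.
    """
    pat, url = split_url(pattern), split_url(logged_url)
    return (component_matches(pat.protocol, url.protocol, regex_protocol)
            and component_matches(pat.domain, url.domain, regex_domain)
            and component_matches(pat.parameters, url.parameters, regex_parameters))


# Constructed: one regex domain covering the four StumbleUpon hostnames the guide lists
STUMBLEUPON_DOMAIN = r'(www\.|cdn\.|stumbleupon\.)?stumble-?upon\.com'

if __name__ == '__main__':
    for logged in ('http://www.stumbleupon.com/', 'http://cdn.stumble-upon.com/css/site.css',
                   'http://stumbleupon.stumble-upon.com/', 'http://www.example.com/'):
        print(logged, url_matches(STUMBLEUPON_DOMAIN, logged, regex_domain=True))
```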

HTTP Request Methods, HTTPS Interception and Man in the Middle


The nature of HTTPS interception means that, in essence, an intercepted HTTPS site should be treated no differently to a non-HTTPS site in terms of its logging; indeed, other than the protocol there is nothing to distinguish HTTP and HTTPS methodology. Guardian, however, also logs connections made to HTTPS servers where the content of that communication has not been intercepted. To differentiate between the two it is possible to set the HTTP request method (optionally along with the protocol from the domain) to catch HTTPS content which has been intercepted and that which has not. HTTPS connections start with an HTTP CONNECT request; if the connection is not being intercepted, this is the only part of the communication which is logged. If the connection is being subjected to HTTPS interception then the requests within the connection are additionally logged.

Hence, searching for methods other than CONNECT will provide results which may have been subjected to HTTPS interception. Additionally, setting the URL to include the string https:// will return only those results which have been HTTPS intercepted, as it restricts the results to those which are via the HTTPS protocol and using a request method other than CONNECT.


Guardian Status Filtering

Each URL which passes through Guardian is subjected to a level of filtering; the resulting action of that filtering is logged and can be used to filter any results within the Guardian reports. A URL may carry one or more of the following status messages: Almost blocked, Denied (or blocked), Exception, Infected or Modified. Their meanings are covered below.

Almost blocked: This denotes any result whose score for phrase analysis was between 90 and 100 (the default score over which a result is blocked). This shows content which contained a number of phrases which elevated its score, but did not quite cause the site to be blocked.

Denied: This denotes sites which were blocked by the phrase or URL filtering in the Guardian product. The reason why the page was banned can be determined by adding the include status option on those reports which support it. Note, however, that this can change the ordering of the results.

Exception: The site in question was not filtered for one of several reasons: it may be whitelisted, soft-blocked or temporarily bypassed, the client IP/group may not be subject to filtering, etc.

Infected: This shows content which was marked as being viral/malware.

Modified: Denotes content which was modified as it passed through the Guardian filter. This might be due to a security rule (such as removing JavaScript), or to enforce AUP concepts such as safe search.
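The CONNECT rule from the previous section and the status messages above, as an added example (not Guardian's own code) that classifies constructed log records and applies the status, request method and URL filters a report section offers. The record layout and the hostnames are made up for the example; Guardian's real log format is not shown in this guide.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class GuardianHit:
    """One access-log record, constructed for this example; only the fields the
    filters below need are modelled."""
    username: str
    method: str            # HTTP request method; CONNECT opens an HTTPS tunnel
    url: str
    score: int = 0         # phrase-analysis score for the page content
    denied: bool = False
    exception: bool = False
    infected: bool = False
    modified: bool = False


BLOCK_SCORE = 100          # default score over which a result is blocked
ALMOST_BLOCKED_FROM = 90   # lower bound of the "Almost blocked" band


def https_state(hit: GuardianHit) -> str:
    """'plain' for HTTP, 'tunnel' for HTTPS seen only as its CONNECT (not intercepted),
    'intercepted' for a request logged from inside an intercepted HTTPS connection."""
    if hit.method.upper() == 'CONNECT':
        return 'tunnel'
    if hit.url.lower().startswith('https://'):
        return 'intercepted'
    return 'plain'


def statuses(hit: GuardianHit) -> Set[str]:
    """Guardian status messages carried by a hit, as the guide defines them."""
    found = set()
    if hit.denied:
        found.add('Denied')
    elif ALMOST_BLOCKED_FROM <= hit.score <= BLOCK_SCORE:
        found.add('Almost blocked')
    if hit.exception:
        found.add('Exception')
    if hit.infected:
        found.add('Infected')
    if hit.modified:
        found.add('Modified')
    return found


def filter_hits(hits: List[GuardianHit], status: Optional[str] = None,
                method: Optional[str] = None, method_not: Optional[str] = None,
                url_prefix: Optional[str] = None) -> List[GuardianHit]:
    """Apply the Guardian status, HTTP request method and URL filters of a report section."""
    kept = []
    for hit in hits:
        if status is not None and status not in statuses(hit):
            continue
        if method is not None and hit.method.upper() != method.upper():
            continue
        if method_not is not None and hit.method.upper() == method_not.upper():
            continue
        if url_prefix is not None and not hit.url.lower().startswith(url_prefix.lower()):
            continue
        kept.append(hit)
    return kept


def intercepted_hits(hits: List[GuardianHit]) -> List[GuardianHit]:
    """Only HTTPS-intercepted results: https:// URLs with a method other than CONNECT,
    the combination the guide recommends."""
    return filter_hits(hits, method_not='CONNECT', url_prefix='https://')


# Constructed sample traffic (hostnames are placeholders)
HITS = [
    GuardianHit('alice', 'CONNECT', 'https://mail.example.com:443'),           # HTTPS, not intercepted
    GuardianHit('alice', 'CONNECT', 'https://shop.example.com:443'),           # tunnel for the next hit
    GuardianHit('alice', 'GET', 'https://shop.example.com/cart', score=95),    # intercepted, almost blocked
    GuardianHit('bob', 'GET', 'http://news.example.org/', modified=True),      # script stripped
    GuardianHit('bob', 'GET', 'http://bad.example.net/x', score=130, denied=True),
    GuardianHit('carol', 'POST', 'https://forum.example.com/post', score=40, infected=True),
]

if __name__ == '__main__':
    for hit in HITS:
        print(hit.username, hit.method, https_state(hit), sorted(statuses(hit)))
    print('intercepted:', [h.url for h in intercepted_hits(HITS)])
```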

Search Terms and Search Phrases


There are three facets to search term reporting on a Guardian system: discovery of search terms, filtering by search term and selecting banned search terms. Discovering and showing search terms is achieved with the search engine search strings and terms report section. This section has a few peculiarities in its options which will be covered below; however, the section is essentially designed to show the top search terms, or phrases, that have been encountered within the Guardian filtered URLs.


Search terms are denoted as being either an individual word, or the entire phrase which was searched for. For example, searching for "babylon 5" earth destroyer would be considered to be three search words, babylon 5, earth and destroyer, and one search phrase. Note that the search term reporting treats any quoted string as a single search word. Search words and phrases are assumed to be case insensitive, as the vast majority of searches are done regardless of capitalization; however, search filtering can be made case sensitive by use of the case sensitive search option under the advanced options for this report. Both search terms and phrases can optionally be considered as regular expression matches via the appropriate option under the advanced options. Search terms, unlike search phrases, can additionally be restricted to omit grammatical sugar or stop words. Words such as and, of and the are usually omitted by most search engines, and this can be taken into consideration by using the option individual (uncommon) search terms on the search term matching drop-down box. The list of common search terms is taken to be the list of words omitted by the Google search engine, which is as follows: i, a, about, an, are, as, at, be, by, com, de, en, for, from, how, in, is, it, la, of, on, or, that, the, this, to, was, what, when, where, who, will, with, und, the and www. Additional filtering options for username, group, client IP address and Guardian status are presented for this report. Note that a list of blocked search phrases can be obtained by use of the Guardian status denied option under the Guardian status options.

Filtering by Search Terms


As explained earlier, individual Guardian reports can be filtered by the search terminology they contain. For example, it is possible to show the top ten domains which contained a search request for the word badger.

This filtering is achieved by using the individual report section's Search term matching options, presented under an individual section's advanced options. Note that all search term filters operate over the search phrase rather than individual words, and can optionally be changed to use regular expression matches rather than the default mode of operation, which is strings containing this phrase. To search for blocked search terms, this filter can be used in combination with the Guardian status filters.
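The word and phrase handling of the search terms section, and the Search term matching filter just described, as one added example (not Guardian's own code): quoted strings count as one word, the common words listed in the guide can be dropped, and phrase filtering is "contains" by default with regex and case sensitivity as options. The search phrases are constructed for the example.

```python
import re
from collections import Counter
from typing import List, Tuple

# Words the guide lists as omitted by the Google search engine
COMMON_SEARCH_TERMS = frozenset(
    "i a about an are as at be by com de en for from how in is it la of on or "
    "that the this to was what when where who will with und www".split())

# a quoted string is one search word; otherwise words are split on whitespace
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def search_words(phrase: str, uncommon_only: bool = False, case_sensitive: bool = False) -> List[str]:
    """Split a search phrase into individual search words."""
    words = [quoted or bare for quoted, bare in _TOKEN.findall(phrase) if quoted or bare]
    if not case_sensitive:
        words = [w.lower() for w in words]
    if uncommon_only:       # the "individual (uncommon) search terms" setting
        words = [w for w in words if w.lower() not in COMMON_SEARCH_TERMS]
    return words


def normalise_phrase(phrase: str, case_sensitive: bool = False) -> str:
    """The whole phrase as one search term, with whitespace collapsed."""
    text = ' '.join(phrase.split())
    return text if case_sensitive else text.lower()


def phrase_matches(phrase: str, wanted: str, regex: bool = False, case_sensitive: bool = False) -> bool:
    """The Search term matching filter of a report section. It always operates on the
    whole search phrase; the default mode is 'strings containing this phrase'."""
    if regex:
        flags = 0 if case_sensitive else re.IGNORECASE
        return re.search(wanted, phrase, flags) is not None
    if case_sensitive:
        return wanted in phrase
    return wanted.lower() in phrase.lower()


def top_search_terms(phrases: List[str], mode: str = 'phrases', limit: int = 10,
                     case_sensitive: bool = False) -> List[Tuple[str, int]]:
    """Top terms as the search engine search strings and terms section counts them.
    mode is 'phrases', 'words' or 'uncommon' (the search term matching choices)."""
    counter: Counter = Counter()
    for phrase in phrases:
        if mode == 'phrases':
            counter[normalise_phrase(phrase, case_sensitive)] += 1
        else:
            counter.update(search_words(phrase, uncommon_only=(mode == 'uncommon'),
                                        case_sensitive=case_sensitive))
    return counter.most_common(limit)


# Constructed search phrases, as they might be pulled from Guardian's filtered URLs
SEARCHES = [
    '"babylon 5" earth destroyer',     # the guide's example, with its quoted term
    'Babylon 5 Earth Destroyer',
    'the best badger pictures',
    'badger of the year',
    'BADGER',
]

if __name__ == '__main__':
    print(top_search_terms(SEARCHES, mode='uncommon'))
    print([p for p in SEARCHES if phrase_matches(p, 'badger')])
```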


URL Extraction and Manipulation


The Advanced Firewall reporting system for Guardian contains an advanced reporting section called URL interpretation and reporting which allows for a sophisticated set of URL manipulations to be conducted to extract information from the Guardian logs.

This reporting section has a lot of reasonably complicated options; however, only a few of them are relevant to the discussion of its operation. Those options which are not are grayed out in the example above and will be omitted from any further discussion, as they apply the expected limitations on the search results, changing the number of results or applying any username, client IP address or group filter etc. The most important option for this report section is the URL, which in this example is a regular expression URL which refers to the BBC news web site. The protocol and domain fields in the URL in this example are reasonably straightforward: they do not contain any regular expression matches (anything in brackets) and as such will not be used for anything further in this report section. The parameters field, however, does contain two regular expression matches, the parts between the opening and closing brackets, ( ). The parts of the URL extracted by these matching parts of the URL regular expression are labelled 1 and 2 respectively, and the appropriately labelled term will be used by the Match to extract from parameters and Match to compare parameters to fields to further analyze the URL. In this example there are two matches which are extracted from the URL; if a BBC news article URL is considered:

http://news.bbc.co.uk/1/hi/technology/7878769.stm

the two matches would provide technology and 7878769 as matches. Of these two parameters, one is the section of the BBC news site this article is from; the other is the article name. The Match to extract from domain and Match to extract from parameters options present which regular expression match ($1, $2, $3 etc) to extract from the URL for the purposes of identifying unique content. In this example we can see that parameter match 2 would be used to uniquely identify this URL, being the value of 7878769, or the article number. This value is subsequently used to uniquely identify the relevant URLs before producing a list of the top matches, in this case the top news articles.
Rebuild and include example URL: As part of its drill down and feed-forward abilities, the URL extraction report section reconstitutes a probable URL for the linked material. When this option is ticked, this reconstructed URL is included in the report alongside the match.

Note that some sites, YouTube for example, can host several different URLs for the same video ID. In these cases the reconstructed URL is a potential URL that might have been used, even if it is not the actual URL that was encountered. To elaborate on this matter, both of the following URLs:

http://www.youtube.com/get_video?video_id=6rNgCnY1lPg
http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg

are for the same video, and could be matched accordingly (giving two hits for this video); however, the system would then have to construct a probable URL for the content, which would in this example reference either the .com or the .co.uk address version.

Recognise common URLs: This option allows the reporting system to recognise common URLs for known sites. This includes the ability to extract a YouTube video name from a YouTube video ID, or the ability to extract a page title from an HTML page's header. In this example we can see that the option is enabled, thus for each of the reconstituted URLs the system would retrieve the HTML (.stm) page from the BBC News web site, extract the <title> section from the page header and include it in the report.

Domain match and Parameter match: These options allow for additional information to be fed into the searching and will replace particular matches in the URL with the appropriate values. The options Match to compare domain to and Match to compare parameters to allow for values to be substituted into the appropriate URL regular expression match to further filter the URL. In the above example the Match to compare parameters to value is 1, which means that the value entered into the Parameter match box would be substituted into $1 in the URL. This would mean that entering the option technology into the Parameter match field would produce the top 50 news articles from the technology section of the BBC News web site.

Results title: This report section is feed-forward enabled and can produce a list of regular expression URLs to identify and extract matching content. However, the URL is rarely of interest to anyone viewing the resultant report, although by default it would be included as the section title for the feed-forwarded results. For this purpose it is possible to override the title used for the feed-forward sections by entering a value into the results title box. This can be straight text, or can reference one of the result's feed-forward values by means of a wildcard. In the above example we can see that %matchtitle% is used as the value, which would present the feed-forward result of matchtitle as the title for any feed-forward sections. In this case %matchtitle% would be the <title> extracted from the relevant HTML page. Alternatively, values of %domainmatch%, %parametermatch% or %url% could be used. In this manner the URL extraction section provides one of the most flexible tools for extrapolating information about particular web sites with no inbuilt understanding of the site. This means that the section can easily be tailored to accommodate new web sites, or internal web sites which may be processed by Guardian but are outside the scope of the standard templates.

In this example the URL extraction section is being used to display the top 50 video results from the YouTube site. The URL once again contains a series of regular expression matches; this time the domain also includes a series of wildcards (.*) to accommodate YouTube being hosted via multiple domains, sub-domains and TLDs.
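The URL interpretation and reporting section described above, as an added example written for this guide rather than the product's own code: it runs the BBC News and YouTube settings over constructed log URLs, numbers domain and parameter matches separately, applies the Parameter match comparison, keeps a probable example URL per result and expands the Results title wildcards. It assumes the regex URL can be split at its first "/" into domain and parameters, and takes the matchtitle value as an argument because the Recognise common URLs lookup would need network access.

```python
import re
from collections import Counter
from typing import Dict, List

# A logged URL, or the section's regex URL, split into protocol, domain and
# parameters: the domain is everything up to the first "/" after "://", so a
# regex domain must not itself contain "/" (the guide's examples do not).
_SPLIT = re.compile(r'^(?P<protocol>[^/]*://)?(?P<domain>[^/]*)(?P<parameters>/.*)?$')


def split_parts(url: str):
    m = _SPLIT.match(url)
    return (m.group('protocol') or '', m.group('domain') or '', m.group('parameters') or '')


def run_section(urls: List[str], section: Dict, limit: int = 50) -> List[Dict]:
    """Evaluate a URL interpretation and reporting section over logged URLs.

    section keys (named after the options in the guide; all but 'url' optional):
      url                  regex URL; bracketed parts of the domain and parameters are matches
      extract_domain       number of the domain match that identifies unique content
      extract_parameters   number of the parameter match that identifies unique content
      compare_domain       (match number, value): keep only URLs whose match equals value
      compare_parameters   (match number, value): the same for the parameters part
    Comparing a match against a value has the same effect as substituting the
    value into $n of the URL, which is what the Parameter match box does.
    """
    proto_rx, domain_rx, params_rx = split_parts(section['url'])
    domain_re, params_re = re.compile(domain_rx), re.compile(params_rx)
    counts: Counter = Counter()
    first_url: Dict[tuple, str] = {}
    for url in urls:
        proto, domain, params = split_parts(url)
        dm, pm = domain_re.fullmatch(domain), params_re.fullmatch(params)
        if proto != proto_rx or dm is None or pm is None:   # protocol compared literally here
            continue
        if 'compare_domain' in section:
            n, value = section['compare_domain']
            if dm.group(n) != value:
                continue
        if 'compare_parameters' in section:
            n, value = section['compare_parameters']
            if pm.group(n) != value:
                continue
        domainmatch = dm.group(section['extract_domain']) if 'extract_domain' in section else ''
        parametermatch = pm.group(section['extract_parameters']) if 'extract_parameters' in section else ''
        key = (domainmatch, parametermatch)
        counts[key] += 1
        # "Rebuild and include example URL": the first URL seen for this key stands in
        # for the probable URL the real section reconstitutes; as the guide warns for
        # YouTube's .com/.co.uk hosts, it need not be the URL every hit used.
        first_url.setdefault(key, url)
    return [{'domainmatch': k[0], 'parametermatch': k[1], 'hits': n, 'url': first_url[k]}
            for k, n in counts.most_common(limit)]


def render_title(template: str, result: Dict, matchtitle: str = '') -> str:
    """Expand the %domainmatch%, %parametermatch%, %url% and %matchtitle% wildcards
    of the Results title option; matchtitle is supplied by the caller."""
    out = template
    for name, value in (('domainmatch', result['domainmatch']),
                        ('parametermatch', result['parametermatch']),
                        ('url', result['url']), ('matchtitle', matchtitle)):
        out = out.replace('%' + name + '%', value)
    return out


# The guide's BBC News example: match 1 is the site section, match 2 the article number
BBC_SECTION = {
    'url': r'http://news.bbc.co.uk/1/hi/([^/]+)/(\d+)\.stm',
    'extract_parameters': 2,                    # the article number identifies unique content
    'compare_parameters': (1, 'technology'),    # Parameter match "technology" substituted into $1
    'results_title': '%parametermatch%',
}
# Constructed log lines: 7878769 is the article from the guide, the other numbers are made up
BBC_URLS = [
    'http://news.bbc.co.uk/1/hi/technology/7878769.stm',
    'http://news.bbc.co.uk/1/hi/technology/7878769.stm',
    'http://news.bbc.co.uk/1/hi/technology/7900001.stm',
    'http://news.bbc.co.uk/1/hi/business/7878001.stm',   # wrong section, filtered out
    'http://www.bbc.co.uk/sport/',                       # wrong domain, never matches
]

# The guide's YouTube example: (.*) wildcards in the domain absorb sub-domains and TLDs
YOUTUBE_SECTION = {
    'url': r'http://(.*)youtube\.(.*)/get_video\?video_id=([A-Za-z0-9_-]+)',
    'extract_parameters': 1,                    # the video ID
}
YOUTUBE_URLS = [
    'http://www.youtube.com/get_video?video_id=6rNgCnY1lPg',     # the two URLs from the guide...
    'http://www.youtube.co.uk/get_video?video_id=6rNgCnY1lPg',   # ...count as one video
    'http://uk.youtube.com/get_video?video_id=madeup0001',        # constructed second video
]

if __name__ == '__main__':
    for result in run_section(BBC_URLS, BBC_SECTION):
        print(result['hits'], render_title(BBC_SECTION['results_title'], result), result['url'])
    for result in run_section(YOUTUBE_URLS, YOUTUBE_SECTION):
        print(result['hits'], render_title('%parametermatch% via %url%', result))
```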

Origin Filtering
Advanced Firewall contains the ability to aggregate reports over several different machines. Several Advanced Firewalls, for example, can be used as a cluster of web content filters, or alternatively the system might be configured to receive the browsing activity from several mobile users via the MobileGuardian content filter. When these results are aggregated onto a central reporting Advanced Firewall system, they each contain a unique identifier to state where they came from. This identifier can be used to filter particular results to those that originated from a particular machine, or class of machines.

The origin filter on an Advanced Firewall report allows for the class of machine, or in some cases the individual machine, to be used to restrict the results.

Note: The list of originating systems does not include a list of individual MobileGuardian installations, as there may be several dozen or more of these.

Note: The recommended configuration for MobileGuardian installations is to have MobileGuardian derive its configuration from a specific authentication group, and so the default template reports have been constructed with that in mind. By default, MobileGuardian filtering would be achieved using a group filter for the appropriate group; however, should more advanced processing be required, the Origin filter could be used instead.

Appendix C

Troubleshooting VPNs
In this appendix: Solutions to problems with VPNs.

Site-to-site Problems
Check that it is possible to ping the IP address of the RED (Internet) NIC on both Smoothwall systems. Failure to get a ping echo would indicate one of the following:

The remote Advanced Firewall is not running
You have the wrong IP address for the remote Advanced Firewall
There is a problem at your Internet Service Provider
Advanced Firewall has ping disabled via the admin interface
There is a network connection problem; check routers, hubs and cables etc.

Verify IP addresses by checking the networking > interfaces > interfaces page for the appropriate Ethernet card.

To simplify the problem, attempt to get a connection with shared secrets before moving on to certificates. Verify the symmetry in the tunnel specification, i.e. that the IDs, IP addresses and Remote network addresses are mirrored. This is where most people make mistakes. Each node on the VPN network must have its own unique certificate. At least one field in the subject must be different. The subject is a composite of the information fields supplied when the certificate is created. Likewise, the Alt (Alternative) Name field must be unique for each certificate. Obviously, fields like company name can be common to all certificates. A different local network address must be configured at both ends of the tunnel; they cannot both use the default of 192.168.0.0. Likewise, ensure there is no conflict with another network address. Be consistent with IDs. For example:

Hosts on static IPs should use the hostname for the gateway as the ID.
Hosts on dynamic IPs should use the administrator's email address.
Road warriors should usually not use an ID, unless they are using an unusual client that requires one.

Verify with the ISP that VPN traffic is not being blocked by any firewall or router used by the ISP. Specifically, ESP mode uses IP protocol 50. AH mode uses IP protocol 50. In particular, if the tunnel goes into OPEN mode but no packets will flow between the two networks, it is possible that one of the ISPs involved is blocking the ESP or AH packets.

Check the routing information displayed in Advanced Firewall's status page; there must be a default route (gateway).

All the PCs that are to participate in the VPN need to be fully operational and visible on the network before attempting to install and configure VPN software.

L2TP Road Warrior Problems

The most likely problem with L2TP road warriors is establishing the initial IPSec transport connection. The most likely reason for a failure at this stage is an incorrect or invalid certificate. The same problems that can occur with any other type of IPSec connection can also occur with an L2TP road warrior. However, because the vast majority of parameter values are predefined, it is generally unlikely for an IPSec protocol error other than a certificate problem to occur.

First of all, verify that the correct certificate is installed using the Microsoft MMC tool. There must be a CA certificate, as well as a host certificate, present in the system. Also verify that the certificate is within its valid time window. If the certificate is newly created, and the time is set incorrectly by only an hour or so, the connection will be refused because the certificate is not valid. MMC has facilities for verifying that a host certificate is recognized as being valid.

Note that the error messages produced by the L2TP client can be somewhat strange. "Modem not responding" can mean that there was an IPSec certificate error, for instance. Check the IPSec logs first when looking for causes of problems. As a last resort, you can also enable debug logging on the Windows client.

Enabling L2TP Debugging

In a default configuration, Microsoft's L2TP client does not produce any log files. This can make diagnosing problems difficult if the logs on the Advanced Firewall gateway are not sufficient for finding the cause or causes of connection issues. To enable IPSec-level logging if you are using Windows 2000 or XP, you must create a registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley

Add a REG_DWORD value named 'EnableLogging'. Set the value to 1 to enable logging, or 0 to disable it. After changing this value, the VPN service must be restarted. From the command line:

net stop policyagent

followed by:

net start policyagent

The log file will be in the Windows system directory:

\debug\oakley.log

The following URL is Microsoft's own guide to debugging L2TP connection problems: http://support.microsoft.com/default.aspx?scid=kb;en-us;325034

Note: Smoothwall does not endorse manually editing the registry. Incorrectly altering registry values may result in registry corruption and render the computer unusable.

Windows Networking Issues

In order to facilitate network browsing under Microsoft Windows across the VPN, it is necessary to make sure both ends of the tunnel are properly configured.

For inexperienced Windows administrators, the following notes are provided to assist with configuring your network to enable network browsing across the VPN.

In small, single subnet Windows networks, network browsing is facilitated via network broadcasts. In these small networks, network neighborhood will just work without any configuration required. If a road warrior were to connect in, though, it would be unable to browse the network unless the administrator has configured the network to enable it. This is because network broadcasts do not normally cross network boundaries, such as routers and VPNs. This problem is exactly what Windows network administrators experience when connecting two or more subnets via a router. If you are familiar with setting up multiple subnets of Windows machines, then the problem to be solved is the same. In the case of road warrior connections, the details depend on the client in use. The built-in L2TP client for Windows can be configured to accept WINS and DNS server settings from the server. These parameters are configured in the Global Settings page.

For NT networks, you will require a WINS server, normally running on your PDC. This WINS server is analogous to a DNS server for the Windows machines. Each of your desktop machines and servers should be configured to use the central WINS server in its network properties box. Any road warriors connecting in should also be set to use this WINS server. If this is done, then when they are connected to the office network via the VPN, they should be able to browse the office network, attach to printers and shares, etc.

In more complex arrangements, such as two subnets of Windows machines with a VPN between the two, it is necessary to set up either one WINS server and share it between the subnets, or have one on each and configure a replicating system between the two. Again, the problem to be resolved is identical to that which the administrator would face with two normally routed networks.

Appendix D

Email Protocols

This appendix contains: General information on the SMTP and POP3 email protocols.

About SMTP

Simple Mail Transfer Protocol (SMTP) is a protocol used to send and receive email between mail servers. The protocol specifies the control messages and means of interaction that allow email to be transferred between two mail servers.

When a user sends an email, their mail client software uses SMTP to connect and transfer the email to the SMTP server listed in their account settings. Once an email has been transferred in this manner, it will continue to be transferred by successive SMTP servers until it arrives at its final destination. Each successive transfer is initiated by the SMTP server that currently holds the email.

Because every email transferred using SMTP is initiated by an SMTP client process, it is easiest to describe an email's journey to its destination from the point of view of successive SMTP clients. In this sense, the term SMTP client can be used to refer to the user's mail client software, or any intermediary SMTP server that serves to transfer the mail to another SMTP server en route.

To summarize, successive SMTP clients will act independently to transfer an email to its destination, by following these steps:

1. SMTP client finds the next SMTP server for onward mail transfer.
2. SMTP client connects to the next SMTP server.
3. SMTP client authenticates itself to the SMTP server.
4. SMTP client informs SMTP server of recipient address.
5. SMTP client transfers email to SMTP server.
6. SMTP client disconnects from SMTP server.

This process is repeated until the email arrives at its final destination. Note that step 1 (where the SMTP client finds the next SMTP server) is the only area where the behavior of a user's mail client differs from that of an SMTP server:

User's mail client: This SMTP client looks at the user's mail account settings to find the next SMTP server for onward mail transfer.

SMTP server: This SMTP client looks at the MX (Mail eXchange) record in the DNS record of the recipient domain to find the next SMTP server for onward mail transfer.

When email is transferred between one server and another, it is said to have been relayed. Mail servers usually provide additional services such as POP3 or IMAP so that mail can be downloaded or viewed by end-users.

About Mail Relay

In contrast to a fully featured mail server, a mail relay can be considered as a cut-down mail server that provides mail transfer capabilities only; it does not store mail, and hence does not provide end-users with the facility to download their mail from it. Mail relays are typically used by larger organizations to distribute a high volume of mail to a number of internal mail servers. Advanced Firewall's SMTP relay can be used exactly for this purpose.

About POP3

Post Office Protocol 3 (POP3) is a standard protocol designed for retrieving email from mail servers. All popular mail client applications support the POP3 protocol, including Eudora, Microsoft Outlook Express and Mozilla Thunderbird.

Such applications use POP3 to connect to a user's mail server and download email from their personal mailbox to their local system. Most mail clients can be configured to periodically check for email, as well as allowing users to manually request their mailbox to be checked.

Appendix E

Deploying in an Existing Email Infrastructure

This appendix discusses:
Placing Advanced Firewall in existing internal and external, self-managed SMTP server infrastructures
External mail servers that use POP3 collection.

Internal Self-Managed SMTP Server

In many networks, the email server, running via SMTP, exists internally to the protected network, usually on a demilitarized zone (DMZ). In these cases, it is common to place Advanced Firewall between the outside world and the email server, usually on or as close to the firewall or gateway as is possible.

In such situations, it is common practice for the domain name servers (DNS) to have their mail exchange (MX) records for the appropriate domain contain the IP address of the firewall. The firewall then uses a system of network translations to direct incoming email to the local SMTP server. In these scenarios, it is usually not necessary to make any changes to the existing DNS records to direct mail through Advanced Firewall. Advanced Firewall would be configured to relay mail from the firewall to the internal SMTP server.

For assistance in setting up the external DNS servers, see External Self-Managed SMTP Email Server on page 369.

External Self-Managed SMTP Email Server

In many company infrastructures, the company email server will exist on an external network, being either at a remote geographical location or a server in some form of network data centre. In these cases, it is often necessary to deliver email to Advanced Firewall and then back out to the existing network server. Since this requires a level of redirection which is not already established, it frequently mandates the alteration of the DNS MX records for a domain. A comprehensive introduction and explanation of DNS, and in particular MX records, is outside the scope of this document; however, a few simple concepts will be explained in order to make this guide easier to understand. In SMTP email delivery, the sending email process will attempt to determine where to deliver the email. Since the email address is of the form name@domain.tld, the server will perform a specialized DNS request to find the address of the server which handles email for the appropriate domain. This is known as an MX record.

Since mail servers are prone to being unavailable for periods of time, a domain may have several MX records, each given a numeric value. By default, MX records will be processed lowest numbered first. That is to say, an email will be delivered to whichever server responds correctly, starting with the one with the lowest number. Assuming that the DNS MX record for example.com currently points at 123.123.123.123, it is necessary to break this arrangement and insert Advanced Firewall before mail reaches the server 123.123.123.123. Assuming that Advanced Firewall is located at address 200.200.200.200, the primary MX record would be changed to point to 200.200.200.200. Advanced Firewall would then be configured on the email > smtp > incoming page to direct traffic for example.com to 123.123.123.123.

Tip: Since Advanced Firewall may be temporarily unavailable for one reason or another, be it as the result of a minor network glitch or something more serious, it is considered good practice to place the final destination, in this case 123.123.123.123, as a secondary or higher numbered MX record for the domain.

Where this is done, should Advanced Firewall be unavailable, email will be delivered immediately, albeit unchecked for spam and malware, to the original email server.

Note: The technique described in the tip above can be very effective; however, caution should be paid to dealing with secondary MX records.

Increasingly, spam is being directed deliberately at the secondary MX record as opposed to the primary. This is because, in many situations, the secondary MX record has less aggressive anti-spam and anti-malware measures applied to its email. Of course, to combat such mechanisms the secondary and tertiary MX records could all be routed through an Advanced Firewall-enabled system.

External Mail Server using POP3 Collection

Many external mail servers are connected to and managed via a POP3 or Post Office Protocol system. This traditionally includes most Internet Service Providers (ISPs), although it is a service increasingly offered by the web-mail based services. Advanced Firewall supports POP3 services via a system known as a transparent POP3 proxy; that is to say, any traffic originating on a local network and accessing the Internet via an enabled Advanced Firewall will have any traffic on the POP3 port, port 110, intercepted and analyzed by Advanced Firewall. In these cases, little more is required than to install Advanced Firewall somewhere in the traffic path between the client machine and the POP3 server and enable the transparent POP3 proxy. Note that due to the manner of the POP3 protocol, Advanced Firewall is only able to offer a limited array of options for unsolicited or malware-infected email. It is not possible to completely discard any such messages when processing POP3 communications in-line. Therefore, the options are limited to those that will either amend the content of the email, or, in the case of malware, strip any offending attachments or content.

Note: In some situations, a mail server, such as Microsoft Exchange, may be using POP3 for mail retrieval, since the POP3 protocol is not strictly limited to client delivery. In these scenarios, Advanced Firewall's transparent POP3 proxy would allow for email to be processed en route to the mail server.
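As an added example (not code from the guide or from Advanced Firewall), the following Python models step 1 of the SMTP client procedure from Appendix D for a relaying server, together with the MX failover arrangement described in this appendix: it parses constructed BIND-style MX lines, orders them lowest preference first, picks the first reachable host, and flags any MX host that is not a filtering gateway (the secondary-MX bypass the Note above warns about). The addresses 200.200.200.200 and 123.123.123.123 are the appendix's own; the domain names, the zone lines and the second gateway 200.200.200.201 are assumptions of this example, and nothing here performs a real DNS query.

```python
"""MX-based next-hop selection for the Appendix E scenario (added example).

Step 1 of the SMTP client procedure: a relaying server reads the recipient
domain's MX records and tries them lowest preference number first. The zone
text below is constructed for this example; no DNS lookup is performed.
"""
from collections import defaultdict

# Constructed zone data in BIND-style syntax: the arrangement recommended in
# the Tip above (Advanced Firewall as primary MX, original server as secondary),
# plus an assumed second domain whose MX hosts are all filtering gateways.
ZONE_TEXT = """
example.com.      IN MX 20 123.123.123.123
example.com.      IN MX 10 200.200.200.200
filtered.example. IN MX 10 200.200.200.200
filtered.example. IN MX 20 200.200.200.201
"""

# Hosts that scan mail for spam and malware. 200.200.200.201 is a constructed
# second gateway used only by the filtered.example case.
FILTERING_GATEWAYS = {"200.200.200.200", "200.200.200.201"}


def parse_mx(zone_text):
    """Parse 'name IN MX pref host' lines into {domain: [(pref, host), ...]}.
    Blank lines and records of other types are ignored."""
    table = defaultdict(list)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1:3] != ["IN", "MX"]:
            continue
        domain = fields[0].rstrip(".")
        table[domain].append((int(fields[3]), fields[4].rstrip(".")))
    return dict(table)


def delivery_order(domain, table):
    """MX hosts in the order a relaying SMTP server will try them:
    lowest preference number first, as this appendix describes."""
    return [host for _, host in sorted(table.get(domain, []))]


def next_hop(domain, reachable, table):
    """The first MX host that accepts a connection, or None when none do.
    'reachable' stands in for the connection attempt of step 2."""
    for host in delivery_order(domain, table):
        if host in reachable:
            return host
    return None


def unfiltered_paths(domain, table, gateways=FILTERING_GATEWAYS):
    """MX hosts that accept the domain's mail without passing through a
    filtering gateway. A non-empty list is the situation the Note above
    warns about: mail aimed at the secondary MX arrives unchecked."""
    return [h for h in delivery_order(domain, table) if h not in gateways]


def smtp_client_next_server(role, domain, reachable, table,
                            account_smtp_server=None):
    """Step 1 for both kinds of SMTP client: a user's mail client takes the
    server from its account settings, a relaying server uses the MX lookup.
    'role' is 'mail client' or 'server'."""
    if role == "mail client":
        return account_smtp_server
    return next_hop(domain, reachable, table)


if __name__ == "__main__":
    table = parse_mx(ZONE_TEXT)
    for domain in table:
        print(domain, "delivery order:", delivery_order(domain, table),
              "unfiltered:", unfiltered_paths(domain, table))
```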

Appendix F

Hosting Tutorials

In this appendix: examples of hosting using Advanced Firewall.

Basic Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0/24, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ there are two servers:

Web server .2: This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2.
Mail server .3: This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3.

To configure this scenario:

First create the external aliases:

Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3

Next, add the port forwards:

Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .3 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .3 POP3

Finally, add the source mappings:

Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Mail Server .3

Extended Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. Within the DMZ are three servers:

Web server .2: This server will have an internal IP address of 192.168.1.2 and present an external IP address of 216.1.1.2. It supports both HTTP and HTTPS.
Web server .3: This server will have an internal IP address of 192.168.1.3 and present an external IP address of 216.1.1.3. It should only be accessible to external hosts in the ranges 100.100.100.0/24 and 100.100.101.0/24.
Mail server .4: This server will have an internal IP address of 192.168.1.4 and present an external IP address of 216.1.1.4.

To configure this scenario:

First create the external aliases:

Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4

Next, add the port forwards:

Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTPS (443) | Destination port: HTTPS (443) | Comment: Web Server .2 HTTPS
Protocol: TCP | External IP: 100.100.100.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: 100.100.101.0/24 | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .4 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.1.4 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .4 POP3

Finally, add the source mappings:

Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.1.4 | Alias IP: 216.1.1.4 | Comment: Mail Server .4

More Advanced Hosting Arrangement

In this example, a DMZ has been configured with a network address of 192.168.1.0, i.e. it can support host IP addresses of 192.168.1.1 through to 192.168.1.254. A local private network, 192.168.10.0/24, contains 3 servers:

SQL Server .2: Internal IP: 192.168.10.2
Mail Server [int] .3: Internal IP: 192.168.10.3
Intranet Web Server .4: External IP: 216.1.1.4, Internal IP: 192.168.10.4, restricted users.

A DMZ network, 192.168.1.0/24, contains 5 servers:

Web Server .2: External IP: 216.1.1.2, Internal IP: 192.168.1.2, bridged to SQL Server .2.
Web Server .3: External IP: 216.1.1.3, Internal IP: 192.168.1.3.
Virtual Web Server .5: External IP: 216.1.1.5, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .6.
Virtual Web Server .6: External IP: 216.1.1.6, Internal IP: 192.168.1.5, same physical host as Virtual Web Server .5.
Mail Server [ext. out]: External IP: 216.1.1.7, Internal IP: 192.168.1.6, for outgoing mail.
Mail Server [ext. in]: External IP: 216.1.1.7, Internal IP: 192.168.1.7, relaying to Mail Server [int] .3.

To configure this scenario:

First create the external aliases:

Alias IP: 216.1.1.2 | Netmask: 255.255.255.0 | Comment: External Alias .2
Alias IP: 216.1.1.3 | Netmask: 255.255.255.0 | Comment: External Alias .3
Alias IP: 216.1.1.4 | Netmask: 255.255.255.0 | Comment: External Alias .4
Alias IP: 216.1.1.5 | Netmask: 255.255.255.0 | Comment: External Alias .5
Alias IP: 216.1.1.6 | Netmask: 255.255.255.0 | Comment: External Alias .6
Alias IP: 216.1.1.7 | Netmask: 255.255.255.0 | Comment: External Alias .7

Next, add the port forwards:

Port forwards for example 3.

Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.2 | Destination IP: 192.168.1.2 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .2 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.3 | Destination IP: 192.168.1.3 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Web Server .3 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.4 | Destination IP: 192.168.10.4 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Intranet Web Server .4 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.5 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .5 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.6 | Destination IP: 192.168.1.5 | Source port: HTTP (80) | Destination port: HTTP (80) | Comment: Virtual Web Server .6 HTTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: SMTP (25) | Destination port: SMTP (25) | Comment: Mail Server .7 SMTP
Protocol: TCP | External IP: <BLANK> | Source IP: 216.1.1.7 | Destination IP: 192.168.1.7 | Source port: POP3 (110) | Destination port: POP3 (110) | Comment: Mail Server .7 POP3

Next, add the zone bridges:

Zone bridging for example 3.

Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.2 | Destination IP: 192.168.10.2 | Destination port: User defined, 3306 | Comment: Web Server .2 to SQL Server .2
Source interface: Eth1 | Destination interface: Eth2 | Protocol: TCP | Source IP: 192.168.1.7 | Destination IP: 192.168.10.3 | Destination port: SMTP (25) | Comment: Mail Server [ext. in] .7 to Mail Server [int.] .3

Finally, add the source mappings:

Source mapping for example 3.

Source IP: 192.168.1.2 | Alias IP: 216.1.1.2 | Comment: Web Server .2
Source IP: 192.168.1.3 | Alias IP: 216.1.1.3 | Comment: Web Server .3
Source IP: 192.168.10.4 | Alias IP: 216.1.1.4 | Comment: Intranet Web Server .4
Source IP: 192.168.1.5 | Alias IP: 216.1.1.5 | Comment: Virtual Web Server .5 & .6
Source IP: 192.168.1.6 | Alias IP: 216.1.1.6 | Comment: Mail Server [ext. out] .6
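As an added example (not the guide's own code and not Advanced Firewall's behaviour), the following Python re-enters the aliases, port forwards and source mappings of the More Advanced Hosting Arrangement as plain data and runs the consistency checks a reviewer would make before applying them: every forward and mapping must reference a defined alias, no two forwards may claim the same alias, port and External IP restriction, a forward that reaches a zone other than the DMZ should carry an External IP restriction, and a source mapping should use an alias the host is actually forwarded on. The zone layout (taken from the scenario description) and the check logic are this example's assumptions; the checks apply to any table entered in the same fields, not only example 3.

```python
"""Consistency checks for an Advanced Firewall hosting configuration (added example).

Field names mirror the labels used in the tutorial tables above. The zone
layout and the checks themselves are assumptions of this example.
"""
from ipaddress import ip_address, ip_network

ZONES = {  # assumed from the scenario description above
    "DMZ": ip_network("192.168.1.0/24"),
    "private": ip_network("192.168.10.0/24"),
}
BLANK = "<BLANK>"  # no External IP restriction, as written in the tables

ALIASES = {"216.1.1.2", "216.1.1.3", "216.1.1.4",
           "216.1.1.5", "216.1.1.6", "216.1.1.7"}

# (External IP, Source IP, Destination IP, port, Comment), from example 3
FORWARDS = [
    (BLANK, "216.1.1.2", "192.168.1.2", 80, "Web Server .2 HTTP"),
    (BLANK, "216.1.1.3", "192.168.1.3", 80, "Web Server .3 HTTP"),
    (BLANK, "216.1.1.4", "192.168.10.4", 80, "Intranet Web Server .4 HTTP"),
    (BLANK, "216.1.1.5", "192.168.1.5", 80, "Virtual Web Server .5 HTTP"),
    (BLANK, "216.1.1.6", "192.168.1.5", 80, "Virtual Web Server .6 HTTP"),
    (BLANK, "216.1.1.7", "192.168.1.7", 25, "Mail Server .7 SMTP"),
    (BLANK, "216.1.1.7", "192.168.1.7", 110, "Mail Server .7 POP3"),
]

# (Source IP, Alias IP, Comment), from example 3
MAPPINGS = [
    ("192.168.1.2", "216.1.1.2", "Web Server .2"),
    ("192.168.1.3", "216.1.1.3", "Web Server .3"),
    ("192.168.10.4", "216.1.1.4", "Intranet Web Server .4"),
    ("192.168.1.5", "216.1.1.5", "Virtual Web Server .5 & .6"),
    ("192.168.1.6", "216.1.1.6", "Mail Server [ext. out] .6"),
]


def zone_of(ip, zones=ZONES):
    """Name of the zone containing ip, or None if it is in no known zone."""
    addr = ip_address(ip)
    return next((name for name, net in zones.items() if addr in net), None)


def check_hosting(aliases, forwards, mappings, zones=ZONES):
    """Return a list of findings; an empty list means the tables are consistent."""
    findings = []
    claimed = {}        # (alias, port, restriction) -> comment of first forward
    forwarded_on = {}   # internal host -> set of aliases it receives on
    for restriction, alias, dest, port, comment in forwards:
        if alias not in aliases:
            findings.append(f"{comment}: Source IP {alias} is not a defined external alias")
        key = (alias, port, restriction)
        if key in claimed:
            findings.append(f"{comment}: duplicates forward '{claimed[key]}'")
        claimed.setdefault(key, comment)
        zone = zone_of(dest, zones)
        if zone != "DMZ" and restriction == BLANK:
            findings.append(f"{comment}: forwards into {zone or 'unknown'} zone host "
                            f"{dest} with no External IP restriction")
        forwarded_on.setdefault(dest, set()).add(alias)
    for internal, alias, comment in mappings:
        if alias not in aliases:
            findings.append(f"{comment}: Alias IP {alias} is not a defined external alias")
        # A host with no inbound forward (the outgoing-only mail server) is fine;
        # a host that is forwarded on other aliases than it maps out as is not.
        elif internal in forwarded_on and alias not in forwarded_on[internal]:
            findings.append(f"{comment}: maps {internal} out as {alias} but it "
                            f"receives forwards on {sorted(forwarded_on[internal])}")
    return findings


if __name__ == "__main__":
    for line in check_hosting(ALIASES, FORWARDS, MAPPINGS):
        print("finding:", line)
```

On the example 3 tables the only finding is the intranet web server forward, which the scenario describes as for restricted users but enters with a blank External IP; the other checks pass, including the two virtual hosts that share 192.168.1.5.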

Glossary

Numeric

2-factor authentication
The password to a token used with the token. In other words: 2-factor authentication is something you know, used together with something you have. Access is only granted when you use the two together.

3DES
A triple strength version of the DES cryptographic standard, usually using a 168-bit key.

A

Acceptable Use Policy
See AUP.

Access control
The process of preventing unauthorized access to computers, programs, processes, or systems.

Active Directory
Microsoft directory service for organizations. It contains information about organizational units, users and computers.

ActiveX
A Microsoft reusable component technology used in many VPN solutions to provide VPN client access in a road warrior's web browser.

AES (Advanced Encryption Standard)
A method of encryption selected by NIST as a replacement for DES and 3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES provides high security with fast performance across multiple platforms.

AH (Authentication Header)
Forms part of the IPSec tunnelling protocol suite. AH sits between the IP header and datagram payload to maintain information integrity, but not secrecy.

Algorithm
In Smoothwall products, an algorithm is a mathematical procedure that manipulates data to encrypt and decrypt it.

Alias or External Alias
In Smoothwall terminology, an alias is an additional public IP that operates as an alternative identifier of the red interface.

ARP (Address Resolution Protocol)
A protocol that maps IP addresses to NIC MAC addresses.

ARP Cache
Used by ARP to maintain the correlation between IP addresses and MAC addresses.

AUP (Acceptable Use Policy)
An AUP is an official statement on how an organization expects its employees to conduct messaging and Internet access on the organization's email and Internet systems. The policy explains the organization's position on how its users should conduct communication within and outside of the organization, both for business and personal use.

Authentication
The process of verifying identity or authorization.

B

Bandwidth
Bandwidth is the rate that data can be carried from one point to another. Measured in Bps (Bytes per second) or Kbps.

BIN
A binary certificate format, 8-bit compatible version of PEM.

Buffer Overflow
An error caused when a program tries to store too much data in a temporary storage area. This can be exploited by hackers to execute malicious code.

C

CA (Certificate Authority)
A trusted network entity, responsible for issuing and managing x509 digital certificates.

Certificate
A digital certificate is a file that uniquely identifies its owner. A certificate contains owner identity information and its owner's public key. Certificates are created by CAs.

Cipher
A cryptographic algorithm.

Ciphertext
Encrypted data which cannot be understood by unauthorized parties. Ciphertext is created from plain text using a cryptographic algorithm.

Client
Any computer or program connecting to, or requesting the services of, another computer or program.

Cracker
A malicious hacker.

Cross-Over Cable
A network cable with TX and RX (transmit and receive) reversed at either end to provide a direct peer-to-peer network connection.

Cryptography
The study and use of methods designed to make information unintelligible.

D

Default Gateway
The gateway in a network that will be used to access another network if a gateway is not specified for use.

Denial of Service
Occurs when a network host is flooded with large numbers of automatically generated data packets. The receiving host typically slows to a halt whilst it attempts to respond to each request.

DER (Distinguished Encoding Rules)
A certificate format typically used by Windows operating systems.

DES (Data Encryption Standard)
A historical 64-bit encryption algorithm still widely used today. DES is scheduled for official obsolescence by the US government agency NIST.

DHCP (Dynamic Host Control Protocol)
A protocol for automatically assigning IP addresses to hosts joining a network.

Dial-Up
A telephone based, non-permanent network connection, established using a modem.

DMZ (Demilitarized Zone)
An additional separate subnet, isolated as much as possible from protected networks.

DNS (Domain Name Service)
A name resolution service that translates a domain name to an IP address and vice versa.

Domain Controller
A server on a Microsoft Windows network that is responsible for allowing host access to a Windows domain's resources.

Dynamic IP
A non-permanent IP address automatically assigned to a host by a DHCP server.

Dynamic token
A device which generates one-time passwords based on a challenge/response procedure.

E

Egress filtering
The control of traffic leaving your network.

Encryption
The transformation of plaintext into a less readable form (called ciphertext) through a mathematical process. A ciphertext may be read by anyone who has the key to decrypt it (undo the encryption).

ESP (Encapsulating Security Payload)
A protocol within the IPSec protocol suite that provides encryption services for tunnelled data.

Exchange Server
A Microsoft messaging system including mail server, email client and groupware applications (such as shared calendars).

Exploit
A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service.

F

Filter
A filter is a collection of categories containing URLs, domains, phrases, lists of file types and replacement rules. Filters are used in policies to determine if a user should be allowed access to information or files he/she has requested using their web browser.

FIPS
Federal Information Processing Standards. See NIST.

Firewall
A combination of hardware and software used to prevent access to private network resources.

G

Gateway
A network point that acts as an entrance to another network.

Green
In Smoothwall terminology, green identifies the protected network.

H

Hacker
A highly proficient computer programmer who seeks to gain unauthorized access to systems without malicious intent.

Host
A computer connected to a network.

Hostname
A name used to identify a network host.

HTTP (Hypertext Transfer Protocol)
The set of rules for transferring files on the World Wide Web.

HTTPS
A secure version of HTTP using SSL.

Hub
A simple network device for connecting networks and network hosts.

I

ICMP (Internet Control Message Protocol)
One of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.

IDS
Intrusion Detection System.

IP
Internet Protocol.

IPS
Intrusion Prevention System.

IP Address
A 32-bit number that identifies each sender and receiver of network data.

IPtables
The Linux packet filtering tool used by Smoothwall to provide firewalling capabilities.

IPSec (Internet Protocol Security)
An internationally recognized VPN protocol suite developed by the Internet Engineering Task Force (IETF).

IPSec Passthrough
A 'helper' application on NAT devices that allows IPSec VPN traffic to pass through.

ISP
An Internet Service Provider provides Internet connectivity.

K

Kernel
The core part of an operating system that provides services to all other parts of the operating system.

Key
A string of bits used with an algorithm to encrypt and decrypt data. Given an algorithm, the key determines the mapping of plaintext to ciphertext.

Key space
The name given to the range of possible values for a key. The key space is the number of bits needed to count every distinct key. The longer the key length (in bits), the greater the key space.

L

L2F (Layer 2 Forwarding)
A VPN system, developed by Cisco Systems.

L2TP (Layer 2 Transport Protocol)
A protocol based on IPSec which combines Microsoft PPTP and Cisco Systems L2F tunnelling protocols.

LAN (Local Area Network)
A network between hosts in a similar, localized geography.

Leased Lines (or Private Circuits)
A bespoke high-speed, high-capacity site-to-site network that is installed, leased and managed by a telephone company.

Lockout
A method to stop an unauthorized attempt to gain access to a computer. For example, a three try limit when entering a password. After three attempts, the system locks out the user.

M

MAC Address (Media Access Control)
An address which is the unique hardware identifier of a NIC.

MX Record (Mail eXchange)
An entry in a domain name database that specifies an email server to handle a domain name's email.

N

NAT-T (Network Address Translation Traversal)
A VPN Gateway feature that circumvents IPSec NATing problems. It is a more effective solution than IPSec Passthrough.

NIC
Network Interface Card.

NIST (National Institute of Standards and Technology)
NIST produces security and cryptography related standards and publishes them as FIPS documents.

NTP (Network Time Protocol)
A protocol for synchronizing a computer's system clock by querying NTP Servers.

O

OU
An organizational unit (OU) is an object used to distinguish different departments, sites or teams in your organization.

P

Password
A protected/private string of characters, known only to the authorized user(s) and the system, used to authenticate a user as authorized to access a computer or data.

PEM (Privacy Enhanced Mail)
A popular certificate format.

Perfect Forward Secrecy
A key-establishment protocol, used to secure previous VPN communications, should a key currently in use be compromised.

PFS
See Perfect Forward Secrecy.

Phase 1
Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1 negotiates the security parameter agreement.

Phase 2
Phase 2 of a 2 phase VPN tunnel establishment process. Phase 2 uses the agreed parameters from Phase 1 to bring the tunnel up.

Ping
A program used to verify that a specific IP address can be seen from another.

PKCS#12 (Public Key Cryptography Standards #12)
A portable container file format for transporting certificates and private keys.

PKI (Public Key Infrastructure)
A framework that provides for trusted third party vetting of, and vouching for, user identities; and binding of public keys to users. The public keys are typically in certificates.

Plaintext
Data that has not been encrypted, or ciphertext that has been decrypted.

Policy
Contains content filters and, optionally, time settings and authentication requirements, to determine how Advanced Firewall handles web content and downloads to best protect your users and your organization.

Port
A service connection point on a computer system numerically identified between 0 and 65536. Port 80 is the HTTP port.

Port Forward
A firewall rule that routes traffic from a receiving interface and port combination to another interface and port combination. Port forwarding (sometimes referred to as tunneling) is the act of forwarding a network port from one network node to another. This technique can allow an external user to reach a port on a private IP address (inside a LAN) from the outside via a NAT-enabled router.

PPP (Point-to-Point Protocol)
Used to communicate between two computers via a serial interface.

PPTP (Peer-to-Peer Tunnelling Protocol)
A widely used Microsoft tunnelling standard deemed to be relatively insecure.

Private Circuits
See Leased Lines.

Private Key
A secret encryption key known only by its owner. Only the corresponding public key can decrypt messages encrypted using the private key.

Protocol
A formal specification of a means of computer communication.

Proxy
An intermediary server that mediates access to a service.

PSK (Pre-Shared Key)
An authentication mechanism that uses a password exchange and matching process to determine authenticity.

Public Key
A publicly available encryption key that can decrypt messages encrypted by its owner's private key. A public key can be used to send a private message to the public key owner.

PuTTY
A free SSH client for Windows.

Q

QOS (Quality of Service)
In relation to leased lines, QOS is a contractual guarantee of uptime and bandwidth.

R

VPNs.

Red
In Smoothwall, red is used to identify the Unprotected Network (typically the Internet).

RIP (Routing Information Protocol)
A routing protocol which helps routers dynamically adapt to changes in network connections by communicating information about which networks each router can reach and how far away those networks are.

Road Warrior
An individual remote network user, typically a travelling worker 'on the road' requiring access to an organization's network via a laptop. Usually has a dynamic IP address.

Route
A path from one network point to another.

Routing Table
A table used to provide directions to other networks and hosts.

Rules
In firewall terminology, rules are used to determine what traffic is allowed to move from one network endpoint to another.

S

Security policy
A security policy is a collection of procedures, standards and guidelines that state in writing how an organization plans to protect its physical and information technology (IT) assets. It should include password, account and logging policies, administrator and user rights, and define what behavior is and is not permitted, by whom and under what circumstances.

Server
In general, a computer that provides shared resources to network users.

SIP (Session Initiation Protocol)
A protocol for initiating, modifying, and terminating an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. Commonly used in VOIP applications.

R
RAS (Remote Access Server) A server which
can be attached to a LAN to allow dial-up connectivity from other LANs or individual users. RAS has been largely superseded by

Single Sign-On (SSO) The ability to log-in to multiple computers or servers in a single action by entering a single password. Site-To-Site A network connection between

383

Glossary

two LANs, typically between two business sites. Usually uses a static IP address.

U
User name / user ID A unique name by which each user is known to the system.

Smart card A device which contains the credentials for authentication to any device that is smart card-enabled. Spam Junk email, usually unsolicited. SQL Injection A type of exploit whereby
hackers are able to execute SQL statements via an Internet browser.

V
VPN
(Virtual Private Network) A network connected together via securely encrypted communication tunnels over a public network, such as the global Internet.

Squid A high performance proxy caching


server for web clients.

SSH (Secure Shell) A command line interface


used to securely access a remote computer.

VPN Gateway An endpoint used to establish,


manage and control VPN connections.

SSL A cryptographic protocol which provides


secure communications on the Internet.

SSL VPN A VPN accessed via HTTPS from any browser (theoretically). VPNs require minimal client configuration.
A term given to describe a cryptographic system that uses a key so long that, in practice, it becomes impossible to break the system within a meaningful time frame.

X
X509 An authentication method that uses the
exchange of CA issued certificates to guarantee authenticity.

Strong encryption

Subnet An identifiably separate part of an


organizations network.

Switch An intelligent cable junction device


that links networks and network hosts together.

Syslog A server used by other hosts to


remotely record logging information.

T
Triple DES (3-DES) Encryption
A method of data encryption which uses three encryption keys and runs DES three times Triple-DES is substantially stronger than DES. for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

Tunneling The transmission of data intended

384
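The Private Key, Public Key and Strong encryption entries above describe the two directions of an asymmetric key pair in words. The following Python is an added illustration written for this page, not code from the Smoothwall guide or product: textbook RSA with deliberately tiny constructed primes shows both directions (anyone encrypts with the public key and only the private key decrypts; the owner signs with the private key and anyone verifies with the public key), and then factors the modulus by brute force to show why the Strong encryption entry turns on key length. The primes, message and function names are all assumptions of the example; it requires Python 3.8 or later for the modular inverse and must never be used for real encryption.

```python
"""Added illustration of the Private Key / Public Key glossary entries.

Textbook RSA with deliberately tiny primes, written for this page; it is
not Smoothwall code and must never be used for real encryption.
"""
from math import gcd


def make_keypair(p, q, e=17):
    """Build an RSA key pair from two primes (assumed prime and distinct)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi), Python 3.8+
    return (n, e), (n, d)          # (public key, private key)


def encrypt(public_key, m):
    """Anyone holding the public key can do this; only the private key undoes it."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """Only the key owner can produce this; the matching public key verifies it."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m, signature):
    n, e = public_key
    return pow(signature, e, n) == m


def factor_modulus(n):
    """Trial division: feasible only because the toy modulus is tiny."""
    for candidate in range(2, int(n ** 0.5) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    return None


def recover_private_key(public_key):
    """Rebuild the private exponent from the public key alone once n is factored."""
    n, e = public_key
    p, q = factor_modulus(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def demo():
    public_key, private_key = make_keypair(61, 53)   # constructed toy primes, n = 3233
    message = 1234                                    # constructed sample plaintext
    ciphertext = encrypt(public_key, message)
    signature = sign(private_key, message)
    return {
        "round_trip_ok": decrypt(private_key, ciphertext) == message,
        "signature_ok": verify(public_key, message, signature),
        "tampered_rejected": not verify(public_key, message + 1, signature),
        "toy_key_broken": recover_private_key(public_key) == private_key,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the point of the Strong encryption entry: with a 12-bit modulus the private key falls out of the public key in microseconds, whereas real deployments use moduli of 2048 bits or more precisely so that this step is infeasible.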

Index
A
accessing 4
action to perform on malware 192
action to perform on spam 203
active directory
  extra realm 238, 241
  group search root 237, 241
  kerberos discover 237, 240
  kerberos realm 236, 239
  multiple user search roots 237, 240
  netbios domain name 237
  port 237, 240
  sam account name 237
  server password 236, 239
  server username 236, 239
admin 3
admin options 12
administration 12
administration login failures 266
administrative users 12
adsl modem settings 28
advanced 8
AIM 89
alerts 5, 265
  administration login failures 265
  email 297
  email to sms 296
  firewall notifications 265
  hardware failover notification 265
  hardware failure alerts 265
  health monitor 265
  inappropriate words in im 266
  intrusion detection system monitor 266
  l2tp vpn tunnel status 265
  license expiry status 265
  output system test messages 266
  settings 5
  smoothrule violations 265
  smoothtunnel vpn certificate monitor 265
  system boot (restart) notification 266
  system resource monitor 265
  system service monitoring 265
  traffic statistics monitor 266
  update monitoring 266
  ups, power supply status warning 265
  vpn tunnel status 265
allow email delivery 202
anti-malware 192, 198
  action to perform on malware 192
  enable scanning 192
anti-spam 15, 201
  pop3 203
  smtp 202
  tuning 204
append footers 194
application helper 66
  ftp 66
  h323 passthrough support 67
  irc 66
  pptp client support 66
apply action above spam score 202
archive 220
archive address 196
archives 12
archiving 14, 195
  archive address 196
  match domain or address 196
  match recipient 196
  match sender 196
attachments 15, 200, 213
  manage 213
authentication 9, 118, 223
  choosing 336
  diagnostics 233, 245
  mechanisms 335
  SSL login 228
  time out 233
authentication system
  diagnostics 244
  managing 244
  restarting 244
  status 245
  stopping 244
automatic whitelisting 89
av 9

B
banned users 231
BitTorrent 69
black-list users 90
blacklisting 207
bridging
  groups 59
  rules 55
  zones 55

C
ca 13, 14
censoring 89
certs 14
  ca 13
configuration tests 13
connection methods 24
  dial-up modem 30
  ethernet 24, 26
  ethernet/modem hybrid 24
  isdn modem 29
  modem 24
connection profiles 24
  creating 24
  deleting 32
  modem 24
  modifying 31
connection tracking 50
connections 21
connectivity 7
console
  connecting via 17
content 15, 199
  attachments 200
  footers 199
control 4, 9, 13
control page 4
create 5
current allowed addresses 195
current domains 195
custom categories 10
custom signatures 108

D
database 253
  backup 6
  disk usage 255
  password 253, 254, 255
  pruning 253
  remote 253
  settings 6
  username 253, 254, 255
default
  gateway 22
  interface 22
  users 231
deferred email 285
denial of service 49
detection policies 104
dhcp 11
  custom options 11
  leases 11
  relay 11
  server 11
dhcp ethernet 27
  settings 27
diagnostics 13, 233, 245
dial-up modem 30
DirectConnect 69
directory settings 233
  prerequisites 234, 241
disk usage 255
dns 10, 95
  dynamic 10
  proxy 10
  proxy service 96
  static 10, 95
documentation 2
domain to relay for 194
DoS 49
drop (discard) email 202

E
ECN 50
eDonkey 69
email
  archive 220
  logging 284
  logs 284
  status 285
  realtime information 276
email management
  administering 215
  implementing 209
  overview 191
email queue 196, 221
  mails in 197
  manually flush 197
  refreshing page 197
  total size of 197
email queues
  number of unique senders 197
email to sms 296
enable anti-malware scanning 192
enable graylisting 205
enable relay host 193
enable spam filtering 203
enable transparent SMTP relay 192
ethernet 24
external access 12
external aliases 7
external mail
  enable relay host 193
  password 193
  relay host 193
  username 193
external mail relay 193
external sender domain spoofing 194
external services 8, 72
  editing 73
  removing 73

F
failover 13, 322, 323
  failover unit 326
  master 324
filtering 6
filters 10
firewall 5, 6
  accessing browser 4
  connecting 17
  notifications 265
firmware upload 13
footers 15, 199, 213
  configure 213
ftp 10, 66, 92

G
gadugadu 89
global 11, 14
global settings 25
  configuring 25
Gnutella 69
graylisting 205
graylisting settings
  delay 206
  enable 205
  maximum age 206
group bridging 7, 59
group search root
  additional 237, 241
groups 6, 8, 9, 231
  banned users 231
  default users 231
  mapping 243
  network administrators 232
  renaming 232
  unauthenticated ips 231

H
h323 passthrough support 67
hardware 13
  failover 323
hardware failover 322
hardware failover notification 265
hardware failure alerts 265
health monitor 265
heartbeat 322
heartbeat interface 22
helo checks 193
hide conversation text 89
hostname 12
https 4
hybrid 24

I
icmp 49
ICMP ping 49
ICMP ping broadcast 49
ICQ 89
ids 6, 10
igmp 49
IGMP packets 49
im 87
  hide conversation text 89
  proxy 5
im proxy 6
inappropriate words in im 266
information 4
instant messenger 9, 87
  block file transfers 89
  blocked response 89
  blocked response message 89
  censor 89
  intercept ssl 89
  logging warning 89
  logging warning message 89
  protocols
    aim 89
    gadugadu 89
    icq 89
    jabber 89
    msn 89
  proxy 87, 88
instant messenger proxy
  enable 88
  enabled on interfaces 90
  exception local IP addresses 90
interface name 193
interfaces 7, 199
internal aliases 7
internal domains 14
  append footers 194
  current domains 195
  domain to relay for 194
  malware scanning 194
  relay ip 194
inter-zone security 55
intrusion detection 11
intrusion detection system 11
intrusion prevention 11
intrusion system 104
  custom policies 107
  detection policies 104
  policies 104
  prevention policies 105
intrusion system monitor 266
ip
  address defining 38
  block 7
  tools 13
ip exception list 193
ip or subnet to relay from 195
ips 6, 65
ipsec 5, 6
  roadwarriors 14
  subnets 14
irc 66
isdn modem 29
  settings 29
isp 26

J
jabber 89

K
KaZaA 69
kerberos 237, 240
  extra realms 238, 241
kerberos realm 236, 239

L
l2tp roadwarriors 14
l2tp vpn tunnel status 265
license expiry status 265
licenses 11
local users 9
  activity 227
  adding 224
  deleting 225
  editing 224
  exporting 225
  importing 225
  managing 223
  moving 226
  viewing 224
log settings 6
logging 284
logs 5
  email 284
  enable remote syslog 290
  inserting 256
  remote syslog server 290
  retention 291

M
mac spoof 27
mail relay
  about 368
mails in queue 197
main
  about 4
  control 4
maintenance 11
malware message 198
malware scanning 194
manually flush mail queue 197
mark subject as spam 202
master 324
match domain or address 196
match recipient 196
match sender 196
maximum age 206
maximum bounce size 192
maximum email size 192
message censor 10
  custom categories 10
  filters 10
  time 10
Microsoft Messenger 89
modem 13, 24
  settings 30
modem profile 24
modules 11
MSN 89
multicast traffic 49
multiple user search roots 237, 240

N
netbios domain name 237
network
  administrators 232
  interface 21
networking 6, 8
  restart 24
  source mapping 40
non-standard smtp checking 193
number of unique senders 197

O
OpenVPN 156
outbound access
  port rules 67
  source rules 70
outgoing 8, 14, 195
  current allowed addresses 195
  ip or subnet to relay from 195
output settings 6
output system test messages 266

P
pages
  email
    anti-spam 15
    content 15
      attachments 15
      footers 15
    pop3 15
    proxy 15
    smtp 14
      archiving 14
      internal domains 14
      outgoing 14
      queue 14
      relay 14
  info
    alerts 5
      alerts 5
      custom 5
    logs 5
      firewall 6
      ids 6
      im proxy 5, 6
      ips 6
      ipsec 6
      system 5
      web proxy 6
    realtime 5
      firewall 5
      ipsec 5
      portal 5
      system 5
      traffic graphs 5
    reports
      reports 5
      saved 5
      scheduled reports 5
    settings
      alert settings 5
      database backup 6
      database settings 6
      groups 6
      log settings 6
      output settings 6
      user portal 6
  information 4
    reports summary 4
  main 4
  networking 6, 8
    filtering 6
      group bridging 7
      ip block 7
      zone bridging 6
    firewall 8
      advanced 8
      port forwarding 8
      source mapping 8
    interfaces 7
      connectivity 7
      external aliases 7
      interfaces 7
      internal aliases 7
      ppp 7
      secondaries 7
    outgoing 8
      external services 8
      groups 8
      ports 8
      sources 8
    routing 7
      ports 7
      rip 7
      sources 7
      subnets 7
    settings
      advanced 8
      port groups 8
  services 8
    authentication 9
      control 9
      groups 9
      local users 9
      settings 9
      ssl login 9
      temporary bans 9
      user activity 9
    dhcp
      dhcp custom options 11
      dhcp leases 11
      dhcp relay 11
      dhcp server 11
      global 11
    dns 10
      dns proxy 10
      dynamic dns 10
      static dns 10
    ids 10
      intrusion system detection 11
      policies 11
      prevention 11
      signatures 10
    message censor 10
    proxies 9
      ftp 10
      im proxy 9
      sip 9
      web proxy 9
    snmp 10
    user portal 9
      groups 9
      portals 9
      user exceptions 9
  system
    administration 12
      admin options 12
      administrative users 12
      external access 12
    diagnostics 13
      configuration tests 13
      diagnostics 13
      ip tools 13
      traffic analysis 13
      whois 13
    hardware 13
      failover 13
      firmware upload 13
      modem 13
      ups 13
    maintenance 11
      archives 12
      licenses 11
      modules 11
      replication 12
      scheduler 12
      shell 12
      shutdown 12
      updates 11
    preferences 12
      hostname 12
      registration options 12
      time 12
      user interface 12
  vpn 13
    ca 14
    certs 14
    control 13
    global 14
    ipsec roadwarriors 14
    ipsec subnets 14
    l2tp roadwarriors 14
    ssl roadwarriors 14
password 193
passwords 3
permissive 68
policies 10, 11, 104
  intrusion 104
pop3 15, 197
  about 368
  anti-spam 203
    action to perform on spam 203
    enable spam filtering 203
    spam threshold 203
  proxy 212
pop3 proxy
  anti-malware 198
  configure 212
  enable anti-malware scanning 198
  enable transparent 198
  interfaces 199
  malware message 198
pop3 proxy configuration 198
port forwarding 8
port forwards 63
  comment 65
  creating 64
  criteria 63
  destination address 65
  destination port 65
  editing 66
  enabled 65
  external ip 65
  ips 65
  logging 65
  protocol 64
  removing 66
  source IP 65
  source port 65
  user defined 65
port groups 8
port rules 67
  creating 68
  deleting 70
  editing 69
  modes 68
  permissive 68
  preset 68
  restrictive 68
  stealth 69, 71
  viewing 70
portal 5, 9, 75, 276
  access 80
  configure 75
  delete 81
  edit 80
  groups 79
  user except 79
portals 9
ports 7, 8
ppp 7
ppp over ethernet settings 27
ppp profile 24
  creating 30
pptp client support 66
pptp over ethernet settings 28
preferences 12
prevention policies 105
primary dns 22
proxies 9
  dns 96
  pop3 197
  sip 90
proxy 15
  ftp 92
pruning 253, 254, 255

Q
quarantine mailbox 202
queue 14

R
rbl settings
  user defined 206
realtime 5
redirect email 202
refreshing page 197
registration options 12
relay 14, 209
  configure 209
relay host 193
relay ip 194
replication 12
reports 5, 117, 247
  custom 5
  database 253
  reports 5
  scheduled 5
restrictive 68
rip 7
routing 7
rule update frequency 204
rules
  archive 220
  assigning 73
  dynamic host 96
  external access 316
  external service 72
  group bridging 59
  internal alias 41
  ip blocking 47
  port 38
  port forward 63
  smtp access 209
  source 70
  source mapping 40
  subnet 33
  zone bridging 55

S
sam account name 237
scan attachments 205
scheduled reports 5
scheduler 12
secondaries 7
secondary dns 22
selective ACK 50
sender domain validity 193
server password 236, 239
server username 236, 239
services
  authentication 9, 233
  dhcp 11, 109
  dns 10, 95
  dns proxy 96
  dynamic dns 96
  ids 10
  intrusion system 104
  message censor 10
  portal 9
  rip 34
  sip 90
  snmp 10, 94
settings 6, 9
shell 12
shutdown 12
signatures 10
sip 9, 90
  types 90
site address 18
smoothrule violations 265
smoothtunnel vpn certificate monitor 265
smtp 14, 191
  about 367
  anti-malware 192
  anti-spam 202
    allow email delivery 202
    drop (discard) email 202
    mark subject as spam 202
    quarantine email 202
    quarantine mailbox 202
    spam threshold 202
  archiving 195
  email queue 196
  internal domains 194
  outgoing 195
  relay 191
    enable transparent SMTP relay 192
    maximum bounce size 192
    maximum email size 192
    time to hold undeliverable mail 192
  whitelisting 206
smtp settings
  anti-malware 192
  graylisting 205
  relay 191
smtp transparent
  ip exception list 193
snmp 10, 94
source mapping 8, 40
source rules 70
  creating 71
  editing 72
  rejection logging 71
  removing 72
  settings 71
sources 7, 8
spam
  manage 209
spam check optimization mode 204
spam protection 216
spam threshold 202, 203
ssh 17
  client 17
  web-based 18
SSL 156
ssl login 9, 228
  accessing the page 230
  customizing 230
  enabling 229
  exceptions 229
ssl roadwarriors 14
static ethernet settings 27
stealth 69
subnets 7
subscription 215
subscriptions
  av update 215
summary 4
support 2
SYN backlog queue 50
SYN cookies 49
SYN+FIN packets 50
system 5
system boot (restart) notification 266
system resource monitor 265
system service monitoring 265

T
TCP timestamps 50
telephony settings 31
temporary ban 226
temporary bans 9
time 12
time out 233
time slots 10
time to hold undeliverable mail 192
time-out 336
total size of queue 197
traffic
  analysis 13
  graphs 5
traffic audit 50
traffic statistics monitor 266
training 2
transparent smtp
  interface name 193
transparent smtp interfaces
  settings 193
tuning 204
  rule update frequency 204
  scan attachments 205
  spam check optimization mode 204
tutorial
  vpn 175
  zone bridging 57

U
unauthenticated ips 231
unchecked email 285
unknown entity 18
updates 11
ups 13
ups, power supply status warning 265
user
  activity 9, 227
  identity 335
  interface 12
user defined 206
user exceptions 9
user portal 6
username 193
users
  banned 231
  default 231
  local 223
  network administrators 232
  temporary ban 226
  unauthenticated IPs 231

V
virtual lans 23
vlan 23
voip 90
vpn 13, 117
  authentication 118
  psk 119
  x509 119
vpn tunnel status 265

W
web proxy 6, 9
white-list users 90
whitelisting 206
whois 13
window scaling 50

Y
yahoo 89

Z
zone bridge
  narrow 55
  rule create 55
  settings 56
  tutorial 57
  wide 55
zone bridging 6, 55
Copyright Smoothwall All rights reserved.
