Legal Information
End-User License Agreement
The use of the products described in these materials is subject to the then current end-user license agreement, which can be found at the Stonesoft website: www.stonesoft.com/en/support/eula.html
Replacement Service
The instructions for replacement service can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/return_material_authorization/
Hardware Warranty
The appliances described in these materials have a limited hardware warranty. The terms of the hardware warranty can be found at the Stonesoft website: www.stonesoft.com/en/support/view_support_offering/warranty_service/
Disclaimer
Although every precaution has been taken to prepare these materials, THESE MATERIALS ARE PROVIDED "AS-IS" and Stonesoft makes no warranty to the correctness of information and assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.
Revision: SGMIG_20110502
TABLE OF CONTENTS

INTRODUCTION

CHAPTER 3
Using StoneGate Documentation ... 7
  How to Use This Guide ... 8
  Typographical Conventions ... 8
  Documentation Available ... 9
  Product Documentation ... 9
  Support Documentation ... 9
  System Requirements ... 10
  Supported Features ... 10
  Contact Information ... 10
  Licensing Issues ... 10
  Technical Support ... 10
  Your Comments ... 10
  Other Queries ... 10

CHAPTER 4
Planning the Management Center Installation ... 11
  StoneGate System Architecture ... 12
  Overview to the Installation Procedure ... 13
  Important to Know Before Installation ... 13
  Supported Platforms ... 13
  Date and Time Settings ... 13
  Hosts File ... 13
  Obtaining Installation Files ... 14
  Downloading the Installation Files ... 14
  Checking File Integrity ... 14
  Creating the Installation CD-ROM ... 14
  Obtaining License Files ... 15

INSTALLING THE MANAGEMENT CENTER

CHAPTER 5
Installing the Management Center ... 19
  Getting Started with Management Center Installation ... 20
  Installing on Linux ... 20
  Configuration Overview ... 20
  Installing Management Center Components ... 21
  Installing a Management Server ... 23
  Installing a Log Server ... 24
  Installing a Web Portal Server ... 25
  Installing an Authentication Server ... 26
  Installing in Demo Mode ... 27
  Finishing the Installation ... 28
  Starting the Management Center After Installation ... 29
  Starting the Management Server ... 29
  Starting the Management Client ... 29
  Logging in to the Management Center ... 30
  Accepting the Management Server Certificate ... 30
  Installing Licenses ... 31
  Binding POL-Based Licenses to Servers ... 32
  Starting the Log Server and Web Portal Server ... 33
  Starting Servers Manually ... 33
  If the Log Server or Web Portal Server Fails to Start ... 34
  Generating Server Certificates ... 34
  After the Management Center is Installed ... 36
  Configuring Secondary Management Servers ... 37
  Overview ... 37
  Installing a License for a Secondary Management Server ... 37
  Installing a Secondary Management Server ... 37
  Configuring Log Servers for Backup Management Servers ... 40
  Applying the Authentication Server Configuration ... 40
  Non-Graphical Installation ... 41

CHAPTER 6
Distributing Management Clients through Web Start ... 43
  Getting Started with Web Start Distribution ... 44
  Distributing Clients from the SMC Servers ... 44
  Distributing Clients from a Separate Server ... 45
  Accessing the Web Start Clients ... 46

CHAPTER 7
Configuring NAT Addresses for StoneGate Components ... 47
  Configuration Overview ... 48
  Configuration Overview ... 49
  Defining Locations ... 49
  Adding SMC Server Contact Addresses ... 51
  Setting the Management Clients Location ... 53

MAINTENANCE

CHAPTER 8
Upgrading ... 57
  Getting Started with Upgrading the Management Center ... 58
  Configuration Overview ... 58
  Upgrading Licenses ... 59
  Upgrading Licenses Under One Proof Code ... 59
  Upgrading Licenses Under Multiple Proof Codes ... 60
  Installing Licenses ... 61
  Upgrading the Management Center ... 62

CHAPTER 9
Uninstalling the Management Center ... 65
  Overview to Uninstalling the Management Center ... 66
  Uninstalling in Windows ... 66
  Uninstalling in Linux ... 67

APPENDICES

APPENDIX A
Command Line Tools ... 71
  Management Center Commands ... 72
  Engine Commands ... 81
  Server Pool Monitoring Agent Commands ... 86

APPENDIX B
Default Communication Ports ... 89
  Management Center Ports ... 90
  Firewall/VPN Engine Ports ... 92
  IPS Engine Ports ... 96

Index ... 99
INTRODUCTION
In this section:
- Using StoneGate Documentation - 7
- Planning the Management Center Installation - 11
CHAPTER 3
USING STONEGATE DOCUMENTATION
Welcome to Stonesoft's StoneGate Management Center. This chapter describes how to use the StoneGate Management Center Installation Guide and lists other available documentation. It also provides directions for obtaining technical support and giving feedback. The following sections are included:
- How to Use This Guide (page 8)
- Documentation Available (page 9)
- Contact Information (page 10)
Typographical Conventions
The following conventions are used throughout the documentation:
Table 3.1 Typographical Conventions
Formatting: Informative Uses
User Interface text: Text you see in the User Interface (buttons, menus, etc.) and any other interaction with the user interface are in bold-face.
References, terms: Cross-references and first use of acronyms and terms are in italics.
Command line: File names, directories, and text displayed on the screen are monospaced.
User input: User input on screen is in monospaced bold-face.
Command parameters: Command parameter names are in monospaced italics.
We use the following ways to indicate important or additional information:
Note: Notes prevent commonly-made mistakes by pointing out important points.
Caution: Cautions prevent breaches of security, information loss, or system downtime. Cautions always contain critical information that you must observe.
Tip: Tips provide additional helpful information, such as alternative ways to complete steps.
Example: Examples present a concrete scenario that clarifies the points made in the adjacent text.
Documentation Available
StoneGate documentation is divided into two main categories: Product Documentation and Support Documentation. Each StoneGate product has a separate set of manuals.
Product Documentation
The table below lists the available product documentation. PDF guides are available on the Management Center CD-ROM and at http://www.stonesoft.com/support/.
Table 3.2 Product Documentation
Guide: Description
Reference Guide: Explains the operation and features of StoneGate comprehensively. Demonstrates the general workflow and provides example scenarios for each feature area. Available for StoneGate Management Center, Firewall/VPN, and StoneGate IPS.
Installation Guide: Instructions for planning, installing, and upgrading a StoneGate system. Available for StoneGate Management Center, Firewall/VPN, and IPS.
Online Help: Describes how to configure and manage the system step-by-step. Accessible through the Help menu and by using the Help button or the F1 key in any window or dialog. Available in the StoneGate Management Client and the StoneGate Web Portal. An HTML-based system is available in the StoneGate SSL VPN Administrator through help links and icons.
Administrator's Guide: Describes how to configure and manage the system step-by-step. Available as a combined guide for both StoneGate Firewall/VPN and StoneGate IPS, and as separate guides for StoneGate SSL VPN and StoneGate IPsec VPN Client.
User's Guide: Instructions for end-users. Available for the StoneGate IPsec VPN Client and the StoneGate Web Portal.
(guide title missing from the extracted table): Instructions for physically installing and maintaining StoneGate appliances (rack mounting, cabling, etc.). Available for all StoneGate hardware appliances.
Support Documentation
The StoneGate support documentation provides additional and late-breaking technical information. These technical documents support the StoneGate guide books, for example, by giving further examples on specific configuration scenarios. The latest StoneGate technical documentation is available at the Stonesoft website at http://www.stonesoft.com/support/.
System Requirements
The system requirements for running the StoneGate Management Center can be found in the Management Center Release Notes available at the Stonesoft Support Documentation pages.
Supported Features
Not all StoneGate features are supported on all platforms. See the Appliance Software Support Table at the Stonesoft Support Documentation pages for more information.
Contact Information
For street addresses, phone numbers, and general information about StoneGate and Stonesoft Corporation, visit our website at http://www.stonesoft.com/.
Licensing Issues
You can view your current licenses at the License Center section of the Stonesoft website at https://my.stonesoft.com/managelicense.do. For license-related queries, e-mail order@stonesoft.com.
Technical Support
Stonesoft offers global technical support services for Stonesoft's product families. For more information on technical support, visit the Support section at the Stonesoft website at http://www.stonesoft.com/support/.
Your Comments
We want to make our products fulfill your needs as well as possible. We are always pleased to receive any suggestions you may have for improvements. To comment on software and hardware products, e-mail feedback@stonesoft.com. To comment on the documentation, e-mail documentation@stonesoft.com.
Other Queries
For queries regarding other matters, e-mail info@stonesoft.com.
CHAPTER 4
PLANNING THE MANAGEMENT CENTER INSTALLATION
This chapter provides important information to take into account before the StoneGate Management Center installation can begin. It also includes an overview to the installation process. The following sections are included:
- StoneGate System Architecture (page 12)
- Overview to the Installation Procedure (page 13)
- Important to Know Before Installation (page 13)
- Obtaining Installation Files (page 14)
- Obtaining License Files (page 15)
[Figure: Management Center components: Management Client, Web Portal, Management Server, Log Server, Authentication Server, Firewall/VPN and IPS Engines]
The Management Center consists of the following standard components:
- The Management Server.
- One or more Log Servers.
- The Management Client is a single unified tool that is used for all configuration and monitoring tasks related to the whole StoneGate system. You can install an unlimited number of Management Clients.
Optionally, and for a separate license fee, you can also have:
- One or more backup Management Servers.
- One or more Web Portal Servers for Web Portal users.
- One Authentication Server with up to two nodes for end-user authentication.
The Management Center components can be installed separately on different machines or on the same machine, depending on your requirements. The Management Center can manage several StoneGate firewalls and IPS Sensors and Analyzers. See the Management Center Reference Guide, Firewall/VPN Reference Guide, and the IPS Reference Guide for general information on the Management Center, firewalls, and IPS engines.
Supported Platforms
The Release Notes list the basic requirements for installation. For information on supported and certified hardware, search for the version-specific Hardware Requirements in the technical documentation search at http://www.stonesoft.com/en/support/.
Hosts File
Due to a restriction of the Java platform, the Management Server and Log Server hostnames must be resolvable on the computer running the Management Client (even if running on the same computer as the servers) to ensure good performance. To ensure that the hostnames can be resolved, you can add the IP address-hostname pairs into the local hosts file on the client computer:
- In Linux: /etc/hosts
- In Windows: \WINNT\system32\drivers\etc\hosts
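The following is an added example, not part of the Stonesoft guide: it parses a hosts file in the format shared by /etc/hosts and the Windows hosts file, reports which Management Center server hostnames are missing or mapped to an unexpected address, and produces the lines to append. The hosts file content, hostnames and addresses are constructed samples; a check like this catches the case where a stale entry points the Management Client at the wrong server.

```python
"""Check that the Management Server and Log Server hostnames the
Management Client needs resolve through the local hosts file.

Added example for this guide, not Stonesoft code. The hosts file
content, hostnames and IP addresses below are constructed samples."""
import ipaddress

# Constructed sample hosts file: address, canonical name, aliases;
# '#' starts a comment. Same syntax on Linux and Windows.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# StoneGate Management Center servers (constructed example entries)
192.0.2.10  smc-mgmt.example.internal smc-mgmt
"""


def parse_hosts(text):
    """Return a dict mapping each hostname (lower-cased) to its address."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no name: ignore
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # malformed address: ignore
        for name in fields[1:]:
            # The first matching entry wins, which is how the files resolver
            # behaves; later duplicates are silently ignored.
            table.setdefault(name.lower(), addr)
    return table


def unresolved_servers(servers, hosts_text):
    """servers: {hostname: expected_ip}. Return {hostname: found_address}
    for every server that is absent (found_address is None) or mapped to a
    different address than expected."""
    table = parse_hosts(hosts_text)
    problems = {}
    for name, expected in servers.items():
        found = table.get(name.lower())
        if found != str(ipaddress.ip_address(expected)):
            problems[name] = found
    return problems


def hosts_lines_for(servers, hosts_text):
    """Lines to append for servers absent from the hosts file. A server that
    is present with a different address is not appended (the first entry
    would still win); that entry has to be corrected in place instead."""
    problems = unresolved_servers(servers, hosts_text)
    return [f"{servers[name]}\t{name}"
            for name, found in problems.items() if found is None]


if __name__ == "__main__":
    # Constructed scenario: Management Server present, Log Server missing.
    wanted = {"smc-mgmt.example.internal": "192.0.2.10",
              "smc-log.example.internal": "192.0.2.11"}
    print(unresolved_servers(wanted, SAMPLE_HOSTS))
    print("\n".join(hosts_lines_for(wanted, SAMPLE_HOSTS)))
```

Run it against the real file by passing the contents of /etc/hosts (or the Windows hosts file) as hosts_text together with the server names and addresses you licensed.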
4. Compare the displayed output to the checksum on the website. They must match.
Caution: Do not use files that have invalid checksums. If downloading the files again does not help, contact Stonesoft technical support to resolve the issue.
What's Next? If you downloaded the installation files as a .zip file, unzip the contents to the installation location and proceed to Obtaining License Files (page 15). Otherwise, continue by Creating the Installation CD-ROM.
CHAPTER 5
INSTALLING THE MANAGEMENT CENTER
This chapter instructs how to install the StoneGate Management Center on Windows and Linux platforms. The following sections are included:
- Getting Started with Management Center Installation (page 20)
- Installing Management Center Components (page 21)
- Starting the Management Center After Installation (page 29)
- After the Management Center is Installed (page 36)
- Configuring Secondary Management Servers (page 37)
- Non-Graphical Installation (page 41)
Installing on Linux
The installation creates sgadmin user and group accounts. If there is a pre-existing sgadmin account, the installation fails. All the shell scripts are owned by sgadmin and can be executed either by root or the sgadmin user. The shell scripts are executed with sgadmin privileges. After the installation, the sgadmin account is disabled. The sgadmin account is deleted at uninstallation.
Configuration Overview
1. Install the Management Center. See Installing Management Center Components (page 21). If you are installing on separate servers, install the Management Server as the first component.
2. Start the Management Center. See Starting the Management Center After Installation (page 29).
3. (Optional) Install the secondary Management Server(s). See Configuring Secondary Management Servers (page 37).
Caution: Do not install the Management Center on a StoneGate appliance.
6. (Optional) Click Choose to browse for a different installation folder. This folder is for the application, and a Log Server can have a separate data storage location.
7. Click Next.
8. Select the settings for creating shortcuts. These shortcuts can be used to manually start components and to run some maintenance tasks.
9. Click Next.
10. Click one of the icons to select the installation type:
- Typical installs all Management Center components except the Web Portal Server.
- Management Client Only installation is meant for administrators' workstations.
- Demo Mode installation is meant for evaluating StoneGate in a simulated environment.
- Custom installation allows you to select components one by one.
11. Click Next.
To select components for the Custom installation
1. Select the components that you want to install.
2. Click Next.
Note: Make sure you have a license for any separately licensed components before installing them. The Web Portal Server and Authentication Server are not included in standard Management Center licenses.
What's Next? For Demo Mode installations, proceed to Installing in Demo Mode (page 27). Otherwise, proceed to the next applicable section according to the components you are installing:
- Installing a Management Server.
- Installing a Log Server (page 24).
- Installing a Web Portal Server (page 25).
- Installing an Authentication Server (page 26).
2. Enter the IP address of the Log Server to which this Management Server sends its alerts.
3. (Optional) To install a backup server, select Install as a Secondary Management Server for High Availability and see Installing a Secondary Management Server (page 37).
4. Leave Install as a Service selected to make the Management Server start automatically.
5. Click Next. You are prompted to create a superuser account.
Note: This is the only account that can log in after the installation.
6. Type in a User Name.
7. Enter and confirm the Password.
8. Click Next.
What's Next? Proceed to the next applicable section according to the components you are installing:
- Installing a Log Server.
- Installing a Web Portal Server (page 25).
- Installing an Authentication Server (page 26).
- Finishing the Installation (page 28).
2. Enter the IP address of the Management Server that controls this Log Server.
3. If the components are installed on different machines and the Management Server is not reachable at the moment, deselect Certify the Log Server during the Installation to avoid connection attempts after installation. Certifying is mandatory for running the Log Server.
4. Leave Install as a Service selected to make the Log Server start automatically.
5. Click Next.
6. (Optional) Click Select to browse for a different storage folder for log data. Remote locations are not suitable for active storage, since quick and reliable access is required.
7. Click Next.
What's Next? Proceed to the next applicable section according to the components you are installing:
- Installing a Web Portal Server.
- Installing an Authentication Server (page 26).
- Finishing the Installation (page 28).
2. Type in the IP address for the Management Server that controls this Web Portal Server.
3. If the components are installed on different machines and the Web Portal Server is not reachable at the moment, deselect Certify the Web Portal Server during the Installation to avoid connection attempts after installation. Certifying is mandatory for running the Web Portal Server.
4. Leave Install as a Service selected to make the Web Portal Server start automatically.
5. Click Next.
What's Next? Proceed to the next applicable section according to the components you are installing:
- Installing an Authentication Server.
- Finishing the Installation (page 28).
2. Enter or select the IP address of the Management Server that controls this Authentication Server.
3. If the components are installed on different machines and the Management Server is not reachable at the moment, deselect Certify the Authentication Server during the Installation to avoid connection attempts after installation. Certifying is mandatory for running the Authentication Server and for installing the second node of a cluster.
4. Leave Install as a Service selected to make the Authentication Server start automatically.
5. Click Next.
What's Next? Proceed to Finishing the Installation (page 28).
2. (Custom backup file only) Click Choose and browse to the location of the backup file.
3. Click Next. The installation starts.
4. When the installation finishes, click Next.
5. Click Done to close the installer. The Management Center starts up automatically in the background.
What's Next? The simulated environment is now ready for your testing. Proceed to Logging in to the Management Center (page 30).
3. Click Install to install the selected components. This is the last chance to Cancel or make changes by clicking Previous.
4. Depending on the options you selected, you may be prompted to generate certificates in the course of the installation. If this happens, see the section To generate a certificate for a StoneGate server (page 35).
5. Click Done to close the installer.
Note: If any Log Server, Web Portal Server, or Authentication Server certificate was not retrieved during the installation, a certificate must be retrieved manually before the server can be started. See To manually certify a Server (page 34).
4. Click Login. If you connect to the Management Server from an external network, the Management Server's IP address may be translated using NAT.
Tip: You can access the Online Help system in the Login window or any other window in the Management Client by pressing the F1 key.
Installing Licenses
The Management Center servers require licenses to become operational. To obtain licenses, see Obtaining License Files (page 15). You can install licenses even before the components are installed. With no valid Management Server license, a notification is shown when you log in. If the message appears after licensing, make sure the licensed IP address is correct and active on the server when the Management Server service starts up.
To install licenses through the License Information message
Click Continue and select the license file(s) in the dialog that opens.
What's Next? If the message is not shown, install the licenses as explained below. Otherwise, proceed to the section To check that the licenses were installed correctly.
To install licenses
1. Select File > System Tools > Install Licenses.
2. Import one or more license files in the dialog that opens.
To check that the licenses were installed correctly
1. Click the Configuration icon and select Administration. The Administration Configuration view opens.
3. Check that all licenses you imported are listed here.
What's Next? If you have Log Server or Web Portal Server licenses that are bound to the Management Server's POL code, proceed to Binding POL-Based Licenses to Servers. Otherwise, continue by Starting the Log Server and Web Portal Server (page 33).
2. Right-click a management-bound license (a license that states Dynamic in place of an IP address) and select Bind. The Select License Binding dialog opens.
3. Select the correct server from the list.
4. Click Select. The license is now bound to the selected Log or Web Portal Server element. If you made a mistake, you can still right-click the license and select Unbind.
Note: The license is permanently bound to the Log or Web Portal Server when the server is started for the first time. Such licenses cannot be re-bound to some other Log or Web Portal Server without re-licensing or deleting the Log or Web Portal Server element it is bound to. Until you do that, the unbound license is shown as Retained.
2. If you have a Web Portal Server, start it in the same way:
- In Windows, use the shortcut icon in the location you selected during installation (default: Start > Programs > StoneGate > Web Portal Server) or run the script <installation directory>/bin/sgStartWebPortalServer.bat.
- In Linux, run the script <installation directory>/bin/sgStartWebPortalServer.sh.
What's Next? If you have started all servers successfully, proceed to After the Management Center is Installed (page 36). If you have trouble starting the server, see If the Log Server or Web Portal Server Fails to Start.
To generate a certificate for a StoneGate server
1. Enter the user name and password for the account you created during the Management Server installation (other accounts with unrestricted permissions can also be used).
2. Click Accept to accept the certificate fingerprint of the Management Server's Certificate Authority. As a precaution, you can ensure that the communication really is with your Management Server as explained in To check the Certificate Authority fingerprint (page 30). The Log Server Selection or Web Portal Server Selection dialog opens.
3. (Log Server or Web Portal Server only) Identify the component:
- If the correct server is listed, select it.
- If the correct server is not listed, select Create a New Log Server or Create a New Web Portal Server and enter a Name. This name is shown in the Management Client.
4. (Authentication Server only) Identify the component:
- If the correct server is listed, select it.
- If the correct server is not listed, select Create a New Authentication Server and enter a Name. This name is shown in the Management Client.
- If you are installing the second node of an existing Authentication Server, select Create a new Authentication Server node in an existing cluster and select the Authentication Server where you want to add the node.
5. Click OK.
What's Next? Start the Log Server or Web Portal Server as described in Starting the Log Server and Web Portal Server (page 33), then proceed to After the Management Center is Installed. The Authentication Server installation is complete. Proceed to After the Management Center is Installed.
Overview
1. If you have not yet installed a license for the secondary Management Server, install the license. See Installing a License for a Secondary Management Server.
2. Install the secondary Management Server using the Installation Wizard. See Installing a Secondary Management Server.
3. Add the IP addresses of all your Management Servers to the Log Servers' configuration. See Configuring Log Servers for Backup Management Servers (page 40).
3. If you also want to install a Log Server and a local Management Client on this computer, you can leave Typical selected. Otherwise, you must select Custom.
4. Click Next.
To select components for the Custom installation
1. Select the components that you want to install (select at least Management Server).
2. Click Next.
To configure the secondary Management Server
1. Enter or select the Management Server's IP address. The Management Server's license must be generated with this IP address as the binding.
2. Enter the IP address of the Log Server to which this Management Server sends its alerts.
3. Select Install as a Secondary Management Server for High Availability.
4. Leave Install as a Service selected to make the Management Server start automatically.
5. Click Next. After a while, a login prompt for Replication opens.
6. Enter the user name and the password for an unrestricted administrator account (such as the account you created during the installation of the primary Management Server).
7. Click OK. The Management Server Selection dialog opens.
8. Identify the component:
- If the correct server is listed, select it.
- If the correct server is not listed, select Create a New Management Server and type in a name. This name is shown in the Management Client.
9. Click OK. The databases are synchronized. After successful database synchronization between the secondary Management Server and primary Management Server, the installation is complete. If the synchronization fails for some reason (such as a network connection problem), the secondary Management Server is not installed properly. Rerun the Installation Wizard as above. Repeat the steps above as necessary to install other secondary Management Servers.
Note: You cannot log in to the secondary Management Server directly. If you want to check the status of the secondary Management Server or to change its configuration, log in to the primary Management Server with the Management Client.
2. Right-click Authentication Server and select Apply Configuration. A progress dialog opens.
3. Click Close when the operation finishes.
What's Next? Continue the configuration of the Authentication Server in the Management Client. See the Administrator's Guide or the Management Client Online Help.
Non-Graphical Installation
In Linux, the Management Center can also be installed on the command line. Before installing, check the installation package integrity using the MD5 or SHA-1 file checksums as explained in Checking File Integrity (page 14).
Note: You need a graphical environment to use the Management Client. It cannot be run on the command line. Only the server components can be run in a command line-only environment.
To begin the non-graphical installation
1. Open the shell and change to the directory where the installer is stored. If installing from a CD-ROM, the installer is in:
CD-ROM/StoneGate_SW_Installer/Linux/
If the CD-ROM is not automatically mounted, mount the CD-ROM with the command:
mount /dev/cdrom /mnt/cdrom
2. Run the command ./setup.sh -nodisplay (the -nodisplay switch can be omitted if there is no graphical environment running). The installer starts. You can use the following general commands at any point where the installer asks for your input:
- Type back to return to the previous step.
- Type quit to cancel the installation.
3. When prompted, press Enter to continue. The license agreement is displayed.
4. Press Enter to scroll through the license agreement and accept by typing Y. You are prompted to select the installation directory.
5. Press Enter to install to the default installation directory, or specify a different directory. If you specify a different directory, you are prompted to confirm it.
6. You are prompted to select the link location for shortcuts to the most commonly used command line tools.
7. Press Enter to create the StoneGate links in the default directory or select one of the other options. A reminder to verify the hosts file appears.
8. Press Enter to continue.
9. Select the StoneGate components you want to install:
- Press Enter to install all Management Center components except the Web Portal Server.
- Press 2 to install only the Management Client.
- Press 3 to install a simulated network environment for evaluation in Demo Mode.
- Press 4 to install a different selection of components.
10. (Customized installation only) Enter the numbers of the components you want to select/deselect, separated by commas. Entering the number of a selected component deselects it. Entering the number of a component that is not selected selects it. By default, the Management Server, Log Server, and Management Client are selected. You can verify your selection by typing back in the next stage.
Example: To install only the Web Portal Server, type 1,2,3,4 and press Enter.
The other installation options for the Management Center components are the same as in the graphical installation.
CHAPTER 6
DISTRIBUTING MANAGEMENT CLIENTS THROUGH WEB START
The Management Client can be distributed through Java Web Start. This eliminates the need for each administrator to upgrade their client when the SMC is upgraded to a new version (the version of the client must always match the version of the respective server). The following sections are included:
Getting Started with Web Start Distribution (page 44)
Distributing Clients from the SMC Servers (page 44)
Distributing Clients from a Separate Server (page 45)
Accessing the Web Start Clients (page 46)
Distributing Clients from the SMC Servers
2. Expand Servers.
3. Right-click a Management Server and select Properties. The Properties dialog opens.
4. Switch to the Web Start tab.
5. Select Enable. The Web Start server options are enabled.
6. (Optional) Change the (TCP) Port Number that the Web Start Server uses. By default, the standard HTTP port 80 is used on Windows and 8080 on Linux (on Linux, a service that does not run as root cannot bind to the reserved ports below 1024).
Note: Make sure that the port is not used by other listening services on the server. For ports reserved for StoneGate services, see Default Communication Ports (page 89).
7. Click OK. With these settings, users can access the Web Start files at any address that the Management Server may have. Because the files are served over plain HTTP on every address of the server, restrict access to this port to administrator networks in the same way as the other SMC ports.
What's Next? Test the client as explained in Accessing the Web Start Clients (page 46).
Distributing Clients from a Separate Server
4. Run the Web Start setup script and give the URL or the path of the directory where the Web Start files are located on your server as the parameter:
Windows: cscript webstart_setup.vbs <web start directory>
Linux: run webstart_setup.sh <web start directory>
Table 6.1 Examples (Web Start files installed on a Web server or on a network drive; the example values are not reproduced here)
5. If necessary, modify the configuration of the Web server to return the appropriate MIME type for .jnlp files (application/x-java-jnlp-file). Consult the manual of your Web server for instructions on how to configure the MIME type.
6. Delete the webstart_setup.vbs and webstart_setup.sh files from the directory.
Accessing the Web Start Clients
2. Click the link for the Web Start client. Web Start automatically checks whether the version on the server is already installed on your local computer. If not, the new client is automatically installed on your computer. This check is done each time the client is started this way, automatically upgrading your client installation whenever needed without any action from you. The client starts and displays the login dialog.
3. Log in with your account credentials.
What's Next? If NAT is applied to communications between any system components, proceed to Configuring NAT Addresses for StoneGate Components (page 47). Otherwise, you are ready to configure the firewall and IPS element(s) in the Management Client. You must configure the elements before installing the physical engines. See the Firewall/VPN Installation Guide and the IPS Installation Guide for more information.
CHAPTER 7
CONFIGURING NAT ADDRESSES FOR STONEGATE COMPONENTS
This chapter contains the steps needed to configure Locations and contact addresses when a NAT (network address translation) operation is applied to the communications between any of the system components. The following sections are included:
Configuration Overview (page 48)
Defining Locations (page 49)
Adding SMC Server Contact Addresses (page 51)
Setting the Management Client's Location (page 53)
Configuration Overview
If there is network address translation (NAT) between communicating system components, the translated IP address may have to be defined for system communications. All communications between the StoneGate components are presented as a table in Default Communication Ports (page 89). You use Location elements to configure StoneGate components for NAT. There is a Default Location to which all elements belong if you do not assign them a specific Location. If NAT is applied between two system components, you must separate them into different Locations and add a contact address for the component that needs to be contacted. You can define a Default contact address for contacting a component (defined in the main Properties dialog of the corresponding element). The component's Default contact address is used when components that belong to another Location contact it and it has no contact address defined specifically for their Location.
Illustration 7.1 An Example Scenario for Using Locations (diagram not reproduced: a Headquarters Location containing the Intranet, the Management/Log Server, an Analyzer, a Sensor and a Firewall, and a Branch Office Location reached across the Internet)
In the example scenario above, a Management Server and a Log Server manage StoneGate components both at a company's headquarters and in a branch office. NAT could typically be applied at the following points:
The firewall at the headquarters or an external router may provide the SMC servers' external IP addresses on the Internet. The external addresses must be defined as contact addresses so that the components at the branch offices can contact the servers across the Internet.
The branch office firewall or an external router may provide external addresses for the StoneGate components at the branch office. Also in this case, the external IP addresses must be defined as contact addresses so that the Management Server can contact the components.
When contact addresses are needed, it may be enough to define a single new Location element, for example, for the branch office, and group the StoneGate components at the branch office into the Branch Office Location. The same Location element could also be used to group together StoneGate components at any other branch office if they also need to connect to the SMC servers at the headquarters and NAT is applied to the communications. To be able to view logs, the administrators at the branch office must select the Branch Office Location in the Management Client.
1. Define Location element(s). See Defining Locations.
2. Define contact addresses for the Management Server and Log Server(s). See Adding SMC Server Contact Addresses (page 51).
3. Select the correct Location for your Management Client. See Setting the Management Client's Location (page 53).
4. Select the correct Location for firewalls and IPS engines when you create the Firewall or IPS elements. See the Firewall/VPN Installation Guide and IPS Installation Guide.
Defining Locations
The first task is to group the system components into Location elements based on which components are on the same side of a NAT device. The elements that belong to the same Location element always use the primary IP address (defined in the main Properties dialog of the element) when contacting each other.
To create a new Location element
1. Click the Configuration icon in the toolbar, and select Administration. The Administration Configuration view opens.
3. Right-click Locations and select New Location. The Location Properties dialog opens.
4. Type in a Name.
5. Select element(s).
6. Click Add.
7. Repeat steps 5-6 until all necessary elements are added.
8. Click OK. Repeat to create other Locations as necessary.
What's Next? If your Management Server or Log Server needs a contact address, proceed to Adding SMC Server Contact Addresses (page 51). Otherwise, you are ready to configure the firewall and IPS element(s) in the Management Client. You must configure the elements before installing the physical engines. See the Firewall/VPN Installation Guide and the IPS Installation Guide for more information.
Adding SMC Server Contact Addresses
3. If necessary, enter additional Default contact address(es). A default contact address is automatically entered based on the element properties. If the server has multiple Default contact addresses, separate the addresses with commas. If necessary, the Exceptions button allows you to define other contact addresses for specific Locations.
Note: Elements that belong to the same Location element always use the primary IP address when contacting each other instead of any Contact Addresses. All elements not specifically put in a certain Location are treated as an additional Location.
4. Click OK.
Define the contact addresses for other servers as necessary in the same way.
To define Authentication Server contact addresses
1. Right-click the Authentication Server and select Properties. The Authentication Server properties open.
2. Select the node for which you want to define contact addresses and click Edit. The Node Properties dialog opens.
3. Select the Location of this server.
4. If necessary, enter additional Default contact address(es). A default contact address is automatically entered based on the element properties. If the server has multiple Default contact addresses, separate the addresses with commas. If necessary, the Exceptions button allows you to define other contact addresses for specific Locations.
5. Click OK.
Note: Elements that belong to the same Location element always use the primary IP address when contacting each other instead of any Contact Addresses. All elements not specifically put in a certain Location are treated as an additional Location.
What's Next? If NAT is performed between your Management Client and a Log Server, proceed to Setting the Management Client's Location (page 53). Otherwise, you are ready to configure the firewall and IPS element(s) in the Management Client. You must configure the elements before installing the physical engines. See the Firewall/VPN Installation Guide and the IPS Installation Guide for more information.
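The contact address rules stated in Configuration Overview and in the notes above (same Location: primary IP; different Location: the exception address for the caller's Location if one exists, otherwise the Default contact address) can be checked before you commit a Location design. The following Python model is an added example for this guide, not Stonesoft code: it resolves which address every component would use to reach every other one. The element names, Location names and all IP addresses are made up for the example, and the scenario follows Illustration 7.1 with a headquarters firewall NATing the SMC servers and a branch office firewall NATing the branch engine.

```python
# Contact-address resolution between StoneGate components, modelled on the
# Location and contact address rules in this chapter. Added illustration, not
# Stonesoft code; all element names, Location names and addresses are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_LOCATION = "Default"   # elements not assigned to any Location end up here


@dataclass
class Element:
    name: str
    primary_ip: str                          # primary IP from the element's main Properties
    location: str = DEFAULT_LOCATION         # Location element the component belongs to
    default_contact: Optional[str] = None    # Default contact address (None: pre-filled from primary IP)
    # Exceptions: contact address to use when contacted from a given Location
    exceptions: Dict[str, str] = field(default_factory=dict)


def contact_address(caller: Element, target: Element) -> str:
    """Address `caller` uses to reach `target`.

    1. Same Location: always the primary IP, whatever contact addresses exist.
    2. Different Locations and an Exception defined for the caller's Location:
       that exception address.
    3. Otherwise the target's Default contact address. The Management Client
       pre-fills it from the element properties, so it falls back to the
       primary IP here when none was typed in.
    """
    if caller.location == target.location:
        return target.primary_ip
    if caller.location in target.exceptions:
        return target.exceptions[caller.location]
    return target.default_contact or target.primary_ip


def contact_matrix(elements: List[Element]) -> Dict[Tuple[str, str], str]:
    """Every (caller, target) pair and the address that will be used."""
    return {
        (a.name, b.name): contact_address(a, b)
        for a in elements for b in elements if a is not b
    }


# Scenario from Illustration 7.1 with made-up addresses: the headquarters
# firewall NATs the SMC servers to 203.0.113.x; the branch office firewall
# NATs the branch engine to 198.51.100.1; a partner site sees the Log Server
# through a different NAT, which is what the Exceptions button is for.
MGMT = Element("Management Server", "10.0.1.10", "Headquarters",
               default_contact="203.0.113.10")
LOG = Element("Log Server", "10.0.1.11", "Headquarters",
              default_contact="203.0.113.11",
              exceptions={"Partner": "192.0.2.11"})
HQ_CLIENT = Element("HQ Management Client", "10.0.1.50", "Headquarters")
BRANCH_FW = Element("Branch Firewall", "10.8.0.1", "Branch Office",
                    default_contact="198.51.100.1")
BRANCH_CLIENT = Element("Branch Management Client", "10.8.0.50", "Branch Office")
PARTNER_CLIENT = Element("Partner Management Client", "172.16.5.5", "Partner")
UNASSIGNED = Element("Unassigned Client", "10.0.9.9")   # left in the Default Location

ELEMENTS = [MGMT, LOG, HQ_CLIENT, BRANCH_FW, BRANCH_CLIENT, PARTNER_CLIENT, UNASSIGNED]

if __name__ == "__main__":
    for (caller, target), addr in sorted(contact_matrix(ELEMENTS).items()):
        print(f"{caller:28} -> {target:28} via {addr}")
```

Running the script prints the full matrix; the rows worth reading are the ones where a component left in the Default Location contacts a headquarters server, since, as the note above says, unassigned elements count as their own Location and therefore receive the Default contact address rather than the primary IP.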
Setting the Management Client's Location
What's Next? You are ready to configure firewall and IPS element(s). See the Firewall/VPN Installation Guide and the IPS Installation Guide for more information.
MAINTENANCE
In this section:
Upgrading - 57 Uninstalling the Management Center - 65
CHAPTER 8
UPGRADING
This chapter explains how you can upgrade the StoneGate Management Center. The following sections are included: Getting Started with Upgrading the Management Center (page 58) Upgrading Licenses (page 59) Upgrading the Management Center (page 62)
Configuration Overview
1. Obtain the installation files and check the installation file integrity as explained in Downloading the Installation Files (page 14).
2. (If automatic license updates have been disabled) Update the licenses as explained in Upgrading Licenses (page 59).
3. Upgrade all Management Servers, Log Servers, and Web Portal Servers as explained in Upgrading the Management Center (page 62).
4. Upgrade any locally installed Management Clients by running the Management Center installer, and any Web Start distributions that are located on external servers as explained in Distributing Clients from a Separate Server (page 45).
What's Next? If the current licenses are valid for the new version, proceed to Upgrading the Management Center (page 62). Otherwise, continue by Upgrading Licenses (page 59).
Upgrading Licenses
When you installed StoneGate for the first time, you installed licenses that work with all versions of StoneGate up to that particular version. If the first two numbers in the old and the new version are the same, the upgrade can be done without upgrading licenses (for example, when upgrading from 1.2.3 to 1.2.4). When either of the first two numbers in the old version and the new version are different, you must first upgrade your licenses (for example, when upgrading from 1.2.3 to 1.3.0). Automatic regeneration and installation of licenses is enabled by default. You can also upgrade the licenses at the Stonesoft website. If you do not need to upgrade licenses, proceed to Upgrading the Management Center (page 62).
What's Next?
Proceed to Upgrading Licenses Under One Proof Code to upgrade the licenses one by one.
Proceed to Upgrading Licenses Under Multiple Proof Codes (page 60) to upgrade several licenses at once.
Upgrading Licenses Under Multiple Proof Codes
2. Browse to Licenses > All Licenses. All the licenses appear in the right panel.
3. Ctrl-select or Shift-select the licenses you want to upgrade.
4. Right-click one of the selected items and select Export License Info. The StoneGate License Request Browser dialog opens.
5. Save the license information file. A confirmation dialog opens.
6. (Optional) Click Yes to launch the Stonesoft License Center website's multi-upgrade form in your default Web browser.
7. Upload the license upgrade request file to the Stonesoft License Center website using the multi-upgrade form. You can view and download your current licenses at the license website (log in by entering the proof-of-license or proof-of-serial number code at the License Center main page).
Installing Licenses
After you have upgraded the licenses as described above, you install the license file in the Management Client.
To install licenses
1. Select File > System Tools > Install Licenses.
2. Select one or more license files in the standard dialog that opens.
3. Browse to Licenses > All Licenses in the Administration Configuration view.
4. Check that the licenses are now correctly upgraded to the new version. When you only upgrade the software version in the license, old licenses are automatically replaced.
Upgrading the Management Center
3. Indicate that you accept the License Agreement and click Next to continue the installation.
4. Make sure the installation directory is correct for your installation and click Next. All installed components must be upgraded at the same time. You can install additional components if you wish (see Installing the Management Center (page 19) for installation instructions).
5. (Management Server only, optional) Select Save Current Installation to save a copy of the current installation that you can revert to at any time after the upgrade.
6. Click Next.
7. (Management Server only) Select the configuration data backup option and click Next:
Select Yes to create a backup that can be used and viewed without a password.
Select Yes, encrypt the backup to create a password-protected backup. You are prompted for the password as you confirm the selection.
Select No if you already have a recent backup of the Management Server.
Caution: If you are working on a Windows system and you are upgrading any StoneGate component that runs as a service, make sure the Services window is closed before you complete the next step. Otherwise, the service may not be installed correctly.
8. Check the displayed information and click Install. The upgrade begins.
9. (Optional) When the upgrade is finished, follow the link(s) in the notification to launch the report(s) of system changes in your Web browser before you exit the installer.
What's Next? If administrators have Management Clients installed locally, upgrade the Management Clients by running the same Management Center installer on those hosts. If you are distributing Web Start Management Clients from an external server, install a new Web Start package in the same way as the original installation was made. See Distributing Management Clients through Web Start (page 43). Otherwise, the Management Center upgrade is now complete. See the Firewall/VPN Installation Guide and IPS Installation Guide if you are upgrading engines as well.
CHAPTER 9
UNINSTALLING THE MANAGEMENT CENTER
This chapter instructs how to uninstall the Management Center components. The following sections are included: Overview to Uninstalling the Management Center (page 66) Uninstalling in Windows (page 66) Uninstalling in Linux (page 67)
Uninstalling in Windows
To uninstall in Windows
1. Launch the uninstaller in one of the following ways:
Open the list of installed programs through the Windows Control Panel, right-click StoneGate Management Center, and select Uninstall/Change.
Alternatively, run the script <installation directory>\uninstall\uninstall.bat
2. When the uninstaller starts, click Uninstall. All Management Center components are uninstalled.
Uninstalling in Linux
To uninstall in graphical mode
1. Stop the Management Center components on the machine.
2. Run the script <installation directory>/uninstall/uninstall.sh
3. When the uninstaller starts, click Uninstall. All Management Center components are uninstalled.
To uninstall in non-graphical mode
1. Stop the Management Center components on the machine.
2. Run the script <installation directory>/uninstall/uninstall.sh -nodisplay
APPENDICES
In this section:
Command Line Tools - 71 Default Communication Ports - 89 Index - 99
APPENDIX A
COMMAND LINE TOOLS
This appendix describes the command line tools for StoneGate Management Center and the engines. The following sections are included: Management Center Commands (page 72) Engine Commands (page 81) Server Pool Monitoring Agent Commands (page 86)
Management Center Commands
Note: Several of these scripts take the administrator password as the pass= parameter on the command line. A command line is visible to other local users in process listings and is recorded in shell history, so run these scripts from a dedicated administrator account and clear or disable history where the password is typed.

Command: sgArchiveExport [ host=<address> ] [ login=<login name> ] pass=<password> [ format=CSV|XML|CEF ] i=<input file> [ o=<output file> ] [ f=<filter file> ] [ e=<filter expression> ] [ -h | -help ] [ -v ]
Description: Displays or exports logs from archive. This command is only available on the Log Server. The operation checks privileges for the supplied administrator account from the Management Server to prevent unauthorized access to the logs. Enclose details in double quotes if they contain spaces.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
format defines the file format for the output file. If this parameter is not defined, the XML format is used.
i defines the source from which the logs will be exported. Can be a folder or a file. The processing recurses into subfolders.
o defines the destination file where the logs will be exported. If this parameter is not defined, the output is displayed on screen.
f defines a file that contains the filtering criteria you want to use for filtering the log data. You can export log filters individually in the Management Client through Tools > Save for Command Line Tools in the filter's right-click menu.
e allows you to type in a filter expression manually (using the same syntax as exported filter files).
-h or -help displays information on using the script.
-v displays verbose output on the command execution.
Example (exports logs from one full day to a file using a filter):
sgArchiveExport login=admin pass=abc123 i=c:/stonesoft/stonegate/data/archive/firewall/year2009/month12/day01/ f=c:/stonesoft/stonegate/export/MyExportedFilter.flp format=CSV o=MyExportedLogs.csv
Command: sgBackupAuthSrv
Description: Creates a backup of Authentication Server user information. The backup file is stored in the <installation directory>/backups/ directory. Backing up the Authentication Server only backs up Users, not the configuration of the Authentication Server. The Authentication Server configuration is included in the Management Server backup. Also see sgRestoreAuthBackup.

Command: sgBackupLogSrv
Description: Creates a backup of Log Server configuration data. The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the log database is required on the destination drive. Otherwise, the operation fails. Also see sgRestoreLogBackup.

Command: sgBackupMgtSrv
Description: Creates a complete backup of the Management Server (including both the local configuration and the stored information in the configuration database). The backup file is stored in the <installation directory>/backups/ directory. Twice the size of the Management Server database is required on the destination drive. Otherwise, the operation fails. Also see sgRestoreMgtBackup and sgRecoverMgtDatabase.

Command: sgCertifyAuthSrv
Description: Contacts the Management Server and creates a new certificate for the Authentication Server to allow secure communications with other system components. Renewing an existing certificate does not require changing the configuration of any other system components.

Command: sgCertifyLogSrv
Description: Contacts the Management Server and creates a new certificate for the Log Server to allow secure communications with other system components. Renewing an existing certificate does not require changing the configuration of any other system components.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
domain specifies the administrative Domain the Log Server belongs to if the system is divided in administrative Domains. If the Domain is not specified, the Shared Domain is used.

Command: sgCertifyMgtSrv
Description: Creates a new certificate for the Management Server to allow secure communications between the StoneGate system components. Renewing an existing certificate does not require changes on any other system components.
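sgBackupLogSrv and sgBackupMgtSrv above both fail outright when the destination drive has less than twice the size of the database free, which is an unpleasant way to find out in the middle of a maintenance window. The following preflight check is an added example for this guide, not a Stonesoft script: it measures the database directory, reads the free space on the drive that will hold the backup and applies the same 2x rule before you run the backup script. It assumes you pass the database directory and the backup directory explicitly (the default backup location is <installation directory>/backups/, but where the database lives depends on your installation).

```python
# Preflight check for sgBackupMgtSrv and sgBackupLogSrv: both fail when the
# drive holding the backup directory has less than twice the size of the
# database free. Added example, not a Stonesoft script. The database and
# backup directories are passed explicitly because their location depends on
# where the Management Center was installed.
import os
import shutil
import sys
from typing import Dict


def tree_size_bytes(path: str) -> int:
    """Total size of the regular files under `path`; symlinks are not followed."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.islink(full):
                total += os.path.getsize(full)
    return total


def space_sufficient(db_bytes: int, free_bytes: int, factor: int = 2) -> bool:
    """The rule from the command reference: free space >= factor x database size."""
    return free_bytes >= factor * db_bytes


def backup_preflight(db_dir: str, backups_dir: str, factor: int = 2) -> Dict[str, object]:
    """Measure the database and the free space where the backup will be written."""
    # The backup directory may not exist yet; measure the nearest existing parent,
    # which is on the same drive.
    probe = backups_dir
    while not os.path.isdir(probe):
        probe = os.path.dirname(probe) or os.curdir
    db_bytes = tree_size_bytes(db_dir)
    free_bytes = shutil.disk_usage(probe).free
    return {
        "db_bytes": db_bytes,
        "required_bytes": factor * db_bytes,
        "free_bytes": free_bytes,
        "ok": space_sufficient(db_bytes, free_bytes, factor),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: backup_preflight.py <database directory> <backups directory>")
    result = backup_preflight(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(0 if result["ok"] else 1)
```

The exit status makes the check usable as a gate in a scheduled backup job: run it, and only call the backup script when it returns 0.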
Command: sgCertifyWebPortalSrv
Description: Contacts the Management Server and creates a new certificate for the Web Portal Server to allow secure communications with other system components. Renewing an existing certificate does not require changing the configuration of any other system components.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
domain specifies the administrative Domain the Web Portal Server belongs to if the system is divided in administrative Domains. If the Domain is not specified, the Shared Domain is used.

Command: sgChangeMgtIPOnAuthSrv <IP address>
Description: Changes the Management Server's IP address in the Authentication Server's local configuration to the IP address you give as a parameter. Use this command if you change the Management Server's IP address. Restart the Authentication Server service after this command.

Command: sgChangeMgtIPOnLogSrv <IP address>
Description: Changes the Management Server's IP address in the Log Server's local configuration to the IP address you give as a parameter. Use this command if you change the Management Server's IP address. Restart the Log Server service after this command.

Command: sgChangeMgtIPOnMgtSrv <IP address>
Description: Changes the Management Server's IP address in the local configuration to the IP address you give as a parameter. Use this command if you change the Management Server's IP address. Restart the Management Server service after this command.

Command: sgClient
Description: Starts a locally installed StoneGate Management Client.

Command: sgCreateAdmin
Description: Creates an unrestricted (superuser) administrator account. The Management Server needs to be stopped before running this command.
Command: sgExport [host=<Management Server Address [\Domain ]>] [ login=<login name> ] pass=<password> file=<file path and name> type=<all|nw|ips|sv|rb|al> [-recursion] [-system] [name=<element name 1, element name 2, ...>]
Description: Exports elements stored on the Management Server to an XML file. Enclose details in double quotes if they contain spaces.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
Domain specifies the administrative Domain for this operation if the system is divided in administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
type specifies which types of elements are included in the export file: all for all exportable elements, nw for network elements, ips for IPS elements, sv for services, rb for security policies, or al for alerts.
-recursion includes referenced elements in the export, for example, the network elements used in a policy that you export.
-system includes any system elements that are referenced by the other elements in the export.
name allows you to specify by name the element(s) that you want to export.
Command: sgHA [host=<Management Server Address [\Domain]>] [ login=<login name> ] pass=<password> [-h|-help] [-set-active] [-set-standby] [-force-active] [-sync]
Description: Controls highly available (active and standby) Management Servers.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
Domain specifies the administrative Domain for this operation if the system is divided in administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
-h or -help displays information on using the script.
-set-active sets a standby Management Server as the active Management Server, sets the formerly active Management Server as a standby Management Server, and synchronizes the database between them.
-set-standby sets the active Management Server as a standby Management Server.
-force-active sets a standby Management Server as the active Management Server without synchronizing the database with the formerly active Management Server. Use it only when the formerly active server cannot be reached; any changes on it that were not replicated before the switch are not carried over.
-sync functions differently on a standby Management Server and an active Management Server. If you run it on an active Management Server, it replicates the active database to every standby Management Server that has the Include in Database Replication option selected in its properties. If you run it on a standby Management Server, it replicates the active database from the active Management Server only to this standby Management Server (regardless of whether the Include in Database Replication option is selected in the standby Management Server's properties).

Command: sgImport host=<Management Server Address [\Domain]> [ login=<login name> ] pass=<password> file=<file path and name>
Description: Imports StoneGate Management Server database elements from a StoneGate XML file. When importing, existing (non-default) elements are overwritten if both the name and type match, so review the contents of the XML file before importing it into a production Management Server.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
Domain specifies the administrative Domain for this operation if the system is divided in administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
file defines the file whose contents you want to import.
Command: sgImportExportUser host=<Management Server Address [\Domain]> [ login=<login name> ] pass=<password> action=[import|export] file=<file path and name>
Description: Imports and exports a list of Users and User Groups in an LDIF file from/to a StoneGate Management Server's internal LDAP database. To import User Groups, all User Groups in the LDIF file must be directly under the stonegate top-level group (dc=stonegate). The user information in the export file is stored as plaintext. Handle the file securely.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
Domain specifies the administrative Domain for this operation if the system is divided in administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
action defines whether users are imported or exported.
file defines the file that is used for the operation.
Example:
sgImportExportUser login=admin pass=abc123 action=export file=c:\temp\exportedusers.ldif

Command: sgImportWebClientLanguage host=<Management Server Address [\Domain]> [ login=<login name> ] pass=<password> file=<file path and name>
Description: Imports an additional language to the Web Portal end-user interface. You can run the command when the Web Portal Server service is running, but the imported language does not become available until the service is restarted.
host specifies the address of the Management Server. If the parameter is not defined, the loopback address is used.
Domain specifies the administrative Domain for this operation if the system is divided in administrative Domains. If the Domain is not specified, the Shared Domain is used.
login defines the username for the account that is used for this operation. If this parameter is not defined, the username root is used.
pass defines the password for the user account.
file defines the file that is used for the operation. The imported file must use the UTF-8 or UTF-16 text encoding. The file name must follow the format messages_XX[_YY[_ZZ]].txt where XX is the two-character ISO language code, YY the ISO country code and ZZ the ISO language variant code. The country code and language variant code are optional.
Example:
sgImportWebClientLanguage host=192.168.1.101/Helsinki login=ricky pass=abc123 file=messages_sv_fi.txt
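Two of the statements about sgImportExportUser above are worth checking mechanically before an import or after an export: User Groups must sit directly under dc=stonegate, and the exported file holds user information in plaintext. The following Python LDIF reader is an added example for this guide, not Stonesoft code. It parses an LDIF file (folded lines, comments and base64 values included), reports every group entry that is not directly under dc=stonegate, and lists the entries that carry a credential attribute so you know the file must be protected. Treating objectClass values that contain "group" as User Groups and userPassword as the credential attribute are assumptions about the internal LDAP schema, and the sample LDIF is constructed for the example rather than taken from a real export.

```python
# Reader and import checks for the LDIF files that sgImportExportUser writes
# and reads. Added example, not Stonesoft code. It applies the two rules from
# the command reference: User Groups must be directly under dc=stonegate, and
# the export is plaintext, so entries carrying credentials are listed.
# Assumptions: objectClass values containing "group" denote User Groups and
# userPassword is the credential attribute. The sample LDIF is constructed.
import base64
from typing import Dict, List

TOP_LEVEL_DN = "dc=stonegate"
CREDENTIAL_ATTRS = {"userpassword"}   # assumed attribute name, compared lowercased

SAMPLE_LDIF = """\
# constructed sample export, not real data
dn: dc=stonegate
objectClass: dcObject
dc: stonegate

dn: cn=Admins,dc=stonegate
objectClass: groupOfNames
cn: Admins
description:: U3lzdGVtIGFkbWlucw==
member: cn=alice,dc=stoneg
 ate

dn: cn=alice,dc=stonegate
objectClass: person
cn: alice
userPassword: s3cret

dn: cn=Nested,cn=Admins,dc=stonegate
objectClass: groupOfNames
cn: Nested
"""


def parse_ldif(text: str) -> List[Dict[str, object]]:
    """Split LDIF into entries of the form {'dn': str, 'attrs': {name: [values]}}.

    Handles comment lines, folded lines (a continuation line starts with one
    space) and base64 values written as 'attr:: <base64>'. Attribute names are
    lowercased; DNs and values are kept as written.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold onto the previous line
        elif not raw.startswith("#"):
            lines.append(raw)

    entries: List[Dict[str, object]] = []
    current = None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line.strip() == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):           # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute {name} appears before any dn")
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def parent_dn(dn: str) -> str:
    """Parent of a DN. Assumes RDN values contain no escaped commas."""
    return dn.split(",", 1)[1].strip() if "," in dn else ""


def is_user_group(entry: Dict[str, object]) -> bool:
    classes = [c.lower() for c in entry["attrs"].get("objectclass", [])]
    return any("group" in c for c in classes)


def check_import_file(entries: List[Dict[str, object]]) -> List[str]:
    """Groups that sgImportExportUser action=import would not accept."""
    problems = []
    for entry in entries:
        if is_user_group(entry) and parent_dn(entry["dn"]).lower() != TOP_LEVEL_DN:
            problems.append(f"{entry['dn']}: User Group is not directly under {TOP_LEVEL_DN}")
    return problems


def credential_entries(entries: List[Dict[str, object]]) -> List[str]:
    """DNs whose attributes include plaintext credentials."""
    return [e["dn"] for e in entries if CREDENTIAL_ATTRS & set(e["attrs"])]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(f"{len(parsed)} entries")
    for problem in check_import_file(parsed):
        print("import problem:", problem)
    for dn in credential_entries(parsed):
        print("contains plaintext credentials:", dn)
```

Run against a real export, the credential list tells you which entries make the file sensitive; a non-empty problem list before an import means the nested group has to be moved directly under dc=stonegate first.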
Command: sgInfo
Description: Creates a ZIP file that contains copies of configuration files and the system trace files. The resulting ZIP file is stored in the logged-in user's home directory. The file location is displayed on the last line of screen output. Provide the generated file to Stonesoft support for troubleshooting purposes.

Command: sgRecoverMgtDatabase (located in <installation directory>/bin/install)
Description: Restores a Management Server backup from one Management Server on another Management Server.
-h or --help displays the help message.
backup specifies the location of the backup file. If this is not specified, you are prompted to select the backup file from a list of files found in the backups directory.
-nodiskcheck disables the free disk space check before the backup restoration.
standby-server specifies the name of the Management Server on which you are running the script.

Command: sgReinitializeLogServer
Description: Creates a new Log Server configuration if the configuration file has been lost.

Command: sgRestoreArchive ARCHIVE_DIR
Description: Restores logs from archive files to the Log Server. This command is available only on the Log Server. ARCHIVE_DIR is the number of the archive directory (0-31) from where the logs will be restored. By default, only archive directory 0 is defined. The archive directories can be defined in the <installation directory>/data/LogServerConfiguration.txt file: ARCHIVE_DIR_xx=PATH.

Command: sgRestoreAuthBackup
Description: Restores the Authentication Server user information from a backup file in the <installation directory>/backups/ directory. Apply the Authentication Server's configuration after this command.

Command: sgRestoreCertificate
Description: Restores the Certificate Authority (CA) or the Management Server certificate from a backup file in the <installation directory>/backups/ directory.

Command: sgRestoreLogBackup
Description: Restores the Log Server (logs and/or configuration files) from a backup file in the <installation directory>/backups/ directory.

Command: sgRestoreMgtBackup
Description: Restores the Management Server (database and/or configuration files) from a backup file in the <installation directory>/backups/ directory.
Command: sgRevert
Description: Note! This script is located in the <installation directory>/uninstall/ directory. Reverts to the previous installation saved during the upgrade process. The previous installation can be restored at any time, even after a successful upgrade.

Command: sgShowFingerPrint
Description: Displays the CA certificate's fingerprint on the Management Server. Compare this value, obtained out of band, with the fingerprint presented when a new component or Management Client first connects before trusting that connection.

Command: sgStartAuthSrv
Description: Starts the Authentication Server.

Command: sgStartLogDatabase
Description: Starts the Log Server's database. (The Log Server's database is started and stopped automatically when starting/stopping the Log Server service.)

Command: sgStartLogSrv
Description: Starts the Log Server and its database.

Command: sgStartMgtDatabase
Description: Starts the Management Server's database. There is usually no need to use this script.

Command: sgStartMgtSrv
Description: Starts the Management Server and its database.

Command: sgStartWebPortalSrv
Description: Starts the Web Portal Server.

Command: sgStopLogSrv
Description: Stops the Log Server.

Command: sgStopMgtSrv
Description: Stops the Management Server and its database.

Command: sgStopMgtDatabase
Description: Stops the Management Server's database. There is usually no need to use this script.

Command: sgStopWebPortalSrv
Description: Stops the Web Portal Server.

Command: sgStopRemoteMgtSrv [host=<Management Server Host Name>] [port=<port number>] [login=<login name>] [pass=<password>]
Description: Stops the Management Server service when run without arguments. To stop a remote Management Server service, provide the arguments to connect to the Management Server.
host is the Management Server's host name if not localhost.
port is the Management Server's Management Client port number (by default, 8902).
login is a StoneGate administrator account for the login.
pass is the password for the administrator account.
79
Command
Description
Displays or exports current or stored logs. This command is available on the Log Server. Enclose the file and filter names in double quotes if they contain spaces. The pass parameter defines the password for the user account used for this operation. The e parameter defines the filter that you want to use for filtering the log data. Type the name as shown in the Management Client. The f parameter defines the StoneGate exported filter file that you want to use for filtering the log data. The format parameter defines the file format for the output file. If this parameter is not defined, the XML format is used. The host parameter defines the address of the Management Server used for checking the login information. If this parameter is not defined, Management Server is expected to be on the same host where the script is run. If Domains are in use, you can specify the Domain the Log Server belongs to. If domain is not specified, the Shared Domain is used. The login parameter defines the username for the account that is used for this export. If this parameter is not defined, the username root is used. The o parameter defines the destination output file where the logs will be exported. If this parameter is not defined, the output is displayed on screen. The m parameter defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used. The -h option displays information on using the script. The -v option displays verbose output on command execution.
sgTextBrowser pass=<password> [ e=<filter expression> ] [ f=<filter file> ] [ format=CSV|XML|CEF] [host=<Management Server address [\Domain]>] [login=<login name> ] [ o=<output file> ] [ m=current|stored ] [ -v ] [ -h ]
80
Engine Commands

The commands in the following two tables can be run on the command line on the analyzer, firewall, and/or sensor engines.

Table A.2 StoneGate-Specific Command Line Tools on Engines

sg-blacklist show [-v] [-f FILENAME] | add [ [-i FILENAME] | [src IP_ADDRESS/MASK] [dst IP_ADDRESS/MASK] [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] ] | del [ [-i FILENAME] | [src IP_ADDRESS/MASK] [dst IP_ADDRESS/MASK] [proto {tcp|udp|icmp|NUM}] [srcport PORT{-PORT}] [dstport PORT{-PORT}] [duration NUM] ] | iddel NODE_ID ID | flush
    Engine type: firewall, sensor
    Can be used to view, add, or delete active blacklist entries. The blacklist is applied as defined in Access Rules.
    Commands:
    show displays the current active blacklist entries in the format: engine node ID | blacklist entry ID | (internal) | entry creation time | (internal) | address and port match | originally set duration | (internal) | (internal). Use the -f option to specify a storage file to view (/data/blacklist/db_<number>). The -v option adds operation details to the output.
    add creates a new blacklist entry. Enter the parameters (see below) or use the -i option to import parameters from a file.
    del deletes the first matching blacklist entry. Enter the parameters (see below) or use the -i option to import parameters from a file.
    iddel NODE_ID ID removes one specific blacklist entry on one specific engine. NODE_ID is the engine's ID, ID is the blacklist entry's ID (as shown by the show command).
    flush deletes all blacklist entries.
    Add/Del Parameters: Enter at least one parameter. The default value is used for the parameters that you omit. You can also save parameters in a text file; each line in the file is read as one blacklist entry.
    src IP_ADDRESS/MASK defines the source IP address and netmask to match. Matches any IP address by default.
    dst IP_ADDRESS/MASK defines the destination IP address and netmask to match. Matches any IP address by default.
    proto {tcp|udp|icmp|NUM} defines the protocol to match by name or protocol number. Matches all IP traffic by default.
    srcport PORT[-PORT] defines the TCP/UDP source port or range to match. Matches any port by default.
    dstport PORT[-PORT] defines the TCP/UDP destination port or range to match. Matches any port by default.
    duration NUM defines in seconds how long the entry is kept. Default is 0, which cuts current connections, but the entry is not kept.
    Examples:
    sg-blacklist add src 192.168.0.2/32 proto tcp dstport 80 duration 60
    sg-blacklist add -i myblacklist.txt
    sg-blacklist del dst 192.168.1.0/24 proto 47
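As an added example (not part of the guide and not Stonesoft's tooling), a small Python checker for a blacklist import file of the kind passed to sg-blacklist add -i. It assumes each line carries the same key/value tokens as the command line, rejects malformed addresses, ports and protocol/port combinations, and flags catch-all entries before the file reaches an engine.

```python
"""Sanity-check an sg-blacklist parameter file before importing it with
"sg-blacklist add -i FILE".  Added example, not Stonesoft code.  Assumption
(the guide only says "each line in the file is read as one blacklist entry"):
a line carries the same key/value tokens as the command line, for example
"src 192.168.0.2/32 proto tcp dstport 80 duration 60".
"""
import ipaddress
import re

KNOWN_KEYS = ("src", "dst", "proto", "srcport", "dstport", "duration")
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}       # names the tool accepts
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")   # PORT or PORT-PORT


def parse_entry(line):
    """Parse one entry into typed values; raise ValueError on anything dubious."""
    tokens = line.split()
    if not tokens or len(tokens) % 2:
        raise ValueError(f"empty entry or dangling token in {line!r}")
    raw = {}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown parameter {key!r}")
        if key in raw:
            raise ValueError(f"duplicate parameter {key!r}")
        raw[key] = value
    entry = {}
    for key, value in raw.items():
        if key in ("src", "dst"):
            # Documented form is IP_ADDRESS/MASK; strict=True rejects host bits set
            # under the mask (192.168.1.5/24), a classic way to block the wrong network.
            if "/" not in value:
                raise ValueError(f"{key} must be IP_ADDRESS/MASK, got {value!r}")
            entry[key] = ipaddress.ip_network(value, strict=True)
        elif key == "proto":
            if value in PROTO_NAMES:
                entry[key] = PROTO_NAMES[value]
            elif value.isdigit() and int(value) <= 255:
                entry[key] = int(value)
            else:
                raise ValueError(f"bad proto {value!r}")
        elif key in ("srcport", "dstport"):
            m = PORT_RE.match(value)
            if not m:
                raise ValueError(f"bad {key} {value!r}")
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"{key} out of range: {value!r}")
            entry[key] = (lo, hi)
        elif not value.isdigit():                     # duration
            raise ValueError(f"bad duration {value!r}")
        else:
            entry[key] = int(value)
    # Ports are only meaningful for TCP (6) or UDP (17); an explicit other
    # protocol combined with a port is almost certainly a typo.
    if ("srcport" in entry or "dstport" in entry) and entry.get("proto", 6) not in (6, 17):
        raise ValueError("srcport/dstport require proto tcp or udp")
    return entry


def is_catch_all(entry):
    """True when every match parameter was omitted: the entry hits all traffic."""
    return not any(k in entry for k in ("src", "dst", "proto", "srcport", "dstport"))


def check_file(text):
    """Validate a whole import file.  Returns (entries, errors, warnings)."""
    entries, errors, warnings = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_entry(line)
        except ValueError as exc:                     # ipaddress errors subclass ValueError
            errors.append(f"line {lineno}: {exc}")
            continue
        if is_catch_all(entry):
            warnings.append(f"line {lineno}: matches all traffic (no src/dst/proto/port)")
        if entry.get("duration", 0) == 0:
            warnings.append(f"line {lineno}: duration 0 cuts current connections only")
        entries.append(entry)
    return entries, errors, warnings


# Constructed sample file: the guide's two example entries plus three bad ones.
SAMPLE = """\
src 192.168.0.2/32 proto tcp dstport 80 duration 60
dst 192.168.1.0/24 proto 47
duration 300
src 10.0.0.5/24 proto tcp dstport 22 duration 60
dst 10.0.0.0/8 proto icmp dstport 80 duration 10
"""
```

check_file(SAMPLE) accepts the first three lines, warns about the second (no duration) and the third (catch-all), and rejects the last two.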
sg-bootconfig [--primary-console=tty0|ttyS PORT,SPEED] [--secondary-console=[tty0|ttyS PORT,SPEED]] [--flavor=up|smp] [--initrd=yes|no] [--crashdump=yes|no|Y@X] [--append=kernel options] [--help] apply
    Can be used to edit boot command parameters for future bootups.
    --primary-console=tty0|ttyS PORT,SPEED parameter defines the terminal settings for the primary console.
    --secondary-console=[tty0|ttyS PORT,SPEED] parameter defines the terminal settings for the secondary console.
    --flavor=up|smp [-kdb] parameter defines whether the kernel is uniprocessor or multiprocessor.
    --initrd=yes|no parameter defines whether the Ramdisk is enabled or disabled.
    --crashdump=yes|no|Y@X parameter defines whether the kernel crashdump is enabled or disabled, and how much memory is allocated to the crash dump kernel (Y). The default is 24M. X must always be 16M.
    --append=kernel options parameter defines any other boot options to add to the configuration.
    --help parameter displays usage information.
    apply command applies the specified configuration options.

sg-clear-all
    Use this only if you want to return a StoneGate appliance to its factory settings. Clears all configuration from the engine. You must have a local console connection to the engine to use this command.

sg-cluster [status [-c SECONDS]] [online] [lock-online] [offline] [lock-offline] [standby] [safe-offline]
    Engine type: firewall
    Used to display or change the status of the node.
    status [-c SECONDS] command displays cluster status. When -c SECONDS is used, status is shown continuously with the specified number of seconds between updates.
    online command sends the node online.
    lock-online command sends the node online and keeps it online even if another process tries to change its state.
    offline command sends the node offline.
    lock-offline command sends the node offline and keeps it offline even if another process tries to change its state.
    standby command sets an active node to standby.
    safe-offline command sets the node to offline only if there is another online node.

sg-contact-mgmt
    Used for establishing a trust relationship with the Management Server as part of engine installation or reconfiguration (see sg-reconfigure below). The engine contacts the Management Server using the one-time password created when the engine's initial configuration is saved.
sg-ipsec -d [-u <username[@domain]> | -si <session id> | -ck <ike cookie> | -tri <transform id> | -ri <remote ip> | -ci <connection id>]
    Engine type: firewall
    Deletes VPN-related information (use the vpninfo command to view the information). Option -d (for delete) is mandatory.
    -u deletes the VPN session of the named VPN client user. You can enter the user account in the form <username@domain> if there are several user storage locations (LDAP domains).
    -si deletes the VPN session of a VPN client user based on the session identifier.
    -ck deletes the IKE SA (Phase one security association) based on the IKE cookie.
    -tri deletes the IPsec SAs (Phase two security associations) for both communication directions based on the transform identifier.
    -ri deletes all SAs related to a remote IP address in gateway-to-gateway VPNs.
    -ci deletes all SAs related to a connection identifier in gateway-to-gateway VPNs.

(command name not in extracted text)
    Can be used in scripts to create log messages with the specified properties.
    -f FACILITY_NUMBER parameter defines the facility for the log message.
    -t TYPE_NUMBER parameter defines the type for the log message.
    -e EVENT_NUMBER parameter defines the log event for the log message. The default is 0 (H2A_LOG_EVENT_UNDEFINED).
    -i "INFO_STRING" parameter defines the information string for the log message.
    -s parameter dumps information on option numbers to stdout.
    -h parameter displays usage information.

(command name not in extracted text)
    Configures a new hard drive. This command is only for StoneGate appliances that support RAID (Redundant Array of Independent Disks) and have two hard drives.
    -status option displays the status of the hard drive.
    -add option adds a new empty hard drive. Use -add -force if you want to add a hard drive that already contains data and you want to overwrite it.
    -re-add adds a hard drive that is already partitioned. This command prompts for the drive and partition for each degraded array. Use -re-add -force if you want to check all the arrays.
    -help option displays usage information.
sg-reconfigure
    Used for reconfiguring the node manually.
    --boot option applies bootup behavior. Do not use this option unless you have a specific need to do so.
    --maybe-contact option contacts the Management Server if requested. This option is only available on firewall engines.
    --no-shutdown option allows you to make limited configuration changes on the node without shutting it down. Some changes may not be applied until the node is rebooted.

(command name not in extracted text)
    Runs cryptography tests on the engine. -d option runs the tests in debug mode. -h option displays usage information.

(command name not in extracted text)
    Displays information on the engine's status. -l option displays all available information on engine status. -h option displays usage information.

(command name not in extracted text)
    Switches the engine between the active and the inactive partition. This change takes effect when you reboot the engine. You can use this command, for example, if you have upgraded an engine and want to switch back to the earlier engine version. When you upgrade the engine, the active partition is switched. The earlier configuration remains on the inactive partition. To see the currently active (and inactive) partition, see the directory listing of /var/run/stonegate (ls -l /var/run/stonegate). The SHA1 SIZE option is used to verify the signature of the inactive partition before changing it to active. If you downgrade the engine, check the checksum and the size of the earlier upgrade package by extracting the signature and size files from the sg_engine_[version.build]_i386.zip file. --debug option reboots the engine with the debug kernel. --force option switches the active configuration without first verifying the signature of the inactive partition.

sg-upgrade
    Upgrades the node by rebooting from the installation CD-ROM. Alternatively, the node can be upgraded remotely using the Management Client.

sg-version
    Displays the software version and build number for the node.
sg-xorp
    Engine type: firewall
    Used for managing the XORP service on the engine. start command starts the XORP engine on the node. Once started, XORP continues to run until the stop command is issued, even if the node is rebooted. stop command stops the XORP engine on the node. restart command restarts the XORP engine on the node. backup command saves the current dynamic routing configuration in the specified file. restore command restores the dynamic routing configuration from the specified file. info displays version information for the currently installed version of XORP.

sgInfo
    Engine type: firewall
    Gathers system information you can send to Stonesoft support if you are having problems. Use this command only when instructed to do so by Stonesoft support. -f option forces sgInfo even if the configuration is encrypted. -d option includes core dumps in the sgInfo file. -s option includes slapcat output in the sgInfo file. -p option includes passwords in the sgInfo file (by default passwords are erased from the output). -- option creates the sgInfo file without displaying the progress. --help option displays usage information.

xorpsh
    Engine type: firewall
    Starts an interactive command shell for configuration of dynamic routing using XORP. See also sg-xorp.
The table below lists some general operating system commands that may be useful in running your StoneGate engines. Some commands can be stopped by pressing Ctrl+c.

Table A.3 General Command Line Tools on Engines

dmesg
    Shows system logs and other information. Use the -h option to see usage.
halt
    Shuts down the system.
ip
    Displays IP address information. Type the command without options to see usage. Example: type ip addr for basic information on all interfaces.
ping
    Tests connectivity with ICMP echo requests. Type the command without options to see usage.
ps
    Reports the status of running processes.
reboot
    Reboots the system.
scp
    Secure copy. Type the command without options to see usage.
sftp
    Secure FTP. Type the command without options to see usage.
ssh
    SSH client (for opening a terminal connection to other hosts). Type the command without options to see usage.
tcpdump
    Gives information on network traffic. Use the -h option to see usage.
top
    Displays the top CPU processes taking most processor time. Use the -h option to see usage.
traceroute
    Traces the route packets take to the specified destination. Type the command without options to see usage.
vpninfo
    Displays VPN information and allows you to issue some basic commands. Type the command without options to see usage.
sgagentd [-d] [-v level] [-c path] [test [files]] [syntax [files]]
    Allows you to test different configurations before activating them.
    -d Don't fork as a daemon. All log messages are printed to stdout or stderr only.
    -v level Set the verbosity level. The default level is 5. Levels 6-8 are for debugging where available.
    -c path Use the specified path as the first search directory for the configuration.
    test [files] Run in the test mode: status queries do not receive a response. If you specify the files, they are used for reading the configuration instead of the default files. The output is directed to syslog or eventlog instead of the console where the command was run unless you use the -d option.
    syntax [files] Check the syntax in the configuration file. If no files are specified, the default configuration files are checked. The output is directed to syslog or eventlog instead of the console where the command was run unless you use the -d option.
sgmon
    Sends a UDP query to the specified host and waits for a response until received, or until the timeout limit is reached. The request type can be defined as a parameter. If no parameter is given, status is requested. The commands are:
    status - query the status.
    info - query the agent version.
    proto - query the highest supported protocol version.
    -p port Connect to the specified port instead of the default port.
    -t timeout Set the timeout (in seconds) to wait for a response.
    -a id Acknowledge the received log messages up to the specified id. Each response message has an id, and you may acknowledge more than one message at a given time by using the id parameter. Note that messages acknowledged by sgmon will no longer appear in the firewall logs.
    host The IP address of the host to connect to. To get the status locally, you may give localhost as the host argument. This parameter is mandatory.
    Return value:
    0 if the response was received
    1 if the query timed out
    -1 in case of an error
APPENDIX B

This chapter lists the default ports used in connections between StoneGate components and the default ports StoneGate uses with external components. The following sections are included:
Management Center Ports (page 90)
Firewall/VPN Engine Ports (page 92)
IPS Engine Ports (page 96)
[Illustration (caption not in extracted text): labels Management Client, Log Server, Management Server. Ports shown: TCP 8914-8918; TCP 8902-8913 + 3021 (Log Server Certificate Request). See Table B.1 for the assignments.]

Illustration B.2 Default Destination Ports for Optional SMC Components and Features
[Illustration B.2 residue: labels External LDAP Server, Log Server, Management Server. Ports shown: TCP 8902-8913; TCP 3020.]
The table below lists all default ports SMC uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference. For information on communications between SMC components and the engines, see the separate listings.

Table B.1 Management Center Default Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element
Authentication Server | 8925-8929/TCP | Management Server | StoneGate Management Server commands to Authentication Server. | (not in extracted text)
Authentication Server node | 8988-8989/TCP | Authentication Server node | Data synchronization between Authentication Server nodes. | (not in extracted text)
DNS server | 53/UDP, 53/TCP | Management Client, Management Server, Log Server | DNS queries. | DNS (UDP)
LDAP server | 389/TCP | Management Server | External LDAP queries for display/editing in the Management Client. | LDAP (TCP)
Log Server | 162/UDP, 5162/UDP | Monitored third party components | SNMPv1 trap reception from third party components. Port 162 is used if installed on Windows, port 5162 if installed on Linux. | SNMP (UDP)
Log Server | 514/TCP, 514/UDP, 5514/TCP, 5514/UDP | Monitored third party components | Syslog reception from third party components. Port 514 is used if installed on Windows, port 5514 if installed on Linux. | (not in extracted text)
Log Server | 3020/TCP | Authentication Server, Log Server, Web Portal Server | Alert sending. | SG Log
Log Server | 8914-8918/TCP | Management Client | Log browsing. | SG Data Browsing
Log Server | 8916-8917/TCP | Web Portal Server | Log browsing. | SG Data Browsing (Web Portal Server)
Management Server | 3021/TCP | Log Server, Web Portal Server | System communications certificate request/renewal. | SG Log Initial Contact
Management Server | 8902-8913/TCP | Management Client, Log Server, Web Portal Server | Monitoring and control connections. | SG Control
Management Server | 8907/TCP | Authentication Server | Status monitoring. | SG Control
Monitored Third Party Components | 161/UDP | Log Server | SNMP status probing to external IP addresses. | (not in extracted text)
Primary Management Server | 8903, 8907/TCP | Secondary Management Servers | Database replication (pull) to the secondary Management Server. | SG Control
RADIUS server | 1812/UDP | Management Server | RADIUS authentication requests for administrator logins. The default ports can be modified in the properties of the RADIUS Server element. | RADIUS (Authentication)
(not in extracted text) | 8902-8913/TCP | (not in extracted text) | Database replication (push) to the secondary Management Server. | SG Control
(not in extracted text) | 443/TCP | (not in extracted text) | Update packages, engine upgrades, and licenses from update.stonesoft.com and smc.stonesoft.com. | HTTPS
Syslog Server | 514/UDP, 5514/UDP | Log Server | Log data export to syslog servers. The default ports can be modified in the LogServerConfiguration.txt file. | (not in extracted text)
[Illustration (caption not in extracted text): Firewall and Other Node(s) in the Cluster. Ports shown: TCP 3002, 3003, 3010; UDP 3000, 3001 Multicast (Heartbeat interfaces).]

Illustration B.4 Default Destination Ports for Firewall/VPN Engine Service Communications
[Illustration B.4 residue: labels Firewall, LDAP Server, DNS Server, User Agent, RADIUS Server, TACACS+ Server, Server Pool, RPC Server, DHCP Server, SNMP Server, VPN Gateways, VPN Clients. Ports shown: TCP/UDP 53; TCP 16661; TCP 49; UDP 7777; TCP/UDP 111; UDP 67; UDP 68; UDP 161; UDP 162; UDP 500; UDP 2746; UDP 4500. See Table B.2 for the assignments.]
The table below lists all default ports StoneGate Firewall/VPN uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference.

Table B.2 Firewall/VPN Default Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element
Anti-virus signature server | 80/TCP | Firewall | Anti-virus signature update service. |
Authentication Server | 8925-8929/TCP | Firewall | User directory and authentication services. |
BrightCloud Server | 2316/TCP | Firewall | BrightCloud web filtering update service. |
DHCP server | (not in extracted text) | Firewall | Relayed DHCP requests and requests from a firewall that uses a dynamic IP address. |
(not in extracted text) | (not in extracted text) | Firewall | Dynamic DNS updates. |
(not in extracted text) | (not in extracted text) | Any | DHCP relay on firewall engine. |
Firewall | 68/UDP | DHCP server | Replies to DHCP requests. |
Firewall | 161/UDP | SNMP server | SNMP monitoring. |
Firewall | 500/UDP | VPN clients, VPN gateways | VPN negotiations, VPN traffic. |
Firewall | 636/TCP | Management Server | Internal user database replication. |
Firewall | 2543/TCP | Any | User authentication (Telnet) for Access rules. |
Firewall | 2746/UDP | StoneGate VPN gateways | UDP encapsulated VPN traffic. |
Firewall | 3000-3001/UDP | FW/VPN engine | (not in extracted text) |
Firewall | 3002-3003, 3010/TCP | FW/VPN engine | (not in extracted text) |
Firewall | 4500/UDP | VPN client, VPN gateways | VPN traffic using NAT-traversal. |
Firewall | 4950/TCP | Management Server | Remote upgrade. |
Firewall | 4987/TCP | Management Server | Management Server commands and policy upload. |
Firewall | 8888/TCP | Management Server | Connectivity monitoring; monitoring of blacklists, connections, and status for old engine versions. | SG Monitoring
Firewall | 15000/TCP | Management Server, analyzer | Blacklist entries. | SG Blacklisting
LDAP server | 389/TCP | Firewall | External LDAP queries, including StartTLS connections. | LDAP (TCP)
Log Server | 3020/TCP | Firewall | Log and alert messages; monitoring of blacklists, connections, status, and statistics. | SG Log
Management Server | 3021/TCP | Firewall | System communications certificate request/renewal (initial contact). |
Management Server | 3023/TCP | Firewall | Monitoring (status) connection. |
Management Server | 8906/TCP | Firewall | Management connection for Single Firewalls with node-initiated contact selected. |
RADIUS server | 1812, 1645/UDP | Firewall | RADIUS authentication requests. |
RPC server | 111/UDP, 111/TCP | Firewall | RPC number resolve. |
Server Pool Monitoring Agents | 7777/UDP | Firewall | Polls to the servers' Server Pool Monitoring Agents for availability and load information. |
SNMP server | 162/UDP | Firewall | SNMP traps from the engine. |
TACACS+ server | 49/TCP | Firewall | TACACS+ authentication requests. |
User Agent | 16661/TCP | Firewall | Queries for matching Users and User Groups with IP addresses. |
VPN gateways | 500/UDP, 2746/UDP (StoneGate gateways only), or 4500/UDP | Firewall | VPN traffic. Ports 2746 and 4500 may be used depending on encapsulation options. | ISAKMP (UDP)
[Illustration (caption not in extracted text): IPS engine communications. Labels: Analyzer, Management Server, Other Node(s) in the Cluster. Ports shown: TCP 18890; TCP 4950, 18888; TCP 3021, 3023; TCP 3002, 3003, 3010; UDP 3000. See Table B.3 for the assignments.]
The table below lists all default ports StoneGate IPS uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference.

Table B.3 IPS-Specific Ports

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element
Analyzer | 514/UDP | Syslog server | Syslog messages forwarded to Analyzer. |
Analyzer | 4950/TCP | Management Server | Remote upgrade. |
Analyzer | 18889/TCP | Management Server | Management connection. |
Analyzer | 18890/TCP | Sensor | Event data sent from the Sensors. |
BrightCloud Server | 2316/TCP | Sensor | BrightCloud web filtering update service. |
Log Server | 3020/TCP | Analyzer, Sensor | Log and alert messages from Analyzers; recording file transfers from Sensors; and monitoring of blacklists, status, and statistics from Sensors. | SG Log
Management Server | 3021/TCP | Sensor, analyzer | System communications certificate request/renewal (initial contact). |
Management Server | 3023/TCP | Sensor, analyzer | Backup monitoring (status) connection. |
Sensor | 3000-3001/UDP | (not in extracted text) | (not in extracted text) |
Sensor | 3002, 3003, 3010/TCP | (not in extracted text) | (not in extracted text) |
Sensor | 4950/TCP | (not in extracted text) | (not in extracted text) |
Sensor | 18888/TCP | (not in extracted text) | (not in extracted text) |
Sensor | 15000/TCP | Sensor, firewall | Blacklist entries. | SG Blacklisting
INDEX

A
administration client, see management client
authentication server, installing, 26

B
binding licenses, 32

C
creating CD-ROMs, integrity of files, 14
certificate authority, checking fingerprint, 30
checksums, 14
command line installation, see non-graphical installation
command line tools, 71
commands
    engine, 81
    log server, 72
    management server, 72
compatibility with different platforms
contact addresses, 47-53
    exceptions, 51, 52
contact information, 10
customer support, 10

D
database user account, 23
date and time settings, 13
demo mode, 27
documentation available, 9

I
installation files

L
licenses, 15
    binding, 32
    checking, 31, 61
    installing, 31, 61
    retained, 33
    upgrading, 15, 59-61
linux for management center
locations, 47-53
log server
    contact addresses, 51-53
    installing, 24-25
    starting, 33

M
management bound licenses, 32
management center
    components, 12
    installing, 19-42
    upgrading, 62
management client
    configuration files, 66
    installing, 20, 43-46
    installing using web start, 44-46
    logging in, 30
    setting location, 53
    starting, 29
    web start, 46
management server
    contact addresses, 51-53
    database user account, 23
    installing, 23-24
    starting, 29
MD5 checksum, 14
monitoring server, see web portal server

S
secondary management servers, installing, 37-40
servers
    authentication server, 26
    certifying, 34
    log server, 24-25
    management server, 23-24
    secondary management servers, 37-40
    starting manually, 33
    web portal server, 25
sgadmin user account, 20
SHA-1 checksum, 14
starting
    log server, 33
    management client, 29
    management server, 29
    servers manually, 33
    web portal server, 33
stonegate architecture, 12
support services, 10
supported platforms, 13
system architecture, 12
system requirements, 10

W
web portal server
    installing, 25
    starting, 33
web start, 43-46
    enabling web start server, 44-45
    web start files, creating manually, 45-46
StoneGate Guides

Administrator's Guides - step-by-step instructions for configuring and managing the system.
Installation Guides - step-by-step instructions for installing and upgrading the system.
Reference Guides - system and feature descriptions with overviews to configuration tasks.
User's Guides - step-by-step instructions for end-users.

Stonesoft Corporation
Itälahdenkatu 22 A
FI-00210 Helsinki
Finland
Tel. +358 9 476 711
Fax +358 9 4767 1349

Stonesoft Inc.
1050 Crown Pointe Parkway
Suite 900
Atlanta, GA 30338
USA
Tel. +1 770 668 1125
Fax +1 770 668 1131

Copyright 2011 Stonesoft Corporation. All rights reserved. All specifications are subject to change.