3Com® X Family Local Security Manager User’s Guide
X5 (25-user license) – 3CRTPX5-25-96
X5 (unlimited license) – 3CRTPX5-U-96
X506 – 3CRX506-96
Version 2.5.1
Part Number TECHD-176 Rev B01
Published April 2007
http://www.3com.
3Com Corporation 350 Campus Drive Marlborough, MA 017523064 Copyright © 2005–2007, 3Com Corporation and its subsidiaries. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
About This Guide
Explains who this guide is intended for, how the information is organized, where information updates can be found, and how to obtain customer support if you cannot resolve a problem.
Welcome to the Local Security Manager (LSM). The LSM is the control center from which you can configure, monitor, and report on the X family devices in your network.
Conventions
This guide follows several procedural and typographical conventions to provide clear and understandable instructions and descriptions. These conventions are described in the following sections.
Menu Navigation
The LSM provides drop-down menu lists to navigate and choose items in the user interface. Each instruction that requires moving through the menus uses an arrow (>) to indicate the movement. For example, Edit > Details means: select the Edit menu item, then click the Details option.
Sample Procedure
STEP 1 Click the Filters tab.
STEP 2 Place your mouse cursor over the Open menu.
Screen Captures
The instructions and descriptions in this document include images of screens.
Note
Notes tell you about information that might not be obvious or that does not relate directly to the current topic, but that may affect relevant behavior. For example:
Note If the device is not currently under SMS control, you can find out the IP address of the last SMS that was in control by checking the SMS & NMS page (System > Configuration > SMS/NMS).
Tip
Tips are suggestions about how you can perform a task more easily or more efficiently.
Customer Support
Please take a moment to gather some basic information from your records and from your system before contacting customer support.
Information: Location
Your X family device serial number: You can find this number in the LSM on the System Summary page, on the shipping invoice that came with the device, or on the bottom of the device.
Your TOS version number: You can find this information in the LSM on the Device Summary page, or by using the CLI show version command.
1 System Overview
The X family device is a high-speed, comprehensive security system with a browser-based manager called the Local Security Manager (LSM). The Overview section describes the LSM functions and their use in the X family device.
Overview
Enterprise security schemes once consisted of a conglomeration of disparate, static devices from multiple vendors.
The X family firewall functionality provides service-level, stateful inspection of network traffic. It incorporates filtering functionality to protect mission-critical applications. An administrator can use firewalls and content filters to determine how the device handles traffic to and from a particular service. These filters are specified by the source, destination, and service or protocol of the traffic.
X Family Device
• usage policy by prohibiting the download of non-work-related web sites and offensive or illegal Web content.
• Bandwidth management — enforce network usage policy by rate-limiting applications such as peer-to-peer file sharing and instant messaging applications.
• Prioritization of traffic inside and outside VPN tunnels with flexible, policy-based controls.
When the X family device is installed and configured, it protects your network zones (LAN, WAN, and VPN, for example) using firewall rules and IPS filters. The device scans and reacts to network traffic according to the actions configured in the firewall rule or IPS filter. Each security zone and device can use a different set of firewall rules and IPS filters.
2 LSM Navigation
LSM Navigation describes the LSM interface, how to log in, and the general sections of the application.
Overview
The Local Security Manager (LSM) is a graphical user interface (GUI) that makes configuring and monitoring your X family device easy by providing a user-friendly interface for administrative activities. You access the LSM through a browser. See “Log in to the LSM” on page 6 for more information.
In addition, you can configure the LSM to communicate using either an HTTP or an HTTPS server. The default configuration is to use an HTTPS server. Whenever the device is connected to your network, you should run the HTTPS server, not the HTTP server. HTTP servers are not secure because your user name and password travel over your network unencrypted.
Logging In
Figure 2–1: LSM Logon Page
STEP 2 Enter your Username.
STEP 3 Enter your Password.
STEP 4 Click Log On.
The LSM validates your account information against the permitted users of the software. If the information is valid, the LSM software opens. If the account information is not valid, the Login page is redisplayed.
Note Only 10 Web client and 10 SSH (for CLI) connections are allowed to connect to a device at once.
LSM Screen Layout
The LSM provides features in two main areas of the browser window:
• Main Menu Bar — Located at the top of the browser window (see item 1 in the figure). This area provides quick access to the System Summary page, online help, and current user and device status.
• Navigation — Located on the left side bar of the browser window (see item 2 in the figure). The Navigation bar provides access to the LSM menu functions.
Main Menu Bar
The dark blue bar at the top of the LSM screen provides quick access to basic logon information. The following table lists the available options in the Main Menu Bar:
Table 2–1: Main Menu Bar Options
Option: Description
System Summary: To display the System Summary, click the System Summary icon. For information about this page, see “System Summary” on page 12.
Online Help: To access the X family online help, click the Launch Help Window icon.
Navigation
You can access the available features of the LSM by selecting an option from the navigation area. The LSM displays the page you select in the content and functionality area of the browser.
Table 2–2: Navigation Options (Continued)
Option: Description
Network:
• Configure network ports, security zones, IP interfaces, IP Address Groups, the DNS server, the default gateway, routing, and DHCP server information.
• Access network tools for DNS lookup, find network path, traffic capture, ping, and trace route functionality.
See Chapter 6, “Network” for more information.
Authentication: Create, modify, and manage user accounts. Configure authentication.
System Summary
The System Summary page automatically displays when you first log onto the LSM. To redisplay the System Summary page at any time, click the System Summary icon in the Main Menu Bar. The System Summary page includes the following:
• System Status — Displays summary information about the device health, packet statistics, and network DHCP. Also provides access to the Reboot Device function.
• Log Summary — Displays summary information about all the Event Logs.
Packet Stats
The Packet Stats section provides basic traffic statistics, including the following:
• Received — Total number of packets received and scanned by the Threat Suppression Engine
• Blocked — Total number of packets that have been blocked by the Threat Suppression Engine
• Rate Limited — The number of packets that matched a filter configured to a permit action set
• Dropped — Total number of packets that have been dropped because they are not properly formed or formatted
To reset t
For more detailed information about these logs, select Events > Logs.
Product Specifications
The Product Specifications section displays the following information:
• Model Number — Model number of the device.
• Product Code — The device product code.
• Serial Number — Serial number of the device.
• TOS Version — Version number of the TOS software.
• Digital Vaccine — Version number of the Digital Vaccine.
• Boot Time — Time when the device was last started.
3 IPS Filtering
The default security profile is set to the ANY ==> ANY security zone pair with all IPS filters configured with the default Digital Vaccine settings. With the default profile in place, all incoming and outgoing traffic in any security zone configured on the device is monitored according to the recommended IPS filter configuration.
Security Profiles
On the X family device, Security Profiles are used to apply DV filter policies. A Security Profile defines the traffic to be monitored based on security zones (for example, ANY ==> ANY, LAN ==> WAN, or WAN ==> LAN) and the DV filters to be applied. A Security Profile consists of the following components:
• Identification — Profile name and description.
• Security Zones — Specifies the incoming and outgoing security zones to which the Security Profile applies.
Example 2: Security Profile Zone Configuration
Security Profile: Applies To Security Zone Pair
#4: ANY ==> ANY
#5: ANY ==> WAN
#6: LAN ==> WAN
In Example 2, a packet going from the LAN zone to the WAN zone matches Security Profiles #4, #5 and #6. However, the X family device applies filtering rules from Security Profile #6 to the packet because the LAN zone is more specific than the ANY zone.
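The zone-pair precedence from Example 2, written out as an added Python example (not code from the guide or from 3Com): a packet's zone pair is matched against every profile and the most specific pair wins. The profile numbers mirror Example 2; the specificity count and the handling of a tie between two equally specific pairs (which the guide does not define) are assumptions.

```python
# Added example, not from the 3Com guide. Models the Security Profile selection
# described in Example 2: a named zone is more specific than ANY, so for a
# LAN ==> WAN packet profile #6 (LAN ==> WAN) beats #5 (ANY ==> WAN) and
# #4 (ANY ==> ANY).
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class SecurityProfile:
    number: int
    incoming: str   # incoming (source) security zone, or ANY
    outgoing: str   # outgoing (destination) security zone, or ANY


def matches(profile: SecurityProfile, src_zone: str, dst_zone: str) -> bool:
    """A profile applies when each of its zones is ANY or equals the packet's zone."""
    return (profile.incoming in (ANY, src_zone)
            and profile.outgoing in (ANY, dst_zone))


def specificity(profile: SecurityProfile) -> int:
    # Assumption: each named (non-ANY) zone adds one level of specificity.
    return int(profile.incoming != ANY) + int(profile.outgoing != ANY)


def matching_numbers(profiles, src_zone: str, dst_zone: str):
    """Numbers of all profiles whose zone pair covers the packet, in table order."""
    return [p.number for p in profiles if matches(p, src_zone, dst_zone)]


def select_profile(profiles, src_zone: str, dst_zone: str):
    """Return the profile the device applies, or None when no profile covers the
    zone pair (the guide says such traffic is not inspected by the IPS)."""
    candidates = [p for p in profiles if matches(p, src_zone, dst_zone)]
    if not candidates:
        return None
    best = max(specificity(p) for p in candidates)
    winners = [p for p in candidates if specificity(p) == best]
    if len(winners) > 1:
        # Assumption: the guide does not say how e.g. LAN ==> ANY vs ANY ==> WAN
        # is resolved, so flag the configuration rather than guess.
        raise ValueError(f"ambiguous profiles for {src_zone} ==> {dst_zone}: "
                         f"{[p.number for p in winners]}")
    return winners[0]


# Constructed to mirror Example 2 in the guide.
EXAMPLE_2 = [
    SecurityProfile(4, ANY, ANY),
    SecurityProfile(5, ANY, "WAN"),
    SecurityProfile(6, "LAN", "WAN"),
]

if __name__ == "__main__":
    print(matching_numbers(EXAMPLE_2, "LAN", "WAN"))        # [4, 5, 6]
    print(select_profile(EXAMPLE_2, "LAN", "WAN").number)   # 6
    print(select_profile(EXAMPLE_2, "VPN", "WAN").number)   # 5
    print(select_profile(EXAMPLE_2, "WAN", "LAN").number)   # 4
```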
Managing Security Profiles
Use the Security Profiles page (IPS > Security Profiles) to create and manage the Security Profiles used to apply IPS filtering to security zone traffic.
Figure 3–1: Security Profiles Page
The following table provides a summary of tasks available to configure and manage security profiles from the Security Profiles menu pages in the LSM.
Table 3–1: Security Profile Tasks (Continued)
Task: Procedure
Override global filter settings (create filter-level settings): On the Edit Security Profile page, in the Profile Details (Advanced) Filters section, click Search Filters. On the Search Filters page, locate the filter to override. Click the + icon to add the filter to the Security Profile. Then, edit the filter to customize the settings.
Table 3–2: Security Profile Details (Continued)
Parameter: Description
Security Zones: This section lists all the security zone pairs that are currently protected by a Security Profile.
Note If a Traffic Threshold has been configured with a Security Zone pair that is not protected by a Security Profile, the pair will be listed in the table in red along with the following message: No security profile is assigned to the security zones. Traffic will NOT be inspected by the IPS.
Settings table, change the global State or Action for a filter Category Group if required. For more detailed instructions, see “Edit Category Settings for a Filter Group” on page 30.
STEP 5 Click Create.
After you create the Security Profile, you can edit it and perform additional advanced configuration to create filter overrides and specify global limits and exceptions.
Edit a Security Profile
STEP 1 On the LSM menu, select IPS > Security Profiles.
IPS Digital Vaccine (DV) Filters
TippingPoint IPS Digital Vaccine (DV) Filters are used to monitor traffic passing between network security zones. Based on the Security Profiles configured on the device, the X family device applies the filters to traffic passing between network security zones. Each Security Profile has its own filter settings.
Filter Components
IPS filters have the following components, which determine the identity and type of the filter, its global and customized settings, and how the device responds when the Threat Suppression Engine finds traffic matching the filter:
• Category — defines the type of network protection provided by the filter. The category is also used to locate the filter in the LSM and to control the global filter settings using the Category Setting configuration.
Filter Override Settings
For the best system performance, we recommend that you use global Category Settings and the Recommended action set for all DV filters. However, in some cases you may need to override the category settings and recommended action for individual filters, either because of specific network requirements or because the recommended settings for a filter interact poorly with your network.
View DV Filters
You can view and manage filters configured for a Security Profile using either the Filters page or the Filter Search page. Both pages can be accessed from the Advanced Options Filters section of the Security Profile pages.
Filter Search
Filter search provides options to view all filters or only those matching user-specified search criteria. You can access the Filter Search page by clicking the Search Filters button when you are editing a Security Profile (IPS > Security Profiles, then edit a profile). You can sort filter search results by filter name, control type, action, or state by clicking a column heading in the Filters List table. The search is a string search and is not case sensitive.
Filter List Details
The following table describes the information and functions available on the Filters List page.
Table 3–4: Filter List Details
Parameter: Description
Search Interface: For details on the search criteria fields, see “Search Filter Criteria Parameters” on page 27.
Check Box: Use the check box for a filter entry to select it for editing.
For details on viewing filters on the Filter List page, see the following topics:
• “View Filters with Recommended (Default) Settings” on page 29
• “View Filter Overrides and Custom Settings” on page 29
View Filters with Recommended (Default) Settings
STEP 1 On the LSM menu, select IPS > Security Profiles.
installed on your network. From the LSM, you can modify the filter configuration for a Security Profile by category or by changing individual filter settings. You can make the following types of changes:
• Edit a Filter Category Group to enable/disable all filters in the group or change the assigned action for all filters in the group.
• Edit an individual filter or group of filters to modify the following settings: State, Action, Adaptive Filter Configuration State, Exceptions.
The following figure shows the Category Settings table.
Figure 3–3: Edit Security Profile Page - Advanced Options - Category Settings
Click Show Advanced Options if the Advanced Options table is not displayed.
STEP 4 Modify the settings as required:
• In the State field for the Category group, clear the check box to disable all filters in the group, or check it to enable all filters in the group.
Edit Individual Filter Settings
Note These instructions are for editing all Application Protection, Infrastructure Protection, and Performance Protection filters, with the exception of the Port Scan/Host Sweep filters available in the Application Protection: Reconnaissance category. For details on Port Scan/Host Sweep filters, see “Port Scan/Host Sweep Filters” on page 35.
STEP 1 From the LSM menu, click Security Profiles.
On the View Filter page, you can also add or remove the filter from Security Profiles using the check boxes in the Security Profiles table. After making changes, click Save.
STEP 6 In the Filters List table, select the filter or filters to edit:
• To select a single filter, click the + icon to add the filter to the Security Profile.
• To select multiple filters, select the check box for each filter. Then, click the Add Selected Filters button at the bottom of the Filters page.
Configure Filter Limits/Exceptions Based on IP Address
Limits and exceptions allow you to configure the device so that the filters in a Security Profile can be applied differently based on IP address. For example, you can specify a limit setting so that filters only apply to specified source and destination IP addresses or address ranges.
STEP 4 In the Application Protection Filter Setting Exceptions section, specify the IP address exceptions for Application Protection, Traffic Normalization, Network Equipment Protection and Performance Protection filters.
STEP 5 In the Performance Protection Filter Settings section, specify IP address limits for Performance Protection filters.
STEP 6 Click Apply.
Delete a Global Limit/Exception Setting
STEP 1 From the LSM menu, click IPS.
The Port Scan/Host Sweep Filters (filter numbers 7000–7004) available in the Application Protection Category - Reconnaissance group are designed to protect the network against these types of attacks. These filters monitor the rate of connections generated by hosts on the network. The filter triggers when the connection rate during a specified interval goes above a given threshold. The following figure shows the Port Scan/Host Sweep Filters added to the Security Profile for editing.
STEP 3
STEP 4 Locate the Port Scan/Host Sweep filters:
STEP A Click Search Filters. Then, on the Filter Search page, specify the search criteria:
STEP B In the Categories selection list, click Reconnaissance.
STEP C In the Severity selection list, click Low.
STEP D Click Search.
STEP E In the Filters List with the search results, click the >> page control button to go to the last page of the results.
Traffic Threshold Filters
Note The default X family configuration does not include any Traffic Threshold filters. You must create them based on your network requirements.
Traffic threshold filters alert you and the device when network traffic varies from the norm. The device determines normal traffic patterns based on network statistics gathered over time. You can set four types of thresholds for each filter:
• major increase — Traffic is greatly over the set threshold.
Managing Traffic Threshold Filters
You can manage Traffic Threshold filters from the Traffic Threshold Filters page (IPS > Traffic Threshold filters). The following figure shows the Traffic Threshold Filters page.
Figure 3–5: Traffic Threshold Filters Page
You can complete the following tasks from the Traffic Threshold Filters page:
• Create a filter
• Edit a filter
• Reset a Traffic Threshold filter - after a filter triggers, it does not resume monitoring until it is reset.
Table 3–5: Traffic Threshold Filters Details
Column: Definition
Units: The number of selected units per second. The unit values include packets, bytes, and connections per second.
Period: The period of time for the historical data. The period values include the last minute, hour, day, 7 days, 30 days, and 35 days.
Create or Edit a Traffic Threshold Filter
Use the Create or Edit Traffic Threshold Filter page to configure the Traffic Threshold filter for your environment. You must create a separate filter for each security zone pair that you want to monitor. The following figure shows the Create Traffic Threshold Filter page.
Traffic Threshold Configuration Parameters
The following table describes the Traffic Threshold filter configuration parameters.
Table 3–6: Traffic Threshold Filters Configuration Parameters
Column: Definition
Filter Name: Name of the filter.
Incoming Security Zone / Outgoing Security Zone: Select the security zones for the traffic source (incoming) and destination (outgoing). Only zones with a physical port are included in the selection list.
Table 3–6: Traffic Threshold Filters Configuration Parameters (Continued)
Column: Definition
Type: Select the traffic protocol or application type of the traffic to be monitored:
• Protocol — monitor traffic from the selected protocol: TCP, Other, ICMP, or UDP.
• Application — monitor traffic for the selected application type on the specified port: TCP or UDP and the Port.
Apply to: Specify whether the filter tracks requests, replies, or both.
STEP D For Below Normal Minor, select the Enabled check box and enter a percentage amount of normal. Then, select the action to perform when the filter triggers.
STEP 8 Select either the protocol or application Type for the traffic to be monitored:
• Protocol — Select the type of protocol from the drop-down list: TCP, Other, ICMP, or UDP.
• Application — Select the type of application, TCP or UDP, and enter the Port.
Action Sets
in the action set. For example, the user can display a Quarantine web page to notify the user of the problem and optionally provide instructions for fixing it, or the action may redirect all traffic from the quarantined IP address to a quarantine server that provides instructions to correct the problem.
Default Action Sets
The X family device is pre-configured with a collection of default Action Sets. You can edit the default settings for an action set, or create a new one. You cannot delete a default action set. The following action sets are available:
• Recommended
• Block
• Block + Notify
• Block + Notify + Trace
• Permit + Notify
• Permit + Notify + Trace
Managing Actions
Use the Action Sets page to review, create, and modify Action Sets. The following figure shows the Action Sets page:
Figure 3–7: IPS: Action Sets Page
You can complete the following tasks from the Action Sets page:
• View and manage existing actions. To sort the Actions listing by characteristics, use the link at the top of each column in the Action Sets list table.
Table 3–7: Action Sets Details (Continued)
Column: Description
TCP Reset: Indicates whether the option to reset a TCP connection is enabled. With TCP reset enabled, the device can reset the TCP connection for the source or destination IP when the Block action executes. This option can be configured on Block action sets.
Quarantine: Indicates whether the option to Quarantine an IP address is enabled.
STEP 6 Choose one or more Contacts by checking the box next to the appropriate Contact Name. If there are no contacts displayed, you must create an Email or SNMP Notification Contact first.
Note If using Quarantine on a managing SMS, you must add the SMS notification contact to the action sets for filters. Only filters with the SMS contact enabled on action sets are accessible through the SMS for quarantine.
STEP 7 Click Create.
For additional information on configuring Quarantine Action Sets, see the following topics:
• “Quarantine Action Set Configuration Parameters” on page 50
• “Configure a Quarantine Action Set” on page 51
Quarantine Action Set Configuration Parameters
The following table describes the Quarantine Action Set configuration parameters:
Table 3–8: Quarantine Action Set Configuration Parameters
Parameter: Description
Web Requests: Select an option to specify how the Quarantine action mana
Table 3–8: Quarantine Action Set Configuration Parameters (Continued)
Parameter: Description
Allow Quarantined Host Access: Configure a list of IP addresses that a quarantined host is still allowed to access if traffic from the host triggers the Quarantine Action Set.
Configure a Quarantine Action Set
STEP 1 From the LSM menu, click Action Sets.
STEP 2 On the Action Sets page, click Create Action Set, or click the pencil icon for a filter you want to edit.
STEP 11
STEP A In the Allow quarantined hosts to access the following IP address(es) table, enter a Destination Address.
STEP B Click add to table below.
STEP C Repeat to add multiple hosts.
Click Create/Save.
Notification Contacts
Configuring notification contacts allows you to send messages to a recipient (either human or machine) in response to a traffic-related event that occurs on the X family device.
minute timer starts. The device sends e-mail notifications until the threshold is reached. Any notifications received after the threshold is reached are blocked. After one minute, the device resumes sending email alerts. The device generates a message in the system log whenever email notifications are blocked.
CAUTION Short aggregation periods can significantly affect system performance. The shorter the aggregation period, the higher the system load.
Configure the Remote System Log Contact
CAUTION Remote syslog, in adherence to RFC 3164, sends clear-text log messages using the UDP protocol with no additional security protections. Therefore, you should only use remote syslog on a secure, trusted network to prevent syslog messages from being intercepted, altered, or spoofed by a third party.
STEP 1 From the LSM menu, select IPS > Action Sets. Then, on the Action Sets page, click the Notification Contacts tab.
You cannot delete a Notification Contact if it is currently configured on an Action Set.
STEP 3 On the confirmation dialog, click OK.
IPS Services
Use the Services page (IPS > Services) to add and manage non-standard ports supported by the device. This feature enables you to configure additional ports associated with specific applications, services, and protocols to expand scanning of traffic.
For additional information, see the following topics:
• “IPS Services Page Details” on page 56
• “Add a Port” on page 56
• “Delete a Port” on page 56
IPS Services Page Details
The IPS Services page provides the following information:
Table 3–9: IPS: IPS Services Details
Parameter: Definition
Application: Type of application/network service
Protocol: The protocol for the application
User-Defined Ports: The list of the custom ports defined on the X family device.
Preferences
Use the IPS Preferences page (IPS > Preferences) to configure settings related to the Threat Suppression Engine and filtering performance.
Configure Threat Suppression Engine (TSE)
On the IPS Preferences page, configure global settings for the TSE in the Configure Threat Suppression Engine table. Refer to the following table for a description of the TSE configuration parameters:
Table 3–10: IPS Preferences: TSE Configuration Parameters
Parameter: Description
Connection Table Timeout: Specifies the global timeout interval for the connection table.
Configure Global Settings for the TSE
STEP 1 From the LSM menu, select IPS > Preferences.
STEP 2 On the IPS Preferences page, in the Configure Threat Suppression Engine (TSE) table, change the configuration parameters as required. To configure the Quarantine Timeout, check Automatically release addresses from quarantine after specified duration. To configure Congestion Percentage and Disable Time for the disable logging feature, select Disabled if congested in the Logging Mode field.
Adaptive Filter Configuration
You can configure the global settings for the Adaptive Filter from the IPS Preferences page (IPS > IPS Preferences) and the Configure Adaptive Filter Events page (Events > Reports > Adaptive Filter). At the filter level, you have the option to disable Adaptive Filter configuration so that a filter is never impacted by Adaptive Filter settings on the device. For details, see “Edit DV Filter Category Settings” on page 29.
STEP 3 Select the Log Severity of the system log message that is automatically generated when a filter triggers the Adaptive Filter function.
STEP 4 Click Apply.
4 Firewall
The Firewall section describes how to enable, disable, and modify firewall rules and various features using the Firewall Rules table. This section also details virtual servers, services, service groups, and schedules.
Overview
The X family provides a Stateful Packet Inspection Firewall, providing session-level control for IP-based protocols.
You can view and manage Firewall Rules and configuration options from the Firewall menu pages. The menu provides the following options:
• Firewall Rules — Allows you to manage and configure security policy to monitor traffic between security zones. You can also specify IP hosts/subnets/ranges to monitor traffic within a specified zone. You can optionally configure services, rate limiting, scheduling, authentication, and web filtering as part of each firewall rule.
How Firewall Rule Enforcement Works
STEP 1 The user starts a web browser. The web browser resolves the DNS name for the URL and initiates a TCP connection to the target web server via the X family device.
STEP 2 The X family device inspects the session header and identifies the following information about the request:
• Source IP — The address of the device that initiated the request.
• Destination IP — The address of the device for which the request is intended.
The firewall rule table is searched from the top of the table to the end (if necessary) for the first firewall rule that matches the session. Thus, it is important to put the most specific rules (for example, those configured with user authentication, IP address groups/ranges, or web filtering) towards the top of the table. The following diagram illustrates how session requests are evaluated.
For additional information on setting up firewall rules, see the following topics:
• “Default Firewall Rules” on page 67
• “Managing Firewall Rules” on page 68
• “Firewall Services” on page 75
• “Schedules” on page 79
• “Virtual Servers” on page 82
Default Firewall Rules
The following table lists the default firewall rules available on the X family device. You can add, delete, or edit these rules.
Table 4–1: Default Firewall Rule Configuration (Continued)
ID | Action | Source Zone | Dest Zone | Service | Logging | State | Description
 | Permit | thisdevice | ANY | ANY | | Enabled | This is an implicit firewall rule that cannot be modified or viewed from the LSM. It is needed for AutoDV, Web Filtering, and other features. This rule also allows the Network Tools to operate.
 | Block | ANY | ANY | ANY | | Enabled | Implicit rule that blocks all other traffic with a silent drop.
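The top-down, first-match search described above is easy to get wrong when a broad Permit rule sits above a more specific Block rule. The following is an added example, not 3Com's code: a small simulator of the rule table with the two implicit rules from Table 4–1 appended at the end. The zone and service names, the host addresses (RFC 5737 documentation ranges) and the per-host restriction on a rule are constructed for illustration, and placing the implicit rules after every user-defined rule is an assumption (the guide states only that the table is searched top-down and that the final implicit rule silently blocks everything else).

```python
"""Added example (not 3Com's code): first-match evaluation of an ordered
firewall rule table with the two implicit default rules from Table 4-1.

Zone/service names, host addresses and the src_hosts restriction are
constructed; appending the implicit rules after all user rules is an
assumption."""
from dataclasses import dataclass

ANY = "ANY"


@dataclass
class Rule:
    action: str                # "Permit" or "Block"
    src_zone: str
    dst_zone: str
    service: str
    description: str = ""
    enabled: bool = True
    logging: bool = False
    # Constructed stand-in for the IP hosts/ranges advanced option: when set,
    # the rule matches only sessions from these source addresses.
    src_hosts: frozenset = frozenset()


@dataclass
class Session:
    src_ip: str
    src_zone: str
    dst_zone: str
    service: str


# The implicit rules of Table 4-1; they cannot be edited from the LSM.
IMPLICIT_RULES = [
    Rule("Permit", "thisdevice", ANY, ANY, "device-originated traffic"),
    Rule("Block", ANY, ANY, ANY, "silent drop of all other traffic"),
]


def rule_matches(rule: Rule, s: Session) -> bool:
    """A rule matches when every field is ANY or equal to the session's."""
    if not rule.enabled:
        return False
    if rule.src_zone not in (ANY, s.src_zone):
        return False
    if rule.dst_zone not in (ANY, s.dst_zone):
        return False
    if rule.service not in (ANY, s.service):
        return False
    if rule.src_hosts and s.src_ip not in rule.src_hosts:
        return False
    return True


def evaluate(rules, session):
    """Search the table top-down; the first matching rule decides.

    Returns (action, matched rule, log), where log names the log that
    receives an entry when the rule has logging enabled, or None."""
    for rule in list(rules) + IMPLICIT_RULES:
        if rule_matches(rule, session):
            log = None
            if rule.logging:
                log = ("Firewall Session Log" if rule.action == "Permit"
                       else "Firewall Block Log")
            return rule.action, rule, log
    raise AssertionError("the implicit Block rule matches everything")


# Constructed rule set: a specific Block for guest hosts and a broad Permit.
GUEST_HOSTS = frozenset({"192.0.2.50"})      # constructed (RFC 5737 range)
SPECIFIC = Rule("Block", "LAN", "WAN", "http", "guest hosts: no web",
                logging=True, src_hosts=GUEST_HOSTS)
BROAD = Rule("Permit", "LAN", "WAN", ANY, "LAN to Internet")
GOOD_ORDER = [SPECIFIC, BROAD]   # specific rule first
BAD_ORDER = [BROAD, SPECIFIC]    # specific rule shadowed by the broad one

GUEST = Session("192.0.2.50", "LAN", "WAN", "http")
STAFF = Session("192.0.2.10", "LAN", "WAN", "http")


if __name__ == "__main__":
    for name, order in (("specific first", GOOD_ORDER), ("broad first", BAD_ORDER)):
        action, rule, log = evaluate(order, GUEST)
        print(f"{name}: guest -> {action} by '{rule.description}', log={log}")
    wan = Session("203.0.113.5", "WAN", "LAN", "http")
    print("unsolicited WAN->LAN:", evaluate([], wan)[0])
```

Running it shows the guest host blocked (and logged to the Firewall Block Log) only when the specific rule is above the broad Permit; with the order reversed, the broad rule matches first and the Block rule is never reached. A session with no user-defined match falls through to the implicit silent Block.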
The following figure shows the Firewall Rules page.
Figure 4–2: FIREWALL - Firewall Rules Page
You can complete the following tasks from the Firewall Rules page:
• Create/Edit a firewall rule
• Delete a firewall rule
• Filter the Firewall Rules List to display only those configured for a user-specified Source and Destination zone
Table 4–2: Firewall Rules List Details (Continued)
Column | Description
Service | The service or service group associated with the firewall rule. The firewall rule applies only to a session request for the specified service, or for a service within the specified Service Group. If ANY is specified, the firewall rule applies to all available services.
Advanced | The icons indicate which advanced options are enabled for the firewall rule.
Configuring Firewall Rules
When configuring a firewall rule, you must define the action, logging options, and other components that make up the rule. Before you can configure the firewall rule, these components should be configured so that they are available for selection during the configuration process.
the device. If a local user has not been authenticated, the rule is ignored and lower-priority rules are examined to find a match for the session.
Note For additional information on the advanced options, refer to the Concepts Guide.
Configuration Notes
• When a firewall rule is created, the default settings are to enable the firewall rule, disable local and remote logging, and position the firewall rule at the end of the firewall rules table.
STEP G To record sessions matching this firewall rule in the Firewall Session Log (for permitted sessions) or the Firewall Block Log (for blocked sessions), check Enable logging. To offload log entries to a remote syslog server, check Enable syslog logging.
STEP 4 In the Network table, configure the Source zone parameters.
STEP A From the Source Zone drop-down list, select the source security zone for this firewall rule.
To control the rate of traffic flow between zones, configure bandwidth management as follows:
STEP A STEP B In the Type field, choose the type of bandwidth management to be applied, either:
• Select Per Rule to indicate that the total bandwidth will be shared by all sessions that match the rule.
• Select Per Session to indicate that the specified amount of bandwidth will be available to every session that matches the rule.
STEP 3 On the Edit Firewall Rule page in the Firewall Rule Setup table, click the Enable check box to enable the rule. To disable the rule, clear the check box.
STEP 4 Click Save.
Change the Order in which Firewall Rules are Applied
STEP 1 From the LSM menu, select Firewall > Firewall Rules.
STEP 2 On the Firewall Rules page, select the row you want to move. Then, drag the rule to the desired location.
Service and Service Groups have been configured, you can assign them to firewall rules or virtual servers based on your network security requirements. Use the Firewall Services page (Firewall > Services) to view and manage Services and Service Groups. The following figure shows the Firewall Services page.
Firewall Services Page Field Descriptions
The following table describes the fields available on the Firewall Services page.
Table 4–3: Firewall Service and Service Group Information
Column | Description
Firewall Services
Service | The name of the service. This name displays in the Service drop-down selection list for firewall and virtual interface configuration.
Protocol | The IP protocol used by the service.
STEP 4
• From the Type drop-down list, select the service type. Protocol types supported are TCP, UDP, ICMP, and IP.
• If the service type is IP, enter the protocol number.
Click Save. Click Cancel to return to the Firewall Services page without saving the changes.
Editing a Service
STEP 1 On the LSM menu, select Firewall > Services.
STEP 2 On the Firewall Services page, click the service name or Edit icon to edit an existing user-defined service.
Schedules
STEP 4 For each service you want to add to the group, select the service from the Service drop-down list. Then, click the Add button.
STEP 5 After adding all services, review the Service table to verify the changes.
STEP 6 Click Create to save the new Service Group and update the Firewall Services page.
Edit a Service Group
STEP 1 From the LSM menu, select Firewall > Services to open the Firewall Services page.
You can apply the same schedule to as many firewall rules as required. For device maximum configurable values, see Appendix D, “Device Maximum Values”. Use the Schedules page (Firewall > Schedules) to view and manage Firewall schedules.
Table 4–4: Schedules Page: Field Descriptions (Continued)
Field | Description
• Edit a schedule to add or remove scheduled time intervals. (Click the linked Schedule name to edit the schedule.)
• Delete a Schedule.
STEP 5 Click Save/Create. Click Cancel to return to the Firewall - Schedules page without saving the Schedule.
Delete Days and Times from an Existing Schedule
STEP 1 From the LSM menu, select Firewall > Schedules.
STEP 2 On the Schedules page in the Schedule List table, click the linked Schedule name to access the Edit Schedule page.
STEP 3 In the Schedule table, click the Delete icon next to the schedule entry you want to delete.
Virtual Servers
Virtual Servers page
Use the Virtual Servers page (Firewall > Virtual Servers) to view and configure Virtual Servers.
Configuring Virtual Servers
For device maximum configurable values, see Appendix D, “Device Maximum Values”. The following information applies to Virtual Server configuration:
• Virtual Server traffic is subject to firewall rules. You must set up a firewall rule to allow the traffic for the desired services through the device firewall. To allow incoming traffic, use the IP address, or the zone containing the IP address, of the LAN device as the destination address of the firewall rule.
Web Filtering
Configure a Virtual Server and Provide One-to-One NAT
STEP 1 From the LSM menu, select Firewall > Virtual Servers.
STEP 2 On the Virtual Servers page, to add a new virtual server, click Create. To edit an existing one, click the Edit icon for that server.
STEP 3 On the Create/Edit Virtual Server page, select the Service that will run on this virtual server.
Note To provide one-to-one NAT to a LAN client, select ALL from the Service drop-down list.
used to determine whether a Web site may be accessed or not. You must specify all rules to permit or block access to specific Web sites.
• Web Filter Service is a subscription service that provides filtering based on classifications of Web sites. Web sites are classified into Core Categories or Productivity Categories. You control Web site access by permitting or blocking access to these categories.
STEP 5 If there is no pattern match in the URL Block List, the device checks whether the Web Filter Service is licensed and enabled. If it is enabled, the device contacts the Web Filter Service server to determine whether the URL matches a category included in the Web Filter Service database. If a match is found in a blocked category, the request is filtered by executing the action configured for the Web Filter Service: block only, log only, or block and log.
If you create a Custom Filter, you can select the Create default firewall rule option to automatically generate the web filtering firewall rule. However, you will have to reposition the rule to the top of the firewall rule table after it has been generated.
STEP 5 Configure user privileges to bypass web filtering (optional). For details, see “Create/Edit a Privilege Groups” on page 254.
For details, see the following topics:
• “Web Filter General Configuration Parameters” on page 89
• “Configure Web filtering” on page 89
• “Web Filter Service” on page 90
• “Custom Filter List” on page 92
Web Filtering General Configuration Parameters
The following table describes the general configuration parameters to enable and configure the Web Filter functions available on X family devices.
STEP 3 In the Filtering Action table, configure the behavior for web filter events. This configuration determines how the device handles logging for blocked web requests. Select one of the following:
• To block requests without creating entries in the Firewall Block Log, even if the web filter firewall rule has logging enabled, select Block Only.
• To permit the requests and record them in the Firewall Block Log, select Log Only.
in a variety of languages (65 languages) from over 200 countries. Web sites are classified into two main categories:
• Core Categories cover web sites that contain offensive, potentially dangerous, or criminal content.
• The Web Filter Service blocks URLs that are included in any Core category by default. If necessary, you can change the default setting for any category to allow access. For a list of the category types, see “Core Categories” on page 282.
STEP 3
STEP A Clear the check box next to a category name to allow access. To block access, check the check box next to the category name.
STEP B Click Apply to save changes and apply the filtering.
To configure filters in the Productivity Categories table:
STEP A To block access, clear the check box next to the category name. To allow access, check the check box next to the category name.
STEP B Click Apply to save changes and apply the filtering.
You can complete the following tasks from the Custom Filter List page:
• Enable/disable Manual URL filtering using the Custom Filter List
• Create a default firewall rule with a web filter action
• Create Permit/Block Lists
• Delete a URL from the Permit/Block List
• Import the Permit and Block List from another X family device
• Export the Permit and Block List from the current device to a file
Custom Filter List Configuration Parameters and Functions
The following table describes the conf
STEP 3 Create and add the URL patterns to the Permit/Block lists:
STEP A In the Add URL Pattern table, select the Action to take when a web request matches the pattern: Permit or Block.
STEP B Type or edit the URL Pattern you want to match. If you are using a regular expression, check the Regular Expression check box. For details on creating regular expressions, see “Configure URL Patterns” on page 94.
STEP C Click Add.
Regular expression pattern matching enables you to enter regular expressions into the Permit/Block lists to identify URLs. URL patterns that match these expressions are either permitted or blocked. The simplest use of pattern matching is keyword blocking, where any URL containing a keyword is blocked regardless of its categorization. A valid regular expression must be between 3 and 64 characters in length and conform to the full regular expression syntax.
Value | Description
"[xyz]\"images" | The literal string [xyz]"images"
\x | If x is a, b, f, n, r, t, or v, then the ANSI-C interpretation of \x; otherwise, a literal x. This is used to escape operators such as *.
\0 | A NULL character
\123 | The character with octal value 123
\x2a | The character with hexadecimal value 2a
(r) | Matches an r, where r is any regular expression.
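The following added example (not 3Com's code) pulls together the Custom Filter List pattern rules above and the decision flow described under Web Filtering (Block list consulted before the Web Filter Service; Block Only / Log Only / Block and Log as the filtering action). It enforces the 3–64 character limit, treats a non-regex entry as a literal keyword so that operators such as * stay literal, and models the category lookup with a constructed in-memory table. The hostnames, URLs and category table are constructed stand-ins; checking the Permit list before the Block list, and applying the same filtering action to Custom Filter List blocks as to category blocks, are assumptions, since the guide only states that the Block list is checked before the service.

```python
"""Added example (not 3Com's code): Custom Filter List matching plus the
web filtering decision flow. Category table, hosts and URLs are constructed;
Permit-before-Block ordering and a shared filtering action are assumptions."""
import re
from urllib.parse import urlsplit

MIN_LEN, MAX_LEN = 3, 64                        # pattern length limits from the guide
FILTER_ACTIONS = ("Block Only", "Log Only", "Block and Log")


def pattern_is_valid(pattern: str) -> bool:
    return MIN_LEN <= len(pattern) <= MAX_LEN


def compile_pattern(pattern: str, is_regex: bool = False):
    """Validate a Permit/Block entry and compile it.

    A plain keyword is escaped so metacharacters stay literal; a regular
    expression is compiled as written, so escapes from the table above
    (\x2a, \123, \n, ...) are honoured by Python's re module."""
    if not pattern_is_valid(pattern):
        raise ValueError(f"pattern must be {MIN_LEN}-{MAX_LEN} chars: {pattern!r}")
    source = pattern if is_regex else re.escape(pattern)
    return re.compile(source, re.IGNORECASE)


class CustomFilterList:
    """Permit and Block lists; a Permit match is checked first (assumption)."""

    def __init__(self):
        self.permit = []     # (compiled regex, original text)
        self.block = []

    def add(self, action: str, pattern: str, is_regex: bool = False) -> None:
        target = {"Permit": self.permit, "Block": self.block}[action]
        target.append((compile_pattern(pattern, is_regex), pattern))

    def lookup(self, url: str):
        """Return "Permit", "Block", or None when no pattern matches."""
        for entries, action in ((self.permit, "Permit"), (self.block, "Block")):
            for rx, _ in entries:
                if rx.search(url):
                    return action
        return None


# Constructed stand-in for the Web Filter Service database and policy.
CATEGORY_DB = {"casino.example.net": "Gambling", "news.example.net": "News"}
BLOCKED_CATEGORIES = {"Gambling"}               # a Core category, blocked by default


def service_category(url: str):
    host = urlsplit(url).hostname or ""
    return CATEGORY_DB.get(host)


def _apply(action: str, reason: str):
    # Block Only: drop, no Firewall Block Log entry even if the rule logs.
    # Log Only: permit, but record the request in the Firewall Block Log.
    # Block and Log: drop and record.
    permitted = action == "Log Only"
    logged = action != "Block Only"
    return permitted, logged, reason


def filter_request(url: str, custom: CustomFilterList,
                   service_enabled: bool = True, action: str = "Block and Log"):
    """Return (permitted, logged, reason) for one web request."""
    if action not in FILTER_ACTIONS:
        raise ValueError(action)
    verdict = custom.lookup(url)
    if verdict == "Permit":
        return True, False, "custom permit list"
    if verdict == "Block":
        return _apply(action, "custom block list")
    if service_enabled:                          # licensed and enabled
        category = service_category(url)
        if category in BLOCKED_CATEGORIES:
            return _apply(action, f"category {category}")
    return True, False, "no match"


if __name__ == "__main__":
    cfl = CustomFilterList()
    cfl.add("Block", "games")                    # keyword blocking
    cfl.add("Permit", r"^https?://([a-z0-9-]+\.)?intranet\.example\.com/", is_regex=True)
    for u in ("http://www.example.org/games/", "https://wiki.intranet.example.com/games",
              "http://casino.example.net/", "http://news.example.net/"):
        print(u, "->", filter_request(u, cfl))
```

A Log Only action is the one to choose when validating a new pattern list: requests still reach the user, but every would-be block shows up in the Firewall Block Log, so false positives can be found before switching to Block and Log.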
5 Events: Logs, Traffic Streams, Reports
The Events section describes the logs, views, and reports available to monitor system performance and traffic-related events triggered by firewall rules, web filters, IPS filters, and traffic threshold policies. In this section, you will review the information presented in the Events pages and learn how to manage the logs and reports. Only users with Super-user access may view all of the logs and reports available.
Chapter 5 Events: Logs, Traffic Streams, Reports
Overview
The Events menu pages of the LSM allow you to monitor system performance and review traffic-related events. The menu provides the following options:
• Logs — View information on system events and traffic-related events triggered by firewall, IPS, and traffic threshold security policies.
• Managed Streams — Review and manage traffic streams that have been blocked, rate-limited, or quarantined by IPS policies.
Logs
Log Maintenance
The X family device maintains two files for each log: a historical log file and a current log file. When the current log file reaches the default size (4 MB), the log is de-activated and saved as the historical file. A new log file is started as the current log. If a historical file already exists, that file is deleted. When the log is rolled over, the device generates a message in the Audit log.
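The practical consequence of this scheme is that at most two files' worth of entries exist at any time, and the older historical file is lost on the second rollover unless it was downloaded or sent to a syslog server first. The following added example (not 3Com's code) models the current/historical rollover on disk; the file names, the Audit-log stand-in and the tiny size limit used by demo() are constructed, with the device default of 4 MB kept as the class default.

```python
"""Added example (not 3Com's code): current/historical log rollover as
described in Log Maintenance. File names and demo() limits are constructed."""
import tempfile
from pathlib import Path

DEFAULT_MAX_BYTES = 4 * 1024 * 1024   # default current-log size from the guide


class RollingLog:
    """One device log: a current file plus at most one historical file."""

    def __init__(self, directory, name, max_bytes=DEFAULT_MAX_BYTES):
        self.current = Path(directory) / f"{name}.log"
        self.historical = Path(directory) / f"{name}.historical.log"
        self.max_bytes = max_bytes
        self.audit = []                        # stand-in for Audit log messages
        self.current.touch()

    def write(self, line: str) -> None:
        with self.current.open("ab") as fh:
            fh.write((line + "\n").encode("utf-8"))
        if self.current.stat().st_size >= self.max_bytes:
            self._rollover()

    def _rollover(self) -> None:
        # Only one historical file is kept: an existing one is deleted first,
        # so its entries are gone unless they were exported beforehand.
        if self.historical.exists():
            self.historical.unlink()
        self.current.rename(self.historical)   # current becomes historical
        self.current.touch()                   # fresh, empty current log
        self.audit.append(f"Log {self.current.name} rolled over")

    def lines(self, which="current"):
        path = self.current if which == "current" else self.historical
        if not path.exists():
            return []
        return path.read_text("utf-8").splitlines()


def demo(entries=8, max_bytes=100):
    """Write fixed-size entries and report what survives the rollovers."""
    with tempfile.TemporaryDirectory() as tmp:
        log = RollingLog(tmp, "firewall-session", max_bytes=max_bytes)
        for i in range(1, entries + 1):
            log.write(f"{i:04d} " + "x" * 24)  # 29 chars + newline = 30 bytes
        return {
            "rollovers": len(log.audit),
            "historical": log.lines("historical"),
            "current": log.lines("current"),
        }


if __name__ == "__main__":
    result = demo()
    print("rollovers:", result["rollovers"])
    print("historical keeps:", result["historical"][0], "...", result["historical"][-1])
    print("current holds:", len(result["current"]), "entries")
```

With a 100-byte limit and 30-byte entries the log rolls over on the fourth and eighth writes; after the second rollover only entries 5 to 8 remain in the historical file and entries 1 to 4 are gone, which is the case the syslog forwarding described later in this chapter addresses.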
Table 5–1: Alert Log Field Descriptions (Continued)
Column | Description
Source Address | The source address of the triggering traffic
Dest Address | The destination address of the triggering traffic
Packet Trace | Details if a packet trace is available
Hit Count | Details how many packets have been detected
Audit Log
The audit log tracks user activity that may have security implications, including user attempts (successful and unsuccessful) to do the follow
Table 5–2: Audit Log Field Descriptions (Continued)
Column | Description
Component | The area in which the user performs an action (LOGIN, LOGOUT, and Launch Bar Tabs)
Result | The action performed or the result of a LOGIN or LOGOUT attempt
Action | The action performed as a result. For example, Log Files Reset.
IPS Block Log
The IPS Block log contains information about packets that have triggered an IPS filter configured with a Block + Notify action set.
Firewall Block Log
The Firewall Block Log captures information about events that have triggered a firewall rule that blocks matching traffic and has logging enabled. A log entry is generated for each of the following events:
• Block web request event: occurs when the X family device blocks a web request due to web filtering
• Block event: occurs when a firewall rule with Block action is triggered
Firewall Session Log
For firewall and web filter permit rules with logging enabled, this log captures information on session creation and termination, including the time the session started and the URL being accessed (for web requests). When a session terminates, the Firewall Session Log shows how many bytes were transferred through the session. A log entry is generated for each of the following events if the firewall rule had logging enabled.
Table 5–5: Firewall Session Log Field Descriptions (Continued)
Column | Description
Bytes | For Session End events, this field contains the number of bytes transferred during each session. For web request events, this field indicates the number of bytes downloaded from the HTTP GET.
System Log
The System Log contains information about the software processes that control the X family device, including startup routines, run levels, and maintenance routines. System log entries can provide useful troubleshooting information if you encounter problems with the device. To maintain a complete history of entries and provide a backup, you can configure the device to send System Log entries to a syslog server from the Syslog Servers page. For details, see “Syslog Servers” on page 242.
For details on configuring the Syslog Server contact for the System, Audit, VPN, and Firewall Session logs, see “Configure remote syslog for the System, Audit, VPN, and Firewall Session logs” on page 106.
CAUTION Remote syslog, in adherence to RFC 3164, sends clear-text log messages using the UDP protocol with no additional security protections.
For additional details, refer to the following topics:
• “Viewing Logs” on page 107
• “Downloading a Log” on page 107
• “Searching a Log” on page 109
• “Resetting a log” on page 108
Viewing Logs
Logs can be viewed from the Events menu.
View a log file
STEP 1 From the LSM Events menu, click the name of the log you want to view.
STEP 2 Click the desired log. The LSM updates to display the log page for the selected item.
Download a Log
STEP 1 On the log page in the Log Functions section, click the Download icon.
Note If the log is empty, the download link will be disabled, or grayed out.
STEP 2 Verify that the Log Type drop-down list box has the correct log selected.
STEP 3 In the Log Entry section, specify the criteria for the log entries to be included in the downloaded file:
• Select All to download all entries.
OR
• Select Current to download all current entries.
Searching a Log
Some logs provide a search function to help locate specific entries. This feature is available on the Alert, Audit, IPS Block, and Firewall Block logs. To locate an entry within a log file, use the Search function available on each log page. You can search for entries by specifying one or more of the following criteria:
• Date Range — Search all log entries or specify a date range. You can also enter a time range.
Managed Streams
The Managed Streams menu pages provide options to review and manage traffic streams that have been blocked, rate-limited, or quarantined by IPS policies. These events are captured by the Threat Suppression Engine (TSE), which uses a blend of ASICs and network processors to detect threats and anomalies in network traffic.
The Blocked Log Entries table displays up to 50 entries. Entries are added when the block event occurs. Entries are automatically removed when the connection times out based on the Connection Table timeout setting configured from the IPS > IPS Preferences page. The default timeout setting is 1800 seconds (30 minutes). You can manually remove an entry by terminating the connection using the Flush functions.
Rate Limited Streams
When traffic triggers an IPS filter configured with a Rate Limit action set, traffic from the source IP and port is limited based on the rate limit settings in the action set. Traffic from the source IP address and port to the destination IP address and port remains rate-limited until the connection timeout period expires, or until the connection is manually terminated from the LSM.
Table 5–10: Rate Limited Streams Table (Continued)
Column | Definition
Security Zone (pair) | The Security Zone pair where the stream is rate limited (LAN WAN, for example)
Reason | The filter link that details why the traffic connection stream was blocked. Click the link to display and manage the filter.
Search rate-limited streams
STEP 1 From the LSM menu, select Events > Managed Streams > Rate Limited Streams.
From the Quarantined Addresses page, you can:
• View and search for information on quarantined addresses
• Force an address into quarantine
• Remove all or selected addresses from quarantine
The following figure shows the Quarantined Addresses page:
Figure 5–3: Quarantined Addresses Page
For each quarantined address, the Quarantined Addresses page provides the following information:
Table 5–11: Quarantined Address Table
Column | Description
IP address | The I
STEP 3 Click Search. The Quarantined Addresses table updates with addresses matching the search criteria. To reset the search field and update the Quarantined Addresses table to display all entries, click Reset.
Force IP address into quarantine
To manually quarantine a host, you must first configure a Quarantine action set, which determines the behavior when the host attempts to access the network.
Health
The Health menu pages show the current status and network performance of the X family device. From the Monitor page you can review:
• Device health indicated by memory and disk usage statistics
• Module health including the Threat Suppression Engine and Ethernet ports
• Performance/Throughput
Figure 5–4: Monitor Page
To access the Monitor page, select Events > Health > Monitor, or click Health on the System Summary page. For details on each type of Health information, see the following:
• “Device Health” on page 117
• “Module Health” on page 118
• “Performance/Throughput” on page 120
• “Port Health” on page 120
Device Health
The Device Health section of the Monitor page displays the current status of a variety of chassis components, including power modules, fans, temperature, and memory and disk space usage.
require notification, but this difference only comes into play when network traffic matches or nearly matches these filters. Firewall rules with logging enabled also consume more memory.
Table 5–13: Module Health
Column | Description
Module State | A description of the current operational state of the module.
Performance/Throughput
To view the current throughput performance of the device, select Events > Monitor > Performance. If the device is experiencing performance problems, the following information is provided.
Table 5–14: Performance/Throughput
Column | Description
Component | The component or resource being monitored.
Table 5–15: Port Health (Continued)
Column | Description
Qual-1 | A description of any reasons for an other-than-active state of the module
Qual-2 | Additional description of any reasons for an other-than-active state of the module
Media | The type of media of the port, such as copper or fiber
Type | The type of the port, such as Ethernet
Reports
The Reports menu provides access to detailed information about the LSM system alert and traffic activity. Data for each report is gathered in real time.
STEP 3 To update the report data, use the Refresh option. On some reports, an Animate Charts option is available to update the data in real time.
Attack Reports
The Attack Reports page allows you to view data on traffic that has been filtered by the device based on the IPS filter and firewall rule configuration. Firewall rules display as filter IDs in the 7400 to 7410 range.
Rate Limit Reports
In the LSM, you can configure a rate limit action set to define the maximum amount of bandwidth available for traffic matching IPS filters that have a rate limit action set assigned. If two or more IPS filters use the same rate limit action set, then all packets matching these filters share the bandwidth. For each rate limit action set, the Rate Limit Reports page allows you to view the percentage of bandwidth consumed by rate-limited traffic, graphed as a function of time.
The following figure shows the Traffic Profile Reports page.
Traffic Threshold Report
In the LSM, traffic threshold filters track statistical changes in network traffic patterns. You can specify the amount of traffic that triggers a Traffic Threshold filter from the Traffic Threshold Reports page. The units used in the report (packets/hour, bytes/minute, connections/second, etc.) are determined by the units configured in the Traffic Threshold filter.
The Configure Adaptive Filter Events report page provides the following information:
Table 5–16: TSE Adaptive Filter Configuration Details
Column | Definition
Settings | The Settings table allows you to change the global system configuration for the Adaptive Filter function. For details, see “Adaptive Filter Configuration” on page 60.
Ten Most Recent | Table that displays the ten most recent filters managed by adaptive filtering.
whichever is more recent. Data is added when the firewall session is closed; therefore, a large file transfer in progress, for example, will not be tabulated until after it finishes. Data is presented as one of the following graphs:
• Top Web sites — The 25 most visited external Web sites by bandwidth. You must create a firewall rule with the “web-filter” action between the zones that you wish to monitor.
6 Network
The Network section describes IP interfaces, security zones, DHCP functionality, routing, and IP address groups and explains how to enable, disable, and modify their various features. The network tools provided by the LSM are also described.
Overview
The Network menu pages in the LSM enable you to set up the X family device so that it can work within your network environment.
Chapter 6 Network
For additional information, see the following topics:
• “Configuration Overview” on page 130
• “Deployment Modes” on page 131
• “Network Port Configuration” on page 132
• “Security Zone Configuration” on page 135
• “IP Interfaces” on page 140
• “IP Address Groups” on page 153
• “DNS” on page 155
• “Default Gateway” on page 156
• “Routing” on page 157
• “DHCP Server” on page 167
• “Network Tools” on page 176
Configuration Overview
The X family device has a default configuration so that t
For additional information, see the following topics:
• “Deployment Modes” on page 131
• “Network Port Configuration” on page 132
• “Security Zone Configuration” on page 135
• “IP Interfaces” on page 140
• “IP Address Groups” on page 153
• “DNS” on page 155
• “Default Gateway” on page 156
• “Routing” on page 157
• “DHCP Server” on page 167
• “Network Tools” on page 176
Deployment Modes
The deployment mode you select determines how to configure the IP interfaces and routing on the device.
IP addresses, respectively. The LAN security zone is in one broadcast domain while the DMZ and WAN zones are in another.
Figure 6–2: X Family Transparent DMZ - NAT/Routed LAN Deployment Mode
• Bridge — In this mode, the device acts as a bridge to transparently connect security zones assigned to the same virtual interface. You do not have to configure IP routes to bridge traffic.
Network Port Configuration
The following figure shows the Port Configuration page:
Figure 6–4: Network: Configuration: Port Configuration Page
The Port Configuration page provides the following information:
Column | Description
Port | The port number on the device.
Auto Negotiation | Indicates whether the port auto-negotiates line speed based on the Line Speed setting.
Edit Port Configuration
STEP 1 From the LSM menu, select Network > Configuration > Network Ports.
STEP 2 On the Port Configuration page, clear the Auto Negotiation checkbox for the port you want to configure. The page updates to show configuration fields for Line Speed and Duplex Setting.
STEP 3 Select the Line Speed setting from the drop-down menu.
STEP 4 Select the Duplex setting: Full or Half.
STEP 5 Check the Restart checkbox.
Security Zone Configuration
A security zone is a section of the network that is associated with a port or VLAN. If you need to control the traffic between devices, the devices must be in separate security zones. Using the LSM, you can add, edit, or delete security zones. Security zones enable you to logically segment your networks so that the device can apply firewall rules and IPS filters to control the traffic passing between the zones.
The Security Zones page provides the following information about each zone:
Column | Description
Zone | The name of the Security Zone. Initially, the device is configured with LAN, VPN, and WAN default zones.
Untagged Port(s) | The ports on the device that have been assigned to each zone.
VLAN ID | Identifies the VLAN associated with the security zone (if applicable).
VLAN Port(s) | The physical ports that have been allocated to the VLAN (if applicable).
You can create and edit Security Zones from the Create/Edit Security Zone page.
Figure 6–6: Create/Edit Security Zone Page
The following table lists the Security Zone configuration parameters.
Table 6–2: Security Zone Configuration Parameters
Parameter | Description
Zone | Type a name for the security zone.
Ethernet Port(s) | Select one or more ports on the device to be assigned to the zone.
Table 6–2: Security Zone Configuration Parameters (Continued)
Parameter | Description
Bandwidth Management (rate limiting)
Enable bandwidth rate limiting | Select this option to specify bandwidth rate limiting for the access speed of outbound (upload) traffic and inbound (download) traffic across the device. Applying a bandwidth limitation physically limits the rate of traffic flow. You can define separate limits for outbound and inbound traffic in kbps.
Configure a Security Zone
STEP 1 From the LSM menu, select Network > Security Zones.
STEP 2 Click Create (for a new security zone) or click the Edit icon for the zone you want to edit.
STEP 3 On the Create/Edit Security Zone page, type the Security Zone Name for the new zone. You can only edit the Security Zone name when you are creating the zone.
STEP 4 Check the Ethernet Ports that you want to add to the zone.
IP Interfaces
Configuration Overview
IP interfaces provide the X family device with the interfaces to make the network connections required for your environment. An IP interface is the Layer 3 configuration for the device, that is, the IP configuration for its set of security zones (and hence the Ethernet ports within those security zones).
For additional information, see the following topics:
• “Managing IP Interfaces” on page 141
• “IP Addresses: Configuration Overview” on page 142
• “Configuring a GRE Tunnel” on page 148
• “Manage Security Zones for IP Interfaces” on page 149
• “Configuring Routing for IP Interfaces” on page 150
Managing IP Interfaces
The IP Interfaces page (Network > Configuration > IP Interfaces) shows the IP interfaces that are currently configured on the device.
Column | Description
Subnet | The subnet mask for the interface
MAC | The MAC address for the interface. The device automatically assigns a unique MAC address for every virtual interface configured on the device.
For details on configuring the IP address for each type of interface, see the following topics:
• “Internal Interface: Static IP Address” on page 143
• “External Interface: Static IP Address Configuration” on page 144
• “External Interface: DHCP Configuration” on page 145
• “External Interface: PPTP Client Configuration” on page 145
• “External Interface: L2TP Client Configuration” on page 146
• “External Interface: PPPoE Client Configuration” on page 147
After you have configured the basic
After you have configured the basic options for the internal IP interface, you can manage the security zones associated with the interface, or configure routing in the Advanced Options section.
Configure PPTP client on the External IP interface
STEP 1 From the LSM menu, select Network > Configuration > IP Interfaces.
STEP 2 On the IP Interfaces page, click the Create IP Interface button or select the Edit icon for the interface that you want to edit.
STEP 3 On the Create/Edit IP Interface page, select External as the Interface Type.
Note You can only configure one External IP interface on the device.
Configure L2TP client on the External IP interface
STEP 1 From the LSM menu, select Network > Configuration > IP Interfaces.
STEP 2 On the IP Interfaces page, click the Create IP Interface button or select the Edit icon for the interface that you want to edit.
STEP 3 On the Create/Edit IP Interface page, select External as the Interface Type.
Note You can only configure one External Interface on the device.
Configure PPPoE client on the External IP interface
STEP 1 From the LSM menu, select Network > Configuration > IP Interfaces.
STEP 2 On the IP Interfaces page, click the Create IP Interface button or select the Edit icon for the interface that you want to edit.
STEP 3 On the Create/Edit IP Interfaces page, select the External interface.
Note You can only configure one External Interface on the device.
Configure a GRE Tunnel to a Remote Device
STEP 1 From the LSM menu, select Network > Configuration > IP Interfaces.
STEP 2 On the IP Interfaces page, click Create IP Interface or select the Edit icon for the interface that you want to edit.
STEP 3 On the Create/Edit IP Interfaces page, select GRE Tunnel secured by IPSec SA as the Interface Type. Then, select the Security Association from the drop-down list.
STEP 4 From the Security Zone drop-down list, select the zone you want to add to the IP interface. Then, click Add to table below. Add as many zones as needed.
STEP 5 To delete a zone, click the delete icon in the Function(s) column for the zone.
STEP 6 Click Save. Click Cancel to return to the IP Interfaces page without saving the changes.
Configuring Routing for IP Interfaces
You can configure IP interfaces to perform dynamic unicast or multicast routing if required.
Using RIP, the device determines the route for network packets based on the fewest number of hops between the source and the destination. RIP regularly broadcasts routing information to other devices on the network.
RIPv1 Configuration Settings
RIPv1 is a simple distance vector protocol in which the longest path cannot exceed 15 hops and static metrics are used to compare routes. RIPv1 should only be used to communicate routing information with legacy devices that cannot support RIPv2.
STEP 7 Select one of the following from the Receive mode drop-down list:
• Do not receive updates — Ignore all route advertisements received on this interface.
• RIP v1 only — Accept only v1 advertisements received on this interface.
• RIP v2 only — Accept only v2 advertisements received on this interface.
• RIP v1 or v2 — Accept any RIP advertisements received on this interface.
STEP 8
IP Address Groups
The device supports two multicast protocols. You can configure an IP interface with either or both protocols.
• IGMP — Internet Group Management Protocol, used by hosts to define multicast group membership. Multicast groups are identified by special IP addresses. IGMP must be enabled on all IP interfaces that are directly connected to clients using multicast traffic.
• PIM-DM — Protocol Independent Multicast-Dense Mode routing protocol, used for multicast routing between remote sites.
IP Address Groups can be used when configuring the following features:
• Firewall rules
• DHCP server address pool
• IPSec local and destination subnets
• PPTP pool
• L2TP pool
• Security zones
You can manage IP Address Groups from the IP Address Groups page (Network > Configuration > IP Address Groups).
DNS
The IP Address Groups page provides the following information about existing groups:
Table 6–3: IP Address Group Details
Column / Description
Name: The name of the IP Address Group.
IP Addresses: The IP addresses belonging to the group. These can include IP hosts, IP ranges, and IP subnets.
Function(s): The functions available to manage each IP Address Group listed in the table:
• Delete an IP Address Group
• Edit the IP Address Group to add or remove IP addresses
Obtain DNS Configuration from WAN Connection
STEP 1 From the LSM menu, select Network > DNS.
STEP 2 On the DNS page, select Use DNS configuration from WAN connection. When this option is selected, the DNS server configuration returned by the ISP is used. Alternatively, the DNS servers can be set explicitly using the manual configuration option.
STEP 3 Click Apply.
Routing
Routing Overview
The device provides static and dynamic routing, which can be managed and configured from the Routing menu pages. The menu provides the following options:
• Routing Table — View all current routes on the device. Use the Routing Table to view the routes by IP Address and Subnet Mask.
• Static Routes — Review, manage, and create static routes for the device. A Static Route defines the gateway to use for a particular network.
The following figure shows the Routing Table page:
Figure 6–9: Network Configuration: Routing Table Page
The Network - Routing Table provides the following information:
Column / Description
Destination: The IP address of the destination network.
Subnet Mask: The subnet mask of the destination network.
Next Hop: The IP address of the router that will be used to access a host or subnet.
Static Routes
A Static Route defines the gateway to use for a particular network. The device supports the use of static routes to forward traffic:
• Between the device and any external interface. For example, you may need to define a static route so that the device can communicate with the email server used to send event notifications.
• Between the device and any GRE interface.
The Static Routes page provides the following information:
Column / Description
Destination: The IP address of the destination network for the static route.
Subnet Mask: The subnet mask of the destination network.
Gateway: The IP address of the gateway to which the device forwards traffic destined for the destination network.
Metric: A number (between 1 and 15) that is used to determine the order in which the static route will be accessed.
number of hops between the source and the destination. RIP regularly broadcasts routing information to other devices on the network.
CAUTION When RIP is enabled, the device automatically redistributes any static routes configured on the device into RIP. If you do not want to redistribute some static routes, configure those with a metric of 15. The other peer routers will receive these routes and increment the metric by one (to 16, which RIP treats as unreachable).
Column / Description
Split Horizon: Whether Split Horizon is enabled or disabled on the interface. Split Horizon reduces convergence time by not allowing routers to advertise networks in the direction from which those networks were learned. The announcements only include networks in the opposite direction. This also reduces loops.
Poison Reverse: Whether Poison Reverse is enabled or disabled on the interface.
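The metric-15 behaviour described in the CAUTION above, and the effect of the Split Horizon and Poison Reverse settings, are easiest to see on a small model of how a RIP peer handles an update. The following Python is an added example and is not part of the 3Com guide or of the X family software; the interface names, prefixes and metrics in it are constructed for the illustration.

```python
"""Added example (not from the 3Com guide): a minimal model of RIP update
processing. It shows why a static route redistributed with metric 15 is
never installed by the receiving router (15 + 1 = 16, RIP's "infinity"),
and what Split Horizon and Poison Reverse do to the advertisements a
router sends back out the interface it learned a route on.
All interface names and prefixes below are constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

RIP_INFINITY = 16  # a metric of 16 means "unreachable" in RIPv1 and RIPv2


@dataclass(frozen=True)
class Route:
    network: str      # destination prefix, e.g. "10.1.0.0/16"
    metric: int       # hop count as seen by this router
    learned_on: str   # interface the route was learned on ("static" for local config)


def receive_update(table: Dict[str, Route],
                   advertised: List[Tuple[str, int]],
                   interface: str) -> Dict[str, Route]:
    """Process one RIP update (a list of (network, metric) pairs) heard on
    `interface`. The receiver adds one hop; anything that reaches 16 is
    unreachable and is not installed. Returns the updated table."""
    updated = dict(table)
    for network, metric in advertised:
        new_metric = min(metric + 1, RIP_INFINITY)
        if new_metric >= RIP_INFINITY:
            # A metric-15 static route redistributed by the peer lands here:
            # it is dropped, which is the effect the guide's CAUTION relies on.
            continue
        current = updated.get(network)
        if current is None or new_metric < current.metric:
            updated[network] = Route(network, new_metric, interface)
    return updated


def build_update(table: Dict[str, Route], interface: str,
                 split_horizon: bool = True,
                 poison_reverse: bool = False) -> List[Tuple[str, int]]:
    """Build the advertisement this router would send out `interface`.
    Split Horizon omits routes learned on that interface; Poison Reverse
    advertises them instead with metric 16 so the neighbour discards them."""
    out = []
    for route in table.values():
        if route.learned_on == interface:
            if not split_horizon:
                out.append((route.network, route.metric))
            elif poison_reverse:
                out.append((route.network, RIP_INFINITY))
            # plain Split Horizon: say nothing about this route on this interface
        else:
            out.append((route.network, route.metric))
    return sorted(out)


def demo() -> Tuple[List[Tuple[str, int]], Dict[str, Route]]:
    """Constructed scenario: the device has two static routes, one of which
    the administrator does not want propagated, so it carries metric 15.
    Returns (what the device advertises, what the peer installs)."""
    device_table = {
        "10.1.0.0/16": Route("10.1.0.0/16", 1, "static"),
        "192.168.50.0/24": Route("192.168.50.0/24", 15, "static"),
    }
    advert = build_update(device_table, "eth1")          # device sends out eth1
    peer_table = receive_update({}, advert, "eth0")      # peer hears it on eth0
    return advert, peer_table


if __name__ == "__main__":
    advert, peer = demo()
    print("advertised:", advert)
    print("installed by peer:", sorted(peer))
```

Running `demo()` shows that both routes leave the device (with metrics 1 and 15) but only `10.1.0.0/16` is installed by the peer, at metric 2; the peer's own update back out `eth0` then omits that route under Split Horizon, or carries it with metric 16 when Poison Reverse is on.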
For more information on configuring interfaces, see “Enable Bridge Mode on an IP Interface” on page 150.
Multicast (IGMP and PIM-DM)
The device can act as an IP multicast router, supporting the IGMP and PIM-DM multicast protocols.
• IGMP — Internet Group Management Protocol, used by hosts to define multicast group membership. Multicast groups are identified by special IP addresses.
The following figure shows the IGMP Setup page:
Figure 6–12: Network Configuration: IGMP Setup Page
On the IGMP Setup page, the IP Interfaces Setup table lists the existing interfaces on the device and provides the following information about the IGMP configuration on each interface:
Column / Description
IGMP State: Whether IGMP is enabled or disabled on this IP interface.
Host Query Interval: Interval in seconds between queries from the IGMP querier router to multicast groups.
For additional information, see the following topics:
• “Enable IGMP Globally” on page 165
• “Edit IGMP Configuration on an IP Interface” on page 165
• “Managing IP Interfaces” on page 141
Enable IGMP Globally
STEP 1 From the LSM, select Network > Routing > IGMP.
STEP 2 On the IGMP Setup page, check Enable IGMP.
Note You must enable IGMP globally in order to run it on an interface.
STEP 3 Click Apply to save the change.
The following figure shows the PIM-DM Setup page:
Figure 6–13: Network Configuration: PIM-DM Setup Page
Enable PIM-DM globally
STEP 1 Check Enable PIM-DM.
Note You must enable PIM-DM globally in order to run it on an interface.
STEP 2 Enter a value between 1 and 600 seconds (default 30 seconds) for the Query Interval.
STEP 3 Optionally, enter a value between 1 and 900 seconds (default 180 seconds) for the Prune Timeout. Prune Timeout alleviates some PIM-DM flooding problems.
Default Gateway
The default gateway is the route to which the device forwards any packet whose destination address it does not recognize. You configure this route when you configure the external interface.
Note If you are using PPPoE or DHCP, the default route is configured automatically by your ISP and you cannot configure it yourself.
Configure the Default Route
1. Go to Network > Interfaces. The NETWORK - Interfaces page opens.
2.
For additional information, see the following topics:
• “DHCP Server Page” on page 168
• “DHCP Relay” on page 171
• “Static Reservations” on page 174
• “Configure DHCP Server” on page 169
DHCP Server Page
The DHCP Server leases IP addresses to DHCP clients. If a lease has not been released normally, you can release it manually. By default, the device DHCP server grants leases for one hour. You can edit the duration of the lease on the Configure DHCP page.
DHCP Server
For additional information, see the following topics:
• “Release a DHCP Lease” on page 169
• “Configure DHCP Server” on page 169
• “DHCP Relay” on page 171
• “Static Reservations” on page 174
Release a DHCP Lease
STEP 1 From the LSM menu, select Network > DHCP Server.
STEP 2 On the DHCP Server page, in the DHCP Client Summary table, click the Release icon to end the lease and update the table.
Enable and Configure the DHCP Server
STEP 1 From the LSM menu, select Network > DHCP Server. Then, click the Configure DHCP tab.
STEP 2 On the Configure DHCP Server page, check Enable DHCP Server to enable the DHCP server. Then, configure the following options as required:
• In the Lease Duration field, enter a value between 1 and 600 minutes (default 60 minutes) for the duration of the lease to the DHCP client.
DHCP Relay
Note To use DHCP Relay, you must disable the DHCP Server. See “Disable the DHCP Server” on page 170 for more information.
DHCP Relay allows DHCP to operate between a DHCP client in one security zone and a DHCP server in another. To use DHCP Relay, you configure the device to act as a DHCP relay agent. The device relays DHCP packets to the destination DHCP server and back to the client across security zone boundaries.
Configuring DHCP Relay
You can configure DHCP Relay from the DHCP Relay page (Network > DHCP Server > DHCP Relay tab). From this page, you can:
• Enable/disable the DHCP Relay option
• Configure the device as a Central DHCP Relay Agent, with or without the Relay Over VPN option
• Configure the device as a Remote DHCP Relay Agent
The following figure shows the DHCP Relay page.
Table 6–5: Network: DHCP Relay Configuration Parameters (Continued)
Parameter / Description
Relay Requests to DHCP Server: The IP address of the central DHCP server to which requests are sent.
Enable DHCP Relay Over VPN: For a Central DHCP Relay Agent, selecting this checkbox allows the device to act as a VPN Relay agent and support DHCP requests arriving over VPN tunnels using IKE. The device forwards the requests on to the DHCP server.
Configure the DHCP Relay Mode as Remote VPN Relay Agent
STEP 1 From the LSM menu, select Network > DHCP Server. Then, click the DHCP Relay tab.
STEP 2 On the DHCP Relay page, check Enable DHCP Request Relaying to enable DHCP Relay.
STEP 3 Select Remote DHCP Relay Agent. With this configuration, the device listens for DHCP requests from its LAN and forwards them to a Central DHCP Relay Agent.
The following figure shows the DHCP Static Reservations page:
Figure 6–16: Network: DHCP Static Reservations Page
The Current Reservations table provides the following information for each static reservation:
Table 6–6: Static Reservation Details
Column / Description
IP Address: The IP address you want to assign to the device.
MAC Address: The MAC address of the device.
Function(s): The available functions for static reservations:
• Delete a static reservation.
Network Tools
The LSM provides the following network tools:
• DNS Lookup — a network tool that displays the IP address for a given DNS name
• Find Outgoing Zone — a network tool that displays the physical interface/security zone (and router IP address, if appropriate) that the device would use to reach a given location
• Traffic Capture — a network tool that allows you to capture network packets into a file.
DNS Lookup
Use the DNS Lookup tool to find the IP address for a given DNS name. DNS Lookup can be used to verify that the DNS servers on the device are configured properly.
Find the IP address for a DNS name
STEP 1 From the LSM, select Network > Tools.
STEP 2 In the DNS Lookup table, type the hostname in the IP field.
STEP 3 Click DNS Lookup. The IP addresses and aliases associated with the DNS name are displayed.
From the Traffic Capture page, you can:
• View and manage existing packet capture files. To view and manage packet capture files, select Network > Tools > Traffic Capture. Then, select the Traffic Capture tab.
• Create a new traffic capture file. To see a list of packet capture files, go to Network > Tools > Traffic Capture.
Perform a Traffic Capture
STEP 1 From the LSM, select Network > Tools. On the Tools page, click the Traffic Capture tab.
STEP 4 If required, configure any of the following options:
• Inter Packet Interval — the number of seconds between each packet
• TTL — (IP Time To Live) the maximum number of IP routers that the packet can pass through before being discarded. Each router decreases the TTL value of the packet by one.
STEP 4 Configure any of the following options:
• First Hop — you can choose which is the first hop that you get information about.
STEP 5
7 VPN
The VPN section provides an overview of Virtual Private Networks and describes how they are implemented.
Overview
The VPN menu pages in the LSM allow you to configure the protocol and authentication method for VPN tunnels so that remote users and devices can access the X family device. The following menu options are available:
• IPSec Status — View and manage the IPSec configuration for the X family device.
Chapter 7 VPN
For additional information, see the following topics:
• “About VPN” on page 182
• “IPSec Configuration” on page 184
• “IKE Proposal” on page 198
• “L2TP Configuration” on page 208
• “PPTP Configuration” on page 212
About VPN
A Virtual Private Network (VPN) uses a public network infrastructure such as the Internet to link physically separate private networks together into one large virtual private network. The data is kept private by using encryption.
• Authentication establishes the identity of a remote user or device to verify that they have permission to access network resources. The X family provides two types of authentication methods:
  o User Authentication — username/password verification methods to ensure that only authorized users may access client-to-site VPNs. Access privileges are used to control which network services are available to each user. On the X family device, user accounts are configured from the Authentication menu page.
STEP 3 For client-to-site VPNs, determine whether you will use the PPTP, L2TP, or L2TP over IPSec tunneling protocol. PPTP and L2TP are not recommended because they are not very secure. For site-to-site VPN connections, you must use the IPSec protocol. For authentication, you can use either X.509 certificates or a Pre-Shared Key (PSK). X.509 certificates are recommended because they are more secure.
The following figure shows the IPSec Status page:
Figure 7–1: IPSec Status Page
From this page, you can complete the following tasks:
• If IPSec is enabled, view the current status of the IPSec SA Phase 1 and Phase 2 negotiation process.
• View a summary of the IPSec SAs that have been used to negotiate tunnels on the device.
• Renegotiate IKE Phase 1 or Phase 2 of the IPSec VPN connection.
Table 7–1: IPSec Status Details (Continued)
Column / Description
Status: The current status of the connection:
• Phase 1: Idle — Phase 1 negotiation has not started, or it started but the connection subsequently timed out or did not complete successfully
• Phase 1: Negotiating — the X family device is in the process of authenticating Phase 1 of the IPSec VPN connection
• Phase 1: Failed — the negotiation failed
• Phase 1: Established — the X family device has successfully completed Phase 1 neg
IPSec Configuration
Use the IPSec Configuration page (VPN > IPSec Status, IPSec Configuration tab) to view and manage the IPSec configuration and the IPSec Security Associations. IPSec configuration is required if you want to use site-to-site or client-to-site L2TP over IPSec VPN tunnels.
IPSec Configuration Parameters and IP Security Association Details
The following table describes the configuration parameters for the IPSec security protocol:
Table 7–2: IPSec Configuration Parameters and IP Security Association Details
Parameter / Description
IPSec Global Setup
Enable Verbose messages in the VPN Log: Select this option to log more detailed information when the X family device is establishing a VPN connection.
Enable and Configure IPSec Global Settings
Note Before configuring IPSec and the IPSec Security Association, configure the required IP Address Groups and IKE proposals. For details, see “Configuring IKE Proposals” on page 200.
STEP 1 From the LSM menu, select VPN > IPSec Status. Then, click the IPSec Configuration tab.
STEP 2 On the IPSec Configuration page, check Enable IPSec Global VPNs.
STEP 1 IPSec Security Association Setup — configure the Peer ID address, terminated security zone, and keying mode.
STEP 2 Select the Keying Mode, either IKE or Manual. Manual keying is only recommended for testing, as this mode is not secure.
STEP 3 Set up the keys used to authenticate the VPN connection. Depending on the keying mode selected, specify the parameters for IKE Setup or Manual Setup.
Table 7–3: IPSec Security Association Configuration Parameters (Continued)
Parameter / Description
Terminated Security Zone: Select the remote security zone on which to terminate the VPN from the Terminated Security Zone drop-down list. All devices within the termination zone have unrestricted access to the VPN. Traffic received over the VPN has unrestricted access to all devices within the termination zone. Firewall rules must be used to access other zones.
Table 7–3: IPSec Security Association Configuration Parameters (Continued)
Parameter / Description
Manual Setup: These configuration parameters are available if Manual is selected as the Keying mode.
Encryption: Select an appropriate encryption method:
• ESP DES-CBC (weak encryption, not recommended)
• ESP 3DES-CBC (strong encryption)
• ESP AES-CBC-128 (strong encryption)
• ESP AES-CBC-192 (strong encryption)
• ESP AES-CBC-256 (strong encryption)
Enter a hexadecimal Key value for the key.
Table 7–3: IPSec Security Association Configuration Parameters (Continued)
Parameter / Description
Tunnel Setup
Local Networks: Select one of the following methods to determine what local traffic may access or be accessed from the VPN tunnel. This method is only used for IPSec tunnel mode connections:
• IP Address Group (configured from Network > Configuration > IP Address Groups) - use this option if the traffic allowed over the VPN tunnel comes from multiple IP subnets.
Table 7–3: IPSec Security Association Configuration Parameters (Continued)
Parameter / Description
Enable NAT of local network addresses: Enable this option to perform NAT on traffic entering a VPN tunnel. Selecting this option allows multiple remote VPN sites to use the same IP subnet. If you enable NAT, enter the NAT IP Address. This address must be included in the Local ID configured for the local network. Only one NAT IP address can be used for outgoing sessions on one VPN tunnel.
STEP 7 Click Save to save the configuration. Click Cancel to return to the IPSec Configuration page without saving the changes.
All devices within the termination zone have unrestricted access to the VPN. Traffic received over the VPN has unrestricted access to all devices within the termination zone. Firewall rules must be configured to access the other zones.
The same pre-shared key must be configured on the remote device establishing a VPN tunnel with the local device.
STEP A In the Tunnel Setup, check Enable IPSec Tunnel connections.
STEP B In the Local Networks table, select the source IP addresses that the originating device allows to route VPN traffic to the peer VPN firewall for the specific security association. This applies only to IPSec tunnel mode connections.
• To use specific IP addresses for routing, select IP Address Group, IP Subnet, or IP Range. Then, configure the value(s) for the selected field.
STEP C
STEP 4
Click Cancel to return to the IPSec Configuration page without saving the changes.
IKE Proposal
Internet Key Exchange (IKE) is used to negotiate the keying material used by the IPSec VPN encryption and integrity algorithms. IKE uses UDP port 500 and precedes the actual IPSec data flow. IKE is a two-stage mechanism for automatically establishing IPSec tunnels with dynamically generated keying material.
The following figure shows the IKE Proposals summary page.
Figure 7–3: VPN: IKE Proposals Page
From this page you can complete the following tasks:
• View and manage existing IKE proposals configured on the device.
Table 7–4: VPN: IKE Proposal Details (Continued)
Column / Description
Functions: Icons representing functions to manage IKE Proposals. The following functions are available:
• Delete a proposal
• Edit a proposal
Configuring IKE Proposals
IKE proposals provide the authentication and encryption methods that are used to configure the IPSec Security Associations for IPSec VPN tunnels. Configure an IKE proposal for each type of remote network device that requires a VPN connection.
The following figure shows the Create/Edit IKE Proposal page:
Figure 7–4: VPN: Create/Edit IKE Proposal Page
For additional information, see the following topics:
• “IKE Proposal Configuration Parameters: Phase 1 and 2” on page 202
• “Configure Phase 1 Setup Parameters for an IKE Proposal” on page 206
• “Configure Phase 2 Setup Parameters for an IKE Proposal” on page 207
IKE Proposal Configuration Parameters: Phase 1 and 2
The following table describes the IKE Phase 1 and Phase 2 configuration parameters.
Table 7–5: IKE Proposal Phase 1 and Phase 2 Configuration Parameters (Continued)
Parameter / Description
Lifetime: Specify the length of time the security association remains valid before new authentication and encryption keys must be exchanged (between 1 and 65535 seconds, default 28800). A lower value increases security but may be inconvenient, since the connection is temporarily disabled.
Table 7–5: IKE Proposal Phase 1 and Phase 2 Configuration Parameters (Continued)
Parameter / Description
Options: Enable Aggressive Mode: To enable Aggressive Mode, check Enable Aggressive Mode. Aggressive Mode is required when using dynamic WAN IP addresses. However, this mode is less secure. By default, the device uses Main Mode. If you select Aggressive Mode, configure the Local ID and Peer ID information that will be used to authenticate Phase 1 of the IPSec connection.
Table 7–5: IKE Proposal Phase 1 and Phase 2 Configuration Parameters (Continued)
Parameter / Description
Delete Phase 2 SA when Phase 1 SA terminates: Check this option to delete all Phase 2 security associations if the Phase 1 security association terminates. Selecting this can improve interoperability with VPN devices that automatically delete all Phase 2 security associations when the Phase 1 security association terminates.
Table 7–5: IKE Proposal Phase 1 and Phase 2 Configuration Parameters (Continued)
Parameter / Description
Phase 2 Local ID configuration options: These options determine how the device negotiates IKE Phase 2 local-id checking:
• Select Enable strict ID checking of local network to restrict the use of the Phase 2 tunnel to packets with a source IP address corresponding to a local-id configured for the local network of the IPSec security association. For backwards compatibility with the 2.
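The Local Networks selection in Table 7–3 (an IP Address Group, an IP Subnet, or an IP Range) and the strict local-ID check above both come down to the same test: does a packet's source address fall inside one of the configured local networks? The following Python is an added example, not part of the 3Com guide or the X family software; it models that membership test with the standard `ipaddress` module, and every address, range and group in it is constructed sample data.

```python
"""Added example (not from the 3Com guide): a model of the Local Networks
selector on an IPSec security association (IP Address Group, IP Subnet or
IP Range) and of the "strict ID checking of local network" option, which
only lets packets whose source address corresponds to a configured
local-id use the Phase 2 tunnel. All addresses below are constructed."""

import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

IPv4Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
Selector = Union[ipaddress.IPv4Network, IPv4Range]


def parse_selector(text: str) -> Selector:
    """Accept an IP Subnet ("10.0.1.0/24"), an IP Range ("10.0.2.10-10.0.2.20")
    or a single host ("10.0.3.5"). strict=True rejects a subnet whose host
    bits are set, which is the usual sign of a mistyped mask."""
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes range start: {text}")
        return (first, last)
    return ipaddress.IPv4Network(text.strip(), strict=True)


def address_group(entries: Iterable[str]) -> List[Selector]:
    """An IP Address Group is several hosts, ranges and subnets under one name."""
    return [parse_selector(e) for e in entries]


def matches(addr: str, local_networks: Iterable[Selector]) -> bool:
    """True when `addr` lies inside any configured local network."""
    ip = ipaddress.IPv4Address(addr)
    for sel in local_networks:
        if isinstance(sel, tuple):
            if sel[0] <= ip <= sel[1]:
                return True
        elif ip in sel:
            return True
    return False


def classify_sources(sources: Iterable[str],
                     local_networks: Iterable[Selector]) -> Dict[str, str]:
    """Label each constructed source address the way strict local-ID checking
    would: "tunnel" if it may use the Phase 2 tunnel, "rejected" otherwise."""
    return {src: ("tunnel" if matches(src, local_networks) else "rejected")
            for src in sources}


if __name__ == "__main__":
    # Constructed IP Address Group: one subnet, one range and one host.
    group = address_group(["10.0.1.0/24", "10.0.2.10-10.0.2.20", "10.0.3.5"])
    sample = ["10.0.1.77", "10.0.2.20", "10.0.2.21", "10.0.3.5", "192.168.1.1"]
    for src, verdict in classify_sources(sample, group).items():
        print(f"{src:>14}  {verdict}")
```

The same `matches` test serves both settings the guide describes: as the Local Networks selector it decides which local traffic is sent into the tunnel at all, and under strict ID checking it is the test a received Phase 2 packet's source must pass against the local-id.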
STEP 9 If you are using Pre-Shared Key with Aggressive Mode:
• From the Local ID Type drop-down list, select the identifier for the device to use for validation purposes: IP Address, Email Address, or Domain Name.
• From the Peer ID Type drop-down list, select the identifier for the device to use for validation purposes: IP Address, Email Address, or Domain Name.
STEP 10
STEP 3 To provide enhanced security, check Enable Perfect Forward Secrecy, and then select the Diffie-Hellman Group to use from the drop-down list.
Note This feature must be supported by both VPN devices.
STEP 4 Configure the Phase 2 Local ID checking options to determine how the X family device negotiates IKE Phase 2 local-id checking. For details, see “Phase 2 Local ID configuration options” on page 206.
STEP 5 Click Create/Save to save the configuration.
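The recommendations this chapter states (IPSec rather than PPTP or L2TP alone, X.509 certificates rather than a pre-shared key, IKE rather than manual keying, 3DES or AES rather than DES, Main Mode rather than Aggressive Mode, Perfect Forward Secrecy enabled, and a lifetime within 1 to 65535 seconds) can be applied as a review of a proposed tunnel definition before it is entered in the LSM. The following Python is an added example, not part of the guide or the device software; the dictionary keys and the two sample tunnel definitions are this example's own, chosen to mirror the LSM field names.

```python
"""Added example (not from the 3Com guide): review a VPN tunnel definition
against the recommendations stated in the guide's VPN chapter. The
dictionary keys are this example's own; the two sample definitions are
constructed, one deliberately weak and one following every recommendation."""

from typing import Dict, List

# Encryption methods exactly as Table 7-3 lists them, with the guide's own rating.
WEAK_ENCRYPTION = {"ESP DES-CBC"}
STRONG_ENCRYPTION = {"ESP 3DES-CBC", "ESP AES-CBC-128",
                     "ESP AES-CBC-192", "ESP AES-CBC-256"}
LIFETIME_MIN, LIFETIME_MAX = 1, 65535   # seconds, per Table 7-5


def review_tunnel(cfg: Dict) -> List[str]:
    """Return one finding per recommendation the definition does not follow.
    An empty list means the tunnel follows every recommendation the guide states."""
    findings = []
    proto = cfg.get("tunnel_protocol")
    if proto in ("PPTP", "L2TP"):
        findings.append(f"{proto} alone is not recommended; use IPSec or L2TP over IPSec")
    if cfg.get("site_to_site") and proto != "IPSec":
        findings.append("site-to-site VPN connections must use the IPSec protocol")
    if cfg.get("authentication") == "PSK":
        findings.append("pre-shared key authentication; X.509 certificates are recommended")
    if cfg.get("keying_mode") == "Manual":
        findings.append("manual keying is only recommended for testing")
    enc = cfg.get("encryption")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{enc} is weak encryption and not recommended")
    elif enc is not None and enc not in STRONG_ENCRYPTION:
        findings.append(f"unknown encryption method {enc!r}")
    if cfg.get("aggressive_mode"):
        findings.append("Aggressive Mode is less secure than Main Mode; "
                        "use it only when the WAN IP address is dynamic")
    if not cfg.get("perfect_forward_secrecy"):
        findings.append("Perfect Forward Secrecy is not enabled "
                        "(both VPN devices must support it)")
    lifetime = cfg.get("lifetime_seconds")
    if lifetime is not None and not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
        findings.append(f"lifetime {lifetime}s is outside {LIFETIME_MIN}..{LIFETIME_MAX} seconds")
    return findings


# Constructed sample: a legacy site-to-site tunnel that ignores every recommendation.
LEGACY_TUNNEL = {
    "tunnel_protocol": "IPSec", "site_to_site": True,
    "authentication": "PSK", "keying_mode": "Manual",
    "encryption": "ESP DES-CBC", "aggressive_mode": True,
    "perfect_forward_secrecy": False, "lifetime_seconds": 86400,
}

# Constructed sample: the same tunnel with the recommended settings.
HARDENED_TUNNEL = {
    "tunnel_protocol": "IPSec", "site_to_site": True,
    "authentication": "X.509", "keying_mode": "IKE",
    "encryption": "ESP AES-CBC-256", "aggressive_mode": False,
    "perfect_forward_secrecy": True, "lifetime_seconds": 28800,
}

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_TUNNEL), ("hardened", HARDENED_TUNNEL)):
        print(f"{name}: {len(review_tunnel(cfg))} finding(s)")
        for line in review_tunnel(cfg):
            print("  -", line)
```

The legacy definition produces six findings and the hardened one none. Where the device is forced to use Aggressive Mode because the peer has a dynamic WAN address, the finding documents the trade-off rather than forbidding it, which is how the guide presents that option.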
L2TP Configuration
The following figure shows the L2TP Status page:
Figure 7–5: VPN: L2TP Status Page
From this page, you can complete the following tasks:
• View current L2TP connections on the device
• Terminate a current connection
• Access the L2TP Server Configuration page to enable and configure the L2TP server for the X family device
L2TP Status Page Details
The L2TP Connections table provides the following information about current connections:
Table 7–6: VPN: L2TP Status Page Details
Column / Description
For additional information, see the following topics:
• “L2TP Server Configuration” on page 210
• “Enable L2TP Server and Configure L2TP Client and Addresses” on page 211
L2TP Server Configuration
You can configure the X family device to act as an L2TP server from the L2TP Server Configuration page (VPN > L2TP Status, L2TP Server Configuration tab).
Table 7–7: L2TP Server Configuration Parameters
Parameter / Description
WINS Servers: If you are using Microsoft Networking, type the IP addresses of your primary (WINS Server 1) and secondary (WINS Server 2) WINS servers.
DNS Servers: Determines the DNS servers that the PPTP Server uses:
• Select Device Acts as DNS Relay to enable the X family device to act as a proxy-DNS server (DNS relay), passing DNS queries to its configured DNS servers.
STEP 7 To configure your DNS Servers, either:
• Select Device Acts as DNS Relay if you want the X family device to act as a proxy-DNS server (DNS relay), passing DNS queries to its configured DNS servers
• Select Specify DNS Server and enter up to two local DNS server IP addresses, in the order in which they are to be accessed, in the DNS Server fields
STEP 8 To assign L2TP IP Addresses, either:
• Select IP Address Assigned by RADIUS, if you want the X family to use the RADIUS server to
STEP 9
PPTP Configuration
From this page, you can complete the following tasks:
• View current PPTP connections on the device
• Terminate a current connection
• Access the PPTP Server Configuration page to enable and configure the PPTP server for the X family device.
The following figure shows the PPTP Server Configuration page:
Figure 7–8: VPN: PPTP Server Configuration Page
PPTP Server Configuration Parameters
The following table describes the PPTP Server Configuration parameters:
Table 7–9: VPN: PPTP Server Configuration Parameters
Parameter / Description
PPTP Server
Enable PPTP Server: If checked, allows VPN clients to use the device as a VPN terminator for PPTP.
Table 7–9: VPN: PPTP Server Configuration Parameters (Continued)
Parameter / Description
PPTP Addresses: Determines how IP addresses are allocated to clients connected through the PPTP server:
• Select IP address assigned by RADIUS to enable the device to use the RADIUS server to assign the PPTP client IP address. The RADIUS server must be enabled on the RADIUS page (Authentication > RADIUS).
8 System
The System menu provides options to update and manage TOS and Digital Vaccine packages, configure timekeeping options, configure access for remote management applications (SMS and NMS), enable high availability to provide system failover, configure email and syslog servers, and access the Setup Wizard to change device and network configuration settings for the X family device.
Chapter 8 System
For details, see the following sections:
• “Update TOS and Digital Vaccine Software” on page 218
• “Time Options” on page 229
• “SMS/NMS” on page 232
• “High Availability” on page 235
• “Thresholds to Monitor Memory and Disk Usage” on page 239
• “Email Server” on page 241
• “Syslog Servers” on page 242
• “Setup Wizard” on page 242
Update TOS and Digital Vaccine Software
For up-to-date network protection, TippingPoint provides the following update options:
• TOS update package for the IPS
The following figure shows the Update page.
Field / Description
Current Installed Version: Type, Version, Package Size: Identifies the properties of the current TOS software and Digital Vaccine versions installed on the device.
Function(s): Any functions available are listed in the Function(s) column. The rollback icon indicates that there is at least one prior version of the X family software on the device that you can roll back to.
Perform a Software Rollback
CAUTION If you perform a rollback, read the release notes for both the software version you are rolling back from and the software version you are rolling back to.
Note When you update and roll back, the LSM does not lose your settings or configurations.
STEP 1 On the Update page, in the Current Installed Versions table, click the Rollback icon in the Functions column for the TOS Software. A confirmation message is displayed.
Chapter 8 System For additional information, see the following: • “Updating the Digital Vaccine (Filters)” on page 222 • “Updating the TOS Software” on page 224 Updating the Digital Vaccine (Filters) When new types of network attack are discovered, or when detection methods for existing threats improve, the Digital Vaccine team at the Threat Management Center (TMC) creates and releases new filters to add to your filter database. These filters are released as Digital Vaccine (DV) packages.
When you select the check box, the scheduling fields appear so you can establish one of the following schedule types for the DV update process.
• Periodic — Performs an update every set number of days starting from a set day. The option includes a time to perform the update.
• Calendar — Performs an update on a set day and time per week.
To set a Periodic update:
STEP A Enter the interval number of days.
MB. If the update package that you downloaded is smaller than , proceed to Step 3.
STEP B If the update package is larger than , delete older versions of the software to free disk space. For details see “Delete a previously installed TOS software version” on page 221. After freeing disk space, return to the TOS/DV Update page and repeat Steps 2 and 3.
During a graceful shutdown, such as during an update or reboot (in the LSM or by command in the CLI), Packet Trace data may not be automatically flushed to disk. To guarantee that Packet Trace data is flushed to disk, do one of the following:
• Click any Packet Trace icon in the alert or block logs
• Click the Packet Trace (TCPDUMP) icon
Software Update Process Overview
The update procedure takes approximately 30 minutes, depending on your download speed.
STEP 1 If necessary, download a software update package from TMC.
STEP 2 From the LSM menu, select System > Update. On the Update page, click the TOS/DV Update tab.
STEP 3 Verify available disk space.
STEP A In Step 2 on the SYSTEM - Update - Manual Software Update page, locate the line that says: Make sure the file you downloaded is smaller than: MB. If the update package that you downloaded is smaller than , proceed to Step 3.
System Snapshots
From the System Snapshots page, you can create, manage, restore and import local snapshots for the X family device. After restoring a snapshot, the device always restarts.
CAUTION You can apply a single snapshot to multiple devices. However, applying the snapshot to devices managed by an SMS can cause a device ID conflict. Do not apply a snapshot to multiple devices when they are managed by an SMS.
The following figure shows the System Snapshots page:
Figure 8–2: System: System Snapshots Page
The System Snapshots page provides the following information:
Column: Name. Definition: Name of the snapshot.
Column: Date. Definition: The date the snapshot was generated.
Column: Software Build. Definition: The build number for the TOS software running when the snapshot was generated.
Column: Digital Vaccine. Definition: The version number of the Digital Vaccine package running when the snapshot was generated.
Column: Model Type. Definition: The model name of the device.
Time Options
Import a Snapshot
STEP 1 From the LSM menu, select System > Update. Then, click the System Snapshots tab.
STEP 2 On the System Snapshots page in the Import Snapshot table, click Browse to select the file to import.
STEP 3 Click Install. The selected snapshot uploads and displays in the list of snapshots.
Restore a Snapshot
STEP 1 From the LSM menu, select System > Update. Then, click the System Snapshots tab.
Use the Time Options page (System > Configuration > Time Options) to configure the time zone and timekeeping mechanism for the device:
• Internal CMOS Clock — Configures the device to keep time independently using its internal clock.
• NTP Server — Configures the device to synchronize its internal clock by querying user-defined Network Time Protocol (NTP) servers.
• Time Zone — Logs are kept in Universal Time (UTC or Greenwich Mean Time).
Internal CMOS Clock
Set the Internal CMOS Clock Time
STEP 1 From the LSM, select System > Configuration > Time Options.
STEP 2 On the Time Options page in the Clock Source table, click Internal CMOS clock.
STEP 3 To automatically populate the date and time settings, click Set Time to Local Browser Time. OR Type the CMOS Date and Time in the formats specified next to the fields.
STEP 4 Click Apply.
Configure the X family device for NTP Servers
STEP 1 From the LSM menu, select System > Configuration > Time Options.
STEP 2 On the Time Options page in the Time Zone table, click NTP protocol.
STEP 3 Type the Server host IP address and port for the NTP server. Then, click Add to table below. You can add multiple NTP server hosts.
STEP 4 In the Duration field, type the interval (in minutes) at which the X family device will check the time server.
SMS/NMS
From an NMS, you can remotely monitor the events and system status of the X family device. Configuring an NMS enables applications such as HP OpenView™ to monitor the device. When a device is under SMS management, the message (DEVICE UNDER SMS CONTROL) displays in red at the top of each page in the LSM. In this state, you can view system configuration and status, but editing is not available, with the exception of Authentication configuration.
The following figure shows the Configure - SMS and NMS page:
Figure 8–4: Configure - SMS and NMS Page
CAUTION Communication between the X family device and the SMS or NMS is managed by the SNMP server, which provides access to interface counters and other statistics, configuration data, and general system information via the Simple Network Management Protocol (SNMP). You enable the SNMP server by selecting the SNMP V2 option during the SMS/NMS configuration process.
High Availability
STEP 4 Click Apply.
Note If the X family device has previously been managed by an SMS, the serial number, IP address, and port for the SMS display.
View or Configure NMS Information
STEP 1 From the LSM menu, select System > Configuration > SMS/NMS.
STEP 2 On the SMS & NMS page in the Configure SMS table, verify that the SNMP V2: Enabled field is selected.
STEP 3 In the NMS Settings table, type the NMS Community String. You can enter 1-31 characters for this string.
How High Availability Works
The following sections describe how high availability works in failover and standby mode and how polling monitors the state of the active device. For details on configuring High Availability, see “Configuration Overview” on page 237.
Polling
The High Availability function provides an optional polling feature that can be configured through the CLI. Polling provides the regular heartbeat between the standby device and the active device. This function provides the following configuration parameters:
• Poll-timer determines the period in seconds at which the standby device polls the active device. This, in turn, determines how quickly the standby device will detect that the active device has failed.
You can configure and manage High Availability from the High Availability page, available from the LSM System menu. From this page you can:
• Configure an X family device for high availability
• Enable high availability
• Force a device to change its high availability state
Set up Devices for High Availability
STEP 1 Configure two X family devices with the same configuration.
STEP 2 Configure the network.
Thresholds to Monitor Memory and Disk Usage
STEP A On the High Availability page in the Communication Channel table, specify an HA Management IP Address for the Internal and External interfaces. Enter IP addresses that are one host number higher than the addresses you entered for the first device. For example, if you entered 192.168.1.201 for the internal interface on the first device, enter 192.168.1.202 for the second device.
STEP B Apply the changes.
You can specify the following settings for the disk and memory thresholds:
• Major Level — Set the major threshold to a level that provides enough time to react before the situation is critical. For example, for disk usage, set a level where the disk is getting full, but is not so full that system activity is interrupted. The default value for both disk and memory usage is 90%.
• Critical Level — Set the critical threshold at a level that warns users before damage is about to occur.
Email Server
The X family device can be configured to send an email message when an IPS filter is triggered. The Email Server page allows you to configure the default email server settings: the email address, domain server, and SMTP address for the messages sent from the device. After the email server settings have been configured, you can specify the email address contacts from the Notification Contacts page when you create or edit an action set.
STEP 7 Click Apply.
STEP 8 Click Test Email to verify your configuration settings.
For additional information on sending emails from the X family device, see “Notification Contacts” on page 52.
Syslog Servers
To maintain and back up all log data from the X family device, you can configure remote syslog servers for system-related logs (System, Audit, VPN and Firewall Session logs).
Setup Wizard
You can also set up X family devices from an SSH command line using the CLI setup wizard. The CLI setup wizard provides additional options for configuring SMS and NMS management. The CLI Wizard is documented in the Command Line Interface Reference. The following table lists the configuration steps included in the Setup Wizard, along with links to documentation on each configuration task.
9 Authentication
The Authentication section describes how to create and manage user accounts and how to configure the Privilege groups, RADIUS server and X.509 certificates used for VPN authentication.
Chapter 9 Authentication
Overview
The LSM Authentication menu pages enable Administrators to create and manage user accounts and configure authentication rules. The Authentication menu provides the following options:
• User List — create and manage user accounts to provide access to LSM operators and administrators and to provide local users with access to network services through the X family device.
User List
TOS and Local User Accounts
The X family device has two types of user accounts:
A TOS User account provides access to the administrative interfaces of TOS to manage the device through the LSM web interface or from the Command Line Interface (CLI). The management functions available to a TOS user are determined by the access level configured on the account. TOS users can only be defined in the embedded TOS user database on the device. TOS users cannot be configured in a RADIUS server.
Table 9–1: LSM Functions available to TOS Users based on Security Level (Continued)
Functional Area | Operator | Administrator | Super-user
System | view | all | all
Events/Logs | view (except Audit log) | view all (except Audit log) | all
Update | view | all | all
Configure | view | all except system time | all
Admin | change own password; view system log | change own password; view system log | all, including change Idle Timeout and change Password Expiration
Help | view | view | view
Username and P
Managing User Accounts
From the User List menu, you can complete the following tasks:
• Create an account
• Edit an existing account
• Change account passwords
The following figure shows the User List page:
Figure 9–1: User List Page
User Account Parameter Details
The configuration parameters for user accounts are provided in the following table.
Table 9–3: User Account Parameters
TOS User Accounts
Detail: Username. Description: The login name used to access LSM management functions.
Table 9–3: User Account Parameters (Continued)
Local Users
Detail: Login. Description: Username for the account. This is the login name used to access network services through the X family device. Usernames must be 6 to 31 alphanumeric characters.
Detail: Privilege Group. Description: The privilege group the user account is a member of. This determines whether the user has VPN client access and whether the user is subject to firewall rule authentication and web filtering policies.
How Local User Authentication Works: RADIUS, Privilege Groups and X.509 Certificates
See “Username and Password Requirements” on page 248 for more information.
STEP 7 Verify the password by re-entering it in the Confirm Password field.
STEP 8 Click Create.
Change Your Password
Note All TOS users can change the password on their own account. Only users with Super-user access can change passwords on any account.
STEP 1 From the LSM menu, select Authentication > User List.
STEP 1 A user logs on to the device to gain access to network resources. To access network services through the device Firewall, the user opens a standard Web browser and logs in using the LAN IP address of the device via HTTPS. When prompted, the user enters a username and password.
STEP 2 The device authenticates the user (checks that the user is listed in the database and that the username and password are correct).
You may choose to use RADIUS for VPN clients only, or to use it for both User Authentication and VPN Client Access.
STEP 4 In the Radius Server Setup table:
STEP A Type the Server Timeout value (between 1 and 30). This value defines the time in seconds the X family device waits for a response from the RADIUS server before it attempts to reconnect.
STEP B Type the Server Retries value (between 1 and 10).
The following figure shows the Privilege Groups page.
STEP 3 On the Create/Edit Privilege Group page, type or edit the Privilege Group Name. The name can be up to 32 alphanumeric characters, using only a to z, A to Z, 0 to 9, - (hyphen) and _ (underscore).
STEP 4 Check or uncheck each of the following:
• VPN Client Access — allow/deny VPN client dialup, inter-site VPN access and Internet access.
• Policy Authentication — allow/deny user authentication for firewall rules.
• ... own CA server or use a third-party organization for creating certificates. The same CA certificate is imported onto all X family devices that must authenticate with each other.
• Certificate Requests — provides a form and encoding method for the X family administrator to generate a signed Local certificate from the CA server. The administrator has to export the Certificate Request, and then provide it to the CA server.
CA Certificates
CA Certificates are digital certificates issued and signed by either a local Certificate Authority server or a Certificate Authority organization such as Verisign. You can create CA Certificates and sign them yourself using tools like OpenSSL. CA Certificates are installed on the CA server for your organization and are used to verify local certificates by signing them.
Table 9–5: Current CA Certificates Information (Continued)
Column: Functions. Description: For each CA Certificate listed in the table, you can:
• Delete the certificate.
• Export the certificate to a file.
• Edit the CA Certificate to view the certificate details, specify a Certificate Revocation List (CRL), and configure parameters to automatically update the CRL.
Column: CRL Expiry Status. Description: The expiration date of the Certificate Revocation List (CRL) associated with the CA Certificate.
Certificate Revocation Lists (CRLs) are continuously updated by the issuing Certificate Authority. To maintain the integrity of the CA Certificates, use the X.509 CA Certificate Details page to import and maintain the CRL used to validate the CA Certificate. From this page you can:
• View the certificate details
• Import a Certificate Revocation List (CRL) for the CA Certificate
• Configure automatic update of the CRL.
Configure CRL Parameters for a CA Certificate
STEP 1 From the LSM menu, select Authentication > X.509 Certificates.
STEP 2 On the CA Certificate page in the Current CA Certificates table, locate the CA Certificate that you want to configure. Then, in the Function(s) field, click the Edit icon.
STEP 3 On the X.509 CA Certificate Details page in the Certificate Revocation List table, select File. Then, type the File path and name for the CRL, or click Browse and navigate to the file.
The following figure shows the Certificate Request page:
Figure 9–5: Authentication: Certificate Request Page
For additional information, see the following topics:
• “Certificate Requests Parameter Details” on page 261
• “Managing Certificate Requests” on page 262
• “Import a signed Local Certificate” on page 263
• “X.
Managing Certificate Requests
You can perform the following management functions from the Certificate Request page:
Table 9–8: Certificate Request Functions
Function: Import Signed Local Certificate. Icon/Field: Import Signed Request table. Description: When you receive a signed certificate from the Certificate Authority, you can import the certificate so that it is available on the X family device.
STEP A In the DN Attribute field, select an attribute from the drop-down list.
STEP B Type the value in the data field.
STEP C Click Add to table below. The attribute and value are added to the Distinguished Name table. You can delete an attribute if required.
STEP D Repeat this process until you have defined the necessary information for the certificate.
STEP 6 Click Create.
The device uses PKCS#12 format for importing Local Certificates with their private key. PKCS#12 format is a commonly used portable format for importing certificates into browsers. The imported file may also include the CA Certificate, in which case the device adds the CA Certificate to the CA list. A local certificate can be installed using one of the following methods:
• Install the local certificate directly from the LSM Local Certificate page with a private key.
Table 9–9: Local Certificate Details (Continued)
Column: Distinguished Name. Description: The Distinguished Name of this Local Certificate. See “Certificate Requests” on page 260 for information about Distinguished Names. These include CommonName, Locale, State or Province, Organization, Department, Country, and Street Address.
STEP 4 Type the Local Certificate File path and filename for the signed local certificate, or click Browse and navigate to the file. The CA Certificate file must use the PKCS#12 format. You can only import a Local Certificate that has been signed by a CA Certificate available on the device. For details on importing CA Certificates, see “CA Certificates” on page 257.
STEP 5 Click Import to upload the Local Certificate onto the device.
Preferences
The following figure shows the Preferences page used to configure LSM user security settings:
Figure 9–7: Authentication - Preferences Page
Preferences Parameter Details
The following table provides information on the security preferences parameters.
Table 9–10: Authentication: Preferences for X Family User, Session, and Device Security (Continued)
TOS User Preferences
Field: Security Level. Description: Determines the length and complexity requirements for passwords. The following options are available:
• No Security Checking (Level 0) — Usernames cannot have any spaces. Passwords are not required.
Table 9–10: Authentication: Preferences for X Family User, Session, and Device Security (Continued)
Local User Preferences
Field: Inactivity Timeout. Description: For local users, the amount of time (in minutes) that can elapse with no user activity before the X family device logs out account access. This setting prevents unauthorized users from accessing network services if the user is unexpectedly called away from the workstation or forgets to log out.
A Browser Certificates
Details creating browser certificates for use in Internet Explorer so that notification messages are no longer reported to the user.
Overview
Due to the security settings of the Local Security Manager (LSM), Internet Explorer may display a Client Authentication message followed by a Security Alert message. These message dialogs display when you first establish an HTTPS session with the X family device. This appendix details how to create certificates to remove these messages.
Appendix A Browser Certificates
Client Authentication Message
The X family device uses the same HTTPS channel to communicate with other products as it does to communicate with the LSM. During the SSL handshake, the device asks for a client certificate for validation. This is meant for other products; however, LSM users may also be prompted for a client certificate. You can ignore this dialog.
Security Alert
STEP 1 Open Microsoft Internet Explorer (version 6.0 or later).
STEP 2 Select Tools > Internet Options.
STEP 3 Click on the Content tab. Click Certificates.
STEP 4 Click Import. The Certificate Import Wizard opens.
STEP 5 Click Next.
STEP 6 On the File to Import screen, do the following:
STEP A Click Browse.
STEP B Locate and select the file to_import.p12.
STEP C Click Next.
STEP 7 On the Password screen, do the following:
STEP A Enter your private key Password.
Certificate Authority
The following dialog warning displays for a certificate authority security alert:
Figure A–2: Certificate Authority
You can eliminate the Certificate Authority warning with the following procedure:
STEP 1 When the warning displays, click View Certificate. The Certificate dialog box displays.
Figure A–3: Certificate Dialog Box
STEP 2 Select the Certification Path tab.
STEP 3 Select the Root Authority. Click View Certificate.
Figure A–4: Certification Path Tab - Root Authority
STEP 4 The Certificate Import Wizard opens. Click Next.
Figure A–5: Certificate Import Wizard
The Certificate Store dialog displays.
Figure A–6: Certificate Store Dialog
STEP 5 Select the Place all certificates in the following store option. The certificate store should be Trusted Root Certificate Authorities. Click Next. The Completing the Certificate Import Wizard dialog displays.
Figure A–7: Completing the Certificate Import Wizard Dialog
STEP 6 Click Finish to install the certificate. The Root Certificate Store indicates the status of the import and displays the certificate information.
Figure A–8: Root Certificate Store Verification
STEP 7 Click Yes. The X family device LSM login page displays.
STEP 1 When the warning displays, click View Certificate. The Certificate dialog box displays.
Figure A–10: Certificate Dialog Box
STEP 2 On the General tab, make note of the serial number.
STEP 3 Navigate to and open the local workstation’s HOSTS file. On a Windows XP system, this file is located in C:\WINDOWS\system32\drivers\etc.
Figure A–11: HOSTS File
STEP 4 Add a line to the file with the X family device’s IP address and serial number.
STEP 5 When browsing to the X family device, enter the workstation name instead of the IP address in your Web browser. This name and certificate work only on that particular workstation.
Example - Creating Personal Certificate
The following is an example of how to create your own personal certificate. User entries are in bold. For security purposes, it is suggested that you do not use the passwords provided below.
[]# openssl req -new -x509 -days 3650 -out cert.
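The following script is an added example and is not part of the guide. It carries the whole certificate flow from Chapter 9 through with OpenSSL: a self-signed CA certificate (the same `openssl req -x509` step the personal-certificate example above begins with), a Certificate Request carrying a Distinguished Name built from the attributes the Certificate Request page offers, the CA-signed Local Certificate, and the PKCS#12 bundle (certificate, private key and CA certificate) that the device imports and that the Internet Explorer wizard above reads as to_import.p12. The file names, subject values and the passphrase are assumptions made for this example; the chain check mirrors the device's rule that a Local Certificate is accepted only when its signing CA is already installed.

```shell
#!/bin/sh
# Added example, not from the 3Com guide: build the X.509 material described in
# Chapter 9 with OpenSSL. File names, subject values and the passphrase below
# are assumptions for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/lsm-ca.key";        CA_CERT="$WORK/lsm-ca.crt"
LOCAL_KEY="$WORK/lsm-local.key";  CSR="$WORK/lsm-local.csr"
LOCAL_CERT="$WORK/lsm-local.crt"; P12="$WORK/to_import.p12"
P12_PASS="example-only-change-me"   # constructed passphrase; never reuse a printed one

# 1. CA certificate. The guide notes that CA certificates can be created and
#    self-signed with OpenSSL; this is that step.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=US/O=Example Org/CN=Example LSM CA" \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# 2. Certificate Request: a new private key plus a CSR whose Distinguished Name
#    uses the attributes offered on the Certificate Request page
#    (Country, State or Province, Locale, Organization, Department, CommonName).
make_request() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=Texas/L=Austin/O=Example Org/OU=IT/CN=lsm-x5.example.net" \
    -keyout "$LOCAL_KEY" -out "$CSR" 2>/dev/null
  openssl req -in "$CSR" -noout -verify 2>/dev/null   # CSR self-signature check
}

# 3. The CA signs the request; the output is the signed Local Certificate.
sign_request() {
  openssl x509 -req -in "$CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 365 -out "$LOCAL_CERT" 2>/dev/null
}

# 4. PKCS#12 bundle with the private key and the CA certificate, so that the
#    device adds the CA to its list when the Local Certificate is imported.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$LOCAL_KEY" -in "$LOCAL_CERT" -certfile "$CA_CERT" \
    -name "lsm-local" -passout "pass:$P12_PASS" -out "$P12"
}

# Pre-import check: the device only accepts a Local Certificate signed by a CA
# certificate it already holds, so verify the chain against that CA first.
verify_chain() { openssl verify -CAfile "$CA_CERT" "$LOCAL_CERT" >/dev/null 2>&1; }

# Number of certificates in the bundle (expected 2: the local and the CA certificate).
bundle_cert_count() {
  openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c "BEGIN CERTIFICATE"
}

# Serial number of the Local Certificate, the value the browser's General tab shows (Appendix A).
cert_serial() { openssl x509 -in "$LOCAL_CERT" -noout -serial | sed 's/^serial=//'; }

build_all() { make_ca; make_request; sign_request; make_pkcs12; }

build_all
verify_chain && echo "chain OK: $(bundle_cert_count) certificates in $P12, serial $(cert_serial)"
```

Run it once to produce a working set of files in a temporary directory; set WORK to keep them somewhere specific. The CSR is checked against its own signature before the CA signs it, and the finished Local Certificate is verified against the CA before it is packaged, so a mismatch between request and issuer surfaces here rather than as a rejected import on the device.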
B Web Filter Service
Detailed information about the Web Filter Service subscription service used to control access to web sites by category. This service is offered in partnership with SurfControl, a market-leading content filtering product.
Overview
The Web Filter Service is a subscription content filtering service that provides web content filtering based on web site category classifications. This service is operated in partnership with SurfControl, a provider of content filtering services.
Appendix B Web Filter Service
Core Categories
Core Categories are used to classify web sites that contain offensive, potentially dangerous, or criminal content. On the X family device, all Core Categories are blocked by default.
a public or private agency that provides educational information on drug use.
Gambling
This Core Category includes sites on the following topics:
• Online gambling or lottery sites that invite the use of real money. This also includes Web sites that provide phone numbers, online contacts or advice for placing wagers, participating in lotteries, or gambling real money
• newsgroups or sites discussing number running
• virtual casinos and offshore gambling ventures
• sports picks and betting pools
Weapons
This Core Category includes sites on the following topics:
• Instructions, recipes or kits for making bombs or other harmful or destructive devices.
• Web sites that primarily sell guns, weapons, ammunition or poisonous substances.
• Web sites that allow online purchasing or ordering information, including lists of prices and dealer locations.
Advertisement
• Banner Ad Servers
• Pop-Up advertisements
• Adware
Arts & Entertainment
• Museums, galleries, artist sites (sculpture, photography, etc.)
• Performing arts (theatre, vaudeville, opera, symphonies, etc.
Finance & Investment
• Web sites that provide stock quotes, stock tickers and fund rates.
• Web sites that allow stock or equity trading online.
• Investing advice or contacts for trading securities.
• Money management/investment services or firms.
Hobbies & Recreation
• Recreational pastimes such as collecting, gardening, kit airplanes
• Outdoor recreational activities such as hiking, camping, rock climbing
• Tips or trends focused on a specific art, craft, or technique
• Online publications on a specific pastime or recreational activity
• Online clubs, associations or forums dedicated to a hobby
• Traditional (board, card, etc.
Photo Searches
• Sites that provide resources for photo and image searches
• Online photo albums/digital photo exchange
• Image hosting
Real Estate
• Home, apartment, and land listings.
• Rental or relocation services.
• Tips on buying or selling a home.
• Mortgage and home loan information.
• Home improvement.
• Real estate agents and agencies.
Shopping
This Productivity category includes sites on the following topics:
• Internet malls and online auctions.
• Department stores, retail stores, company catalogs online.
• Online downloadable product warehouses; specialty items for sale.
• Companies online dedicated to freebies or merchandise giveaways.
Sports
This Productivity category includes sites on the following topics:
• Official team or conference Web sites.
• National, international, college, professional scores and schedules.
Each license allows one year of filtering for a specific X family product. Licenses cannot be transferred between base products, except through the standard Return Materials Authorization (RMA) process. When you purchase a Web Filter Service subscription, you will receive a License pack which includes a unique License Key. To enable the Web Filter Service for your product, register the License Key at http://eSupport.3com.com.
C Log Formats and System Messages
Details the formats of the downloadable logs and the system update status messages.
Overview
This appendix contains information on the formats of each of the logs downloaded from the Local Security Manager (LSM). This includes information on the remote syslog format and the High Availability messages contained in the System Log. This appendix also describes messages received during the system update process.
Appendix C Log Formats and System Messages
Log Formats
In the LSM, you can view all the logs in the GUI. In addition, you can download a text-only version of a log and view it in a browser window or save it to a file. If you save a log to a file, you can then offload it to a remote syslog server. When you download a log, the format is a stream of data separated by the delimiter specified in the GUI. In the System Log, the fields displayed in the GUI are the same as the fields in the downloaded log.
Table C–1: Alert and IPS Block Log Formats (Continued)
Field Name: Comp. Description: Software component that generated the message:
• ALT = Alert Log
• BLK = IPS Block Log
Field Name: Message (Contained within quotes.)
Sub-Field Name: Alert Action. Description:
• Alert = for Alert Log
• Block = for IPS Block Log
Sub-Field Name: Policy Log Version. Description: v4
Sub-Field Name: Alert Type. Description: A bit field that identifies a message as traffic threshold, invalid, etc.
Sub-Field Name: Policy UUID. Description: ID for the policy, enclosed within brackets ([]).
Table C–1: Alert and IPS Block Log Formats (Continued)
Field Name: Message (continued)
Sub-Field Name: In Security Zone NAME (string). Example: ANY
Sub-Field Name: Out Security Zone UUID (uuid)
Sub-Field Name: Out Security Zone NAME (string). Example: ANY
Sub-Field Name: Date & Time (Seconds). Description: Beginning timestamp, in seconds, of the aggregation period.
Sub-Field Name: Date & Time (Nanoseconds). Description: Beginning timestamp, in microseconds, of the aggregation period.
Sub-Field Name: Period. Description: Aggregation period, in minutes. 0 = no aggregation.
Table C–2: Audit Log Format (Continued)
Field Name: Entry_time. Description: Date and time of the event, in the form YYYY-MM-DD 24H:MI:SS.
Field Name: Access. Description: The access level of the user performing the action.
Field Name: Type. Description: The interface from which the user logged in.
• WEB for the LSM
• CLI for the Command Line Interface
Field Name: Address. Description: The IP address from which the user connected to perform the action.
Field Name: Cat. Description: The area in which the user performed an action (LOGIN, LOGOUT, and Launch Bar tabs).
Firewall Block Log Format
An example of a comma-delimited Firewall Block Log entry follows:
6,2006-10-05 17:12:31,INFO,BLK,"Block v4 2 [c52e3da9-23e0-11db-9cdd00132055ccd2] 1 [00000001-0001-0001-0001-000000007400] firewall 17 UDP 152.67.137.49:137 152.67.140.
Table C–3: Firewall Block Log Format (Continued)
Field Name: Message (cont.)
Sub-Field Name: Destination IP. Description: The destination IP address and port for the session. This represents the “target” of the session. Format is ddd.ddd.ddd.ddd:port.
Sub-Field Name: Packets Delta. Description: Not used.
Sub-Field Name: Mphy. Description: Ingress Port Number.
Sub-Field Name: Vlan. Description: Ingress VLAN. Normally used to identify the Security Zone.
Sub-Field Name: Source Zone UUID. Description: The UUID for the zone on which the source IP address appears.
Table C–3: Firewall Block Log Format (Continued)
Field Name: Message (cont.)
Sub-Field Name: Packet trace seq begin. Description: Packet trace not supported by Firewall.
Sub-Field Name: Packet trace seq end. Description: Packet trace not supported by Firewall.
The fields in this table are populated depending on the event being logged:
• Block event: This event represents a firewall block. The Category, URL, Session Start and Bytes fields will be blank.
Table C–4: Firewall Session Log Format (Continued)

Field Name: Description
• DstIP: The destination IP address and port for the session. This represents the “target” of the session. Format is ddd.ddd.ddd.ddd:port.
• Protocol: Number Protocol ()
• Source Zone UUID: The UUID for the zone on which the source IP address appears.
• Source Zone Name: The zone on which the source IP address appears.
Table C–5: VPN Log Format (Continued)

Field Name: Description
• Sev: Severity of the alert, from least to most severe:
  • INFO = for information only
  • WARN = warning
  • ERR = error
  • CRIT = critical
• Comp: Software component that generated the message: VPN.
• Message: (Contained within quotes.) The message text associated with the event.
Remote Syslog Log Format

The remote syslog format for the Alert, IPS Block, and Firewall Block Logs is described in this section.

Note
For the System, Audit, VPN, and Firewall Session Logs there is no dedicated remote syslog format. For these logs the downloaded file is sent to the remote syslog server as a straight data dump, without any manipulation of the data.

The following is an example of packet data sent to a collector.
Table C–7: Remote Syslog Field Descriptions (Continued)

Field: Description
• 10: Policy Name
• 11: Signature Name
• 12: Protocol name (“icmp”, “udp”, “tcp”, or “unknown”)
• 13: Firewall IP Protocol. Numeric and String. Format is (). Only used in Firewall Block Logs for the X family device. In all other logs, this field will be 0.
System Update Status Messages

Table C–8: High Availability Log Messages (Continued)

Message (Type): Description
• Standby HA device (ip-address) detected (Informational): The active device has detected one of the HA management IP addresses of the standby device. This should be logged for each IP interface that is configured with an HA management IP address.
• Active HA device (ip-address) requesting pre-emption (Informational): The active device has detected that the other device is also active (e.g.
If an error occurs, the information changes: the state displays as “UpdateFailure:” where is one of the states listed in the previous table, and the listed state carries a qualifier and a message describing the failure.
Appendix D Device Maximum Values

Details the maximum values for X family devices. The following table gives the maximum values for the configurable parameters of X family devices.
Appendix D Device Maximum Values

Table D–1: Device Maximum Values (Continued)

Parameter                           X5      X506
Network
IP Address Groups                   25      200
Entries per IP Address Group        50      200
Virtual Interfaces                  6       32
GRE Virtual Interfaces              4       100
Static Routes                       100     500
RIP Routes                          5,000   8,000
Schedules                           25      100
Virtual Servers                     25      100
DHCP Static Mapping                 128     512
Local Certificates                  5       25
Certificate Request                 5       5
CA Certificate                      5       25
URL Patterns                        200     1,000
Content Filter Default Cache Size   2 MB    4 MB
Appendix F Glossary

action set
An integral part of an attack or peer-to-peer filter, action sets determine what the X family device does when a packet triggers a filter. An action set can contain more than one action, and more than one type of action. The types of action that can be specified include the following:
• Flow Control actions — determine where a packet is sent after it is inspected. Permit allows a packet to reach its intended destination. Block discards a packet.
Application Protection
Category of filter types that defend against known and unknown exploits that target the applications and operating systems of workstations and servers on a network. These filters include a variety of attack protection and security policy filters. They match specific recognition data to detect an attempted attack and take the courses of action that you define when an attempt is detected.

attack filter package
See “Digital Vaccine Package” on page 309.
Digital Vaccine Filters Digital Vaccine Filters block attacks and other malicious traffic from the network. Filters come with a set of recommended (default) settings which specify the filter status (enabled or disabled), the type of action to be taken when the filter is triggered (action set defined to permit or block traffic and/or send a notification) and the Adaptive Filter Configuration (see page 60) setting (on or off).
IKE (Internet Key Exchange)
Internet Key Exchange (IKE) is used to negotiate the keying material that is used by the VPN encryption and integrity algorithms. IKE is a two-stage mechanism for automatically establishing IPSec tunnels with dynamically generated keying material: Phase 1 authenticates the peers and establishes the IKE security association, and Phase 2 negotiates the IPSec security associations that protect the tunnel traffic. IKE uses UDP port number 500 and precedes the actual IPSec data flow.
Network Equipment filters
Filters that detect and block malicious attacks that target equipment accessible through a network. Network attacks can broadly or specifically seek access to, and data to corrupt on, a network. These filters are part of the Infrastructure Protection filter category.

notification contacts
Recipients of alert messages. These contacts receive an email alert when a filter with the proper notification contacts settings triggers.
attack has gathered data by probing your system and scanning your network, it continues with pointed attacks against those vulnerabilities. Reconnaissance filters look for these patterns and alert either the LSM or the SMS when an attack is detected. Port Scan/Host Sweep filters (see page 311) are included in this category. These filters are part of the Application Protection filter category.
Streaming Media filters
Streaming Media filters detect and control traffic from Streaming Media applications that deliver audio and video content over IP protocols, typically UDP. Because these applications demand high bandwidth, their use can have a large negative impact on network performance. These filters can be used to block the operation of streaming media applications, and many of them can also be used to rate limit the traffic those applications generate.
Index

A access level, user 247 action set 307 action sets 44 Block 45 Block + Notify 45 Block + Notify + Trace 45 category 308 create 48 create, quarantine 51 Delete, Edit 48 flow control 44, 307 notification contacts 44 packet trace 44, 307 Permit + Notify 45 Permit + Notify + Trace 45 quarantine 48, 49 rate-limiting 49 Recommended 45 adaptive filter config 33, 37 events 60, 125 administrator 247 aggregation period 53, 307 Application Protection reconnaissance filters filter tuning 36 port scans, host sweep
warning xiii related documentation xiv screen captures xiii H health Auto Refresh option 267 module 118 performance/throughput 120 system summary 12 Health Monitor default disk and memory thresholds 240 reset 240 High Availability 217, 235 and bridge mode 150 configuration 237 failover 236 forcing state change 239 polling 237 standby operation 236 host quarantine 115 sweeps filters 35 logging mode 58 disable if network is congested 59 logs formats 1.
reset filters 35 packet statistics 13 TCP 45 RIP, definition of 312 role, user 247 rollback states, messages 303 rules firewall 63 S Schedules Delete 81 Edit 81 screen refresh 11 Security Access Level default setting, changing 268 username and password requirements 268 security alert 273 certificate authority 274 invalid certificate name 277 Security Management System 312 security notes 5 Security Zone 312 edit configuration, delete 136 segment configuration 132 signature, update download 224 SMS 312 confi