Freedom9 freeGuard 100 Administration Manual

Manual is about: UTM Firewall

Summary of freeGuard 100

  • Page 1

    freeGuard 100 Administration Guide. freeGuard 100 UTM Firewall Administration Guide, P/N: F0025000, Rev. 1.1.

  • Page 2

    Copyright and trademark information. This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without the express prior written consent of freedom9 Inc. © Copyright 2...

  • Page 3

    ii Table of Contents. 1 Introduction ......... 1; 1.1 About freeGuard 100 UTM Firewalls ......... 1; 1.1.1 Antivirus Protection ...

  • Page 4

    freeGuard 100 Administration Guide iii. 4.6.1 Connecting a Modem to the freeGuard 100 ......... 46; 4.6.2 Configuring Modem Settings ......... 46; 4.6.3 Redundant...

  • Page 5

    iv. 7.2.2 Access Profile Options ......... 97; 8 System Maintenance ......... 99; 8.1 Backup and Restore ...

  • Page 6

    v. 10.5.1 Routing Monitor List ......... 140; 11 Firewall ......... 142; 11.1 ...

  • Page 7

    vi. 12.3.1 RADIUS Server List ......... 185; 12.3.2 RADIUS Server Options ......... 185; 12.4 LDAP ...

  • Page 8

    vii. 15.2 Config ......... 225; 15.2.1 Virus List ...

  • Page 9

    viii. 17.7 Banned Word ......... 256; 17.7.1 Banned Word List ......... 256; 17.7.2 Banne...

  • Page 11

    1 Introduction. freedom9 Unified Threat Management (UTM) firewalls support network-based deployment of application-level services, including antivirus protection and full-scan content filtering. freedom9 UTM firewalls improve network security, reduce network misus...

  • Page 12

    1.1.2 Web Content Filtering. freeGuard 100 web content filtering can scan all HTTP content protocol streams for URLs, URL patterns, and web page content. If a URL matches an entry on the URL block list, or a web page contains a word or phrase that is in the content block list, the freeGuard...

  • Page 13

    The freeGuard 100 firewall protects your computer networks from Internet threats. After basic installation of the freeGuard 100, the firewall allows users on the protected network to access the Internet while blocking Internet access to internal networks. You can...

  • Page 14

    1.1.5 VLANs and Virtual Domains. The freeGuard 100 supports IEEE 802.1Q-compliant virtual LAN (VLAN) tags. Using VLAN technology, a single freeGuard 100 can provide security services to, and control connections between, multiple security domains according to the VLAN IDs added to VLAN packets. The ...

  • Page 15

    o XAuth authentication, o dead peer detection, o DHCP over IPsec, o secure Internet browsing. • PPTP for easy connectivity with the VPN standard supported by the most popular operating systems. • L2TP for easy connectivity with a more secure VPN standard, also su...

  • Page 16

    Web-based manager. Using HTTP or a secure HTTPS connection from any computer running Internet Explorer, you can configure and manage the freeGuard 100. The web-based manager supports multiple languages. You can configure the freeGuard 100 for HTTP and HTTPS administration from any freeGuard 100 int...

  • Page 18

    The freeGuard 100 Log Message Reference Guide describes the structure of freeGuard 100 log messages and provides information on all log messages generated by the freeGuard 100.

  • Page 19

    2 Web-based Manager. Using HTTP or a secure HTTPS connection from any computer running a web browser, you can configure and manage the freeGuard 100 (plain HTTP sends the administrator login in the clear, so use HTTPS on any path you do not fully control). The web-based manager supports multiple languages. You can configure the freeGuard 100 for HTTP and HTTPS administ...

  • Page 20

    Figure 2: Web-based manager button bar. • Contact Customer Support • Easy Setup Wizard • Console Access • Logout. 2.1.1 Contact Customer Support. The Contact Customer Support button opens the freedom9 support web page in a new browser window. From this page you can • register your freeGuard 100 (pro...

  • Page 21

    Figure 3: Console Access. Connect: connect to the freeGuard 100 using the CLI. Disconnect: disconnect from the freeGuard 100. Clear Screen: clear the screen. 2.1.4 Logout. The Logout button immediately logs you out of the web-based manager. Log out before you close t...

  • Page 22

    Figure 4: Parts of the web-based manager. 2.2.1 Web-based Manager Menu. The menu provides access to configuration options for all major features of the freeGuard 100. System: configure system facilities, such as network interfaces, virtual domains, DHCP services, time, and set system options. Router: ...

  • Page 23

    Figure 5: Example of a web-based manager list. The list shows some information about each item, and the icons in the rightmost column enable you to take action on the item. In this example, you can select Delete to remove the item or select Edit to modify the item...

  • Page 24

    2.2.4 Status Bar. The status bar is at the bottom of the web-based manager screen. Figure 6: Status bar. The status bar shows: • how long the freeGuard 100 has been operating since the last time it was restarted • the virtual domain to which the current page applies. Virtual domain information is no...

  • Page 25

    3 System Status. You can connect to the web-based manager and view the current system status of the freeGuard 100. The status information that is displayed includes the system status, unit information, system resources, and session log. This chapter includes: • s...

  • Page 26

    Automatic Refresh Interval: select to control how often the web-based manager updates the system status display. Go: select to set the selected automatic refresh interval. Refresh: select to manually update the system status display. System Status. Up Time: the time in days, hours, and minutes since t...

  • Page 27

    downloaded. Select Details to see the FTP site URL, date, time, user, and lists of files uploaded and downloaded. Interface Status. All interfaces in the freeGuard 100 are listed in the table. Interface: the name of the interface. IP / Netmask: the IP address and ne...

  • Page 28

    History. The History page displays 6 graphs representing the following system resources and protection: CPU Usage History: CPU usage for the previous minute. Memory Usage History: memory usage for the previous minute. Session History: session history for the previous minute. Network Utilization Histo...

  • Page 29

    The new host name is displayed in the Host Name field and in the CLI prompt, and is added to the SNMP system name. To update the firmware version. To update the antivirus definitions manually: 1. Download the latest antivirus definitions update file from freedom9...

  • Page 30

    mode, you may have to change the IP address of your computer to the same subnet as the management IP address. To change to NAT/Route mode. After you change the freeGuard 100 from NAT/Route mode to Transparent mode, most of the configuration resets to Transparent mode factory defaults, except f...

  • Page 31

    Page Down icon: select to view the previous page in the session list. Protocol: the service protocol of the connection, for example, UDP, TCP, or ICMP. From IP: the source IP address of the connection. From Port: the source port of the connection. To IP: the destination i...

  • Page 32

    Testing a new firmware image before installing it. Use this procedure to test a new firmware image before installing it. To use this procedure you must connect to the CLI using the freeGuard 100 console port and a null-modem cable. This procedure temporarily installs a new firmware image using you...

  • Page 33

    5. Enter the following command to copy the firmware image from the TFTP server to the freeGuard 100: execute restore image <filename> <tftp_ip>, where <filename> is the name of the firmware image file and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is free...

  • Page 34

    5. Type the path and filename of the firmware image file, or select Browse and locate the file. 6. Select OK. The freeGuard 100 uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the freeGuard 100 login. This process takes a few ...

  • Page 35

    9. To confirm that the new firmware image has been loaded, enter: get system status. 10. To restore your previous configuration if needed, use the command: execute restore config. 11. Update antivirus and attack definitions. For information, see “To update antivir...

  • Page 36

    execute ping 192.168.1.168. 6. Enter the following command to restart the freeGuard 100: execute reboot. The freeGuard 100 responds with the following message: This operation will reboot the system! Do you want to continue? (y/n). 7. Type y. As the freeGuard 100 starts, a series of system startup ...

  • Page 37

    you do not enter the IP address of another device on this network. The following message appears: Enter File Name [image.out]: 11. Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the freeGuard 100 and message...

  • Page 38

    2. Make sure the TFTP server is running. 3. Copy the new firmware image file to the root directory of the TFTP server. 4. Make sure that the internal interface is connected to the same network as the TFTP server. You can use the following command to ping the computer running the TFTP server. For ...

  • Page 39

    The IP address must be on the same network as the TFTP server, but make sure you do not use the IP address of another device on this network. The following message appears: Enter File Name [image.out]: 11. Enter the firmware image file name and press Enter. The ...
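The TFTP firmware procedures above leave two things to the operator: the temporary address given to the freeGuard 100 must be on the TFTP server's network without colliding with another device, and the image served from the TFTP root must be the one you vetted. The following is an added example written for this page, not code from the manual or from freedom9. It checks both points before you touch the console. The addresses other than the manual's 192.168.1.168 TFTP server, the image bytes, and the idea of comparing a SHA-256 recorded at download time are assumptions for the illustration; TFTP itself provides no authentication or integrity protection, which is why the hash check is worth doing.

```python
"""Pre-flight checks for the TFTP firmware procedure (added example)."""
import hashlib
import ipaddress


def plan_tftp_restore(fw_ip, netmask, tftp_ip, other_hosts, image_name):
    """Validate the temporary address the manual asks for and return the CLI
    command from the procedure. Raises ValueError when the plan breaks one
    of the stated rules (same network as the TFTP server, no collision)."""
    net = ipaddress.ip_network(f"{tftp_ip}/{netmask}", strict=False)
    fw = ipaddress.ip_address(fw_ip)
    if fw not in net:
        raise ValueError(f"{fw_ip} is not on the TFTP server's network {net}")
    taken = {ipaddress.ip_address(tftp_ip)}
    taken |= {ipaddress.ip_address(h) for h in other_hosts}
    if fw in taken:
        raise ValueError(f"{fw_ip} is already used by another device on {net}")
    if fw in (net.network_address, net.broadcast_address):
        raise ValueError(f"{fw_ip} is the network or broadcast address of {net}")
    return f"execute restore image {image_name} {tftp_ip}"


def image_matches(image_bytes, expected_sha256_hex):
    """True when the staged image hashes to the value recorded when it was
    downloaded. TFTP cannot tell you that the bytes served are the bytes
    you vetted, so compare them yourself before serving the file."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256_hex.strip().lower()


# Constructed sample: the manual pings the TFTP server at 192.168.1.168; the
# other addresses and the image contents are made up for this illustration.
SAMPLE_IMAGE = b"freeGuard-100-sample-image\x00" * 8
SAMPLE_IMAGE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()  # "recorded at download"

if __name__ == "__main__":
    print(plan_tftp_restore("192.168.1.99", "255.255.255.0", "192.168.1.168",
                            ["192.168.1.1", "192.168.1.50"], "image.out"))
    print(image_matches(SAMPLE_IMAGE, SAMPLE_IMAGE_SHA256))
```

Run the address check against the real list of hosts on the management segment (a DHCP lease table or an ARP sweep is a practical source), and store the expected hash somewhere other than the TFTP root so a swapped image cannot bring its own checksum along.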

  • Page 40

    4 System Network. System network settings control how the freeGuard 100 connects to and interacts with your network. Basic network settings start with configuring freeGuard 100 interfaces to connect to your network and configuring the freeGuard 100 DNS settings. More advanced network settings incl...

  • Page 41

    IP: the current IP address of the interface. Netmask: the netmask of the interface. Access: the administrative access configuration for the interface. Status: the administrative status for the interface. If the administrative status is a green arrow, the interface i...

  • Page 42

    • to control administrative access to an interface • to change the MTU size of the packets leaving an interface • to configure traffic logging for connections to an interface. Name: the name of the interface. Interface: select the name of the physical interface to add the VLAN sub-interface to. All ...

  • Page 43

    IP address from the DHCP server. The default gateway is added to the static routing table. Override Internal: enable Override Internal DNS to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. You should a...

  • Page 44

    of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address. Initial Disc Timeout: initial discovery timeout, the time to wait before retrying to start PPPoE discovery. Set Initial Disc Timeout to 0 to disable. Init...

  • Page 45

    Password: the password to use when connecting to the DDNS server. Ping Server: add a ping server to an interface if you want the freeGuard 100 to confirm connectivity with the next-hop router on the network connected to the interface. Adding a ping server is requi...

  • Page 46

    4.1.2 Configuring Interfaces. Use the following procedures to configure freeGuard 100 interfaces and VLAN sub-interfaces. You cannot use the following procedures for the modem interface. • to bring down an interface that is administratively up • to add interfaces to a zone • to add an interface to...

  • Page 47

    2. Choose the zone to add the interface or VLAN sub-interface to and select Edit. 3. Select the names of the interfaces or VLAN sub-interfaces to add to the zone. 4. Select OK to save the changes. To add an interface to a virtual domain. If you have added virtual...

  • Page 48

    To configure an interface for PPPoE. Use this procedure to configure any freeGuard 100 interface to use PPPoE. 1. Go to System > Network > Interface. 2. Choose an interface and select Edit. 3. In the Addressing Mode section, select PPPoE. 4. Enter your PPPoE account user name and password. 5. Ente...

  • Page 49

    To configure support for dynamic DNS services. 1. Go to System > Network > Interface. 2. Select the interface to the Internet and then select Edit. 3. Select DDNS Enable. 4. From the Server list, select one of the supported dynamic DNS services. 5. In the Domain ...

  • Page 50

    To change the MTU size of the packets leaving an interface. 1. Go to System > Network > Interface. 2. Choose an interface and select Edit. 3. Select Override default MTU value (1500). 4. Set the MTU size. To configure traffic logging for connections to an interface. 1. Go to System > Network > Inte...

  • Page 51

    4.2.1 Zone Settings. Figure 14: Zone settings. Name: enter the name to identify the zone. Block intra-zone traffic: select Block intra-zone traffic to block traffic between interfaces or VLAN sub-interfaces in the same zone. Interface Members: enable check boxes to s...

  • Page 52

    3. Select Edit to modify a zone. 4. Select or deselect Block intra-zone traffic. 5. Select the names of the interfaces or VLAN sub-interfaces to add to the zone. 6. Clear the check box for the names of the interfaces or VLAN sub-interfaces to remove from the zone. 7. Select OK. 4.3 Management Con...

  • Page 53

    To configure the management interface. 1. Go to System > Network > Management. 2. Enter the management IP/netmask. 3. Enter the default gateway. 4. Select the management virtual domain. 5. Select Apply. 6. The freeGuard 100 displays the following message: Managem...

  • Page 54

    To add DNS server IP addresses. 1. Go to System > Network > DNS. 2. Change the primary and secondary DNS server IP addresses as required. 3. Select Apply to save the changes. 4.5 Routing Table (Transparent Mode). In Transparent mode, you can configure routing to add static routes from the freeGuard...

  • Page 55

    To add a Transparent mode route. 1. Go to System > Network > Routing Table. 2. Select Create New to add a new route. 3. Set the Destination IP and Mask. For the default route, set both the destination IP and the mask to 0.0.0.0. 4. Set Gateway to the IP address...

  • Page 56

    4.6.1 Connecting a Modem to the freeGuard 100. The freeGuard 100 can operate with most standard external serial-interface modems that support standard Hayes AT commands. To connect, install a USB-to-serial converter between one of the two USB ports on the freeGuard 100 and the serial port on the m...

  • Page 57

    routed to the modem interface. The modem disconnects after the idle timeout period. You cannot select Dial on Demand if Auto-dial is selected. Idle Timeout (standalone mode only): enter the timeout duration in minutes. After this period of inactivity, the modem d...

  • Page 58

    Redial Limit: enter the maximum number of times to retry if the ISP does not answer. Dialup Account 1, Dialup Account 2, Dialup Account 3: enter the ISP phone number, user name and password for up to three dialup accounts. 4. Select Apply. 5. Configure a ping server for the Ethernet interface the mod...

  • Page 59

    You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the freeGuard 100. 4.6.6 Connecting and Disconnecting the Modem. The modem must be in standalone mode. To connect to a dialup account. 1. Go ...

  • Page 60

    A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network. A VL...

  • Page 61

    In NAT/Route mode, freeGuard 100s support VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the freeGuard 100. Normally the freeGuard 100 internal interface connects to a VLAN trunk on an internal switch, and the exte...

  • Page 62

    Figure 22: freeGuard 100 in NAT/Route mode. 4.8.3 Adding VLAN Sub-interfaces. The VLAN ID of each VLAN sub-interface must match the VLAN ID added by the IEEE 802.1Q-compliant router. The manual states that the VLAN ID can be any number between 1 and 4096; note that the 802.1Q VID field is 12 bits with 0 and 4095 reserved, so the IDs that can actually appear on a trunk are 1 to 4094. Each VLAN sub-interface must also be configured with its own IP a...

  • Page 63

    4.9 VLANs in Transparent Mode. In Transparent mode, the freeGuard 100 can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1Q VLAN trunk. You can insert the freeGuard 100 oper...

  • Page 64

    Figure 24: freeGuard 100 in Transparent mode. 4.9.1 Rules for VLAN IDs in Transparent Mode. Two VLAN sub-interfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN sub-interfaces with the same VLAN IDs to different physical interfaces. There ...

  • Page 65

    Figure 25: Sample Transparent mode VLAN list. Create New: select Create New to add a VLAN sub-interface to a freeGuard 100 interface. Virtual Domain: select a virtual domain to display the VLAN interfaces added to this virtual domain. Name: the name of the interface...

  • Page 66

    Note: a VLAN must not have the same name as a virtual domain or zone. 1. Go to System > Network > Interface. 2. Select Create New to add a VLAN sub-interface. 3. Enter a name to identify the VLAN sub-interface. 4. Select the physical interface that receives the VLAN packets intended for this VLAN...
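The VLAN sections above state a handful of rules that are easy to break when a trunk carries dozens of tags: the VLAN ID must be one an 802.1Q trunk can carry, two sub-interfaces on the same physical interface cannot share an ID while the same ID may be reused on different physical interfaces, and a VLAN name must not collide with a zone or virtual domain name. The checker below is an added example for this page, not the freeGuard 100's own code; the dictionary layout, the physical interface names (internal, external, dmz) and the sample plan are constructed for the illustration. It applies the stricter 1 to 4094 VID range rather than the manual's 1 to 4096.

```python
"""Consistency check for a planned set of VLAN sub-interfaces (added example)."""


def validate_vlans(vlans, zones, vdoms):
    """Return a list of problems; an empty list means the plan is consistent.

    vlans: list of {"name": str, "interface": physical interface, "vid": int}
    zones, vdoms: names already used by zones and virtual domains
    """
    problems = []
    reserved_names = set(zones) | set(vdoms)
    seen_names = set()
    seen_vid = {}  # (physical interface, vid) -> name of the sub-interface using it
    for v in vlans:
        name, phys, vid = v["name"], v["interface"], v["vid"]
        # 802.1Q VID is 12 bits; 0 and 4095 are reserved, so 1..4094 is usable
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN ID {vid} is outside 1-4094 (0 and 4095 are reserved)")
        if name in reserved_names:
            problems.append(f"{name}: name collides with a zone or virtual domain")
        if name in seen_names:
            problems.append(f"{name}: duplicate VLAN sub-interface name")
        seen_names.add(name)
        # same VID on the same physical interface is rejected; on another one it is fine
        key = (phys, vid)
        if key in seen_vid:
            problems.append(f"{name}: VLAN ID {vid} already used on {phys} by {seen_vid[key]}")
        else:
            seen_vid[key] = name
    return problems


# Constructed sample plan
SAMPLE_VLANS = [
    {"name": "vlan_100_int", "interface": "internal", "vid": 100},
    {"name": "vlan_100_ext", "interface": "external", "vid": 100},  # same VID, other port: allowed
    {"name": "vlan_100_dup", "interface": "internal", "vid": 100},  # same VID, same port: rejected
    {"name": "dmz", "interface": "dmz", "vid": 4095},               # name is a zone; VID reserved
]
SAMPLE_ZONES = ["dmz", "servers"]
SAMPLE_VDOMS = ["root"]

if __name__ == "__main__":
    for p in validate_vlans(SAMPLE_VLANS, SAMPLE_ZONES, SAMPLE_VDOMS):
        print(p)
```

Feed it the sub-interface list exported from the unit together with the zone and virtual domain names before creating new entries; the (interface, VID) collision is the one the web-based manager will reject, the other two are the ones that silently produce a confusing configuration.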

  • Page 67

    5 System DHCP. You can configure DHCP server or DHCP relay agent functionality on any freeGuard 100 interface or VLAN sub-interface. A freeGuard 100 interface can act as either a DHCP server or as a DHCP relay agent. An interface cannot provide both functions at ...

  • Page 68

    Figure 28: View or edit DHCP service settings for an interface. Interface: the name of the interface. None: no DHCP services provided by the interface. DHCP Relay Agent: select to configure the interface to be a DHCP relay agent. Type: select the type of DHCP relay agent. Regular: configure the interfa...

  • Page 69

    To configure an interface to be a DHCP server. You can configure a DHCP server for any freeGuard 100 interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on the network connected to the interface. You can also configure a DHCP serv...

  • Page 70

    5.2.1 DHCP Server Settings. Figure 30: Server options. Name: enter a name for the DHCP server configuration. Interface: select the interface for which to configure the DHCP server. Domain: enter the domain that the DHCP server assigns to DHCP clients. Default Gateway: enter the IP address of the defaul...

  • Page 71

    an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. To configure a DHCP server for an interface. After configuring an interface to...
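The DHCP server settings above take an option's value as a hex string with an even number of characters, which means the administrator has to produce the RFC 2132 encoding by hand. The code below is an added example for this page, not part of the manual or of the freeGuard 100 firmware. It encodes the common option formats (lists of IPv4 addresses, text, 32-bit seconds), enforces the even-length rule, and serialises and parses the code/length/value layout those values end up in, rejecting a length that runs past the buffer. Which option codes the appliance accepts, and the sample values, are assumptions.

```python
"""RFC 2132 DHCP option encoding and parsing (added example)."""
import ipaddress

_IPV4_LIST = {3, 6, 42, 44}   # routers, DNS servers, NTP servers, NetBIOS name servers
_TEXT = {12, 15, 66, 67}      # host name, domain name, TFTP server name, bootfile name
_UINT32 = {51, 58, 59}        # lease time, renewal (T1), rebinding (T2), in seconds


def option_value_hex(code, value):
    """Return the even-length hex string for one option's value."""
    if code in _IPV4_LIST:
        raw = b"".join(ipaddress.IPv4Address(ip).packed for ip in value)
    elif code in _TEXT:
        raw = value.encode("ascii")
    elif code in _UINT32:
        raw = int(value).to_bytes(4, "big")
    elif isinstance(value, (bytes, bytearray)):
        raw = bytes(value)        # caller supplies the RFC 2132 layout for other codes
    else:
        raise ValueError(f"no encoder for option {code}; pass raw bytes")
    if not 0 < len(raw) <= 255:  # the length field is one byte
        raise ValueError(f"option {code}: value must be 1..255 bytes, got {len(raw)}")
    return raw.hex()


def hex_to_bytes(hex_str):
    """Apply the manual's rule: an odd number of hex digits is not a value."""
    if len(hex_str) % 2:
        raise ValueError("hex value must have an even number of characters")
    return bytes.fromhex(hex_str)


def encode_tlv(options):
    """Serialise {code: hex_value} into the code/length/value layout of the
    DHCP options field, terminated by the End option (255)."""
    out = bytearray()
    for code, hex_value in options.items():
        if not 1 <= code <= 254:      # 0 is Pad and 255 is End
            raise ValueError(f"option code {code} out of range")
        raw = hex_to_bytes(hex_value)
        if len(raw) > 255:
            raise ValueError(f"option {code} too long")
        out += bytes([code, len(raw)]) + raw
    out.append(255)
    return bytes(out)


def decode_tlv(data):
    """Parse an options field back into {code: bytes}, honouring Pad (0) and
    End (255) and refusing a length that points past the end of the data."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("option code without length byte")
        length = data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError(f"option {code}: length {length} runs past end of data")
        opts[code] = bytes(data[i + 2:i + 2 + length])
        i += 2 + length
    return opts


if __name__ == "__main__":
    # Constructed sample: NTP server (42), domain name (15), lease time (51)
    print(option_value_hex(42, ["192.168.1.168"]))
    print(option_value_hex(15, "example.com"))
    print(option_value_hex(51, 86400))
```

The parser's bounds check is the part worth keeping in any DHCP-handling code you write: a length byte that exceeds the remaining data is exactly the kind of malformed input an unauthenticated broadcast protocol lets anyone on the segment send.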

  • Page 72

    Starting IP: the starting IP of the exclude range. Ending IP: the ending IP of the exclude range. Delete: delete an exclude range. Edit/View icon: view or modify an exclude range. 5.3.1 DHCP Exclude Range Settings. The range cannot exceed 65536 IP addresses. Figure 32: Exclude range settings. Starting ...

  • Page 73

    Delete icon: delete an IP/MAC binding pair. Edit/View icon: view or modify an IP/MAC binding pair. 5.4.1 DHCP IP/MAC Binding Settings. Figure 34: IP/MAC binding options. Name: enter a name for the IP/MAC address pair. IP Address: enter the IP address for the IP a...

  • Page 74

    6 System Config. Use the System Config page to make any of the following changes to the freeGuard 100 system configuration: • system time • options • HA • SNMP • replacement messages. 6.1 System Time. Go to System > Config > Time to set the freeGuard 100 system time. For effective scheduling and log...

  • Page 75

    information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org. Server: enter the IP address or domain name of the NTP server that the freeGuard 100 can use to set its time and date. Syn Interval: specify how often the f...

  • Page 76

    Figure 36: System Config options. Idle Timeout: set the idle timeout to control the amount of inactive time before the administrator must log in again. The maximum admin timeout is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes. Auth Timeout: set...

  • Page 77

    To select a language for the web-based manager. 1. Go to System > Config > Options. 2. From the Languages list, select a language for the web-based manager to use. 3. Select Apply. To modify the dead gateway detection settings. Modify dead gateway detection to con...

  • Page 78

    freeGuard 100s can increase overall network performance by sharing the load of processing network traffic and providing security services. The cluster appears to your network to be a single device, adding increased performance without changing your network configuration. The freeGuard clustering ...

  • Page 79

    freeGuard 100 HA compatibility with DHCP and PPPoE. freeGuard 100 HA is not compatible with dynamic addressing such as DHCP or PPPoE. If one or more freeGuard 100 interfaces is dynamically configured using DHCP or PPPoE you cannot switch to operating in HA mode. Also,...

  • Page 80

    Figure 37: HA configuration. Standalone Mode: standalone mode is the default operation mode. If Standalone Mode is selected, the freeGuard 100 is not operating in HA mode. Select Standalone Mode if you want to stop a cluster unit from operating in HA mode. High Availability: select High Availability ...

  • Page 81

    virtual MAC address set for each group ID.

    Table 3: HA group ID and MAC address

        Group ID    MAC address
        0           00-09-0f-06-ff-00
        1           00-09-0f-06-ff-01
        2           00-09-0f-06-ff-02
        3           00-09-0f-06-ff-03
        ...         ...
        63          00-09-0f-06-ff-3f

    If you have more than one HA cluster on the same network...

  • Page 82

    Password: enter a password for the HA cluster. The password must be the same for all cluster units. The maximum password length is 15 characters. If you have more than one freeGuard 100 HA cluster on the same network, each cluster must have a different password. Schedule: if you are configuring an ...

  • Page 83

    either of these interfaces or enable HA heartbeat for other interfaces. In most cases you can maintain the default heartbeat device configuration as long as you can connect the heartbeat device interfaces together. The heartbeat priority must be set for at least...

  • Page 84

    For most freeGuard 100 models, if you do not change the heartbeat device configuration, you would isolate the HA interfaces of all of the cluster units by connecting them all to the same switch. If the cluster consists of two freeGuard 100s you can connect the heartbeat device interfaces directly ...

  • Page 85

    • to configure weighted round-robin weights • to switch between load balancing virus scanning sessions and all sessions. To configure a freeGuard 100 for HA operation. Each freeGuard 100 in the cluster must have the same HA configuration. Use the following procedu...

  • Page 86

    using the same hub or switch. freedom9 recommends using switches for all cluster connections for the best performance. Inserting an HA cluster into your network temporarily interrupts communications on the network because new physical connections are being made to route traffic through the cluste...

  • Page 87

    To add a new unit to a functioning cluster. 1. Configure the new cluster unit for HA operation with the same HA configuration as the other units in the cluster. 2. If the cluster is running in Transparent mode, change the operating mode of the new cluster unit to...

  • Page 88

    The subordinate units process more connections than the primary unit, and both subordinate units, on average, process the same number of connections. To switch between load balancing virus scanning sessions and all sessions. By default a freeGuard 100 HA cluster load balances virus scanning sessio...

  • Page 89

    To view the status of each cluster member. 1. Connect to the cluster and log into the web-based manager. 2. Go to System > Config > HA. 3. Select Cluster Members. A list of cluster members appears. The list includes the cluster ID of each cluster member as well a...

  • Page 90

    excluded. Active Sessions: the number of communications sessions being processed by each cluster unit. Total Packets: the number of packets that have been processed by the cluster unit since it last started up. Virus Detected: the number of viruses detected by the cluster unit. Network Utilizati...

  • Page 91

    subordinate unit results in the following: • the cluster contains fewer freeGuard 100s. The failed unit no longer appears on the cluster members list. • the master unit logs the following message to the event log: detected HA member dead. To manage individual clu...

  • Page 92

    This section describes: • configuring SNMP • SNMP community • freeGuard 100 MIBs • freeGuard 100 traps • freedom9 MIB fields. 6.4.1 Configuring SNMP. Go to System > Config > SNMP v1/v2c to configure the SNMP agent. Figure 40: Configure SNMP. SNMP Agent: enable the freeGuard 100 SNMP agent. Descriptio...

  • Page 93

    6.4.2 SNMP Community. An SNMP community is a grouping of equipment for network administration purposes. Add SNMP communities so that SNMP managers can connect to the freeGuard 100 to view system information and receive SNMP traps. You can add up to three SNMP com...

  • Page 94

    Figure 42: SNMP community options (part 2). Community Name: enter a name to identify the SNMP community. In SNMP v1/v2c the community name is the only credential and travels in clear text, so treat it as a password and do not reuse the defaults. Hosts: identify the SNMP managers that can use the settings in this SNMP community to monitor the freeGuard 100; list only the specific manager addresses. IP Address: the IP address of an SNMP manager that can use the settings in this SNM...

  • Page 95

    1. Go to System > Network > Interface. 2. Choose an interface that an SNMP manager connects to and select Edit. 3. For Administrative Access, select SNMP. 4. Select OK. To configure SNMP access to an interface in Transparent mode. Before a remote SNMP manager can...

  • Page 96

    your SNMP manager to monitor all freeGuard 100 configuration settings. freedom9.trap.2.80.mib: the freedom9 trap MIB is a proprietary MIB that is required for your SNMP manager to receive traps from the freeGuard 100 SNMP agent. The freeGuard 100 SNMP agent supports MIB II groups with the followin...

  • Page 97

    100_serial_no>) (intfipchange): configured with dynamic IP addresses set using DHCP or PPPoE. Table 9: freeGuard 100 system traps. Trap message / Description. VPN tunnel is up (vpntunnelup): an IPsec VPN tunnel starts up and begins processing network traffic. VPN tunn...

  • Page 98

    hamode: the current freeGuard 100 high-availability (HA) mode (standalone, A-A, A-P). opmode: the freeGuard 100 operation mode (NAT or Transparent). cpuusage: the current CPU usage (as a percent). memusage: the current memory utilization (in MB). sescount: the current IP session count. Table 15: System...

  • Page 99

    RADIUS. State: whether the local user is enabled or disabled. Table 18: Local users MIB field description. Index: the index number of the virtual domain added to the freeGuard 100. Name: the name of the virtual domain added to the freeGuard 100. Each freeGuard 100 includes ...

  • Page 100

    6.5.1 Replacement Messages List. Figure 43: Replacement messages list. Name: the type of replacement message. You can change messages added to email, web pages in HTTP traffic, messages that are displayed to FTP users, alert mail messages, messages added to SMTP email, and messages added to web page...

  • Page 101

    6.5.2 Changing Replacement Messages. Figure 44: Sample HTTP virus replacement message. Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. In addition, replacement messages can include replacement message tags. When users rec...

  • Page 102

    %%EMAIL_TO%%: the email address of the intended receiver of the message from which the file was removed. %%NIDSEVENT%%: the IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages. %%SERVICE%%: the name of the web filtering service. %%CATEGORY%%: the name of the content category ...
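Replacement messages, as described above, are text or HTML templates into which the unit substitutes tag values, and some of those values (a blocked URL, a file name, an attack signature) originate from the traffic being filtered rather than from the administrator. The renderer below is an added example for this page, not the freeGuard 100's own implementation, and the page does not say how the appliance itself treats such values. It shows the property an HTML replacement message needs: every substituted value is entity-escaped so that it lands in the page as text, never as markup. %%SERVICE%% and %%CATEGORY%% are tags from the section above; %%URL%% and the sample page are assumptions for the illustration.

```python
"""%%TAG%% substitution for replacement messages with HTML escaping (added example)."""
import html
import re

TAG_RE = re.compile(r"%%([A-Z_]+)%%")


def render_replacement(template, values, is_html):
    """Expand %%TAG%% markers in a replacement message.

    For HTML messages each value is entity-escaped (<, >, &, quotes), so a
    URL or signature containing markup is shown literally. Text messages are
    substituted as-is. A tag with no value is left untouched (an assumption;
    the page does not say what the appliance does with an unknown tag).
    """
    def expand(match):
        tag = match.group(1)
        if tag not in values:
            return match.group(0)
        value = str(values[tag])
        return html.escape(value, quote=True) if is_html else value
    return TAG_RE.sub(expand, template)


# Constructed sample template and values
SAMPLE_HTML = ("<html><body><h2>Web page blocked</h2>"
               "<p>%%SERVICE%% blocked %%URL%% (category: %%CATEGORY%%).</p>"
               "</body></html>")
SAMPLE_VALUES = {
    "SERVICE": "freeGuard web filter",
    "CATEGORY": "Malware",
    # a URL that carries markup; escaping keeps it from becoming an element
    "URL": 'http://example.test/?q=<img src=x onerror="alert(1)">',
}

if __name__ == "__main__":
    print(render_replacement(SAMPLE_HTML, SAMPLE_VALUES, True))
```

Escaping at substitution time, rather than trusting the template author to do it, is what lets the administrator use free-form HTML in the template while keeping traffic-derived values inert.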

  • Page 103

    7 System Admin. When the freeGuard 100 is first installed, it is configured with a single administrator account with the user name admin. From this administrator account, you can add and edit administrator accounts. You can also control the access level of each o...

  • Page 104

execute restore execute router execute time execute traceroute log & report get alertemail get log execute enter config alertemail config log execute enter security policy get antivirus get firewall get ips get spamfilter get vpn get webfilter execute enter execute vpn config antivirus config fir...

  • Page 105

name the login name for an administrator account trusted hosts the trusted host ip address and netmask from which the administrator can log in. Permission the permission profile for the administrator. Edit or view icon select to edit or view the administrator ac...

  • Page 106

4. Type and confirm a password for the administrator account. 5. Optionally type a trusted host ip address and netmask from which the administrator can log into the web-based manager. 6. Select the access profile for the administrator. 7. Select ok. Figure 47: change an administrator password to ...

  • Page 107

7.2.1 access profile list figure 48: access profile list create new add a new access profile. Profile name the name of the access profile. Delete icon select to delete the access profile. You cannot delete an access profile that has administrators assigned to it...

  • Page 108

log & report select read to allow an administrator to view log setting, log access, and alert email features. To allow an administrator to modify these features, enable both read and write. Security policy select read to allow an administrator to view the firewall, vpn, ips, and antivirus feature...

  • Page 109

8 system maintenance use the web-based manager to maintain the freeguard 100. 8.1 backup and restore you can back up system configuration, vpn certificate, web and spam filtering files to the management computer. You can also restore system configuration, vpn ce...

  • Page 110

web url block list restore or back up the web url block list. Web url exempt list restore or back up the web url exempt list. Spam filtering ip address restore or back up the spam filter ip address list. Rbl & ordbl restore or back up the spam filter dnsbl and ordbl list. Email address restore o...

  • Page 111

to back up individual categories 1. Go to system > maintenance > backup & restore. 2. Select the backup icon for the type of file you want to back up. 3. Save the file. To restore individual categories 1. Go to system > maintenance > backup & restore. 2. Select...

  • Page 112

the freeguard 100 supports the following antivirus and attack definition update features: • user-initiated updates from the fsdn, • hourly, daily, or weekly scheduled antivirus and attack definition and antivirus engine updates from the fsdn, • push updates from the fsdn, • update status includi...

  • Page 113

successfully connected to the override server. If the freeguard sp distribution network stays set to not available, the freeguard 100 cannot connect to the override server. Check the freeguard 100 configuration and the network configuration to make sure you can...

  • Page 114

to make sure the freeguard 100 can connect to the fsdn 1. Go to system > config > time and make sure the time zone is set to the time zone for the region in which your freeguard 100 is located. 2. Go to system > maintenance > update center. 3. Select refresh. The freeguard 100 tests its connecti...

  • Page 115

3. Type the fully qualified domain name or ip address of a server. 4. Select apply. The freeguard 100 tests the connection to the override server. If the freeguard sp distribution network setting changes to available, the freeguard 100 has successfully connecte...

  • Page 116

connect to the fsdn. 8.2.2 enabling push updates the fsdn can push updates to freeguard 100s to provide the fastest possible response to critical situations. You must register the freeguard 100 before it can receive push updates. When you configure a freeguard 100 to allow push updates, the free...

  • Page 117

in transparent mode if you change the management ip address, the freeguard 100 also sends the setup message to notify the fsdn of the address change. Enabling push updates through a nat device if the fsdn can connect to the freeguard 100 only through a nat devi...

  • Page 118

destination the virtual ip added above. Schedule service always any action nat accept selected. 3. Select ok. To configure the freeguard 100 on the internal network 1. Go to system > maintenance > update center. 2. Select the allow push update check box. 3. Select the use override push check box...

  • Page 119

9 system virtual domain freeguard 100 virtual domains provide multiple logical firewalls and routers in a single freeguard 100. Using virtual domains, one freeguard 100 can provide exclusive firewall and routing services to multiple networks so that traffic fro...

  • Page 120

o vlan sub interfaces o zones o management ip • routing configuration o router configuration in nat/route mode o routing table configuration in transparent mode • firewall settings o policies o addresses o service groups o ip pools (are associated with an interface) o virtual ips (are associated...

  • Page 121

o options o ha o snmp v1/v2c o replacement messages o freeguard 100 configuration • system admin o administrators o access profiles • system maintenance o update center • firewall o services (predefined and custom) but not service groups o schedules o protectio...

  • Page 122

figure 52: virtual domain list create new add a new virtual domain. Current the name of the current virtual domain. Select change to choose a different domain. The default virtual domain is root. Management the name of the virtual domain used for system management. Select change to choose a diff...

  • Page 123

zone. 4. Select ok. 9.2.2 selecting a virtual domain the following procedure applies to nat/route and transparent mode. To select a virtual domain to configure 1. Go to system > virtual domain > virtual domains. 2. Select change following the current virtual do...

  • Page 124

9.3 configuring virtual domains the following procedures explain how to configure virtual domains: • adding interfaces, vlan sub interfaces, and zones to a virtual domain • configuring routing for a virtual domain • configuring firewall policies for a virtual domain • configuring ipsec vpn for a...

  • Page 125

the vlan sub interface moves to the virtual domain. Firewall ip pools and virtual ip added for this vlan sub interface are deleted. You should manually delete any routes that include this vlan sub interface. To view the interfaces in a virtual domain 1. Go to s...

  • Page 126

3. Choose the virtual domain for which to configure firewall policies. 4. Select ok. 5. Go to firewall > policy. 6. Select create new to add firewall policies to the current virtual domain. You can only add firewall policies for the physical interfaces, vlan sub interfaces, or zones added to the...

  • Page 127

9.3.4 configuring ipsec vpn for a virtual domain to configure vpn for a virtual domain the following procedure applies to nat/route and transparent mode. 1. Go to system > virtual domain > virtual domains. 2. Select change following the current virtual domain n...

  • Page 128

10 router this chapter describes how to configure freeguard 100 routing and rip. It contains the following sections: • static • policy • rip • router objects • monitor • cli configuration 10.1 static a static route specifies where to forward packets that have a particular destination ip address....

  • Page 129

figure 53: making a router the default gateway to route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default static route and include the following settings: • destination ip/mask: 0.0.0....

  • Page 130

figure 54: destination on networks behind internal routers to route packets from network_1 to network_2, router_1 must be configured to use the freeguard 100 internal interface as its default gateway. On the freeguard 100, you would create a new static route with these settings: • destination ip...

  • Page 131

ip the destination ip address for this route. Mask the netmask for this route. Gateway the ip address of the first next hop router to which this route directs traffic. Device the name of the freeguard 100 interface through which to route traffic. Distance the a...

  • Page 132

to move static routes 1. Go to router > static > static route. 2. Select the move to icon beside the route you want to move. Current order shows the existing number for this route. Figure 57: move a static route 3. For move to, select either before or after and type the number that you want to p...

  • Page 133

delete and edit icons delete or edit a policy route 10.2.2 policy route options figure 59: policy route configuration protocol match packets that have this protocol number. Incoming interface match packets that are received on this interface. Source address / m...

  • Page 134

9. Select ok. 10.3 rip the freeguard 100 implementation of the routing information protocol (rip) supports both rip version 1 as defined by rfc 1058, and rip version 2 as defined by rfc 2453. Rip version 2 enables rip messages to carry more information, and to support simple authentication and s...

  • Page 135

timeout the time interval in seconds after which a route is declared unreachable. The route is removed from the routing table. Rip holds the route until the garbage timer expires and then deletes the route. If rip receives an update for the route before the tim...

  • Page 136

figure 61: rip networks list create new add a new rip network. Ip/netmask the ip address and netmask for the rip network. Delete and edit icons delete or edit a rip network definition. 10.3.2 networks options figure 62: rip networks configuration to configure a rip network definition 1. Go to ro...

  • Page 137

split-horizon the split horizon type. Authentication the authentication type. Delete and edit icons delete or edit a rip interface definition. 10.3.4 interface options figure 64: rip interface configuration interface the freeguard 100 interface name. Send versi...

  • Page 138

authentication select the authentication used for rip version 2 packets sent and received by this interface. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, the authentication key is used to generate an md5 hash....

  • Page 139

figure 65: rip distribute list create new add a new distribute list. Direction the direction for the filter. Filter the type of filter and the filter name. Interface the interface to use this filter on. If no interface name is displayed, this distribute list is...

  • Page 140

3. Set direction to in or out. 4. Select either prefix-list or access-list. 5. Select the prefix list or access list to use for this distribute list. 6. Select an interface to apply this distribute list to, or select the blank entry to apply this distribute list to all interfaces. 7. Select or c...

  • Page 141

10.3.8 offset list options figure 68: rip offset list configuration direction select in to apply the offset to the metrics of incoming routes. Select out to apply the offset to the metrics of outgoing routes. Access-list select the access list to use for this o...

  • Page 142

the freeguard 100 attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny. For an access list to take effect it must be called...

  • Page 143

10.4.3 new access list entry figure 71: access list entry configuration list entry the access list name and the number of this entry. Action set the action to take for this prefix to permit or deny. Prefix select match any to match any prefix. Select match a ne...

  • Page 144

figure 72: prefix list create new add a new prefix list name. An access list and a prefix list cannot have the same name. Name the prefix list name. Action the action to take for the prefix in a prefix list entry. Prefix the prefix in a prefix list entry. Ge the greater than or equal to number. ...

  • Page 145

10.4.6 new prefix list entry figure 74: prefix list entry configuration list entry the prefix list name and the number of this entry. Action set the action to take for this prefix to permit or deny. Prefix select match any to match any prefix. Select match a ne...

  • Page 146

10.4.7 route-map list route maps are a specialized form of filter. Route maps are similar to access lists, but have enhanced matching criteria, and in addition to permit or deny actions can be configured to make changes as defined by set statements. The freeguard 100 attempts to match the rules ...

  • Page 147

10.4.9 route map list entry figure 77: route map entry configuration route-map entry the route map name and the id number of this route map entry. Action select permit to permit routes that match this entry. Select deny to deny routes that match this entry. Mat...

  • Page 148

to configure a route map entry 1. Go to router > router objects > route map. 2. Select the add route-map entry icon to add a new route map entry or select the edit icon beside an existing route map entry to edit that entry. 3. Select permit or deny for the action to take for this route map entry...

  • Page 149

to add a key chain name 1. Go to router > router objects > key-chain. 2. Select create new. 3. Enter a name for the key chain. 4. Select ok. 10.4.12 key chain list entry figure 80: key chain entry configuration key-chain entry the key chain name and the id numb...

  • Page 150

2. Select the add key-chain entry icon to add a new key chain entry or select the edit icon beside an existing key chain entry to edit that entry. 3. Enter a key. 4. Under accept lifetime, select the required hour, minute, second, year, month and day to start using this key for received routing ...

  • Page 151

up time how long the route has been available. To filter the routing monitor display 1. Go to router > monitor > routing monitor. 2. Select a type of route to display or select all to display routes of all types. For example, select connected to display all the...

  • Page 152

11 firewall firewall policies control all traffic passing through the freeguard 100. Firewall policies are instructions that the freeguard 100 uses to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to e...

  • Page 153

this section describes: • how policy matching works • policy list • policy options • advanced policy options • configuring firewall policies 11.1.1 how policy matching works when the freeguard 100 receives a connection attempt at an interface, it selects a poli...

  • Page 154

id the policy identifier. Policies are numbered in the order they are added to the policy list. Source the source address or address group to which the policy applies. Dest the destination address or address group to which the policy applies. Schedule the schedule that controls when the policy s...

  • Page 155

figure 84: standard policy options interface / zone select the source and destination interface or zone for the firewall policy. Interfaces and zones are listed and configured in system > network. Source select the name of the source interface or zone for the p...

  • Page 156

service select the name of a service or service group that matches the service or protocol of the packets to be matched with this policy. You can select from a wide range of predefined services or add custom services and service groups. Action select how you want the firewall to respond when the...

  • Page 157

zone is configured using dhcp or pppoe. Fixed port select fixed port to prevent nat from translating the source port. Some applications do not function correctly if the source port is changed. In most cases, if you select fixed port, you would also select dynami...

  • Page 158

figure 86: select user groups for authentication you can select authentication for any service. Users can authenticate with the firewall using http, telnet, or ftp. For users to be able to authenticate you must add an http, telnet, or ftp policy that is configured for authentication. When users ...

  • Page 159

differentiated services differentiated services describes a set of end-to-end quality of service (qos) capabilities. End-to-end qos is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By co...

  • Page 160

to delete a policy 1. Go to firewall > policy. 2. Select the delete icon beside the policy you want to delete. 3. Select ok. To edit a policy 1. Go to firewall > policy. 2. Select the edit icon beside the policy you want to edit. 3. Edit the policy as required. 4. Select ok. To change the positi...

  • Page 161

firewall policy command keywords and variables keywords & variables description default availability http_retry_count define the number of times to retry establishing an http connection when the connection fails. 0 all models. Natip configure natip for a firewa...

  • Page 162

• configuring addresses • address group list • address group options • configuring address groups 11.2.1 address list you can add addresses to the list and edit existing addresses. The freeguard 100 comes configured with the default ‘all’ address which represents any ip address on the network. F...

  • Page 163

• all possible ip addresses (represented by ip address: 0.0.0.0 and netmask: 0.0.0.0) an ip address can be: • the ip address of a single computer (for example, 192.45.46.45). • the ip address of a sub network (for example, 192.168.1.0 for a class c subnet). • 0...

  • Page 164

11.2.4 address group list you can organize related addresses into address groups to make it easier to configure policies. For example, if you add three addresses and then configure them in an address group, you can configure a single policy using all three addresses. Note: if an address group is...

  • Page 165

the lists. 11.2.6 configuring address groups to organize addresses into an address group 1. Go to firewall > address > group. 2. Select create new. 3. Enter a group name to identify the address group. 4. Select an address from the available addresses list and s...

  • Page 166

• configuring service groups 11.3.1 predefined service list figure 91: predefined service list the predefined services list has the following icons and features. Name the name of the predefined services. Detail the protocol for each predefined service. Table 24 lists the freeguard 100 predefined...

  • Page 167

configuration parameters from dhcp servers to hosts. Dns domain name service for translating domain names into ip addresses. Tcp udp 53 53 finger a network service that provides information about users. Tcp 79 ftp ftp service for transferring files. Tcp 21 goph...

  • Page 168

info_address icmp address mask request messages. Icmp 17 pop3 post office protocol is an email protocol for downloading email from a pop3 server. Tcp 110 pptp point-to-point tunneling protocol is a protocol that allows corporations to extend their own corporate network through private tunnels ov...

  • Page 169

the custom services list has the following icons and features. Create new select a protocol and then create new to add a custom service. Service name the name of the custom service. Detail the protocol and port numbers for each custom service. Delete & edit ico...

  • Page 170

protocol type select the protocol type of the service you are adding (icmp). Type enter the icmp type number for the service. Code enter the icmp code number for the service if required. Ip custom service options figure 95: ip custom service options name the name of the ip custom service. Protoc...

  • Page 171

to add a custom ip service 1. Go to firewall > service > custom. 2. Select create new. 3. Enter a name for the new custom ip service. 4. Select ip as the protocol type. 5. Enter the ip protocol number for the service. 6. Select ok. You can now add this custom s...

  • Page 172

figure 97: service group options service group has the following options. Group name enter a name to identify the address group. Available services the list of configured and predefined services. Use the arrows to move services between the lists. Members the list of services in the group. Use th...

  • Page 173

4. Select ok. 11.4 schedule use schedules to control when policies are active or inactive. You can create one-time schedules and recurring schedules. You can use one-time schedules to create policies that are effective once for the period of time specified in t...

  • Page 174

11.4.2 one-time schedule options figure 99: one-time schedule options one-time schedule has the following options. Name enter the name to identify the one-time schedule. Start enter the start date and time for the schedule. Stop enter the stop date and time for the schedule. 11.4.3 configuring o...

  • Page 175

or on specified days of the week. For example, you might want to prevent game play during working hours by creating a recurring schedule. Note: if you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at the sta...

  • Page 176

11.4.6 configuring recurring schedules to add a recurring schedule 1. Go to firewall > schedule > recurring. 2. Select create new. 3. Enter a name for the schedule. 4. Select the days of the week that you want the schedule to be active. 5. Set the start and stop time for the recurring schedule. ...

  • Page 177

destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the ip address of the interface that receives the packets. This technique is called port forwarding or port address translat...

  • Page 178

figure 103: virtual ip options; static nat figure 104: virtual ip options; port forwarding virtual ip has the following options. Name enter the name to identify the virtual ip. Addresses, address groups, and virtual ips must all have unique names to avoid confusion in firewall policies. External ...

  • Page 179

11.5.3 configuring virtual ips to add a static nat virtual ip 1. Go to firewall > virtual ip. 2. Select create new. 3. Enter a name for the virtual ip. 4. Select the virtual ip external interface from the list. The external interface is connected to the source ...

  • Page 180

to any other address. For example, if the virtual ip provides access from the internet to a server on your internal network, the external ip address must be a static ip address obtained from your isp for this server. This address must be a unique address that is not used by another host. However...

  • Page 181

to edit a virtual ip 1. Go to firewall > virtual ip. 2. Select the edit icon beside the virtual ip you want to modify. 3. Select ok. 11.6 ip pool an ip pool (also called a dynamic ip pool) is a range of ip addresses added to a firewall interface. You can enable...

  • Page 182

11.6.2 ip pool options figure 106: ip pool options virtual ip has the following options. Interface select the interface to which to add an ip pool. Name enter a name for the ip pool. Ip range/subnet enter the ip address range for the ip pool. 11.6.3 configuring ip pools to add an ip pool 1. Go t...

  • Page 183

packets used by the connection. Nat translates source ports to keep track of connections for a particular service. You can select fixed port for nat policies to prevent source port translation. However, selecting fixed port means that only one connection can be...

  • Page 184

• profile cli configuration 11.7.1 protection profile list figure 107: sample list showing the default protection profiles the protection profile list has the following icons and features. Create new select create new to add a protection profile. Delete remove a protection profile from the list....

  • Page 185

configuring antivirus options figure 109: protection profile antivirus options virus scan enable or disable virus scanning (for viruses and worms) for each protocol (http, ftp, imap, pop3, smtp). Grayware, if enabled in antivirus > config > grayware, is include...

  • Page 186

configuring web filtering options figure 110: protection profile web filtering options web content block enable or disable web page blocking for http traffic based on the banned words and patterns in the content block list. Web url block enable or disable web page filtering for http traffic base...

  • Page 187

provide details for blocked 4xx and 5xx http errors display a replacement message for 4xx and 5xx http errors. If the error is allowed through then malicious or objectionable sites could use these common error pages to circumvent web category blocking. Rate ima...

  • Page 188

helo dns lookup enable or disable looking up the source domain name (from the smtp helo command) in the domain name server. E-mail address bwl enable or disable checking incoming email addresses against the configured spam filter email address list. Return e-mail dns check enable or disabl...

  • Page 189

configuring content archive options figure 114: protection profile content archive options the following options are available for content archive through the protection profile. Display content metainformation on the system dashboard enable to have meta-inform...

  • Page 190

2. Select a policy list to which you want to add a protection profile. For example, to enable network protection for files downloaded from the web by internal network users, select an internal to external policy list. 3. Select create new to add a policy or select edit for the policy you want to...

  • Page 191

virus is detected, the freeguard 100 stops the upload and attempts to delete the partially uploaded file from the ftp server. To delete the file successfully, the server permissions must be set to allow deletes. When downloading files from an ftp server the fre...

  • Page 192

enter all the actions you want this profile to use. Use a space to separate the options you enter. If you want to remove an option from the list or add an option to the list, you must retype the list with the option removed or added. This example shows how to display the settings for the firewal...

  • Page 193

12 user you can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or a vpn tunnel, the user must belong to one of the user groups that is allowed access. The user then ...

  • Page 194

12.2.1 local user list figure 115: local user list create new add a new local username. User name the local user name. Type the authentication type to use for this user. Delete & edit icons the delete and edit icons. 12.2.2 local user options figure 116: local user options user name enter the us...

  • Page 195

to delete a user name from the internal database you cannot delete user names that have been added to user groups. Remove user names from user groups before deleting them. 1. Go to user > local. 2. Select the delete icon for the user name that you want to delet...

  • Page 196

to configure the freeguard 100 for radius authentication 1. Go to user > radius. 2. Select create new to add a new radius server or select the edit icon to edit an existing configuration. 3. Enter the name of the radius server. 4. Enter the domain name or ip address of the radius server. 5. Ente...

  • Page 197

reflects the hierarchy of ldap database object classes above the common name identifier. Delete & edit icons the delete and edit icons. 12.4.2 ldap server options figure 120: ldap server configuration name enter a name to identify the ldap server. Server name/i...

  • Page 198

5. Enter the port used to communicate with the ldap server. 6. Enter the common name identifier for the ldap server. 7. Enter the distinguished name used to look up entries on the ldap server. 8. Select ok. To delete an ldap server you cannot delete an ldap server that has been added to a user g...

  • Page 199

members the users, radius servers, or ldap servers in a user group. Protection profile the protection profile associated with this user group. Delete & edit icons the delete and edit icons. 12.5.2 user group options figure 122: user group configuration group na...

  • Page 200

to delete a user group you cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a pptp or l2tp configuration. 1. Go to user > user group. 2. Select delete beside the user group that you want to delete. 3. Select ok.

  • Page 201

13 vpn freeguard 100s support the following protocols to authenticate and encrypt traffic: • internet protocol security (ipsec) • point-to-point tunneling protocol (pptp) • layer two tunneling protocol (l2tp) this chapter contains information about the followin...

  • Page 202

generate unique ipsec encryption and authentication keys automatically. In situations where a remote vpn peer requires a specific ipsec encryption and/or authentication key, you must configure the freeguard 100 to use manual keys instead. 13.1.1 phase 1 list figure 123: ipsec vpn phase 1 list cr...

  • Page 203

• if one or more dialup clients with dynamic ip addresses will be connecting to the freeguard 100, select dialup user. • if a remote peer that has a domain name and subscribes to a dynamic dns service will be connecting to the freeguard 100, select dynamic dns ...

  • Page 204

    194 • to grant access to selected remote peers or clients based on a certificate distinguished name, select accept this peer certificate only and select the name of the certificate from the list. The certificate must be added to the freeguard 100 configuration through the config user peer cli comman...

  • Page 205

    Freeguard 100 administration guide 195 authenticity of messages during phase 1 negotiations: • md5-message digest 5, the hash algorithm developed by rsa data security. • sha1-secure hash algorithm 1, which produces a 160-bit message digest. To specify a third combination, use the add button beside t...

  • Page 206

    196 13.2 phase 2 you configure phase 2 settings to specify the parameters for creating and maintaining a vpn tunnel between the freeguard 100 and the remote peer or client. In most cases, you only need to configure the basic phase 2 settings. To configure phase 2 settings 1. Go to vpn > ipsec > phas...

  • Page 207

    Freeguard 100 administration guide 197 13.3.1 phase 2 basic settings figure 127: phase 2 basic settings tunnel name type a name to identify the tunnel configuration. Remote select the phase 1 configuration to assign to this tunnel. Gateway the phase 1 configuration describes how remote peers or clie...

  • Page 208

    198 you define. You can select any of the following symmetric-key algorithms: • null-do not use an encryption algorithm. • des-data encryption standard, a 64-bit block algorithm that uses a 56-bit key. • 3des-triple-des, in which plain text is encrypted three times by three keys. • aes128-a 128-bi...

  • Page 209

    Freeguard 100 administration guide 199 browsing interface from the list. Quick mode identities enter the method for choosing selectors for ike negotiations: • to choose a selector from a firewall encryption policy, select use selectors from policy. • to disable selector negotiation, select use wildc...

  • Page 210

    200 13.4.1 manual key list figure 129: ipsec vpn manual key list create new select create new to create a new manual key configuration. Remote gateway the ip address of the remote peer or client. Encryption the names of the encryption algorithms used in the configuration. Algorithm authentication th...

  • Page 211

    Freeguard 100 administration guide 201 figure 130: adding a manual key vpn tunnel encryption key if you selected: • des, type a 16-character hexadecimal number (0-9, a-f). • 3des, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters. • aes128, type a 32-ch...
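    The key-length rules above (DES 16 hex characters, 3DES 48 hex characters in three 16-character segments, AES128 32 hex characters) are easy to get wrong when keys are pasted from a peer's configuration, and a well-formed key can still be a weak one. The validator below is an added example written for this page, not freeGuard code: it normalizes separators, checks the hex length per algorithm, and warns on the cases a practitioner should catch before committing a manual-key tunnel (single DES, 3DES whose subkeys repeat and therefore degrade to single DES, and all-identical key bytes). The AES192/AES256 lengths are assumed from their key sizes; the page only shows AES128.

```python
import re

# Hex-digit count each algorithm expects for a manual key, as the page states
# (DES 16, 3DES 48 as three 16-char segments, AES128 32). AES192/AES256 are
# assumed from their key sizes and are not confirmed by the page.
MANUAL_KEY_HEX_LEN = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}

_HEX = re.compile(r"^[0-9a-f]+$")


def validate_manual_key(algorithm, key_text):
    """Check a manual encryption key for the given algorithm.

    Returns {"ok": bool, "problems": [...], "warnings": [...]}: problems make the
    key unusable, warnings flag a key that is accepted but weak. Spaces, colons
    and dashes between segments are ignored so '0123... fedc... 0011...' works.
    """
    alg = algorithm.lower()
    result = {"ok": True, "problems": [], "warnings": []}
    if alg == "null":
        result["warnings"].append("null: traffic is not encrypted")
        return result
    if alg not in MANUAL_KEY_HEX_LEN:
        result["ok"] = False
        result["problems"].append("unknown algorithm %r" % algorithm)
        return result
    key = re.sub(r"[\s:-]", "", key_text).lower()
    want = MANUAL_KEY_HEX_LEN[alg]
    if not _HEX.match(key):
        result["ok"] = False
        result["problems"].append("key must be hexadecimal digits 0-9, a-f")
        return result
    if len(key) != want:
        result["ok"] = False
        result["problems"].append("%s needs %d hex chars, got %d" % (alg, want, len(key)))
        return result
    raw = bytes.fromhex(key)
    if len(set(raw)) == 1:
        result["warnings"].append("every key byte is identical; this is not a random key")
    if alg == "des":
        result["warnings"].append("DES uses a 56-bit key and is brute-forceable; prefer AES")
    if alg == "3des":
        k1, k2, k3 = raw[:8], raw[8:16], raw[16:]
        if k1 == k2 or k2 == k3:
            # EDE with K1==K2 or K2==K3 cancels out to one DES operation.
            result["warnings"].append("3DES with K1==K2 or K2==K3 is equivalent to single DES")
        elif k1 == k3:
            result["warnings"].append("K1==K3 gives two-key 3DES (112-bit) rather than three-key")
    return result
```

    Run it over every manual key before you commit the tunnel; a 3DES key typed as the same 16-character segment three times passes the length check in the web-based manager but gives you no more than DES.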

  • Page 212

    202 13.5 concentrator in a hub-and-spoke configuration, connections to a number of remote peers radiate from a single, central freeguard 100. Site-to-site connections between the remote peers do not exist; however, vpn tunnels between any two of the remote peers can be established through the freegu...

  • Page 213

    Freeguard 100 administration guide 203 members a list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left-pointing arrow. 13.6 ping generator the ping generator generates traffic in an ipsec vpn tunnel to keep the tunnel co...

  • Page 214

    204 source ip 1 enter the ip address from which traffic may originate locally. Destination ip 1 enter the ip address of the remote computer to ping. Source ip 2 if you want to generate traffic on a second vpn tunnel simultaneously, enter a second ip address from which traffic may originate locally. ...

  • Page 215

    Freeguard 100 administration guide 205 bring down tunnel icons may have to reconnect to establish a new vpn session. Page up and page down icons display the previous or next page of dialup-tunnel status listings. 13.7.2 static ip and dynamic dns monitor the list of tunnels provides information about...

  • Page 216

    206 figure 136: pptp range enable pptp you must add a user group before you can select the option. Starting ip type the starting address in the range of reserved ip addresses. Ending ip type the ending address in the range of reserved ip addresses. User group select the name of the pptp user group t...

  • Page 217

    Freeguard 100 administration guide 207 starting ip type the starting address in the range of reserved ip addresses. Ending ip type the ending address in the range of reserved ip addresses. User group select the name of the pptp user group that you defined. Disable pptp select the option to disable p...

  • Page 218

    208 figure 139: certificate details 13.10.2 certificate request to obtain a personal or site certificate, you must send a request to a ca that provides digital certificates that adhere to the x.509 standard. The freeguard 100 provides a way for you to generate the request. The generated request incl...

  • Page 219

    Freeguard 100 administration guide 209 • for e-mail, enter the email address of the owner of the freeguard 100 being certified. Typically, email addresses are entered only for clients, not gateways. Organization unit name of your department. Organization legal name of your company or organization. L...

  • Page 220

    210 import select to import a ca root certificate. Name the names of existing ca root certificates. The freeguard 100 assigns unique names (ca_cert_1, ca_cert_2, ca_cert_3, and so on) to the ca certificates when they are imported. Subject information about the ca. View certificate select to display c...

  • Page 221

    Freeguard 100 administration guide 211 13.11.1 adding firewall policies for ipsec vpn tunnels firewall policies control all ip traffic passing between a source address and a destination address. A firewall encryption policy is needed to allow the transmission of encrypted packets, specify the permit...

  • Page 222

    212 select inbound nat to translate the source ip addresses of inbound decrypted packets into the ip address of the freeguard 100 internal interface. Select outbound nat to translate the source address of outbound encrypted packets into the ip address of the freeguard 100 public interface. 3. You ma...

  • Page 223

    Freeguard 100 administration guide 213 14 ips the freeguard 100 intrusion prevention system (ips) combines signature and anomaly intrusion detection and prevention with low latency and excellent reliability. The freeguard 100 can record suspicious traffic in logs, can send alert email to system admi...

  • Page 224

    214 attack signatures for the freeguard 100. 14.1.1 predefined predefined signatures are arranged into groups based on the type of attack. By default, all signature groups are enabled while some signatures within groups are not. Check the default settings to ensure they meet the requirements of your...

  • Page 225

    Freeguard 100 administration guide 215 revision the revision number for individual signatures. To show the signature group members, click on the blue triangle. Modify the configure and reset icons. Reset only appears when the default settings have been modified. Selecting reset restores the default ...

  • Page 226

    216 figure 145: enabling or disabling a predefined signature group 3. Select the enable box to enable the predefined signature group or clear the enable box to disable the predefined signature group. 4. Select ok. To configure predefined signature settings 1. Go to ips > signature > predefined. 2. S...

  • Page 227

    Freeguard 100 administration guide 217 • p2p • rpc_decoder • tcp_reassembler figure 147: example of dissector signature parameters: tcp_reassembler figure 148: example of dissector signature parameters: p2p idle_timeout if a session is idle for longer than this number of seconds, the session will no...

  • Page 228

    218 containing pornography, you can add custom signatures similar to the following: f-sbid (--protocol tcp; --flow established; --content "nude cheerleader"; --no_case) when you add the signature set action to drop session. Note: custom signatures are an advanced feature. This document assumes the u...

  • Page 229

    Freeguard 100 administration guide 219 figure 150: edit custom signature 3. Enter a name for the custom signature. You cannot edit the name of an existing custom signature. 4. Enter the custom signature. 5. Select the action to be taken when a packet triggers this signature. (see table 27 for action...
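    The custom signature shown earlier, f-sbid (--protocol tcp; --flow established; --content "nude cheerleader"; --no_case), is a list of --option entries separated by semicolons, with a quoted value for --content and bare flags such as --no_case. The parser and matcher below are an added example for this page, not the freeGuard IPS engine: they parse that option syntax and evaluate the result against a constructed packet record, so you can check what a signature will and will not match before you set its action to drop session. The packet record format (protocol, established flag, payload bytes) and the meaning given to --flow established are this example's assumptions.

```python
import re

# The custom signature from the page, in the F-SBID option syntax it shows.
PAGE_SIGNATURE = 'F-SBID (--protocol tcp; --flow established; --content "nude cheerleader"; --no_case)'

# One option: --name, then either a double-quoted value or an unquoted value
# running up to the next ';' (or the end of the option list).
_OPTION = re.compile(r'--(\w+)\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*(?:;|$)')


def parse_fsbid(text):
    """Parse 'F-SBID( --opt value; --flag; ... )' into a list of (name, value)
    pairs; value is None for bare flags such as --no_case."""
    head = re.match(r'\s*F-SBID\s*\((.*)\)\s*$', text, re.I | re.S)
    if not head:
        raise ValueError("signature must have the form F-SBID( ... )")
    body, pos, options = head.group(1).strip(), 0, []
    while pos < len(body):
        match = _OPTION.match(body, pos)
        if not match:
            raise ValueError("cannot parse option near %r" % body[pos:pos + 20])
        name, value = match.group(1).lower(), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')   # unquote --content "..."
        options.append((name, value or None))
        pos = match.end()
        while pos < len(body) and body[pos].isspace():
            pos += 1
    return options


def signature_matches(options, packet):
    """Evaluate parsed options against one constructed packet record:
    packet = {"protocol": "tcp", "established": bool, "payload": bytes}.
    Only --protocol, --flow established, --content and --no_case are handled."""
    no_case = any(name == "no_case" for name, _ in options)
    contents = []
    for name, value in options:
        if name == "protocol":
            if packet["protocol"].lower() != value.lower():
                return False
        elif name == "flow":
            if value == "established" and not packet["established"]:
                return False
        elif name == "content":
            contents.append(value.encode())
        elif name != "no_case":
            raise ValueError("option --%s is not supported by this example" % name)
    payload = packet["payload"]
    if no_case:
        payload = payload.lower()
        contents = [c.lower() for c in contents]
    return all(c in payload for c in contents)


# Constructed sample packet: an HTTP request on an established TCP session.
SAMPLE_PACKET = {
    "protocol": "tcp",
    "established": True,
    "payload": b"GET /pics/NUDE Cheerleader.jpg HTTP/1.0\r\n\r\n",
}
```

    Without --no_case the same signature misses the mixed-case request above, which is the kind of gap to test for before relying on a content signature to drop sessions.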

  • Page 230

    220 anomaly list figure 151: the anomaly list name the anomaly names. Enable the status of the anomaly. A white check mark in a green circle indicates the anomaly is enabled. A white x in a grey circle indicates the anomaly is disabled. Logging the logging status for each anomaly. A white check mark...

  • Page 231

    Freeguard 100 administration guide 221 name the anomaly name. Enable select the enable box to enable the anomaly or clear the enable box to disable the anomaly. Logging select the logging box to enable logging for the anomaly or clear the logging box to disable logging for the anomaly. Action select...

  • Page 232

    222 3. Select the enable box to enable the anomaly or clear the enable box to disable the anomaly. 4. Select the logging box to enable logging for this anomaly or clear the logging box to disable logging for this anomaly. 5. Select an action for the freeguard 100 to take when traffic triggers this a...

  • Page 233

    Freeguard 100 administration guide 223 15 antivirus antivirus provides configuration access to most of the antivirus options you enable when you create a firewall protection profile. While antivirus settings are configured for system-wide use, you can implement specific settings on a per profile bas...

  • Page 234

    224 • file block • config • cli configuration 15.1 file block configure file blocking to remove all files that are a potential threat and to prevent active computer virus attacks. You can block files by name, by extension, or any other pattern, giving you the flexibility to block potentially harmful...

  • Page 235

    Freeguard 100 administration guide 225 figure 154: default file block list file block list has the following icons and features: create new select create new to add a new file pattern to the file block list. Apply select apply to apply any changes to the file block configuration. Pattern the current...

  • Page 236

    226 • config • grayware • grayware options 15.2.1 virus list the virus list displays the current viruses blocked in alphabetical order. You can view the entire list or parts of the list by selecting the number or alphabet ranges. You can update this list manually or set up the freeguard 100 to recei...

  • Page 237

    Freeguard 100 administration guide 227 block oversized email and files for each protocol. Further file size limits for uncompressed files can be configured as an advanced feature via the cli. 15.2.3 grayware grayware programs are unsolicited commercial software programs that get installed on compute...

  • Page 238

    228 bookmarks, start pages, and menu options. Plugin select enable to block browser plugins. Browser plugins can often be harmless internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing pre...

  • Page 240

    230 encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes less ...

  • Page 241

    Freeguard 100 administration guide 231 command syntax pattern config antivirus service ftp set end config antivirus service ftp unset end get antivirus service [ftp] show antivirus service [ftp] keywords and variables description default memfilesizelimit set the maximum file size (in megabytes) that...

  • Page 242

    232 end this example shows how to display the antivirus ftp traffic settings. Get antivirus service ftp this example shows how to display the configuration for antivirus ftp traffic. Show antivirus service ftp 15.3.4 config antivirus service pop3 use this command to configure how the freeguard 100 h...

  • Page 243

    Freeguard 100 administration guide 233 examples this example shows how to set the maximum file size that can be buffered to memory for scanning at 20 mb, the maximum uncompressed file size that can be buffered to memory for scanning at 60 mb, and how to enable antivirus scanning on ports 110, 111, a...

  • Page 244

    234 encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the configured oversize threshold. Port configure antivirus scanning on a nonstandard port number or multiple por...
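    Both oversize passages above make the same point: the threshold is compared against the encoded attachment, and base64 turns every 3 bytes into 4 characters plus a line terminator every 76 characters, so a file that is several megabytes under the configured limit can still be blocked. The functions below are an added example for this page, not freeGuard code: they compute the encoded size, cross-check the formula against Python's own base64 encoder, and invert it to find the largest raw attachment that fits under a threshold. That the device counts CRLF line terminators and uses 1 MB = 1024*1024 bytes are assumptions of this example.

```python
import base64
import math

MIME_LINE_CHARS = 76  # longest base64 line RFC 2045 permits


def base64_encoded_size(raw_len, line_chars=MIME_LINE_CHARS, newline_len=2):
    """Bytes occupied by a base64 MIME body for raw_len input bytes:
    4 output chars per 3 input bytes (last group padded), plus a line
    terminator after every line_chars chars (CRLF assumed, newline_len=2)."""
    chars = 4 * math.ceil(raw_len / 3)
    if line_chars:
        chars += math.ceil(chars / line_chars) * newline_len
    return chars


def formula_agrees_with_library(max_len=400):
    """Cross-check: base64.encodebytes wraps at 76 chars with a single LF,
    so the formula with newline_len=1 must reproduce its output length."""
    return all(
        base64_encoded_size(n, newline_len=1) == len(base64.encodebytes(bytes(n)))
        for n in range(max_len)
    )


def largest_raw_size_under(threshold_bytes):
    """Largest attachment (raw bytes) whose encoded body stays <= threshold_bytes.
    Binary search works because the encoded size never decreases with raw_len."""
    lo, hi = 0, threshold_bytes
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if base64_encoded_size(mid) <= threshold_bytes:
            lo = mid
        else:
            hi = mid - 1
    return lo


def would_be_oversized(raw_len, threshold_mb):
    """True if the encoded attachment exceeds an oversize threshold given in MB
    (assumed 1 MB = 1024*1024 bytes, applied to the encoded body)."""
    return base64_encoded_size(raw_len) > threshold_mb * 1024 * 1024
```

    For a 10 MB threshold the largest raw attachment that passes is a little over 7.3 MB; set the limit from the raw size you actually want to allow, not from the number you expect users to see in their mail client.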

  • Page 245

    Freeguard 100 administration guide 235 end get antivirus service [smtp] show antivirus service [smtp] keywords and variables description default memfilesizelimit set the maximum file size (in megabytes) that can be buffered to memory for virus scanning. The maximum file size allowed is 10% of the fr...

  • Page 246

    236 16 web filter web filter provides configuration access to the web filtering and web category filtering options you enable when you create a firewall protection profile. To access protection profile web filter options go to firewall > protection profile, select edit or create new, and select web ...

  • Page 247

    Freeguard 100 administration guide 237 web filtering includes various modules and engines that perform separate tasks. The freeguard 100 performs web filtering in the order the filters appear in the web-based manager menu: content block, url block, url exempt, category block (freeguard 100), and scr...

  • Page 248

    238 total the number of banned words in the web content block list. Page up, page down, and clear banned word list icons. Banned word the current list of banned words and patterns. Select the check box to enable all the banned words in the list. Pattern type the pattern type used in the banned word ...

  • Page 249

    Freeguard 100 administration guide 239 16.2 url block you can block access to specific urls by adding them to the url block list. You can also add patterns using text and regular expressions (or wildcard characters) to block urls. The freeguard 100 blocks web pages matching any specified urls or pat...

  • Page 250

    240 urls in the list. The delete and edit/view icons. 16.2.3 configuring the web url block list note: do not use regular expressions in the web url block list. You can use regular expressions in the web pattern block list to create url patterns to block. Note: you can type a top-level domain suffix ...

  • Page 251

    Freeguard 100 administration guide 241 figure 162: sample web pattern block list 16.2.5 web pattern block options web pattern block has the following icons and features: create new select create new to add a new pattern to the web pattern block list. Pattern the current list of blocked patterns. Sel...

  • Page 252

    242 website, you can add the url of this website to the exempt list so that the freeguard 100 does not virus scan files downloaded from this url. Figure 164: sample url exempt list note: enable web filtering > web exempt list in your firewall protection profile to activate the url exempt settings. 1...

  • Page 253

    Freeguard 100 administration guide 243 this section describes • freeguard 100 managed web filtering service • category block configuration options • category block reports • category block reports options • generating a category block report 16.4.1 freeguard 100 managed web filtering service the fre...

  • Page 254

    244 figure 166: category block configuration you can configure the following options to enable and help maintain freeguard 100 web filtering: enable service freeguard sp select to enable freeguard 100 web filtering. Status: select check status to test the connection to the freeguard 100 server. Stat...

  • Page 255

    Freeguard 100 administration guide 245 script filter you can configure the freeguard 100 to filter certain web scripts. You can filter java applets, cookies, and activex controls from web pages. Figure 167: script filtering options note: blocking any of these items may prevent some web pages from fu...

  • Page 256

    246 17 spam filter spam filter provides configuration access to the spam filtering options you enable when you create a firewall protection profile. While spam filters are configured for system-wide use, you can enable the filters on a per profile basis. Spam filter can be configured to manage unsol...

  • Page 257

    Freeguard 100 administration guide 247 return address domain name does not match the ip address the email is marked as spam and the action selected in the protection profile is taken. Mime headers check spam filter > mime headers enable or disable checking source mime headers against the configured ...

  • Page 258

    248 the order of spam filter operations may vary between smtp and imap or pop3 traffic because some filters only apply to smtp traffic (ip address and helo dns lookup). Also, filters that require a query to a server and a reply are run simultaneously. To avoid delays, queries are sent while other fi...

  • Page 259

    Freeguard 100 administration guide 249 subject, and body of the email for common spam content. If freeguard sp finds spam content, the email is tagged or dropped according to the configuration in the firewall protection profile. Both freeguard sp antispam processes are completely automated and confi...

  • Page 260

    250 the cache before contacting the server again. 17.1.3 configuring the freeguard sp cache 1. Go to spam filter > freeguard sp. 2. Select check status to make sure the freeguard 100 can access the freeguard sp server. After a moment, the freeguard sp status should change from unknown to available. ...

  • Page 261

    Freeguard 100 administration guide 251 create new select create new to add an ip address to the ip address list. Total the number of items in the list. The page up, page down, and remove all entries icons. Ip address/mask the current list of ip addresses. Action the action to take on email from the ...

  • Page 262

    252 freeguard 100 checks all the servers in the list simultaneously. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to the next spam filter. Note: because the freeguard 100 uses the server domain name to connect to the dnsbl or...

  • Page 263

    Freeguard 100 administration guide 253 figure 172: adding a dnsbl or ordbl server 3. Enter the domain name of the dnsbl or ordbl server you want to add. 4. Select the action to take on email matched by the server. 5. Select enable. 6. Select ok. 17.5 email address the freeguard 100 uses the email a...
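    A DNSBL lookup is a DNS query for the sender's IPv4 address with its octets reversed, prefixed to the list's domain name (the convention later written down in RFC 5782), and a listing is an A record inside 127.0.0.0/8. The code below is an added example for this page, not the freeGuard implementation: it builds those query names, queries every enabled server in the list concurrently as the text describes, returns the action of the first server that lists the address, and ignores answers outside 127.0.0.0/8, which indicate a hijacked or wildcarding resolver rather than a listing. The resolver and the server list are constructed so the example runs offline; the list domains are placeholders.

```python
import ipaddress
from concurrent.futures import ThreadPoolExecutor

# DNSBL answers live in 127.0.0.0/8; anything else means a broken or
# hijacked resolver and must not be treated as a listing.
_LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """'1.2.3.4' + 'bl.example.net' -> '4.3.2.1.bl.example.net.' (octets reversed)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def check_dnsbl_servers(sender_ip, servers, resolve):
    """servers: list of dicts {"domain", "action", "enable"} in configured order.
    resolve(name) -> list of A records as strings ([] for NXDOMAIN).
    All enabled servers are queried concurrently; the action of the first
    server (in list order) that lists the address is returned, or None.
    The second return value is a per-server status list for logging."""
    enabled = [s for s in servers if s.get("enable", True)]
    names = [dnsbl_query_name(sender_ip, s["domain"]) for s in enabled]
    with ThreadPoolExecutor(max_workers=max(1, len(names))) as pool:
        answers = list(pool.map(resolve, names))
    status, action = [], None
    for server, records in zip(enabled, answers):
        valid = [r for r in records if ipaddress.IPv4Address(r) in _LISTED_NET]
        if records and not valid:
            status.append((server["domain"], "ignored: answer outside 127.0.0.0/8"))
            continue
        if valid:
            status.append((server["domain"], "listed " + ",".join(valid)))
            if action is None:
                action = server["action"]
        else:
            status.append((server["domain"], "not listed"))
    return action, status


# Constructed answers standing in for real DNS so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "4.3.2.1.bl.example.net.": ["127.0.0.2"],
    "4.3.2.1.hijacked.example.": ["198.51.100.7"],   # resolver returning a non-DNSBL address
}


def constructed_resolve(name):
    """Stand-in for a DNS lookup; [] plays the role of NXDOMAIN."""
    return CONSTRUCTED_ANSWERS.get(name, [])


# Constructed server list in the shape of the DNSBL/ORDBL list on the page.
SERVERS = [
    {"domain": "hijacked.example", "action": "spam", "enable": True},
    {"domain": "bl.example.net", "action": "spam", "enable": True},
    {"domain": "other.example.org", "action": "spam", "enable": False},
]
```

    Because the lookups are plain DNS, the device's own DNS settings decide which resolver answers them; a resolver that wildcards unknown names would mark every sender as listed unless the 127.0.0.0/8 check is applied.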

  • Page 264

    254 action the action to take on email from the configured address. Actions are: mark as spam to apply the spam action configured in the protection profile, or mark as clear to let the email pass to the next filter. The delete and edit/view icons. 17.5.3 configuring the email address list to add an ...

  • Page 265

    Freeguard 100 administration guide 255 for each header you configure. The freeguard 100 compares the mime header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding protection profile action is taken. If no match is found, the email is passed on to t...

  • Page 266

    256 figure 176: adding a mime header 3. Enter the mime header key. 4. Enter the mime header value. 5. Select a pattern type for the list entry. 6. Select the action to take on email with that mime header key-value. 7. Select ok. 17.7 banned word control spam by blocking email containing specific wor...

  • Page 267

    Freeguard 100 administration guide 257 figure 177: sample banned word list 17.7.2 banned word options banned word has the following icons and features: create new select create new to add a word or phrase to the banned word list. Total the number of items in the list. The page up, page down, and rem...

  • Page 268

    258 mark as spam to apply the spam action configured in the protection profile, or mark as clear to allow the email (since banned word is the last filter). Enable select to enable scanning for the banned word. 17.7.3 configuring the banned word list to add or edit a banned word 1. Go to spam filter ...

  • Page 269

    Freeguard 100 administration guide 259 case sensitivity regular expression pattern matching is case sensitive in the web and spam filters. To make a word or phrase case insensitive, use the regular expression /i for example, /bad language/i will block all instances of “bad language” regardless of ca...
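    The banned word, URL pattern and content block lists above all take an entry plus a pattern type (wildcard or regular expression), and the note on case sensitivity gives the /.../i form that makes a regular expression case-insensitive. The helper below is an added example for this page, not freeGuard code: it compiles an entry of either type into a Python regular expression, honours the /i modifier, and walks a list in order returning the action of the first match, which is how the page describes the banned word list being evaluated. Two details are assumptions of this example because the page does not state them: a wildcard entry treats * as "any run of characters", and wildcard matching is case-insensitive.

```python
import re


def compile_filter_pattern(pattern, pattern_type):
    """Turn a list entry into a compiled regex.

    'wildcard': '*' matches any run of characters, everything else is literal;
                matching is case-insensitive (assumption, not stated on the page).
    'regexp' : regular-expression syntax; '/.../i' as on the page makes it
                case-insensitive, a bare expression stays case-sensitive.
    """
    if pattern_type == "wildcard":
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.compile(regex, re.I)
    if pattern_type == "regexp":
        flags = 0
        delimited = re.match(r"^/(.*)/([a-z]*)$", pattern, re.S)
        if delimited:
            pattern, modifiers = delimited.group(1), delimited.group(2)
            unknown = set(modifiers) - {"i"}
            if unknown:
                raise ValueError("unsupported modifier(s): %s" % "".join(sorted(unknown)))
            if "i" in modifiers:
                flags |= re.I
        return re.compile(pattern, flags)
    raise ValueError("pattern type must be 'wildcard' or 'regexp'")


def first_action(text, entries):
    """entries: list of (pattern, pattern_type, action) checked in list order,
    like the banned word list. Returns the action of the first match, else None."""
    for pattern, pattern_type, action in entries:
        if compile_filter_pattern(pattern, pattern_type).search(text):
            return action
    return None


# Constructed sample list mixing both pattern types.
SAMPLE_LIST = [
    ("/bad language/i", "regexp", "spam"),
    ("free*pills", "wildcard", "spam"),
    ("/Newsletter/", "regexp", "clear"),
]
```

    Check new entries against a few real messages with this kind of helper before enabling them: a case-sensitive expression that was meant to catch "BAD LANGUAGE" silently matches nothing.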

  • Page 271

    Freeguard 100 administration guide 261 18 log & report the freeguard 100 provides extensive logging capabilities for traffic, system and network protection functions. You can set the severity level of the messages that are logged, and you can choose the types of events that are logged. All types of ...

  • Page 272

    262 reference guide. This chapter describes: • log config • log access • cli configuration 18.1 log config use log config to configure log storage, alert emails and log filters. This section describes: • log setting options • alert e-mail options • log filter options • configuring log filters • enab...

  • Page 273

    Freeguard 100 administration guide 263 the setting options appear. 4. Enter the settings the logging location requires. 5. Repeat steps 1 through 4 to configure other logging locations. 6. Select apply. Memory settings level the freeguard 100 logs all messages at and above the logging severity level...

  • Page 274

    264 figure 181: alert email configuration settings authentication select the authentication enable check box to enable smtp authentication. Smtp server the name/address of the smtp server for email. Smtp user the smtp user name. Password the smtp password. Email to enter one to three email re...

  • Page 275

    Freeguard 100 administration guide 265 messages. Apply select apply to activate any additions or changes to configuration. Note: if more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email. To configure alert email note: before c...

  • Page 276

    266 traffic log the traffic log records all the traffic to and through the freeguard 100 interfaces. You can configure logging for traffic controlled by firewall policies and for traffic between any source and destination addresses. You can also apply global settings, such as session or packet log. ...

  • Page 277

    Freeguard 100 administration guide 267 content block the freeguard 100 logs all instances of blocked content (specified in the banned words list). Url block the freeguard 100 logs all instances of blocked urls (specified in the url block list). Url exempt the freeguard 100 logs all instances of allow...

  • Page 278

    268 the interface are recorded in the traffic log. Note: to record traffic log messages you must set the logging severity level to notification when configuring the logging location. Traffic log messages do not generally have a severity level higher than notification. 1. Go to system > network > int...

  • Page 279

    Freeguard 100 administration guide 269 type the location of the log messages: memory. Go to previous page icon. View to the previous page in the log file. Go to next page icon. View to the next page in the log file. View per page select the number of log messages displayed on each page. Line: / type...

  • Page 280

    270 figure 184: search for log messages 3. If you want to search for log messages in a particular date range, select the from and to dates. 4. Select one of the following options: all of the following the message must contain all of the keywords any of the following the message must contain at least...

  • Page 281

    Freeguard 100 administration guide 271 powers, satanic or supernatural beings. 3. Hacking sites that provide information about or promote illegal or questionable access to or use of computer or communication equipment, software, or databases. Proxy avoidance -- sites that provide information about h...

  • Page 282

    272 gambling or support online gambling, involving a risk of losing money. 12. Militancy and extremist sites that offer information about or promote or are sponsored by groups advocating anti government beliefs or action. 13. Nudity lingerie and swimsuit -- sites that offer images of models in sugge...

  • Page 283

    Freeguard 100 administration guide 273 22. Pay to surf sites that pay users to view web sites, advertisements, or email 23. Web-based email sites that host web-based email. Potentially bandwidth consuming 24. File sharing and storage peer-to-peer file sharing -- sites that provide client software to...

  • Page 284

    274 lesbian, or bisexual lifestyles, including those that support online shopping, but excluding those that are sexually or issue-oriented. 33. Health sites that provide information or advice on personal health or medical services, procedures, or devices, but not drugs. Includes self-help groups. 34...

  • Page 285

    Freeguard 100 administration guide 275 - sites that support the offering and purchasing of goods between individuals. Real estate -- sites that provide information about renting, buying, selling, or financing residential real estate. 43. Social organizations professional and worker organizations -- ...

  • Page 286

    276 about computers, software, the internet, and related business firms, including sites supporting the sale of hardware, software, peripherals, and services. 53. Military organizations military -- sites sponsored by branches or agencies of the armed services. Others 54. Dynamic content dynamic cont...

  • Page 287

    Freeguard 100 administration guide 277 19 glossary address: an ip address (logical address) or the address of a physical interface (hardware address). An ethernet address is sometimes called a mac address. See also ip address. Aggressive mode: a way to establish a secure channel during ipsec phase 1...

  • Page 288

    Freeguard 100 administration guide 1 unit of transmission on a different network layer. Encryption: a method of encoding a file so that it cannot be understood. The information must be decrypted before it can be used. Endpoint: the ip address or port number that defines one end of a connection. Esp,...

  • Page 289

    2 ike, internet key exchange: a method of automatically exchanging ipsec authentication and encryption keys between two secure servers. Imap, internet message access protocol: an internet email protocol that allows access to an email server from any imap-compatible client. Internal interface: the f...

  • Page 290

    Freeguard 100 administration guide 3 nat, network address translation: a way of routing ipv4 packets transparently. Using nat, a router or freeguard 100 between a private and public network translates private ip addresses to public addresses. Netmask, network mask: also sometimes called subnet mask....

  • Page 291

    4 port number) of a connection. Replay detection: a way to determine whether a replay attack is underway in an ipsec tunnel. A replay attack occurs when an unauthorized party captures a series of ipsec packets and retransmits them in an attempt to flood a tunnel or gain access to a vpn. Rfc, request for comme...

  • Page 292

    Freeguard 100 administration guide 5 broadcasting messages throughout the network. Virus: a computer program that replicates and spreads itself through computers or networks, usually with harmful intent. Vpn, virtual private network: a secure logical network created from physically separate networks...