Operations Guide - Smoothwall: Product Documentation

Unified Threat Management
Advanced Firewall Operations Guide
For future reference
Advanced Firewall serial number:
Date installed:
Smoothwall contact:
Smoothwall® Advanced Firewall, Operations Guide, December 2014
Smoothwall publishes this guide in its present form without any guarantees. This guide replaces any other
guides delivered with earlier versions of Advanced Firewall.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of Smoothwall.
For more information, contact: docs@smoothwall.net
© 2001 – 2014 Smoothwall Ltd. All rights reserved.
Trademark notice
Smoothwall and the Smoothwall logo are registered trademarks of Smoothwall Ltd.
Linux is a registered trademark of Linus Torvalds. Snort is a registered trademark of Sourcefire INC.
DansGuardian is a registered trademark of Daniel Barron. Microsoft, Internet Explorer, Windows 95,
Windows 98, Windows NT, Windows 2000 and Windows XP are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Netscape is a registered
trademark of Netscape Communications Corporation in the United States and other countries. Apple and
Mac are registered trademarks of Apple Computer Inc. Intel is a registered trademark of Intel Corporation.
Core is a trademark of Intel Corporation.
All other products, services, companies, events and publications mentioned in this document, associated
documents and in Smoothwall software may be trademarks, registered trademarks or service marks of
their respective owners in the UK, US and/or other countries.
Acknowledgements
Smoothwall acknowledges the work, effort and talent of the Smoothwall GPL development team:
Lawrence Manning and Gordon Allan, William Anderson, Jan Erik Askildt, Daniel Barron, Emma Bickley,
Imran Chaudhry, Alex Collins, Dan Cuthbert, Bob Dunlop, Moira Dunne, Nigel Fenton, Mathew Frank, Dan
Goscomb, Pete Guyan, Nick Haddock, Alan Hourihane, Martin Houston, Steve Hughes, Eric S.
Johansson, Stephen L. Jones, Toni Kuokkanen, Luc Larochelle, Osmar Lioi, Richard Morrell, Piere-Yves
Paulus, John Payne, Martin Pot, Stanford T. Prescott, Ralf Quint, Guy Reynolds, Kieran Reynolds, Paul
Richards, Chris Ross, Scott Sanders, Emil Schweickerdt, Paul Tansom, Darren Taylor, Hilton Travis, Jez
Tucker, Bill Ward, Rebecca Ward, Lucien Wells, Adam Wilkinson, Simon Wood, Nick Woodruffe, Marc
Wormgoor.
Advanced Firewall contains graphics taken from the Open Icon Library project
http://openiconlibrary.sourceforge.net/
Address
Smoothwall Limited
1 John Charles Way
Leeds. LS12 6QA
United Kingdom
Email
info@smoothwall.net
Web
www.smoothwall.net
Telephone
USA and Canada: 1 800 959 3760
United Kingdom: 0870 1 999 500
All other countries: +44 870 1 999 500
Fax
USA and Canada: 1 888 899 9164
United Kingdom: 0870 1 991 399
All other countries: +44 870 1 991 399
Contents
About This Guide
  Audience and Scope
  Organization and Use
  Conventions
  Related Documentation
Chapter 1, Introduction
  Overview of Advanced Firewall
  Annual Renewal
Chapter 2, Advanced Firewall Overview
  Accessing Advanced Firewall
  Dashboard
  Logs and reports
  Reports
  Alerts
  Realtime
  Logs
  Settings
  Networking
  Filtering
  Routing
  Interfaces
  Firewall
  Outgoing
  Settings
  Services
  Authentication
  User Portal
  Proxies
  SNMP
  DNS
  Message Censor
  Intrusion System
  DHCP
  System
  Maintenance
  Central Management
  Preferences
  Administration
  Hardware
  Diagnostics
  Certificates
  VPN
  Configuration Guidelines
  Specifying Networks, Hosts and Ports
  Using Comments
  Creating, Editing and Removing Rules
  Connecting via the Console
  Connecting Using a Client
  Secure Communication
  Unknown Entity Warning
  Inconsistent Site Address
Chapter 3, Advanced Firewall Services
  Working with Portals
  Creating a Portal
  Configuring a Portal
  Editing Portals
  Deleting Portals
  Managing the Web Proxy Service
  Configuring and Enabling the Web Proxy Service
  About Web Proxy Methods
  Configuring End-user Browsers
  Instant Messenger Proxying
  Monitoring SSL-encrypted Chats
  SIP Proxying
  Types of SIP Proxy
  Choosing the Type of SIP Proxying
  Configuring SIP
  FTP Proxying
  Configuring non-Transparent FTP Proxying
  Configuring Transparent FTP Proxying
  Reverse Proxy Service
  Configuring the Reverse Proxy Service
  SNMP
  DNS
  Adding Static DNS Hosts
  Enabling the DNS Proxy Service
  Managing Dynamic DNS
  Censoring Message Content
  Configuration Overview
  Managing Custom Categories
  Setting Time Periods
  Creating Filters
  Creating and Applying Message Censor Policies
  Editing Policies
  Deleting Policies
  Managing the Intrusion System
  About the Default Policies
  Deploying Intrusion Detection Policies
  Deploying Intrusion Prevention Policies
  Creating Custom Policies
  Uploading Custom Signatures
  Using BYOD with Advanced Firewall
  About the RADIUS requests
  Implementation Examples
  Configuring BYOD for Advanced Firewall
  Prerequisites
  Adding RADIUS Clients
  Blocking Access to the Wireless Network
  Adding External RADIUS Servers
  Using the Advanced Firewall Certificate
Chapter 4, Producing Reports
  About Reports
  About Report Templates
  About Report Outputs
  Using Drill Down Reports
  Generating Reports
  Canceling a Report
  Regenerating and Saving Reports
  About the Summary Report
  Scheduling Reports
  Example Schedule Report Configuration
  Managing Scheduled Reports
  Creating Custom Report Templates
  Creating Basic Custom Reports
  About Advanced Custom Reports
  Managing Custom Reports
  Managing Reports and Report Folders
  Creating Folders
  Deleting Folders
  Deleting Reports
  Making Reports Available on User Portals
  Saving a Report Output to Other User Portals
  Removing Reports from a User Portal
Chapter 5, Using Alerts, Information, and Logging
  About the Dashboard
  About Alerts
  Available Alerts
  Configuring Alert Settings
  Enabling Instantaneous Alerts
  Looking up Previous Alerts by Reference
  About Advanced Firewall’s Realtime Viewer
  Realtime System Information
  Realtime Firewall Information
  Realtime IPsec Information
  Realtime Portal Information
  Realtime Instant Messaging
  Realtime Traffic Graphs
  About Advanced Firewall’s Log Files
  System Logs
  Firewall Logs
  IPSec Logs
  Email Logs
  IDS Logs
  IPS Logs
  IM Proxy Logs
  Web Proxy Logs
  Reverse Proxy Logs
  User Portal Logs
  Configuring Log Settings
  Configuring Other Log Settings
  Managing Log Retention
  Managing Automatic Deletion of Logs
  Configuring Report and Alert Output Settings
  About Email-to-SMS Output
  About Placeholder Tags
  Configuring Email to SMS Output
  Configuring Output to Email
  Generating a Test Alert
  Configuring Alert and Report Groups
  Creating Groups
  Editing a Group
  Deleting a Group
Chapter 6, Managing Your Advanced Firewall
  Installing Updates
  Installing Updates
  Installing Updates on a Failover System
  Managing Modules
  Removing a Module
  Licenses
  Installing Licenses
  Archives
  About Archive Profiles
  Creating an Archive
  Downloading an Archive
  Restoring an Archive
  Deleting Archives
  Uploading an Archive
  Scheduling
  Scheduling Remote Archiving
  Editing Schedules
  Rebooting and Shutting Down
  Setting System Preferences
  Configuring the User Interface
  Setting Time
  Configuring Registration Options
  Configuring the Hostname
  Configuring Administration and Access Settings
  Configuring Administration Access Options
  Referral Checking
  Configuring External Access
  Editing and Removing External Access Rules
  Administrative User Settings
  Managing Tenants
  Creating Tenants
  Editing a Tenant
  Deleting a Tenant
  Hardware
  Managing UPS Devices
  Managing Hardware Failover
  How does it work?
  Prerequisites
  Configuring Hardware Failover
  Administering Failover
  Testing Failover
  Configuring Modems
  Installing and Uploading Firmware
  Using Advanced Firewall’s Diagnostic Tools
  Testing Advanced Firewall Functionality
  Exporting Advanced Firewall’s Configuration
  Using IP Tools
  Using Whois
  Analyzing Network Traffic
  Managing CA Certificates
  Reviewing CA Certificates
  Importing CA Certificates
  Exporting CA Certificates
  Deleting and Restoring Certificates
Appendix A, Available Reports
  All blocked activity for a specific user
  Amount of time a user spent browsing a URL
  Amount of time a user spent browsing sites in a category
  Amount of time an IP address spent browsing a URL
  Amount of time an IP address spent browsing sites in a category
  Application Bandwidth Statistics
  About the Generated Report
  Authentication Cache
  Bandwidth usage by a specific user
  Complete IP address audit trail
  Complete user audit trail
  Connection details and traffic statistics
  Control page template
  Daily category comparison
  Daily domain comparison
  Daily user comparison
  Disk information
  Estimated cost of Spam and Malware
  Executive summary of activity of a specific IP address
  Executive summary of activity of a specific user
  Executive summary of all group activity
  Firewall activity
  Incoming email summary incl last 24 hours
  Interfaces and IP addresses
  Mailbox activity
  Malware Incl last 24 hours
  Outgoing email summary incl last 24 hours
  Portal users logged in status
  Summary page template
  System information
  Time spent browsing for a specific user
  Time spent browsing sites in a specific category for a specific user
  Times of day a group browses a specific URL
  Times of day a user browses a specific URL
  Times of day a user browses and the categories browsed
  Times of day an IP address browses a specific URL
  Times of day an IP address browses and the categories browsed
  Times of day members of a group browses and the categories browsed
  Top blocked domains by hits
  Top blocked users by hits
  Top categories by hits and bandwidth
  Top categories by hits and bandwidth - with options
  Top client IPs by hits and bandwidth
  Top client IPs by hits and bandwidth - with options
  Top domains by hits and bandwidth
  Top domains by hits and bandwidth - with options
  Top search terms
  Top search terms and the searches they were used in for a specific user
  Top users by hits and bandwidth
  Top users by hits and bandwidth - with options
  Top users using banned search terms
  Updates
  VPN status and history
  Web filter statistics
Appendix B, Application Groups
  Application Groups
  Deep Packet Inspection Application Groups
Glossary
Index
About This Guide
Smoothwall’s Advanced Firewall is a licenced feature of your Smoothwall System.
This manual provides guidance for configuring Advanced Firewall.
Audience and Scope
This guide is aimed at system administrators maintaining Advanced Firewall.
This guide assumes the following prerequisite knowledge:
• An overall understanding of the functionality of the Smoothwall System
• An overall understanding of networking concepts
Note: We strongly recommend that everyone working with Smoothwall products attend
Smoothwall training. For information on our current training courses, contact your Smoothwall
representative.
Organization and Use
This guide is made up of the following chapters and appendices:
• Chapter 1, Introduction on page 3
• Chapter 2, Advanced Firewall Overview on page 5
• Chapter 3, Advanced Firewall Services on page 25
• Chapter 4, Producing Reports on page 77
• Chapter 5, Using Alerts, Information, and Logging on page 91
• Chapter 6, Managing Your Advanced Firewall on page 131
• Appendix A: Available Reports on page 169
• Appendix B: Application Groups on page 189
• Index on page 207
Conventions
The following typographical conventions are used in this guide:
| Item | Convention | Example |
| --- | --- | --- |
| Key product terms | Initial Capitals | Advanced Firewall; Smoothwall System |
| Menu flow, and screen objects | Bold | System > Maintenance > Shutdown; Click Save |
| Cross-references | Blue text | See Chapter 1, Introduction on page 3 |
| References to other guides | Italics | Refer to the Advanced Firewall Administration Guide |
| Filenames and paths | Courier | The portal.xml file |
| Variables that users replace | Courier Italics | http://<my_ip>/portal |
| Links to external websites | Blue text, underlined | Refer to http://www.smoothwall.net/support |
This guide is written in such a way as to be printed on both sides of the paper.
Related Documentation
The following guides provide additional information relating to Advanced Firewall:
• Advanced Firewall Installation Guide, which describes how to install Advanced Firewall
• Advanced Firewall Administration Guide, which describes how to configure Advanced Firewall
• Advanced Firewall Upgrade Guide, which describes how to upgrade Advanced Firewall
• Advanced Firewall User Portal Guide, which describes how to use the Advanced Firewall user portal
• http://www.smoothwall.net/support contains the Smoothwall support portal, knowledge base and the latest product manuals.
1 Introduction
This chapter introduces Advanced Firewall, including:
• Overview of Advanced Firewall on page 3
• Annual Renewal on page 4
Overview of Advanced Firewall
Advanced Firewall is the Unified Threat Management system for enterprise networks. Combining the
functions of perimeter and internal firewalls, Advanced Firewall employs Microsoft Active Directory/
LDAP user authentication for policy based access control to local network zones and Internet
services.
Secure wireless, secure remote access and site-to-site IPSec connectivity are provided by the
integrated VPN gateway.
Advanced Firewall provides:
• Perimeter firewall – multiple Internet connections with load sharing and automatic connection failover
• User authentication – policy-based access control and user authentication with support for Microsoft Active Directory, Novell eDirectory and other LDAP authentication servers
• Load balancer – the ideal solution for the efficient and resilient use of multiple Internet connections
• Internal firewall – segregation of networks into physically separate zones with user-level access control of inter-zone traffic
• Email Security – anti-spam, anti-malware, mail relay and control
• VPN Gateway – site-to-site, secure remote access and secure wireless connections
Annual Renewal
To ensure that you have all the functionality documented in this guide, we recommend that you
purchase annual renewal. For more information, contact your Smoothwall representative.
2 Advanced Firewall Overview
In this chapter:
• How to access Advanced Firewall
• An overview of the pages used to configure and manage Advanced Firewall.
Accessing Advanced Firewall
To access Advanced Firewall:
1. In a web browser, enter the address of your Advanced Firewall, for example:
https://192.168.72.141:441
Note: The example address above uses HTTPS so that communication with your Advanced Firewall
is encrypted. HTTP on port 81 is also available, but it offers less security: the session, including the
administrator password you enter at login, is not encrypted.
Note: The following sections assume that you have registered and configured Advanced Firewall as
described in the Advanced Firewall Installation and Setup Guide.
2. Accept Advanced Firewall’s certificate. The login screen is displayed.
3. Enter the following information:

| Field | Information |
| --- | --- |
| Username | Enter admin. This is the default Advanced Firewall administrator account. |
| Password | Enter the password you specified for the admin account when installing Advanced Firewall. |

4. Click Login. The Dashboard opens.
The following sections give an overview of Advanced Firewall’s default sections and pages.
Dashboard
The dashboard is the default home page of your Advanced Firewall system. It displays service
information and customizable summary reports.
Logs and reports
The Logs and reports section contains the following sub-sections and pages:
Reports
Pages | Description
Summary | Displays a number of generated reports. For more information, see About the Summary Report.
Reports | Where you generate and organize reports. For more information, see Generating Reports on page 79.
Recent and saved | Lists recently-generated and previously saved reports. For more information, see Regenerating and Saving Reports.
Scheduled | Sets which reports are automatically generated and delivered. For more information, see Scheduling Reports on page 81.
Custom | Enables you to create and view custom reports. For more information, see Creating Custom Report Templates on page 83.
Alerts
Pages | Description
Alerts | Determine which alerts are sent to which groups of users and in what format. For more information, see About Alerts on page 92.
Alert settings | Settings to enable the alert system and customize alerts with configurable thresholds and trigger criteria. For more information, see Configuring Alert Settings on page 95.
Realtime
Pages | Description
System | A real time view of the system log with some filtering options. For more information, see Realtime System Information on page 103.
Firewall | A real time view of the firewall log with some filtering options. For more information, see Realtime Firewall Information on page 104.
IPSec | A real time view of the IPSec log with some filtering options. For more information, see Realtime IPsec Information on page 104.
Email | Displays the email log viewer running in real time mode. For more information, see Email Logs on page 114.
Portal | A real time view of activity on user portals. For more information, see Realtime Portal Information on page 105.
IM proxy | A real time view of recent instant messaging conversations. For more information, see Realtime Instant Messaging on page 106.
Traffic graphs | Displays a real time bar graph of the bandwidth being used. For more information, see Realtime Traffic Graphs on page 107.
Logs
Pages | Description
System | Simple logging information for the internal system services. For more information, see System Logs on page 108.
Firewall | Displays all data packets that have been dropped or rejected by the firewall. For more information, see Firewall Logs on page 110.
IPSec | Displays diagnostic information for VPN tunnels. For more information, see IPSec Logs on page 112.
Email | Displays sender, recipient, subject and other email message information. For more information, see Email Logs on page 114.
IDS | Displays network traffic detected by the intrusion detection system (IDS). For more information, see IDS Logs on page 116.
IPS | Displays network traffic detected by the intrusion prevention system (IPS). For more information, see IPS Logs on page 117.
IM proxy | Displays information on instant messaging conversations. For more information, see IM Proxy Logs on page 118.
Web proxy | Displays detailed analysis of web proxy usage. For more information, see Web Proxy Logs on page 119.
Reverse proxy | Displays information on reverse proxy usage. For more information, see Reverse Proxy Logs on page 119.
Log settings | Settings to configure the logs you want to keep, an external syslog server, automated log deletion and rotation options. For more information, see Configuring Log Settings on page 121.
Settings
Pages | Description
Datastore settings | Contains settings to manage the storing of log files. For more information, see Managing Log Retention.
Groups | Where you create groups of users which can be configured to receive automated alerts and reports. For more information, see Configuring Alert and Report Groups on page 129.
Output settings | Settings to configure the Email to SMS Gateway and SMTP settings used for delivery of alerts and reports. For more information, see Configuring Report and Alert Output Settings on page 125.
Networking
The Networking section contains the following sub-sections and pages:
Filtering
Pages | Description
Zone bridging | Used to define permissible communication between pairs of network zones. For more information, refer to the Advanced Firewall Administration Guide.
Group bridging | Used to define the network zones that are accessible to authenticated groups of users. For more information, refer to the Advanced Firewall Administration Guide.
IP block | Used to create rules that drop or reject traffic originating from or destined for single or multiple IP addresses. For more information, refer to the Advanced Firewall Administration Guide.
Routing
Pages | Description
Subnets | Used to generate additional routing information so that the system can route traffic to other subnets via a specified gateway. For more information, refer to the Advanced Firewall Administration Guide.
RIP | Used to enable and configure the Routing Information Protocol (RIP) service on the system. For more information, refer to the Advanced Firewall Administration Guide.
Sources | Used to determine which external network interface will be used by internal network hosts for outbound communication when a secondary external connection is active. For more information, refer to the Advanced Firewall Administration Guide.
Ports | Used to create rules to set the external interface based on the destination port. For more information, refer to the Advanced Firewall Administration Guide.
Interfaces
Pages | Description
Interfaces | Configure and display information on your Advanced Firewall’s internal interfaces. For more information, refer to the Advanced Firewall Administration Guide.
Internal aliases | Used to create aliases on internal network interfaces, thus enabling a single physical interface to route packets between IP addresses on a virtual subnet – without the need for physical switches. For more information, refer to the Advanced Firewall Administration Guide.
External aliases | Used to create IP address aliases on static Ethernet external interfaces. External aliases allow additional static IPs that have been provided by an ISP to be assigned to the same external interface. For more information, refer to the Advanced Firewall Administration Guide.
Connectivity | Used to create external connection profiles and implement them. For more information, refer to the Advanced Firewall Administration Guide.
PPP | Used to create Point to Point Protocol (PPP) profiles that store PPP settings for external connections using dial-up modem devices. For more information, refer to the Advanced Firewall Administration Guide.
Secondaries | Used to configure an additional, secondary external interface. For more information, refer to the Advanced Firewall Administration Guide.
Firewall
Pages | Description
Port forwarding | Used to forward incoming connection requests to internal network hosts. For more information, refer to the Advanced Firewall Administration Guide.
Source mapping | Used to map specific internal hosts or subnets to an external alias. For more information, refer to the Advanced Firewall Administration Guide.
Advanced | Used to enable or disable NAT-ing helper modules and manage bad external traffic. For more information, refer to the Advanced Firewall Administration Guide.
Outgoing
Pages | Description
Policies | Used to assign outbound access controls to IP addresses and networks. For more information, refer to the Advanced Firewall Administration Guide.
Ports | Used to define lists of outbound destination ports and services that should be blocked or allowed. For more information, refer to the Advanced Firewall Administration Guide.
External services | Used to define a list of external services that should always be accessible to internal network hosts. For more information, refer to the Advanced Firewall Administration Guide.
Settings
Pages | Description
Port groups | Create and edit groups of ports for use throughout Advanced Firewall. For more information, refer to the Advanced Firewall Administration Guide.
Advanced | Used to configure advanced network and traffic auditing parameters. For more information, refer to the Advanced Firewall Administration Guide.
Services
The Services section contains the following sub-sections and pages:
Authentication
Pages | Description
Settings | Used to set global login time settings. For more information, refer to the Advanced Firewall Administration Guide.
Directories | Used to connect to directory servers in order to retrieve groups and apply network and web filtering permissions and verify the identity of users trying to access network or Internet resources. For more information, refer to the Advanced Firewall Administration Guide.
Groups | Used to customize group names. For more information, refer to the Advanced Firewall Administration Guide.
Temporary bans | Enables you to manage temporarily banned user accounts. For more information, refer to the Advanced Firewall Administration Guide.
User activity | Displays the login times, usernames, group membership and IP address details of recently authenticated users. For more information, refer to the Advanced Firewall Administration Guide.
SSL login | Used to customize the end-user SSL login page and configure SSL login redirection and exceptions. For more information, refer to the Advanced Firewall Administration Guide.
Kerberos keytabs | This is where Kerberos keytabs are imported and managed. For more information, refer to the Advanced Firewall Administration Guide.
BYOD | Enables you to authenticate users with their own devices and allow them to connect to the network. For more information, see Using BYOD with Advanced Firewall on page 66.
User Portal
Pages | Description
Portals | This page enables you to configure and manage user portals. For more information, see Working with Portals on page 26.
Group access | This page enables you to assign groups of users to portals. For more information, see Creating a Portal on page 26.
User access | This page enables you to override group settings and assign a user directly to a portal. For more information, see Granting Individual User Access on page 30.
Proxies
Pages | Description
Web proxy | Used to configure and enable the web proxy service, allowing controlled access to the Internet for local network hosts. For more information, see Managing the Web Proxy Service on page 31.
Instant messenger | Used to configure and enable instant messaging proxying. For more information, see Instant Messenger Proxying on page 37.
SIP | Used to configure and enable a proxy to manage Session Initiation Protocol (SIP) traffic. For more information, see SIP Proxying on page 40.
FTP | Used to configure and enable a proxy to manage FTP traffic. For more information, see FTP Proxying on page 43.
Reverse proxy | The reverse proxy service enables you to control requests from the Internet and forward them to servers in an internal network. For more information, see Reverse Proxy Service on page 47.
SNMP
Pages | Description
SNMP | Used to activate Advanced Firewall’s Simple Network Management Protocol (SNMP) agent. For more information, see SNMP on page 49.
DNS
Pages | Description
Static DNS | Used to create a local hostname table for the purpose of mapping the hostnames of local network hosts to their IP addresses. For more information, see Adding Static DNS Hosts on page 51.
DNS proxy | Used to provide a DNS proxy service for local network hosts. For more information, see Enabling the DNS Proxy Service on page 52.
Dynamic DNS | Used to configure access to third-party dynamic DNS service providers. For more information, see Managing Dynamic DNS on page 52.
Message Censor
Pages | Description
Policies | Enables you to create and manage filtering policies by assigning actions to matched content. For more information, see Creating and Applying Message Censor Policies on page 59.
Filters | This is where you create and manage filters for matching particular types of message content. For more information, see Creating Filters on page 57.
Time | This is where you create and manage time periods for limiting the time of day during which filtering policies are enforced. For more information, see Setting Time Periods on page 56.
Custom categories | Enables you to create and manage custom content categories for inclusion in filters. For more information, see Managing Custom Categories on page 55.
Intrusion System
Pages | Description
Signatures | Enables you to deploy customized and automatic rules in the intrusion detection and intrusion prevention systems. For more information, see Uploading Custom Signatures on page 65.
Policies | Enables you to configure Advanced Firewall’s intrusion detection and prevention rules for inclusion in IDS and IPS policies. For more information, see Creating Custom Policies on page 64.
IDS | Used to enable and configure policies to monitor network activity using the Intrusion Detection System (IDS). For more information, see Deploying Intrusion Detection Policies on page 61.
IPS | Used to enable and configure policies to monitor network activity using the Intrusion Prevention System (IPS). For more information, see Deploying Intrusion Prevention Policies on page 62.
DHCP
Pages | Description
Global | Used to enable the Dynamic Host Configuration Protocol (DHCP) service and set its mode of operation. For more information, refer to the Advanced Firewall Administration Guide.
DHCP server | Used to configure automatic dynamic and static IP leasing to DHCP requests received from network hosts. For more information, refer to the Advanced Firewall Administration Guide.
DHCP leases | Used to view all current DHCP leases, including IP address, MAC address, hostname, lease start and end time, and the current lease state. For more information, refer to the Advanced Firewall Administration Guide.
DHCP relay | Used to configure the DHCP service to forward all DHCP requests to another DHCP server, and re-route DHCP responses back to the requesting host. For more information, refer to the Advanced Firewall Administration Guide.
Custom options | Used to create and edit custom DHCP options. For more information, refer to the Advanced Firewall Administration Guide.
System
The System section contains the following sub-sections and pages:
Maintenance
Pages | Description
Updates | Used to display and install available product updates, in addition to listing currently installed updates. For more information, see Installing Updates on page 132.
Modules | Used to upload, view, check, install and remove Advanced Firewall modules. For more information, see Managing Modules on page 133.
Licenses | Used to display and update license information for the licensable components of the system. For more information, see Licenses on page 135.
Archives | Used to create and restore archives of system configuration information. For more information, see Archives on page 136.
Scheduler | Used to automatically discover new system updates, modules and licenses. It is also possible to schedule automatic downloads of system updates and create local and remote backup archives. For more information, see Scheduling on page 137.
Shutdown | Used to shut down or reboot the system. For more information, see Rebooting and Shutting Down on page 140.
Central Management
Pages | Description
Overview | This is where you monitor nodes and schedule updates in a Smoothwall system. For more information, refer to the Advanced Firewall Administration Guide.
Child nodes | This is where you add and configure nodes in a Smoothwall system. For more information, refer to the Advanced Firewall Administration Guide.
Local node settings | This is where you configure a node to be a parent or child in a Smoothwall system and manage central management keys for use in the system. For more information, refer to the Advanced Firewall Administration Guide.
Preferences
Pages | Description
User interface | Used to manage Advanced Firewall’s dashboard settings. For more information, see Configuring the User Interface on page 141.
Time | Used to manage Advanced Firewall’s time zone, date and time settings. For more information, see Setting Time on page 142.
Registration options | Used to configure a web proxy if your ISP requires you to use one. Also enables you to configure sending extended registration information to Smoothwall. For more information, see Configuring Registration Options on page 143.
Hostname | Used to configure Advanced Firewall’s hostname. For more information, see Configuring the Hostname on page 145.
Administration
Pages | Description
Admin options | Used to enable secure access to Advanced Firewall using SSH, and to enable referral checking. For more information, see Configuring Administration Access Options on page 145.
External access | Used to create rules that determine which interfaces, services, networks and hosts can be used to administer Advanced Firewall. For more information, see Configuring External Access on page 147.
Administrative users | Used to manage user accounts and set or edit user passwords on the system. For more information, see Administrative User Settings on page 148.
Hardware
Pages | Description
UPS | Used to configure the system's behavior when it is using battery power from an Uninterruptible Power Supply (UPS) device. For more information, see Managing UPS Devices on page 151.
Failover | Used to specify what Advanced Firewall should do in the event of a hardware failure. For more information, see Managing Hardware Failover on page 154.
Modem | Used to create up to five different modem profiles, typically used when creating external dial-up connections. For more information, see Configuring Modems on page 160.
Firmware upload | Used to upload firmware used by USB modems. For more information, see Installing and Uploading Firmware on page 161.
Diagnostics
Pages | Description
Functionality tests | Used to ensure that your current Advanced Firewall settings are not likely to cause problems. For more information, see Using Advanced Firewall’s Diagnostic Tools on page 162.
Configuration report | Used to create diagnostic files for support purposes. For more information, see Exporting Advanced Firewall’s Configuration on page 164.
IP tools | Contains the ping and trace route IP tools. For more information, see Using IP Tools on page 164.
Whois | Used to find and display ownership information for a specified IP address or domain name. For more information, see Using Whois on page 166.
Traffic analysis | Used to generate and display detailed information on current traffic. For more information, see Analyzing Network Traffic on page 166.
Certificates
Page | Description
Certificate authorities | Provides certification authority (CA) certificates and enables you to manage them for clients and gateways. For more information, see Managing CA Certificates on page 167.
VPN
The VPN section contains the following pages:
Pages | Description
Control | Used to show the current status of the VPN system and enable you to stop and restart the service. For more information, refer to the Advanced Firewall Administration Guide.
Certificate authorities | Used to create a local certificate authority (CA) for use in an X509 authenticated based VPN setup. It is also possible to import and export CA certificates on this page. For more information, refer to the Advanced Firewall Administration Guide.
Certificates | Used to create host certificates if a local CA has been created. This page also provides controls to import, export, view and delete host certificates. For more information, refer to the Advanced Firewall Administration Guide.
Global | Used to configure global settings for the VPN system. For more information, refer to the Advanced Firewall Administration Guide.
IPSec subnets | Used to configure IPSec subnet VPN tunnels. For more information, refer to the Advanced Firewall Administration Guide.
IPSec roadwarriors | Used to configure IPSec road warrior VPN tunnels. For more information, refer to the Advanced Firewall Administration Guide.
L2TP roadwarriors | Used to create and manage L2TP road warrior VPN tunnels. For more information, refer to the Advanced Firewall Administration Guide.
SSL roadwarriors | Enables you to configure and upload custom SSL VPN client scripts. For more information, refer to the Advanced Firewall Administration Guide.
Configuration Guidelines
This section provides guidance about how to enter suitable values for frequently required
configuration settings.
Specifying Networks, Hosts and Ports
IP Address
An IP address defines the network location of a single network host. The following format is used:
192.168.10.1
IP Address Range
An IP address range defines a sequential range of network hosts, from low to high. IP address ranges
can span subnets. For example:
192.168.10.1-192.168.10.20
192.168.10.1-192.168.12.255
Subnet Addresses
A network or subnet range defines a range of IP addresses that belong to the same network. The
format combines an arbitrary IP address and a network mask, and can be entered in two ways:
192.168.10.0/255.255.255.0
192.168.10.0/24
Netmasks
A netmask defines a network or subnet range when used in conjunction with an arbitrary IP address.
Some pages allow a network mask to be entered separately for ease of use. Examples:
255.255.255.0
255.255.0.0
255.255.248.0
Service and Ports
A Service or Port identifies a particular communication port in numeric format. For ease of use, a
number of well known services and ports are provided in Service drop-down lists. To use a custom
port number, choose the User defined option from the drop-down list and enter the numeric port
number into the adjacent User defined field. Examples:
21
7070
Port Range
A 'Port range' can be entered into most User defined port fields, in order to describe a sequential
range of communication ports from low to high. The following format is used:
137:139
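A mistyped range or mask changes how much traffic an IP block or access rule matches, so it can help to check a value before entering it. The following Python code is an added example, not part of Advanced Firewall or the original guide: it parses the formats listed above and reports how many addresses or ports each value covers. The function names and the 1-65535 port bounds are assumptions.

```python
import ipaddress


def parse_ip(text):
    """Single host, for example 192.168.10.1."""
    return ipaddress.IPv4Address(text.strip())


def parse_ip_range(text):
    """low-high, for example 192.168.10.1-192.168.10.20; may span subnets."""
    low, sep, high = text.partition("-")
    if not sep:
        raise ValueError(f"{text!r}: expected low-high")
    lo, hi = parse_ip(low), parse_ip(high)
    if lo > hi:
        raise ValueError(f"{text!r}: range must run from low to high")
    return lo, hi


def parse_netmask(text):
    """Dotted netmask such as 255.255.248.0; returns its prefix length."""
    host_bits = int(parse_ip(text)) ^ 0xFFFFFFFF
    # A netmask is a run of ones followed by zeros, so its inverse must be
    # 2**n - 1. This rejects host masks such as 0.0.0.255, which
    # ipaddress.ip_network() would accept and treat as /24.
    if host_bits & (host_bits + 1):
        raise ValueError(f"{text!r}: not a contiguous netmask")
    return 32 - host_bits.bit_length()


def parse_subnet(text):
    """address/netmask or address/prefix, for example 192.168.10.0/24."""
    addr, sep, mask = text.strip().partition("/")
    if not sep:
        raise ValueError(f"{text!r}: expected address/mask")
    if mask.isascii() and mask.isdigit():
        prefix = int(mask)
        if prefix > 32:
            raise ValueError(f"{text!r}: prefix length above 32")
    else:
        prefix = parse_netmask(mask)
    # strict=False because the guide allows an arbitrary address in the subnet.
    return ipaddress.IPv4Network((str(parse_ip(addr)), prefix), strict=False)


def parse_port(text):
    """Numeric port, for example 21 or 7070 (bounds 1-65535 are an assumption)."""
    digits = text.strip()
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"{text!r}: port must be numeric")
    port = int(digits)
    if not 1 <= port <= 65535:
        raise ValueError(f"{text!r}: port outside 1-65535")
    return port


def parse_port_range(text):
    """low:high, for example 137:139."""
    low, sep, high = text.partition(":")
    if not sep:
        raise ValueError(f"{text!r}: expected low:high")
    lo, hi = parse_port(low), parse_port(high)
    if lo > hi:
        raise ValueError(f"{text!r}: range must run from low to high")
    return lo, hi


def coverage(kind, text):
    """How many addresses or ports a value of the given kind matches."""
    if kind == "ip":
        parse_ip(text)
        return 1
    if kind == "ip_range":
        lo, hi = parse_ip_range(text)
        return int(hi) - int(lo) + 1
    if kind == "subnet":
        return parse_subnet(text).num_addresses
    if kind == "port":
        parse_port(text)
        return 1
    if kind == "port_range":
        lo, hi = parse_port_range(text)
        return hi - lo + 1
    raise ValueError(f"unknown kind {kind!r}")


def range_as_subnets(text):
    """Smallest list of CIDR blocks that exactly covers an IP address range."""
    lo, hi = parse_ip_range(text)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    # Constructed inputs: the guide's own examples plus two typical mistakes.
    samples = [("ip_range", "192.168.10.1-192.168.12.255"),
               ("subnet", "192.168.10.0/255.255.255.0"),
               ("port_range", "137:139"),
               ("subnet", "192.168.10.0/0.0.0.255"),
               ("port_range", "139:137")]
    for kind, value in samples:
        try:
            print(f"{kind:10} {value:30} covers {coverage(kind, value)}")
        except ValueError as exc:
            print(f"{kind:10} rejected: {exc}")
```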
Using Comments
Almost every configurable aspect of Advanced Firewall can be assigned a descriptive text comment.
This feature is provided so that administrators can record human-friendly notes against configuration
settings they implement.
Comments are entered in the Comment fields and displayed alongside saved configuration
information.
Creating, Editing and Removing Rules
Much of Advanced Firewall is configured by creating rules – for example, IP block rules and
administration access rules.
Creating a Rule
To create a rule:
1. Enter configuration details in the Add a new rule area.
2. Click Add to create the rule and add it to the appropriate Current rules area.
Editing a Rule
To edit a rule:
1. Find the rule in the Current rules area and select its adjacent Mark option.
2. Click Edit to populate the configuration controls in the Add a new rule area with the rule’s
current configuration values.
3. Change the configuration values as necessary.
4. Click Add to re-create the edited rule and add it to the Current rules area.
Removing a Rule
To remove one or more rules:
1. Select the rule(s) to be removed in the Current rules area.
2. Click Remove to remove the selected rule(s).
Note: The same processes for creating, editing and removing rules also apply to a number of pages
where hosts and users are the configuration elements being created. On such pages, the Add a new
rule and Current rules area will be Add a new host and Current users etc.
Connecting via the Console
You can access Advanced Firewall via a console using the Secure Shell (SSH) protocol.
Note: By default, Advanced Firewall only allows SSH access if it has been specifically configured.
See Configuring Administration Access Options on page 145 for more information.
Connecting Using a Client
When SSH access is enabled, you can connect to Advanced Firewall via a secure shell application,
such as PuTTY.
To connect using an SSH client:
1. Check SSH access is enabled on Advanced Firewall. See Configuring Administration Access
Options on page 145 for more information.
2. Start PuTTY or an equivalent client.
3. Enter the following information:
Field | Description
Host Name (or IP address) | Enter Advanced Firewall’s host name or IP address.
Port | Enter 222.
Protocol | Select SSH.
4. Click Open. When prompted, enter root, and the password associated with it. You are given
access to the Advanced Firewall command line.
Secure Communication
When you connect your web browser to Advanced Firewall’s web-based interface on an HTTPS port
for the first time, your browser will display a warning that Advanced Firewall’s certificate is invalid. The
reason given is usually that the certificate was signed by an unknown entity or because you are
connecting to a site pretending to be another site.
Unknown Entity Warning
This issue is one of identity. Usually, secure web sites on the Internet have a security certificate which
is signed by a trusted third party. However, Advanced Firewall’s certificate is a self-signed certificate.
Note: The data traveling between your browser and Advanced Firewall is secure and encrypted.
To remove this warning, your web browser needs to be told to trust certificates generated by
Advanced Firewall.
To do this, import the certificate into your web browser. The details of how this is done vary
between browsers and operating systems. See your browser’s documentation for information on
how to import the certificate.
Inconsistent Site Address
Your browser will generate a warning if Advanced Firewall’s certificate contains the accepted site
name for the secure site in question and your browser is accessing the site via a different address.
A certificate can only contain a single site name, and in Advanced Firewall’s case, the hostname is
used. If you try to access the site using its IP address, for example, the names will not match.
To remove this warning, access Advanced Firewall using the hostname. If this is not possible, and
you are accessing the site by some other name, then this warning will always be generated.
In most cases, browsers have an option you can select to ignore this warning and to skip
these security checks in the future.
Neither of the above issues compromises the security of HTTPS access. They simply serve to illustrate
that HTTPS is about identity as well as encryption.
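Because the first-connection warning looks the same whichever self-signed certificate is presented, one check before importing it is to compare its fingerprint with one obtained over a channel you already trust. The following Python code is an added example, not part of Advanced Firewall or the original guide. The function names are hypothetical, port 441 is taken from the guide's example address, how the trusted fingerprint is obtained is an assumption, and the sample bytes are constructed rather than a real certificate.

```python
import hashlib
import hmac
import ssl

ADMIN_HTTPS_PORT = 441  # port used in the guide's example address


def fetch_certificate_pem(host, port=ADMIN_HTTPS_PORT):
    """Fetch the certificate the interface presents, without validating it.

    Nothing is trusted at this point; the PEM text is only input to the
    fingerprint comparison below.
    """
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem):
    """SHA-256 over the DER encoding, formatted as colon-separated hex pairs."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fingerprint):
    """Drop separators and case so differently formatted fingerprints compare."""
    return "".join(ch for ch in fingerprint if ch not in ": \t").lower()


def is_expected_certificate(pem, trusted_fingerprint):
    """True only if the presented certificate matches the trusted fingerprint."""
    presented = normalise(sha256_fingerprint(pem))
    return hmac.compare_digest(presented, normalise(trusted_fingerprint))


# Constructed stand-in for a certificate so the example runs offline. In use,
# the PEM comes from fetch_certificate_pem() and the trusted fingerprint from
# an out-of-band source (assumption: read on the appliance itself).
CONSTRUCTED_DER = b"constructed bytes standing in for a DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)

if __name__ == "__main__":
    trusted = sha256_fingerprint(SAMPLE_PEM)
    print("presented:", sha256_fingerprint(SAMPLE_PEM))
    print("matches trusted fingerprint:", is_expected_certificate(SAMPLE_PEM, trusted))
```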
3 Advanced Firewall Services
This chapter describes additional features and services of Advanced Firewall, including:
• Working with Portals
• Managing the Web Proxy Service
• Instant Messenger Proxying
• Monitoring SSL-encrypted Chats
• SIP Proxying
• FTP Proxying
• Reverse Proxy Service
• SNMP
• DNS
• Censoring Message Content
• Managing the Intrusion System
• Using BYOD with Advanced Firewall
For information on authentication services, refer to your Advanced Firewall Administration Guide.
Working with Portals
Advanced Firewall enables you to create portals, simplified versions of the Advanced Firewall user
interface, to manage operations, including:
• Use the policy tester — This is a simplified version of Advanced Firewall’s policy tester. For more
information, refer to the Advanced Firewall Administration Guide.
• Generate reports — You can restrict the number of reports available. You can also save reports
generated on the administration user interface to the user portal.
• Manage web access — You can block web access for groups of users, or from specified
locations.
• Manage categories — You can add or remove domains, and search terms from categories.
For a detailed description about using a portal, refer to the Advanced Firewall User Portal Guide.
Creating a Portal
The following section explains how to create a portal and make it accessible to users in a specific
group.
To create a user portal, do the following:
1. Browse to Services > User portal > Portals.
2. From the Portals panel, click New.
3. Configure a name for the portal in the Name text box.
4. Click Save.
Users access the portal from a web browser, using the URL:
http://<Advanced Firewall_IPAddress>/portal.
where Advanced Firewall_IPAddress is the IP address assigned to Advanced Firewall.
5. Browse to Services > User portal > Groups access.
6. Configure the following parameters:
• Group — From the drop-down menu, select the user group that will use this portal. For more
information about users and groups, refer to the Advanced Firewall Administration Guide.
• Portal — From the drop-down menu, select the portal that this group can access.
The next step is to configure the portal to enable authorized users to use it to download files, manage
web access and display reports.
Configuring a Portal
Configuring a user portal involves the following:
• Enabling the Policy Tester
• Making Reports Available
• Managing Bandwidth Classes
• Enabling Groups to Block Users’ Access
• Managing Filter Lists
• Making the SSL VPN Client Archive Available
• Configuring a Welcome Message
The following sections explain how to configure an Advanced Firewall portal so that authorized users
can view reports, enable the policy tester, block other users from accessing the web, download VPN
client files and receive a custom welcome message.
Enabling the Policy Tester
The policy tester enables portal users to test if a URL is accessible to a user at a specific location and
time. It also enables them to request that content reported by the tool as blocked be unblocked by
Advanced Firewall’s system administrator.
To grant access to the policy tester, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Policy tester panel, and configure the following:
• Enabled — Select to enable or disable access to the policy tester from this portal.
• Allow block/unblock requests — Select this to allow portal users to send an unblock
request to the Advanced Firewall’s system administrator.
• Administrator’s email address — Enter the email address to send the unblock request to.
4. Scroll down to the bottom of the page, and click Save.
For more information about the policy tester, refer to the Advanced Firewall Administration Guide.
Making Reports Available
There are two methods available to make reports available to a user portal; you can either add a
number of reports at the same time, or add them individually.
The following procedure describes how to add a number of reports to a portal. For a detailed
description of how to add individual reports to a portal, see Making Reports Available on User Portals
on page 88.
To make a number of reports available to the portal, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Portal published reports and templates panel, and configure the following:
   • Reporting on portal — Select to enable or disable access to reports from this portal.
   • Select templates — Select those reports that can be run from this user portal. Note that by selecting a top-level folder, access is granted to all reports contained in that folder.
4. Scroll down to the bottom of the page, and click Save.
Managing Bandwidth Classes
Portal users can enable or disable Bandwidth classes as required.
Note: Bandwidth is a licensed add-on module of Unified Threat Management, and may not be
available through your administration interface. For more information about using the Bandwidth
module, refer to your Smoothwall representative.
To grant access to Bandwidth classes management, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Bandwidth management panel, and configure the following:
   • Allow control of bandwidth classes — Select to enable or disable Bandwidth class management from this user portal.
4. Scroll down to the bottom of the page, and click Save.
For more information about the Bandwidth module of Unified Threat Management, refer to the
Bandwidth Installation and Administration Guide.
Enabling Groups to Block Users’ Access
You can enable portal users in a specific group to block web access for all users in a specific group,
or specific location.
To grant access for web access management, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Portal permissions for web access management panel, and configure the following:
   • Enabled — Select to enable or disable web access management from this user portal.
   • Allow control of groups — Select to enable or disable blocking of web access for groups from this user portal.
     From the list of groups underneath, select the group, or groups, that the user is authorized to block. Use CTRL or SHIFT to select multiple groups.
   • Allow control of locations — Select to enable or disable blocking of web access for locations from this user portal.
     From the list of locations underneath, select the location, or locations, that the user is authorized to block. Use CTRL or SHIFT to select multiple locations.
4. Scroll down to the bottom of the page, and click Save.
For more information about configuring groups and locations, refer to the Advanced Firewall
Administration Guide.
Managing Filter Lists
Portal users can add or remove domains and search terms from web filter categories.
To grant access to filter lists management, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Portal filter list management panel, and configure the following:
   • Manage filter lists on portal — Select to enable or disable filter lists management from this user portal.
4. Scroll down to the bottom of the page, and click Save.
For more information about web filter categories, refer to the Advanced Firewall Administration
Guide.
Making the SSL VPN Client Archive Available
You can configure Advanced Firewall portals to make an SSL VPN client archive available for
download on the portal.
To make the archive available:
1. In the VPN connection details panel, select SSL VPN client archive download. For a detailed description about creating the archive, refer to your Advanced Firewall Administration Guide.
2. Browse to the bottom of the page and click Save to save the settings.
Configuring a Welcome Message
Advanced Firewall enables you to display a customized welcome message when a user visits a portal.
To display a welcome message on a portal, do the following:
1. Browse to Services > User portal > Portals.
2. Select the relevant portal from the drop down list, and click Select.
3. Scroll down to the Welcome message panel, and configure a welcome message.
   To disable the welcome message, untick the Welcome message box.
4. Scroll down to the bottom of the page, and click Save.
Granting Individual User Access
You can configure Advanced Firewall so that a user uses a specific portal. This setting overrides
group settings.
To grant individual access, do the following:
1. Browse to the Services > User portal > User access page.
2. From the Add user panel, configure the following parameters:
   • Username — Enter the username for the user for this user portal. This is case-sensitive.
   • Portal — From the drop-down menu, select the portal that the user can access.
3. Click Add.
Editing Portals
The following section explains how to edit a portal.
To edit a portal:
1. Browse to the Services > User portal > Portals page.
2. From the Portals drop-down list, select the portal you want to edit.
3. Make the changes you require. See Configuring a Portal on page 27 for information on the settings available.
4. Click Save to save the changes.
Deleting Portals
The following section explains how to delete a portal.
To delete a portal:
1. Browse to the Services > User portal > Portals page.
2. From the Portals drop-down list, select the portal you want to delete.
3. Click Delete. Advanced Firewall deletes the portal.
Managing the Web Proxy Service
Advanced Firewall’s web proxy service provides local network hosts with controlled access to the
Internet with the following features:
• Transparent or non-transparent operation
• Caching controls for improved resource access times
• Support for automatic configuration scripts
• Support for remote proxy servers
Configuring and Enabling the Web Proxy Service
To configure and enable the web proxy service:
1. Navigate to the Services > Proxies > Web proxy page.
2. Configure the following settings:
   • Cache size – Enter the amount of disk space, in MBytes, to allocate to the web proxy service for caching web content, or accept the default value.
     Web and FTP requests are cached. HTTPS requests and pages including username and password information are not cached.
     The specified size must not exceed the amount of free disk space available. The cache size should be configured to an approximate size of around 40% of the system’s total storage capacity, up to a maximum of around 10 gigabytes – approximately 10000 megabytes for a high performance system with storage capacity in excess of 25 gigabytes.
     Larger cache sizes can be specified, but may not be entirely beneficial and can adversely affect page access times. This occurs when the system spends more time managing the cache than it saves retrieving pages over a fast connection.
     For slower external connections such as dial-up, the cache can dramatically improve access to recently visited pages.
   • Remote proxy – Optionally, enter the IP address of a remote proxy in the following format: hostname:port
     In most scenarios this field will be left blank and no remote proxy will be used.
     Used to configure the web proxy to operate in conjunction with a remote web proxy. Larger organizations may wish to use a dedicated proxy or sometimes ISPs offer remote proxy servers to their subscribers.
   • Remote proxy username – Enter the remote proxy username if using a remote proxy with user authentication.
   • Remote proxy password – Enter the remote proxy password when using a remote proxy with user authentication.
   • Max object size – Specify the largest object size that will be stored in the proxy cache. Objects larger than the specified size will not be cached. This prevents large downloads filling the cache.
     The default of 4096 K bytes (4 M bytes) should be adjusted to a value suitable for the needs of the proxy end-users.
   • Min object size – Specify the smallest object size that will be stored in the proxy cache. Objects smaller than the specified size will not be cached. The default is no minimum – this should be suitable for most purposes.
     This can be useful for preventing large numbers of tiny objects filling the cache.
   • Max outgoing size – Specify the maximum amount of outbound data that can be sent by a browser in any one request. The default is no limit.
     This can be used to prevent large uploads or form submissions.
   • Max incoming size – Specify the maximum amount of inbound data that can be received by a browser in any one request. This limit is independent of whether the data is cached or not. The default is no limit.
     This can be used to prevent excessive and disruptive download activity.
   • Transparent – Select to enable transparent proxying. When operating in transparent mode, network hosts and users do not need to configure their web browsers to use the web proxy.
     All requests are automatically redirected through the cache. This can be used to prevent network hosts from browsing without using the proxy server. In non-transparent mode, proxy server settings (IP address and port settings) must be configured in all browsers.
     For more information, see About Web Proxy Methods on page 35.
   • Disable proxy logging – Select to disable the proxy logging.
   • Enabled – Select to enable the web proxy service.
   • Allow admin port access – Select to permit access to other network hosts over ports 81 and 441.
     This is useful for accessing a remote Smoothwall System, or other non-standard HTTP and HTTPS services, through the proxy. In normal circumstances such communication would be prevented.
     Note: By selecting this option, it is possible to partially bypass the admin access rules on the System > Administration > Admin options page. This would allow internal network hosts to access the admin logon prompt via the proxy.
   • Do not cache – Enter any domains that should not be web cached. Enter domain names without the www. prefix, one entry per line.
     This can be used to ensure that old content of frequently updated web sites is not cached.
   • Exception local IP addresses – Enter any IP addresses on the local network that should be completely exempt from authentication restrictions.
     Exception local IP addresses are typically used to grant administrator workstations completely unrestricted Internet access.
   • Banned local IP addresses – Enter any IP addresses on the local network that are completely banned from using the web proxy service.
     If any hosts contained in this list try to access the web they will receive an error page stating that they are banned.
   • No user authentication – Select to allow users to globally access the web proxy service without authentication.
   • Proxy authentication – Select to allow users to access the web proxy service according to the username and password that they enter when prompted by their web browser.
     The username and password details are encoded in all future page requests made by the user's browser software.
     Note: You can only use proxy authentication if the proxy is operating in non-transparent mode.
   • Core authentication – Select to allow users to access the web proxy service by asking the authentication system whether there is a known user at a particular IP address.
     If the user has not been authenticated by any other authentication mechanism, the user’s status is returned by the authentication system as unauthenticated.
   • Groups allowed to use web proxy – Authenticated users can be selectively granted or denied access to the web proxy service according to their authentication group membership.
     Proxy access permissions are only applied if an authentication method other than No user authentication has been selected.
   • Automatic configuration script custom direct hosts – Enter any additional hosts to add to the automatic configuration script’s list of direct (non-proxy routing) hosts.
     This is useful for internal web servers such as a company intranet server. All hosts listed will be automatically added to a browser's Do not use proxy server for these addresses proxy settings if they access the automatic configuration script for their proxy settings.
     Note: Browsers must be configured to access the automatic configuration script to receive this list of direct routing hosts.
   • Use automatic configuration script address – After enabling and restarting the service, the automatic configuration script location is displayed here.
     Note: Microsoft Internet Explorer provides only limited support for automatic configuration scripts. Tests by Smoothwall indicate a number of intermittent issues regarding the browser’s implementation of this feature. Smoothwall recommends the use of Mozilla-based browsers when using the automatic configuration script functionality.
   • Manual web browser proxy settings – After enabling and restarting the service, the proxy address and port settings to be used when manually configuring end-user browsers are displayed here.
   • Interfaces – Select the interface for the web proxy traffic.
3. Save and restart the web proxy service by clicking Save and Restart or Save and Restart with cleared cache.
Note: Save and Restart with cleared cache – Used to save configuration changes and empty
the proxy cache of all data. This is useful when cache performance has been degraded by the
storage of stale information – typically from failed web-browsing or poorly constructed web sites. The
web proxy will be restarted with any configuration changes applied.
Note: Restarting may take up to a minute to complete. During this time, end-user browsing will be
suspended and any currently active downloads will fail. It is a good idea to restart when it is
convenient for the proxy end-users.
About Web Proxy Methods
The following sections discuss the types of web proxy methods supported by Advanced Firewall.
Transparent Proxying
If Advanced Firewall's web proxy service has been configured to operate in transparent mode, all
HTTP port 80 requests will be automatically redirected through the proxy cache.
If you are having problems with transparent proxying, check that the following settings are not
configured in end-user browsers:
• Automatic configuration
• Proxy server
Non-Transparent Proxying
If Advanced Firewall’s web proxy service has not been configured to operate in transparent mode,
all end-user browsers on local workstations in Advanced Firewall network zones must be configured.
You can configure browser settings:
• Manually – Browsers are manually configured to enable Internet access.
• Automatically using a configuration script – Browsers are configured to receive proxy configuration settings from an automatic configuration script, proxy.pac. The configuration script is automatically generated by Advanced Firewall and is accessible to all network zones that the web proxy service is enabled on.
• WPAD automatic script – Browsers are configured to automatically detect proxy settings and a local DNS server or Advanced Firewall static DNS has a host wpad.YOURDOMAINNAME added.
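To illustrate the automatic configuration script method and the custom direct hosts setting, the following is an added example of a PAC script; it is not the proxy.pac that Advanced Firewall generates. The proxy address reuses the example IP address and port 800 from this guide, and the direct hosts, the local network and the rule for single-label names are assumptions.

```javascript
// Added example PAC script; not the proxy.pac generated by Advanced Firewall.
// Proxy address: example IP and port 800 as used elsewhere in this guide.
var PROXY = "PROXY 192.168.72.141:800";
// Hypothetical "custom direct hosts": internal servers reached without the proxy.
var DIRECT_HOSTS = ["intranet.example.local", "wiki.example.local"];
// Hypothetical local network whose literal IP addresses are reached directly.
var DIRECT_NETS = [{ net: "192.168.72.0", mask: "255.255.255.0" }];

// Convert a dotted-quad string to an unsigned 32-bit number, or null if invalid.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is a literal IPv4 address inside net/mask.
function inNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

// True when host equals domain or is a subdomain of it. Matching on the
// label boundary stops "intranet.example.local.other.test" from being
// treated as internal and skipping the proxy.
function isHostOrSubdomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Normalise case and drop a trailing dot from fully qualified names.
  host = String(host).toLowerCase().replace(/\.$/, "");

  // Assumption: single-label names (no dot, not an IPv6 literal) are local.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";

  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (isHostOrSubdomain(host, DIRECT_HOSTS[i])) return "DIRECT";
  }
  for (var j = 0; j < DIRECT_NETS.length; j++) {
    if (inNet(host, DIRECT_NETS[j].net, DIRECT_NETS[j].mask)) return "DIRECT";
  }

  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of leaving the network unfiltered.
  return PROXY;
}
```

Every host that matches a direct rule is fetched without passing through the web proxy, so keep the direct list as short as the internal servers require.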
Configuring End-user Browsers
The following steps explain how to configure web proxy settings in the latest version of Internet
Explorer available at the time of writing.
To configure Internet Explorer:
1. Start Internet Explorer, and from the Tools menu, select Internet Options.
2. On the Connections tab, click LAN settings.
3. Configure the following settings:

Method: Manual
To configure:
   1. In the Proxy server area, select Use a proxy server for your LAN …
   2. Enter your Advanced Firewall's IP address and port number 800. This information is displayed on the Services > Proxies > Web proxy page, in the Automatic configuration script area.
   3. Click Advanced to access more settings.
   4. In the Exceptions area, enter the IP address of your Advanced Firewall and any other IP addresses to content that you do not want filtered, for example, your intranet or local wiki.
   5. Click OK and OK to save the settings.

Method: Automatic configuration script
To configure:
   1. In the Automatic configuration area, select Use automatic configuration script.
   2. Enter the location of the script, for example: http://192.168.72.141/proxy.pac. The location is displayed on the Services > Proxies > Web proxy page, in the Automatic configuration script area.
   3. Ensure that no other proxy settings are enabled or have entries.
   4. Click OK and OK to save the settings.

Method: WPAD
To configure:
   Note: This method is only recommended for administrators familiar with configuring web and DNS servers.
   1. In the Automatic configuration area, select Automatically detect settings.
   2. Click OK and OK to save the settings.
   3. On a local DNS server or using Advanced Firewall static DNS, add the host wpad.YOURDOMAINNAME substituting your domain name. The host must resolve to the Advanced Firewall IP.
   When enabled in end-user browsers, Web Proxy Auto-Discovery (WPAD) prepends the hostname wpad to the front of its fully qualified domain name and looks for a web server on port 80 that can supply it a wpad.dat file. The file tells the browser what proxy settings it should use.
   Note: PCs will have had to be configured with the same domain name as the A record for it to work. However, Microsoft Knowledge Base article Q252898 suggests that the WPAD method does not work on Windows 2000. They suggest that you should use a DHCP auto-discovery method using a PAC file. See the article for more information. This is contrary to some of our testing.
Instant Messenger Proxying
Advanced Firewall’s Instant Messenger (IM) proxy service can log the majority of IM traffic. Advanced
Firewall can also censor instant messaging content. For more information, see Censoring Message
Content on page 54.
Note: Advanced Firewall cannot monitor IM sessions within HTTP requests, such as when Microsoft
MSN connects through an HTTP proxy. Neither can Advanced Firewall intercept conversations
which are secured by end-to-end encryption, such as provided by Off-the-Record Messaging
(http://www.cypherpunks.ca/otr/). However, using SSL Intercept, see below, Advanced
Firewall can monitor Jabber/Google Talk and AIM sessions protected by SSL.
To configure the instant messaging proxy service:
1. Browse to the Services > Proxies > Instant messenger page.
2. Configure the following settings:
   • Enabled – Select to enable the instant messaging proxy service.
   • Enable Message Censor – Select to enable censoring of words usually considered unsuitable. Advanced Firewall censors unsuitable words by replacing them with *s.
     For more information, see Censoring Message Content on page 54.
   • Hide conversation text – Select this option to record instant message events, such as messages in and out, but to discard the actual conversation text before logging.
   • Block all filetransfers – Select this option to block file transfers using certain IM protocols.
   • MSN – Select to proxy and monitor Microsoft Messenger conversations.
   • AIM and ICQ – Select to proxy and monitor ICQ and AIM conversations.
   • Yahoo – Select to proxy and monitor Yahoo conversations.
   • GaduGadu – Select to proxy and monitor GaduGadu conversations.
   • Jabber – Select to proxy and monitor conversations which use the Jabber protocol.
   • Intercept SSL – Select to monitor conversations on Google Talk or AIM instant messaging clients which have SSL mode enabled. For more information, see Monitoring SSL-encrypted Chats on page 40.
     Currently, when enabled, this setting blocks files transferred using MSN, ICQ, AIM and Yahoo IM protocols.
   • Blocked response – Select to inform IM users that their message or file transfer has been blocked.
     This option does not work with the ICQ/AIM protocol.
   • Logging warning response – Select to inform IM users that their conversation is being logged.
   • Blocked response message – Optionally, enter a message to display when a message or file is blocked; or accept the default message.
     Note: This option does not work with the ICQ/AIM protocol.
     If multiple messages or files are blocked, this message is displayed at 15 minute intervals.
   • Logging warning response message – Optionally, enter a message to display informing users that their conversations are being logged.
     This message is displayed once a week.
   • Automatic whitelisting – Settings here enable you to control who can instant message your local users.
     Block unrecognized remote users – Select this option to automatically add a remote user to the white-list when a local user sends them an instant message. Once added to the white-list, the remote user and the local user can instant message each other freely.
     When this option is selected, any remote users who are not on the white-list are automatically blocked.
     Number of current entries – Displays the number of entries currently in the whitelist user list.
     Clear Automatic Whitelisted user list – Click to clear the whitelist.
   • White-list users – To whitelist a user, enter their instant messaging ID, for example JohnDoe@hotmail.com.
   • Black-list users – To blacklist a user, enter their instant messaging ID, for example JaneDoe@hotmail.com.
   • Enabled on interfaces – Select the interfaces on which to enable IM proxying.
   • Exception local IP addresses – To exclude specific IP addresses, enter them here.
3. Click Save to save and implement your settings.
Monitoring SSL-encrypted Chats
Advanced Firewall can monitor Google Talk and AIM instant message (IM) chats which use SSL for
encryption.
Note: Using Network Guardian to monitor SSL-encrypted IM chats reduces security on IM clients
as the clients are unable to validate the real IM server certificate.
To monitor SSL-encrypted conversations:
1. Browse to the Services > Proxies > Instant messenger page. Enable IM proxying and configure the settings you require. For full information on the settings available, see Instant Messenger Proxying on page 37.
2. Select Intercept SSL, select the interfaces on which to enable the monitoring and click Save.
3. Click Export Certificate Authority certificate. Advanced Firewall generates an Advanced Firewall CA certificate.
4. Download and install the certificate on PCs which use Google Talk and SSL-enabled AIM IM clients. Advanced Firewall will now monitor and log the chats.
SIP Proxying
Advanced Firewall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often
used to set up calls in Voice over Internet Protocol (VoIP) systems.
SIP normally operates on port 5060, and is used to set up sessions between two parties. In the case
of VoIP, it is a Real-time Transport Protocol (RTP) session that is set up, and it is the RTP stream that carries
voice data.
RTP operates on random unprivileged ports, and, as such, is not NAT friendly. For this reason,
Advanced Firewall’s SIP proxy ensures that RTP is also proxied, allowing VoIP products to work
correctly.
Advanced Firewall’s SIP proxy is also able to proxy RTP traffic, solving some of the problems involved
in setting up VoIP behind NAT.
Types of SIP Proxy
There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering
proxy or registrar allows SIP clients to register so that they may be looked up and contacted by
external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP
addresses are used and the relevant RTP ports can be opened.
Some clients will allow users to configure one SIP proxy – this is invariably the registering proxy.
Others will allow for two proxies: one to which the client will register, and one which the client uses
for access, a pass-through.
Choosing the Type of SIP Proxying
As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode,
the proxy is only useful as a pass-through.
This mode is useful for those clients which do not support a second proxy within their configuration.
If all your clients can be properly configured with a second proxy, transparent mode is not required.
If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture
of operation is possible.
Configuring SIP
To configure and enable the SIP proxy:
1. Browse to the Services > Proxies > SIP page.
2. Configure the following settings:
   • Enabled – Select to enable the SIP proxy service.
   • SIP client internal interface – From the drop-down list, select the interface for the SIP proxy to listen for connections on. This is the interface on which you will place your SIP clients.
   • Logging – Select the logging level required. Select from:
     Normal – Just warnings and errors
     Detailed – Warnings, errors and informational messages
     Very detailed – Everything, including debugging messages.
   • Log calls – Select if you require individual call logging.
   • Maximum number of clients – Select the maximum number of clients which can use the proxy.
     Setting the maximum number of clients is a useful way to prevent malicious internal users performing a DoS on your registering proxy.
   • Diffserv mark for RTP packets – From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets. This traffic can be traffic shaped with SmoothTraffic, if it is installed.
     The built-in RTP proxy is able to apply a diffserv mark to all RTP traffic for which it proxies. This is useful because it is otherwise quite tricky to define RTP traffic, as it may occur on a wide range of ports. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls.
     The standard mark is BE which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP, and can also be acted upon by SmoothTraffic, Smoothwall’s Quality of Service (QoS) module if it is installed. In this way, traffic passing through the firewall may be prioritized to give a consistent call quality to VoIP users.
   • Transparent – The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy.
     When operating transparently, the SIP proxy is not used as a registrar, but will allow internal SIP devices to communicate properly with an external registrar such as an ITSP.
   • Exception IPs – Hosts which should not be forced to use the transparent SIP proxy must be listed in the Exception IPs box below.
3. Click Save to enable and implement SIP proxying.
Note: If a client is using the proxy when transparent proxying is turned on, the existing users may
fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection
tracking of the firewall’s NAT.
FTP Proxying
Advanced Firewall provides you with a proxy to manage FTP traffic and also makes transparent
proxying possible.
Configuring non-Transparent FTP Proxying
The following section explains how to configure FTP proxying in non-transparent mode.
1. Browse to the Services > Proxies > FTP page.
2. Configure the following settings:
   • Status – Select Enabled to enable the FTP proxy.
   • Anti-malware scanning – Select to scan files for malware.
     Note: For performance reasons, files larger than 100 MB are not scanned for malware.
   • Proxy port – From the drop-down list, select the port for FTP traffic.
     Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 6, Configuring External Access on page 147 for more information.
   • Access control:
     • Allow connections to any server – Select to allow FTP connections to all servers.
     • Only connections to specified servers – Select to specify which remote FTP connections are allowed and configure the following:
       Remote FTP server white-list – Enter the hostname or IP address of any remote FTP servers you want to white-list.
       Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4
       If no information is listed, all hostnames on all ports will be accessible.
3. Click Save changes to save the settings and enable non-transparent FTP proxying.
4. Configure FTP clients as follows:
   • Remote host – Enter Advanced Firewall’s hostname or IP address.
   • Remote port – Enter the FTP proxy port configured on Advanced Firewall, either 21 or 2121. See Configuring non-Transparent FTP Proxying on page 43 for more information.
   • Remote username – Enter the username in the following format: remoteusername@remoteftpserver
Configuring Transparent FTP Proxying
To configure transparent FTP proxying:
1. Browse to the Services > Proxies > FTP page.
2. Configure the following settings:
   • Status – Select Enabled to enable the FTP proxy.
   • Anti-malware scanning – Select to scan files for malware.
     Note: For performance reasons, files larger than 100 MB are not scanned for malware.
   • Proxy port – From the drop-down list, select the port for FTP traffic.
     Note: The port you select must be open for the FTP client. You configure this on the System > Administration > External access page. See Chapter 6, Configuring External Access on page 147 for more information.
   • Access control:
     • Allow connections to any server – Select to allow FTP connections to all servers.
     • Only connections to specified servers – Select to specify which remote FTP connections are allowed and configure the following:
       Remote FTP server white-list – Enter the hostname or IP address of any remote FTP servers you want to white-list.
       Enter one hostname or IP, colon and port per line, for example: ftp.company.com or 1.2.3.4
       If no information is listed, all hostnames on all ports will be accessible.
3. In the Transparent proxy settings area, configure the following settings:
   • Source IPs:
     • Transparently proxy all IPs – Select to transparently FTP proxy for all source IPs.
     • Transparently proxy only the following IPs – Select to transparently FTP proxy for the source IPs specified.
       Enter the IP addresses of local machines which are to be allowed access to transparent FTP proxying.
       Enter one IP address per line, for example: 1.2.3.4
     • Transparently proxy all except the following IPs – Select to transparently FTP proxy all except the source IPs specified.
       Enter the IP addresses of local machines which are to be excluded from transparent FTP proxying.
       Enter one IP address per line, for example: 1.2.3.4
   • Destination IPs:
     • Transparently proxy all IPs – Select to transparently FTP proxy for all destination IPs.
     • Transparently proxy only the following IPs – Select to transparently FTP proxy for the destination IPs specified.
       Enter the IP addresses of the machines which are to be allowed access to transparent FTP proxying.
       Enter one IP address per line, for example: 1.2.3.4
     • Transparently proxy all except the following IPs – Select to transparently FTP proxy all except the destination IPs specified.
       Enter the IP addresses of the machines which are to be excluded from transparent FTP proxying.
       Enter one IP address per line, for example: 1.2.3.4
   • Transparent proxy interfaces – Select the interface on which to transparently proxy FTP traffic.
4. Click Save changes to save the settings and enable transparent FTP proxying.
When running Advanced Firewall’s FTP proxy in transparent mode, you do not need to
configure FTP client applications.
46
Smoothwall Ltd
Advanced Firewall Operations Guide
Advanced Firewall Services
Reverse Proxy Service
Advanced Firewall’s reverse proxy service enables you to control requests from the Internet and
forward them to servers in an internal network. The reverse proxy service:
•
Provides the ability to route multiple HTTP and HTTPS sites to each of their own internal servers.
•
Provides the ability to publish Microsoft Exchange services such as Outlook Web Access (OWA)
and Outlook Anywhere (previously RPC over HTTPS)
•
Monitors traffic passing through the reverse proxy
•
Increases server efficiency by SSL off-loading.
•
Improves web server security using intrusion prevention system (IPS).
Configuring the Reverse Proxy Service
The following sections explain how to enable, configure and deploy the reverse proxy service.
To enable, configure and deploy the reverse proxy service:
1.
Navigate to the Services > Proxies > Reverse proxy page.
2.
In the Global options area, configure the following settings:
Reverse proxy – Select one of the following settings:
Enable – Select to enable the service.
Disable – Select to disable the service.
SSL certificate – The reverse proxy service caters for HTTPS sites using an SSL certificate. Select one of the following options to specify the SSL certificate to use:
Built-in – Select this option to use Advanced Firewall’s built-in SSL certificate.
Custom certificate – Select this option to upload a custom certificate and key file.
Note: The certificate and key files must be distinct and separate and they must be in the unencrypted PEM format.
To upload a custom certificate and key:
1. Certificate – Click the Choose file/Browse button and browse to and select the certificate. Click Upload to upload the certificate.
2. Key – Click the Choose file/Browse button and browse to and select the key. Click Upload to upload the certificate.
Tip: You can use the XCA certificate and key management client to import and export your SSL certificates and key files in any standard format.
3.
Optionally, click Advanced and configure the following settings:
Intrusion prevention – Advanced Firewall’s intrusion prevention system (IPS) policies stop intrusions such as known and zero-day attacks, undesired access and denial of service.
Select Enable apply to apply an enabled IPS policy.
For more information, see Managing the Intrusion System on page 61.
Failback internal address – Enter the IP address, e.g. 192.168.1.1 or IP address and port, e.g. 192.168.1.1:1234, of the web server to failback to, if a request does not match an address already configured.
4.
Click Save to save the global options. In the Manage rule area, configure the following settings:
Name – Enter a descriptive name for the reverse proxy rule.
External address – Enter the URL, domain or IP address of the site you want to publish in the following format: http://example.com, https://www.example.com/, http://.example.com or http://example.com/path/
You must include http or https in the address.
You can also enter a path to the site you want to publish in the URL.
Note: When configuring www.example.com and example.com, they are treated as distinct and separate sites, unless you use a wildcard for the domain. To use a wildcard, specify it as: .example.com
Internal address – Enter the protocol with the IP address or IP address and port of the web server, e.g. http://192.168.1.1, https://192.168.1.1, http://192.168.1.1:1234
A port number is optional on the internal address; this enables you to specify custom destination ports for various internal web servers. If no port is specified, Advanced Firewall will default to 80 for HTTP sites and 443 for HTTPS sites.
5.
Click Save. Advanced Firewall enables and deploys the reverse proxy service and lists it in the
Rules area.
Repeat the steps above to enable, configure and deploy more rules.
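A pre-upload check for the SSL certificate note in step 2 above, added here as an example (it is not Smoothwall code): it confirms that the certificate and key sit in separate PEM files and that the key is not passphrase-encrypted. The sample PEM bodies are constructed placeholders, not real certificates or keys.

```python
import re

# One PEM block: -----BEGIN <LABEL>----- ... -----END <LABEL>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body) for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def is_encrypted_key(label, body):
    # PKCS#8 encrypted keys carry their own label; traditional OpenSSL keys
    # keep the usual label and add a "Proc-Type: 4,ENCRYPTED" header line.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_upload_pair(cert_text, key_text):
    """Return a list of problems; an empty list means the pair meets the note."""
    problems = []
    cert_labels = [label for label, _ in pem_blocks(cert_text)]
    key_blocks = pem_blocks(key_text)

    if "CERTIFICATE" not in cert_labels:
        problems.append("certificate file: no PEM CERTIFICATE block found")
    if any(label.endswith("PRIVATE KEY") for label in cert_labels):
        problems.append("certificate file: contains a private key; files must be separate")

    keys = [(label, body) for label, body in key_blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("key file: no PEM private key block found")
    if any(label == "CERTIFICATE" for label, _ in key_blocks):
        problems.append("key file: contains a certificate; files must be separate")
    for label, body in keys:
        if is_encrypted_key(label, body):
            problems.append("key file: private key is passphrase-encrypted")
    return problems


def sample_pem(label, headers=""):
    """Build a constructed PEM block; the base64 body is a placeholder."""
    return f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"


# Constructed inputs covering the cases the note rules out.
CERT = sample_pem("CERTIFICATE")
KEY_PLAIN = sample_pem("PRIVATE KEY")
KEY_PKCS8_ENC = sample_pem("ENCRYPTED PRIVATE KEY")
KEY_LEGACY_ENC = sample_pem(
    "RSA PRIVATE KEY", headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
)
COMBINED = CERT + KEY_PLAIN

if __name__ == "__main__":
    cases = {
        "separate, unencrypted": (CERT, KEY_PLAIN),
        "PKCS#8 encrypted key": (CERT, KEY_PKCS8_ENC),
        "legacy encrypted key": (CERT, KEY_LEGACY_ENC),
        "key bundled with certificate": (COMBINED, KEY_PLAIN),
    }
    for name, (cert, key) in cases.items():
        print(f"{name}: {check_upload_pair(cert, key) or 'OK'}")
```

The check reads only the PEM labels and headers, so it does not confirm that the key matches the certificate.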
SNMP
Simple Network Management Protocol (SNMP) is part of the IETF’s Internet Protocol suite. It is used
to enable a network-attached device to be monitored, typically for centralized administrative
purposes.
Advanced Firewall’s SNMP service operates as an SNMP agent that gathers all manner of system
status information, including the following:
•
System name, description, location and contact information
•
Live TCP and UDP connection tables
•
Detailed network interface and usage statistics
•
Network routing table
•
Disk usage information
•
Memory usage information.
In SNMP terminology, Advanced Firewall can be regarded as a managed device when the SNMP
service is enabled. The SNMP service allows all gathered management data to be queried by any
SNMP-compatible NMS (Network Management System) device that is a member of the same
SNMP community.
The Community field is effectively a simple password control that enables SNMP devices sharing the
same password to communicate with each other.
To enable and configure the SNMP service:
1.
Navigate to the Services > SNMP > SNMP page.
2.
Select Enabled and enter the SNMP community password into the Community text field. The
default value public is the standard SNMP community.
3.
Click Save.
Note: To view information and statistics provided by the system's SNMP service, a third-party
SNMP management tool is required. For specific details about how to view all the information made
accessible by Advanced Firewall’s SNMP service, please refer to the product documentation that
accompanies your preferred SNMP management tool.
Note: To access the SNMP service, remote access permissions for the SNMP service must be
configured. For further information, see Chapter 6, Configuring Administration and Access Settings
on page 145.
DNS
The following sections discuss domain name system (DNS) services in Advanced Firewall.
Adding Static DNS Hosts
Advanced Firewall can use a local hostname table to resolve internal hostnames. This allows the IP
addresses of a named host to be resolved by its hostname.
Note: Advanced Firewall itself can resolve static hostnames regardless of whether the DNS proxy
service is enabled.
To add a static DNS host:
1.
Navigate to the Services > DNS > Static DNS page.
2.
Configure the following settings:
IP address – Enter the IP address of the host you want to be resolved.
Hostname – Enter the hostname that you would like to resolve to the IP address.
Comment – Enter a description of the host.
Enabled – Select to enable the new host being resolved.
3.
Click Add. The static host is added to the Current hosts table.
Editing and Removing Static Hosts
To edit or remove existing static hosts, use Edit and Remove in the Current hosts area.
Enabling the DNS Proxy Service
The DNS proxy service is used to provide internal and external name resolution services for local
network hosts.
In this mode, local network hosts use Advanced Firewall as their primary DNS server to resolve
external names, if an external connection is available, in addition to any local names that have been
defined in the Advanced Firewall’s static DNS hosts table.
To enable the DNS proxy service on a per-interface basis:
1.
Navigate to the Services > DNS > DNS Proxy page.
2.
Configure the following settings:
Interfaces – Select each interface that should be able to use the DNS proxy.
Advanced:
Forward SRV & SOA records – Optionally, select this setting to stop the DNS proxy from filtering out SRV & SOA records. Any such filtering would prevent SIP, Kerberos and other services from functioning.
3.
Click Save.
Note: If the DNS proxy settings were configured as 127.0.0.1 during the initial installation and setup
process of Advanced Firewall, the system will use the DNS proxy for name resolution.
Managing Dynamic DNS
Advanced Firewall’s dynamic DNS service is useful when using an external connection that does not
have a static IP.
The dynamic DNS service can operate with a number of third-party dynamic DNS service providers,
in order to enable consistent routing to Advanced Firewall from the Internet.
Dynamic host rules are used to automatically update leased DNS records by contacting the service
provider whenever the system's IP address is changed by the ISP.
The following dynamic DNS service providers are supported:
DNS service providers
dhs.org
hn.org
easydns.com
dyndns.org (Dynamic)
dyndns.org (Custom)
dyndns.org (Static)
dyns.cx
no-ip.com
ods.org
ez-ip.net
zoneedit.com
Many of these service providers offer a free of charge, basic service.
To create a dynamic host:
1.
Navigate to the Services > DNS > Dynamic DNS page.
2.
Configure the following settings:
Service – From the drop-down list, select your dynamic DNS service provider.
Behind a proxy – Select if your service provider is no-ip.com and the system is behind a web proxy.
Enable wildcards – Select to specify that sub-domains of the hostname should resolve to the same IP address, for example domain.dyndns.org and sub.domain.dyndns.org will both resolve to the same IP.
Note: This option cannot be used with no-ip.com; it must be selected from their web site.
Hostname – Enter the hostname registered with the dynamic DNS service provider.
Note: This is not necessary when using dyndns.org as the service provider.
Domain – Enter the domain registered with the dynamic DNS service provider.
Username – Enter the username registered with the dynamic DNS service provider.
Password – Enter the password registered with the dynamic DNS service provider.
Comment – Enter a description of the dynamic DNS host.
Enabled – Select to enable the service.
3.
Click Add. The dynamic host will be added to the Current hosts table.
Editing and Removing Dynamic Hosts
To edit or remove existing dynamic hosts, use Edit and Remove in the Current hosts area.
Forcing a Dynamic DNS Update
The dynamic DNS service will update the DNS records for the host whenever the host’s IP address
changes. However, it may be necessary on some occasions to forcibly update the service provider's
records.
To force an update:
1.
Click Force update.
Dynamic DNS service providers do not like updating their records when an IP address has not
changed, and may suspend the user accounts of users they deem to be abusing their service.
Censoring Message Content
Advanced Firewall enables you to create and deploy policies which accept, modify, block and/or log
content in messages.
Configuration Overview
Configuring a message censor policy entails:
•
Defining custom categories required to cater for situations not covered by the default Advanced
Firewall phrase lists. For more information, see Creating Custom Categories on page 55.
•
Configuring time periods during which policies are applied. For more information, see Setting
Time Periods on page 56.
•
Configuring filters which classify messages by their textual content. For more information, see
Creating Filters on page 57.
•
Configuring and deploying a policy consisting of a filter, an action, a time period and level of
severity, see Creating and Applying Message Censor Policies on page 59.
Managing Custom Categories
Custom categories enable you to add phrases which are not covered by the default Advanced
Firewall phrase lists. The following sections explain how to create, edit and delete custom categories.
Creating Custom Categories
The following section explains how to create a custom category.
To create a custom category:
1.
Browse to the Services > Message censor > Custom categories page.
2.
Configure the following settings:
Name – Enter a name for the custom category.
Comment – Optionally, enter a description of the category.
Phrases – Enter the phrases you want to add to the category. Enter one phrase, in brackets, per line, using the format:
(example-exact-phrase) – Advanced Firewall matches exact phrases without taking into account possible spelling errors.
(example-approximate-phrase)(2) – For the number specified, Advanced Firewall uses ‘fuzzy’ matching to take into account that number of spelling mistakes or typographical errors when searching for a match.
3.
Click Add. Advanced Firewall adds the custom category to the current categories list and
makes it available for selection on the Services > Message censor > Filters page.
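The phrase format from step 2, as an added example (not Smoothwall's code): it parses a Phrases field, rejects lines that do not follow the bracket format, and applies the per-phrase tolerance. The guide does not say how ‘fuzzy’ matching is computed, so this sketch assumes edit distance against any part of the message and case-insensitive comparison; the phrases and messages are constructed.

```python
import re
from typing import NamedTuple

# One entry per line: (phrase) for exact, (phrase)(N) for up to N errors.
ENTRY = re.compile(r"^\(([^()]+)\)(?:\((\d+)\))?$")


class Phrase(NamedTuple):
    text: str
    tolerance: int  # 0 means exact match only


def parse_phrases(block):
    """Split a Phrases field into valid entries and (line number, text) rejects."""
    phrases, rejected = [], []
    for number, raw in enumerate(block.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match:
            phrases.append(Phrase(match.group(1).lower(), int(match.group(2) or 0)))
        else:
            rejected.append((number, line))
    return phrases, rejected


def closest_distance(phrase, text):
    """Smallest edit distance between phrase and any substring of text."""
    column = list(range(len(phrase) + 1))
    best = column[-1]
    for ch in text:
        new = [0]  # a match may start at any position in the text
        for i in range(1, len(phrase) + 1):
            substitute = column[i - 1] + (phrase[i - 1] != ch)
            new.append(min(substitute, column[i] + 1, new[i - 1] + 1))
        column = new
        best = min(best, column[-1])
    return best


def matched_phrases(message, phrases):
    """Return the phrases whose tolerance covers their best match in message."""
    text = message.lower()
    return [p.text for p in phrases if closest_distance(p.text, text) <= p.tolerance]


# Constructed Phrases field; line 3 lacks brackets and is rejected.
SAMPLE = """(internal only)
(project falcon)(2)
confidential
(cat)(2)
"""

if __name__ == "__main__":
    phrases, rejected = parse_phrases(SAMPLE)
    print("rejected:", rejected)
    for message in ("INTERNAL ONLY memo", "ask about Projekt Falkon", "a dog"):
        print(repr(message), "->", matched_phrases(message, phrases))
```

Under this model the last sample entry, (cat)(2), matches any message containing a, c or t, which is why the tolerance should stay small relative to the phrase length.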
Editing Custom Categories
The following section explains how to edit a custom category.
To edit a custom category:
1.
Browse to the Services > Message censor > Custom categories page.
2.
In the Current categories area, select the category and click Edit.
3.
In the Phrases area, add, edit and/or delete phrases. When finished, click Add to save your
changes.
4.
At the top of the page, click Restart to apply the changes.
Deleting Custom Categories
The following section explains how to delete custom categories.
To delete custom categories:
1.
Browse to the Services > Message censor > Custom categories page.
2.
In the Current categories area, select the category or categories and click Remove.
3.
At the top of the page, click Restart to apply the changes.
Setting Time Periods
You can configure Advanced Firewall to apply policies at certain times of the day and/or days of the
week.
To set a time period:
1.
Browse to the Services > Message censor > Time page.
2.
Configure the following settings:
Active from – to – From the drop-down lists, set the time period. Select the weekdays when the time period applies.
Name – Enter a name for the time period.
Comment – Optionally, enter a description of the time period.
3.
Click Add. Advanced Firewall creates the time period and makes it available for selection on the
Services > Message censor > Policies page.
Editing Time Periods
The following section explains how to edit a time period.
To edit a time period:
1.
Browse to the Services > Message censor > Time page.
2.
In the Current time periods area, select the time and click Edit.
3.
In the Time period settings, edit the settings. When finished, click Add to save your changes.
4.
At the top of the page, click Restart to apply the changes.
Deleting Time Periods
The following section explains how to delete time periods.
To delete time periods:
1.
Browse to the Services > Message censor > Time page.
2.
In the Current time periods area, select the period(s) and click Remove.
3.
At the top of the page, click Restart to apply the changes.
Creating Filters
Advanced Firewall uses filters to classify messages according to their textual content. Advanced
Firewall supplies a default filter. You can create, edit and delete filters. You can also create custom
categories of phrases for use in filters. For more information, see Creating Custom Categories on
page 55.
To create a filter:
1.
Browse to the Services > Message censor > Filters page.
2.
Configure the following settings:
Name – Enter a name for the filter.
Comment – Optionally, enter a description of the filter.
Custom phrase list – Select the categories you want to include in the filter.
3.
Click Add. Advanced Firewall creates the filter and makes it available for selection on the
Services > Message censor > Policies page.
Editing Filters
You can add, change or delete categories in a filter.
To edit a filter:
1.
Browse to the Services > Message censor > Filters page.
2.
In the Current filters area, select the filter and click Edit.
3.
In the Custom phrase list area, edit the settings. When finished, click Add to save your changes.
4.
At the top of the page, click Restart to apply the changes.
Deleting Filters
You can delete filters which are no longer required.
To delete filters:
1.
Browse to the Services > Message censor > Filters page.
2.
In the Current filters area, select the filter(s) and click Remove.
3.
At the top of the page, click Restart to apply the changes.
Creating and Applying Message Censor Policies
The following section explains how to create and apply a censor policy for message content. A policy
consists of a filter, an action, a time period and a level of severity.
To create and apply a censor policy:
1.
Browse to the Services > Message censor > Policies page.
2.
Configure the following settings:
Service – From the drop-down menu, select one of the following options:
IM proxy incoming – Select to apply the policy to incoming instant message content.
IM proxy outgoing – Select to apply the policy to outgoing instant message content.
Click Select to update the policy settings available.
Filter – From the drop-down menu, select a filter to use. For more information on filters, see Creating Filters on page 57.
Time period – From the drop-down menu, select a time period to use, or accept the default setting. For more information on time periods, see Setting Time Periods on page 56.
Action – From the drop-down menu, select one of the following actions:
Block – Content which is matched by the filter is discarded.
Censor – Content which is matched by the filter is masked but the message is delivered to its destination.
Categorize – Content which is matched by the filter is allowed and logged.
Allow – Content which is matched by the filter is allowed and is not processed by any other filters.
Log severity level – Based on the log severity level, you can configure Advanced Firewall to send an alert if the policy is violated. From the drop-down list, select a level to assign to the content if it violates the policy. See Chapter 5, Configuring the Inappropriate Word in IM Monitor on page 99 for more information.
Comment – Optionally, enter a description of the policy.
Enabled – Select to enable the policy.
3.
Click Add and, at the top of the page, click Restart to apply the policy. Advanced Firewall
applies the policy and adds it to the list of current policies.
Editing Policies
You can add, change or delete a policy.
To edit a policy:
1.
Browse to the Services > Message censor > Policies page.
2.
In the Current policies area, select the policy and click Edit.
3.
Edit the settings as required, see Creating and Applying Message Censor Policies on page 59
for information on the settings available. When finished, click Add to save your changes.
4.
At the top of the page, click Restart to apply the changes.
Deleting Policies
You can delete policies which are no longer required.
To delete policies:
1.
Browse to the Services > Message censor > Policies page.
2.
In the Current policies area, select the policy or policies and click Remove.
3.
At the top of the page, click Restart to apply the changes.
Managing the Intrusion System
Advanced Firewall’s intrusion system performs real-time packet analysis on all network traffic in order
to detect and prevent malicious network activity. Advanced Firewall can detect a vast array of
well-known service exploits including buffer overflow attempts, port scans and CGI attacks.
All violations are logged and the logged data can be used to strengthen the firewall by creating IP
block rules against identified networks and source IPs.
Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run
SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your
Smoothwall representative if you need more information.
About the Default Policies
By default, Advanced Firewall comes with a number of intrusion policies which you can deploy
immediately. The default policies will change as emerging threats change and will be updated
regularly.
Deploying Intrusion Detection Policies
Advanced Firewall’s default policies enable you to deploy intrusion detection immediately to identify
threats on your network.
To deploy an intrusion detection policy:
1.
Browse to the Services > Intrusion system > IDS page.
2.
Configure the following settings:
IDS Policy – From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 61 for more information on the policies available.
You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network, see Chapter 3, Creating Custom Policies on page 64.
Interface – From the drop-down list, select the interface on which you want to deploy the policy.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.
3.
Click Add. Advanced Firewall deploys the policy and lists it in the Current IDS policies area.
Removing Intrusion Detection Policies
To remove an intrusion detection policy from deployment:
1.
Browse to the Services > Intrusion system > IDS page.
2.
In the Current IDS policies area, select the policy you want to remove.
3.
Click Remove. Advanced Firewall removes the policy.
Deploying Intrusion Prevention Policies
Note: Currently, it is not possible to deploy Advanced Firewall intrusion prevention policies and run
SmoothTraffic at the same time. This limitation will be removed as soon as possible. Contact your
Smoothwall representative if you need more information.
Advanced Firewall enables you to deploy intrusion prevention policies to stop intrusions such as
known and zero-day attacks, undesired access and denial of service.
To deploy an intrusion prevention policy:
1.
Browse to the Services > Intrusion system > IPS page.
2.
Configure the following settings:
IPS Policy – From the drop-down list, select the policy you want to deploy. See About the Default Policies on page 61 for more information on the policies available.
You can select from the default policies provided with Advanced Firewall or customize a policy to suit your network, see Chapter 3, Creating Custom Policies on page 64.
Comment – Enter a description for the policy.
Enabled – Select this option to enable the policy.
3.
Click Add. Advanced Firewall lists the policy in the Current IPS policies area.
Removing Intrusion Prevention Policies
To remove an intrusion prevention policy from deployment:
1.
Browse to the Services > Intrusion system > IPS page.
2.
In the Current IPS policies area, select the policy you want to remove.
3.
Click Remove. Advanced Firewall removes the policy.
Creating Custom Policies
By default, Advanced Firewall contains a number of policies which you can deploy to detect and
prevent intrusions. It is also possible to create custom policies to suit your individual network.
To create a custom policy:
1.
Browse to the Services > Intrusion system > Policies page.
Tip: If the list of signatures takes some time to load, try upgrading to the latest version of your
browser to speed up the process.
2.
Configure the following settings:
Name – Enter a name for the policy you are creating.
Comment – Enter a description for the custom policy.
Signatures – From the list, select the signatures you want to include in the policy. For information on how to add custom signatures, see Uploading Custom Signatures on page 65.
3.
Click Add. Advanced Firewall creates the policy and lists it in the Current policies area.
The policy is now available when deploying intrusion detection and intrusion prevention policies. For
more information, see Deploying Intrusion Detection Policies on page 61 and Deploying Intrusion
Prevention Policies on page 62.
Uploading Custom Signatures
Advanced Firewall enables you to upload custom signatures and/or Sourcefire Vulnerability Research
Team (VRT) signatures and make them available for use in intrusion detection and prevention
policies.
To upload custom signatures:
1.
Navigate to the Services > Intrusion system > Signatures page.
2.
Configure the following settings:
Custom signatures – Click Browse to locate and select the signatures file you want to upload. Click Upload to upload the file. Advanced Firewall uploads the file and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.
Note: Use custom signatures with caution as Advanced Firewall cannot verify custom signature integrity.
Use syslog for Intrusion logging – Select this option to enable logging intrusion events in the syslog.
Oink code – If you have signed up with Sourcefire to use their signatures, enter your Oink code here. Click Update to update and apply the latest signature set. Advanced Firewall downloads the signature set and makes it available for inclusion in detection and prevention policies on the Services > Intrusion system > Policies page.
Note: Updating the signatures can take several minutes.
3.
Click Save. Any custom signatures you have uploaded to Advanced Firewall or Sourcefire VRT
signatures you have downloaded to Advanced Firewall will be listed on the Services > Intrusion
system > Policies page. For information on deploying intrusion policies, see Deploying Intrusion
Detection Policies on page 61 and Deploying Intrusion Prevention Policies on page 62.
Deleting Custom Signatures
It is possible to delete custom signatures that have been made available on the Services > Intrusion
system > Policies page.
Note: If you choose to delete custom signatures, Advanced Firewall will delete all custom
signatures. If there are detection or prevention policies which use custom signatures, the signatures
will be deleted from the policies.
To delete custom signatures:
1.
On the Services > Intrusion system > Signatures page, click Delete.
Advanced Firewall prompts you to confirm the deletion. Click Confirm. Advanced Firewall
deletes the signatures.
Using BYOD with Advanced Firewall
Advanced Firewall makes use of RADIUS accounting to allow users to connect their own wireless
devices to the network, known as “bring your own device” (BYOD), and authenticate unobtrusively.
This has the added advantage of not having to install additional software on the users’ device.
Advanced Firewall links your organization's directory service to its RADIUS server. As a network
administrator, you can configure your wireless network infrastructure to authenticate users using the
RADIUS server so that users can use their directory service accounts as wireless client login details.
About the RADIUS requests
The following RADIUS requests can be processed by Advanced Firewall, depending on the BYOD
network implementation:
•
Accounting — A request to inform that the user has left or joined the wireless network. Typically,
this is sent by the network access server (NAS) acting as the RADIUS client. Advanced Firewall
uses this request to physically log the user on or off the network.
•
Authentication — A request to confirm that the supplied user credentials are valid, and the user
is authorized to join the wireless network. Typically, this is sent by the network access server
acting as the RADIUS client. Advanced Firewall can only receive requests via an Extensible
Authentication Protocol (EAP) tunnel, with a Microsoft Challenge-Handshake Authentication
Protocol (MSCHAP) handshake.
You can define groups to explicitly allow or reject the authorization requests.
The following RADIUS attributes will be used within account requests:
•
Filter-ID — This is an optional attribute, used to supply the authentication group of the user.
Typically, the group assignment is used by Advanced Firewall when there is no directory service
configured to use for group mapping.
•
Framed-IP-Address — This contains the IP address of the client that has been authorized
to join the wireless network. This attribute is essential to the BYOD service.
•
Interim-Update — This is a status update received from the network access server,
advising of the status of the client’s session. If Advanced Firewall does not receive this at least
once an hour, it assumes the session has ended and logs the client out.
Implementation Examples
The following describes possible implementations for using BYOD with Advanced Firewall.
Advanced Firewall Provides DHCP, Authentication, and Accounting Services
You can choose to configure Advanced Firewall to be the DHCP server, and the RADIUS server for
both authentication, and accounting requests.
This may be implemented as follows:
•
In the network access server, Advanced Firewall is configured as the RADIUS server which will
receive authentication, and authorization requests
•
In the network access server, Advanced Firewall is also configured as the RADIUS server which
will receive accounting requests
•
Advanced Firewall connects to an Active Directory server to perform user authentication
•
Advanced Firewall is the DHCP server, therefore does not perform DHCP relays for the wireless
network. Advanced Firewall must be on the same subnet as the network access server for this
to work.
Advanced Firewall Provides Authentication and Accounting
This implementation is similar to the Advanced Firewall Provides Accounting Services
implementation, except Advanced Firewall provides greater control over authentication services.
Advanced Firewall will authenticate the user, and authorize them to the wireless network. However,
Advanced Firewall is informed of the IP address assigned to the user in the RADIUS accounting
packet received from the network access server. This will be contained in the Framed-IP-Address
attribute.
Advanced Firewall Provides Accounting Services
You can delegate user authentication and authorization to the wireless network to the network
access server, and only use Advanced Firewall as the RADIUS server which will receive accounting
requests. Typically, Advanced Firewall will use the accounting requests to log the user on or off the
network — for this to work the network access server must include the Framed-IP-Address
attribute (as well as Accounting-Start or Accounting-Stop) in the RADIUS accounting
packet to Advanced Firewall.
This may be implemented as follows:
• The network access server can use any directory service to authenticate the user.
• In the network access server, Advanced Firewall is configured as the RADIUS server which will
  receive accounting requests.
• The network access server must send an Interim-Update at least once an hour to confirm
  the user’s session is still active.
• If supported, the network access server must be configured to send the users’ IP address in the
  Framed-IP-Address attribute of the RADIUS accounting packet, otherwise the IP address
  of the network access server will be sent instead. This will lead to Advanced Firewall being
  unable to log individual users on or off the wireless network.
• You can add a directory service Type of RADIUS accounting to Advanced Firewall, to indicate
  to it that all authentication and authorization requests are provided by an external RADIUS
  server. You must add group mappings in Advanced Firewall to map the RADIUS group, to
  Advanced Firewall groups. For more information, refer to the Advanced Firewall Administration
  Guide.
• Optionally, to support group mappings, the network access server must be configured to send
  the Filter-ID RADIUS attribute in the accounting requests to Advanced Firewall. Advanced
  Firewall must also be configured to authenticate the users.
Note: It is also possible for Advanced Firewall to just provide DHCP services, and receive RADIUS
accounting requests if the network access server is configured to connect to a directory service for
authentication and authorization to the wireless network.
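The accounting requirements above can be checked against a captured packet before relying on it to log users on or off. The following Python code is an added example, not part of the Smoothwall guide or of Advanced Firewall: it assumes the standard RADIUS accounting packet layout and Request Authenticator calculation from RFC 2866, and the shared secret, user names and addresses in it are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
# Attribute type numbers (RFC 2865 / RFC 2866)
FRAMED_IP_ADDRESS, FILTER_ID, ACCT_STATUS_TYPE = 8, 11, 40
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def request_authenticator(code, ident, attrs_raw, secret):
    """MD5(code + id + length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_raw))
    return hashlib.md5(header + bytes(16) + attrs_raw + secret).digest()


def build_request(ident, attrs, secret):
    """Build a constructed Accounting-Request from (type, value) pairs."""
    attrs_raw = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, attrs_raw, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs_raw))
    return header + auth + attrs_raw


def parse_attributes(data):
    """Walk the type-length-value attribute area, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def check_accounting_request(packet, secret):
    """Return (fields, problems) for one received accounting packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    received_auth, attrs_raw = packet[4:20], packet[20:length]

    problems = []
    if code != ACCOUNTING_REQUEST:
        problems.append("not an Accounting-Request")
    expected = request_authenticator(code, ident, attrs_raw, secret)
    if not hmac.compare_digest(received_auth, expected):
        problems.append("authenticator mismatch: wrong shared secret or altered packet")

    first = {}
    for a_type, value in parse_attributes(attrs_raw):
        first.setdefault(a_type, value)  # keep the first occurrence

    fields = {"status": None, "framed_ip": None, "filter_id": None}
    status = first.get(ACCT_STATUS_TYPE)
    if status is not None and len(status) == 4:
        number = struct.unpack("!I", status)[0]
        fields["status"] = STATUS_NAMES.get(number, "other(%d)" % number)
    else:
        problems.append("no Acct-Status-Type: cannot tell log-on from log-off")
    framed = first.get(FRAMED_IP_ADDRESS)
    if framed is not None and len(framed) == 4:
        fields["framed_ip"] = str(ipaddress.IPv4Address(framed))
    else:
        problems.append("no Framed-IP-Address: user cannot be tied to an IP")
    if FILTER_ID in first:  # optional, only needed for group mappings
        fields["filter_id"] = first[FILTER_ID].decode("utf-8", "replace")
    return fields, problems


# Constructed sample data: secret, user names and addresses are made up.
SECRET = b"constructed-Secret!42"
GOOD = build_request(1, [
    (1, b"alice"),                                   # User-Name
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),        # Start
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.5.23").packed),
    (FILTER_ID, b"staff"),
], SECRET)
NO_IP = build_request(2, [
    (1, b"bob"),
    (ACCT_STATUS_TYPE, struct.pack("!I", 3)),        # Interim-Update
], SECRET)

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("NO_IP", NO_IP)):
        print(name, check_accounting_request(pkt, SECRET))
    print("wrong secret", check_accounting_request(GOOD, b"other-secret"))
```

A packet that fails the authenticator check points at a shared secret mismatch between the network access server and the RADIUS server entry, which is worth ruling out before investigating missing attributes.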
Using BYOD in a Multi-Tenant Setup
Using BYOD is possible in a Multi-Tenant configuration, with the client’s IP address passed in the
Framed-IP-Address attribute denoting the tenant membership.
Typically, you add all network access servers’ IP addresses into the same tenant as the clients they
are serving. This is essential if the network access server is unable to support sending the client’s IP
address in the Framed-IP-Address attribute (Advanced Firewall would receive the IP address of
the network access server instead), or if Framed-IP-Address is not sent in every accounting
packet. This is to ensure users receive the correct web filtering policies.
For more information about licensing and using the Multi-Tenant feature of Advanced Firewall, refer
to the Multi-Tenant Administration Guide.
Using BYOD in a Centrally Managed Solution
A BYOD service in a centrally managed solution could potentially be configured with any of the
implementations previously described.
You can choose to configure the parent Advanced Firewall node as the primary RADIUS server, with
the child nodes acting as extra RADIUS servers receiving forwarded accounting packets.
It is also possible to configure more than one Advanced Firewall to act as the RADIUS server for the
network access server, with each processing a different RADIUS request.
You can also choose to configure the network access servers to use one of the Advanced Firewall
nodes as a backup RADIUS server. However, the following limitations apply:
• The network access server must send the Framed-IP-Address attribute to all nodes,
  including those that are not being used for authentication
• Each Advanced Firewall node must be configured to see all other Advanced Firewall nodes in
  the centrally managed solution
  - You must ensure the correct shared secret is configured for each node
  - Each node must be configured to forward accounting packets to all other nodes
Note: Nodes from a centrally managed solution are not added automatically to the BYOD
configuration. You must add them separately to the Forward RADIUS accounting to panel located
at Services > Authentication > BYOD. For more information, see Adding External RADIUS Servers
on page 74.
For a detailed description of how to implement a centrally managed Smoothwall System, refer to the
Advanced Firewall Administration Guide.
Configuring BYOD for Advanced Firewall
To configure BYOD, do the following:
1. Browse to Services > Authentication > BYOD.
2. Configuring Advanced Firewall for BYOD involves the following:
   - Prerequisites on page 70
   - Adding RADIUS Clients on page 72
   - Blocking Access to the Wireless Network on page 73
   - Adding External RADIUS Servers on page 74
   - Using the Advanced Firewall Certificate on page 75
Prerequisites
Irrespective of the type of BYOD setup, before you configure Advanced Firewall you must have the
following information:
• The IP addresses for the wireless access points
• The IP addresses for any external RADIUS servers, if required
• The shared secrets for the RADIUS servers and clients
When Advanced Firewall is the RADIUS Authentication Server
If Advanced Firewall is acting as the RADIUS server for authentication, the following must be
considered:
• Users’ wireless devices must support WPA Enterprise with Protected Extensible Authentication
  Protocol (PEAP), and Microsoft Challenge-Handshake Authentication Protocol (MSCHAP)
  version 2.
• If a web filtering policy is applied to users, Guardian must be configured to use core
  authentication. For more information, refer to the Guardian Installation and Administration
  Guide.
• Active Directory must be used to authenticate users to the wireless network.
  Note that no other directory services are supported if Advanced Firewall is the authentication
  server, including the legacy method of using Active Directory.
  For a detailed description of how to configure Advanced Firewall to connect to an Active
  Directory server, refer to the Advanced Firewall Administration Guide.
When Basic Network Access Servers are Used
If the network access server is unable to authenticate the user, or act as a DHCP server to provision
the wireless device with an IP address, the following must be considered:
• You must enable DHCP on Advanced Firewall, and configure a valid DHCP subnet. For a
  detailed description of how to do this, refer to the Advanced Firewall Administration
  Guide.
• All network access servers must be located in the same subnet as Advanced Firewall. Network
  switches can be used, but there must not be any routers between them. Again, Advanced
  Firewall must be the DHCP server for that subnet.
• Advanced Firewall must act as the RADIUS authentication and accounting server. The
  prerequisites listed in When Advanced Firewall is the RADIUS Authentication Server on page 71
  also apply.
Notes for the Network Access Servers
Note: Refer to your documentation for the network access server you are using for a detailed
description of how to configure the access points.
The following should be considered:
• The wireless network added to, or modified in the network access server must use WPA2 with
  802.1X.
  - The wireless network type may be referred to as WPA2-Enterprise, WPA2-RADIUS, or
    WPA2 with a separate option for RADIUS accounting. WPA2 is the most secure. To support
    older hardware, WPA1 is also supported. Some network access servers may support WPA1
    and WPA2 simultaneously.
• Some network access servers require you to enter Advanced Firewall’s details twice, if
  Advanced Firewall is the RADIUS server for both authentication and accounting.
Unblocking Communication Ports for RADIUS Traffic
Advanced Firewall uses ports 1812 and 1813 to send and receive RADIUS traffic. You must add the
following external rules to allow traffic from BYOD devices through to Advanced Firewall.
If Advanced Firewall is acting as both the RADIUS authentication and accounting server,
do the following:
1. Browse to System > Administration > External access.
2. Add an external access rule for the following Service — RADIUS authentication (1812).
3. Create an additional external access rule for the following Service — RADIUS accounting
   (1813).
For all other BYOD configurations, do the following:
1. Browse to System > Administration > External access.
2. Add an external access rule for the following Service — RADIUS accounting (1813).
For a detailed description of using external access rules, including how to configure them, see
Configuring External Access on page 147.
Adding RADIUS Clients
You must add the details of the RADIUS clients that are authorized to connect to Advanced Firewall.
Depending on your network configuration, the RADIUS clients will either advise of user authentication
and authorization, or send a request for the user to either be authenticated, authorized for access,
or both.
To add RADIUS clients, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Authorized RADIUS clients panel, and click Add new RADIUS client.
3. Configure the following:
   - Status — Clear the selection if you don’t want this RADIUS client to send requests
   - Name — Configure a meaningful name for the RADIUS client
   - IP address — Enter the IP address of the RADIUS client
   - Shared secret — Enter the shared secret (password) that will be used by this client to
     successfully communicate with the RADIUS server.
     It is recommended you use a minimum of eight characters, using a combination of
     alphanumeric and punctuation characters.
   - Confirm — Re-enter the shared secret. Do not copy and paste from the previous text box,
     as this may copy any errors.
   - Comment — Configure an optional comment for this server.
     An additional button, Show comments, will be displayed on the Authorized RADIUS
     clients table if any comments are configured. Clicking this will display configured comments
     under the client name.
4. Click Add.
Editing RADIUS Clients
To edit an existing RADIUS client, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Authorized RADIUS clients panel.
3. Highlight the relevant RADIUS client, and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Adding
   RADIUS Clients on page 72.
5. Click Save changes.
Deleting RADIUS Clients
To remove an existing RADIUS client, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Authorized RADIUS clients panel.
3. Highlight the relevant RADIUS client, and click Delete.
4. Click Delete to confirm deleting the client.
Blocking Access to the Wireless Network
You can add rules to block access to the wireless network according to group membership.
However, to be able to do this, the following prerequisites must be met:
• Advanced Firewall must be the authentication RADIUS server for the network
• RADIUS authentication is via Active Directory
• The network access server must be able to send the users’ authentication group in the
  Filter-ID RADIUS attribute
A default rule is provided as a “catch-all” for any groups not listed in this section — All other groups.
The default behavior for this rule is to allow access to the wireless network.
Note: This is a complete block to the wireless network, not just to the Internet. You can use
Guardian to block access to the Internet, but still allow access to the wireless network. For a detailed
description of how to do this, refer to the Guardian Installation and Administration Guide.
To add an access control rule, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Access control rules panel, and click Add new access control rule.
3. Configure the following:
   - Status — Clear the selection if you do not want this group to use access control rules.
   - Group — From the drop-down list, select the relevant group for this rule.
   - Rule — From the drop-down list, select whether this rule is to Allow access to the wireless
     network, or to Block access.
   - Comment — Configure an optional comment for this rule.
     An additional button, Show comments, will be displayed on the Access control rules
     table if any comments are configured. Clicking this will display configured comments under
     the group name.
4. Click Add.
For a detailed description of how to add groups to Advanced Firewall, see Managing Groups of Users
on page 289.
Editing an Access Control Rule
To edit an existing access control rule, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Access control rules panel.
3. Highlight the relevant rule, and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Blocking
   Access to the Wireless Network on page 73.
5. Click Save changes.
Adding External RADIUS Servers
Typically, Advanced Firewall acts as the RADIUS server, but will act as the client when it needs to
forward RADIUS accounting data to upstream servers, such as a billing system or a captive portal.
This can also be other Advanced Firewall nodes in a centrally managed solution.
If Advanced Firewall is to forward RADIUS accounting requests to an additional server, you must
configure the servers that will receive the RADIUS accounting packets.
To add RADIUS servers, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Forward RADIUS accounting to panel, and click Add new RADIUS
   server.
3. Configure the following:
   - Status — Clear the selection if you don’t want this RADIUS server to handle requests
   - Name — Configure a meaningful name for the RADIUS server
   - IP address — Enter the IP address of the RADIUS server
   - Shared secret — Enter the shared secret (password) that will be used by connecting
     RADIUS clients to successfully communicate with this server.
     It is recommended you use a minimum of eight characters, using a combination of
     alphanumeric and punctuation characters.
   - Confirm — Re-enter the shared secret. Do not copy and paste from the previous text box,
     as this may copy any errors.
   - Comment — Configure an optional comment for this server.
     An additional button, Show comments, will be displayed on the Forward RADIUS
     accounting to table if any comments are configured. Clicking this will display configured
     comments under the server name.
4. Click Add.
Editing RADIUS Servers
To edit an existing RADIUS server, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Forward RADIUS accounting to panel.
3. Highlight the relevant RADIUS server, and click Edit.
4. Edit the configuration as required. For a detailed description of each setting, see Adding External
   RADIUS Servers on page 74.
5. Click Save changes.
Deleting RADIUS Server
To remove an existing RADIUS server, do the following:
1. Browse to Services > Authentication > BYOD.
2. Scroll down to the Forward RADIUS accounting to panel.
3. Highlight the relevant RADIUS server, and click Delete.
4. Click Delete to confirm deleting the server.
Using the Advanced Firewall Certificate
If authentication services are provided through Advanced Firewall, you may find that some devices
do not automatically accept Advanced Firewall’s certificate when users try to authenticate onto the
wireless network. You can download Advanced Firewall’s certificate, and make it available in a way
supported by those affected devices.
To download the certificate, do the following:
1. Browse to Services > Authentication > BYOD.
2. From the Certificates panel, click Download CA certificate.
3. Copy the certificate to a secure location, then import it into the devices’ browser.
For a detailed description of how to import certificates, refer to the devices’ accompanying
documentation.
4 Producing Reports
This chapter describes how to use the reporting engine of Advanced Firewall, including:
• About Reports on page 77
• Generating Reports on page 79
• Scheduling Reports on page 81
• Creating Custom Report Templates on page 83
• Managing Reports and Report Folders on page 87
• Making Reports Available on User Portals on page 88
About Reports
Advanced Firewall’s supplied reports are found under the Logs and reports > Reports menu.
Those reports available to run are dependent on the Smoothwall System, and licensed modules,
installed. All other supplied reports have been deprecated from the Smoothwall System, but remain
in the Archive folder for backwards compatibility. For a detailed description of the supplied reports,
see Appendix A: Available Reports on page 169.
About Report Templates
A report template is the structure for a supplied report or custom report.
You can create custom report templates tailored to your installation. These can be created from
scratch, or you can adjust the content of the supplied report templates to suit. However, this will create
a copy of the supplied report template rather than changing the existing report structure. For a
detailed description of how to create custom templates, see Creating Custom Report Templates on
page 83.
About Report Outputs
When a report is initially generated, it is rendered as HTML to the screen.
A Contents menu is displayed to provide quick and easy navigation to sections within the report. A
Back to top quick-link is also provided to reduce scrolling for large reports.
Some result data, such as IP addresses and URLs, can present additional information when hovered
over. This is particularly useful where Advanced Firewall has truncated a long URL for display
purposes. Note that not all reports and results have this feature.
Once generated, you can save the report, change the date range and change the output format.
About Other Report Outputs
You can also choose to save the report to one of the following outputs:
• CSV — Comma separated values
• Excel — Microsoft™ Excel format
• PDF — Portable document format
• PDFBW — Portable document format, but in black and white only
• TSV — Tab separated values
Using Drill Down Reports
Some supplied reports come with the ability to drill down through the data presented for further
investigation. Note that not all reports have this feature. Drill down reports are actually other supplied
reports that can be run using the same data.
Drill down reports are stored with the report under the Recent reports panel of the Recent and
saved page:
Note: The list of available drilled down reports is determined by the report group and cannot be
altered.
For example, a report showing the amount of traffic used by the top IP addresses can be drilled down
to show the bandwidth usage for one of the IP addresses; a report showing the number of times a
website has been requested can be drilled down to show the URL was requested or which users
actually visited the site:
Note: Drill down reports are not available through the user portal.
Generating Reports
To generate a supplied report, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2. Open the relevant report folder.
3. Enter a date range.
4. Click the Advanced >> button for the required report, and enter any relevant information.
5. Click Run Report. The report is generated to screen.
   To choose a different format, select the relevant output type. Follow the instructions for your
   browser to download and save the report.
Note: You can also run reports from Advanced Firewall’s user portal. The reports available depend
on the users’ login credentials. For a detailed description of how to run reports from Advanced
Firewall’s user portal, refer to the Advanced Firewall User Portal Guide.
Canceling a Report
You can also choose to cancel a report, for example, if it was incorrectly run, or is taking too long to
generate.
To cancel a report generation, do the following:
• From the report progress bar, click Cancel.
  Advanced Firewall does not display the report generated so far.
Regenerating and Saving Reports
You can access all reports generated for a limited time frame — from the last hour, today, yesterday,
and older. You can also regenerate previously run reports, change the date range, or change their
output format.
To see recently generated reports, go to Logs and reports > Reports > Recent and saved.
You can also save generated reports for permanent access.
To permanently save a report, do the following:
1. Generate a report as detailed in Generating Reports on page 79.
2. When the report has generated to screen, enter a name for the report in the Save as text box
   at the top.
   The report appears under Logs and reports > Reports > Recent and saved in the Saved
   reports panel.
About the Summary Report
The Summary report is provided separately on Advanced Firewall. The Summary report provides
summary information about your Advanced Firewall installation, including:
• Alerts
• The running status of system services
• Network ARP table
• Updates for your Smoothwall System
• Tip of the day
• Summary of uptime
• Processor information
• Memory information
• Hard disk drive information
• Interface and host bandwidth usage
• Per IP address statistics
• Network routing table
To run the Summary report, do the following:
• From your Advanced Firewall, browse to Logs and reports > Reports > Summary.
  You can customize the content of the summary report to suit. For more information, see
  Creating Custom Report Templates on page 83. Note that any customized versions of the
  Summary report will be run from Logs and reports > Reports > Reports, rather than the
  Summary page.
Scheduling Reports
You can configure Advanced Firewall to send reports at scheduled times of the day, to specified
users and user groups. Both supplied and custom reports can be scheduled.
To create a scheduled report, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Scheduled.
2. Configure the Schedule details:
   - Start date — Choose the month and day to schedule the report on. If this is a repeated
     schedule, enter the date for the first schedule.
   - Time — Enter the time, in 24-hour format, for the report schedule.
   - Repeat — Choose the type of schedule. Available options are:
       Repeat Option    Description
       No repeat        The report is generated only at the time and date specified.
       Daily repeat     The report is generated at the specified time, every day.
       Weekday repeat   The report is generated at the time specified, Monday to Friday.
       Weekly repeat    The report is generated at the time specified, once a week.
       Monthly repeat   The report is generated at the time specified, once a month.
   - Enabled — Click to enable or disable the schedule as required.
   - Comment — An optional description for the report schedule.
3. Configure the Report details:
   - Report — Select the required report for the schedule.
   - Report shows period — If required, select the required date range. Available ranges are:
     1 day, 2 days, 3 days, 4 days, 5 days, 6 days, 1 week, 2 weeks, 3 weeks, 1 month, 2
     months, 3 months, 4 months, 5 months, and 6 months.
   Click the Update button. If the report requires extra information to search against, such as a
   specific IP address, you will be prompted to enter it.
4. To save the report after it has been generated, do the following from the Save report panel:
   - Save report — Click to enable this report to be saved to your Smoothwall System. Saved
     reports are found under Logs and reports > Reports > Recent and saved.
   - Report name — Enter a name for the report schedule.
   - Publish from portal — If user portals have been enabled for your Smoothwall System, you
     can choose to publish the scheduled report to a user portal. Leave this option as none to
     ignore all portals.
5. To create an email scheduled report, do the following from the Email report panel:
   - Email report — Click to create an email scheduled report.
   - Group — From the drop-down menu, choose the group to email the reports to. For a
     detailed description of how to setup email groups, see Configuring Alert and Report Groups
     on page 129.
6. Click Add to create the scheduled report.
Example Schedule Report Configuration
Managing Scheduled Reports
The Scheduled reports panel lists all created, scheduled reports. You can edit, and remove
scheduled reports from this panel.
To remove a scheduled report, do the following:
1. Highlight the relevant report, ensuring that Mark is ticked.
2. Click the Remove button.
This removes the entire schedule. If you want to keep the report setup but not run the schedules,
you can disable the report schedule by editing the report setup and unclicking the Enabled check
box. For a detailed description of how to edit a report, see below.
To edit a scheduled report, do the following:
1. Highlight the relevant report, ensuring that Mark is ticked.
2. Click the Edit button.
   The schedule details are displayed in the relevant panels.
3. Make the required changes and click Add.
Creating Custom Report Templates
Custom reports allow you to extract data and present it in your own report. You can choose to save
custom reports you create in existing, supplied report folders, or in custom folders.
The data available to use in custom reports are grouped into sections.
Existing report templates, including those previously created as custom reports, can be used to
create new custom reports. However, if that template is updated whilst being used by other custom
reports, the changes will not be filtered through.
Note: The report sections available for custom reports depend on the Smoothwall System installed,
and the modules licensed.
Creating Basic Custom Reports
The following section describes how to create a basic custom report, with only a single reporting
section.
To create a basic custom report, do the following:
1. From your Advanced Firewall, browse to Logs and reports > Reports > Custom.
2. From the Customize reports panel, configure the following:
   - Name — The name of your custom report.
   - Report icon — Choose a relevant icon for your custom report from the drop-down menu.
   - Description — Add an optional description for your custom report. This text is displayed
     under the report link in the Reports page.
   - Location — Choose a relevant folder to store your custom report from the drop-down
     menu. For a detailed description of how to create a new folder, see Creating Folders on
     page 87.
3. Within the Sections panel, expand the relevant Available sections folder. Highlight the
   required report section by clicking it.
4. Click Add >> to include the report section in your custom report.
   A new panel, headed with the section name, will be created at the bottom of the screen with
   the following tabs:
   - Description — The description of the included section.
   - Options — Some sections deal with only a limited set of data, such as a single group or a
     single IP address, in which case this tab will not apply. For other sections, you will be
     prompted to choose the type of data for the report, such as, incoming or outgoing traffic,
     interface number, and so on.
   - Results — The results returned for that section. This is useful if the section is used in
     feed-forward reporting. For more information, see About Advanced Custom Reports on page 84.
   - Export — This tab displays those data items that a user can be prompted to enter to narrow
     the search when running the report, such as, username or IP address. The exported options
     appear on the Advanced >> table when running the reports — see Generating Reports on
     page 79.
5. Click Create report.
About Advanced Custom Reports
An advanced custom report is typically one where the report data can be taken from different aspects
of Advanced Firewall’s logs, such as user activity, browsing history, and bandwidth used.
Custom reports can make use of the advanced features of Advanced Firewall’s reporting engine:
• Grouping sections — You may want to group sections together to allow multiple, logically similar
  sections to share reporting options. For example, you can group together sections which
  require a username to be entered for the report to run against.
  You can also create subgroups within grouped sections.
  When you group sections together, you will be presented with extra Grouped options to report
  on. Sections that have report Options to narrow down the report data can be used to override
  the data for the section group you have set up. For example, for a traffic report showing incoming
  data only, you can set up one section in a report to disregard all internal traffic.
• Re-ordering sections — You can reorder included sections to create a logical report.
  If you are using feed-forward reporting, sections that provide feeder data should always be
  before those sections utilizing the data.
• Feed-forward reporting — Feed-forward reporting allows a section’s results to be used as the
  source of options for subsequent sections. For example, a network interfaces section can be
  used to gather the configuration details of external network interfaces, whilst another section
  can use that data to display the bandwidth usage per interface.
• Iterative reporting — Iterative reporting is where a section is repeated in the same report, but
  with a few details changed.
Example Advanced Custom Report Scenarios
The following are high level examples of the types of reports that can be classified as advanced
custom reports:
• Show user activity for each user, by department, during a specific date range. The user activity
  should be broken down into the websites they were looking at, the categories those websites
  belong to, and the length of time spent browsing.
• Show the bandwidth used for configured interfaces, including both incoming and outgoing data.
  Ignore internal data.
Creating Advanced Custom Reports
When creating an advanced custom report, it is best to imagine the report structure from a groups
perspective, that is:
• What data needs to be grouped together?
• Which groups, or data should be repeated?
To create an advanced custom report, do the following:
1.
Create a custom report as detailed in Creating Basic Custom Reports on page 83, adding
multiple report sections. Don’t click Create report.
Tip: You can highlight multiple available sections before clicking the Add >> button to add multiple
sections at once.
2.
To group sections together, do the following:

Within the Included sections panel, highlight those sections you want to group together.
Note that you do not need to hold the CTRL button down to click multiple sections.

Click Group.

In the report panel underneath, those selected sections will be grouped together. Add a
meaningful Group name.

To ungroup grouped sections, highlight the group name in the Included sections panel,
and click Ungroup.
Note that un-grouping sections may affect any feed-forward, iterative, or group options you
have configured.
3.
To re-order the included sections, do the following:

Within the Included sections: panel, highlight the section you want to move.

Click either the Move up or Move down button as required.

You can move groups in the same manner by highlighting the group name.
Note that you cannot move sections outside of groups.
4.
To create a feed-forward group, do the following:

Create a report group as detailed in step 2.

From the Repeat > Using results from a section: drop-down menu, select the section
you want to feed-forward from.
Only suitable sections for feed-forward reporting will be listed under this heading. The
resulting data is listed in the Results tab for that section.

Click the Update button. The feed-forward section will be removed from its parent group,
and displayed in a new (feeder) section.

Configure any extra configuration options for the feeder section.

Click Update again.
5.
To create an iterative report, do the following:

Create a report group as detailed in step 2.

From the Repeat > Based upon grouped option: drop-down menu, select the option that
best suits the section you want to be repeated.
Note that if a grouped option is chosen to be repeated, it will no longer be available as an
option from its parent section.

Click the Update button to display extra configuration options for the repeated section.

Configure any extra configuration options for the iterative section.

Click Update again to save your extra configuration settings.
6.
Click Create report.
Managing Custom Reports
The custom report interface can be used to edit supplied reports. Note that this does not override
the supplied report structure. Instead, a copy of the report, with your changes, will be made.
To edit an existing report, or custom report, do the following:
1.
Browse to either the Logs and reports > Reports > Reports or Logs and reports >
Reports > Recent and saved page.
2.
Click the Edit button for the relevant report.
3.
Edit the report as required.
4.
Click Update to save your changes.
For a detailed description of how to delete a custom report, see Deleting Reports on page 88.
Managing Reports and Report Folders
Supplied and custom reports are grouped into folders on Advanced Firewall. You can customize the
report folders for your installation.
Creating Folders
You can add additional folders, and subfolders, to the Reports page. You can also add subfolders
to the supplied report folders on Advanced Firewall.
Note: You cannot change the folder location of supplied reports.
To create a folder or subfolder, do the following:
1.
From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
To add a subfolder to an existing location, open the relevant folder.
2.
Click the New folder button.
3.
Enter a new name for the folder, and click Rename.
To add reports to your new folder, do one of the following:
•
Create a new custom report, and save it to the folder location.
•
Edit an existing report, and change the report location from the Location drop-down menu of
the Customize reports panel.
Renaming Folders
Note: Only custom folders you have created can be renamed. Supplied folders cannot be renamed.
To rename an existing folder, do the following:
1.
From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2.
Click the Edit button for the relevant report.
3.
Enter a new name for the folder, and click Rename.
Deleting Folders
Folders that contain reports cannot be deleted. You must empty the folders first.
Note: Only custom folders you have created can be deleted. Supplied folders cannot be deleted.
To delete an existing folder, do the following:
1.
From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2.
Click the Delete button for the relevant folder.
Deleting Reports
You can only delete recently generated, saved, and custom reports. Supplied reports cannot be
removed from Advanced Firewall.
Note: Only custom reports you have created can be deleted. Supplied report templates cannot be
deleted.
To delete an existing report, do the following:
1.
From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2.
Click the Delete button for the relevant report.
Making Reports Available on User Portals
The following describes a method of adding reports to user portals that is an alternative to the one
described in Configuring a Portal on page 27.
To make the report available, do the following:
1.
From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2.
Open the relevant report folder, and locate the required report.
3.
Click the Advanced >> button.
4.
From the Permissions tab, click Portal access.
The following pop-up is displayed:
Those portals that this report is available from are listed in the Available to panel.
5.
To make this report available from a user portal, select it from the Add access drop-down list,
and click Add.
6.
Click Close.
Saving a Report Output to Other User Portals
You can also make the reports generated from one user portal available to another portal. This may
be useful for users that need specific information but may not necessarily have access, or the time
to run such a report.
Note: By following the method described below, the report output for the specified report will always
be saved to the configured user portal.
To always save a report output to a user portal, do the following:
1.
From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2.
Open the relevant report folder, and locate the required report.
3.
Click the Advanced >> button.
4.
From the Permissions tab, click Automatic access.
Those portals already receiving a copy of this report’s output are listed in the Automatic
Access panel.
5.
To make this report’s output available to a user portal, select it from the Add access drop-down list, and click Add.
6.
Click Close.
Removing Reports from a User Portal
To remove a report from a user portal, do the following:
1.
From your Advanced Firewall, browse to Logs and reports > Reports > Reports.
2.
Open the relevant report folder, and locate the required report.
3.
Click the Advanced >> button.
4.
From the Permissions tab, click Portal access.
Those portals that this report is available from are listed in the Available to panel.
5.
Select those reports to remove from the user portal, and click Delete.
6.
Click Close.
Tip: The above method can also be used to stop a report outputting to a user portal. Follow steps
1 to 6, deleting those reports under the Available Access panel instead.
5 Using Alerts, Information, and Logging
This chapter describes the information, alerts and log files that are available in your Smoothwall
System, including:
•
About the Dashboard
•
About Alerts
•
About Advanced Firewall’s Realtime Viewer
•
About Advanced Firewall’s Log Files
•
Configuring Report and Alert Output Settings
•
Configuring Alert and Report Groups
About the Dashboard
The dashboard is the default home page of your Advanced Firewall system, providing a summary of
the current state of the Advanced Firewall system.
The dashboard displays service status, external connectivity controls, and a number of summary
reports.
To access the dashboard, do the following:
•
Browse to the Dashboard page.
About Alerts
Advanced Firewall contains a comprehensive set of incident alerting controls.
Alerts are generated when certain trigger conditions are met. Trigger conditions can be individual
events, for example, an administrator login failure, or a series of events occurring over a particular
time period, for example, a sustained high level of traffic over a five minute period. Some alerts allow
their trigger conditions to be edited to customize the alert sensitivity.
Some situations are constantly monitored, particularly those relating to critical failures, for example,
UPS and power supply alerts.
It is possible to specify two trigger conditions for some alerts – the first acts as a warning alert, and,
in more critical circumstances, the second denotes the occurrence of an incident.
You access the alerts and their settings on the Logs and reports > Alerts > Alerts page.
Available Alerts
The following alerts are available to you:
Alert: VPN Tunnel Status
Description: VPN Tunnel status notifications occur when an IPSEC Tunnel is either connected, or disconnected. Monitored once every five minutes.

Alert: Web filter violations
Description: Monitors web filter activity and generates warnings about suspicious or blocked web accesses.
Default Settings:
Forbidden user accesses:
•
Exclude adverts
•
Warning threshold: 20
•
Caution threshold: 100
Forbidden IP address accesses:
•
Exclude adverts
•
Warning threshold: 20
•
Caution threshold: 100

Alert: Hardware failure alerts, harddisk failure
Description: Generates messages when hardware problems are detected.

Alert: License expiry status warnings
Description: Generates messages when the license is due for renewal or has expired. Monitored once an hour.

Alert: Hardware Failover Notification
Description: Generates messages when a hardware failover occurs, or when failover machines are forced on and offline.

Alert: VPN Certificate Monitor
Description: Validates Advanced Firewall VPN certificates and issues warnings about potential problems, or impending expiration dates. Monitored once an hour.
Default Settings:
Notification of expired certificates:
•
Number of days left (warning): 7
•
Number of days left (critical): 1

Alert: UPS, Power Supply status warnings
Description: Generates messages when server power switches to and from mains supply. Constant monitoring.

Alert: Outgoing Traffic Violations
Description: Monitors outbound access activity and generates warnings about suspicious behavior. Constant Monitoring.
Default Settings:
Forbidden services:
•
Monitor ports for accesses
•
Warning threshold: 5
•
Destination Port list: 25, 4662, 4661, 6881, 6882, 6699
Forbidden accesses:
•
Monitor destination IP addresses
•
Warning threshold: 100
•
Incident threshold: 300
•
Monitor destination ports
•
Warning threshold: 100
•
Incident threshold: 300

Alert: System Resource Monitor
Description: These alerts are triggered whenever the system resources exceed predefined limitations. Monitored once every five minutes.
Default Settings:
System load average warning level: 3.0
System memory warning level: 80%
Disk usage warning level: 80%

Alert: Firewall Notifications
Description: Monitors firewall activity and generates warnings based on suspicious activities to or from certain IP addresses involving particular ports. Constant monitoring.
Default Settings:
Monitor source IP addresses:
•
Warning threshold: 50
•
Incident threshold: 200
Monitor destination IP addresses:
•
Warning threshold: 100
•
Incident threshold: 200
Monitor destination ports:
•
Warning threshold: 50
•
Incident threshold: 150
•
Ignored ports: 135, 136, 137, 138, 139, 445, 80

Alert: L2TP VPN Tunnel Status
Description: L2TP Tunnel status notifications occur when an L2TP (Layer 2 Tunnelling Protocol) Tunnel is either connected, or disconnected. Monitored once every five minutes.

Alert: System Service Monitoring
Description: This alert is triggered whenever a critical system service changes status, that is, starts or stops. Monitored once every five minutes.
Default Settings:
Web server
Cron server
Monitor alerts
SystemD

Alert: Reverse proxy violations
Description: Monitors reverse proxy activity and generates warnings about connectivity issues. Constant Monitoring
Alert: Health Monitor
Description: Checks on remote services for activity. Health monitor alerts are intended to enable you to keep an eye on various aspects of your network which are usually outside of the remit of Advanced Firewall.

Alert: Web filter upstream proxy status
Description: This alert is triggered when connectivity to an upstream proxy fails or returns. Monitored once every five minutes.
NG
Alert: Email Virus Monitor
Description: These alerts are triggered by detection of malware being relayed via SMTP or downloaded via POP3. Monitoring is constant.

Alert: Web filter URL violations
Description: Monitors URL activity. Monitored once every five minutes.
NG
Alert: IM proxy monitored word alert
Description: Monitors instant messaging chat activity and generates warnings based on excessive use of inappropriate language.

Alert: External Connection Failover
Description: Monitors the external connection(s) and alerts in the case of failover. Monitoring is constant.

Alert: Traffic Statistics Monitor
Description: These alerts are triggered whenever the traffic flow for the external interface exceeds certain thresholds. Monitored once every five minutes.
Default Settings:
Incoming bandwidth: 1,000 Kbps
Outgoing bandwidth: 1,000 Kbps
Data transfer for the previous: Week
Incoming data exceeds: 1,000,000 KB
Outgoing data exceeds: 1,000,000 KB
Total data exceeds: 1,500,000 KB

Alert: Output System Test Messages
Description: Catches test alerts generated for the purposes of testing the Advanced Firewall Output systems. Constant Monitoring.

Alert: Inappropriate word in IM Monitor
Description: Generates an alert whenever a user uses an inappropriate word or phrase in IM chat conversation
Default Settings:
Enabled on received text
Enabled on sent text
Generate alert for each message which exceeds the Message Censor severity threshold:
•
Threshold: 0
Generate alert when users exceed the rate of inappropriate messages:
•
Threshold: 0
•
Number of inappropriate messages in 15mins: 5
Alert: Administration Login Failures
Description: Monitors both the Secure Shell (SSH) and Web Interface services for failed login attempts. Constant Monitoring.

Alert: Bandwidth Monitor
Description: These alerts are triggered whenever the traffic flow for an external interface or bridge exceeds certain thresholds.

Alert: Update Monitoring
Description: Monitors the system for new updates once an hour.

Alert: Intrusion System Monitor
Description: These alerts are triggered by violations and notices generated by the intrusion system by suspicious network activity. Constant Monitoring.
Default Settings:
Priority: High

Alert: Mail Queue Monitor
Description: Watches the email queue and informs if the number of messages therein exceeds a certain threshold. Monitored once an hour

Alert: Global Proxy
Description: This alert monitors for Global Proxy activity. Alerts are triggered when client misconfiguration, or potential abuse is detected.

Alert: System Boot (Restart) Notification
Description: This alert is generated whenever the system is booted; that is, is turned on or restarted. Monitored once every five minutes.
Configuring Alert Settings
You can configure additional alerts, or change the default settings of pre-defined alerts.
To configure alert settings, do the following:
1.
From your Advanced Firewall system, browse to Logs and reports > Alerts > Alerts
settings.
2.
Locate the relevant alert and configure the appropriate settings:

Configuring the Web Filter Violations Alert on page 96

Configuring the VPN Certificate Monitor on page 96

Configuring the Outgoing Traffic Violations Alert on page 97

Configuring the System Resource Monitor on page 97

Configuring the System Service Monitoring Alert on page 98

Configuring the Health Monitor Alert on page 98

Configuring the Traffic Statistics Monitor on page 99

Configuring the Web Filter URL Violations Alert on page 99

Configuring the Inappropriate Word in IM Monitor on page 99

Configuring the Email Virus Monitor on page 100

Configuring the Mail Queue Monitor Alert on page 100

Configuring the Bandwidth Monitor Alert on page 101

Configuring the Intrusion System Monitor on page 101

Configuring the Global Proxy Alert on page 102
3.
Click Save or Add.
Configuring the Web Filter Violations Alert
The Web filter violations alert comes pre-defined, but disabled, upon installation.
Adjust the alert parameters as needed:
•
Forbidden user accesses — These parameters define the alert thresholds for when users
access blocked domains:

Monitor for blocked accesses — Select this to enable this alert

Warning threshold — Enter the number of hits allowed for blocked accesses before the
warning alert is triggered

Caution threshold — Enter the number of hits allowed for blocked accesses before the
caution alert is triggered

Exclude adverts — Select this to exclude adverts in this alert
•
Forbidden IP address accesses — These parameters define the alert thresholds for when IP
addresses access blocked domains:

Monitor for blocked accesses — Select this to enable this alert

Warning threshold — Enter the number of hits allowed for blocked accesses before the
warning alert is triggered

Caution threshold — Enter the number of hits allowed for blocked accesses before the
caution alert is triggered

Exclude adverts — Select this to exclude adverts in this alert
Configuring the VPN Certificate Monitor
The VPN certificate monitor comes pre-defined upon installation.
Adjust the alert parameters as needed:
•
Notification of expired certificates — Select this to disable this alert
•
Number of days left (Warning) — Enter the number of days before the certificate expires that
will trigger a warning alert
•
Number of days left (Critical) — Enter the number of days before the certificate expires that
will trigger a critical alert
Configuring the Outgoing Traffic Violations Alert
The Outgoing Traffic Violations alert comes pre-defined upon installation.
Adjust the alert parameters as needed:
•
Forbidden services — These parameters define the alert thresholds for forbidden services:

Monitor ports for accesses — Select to disable port monitoring for this alert

Warning threshold — Enter the number of forbidden hits for all ports before the warning
alert is triggered

Destination Port list — Enter a comma-separated list of destination port numbers to be
monitored
•
Forbidden accesses — These parameters define the alert thresholds for forbidden accesses:

Monitor destination IP addresses — Select to disable destination IP address monitoring

Warning threshold — Enter the number of forbidden hits to destination IP addresses
before the warning alert is triggered

Incident threshold — Enter the number of forbidden hits to destination IP addresses
before an incident alert is triggered

Monitor destination ports — Select to disable destination port monitoring

Warning threshold — Enter the number of forbidden hits to destination ports before the
warning alert is triggered

Incident threshold — Enter the number of forbidden hits to destination ports before an
incident alert is triggered
Configuring the System Resource Monitor
The System Resource Monitor comes pre-defined upon installation.
Adjust the alert parameters as follows:
•
System load average warning level (per CPU core) — This is used to set the threshold of
the average number of processes waiting to use the processors over a five minute period.
A system operating at normal performance should record a load average of between 0.0 and
1.0. While higher values are not uncommon, prolonged periods of high load (for example,
averages greater than 3.0) may merit attention.
•
Disk usage (%) warning level — This is used to set the disk space usage percentage threshold
before the alert is triggered. Low amounts of free disk space can
adversely affect system performance.
•
System memory (%) warning level — This is used to set the system memory usage
percentage threshold before the alert is triggered.
Advanced Firewall uses system memory aggressively to improve system performance, so
higher than expected memory usage may not be a concern. However, prolonged periods of
high memory usage may indicate that the system could benefit from additional memory.
Configuring the Firewall Notifications Alert
The Firewall Notifications alert comes pre-defined upon installation.
Adjust the alert parameters as follows:
•
Monitor source (remote) IP addresses — Select this to disable this alert.
This detects suspicious inbound communication from remote IP addresses. Alerts will be
generated if a rapid series of inbound requests from the same remote IP address is detected.

Warning threshold — Enter the number of hits from the source IP addresses before the
warning alert is triggered.

Incident threshold — Enter the number of hits from the source IP addresses before the
incident alert is triggered.

Ignore — Enter a comma-separated list of source IP addresses that should be ignored for
this alert.
•
Monitor source (remote) ports — Select this to enable this alert.
This detects suspicious inbound communication from remote ports. Alerts will be generated if
a rapid series of inbound requests from the same remote port is detected.
•
Monitor destination (local) IP addresses — Select this to disable this alert.
This detects suspicious inbound communication to local IP addresses. Alerts will be generated
if a rapid series of inbound requests to the same local IP address is detected.
•
Monitor destination (local) ports — Select this to disable this alert.
This detects suspicious inbound communication to local ports. Alerts will be generated if a rapid
series of inbound requests to the same local port is detected.
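The two-level threshold behaviour described in this section, shown as an added Python example rather than Smoothwall's own code: it counts blocked-packet records per source IP, destination IP and destination port, using the default Firewall Notifications thresholds and ignored ports listed under Available Alerts. The record format, the 60-second counting window and the sample records are assumptions constructed for the illustration; the guide does not specify them.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60  # assumption: the guide does not say how long hits are counted for


@dataclass(frozen=True)
class Rule:
    field: str                      # event field whose values are counted
    warning: int                    # hits in the window that raise a warning
    incident: int                   # hits in the window that raise an incident
    ignore: frozenset = frozenset()


# Default thresholds as listed for Firewall Notifications under Available Alerts.
DEFAULT_RULES = (
    Rule("src", warning=50, incident=200),
    Rule("dst", warning=100, incident=200),
    Rule("dport", warning=50, incident=150,
         ignore=frozenset({135, 136, 137, 138, 139, 445, 80})),
)


def parse_line(line):
    """Parse a constructed record: '<epoch> SRC=<ip> DST=<ip> DPT=<port>'."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"ts": int(ts), "src": kv["SRC"], "dst": kv["DST"], "dport": int(kv["DPT"])}


class ThresholdMonitor:
    """Sliding-window hit counter that raises a warning, then an incident."""

    def __init__(self, rules=DEFAULT_RULES, window=WINDOW_SECONDS):
        self.rules = rules
        self.window = window
        self.hits = defaultdict(deque)  # (field, value) -> timestamps still in window
        self.raised = {}                # (field, value) -> level already reported

    def feed(self, event):
        """Count one blocked packet and return the alerts it triggers."""
        alerts = []
        for rule in self.rules:
            value = event[rule.field]
            if value in rule.ignore:
                continue
            key = (rule.field, value)
            q = self.hits[key]
            q.append(event["ts"])
            while q[0] <= event["ts"] - self.window:
                q.popleft()             # drop hits that have aged out of the window
            count, seen = len(q), self.raised.get(key)
            if count >= rule.incident and seen != "incident":
                self.raised[key] = "incident"
                alerts.append(("incident", rule.field, value, count))
            elif count >= rule.warning and seen is None:
                self.raised[key] = "warning"
                alerts.append(("warning", rule.field, value, count))
            elif count < rule.warning:
                self.raised.pop(key, None)  # burst is over; allow a fresh alert later
        return alerts


def run(lines, rules=DEFAULT_RULES, window=WINDOW_SECONDS):
    """Feed records in timestamp order and collect every alert raised."""
    monitor = ThresholdMonitor(rules, window)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    return [alert for event in events for alert in monitor.feed(event)]


def constructed_log():
    """Constructed sample: one fast source plus noise on an ignored port."""
    scan = [f"{1000 + i // 2} SRC=203.0.113.7 DST=192.0.2.10 DPT={1024 + i}"
            for i in range(60)]
    noise = [f"{1000 + i // 3} SRC=198.51.100.{i} DST=192.0.2.{100 + i} DPT=445"
             for i in range(80)]
    return scan + noise


if __name__ == "__main__":
    for alert in run(constructed_log()):
        print(alert)
```

Lowering a warning threshold or removing a port from the ignore list can be tried against exported log data in the same way before changing the live alert settings.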
Configuring the System Service Monitoring Alert
The System Service Monitoring alert comes pre-defined upon installation.
Adjust the alert parameters as follows:
•
Select the components, modules and services that should generate alerts when they start or
stop.
Configuring the Health Monitor Alert
The Health Monitor alerts are disabled upon installation.
To enable Health Monitor alerts, configure the following:
•
Web server (HTTP) — This alert will retrieve the specified web page, and check for specific
keywords. If the keywords are missing, an alert will be triggered.

Request URL — Enter the URL of the web page to monitor. You can omit http:// when
entering the URL.

No of tries — Enter the number of attempts to retrieve the web page

Keywords — Enter a comma-separated list of keywords to search for
•
Other services — This alert checks the specified port is open and offering a service.

IP Address — Enter the IP address

Port — Enter the port number

Protocol — From the drop-down list, select the protocol of the service you want to check
for a response. Select Other to check that there is any response to connections on the
associated port.

No of tries — Enter the number of times Advanced Firewall should check the address and
not receive a response before generating an alert.
•
DNS name resolution — This alert checks that a domain has not expired, or been taken over.

Name — Enter the domain name

Address — Enter the domain address (URL)
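The three Health Monitor checks above, sketched as an added Python example (not Advanced Firewall's implementation) that can reproduce a check from another host when validating an alert. The function names are hypothetical, the stub responses in demo() are constructed, and comparing the resolved addresses with an expected IP address is an assumed reading of the Name and Address fields.

```python
import socket
import urllib.request


def fetch_page(url, timeout=5.0):
    """Retrieve a page body; http:// may be omitted, as in the Request URL field."""
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_web(url, keywords, tries, fetch=fetch_page):
    """Web server (HTTP): healthy if any of `tries` attempts returns a page
    containing every keyword in the comma-separated list."""
    wanted = [k.strip() for k in keywords.split(",") if k.strip()]
    reason = "no attempt made"
    for _ in range(tries):
        try:
            body = fetch(url)
        except OSError as exc:          # URLError, timeouts and resets are OSErrors
            reason = f"fetch failed: {exc}"
            continue
        missing = [k for k in wanted if k not in body]
        if not missing:
            return True, "ok"
        reason = "missing keywords: " + ", ".join(missing)
    return False, reason


def probe_tcp(ip, port, timeout=3.0):
    """Open and close a TCP connection; raises OSError if nothing answers."""
    with socket.create_connection((ip, port), timeout=timeout):
        return True


def check_service(ip, port, tries, probe=probe_tcp):
    """Other services: unhealthy only after `tries` checks in a row get no response."""
    for _ in range(tries):
        try:
            if probe(ip, port):
                return True, "ok"
        except OSError:
            pass
    return False, f"no response from {ip}:{port} after {tries} tries"


def resolve(name):
    """Return the set of addresses the name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def check_dns(name, expected_address, resolver=resolve):
    """DNS name resolution: unhealthy if the name stops resolving (expired)
    or resolves somewhere other than the expected address (taken over)."""
    try:
        found = resolver(name)
    except OSError as exc:              # socket.gaierror is an OSError
        return False, f"{name} did not resolve: {exc}"
    if expected_address in found:
        return True, "ok"
    return False, f"{name} resolves to {sorted(found)}, expected {expected_address}"


def demo():
    """Constructed, offline run: stub responses stand in for real services."""
    pages = iter(["<h1>503 Service Unavailable</h1>", "<h1>Welcome</h1> staff portal"])

    def refuse(ip, port):
        raise ConnectionRefusedError("constructed refusal")

    return {
        "web": check_web("intranet.example", "Welcome, portal", 2,
                         fetch=lambda url: next(pages)),
        "smtp": check_service("192.0.2.25", 25, 3, probe=refuse),
        "dns": check_dns("www.example.com", "192.0.2.80",
                         resolver=lambda name: {"203.0.113.66"}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```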
Configuring the Traffic Statistics Monitor
The Traffic Statistics Monitor comes pre-defined upon installation.
Adjust the alert parameters as follows:
•
Incoming bandwidth — Enter the total incoming bandwidth, in kilobits per second (kbps)
before the alert is triggered
•
Outgoing bandwidth — Enter the total outgoing bandwidth, in kilobits per second (kbps)
before the alert is triggered
•
Data transfer for the previous — From the drop-down menu, select the time period to collect
traffic statistics for
•
Incoming data exceeds — Enter the total incoming data threshold, in kilobytes (KBps), before
the alert is triggered
•
Outgoing data exceeds — Enter the total outgoing data threshold, in kilobytes (KBps), before
the alert is triggered
•
Total data exceeds — Enter the total incoming and outgoing data threshold, in kilobytes,
before the alert is triggered
Configuring the Web Filter URL Violations Alert
The Web filter URL violations alerts are disabled upon installation.
To enable Web filter URL violations, configure the following:
•
URLs to monitor — Enter the URLs to monitor, each on a separate line
•
Warning threshold — Enter the number of hits to the URL before the warning alert is triggered
•
Caution threshold — Enter the number of hits to the URL before the caution alert is triggered
Configuring the Inappropriate Word in IM Monitor
The Inappropriate word in IM Monitor comes pre-defined upon installation.
Adjust the alert parameters as follows:
•
Enabled on received text — Select to disable this alert
•
Enabled on sent text — Select to disable this alert
•
Generate alert for each message which exceeds Message Censor severity threshold
— Select to disable this alert

Threshold — From the drop-down list, select the threshold above which an alert will be
generated.
For information on the Message censor threshold, see Censoring Message Content on
page 54.
•
Generate alert when users exceed the rate of inappropriate messages — Select to
disable this alert

Threshold — From the drop-down list, select the threshold above which an alert will be
generated.

Number of inappropriate messages in 15 mins — Enter the number of times users can
use inappropriate messages in 15 minutes before the alert is triggered
Configuring the Email Virus Monitor
When configured, these alerts are triggered when malware being relayed via SMTP or downloaded
via POP3 is detected.
To configure the alert(s):
1.
Enable the following settings:

Monitor POP3 proxy for viruses — Select to enable alerting when malware is detected
when loading via POP3.

Monitor SMTP relay for viruses — Select to enable alerting when malware is detected
when relaying via SMTP.
2.
Click Save to enable the alerts.
Configuring the Mail Queue Monitor Alert
This alert is triggered when the number of messages in the email queue exceeds the specified threshold.
To configure and enable the alert:
1.
Configure the following settings:
Setting: Threshold number of messages
Description: Enter the number of messages above which the alert is triggered.
2.
Click Save to save the settings and enable the alert.
Configuring the Bandwidth Monitor Alert
The Bandwidth Monitor Alert is disabled upon installation.
Note: Bandwidth monitoring is a licenced feature of Advanced Firewall, and may not be installed on
your system. For more information about bandwidth monitoring, refer to your Smoothwall
representative.
To enable the Bandwidth Monitor, configure the following:
•
Incoming — Select this to enable incoming bandwidth monitoring
•
Outgoing — Select this to enable outgoing bandwidth monitoring
Note: Each alert you configure can only monitor traffic in a single direction. However, you can
configure multiple Bandwidth Monitor alerts to enable you to monitor all traffic.
•
Traffic for — From the drop-down list, select to monitor the bandwidth used for:

Total — For all interfaces configured on your Advanced Firewall

Any IP — Any IP address using Advanced Firewall

Single application — A single, specified application.
An additional drop-down list will appear for you to specify the application.

Single application group — A single, specified application group.
An additional drop-down list will appear for you to specify the application group.
•
Time period — From the drop-down list, select the required time period to monitor bandwidth
for
•
MB — The maximum amount of data usage, in megabytes, permitted before the alert is
triggered.
•
kbps — The average data transfer rate, in kilobits per second, permitted before the alert is
triggered.
Note: Advanced Firewall will calculate the bandwidth used to two decimal places.
Configuring the Intrusion System Monitor
The Intrusion System Monitor is pre-defined upon installation.
Adjust the alert parameters as follows:
•
Priority — From the drop-down list, select the appropriate priority level for this alert.
Configuring the Global Proxy Alert
The Global Proxy alert comes pre-defined upon installation.
Adjust the alert parameters as follows:
•
Monitor for incorrect certificates — Select this to disable alerting when a client fails to present
the correct certificate.
This is either due to the client having the wrong certificate, or due to unauthorized access.
•
Monitor for DoS attempts — Select this to disable alerting when a client, with a valid certificate,
repeatedly attempts a connection. Repeated connections from a client are assumed to be a
Denial of Service (DoS) attempt.
Enabling Instantaneous Alerts
By default, Advanced Firewall queues alerts in two minute intervals, and then distributes a merged
notification of all alerts.
Advanced Firewall can be configured to process instantaneous alerts as soon as they are triggered.
You can choose to have them delivered via SMS or email.
To enable instantaneous alerts, do the following:
1.
From your Advanced Firewall system, browse to Logs and reports > Alerts > Alerts.
2.
Configure the following settings:

From the Groups panel, select the group of recipients from the Group name drop down
list. For a detailed description of how to configure groups, see Configuring Alert and Report
Groups on page 129.

From the Alert options panel, select Enable instantaneous alerts.
3.
For each alert you want to send, select the delivery method: SMS or email.
4.
Click Save.
Looking up Previous Alerts by Reference
You can also look up the content of a status that has been sent. This can be for instantaneous as
well as standard alerts.
To view the content of an alert that has already been sent, do the following:
1.
From the Lookup alert details panel, enter the alert’s unique ID into the Alert ID field.
2.
Click Show.
The content of the alert will be displayed in the Alert details panel at the top.
About Advanced Firewall’s Realtime Viewer
Advanced Firewall’s Realtime viewer provides live information about your system.
Realtime System Information
The System page is a realtime version of the system log viewer with some filtering options.
To access the System page:
1.
Browse to the Logs and reports > Realtime > System page.
By default, all information in the system log is displayed and updated automatically approximately
every second.
To display information on specific components:
1.
From the Section drop-down list, select the component and click Update. If there is information
on the component available in the system log, it is displayed in the Details area.
Realtime Firewall Information
The Firewall page is a realtime version of the firewall log viewer with some filtering options. All entries
in the firewall log are from packets that have been blocked by Advanced Firewall.
To access the page:
1.
Browse to Logs and reports > Realtime > Firewall page.
By default, information is displayed and updated automatically approximately every second.
To display information on specific sources and destinations:
1.
Enter a complete or partial IP address and/or port number in the fields and click Update.
Realtime IPsec Information
The IPSec page is a realtime version of the IPSec log viewer with some filtering options.
To access the IPSec page:
1.
Browse to Logs and reports > Realtime > IPSec page.
By default, all information in the log is displayed and updated automatically approximately every
second.
To display information on a specific tunnel:
1.
Configure the following settings:
Setting: Connection
Description: From the drop-down list, select the tunnel.
Setting: Show only lines connecting
Description: Enter the text you are looking for.
2.
Click Update. If there is information available in the system log, it is displayed in the Details area.
Realtime Portal Information
The Portal page displays realtime information on users accessing Advanced Firewall portals.
To access the portal page:
1.
Browse to Logs and reports > Realtime > Portal page.
For more information on portals, see Chapter 3, Working with Portals on page 26.
Realtime Instant Messaging
The IM proxy page is a realtime version of the IM proxy log viewer with some filtering options.
To view IM conversations:
1.
Browse to Logs and reports > Realtime > IM proxy page.
The page displays a view of ongoing conversations for each of the monitored protocols and
displays a selected conversation as it progresses.
Note: As most IM clients communicate with a central server, local conversations are likely to be
displayed twice as users are recognized as both local and remote.
Active conversations which have had content added to them within the last minute are displayed in
bold text in the left pane. If nothing has been said for more than a minute, the remote username will
be displayed in the normal style font.
The local username is denoted in blue, the remote username is denoted in green.
You can use the following settings to manage how the conversation is displayed.
2. In the Username or IP address field, enter the username or IP address. If there is information
available in the web filter log, it is automatically displayed in the Details area.
3. To show lines containing specific text, in the Show only lines containing field, enter the text. If
the text is found, it is automatically displayed in the Details area.
Realtime Traffic Graphs
The Traffic graphs page displays a realtime graph of the bandwidth in bits per second being used by
the currently selected interface.
To access the traffic graphs page:
1. Browse to Logs and reports > Realtime > Traffic graphs page.
The Interfaces area displays a list of the active interfaces on Advanced Firewall. Clicking on an
interface displays its current traffic.
Top 10 Incoming displays the 10 IP addresses which are using the greatest amount of incoming
bandwidth.
Top 10 Outgoing displays the 10 IP addresses which are using the greatest amount of outgoing
bandwidth.
About Advanced Firewall’s Log Files
The log pages display system, firewall, IPsec, intrusion system, email and proxy information.
System Logs
The system logs contain simple logging and management information.
To access system logs:
1. Browse to the Logs and reports > Logs > System page.
The following filter criteria controls are available in the Settings area:
Control – Description
Section – Used to select which system log is displayed. The following options are available:
  Authentication service – Log messages from the authentication system, including service status messages and user authentication audit trail.
  IM Proxy – Log messages from the instant messaging proxy service.
  Kernel – Log messages from the core Advanced Firewall operating system.
  Message censor – Displays information from the message censor logs.
  NTP – Log messages from the network time system.
  SystemD – Log messages from the system super server.
  SSH – Log messages from the SSH system.
  System – Displays server log information.
  Monitor – Displays monitoring system information including service status and alert/report distribution audit trail.
  System – Simple system log messages, including startup, shutdown, reboot and service status messages.
  UPS – Log messages from the UPS system, including service status messages.
  Update transcript – Displays information on update history.
  VIPRE engine – Displays information on the anti-malware engine.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.
Export format – Logs can be exported in the following formats:
  Comma Separated Values – The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Raw Format – The information is exported without formatting.
  Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
To view specific information:
1. Select the filtering criteria using the Settings area and click Update.
A single column is displayed containing the time of the event(s) and descriptive messages.
Firewall Logs
The firewall logs contain information on network traffic.
To view the firewall logs:
1. Browse to the Logs and reports > Logs > Firewall page.
Filtering Firewall Logs
The following filter criteria controls are available in the Settings area:
Control – Description
Section – Used to select which firewall log is displayed. The content of each section is discussed below.
Month – Used to select the month that log entries are displayed for.
Day – Used to select the day that log entries are displayed for.
Compression – Used to ghost repeated sequential log entries for improved log viewing.
Source – Enter an IP address and click Update to display log entries for that source address.
Src port – This drop-down list is populated with a list of all source ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Destination – Enter an IP address and click Update to display log entries for that destination address.
Dst port – This drop-down list is populated with a list of all destination ports contained in the firewall log. Select a port and click Update to display log entries for that port.
Export format – Logs can be exported in the following formats:
  Comma Separated Values – The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Raw Format – The information is exported without formatting.
  Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
The sections that can be viewed are as follows:
Section – Description
Main – All rejected data packets.
Incoming audit – All traffic to all interfaces that is destined for the firewall – if Direct incoming traffic is enabled on the Networking > advanced page.
Forward audit – All traffic passing through one interface to another – if Forwarded traffic is enabled on the Networking > Settings > Advanced page.
Outgoing audit – All traffic leaving from any interface – if Direct outgoing traffic is enabled on the Networking > Settings > Advanced page.
Port forwards – All data packets from the external network that were forwarded by a port forward rule – if port forward logging is enabled on the Networking > Firewall > Port forwarding page.
Outgoing - rejects – All data packets from the internal network zones that were rejected by an outbound access rule.
Outgoing - stealth – All data packets from the internal network zones that were logged but not rejected by an outbound access rule.
Viewing Firewall Logs
To view firewall logs, select the appropriate filtering criteria using the Settings area and click Update.
The following columns are displayed:
Column – Description
Time – The time that the firewall event occurred.
In – The interface at which the data packet arrived.
Out – The interface at which the data packet left.
Protocol – The network protocol used by the data packet.
Source – The IP address of the data packet's sender.
Src Port – The outbound port number used by the data packet.
Destination – The IP address of the data packet's intended destination.
Dst port – The inbound port number used by the data packet.
Looking up a Source IP – whois
The firewall log viewer can be used to find out more information about a selected source or
destination IP by using the whois tool.
To use whois:
1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select a particular source or destination IP in the Source and Destination columns.
3. Click Lookup. A lookup is performed and the result displayed on the System > Diagnostics
> whois page.
Blocking a Source IP
The firewall log viewer can be used to add a selected source or destination IP to the IP block list.
To block a source IP:
1. Navigate to the Logs and reports > Logs > Firewall page.
2. Select one or more source or destination IPs.
3. Click Add to IP block list.
The selected source and destination IPs will be automatically added to the IP block list which you
can review on the Networking > Filtering > IP block page. See Blocking by IP on page 65 for more
information.
IPSec Logs
IPSec logs show IPSec VPN information.
To access the logs:
1. Browse to Logs and reports > Logs > IPSec.
2. Choose the tunnel you are interested in by using the Tunnel name control.
3. To view the logs for all of the tunnels at once, choose ALL as the tunnel name.
4. After making a change, click Update.
Exporting Logs
To export and download all log entries generated by the current settings, click Export.
Exporting all dates
To export and download all log entries generated by the current settings, for all dates available, select
Export all dates, and click Export.
Viewing and Sorting Log Entries
The following columns are displayed in the Web log region:
Column – Description
Time – The time the tunnel activity occurred.
Name – The name of the tunnel concerned.
Description – Log entries generated by the VPN system.
Log entries are displayed over a manageable number of pages. To view a particular page, click its
Page number hyperlink displayed above or below the log entries. The adjacent << (First), < (Previous),
> (Next) and >> (Last) hyperlinks provide an alternative means of moving between pages.
To sort the log entries in ascending or descending order on a particular column, click its Column title
hyperlink. Clicking the currently selected column reverses the sort direction.
Email Logs
Email logs provide detailed, configurable and searchable information on email activity regarding time,
sender, recipient, subject and spam status.
Configuring Email Logs
To access and configure email logs:
1. Navigate to the Logs and reports > Logs > Email page. Advanced Firewall displays the
currently configured log entries.
2. Click Advanced. The following options are displayed:
Option – Description
Sender – Select to display who sent the email message(s).
Recipient – Select to display who the email message(s) are for.
Subject – Select to display the subject line of the email message(s).
Spam – Select to display information on message(s) that have been classified as spam.
3. Select the options you want to display. Advanced Firewall updates what is displayed.
Monitoring Email Log Activity in Realtime
It is possible to monitor email log activity in realtime.
To monitor email log activity in realtime:
1. On the Logs and reports > Logs > Email page, click Realtime. Advanced Firewall displays
the currently configured log options in realtime in a table of log entries and in the email graph.
The results are updated automatically.
Tip: To get a closer look at what is happening at a specific time, locate and click on that time in the
graph. Advanced Firewall stops the realtime display and shows what has been logged at the time
you clicked on.
2. To stop realtime monitoring, click Realtime. Advanced Firewall stops displaying realtime data.
Searching for/Filtering Email Log Information
Advanced Firewall enables you to search for/filter information in a number of ways.
To search for/filter information:
1. On the Logs and reports > Logs > Email page, use one or more of the following methods:
Method – Description
Graph – On the graph, locate and click on the time you are interested in. Advanced Firewall displays what was logged at the time you clicked on.
Time – Click in the date and time picker and specify when to search from. Click Apply. Advanced Firewall displays the results from the time specified and two hours forward.
Free search term – In the Sender, Recipient, Subject and/or Spam column(s), enter one or more search terms. Advanced Firewall displays the search results.
Exporting Email Data
It is possible to export logged data in comma-separated (CSV) format.
To export data:
1. On the Logs and reports > Logs > Email page, configure or search for the data you want
to export. For more information, see Configuring Email Logs on page 114 and Searching for/
Filtering Email Log Information on page 115.
2. Click Export. Follow your browser’s prompts to save and export the data.
IDS Logs
The IDS logs contain details of suspicious network activity detected by Advanced Firewall’s intrusion
detection system (IDS).
To view the IDS logs:
1. Navigate to the Logs and reports > Logs > IDS page.
Advanced Firewall displays the results.
Option – Select to:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
  Comma Separated Values – The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Raw Format – The information is exported without formatting.
  Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
Exporting Logs
To export logs:
1. Filter the logs to show the information you want to export.
2. Select the export format and if you want to export all dates.
3. Click Export. To save the exported log, use the browser's File, Save As option.
IPS Logs
The IPS logs contain details of suspicious network activity prevented by Advanced Firewall’s intrusion
prevention system (IPS).
To view the IPS logs:
1. Navigate to the Logs and reports > Logs > IPS page.
Advanced Firewall displays the results.
Option – Select to:
Month – Specify which month you wish to view logs for.
Day – Specify which day you wish to view logs for.
Export format – Logs can be exported in the following formats:
  Comma Separated Values – The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Raw Format – The information is exported without formatting.
  Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
IM Proxy Logs
The IM proxy log page displays a searchable log of instant messaging conversations and file
transfers.
To view the IM proxy logs:
1. Browse to Logs and reports > Logs > IM proxy page.
The following settings are available:
Setting – Description
Local user filter – Enter the name of a local user whose logged conversations you want to view.
Enable local user filter – Select to display conversations associated with the local user name entered.
Remote user filter – Enter the name of a remote user whose logged conversations you want to view.
Enable remote user filter – Select to display conversations associated with the remote user name entered.
Enable smilies – Select to display smilies in the conversation.
Enable links – Select to make links in the conversation clickable.
Search – Here you can enter a specific piece of text you want to search for.
Conversations – Enables you to browse conversations by instant messaging protocol, user ID and date.
Web Proxy Logs
The proxy logs contain detailed information on all Internet access made via the web proxy service. It
is possible to filter the proxy logs using any combination of requesting source IP, and requested
resource type and domain.
To view the web proxy logs:
1. Browse to Logs and reports > Logs > Web proxy page.
Reverse Proxy Logs
The reverse proxy logs contain time, source IP and web site information about requests made using
the reverse proxy service.
To view reverse proxy logs:
1. Browse to the Logs and reports > Logs > Reverse proxy page.
Filtering Reverse Proxy Logs
The following filter criteria controls are available in the Settings area:
Control – Description
Month – Used to choose the month that proxy logs are displayed for.
Day – Used to choose the day that proxy logs are displayed for.
Year – Used to choose the year that proxy logs are displayed for.
Ignore filter – Used to enter a regular expression that excludes matching log entries. The default value excludes common log entries for image, JavaScript, CSS style and other file requests.
Enable ignore filter – Select to enable the filter.
Domain filter – Used to display log entries recorded against a particular domain. Matching will occur on the start of the domain part of the URL. For example, www.abc will match www.abc.com and www.abc.net but not match abc.net. It is possible to include regular expressions within the filter – for example (www.)?abc.com will match both abc.com and www.abc.com.
Enable domain filter – Select to enable the filter.
Export format – Logs can be exported in the following formats:
  Comma Separated Values – The information is exported in comma separated text format.
  Microsoft (tm) Excel (.xls) – The information is exported in Microsoft Excel format. You will need an Excel-compatible spreadsheet application to view these reports.
  Raw Format – The information is exported without formatting.
  Tab Separated Value – The information is exported separated by tabs.
Export all dates – Exports the currently displayed log for all available dates.
Note: When running SSL VPNs in TCP mode, the reverse proxy access logs generated for HTTPS
requests will contain a source address of 127.0.0.1. This is because OpenVPN has to proxy the
HTTPS traffic. Therefore, from Advanced Firewall’s point of view, the traffic is originating from
localhost.
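An added example, not part of the product, that models the Domain filter and Ignore filter with Python's re module to show which log entries a pattern actually selects. It assumes the domain filter behaves like a regular expression anchored only at the start of the host name and that the ignore filter is searched against the whole URL; the log rows and the ignore pattern are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed reverse proxy log rows: (time, source IP, requested URL).
SAMPLE_LOG = [
    ("10:00:01", "192.0.2.10", "http://www.abc.com/index.html"),
    ("10:00:01", "192.0.2.10", "http://www.abc.com/logo.png"),
    ("10:00:02", "192.0.2.11", "http://abc.com/login"),
    ("10:00:03", "192.0.2.12", "http://www.abc.net/"),
    ("10:00:04", "192.0.2.13", "http://abc.net/"),
    ("10:00:05", "127.0.0.1", "https://abc.com.example.org/portal"),
    ("10:00:06", "192.0.2.14", "http://abcxcom.example.org/"),
]

# Constructed stand-in for an ignore filter; the product's default value
# is not given in the guide.
IGNORE_EXAMPLE = r"\.(png|gif|jpe?g|js|css)$"


def filter_log(rows, domain_pattern=None, ignore_pattern=None):
    """Return the URLs that would remain visible with the given filters."""
    dom = re.compile(domain_pattern) if domain_pattern else None
    ign = re.compile(ignore_pattern) if ignore_pattern else None
    shown = []
    for _time, _source, url in rows:
        host = urlsplit(url).hostname or ""
        if ign and ign.search(url):
            continue                      # ignore filter hides the entry
        if dom and not dom.match(host):   # match() anchors at the start only
            continue                      # domain filter hides the entry
        shown.append(url)
    return shown


if __name__ == "__main__":
    for pattern in ("www.abc", "(www.)?abc.com", r"(www\.)?abc\.com$"):
        print(pattern)
        for url in filter_log(SAMPLE_LOG, pattern, IGNORE_EXAMPLE):
            print("   ", url)
```

Because the dots are unescaped and nothing anchors the end, (www.)?abc.com also shows hosts such as abc.com.example.org and abcxcom.example.org. Escaping the dots and adding an end anchor, if the filter's regular expression dialect accepts them, narrows the view to the intended domain.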
Viewing Reverse Proxy Logs
To view proxy logs:
1. Select the appropriate filtering criteria using the Settings area and click Update. Proxy logs are
displayed in the Proxy log area. The following columns are displayed:
Column – Description
Time – The time the web request was made.
Source IP – The source IP address the web request originated from.
Website – The URL of the requested web resource.
User Portal Logs
The User portal log page displays information on users who have accessed user portals.
To view user portal log activity:
1. Browse to the Logs and reports > Logs > User portal page.
Advanced Firewall displays the information.
Configuring Log Settings
Advanced Firewall can send syslogs to an external syslog server, automatically delete log files when
disk space is low and set the maximum log file retention settings.
To configure logging settings:
1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Syslog logging area, select the logging you require.
3. To enable and configure remote logging, configure the following settings:
Setting – Description
Remote syslog – To send logs to an external syslog server, select this setting.
Syslog server – If you have selected the Remote syslog option, enter the IP address of the remote syslog server.
Default retention – To set default log retention for all of the logs listed above, select one of the following settings:
• 1 Day – Rotate the log file daily and keep the last day.
• 2 Days – Rotate the log file daily and keep the last 2 days.
• A week – Rotate the log file weekly and keep the last week.
• 2 weeks – Rotate the log file weekly and keep the last 2 weeks.
• A month – Rotate the log file monthly and keep the last month.
• 2 months – Rotate the log file monthly and keep the last 2 months.
• Three months – Rotate the log file monthly and keep the last 3 months.
• Four months – Rotate the log file monthly and keep the last 4 months.
• Five months – Rotate the log file monthly and keep the last 5 months.
• Six months – Rotate the log file monthly and keep the last 6 months.
• Seven months – Rotate the log file monthly and keep the last 7 months.
• Eight months – Rotate the log file monthly and keep the last 8 months.
• Nine months – Rotate the log file monthly and keep the last 9 months.
• Ten months – Rotate the log file monthly and keep the last 10 months.
• Eleven months – Rotate the log file monthly and keep the last 11 months.
• A year – Rotate the log file monthly and keep the last 12 months.
4. Optionally, to set an individual retention period for specific logs, click Advanced and configure
the settings displayed.
5. Click Save. Advanced Firewall will log and retain the information you have specified and, if
configured, send logs to the remote syslog server.
Configuring Other Log Settings
Advanced Firewall enables you to configure retention settings for other logs.
To configure other logs:
1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Other logging area, configure the following settings:
Setting – Description
Default retention – To set default log retention for all of the logs listed in the table below, select one of the following settings:
• 1 Day – Rotate the log file daily and keep the last day.
• 2 Days – Rotate the log file daily and keep the last 2 days.
• A week – Rotate the log file weekly and keep the last week.
• 2 weeks – Rotate the log file weekly and keep the last 2 weeks.
• A month – Rotate the log file monthly and keep the last month.
• 2 months – Rotate the log file monthly and keep the last 2 months.
• Three months – Rotate the log file monthly and keep the last 3 months.
• Four months – Rotate the log file monthly and keep the last 4 months.
• Five months – Rotate the log file monthly and keep the last 5 months.
• Six months – Rotate the log file monthly and keep the last 6 months.
• Seven months – Rotate the log file monthly and keep the last 7 months.
• Eight months – Rotate the log file monthly and keep the last 8 months.
• Nine months – Rotate the log file monthly and keep the last 9 months.
• Ten months – Rotate the log file monthly and keep the last 10 months.
• Eleven months – Rotate the log file monthly and keep the last 11 months.
• A year – Rotate the log file monthly and keep the last 12 months.
3. Click Advanced to see what other logs are available and to determine if you want to set
individual log retention settings.
Setting – Description
Default retention – From the drop-down menu, select the default retention period you want to use for advanced logging settings. To set individual retention periods, configure the settings below.
Intrusion detection logs – From the drop-down menu, select how long you want to keep intrusion detection logs.
Intrusion prevention logs – From the drop-down menu, select how long you want to keep intrusion prevention logs.
IM logs – From the drop-down menu, select how long you want to keep instant messaging logs.
4. Click Save. Advanced Firewall will now retain the logs as you have specified.
Managing Log Retention
The Datastore settings page uses a pie chart to display current disk usage by Advanced Firewall
logs. The Objects seen will depend on the modules installed.
You can configure the length of time Advanced Firewall retains logs for use in reporting and network
troubleshooting.
To manage log retention, do the following:
1. Browse to Logs and reports > Settings > Datastore settings.
2. Using the slider in the Retention settings panel, specify the minimum and maximum number
of months Advanced Firewall should retain log files, where:
• The minimum number of months possible is 0.
If a log file is older than the minimum retention period specified, it may be deleted if storage
space starts to run out.
• The maximum number of months possible is infinite.
If a log file is older than the maximum retention period specified, it will be deleted.
For example, if the minimum retention period is set to 3 months and the maximum retention
period is set to 6 months, Advanced Firewall will always keep log files for 3 months and, if there
is available storage space, will keep them for 6 months.
Note: If, because of a lack of disk space, the minimum log retention is not possible, Advanced
Firewall will stop working and display a warning.
3. Click Save changes.
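The minimum and maximum retention rules described above, worked through as an added example (not Smoothwall's implementation). The free-space threshold, the oldest-first deletion order and the file names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogFile:
    name: str          # hypothetical file name
    age_months: float
    size_mb: int


def plan_deletion(files, min_months, max_months, free_mb, needed_free_mb):
    """Return (names_to_delete, minimum_retention_ok).

    max_months=None models the slider's "infinite" maximum.
    minimum_retention_ok is False when enough space cannot be freed without
    touching files inside the minimum period, the case in which the guide
    says Advanced Firewall stops working and displays a warning.
    """
    delete = []
    optional = []
    for f in files:
        if max_months is not None and f.age_months > max_months:
            delete.append(f)        # past the maximum: always deleted
            free_mb += f.size_mb
        elif f.age_months > min_months:
            optional.append(f)      # past the minimum: deleted only if needed
        # otherwise the file is inside the minimum period and is never deleted

    # Assumption: under disk pressure the oldest optional files go first.
    for f in sorted(optional, key=lambda f: f.age_months, reverse=True):
        if free_mb >= needed_free_mb:
            break
        delete.append(f)
        free_mb += f.size_mb

    return [f.name for f in delete], free_mb >= needed_free_mb


# Constructed sample data.
FILES = [
    LogFile("firewall-7m", 7, 100),
    LogFile("proxy-5m", 5, 200),
    LogFile("ids-4m", 4, 150),
    LogFile("firewall-2m", 2, 300),
    LogFile("proxy-1m", 1, 250),
]

if __name__ == "__main__":
    # The guide's example: minimum 3 months, maximum 6 months.
    print(plan_deletion(FILES, 3, 6, free_mb=50, needed_free_mb=300))
    print(plan_deletion(FILES, 3, 6, free_mb=50, needed_free_mb=1000))
```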
Managing Automatic Deletion of Logs
Advanced Firewall can be set to automatically delete log files if there is a limited amount of free disk
space available.
To configure automatic log deletion:
1. Browse to the Logs and reports > Logs > Log settings page.
2. In the Automatic log deletion area, configure the settings:
Setting – Description
Delete old logs when free space is low – Select to automatically delete logs when the specified amount of disk space has been used.
Amount of disk space to use for logging – From the drop-down list, select the level at which Advanced Firewall will delete logs.
3. Click Save. Advanced Firewall will delete the logs when the specified amount of disk space has
been used.
Configuring Report and Alert Output Settings
Reports and alerts are distributed according to Advanced Firewall’s output settings. In order to send
reports and alerts, Advanced Firewall must be configured to operate with mail servers and
email-to-SMS gateway systems.
About Email-to-SMS Output
Advanced Firewall generates SMS alerts by sending emails to a designated email-to-SMS gateway.
When an email-to-SMS gateway receives an email, it extracts the information it needs and composes
an SMS message which is then sent.
A wide variety of different email-to-SMS gateway services are available. However, each has its own
definition of the format that an email should arrive in. While there are a few conventions, typically the
destination SMS number is placed in the email's subject line. It is necessary to configure Advanced
Firewall so that it can format email messages in the format specified by your email-to-SMS gateway
service provider.
About Placeholder Tags
To allow easy configuration of message formats for different service providers, Advanced Firewall
uses placeholder tags that can be incorporated into an email template. The placeholder tags
available are as follows:
Placeholder – Description
%%ALERT%% – The content of the alert message.
%%SMS%% – The recipient SMS number.
%%EMAIL%% – The recipient's email address.
%%HOSTNAME%% – The hostname of the Advanced Firewall system (useful when using multiple firewall systems).
%%DESCRIPTION%% – The description of the Advanced Firewall system (useful when using multiple firewall systems).
%%--%% – A special placeholder that indicates that all text following it should be truncated to 160 characters. This requires truncation to be enabled (indicated by the Truncate SMS messages to 160 characters option).
For example, if an email-to-SMS gateway requires emails to be sent to:
<telephone number>@sampleSMS.com
the following configuration would provide this:
%%SMS%%@sampleSMS.com
If the content of the message should be entered in the email message body, the following
configuration would provide this: %%ALERT%%
Networks with multiple Advanced Firewall systems may wish to include details of the system that the
alert was generated by. The following examples would provide this:
%%ALERT%% - From: %%HOSTNAME%%
%%ALERT%% - From: %%HOSTNAME%% (%%DESCRIPTION%%)
%%ALERT%% - From: %%DESCRIPTION%%
%%ALERT%% -%%HOSTNAME%%
%%ALERT%% :%%DESCRIPTION%% (%%HOSTNAME%%)
About Truncating Messages
Some email-to-SMS gateways cannot process messages whose content is longer than 160
characters. Advanced Firewall can be configured to truncate messages – in this mode, all characters
past position 155 are removed and the text: .. + is appended to the message to indicate that
truncation has occurred.
A further complication is caused by email-to-SMS gateways that require parameters such as
usernames and passwords to be set within the email's message body. In situations where truncation
is enabled, such additional (yet required) parameter text may force truncation of the actual alert. To
compensate for this, insert the special %%--%% placeholder at the start of the actual message
content, so that any truncation is only applied to the actual alert content.
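The placeholder and truncation rules above, worked through as an added example (not Smoothwall's code). It assumes tags are expanded in a single pass, that %%--%% itself is removed from the output, and that truncated text is cut to 155 characters plus the ".. +" marker; the gateway parameters and alert text are constructed.

```python
import re

SMS_LIMIT = 160   # longest content the gateway accepts, per the guide
KEEP = 155        # characters kept when truncating
MARKER = ".. +"   # text appended to show that truncation occurred
CUT = "%%--%%"    # placeholder marking where truncation starts


def truncate(text):
    """Cut text longer than 160 characters to 155 and append the marker."""
    if len(text) <= SMS_LIMIT:
        return text
    return text[:KEEP] + MARKER


def expand(text, values):
    """Replace %%NAME%% tags in one pass; unknown tags are left as written.

    A single pass means tag-like text inside a value (for example inside
    the alert itself) is not expanded a second time.
    """
    return re.sub(r"%%([A-Z]+)%%",
                  lambda m: values.get(m.group(1), m.group(0)), text)


def render(template, values, truncate_enabled):
    """Build one field (To address, subject or body) from a template."""
    head, marker, tail = template.partition(CUT)
    if not marker:
        # No %%--%%: truncation, if enabled, applies to the whole field.
        body = expand(template, values)
        return truncate(body) if truncate_enabled else body
    # With %%--%%: text before it is kept whole, only the rest is truncated.
    head, tail = expand(head, values), expand(tail, values)
    return head + (truncate(tail) if truncate_enabled else tail)


def demo():
    # Constructed values; the gateway parameters are hypothetical.
    values = {"SMS": "15550100", "HOSTNAME": "fw1",
              "ALERT": "Interface eth1 down. " * 12}
    params = "user=demo;key=constructed;"
    body = "%%ALERT%% - From: %%HOSTNAME%%"
    return {
        "to": render("%%SMS%%@sampleSMS.com", values, True),
        "no_marker": render(params + body, values, True),
        "with_marker": render(params + CUT + body, values, True),
    }


if __name__ == "__main__":
    for field, text in demo().items():
        print(f"{field:12} {len(text):4} {text}")
```

Without %%--%% the gateway parameters count against the limit and the alert loses that many extra characters; with it the parameters are kept whole and only the alert text is cut.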
Configuring Email to SMS Output
To configure Advanced Firewall's SMS settings, do the following:
1. Browse to Logs and reports > Settings > Output settings.
2. Configure the following settings:
• SMTP server — Enter the hostname, or IP address of the SMTP server to be used by
Advanced Firewall.
• Sender’s email address — Enter the sender's email address.
This is typically a valid email address reserved and frequently checked for IT administration
purposes. This might also be an email address that is registered with your email-to-SMS
gateway provider.
• SMS to address — Specify the formatting of the email's To: address according to the
format required by your service provider.
This may be a regular email address, or it may require additional placeholders, such as
%%SMS%%, to identify the destination of the SMS.
• Truncate SMS messages to 160 characters — Select if you want the contents of the
SMS message body to be truncated to 160 characters, or if your email-to-SMS gateway
service provider instructs you to do so.
• Enable SMTP auth — Select to use SMTP auth if required.
• Username — If using SMTP auth, enter the username.
• Password — If using SMTP auth, enter the password.
• SMS subject line — Enter the subject line of the SMS email as specified by your
email-to-SMS service provider.
This will often contain the %%SMS%% placeholder, as many email-to-SMS gateways use the
subject line for this purpose.
• SMS message body — Enter additional placeholders and the content of the alert message.
If the truncation is required from a particular point onwards, use the %%--%% placeholder to
indicate its start position.
3. Click Save.
Testing Email to SMS Output
To test the output system, do the following:
1. In the Send test to field, enter the cell phone number of the person who is to receive the test.
2. Click Send test.
Configuring Output to Email
To configure Advanced Firewall’s email settings, do the following:
1. Browse to Logs and reports > Settings > Output settings.
2. Configure the following settings:
• SMTP server — Enter the hostname, or IP address of the SMTP server to be used by
Advanced Firewall.
• Sender’s email address — Enter the sender's email address.
This is typically a valid email address reserved and frequently checked for IT administration
purposes. This might also be an email address that is registered with your email gateway
provider.
• Enable SMTP auth — Select to use SMTP auth if required.
• Username — If using SMTP auth, enter the username.
• Password — If using SMTP auth, enter the password.
3. Click Save.
Generating a Test Alert
To generate a test alert, do the following:
1. Configure Email to SMS output and, or, SMTP (Email) output.
2. Click Generate test alert.
Configuring Alert and Report Groups
You can configure Advanced Firewall to email scheduled reports to users, or groups of users. Alerts
can also be sent via email, or SMS.
Creating Groups
To be able to use the email and SMS feature, you must configure user groups, and the group
members who will receive alerts and reports.
To create a group of users, do the following:
1. Browse to the Logs and reports > Settings > Groups page.
2. Configure the following settings:
• Group name — From the Group name drop-down list, select Empty and click Select.
• Name — Enter a name for the group.
3. Click Save.
   Advanced Firewall creates the group.
4. In the Add user panel, configure the following settings:
• Name — Enter the user’s name
• Email address — If required, enter the user’s email address
• SMS number — If required, enter the user’s SMS number
• Enable HTML Email — Select this to send emailed reports in HTML format
• Comment — Enter an optional description
• Enabled — Select this to enable alerts and, or, reports to be sent to this user.
5. Click Add.
   The user's details will be added to the list of current users in the Current users panel.
6. You can test the configured details by selecting either Email to SMS Output System or SMTP
   (Email) Output System from the drop-down list at the bottom. Click Send test.
For a detailed description of how to set up Advanced Firewall to send email and SMS, see
Configuring Report and Alert Output Settings on page 125.
Editing a Group
You can either edit the group name, or add or remove group members.
To edit a group, do the following:
1. Browse to the Logs and reports > Settings > Groups page.
2. Choose the group that you wish to edit from the Group name drop-down list.
3. Click Select to display the group.
4. Make any changes to the group using the controls in the Add a user and Current users
   panels. For more information about using these panels, see Creating Groups on page 129.
Deleting a Group
Note: Deleting a group will also delete all group members.
To delete a group, do the following:
1. Browse to the Logs and reports > Settings > Groups page.
2. Select the group to be deleted using the Group name drop-down list.
3. Click Delete.
6 Managing Your Advanced Firewall
This chapter describes how to maintain your Advanced Firewall, including:
• Installing Updates
• Licenses
• Archives
• Scheduling
• Rebooting and Shutting Down
• Setting System Preferences
• Configuring Administration and Access Settings
• Managing Tenants
• Hardware
• Managing Hardware Failover
• Configuring Modems
• Installing and Uploading Firmware
• Using Advanced Firewall’s Diagnostic Tools
• Managing CA Certificates
Installing Updates
Administrators should use Advanced Firewall's update facility whenever a new update is released.
Updates are typically released in response to evolving or theoretical security threats as they are
discovered. System updates may also include general product enhancements as part of
Smoothwall’s commitment to continuous product improvement.
Advanced Firewall must be connected to the Internet in order to discover, download and install
system updates.
Smoothwall’s support systems are directly integrated with Advanced Firewall’s system update
procedure, allowing the Smoothwall support department to track the status of your system.
Installing Updates
The following section explains how to install updates.
Note: If Advanced Firewall is configured for failover, see Installing Updates on a Failover System on
page 133 for information on how to proceed.
To install updates:
1. Navigate to the System > Maintenance > Updates page.
2. Configure the following settings:
• Refresh update list – Click to get a list of available updates. Any updates available will be
  listed in the Available updates area.
• Download updates – Click to download all available updates. Once downloaded, the updates
  are listed in the Pending updates area.
• Clear download cache – Click to clear any downloaded updates stored in the cache.
• Install updates – Click to install all updates in the Pending updates area immediately.
• Install at this time – Enter the time at which you want to install the updates if you do not want
  to install them immediately and click Install at this time.
3. If the update requires a reboot, reboot the system on the System > Maintenance >
   Shutdown page.
Installing Updates on a Failover System
The following section explains how to install updates on a failover system. Following these steps
ensures the correct application of all pending updates and also performs a failover test between the
master and the failover unit.
To install updates on a failover system:
1. On the master’s System > Maintenance > Updates page, download the updates.
2. Wait until the updates have been transferred to the failover unit. This should happen within 5
   minutes.
3. Go to the failover unit’s web interface and install the pending updates. Once they have been
   installed, the failover unit displays information on the update and prompts for a reboot.
4. On the System > Maintenance > Shutdown page, reboot the failover unit.
5. When the failover unit is up and running again, install the updates on the master and reboot.
During master downtime, the failover unit is active and remains so until the master is live again.
Managing Modules
Advanced Firewall's major system components are separated into individually installed modules.
Modules can be added to extend Advanced Firewall’s capabilities, or removed in order to simplify
administration and reduce the theoretical risk of as-yet-undiscovered security threats.
Note: Modules must be registered against your Advanced Firewall serial number before they can be
installed and used. For further information, please consult your Smoothwall partner or, if purchased
directly, Smoothwall.
Advanced Firewall must be connected to the Internet in order to install modules.
To install a module:
1. Navigate to the System > Maintenance > Modules page.
Note: The information displayed depends on the product series you are using.
2. In the Available modules area, locate the module and click Install.
Note: Some module installations require a full reboot of Advanced Firewall. Please read the module
description carefully prior to installation.
Removing a Module
To remove a module:
1. Navigate to the System > Maintenance > Modules page.
2. In the Installed modules area, locate the module and click Remove.
3. Reboot Advanced Firewall on the System > Maintenance > Shutdown page.
Licenses
Advanced Firewall contains information on licenses and subscriptions.
To view license information:
1. Navigate to the System > Maintenance > Licenses page.
Note: The information displayed depends on the Smoothwall product you are using.
Installing Licenses
You can buy additional licenses from Smoothwall or an approved Smoothwall partner. License
installation and activation is an automated process, initiated via a secure request to Smoothwall
licensing servers.
To install additional licenses:
1. Navigate to the System > Maintenance > Licenses page.
2. Click Refresh license list. This will cause the available license information to be updated via
   the Internet, and any new licenses will be installed.
Note: The Subscriptions area is used to manage blocklists used by add-on modules. For more
information, see the documentation delivered with your Smoothwall add-on module.
Archives
The Archives page is used to create and restore archives of system settings. Archives can be saved
on removable media and used when restoring an Advanced Firewall system. They can also be used
to create clones of existing systems.
Tip: Log on to our support portal and read how to set up a Windows SSH server with keys in order
to back up system settings.
Note: You can automatically schedule the creation of backup archives. For further information, see
Scheduling on page 137.
About Archive Profiles
You can assign a profile to an archive enabling you to specify which components you want backed
up in a particular archive.
You can create and assign up to 20 profiles and generate their archives automatically.
Profiles are also used to store settings for Smoothwall replication systems. For more information,
refer to the Advanced Firewall Administration Guide.
Creating an Archive
To create an archive:
1. Navigate to the System > Maintenance > Archives page.
2. Configure the following settings:
• Profile – To create a new profile, from the drop-down list, select Empty and click
  Select.
  To reuse or modify an existing profile, from the drop-down list select the
  profile and click Select.
• Profile name – Enter a name for the profile.
• Comment – Enter a description for the archive.
• Automatic backup – Select if you want to archive settings automatically.
• Settings – Settings available include general settings for Advanced Firewall and
  replicable settings which can be used in a Smoothwall system.
  Indicates that the setting can be replicated.
  Select the components you want to archive or select All to select and
  archive all settings.
  For more information about replication in Smoothwall systems, refer to
  the Advanced Firewall Administration Guide.
• Logs – Select the log files you want to archive or select All to select and archive
  all logs.
3. Click Save and backup to create the archive.
Downloading an Archive
To download an archive:
1. In the Archives area, select the archive.
2. Click Download and save the archive to disk using the browser's Save as dialog box.
Restoring an Archive
To restore an archive:
1. In the Archives area, select the archive.
2. Click Restore. The archive contents are displayed.
3. Select the components in the archive that you want to restore and click Restore.
Deleting Archives
To delete an archive:
1. In the Archives area, select the archive and click Delete.
Uploading an Archive
This is where you upload archived settings from previous versions of Advanced Firewall and
Smoothwall modules so that they can be re-used in the current version(s).
To upload an archive:
1. In the Upload area, enter the name of the archive and click Browse.
2. Navigate to and select the archive.
3. Click Upload to upload the archive.
Scheduling
You can configure Advanced Firewall to automatically discover and download system updates,
modules and license upgrades using the scheduler.
You can also use the scheduler to create and remotely archive automatic backups. Other system
modules can integrate with the scheduler to provide additional automated maintenance tasks.
To create a schedule of tasks:
1. Navigate to the System > Maintenance > Scheduler page.
2. Configure the following settings:
• Day – From the drop-down list, select the day of the week that the tasks will be
  executed.
• Hour – From the drop-down list, select the time of day at which the tasks will be
  executed.
• Check for new updates – Select to check for new system updates.
• Download updates – Select to download available updates.
• Check for new modules – Select to check for new modules.
• Check for license upgrades – Select to discover and install license upgrades.
• Prune archives – Options here enable you to schedule archive pruning if you require it.
  Select one of the following options:
  • Don’t prune – This is the default option, archives are never pruned.
  • Over a month – Select this option to prune archives that are older
    than one month.
  • Over 2 months – Select this option to prune archives that are older
    than two months.
  • Over 3 months – Select this option to prune archives that are older
    than three months.
3. Click Save.
Scheduling Remote Archiving
Scheduled remote archiving uses SSH keys to allow Advanced Firewall to securely copy files to a
remote SSH server without the need for passwords.
The use of SSH keys requires Advanced Firewall to generate a key pair which it will use to encrypt
all file transfers sent to the SSH server.
The SSH server must be configured to accept connections from Advanced Firewall in this manner –
it requires the public half of the key pair to be installed.
To schedule remote archiving:
1. Navigate to the System > Maintenance > Scheduler page.
2. In the Remote archive destinations area, click Export Public Backup Key.
3. Install the public key on the remote SSH server – for details on how to do this, please consult
   the administrator's guide of the SSH server in use.
4. In the Remote archive destinations area, enter the following information:
• Name – Enter a name to identify this destination.
• Username – Specify the user name of the account on the SSH server that will be used.
  For additional security it is recommended that this user has no additional
  privileges and is only allowed write access to the specified Remote path.
• Remote path – Enter the path where archives are to be stored on the remote SSH server,
  for example: /home/mypath/
  If left blank, Advanced Firewall uses the default home directory of the
  specified remote user.
• Server – Set the IP address of the SSH server.
• Port Number – Set the port number used to access the SSH server (normally port 22).
• Transfer Speed Limit – Specify the maximum transfer speed when automatic archiving occurs.
  This control is useful for preventing the automatic remote archiving
  system adversely affecting the performance of other network traffic.
• Comment – Enter a description of the destination.
5. Click Add.
6. Repeat the steps above to make other destinations available.
7. In the Remote archival area, enter the following information:
• Day – The day of the week to carry out the archive.
• Hour – The hour of the day to carry out the archive.
• Archive destination – From the drop-down list, select a destination as configured in the Remote
  archive destinations area.
• Archive profile – From the drop-down list, select an archive profile as configured on the
  archives page.
• Enabled – Select to enable the archive.
• Comment – Enter a description of the archive.
8. Click Add.
9. Repeat the steps above to configure other archives for scheduled remote archive.
Note: A local copy of the archive is also created and stored.
Editing Schedules
To edit a schedule:
1. In the appropriate area, select the destination or task and click Edit or Remove.
Rebooting and Shutting Down
You can choose to reboot or shut down Advanced Firewall either immediately, after a time delay, or
at a predetermined time.
To reboot or shut down Advanced Firewall, do the following:
1. Browse to the System > Maintenance > Shutdown page.
2. Choose the type of reboot or shutdown:
• immediately — Reboot or shut down Advanced Firewall now.
• delay action for — From the drop-down list, choose the length of time to delay the reboot
  or shutdown. Valid options are given in five minute increments, from five minutes to one hour.
• at the following time — From the drop-down lists, choose the time, in 24-hour format, to
  perform the reboot or shutdown.
3. Click Reboot or Shutdown.
The Smoothwall logo is displayed whilst the system is rebooting or shutting down. If a reboot is
occurring, this page will refresh to the login prompt once the reboot has completed. If a shutdown is
occurring, you will need to manually close your browser window.
Setting System Preferences
The following sections discuss how to configure the user interface, time settings and a web proxy if
your ISP requires you to use one.
Configuring the User Interface
Advanced Firewall can be customized in different ways, depending on how you prefer working. The
main changes that can be made are the method of displaying errors and the drop-down list
navigation system. It is also possible to alter the system's description.
To configure the user interface:
1. Browse to the System > Preferences > User interface page.
2. Configure the following settings:
• Host information – In the description field, enter a description to identify Advanced Firewall.
  This will be displayed in the title bar of the browser window.
• System control page – From the Report to show drop-down list, select the report you want
  displayed on the Dashboard.
• Dashboard sections – Determines what, if any, information is displayed in the System Services
  area on the Dashboard.
3. Click Save.
Setting Time
Advanced Firewall's time zone, date and time settings can be specified manually or automatically
retrieved from a local or external Network Time Protocol (NTP) server, typically located on the
Internet.
Advanced Firewall can also act as an NTP server itself, allowing network-wide synchronization of
system clocks.
To set the time:
1. Navigate to the System > Preferences > Time page.
2. Configure the following settings:
• Timezone – From the drop-down list, select the appropriate time zone.
• Time and date – To manually set the time and date:
  1. Select Set and use the drop-down lists to set the time and date.
• Network time retrieval – To automatically retrieve time settings:
  1. Select Enabled in the Network time retrieval area.
  2. Choose the time retrieval frequency by selecting an interval from the
     Interval drop-down list.
  3. Select Save time to RTC to ensure that the time is written back
     to the system's hardware clock (the Real-Time Clock).
  4. Choose one of the following network retrieval methods:
     • Multiple random public servers – select to set the time as
       the average time retrieved from five random time servers
     • Selected single public server – select from the drop-down
       list a public time server to use to set the time
     • User defined single public or local server – Enter the
       address of a specific local or external time server.
• Network time service interfaces – Advanced Firewall can be used to synchronize the system
  clocks of local network hosts by providing a time service.
  To synchronize the network time service:
  1. Enable network time retrieval.
  2. Select each internal network interface that the network time service
     should be available from.
  3. Click Save.
Configuring Registration Options
Advanced Firewall enables you to use an upstream registration proxy if your ISP requires you to use
one, and optionally, supply information about the status of your system and web filtering statistics.
To configure registration options:
1. Navigate to the System > Preferences > Registration options page.
2. Configure the following settings:
• Upstream registration proxy
  Server – Enter the hostname or IP address of the proxy server.
  Port – Enter the port number to use.
  Username – Enter the username provided by your ISP.
  Password – Enter the password provided by your ISP.
  Note: The upstream proxy has no bearing on Advanced Firewall proxy
  services.
• Extended registration information – When registering, updating and/or installing add-on
  modules, Advanced Firewall sends information about licences, subscription and add-on
  modules to Smoothwall.
  When this option is enabled and depending on which add-on modules
  are installed, the following information is also sent:
  • Enabled status for optional services
  • The number of configured interfaces and whether they are internal
    or external
  • Authentication service settings and the LDAP server type
  • Guardian transparent mode and authentication service settings
    mode
  • Manufacturer name and product name – from dmidecode
  • Main board manufacturer and main board product name – from
    dmidecode.
  Note: No usernames, passwords or sensitive information are sent and
  any potentially identifying data is summarized before sending.
• Provide filtering feedback information – When enabled, Advanced Firewall will periodically
  send information about web filtering accuracy and a list of the domains of any web sites
  which could not be classified.
  Smoothwall will take every available measure to ensure data cannot be
  associated with your organization and no personal information is ever
  sent.
3. Click Save. Advanced Firewall starts to use the configured upstream proxy and, if enabled,
   send registration and/or filtering information.
Configuring the Hostname
Configuring the Hostname
You can configure Advanced Firewall’s hostname. A hostname should usually include the name of
the domain that it is within.
To change the hostname:
1. Browse to the System > Preferences > Hostname page.
2. Enter a new value in the Hostname field and click Save.
Note: After setting the hostname, a reboot is required before the HTTPS server will use the
hostname in its Common Name field.
Configuring Administration and Access Settings
The following sections discuss administration, external access and account settings.
Configuring Administration Access Options
You can enable and disable remote access to Advanced Firewall’s console via Secure Shell (SSH)
and configure remote access referral checking.
To access Advanced Firewall via remote SSH, the following criteria must be met:
• The host must be from a valid network zone
• The host must be from a valid source IP
• The SSH service must be enabled
• Admin access must be set to enabled
• The setup or root username and password must be known.
To permit access to the console via SSH:
1. Navigate to the System > Administration > Admin options page.
2. Select SSH and click Save.
Note: Terminal access to Advanced Firewall uses the non-standard port 222.
Referral Checking
In order to ensure that configuration requests from the web interface originate from a logged-in
administrator, and not some third party web page, you can enable remote access referral checking.
When enabled, administration requests are only processed if the referral URL contains the local IP
address, the local hostname, or the external IP address where applicable.
If the referral is not from an Advanced Firewall page, the request is ignored and reported in the general
Smoothwall log file.
Note: This function prevents Advanced Firewall from being accessed remotely via a DNS or a
Dynamic DNS address. To remotely manage an Advanced Firewall system via a DNS or a Dynamic
DNS address, the referral URL check must be disabled.
To enable referral checking:
1. Navigate to the System > Administration > Admin access page.
2. Select Allow admin access only from valid referral URLs in the Remote Access area.
3. Click Save.
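The referral check described above can be pictured as follows. This Python sketch is an added example, not Smoothwall's implementation; the addresses, hostnames, paths and function names are constructed, and it assumes the check compares the host part of the Referer header with the three allowed values.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("referral-check")


def referral_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # malformed URL, for example unbalanced IPv6 brackets
        return None
    return host.lower() if host else None


def check_referral(referer, allowed_hosts):
    """Decide whether an administration request may be processed.

    allowed_hosts holds the local IP address, the local hostname and, where
    applicable, the external IP address. The host is compared as a whole value.
    Returns (processed, reason); ignored requests are also written to the log.
    """
    host = referral_host(referer)
    if host is not None and host in {h.lower() for h in allowed_hosts}:
        return True, "referral from an allowed host"
    if host is None:
        reason = "no usable referral"
    else:
        reason = f"referral host {host} not allowed"
    log.warning("admin request ignored: %s", reason)
    return False, reason


# Constructed sample values (not taken from any real installation).
ALLOWED = ["192.168.10.1", "fw.example.lan", "203.0.113.10"]
SAMPLE_REQUESTS = [
    ("https://192.168.10.1:441/admin/page", "admin on the local IP"),
    ("https://FW.example.lan:441/admin/page", "admin on the local hostname"),
    ("https://portal.example.org/page.html", "third party web page"),
    ("https://fw.dyndns.example.net:441/admin/page", "admin via Dynamic DNS name"),
    ("", "referral missing"),
]


def evaluate(requests=SAMPLE_REQUESTS, allowed=ALLOWED):
    """Run every sample request through the check: (label, processed, reason)."""
    return [(label, *check_referral(referer, allowed)) for referer, label in requests]


if __name__ == "__main__":
    logging.basicConfig(format="%(levelname)s %(message)s")
    for label, processed, reason in evaluate():
        print(f"{'processed' if processed else 'ignored':9}  {label}: {reason}")
```

The fourth sample shows why the Note above applies: a request made through a Dynamic DNS name carries that name in its referral, which is none of the three allowed values.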
Configuring External Access
External access rules are used to determine which interfaces, services, networks and host systems
can be used to administer Advanced Firewall.
The default external access rule allows administrators to access and configure Advanced Firewall
from any source IP that can route to the system's first (default) network interface.
This default rule allows administrators to access any of the following administration services:
• SSH admin – Access to the system console using port 222. Requires SSH access to be
  enabled, see Configuring Administration Access Options on page 145.
• HTTP admin – Access to the web-based interface on port 81.
• HTTPS admin – Access to the web-based interface on port 441.
To enable external access:
1. Browse to the System > Administration > External access page.
2. Configure the following settings:
• Interface – From the drop-down list, select the interface that access is permitted
  from.
• Source IP, or network – Specify individual hosts, ranges of hosts or subnet ranges of hosts that
  are permitted to use admin access.
  For a range of hosts, enter an IP address range, for example,
  192.168.10.1-192.168.10.50.
  For a particular subnet of hosts, enter a subnet range, for example,
  192.168.10.0/255.255.255.0 or 192.168.10.0/24.
  If no value is entered, any source IP can access the system.
• Service – Select the permitted access method.
• Comment – Enter a description for the access rule.
• Enabled – Select to activate access.
3. Click Add. The access rule is added to the Current rules table.
Note: Do not remove the default external access rule; it provides access to the default internal
network.
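The Source IP notations listed above can be checked offline before a rule is added. This Python sketch is an added example, not Smoothwall code; the rule dictionaries, interface names, comments and function names are constructed for illustration, and it goes slightly beyond the settings list by also flagging rules whose source is empty, very broad or unparseable.

```python
import ipaddress

ANY_SOURCE = (ipaddress.IPv4Address(0), ipaddress.IPv4Address(2**32 - 1))


def parse_source_spec(spec):
    """Turn one 'Source IP, or network' value into (first, last) addresses."""
    spec = spec.strip()
    if not spec:
        # The guide: "If no value is entered, any source IP can access the system."
        return ANY_SOURCE
    if "-" in spec:
        # Host range, e.g. 192.168.10.1-192.168.10.50
        low_text, high_text = spec.split("-", 1)
        low = ipaddress.IPv4Address(low_text.strip())
        high = ipaddress.IPv4Address(high_text.strip())
        if low > high:
            raise ValueError(f"range start is above range end: {spec!r}")
        return low, high
    if "/" in spec:
        # Subnet in either mask notation. strict=True rejects a host address
        # written with a mask (192.168.10.5/24), which is usually a typo.
        net = ipaddress.IPv4Network(spec, strict=True)
        return net.network_address, net.broadcast_address
    host = ipaddress.IPv4Address(spec)
    return host, host


def source_matches(spec, source_ip):
    """True if source_ip falls inside spec; an unparseable spec admits nobody."""
    try:
        first, last = parse_source_spec(spec)
    except ValueError:
        return False
    return first <= ipaddress.IPv4Address(source_ip) <= last


def is_permitted(rules, interface, source_ip, service):
    """True if any enabled rule admits this source on this interface and service."""
    return any(
        r["enabled"] and r["interface"] == interface and r["service"] == service
        and source_matches(r["source"], source_ip)
        for r in rules
    )


def audit_rules(rules, max_hosts=256):
    """Return (comment, finding) pairs for enabled rules worth a second look."""
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        try:
            first, last = parse_source_spec(r["source"])
        except ValueError as exc:
            findings.append((r["comment"], f"invalid source: {exc}"))
            continue
        hosts = int(last) - int(first) + 1
        if not r["source"].strip():
            findings.append((r["comment"], f"{r['service']} open to any source IP"))
        elif hosts > max_hosts:
            findings.append((r["comment"], f"{r['service']} open to {hosts} addresses"))
    return findings


# Constructed sample rules; interface names and comments are made up.
SAMPLE_RULES = [
    {"interface": "eth0", "source": "192.168.10.1-192.168.10.50",
     "service": "HTTPS admin", "comment": "IT desks", "enabled": True},
    {"interface": "eth0", "source": "192.168.10.0/255.255.255.0",
     "service": "SSH admin", "comment": "admin VLAN", "enabled": True},
    {"interface": "eth1", "source": "",
     "service": "HTTP admin", "comment": "temporary", "enabled": True},
    {"interface": "eth1", "source": "10.0.0.0/8",
     "service": "SSH admin", "comment": "branch offices", "enabled": True},
    {"interface": "eth1", "source": "192.168.10.5/24",
     "service": "HTTPS admin", "comment": "typo", "enabled": True},
]

if __name__ == "__main__":
    for comment, finding in audit_rules(SAMPLE_RULES):
        print(f"{comment}: {finding}")
```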
Editing and Removing External Access Rules
To edit or remove access rules, use Edit and Remove in the Current rules area.
Administrative User Settings
Advanced Firewall supports different types of administrative accounts.
To manage accounts:
1. Navigate to the System > Administration > Administrative users page.
2. Configure the following settings:
• Username – Enter a name for the user account.
• Password – Enter a password. Passwords are case sensitive and must be at least six
  characters long.
• Again – Re-enter the password to confirm it.
• Permissions – Select the account permissions you want to apply to the account.
  • Administrator – Full permission to access and configure
    Advanced Firewall.
  • Log – Permission to view the system log files.
  • Operator – Permission to shut down or reboot the system.
  • Portal User – Permission to access the user portal pages.
  • SMTP quarantine – Permission to access and manage the
    SMTP quarantine pages.
  • Realtime logs – Permission to view realtime logs.
  • Reporting system – Permission to access the reporting
    system.
  • Rule editor user – Permission to edit networking outgoing
    policies ports and external services.
  • Temp ban – Permission to access and change temporary ban
    status.
3. Click Add to add the account.
Changing a User's Password
To set or edit a user's password:
1. Browse to the System > Administration > Administrative users page.
2. In the Current users area, select the user and click Edit.
3. Enter and confirm the new password in the Password and Again fields.
4. Click Add to activate the changes.
Managing Tenants
Note: To add tenants, Advanced Firewall must have the Multi-Tenant license type installed. Contact
your Smoothwall representative for more information.
Multi-Tenant is designed to allow you to deploy your Smoothwall filter as a managed service for
discrete individual clients, referred to as tenants. It provides a means of logically partitioning a
Smoothwall cluster into multiple virtual instances. Each instance, or tenant, applies a core set of
policies for all customers, as well as policies designed for individual tenants.
A Multi-Tenant system can only provide filtering services to clients configured as tenants. It is not
possible to configure your Smoothwall System to support both tenant and non-tenant modes.
Multi-Tenant provides the following features:
• Central administration control over all tenants
• Maintenance of data integrity between individual tenants, ensuring no data or policy overlap
• Tenant control of report generation for their own operations
• Tenant-specific category filtering and content modification rules
For information about tenants and directories, refer to the Multi-Tenant Managed Services
Administration Guide.
For information about self-service reporting for tenants, refer to the Multi-Tenant Managed Services
Administration Guide.
Creating Tenants
You must assign a unique name to each tenant supported, including the IP ranges used by that
tenant.
Note: Requests from IP addresses not assigned to a tenancy will be blocked.
To create tenants, do the following:
1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Click Add new tenant.
3. Configure the following parameters:
• Name — The name of the tenant.
• IP address range(s) — The IP address ranges that are assigned to the tenant.
  If multiple ranges are assigned to the tenant, add each range on a new line.
4. Click Save changes.
Editing a Tenant
To edit a tenant, do the following:
1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Highlight the relevant tenant, and click Edit.
3. In the Edit tenant dialog box, change the settings as required. For a detailed description of the
   available settings, see Creating Tenants on page 150.
4. Click Save changes.
Deleting a Tenant
Before deleting a tenant, the following behavior should be noted:
• Any directory services assigned to that tenant must have their association removed before
  the tenant can be deleted. If this is not done, a warning message will be displayed.
  For more information, refer to the Advanced Firewall Administration Guide.
• Any tenant-specific custom categories and content modifications are retained for future use by
  other tenants.
  Advanced Firewall will display Deleted tenant against categories or content modifications for
  deleted tenants.
• Access to historical data from the deleted tenant must be made using SQL. For more
  information, refer to your Smoothwall representative.
To delete a tenant, do the following:
1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Highlight the relevant tenant, and click Delete.
3. Confirm that you want to delete the tenant.
You can also delete multiple tenants at the same time.
To delete multiple tenants, do the following:
1. From your Advanced Firewall system, browse to System > Administration > Tenants.
2. Mark the relevant tenants, and click Delete.
3. Confirm that you want to delete the tenants.
Hardware
The following sections discuss how to configure UPS devices, modems and firmware settings.
Managing UPS Devices
Uninterruptible Power Supply (UPS) device(s) physically connected to Advanced Firewall provide
emergency power to Advanced Firewall if the mains power supply fails.
UPS Connection Prerequisites
Before you start configuring Advanced Firewall to use a UPS device:
1. Follow the documentation delivered with your UPS device to prepare it for use.
2. Connect the UPS device to Advanced Firewall.
3. On the System > Maintenance > Shutdown page, reboot immediately. Once rebooted, you
   are ready to start configuring the UPS device.
Configuring the Global Shut Down Condition
The global shut down condition determines when, if ever, an Advanced Firewall connected to a UPS
device should shut down.
To configure the global shut down condition:
1. Browse to the System > Hardware > UPS page.
2. Select when Advanced Firewall should shut down:
• Never – Select to never shut down Advanced Firewall.
• When all remaining UPS are at low battery – Select to shut down Advanced Firewall when all
  currently connected UPS devices are at low battery levels.
• After a set time of being on battery – Select to specify how long to wait before shutting down
  Advanced Firewall when running on UPS battery.
  Delay before shut down – Enter how long in minutes to wait before
  shutting down Advanced Firewall.
3. Click Save changes. Advanced Firewall applies the shut down condition.
Configuring UPS Devices
UPS devices can be configured to use the following types of connections:
•
USB – connects to Advanced Firewall via a USB connection, for more information, see
Configuring a UPS Device with a USB Connection on page 153
•
Serial – connects to Advanced Firewall via a serial connection, for more information, see
Configuring a UPS Device with a Serial Connection on page 153
•
SNMP – connects to Advanced Firewall via an SNMP connection, for more information, see
Configuring a UPS Device with an SNMP Connection on page 153
•
HTTP – connects to Advanced Firewall via an HTTP connection, for more information, see
Configuring a UPS Device with an HTTP Connection on page 154.
Advanced Firewall also makes information about UPS devices available on the System > Central
management > Overview page. For more information, refer to the Advanced Firewall Administration
Guide.
It is also possible to configure an alert which is triggered when power switches to and from mains
supply. For more information, see Chapter 5, Enabling Instantaneous Alerts on page 102.
Configuring a UPS Device with a USB Connection
To configure a USB connection:
1.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2.
In the Add new UPS dialog box, configure the following settings:
Setting
Description
Name
Enter a name for the UPS device.
UPS connection
Select USB.
3.
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
Configuring a UPS Device with a Serial Connection
To configure a serial connection:
1.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2.
In the Add new UPS dialog box, configure the following settings:
Setting
Description
Name
Enter a name for the UPS device.
UPS connection
Select Serial.
Manufacturer
From the drop-down lists, select the UPS device’s manufacturer and model.
Port
From the drop-down list, select the port the UPS device uses.
3.
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
Configuring a UPS Device with an SNMP Connection
To configure an SNMP connection:
1.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2.
In the Add new UPS dialog box, configure the following settings:
Setting
Description
Name
Enter a name for the UPS device.
UPS connection
Select SNMP.
IP address
Enter the IP address that the UPS device will use.
SNMP community
Enter the UPS device’s SNMP community string.
3.
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
Configuring a UPS Device with an HTTP Connection
To configure an HTTP connection:
1.
On the System > Hardware > UPS page, in the Connected UPS area, click Add new UPS.
2.
In the Add new UPS dialog box, configure the following settings:
Setting
Description
Name
Enter a name for the UPS device.
UPS connection
Select HTTP.
IP address
Enter the IP address that the UPS device will use.
Username
If required, enter the user name to be used to connect the device to Advanced Firewall.
Password
If required, enter the password to be used to connect the device to Advanced Firewall.
Confirm
If required, re-enter the password to be used to connect the device to Advanced Firewall.
3.
Click Add. Advanced Firewall adds the UPS device and lists it in the Connected UPS area.
Editing UPS Devices
To edit a UPS device’s settings:
1.
On the System > Hardware > UPS page, point to the device you want to edit and click Edit.
2.
In the Edit UPS dialog box, make the changes required. See Configuring UPS Devices on
page 152 for information on the settings available.
3.
Click Save changes. Advanced Firewall changes the settings and lists the device in the
Connected UPS area.
Deleting UPS Devices
To delete a UPS device:
1.
On the System > Hardware > UPS page, point to the device you want to delete and click
Delete.
2.
When prompted, click Delete to confirm that you want to delete the device. Advanced Firewall
deletes the device and removes it from the list in the Connected UPS area.
Managing Hardware Failover
Advanced Firewall’s hardware failover enables you to configure a failover Advanced Firewall system
which, in the event of hardware failure, provides all the protection and services your master Advanced
Firewall usually provides.
Note: Hardware failover is not included as standard with Advanced Firewall – it must be licensed
separately. Contact an authorized Smoothwall partner or visit www.smoothwall.net for more
information.
How does it work?
When configured and enabled, the failover Advanced Firewall runs in a standby mode monitoring the
master Advanced Firewall for a heartbeat communication. Heartbeat is the name of a suite of
services and configuration options that enable two identical Advanced Firewall systems to be
configured to provide hardware failover.
The master periodically copies settings to the failover unit to ensure that the failover unit can provide
a fully configured service if the master fails.
Note: Settings are copied intermittently and it is theoretically possible that the failover unit will be a
few minutes behind configuration changes made to the master.
If the master fails, it stops responding to the failover unit’s heartbeat and the failover unit therefore
determines that the primary system is no longer available. This will occur somewhere between 0
seconds and the keep-alive time specified when configuring failover.
The failover unit then enters a more responsive mode where it monitors the master for its revival. It
remains in this mode for the length of dead time you have configured. This stage is designed
principally to cope with intermittent failures within the communication system, such as a heavily loaded
master.
Once the dead time has expired, the failover unit awakens from its standby mode and begins reinstating the settings and services which allow it to take over operations from the master. Since part
of this information includes the IP addresses for each of the master interfaces, the failover unit will
essentially provide a drop-in replacement and the transition will generally go unnoticed.
When the master starts to respond again, be it minutes, days or weeks later, and assuming that Auto failback is enabled, the failover unit hands over control to the master, deactivates its configuration
and services and returns to standby mode.
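The timing described above, modelled as a small state machine in Python. This is an added example, not Smoothwall's implementation: the state names, the `probe_ms` polling rate used for the "more responsive" mode and the millisecond timeline are assumptions made for illustration.

```python
"""Timing model of the standby unit's takeover decision (illustrative, not vendor code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    STANDBY = "standby"   # checking the master's heartbeat every keep-alive interval
    SUSPECT = "suspect"   # heartbeat missed; watching closely until dead time expires
    ACTIVE = "active"     # failover unit has taken over the master's services


@dataclass
class FailoverUnit:
    keep_alive_ms: int
    dead_time_ms: int
    auto_failback: bool = True
    probe_ms: int = 100               # assumed polling rate in the "more responsive" mode
    state: State = State.STANDBY
    suspect_since: Optional[int] = None
    log: List[Tuple[int, State]] = field(default_factory=list)

    def _move(self, now: int, new_state: State) -> None:
        self.state = new_state
        self.log.append((now, new_state))

    def check_due(self, now: int) -> bool:
        """True when a heartbeat check is scheduled at this instant."""
        interval = self.probe_ms if self.state is State.SUSPECT else self.keep_alive_ms
        return now % interval == 0

    def observe(self, now: int, master_alive: bool) -> None:
        """Apply one heartbeat result and record any state change."""
        if self.state is State.STANDBY and not master_alive:
            self.suspect_since = now
            self._move(now, State.SUSPECT)
        elif self.state is State.SUSPECT:
            if master_alive:
                # Intermittent failure (e.g. a heavily loaded master): no takeover.
                self.suspect_since = None
                self._move(now, State.STANDBY)
            elif now - self.suspect_since >= self.dead_time_ms:
                self._move(now, State.ACTIVE)
        elif self.state is State.ACTIVE and master_alive and self.auto_failback:
            self._move(now, State.STANDBY)

    def enter_standby(self, now: int) -> None:
        """Manual failback, for configurations where Auto failback is off."""
        if self.state is State.ACTIVE:
            self._move(now, State.STANDBY)


def simulate(unit, outages, duration_ms, tick_ms=100):
    """Run the unit over a timeline; outages is a list of (start_ms, end_ms)
    windows during which the master does not answer. Returns the transition log."""
    for now in range(0, duration_ms + 1, tick_ms):
        if unit.check_due(now):
            master_alive = not any(start <= now < end for start, end in outages)
            unit.observe(now, master_alive)
    return unit.log


def takeover_delay_ms(log, failed_at_ms):
    """Milliseconds from master failure to takeover, or None if no takeover happened."""
    for when, state in log:
        if state is State.ACTIVE and when >= failed_at_ms:
            return when - failed_at_ms
    return None


if __name__ == "__main__":
    # Constructed timelines: keep-alive 1 s (the documented default), dead time 5 s.
    long_outage = simulate(FailoverUnit(1000, 5000), [(2300, 20000)], 30000)
    short_blip = simulate(FailoverUnit(1000, 5000), [(2300, 4500)], 30000)
    print("long outage:", [(t, s.value) for t, s in long_outage])
    print("takeover delay:", takeover_delay_ms(long_outage, 2300), "ms")
    print("short blip:", [(t, s.value) for t, s in short_blip])
```

In this model the service gap is bounded by the keep-alive interval plus the dead time, and an outage shorter than the dead time never triggers a takeover.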
Prerequisites
The following must be in place for hardware failover to work:
•
A private network consisting of only two Advanced Firewall systems connected via their
heartbeat interfaces, preferably using a crossover cable
•
The master and failover unit should both use the same types of hard disk drives, RAM, and
above all the same type and number of network interface cards
•
The failover unit must be plugged into all the switches the master is plugged into
•
SSH must be enabled on the master, see Configuring Administration Access Options on
page 145 for more information.
Configuring Hardware Failover
Configuring hardware failover entails:
•
On the master, specifying a network interface for the heartbeat and configuring and generating
a failover archive to deploy on the failover unit
•
On the failover unit, installing Advanced Firewall and deploying the failover archive.
Configuring the Master
To configure the master Advanced Firewall:
1.
Navigate to the Networking > Interfaces > Interfaces page.
2.
Point to the interface to be used by the hardware failover master and failover unit systems to
communicate with each other and click Edit.
Note: The master and failover unit systems are connected via their heartbeat interfaces on a private
network. It is critically important that this network is not congested and suffers as little latency as is
possible. For these reasons, we strongly recommend that this connection be a crossover cable.
Using a crossover cable also minimizes the risk of failure as it is possible that the switch the heartbeat
interface is on could fail.
3.
In the Edit interface dialog box, configure the following settings:
Setting
Description
Name
Accept the default name or enter a custom name.
Use as
Select Heartbeat interface.
Spoof MAC
Optionally, enter a spoof MAC if required.
Some cable modems require the MAC address of the connecting NIC to
be spoofed in order to function correctly. For more information about
whether MAC spoof settings are required, consult the documentation
supplied by your ISP and modem supplier.
MTU
Optionally, enter the maximum transmission unit (MTU) value required in
your environment.
4.
Click Save changes.
5.
Navigate to the System > Hardware > Failover page.
6.
Configure the following settings:
Setting
Description
Enabled
Select to enable failover.
Auto failback
Select if you want the failover unit to automatically hand back control to
the master when the master starts to respond after a hardware failure.
The failover unit will hand over control to the master, deactivate its
configuration and services and return to standby status.
Keep-alive internal
Set the interval after which the master and failover unit communicate to
ensure the master is still working. The default is 1 second.
In non-congested networks, we recommend a very short interval which
is undetectable in terms of system performance.
Dead time
Specify how long after the failover unit has become aware that the
master is no longer responding it should wait before taking over from the
master.
Master heartbeat IP
Enter an IP address for the master.
Note: We recommend that this network be private and only used by the
master and failover units.
Slave heartbeat IP
Enter an IP address for the failover unit.
Note: We recommend that this network be private and only used by the
master and failover units.
Netmask
Enter a netmask.
Note: We recommend that this network be private and only used by the
master and failover units.
7.
Click Save.
8.
Browse to the System > Maintenance > Shutdown page, select Immediately and click
Reboot. Wait a couple of minutes for the system to reboot and then log in again.
The next step is to generate the failover archive to deploy on the failover unit.
Generating a Failover Archive
A failover archive contains the settings required to configure the failover unit to provide hardware
failover for Advanced Firewall.
To generate a failover archive:
1.
Navigate to the System > Hardware > Failover page and configure and save the failover
settings. See Configuring the Master on page 156.
2.
Click Generate slave setup archive. Advanced Firewall generates the archive and prompts
you to specify where to save it.
3.
Save the archive on some suitable removable media accessible by the failover unit. The next
step is to use the archive to implement the failover settings on the failover unit.
Note: The size of the failover unit archive varies depending on the Smoothwall modules installed.
50 MB is an average size.
Implementing Failover Settings on the Failover Unit
Implementing failover on the failover unit entails running the setup program and using the restore
options to apply the settings.
To implement failover on the failover unit:
1.
Install Advanced Firewall using the quick install option. See the Advanced Firewall Installation
Guide for more information. On the following screen:
1.
Select Yes and press Enter.
2.
Select the type of media the archive is stored on and press Enter. You are prompted to insert
the media.
3.
Insert the media and press Enter.
4.
Select the archive and press Enter. The failover settings are installed.
5.
When prompted, press Enter to reboot the failover unit. The failover unit will reboot and
automatically enter standby mode.
Note: For information on installing updates in failover units, see Installing Updates on a Failover
System on page 133.
Administering Failover
There are no noticeable differences between administering Advanced Firewall used as a master and
one which is not used as a master.
There should be little or no need to administer the failover unit on a day to day basis. However, from
time to time, you will need to install updates.
Updates are not automatically applied in order to ensure that the failover unit can provide a known
good system to failover to in case of any issues resulting from updates to the master.
Accessing the Failover Unit
With failover implemented, the active Advanced Firewall system is always accessed via the usual
address, whether services and protection are being supplied by the master or the failover unit.
When you need to access the failover unit directly, you can do so using a variation of the address for
the master. For example, to access the master's Update page, the address would usually look as follows:
https://192.168.72.142:441/cgi-bin/admin/updates.cgi
To access the settings on the failover unit, the address would be:
https://192.168.72.142:440/cgi-bin/admin/updates.cgi
All communications with the user interface on the failover unit are via HTTPS and on port 440 instead
of port 441.
The address used in the example above, 192.168.72.142, is the address of the master because, when
in standby mode, the failover unit has no effective presence on any of the local or remote networks.
Testing Failover
In order to test failover, you can force the master to enter standby mode.
To test failover:
1.
On the master, go to the System > Hardware > Failover page and click Enter standby
mode. After a short period of time the failover unit will take over from the master.
2.
To restore operations to the master, on the active system, go to the System > Hardware >
Failover page and click Enter standby mode. Operations will be transferred to the
master.
Note: If Auto failback is enabled, rebooting the master will also return it to active service and force
the failover unit into standby mode.
Manual Failback
In configurations where Auto failback is not enabled, when the failover unit is in active operation but
the master system has become available again after corrective action has been taken, you can
manually fail back to the master.
To manually failback:
1.
On the failover unit, go to the System > Hardware > Failover page and click Enter standby
mode to restore the system to normal operation.
Configuring Modems
Advanced Firewall can store up to five modem profiles.
To configure a modem profile:
1.
Browse to the System > Hardware > Modem page.
2.
Configure the following settings:
Setting
Description
Profiles
From the drop-down list, select Empty to create a modem profile.
Profile name
Enter a name for the modem profile.
Interface
Select the serial port that the modem is connected to.
Computer to modem rate
Select the connection speed of the modem. A standard 56K modem is
usually connected at the default 115200 rate.
Modem speaker on
Select to enable audio output during the modem dialing process, if the
modem has a speaker.
Dialing mode
Select the dialing mode.
Tone – Select if your telephone company supports tone dialing.
Pulse – Select if your telephone company supports pulse dialing.
Init
Enter the commands required to initialize the modem.
Hangup
Enter the commands required to end a connection.
Speaker on
Enter the commands required to turn the speaker on.
Speaker off
Enter the commands required to turn the speaker off.
Tone dial
Enter the commands required to turn tone dialing on.
Pulse dial
Enter the commands required to turn pulse dialing on.
Connect timeout
Enter the amount of time in seconds to allow the modem to attempt to connect.
3.
Click Save to save your settings and create the profile.
Installing and Uploading Firmware
Advanced Firewall can upload the third-party mgmt.o file to the system. Without this file, Alcatel
SpeedTouch USB ADSL modems will not work.
To upload and install the Alcatel firmware:
1.
Navigate to the System > Hardware > Firmware upload page.
2.
Click Browse adjacent to Upload file field.
3.
Use the browser's Open dialog to find and open the mgmt.o firmware update file.
4.
Click Upload to upload the firmware update.
Note: Once this process has been completed, the system must be rebooted before the new
firmware is activated.
Note: The 330 version of this modem also requires its own firmware update to function correctly.
Using Advanced Firewall’s Diagnostic Tools
Advanced Firewall comes with the ability to perform diagnostics, and test the configuration. The
following tools are available for use:
•
Testing Advanced Firewall Functionality on page 162
•
Exporting Advanced Firewall’s Configuration on page 164
•
Using IP Tools on page 164
•
Using Whois on page 166
•
Analyzing Network Traffic on page 166
Testing Advanced Firewall Functionality
You can test Advanced Firewall’s connectivity and networking configuration. Available test types are:
Test Question
Test Result Text
Check authentication service hostname?
Results for authentication service hostname
Can the primary DNS server resolve hostname?
Primary DNS results for hostname hostname
Can the secondary DNS server resolve hostname?
Secondary DNS results for hostname hostname
Can the DNS server(s) resolve the external site domain?
External DNS resolution results for domain
Does a reverse DNS entry exist for smoothwall_IP_address?
Reverse DNS results for IP smoothwall_IP_address
What is our direct download speed?
Direct download results
What is our web-filtered download speed?
Web-filtered results
Does the primary DNS server (primary_DNS_IP) have latency issues?
Primary DNS server latency results
Does the secondary DNS server (secondary_DNS_IP) have latency issues?
Secondary DNS server latency results
Does the default gateway respond?
Default gateway ping requests
Does the L2TP primary DNS server respond?
L2TP primary DNS server ping results
Does the L2TP secondary DNS server respond?
L2TP secondary DNS server ping results
Does the L2TP primary WINS server respond?
L2TP primary WINS server ping results
Does the L2TP secondary WINS server respond?
L2TP secondary WINS server ping results
Do the internal subnets overlap?
Do any subnets overlap?
Are the internal networks within reserved IP ranges?
Internal networks within reserved IP ranges results
Are the internal networks within private subnets?
Internal networks within reserved private subnets results
Can we connect to internal server IP using port port
Results for connection $name. Trying to connect to hostname on port port
Are the installed root certificates valid?
Results for installed root certificates
Are the installed certificates valid?
Results for installed certificates
Note: By default, all testing options are selected to be included. However, the test options available
are dependent on the configuration of your Advanced Firewall.
You can customize the test, and run it as follows:
1.
Browse to System > Diagnostics > Functionality tests.
2.
Expand either Basic Connectivity or Networking Configuration, and clear the selection for
those tests you do not want to run.
Tip: Clearing the selection for Basic Connectivity or Networking Configuration removes all test
options against that test category.
3.
Click Test selected.
A progress bar is displayed to indicate the test progress.
When completed, the Functionality test results window is displayed, using the following Status
indicators:
•
A green tick indicates the test was run successfully, with no follow up actions required
•
An amber exclamation mark indicates the test was run successfully. However, an issue was
flagged up that does not impact on day-to-day operations.
•
A red cross indicates a problem was found with the test run. The Details column provides a
description of the issue.
Exporting Advanced Firewall’s Configuration
You can export Advanced Firewall’s system configuration to a text file, for example, to aid
troubleshooting.
To export Advanced Firewall’s configuration, do the following:
1.
Browse to System > Diagnostics > Configuration report.
Note: By default, all configuration options are selected to be included. However, the options
available are dependent on the configuration of your Advanced Firewall.
2.
Clear the selection for those options that you do not want to export.
3.
Click Generate.
When prompted, save the results in a suitable location for review.
Using IP Tools
The IP tools page is used to check connectivity, both from Advanced Firewall to computers on its
local networks and to hosts located externally on the Internet. There are two IP Tools:
•
Ping
Ping establishes that basic connectivity to a specified host can be made. Use it to prove that
Advanced Firewall can communicate with hosts on its local networks and external hosts on the
Internet.
•
Traceroute
Traceroute is used to reveal the routing path to Internet hosts, shown as a series of hops from
one system to another. A greater number of hops indicates a longer (and therefore slower)
connection.
The output of these commands is as it would be if the commands were run directly by the root user
from the console of the Advanced Firewall system. It is, of course, more convenient to run them from
this page.
Using Ping
To use Ping:
1.
Navigate to the System > Diagnostics > IP tools page.
2.
Select the Ping option from the Tool drop-down list.
3.
Enter an IP address or hostname that you wish to ping in the IP addresses or hostnames
field.
4.
Click Run. The result of the ping command is displayed.
Using Traceroute
To use Traceroute:
1.
Navigate to the System > Diagnostics > IP tools page.
2.
Select the Traceroute option from the Tool drop-down list.
3.
Enter an IP address or hostname that you wish to trace in the IP addresses or hostnames
field.
4.
Click Run. The result of the traceroute command is displayed.
Using Whois
Whois is used to display ownership information for an IP address or domain name. A major use for
this is to determine the source of requests appearing in the firewall or Detection System logs. This
can assist in the identification of malicious hosts.
To use Whois:
1.
Navigate to the System > Diagnostics > Whois page.
2.
Enter an IP address or domain name that you wish to look up in the IP addresses or domain
name field.
3.
Click Run. The output of Whois is as it would be if it were run directly by the root user from the
console of the Advanced Firewall system.
Analyzing Network Traffic
The Traffic analysis page displays detailed information on what traffic is currently on the network.
To analyze traffic:
1.
Navigate to the System > Diagnostics > Traffic analysis page.
2.
From the Interface drop-down list, select the interface.
3.
From the Time to run for drop-down list, select how long to analyze the traffic.
4.
Click Generate. After the time specified has elapsed, a breakdown of what ports and
services have been used is presented, as well as specific information on connections made. It
is possible to view a complete transcript of TCP and UDP sessions, including pictures sent or
received on web requests.
Managing CA Certificates
When Advanced Firewall’s instant messenger proxy and/or Guardian are configured to intercept SSL
traffic, certificates must be validated. Advanced Firewall validates the certificates by checking them
against the list of installed Certificate Authority (CA) certificates on the System > Certificates >
Certificate authorities page.
The following sections describe how you can import new CA certificates, export existing CA
certificates and edit the list to display a subset or all of the CA certificates available.
Reviewing CA Certificates
By default, Advanced Firewall comes with certificates issued by well-known and trusted CAs.
To review the certificates:
1.
Browse to the System > Certificates > Certificate authorities page. Advanced Firewall
displays the certificates available. It also displays which certificates are valid and which are built-in, i.e. included in Advanced Firewall by default.
2.
To review a specific certificate, click on its name. Advanced Firewall displays it.
3.
Click your browser’s Back button to return to Advanced Firewall.
Importing CA Certificates
To import CA certificates:
1.
Navigate to the System > Certificates > Certificate authorities page and locate the Import
Certificate Authority certificate area.
2.
Click Browse, navigate to the certificate and select it.
3.
Click the import option. Advanced Firewall imports the certificate and displays it at the bottom
of the list.
Exporting CA Certificates
To export certificates:
1.
On the System > Certificates > Certificate authorities page, select the certificate.
2.
From the Export format drop-down list, select one of the following options:
Option
Description
CA certificate in PEM
Export the certificate in an ASCII (textual) certificate format commonly used by Microsoft operating systems.
CA certificate in BIN
Export the certificate in a binary certificate format.
3.
Click Export and save the certificate on a suitable medium.
Deleting and Restoring Certificates
You can remove built-in certificates from the list on the System > Certificates > Certificate authorities
page. You can also restore them to the list if required.
To delete certificates:
1.
On the System > Certificates > Certificate authorities page, select the certificate(s) and
click Delete. Advanced Firewall removes the certificate(s).
Appendix A: Available Reports
This appendix describes the reports available to run from Advanced Firewall.
The following table describes the report types, and shows the corresponding reports:
Report folder: Comparison reports
Description: These reports provide time-based comparison of the common activity for each report type.
Available reports:
Daily category comparison on page 176
Daily domain comparison on page 176
Daily user comparison on page 177

Report folder: Email
Description: These reports provide an analysis of email traffic.
Available reports:
Estimated cost of Spam and Malware on page 177
Incoming email summary incl last 24 hours on page 179
Mailbox activity on page 179
Malware Incl last 24 hours on page 180
Outgoing email summary incl last 24 hours on page 180

Report folder: Executive summary
Description: These reports provide an analysis of the web traffic from specified reporting types.
Available reports:
Executive summary of activity of a specific IP address on page 177
Executive summary of activity of a specific user on page 178
Executive summary of all group activity on page 178

Report folder: Firewall and networking
Description: These reports provide an analysis of the web traffic through your Smoothwall firewall.
Available reports:
Application Bandwidth Statistics on page 173
Connection details and traffic statistics on page 176
Firewall activity on page 178
Interfaces and IP addresses on page 179
VPN status and history on page 188

Report folder: System
Description: These reports provide an analysis of your Smoothwall System.
Available reports:
Authentication Cache on page 175
Control page template on page 176
Disk information on page 177
Portal users logged in status on page 180
Summary page template on page 180
System information on page 181
Updates on page 188
Web filter statistics on page 188

Report folder: Time of day activity
Description: These reports provide an analysis of the web activity at specific times of the day.
Available reports:
Times of day a group browses a specific URL on page 182
Times of day a user browses a specific URL on page 182
Times of day a user browses and the categories browsed on page 182
Times of day an IP address browses a specific URL on page 183
Times of day an IP address browses and the categories browsed on page 183
Times of day members of a group browses and the categories browsed on page 184

Report folder: Time spent browsing
Description: These reports provide an analysis of browsing activity.
Available reports:
Amount of time a user spent browsing a URL on page 172
Amount of time a user spent browsing sites in a category on page 172
Amount of time an IP address spent browsing a URL on page 172
Amount of time an IP address spent browsing sites in a category on page 173

Report folder: Top reports
Description: These reports provide an analysis of the web traffic of each report type.
Available reports:
Top blocked domains by hits on page 184
Top blocked users by hits on page 184
Top categories by hits and bandwidth on page 184
Top categories by hits and bandwidth - with options on page 185
Top client IPs by hits and bandwidth on page 185
Top client IPs by hits and bandwidth - with options on page 185
Top domains by hits and bandwidth on page 186
Top domains by hits and bandwidth - with options on page 186
Top search terms on page 187
Top users by hits and bandwidth on page 187
Top users by hits and bandwidth - with options on page 187
Top users using banned search terms on page 188

Report folder: User analysis
Description: These reports provide an analysis of user activity.
Available reports:
All blocked activity for a specific user on page 172
Bandwidth usage by a specific user on page 175
Complete IP address audit trail on page 175
Complete user audit trail on page 176
Time spent browsing for a specific user on page 181
Top search terms and the searches they were used in for a specific user on page 187

All other supplied reports have been deprecated from the Smoothwall System, but remain in the
Archive folder for backwards compatibility.
Note: If you are using a user portal, the reports available to you are dependent on the configuration
of your portal. For more information, see Configuring a Portal on page 27. Note that drill down reports
are not available from the user portal.
The following sections describe each report in detail. The reports are listed in alphabetical order.
Unless otherwise stated, all reports can be output to .csv, .xls, .pdf (either color, or black and
white), and .tsv.
All blocked activity for a specific user
The All blocked activity for a specific user report lists the IP address used, the blocked URL, and
the corresponding category. Blocked adverts are not included in the users’ statistics.
To run the report for a specific user, click the Advanced >> button and enter the username in the
Username text box. Enter the required date range and click Run report.
Amount of time a user spent browsing a URL
The Amount of time a user spent browsing a URL report provides a graphical representation of
the data.
To run the report for a specific user and URL, click the Advanced >> button and enter the username
and URL in the Username and URL text boxes. Enter the required date range and click Run report.
Amount of time a user spent browsing sites in a category
The Amount of time a user spent browsing sites in a category report provides a graphical
representation of the data.
To run the report for a specific user and category, click the Advanced >> button and enter the
username and category in the Username and Category text boxes. Enter the required date range
and click Run report.
Amount of time an IP address spent browsing a URL
The Amount of time an IP address spent browsing a URL report provides a graphical
representation of the data.
Note: An IP address does not necessarily denote a particular user, as multiple users can use the
same device depending on the setup.
To run the report for a specific IP address and URL, click the Advanced >> button and enter the IP
address and URL in the Client IP and URL text boxes. Enter the required date range and click Run
report.
Amount of time an IP address spent browsing sites in a category
The Amount of time an IP address spent browsing sites in a category report provides a
graphical representation of the data.
Note: An IP address does not necessarily denote a particular user, as multiple users can use the
same device depending on the setup.
To run the report for a specific IP address and category, click the Advanced >> button and enter
the IP address and URL in the Client IP and Category text boxes. Enter the required date range
and click Run report.
Application Bandwidth Statistics
The Application Bandwidth Statistics report provides details of the bandwidth used by
application groups, including:
• Measurements of the incoming and outgoing bandwidth.
• Measurements of the bandwidth used by individual IP addresses.
• Measurements of the bandwidth used by individual applications.
• Measurements of bandwidth across external interfaces and/or bridges.
• Drill down through the report from application bandwidth into IP address bandwidth, and vice versa.
• Application classification into groups, and bandwidth measurements of these groups. For a detailed description of each application grouping, see Appendix B: Application Groups on page 189.
Note: A Layer 7 licence (deep packet inspection) is required to run this report fully. Without this
licence, limited information is displayed. For more information about obtaining a Layer 7 licence, refer
to your Smoothwall representative.
To run the report for a specific traffic direction and interface, click the Advanced >> button and
choose the traffic direction from the Data flow direction to highlight drop down list, and interface
from the Interface drop down list. Enter the required date range and click Run report.
About the Generated Report
The generated Application Bandwidth Statistics report is broken down into the following sections:
• Traffic statistics — Shows the incoming and outgoing bandwidth as a graph, over the specified date range, for example:
• Top 5 IP addresses over time — Shows the bandwidth used, as a graph, for each of the top five IP addresses. Incoming or outgoing data is shown, dependent on the traffic direction chosen when running the report.
• Top 5 application groups over time — Shows the bandwidth used, as a graph, for each of the top five application groups. Incoming or outgoing data is shown, dependent on the traffic direction chosen when running the report.
You can also drill down through the graphs to show a further break down of either the IP addresses
that accessed the application groups, or the application groups accessed by the IP address. The
following example is a break down of the File Transfer application group from the image above:
Note that as you drill down through the report, the Traffic statistics graph is always displayed at
the top.
Authentication Cache
The Authentication Cache report displays a list of users, and their state within the cache, during a
specific date range.
To run the report, enter the required date range and click Run report.
Bandwidth usage by a specific user
The Bandwidth usage by a specific user report provides a graphical representation of the data.
You can click on the username to use drill down reports.
To run the report for a specific user, click the Advanced >> button and enter the username in the
Username box. Enter the required date range and click Run report.
Complete IP address audit trail
The Complete IP address audit trail report provides statistical information of all activity, including
web browsing and IM activity, for a specific IP address.
To run the report for a specific IP address, click the Advanced >> button and enter the IP address
in the Client IP box. Enter the required date range and click Run report.
Complete user audit trail
The Complete user audit trail report provides statistical information of all activity, including web
browsing and IM activity, from a specific user.
To run the report for a specific user, click the Advanced >> button and enter the username in the
Username box. Enter the required date range and click Run report.
Connection details and traffic statistics
The Connection details and traffic statistics report provides statistical information for inbound
and outbound traffic on each interface. Information is split into the following tables:
• Interface and host bandwidth usage
• Per IP address statistics
To run the report, enter the required date range and click Run report.
Control page template
The Control page template is used on the control page. This displays control information about
your Smoothwall System installation, including:
• Smoothwall System updates
• Tip of the day
• Support information, such as serial number and license expiry dates.
To run the report, click Run report.
Daily category comparison
The Daily category comparison report lists the top 50 categories accessed today, in descending
order, plus their relative position for yesterday.
To run the report, click Run report.
Daily domain comparison
The Daily domain comparison report lists the top 50 domains accessed today, in descending
order, plus their relative position for yesterday.
To run the report, click Run report.
Daily user comparison
The Daily user comparison report lists the top 50 users today, in descending order, plus their
relative position for yesterday.
To run the report, click Run report.
Disk information
The Disk information report displays the status of the hard drive in your Advanced Firewall,
including:
• Disk information
• Processor information
• Memory information
• Disk space information (Hard Disk Drive Info), including how much space is taken by the system installation, and log files.
To run the report, enter the required date range and click Run report.
Estimated cost of Spam and Malware
The Estimated cost of Spam and Malware report provides the estimated return on investment of
dealing with the quantity of spam and malware before it was rejected. The top originating recipients
and domains are also listed.
To run the report, enter the required date range and click Run report.
Executive summary of activity of a specific IP address
The Executive summary of activity of a specific IP address report provides a graphical
representation of the following activity from a specified IP address:
• The number of hits per day
• The number of hits per hour
• The total browsing time
• The top search terms, or phrases, used by the IP address
• The categories browsed
Note: An IP address does not necessarily denote a particular user, as multiple users can use the
same device depending on the setup.
To run the report for a specific IP address, click the Advanced >> button and enter the IP address
in the Client IP text box. Enter the required date range and click Run report.
Executive summary of activity of a specific user
The Executive summary for a user report provides a graphical representation of the following
activity from a specified username:
• The number of hits per day
• The number of hits per hour
• The total browsing time
• The top search terms, or phrases, used by the user
• The categories browsed
To run the report for a specific user, click the Advanced >> button and enter their username in the
Username text box. Enter the required date range and click Run report.
Executive summary of all group activity
The Executive summary for all group activity report scans all group activity, and provides a
graphical representation of the number of hits from the top ten most active groups. The categories
browsed by each group are also listed.
To run the report, enter the required date range and click Run report.
Firewall activity
The Firewall activity report displays important firewall activity, broken into:
• Statistics for the firewall (main)
• An outgoing audit (auditoutput)
• Port-forwarding activity (portfw)
• srule
• srulestealth
To run the report, enter the required date range and click Run report.
Incoming email summary incl last 24 hours
The Incoming email summary incl last 24 hours report provides a graphical representation of the
number of emails received, the classification of those emails, and the bandwidth used per day. Email
classifications are:
• Accepted
• Spam
• Virus
You can choose to run the report against a specific domain, or for all domains.
To run the report for a specific domain, click the Advanced >> button and choose the domain from
the Filter by domain drop down list. Enter the required date range and click Run report.
Interfaces and IP addresses
The Interfaces and IP addresses report displays all external, internal, and VPN interfaces,
including their connection details and DHCP leases. Information for each interface is grouped into the
following tables:
• Network Address Resolution Protocol (ARP) information
• Network routing information
To run the report, enter the required date range and click Run report.
Mailbox activity
The Mailbox activity report provides a list of emails received by active mailboxes but redirected to
the anti spam quarantine, and the size of the quarantine, in megabytes. The top ten quarantined users
are also displayed, broken down into:
• By messages quarantined
• By messages released
• By message size
To run the report, enter the required date range and click Run report.
Malware Incl last 24 hours
The Malware Incl last 24 hours report provides a graphical representation of the number of
attempts to send viruses and malware. Those received through the anti spam quarantine
are also shown. The top viruses detected are also listed.
You can choose to run the report against a specific domain, or for all domains.
To run the report for a specific domain, click the Advanced >> button and choose the domain from
the Filter by domain drop down list. Enter the required date range and click Run report.
Outgoing email summary incl last 24 hours
The Outgoing email summary incl last 24 hours report provides a graphical representation of the
number of emails sent, the classification of those emails, and the bandwidth used per day. Email
classifications are:
• Accepted
• Spam
• Virus
You can choose to run the report against a specific domain, or for all domains.
To run the report for a specific domain, click the Advanced >> button and choose the domain from
the Filter by domain drop down list. Enter the required date range and click Run report.
Portal users logged in status
The Portal users logged in status report displays a list of those users who have access to the user
portal, and the current state of their session.
To run the report, enter the required date range and click Run report.
Summary page template
The Summary page template provides the template for the Summary report found under
Logs and reports > Reports > Summary. This displays summary information about your
Smoothwall System installation, including:
• Alerts
• The running status of system services
• Network ARP table
• Updates for your Smoothwall System
• Tip of the day
• Summary of uptime
• Processor information
• Memory information
• Hard disk drive information
• Interface and host bandwidth usage
• Per IP address statistics
• Network routing table
To run the report, either enter the required date range and click Run report, or click Logs and
reports > Reports > Summary.
System information
The System information report displays important information about your Advanced Firewall
installation, including:
• Summary of uptime
• The ports that are in use
• System logs for:
  - Authentication service (auth)
  - Kernel (kernel)
  - System logs (smoothwall)
  - SSH (ssh)
• Loaded kernel modules
• Information about any installed Universal Power Supplies (UPS)
• Disk information
• Processor information
• Memory information
• Hard disk drive information
• The running status of system services
• Updates for your Smoothwall System
To run the report, enter the required date range and click Run report.
Time spent browsing for a specific user
The Time spent browsing for a specific user report provides a graphical representation of the
data.
To run the report for a specific user, click the Advanced >> button and enter the username in the
Username text box. Enter the required date range and click Run report.
Time spent browsing sites in a specific category for a specific user
The Time spent browsing sites in a specific category for a specific user report provides a
graphical representation of the data.
To run the report for a specific user and category, click the Advanced >> button and enter the
username and category in the Username and Category text boxes. Enter the required date range
and click Run report.
Times of day a group browses a specific URL
The Times of day a group browses a specific URL report provides a graphical representation of
the data.
To run the report for a specific group and URL, click the Advanced >> button and select the group
from the Group drop-down menu. Enter the URL in the URL text box. Enter the required date range
and click Run report.
Note: Even though a date range can be entered, the graph only displays data for a 24-hour period.
It is recommended you limit your report range to a 24-hour period.
Times of day a user browses a specific URL
The Times of day a user browses a specific URL report provides a graphical representation of
the data.
To run the report for a specific user and URL, click the Advanced >> button and enter the username
and URL in the Username and URL text boxes. Enter the required date range and click Run report.
Note: Even though a date range can be entered, the graph only displays data for a 24-hour period.
It is recommended you limit your report range to a 24-hour period.
Times of day a user browses and the categories browsed
The Times of day a user browses and the categories browsed report provides a graphical
representation of the data. The categories they have browsed are displayed in the Per hour table.
To run the report for a specific user, click the Advanced >> button and enter the username in the
Username text box. Click Run report.
Note: Even though a date range can be entered, the graph only displays data for a 24-hour period.
It is recommended you limit your report range to a 24-hour period.
Times of day an IP address browses a specific URL
The Times of day an IP address browses a specific URL report provides a graphical
representation of the data.
Note: An IP address does not necessarily denote a particular user, as multiple users can use the
same device depending on the setup.
To run the report for a specific IP address and URL, click the Advanced >> button and enter the IP
address and URL in the Client IP and URL text boxes. Enter the required date range and click Run
report.
Note: Even though a date range can be entered, the graph only displays data for a 24-hour period.
It is recommended you limit your report range to a 24-hour period.
Times of day an IP address browses and the categories browsed
The Times of day an IP address browses and the categories browsed report provides a
graphical representation of the data. The categories they have browsed are displayed in the Per hour
table.
Note: An IP address does not necessarily denote a particular user, as multiple users can use the
same device depending on the setup.
To run the report for a specific IP address, click the Advanced >> button and enter the IP address
in the Client IP text box. Click Run report.
Note: Even though a date range can be entered, the graph only displays data for a 24-hour period.
It is recommended you limit your report range to a 24-hour period.
Times of day members of a group browses and the categories browsed
The Times of day members of a group browses and the categories browsed report provides
a graphical representation of the data. The categories browsed are displayed in the Per hour table.
To run the report for a specific group, click the Advanced >> button and select the group from the
Group drop-down menu. Enter the required date range and click Run report.
Note: Even though a date range can be entered, the graph only displays data for a 24-hour period.
It is recommended you limit your report range to a 24-hour period.
Top blocked domains by hits
The Top blocked domains by hits report lists the top 20 blocked domains for the specified time
period. By clicking a domain, you can use drill down reports to report on that domain specifically. The
data is also presented as a graph, and pie chart.
For more information about drill down reports, see Using Drill Down Reports on page 78.
To run the report, enter the required date range, and click Run report.
Top blocked users by hits
The Top blocked users by hits report lists the top 20 blocked users for the specified time period.
By clicking a username, you can use drill down reports to report on that username specifically. The
data is also presented as a graph.
For more information about drill down reports, see Using Drill Down Reports on page 78.
To run the report, enter the required date range, and click Run report.
Top categories by hits and bandwidth
The Top categories by hits and bandwidth report provides a graphical representation of the top
20 most frequently accessed categories. The top 20 categories are also listed according to the
amount of bandwidth used. By clicking a category, you can use drill down reports to report on that
category specifically. For more information about drill down reports, see Using Drill Down Reports on
page 78.
To run the report, enter the required date range and click Run report.
Top categories by hits and bandwidth - with options
The Top categories by hits and bandwidth - with options report is exactly the same as the Top
categories by hits and bandwidth report, except that you can customize the report for your own
operational needs. Available options are:
• Display top — Change the number of categories to display. Valid values are: 10, 20, 50, 100, 200, or 500
• Client IP — Enter a valid IP address to only report on the top categories browsed from that address
• Group — From the drop down list, choose a group to only report on the top categories browsed from that group
• Username — Enter a valid username to only report on the top categories browsed by that username
• URL — Enter a URL to only report on the top categories that the URL belongs to
• Denied — Select this option to only report on the top categories where browsing was blocked due to URL, or search term or phrase, filtering
• Denied POST — Select this option to only report on the top categories where a message, or similar, upload was blocked due to banned words or phrases
To run the report, click the Advanced >> button, and configure the relevant options. Enter the
required date range and click Run report.
Top client IPs by hits and bandwidth
The Top client IPs by hits and bandwidth report provides a graphical representation of the top 20
busiest IP addresses. The top 20 IP addresses are also listed according to the amount of bandwidth
used. By clicking an IP address, you can use drill down reports to report on that IP address
specifically. For more information about drill down reports, see Using Drill Down Reports on page 78.
To run the report, enter the required date range and click Run report.
Top client IPs by hits and bandwidth - with options
The Top client IPs by hits and bandwidth - with options report is exactly the same as the Top
client IPs by hits and bandwidth report, except that you can customize the report for your own
operational needs. Available options are:
• Display top — Change the number of client IP addresses to display. Valid values are: 10, 20, 50, 100, 200, or 500
• Category — Enter a category to only report on those IP addresses that have browsed domains in that category
• Group — From the drop down list, choose a group to only report on those IP addresses belonging to that group
• Exclude adverts — Select this option to ignore hits and bandwidth used by adverts received
• URL — Enter a URL to only report on those IP addresses that have visited the URL
• Denied — Select this option to only report on the top IP addresses where browsing was blocked due to URL, or search term or phrase, filtering
• Denied POST — Select this option to only report on the top IP addresses where a message, or similar, upload was blocked due to banned words or phrases
To run the report, click the Advanced >> button, and configure the relevant options. Enter the
required date range and click Run report.
Top domains by hits and bandwidth
The Top domains by hits and bandwidth report provides a graphical representation of the top 20
most requested domains. The top 20 domains are also listed according to the amount of bandwidth
used. By clicking a domain, you can use drill down reports to report on that domain specifically. For
more information about drill down reports, see Using Drill Down Reports on page 78.
To run the report, enter the required date range and click Run report.
Top domains by hits and bandwidth - with options
The Top domains by hits and bandwidth - with options report is exactly the same as the Top
domains by hits and bandwidth report, except that you can customize the report for your own
operational needs. Available options are:
• Display top — Change the number of domains to display. Valid values are: 10, 20, 50, 100, 200, or 500
• Category — Enter a category to only report on those domains in that category
• Client IP — Enter a valid IP address to only report on those domains requested by the IP address
• Group — From the drop down list, choose a group to only report on those domains visited by that group
• Username — Enter a valid username to only report on those domains visited by that user
• Exclude adverts — Select this option to ignore hits and bandwidth used by adverts received
• Denied — Select this option to only report on the top IP addresses where browsing was blocked due to URL, or search term or phrase, filtering
• Denied POST — Select this option to only report on the top IP addresses where a message, or similar, upload was blocked due to banned words or phrases
To run the report, click the Advanced >> button, and configure the relevant options. Enter the
required date range and click Run report.
Top search terms
The Top search terms report lists the top 20 most frequently searched for terms or phrases.
To run the report, enter the required date range and click Run report.
Top search terms and the searches they were used in for a specific user
The Top search terms and the searches they were used in for a specific user report lists the
top 50 search terms or phrases, excluding common words, used by a specific user. The searches
the terms were used in are also shown.
To run the report for a specific user, click the Advanced >> button and enter the username in the
Username text box. Enter the required date range and click Run report.
Top users by hits and bandwidth
The Top users by hits and bandwidth report provides a graphical representation of the top 20
most active users by individual web page visits. The top 20 users are also listed according to the
amount of bandwidth used. By clicking a username, you can use drill down reports to report on that
domain specifically. For more information about drill down reports, see Using Drill Down Reports on
page 78.
To run the report, enter the required date range and click Run report.
Top users by hits and bandwidth - with options
The Top users by hits and bandwidth - with options report is exactly the same as the Top users
by hits and bandwidth report, except that you can customize the report for your own operational
needs. Available options are:
• Display top — Change the number of usernames to display. Valid values are: 10, 20, 50, 100, 200, or 500
• Category — Enter a category to only report on those categories visited by the user
• Client IP — Enter a valid IP address to only report on web traffic originating from that IP address. Note that an IP address does not necessarily denote a particular user, as multiple users can use the same device depending on the setup.
• Group — From the drop down list, choose a group to only report on those members of that group
• Exclude adverts — Select this option to ignore hits and bandwidth used by adverts received
• URL — Enter a valid URL to only report on those users that have visited this particular URL
• Denied — Select this option to only report on the top IP addresses where browsing was blocked due to URL, or search term or phrase, filtering
• Denied POST — Select this option to only report on the top IP addresses where a message, or similar, upload was blocked due to banned words or phrases
To run the report, click the Advanced >> button, and configure the relevant options. Enter the
required date range and click Run report.
Top users using banned search terms
The Top users using banned search terms report lists the top 20 users who have used banned
search terms or phrases.
To run the report, enter the required date range and click Run report.
Updates
The Updates report displays whether updates are needed for your Smoothwall System, and the last
time the blocklists were installed or updated.
To run the report, click Run report.
VPN status and history
The VPN status and history report provides statistical, and historical information about the status
of configured VPN tunnels. A table for each type of VPN tunnel is available, that is, IPSec, L2TP road
warrior, and SSL road warrior.
To run the report, enter the required date range and click Run report.
Web filter statistics
The Web filter statistics report provides statistical information about the performance of the HTTP
proxy service, and web content filter, including:
• Web cache graphs
• Web cache statistics
• Median services times for the last five minutes
• Median services times for the last 60 minutes
• The last time the blocklists were installed or updated
To run the report, enter the required date range and click Run report.
Appendix B: Application Groups
This appendix lists the available application groups for Bandwidth, including:
• Application Groups on page 189
• Deep Packet Inspection Application Groups on page 190
Application Groups
Application groups are classified as follows:
Application Group: Applications
Databases: Microsoft SQL, MySQL, PostgreSQL
File Transfer: FTP
Infrastructure: DHCP, DNS, ICMP, IGMP, Internet printing (IPP), LDAP, Microsoft, NTP, RPC/SMB/CIFS, SNMP, Sun RPC/NFS
Mail: IMAP, POP, SMTP
Messaging: IRC
News: NNTP
Proxies: SOCK proxy, Web proxy
Remote Access: Remote Desktop, SSH, Telnet, VNC
Streaming Media: SIP (VoIP)
VPN/Tunneling: IPsec tunneling, IPv6 tunneling
Web browsing: HTTP, HTTPS (unencrypted)
Deep Packet Inspection Application Groups
If deep packet inspection (DPI) is licensed for Bandwidth, the following additional application groups
are also defined:
Application Group: Applications
Collaboration: Citrix, Citrix GoToMyPC, GoToMeeting, Groupwise, HL7, Lotus Notes, Lync, Meeting Maker, Microsoft ActiveSync, NetMeeting, SAP, SharePoint, WebEx
Databases: BLIDM, CLDAP, dBase, INGRES-NET, LDAP, MaxDB, Mini SQL, MS SQL, Oracle, RIS, SVN, Sybase SQL, TDS
File Transfer: ACR-NEMA, AFP, Akamai Netsession, Apple Update, AppleJuice, Ares, Astraweb, auditd, AVG, Avira, BitDefender, BitTorrent, BITS, BlazeFS, CFDPTKT, CIFS, Clubbox, Commvault, DirectConnect, Dropbox, eDonkey, Eset, FASP, F-Prot, Freenet, Giganews, Gnutella, GPFS, Google Talk File Transfer, HiveStor, iCloud, iMesh, Kaspersky, Manolito, McAfee, MC-FTP, McIDAS, MUTE-net, NateOn File, NFA, NFS, NNTP, NovaBACKUP, OFTP, OFTPS, Paltalk File Transfer, Panda, Pando, PDbox, PDbox P2P, PFTP, Qik Upload, SBNTBCST, SFTP, Share P2P, Shareman, Skype File Transfer, SuperNews, TFTP, Usenet, Vegaa, WebDAV, WinMX, Winny, Windows Update, Xunlei, Yahoo Msg File Transfer, ZanNet
Games: Battle.net, Quake Live, Steam, XBox
Mail: Exchange, gmail, InfoStore, Microsoft Mail API, Microsoft Mail Transfer Agent, Microsoft RFR, MS IMAP, NI Mail, PCMAIL, POP2, POP3, Store Admin, SMTP, System Attendant
Messaging: 050Plus, Aliwangwan, AIM, APNS, BaiduHi, C2DM, CISCOUC, CISUCAUD, CISUCVID, DeNA Comm, eBuddy, eBuddy XMS, Fring, Google Hangouts, Google Helpouts, Google Talk, iCall, ICQ, ISCHAT, Kakao, Kakao Audio, LINE, Line2, Meebo, MMS, MSMQ, MSNP, NateOn, NateOn Phone, Nokia Message, OSCAR, Paltalk, Pinger, QQ, Skype Video, Skype Voice, Snapchat, Tango, Viber, WeChat, XMPP, YiXin, Yahoo Messenger
Networking: Active Directory, Apple ARP, Apple, AppleShare, AppleTalk, BGMP, BGP, BJNP, Cableport AX, Cisco DRP, Cisco FNATIVE, Cisco GDP, Cisco SYSMAINT, Cisco TNATIVE, Clearcase, DASP, DCAP, DCCP, DCE/RPC, DHCP, DHCPv6, Diameter, DNS, FIX, GPRS Tunneling Protocol Control, GPRS Tunneling Protocol Prime, GPRS Tunneling Protocol User, FINTA, HDAP, HTTP, Ident, IGMP, ISAKMP, Java RMI, Kerberos, LLMNR, MDNS, MFTP, Microsoft Spooler Subsystem, MobileIP, MortgageWare, MUMPS, NDS Auth, Netware, NSS, NSSTP, NetBIOS Datagram Distribution Service, NetBIOS Name Service, NetBIOS Session Service, NTP, OCS, OCSP, ODMR, OSPF, PIM, PKIX Timestamp, PPP Discovery, PPP Session, Printer, PTP, RADIUS, RADIUS-ACCT, RAP, RPC2PMAP, RSVP, Rsync, SCCM, SCCP, SCTP, SEND, SSDP, SSL, STUN, Sun RPC, SVRLOC, TACACS, Teredo, Timbuktu, WCCP, WebSocket, Whois, Wyse TCX, XNS
Network Monitoring
• Chargen
• Daytime
• Discard
• Echo
• Finger
• ICMP
• ICMPv6
• Naverisk
• SMUX
• SNMP
• Syslog
• Systat
• Tivoli
• Tripwire
• UMA
• Zabbix
Proxies
• Avocent
• Freegate
• Hopster
• Jondo
• Privax
• SOCKS
• Tor
• Ultrasurf
Remote Access
• Citrix CGP
• Citrix ICA
• Citrix IMA
• Citrix Licensing
• Citrix RTMPL
• Citrix SLG
• Citrix WANScaler
• ERPC
• GOM Remote
• HP VMM
• KWDB
• LogMeIn
• PCoIP
• RDP
• SCCM Remote Control
• ShowMyPC
• Sophos RED
• TeamViewer
Streaming Media
• Adobe Flash
• FaceTime
• Fring A/V
• Google Talk Audio
• Google Talk Video
• Google Video
• H.225
• H.245
• H.248
• H.323
• Hulu
• Instagram Video
• iTunes
• Kugou
• Lync Audio
• Lync Media
• Lync Video
• MagicJack
• Nate Video
• NetFlix
• Paltalk Video
• Paltalk Voice
• Pandora
• PPTV
• QIK
• QIK Chat
• QIK Video
• QuickTime
• RTCP
• RTMP
• RTP
• RTSP
• RTSPS
• SHOUTcast
• Silverlight
• Sina Video
• SIP
• Skype
• Sopcast
• Spotify
• Secure RTCP
• SRTP
• SRTP Audio
• SRTP Video
• T-Mobile
• UltraViolet
• Vonage
• WhatsApp
• Windows Media
• Yahoo Messenger Audio
• Yahoo Messenger Video
VPN/Tunneling
• AH
• CyberGhost
• DynGate
• ESP
• GRE
• Hamachi
• Hotspot Shield
• IPComp
• IPIP
• IPsec
• L2TP
• OpenVPN
• PPTP
• RSVP Tunnel
• SecurityKISS
• VPNReactor
Glossary
Numeric
2-factor authentication
The password to a token used with the token. In other words: 2-factor authentication is something you know, used together with
something you have. Access is only granted when you use the
two together.
3DES
A triple strength version of the DES cryptographic standard, usually using a
168-bit key.
A
Acceptable Use Policy
See AUP
Access control
The process of preventing unauthorized access to computers, programs,
processes, or systems.
Active Directory
Microsoft directory service for organizations. It contains information about
organizational units, users and computers.
ActiveX*
A Microsoft reusable component technology used in many VPN solutions
to provide VPN client access in a road warrior's web browser.
AES
Advanced Encryption Standard
A method of encryption selected by NIST as a replacement for DES and
3DES. AES supports key lengths of 128-bit, 192-bit and 256-bit. AES
provides high security with fast performance across multiple platforms.
AH
Authentication Header
Forms part of the IPSec tunnelling protocol suite. AH sits between the IP
header and datagram payload to maintain information integrity, but not
secrecy.
Algorithm
In Smoothwall products, an algorithm is a mathematical procedure that
manipulates data to encrypt and decrypt it.
Alias
or External Alias
In Smoothwall terminology, an alias is an additional public IP that operates
as an alternative identifier of the red interface.
ARP
Address Resolution Protocol
A protocol that maps IP addresses to NIC MAC addresses.
ARP Cache
Used by ARP to maintain the correlation between IP addresses and MAC
addresses.
AUP
Acceptable Use Policy
An AUP is an official statement on how an organization expects its
employees to conduct messaging and Internet access on the
organization’s email and Internet systems. The policy explains the
organization’s position on how its users should conduct communication
within and outside of the organization both for business and personal use.
Authentication
The process of verifying identity or authorization.
B
Bandwidth
Bandwidth is the rate that data can be carried from one point to another.
Measured in Bps (Bytes per second) or Kbps.
BIN
A binary certificate format, 8-bit compatible version of PEM.
Buffer Overflow
An error caused when a program tries to store too much data in a
temporary storage area. This can be exploited by hackers to execute
malicious code.
C
CA
Certificate Authority
A trusted network entity, responsible for issuing and managing x509 digital
certificates.
Certificate
A digital certificate is a file that uniquely identifies its owner. A certificate
contains owner identity information and its owner's public key. Certificates
are created by CAs.
Cipher
A cryptographic algorithm.
Ciphertext
Encrypted data which cannot be understood by unauthorized parties.
Ciphertext is created from plain text using a cryptographic algorithm.
Client
Any computer or program connecting to, or requesting the services of,
another computer or program.
Cracker
A malicious hacker.
Cross-Over Cable
A network cable with TX and RX (transmit and receive) reversed at either
end to provide a direct peer-to-peer network connection.
Cryptography
The study and use of methods designed to make information unintelligible.
D
Default Gateway
The gateway in a network that will be used to access another network if a
gateway is not specified for use.
Denial of Service
Occurs when a network host is flooded with large numbers of automatically
generated data packets. The receiving host typically slows to a halt while it
attempts to respond to each request.
DER
Distinguished Encoding Rules
A certificate format typically used by Windows operating systems.
DES
Data Encryption Standard
A historical 64-bit encryption algorithm still widely used today. DES is
scheduled for official obsolescence by the US government agency NIST.
DHCP
Dynamic Host Control Protocol
A protocol for automatically assigning IP addresses to hosts joining a
network.
Dial-Up
A telephone based, non-permanent network connection, established using
a modem.
DMZ
Demilitarized Zone
An additional separate subnet, isolated as much as possible from protected
networks.
DNS
Domain Name Service
A name resolution service that translates a domain name to an IP address
and vice versa.
Domain Controller
A server on a Microsoft Windows network that is responsible for allowing
host access to a Windows domain's resources.
Dynamic IP
A non-permanent IP address automatically assigned to a host by a DHCP
server.
Dynamic token
A device which generates one-time passwords based on a challenge/
response procedure.
E
Egress filtering
The control of traffic leaving your network.
Encryption
The transformation of plaintext into a less readable form (called ciphertext)
through a mathematical process. A ciphertext may be read by anyone who
has the key to decrypt it (undo the encryption).
ESP
Encapsulating Security Payload
A protocol within the IPSec protocol suite that provides encryption services
for tunnelled data.
Exchange Server
A Microsoft messaging system including mail server, email client and
groupware applications (such as shared calendars).
Exploit
A hardware or software vulnerability that can be 'exploited' by a hacker to
gain access to a system or service.
F
Filter
A filter is a collection of categories containing URLs, domains, phrases, lists
of file types and replacement rules. Filters are used in policies to determine
if a user should be allowed access to information or files he/she has
requested using their web browser.
FIPS
Federal Information Processing Standards. See NIST.
Firewall
A combination of hardware and software used to prevent access to private
network resources.
G
Gateway
A network point that acts as an entrance to another network.
Green
In Smoothwall terminology, green identifies the protected network.
H
Hacker
A highly proficient computer programmer who seeks to gain unauthorized
access to systems without malicious intent.
Host
A computer connected to a network.
Hostname
A name used to identify a network host.
HTTP
Hypertext Transfer Protocol
The set of rules for transferring files on the World Wide Web.
HTTPS
A secure version of HTTP using SSL.
Hub
A simple network device for connecting networks and network hosts.
I
ICMP
Internet Control Message Protocol
One of the core protocols of the Internet protocol suite. It is chiefly used by
networked computers' operating systems to send error messages
indicating, for example, that a requested service is not available or that a
host or router could not be reached.
IDS
Intrusion Detection System
IP
Internet Protocol
IPS
Intrusion Prevention System
IP Address
A 32-bit number that identifies each sender and receiver of network data.
IPtables
The Linux packet filtering tool used by Smoothwall to provide firewalling
capabilities.
IPSec
Internet Protocol Security
An internationally recognized VPN protocol suite developed by the Internet
Engineering Task Force (IETF).
IPSec Passthrough
A 'helper' application on NAT devices that allows IPSec VPN traffic to pass
through.
ISP
An Internet Service Provider provides Internet connectivity.
K
Key
A string of bits used with an algorithm to encrypt and decrypt data. Given
an algorithm, the key determines the mapping of plaintext to ciphertext.
Kernel
The core part of an operating system that provides services to all other
parts of the operating system.
Key space
The name given to the range of possible values for a key. The key space is
the number of bits needed to count every distinct key. The longer the key
length (in bits), the greater the key space.
L
L2F
Layer 2 Forwarding
A VPN system, developed by Cisco Systems.
L2TP
Layer 2 Transport Protocol
A protocol based on IPSec which combines Microsoft PPTP and Cisco
Systems L2F tunnelling protocols.
LAN
Local Area Network
A network between hosts in a similar, localized geography.
Leased Lines
Or private circuits
A bespoke high-speed, high-capacity site-to-site network that is installed,
leased and managed by a telephone company.
Lockout
A method to stop an unauthorized attempt to gain access to a computer.
For example, a three try limit when entering a password. After three
attempts, the system locks out the user.
M
MAC Address
Media Access Control
An address which is the unique hardware identifier of a NIC.
MX Record
Mail eXchange
An entry in a domain name database that specifies an email server to
handle a domain name's email.
N
NAT-T
Network Address Translation Traversal
A VPN Gateway feature that circumvents IPSec NATing problems. It is a
more effective solution than IPSec Passthrough.
NIC
Network Interface Card
NIST
National Institute of Standards and Technology
NIST produces security and cryptography related standards and publishes
them as FIPS documents.
NTP
Network Time Protocol
A protocol for synchronizing a computer's system clock by querying NTP
Servers.
O
OU
An organizational unit (OU) is an object used to distinguish different
departments, sites or teams in your organization.
P
Password
A protected/private string of characters, known only to the authorized
user(s) and the system, used to authenticate a user as authorized to access
a computer or data.
PEM
Privacy Enhanced Mail
A popular certificate format.
Perfect Forward Secrecy
A key-establishment protocol, used to secure previous VPN
communications, should a key currently in use be compromised.
PFS
See Perfect Forward Secrecy
Phase 1
Phase 1 of a 2 phase VPN tunnel establishment process. Phase 1
negotiates the security parameter agreement.
Phase 2
Phase 2 of a 2 phase VPN tunnel establishment process. Phase 2 uses the
agreed parameters from Phase 1 to bring the tunnel up.
Ping
A program used to verify that a specific IP address can be seen from
another.
PKCS#12
Public Key Cryptography Standards # 12
A portable container file format for transporting certificates and private keys.
PKI
Public Key Infrastructure
A framework that provides for trusted third party vetting of, and vouching
for, user identities; and binding of public keys to users. The public keys are
typically in certificates.
Plaintext
Data that has not been encrypted, or ciphertext that has been decrypted.
Policy
Contains content filters and, optionally, time settings and authentication
requirements, to determine how Advanced Firewall handles web content
and downloads to best protect your users and your organization.
Port
A service connection point on a computer system numerically identified
between 0 and 65536. Port 80 is the HTTP port.
Port Forward
A firewall rule that routes traffic from a receiving interface and port
combination to another interface and port combination. Port forwarding
(sometimes referred to as tunneling) is the act of forwarding a network port
from one network node to another. This technique can allow an external
user to reach a port on a private IP address (inside a LAN) from the outside
via a NAT-enabled router.
PPP
Point-to-Point Protocol
Used to communicate between two computers via a serial interface.
PPTP
Peer-to-Peer Tunnelling Protocol
A widely used Microsoft tunnelling standard deemed to be relatively
insecure.
Private Circuits
See Leased Lines.
Private Key
A secret encryption key known only by its owner. Only the corresponding
public key can decrypt messages encrypted using the private key.
Protocol
A formal specification of a means of computer communication.
Proxy
An intermediary server that mediates access to a service.
PSK
Pre-Shared Key
An authentication mechanism that uses a password exchange and
matching process to determine authenticity.
Public Key
A publicly available encryption key that can decrypt messages encrypted by
its owner's private key. A public key can be used to send a private message
to the public key owner.
PuTTY
A free Windows / SSH client.
Q
QOS
Quality of Service
In relation to leased lines, QOS is a contractual guarantee of uptime and
bandwidth.
R
RAS
Remote Access Server
A server which can be attached to a LAN to allow dial-up connectivity from
other LANs or individual users. RAS has been largely superseded by VPNs.
Red
In Smoothwall, red is used to identify the Unprotected Network (typically the
Internet).
RIP
Routing Information Protocol
A routing protocol which helps routers dynamically adapt to changes in
network connections by communicating information about which networks
each router can reach and how far away those networks are.
Road Warrior
An individual remote network user, typically a travelling worker 'on the road'
requiring access to an organization’s network via a laptop. Usually has a
dynamic IP address.
Route
A path from one network point to another.
Routing Table
A table used to provide directions to other networks and hosts.
Rules
In firewall terminology, rules are used to determine what traffic is allowed to
move from one network endpoint to another.
S
Security policy
A security policy is a collection of procedures, standards and guidelines that
state in writing how an organization plans to protect its physical and
information technology (IT) assets. It should include password, account and
logging policies, administrator and user rights and define what behavior is
and is not permitted, by whom and under what circumstances.
Server
In general, a computer that provides shared resources to network users.
SIP
Session Initiation Protocol
A protocol for initiating, modifying, and terminating an interactive user
session that involves multimedia elements such as video, voice, instant
messaging, online games, and virtual reality. Commonly used in VOIP
applications.
Single Sign-On
(SSO) The ability to log-in to multiple computers or servers in a single action
by entering a single password.
Site-To-Site
A network connection between two LANs, typically between two business
sites. Usually uses a static IP address.
Smart card
A device which contains the credentials for authentication to any device that
is smart card-enabled.
Spam
Junk email, usually unsolicited.
SQL Injection
A type of exploit whereby hackers are able to execute SQL statements via
an Internet browser.
Squid
A high performance proxy caching server for web clients.
SSH
Secure Shell
A command line interface used to securely access a remote computer.
SSL
A cryptographic protocol which provides secure communications on the
Internet.
SSL VPN
A VPN accessed via HTTPS from any browser (theoretically). VPNs require
minimal client configuration.
Strong encryption
A term given to describe a cryptographic system that uses a key so long
that, in practice, it becomes impossible to break the system within a
meaningful time frame.
Subnet
An identifiably separate part of an organization’s network.
Switch
An intelligent cable junction device that links networks and network hosts
together.
Syslog
A server used by other hosts to remotely record logging information.
T
Triple DES (3-DES) Encryption
A method of data encryption which uses three encryption keys and runs
DES three times. Triple-DES is substantially stronger than DES.
Tunneling
The transmission of data intended for use only within a private network
through a public network in such a way that the routing nodes in the public
network are unaware that the transmission is part of a private network.
U
User name / user ID
A unique name by which each user is known to the system.
V
VPN
Virtual Private Network
A network connected together via securely encrypted communication
tunnels over a public network, such as the global Internet.
VPN Gateway
An endpoint used to establish, manage and control VPN connections.
X
X509
An authentication method that uses the exchange of CA issued certificates
to guarantee authenticity.